aws-cloudfront-signed-cookies: Generate signed cookies for AWS CloudFront

[ aws, cloud, library, mit, network, program ] [ Propose Tags ] [ Report a vulnerability ]
Versions [RSS] 0.1.0.0, 0.1.0.1, 0.2.0.0, 0.2.0.1, 0.2.0.2, 0.2.0.4, 0.2.0.6, 0.2.0.8, 0.2.0.9, 0.2.0.10, 0.2.0.11, 0.2.0.12
Change log changelog.md
Dependencies aeson (>=1.4 && <1.6), aeson-pretty (>=0.8 && <0.9), asn1-encoding (>=0.9.5 && <0.10), asn1-types (>=0.3.2 && <0.4), aws-cloudfront-signed-cookies, base (>=4.10 && <4.16), base64-bytestring (>=1.0.0.2 && <1.3), bytestring (>=0.10.8.1 && <0.12), cookie (>=0.4.3 && <0.5), cryptonite (>=0.25 && <0.30), lens (>=4.15.2 && <4.20 || >=5 && <5.1), lens-aeson (>=1.0.2 && <1.2), optparse-applicative (>=0.14.1.0 && <0.17), pem (>=0.2.3 && <0.3), text (>=1.2.3 && <1.3), time (>=1.8 && <1.10), unordered-containers (>=0.2.10 && <0.3), vector (>=0.12.0.1 && <0.13) [details]
Tested with ghc ==9.0.1, ghc ==8.10.1, ghc ==8.8.1, ghc ==8.6.3, ghc ==8.4.4, ghc ==8.2.2
License MIT
Copyright 2021 Mission Valley Software LLC
Author Chris Martin
Maintainer Chris Martin, Julie Moronuki
Category Network, AWS, Cloud
Home page https://github.com/typeclasses/aws-cloudfront-signed-cookies
Bug tracker https://github.com/typeclasses/aws-cloudfront-signed-cookies/issues
Source repo head: git clone https://github.com/typeclasses/aws-cloudfront-signed-cookies
Uploaded by chris_martin at 2021-06-10T09:42:45Z
Distributions LTSHaskell:0.2.0.12
Executables aws-cloudfront-signed-cookies
Downloads 4027 total (35 in the last 30 days)
Rating 2.0 (votes: 1) [estimated by Bayesian average]
Your Rating
  • λ
  • λ
  • λ
Status Docs available [build log]
Last success reported on 2021-06-10 [all 1 reports]

Readme for aws-cloudfront-signed-cookies-0.2.0.8

[back to package description]

aws-cloudfront-signed-cookies

Generate signed cookies for AWS CloudFront

One way to serve private content through AWS CloudFront is to use signed cookies. This package helps you generate signed cookies using a custom IAM policy which may include a range of time for which the cookie is valid and an IP address restriction.

The library

Creating signed cookies

Example usage:

{-# LANGUAGE OverloadedStrings, ScopedTypeVariables #-}

import Network.AWS.CloudFront.SignedCookies

import qualified Data.Text.IO

main :: IO ()
main = do

  -- Construct an IAM policy that expires three days from now
  policy :: Policy <- simplePolicy
    (Resource "https://example.com/secrets/*")
    (Lifespan (3 * nominalDay))

  -- Parse the .pem file to get the private key
  key :: PrivateKey <- readPrivateKeyPemFile
    (PemFilePath "./pk-APKAIATXN3RCIOVT5WRQ.pem")

  -- Construct signed cookies
  cookies :: CookiesText <- createSignedCookies
    (KeyPairId "APKAIATXN3RCIOVT5WRQ") key policy

  Data.Text.IO.putStrLn (renderCookiesText cookies)

The output should look something like this:

Cookie: CloudFront-Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9zZWNyZXRzLyoiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE1MjM2NjQxMjV9fX1dfQ__
Cookie: CloudFront-Signature=R17isgiJD36sb4kh4pNxqq5eFCx5Q~vC~QbQKMhi9BqyhLboLQfb3pCdPp-WSVYOn4wlOobqhgcwoX2vjCd3y8eiUtelX1~ddaDlPBkkdZA~5Imd2z-W1o3r0coKB1SE2SPFT7M1XgNvwOPanQoft1VLchfVPGaitFYMum4KS~GXffqQZzaVybKJ64KfFLLBPSobg8MmBhHvpO9DBiwKijmGhDip~6L3W7OcqGT8HdqAmWxjnTHInXpx7bbVotla6a~J6WB6xmtJrmQzMLdTUxAY6IbJ2PzMtTXKgdNzbByGHvImg9k3Q3fNBTim8l7Tds1zpwX9GsuPcFkPe9HZ1Q__
Cookie: CloudFront-Key-Pair-Id=APKAIATXN3RCIOVT5WRQ

You can see a very similar example in action in the Network.AWS.CloudFront.SignedCookies.CLI.Sign module which defines the command-line interface for creating signed cookies.

Decoding policy cookies

After you generate a policy cookie and send it to a client, you may later want to parse it back into a Policy value -- for example, to determine whether you need to send a new set of cookies to replace an expired policy.

Example in GHCi:

λ> cookiePolicy (PolicyCookie "eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9zZWNyZXRzLyoiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE1MjM2NjQxMjV9fX1dfQ__")
Right (Policy {policyResource = Resource "https://example.com/secrets/*", policyStart = StartImmediately, policyEnd = EndTime 1523664125s, policyIpAddress = AnyIp})

The executable

You can also generate cookies using the command-line interface. It provides two commands:

  • sign - Given a private key and policy options, produces signed cookies and prints them as HTTP request headers.
  • decode - Decodes a CloudFront-Policy cookie and prints it in human-readable JSON format.

sign

$ aws-cloudfront-signed-cookies sign --help
Generate signed cookies for AWS CloudFront

Usage: aws-cloudfront-signed-cookies sign --pem-file ARG --key-pair-id ARG
                                          --resource ARG --days ARG

Available options:
  --pem-file ARG           Location in the filesystem where a .pem file
                           containing an RSA secret key can be found
  --key-pair-id ARG        CloudFront key pair ID for the key pair that you are
                           using to generate signature
  --resource ARG           URL that the policy will grant access to, optionally
                           containing asterisks for wildcards
  --days ARG               Integer number of days until the policy expires
  -h,--help                Show this help text

Example usage:

$ aws-cloudfront-signed-cookies sign           \
    --pem-file pk-APKAIATXN3RCIOVT5WRQ.pem     \
    --key-pair-id APKAIATXN3RCIOVT5WRQ         \
    --resource "https://example.com/secrets/*" \
    --days 2

Output:

Cookie: CloudFront-Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9zZWNyZXRzLyoiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE1MjM2NjQxMjV9fX1dfQ__
Cookie: CloudFront-Signature=R17isgiJD36sb4kh4pNxqq5eFCx5Q~vC~QbQKMhi9BqyhLboLQfb3pCdPp-WSVYOn4wlOobqhgcwoX2vjCd3y8eiUtelX1~ddaDlPBkkdZA~5Imd2z-W1o3r0coKB1SE2SPFT7M1XgNvwOPanQoft1VLchfVPGaitFYMum4KS~GXffqQZzaVybKJ64KfFLLBPSobg8MmBhHvpO9DBiwKijmGhDip~6L3W7OcqGT8HdqAmWxjnTHInXpx7bbVotla6a~J6WB6xmtJrmQzMLdTUxAY6IbJ2PzMtTXKgdNzbByGHvImg9k3Q3fNBTim8l7Tds1zpwX9GsuPcFkPe9HZ1Q__
Cookie: CloudFront-Key-Pair-Id=APKAIATXN3RCIOVT5WRQ

decode

$ aws-cloudfront-signed-cookies decode --help
Decode signed AWS CloudFront policy cookies

Usage: aws-cloudfront-signed-cookies decode --policy-cookie ARG

Available options:
  --policy-cookie ARG      The value of a CloudFront-Policy cookie
  -h,--help                Show this help text

Example usage:

$ aws-cloudfront-signed-cookies decode --policy-cookie eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9zZWNyZXRzLyoiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE1MjM2NjQxMjV9fX1dfQ__
{
    "Statement": [
        {
            "Resource": "https://example.com/secrets/*",
            "Condition": {
                "DateLessThan": {
                    "AWS:EpochTime": 1523664125
                }
            }
        }
    ]
}