cloudfront-signer 1.0.0

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in aws-cf-signer.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) 2011 Anthony Bouch
+Portions Copyright (c) 2011 Dylan Vaughn
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.markdown

@@ -0,0 +1,103 @@
+cloudfront-signer
+=================
+
+A fork of Dylan Vaughn's [excellent signing gem](https://github.com/stlondemand/aws_cf_signer). 
+
+See Amazon docs for [Using a Signed URL to Serve Private Content](http://docs.amazonwebservices.com/AmazonCloudFront/latest/DeveloperGuide/index.html?PrivateContent.html)
+
+This version uses all class methods and a configure method to initialize options.
+
+Seperate helper methods exist for safe signing of urls and stream paths, each of which has slightly different requirements. For example, urls must not contain any spaces, whereas a stream path can. Also we might not want to html escape a url or path if it is being supplied to a JavaScript block or Flash object.
+
+Installation
+------------
+
+The original gem was published as `aws_cf_signer`. Use `gem install aws_cf_signer` to install that version.
+
+This gem has been publised as `cloudfront-signer`. Use `gem install cloudfront-signer` to install this gem. 
+
+Alternatively, place a copy of cloudfront-signer.rb (and the cloundfront-signer sub directory) in your lib directory.
+
+In either case the signing class must be configured - supplying the path to a signing key.
+
+In a Rails app this can be done by creating an initializer script in the /config/initializers directory.
+
+e.g. 
+
+    require 'cloudfront-signer'
+
+    AWS::CF::Signer.configure! "#{Rails.root}/keys/pk-APKAIKURNAUNR2BDSFDMA.pem"
+
+
+Usage
+-----
+
+Call the class `sign_url` or `sign_path` method with optional policy settings.
+
+    AWS::CF::Signer.sign_url 'http://mydomain/path/to/my/content'
+
+or 
+
+    AWS::CF::Signer.sign_url 'http://mydomain/path/to/my/content', :expires => Time.now + 600
+
+Streaming paths can be signed with the `sign_path` method.
+
+    AWS::CF::Signer.sign_path 'path/to/my/content'
+
+or 
+
+    AWS::CF::Signer.sign_path 'path/to/my/content', :expires => Time.now + 600
+
+
+Both `sign_url` and `sign_path` have _safe_ versions that HTML encode the result allowing signed paths or urls to be placed in HTML markup. The 'non'-safe versions can be used for placing signed urls or paths in JavaScript blocks or Flash params.
+
+
+### Custom Policies
+
+See Example Custom Policy 1 at above AWS doc link
+
+    url = AWS::CF::Signer.sign_url('http://d604721fxaaqy9.cloudfront.net/training/orientation.avi',
+            :expires   => 'Sat, 14 Nov 2009 22:20:00 GMT',
+            :resource => 'http://d604721fxaaqy9.cloudfront.net/training/*',
+            :ip_range => '145.168.143.0/24'
+    )
+
+See Example Custom Policy 2 at above AWS doc link
+
+    url = AWS::CF::Signer.sign_url('http://d84l721fxaaqy9.cloudfront.net/downloads/pictures.tgz',
+            :starting => 'Thu, 30 Apr 2009 06:43:10 GMT',
+            :expires   => 'Fri, 16 Oct 2009 06:31:56 GMT',
+            :resource => 'http://*',
+            :ip_range => '216.98.35.1/32'
+    )
+
+You can also pass in a path to a policy file. This will supersede any other policy options
+
+    url = AWS::CF::Signer.sign_url('http://d84l721fxaaqy9.cloudfront.net/downloads/pictures.tgz', :policy_file => '/path/to/policy/file.txt')
+
+
+Note on Patches/Pull Requests (verbatum from Dylan's original repository)
+-------------------------------------------------------------------------
+
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+future version unintentionally.
+* Commit, do not mess with rakefile, version, or history.
+(if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+Attributions
+------------
+
+Parts of signing code taken from a question on Stack Overflow asked by Ben Wiseley, and answered by Blaz Lipuscek and Manual M:
+
+* [http://stackoverflow.com/questions/2632457/create-signed-urls-for-cloudfront-with-ruby](http://stackoverflow.com/questions/2632457/create-signed-urls-for-cloudfront-with-ruby)
+* [http://stackoverflow.com/users/315829/ben-wiseley](http://stackoverflow.com/users/315829/ben-wiseley)
+* [http://stackoverflow.com/users/267804/blaz-lipuscek](http://stackoverflow.com/users/267804/blaz-lipuscek)
+* [http://stackoverflow.com/users/327914/manuel-m](http://stackoverflow.com/users/327914/manuel-m)
+
+License
+-------
+
+cloudfront-signer is distributed under the MIT License, portions copyright © 2011 Dylan Vaughn, STL, Anthony Bouch

data/Rakefile

@@ -0,0 +1,11 @@
+require 'bundler/gem_tasks'
+
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec) do |t|
+  t.pattern = 'spec/**/*_spec.rb'
+  t.rspec_opts = ["--colour", "--format", "nested"]
+end
+
+task :default => :spec
+

data/cloudfront-signer.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "cloudfront-signer/version"
+
+Gem::Specification.new do |s|
+  s.name        = "cloudfront-signer"
+  s.version     = AWS::CF::VERSION
+  s.authors     = ["Anthony Bouch"]
+  s.email       = ["tony@58bits.com"]
+  s.homepage    = "http://github.com/58bits/cloudfront-signer"
+  s.summary     = %q{A gem to sign url and stream paths for Amazon CloudFront private content.}
+  s.description = %q{A fork of Dylan Vaughn's excellent signing gem - https://github.com/stlondemand/aws_cf_signer. The gem has been rewritten to use class methods and includes specific signing methods for both url and streaming paths, including html 'safe' escpaed versions of each.}
+
+  s.rubyforge_project = "cloudfront-signer"
+
+  s.add_development_dependency "rspec" 
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+end

data/lib/cloudfront-signer.rb

@@ -0,0 +1,188 @@
+# A re-write of https://github.com/stlondemand/aws_cf_signer
+#
+require 'openssl'
+require 'time'
+require 'base64'
+require "cloudfront-signer/version"
+
+module AWS
+    module CF
+        class Signer
+            # Public non-inheritable class accessors
+            #----------------------------------------------------------------------------
+            class << self
+                attr_accessor :key_pair_id
+
+                def key_path
+                    @key_path
+                end
+
+                def key_path=(path)
+                    raise ArgumentError.new("The signing key could not be found at #{path}") unless File.exists?(path)
+                    @key_path = path
+                    @key = OpenSSL::PKey::RSA.new(File.readlines(path).join(""))
+                end
+
+                def default_expires
+                    @default_expires ||= 3600
+                end
+
+                def default_expires=(value)
+                    raise ArgumentError.new("The default expires value must be an integer") unless value.is_a?(Integer)
+                    @default_expires = value
+                end
+
+                private
+
+                # Private key
+                #----------------------------------------------------------------------------
+                def private_key
+                    @key
+                end
+            end
+
+            #----------------------------------------------------------------------------
+            def self.is_configured?
+                if self.key_path && self.key_pair_id && private_key
+                    return true
+                else
+                    return false
+                end 
+            end
+
+
+            # Configure the signing class. 
+            #----------------------------------------------------------------------------
+            def self.configure!(key_path, options = {})
+
+                raise ArgumentError.new("You must supply the path to a PEM format private RSA key.") if key_path.nil?
+                self.key_path = key_path
+
+                @key_pair_id = options[:key_pair_id] || extract_key_pair_id(key_path)
+                unless @key_pair_id
+                    raise ArgumentError.new("The Cloudfront signing key id could not be inferred from #{key_path}. Please supply the key pair id as a configuration arguemet.")
+                end
+
+                @default_expires = options[:default_expires] ? options[:default_expires] : 3600
+            end
+
+
+            # Signing methods
+            #----------------------------------------------------------------------------
+
+            # Sign a url - encoding any spaces in the url before signing. CloudFront 
+            # stipulates that signed URLs must not contain spaces (as opposed to stream
+            # paths/filenames which CAN contain spaces). 
+            #----------------------------------------------------------------------------
+            def self.sign_url(subject, policy_options = {}) 
+                self.sign(subject, {:remove_spaces => true}, policy_options) 
+            end
+
+            # Sign a url (as above) and HTML encode the result.
+            #----------------------------------------------------------------------------
+            def self.sign_url_safe(subject, policy_options = {}) 
+                self.sign(subject, {:remove_spaces => true, :html_escape => true}, policy_options) 
+            end
+
+            # Sign a stream path part or filename (spaces are allowed in stream paths 
+            # and so are not removed).
+            #----------------------------------------------------------------------------
+            def self.sign_path(subject, policy_options ={})
+                self.sign(subject, {:remove_spaces => false}, policy_options) 
+            end
+
+            # Sign a stream path or filename and HTML encode the result.
+            #----------------------------------------------------------------------------
+            def self.sign_path_safe(subject, policy_options ={})
+                self.sign(subject, {:remove_spaces => false, :html_escape => true}, policy_options) 
+            end
+
+
+            # Sign a subject url or stream resource name with optional configuration and 
+            # policy options
+            #----------------------------------------------------------------------------
+            def self.sign(subject, configuration_options = {}, policy_options = {})
+
+                raise "Configure using AWS::CF.Signer.configure! before signing." unless self.is_configured?
+
+                # If the url or stream path already has a query string parameter - append to that.
+                separator = subject =~ /\?/ ? '&' : '?'
+
+                if configuration_options[:remove_spaces]
+                    subject.gsub!(/\s/, "%20")
+                end
+
+                if policy_options[:policy_file]
+                    policy = IO.read(policy_options[:policy_file])
+                    result = "#{subject}#{separator}Policy=#{encode_policy(policy)}&Signature=#{create_signature(policy)}&Key-Pair-Id=#{@key_pair_id}"
+                else
+                    if policy_options.keys.size <= 1
+                        # Canned Policy - shorter URL
+                        expires_at = epoch_time(policy_options[:expires] || Time.now + self.default_expires)
+                        policy = %({"Statement":[{"Resource":"#{subject}","Condition":{"DateLessThan":{"AWS:EpochTime":#{expires_at}}}}]})
+                        result = "#{subject}#{separator}Expires=#{expires_at}&Signature=#{create_signature(policy)}&Key-Pair-Id=#{@key_pair_id}"
+                    else
+                        # Custom Policy
+                        resource = policy_options[:resource] || subject
+                        policy = generate_custom_policy(resource, policy_options)
+                        result = "#{subject}#{separator}Policy=#{encode_policy(policy)}&Signature=#{create_signature(policy)}&Key-Pair-Id=#{@key_pair_id}"
+                    end
+                end
+
+                if configuration_options[:html_escape]
+                    return html_encode(result)    
+                else
+                    return result
+                end
+            end
+
+
+            # Private helper methods
+            #----------------------------------------------------------------------------
+            private
+
+
+            #----------------------------------------------------------------------------
+            def self.generate_custom_policy(resource, options)
+                conditions = ["\"DateLessThan\":{\"AWS:EpochTime\":#{epoch_time(options[:expires])}}"]
+                conditions << "\"DateGreaterThan\":{\"AWS:EpochTime\":#{epoch_time(options[:starting])}}" if options[:starting]
+                conditions << "\"IpAddress\":{\"AWS:SourceIp\":\"#{options[:ip_range]}\"" if options[:ip_range]
+                %({"Statement":[{"Resource":"#{resource}","Condition":{#{conditions.join(',')}}}}]})
+            end
+
+            #----------------------------------------------------------------------------
+            def self.epoch_time(timelike)
+                case timelike
+                when String then Time.parse(timelike).to_i
+                when Time   then timelike.to_i
+                else raise ArgumentError.new("Invalid argument - String or Time required - #{timelike.class} passed.")
+                end
+            end
+
+            #----------------------------------------------------------------------------
+            def self.encode_policy(policy)
+                url_encode(Base64.encode64(policy))
+            end
+
+            #----------------------------------------------------------------------------
+            def self.create_signature(policy)
+                url_encode(Base64.encode64(private_key.sign(OpenSSL::Digest::SHA1.new, (policy))))
+            end
+
+            #----------------------------------------------------------------------------
+            def self.extract_key_pair_id(key_path)
+                File.basename(key_path) =~ /^pk-(.*).pem$/ ? $1 : nil
+            end
+
+            #----------------------------------------------------------------------------
+            def self.url_encode(s)
+                s.gsub('+','-').gsub('=','_').gsub('/','~').gsub(/\n/,'').gsub(' ','')
+            end
+
+            #----------------------------------------------------------------------------
+            def self.html_encode(s)
+                return s.gsub('?', '%3F').gsub('=', '%3D').gsub('&', '%26')
+            end
+        end
+    end
+end

data/lib/cloudfront-signer/version.rb

@@ -0,0 +1,5 @@
+module AWS
+    module CF
+        VERSION = "1.0.0"
+    end
+end

data/spec/keys/pk-APKAIKUROOUNR2BAFUUU.pem

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQCp280I7v8JBVJBN7Kdfl4eD+noyqzbLAsz9mIr07hZQ3PjVa5g
+3j5Q8oXioU2ycxzXephfPr83l/FTAtPSZQ94Jh6u/CdoEYXfEtFbJYQ2lHXrra36
+yVcyyxQ6tAKgUHdWnZ/vbItUhLnhCSqwelTNpgRzf6AKdVOtQPaZ+bnkQQIDAQAB
+AoGAXWSPTbQq4gjc+yLmwJW0pg7V67tUY4XJ+x4jSDm3CM1/sKVxpa1M0jEm0D8k
+e1Ozrf6oPOZBOQ4AEEZjtTD/2Yi8U0bwG97fg9NlZddGNN2jj8pEOWY53/iVWcfb
+VGXVDlhUA0uIZhKK3Sl2SW9t/8p7affjJmGKn2nGLieRKIkCQQDQmExXqRnVNtCz
+qjTPt81MU4cIrzXr/tUC9s6An8OcgiTDjiIOnY3XB/F19lpMQIMEzrB7f04GrpkQ
+0w6p/3NXAkEA0HXjiSyZaEoXoR2e/dTZrKw8npnjjW0CpKeSf8PK8qpFPK0UJOk7
+aU0rStQmoAmygcHiw3hJ7slyVS8f9zn+JwJBAMMVbHCfadWKSm19RZ7um0ZC6Asr
+MhbgYX9AK6kHwf3hiViK2TcqCrmMaDqWh6TAwMgCNfOKAAMnz2d4vEIo8kkCQQCl
+qnq4gkQsWG2s8jBvg1+2VW8bkCsCMvbdyfqoJP69mUnK7bXLm7tGdTiJkE5d8zb0
+3hQLyiXfaiK9xeS+gk0TAkEAtuFcd+taoBnjhVL6q0OhNuA1T1+qYr5fyzQWKKKC
++WMRi2/JCJCL/SX12q5hMq759VnzfnbgqwAq6MlPUZKEBQ==
+-----END RSA PRIVATE KEY-----

data/spec/keys/rsa-APKAIKUROOUNR2BAFUUU.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCp280I7v8JBVJBN7Kdfl4eD+no
+yqzbLAsz9mIr07hZQ3PjVa5g3j5Q8oXioU2ycxzXephfPr83l/FTAtPSZQ94Jh6u
+/CdoEYXfEtFbJYQ2lHXrra36yVcyyxQ6tAKgUHdWnZ/vbItUhLnhCSqwelTNpgRz
+f6AKdVOtQPaZ+bnkQQIDAQAB
+-----END PUBLIC KEY-----

data/spec/signer_spec.rb

@@ -0,0 +1,74 @@
+require 'spec_helper'
+
+describe AWS::CF::Signer do
+
+    let(:key_path) { File.expand_path(File.dirname(__FILE__) + '/keys/pk-APKAIKUROOUNR2BAFUUU.pem') }
+
+    before(:each) do
+        AWS::CF::Signer.configure!(key_path)
+    end
+
+    describe "before default use" do
+
+        it "should be configured" do
+            AWS::CF::Signer.is_configured?.should eql(true)
+        end
+
+        it "should expire urls and paths in one hour by default" do
+            AWS::CF::Signer.default_expires.should eql(3600)
+        end
+
+        it "should optionally be configured to expire urls and paths in ten minutes" do
+            AWS::CF::Signer.configure!(key_path, :default_expires => 600)
+            AWS::CF::Signer.default_expires.should eql(600)
+        end
+    end
+
+    describe "when signing a url" do
+
+        it "should remove spaces from the url" do
+            url = "http://somedomain.com/sign me"
+            result = AWS::CF::Signer.sign_url(url)
+            (result =~ /\s/).should be_nil
+        end
+
+        it "should not html encode the signed url by default" do
+            url = "http://somedomain.com/someresource?opt1=one&opt2=two"
+            result = AWS::CF::Signer.sign_url(url)
+            (result =~ /\?/).should_not be_nil
+            (result =~ /=/).should_not be_nil
+            (result =~ /&/).should_not be_nil
+        end
+
+        it "should optionally html encode the signed url" do
+            url = "http://somedomain.com/someresource?opt1=one&opt2=two"
+            result = AWS::CF::Signer.sign_url_safe(url)
+            (result =~ /\?/).should be_nil
+            (result =~ /=/).should be_nil
+            (result =~ /&/).should be_nil
+        end
+
+        it "should expire in one hour by default" do
+            url = "http://somedomain.com/sign me"
+            result = AWS::CF::Signer.sign_url(url)
+            get_query_value(result, 'Expires').to_i.should eql((Time.now + 3600).to_i)
+        end
+
+        it "should optionally expire in ten minutes" do
+            url = "http://somedomain.com/sign me"
+            result = AWS::CF::Signer.sign_url(url, :expires => Time.now + 600)
+            get_query_value(result, 'Expires').to_i.should eql((Time.now + 600 ).to_i)
+        end
+
+    end
+
+
+    describe "when signing a path" do
+
+        it "should not remove spaces from the path" do
+            path = "/someprefix/sign me"
+            result = AWS::CF::Signer.sign_path(path)
+            (result =~ /\s/).should_not be_nil
+        end
+    end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,20 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+
+require 'rspec'
+require 'cloudfront-signer'
+
+def get_query_value(url, key)
+    query_string = url.slice((url =~ /\?/) + 1..-1) 
+    pairs = query_string.split('&')
+    pairs.each do |item|
+        if item.start_with?(key)
+            return item.split('=')[1]
+        end
+    end
+end
+
+
+RSpec.configure do |config|
+
+end

metadata

@@ -0,0 +1,76 @@
+--- !ruby/object:Gem::Specification
+name: cloudfront-signer
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Anthony Bouch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-08-08 00:00:00.000000000 +07:00
+default_executable: 
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &2151692620 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2151692620
+description: A fork of Dylan Vaughn's excellent signing gem - https://github.com/stlondemand/aws_cf_signer.
+  The gem has been rewritten to use class methods and includes specific signing methods
+  for both url and streaming paths, including html 'safe' escpaed versions of each.
+email:
+- tony@58bits.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- README.markdown
+- Rakefile
+- cloudfront-signer.gemspec
+- lib/cloudfront-signer.rb
+- lib/cloudfront-signer/version.rb
+- spec/keys/pk-APKAIKUROOUNR2BAFUUU.pem
+- spec/keys/rsa-APKAIKUROOUNR2BAFUUU.pem
+- spec/signer_spec.rb
+- spec/spec_helper.rb
+has_rdoc: true
+homepage: http://github.com/58bits/cloudfront-signer
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: cloudfront-signer
+rubygems_version: 1.6.2
+signing_key: 
+specification_version: 3
+summary: A gem to sign url and stream paths for Amazon CloudFront private content.
+test_files:
+- spec/keys/pk-APKAIKUROOUNR2BAFUUU.pem
+- spec/keys/rsa-APKAIKUROOUNR2BAFUUU.pem
+- spec/signer_spec.rb
+- spec/spec_helper.rb