@aws-sdk/cloudfront-signer 3.90.0

package/dist-es/sign.js

@@ -0,0 +1,251 @@
+import { parseUrl } from "@aws-sdk/url-parser";
+import { createSign } from "crypto";
+export function getSignedUrl(_a) {
+    var dateLessThan = _a.dateLessThan, dateGreaterThan = _a.dateGreaterThan, url = _a.url, keyPairId = _a.keyPairId, privateKey = _a.privateKey, ipAddress = _a.ipAddress, policy = _a.policy;
+    var parsedUrl = parseUrl(url);
+    var queryParams = [];
+    for (var key in parsedUrl.query) {
+        queryParams.push("".concat(key, "=").concat(parsedUrl.query[key]));
+    }
+    var cloudfrontSignBuilder = new CloudfrontSignBuilder({
+        keyPairId: keyPairId,
+        privateKey: privateKey,
+    });
+    if (policy) {
+        cloudfrontSignBuilder.setCustomPolicy(policy);
+    }
+    else {
+        cloudfrontSignBuilder.setPolicyParameters({
+            url: url,
+            dateLessThan: dateLessThan,
+            dateGreaterThan: dateGreaterThan,
+            ipAddress: ipAddress,
+        });
+    }
+    var cloudfrontQueryParams = cloudfrontSignBuilder.createCloudfrontAttribute();
+    if (cloudfrontQueryParams["Expires"]) {
+        queryParams.push("Expires=".concat(cloudfrontQueryParams["Expires"]));
+    }
+    if (cloudfrontQueryParams["Policy"]) {
+        queryParams.push("Policy=".concat(cloudfrontQueryParams["Policy"]));
+    }
+    queryParams.push("Key-Pair-Id=".concat(keyPairId));
+    queryParams.push("Signature=".concat(cloudfrontQueryParams["Signature"]));
+    var urlWithNewQueryParams = "".concat(url.split("?")[0], "?").concat(queryParams.join("&"));
+    var urlParser = new CloudfrontURLParser();
+    if (urlParser.determineScheme(url) === "rtmp") {
+        return urlParser.getRtmpUrl(urlWithNewQueryParams);
+    }
+    return urlWithNewQueryParams;
+}
+export function getSignedCookies(_a) {
+    var ipAddress = _a.ipAddress, url = _a.url, privateKey = _a.privateKey, keyPairId = _a.keyPairId, dateLessThan = _a.dateLessThan, dateGreaterThan = _a.dateGreaterThan, policy = _a.policy;
+    var cloudfrontSignBuilder = new CloudfrontSignBuilder({
+        keyPairId: keyPairId,
+        privateKey: privateKey,
+    });
+    if (policy) {
+        cloudfrontSignBuilder.setCustomPolicy(policy);
+    }
+    else {
+        cloudfrontSignBuilder.setPolicyParameters({
+            url: url,
+            dateLessThan: dateLessThan,
+            dateGreaterThan: dateGreaterThan,
+            ipAddress: ipAddress,
+        });
+    }
+    var cloudfrontCookieAttributes = cloudfrontSignBuilder.createCloudfrontAttribute();
+    var cookies = {
+        "CloudFront-Key-Pair-Id": cloudfrontCookieAttributes["Key-Pair-Id"],
+        "CloudFront-Signature": cloudfrontCookieAttributes["Signature"],
+    };
+    if (cloudfrontCookieAttributes["Expires"]) {
+        cookies["CloudFront-Expires"] = cloudfrontCookieAttributes["Expires"];
+    }
+    if (cloudfrontCookieAttributes["Policy"]) {
+        cookies["CloudFront-Policy"] = cloudfrontCookieAttributes["Policy"];
+    }
+    return cookies;
+}
+var CloudfrontURLParser = (function () {
+    function CloudfrontURLParser() {
+    }
+    CloudfrontURLParser.prototype.determineScheme = function (url) {
+        var parts = url.split("://");
+        if (parts.length < 2) {
+            throw new Error("Invalid URL.");
+        }
+        return parts[0].replace("*", "");
+    };
+    CloudfrontURLParser.prototype.getRtmpUrl = function (rtmpUrl) {
+        var parsed = new URL(rtmpUrl);
+        return parsed.pathname.replace(/^\//, "") + parsed.search + parsed.hash;
+    };
+    CloudfrontURLParser.prototype.getResource = function (url) {
+        switch (this.determineScheme(url)) {
+            case "http":
+            case "https":
+                return url;
+            case "rtmp":
+                return this.getRtmpUrl(url);
+            default:
+                throw new Error("Invalid URI scheme. Scheme must be one of http, https, or rtmp");
+        }
+    };
+    return CloudfrontURLParser;
+}());
+var CloudfrontSignBuilder = (function () {
+    function CloudfrontSignBuilder(_a) {
+        var privateKey = _a.privateKey, keyPairId = _a.keyPairId;
+        this.customPolicy = false;
+        this.urlParser = new CloudfrontURLParser();
+        this.keyPairId = keyPairId;
+        this.privateKey = privateKey;
+        this.policy = "";
+    }
+    CloudfrontSignBuilder.prototype.buildPolicy = function (args) {
+        var policy = {
+            Statement: [
+                {
+                    Resource: args.resource,
+                    Condition: {
+                        DateLessThan: {
+                            "AWS:EpochTime": args.dateLessThan,
+                        },
+                    },
+                },
+            ],
+        };
+        if (args.dateGreaterThan) {
+            policy.Statement[0].Condition["DateGreaterThan"] = {
+                "AWS:EpochTime": args.dateGreaterThan,
+            };
+        }
+        if (args.ipAddress) {
+            var cidr = this.parseCIDR(args.ipAddress);
+            policy.Statement[0].Condition["IpAddress"] = {
+                "AWS:SourceIp": cidr,
+            };
+        }
+        return policy;
+    };
+    CloudfrontSignBuilder.prototype.normalizeBase64 = function (str) {
+        var replacements = {
+            "+": "-",
+            "=": "_",
+            "/": "~",
+        };
+        return str.replace(/[+=/]/g, function (match) {
+            return replacements[match];
+        });
+    };
+    CloudfrontSignBuilder.prototype.encodeToBase64 = function (str) {
+        return this.normalizeBase64(Buffer.from(str).toString("base64"));
+    };
+    CloudfrontSignBuilder.prototype.validateIP = function (ipStr) {
+        var octets = ipStr.split(".");
+        if (octets.length !== 4) {
+            throw new Error("IP does not contain four octets.");
+        }
+        var isValid = octets.every(function (octet) {
+            var num = Number(octet);
+            return Number.isInteger(num) && num >= 0 && num <= 255;
+        });
+        if (!isValid) {
+            throw new Error("invalid IP octets");
+        }
+    };
+    CloudfrontSignBuilder.prototype.validateMask = function (maskStr) {
+        var mask = Number(maskStr);
+        var isValid = Number.isInteger(mask) && mask >= 0 && mask <= 32;
+        if (!isValid) {
+            throw new Error("invalid mask");
+        }
+    };
+    CloudfrontSignBuilder.prototype.parseCIDR = function (cidrStr) {
+        try {
+            var cidrParts = cidrStr.split("/");
+            if (cidrParts.some(function (part) { return part.length === 0; })) {
+                throw new Error("missing ip or mask part of CIDR");
+            }
+            this.validateIP(cidrParts[0]);
+            var mask = "32";
+            if (cidrParts.length === 2) {
+                this.validateMask(cidrParts[1]);
+                mask = cidrParts[1];
+            }
+            return "".concat(cidrParts[0], "/").concat(mask);
+        }
+        catch (error) {
+            var errMessage = "IP address \"".concat(cidrStr, "\" is invalid");
+            if (error instanceof Error) {
+                throw new Error("".concat(errMessage, " due to ").concat(error.message, "."));
+            }
+            else {
+                throw new Error("".concat(errMessage, "."));
+            }
+        }
+    };
+    CloudfrontSignBuilder.prototype.epochTime = function (date) {
+        return Math.round(date.getTime() / 1000);
+    };
+    CloudfrontSignBuilder.prototype.parseDate = function (date) {
+        if (!date) {
+            return undefined;
+        }
+        var parsedDate = Date.parse(date);
+        return isNaN(parsedDate) ? undefined : this.epochTime(new Date(parsedDate));
+    };
+    CloudfrontSignBuilder.prototype.parseDateWindow = function (expiration, start) {
+        var dateLessThan = this.parseDate(expiration);
+        if (!dateLessThan) {
+            throw new Error("dateLessThan is invalid. Ensure the date string is compatible with the Date constructor.");
+        }
+        return {
+            dateLessThan: dateLessThan,
+            dateGreaterThan: this.parseDate(start),
+        };
+    };
+    CloudfrontSignBuilder.prototype.signData = function (data, privateKey) {
+        var sign = createSign("RSA-SHA1");
+        sign.update(data);
+        return sign.sign(privateKey, "base64");
+    };
+    CloudfrontSignBuilder.prototype.signPolicy = function (policy, privateKey) {
+        return this.normalizeBase64(this.signData(policy, privateKey));
+    };
+    CloudfrontSignBuilder.prototype.setCustomPolicy = function (policy) {
+        this.customPolicy = true;
+        this.policy = policy;
+    };
+    CloudfrontSignBuilder.prototype.setPolicyParameters = function (_a) {
+        var url = _a.url, dateLessThan = _a.dateLessThan, dateGreaterThan = _a.dateGreaterThan, ipAddress = _a.ipAddress;
+        if (!url || !dateLessThan) {
+            return false;
+        }
+        var resource = this.urlParser.getResource(url);
+        var parsedDates = this.parseDateWindow(dateLessThan, dateGreaterThan);
+        this.dateLessThan = parsedDates.dateLessThan;
+        this.customPolicy = Boolean(parsedDates.dateGreaterThan) || Boolean(ipAddress);
+        this.policy = JSON.stringify(this.buildPolicy({
+            resource: resource,
+            ipAddress: ipAddress,
+            dateLessThan: parsedDates.dateLessThan,
+            dateGreaterThan: parsedDates.dateGreaterThan,
+        }));
+    };
+    CloudfrontSignBuilder.prototype.createCloudfrontAttribute = function () {
+        if (!Boolean(this.policy)) {
+            throw new Error("Invalid policy");
+        }
+        var signature = this.signPolicy(this.policy, this.privateKey);
+        return {
+            Expires: this.customPolicy ? undefined : this.dateLessThan,
+            Policy: this.customPolicy ? this.encodeToBase64(this.policy) : undefined,
+            "Key-Pair-Id": this.keyPairId,
+            Signature: signature,
+        };
+    };
+    return CloudfrontSignBuilder;
+}());

package/dist-types/index.d.ts

@@ -0,0 +1 @@
+export * from "./sign";

package/dist-types/sign.d.ts

@@ -0,0 +1,59 @@
+/// <reference types="node" />
+/** Input type to getSignedUrl and getSignedCookies. */
+export declare type CloudfrontSignInput = CloudfrontSignInputWithParameters | CloudfrontSignInputWithPolicy;
+export interface CloudfrontSignInputBase {
+    /** The URL string to sign. */
+    url: string;
+    /** The ID of the Cloudfront key pair. */
+    keyPairId: string;
+    /** The content of the Cloudfront private key. */
+    privateKey: string | Buffer;
+    /** The date string for when the signed URL or cookie can no longer be accessed. */
+    dateLessThan?: string;
+    /** The IP address string to restrict signed URL access to. */
+    ipAddress?: string;
+    /** The date string for when the signed URL or cookie can start to be accessed. */
+    dateGreaterThan?: string;
+}
+export declare type CloudfrontSignInputWithParameters = CloudfrontSignInputBase & {
+    /** The date string for when the signed URL or cookie can no longer be accessed */
+    dateLessThan: string;
+    /** For this type policy should not be provided. */
+    policy?: never;
+};
+export declare type CloudfrontSignInputWithPolicy = CloudfrontSignInputBase & {
+    /** The JSON-encoded policy string */
+    policy: string;
+    /**
+     * For this type dateLessThan should not be provided.
+     */
+    dateLessThan?: never;
+    /**
+     * For this type ipAddress should not be provided.
+     */
+    ipAddress?: string;
+    /**
+     * For this type dateGreaterThan should not be provided.
+     */
+    dateGreaterThan?: never;
+};
+export interface CloudfrontSignedCookiesOutput {
+    /** ID of the Cloudfront key pair. */
+    "CloudFront-Key-Pair-Id": string;
+    /** Hashed, signed, and base64-encoded version of the JSON policy. */
+    "CloudFront-Signature": string;
+    /** The unix date time for when the signed URL or cookie can no longer be accessed. */
+    "CloudFront-Expires"?: number;
+    /** Base64-encoded version of the JSON policy. */
+    "CloudFront-Policy"?: string;
+}
+/**
+ * Creates a signed URL string using a canned or custom policy.
+ * @returns the input URL with signature attached as query parameters.
+ */
+export declare function getSignedUrl({ dateLessThan, dateGreaterThan, url, keyPairId, privateKey, ipAddress, policy, }: CloudfrontSignInput): string;
+/**
+ * Creates signed cookies using a canned or custom policy.
+ * @returns an object with keys/values that can be added to cookies.
+ */
+export declare function getSignedCookies({ ipAddress, url, privateKey, keyPairId, dateLessThan, dateGreaterThan, policy, }: CloudfrontSignInput): CloudfrontSignedCookiesOutput;

package/dist-types/ts3.4/index.d.ts

@@ -0,0 +1 @@
+export * from "./sign";

package/dist-types/ts3.4/sign.d.ts

@@ -0,0 +1,47 @@
+
+
+export declare type CloudfrontSignInput = CloudfrontSignInputWithParameters | CloudfrontSignInputWithPolicy;
+export interface CloudfrontSignInputBase {
+    
+    url: string;
+    
+    keyPairId: string;
+    
+    privateKey: string | Buffer;
+    
+    dateLessThan?: string;
+    
+    ipAddress?: string;
+    
+    dateGreaterThan?: string;
+}
+export declare type CloudfrontSignInputWithParameters = CloudfrontSignInputBase & {
+    
+    dateLessThan: string;
+    
+    policy?: never;
+};
+export declare type CloudfrontSignInputWithPolicy = CloudfrontSignInputBase & {
+    
+    policy: string;
+    
+    dateLessThan?: never;
+    
+    ipAddress?: string;
+    
+    dateGreaterThan?: never;
+};
+export interface CloudfrontSignedCookiesOutput {
+    
+    "CloudFront-Key-Pair-Id": string;
+    
+    "CloudFront-Signature": string;
+    
+    "CloudFront-Expires"?: number;
+    
+    "CloudFront-Policy"?: string;
+}
+
+export declare function getSignedUrl({ dateLessThan, dateGreaterThan, url, keyPairId, privateKey, ipAddress, policy, }: CloudfrontSignInput): string;
+
+export declare function getSignedCookies({ ipAddress, url, privateKey, keyPairId, dateLessThan, dateGreaterThan, policy, }: CloudfrontSignInput): CloudfrontSignedCookiesOutput;

package/jest.config.js

@@ -0,0 +1,6 @@
+const base = require("../../jest.config.base.js");
+
+module.exports = {
+  ...base,
+  testPathIgnorePatterns: ["/node_modules/"],
+};

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@aws-sdk/cloudfront-signer",
+  "version": "3.90.0",
+  "scripts": {
+    "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
+    "build:cjs": "tsc -p tsconfig.cjs.json",
+    "build:es": "tsc -p tsconfig.es.json",
+    "build:types": "tsc -p tsconfig.types.json",
+    "build:types:downlevel": "downlevel-dts dist-types dist-types/ts3.4",
+    "clean": "rimraf ./dist-* && rimraf *.tsbuildinfo",
+    "test": "jest"
+  },
+  "main": "./dist-cjs/index.js",
+  "module": "./dist-es/index.js",
+  "types": "./dist-types/index.d.ts",
+  "author": {
+    "name": "AWS SDK for JavaScript Team",
+    "url": "https://aws.amazon.com/javascript/"
+  },
+  "license": "Apache-2.0",
+  "dependencies": {
+    "@aws-sdk/url-parser": "3.78.0"
+  },
+  "devDependencies": {
+    "@tsconfig/recommended": "1.0.1",
+    "concurrently": "7.0.0",
+    "downlevel-dts": "0.7.0",
+    "rimraf": "3.0.2",
+    "typedoc": "0.19.2",
+    "typescript": "~4.6.2"
+  },
+  "engines": {
+    "node": ">= 12.0.0"
+  },
+  "typesVersions": {
+    "<4.0": {
+      "dist-types/*": [
+        "dist-types/ts3.4/*"
+      ]
+    }
+  },
+  "homepage": "https://github.com/aws/aws-sdk-js-v3/tree/master/packages/cloudfront-signer",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/aws/aws-sdk-js-v3.git",
+    "directory": "packages/cloudfront-signer"
+  }
+}

package/src/index.ts

@@ -0,0 +1 @@
+export * from "./sign";