Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Signed URLs and Signed Cookies for CloudFront in Python with boto
from boto.cloudfront.distribution import Distribution
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
import base64
class BetterThanBoto(Distribution):
def sign_rsa(self, message):
private_key = serialization.load_pem_private_key(self.keyfile, password=None,
backend=default_backend())
signer = private_key.signer(padding.PKCS1v15(), hashes.SHA1())
message = message.encode('utf-8')
signer.update(message)
return signer.finalize()
def _sign_string(self, message, private_key_file=None, private_key_string=None):
if private_key_file is not None:
self.keyfile = open(private_key_file, 'rb').read()
elif private_key_string is not None:
self.keyfile = private_key_string.encode('utf-8')
else:
raise Exception("private_key_file or private_key_string required")
if self.keyfile is None:
logging.error("Error loading cloudfront signing key")
return self.sign_rsa(message)
@staticmethod
def _url_base64_encode(msg):
"""
Base64 encodes a string using the URL-safe characters specified by
Amazon.
"""
msg_base64 = base64.b64encode(msg).decode('utf-8')
msg_base64 = msg_base64.replace('+', '-')
msg_base64 = msg_base64.replace('=', '_')
msg_base64 = msg_base64.replace('/', '~')
return msg_base64
def generate_signature(self, policy, private_key_file=None, private_key_string=None):
"""
:param policy: no-whitespace json str (NOT encoded yet)
:param private_key_file: your .pem file with which to sign the policy
:return: encoded signature for use in cookie
"""
# Distribution._create_signing_params()
signature = self._sign_string(policy,
private_key_file=private_key_file,
private_key_string=private_key_string)
# now base64 encode the signature & make URL safe
encoded_signature = self._url_base64_encode(signature)
return encoded_signature
def create_signed_cookies(self, url, private_key_file=None, private_key_string=None,
keypair_id=None,
expires_at=None, secure=True):
"""
generate the Cloudfront download distirbution signed cookies
:param resource: The object or path of resource.
Examples: 'dir/object.mp4', 'dir/*', '*'
:param private_key_file: Path to the private key file (pem encoded)
:param key_pair_id: ID of the keypair used to sign the cookie
:param expire_minutes: The number of minutes until expiration
:param secure: use https or http protocol for Cloudfront URL - update
to match your distribution settings.
:return: Cookies to be set
"""
# generate no-whitespace json policy,
# then base64 encode & make url safe
policy = self._custom_policy(
url,
expires_at
)
encoded_policy = self._url_base64_encode(policy.encode('utf-8'))
# assemble the 3 Cloudfront cookies
signature = self.generate_signature(
policy,
private_key_file=private_key_file,
private_key_string=private_key_string
)
cookies = {
"CloudFront-Policy": encoded_policy,
"CloudFront-Signature": signature,
"CloudFront-Key-Pair-Id": keypair_id
}
return cookies
def create_signed_cookies(object_url, expires_at):
"""
Create a signed cookie
"""
cf = BetterThanBoto()
cookies = cf.create_signed_cookies(url=object_url,
keypair_id=keypair_id="XXXXXXXXXXX",
expires_at=expires_at,
private_key_file="ssl/key.pem")
return cookies
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment