 Documentation
      ¶
      Documentation
      ¶
    
    
  
    
  
    Overview ¶
Package sign provides utilities to generate signed URLs for Amazon CloudFront.
More information about signed URLs and their structure can be found at: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.html
To sign a URL create a URLSigner with your private key and credential pair key ID. Once you have a URLSigner instance you can call Sign or SignWithPolicy to sign the URLs.
Example:
// Sign URL to be valid for 1 hour from now.
signer := sign.NewURLSigner(keyID, privKey)
signedURL, err := signer.Sign(rawURL, time.Now().Add(1*time.Hour))
if err != nil {
    log.Fatalf("Failed to sign url, err: %s\n", err.Error())
}
Index ¶
- func CreateResource(scheme, u string) (string, error)
- func LoadEncryptedPEMPrivKey(reader io.Reader, password []byte) (*rsa.PrivateKey, error)
- func LoadPEMPrivKey(reader io.Reader) (*rsa.PrivateKey, error)
- func LoadPEMPrivKeyFile(name string) (*rsa.PrivateKey, error)
- type AWSEpochTime
- type Condition
- type IPAddress
- type Policy
- type Statement
- type URLSigner
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CreateResource ¶
CreateResource constructs, validates, and returns a resource URL string. An error will be returned if unable to create the resource string.
func LoadEncryptedPEMPrivKey ¶
LoadEncryptedPEMPrivKey decrypts the PEM encoded private key using the password provided returning a RSA private key. If the PEM data is invalid, or unable to decrypt an error will be returned.
func LoadPEMPrivKey ¶
func LoadPEMPrivKey(reader io.Reader) (*rsa.PrivateKey, error)
LoadPEMPrivKey reads a PEM encoded RSA private key from the io.Reader. A new RSA private key will be returned if no error.
func LoadPEMPrivKeyFile ¶
func LoadPEMPrivKeyFile(name string) (*rsa.PrivateKey, error)
LoadPEMPrivKeyFile reads a PEM encoded RSA private key from the file name. A new RSA private key will be returned if no error.
Types ¶
type AWSEpochTime ¶
An AWSEpochTime wraps a time value providing JSON serialization needed for AWS Policy epoch time fields.
func NewAWSEpochTime ¶
func NewAWSEpochTime(t time.Time) *AWSEpochTime
NewAWSEpochTime returns a new AWSEpochTime pointer wrapping the Go time provided.
func (AWSEpochTime) MarshalJSON ¶
func (t AWSEpochTime) MarshalJSON() ([]byte, error)
MarshalJSON serializes the epoch time as AWS Profile epoch time.
type Condition ¶
type Condition struct {
	// Optional IP address mask the signed URL must be requested from.
	IPAddress *IPAddress `json:"IpAddress,omitempty"`
	// Optional date that the signed URL cannot be used until. It is invalid
	// to make requests with the signed URL prior to this date.
	DateGreaterThan *AWSEpochTime `json:",omitempty"`
	// Required date that the signed URL will expire. A DateLessThan is required
	// sign cloud front URLs
	DateLessThan *AWSEpochTime `json:",omitempty"`
}
    A Condition defines the restrictions for how a signed URL can be used.
type IPAddress ¶
type IPAddress struct {
	SourceIP string `json:"AWS:SourceIp"`
}
    An IPAddress wraps an IPAddress source IP providing JSON serialization information
type Policy ¶
type Policy struct {
	// List of resource and condition statements.
	// Signed URLs should only provide a single statement.
	Statements []Statement `json:"Statement"`
}
    A Policy defines the resources that a signed will be signed for.
See the following page for more information on how policies are constructed. http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html#private-content-custom-policy-statement
func NewCannedPolicy ¶
NewCannedPolicy returns a new Canned Policy constructed using the resource and expires time. This can be used to generate the basic model for a Policy that can be then augmented with additional conditions.
See the following page for more information on how policies are constructed. http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html#private-content-custom-policy-statement
func (*Policy) Sign ¶
func (p *Policy) Sign(privKey *rsa.PrivateKey) (b64Signature, b64Policy []byte, err error)
Sign will sign a policy using an RSA private key. It will return a base 64 encoded signature and policy if no error is encountered.
The signature and policy should be added to the signed URL following the guidelines in: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
type Statement ¶
type Statement struct {
	// The Web or RTMP resource the URL will be signed for
	Resource string
	// The set of conditions for this resource
	Condition Condition
}
    A Statement is a collection of conditions for resources
type URLSigner ¶
type URLSigner struct {
	// contains filtered or unexported fields
}
    An URLSigner provides URL signing utilities to sign URLs for Amazon CloudFront resources. Using a private key and Credential Key Pair key ID the URLSigner only needs to be created once per Credential Key Pair key ID and private key.
The signer is safe to use concurrently.
func NewURLSigner ¶
func NewURLSigner(keyID string, privKey *rsa.PrivateKey) *URLSigner
NewURLSigner constructs and returns a new URLSigner to be used to for signing Amazon CloudFront URL resources with.
func (URLSigner) Sign ¶
Sign will sign a single URL to expire at the time of expires sign using the Amazon CloudFront default Canned Policy. The URL will be signed with the private key and Credential Key Pair Key ID previously provided to URLSigner.
This is the default method of signing Amazon CloudFront URLs. If extra policy conditions are need other than URL expiry use SignWithPolicy instead.
Example:
// Sign URL to be valid for 1 hour from now.
signer := sign.NewURLSigner(keyID, privKey)
signedURL, err := signer.Sign(rawURL, time.Now().Add(1*time.Hour))
if err != nil {
    log.Fatalf("Failed to sign url, err: %s\n", err.Error())
}
  
  func (URLSigner) SignWithPolicy ¶
SignWithPolicy will sign a URL with the Policy provided. The URL will be signed with the private key and Credential Key Pair Key ID previously provided to URLSigner.
Use this signing method if you are looking to sign a URL with more than just the URL's expiry time, or reusing Policies between multiple URL signings. If only the expiry time is needed you can use Sign and provide just the URL's expiry time.
Note: It is not safe to use Polices between multiple signers concurrently
Example:
// Sign URL to be valid for 30 minutes from now, expires one hour from now, and
// restricted to the 192.0.2.0/24 IP address range.
policy := &sign.Policy{
    Statements: []Statement{
        {
            Resource: rawURL,
            Condition: Condition{
                // Optional IP source address range
                IPAddress: &IPAddress{SourceIP: "192.0.2.0/24"},
                // Optional date URL is not valid until
                DateGreaterThan: &AWSEpochTime{time.Now().Add(30 * time.Minute)},
                // Required date the URL will expire after
                DateLessThan: &AWSEpochTime{time.Now().Add(1 * time.Hour)},
            }
        }
    }
}
signer := sign.NewURLSigner(keyID, privKey)
signedURL, err := signer.SignWithPolicy(rawURL, policy)
if err != nil {
    log.Fatalf("Failed to sign url, err: %s\n", err.Error())
}