| Safe Haskell | None |
|---|---|
| Language | Haskell2010 |
Network.AWS.CloudFront.SignedCookies
Contents
Description
Example usage:
{-# LANGUAGE OverloadedStrings, ScopedTypeVariables #-}
import Network.AWS.CloudFront.SignedCookies
import qualified Data.Text.IO
main :: IO ()
main = do
-- Construct an IAM policy that expires three days from now
policy :: Policy <- simplePolicy
(Resource "https://example.com/secrets/*")
(Lifespan (3 * nominalDay))
-- Parse the .pem file to get the private key
key :: PrivateKey <- readPrivateKeyPemFile
(PemFilePath "./pk-APKAIATXN3RCIOVT5WRQ.pem")
-- Construct signed cookies
cookies :: CookiesText <- createSignedCookies
(KeyPairId "APKAIATXN3RCIOVT5WRQ") key policy
Data.Text.IO.putStrLn (renderCookiesText cookies)Output:
Cookie: CloudFront-Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc29... Cookie: CloudFront-Signature=wMN6V3Okxk7sdSPZeebMh-wo... Cookie: CloudFront-Key-Pair-Id=APKAIATXN3RCIOVT5WRQ
You can see a very similar example in action in the Network.AWS.CloudFront.SignedCookies.CLI module.
- createSignedCookies :: KeyPairId -> PrivateKey -> Policy -> IO CookiesText
- simplePolicy :: Resource -> Lifespan -> IO Policy
- data Policy = Policy {}
- newtype Resource = Resource Text
- newtype Lifespan = Lifespan NominalDiffTime
- data StartTime
- newtype EndTime = EndTime POSIXTime
- data IpAddress
- readPrivateKeyPemFile :: PemFilePath -> IO PrivateKey
- newtype PemFilePath = PemFilePath Text
- newtype KeyPairId = KeyPairId Text
- data PrivateKey :: *
- policyJSON :: Policy -> ByteString
- jsonTextPolicy :: Text -> Either String Policy
- jsonValPolicy :: Value -> Either String Policy
- cookiePolicy :: PolicyCookie -> Either String Policy
- type CookiesText = [(Text, Text)]
- renderCookiesText :: CookiesText -> Text
- newtype PolicyCookie = PolicyCookie Text
- newtype SignatureCookie = SignatureCookie Text
- data NominalDiffTime :: *
- type POSIXTime = NominalDiffTime
- nominalDay :: NominalDiffTime
- getPOSIXTime :: IO POSIXTime
- data Text :: *
Creating signed cookies
Arguments
| :: KeyPairId | A CloudFront key pair ID, which must be associated with a
trusted signer in the CloudFront distribution that you
specify in the |
| -> PrivateKey | The private key associated with the |
| -> Policy | The policy specifies what resource is being granted, for what
time period, and to what IP addresses. Construct a policy
using the |
| -> IO CookiesText |
Defining a CloudFront policy
A policy specifies what resource is being granted, for what time period, and to what IP addresses.
For AWS's documentation on what going into a CloudFront policy statement, see Values That You Specify in the Policy Statement for a Custom Policy for Signed Cookies.
Constructors
| Policy | |
Fields
| |
URL that a policy will grant access to, optionally containing asterisks for wildcards.
Examples:
"https://d123example.cloudfront.net/index.html""https://d123example.cloudfront.net/*.jpeg"
How long from now the credentials expire
Constructors
| Lifespan NominalDiffTime |
The time at which credentials begin to take effect
Constructors
| StartImmediately | |
| StartTime POSIXTime |
The time at which credentials expire
The IP address or address range of clients allowed to make requests
Getting your private key
readPrivateKeyPemFile Source #
Arguments
| :: PemFilePath | The filesystem path of the |
| -> IO PrivateKey |
Read an RSA private key from a .pem file you downloaded from AWS.
newtype PemFilePath Source #
Location in the filesystem where a .pem file containing an RSA secret key can be found.
The filename downloaded from AWS looks like this:
"pk-APKAIATXN3RCIOVT5WRQ.pem"
Constructors
| PemFilePath Text |
Instances
CloudFront key pair ID for the key pair that you are using to generate signature.
The key pair ID can be found in the name of key files that you download, and looks like this:
APKAIATXN3RCIOVT5WRQ
data PrivateKey :: * #
Represent a RSA private key.
Only the pub, d fields are mandatory to fill.
p, q, dP, dQ, qinv are by-product during RSA generation, but are useful to record here to speed up massively the decrypt and sign operation.
implementations can leave optional fields to 0.
Instances
Policy JSON
policyJSON :: Policy -> ByteString Source #
Encode a Policy as JSON, with no whitespace, as AWS requires.
Excerpt from Setting Signed Cookies Using a Custom Policy:
- "Remove all whitespace (including tabs and newline characters) from the policy statement."
Reading cookies
Miscellaneous
Cookies
type CookiesText = [(Text, Text)] #
Textual cookies. Functions assume UTF8 encoding.
renderCookiesText :: CookiesText -> Text Source #
Format a list of cookies as HTTP request headers.
newtype PolicyCookie Source #
The value of a CloudFront-Policy cookie.
Constructors
| PolicyCookie Text |
Instances
newtype SignatureCookie Source #
The value of a CloudFront-Signature cookie.
Constructors
| SignatureCookie Text |
Instances
Time
data NominalDiffTime :: * #
This is a length of time, as measured by UTC. Conversion functions will treat it as seconds. It has a precision of 10^-12 s. It ignores leap-seconds, so it's not necessarily a fixed amount of clock time. For instance, 23:00 UTC + 2 hours of NominalDiffTime = 01:00 UTC (+ 1 day), regardless of whether a leap-second intervened.
type POSIXTime = NominalDiffTime #
POSIX time is the nominal time since 1970-01-01 00:00 UTC
To convert from a CTime or EpochTime, use realToFrac.
nominalDay :: NominalDiffTime #
One day in NominalDiffTime.
getPOSIXTime :: IO POSIXTime #
Get the current POSIX time from the system clock.