Safe Haskell | Safe-Inferred |
---|---|
Language | Haskell2010 |
Example usage:
```haskell
{-# LANGUAGE OverloadedStrings, ScopedTypeVariables #-}

import Network.AWS.CloudFront.SignedCookies

import qualified Data.Text.IO

main :: IO ()
main = do

  -- Construct an IAM policy that expires three days from now
  policy :: Policy <- simplePolicy
    (Resource "https://example.com/secrets/*")
    (Lifespan (3 * nominalDay))

  -- Parse the .pem file to get the private key
  key :: PrivateKey <- readPrivateKeyPemFile
    (PemFilePath "./pk-APKAIATXN3RCIOVT5WRQ.pem")

  -- Construct signed cookies
  cookies :: CookiesText <- createSignedCookies
    (KeyPairId "APKAIATXN3RCIOVT5WRQ") key policy

  Data.Text.IO.putStrLn (renderCookiesText cookies)
```
Output:
```
Cookie: CloudFront-Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc29...
Cookie: CloudFront-Signature=wMN6V3Okxk7sdSPZeebMh-wo...
Cookie: CloudFront-Key-Pair-Id=APKAIATXN3RCIOVT5WRQ
```
You can see a very similar example in action in the Network.AWS.CloudFront.SignedCookies.CLI module.
Synopsis
- createSignedCookies :: KeyPairId -> PrivateKey -> Policy -> IO CookiesText
- simplePolicy :: Resource -> Lifespan -> IO Policy
- data Policy = Policy {}
- newtype Resource = Resource Text
- newtype Lifespan = Lifespan NominalDiffTime
- data StartTime
- newtype EndTime = EndTime POSIXTime
- data IpAddress
- readPrivateKeyPemFile :: PemFilePath -> IO PrivateKey
- newtype PemFilePath = PemFilePath Text
- newtype KeyPairId = KeyPairId Text
- data PrivateKey
- policyJSON :: Policy -> ByteString
- jsonTextPolicy :: Text -> Either String Policy
- jsonValPolicy :: Value -> Either String Policy
- cookiePolicy :: PolicyCookie -> Either String Policy
- type CookiesText = [(Text, Text)]
- renderCookiesText :: CookiesText -> Text
- newtype PolicyCookie = PolicyCookie Text
- newtype SignatureCookie = SignatureCookie Text
- data NominalDiffTime
- type POSIXTime = NominalDiffTime
- nominalDay :: NominalDiffTime
- getPOSIXTime :: IO POSIXTime
- data Text
Creating signed cookies
:: KeyPairId | A CloudFront key pair ID, which must be associated with a
trusted signer in the CloudFront distribution that you
specify in the |
-> PrivateKey | The private key associated with the |
-> Policy | The policy specifies what resource is being granted, for what
time period, and to what IP addresses. Construct a policy
using the |
-> IO CookiesText |
Defining a CloudFront policy
A policy specifies what resource is being granted, for what time period, and to what IP addresses.
For AWS's documentation on what goes into a CloudFront policy statement, see Values That You Specify in the Policy Statement for a Custom Policy for Signed Cookies.
Policy | |
|
URL that a policy will grant access to, optionally containing asterisks for wildcards.
Examples:
"https://d123example.cloudfront.net/index.html"
"https://d123example.cloudfront.net/*.jpeg"
The time at which credentials begin to take effect
The IP address or address range of clients allowed to make requests
Getting your private key
readPrivateKeyPemFile
:: PemFilePath | The filesystem path of the |
-> IO PrivateKey |
Read an RSA private key from a .pem file you downloaded from AWS.
newtype PemFilePath
Location in the filesystem where a .pem file containing an RSA secret key can be found.
The filename downloaded from AWS looks like this:
"pk-APKAIATXN3RCIOVT5WRQ.pem"
Instances
- Show PemFilePath (defined in Network.AWS.CloudFront.SignedCookies.Types)
  - showsPrec :: Int -> PemFilePath -> ShowS
  - show :: PemFilePath -> String
  - showList :: [PemFilePath] -> ShowS
- Eq PemFilePath (defined in Network.AWS.CloudFront.SignedCookies.Types)
  - (==) :: PemFilePath -> PemFilePath -> Bool
  - (/=) :: PemFilePath -> PemFilePath -> Bool
CloudFront key pair ID for the key pair that you are using to generate the signature.
The key pair ID can be found in the name of key files that you download, and looks like this:
APKAIATXN3RCIOVT5WRQ
data PrivateKey
Represents an RSA private key.
Only the pub and d fields are mandatory.
p, q, dP, dQ and qinv are by-products of RSA key generation, but recording them here massively speeds up the decrypt and sign operations.
Implementations can leave optional fields set to 0.
Policy JSON
policyJSON :: Policy -> ByteString
Encode a Policy as JSON, with no whitespace, as AWS requires.
Excerpt from Setting Signed Cookies Using a Custom Policy:
- "Remove all whitespace (including tabs and newline characters) from the policy statement."
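The whitespace-free JSON described above is what ends up, base64-encoded with CloudFront's character substitutions, in the CloudFront-Policy cookie. The following added example (Python, standard library only; not part of this library or its documentation) encodes a custom policy in that documented format and audits an issued cookie value for whitespace, lifetime and IP scope. The function names, the fixed sample timestamp and the audit thresholds are assumptions made for the illustration.

```python
import base64
import json

# CloudFront swaps the three base64 characters that are unsafe in cookies/URLs.
TO_COOKIE = str.maketrans("+=/", "-_~")
FROM_COOKIE = str.maketrans("-_~", "+=/")

def encode_policy(resource, end_epoch, start_epoch=None, source_ip=None):
    """Build a custom policy and return it as a CloudFront-Policy cookie value."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(end_epoch)}}
    if start_epoch is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": int(start_epoch)}
    if source_ip is not None:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    policy = {"Statement": [{"Resource": resource, "Condition": condition}]}
    compact = json.dumps(policy, separators=(",", ":"))  # no whitespace at all
    b64 = base64.b64encode(compact.encode("utf-8")).decode("ascii")
    return b64.translate(TO_COOKIE)

def decode_policy(cookie_value):
    """Undo the cookie encoding; return (raw JSON text, parsed policy)."""
    b64 = cookie_value.translate(FROM_COOKIE)
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    return raw, json.loads(raw)

def audit_policy(cookie_value, now, max_lifetime):
    """List what a reviewer would flag in an issued CloudFront-Policy cookie."""
    raw, policy = decode_policy(cookie_value)
    condition = policy["Statement"][0].get("Condition", {})
    findings = []
    if any(ch.isspace() for ch in raw):
        findings.append("policy JSON contains whitespace")
    end = condition.get("DateLessThan", {}).get("AWS:EpochTime")
    if end is None:
        findings.append("no expiry (DateLessThan) in policy")
    elif end <= now:
        findings.append("policy has already expired")
    elif end - now > max_lifetime:
        findings.append("lifetime exceeds %d seconds" % max_lifetime)
    if "IpAddress" not in condition:
        findings.append("not restricted to a client IP range")
    return findings

NOW = 1_700_000_000  # constructed "current time" so the results are reproducible
SAMPLE = encode_policy("https://example.com/secrets/*", NOW + 3 * 86400)

if __name__ == "__main__":
    print(SAMPLE, audit_policy(SAMPLE, NOW, max_lifetime=86400))
```

The encoded sample begins with the same `eyJTdGF0ZW1lbnQiOlt7IlJlc29` prefix as the CloudFront-Policy value in the output shown earlier, because both start with `{"Statement":[{"Resource"`.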
Reading cookies
Miscellaneous
Cookies
type CookiesText = [(Text, Text)]
Textual cookies. Functions assume UTF8 encoding.
renderCookiesText :: CookiesText -> Text
Format a list of cookies as HTTP request headers.
newtype PolicyCookie
The value of a CloudFront-Policy cookie.
Instances
- Show PolicyCookie (defined in Network.AWS.CloudFront.SignedCookies.Types)
  - showsPrec :: Int -> PolicyCookie -> ShowS
  - show :: PolicyCookie -> String
  - showList :: [PolicyCookie] -> ShowS
- Eq PolicyCookie (defined in Network.AWS.CloudFront.SignedCookies.Types)
  - (==) :: PolicyCookie -> PolicyCookie -> Bool
  - (/=) :: PolicyCookie -> PolicyCookie -> Bool
newtype SignatureCookie
The value of a CloudFront-Signature cookie.
Instances
- Show SignatureCookie (defined in Network.AWS.CloudFront.SignedCookies.Types)
  - showsPrec :: Int -> SignatureCookie -> ShowS
  - show :: SignatureCookie -> String
  - showList :: [SignatureCookie] -> ShowS
- Eq SignatureCookie (defined in Network.AWS.CloudFront.SignedCookies.Types)
  - (==) :: SignatureCookie -> SignatureCookie -> Bool
  - (/=) :: SignatureCookie -> SignatureCookie -> Bool
Time
data NominalDiffTime
This is a length of time, as measured by UTC. It has a precision of 10^-12 s.
Conversion functions such as fromInteger and realToFrac will treat it as seconds. For example, (0.010 :: NominalDiffTime) corresponds to 10 milliseconds.
It has a precision of one picosecond (= 10^-12 s). Enumeration functions will treat it as picoseconds.
It ignores leap-seconds, so it's not necessarily a fixed amount of clock time. For instance, 23:00 UTC + 2 hours of NominalDiffTime = 01:00 UTC (+ 1 day), regardless of whether a leap-second intervened.
type POSIXTime = NominalDiffTime
POSIX time is the nominal time since 1970-01-01 00:00 UTC.
To convert from a CTime or System.Posix.EpochTime, use realToFrac.
nominalDay :: NominalDiffTime
One day in NominalDiffTime.
getPOSIXTime :: IO POSIXTime
Get the current POSIX time from the system clock.
Text
A space efficient, packed, unboxed Unicode text type.
Instances
- FromJSON Text
- FromJSONKey Text (defined in Data.Aeson.Types.FromJSON)
- ToJSON Text (defined in Data.Aeson.Types.ToJSON)
- ToJSONKey Text (defined in Data.Aeson.Types.ToJSON)
- Chunk Text (defined in Data.Attoparsec.Internal.Types)
  - type ChunkElem Text
  - pappendChunk :: State Text -> Text -> State Text
  - atBufferEnd :: Text -> State Text -> Pos
  - bufferElemAt :: Text -> Pos -> State Text -> Maybe (ChunkElem Text, Int)
  - chunkElemToChar :: Text -> ChunkElem Text -> Char
- Hashable Text (defined in Data.Hashable.Class)
- Ixed Text (defined in Control.Lens.At)
- AsJSON Text
- AsNumber Text
- AsValue Text
- IsKey Text
- type ChunkElem Text (defined in Data.Attoparsec.Internal.Types)
- type State Text (defined in Data.Attoparsec.Internal.Types)
  - type State Text = Buffer
- type Item Text
- type Index Text (defined in Control.Lens.At)
- type IxValue Text (defined in Control.Lens.At)