package com.widen.urlbuilder;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Base64;
import java.util.Calendar;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TimeZone;
import java.util.concurrent.TimeUnit;
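/**
 * Builds CloudFront URLs signed with a "canned policy".
 *
 * <p>The policy assembled in {@link #toString()} contains only a {@code Resource} and a
 * {@code DateLessThan} condition, so the resulting URL is not tied to any client attribute.
 * Treat it as a bearer credential: keep lifetimes short and avoid writing generated URLs to logs.
 *
 * <p>Instances are mutable and hold a stateful {@link Signature}; they are not safe for
 * concurrent use.
 */
public class CloudfrontUrlBuilder
{

    private String distributionHostname;

    private String key;

    // Defaults to false; callers opt in to SSL through withSsl().
    private boolean ssl;

    private final TrustedSignerCredentials trustedSignerCredentials;

    private String attachmentFilename;

    private String contentType;

    private final ExpireDateHolder expireDate = new ExpireDateHolder();

    // LinkedHashMap keeps caller-supplied parameters in insertion order.
    private final Map<String, String> parameters = new LinkedHashMap<>();

    /**
     * Construct a "canned policy" Cloudfront URL; you must set an expire date.
     * Uses the "SunRsaSign" crypto provider.
     *
     * @param distributionHostname hostname of the distribution the URL points at
     * @param key path of the object within the distribution
     * @param keyPairId identifier emitted as the {@code Key-Pair-Id} query parameter
     * @param privateKey private key used to sign the policy
     */
    public CloudfrontUrlBuilder(String distributionHostname, String key, String keyPairId, PrivateKey privateKey)
    {
        this(distributionHostname, key, keyPairId, privateKey, "SunRsaSign");
    }

    /**
     * Construct a "canned policy" Cloudfront URL; you must set an expire date. Use "BC" to use
     * Bouncy Castle as crypto provider when generating SHA1 signature.
     *
     * @param distributionHostname hostname of the distribution the URL points at
     * @param key path of the object within the distribution
     * @param keyPairId identifier emitted as the {@code Key-Pair-Id} query parameter
     * @param privateKey private key used to sign the policy
     * @param cryptoProvider name of the JCA provider that supplies the signature implementation
     * @throws RuntimeException if the signer cannot be created or initialised with the key
     */
    public CloudfrontUrlBuilder(String distributionHostname, String key, String keyPairId, PrivateKey privateKey, String cryptoProvider)
    {
        this.distributionHostname = distributionHostname;
        this.key = key;
        this.trustedSignerCredentials = new TrustedSignerCredentials(keyPairId, privateKey, cryptoProvider);
    }

    /**
     * Replace the distribution hostname.
     *
     * @param hostname new hostname
     * @return this builder
     */
    public CloudfrontUrlBuilder withDistributionHostname(String hostname)
    {
        this.distributionHostname = hostname;
        return this;
    }

    /**
     * Replace the object key (URL path).
     *
     * @param key new object key
     * @return this builder
     */
    public CloudfrontUrlBuilder withKey(String key)
    {
        this.key = key;
        return this;
    }

    /**
     * Request that the response carry an attachment content disposition with this filename.
     * The value becomes the {@code response-content-disposition} query parameter, which is added
     * before the policy is built and is therefore part of the signed resource.
     *
     * @param attachmentFilename filename to advertise; blank values are ignored
     * @return this builder
     */
    public CloudfrontUrlBuilder withAttachmentFilename(String attachmentFilename)
    {
        this.attachmentFilename = attachmentFilename;
        return this;
    }

    /**
     * Request a response content type. The value becomes the {@code response-content-type}
     * query parameter, which is added before the policy is built and is therefore part of the
     * signed resource.
     *
     * @param contentType content type to request; blank values are ignored
     * @return this builder
     */
    public CloudfrontUrlBuilder withContentType(String contentType)
    {
        this.contentType = contentType;
        return this;
    }

    /**
     * Add a query parameter. Parameters are added before the policy is built and are therefore
     * part of the signed resource.
     *
     * @param key parameter name
     * @param value parameter value
     * @return this builder
     */
    public CloudfrontUrlBuilder addParameter(String key, String value)
    {
        parameters.put(key, value);
        return this;
    }

    /**
     * Generate the URL with SSL enabled.
     *
     * <p>NOTE(review): {@code ssl} defaults to false; the scheme {@code UrlBuilder} emits in that
     * case is not visible here, presumably plain http. A signed URL sent without TLS exposes the
     * signature to anyone on the path, so confirm callers enable this.
     *
     * @return this builder
     */
    public CloudfrontUrlBuilder withSsl()
    {
        ssl = true;
        return this;
    }

    /**
     * Time generated link is valid for. Expire time is calculated when
     * #toString() is executed.
     *
     * <p>A duration of 0 is treated as "not set". A negative duration yields an expiry in the
     * past. An absolute expiry set through {@link #expireAt(Date)} takes precedence.
     *
     * @param duration length of the validity window
     * @param unit unit of {@code duration}
     * @return this builder
     */
    public CloudfrontUrlBuilder expireIn(long duration, TimeUnit unit)
    {
        // duration is a primitive and is boxed for this call, so only the unit check can fail.
        InternalUtils.checkNotNull(duration, "duration");
        InternalUtils.checkNotNull(unit, "unit");

        expireDate.duration = duration;
        expireDate.unit = unit;
        return this;
    }

    /**
     * Set absolute time URL will expire. Time is accurate to seconds.
     *
     * @param date expiry instant; {@code null} clears the absolute expiry
     * @return this builder
     */
    public CloudfrontUrlBuilder expireAt(Date date)
    {
        // Date is mutable: copy it so a caller that later changes its own instance cannot
        // silently move the expiry of URLs produced by this builder.
        expireDate.instant = (date == null) ? null : new Date(date.getTime());
        return this;
    }

    /**
     * Build and sign the URL.
     *
     * <p>The unsigned URL (host, path, scheme, caller parameters and the optional response
     * overrides) is used as the policy {@code Resource}; {@code Expires}, {@code Signature} and
     * {@code Key-Pair-Id} are appended afterwards.
     *
     * @return the signed, fully qualified URL
     * @throws RuntimeException if signing fails
     */
    @Override
    public String toString()
    {
        // Presumably rejects a missing expiry; checkNotNull is defined outside this file.
        InternalUtils.checkNotNull(expireDate.getExpireDate(), "Expire date");

        // Resolve the expiry exactly once. A relative expiry is derived from the current clock on
        // every call, so reading it separately for the policy and for the Expires parameter can
        // straddle a second boundary and produce a URL whose signature does not match.
        final long expiresEpochSeconds = expireDate.getExpiresUtcSeconds();

        UrlBuilder builder = new UrlBuilder();
        builder.withHostname(distributionHostname);
        builder.withPath(key);
        builder.usingSsl(ssl);
        builder.addParameters(parameters);
        builder.modeFullyQualified();

        if (StringUtilsInternal.isNotBlank(attachmentFilename))
        {
            builder.addParameter("response-content-disposition", HttpUtils.createContentDispositionHeader("attachment", attachmentFilename));
        }

        if (StringUtilsInternal.isNotBlank(contentType))
        {
            builder.addParameter("response-content-type", contentType);
        }

        // NOTE(review): the resource URL is spliced into the JSON policy without JSON escaping.
        // This relies on UrlBuilder percent-encoding characters such as '"' and '\' - confirm.
        String cannedPolicy = String.format("{\"Statement\":[{\"Resource\":\"%s\",\"Condition\":{\"DateLessThan\":{\"AWS:EpochTime\":%s}}}]}", builder.toString(), expiresEpochSeconds);

        String signature = trustedSignerCredentials.sign(cannedPolicy);

        builder.addParameter("Expires", expiresEpochSeconds);
        // sign() already maps the Base64 output to URL-safe characters, so it is added unencoded.
        builder.addParameter("Signature", signature, new NoEncodingEncoder());
        builder.addParameter("Key-Pair-Id", trustedSignerCredentials.accessKeyId);

        return builder.toString();
    }

    /**
     * Holds either an absolute expiry or a relative one (duration plus unit). The absolute value
     * wins when both are present.
     */
    private static class ExpireDateHolder
    {
        long duration;

        TimeUnit unit;

        Date instant;

        /**
         * @return the absolute expiry if set; otherwise now plus the configured duration;
         *         {@code null} when neither is set (duration of 0)
         */
        Date getExpireDate()
        {
            if (instant != null)
            {
                return instant;
            }

            if (duration == 0)
            {
                return null;
            }

            // Evaluated against the clock at call time, so successive calls return later values.
            long futureMillis = unit.toMillis(duration) + System.currentTimeMillis();
            return new Date(futureMillis);
        }

        /**
         * @return the expiry as whole seconds since the epoch, truncating any milliseconds
         */
        long getExpiresUtcSeconds()
        {
            Calendar gmt = Calendar.getInstance(TimeZone.getTimeZone("GMT"));
            gmt.setTime(getExpireDate());
            return gmt.getTimeInMillis() / 1000;
        }

        /**
         * @return whether an expiry has been configured
         */
        boolean isSet()
        {
            return getExpireDate() != null;
        }
    }

    /**
     * Key pair identifier plus an initialised signer for the matching private key.
     *
     * <p>The {@link Signature} instance is created once and reused by every {@link #sign(String)}
     * call. It accumulates state between {@code update} and {@code sign}, so an instance must not
     * be used from several threads at the same time.
     */
    public static class TrustedSignerCredentials
    {
        private final String accessKeyId;

        private final Signature signer;

        /**
         * @param accessKeyId key pair identifier
         * @param privateKey private key used for signing
         * @param cryptoProvider name of the JCA provider to take the signature implementation from
         * @throws RuntimeException if the algorithm or provider is unavailable or the key is rejected
         */
        public TrustedSignerCredentials(String accessKeyId, PrivateKey privateKey, String cryptoProvider)
        {
            this.accessKeyId = accessKeyId;

            try
            {
                // NOTE(review): SHA-1 with RSA is presumably what the signed-URL format expects;
                // confirm against the current service documentation before changing the algorithm.
                signer = Signature.getInstance("SHA1WithRSA", cryptoProvider);
                signer.initSign(privateKey);
            }
            catch (Exception e)
            {
                // Provider name only; never put key material into the message.
                throw new RuntimeException("Unable to initialise SHA1WithRSA signer with provider " + cryptoProvider, e);
            }
        }

        /**
         * Sign the UTF-8 bytes of {@code text} and return the signature in URL-safe form:
         * Base64 with {@code +} replaced by {@code -}, {@code =} by {@code _} and {@code /} by
         * {@code ~}.
         *
         * @param text policy document to sign
         * @return URL-safe encoded signature
         * @throws RuntimeException if the signature cannot be produced
         */
        public String sign(String text)
        {
            try
            {
                signer.update(text.getBytes(StandardCharsets.UTF_8));
                byte[] bytes = signer.sign();
                String encodedBytes = Base64.getEncoder().encodeToString(bytes);
                return encodedBytes.replace("+", "-").replace("=", "_").replace("/", "~");
            }
            catch (Exception e)
            {
                throw new RuntimeException("Unable to sign policy", e);
            }
        }
    }

}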