SignCookiePolicy.php
<?php
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// snippet-start:[cloudfront.php.signed_cookie_policy.complete]
// snippet-start:[cloudfront.php.signed_cookie_policy.import]
require 'vendor/autoload.php';
use Aws\CloudFront\CloudFrontClient;
use Aws\Exception\AwsException;
// snippet-end:[cloudfront.php.signed_cookie_policy.import]
/* ////////////////////////////////////////////////////////////////////////////
* Purpose: Gets cookie-signing information that viewers need to
* access restricted content in a specially configured Amazon CloudFront
* distribution.
*
* Prerequisites: A CloudFront distribution that is specially configured for
* restricted access, and a CloudFront key pair. For more information, see
* "Serving Private Content with Signed URLs and Signed Cookies" in the
* Amazon CloudFront Developer Guide.
*
* Inputs:
* - $cloudFrontClient: An initialized CloudFront client.
* - $customPolicy: A policy statement that controls the access that a signed
* cookie grants to a user.
* - $privateKey: The path to the CloudFront private key file, in .pem format.
* - $keyPairId: The corresponding CloudFront key pair ID.
*
* Returns: Information about required Set-Cookie headers for cookie signing;
* otherwise, the error message.
* ///////////////////////////////////////////////////////////////////////// */
// snippet-start:[cloudfront.php.signed_cookie_policy.main]
/**
 * Asks the CloudFront client for the signed-cookie values of a custom policy.
 *
 * @param object $cloudFrontClient Client exposing getSignedCookie().
 * @param string $customPolicy     JSON policy statement to sign.
 * @param string $privateKey       Path to the CloudFront private key file (.pem).
 * @param string $keyPairId        Key pair ID that corresponds to the private key.
 *
 * @return mixed Whatever getSignedCookie() returns, or ['Error' => message]
 *               when an AwsException is caught.
 */
function signCookiePolicy(
    $cloudFrontClient,
    $customPolicy,
    $privateKey,
    $keyPairId
) {
    $signingArgs = [
        'policy' => $customPolicy,
        'private_key' => $privateKey,
        'key_pair_id' => $keyPairId,
    ];

    try {
        return $cloudFrontClient->getSignedCookie($signingArgs);
    } catch (AwsException $caught) {
        // Only AwsException is turned into an error array; any other
        // exception type propagates to the caller unchanged.
        $failure = ['Error' => $caught->getAwsErrorMessage()];
    }

    return $failure;
}
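/**
 * Example driver: builds a custom policy that limits one resource to the
 * requesting IPv4 address for five minutes, signs it through
 * signCookiePolicy(), and prints each returned key/value pair.
 *
 * Prints an "Error = ..." line and returns without signing when no valid
 * IPv4 viewer address is available, so that a policy with an empty or
 * over-broad source range is never signed.
 */
function signACookiePolicy()
{
    $resourceKey = 'https://d13l49jEXAMPLE.cloudfront.net/my-file.txt';
    $expires = time() + 300; // 5 minutes (5 * 60 seconds) from now.

    // REMOTE_ADDR is not set when PHP runs from the command line, and the
    // "/32" suffix below only means "a single host" for an IPv4 address;
    // on an IPv6 address it would describe a very large range. Fail closed
    // instead of dropping or widening the IP condition.
    // NOTE(review): behind a reverse proxy or load balancer REMOTE_ADDR is
    // the proxy's address, not the viewer's — confirm the deployment before
    // relying on this condition.
    $viewerIp = filter_var(
        $_SERVER['REMOTE_ADDR'] ?? '',
        FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4
    );
    if ($viewerIp === false) {
        echo 'Error = No valid IPv4 viewer address in REMOTE_ADDR; cookie policy not signed.' . "\n";
        return;
    }

    // Encode the policy with json_encode() rather than interpolating values
    // into a JSON template, so every value is escaped as a JSON string or
    // number and cannot alter the structure of the statement.
    $customPolicy = json_encode(
        [
            'Statement' => [
                [
                    'Resource' => $resourceKey,
                    'Condition' => [
                        'IpAddress' => ['AWS:SourceIp' => $viewerIp . '/32'],
                        'DateLessThan' => ['AWS:EpochTime' => $expires],
                    ],
                ],
            ],
        ],
        JSON_UNESCAPED_SLASHES
    );
    if ($customPolicy === false) {
        echo 'Error = ' . json_last_error_msg() . "\n";
        return;
    }

    // NOTE(review): this path resolves to a directory next to the script's
    // parent directory; confirm the key file is outside the web root and
    // readable only by the account that runs this code.
    $privateKey = dirname(__DIR__) . '/cloudfront/my-private-key.pem';
    $keyPairId = 'AAPKAJIKZATYYYEXAMPLE';

    $cloudFrontClient = new CloudFrontClient([
        'profile' => 'default',
        'version' => '2018-06-18',
        'region' => 'us-east-1'
    ]);

    $result = signCookiePolicy(
        $cloudFrontClient,
        $customPolicy,
        $privateKey,
        $keyPairId
    );

    /* If successful, returns something like:
    CloudFront-Policy = eyJTdGF0...fX19XX0_
    CloudFront-Signature = RowqEQWZ...N8vetw__
    CloudFront-Key-Pair-Id = AAPKAJIKZATYYYEXAMPLE
    */
    // On failure signCookiePolicy() returns ['Error' => message], which
    // this loop prints in the same "key = value" form.
    foreach ($result as $key => $value) {
        echo $key . ' = ' . $value . "\n";
    }
}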
// Uncomment the following line to run this code in an AWS account.
// signACookiePolicy();
// snippet-end:[cloudfront.php.signed_cookie_policy.main]
// snippet-end:[cloudfront.php.signed_cookie_policy.complete]