readme.md

GCP cloud CDN sign URLs and cookies

Test env

http(s)://<your_domain_or_ip>/abc1.txt
http(s)://<your_domain_or_ip>/abc2.txt
http(s)://<your_domain_or_ip>/abc/1.txt
http(s)://<your_domain_or_ip>/abc/2.txt
http(s)://<your_domain_or_ip>/xyz1.txt
http(s)://<your_domain_or_ip>/xyz2.txt
http(s)://<your_domain_or_ip>/xyz/1.txt
http(s)://<your_domain_or_ip>/xyz/2.txt

GCP setup

dingosign.py

 import argparse
 import base64
 import datetime
 import hashlib
 import hmac
 
 from six.moves import urllib
 
 
 # [START sign_url]
 def sign_url(url, key_name, base64_key, expiration_time):
     """Gets the Signed URL string for the specified URL and configuration.
 
     Args:
         url: URL to sign as a string.
         key_name: name of the signing key as a string.
         base64_key: signing key as a base64 encoded string.
         expiration_time: expiration time as a UTC datetime object.
 
     Returns:
         Returns the Signed URL appended with the query parameters based on the
         specified configuration.
     """
     stripped_url = url.strip()
     parsed_url = urllib.parse.urlsplit(stripped_url)
     query_params = urllib.parse.parse_qs(
         parsed_url.query, keep_blank_values=True)
     epoch = datetime.datetime.utcfromtimestamp(0)
     expiration_timestamp = int((expiration_time - epoch).total_seconds())
     decoded_key = base64.urlsafe_b64decode(base64_key)
 
     url_pattern = u'{url}{separator}Expires={expires}&KeyName={key_name}'
 
     url_to_sign = url_pattern.format(
             url=stripped_url,
             separator='&' if query_params else '?',
             expires=expiration_timestamp,
             key_name=key_name)
 
     digest = hmac.new(
         decoded_key, url_to_sign.encode('utf-8'), hashlib.sha1).digest()
     signature = base64.urlsafe_b64encode(digest).decode('utf-8')
 
     signed_url = u'{url}&Signature={signature}'.format(
             url=url_to_sign, signature=signature)
 
     print(signed_url)
     
 def sign_url_prefix(url, url_prefix, key_name, base64_key, expiration_time):
     """Gets the Signed URL string for the specified URL prefix and configuration.
 
     Args:
         url: URL of request.
         url_prefix: URL prefix to sign as a string.
         key_name: name of the signing key as a string.
         base64_key: signing key as a base64 encoded string.
         expiration_time: expiration time as a UTC datetime object.
 
     Returns:
         Returns the Signed URL appended with the query parameters based on the
         specified URL prefix and configuration.
     """
     stripped_url = url.strip()
     parsed_url = urllib.parse.urlsplit(stripped_url)
     query_params = urllib.parse.parse_qs(
         parsed_url.query, keep_blank_values=True)
     encoded_url_prefix = base64.urlsafe_b64encode(
             url_prefix.strip().encode('utf-8')).decode('utf-8')
     epoch = datetime.datetime.utcfromtimestamp(0)
     expiration_timestamp = int((expiration_time - epoch).total_seconds())
     decoded_key = base64.urlsafe_b64decode(base64_key)
 
     policy_pattern = u'URLPrefix={encoded_url_prefix}&Expires={expires}&KeyName={key_name}'
     policy = policy_pattern.format(
             encoded_url_prefix=encoded_url_prefix,
             expires=expiration_timestamp,
             key_name=key_name)
 
     digest = hmac.new(
             decoded_key, policy.encode('utf-8'), hashlib.sha1).digest()
     signature = base64.urlsafe_b64encode(digest).decode('utf-8')
 
     signed_url = u'{url}{separator}{policy}&Signature={signature}'.format(
             url=stripped_url,
             separator='&' if query_params else '?',
             policy=policy,
             signature=signature)
 
     print(signed_url)
 # [END sign_url]
 
 # [START cdn_sign_cookie]
 def sign_cookie(url_prefix, key_name, base64_key, expiration_time):
     """Gets the Signed cookie value for the specified URL prefix and configuration.
 
     Args:
         url_prefix: URL prefix to sign as a string.
         key_name: name of the signing key as a string.
         base64_key: signing key as a base64 encoded string.
         expiration_time: expiration time as a UTC datetime object.
 
     Returns:
         Returns the Cloud-CDN-Cookie value based on the specified configuration.
     """
     encoded_url_prefix = base64.urlsafe_b64encode(
             url_prefix.strip().encode('utf-8')).decode('utf-8')
     epoch = datetime.datetime.utcfromtimestamp(0)
     expiration_timestamp = int((expiration_time - epoch).total_seconds())
     decoded_key = base64.urlsafe_b64decode(base64_key)
 
     policy_pattern = u'URLPrefix={encoded_url_prefix}:Expires={expires}:KeyName={key_name}'
     policy = policy_pattern.format(
             encoded_url_prefix=encoded_url_prefix,
             expires=expiration_timestamp,
             key_name=key_name)
 
     digest = hmac.new(
             decoded_key, policy.encode('utf-8'), hashlib.sha1).digest()
     signature = base64.urlsafe_b64encode(digest).decode('utf-8')
 
     signed_policy = u'Cloud-CDN-Cookie={policy}:Signature={signature}'.format(
             policy=policy, signature=signature)
     print(signed_policy)
 # [END cdn_sign_cookie]
 
 if __name__ == '__main__':
     parser = argparse.ArgumentParser(
             description=__doc__,
             formatter_class=argparse.RawDescriptionHelpFormatter)
 
     subparsers = parser.add_subparsers(dest='command')
 
     sign_url_parser = subparsers.add_parser(
             'sign-url',
             help="Sign a URL to grant temporary authorized access.")
     sign_url_parser.add_argument(
             'url', help='The URL to sign.')
     sign_url_parser.add_argument(
             'key_name',
             help='Key name for the signing key.')
     sign_url_parser.add_argument(
             'base64_key',
             help='The base64 encoded signing key.')
     sign_url_parser.add_argument(
             'expiration_time',
             type=lambda d: datetime.datetime.utcfromtimestamp(float(d)),
             help='Expiration time expessed as seconds since the epoch.')
 
     sign_url_prefix_parser = subparsers.add_parser(
             'sign-url-prefix',
             help="Sign a URL prefix to grant temporary authorized access.")
     sign_url_prefix_parser.add_argument(
             'url', help='The request URL.')
     sign_url_prefix_parser.add_argument(
             'url_prefix', help='The URL prefix to sign.')
     sign_url_prefix_parser.add_argument(
             'key_name',
             help='Key name for the signing key.')
     sign_url_prefix_parser.add_argument(
             'base64_key',
             help='The base64 encoded signing key.')
     sign_url_prefix_parser.add_argument(
             'expiration_time',
             type=lambda d: datetime.datetime.utcfromtimestamp(float(d)),
             help='Expiration time expessed as seconds since the epoch.')
 
     sign_cookie_parser = subparsers.add_parser(
             'sign-cookie',
             help="Generate a signed cookie to grant temporary authorized access.")
     sign_cookie_parser.add_argument(
             'url_prefix', help='The URL prefix to sign.')
     sign_cookie_parser.add_argument(
             'key_name',
             help='Key name for the signing key.')
     sign_cookie_parser.add_argument(
             'base64_key',
             help='The base64 encoded signing key.')
     sign_cookie_parser.add_argument(
             'expiration_time',
             type=lambda d: datetime.datetime.utcfromtimestamp(float(d)),
             help='Expiration time expessed as seconds since the epoch.')
 
     args = parser.parse_args()
 
     if args.command == 'sign-url':
         sign_url(
             args.url, args.key_name, args.base64_key, args.expiration_time)
     elif args.command == 'sign-url-prefix':
         sign_url_prefix(
             args.url, args.url_prefix, args.key_name, args.base64_key, args.expiration_time)
     elif args.command == 'sign-cookie':
         sign_cookie(
             args.url_prefix, args.key_name, args.base64_key, args.expiration_time)

http.sh

#!/bin/bash

http --follow \
    --print=HhBb \
    GET \
    http://gcscdn.bindiego.com/abc1.txt \
    'cookie: Cloud-CDN-Cookie=URLPrefix=aHR0cDovL2djc2Nkbi5iaW5kaWVnby5jb20vYWJjLw==:Expires=1592579342:KeyName=dingocdnkey:Signature=AAWT3kd7Bs0I01MgYvaFUe8reJ0='

http --follow \
    --print=HhBb \
    GET \
    http://gcscdn.bindiego.com/abc2.txt \
    'cookie: Cloud-CDN-Cookie=URLPrefix=aHR0cDovL2djc2Nkbi5iaW5kaWVnby5jb20vYWJjLw==:Expires=1592579342:KeyName=dingocdnkey:Signature=AAWT3kd7Bs0I01MgYvaFUe8reJ0='

http --follow \
    --print=HhBb \
    GET \
    http://gcscdn.bindiego.com/abc/1.txt \
    'cookie: Cloud-CDN-Cookie=URLPrefix=aHR0cDovL2djc2Nkbi5iaW5kaWVnby5jb20vYWJjLw==:Expires=1592579342:KeyName=dingocdnkey:Signature=AAWT3kd7Bs0I01MgYvaFUe8reJ0='

http --follow \
    --print=HhBb \
    GET \
    http://gcscdn.bindiego.com/abc/2.txt \
    'cookie:
Cloud-CDN-Cookie=URLPrefix=aHR0cDovL2djc2Nkbi5iaW5kaWVnby5jb20vYWJjLw==:Expires=1592579342:KeyName=dingocdnkey:Signature=AAWT3kd7Bs0I01MgYvaFUe8reJ0=;CloudFront-Policy=eyJTdGF0ZW1lbnQiOiBbeyJSZXNvdXJjZSI6Imh0dHA6Ly8qLnN0YXJ0aW2rg3R2LmNvbS8qIiwiQ29uZGl0aW9uIjp7IkRhdGVMZXNzVGhhbiI6eyJBV1M6RXBvY2hUaW1lIjoxNjgwODQzMjQwfX19XX0_;CloudFront-Signature=XAFt~SGbeyya03cwCH9foloX9-XiLYTduzf9UtsG0hs5lYI8UiQ9GcFSbAyv9HWiPmy10ThF3UK-mz58PAtU00s0KuqWbDqCD7J4LDmkbVpiNZ8z~Sb4iy1ZeU~Woc2VgMbVuHVL3KI5bRF43SwWA7rNennjS9xoT2uMgIdgiWPSUvJxESD-5OUCIsng1SNCPfxBAv--QeuYl099D0-jUbTQzYzWrZpVOtuCEqUtroPdFw9-63rYJG7jNFavcS5NaUvctGnWoNSb6t3q5czvolArxHxiTPXwmPJPwowj7-XjaxHFJKp3-zKd2TXydNBWJDJopliNM1KMKAueBnbILQ__;CloudFront-Key-Pair-Id=APKAIPKMIOIQPHMZ2WK;'

test.py

 #!/usr/bin/env python
 
 """Tests for dingosign."""
 
 import datetime
 
 import dingosign
 
 # https://www.epochconverter.com/
 expire_ts = 1592579342
 key_code = '_COHO7gZhhK5yxd5BxHPGA==' # head -c 16 /dev/urandom | base64 | tr +/ -_
 key_name = 'dingocdnkey'
 
 dingo_url = "http://gcscdn.bindiego.com/abc1.txt"
 dingo_url_prefix_1 = "http://gcscdn.bindiego.com/abc"
 dingo_url_prefix_2 = "http://gcscdn.bindiego.com/abc/"
 
 def test_sign_url():
     dingosign.sign_url(
         dingo_url,
         key_name,
         key_code,
         datetime.datetime.utcfromtimestamp(expire_ts))
 
 def test_sign_url_prefix():
     dingosign.sign_url_prefix(
         dingo_url,
         dingo_url_prefix_1,
         key_name,
         key_code,
         datetime.datetime.utcfromtimestamp(expire_ts))
 
 def test_sign_cookie():
     dingosign.sign_cookie(
         dingo_url_prefix_2,
         key_name,
         key_code,
         datetime.datetime.utcfromtimestamp(expire_ts))
 
 test_sign_url()
 test_sign_url_prefix()
 test_sign_cookie()