CustomSignerRequest Lacks Support For ResourceUrlPattern In Signed Cookie Policy

by ADMIN 81 views

Introduction

The AWS Java SDK provides a feature-rich interface for interacting with Amazon Web Services (AWS) resources. However, a critical issue has been identified in the CustomSignerRequest class, which affects the generation of signed cookies for CloudFront private content delivery. Specifically, the resourceUrlPattern property is not respected when using the getCookiesForCustomPolicy method, leading to an inability to specify wildcard paths in the policy. This article delves into the details of this issue, provides a reproduction step, and suggests a fix to align the behavior with the getSignedUrlWithCustomPolicy method.

Describe the Bug

When using the CloudFrontUtilities.getCookiesForCustomPolicy(CustomSignerRequest request) method, the SDK only utilizes the resourceUrl property to construct the custom policy. This results in an inability to specify a wildcard path (e.g., https://example.cloudfront.net/images/post/*) in the policy separately from the actual signed resource. In contrast, the getSignedUrlWithCustomPolicy method supports the resourceUrlPattern property, which is essential for signing paths instead of specific files.

Regression Issue

This issue appears to be a regression, as the getCookiesForCustomPolicy method does not respect the resourceUrlPattern property, unlike the getSignedUrlWithCustomPolicy method.

Expected Behavior

The CloudFrontUtilities.getCookiesForCustomPolicy method should:

  • Use the resourceUrlPattern from the CustomSignerRequest (if provided)
  • Or fallback to resourceUrl as the pattern
  • Just like how getSignedUrlWithCustomPolicy works

This enables generating signed cookies with a custom policy for wildcard resource paths (e.g., https://cdn.example.com/images/post/*), while still targeting a specific resource (e.g., https://cdn.example.com/images/post/1.jpg) for delivery.

Current Behavior

Signed cookies for a wildcard policy cannot be generated because:

  • resourceUrl is used both to specify the resource to sign and the policy scope
  • Setting resourceUrl to null (hoping the wildcard will apply) throws a NullPointerException

Reproduction Steps

CustomSignerRequest request = CustomSignerRequest.builder()
    .resourceUrl("https://my-cloudfront.net/images/post/1.jpg")
    .resourceUrlPattern("https://my-cloudfront.net/images/post/*")
    .privateKey(pemPath)
    .keyPairId("EXAMPLEKEYPAIRID")
    .expirationDate(Instant.now().plus(Duration.ofDays(1)))
    .build();

CookiesForCustomPolicy cookies = CloudFrontUtilities.create()
    .getCookiesForCustomPolicy(request); // ❌ resourceUrlPattern is ignored in policy generation

Possible Solution

The getCookiesForCustomPolicy method ignores the resourceUrlPattern even if it is specified in the CustomSignerRequest. This causes the generated CloudFront-Policy cookie to contain the exact resourceUrl as the "Resource" field, rather than using the intended wildcard or broader.

To align behavior with getSignedUrlWithCustomPolicy, update getCookiesForCustomPolicy to respect resourceUrlPattern if it is present.

Suggested Fix

String resourceUrlPattern = request.resourceUrlPattern() != null
                 ? request.resourceUrlPattern()
                 : request.resourceUrl();

String policy = SigningUtils.buildCustomPolicy(
    resourceUrlPattern,
    request.activeDate(),
    request.expirationDate(),
    request.ipRange()
);

Additional Information/Context

  • This issue arose while trying to use wildcard paths (e.g., images/post/*) in signed cookies for CloudFront private content delivery.
  • resourceUrl is currently used as the resource identifier in the signed cookie policy, even when a more general resourceUrlPattern is intended — making it impossible to apply wildcard or broader access rules.
  • resourceUrlPattern was recently introduced (per #5577) and is respected in getSignedUrlWithCustomPolicy, but not in getCookiesForCustomPolicy.
  • Perhaps additional discussion is needed around whether resourceUrl should remain mandatory, or become nullable if resourceUrlPattern is provided.
  • This is important for practical use cases like generating cookies for wildcard access patterns while maintaining the actual signed URL path separately.

AWS Java SDK version used

2.31.45

JDK version used

openjdk version "17.0.8" 2023-07-18 LTS

Operating System and version

Q: What is the issue with CustomSignerRequest and ResourceUrlPattern?

A: The issue is that the getCookiesForCustomPolicy method in the CloudFrontUtilities class does not respect the resourceUrlPattern property in the CustomSignerRequest class. This means that when trying to generate signed cookies for a wildcard policy, the method uses the resourceUrl property instead, which does not support wildcard paths.

Q: Why is this a problem?

A: This is a problem because it prevents users from generating signed cookies for wildcard policies, which is a common use case for CloudFront private content delivery. By not respecting the resourceUrlPattern property, the getCookiesForCustomPolicy method is not providing the expected behavior.

Q: What is the expected behavior?

A: The expected behavior is that the getCookiesForCustomPolicy method should use the resourceUrlPattern property from the CustomSignerRequest class if it is provided, or fallback to the resourceUrl property if it is not. This would allow users to generate signed cookies for wildcard policies.

Q: How can I reproduce this issue?

A: To reproduce this issue, you can use the following code:

CustomSignerRequest request = CustomSignerRequest.builder()
    .resourceUrl("https://my-cloudfront.net/images/post/1.jpg")
    .resourceUrlPattern("https://my-cloudfront.net/images/post/*")
    .privateKey(pemPath)
    .keyPairId("EXAMPLEKEYPAIRID")
    .expirationDate(Instant.now().plus(Duration.ofDays(1)))
    .build();

CookiesForCustomPolicy cookies = CloudFrontUtilities.create()
    .getCookiesForCustomPolicy(request); // ❌ resourceUrlPattern is ignored in policy generation

Q: What is the suggested fix?

A: The suggested fix is to update the getCookiesForCustomPolicy method to respect the resourceUrlPattern property if it is provided. This can be done by using the following code:

String resourceUrlPattern = request.resourceUrlPattern() != null
                 ? request.resourceUrlPattern()
                 : request.resourceUrl();

String policy = SigningUtils.buildCustomPolicy(
    resourceUrlPattern,
    request.activeDate(),
    request.expirationDate(),
    request.ipRange()
);

Q: Why is this fix necessary?

A: This fix is necessary because it aligns the behavior of the getCookiesForCustomPolicy method with the getSignedUrlWithCustomPolicy method, which already respects the resourceUrlPattern property. By making this change, users will be able to generate signed cookies for wildcard policies as expected.

Q: What are the implications of this fix?

A: The implications of this fix are that users will be able to generate signed cookies for wildcard policies, which is a common use case for CloudFront private content delivery. This will make it easier for users to manage their CloudFront resources and ensure that their content is delivered securely.

Q: How can get help with this issue?

A: If you are experiencing issues with the CustomSignerRequest class and the resourceUrlPattern property, you can reach out to the AWS support team for assistance. They will be able to provide you with further guidance and support to resolve the issue.