In [6]:
from enum import Enum

class PermissionTypes(str, Enum):
    VIEW = "VIEW"
    EDIT = "EDIT"
    OWNER = "OWNER"


In [8]:
"OWNER" in PermissionTypes.__members__

True

In [7]:
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.serialization import load_pem_private_key
from cryptography.hazmat.backends import default_backend
from boto3 import Session
from datetime import datetime, timedelta
from loguru import logger
from botocore.signers import CloudFrontSigner

BUCKET_REGION_NAME = "eu-central-1"

session = Session(profile_name="private", region_name=BUCKET_REGION_NAME)

s3_client = session.client("s3")
secrets_client = session.client("secretsmanager")


def create_signed_url(
    url: str, key_pair_id: str, expiration: datetime
):
    private_key = ""
    try:
        # private_key = load_pem_private_key(
        #     data=private_key_pem.encode(),
        #     password=None,
        #     backend=default_backend()
        # )
        with open("private_key.pem", "rb") as key_file:
            private_key = load_pem_private_key(
                key_file.read(),
                password=None,
                backend=default_backend()
            )

    except Exception as ex:
        logger.error(f"Failed to load private key: {ex}")
        

    def rsa_signer(message):
        return private_key.sign(
            message,
            padding.PKCS1v15(),
            hashes.SHA256(),
        )

    signer = CloudFrontSigner(key_pair_id, rsa_signer)

    try:
        presigned_url = signer.generate_presigned_url(url, date_less_than=expiration)
        return presigned_url
    except Exception as ex:
        logger.warning(f"Failed to generate presigned url with ex: {ex}")


In [8]:
url = 'https://d1aa0yisny9egq.cloudfront.net/output/lisciowsky/moto.mp4'
key_pair_id = 'K3QTFHGRUDWZ0T'
expiration = datetime.now() + timedelta(days=10)

create_signed_url(
            url=url, key_pair_id=key_pair_id, expiration=expiration
)

'https://d1aa0yisny9egq.cloudfront.net/output/lisciowsky/moto.mp4?Expires=1715172951&Signature=EIEnmKLr5HY9d2ZwA-B9wAF5DtU6CzEo4t0jcntg94uO9qav-zm77pewgTm93tr-RLXoGqa1C3fBJf~YCKKoOVx6hjEudgksbNE9ezykH8hvIFlPNFZVISvaecwdce1EWajLWsV2Ky~LM9nTB72~XGLAvv7qUrs97zlKLgAvBDy8HOTRHdGpBfbSee-fsgIJL6ZYYAtln2wvt7byw~eMe9CAHLuFJQ2Q5tJ9ExDChcZ7UL~G2D6MlMgop~djco~t0nN5b6sj-BWzkmz08Ov-tQgidr6cVhn-uew3c-ca-jpyj8ADz7n7j3Yh1yhOpjWdZdWCknaIEb-XJM0WXUiiZg__&Key-Pair-Id=K3QTFHGRUDWZ0T'

In [8]:
import datetime

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding
from botocore.signers import CloudFrontSigner



def rsa_signer(message):
    with open('./private_key.pem', 'rb') as key_file:
        private_key = serialization.load_pem_private_key(
            key_file.read(),
            password=None,
            backend=default_backend()
        )
    return private_key.sign(message, padding.PKCS1v15(), hashes.SHA1())

key_id = 'K3QTFHGRUDWZ0T'
url = 'https://d1aa0yisny9egq.cloudfront.net/output/lisciowsky/moto.mp4'
expire_date = datetime.datetime(2024, 5, 1)

cloudfront_signer = CloudFrontSigner(key_id, rsa_signer)

# Create a signed url that will be valid until the specific expiry date
# provided using a canned policy.
signed_url = cloudfront_signer.generate_presigned_url(
    url, date_less_than=expire_date)
print(signed_url)

b'-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDF+USEuCqglaUx\n4P/E84DR1uGChELh3nYS2IH9/tqKkrwH4I/zvMzUq+fYvHBOfikTrExOBHMjpsQf\nEA1xYwQZ0oJB/96EqIqJ6RvLOFjb/ILiCxSzd4h1gLoWX0/gr5LdBZZpT1WTegVb\nFX1ksYn7YLJRlBVkP+kuLm6bZF8pjzR+abUFB344XqerwFjWKNJB7itIm5VUr0Re\n4xSxaqDanghkD99Z6OlbhJBNfiTOlvtBHL2H9In29nL/gmMcvoQRwThZR0zJqXYe\n88XV7uVO8QmERsa+VWKqT7yZ8W9ktGDsBrqme5gf8vIbILobkTq4LnS5ss3CskC6\niX4DEpdVAgMBAAECggEAAtoEUqUUeBuvtXg4Nu4K/PrLZMXi8L3zlXHo7W+uVjCm\n5LYnXKtrh+SyAj00oOzQSqhAsR7/SZQtXwUsLGXwuS5/EdRNsDt9Q19INzUokoKg\noADo22ztWkPwakIVNHdS9jwOXpX19ZncWeOFWt3zztsltmcbp8YD5dZlYXegp0iS\nS+jxpcOkYvlQY30ssADccKIuHzevhcHPG501/k29biKTuZ29Zz9TCkkS5tTZaZSc\n6J1IId9+zkBOx38ANdLhWVYUZdnWwkjRyZj9iUJqnNi5EMXJBQTiuPnPaIAcQl5c\nHZ29ChqGObXXvzKPMuEPC8//Nm7oT62luKemRLu4AQKBgQDoMHxP27MW6pr3+lOD\nOapxO5i7mLgxmeiILT4xBznvV5bCVDA4lxE5ljTzQ77bobOrl3HRpYQrka3QPPKF\n2qzn1zzgFAMF8z1IUUKqCbGyyiWmB1CxwQOqkQwkwaeY+ciVZiYsJ1RUSv66fPl0\nUY126Wwnskr06zQ02aPeB/pBIQKBgQDaRopCzMbNpSro9

ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=503841036, lib=60, reason=524556, reason_text=unsupported)>])

In [11]:
import datetime
import json

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding
from botocore.signers import CloudFrontSigner

from boto3 import Session
session = Session(profile_name="private", region_name="eu-central-1")
secrets_client = session.client("secretsmanager")

def _get_secret(secret_name: str):
    response = secrets_client.get_secret_value(SecretId=secret_name)
    if "SecretString" in response:
        secret = json.loads(response["SecretString"])
        return secret.get("key")
    else:
        return None


def get_secret(secret_name: str):
    try:
        secret = _get_secret(secret_name=secret_name)
    except Exception as ex:
        raise ex
    return secret

secret_key = get_secret("dev_media_cdn_private_key_v3")



def rsa_signer(message):
    private_key = serialization.load_pem_private_key(
        secret_key.encode(),
        password=None,
        backend=default_backend()
    )
    return private_key.sign(message, padding.PKCS1v15(), hashes.SHA1())

key_id = 'K3QTFHGRUDWZ0T'
url = 'https://d1aa0yisny9egq.cloudfront.net/output/lisciowsky/moto.mp4'
expire_date = datetime.datetime(2024, 5, 1)

cloudfront_signer = CloudFrontSigner(key_id, rsa_signer)
# Create a signed url that will be valid until the specific expiry date
# provided using a canned policy.
signed_url = cloudfront_signer.generate_presigned_url(
    url, date_less_than=expire_date)
print(signed_url)

https://d1aa0yisny9egq.cloudfront.net/output/lisciowsky/moto.mp4?Expires=1714521600&Signature=qlWhEVNf9Ri0gDrkxw9Yso7MQ-jESA4JUq2SFr4rrOttJDZtwP4zqADbVt4sSd9ajPWeOVAsgBPoB5PNJB2Acky27Un3XsrH~ZPuP3eqKTCM3JXxNuI01WFeIx-E1vUj2hcXNApvscGSg716QGtoE5BTHu1qXhNwwf6Hxv7NR~FFcf5KJRzxCVRbQ~M9DoOZYDrnT7GrcDSr08585mwAXP3KQnGr76F3sIza9G--P1KS3GZSpqHQXdVrEZbH7qaPGZZW8VgEmGTgydbhf6jyidiZruuqacqjP~0cZCHpN9wS-8eaKGMFF0QP6X23NBxaEVoJijYYJE3LVekGvcYOLQ__&Key-Pair-Id=K3QTFHGRUDWZ0T
