Add SotoSignerCloudFront module for signed URLs and cookies#696
Merged
adam-fowler merged 11 commits intoJun 12, 2026
Conversation
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #696 +/- ##
==========================================
+ Coverage 81.26% 81.71% +0.44%
==========================================
Files 93 98 +5
Lines 6672 6841 +169
==========================================
+ Hits 5422 5590 +168
- Misses 1250 1251 +1 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
adam-fowler
reviewed
Jun 11, 2026
33cec23 to
1369d18
Compare
Implements CloudFront RSA-based signing (PKCS#1 v1.5) as a new dedicated module, separate from SotoSignerV4. Supports canned and custom policies for both signed URLs and signed cookies, with SHA-1 (default) and SHA-256 hash algorithms. New module: SotoSignerCloudFront - CloudFrontSigner struct with Sendable conformance - Canned policy signed URLs and cookies - Custom policy with wildcard resources, IP restrictions, start times - CloudFront-specific base64 encoding - Dual PEM initializers (String + Data) - Comprehensive error handling Tests: 33 unit tests covering all public API methods, edge cases, error conditions, and round-trip signature verification. Verified on both macOS and Linux (swift:amazonlinux2023). Documentation: Swift DocC documentation with usage examples and a complete end-to-end testing guide (SotoCore.docc/SotoSignerCloudFront/Articles/ EndToEndTesting.md) that walks through setting up a real CloudFront distribution and verifying signed URLs against it. Resolves: soto-project#613
…DER encoding - Rename privateKey: to privateKeyPEM: in the String initializer - Replace PEM-as-Data initializer with privateKeyDER: accepting DER-encoded keys - Update tests, docc documentation, and EndToEndTesting article
Returns an array of Set-Cookie header strings ready for use in HTTP responses, addressing review feedback to simplify cookie usage for callers.
CloudFront uses a non-standard mapping (/ → ~, = → _) that differs from RFC 4648 base64url, so the Swift 6.3 .base64URLAlphabet option is not applicable.
Combine separate canned/custom overloads into single methods that accept a Policy enum (.canned(expires:) or .custom(CustomPolicy)), as suggested in code review.
Uses a private enum code with static properties for better ABI stability and future extensibility without breaking API changes.
e28941d to
e271765
Compare
adam-fowler
reviewed
Jun 12, 2026
adam-fowler
left a comment
Member
There was a problem hiding this comment.
A couple of minor changes, but otherwise we are good
Contributor
Author
|
All good. |
adam-fowler
approved these changes
Jun 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a new
SotoSignerCloudFrontmodule that generates CloudFront signed URLs and signed cookies using RSA PKCS#1 v1.5 signatures. This is a first-class implementation of the signing logic described in the CloudFront developer guide.Closes #613
What's included
SotoSignerCloudFront(separate fromSotoSignerV4— uses_CryptoExtrasfor RSA)Hash-Algorithmparam appended for SHA-256)swift:amazonlinux2023API
Testing
docker run swift:amazonlinux2023)Documentation
Includes Swift DocC documentation:
CloudFrontSignerSotoCore.docc/SotoSignerCloudFront/Articles/EndToEndTesting.md) with copy-pasteable AWS CLI commands to set up a test distribution, generate signed URLs, verify with curl, and clean up all resources