CloudFrontUtilities : cannot specify wildcard (*) resource url for a custom policy

[catherinegrogan]

Describe the bug

When using the new CloudFrontUtilities class to sign resource urls, it is not possible to specify a wildcard resource URL policy ('*') as the CustomSignerRequest.resourceUrl is used for both the policy and the URL to be signed.

The SigningUtils.buildCustomPolicyForSignedUrl(...) method which is called from the CloudFrontUtilities.getSignedUrlWithCustomPolicy(CustomSignerRequest request) method does appear to cater for this by defaulting to the wildcard if the resourceUrl is NULL BUT it is not possible to specify a null CustomSignerRequest.resourceUrl as this is also used for the URL to be signed.

Expected Behavior

Should be able to specify a custom policy resourceUrl as the 'wildcard' (or any other policy required) whilst also specify the resourceUrl to be signed.

• In the older AWS SDK this was possible as the custom policy was provided as a separate parameter string.

Current Behavior

Currently cannot specify a 'wildcard' resourceUrl for a custom policy separate to the URL to be signed.

Example:
When use a signed URL with primefaces '<p:graphicImage ... cache=false>' on a client page primefaces adds a '&pfdrid_c' paramter to the URL. Without the ability to specify a wildcard policy for the resource url then this enforces the primefaces parameter to be present in the URL when signing.

Reproduction Steps

For example:
As indicate above, the code does try to set the default wildcard for the custom policy if a NULL resourceUrl is specified.
However if try to do this then will get a NPE as this value is also used as the URL to be signed.

i.e. if you try this in a test then you will get a NPE exception.

CustomSignerRequest.builder()
	.resourceUrl( null ) // wildcard policy
	. etc
	.build();
CloudFrontUtilities.create()
	.getSignedUrlWithCustomPolicy(customSignerRequest)
	.url()

So the code as it stands forces the URL to be signed to always be specified & does not enable a custom resource URL policy to be specified which is different to the URL to be signed.

Possible Solution

• Could add a new/separate CustomSignedResource parameter to enable the policy resource url to be specified in addition to the URL to be signed.

OR

• Could make the CustomSignedResource.resourceUrl be specific to the custom policy & then add a new/separate parameter to the CloudFrontUtilities.create() API call

Additional Information/Context

No response

AWS Java SDK version used

2.27.19

JDK version used

openjdk version "17.0.8" 2023-07-18 LTS

Operating System and version

macOS Sonoma

[bhoradc]

Hello @catherinegrogan,

Thank you for reporting the issue. After analyzing the scenario, I believe this to be more of a feature request than a bug in the Java SDK V2.

1. The current design of CustomSignerRequest seems to couple the resource URL for both:
   • The URL to be signed
   • The resource specification in the policy 
2. Unlike SDK V1, which separates these concerns by having separate methods for:
   • Policy creation (buildCustomPolicyForSignedUrl)
   • URL signing (getSignedURLWithCustomPolicy)
3. Using below reproduction steps, I can confirm that CustomSignerRequest doesn't account for the wildcard policy 
   use case, while still allowing a specific URL to be signed.
   • Create Key pair for the signers - Create a key pair for a trusted key group.
   • Create CloudFront Distribution and update the related S3 bucket policy - Giving CloudFront permission to access the S3 bucket

Code snippet

package org.example;

import software.amazon.awssdk.services.cloudfront.CloudFrontUtilities;
import software.amazon.awssdk.services.cloudfront.model.CustomSignerRequest;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.time.Instant;
import java.time.temporal.ChronoUnit;

public class Main {
    public static void main(String[] args) throws Exception {

        Path privateKeyPath = Paths.get("/Users/***/private_key.pem");
        String keyPairId = "****";
        String resourceUrl = "https://****.cloudfront.net";
        Instant expirationDate = Instant.now().plus(7, ChronoUnit.DAYS);

        CustomSignerRequest customSignerRequest = CustomSignerRequest.builder()
                .privateKey(privateKeyPath)
                .keyPairId(keyPairId)
                .resourceUrl(null)
                .expirationDate(expirationDate)
                .build();

        try {
            String signedUrl = CloudFrontUtilities.create()
                    .getSignedUrlWithCustomPolicy(customSignerRequest)
                    .url();
            System.out.println("Signed URL: " + signedUrl);
        } catch (Exception e) {
            System.out.println("Exception occurred: " + e.getMessage());
        }
    }
}

By setting the resourceUrl to null in the CustomSignerRequest, the SDK attempts to use a wildcard policy, but since the same resourceUrl is used for the URL to be signed, it results in a NullPointerException.

I will further review this request with the Java SDK team and keep you posted.

Regards,
Chaitanya