Drop .der cloudfront key format support

pureharm · Apr 11, 2021 · 8fa17a7 · 8fa17a7
1 parent 2015122
commit 8fa17a7
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,7 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 # unreleased
 
-Reverse deprecation on configuration companion objects. But this is the last release that depends on pureharm-config.
+- Reverse deprecation on configuration companion objects. But this is the last release that depends on pureharm-config.
+- Remove support for reading cloudfront signing keys as `.DER` format
 
 ## dependency upgrades
 

diff --git a/aws-cloudfront/src/main/scala/busymachines/pureharm/aws/cloudfront/CloudfrontURLSigner.scala b/aws-cloudfront/src/main/scala/busymachines/pureharm/aws/cloudfront/CloudfrontURLSigner.scala
@@ -81,8 +81,6 @@ object CloudfrontURLSigner {
           format match {
             case CloudfrontPrivateKey.PEM =>
               com.amazonaws.auth.PEM.readPrivateKey(new ByteArrayInputStream(bytes)): PrivateKey
-            case CloudfrontPrivateKey.DER =>
-              com.amazonaws.auth.RSA.privateKeyFromPKCS8(bytes): PrivateKey
           }
         }
         .adaptError { case e => CloudFrontKeyReadingCatastrophe(e) }

diff --git a/aws-cloudfront/src/main/scala/busymachines/pureharm/aws/cloudfront/anomalies.scala b/aws-cloudfront/src/main/scala/busymachines/pureharm/aws/cloudfront/anomalies.scala
@@ -37,7 +37,24 @@ final case class CloudFrontURLSigningCatastrophe(cause: Throwable)
   override val id: AnomalyID = CloudfrontAnomalyIDs.CloudFrontURLSigningCatastropheID
 }
 
+final case class InvalidCloudfrontPEMKey()
+  extends InvalidInputAnomaly(
+    message = s"""|Invalid PEM key. It did not include with 'BEGIN RSA PRIVATE KEY'. 
+                  |Assuming it's not a correct private key.
+                  |
+                  |Keep in mind that you take the .pem cloudfront keyfile, and base64 encode it.
+                  |And pass that _string_ along as a parameter.
+                  |
+                  |e.g.
+                  |
+                  |$$ base64 ~/some_path/my_cloudfront_private_key.pem
+                  |""".stripMargin
+  ) {
+  override val id: AnomalyID = CloudfrontAnomalyIDs.CloudFrontInvalidPrivateKeyID
+}
+
 object CloudfrontAnomalyIDs {
   case object CloudFrontKeyReadingCatastropheID extends AnomalyID { override val name: String = "PH_AWS_CF_001" }
   case object CloudFrontURLSigningCatastropheID extends AnomalyID { override val name: String = "PH_AWS_CF_002" }
+  case object CloudFrontInvalidPrivateKeyID     extends AnomalyID { override val name: String = "PH_AWS_CF_003" }
 }
diff --git a/aws-cloudfront/src/main/scala/busymachines/pureharm/aws/cloudfront/package.scala b/aws-cloudfront/src/main/scala/busymachines/pureharm/aws/cloudfront/package.scala
@@ -48,7 +48,10 @@ package object cloudfront {
       import java.util.Base64
       import busymachines.pureharm.effects.implicits._
 
-      Either.catchNonFatal[String](new String(Base64.getDecoder.decode(o), StandardCharsets.UTF_8)).liftTo[F]
+      for {
+        decoded <- m.catchNonFatal(new String(Base64.getDecoder.decode(o), StandardCharsets.UTF_8))
+        _       <- if (!decoded.contains("BEGIN RSA PRIVATE KEY")) m.raiseError(InvalidCloudfrontPEMKey()) else m.unit
+      } yield decoded
     }
 
     sealed trait Format
@@ -63,10 +66,6 @@ package object cloudfront {
     case object PEM extends Format {
       override def toString: String = ".pem"
     }
-
-    case object DER extends Format {
-      override def toString: String = ".der"
-    }
   }
 
   object CloudfrontKeyPairID extends SproutSub[String]