fixed variables and added cf url signer for pictures

.github/workflows/test.yml

@@ -26,7 +26,6 @@ env:
   CLOUDFRONT_KEY_ID: ${{ secrets.CLOUDFRONT_KEY_ID }}
   CLOUDFRONT_PRIVATE_KEY: ${{ secrets.CLOUDFRONT_PRIVATE_KEY }}
   CLOUDFRONT_DOMAIN: ${{ secrets.CLOUDFRONT_DOMAIN }}
-  CLOUDFRONT_PRIVATE_KEY_PATH: ${{ secrets.CLOUDFRONT_PRIVATE_KEY_PATH }}
   ONSHAPE_API: ${{ secrets.ONSHAPE_API }}
   ONSHAPE_ACCESS_KEY: ${{ secrets.ONSHAPE_ACCESS_KEY }}
   ONSHAPE_SECRET_KEY: ${{ secrets.ONSHAPE_SECRET_KEY }}

store/app/routers/artifacts.py

@@ -64,7 +64,7 @@ async def artifact_url(
     # Initialize CloudFront signer
     signer = CloudFrontUrlSigner(
         key_id=settings.cloudfront.key_id,
-        private_key_path=settings.cloudfront.private_key_path,
+        private_key=settings.cloudfront.private_key,
     )
 
     # Always use CloudFront domain and sign the URL
@@ -95,7 +95,7 @@ def get_artifact_url_response(artifact: Artifact) -> ArtifactUrls:
 
         signer = CloudFrontUrlSigner(
             key_id=settings.cloudfront.key_id,
-            private_key_path=settings.cloudfront.private_key_path,
+            private_key=settings.cloudfront.private_key,
         )
 
         expire_days = 180

store/app/utils/cloudfront_signer.py

@@ -16,14 +16,14 @@
 class CloudFrontUrlSigner:
     """A class to generate signed URLs for AWS CloudFront using RSA keys."""
 
-    def __init__(self, key_id: str, private_key_path: str) -> None:
-        """Initialize the CloudFrontUrlSigner with a key ID and the path to the private key file.
+    def __init__(self, key_id: str, private_key: str) -> None:
+        """Initialize the CloudFrontUrlSigner with a key ID and private key content.
 
         :param key_id: The CloudFront key ID associated with the public key in your CloudFront key group.
-        :param private_key_path: The path to the private key PEM file.
+        :param private_key: The private key content in PEM format.
         """
         self.key_id = key_id
-        self.private_key_path = private_key_path
+        self.private_key = private_key
         self.cf_signer = CloudFrontSigner(key_id, self._rsa_signer)
 
     def _rsa_signer(self, message: bytes) -> bytes:
@@ -38,16 +38,15 @@ def _rsa_signer(self, message: bytes) -> bytes:
         Raises:
             ValueError: If the loaded key is not an RSA private key.
         """
-        with open(self.private_key_path, "rb") as key_file:
-            private_key = serialization.load_pem_private_key(
-                key_file.read(),
-                password=None,
-            )
+        private_key = serialization.load_pem_private_key(
+            self.private_key.encode("utf-8"),
+            password=None,
+        )
 
-            if not isinstance(private_key, RSAPrivateKey):
-                raise ValueError("The provided key is not an RSA private key")
+        if not isinstance(private_key, RSAPrivateKey):
+            raise ValueError("The provided key is not an RSA private key")
 
-            return private_key.sign(message, padding.PKCS1v15(), hashes.SHA1())
+        return private_key.sign(message, padding.PKCS1v15(), hashes.SHA1())
 
     def generate_presigned_url(self, url: str, policy: Optional[str] = None) -> str:
         """Generate a presigned URL for CloudFront using an optional custom policy.

store/settings/environment.py

@@ -75,7 +75,7 @@ class StripeSettings:
 class CloudFrontSettings:
     domain: str = field(default=II("oc.env:CLOUDFRONT_DOMAIN"))
     key_id: str = field(default=II("oc.env:CLOUDFRONT_KEY_ID"))
-    private_key_path: str = field(default=II("oc.env:CLOUDFRONT_PRIVATE_KEY_PATH"))
+    private_key: str = field(default=II("oc.env:CLOUDFRONT_PRIVATE_KEY"))
 
 
 @dataclass