service/cloudfront/sign: Loosen policy statement count validation

service/cloudfront/sign/policy.go

@@ -79,11 +79,8 @@ var randReader = rand.Reader
 // guidelines in:
 // http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
 func (p *Policy) Sign(privKey *rsa.PrivateKey) (b64Signature, b64Policy []byte, err error) {
-	if len(p.Statements) != 1 {
-		return nil, nil, fmt.Errorf("invalid number of policy statements expected 1 got %d", len(p.Statements))
-	}
-	if p.Statements[0].Resource == "" {
-		return nil, nil, fmt.Errorf("no resource in profile statement")
+	if err := p.Validate(); err != nil {
+		return nil, nil, err
 	}
 
 	// Build and escape the policy
@@ -103,6 +100,21 @@ func (p *Policy) Sign(privKey *rsa.PrivateKey) (b64Signature, b64Policy []byte,
 	return b64Signature, b64Policy, nil
 }
 
+// Validate verifies that the policy is valid and usable, and returns an
+// error if there is a problem.
+func (p *Policy) Validate() error {
+	if len(p.Statements) == 0 {
+		return fmt.Errorf("at least one policy statement is required")
+	}
+	for i, s := range p.Statements {
+		if s.Resource == "" {
+			return fmt.Errorf("statement at index %d does not have a resource", i)
+		}
+	}
+
+	return nil
+}
+
 // CreateResource constructs, validates, and returns a resource URL string. An
 // error will be returned if unable to create the resource string.
 func CreateResource(scheme, u string) (string, error) {

service/cloudfront/sign/sign_url.go

@@ -81,7 +81,7 @@ func (s URLSigner) Sign(url string, expires time.Time) (string, error) {
 // Use this signing method if you are looking to sign a URL with more than just
 // the URL's expiry time, or reusing Policies between multiple URL signings.
 // If only the expiry time is needed you can use Sign and provide just the
-// URL's expiry time.
+// URL's expiry time. A minimum of at least one policy statement is required for a signed URL.
 //
 // Note: It is not safe to use Polices between multiple signers concurrently
 //