Vendor aws-sdk-go (dep ensure) (#178)

vendor/github.com/aws/aws-sdk-go/service/cloudfront/cloudfrontiface/interface.go

@@ -0,0 +1,269 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+// Package cloudfrontiface provides an interface to enable mocking the Amazon CloudFront service client
+// for testing your code.
+//
+// It is important to note that this interface will have breaking changes
+// when the service model is updated and adds new API operations, paginators,
+// and waiters.
+package cloudfrontiface
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/service/cloudfront"
+)
+
+// CloudFrontAPI provides an interface to enable mocking the
+// cloudfront.CloudFront service client's API operation,
+// paginators, and waiters. This make unit testing your code that calls out
+// to the SDK's service client's calls easier.
+//
+// The best way to use this interface is so the SDK's service client's calls
+// can be stubbed out for unit testing your code with the SDK without needing
+// to inject custom request handlers into the SDK's request pipeline.
+//
+//    // myFunc uses an SDK service client to make a request to
+//    // Amazon CloudFront.
+//    func myFunc(svc cloudfrontiface.CloudFrontAPI) bool {
+//        // Make svc.CreateCloudFrontOriginAccessIdentity request
+//    }
+//
+//    func main() {
+//        sess := session.New()
+//        svc := cloudfront.New(sess)
+//
+//        myFunc(svc)
+//    }
+//
+// In your _test.go file:
+//
+//    // Define a mock struct to be used in your unit tests of myFunc.
+//    type mockCloudFrontClient struct {
+//        cloudfrontiface.CloudFrontAPI
+//    }
+//    func (m *mockCloudFrontClient) CreateCloudFrontOriginAccessIdentity(input *cloudfront.CreateCloudFrontOriginAccessIdentityInput) (*cloudfront.CreateCloudFrontOriginAccessIdentityOutput, error) {
+//        // mock response/functionality
+//    }
+//
+//    func TestMyFunc(t *testing.T) {
+//        // Setup Test
+//        mockSvc := &mockCloudFrontClient{}
+//
+//        myfunc(mockSvc)
+//
+//        // Verify myFunc's functionality
+//    }
+//
+// It is important to note that this interface will have breaking changes
+// when the service model is updated and adds new API operations, paginators,
+// and waiters. Its suggested to use the pattern above for testing, or using
+// tooling to generate mocks to satisfy the interfaces.
+type CloudFrontAPI interface {
+	CreateCloudFrontOriginAccessIdentity(*cloudfront.CreateCloudFrontOriginAccessIdentityInput) (*cloudfront.CreateCloudFrontOriginAccessIdentityOutput, error)
+	CreateCloudFrontOriginAccessIdentityWithContext(aws.Context, *cloudfront.CreateCloudFrontOriginAccessIdentityInput, ...request.Option) (*cloudfront.CreateCloudFrontOriginAccessIdentityOutput, error)
+	CreateCloudFrontOriginAccessIdentityRequest(*cloudfront.CreateCloudFrontOriginAccessIdentityInput) (*request.Request, *cloudfront.CreateCloudFrontOriginAccessIdentityOutput)
+
+	CreateDistribution(*cloudfront.CreateDistributionInput) (*cloudfront.CreateDistributionOutput, error)
+	CreateDistributionWithContext(aws.Context, *cloudfront.CreateDistributionInput, ...request.Option) (*cloudfront.CreateDistributionOutput, error)
+	CreateDistributionRequest(*cloudfront.CreateDistributionInput) (*request.Request, *cloudfront.CreateDistributionOutput)
+
+	CreateDistributionWithTags(*cloudfront.CreateDistributionWithTagsInput) (*cloudfront.CreateDistributionWithTagsOutput, error)
+	CreateDistributionWithTagsWithContext(aws.Context, *cloudfront.CreateDistributionWithTagsInput, ...request.Option) (*cloudfront.CreateDistributionWithTagsOutput, error)
+	CreateDistributionWithTagsRequest(*cloudfront.CreateDistributionWithTagsInput) (*request.Request, *cloudfront.CreateDistributionWithTagsOutput)
+
+	CreateFieldLevelEncryptionConfig(*cloudfront.CreateFieldLevelEncryptionConfigInput) (*cloudfront.CreateFieldLevelEncryptionConfigOutput, error)
+	CreateFieldLevelEncryptionConfigWithContext(aws.Context, *cloudfront.CreateFieldLevelEncryptionConfigInput, ...request.Option) (*cloudfront.CreateFieldLevelEncryptionConfigOutput, error)
+	CreateFieldLevelEncryptionConfigRequest(*cloudfront.CreateFieldLevelEncryptionConfigInput) (*request.Request, *cloudfront.CreateFieldLevelEncryptionConfigOutput)
+
+	CreateFieldLevelEncryptionProfile(*cloudfront.CreateFieldLevelEncryptionProfileInput) (*cloudfront.CreateFieldLevelEncryptionProfileOutput, error)
+	CreateFieldLevelEncryptionProfileWithContext(aws.Context, *cloudfront.CreateFieldLevelEncryptionProfileInput, ...request.Option) (*cloudfront.CreateFieldLevelEncryptionProfileOutput, error)
+	CreateFieldLevelEncryptionProfileRequest(*cloudfront.CreateFieldLevelEncryptionProfileInput) (*request.Request, *cloudfront.CreateFieldLevelEncryptionProfileOutput)
+
+	CreateInvalidation(*cloudfront.CreateInvalidationInput) (*cloudfront.CreateInvalidationOutput, error)
+	CreateInvalidationWithContext(aws.Context, *cloudfront.CreateInvalidationInput, ...request.Option) (*cloudfront.CreateInvalidationOutput, error)
+	CreateInvalidationRequest(*cloudfront.CreateInvalidationInput) (*request.Request, *cloudfront.CreateInvalidationOutput)
+
+	CreatePublicKey(*cloudfront.CreatePublicKeyInput) (*cloudfront.CreatePublicKeyOutput, error)
+	CreatePublicKeyWithContext(aws.Context, *cloudfront.CreatePublicKeyInput, ...request.Option) (*cloudfront.CreatePublicKeyOutput, error)
+	CreatePublicKeyRequest(*cloudfront.CreatePublicKeyInput) (*request.Request, *cloudfront.CreatePublicKeyOutput)
+
+	CreateStreamingDistribution(*cloudfront.CreateStreamingDistributionInput) (*cloudfront.CreateStreamingDistributionOutput, error)
+	CreateStreamingDistributionWithContext(aws.Context, *cloudfront.CreateStreamingDistributionInput, ...request.Option) (*cloudfront.CreateStreamingDistributionOutput, error)
+	CreateStreamingDistributionRequest(*cloudfront.CreateStreamingDistributionInput) (*request.Request, *cloudfront.CreateStreamingDistributionOutput)
+
+	CreateStreamingDistributionWithTags(*cloudfront.CreateStreamingDistributionWithTagsInput) (*cloudfront.CreateStreamingDistributionWithTagsOutput, error)
+	CreateStreamingDistributionWithTagsWithContext(aws.Context, *cloudfront.CreateStreamingDistributionWithTagsInput, ...request.Option) (*cloudfront.CreateStreamingDistributionWithTagsOutput, error)
+	CreateStreamingDistributionWithTagsRequest(*cloudfront.CreateStreamingDistributionWithTagsInput) (*request.Request, *cloudfront.CreateStreamingDistributionWithTagsOutput)
+
+	DeleteCloudFrontOriginAccessIdentity(*cloudfront.DeleteCloudFrontOriginAccessIdentityInput) (*cloudfront.DeleteCloudFrontOriginAccessIdentityOutput, error)
+	DeleteCloudFrontOriginAccessIdentityWithContext(aws.Context, *cloudfront.DeleteCloudFrontOriginAccessIdentityInput, ...request.Option) (*cloudfront.DeleteCloudFrontOriginAccessIdentityOutput, error)
+	DeleteCloudFrontOriginAccessIdentityRequest(*cloudfront.DeleteCloudFrontOriginAccessIdentityInput) (*request.Request, *cloudfront.DeleteCloudFrontOriginAccessIdentityOutput)
+
+	DeleteDistribution(*cloudfront.DeleteDistributionInput) (*cloudfront.DeleteDistributionOutput, error)
+	DeleteDistributionWithContext(aws.Context, *cloudfront.DeleteDistributionInput, ...request.Option) (*cloudfront.DeleteDistributionOutput, error)
+	DeleteDistributionRequest(*cloudfront.DeleteDistributionInput) (*request.Request, *cloudfront.DeleteDistributionOutput)
+
+	DeleteFieldLevelEncryptionConfig(*cloudfront.DeleteFieldLevelEncryptionConfigInput) (*cloudfront.DeleteFieldLevelEncryptionConfigOutput, error)
+	DeleteFieldLevelEncryptionConfigWithContext(aws.Context, *cloudfront.DeleteFieldLevelEncryptionConfigInput, ...request.Option) (*cloudfront.DeleteFieldLevelEncryptionConfigOutput, error)
+	DeleteFieldLevelEncryptionConfigRequest(*cloudfront.DeleteFieldLevelEncryptionConfigInput) (*request.Request, *cloudfront.DeleteFieldLevelEncryptionConfigOutput)
+
+	DeleteFieldLevelEncryptionProfile(*cloudfront.DeleteFieldLevelEncryptionProfileInput) (*cloudfront.DeleteFieldLevelEncryptionProfileOutput, error)
+	DeleteFieldLevelEncryptionProfileWithContext(aws.Context, *cloudfront.DeleteFieldLevelEncryptionProfileInput, ...request.Option) (*cloudfront.DeleteFieldLevelEncryptionProfileOutput, error)
+	DeleteFieldLevelEncryptionProfileRequest(*cloudfront.DeleteFieldLevelEncryptionProfileInput) (*request.Request, *cloudfront.DeleteFieldLevelEncryptionProfileOutput)
+
+	DeletePublicKey(*cloudfront.DeletePublicKeyInput) (*cloudfront.DeletePublicKeyOutput, error)
+	DeletePublicKeyWithContext(aws.Context, *cloudfront.DeletePublicKeyInput, ...request.Option) (*cloudfront.DeletePublicKeyOutput, error)
+	DeletePublicKeyRequest(*cloudfront.DeletePublicKeyInput) (*request.Request, *cloudfront.DeletePublicKeyOutput)
+
+	DeleteServiceLinkedRole(*cloudfront.DeleteServiceLinkedRoleInput) (*cloudfront.DeleteServiceLinkedRoleOutput, error)
+	DeleteServiceLinkedRoleWithContext(aws.Context, *cloudfront.DeleteServiceLinkedRoleInput, ...request.Option) (*cloudfront.DeleteServiceLinkedRoleOutput, error)
+	DeleteServiceLinkedRoleRequest(*cloudfront.DeleteServiceLinkedRoleInput) (*request.Request, *cloudfront.DeleteServiceLinkedRoleOutput)
+
+	DeleteStreamingDistribution(*cloudfront.DeleteStreamingDistributionInput) (*cloudfront.DeleteStreamingDistributionOutput, error)
+	DeleteStreamingDistributionWithContext(aws.Context, *cloudfront.DeleteStreamingDistributionInput, ...request.Option) (*cloudfront.DeleteStreamingDistributionOutput, error)
+	DeleteStreamingDistributionRequest(*cloudfront.DeleteStreamingDistributionInput) (*request.Request, *cloudfront.DeleteStreamingDistributionOutput)
+
+	GetCloudFrontOriginAccessIdentity(*cloudfront.GetCloudFrontOriginAccessIdentityInput) (*cloudfront.GetCloudFrontOriginAccessIdentityOutput, error)
+	GetCloudFrontOriginAccessIdentityWithContext(aws.Context, *cloudfront.GetCloudFrontOriginAccessIdentityInput, ...request.Option) (*cloudfront.GetCloudFrontOriginAccessIdentityOutput, error)
+	GetCloudFrontOriginAccessIdentityRequest(*cloudfront.GetCloudFrontOriginAccessIdentityInput) (*request.Request, *cloudfront.GetCloudFrontOriginAccessIdentityOutput)
+
+	GetCloudFrontOriginAccessIdentityConfig(*cloudfront.GetCloudFrontOriginAccessIdentityConfigInput) (*cloudfront.GetCloudFrontOriginAccessIdentityConfigOutput, error)
+	GetCloudFrontOriginAccessIdentityConfigWithContext(aws.Context, *cloudfront.GetCloudFrontOriginAccessIdentityConfigInput, ...request.Option) (*cloudfront.GetCloudFrontOriginAccessIdentityConfigOutput, error)
+	GetCloudFrontOriginAccessIdentityConfigRequest(*cloudfront.GetCloudFrontOriginAccessIdentityConfigInput) (*request.Request, *cloudfront.GetCloudFrontOriginAccessIdentityConfigOutput)
+
+	GetDistribution(*cloudfront.GetDistributionInput) (*cloudfront.GetDistributionOutput, error)
+	GetDistributionWithContext(aws.Context, *cloudfront.GetDistributionInput, ...request.Option) (*cloudfront.GetDistributionOutput, error)
+	GetDistributionRequest(*cloudfront.GetDistributionInput) (*request.Request, *cloudfront.GetDistributionOutput)
+
+	GetDistributionConfig(*cloudfront.GetDistributionConfigInput) (*cloudfront.GetDistributionConfigOutput, error)
+	GetDistributionConfigWithContext(aws.Context, *cloudfront.GetDistributionConfigInput, ...request.Option) (*cloudfront.GetDistributionConfigOutput, error)
+	GetDistributionConfigRequest(*cloudfront.GetDistributionConfigInput) (*request.Request, *cloudfront.GetDistributionConfigOutput)
+
+	GetFieldLevelEncryption(*cloudfront.GetFieldLevelEncryptionInput) (*cloudfront.GetFieldLevelEncryptionOutput, error)
+	GetFieldLevelEncryptionWithContext(aws.Context, *cloudfront.GetFieldLevelEncryptionInput, ...request.Option) (*cloudfront.GetFieldLevelEncryptionOutput, error)
+	GetFieldLevelEncryptionRequest(*cloudfront.GetFieldLevelEncryptionInput) (*request.Request, *cloudfront.GetFieldLevelEncryptionOutput)
+
+	GetFieldLevelEncryptionConfig(*cloudfront.GetFieldLevelEncryptionConfigInput) (*cloudfront.GetFieldLevelEncryptionConfigOutput, error)
+	GetFieldLevelEncryptionConfigWithContext(aws.Context, *cloudfront.GetFieldLevelEncryptionConfigInput, ...request.Option) (*cloudfront.GetFieldLevelEncryptionConfigOutput, error)
+	GetFieldLevelEncryptionConfigRequest(*cloudfront.GetFieldLevelEncryptionConfigInput) (*request.Request, *cloudfront.GetFieldLevelEncryptionConfigOutput)
+
+	GetFieldLevelEncryptionProfile(*cloudfront.GetFieldLevelEncryptionProfileInput) (*cloudfront.GetFieldLevelEncryptionProfileOutput, error)
+	GetFieldLevelEncryptionProfileWithContext(aws.Context, *cloudfront.GetFieldLevelEncryptionProfileInput, ...request.Option) (*cloudfront.GetFieldLevelEncryptionProfileOutput, error)
+	GetFieldLevelEncryptionProfileRequest(*cloudfront.GetFieldLevelEncryptionProfileInput) (*request.Request, *cloudfront.GetFieldLevelEncryptionProfileOutput)
+
+	GetFieldLevelEncryptionProfileConfig(*cloudfront.GetFieldLevelEncryptionProfileConfigInput) (*cloudfront.GetFieldLevelEncryptionProfileConfigOutput, error)
+	GetFieldLevelEncryptionProfileConfigWithContext(aws.Context, *cloudfront.GetFieldLevelEncryptionProfileConfigInput, ...request.Option) (*cloudfront.GetFieldLevelEncryptionProfileConfigOutput, error)
+	GetFieldLevelEncryptionProfileConfigRequest(*cloudfront.GetFieldLevelEncryptionProfileConfigInput) (*request.Request, *cloudfront.GetFieldLevelEncryptionProfileConfigOutput)
+
+	GetInvalidation(*cloudfront.GetInvalidationInput) (*cloudfront.GetInvalidationOutput, error)
+	GetInvalidationWithContext(aws.Context, *cloudfront.GetInvalidationInput, ...request.Option) (*cloudfront.GetInvalidationOutput, error)
+	GetInvalidationRequest(*cloudfront.GetInvalidationInput) (*request.Request, *cloudfront.GetInvalidationOutput)
+
+	GetPublicKey(*cloudfront.GetPublicKeyInput) (*cloudfront.GetPublicKeyOutput, error)
+	GetPublicKeyWithContext(aws.Context, *cloudfront.GetPublicKeyInput, ...request.Option) (*cloudfront.GetPublicKeyOutput, error)
+	GetPublicKeyRequest(*cloudfront.GetPublicKeyInput) (*request.Request, *cloudfront.GetPublicKeyOutput)
+
+	GetPublicKeyConfig(*cloudfront.GetPublicKeyConfigInput) (*cloudfront.GetPublicKeyConfigOutput, error)
+	GetPublicKeyConfigWithContext(aws.Context, *cloudfront.GetPublicKeyConfigInput, ...request.Option) (*cloudfront.GetPublicKeyConfigOutput, error)
+	GetPublicKeyConfigRequest(*cloudfront.GetPublicKeyConfigInput) (*request.Request, *cloudfront.GetPublicKeyConfigOutput)
+
+	GetStreamingDistribution(*cloudfront.GetStreamingDistributionInput) (*cloudfront.GetStreamingDistributionOutput, error)
+	GetStreamingDistributionWithContext(aws.Context, *cloudfront.GetStreamingDistributionInput, ...request.Option) (*cloudfront.GetStreamingDistributionOutput, error)
+	GetStreamingDistributionRequest(*cloudfront.GetStreamingDistributionInput) (*request.Request, *cloudfront.GetStreamingDistributionOutput)
+
+	GetStreamingDistributionConfig(*cloudfront.GetStreamingDistributionConfigInput) (*cloudfront.GetStreamingDistributionConfigOutput, error)
+	GetStreamingDistributionConfigWithContext(aws.Context, *cloudfront.GetStreamingDistributionConfigInput, ...request.Option) (*cloudfront.GetStreamingDistributionConfigOutput, error)
+	GetStreamingDistributionConfigRequest(*cloudfront.GetStreamingDistributionConfigInput) (*request.Request, *cloudfront.GetStreamingDistributionConfigOutput)
+
+	ListCloudFrontOriginAccessIdentities(*cloudfront.ListCloudFrontOriginAccessIdentitiesInput) (*cloudfront.ListCloudFrontOriginAccessIdentitiesOutput, error)
+	ListCloudFrontOriginAccessIdentitiesWithContext(aws.Context, *cloudfront.ListCloudFrontOriginAccessIdentitiesInput, ...request.Option) (*cloudfront.ListCloudFrontOriginAccessIdentitiesOutput, error)
+	ListCloudFrontOriginAccessIdentitiesRequest(*cloudfront.ListCloudFrontOriginAccessIdentitiesInput) (*request.Request, *cloudfront.ListCloudFrontOriginAccessIdentitiesOutput)
+
+	ListCloudFrontOriginAccessIdentitiesPages(*cloudfront.ListCloudFrontOriginAccessIdentitiesInput, func(*cloudfront.ListCloudFrontOriginAccessIdentitiesOutput, bool) bool) error
+	ListCloudFrontOriginAccessIdentitiesPagesWithContext(aws.Context, *cloudfront.ListCloudFrontOriginAccessIdentitiesInput, func(*cloudfront.ListCloudFrontOriginAccessIdentitiesOutput, bool) bool, ...request.Option) error
+
+	ListDistributions(*cloudfront.ListDistributionsInput) (*cloudfront.ListDistributionsOutput, error)
+	ListDistributionsWithContext(aws.Context, *cloudfront.ListDistributionsInput, ...request.Option) (*cloudfront.ListDistributionsOutput, error)
+	ListDistributionsRequest(*cloudfront.ListDistributionsInput) (*request.Request, *cloudfront.ListDistributionsOutput)
+
+	ListDistributionsPages(*cloudfront.ListDistributionsInput, func(*cloudfront.ListDistributionsOutput, bool) bool) error
+	ListDistributionsPagesWithContext(aws.Context, *cloudfront.ListDistributionsInput, func(*cloudfront.ListDistributionsOutput, bool) bool, ...request.Option) error
+
+	ListDistributionsByWebACLId(*cloudfront.ListDistributionsByWebACLIdInput) (*cloudfront.ListDistributionsByWebACLIdOutput, error)
+	ListDistributionsByWebACLIdWithContext(aws.Context, *cloudfront.ListDistributionsByWebACLIdInput, ...request.Option) (*cloudfront.ListDistributionsByWebACLIdOutput, error)
+	ListDistributionsByWebACLIdRequest(*cloudfront.ListDistributionsByWebACLIdInput) (*request.Request, *cloudfront.ListDistributionsByWebACLIdOutput)
+
+	ListFieldLevelEncryptionConfigs(*cloudfront.ListFieldLevelEncryptionConfigsInput) (*cloudfront.ListFieldLevelEncryptionConfigsOutput, error)
+	ListFieldLevelEncryptionConfigsWithContext(aws.Context, *cloudfront.ListFieldLevelEncryptionConfigsInput, ...request.Option) (*cloudfront.ListFieldLevelEncryptionConfigsOutput, error)
+	ListFieldLevelEncryptionConfigsRequest(*cloudfront.ListFieldLevelEncryptionConfigsInput) (*request.Request, *cloudfront.ListFieldLevelEncryptionConfigsOutput)
+
+	ListFieldLevelEncryptionProfiles(*cloudfront.ListFieldLevelEncryptionProfilesInput) (*cloudfront.ListFieldLevelEncryptionProfilesOutput, error)
+	ListFieldLevelEncryptionProfilesWithContext(aws.Context, *cloudfront.ListFieldLevelEncryptionProfilesInput, ...request.Option) (*cloudfront.ListFieldLevelEncryptionProfilesOutput, error)
+	ListFieldLevelEncryptionProfilesRequest(*cloudfront.ListFieldLevelEncryptionProfilesInput) (*request.Request, *cloudfront.ListFieldLevelEncryptionProfilesOutput)
+
+	ListInvalidations(*cloudfront.ListInvalidationsInput) (*cloudfront.ListInvalidationsOutput, error)
+	ListInvalidationsWithContext(aws.Context, *cloudfront.ListInvalidationsInput, ...request.Option) (*cloudfront.ListInvalidationsOutput, error)
+	ListInvalidationsRequest(*cloudfront.ListInvalidationsInput) (*request.Request, *cloudfront.ListInvalidationsOutput)
+
+	ListInvalidationsPages(*cloudfront.ListInvalidationsInput, func(*cloudfront.ListInvalidationsOutput, bool) bool) error
+	ListInvalidationsPagesWithContext(aws.Context, *cloudfront.ListInvalidationsInput, func(*cloudfront.ListInvalidationsOutput, bool) bool, ...request.Option) error
+
+	ListPublicKeys(*cloudfront.ListPublicKeysInput) (*cloudfront.ListPublicKeysOutput, error)
+	ListPublicKeysWithContext(aws.Context, *cloudfront.ListPublicKeysInput, ...request.Option) (*cloudfront.ListPublicKeysOutput, error)
+	ListPublicKeysRequest(*cloudfront.ListPublicKeysInput) (*request.Request, *cloudfront.ListPublicKeysOutput)
+
+	ListStreamingDistributions(*cloudfront.ListStreamingDistributionsInput) (*cloudfront.ListStreamingDistributionsOutput, error)
+	ListStreamingDistributionsWithContext(aws.Context, *cloudfront.ListStreamingDistributionsInput, ...request.Option) (*cloudfront.ListStreamingDistributionsOutput, error)
+	ListStreamingDistributionsRequest(*cloudfront.ListStreamingDistributionsInput) (*request.Request, *cloudfront.ListStreamingDistributionsOutput)
+
+	ListStreamingDistributionsPages(*cloudfront.ListStreamingDistributionsInput, func(*cloudfront.ListStreamingDistributionsOutput, bool) bool) error
+	ListStreamingDistributionsPagesWithContext(aws.Context, *cloudfront.ListStreamingDistributionsInput, func(*cloudfront.ListStreamingDistributionsOutput, bool) bool, ...request.Option) error
+
+	ListTagsForResource(*cloudfront.ListTagsForResourceInput) (*cloudfront.ListTagsForResourceOutput, error)
+	ListTagsForResourceWithContext(aws.Context, *cloudfront.ListTagsForResourceInput, ...request.Option) (*cloudfront.ListTagsForResourceOutput, error)
+	ListTagsForResourceRequest(*cloudfront.ListTagsForResourceInput) (*request.Request, *cloudfront.ListTagsForResourceOutput)
+
+	TagResource(*cloudfront.TagResourceInput) (*cloudfront.TagResourceOutput, error)
+	TagResourceWithContext(aws.Context, *cloudfront.TagResourceInput, ...request.Option) (*cloudfront.TagResourceOutput, error)
+	TagResourceRequest(*cloudfront.TagResourceInput) (*request.Request, *cloudfront.TagResourceOutput)
+
+	UntagResource(*cloudfront.UntagResourceInput) (*cloudfront.UntagResourceOutput, error)
+	UntagResourceWithContext(aws.Context, *cloudfront.UntagResourceInput, ...request.Option) (*cloudfront.UntagResourceOutput, error)
+	UntagResourceRequest(*cloudfront.UntagResourceInput) (*request.Request, *cloudfront.UntagResourceOutput)
+
+	UpdateCloudFrontOriginAccessIdentity(*cloudfront.UpdateCloudFrontOriginAccessIdentityInput) (*cloudfront.UpdateCloudFrontOriginAccessIdentityOutput, error)
+	UpdateCloudFrontOriginAccessIdentityWithContext(aws.Context, *cloudfront.UpdateCloudFrontOriginAccessIdentityInput, ...request.Option) (*cloudfront.UpdateCloudFrontOriginAccessIdentityOutput, error)
+	UpdateCloudFrontOriginAccessIdentityRequest(*cloudfront.UpdateCloudFrontOriginAccessIdentityInput) (*request.Request, *cloudfront.UpdateCloudFrontOriginAccessIdentityOutput)
+
+	UpdateDistribution(*cloudfront.UpdateDistributionInput) (*cloudfront.UpdateDistributionOutput, error)
+	UpdateDistributionWithContext(aws.Context, *cloudfront.UpdateDistributionInput, ...request.Option) (*cloudfront.UpdateDistributionOutput, error)
+	UpdateDistributionRequest(*cloudfront.UpdateDistributionInput) (*request.Request, *cloudfront.UpdateDistributionOutput)
+
+	UpdateFieldLevelEncryptionConfig(*cloudfront.UpdateFieldLevelEncryptionConfigInput) (*cloudfront.UpdateFieldLevelEncryptionConfigOutput, error)
+	UpdateFieldLevelEncryptionConfigWithContext(aws.Context, *cloudfront.UpdateFieldLevelEncryptionConfigInput, ...request.Option) (*cloudfront.UpdateFieldLevelEncryptionConfigOutput, error)
+	UpdateFieldLevelEncryptionConfigRequest(*cloudfront.UpdateFieldLevelEncryptionConfigInput) (*request.Request, *cloudfront.UpdateFieldLevelEncryptionConfigOutput)
+
+	UpdateFieldLevelEncryptionProfile(*cloudfront.UpdateFieldLevelEncryptionProfileInput) (*cloudfront.UpdateFieldLevelEncryptionProfileOutput, error)
+	UpdateFieldLevelEncryptionProfileWithContext(aws.Context, *cloudfront.UpdateFieldLevelEncryptionProfileInput, ...request.Option) (*cloudfront.UpdateFieldLevelEncryptionProfileOutput, error)
+	UpdateFieldLevelEncryptionProfileRequest(*cloudfront.UpdateFieldLevelEncryptionProfileInput) (*request.Request, *cloudfront.UpdateFieldLevelEncryptionProfileOutput)
+
+	UpdatePublicKey(*cloudfront.UpdatePublicKeyInput) (*cloudfront.UpdatePublicKeyOutput, error)
+	UpdatePublicKeyWithContext(aws.Context, *cloudfront.UpdatePublicKeyInput, ...request.Option) (*cloudfront.UpdatePublicKeyOutput, error)
+	UpdatePublicKeyRequest(*cloudfront.UpdatePublicKeyInput) (*request.Request, *cloudfront.UpdatePublicKeyOutput)
+
+	UpdateStreamingDistribution(*cloudfront.UpdateStreamingDistributionInput) (*cloudfront.UpdateStreamingDistributionOutput, error)
+	UpdateStreamingDistributionWithContext(aws.Context, *cloudfront.UpdateStreamingDistributionInput, ...request.Option) (*cloudfront.UpdateStreamingDistributionOutput, error)
+	UpdateStreamingDistributionRequest(*cloudfront.UpdateStreamingDistributionInput) (*request.Request, *cloudfront.UpdateStreamingDistributionOutput)
+
+	WaitUntilDistributionDeployed(*cloudfront.GetDistributionInput) error
+	WaitUntilDistributionDeployedWithContext(aws.Context, *cloudfront.GetDistributionInput, ...request.WaiterOption) error
+
+	WaitUntilInvalidationCompleted(*cloudfront.GetInvalidationInput) error
+	WaitUntilInvalidationCompletedWithContext(aws.Context, *cloudfront.GetInvalidationInput, ...request.WaiterOption) error
+
+	WaitUntilStreamingDistributionDeployed(*cloudfront.GetStreamingDistributionInput) error
+	WaitUntilStreamingDistributionDeployedWithContext(aws.Context, *cloudfront.GetStreamingDistributionInput, ...request.WaiterOption) error
+}
+
+var _ CloudFrontAPI = (*cloudfront.CloudFront)(nil)

vendor/github.com/aws/aws-sdk-go/service/cloudfront/doc.go

@@ -0,0 +1,31 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+// Package cloudfront provides the client and types for making API
+// requests to Amazon CloudFront.
+//
+// This is the Amazon CloudFront API Reference. This guide is for developers
+// who need detailed information about CloudFront API actions, data types, and
+// errors. For detailed information about CloudFront features, see the Amazon
+// CloudFront Developer Guide.
+//
+// See https://docs.aws.amazon.com/goto/WebAPI/cloudfront-2017-10-30 for more information on this service.
+//
+// See cloudfront package documentation for more information.
+// https://docs.aws.amazon.com/sdk-for-go/api/service/cloudfront/
+//
+// Using the Client
+//
+// To contact Amazon CloudFront with the SDK use the New function to create
+// a new service client. With that client you can make API requests to the service.
+// These clients are safe to use concurrently.
+//
+// See the SDK's documentation for more information on how to use the SDK.
+// https://docs.aws.amazon.com/sdk-for-go/api/
+//
+// See aws.Config documentation for more information on configuring SDK clients.
+// https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config
+//
+// See the Amazon CloudFront client CloudFront for more
+// information on creating client for this service.
+// https://docs.aws.amazon.com/sdk-for-go/api/service/cloudfront/#New
+package cloudfront

vendor/github.com/aws/aws-sdk-go/service/cloudfront/errors.go

@@ -0,0 +1,471 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package cloudfront
+
+const (
+
+	// ErrCodeAccessDenied for service response error code
+	// "AccessDenied".
+	//
+	// Access denied.
+	ErrCodeAccessDenied = "AccessDenied"
+
+	// ErrCodeBatchTooLarge for service response error code
+	// "BatchTooLarge".
+	ErrCodeBatchTooLarge = "BatchTooLarge"
+
+	// ErrCodeCNAMEAlreadyExists for service response error code
+	// "CNAMEAlreadyExists".
+	ErrCodeCNAMEAlreadyExists = "CNAMEAlreadyExists"
+
+	// ErrCodeCannotChangeImmutablePublicKeyFields for service response error code
+	// "CannotChangeImmutablePublicKeyFields".
+	//
+	// You can't change the value of a public key.
+	ErrCodeCannotChangeImmutablePublicKeyFields = "CannotChangeImmutablePublicKeyFields"
+
+	// ErrCodeDistributionAlreadyExists for service response error code
+	// "DistributionAlreadyExists".
+	//
+	// The caller reference you attempted to create the distribution with is associated
+	// with another distribution.
+	ErrCodeDistributionAlreadyExists = "DistributionAlreadyExists"
+
+	// ErrCodeDistributionNotDisabled for service response error code
+	// "DistributionNotDisabled".
+	ErrCodeDistributionNotDisabled = "DistributionNotDisabled"
+
+	// ErrCodeFieldLevelEncryptionConfigAlreadyExists for service response error code
+	// "FieldLevelEncryptionConfigAlreadyExists".
+	//
+	// The specified configuration for field-level encryption already exists.
+	ErrCodeFieldLevelEncryptionConfigAlreadyExists = "FieldLevelEncryptionConfigAlreadyExists"
+
+	// ErrCodeFieldLevelEncryptionConfigInUse for service response error code
+	// "FieldLevelEncryptionConfigInUse".
+	//
+	// The specified configuration for field-level encryption is in use.
+	ErrCodeFieldLevelEncryptionConfigInUse = "FieldLevelEncryptionConfigInUse"
+
+	// ErrCodeFieldLevelEncryptionProfileAlreadyExists for service response error code
+	// "FieldLevelEncryptionProfileAlreadyExists".
+	//
+	// The specified profile for field-level encryption already exists.
+	ErrCodeFieldLevelEncryptionProfileAlreadyExists = "FieldLevelEncryptionProfileAlreadyExists"
+
+	// ErrCodeFieldLevelEncryptionProfileInUse for service response error code
+	// "FieldLevelEncryptionProfileInUse".
+	//
+	// The specified profile for field-level encryption is in use.
+	ErrCodeFieldLevelEncryptionProfileInUse = "FieldLevelEncryptionProfileInUse"
+
+	// ErrCodeFieldLevelEncryptionProfileSizeExceeded for service response error code
+	// "FieldLevelEncryptionProfileSizeExceeded".
+	//
+	// The maximum size of a profile for field-level encryption was exceeded.
+	ErrCodeFieldLevelEncryptionProfileSizeExceeded = "FieldLevelEncryptionProfileSizeExceeded"
+
+	// ErrCodeIllegalFieldLevelEncryptionConfigAssociationWithCacheBehavior for service response error code
+	// "IllegalFieldLevelEncryptionConfigAssociationWithCacheBehavior".
+	//
+	// The specified configuration for field-level encryption can't be associated
+	// with the specified cache behavior.
+	ErrCodeIllegalFieldLevelEncryptionConfigAssociationWithCacheBehavior = "IllegalFieldLevelEncryptionConfigAssociationWithCacheBehavior"
+
+	// ErrCodeIllegalUpdate for service response error code
+	// "IllegalUpdate".
+	//
+	// Origin and CallerReference cannot be updated.
+	ErrCodeIllegalUpdate = "IllegalUpdate"
+
+	// ErrCodeInconsistentQuantities for service response error code
+	// "InconsistentQuantities".
+	//
+	// The value of Quantity and the size of Items don't match.
+	ErrCodeInconsistentQuantities = "InconsistentQuantities"
+
+	// ErrCodeInvalidArgument for service response error code
+	// "InvalidArgument".
+	//
+	// The argument is invalid.
+	ErrCodeInvalidArgument = "InvalidArgument"
+
+	// ErrCodeInvalidDefaultRootObject for service response error code
+	// "InvalidDefaultRootObject".
+	//
+	// The default root object file name is too big or contains an invalid character.
+	ErrCodeInvalidDefaultRootObject = "InvalidDefaultRootObject"
+
+	// ErrCodeInvalidErrorCode for service response error code
+	// "InvalidErrorCode".
+	ErrCodeInvalidErrorCode = "InvalidErrorCode"
+
+	// ErrCodeInvalidForwardCookies for service response error code
+	// "InvalidForwardCookies".
+	//
+	// Your request contains forward cookies option which doesn't match with the
+	// expectation for the whitelisted list of cookie names. Either list of cookie
+	// names has been specified when not allowed or list of cookie names is missing
+	// when expected.
+	ErrCodeInvalidForwardCookies = "InvalidForwardCookies"
+
+	// ErrCodeInvalidGeoRestrictionParameter for service response error code
+	// "InvalidGeoRestrictionParameter".
+	ErrCodeInvalidGeoRestrictionParameter = "InvalidGeoRestrictionParameter"
+
+	// ErrCodeInvalidHeadersForS3Origin for service response error code
+	// "InvalidHeadersForS3Origin".
+	ErrCodeInvalidHeadersForS3Origin = "InvalidHeadersForS3Origin"
+
+	// ErrCodeInvalidIfMatchVersion for service response error code
+	// "InvalidIfMatchVersion".
+	//
+	// The If-Match version is missing or not valid for the distribution.
+	ErrCodeInvalidIfMatchVersion = "InvalidIfMatchVersion"
+
+	// ErrCodeInvalidLambdaFunctionAssociation for service response error code
+	// "InvalidLambdaFunctionAssociation".
+	//
+	// The specified Lambda function association is invalid.
+	ErrCodeInvalidLambdaFunctionAssociation = "InvalidLambdaFunctionAssociation"
+
+	// ErrCodeInvalidLocationCode for service response error code
+	// "InvalidLocationCode".
+	ErrCodeInvalidLocationCode = "InvalidLocationCode"
+
+	// ErrCodeInvalidMinimumProtocolVersion for service response error code
+	// "InvalidMinimumProtocolVersion".
+	ErrCodeInvalidMinimumProtocolVersion = "InvalidMinimumProtocolVersion"
+
+	// ErrCodeInvalidOrigin for service response error code
+	// "InvalidOrigin".
+	//
+	// The Amazon S3 origin server specified does not refer to a valid Amazon S3
+	// bucket.
+	ErrCodeInvalidOrigin = "InvalidOrigin"
+
+	// ErrCodeInvalidOriginAccessIdentity for service response error code
+	// "InvalidOriginAccessIdentity".
+	//
+	// The origin access identity is not valid or doesn't exist.
+	ErrCodeInvalidOriginAccessIdentity = "InvalidOriginAccessIdentity"
+
+	// ErrCodeInvalidOriginKeepaliveTimeout for service response error code
+	// "InvalidOriginKeepaliveTimeout".
+	ErrCodeInvalidOriginKeepaliveTimeout = "InvalidOriginKeepaliveTimeout"
+
+	// ErrCodeInvalidOriginReadTimeout for service response error code
+	// "InvalidOriginReadTimeout".
+	ErrCodeInvalidOriginReadTimeout = "InvalidOriginReadTimeout"
+
+	// ErrCodeInvalidProtocolSettings for service response error code
+	// "InvalidProtocolSettings".
+	//
+	// You cannot specify SSLv3 as the minimum protocol version if you only want
+	// to support only clients that support Server Name Indication (SNI).
+	ErrCodeInvalidProtocolSettings = "InvalidProtocolSettings"
+
+	// ErrCodeInvalidQueryStringParameters for service response error code
+	// "InvalidQueryStringParameters".
+	ErrCodeInvalidQueryStringParameters = "InvalidQueryStringParameters"
+
+	// ErrCodeInvalidRelativePath for service response error code
+	// "InvalidRelativePath".
+	//
+	// The relative path is too big, is not URL-encoded, or does not begin with
+	// a slash (/).
+	ErrCodeInvalidRelativePath = "InvalidRelativePath"
+
+	// ErrCodeInvalidRequiredProtocol for service response error code
+	// "InvalidRequiredProtocol".
+	//
+	// This operation requires the HTTPS protocol. Ensure that you specify the HTTPS
+	// protocol in your request, or omit the RequiredProtocols element from your
+	// distribution configuration.
+	ErrCodeInvalidRequiredProtocol = "InvalidRequiredProtocol"
+
+	// ErrCodeInvalidResponseCode for service response error code
+	// "InvalidResponseCode".
+	ErrCodeInvalidResponseCode = "InvalidResponseCode"
+
+	// ErrCodeInvalidTTLOrder for service response error code
+	// "InvalidTTLOrder".
+	ErrCodeInvalidTTLOrder = "InvalidTTLOrder"
+
+	// ErrCodeInvalidTagging for service response error code
+	// "InvalidTagging".
+	ErrCodeInvalidTagging = "InvalidTagging"
+
+	// ErrCodeInvalidViewerCertificate for service response error code
+	// "InvalidViewerCertificate".
+	ErrCodeInvalidViewerCertificate = "InvalidViewerCertificate"
+
+	// ErrCodeInvalidWebACLId for service response error code
+	// "InvalidWebACLId".
+	ErrCodeInvalidWebACLId = "InvalidWebACLId"
+
+	// ErrCodeMissingBody for service response error code
+	// "MissingBody".
+	//
+	// This operation requires a body. Ensure that the body is present and the Content-Type
+	// header is set.
+	ErrCodeMissingBody = "MissingBody"
+
+	// ErrCodeNoSuchCloudFrontOriginAccessIdentity for service response error code
+	// "NoSuchCloudFrontOriginAccessIdentity".
+	//
+	// The specified origin access identity does not exist.
+	ErrCodeNoSuchCloudFrontOriginAccessIdentity = "NoSuchCloudFrontOriginAccessIdentity"
+
+	// ErrCodeNoSuchDistribution for service response error code
+	// "NoSuchDistribution".
+	//
+	// The specified distribution does not exist.
+	ErrCodeNoSuchDistribution = "NoSuchDistribution"
+
+	// ErrCodeNoSuchFieldLevelEncryptionConfig for service response error code
+	// "NoSuchFieldLevelEncryptionConfig".
+	//
+	// The specified configuration for field-level encryption doesn't exist.
+	ErrCodeNoSuchFieldLevelEncryptionConfig = "NoSuchFieldLevelEncryptionConfig"
+
+	// ErrCodeNoSuchFieldLevelEncryptionProfile for service response error code
+	// "NoSuchFieldLevelEncryptionProfile".
+	//
+	// The specified profile for field-level encryption doesn't exist.
+	ErrCodeNoSuchFieldLevelEncryptionProfile = "NoSuchFieldLevelEncryptionProfile"
+
+	// ErrCodeNoSuchInvalidation for service response error code
+	// "NoSuchInvalidation".
+	//
+	// The specified invalidation does not exist.
+	ErrCodeNoSuchInvalidation = "NoSuchInvalidation"
+
+	// ErrCodeNoSuchOrigin for service response error code
+	// "NoSuchOrigin".
+	//
+	// No origin exists with the specified Origin Id.
+	ErrCodeNoSuchOrigin = "NoSuchOrigin"
+
+	// ErrCodeNoSuchPublicKey for service response error code
+	// "NoSuchPublicKey".
+	//
+	// The specified public key doesn't exist.
+	ErrCodeNoSuchPublicKey = "NoSuchPublicKey"
+
+	// ErrCodeNoSuchResource for service response error code
+	// "NoSuchResource".
+	ErrCodeNoSuchResource = "NoSuchResource"
+
+	// ErrCodeNoSuchStreamingDistribution for service response error code
+	// "NoSuchStreamingDistribution".
+	//
+	// The specified streaming distribution does not exist.
+	ErrCodeNoSuchStreamingDistribution = "NoSuchStreamingDistribution"
+
+	// ErrCodeOriginAccessIdentityAlreadyExists for service response error code
+	// "OriginAccessIdentityAlreadyExists".
+	//
+	// If the CallerReference is a value you already sent in a previous request
+	// to create an identity but the content of the CloudFrontOriginAccessIdentityConfig
+	// is different from the original request, CloudFront returns a CloudFrontOriginAccessIdentityAlreadyExists
+	// error.
+	ErrCodeOriginAccessIdentityAlreadyExists = "OriginAccessIdentityAlreadyExists"
+
+	// ErrCodeOriginAccessIdentityInUse for service response error code
+	// "OriginAccessIdentityInUse".
+	ErrCodeOriginAccessIdentityInUse = "OriginAccessIdentityInUse"
+
+	// ErrCodePreconditionFailed for service response error code
+	// "PreconditionFailed".
+	//
+	// The precondition given in one or more of the request-header fields evaluated
+	// to false.
+	ErrCodePreconditionFailed = "PreconditionFailed"
+
+	// ErrCodePublicKeyAlreadyExists for service response error code
+	// "PublicKeyAlreadyExists".
+	//
+	// The specified public key already exists.
+	ErrCodePublicKeyAlreadyExists = "PublicKeyAlreadyExists"
+
+	// ErrCodePublicKeyInUse for service response error code
+	// "PublicKeyInUse".
+	//
+	// The specified public key is in use.
+	ErrCodePublicKeyInUse = "PublicKeyInUse"
+
+	// ErrCodeQueryArgProfileEmpty for service response error code
+	// "QueryArgProfileEmpty".
+	//
+	// No profile specified for the field-level encryption query argument.
+	ErrCodeQueryArgProfileEmpty = "QueryArgProfileEmpty"
+
+	// ErrCodeResourceInUse for service response error code
+	// "ResourceInUse".
+	ErrCodeResourceInUse = "ResourceInUse"
+
+	// ErrCodeStreamingDistributionAlreadyExists for service response error code
+	// "StreamingDistributionAlreadyExists".
+	ErrCodeStreamingDistributionAlreadyExists = "StreamingDistributionAlreadyExists"
+
+	// ErrCodeStreamingDistributionNotDisabled for service response error code
+	// "StreamingDistributionNotDisabled".
+	ErrCodeStreamingDistributionNotDisabled = "StreamingDistributionNotDisabled"
+
+	// ErrCodeTooManyCacheBehaviors for service response error code
+	// "TooManyCacheBehaviors".
+	//
+	// You cannot create more cache behaviors for the distribution.
+	ErrCodeTooManyCacheBehaviors = "TooManyCacheBehaviors"
+
+	// ErrCodeTooManyCertificates for service response error code
+	// "TooManyCertificates".
+	//
+	// You cannot create anymore custom SSL/TLS certificates.
+	ErrCodeTooManyCertificates = "TooManyCertificates"
+
+	// ErrCodeTooManyCloudFrontOriginAccessIdentities for service response error code
+	// "TooManyCloudFrontOriginAccessIdentities".
+	//
+	// Processing your request would cause you to exceed the maximum number of origin
+	// access identities allowed.
+	ErrCodeTooManyCloudFrontOriginAccessIdentities = "TooManyCloudFrontOriginAccessIdentities"
+
+	// ErrCodeTooManyCookieNamesInWhiteList for service response error code
+	// "TooManyCookieNamesInWhiteList".
+	//
+	// Your request contains more cookie names in the whitelist than are allowed
+	// per cache behavior.
+	ErrCodeTooManyCookieNamesInWhiteList = "TooManyCookieNamesInWhiteList"
+
+	// ErrCodeTooManyDistributionCNAMEs for service response error code
+	// "TooManyDistributionCNAMEs".
+	//
+	// Your request contains more CNAMEs than are allowed per distribution.
+	ErrCodeTooManyDistributionCNAMEs = "TooManyDistributionCNAMEs"
+
+	// ErrCodeTooManyDistributions for service response error code
+	// "TooManyDistributions".
+	//
+	// Processing your request would cause you to exceed the maximum number of distributions
+	// allowed.
+	ErrCodeTooManyDistributions = "TooManyDistributions"
+
+	// ErrCodeTooManyDistributionsAssociatedToFieldLevelEncryptionConfig for service response error code
+	// "TooManyDistributionsAssociatedToFieldLevelEncryptionConfig".
+	//
+	// The maximum number of distributions have been associated with the specified
+	// configuration for field-level encryption.
+	ErrCodeTooManyDistributionsAssociatedToFieldLevelEncryptionConfig = "TooManyDistributionsAssociatedToFieldLevelEncryptionConfig"
+
+	// ErrCodeTooManyDistributionsWithLambdaAssociations for service response error code
+	// "TooManyDistributionsWithLambdaAssociations".
+	//
+	// Processing your request would cause the maximum number of distributions with
+	// Lambda function associations per owner to be exceeded.
+	ErrCodeTooManyDistributionsWithLambdaAssociations = "TooManyDistributionsWithLambdaAssociations"
+
+	// ErrCodeTooManyFieldLevelEncryptionConfigs for service response error code
+	// "TooManyFieldLevelEncryptionConfigs".
+	//
+	// The maximum number of configurations for field-level encryption have been
+	// created.
+	ErrCodeTooManyFieldLevelEncryptionConfigs = "TooManyFieldLevelEncryptionConfigs"
+
+	// ErrCodeTooManyFieldLevelEncryptionContentTypeProfiles for service response error code
+	// "TooManyFieldLevelEncryptionContentTypeProfiles".
+	//
+	// The maximum number of content type profiles for field-level encryption have
+	// been created.
+	ErrCodeTooManyFieldLevelEncryptionContentTypeProfiles = "TooManyFieldLevelEncryptionContentTypeProfiles"
+
+	// ErrCodeTooManyFieldLevelEncryptionEncryptionEntities for service response error code
+	// "TooManyFieldLevelEncryptionEncryptionEntities".
+	//
+	// The maximum number of encryption entities for field-level encryption have
+	// been created.
+	ErrCodeTooManyFieldLevelEncryptionEncryptionEntities = "TooManyFieldLevelEncryptionEncryptionEntities"
+
+	// ErrCodeTooManyFieldLevelEncryptionFieldPatterns for service response error code
+	// "TooManyFieldLevelEncryptionFieldPatterns".
+	//
+	// The maximum number of field patterns for field-level encryption have been
+	// created.
+	ErrCodeTooManyFieldLevelEncryptionFieldPatterns = "TooManyFieldLevelEncryptionFieldPatterns"
+
+	// ErrCodeTooManyFieldLevelEncryptionProfiles for service response error code
+	// "TooManyFieldLevelEncryptionProfiles".
+	//
+	// The maximum number of profiles for field-level encryption have been created.
+	ErrCodeTooManyFieldLevelEncryptionProfiles = "TooManyFieldLevelEncryptionProfiles"
+
+	// ErrCodeTooManyFieldLevelEncryptionQueryArgProfiles for service response error code
+	// "TooManyFieldLevelEncryptionQueryArgProfiles".
+	//
+	// The maximum number of query arg profiles for field-level encryption have
+	// been created.
+	ErrCodeTooManyFieldLevelEncryptionQueryArgProfiles = "TooManyFieldLevelEncryptionQueryArgProfiles"
+
+	// ErrCodeTooManyHeadersInForwardedValues for service response error code
+	// "TooManyHeadersInForwardedValues".
+	ErrCodeTooManyHeadersInForwardedValues = "TooManyHeadersInForwardedValues"
+
+	// ErrCodeTooManyInvalidationsInProgress for service response error code
+	// "TooManyInvalidationsInProgress".
+	//
+	// You have exceeded the maximum number of allowable InProgress invalidation
+	// batch requests, or invalidation objects.
+	ErrCodeTooManyInvalidationsInProgress = "TooManyInvalidationsInProgress"
+
+	// ErrCodeTooManyLambdaFunctionAssociations for service response error code
+	// "TooManyLambdaFunctionAssociations".
+	//
+	// Your request contains more Lambda function associations than are allowed
+	// per distribution.
+	ErrCodeTooManyLambdaFunctionAssociations = "TooManyLambdaFunctionAssociations"
+
+	// ErrCodeTooManyOriginCustomHeaders for service response error code
+	// "TooManyOriginCustomHeaders".
+	ErrCodeTooManyOriginCustomHeaders = "TooManyOriginCustomHeaders"
+
+	// ErrCodeTooManyOrigins for service response error code
+	// "TooManyOrigins".
+	//
+	// You cannot create more origins for the distribution.
+	ErrCodeTooManyOrigins = "TooManyOrigins"
+
+	// ErrCodeTooManyPublicKeys for service response error code
+	// "TooManyPublicKeys".
+	//
+	// The maximum number of public keys for field-level encryption have been created.
+	// To create a new public key, delete one of the existing keys.
+	ErrCodeTooManyPublicKeys = "TooManyPublicKeys"
+
+	// ErrCodeTooManyQueryStringParameters for service response error code
+	// "TooManyQueryStringParameters".
+	ErrCodeTooManyQueryStringParameters = "TooManyQueryStringParameters"
+
+	// ErrCodeTooManyStreamingDistributionCNAMEs for service response error code
+	// "TooManyStreamingDistributionCNAMEs".
+	ErrCodeTooManyStreamingDistributionCNAMEs = "TooManyStreamingDistributionCNAMEs"
+
+	// ErrCodeTooManyStreamingDistributions for service response error code
+	// "TooManyStreamingDistributions".
+	//
+	// Processing your request would cause you to exceed the maximum number of streaming
+	// distributions allowed.
+	ErrCodeTooManyStreamingDistributions = "TooManyStreamingDistributions"
+
+	// ErrCodeTooManyTrustedSigners for service response error code
+	// "TooManyTrustedSigners".
+	//
+	// Your request contains more trusted signers than are allowed per distribution.
+	ErrCodeTooManyTrustedSigners = "TooManyTrustedSigners"
+
+	// ErrCodeTrustedSignerDoesNotExist for service response error code
+	// "TrustedSignerDoesNotExist".
+	//
+	// One or more of your trusted signers don't exist.
+	ErrCodeTrustedSignerDoesNotExist = "TrustedSignerDoesNotExist"
+)

vendor/github.com/aws/aws-sdk-go/service/cloudfront/service.go

@@ -0,0 +1,93 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package cloudfront
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/client"
+	"github.com/aws/aws-sdk-go/aws/client/metadata"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/aws/signer/v4"
+	"github.com/aws/aws-sdk-go/private/protocol/restxml"
+)
+
+// CloudFront provides the API operation methods for making requests to
+// Amazon CloudFront. See this package's package overview docs
+// for details on the service.
+//
+// CloudFront methods are safe to use concurrently. It is not safe to
+// modify mutate any of the struct's properties though.
+type CloudFront struct {
+	*client.Client
+}
+
+// Used for custom client initialization logic
+var initClient func(*client.Client)
+
+// Used for custom request initialization logic
+var initRequest func(*request.Request)
+
+// Service information constants
+const (
+	ServiceName = "cloudfront" // Service endpoint prefix API calls made to.
+	EndpointsID = ServiceName  // Service ID for Regions and Endpoints metadata.
+)
+
+// New creates a new instance of the CloudFront client with a session.
+// If additional configuration is needed for the client instance use the optional
+// aws.Config parameter to add your extra config.
+//
+// Example:
+//     // Create a CloudFront client from just a session.
+//     svc := cloudfront.New(mySession)
+//
+//     // Create a CloudFront client with additional configuration
+//     svc := cloudfront.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
+func New(p client.ConfigProvider, cfgs ...*aws.Config) *CloudFront {
+	c := p.ClientConfig(EndpointsID, cfgs...)
+	return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion, c.SigningName)
+}
+
+// newClient creates, initializes and returns a new service client instance.
+func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion, signingName string) *CloudFront {
+	svc := &CloudFront{
+		Client: client.New(
+			cfg,
+			metadata.ClientInfo{
+				ServiceName:   ServiceName,
+				SigningName:   signingName,
+				SigningRegion: signingRegion,
+				Endpoint:      endpoint,
+				APIVersion:    "2017-10-30",
+			},
+			handlers,
+		),
+	}
+
+	// Handlers
+	svc.Handlers.Sign.PushBackNamed(v4.SignRequestHandler)
+	svc.Handlers.Build.PushBackNamed(restxml.BuildHandler)
+	svc.Handlers.Unmarshal.PushBackNamed(restxml.UnmarshalHandler)
+	svc.Handlers.UnmarshalMeta.PushBackNamed(restxml.UnmarshalMetaHandler)
+	svc.Handlers.UnmarshalError.PushBackNamed(restxml.UnmarshalErrorHandler)
+
+	// Run custom client initialization if present
+	if initClient != nil {
+		initClient(svc.Client)
+	}
+
+	return svc
+}
+
+// newRequest creates a new request for a CloudFront operation and runs any
+// custom request initialization.
+func (c *CloudFront) newRequest(op *request.Operation, params, data interface{}) *request.Request {
+	req := c.NewRequest(op, params, data)
+
+	// Run custom request initialization if present
+	if initRequest != nil {
+		initRequest(req)
+	}
+
+	return req
+}

vendor/github.com/aws/aws-sdk-go/service/cloudfront/sign/policy.go

@@ -0,0 +1,226 @@
+package sign
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha1"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/url"
+	"strings"
+	"time"
+	"unicode"
+)
+
+// An AWSEpochTime wraps a time value providing JSON serialization needed for
+// AWS Policy epoch time fields.
+type AWSEpochTime struct {
+	time.Time
+}
+
+// NewAWSEpochTime returns a new AWSEpochTime pointer wrapping the Go time provided.
+func NewAWSEpochTime(t time.Time) *AWSEpochTime {
+	return &AWSEpochTime{t}
+}
+
+// MarshalJSON serializes the epoch time as AWS Profile epoch time.
+func (t AWSEpochTime) MarshalJSON() ([]byte, error) {
+	return []byte(fmt.Sprintf(`{"AWS:EpochTime":%d}`, t.UTC().Unix())), nil
+}
+
+// An IPAddress wraps an IPAddress source IP providing JSON serialization information
+type IPAddress struct {
+	SourceIP string `json:"AWS:SourceIp"`
+}
+
+// A Condition defines the restrictions for how a signed URL can be used.
+type Condition struct {
+	// Optional IP address mask the signed URL must be requested from.
+	IPAddress *IPAddress `json:"IpAddress,omitempty"`
+
+	// Optional date that the signed URL cannot be used until. It is invalid
+	// to make requests with the signed URL prior to this date.
+	DateGreaterThan *AWSEpochTime `json:",omitempty"`
+
+	// Required date that the signed URL will expire. A DateLessThan is required
+	// sign cloud front URLs
+	DateLessThan *AWSEpochTime `json:",omitempty"`
+}
+
+// A Statement is a collection of conditions for resources
+type Statement struct {
+	// The Web or RTMP resource the URL will be signed for
+	Resource string
+
+	// The set of conditions for this resource
+	Condition Condition
+}
+
+// A Policy defines the resources that a signed will be signed for.
+//
+// See the following page for more information on how policies are constructed.
+// http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html#private-content-custom-policy-statement
+type Policy struct {
+	// List of resource and condition statements.
+	// Signed URLs should only provide a single statement.
+	Statements []Statement `json:"Statement"`
+}
+
+// Override for testing to mock out usage of crypto/rand.Reader
+var randReader = rand.Reader
+
+// Sign will sign a policy using an RSA private key. It will return a base 64
+// encoded signature and policy if no error is encountered.
+//
+// The signature and policy should be added to the signed URL following the
+// guidelines in:
+// http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
+func (p *Policy) Sign(privKey *rsa.PrivateKey) (b64Signature, b64Policy []byte, err error) {
+	if err = p.Validate(); err != nil {
+		return nil, nil, err
+	}
+
+	// Build and escape the policy
+	b64Policy, jsonPolicy, err := encodePolicy(p)
+	if err != nil {
+		return nil, nil, err
+	}
+	awsEscapeEncoded(b64Policy)
+
+	// Build and escape the signature
+	b64Signature, err = signEncodedPolicy(randReader, jsonPolicy, privKey)
+	if err != nil {
+		return nil, nil, err
+	}
+	awsEscapeEncoded(b64Signature)
+
+	return b64Signature, b64Policy, nil
+}
+
+// Validate verifies that the policy is valid and usable, and returns an
+// error if there is a problem.
+func (p *Policy) Validate() error {
+	if len(p.Statements) == 0 {
+		return fmt.Errorf("at least one policy statement is required")
+	}
+	for i, s := range p.Statements {
+		if s.Resource == "" {
+			return fmt.Errorf("statement at index %d does not have a resource", i)
+		}
+		if !isASCII(s.Resource) {
+			return fmt.Errorf("unable to sign resource, [%s]. "+
+				"Resources must only contain ascii characters. "+
+				"Hostnames with unicode should be encoded as Punycode, (e.g. golang.org/x/net/idna), "+
+				"and URL unicode path/query characters should be escaped.", s.Resource)
+		}
+	}
+
+	return nil
+}
+
+// CreateResource constructs, validates, and returns a resource URL string. An
+// error will be returned if unable to create the resource string.
+func CreateResource(scheme, u string) (string, error) {
+	scheme = strings.ToLower(scheme)
+
+	if scheme == "http" || scheme == "https" || scheme == "http*" || scheme == "*" {
+		return u, nil
+	}
+
+	if scheme == "rtmp" {
+		parsed, err := url.Parse(u)
+		if err != nil {
+			return "", fmt.Errorf("unable to parse rtmp URL, err: %s", err)
+		}
+
+		rtmpURL := strings.TrimLeft(parsed.Path, "/")
+		if parsed.RawQuery != "" {
+			rtmpURL = fmt.Sprintf("%s?%s", rtmpURL, parsed.RawQuery)
+		}
+
+		return rtmpURL, nil
+	}
+
+	return "", fmt.Errorf("invalid URL scheme must be http, https, or rtmp. Provided: %s", scheme)
+}
+
+// NewCannedPolicy returns a new Canned Policy constructed using the resource
+// and expires time. This can be used to generate the basic model for a Policy
+// that can be then augmented with additional conditions.
+//
+// See the following page for more information on how policies are constructed.
+// http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html#private-content-custom-policy-statement
+func NewCannedPolicy(resource string, expires time.Time) *Policy {
+	return &Policy{
+		Statements: []Statement{
+			{
+				Resource: resource,
+				Condition: Condition{
+					DateLessThan: NewAWSEpochTime(expires),
+				},
+			},
+		},
+	}
+}
+
+// encodePolicy encodes the Policy as JSON and also base 64 encodes it.
+func encodePolicy(p *Policy) (b64Policy, jsonPolicy []byte, err error) {
+	jsonPolicy, err = json.Marshal(p)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to encode policy, %s", err.Error())
+	}
+
+	// Remove leading and trailing white space, JSON encoding will note include
+	// whitespace within the encoding.
+	jsonPolicy = bytes.TrimSpace(jsonPolicy)
+
+	b64Policy = make([]byte, base64.StdEncoding.EncodedLen(len(jsonPolicy)))
+	base64.StdEncoding.Encode(b64Policy, jsonPolicy)
+	return b64Policy, jsonPolicy, nil
+}
+
+// signEncodedPolicy will sign and base 64 encode the JSON encoded policy.
+func signEncodedPolicy(randReader io.Reader, jsonPolicy []byte, privKey *rsa.PrivateKey) ([]byte, error) {
+	hash := sha1.New()
+	if _, err := bytes.NewReader(jsonPolicy).WriteTo(hash); err != nil {
+		return nil, fmt.Errorf("failed to calculate signing hash, %s", err.Error())
+	}
+
+	sig, err := rsa.SignPKCS1v15(randReader, privKey, crypto.SHA1, hash.Sum(nil))
+	if err != nil {
+		return nil, fmt.Errorf("failed to sign policy, %s", err.Error())
+	}
+
+	b64Sig := make([]byte, base64.StdEncoding.EncodedLen(len(sig)))
+	base64.StdEncoding.Encode(b64Sig, sig)
+	return b64Sig, nil
+}
+
+// special characters to be replaced with awsEscapeEncoded
+var invalidEncodedChar = map[byte]byte{
+	'+': '-',
+	'=': '_',
+	'/': '~',
+}
+
+// awsEscapeEncoded will replace base64 encoding's special characters to be URL safe.
+func awsEscapeEncoded(b []byte) {
+	for i, v := range b {
+		if r, ok := invalidEncodedChar[v]; ok {
+			b[i] = r
+		}
+	}
+}
+
+func isASCII(u string) bool {
+	for _, c := range u {
+		if c > unicode.MaxASCII {
+			return false
+		}
+	}
+	return true
+}

vendor/github.com/aws/aws-sdk-go/service/cloudfront/sign/policy_test.go

@@ -0,0 +1,139 @@
+package sign
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/rsa"
+	"crypto/sha1"
+	"encoding/base64"
+	"fmt"
+	"math/rand"
+	"strings"
+	"testing"
+	"time"
+)
+
+func TestEpochTimeMarshal(t *testing.T) {
+	v := AWSEpochTime{time.Now()}
+	b, err := v.MarshalJSON()
+	if err != nil {
+		t.Fatalf("Unexpected error, %#v", err)
+	}
+
+	expected := fmt.Sprintf(`{"AWS:EpochTime":%d}`, v.UTC().Unix())
+	if string(b) != expected {
+		t.Errorf("Expected marshaled time to match, expect: %s, actual: %s",
+			expected, string(b))
+	}
+}
+
+var testCreateResource = []struct {
+	scheme, u string
+	expect    string
+	errPrefix string
+}{
+	{
+		"https", "https://example.com/a?b=1",
+		"https://example.com/a?b=1", "",
+	},
+	{
+		"http", "http*://example.com/a?b=1",
+		"http*://example.com/a?b=1", "",
+	},
+	{
+		"rtmp", "https://example.com/a?b=1",
+		"a?b=1", "",
+	},
+	{
+		"ftp", "ftp://example.com/a?b=1",
+		"", "invalid URL scheme",
+	},
+}
+
+func TestCreateResource(t *testing.T) {
+	for i, v := range testCreateResource {
+		r, err := CreateResource(v.scheme, v.u)
+		if err != nil {
+			if v.errPrefix == "" {
+				t.Errorf("%d, Unexpected error %s", i, err.Error())
+				continue
+			}
+			if !strings.HasPrefix(err.Error(), v.errPrefix) {
+				t.Errorf("%d, Expected to find prefix\nexpect: %s\nactual: %s", i, v.errPrefix, err.Error())
+				continue
+			}
+		} else if v.errPrefix != "" {
+			t.Errorf("%d, Expected error %s", i, v.errPrefix)
+			continue
+		}
+
+		if v.expect != r {
+			t.Errorf("%d, Expected to find prefix\nexpect: %s\nactual: %s", i, v.expect, r)
+		}
+	}
+}
+
+var testTime = time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
+
+const expectedJSONPolicy = `{"Statement":[{"Resource":"https://example.com/a","Condition":{"DateLessThan":{"AWS:EpochTime":1257894000}}}]}`
+const expectedB64Policy = `eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9hIiwiQ29uZGl0aW9uIjp7IkRhdGVMZXNzVGhhbiI6eyJBV1M6RXBvY2hUaW1lIjoxMjU3ODk0MDAwfX19XX0=`
+
+func TestEncodePolicy(t *testing.T) {
+	p := NewCannedPolicy("https://example.com/a", testTime)
+
+	b64Policy, jsonPolicy, err := encodePolicy(p)
+	if err != nil {
+		t.Fatalf("Unexpected error, %#v", err)
+	}
+
+	if string(jsonPolicy) != expectedJSONPolicy {
+		t.Errorf("Expected json encoding to match, \nexpect: %s\nactual: %s\n", expectedJSONPolicy, jsonPolicy)
+	}
+
+	if string(b64Policy) != expectedB64Policy {
+		t.Errorf("Expected b64 encoding to match, \nexpect: %s\nactual: %s\n", expectedB64Policy, b64Policy)
+	}
+}
+
+func TestSignEncodedPolicy(t *testing.T) {
+	p := NewCannedPolicy("https://example.com/a", testTime)
+	_, jsonPolicy, err := encodePolicy(p)
+	if err != nil {
+		t.Fatalf("Unexpected policy encode error, %#v", err)
+	}
+
+	r := newRandomReader(rand.New(rand.NewSource(1)))
+
+	privKey, err := rsa.GenerateKey(r, 1024)
+	if err != nil {
+		t.Fatalf("Unexpected priv key error, %#v", err)
+	}
+
+	b64Signature, err := signEncodedPolicy(r, jsonPolicy, privKey)
+	if err != nil {
+		t.Fatalf("Unexpected policy sign error, %#v", err)
+	}
+
+	hash := sha1.New()
+	if _, err = bytes.NewReader(jsonPolicy).WriteTo(hash); err != nil {
+		t.Fatalf("Unexpected hash error, %#v", err)
+	}
+
+	decodedSig, err := base64.StdEncoding.DecodeString(string(b64Signature))
+	if err != nil {
+		t.Fatalf("Unexpected base64 decode signature, %#v", err)
+	}
+
+	if err := rsa.VerifyPKCS1v15(&privKey.PublicKey, crypto.SHA1, hash.Sum(nil), decodedSig); err != nil {
+		t.Fatalf("Unable to verify signature, %#v", err)
+	}
+}
+
+func TestAWSEscape(t *testing.T) {
+	expect := "a-b_c~"
+	actual := []byte("a+b=c/")
+	awsEscapeEncoded(actual)
+	if string(actual) != expect {
+		t.Errorf("expect: %s, actual: %s", expect, string(actual))
+	}
+}

vendor/github.com/aws/aws-sdk-go/service/cloudfront/sign/privkey.go

@@ -0,0 +1,68 @@
+package sign
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+)
+
+// LoadPEMPrivKeyFile reads a PEM encoded RSA private key from the file name.
+// A new RSA private key will be returned if no error.
+func LoadPEMPrivKeyFile(name string) (*rsa.PrivateKey, error) {
+	file, err := os.Open(name)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	return LoadPEMPrivKey(file)
+}
+
+// LoadPEMPrivKey reads a PEM encoded RSA private key from the io.Reader.
+// A new RSA private key will be returned if no error.
+func LoadPEMPrivKey(reader io.Reader) (*rsa.PrivateKey, error) {
+	block, err := loadPem(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	return x509.ParsePKCS1PrivateKey(block.Bytes)
+}
+
+// LoadEncryptedPEMPrivKey decrypts the PEM encoded private key using the
+// password provided returning a RSA private key. If the PEM data is invalid,
+// or unable to decrypt an error will be returned.
+func LoadEncryptedPEMPrivKey(reader io.Reader, password []byte) (*rsa.PrivateKey, error) {
+	block, err := loadPem(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	decryptedBlock, err := x509.DecryptPEMBlock(block, password)
+	if err != nil {
+		return nil, err
+	}
+
+	return x509.ParsePKCS1PrivateKey(decryptedBlock)
+}
+
+func loadPem(reader io.Reader) (*pem.Block, error) {
+	b, err := ioutil.ReadAll(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	block, _ := pem.Decode(b)
+	if block == nil {
+		// pem.Decode will set block to nil if there is no PEM data in the input
+		// the second parameter will contain the provided bytes that failed
+		// to be decoded.
+		return nil, fmt.Errorf("no valid PEM data provided")
+	}
+
+	return block, nil
+}

vendor/github.com/aws/aws-sdk-go/service/cloudfront/sign/privkey_test.go

@@ -0,0 +1,90 @@
+package sign
+
+import (
+	"bytes"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"io"
+	"math/rand"
+	"strings"
+	"testing"
+)
+
+func generatePEM(randReader io.Reader, password []byte) (buf *bytes.Buffer, err error) {
+	k, err := rsa.GenerateKey(randReader, 1024)
+	if err != nil {
+		return nil, err
+	}
+
+	derBytes := x509.MarshalPKCS1PrivateKey(k)
+
+	var block *pem.Block
+	if password != nil {
+		block, err = x509.EncryptPEMBlock(randReader, "RSA PRIVATE KEY", derBytes, password, x509.PEMCipherAES128)
+	} else {
+		block = &pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: derBytes,
+		}
+	}
+
+	buf = &bytes.Buffer{}
+	err = pem.Encode(buf, block)
+	return buf, err
+}
+
+func TestLoadPemPrivKey(t *testing.T) {
+	reader, err := generatePEM(newRandomReader(rand.New(rand.NewSource(1))), nil)
+	if err != nil {
+		t.Errorf("Unexpected pem generation err %s", err.Error())
+	}
+
+	privKey, err := LoadPEMPrivKey(reader)
+	if err != nil {
+		t.Errorf("Unexpected key load error, %s", err.Error())
+	}
+	if privKey == nil {
+		t.Errorf("Expected valid privKey, but got nil")
+	}
+}
+
+func TestLoadPemPrivKeyInvalidPEM(t *testing.T) {
+	reader := strings.NewReader("invalid PEM data")
+	privKey, err := LoadPEMPrivKey(reader)
+
+	if err == nil {
+		t.Errorf("Expected error invalid PEM data error")
+	}
+	if privKey != nil {
+		t.Errorf("Expected nil privKey but got %#v", privKey)
+	}
+}
+
+func TestLoadEncryptedPEMPrivKey(t *testing.T) {
+	reader, err := generatePEM(newRandomReader(rand.New(rand.NewSource(1))), []byte("password"))
+	if err != nil {
+		t.Errorf("Unexpected pem generation err %s", err.Error())
+	}
+
+	privKey, err := LoadEncryptedPEMPrivKey(reader, []byte("password"))
+
+	if err != nil {
+		t.Errorf("Unexpected key load error, %s", err.Error())
+	}
+	if privKey == nil {
+		t.Errorf("Expected valid privKey, but got nil")
+	}
+}
+
+func TestLoadEncryptedPEMPrivKeyWrongPassword(t *testing.T) {
+	reader, err := generatePEM(newRandomReader(rand.New(rand.NewSource(1))), []byte("password"))
+	privKey, err := LoadEncryptedPEMPrivKey(reader, []byte("wrong password"))
+
+	if err == nil {
+		t.Errorf("Expected error invalid PEM data error")
+	}
+	if privKey != nil {
+		t.Errorf("Expected nil privKey but got %#v", privKey)
+	}
+}

vendor/github.com/aws/aws-sdk-go/service/cloudfront/sign/randomreader.go

@@ -0,0 +1,30 @@
+package sign
+
+import (
+	"bytes"
+	"encoding/binary"
+	"math/rand"
+)
+
+// A randomReader wraps a math/rand.Rand within an reader so that it can used
+// as a predictable testing replacement for crypto/rand.Reader
+type randomReader struct {
+	b *bytes.Buffer
+	r *rand.Rand
+}
+
+// newRandomReader returns a new instance of the random reader
+func newRandomReader(r *rand.Rand) *randomReader {
+	return &randomReader{b: &bytes.Buffer{}, r: r}
+}
+
+// Read will read random bytes from up to the length of b.
+func (m *randomReader) Read(b []byte) (int, error) {
+	for i := 0; i < len(b); {
+		binary.Write(m.b, binary.LittleEndian, m.r.Int63())
+		n, _ := m.b.Read(b[i:])
+		i += n
+	}
+
+	return len(b), nil
+}

vendor/github.com/aws/aws-sdk-go/service/cloudfront/sign/sign_cookie.go

@@ -0,0 +1,241 @@
+package sign
+
+import (
+	"crypto/rsa"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+)
+
+const (
+	// CookiePolicyName name of the policy cookie
+	CookiePolicyName = "CloudFront-Policy"
+	// CookieSignatureName name of the signature cookie
+	CookieSignatureName = "CloudFront-Signature"
+	// CookieKeyIDName name of the signing Key ID cookie
+	CookieKeyIDName = "CloudFront-Key-Pair-Id"
+)
+
+// A CookieOptions optional additional options that can be applied to the signed
+// cookies.
+type CookieOptions struct {
+	Path   string
+	Domain string
+	Secure bool
+}
+
+// apply will integration the options provided into the base cookie options
+// a new copy will be returned. The base CookieOption will not be modified.
+func (o CookieOptions) apply(opts ...func(*CookieOptions)) CookieOptions {
+	if len(opts) == 0 {
+		return o
+	}
+
+	for _, opt := range opts {
+		opt(&o)
+	}
+
+	return o
+}
+
+// A CookieSigner provides signing utilities to sign Cookies for Amazon CloudFront
+// resources. Using a private key and Credential Key Pair key ID the CookieSigner
+// only needs to be created once per Credential Key Pair key ID and private key.
+//
+// More information about signed Cookies and their structure can be found at:
+// http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.html
+//
+// To sign a Cookie, create a CookieSigner with your private key and credential
+// pair key ID. Once you have a CookieSigner instance you can call Sign or
+// SignWithPolicy to sign the URLs.
+//
+// The signer is safe to use concurrently, but the optional cookies options
+// are not safe to modify concurrently.
+type CookieSigner struct {
+	keyID   string
+	privKey *rsa.PrivateKey
+
+	Opts CookieOptions
+}
+
+// NewCookieSigner constructs and returns a new CookieSigner to be used to for
+// signing Amazon CloudFront URL resources with.
+func NewCookieSigner(keyID string, privKey *rsa.PrivateKey, opts ...func(*CookieOptions)) *CookieSigner {
+	signer := &CookieSigner{
+		keyID:   keyID,
+		privKey: privKey,
+		Opts:    CookieOptions{}.apply(opts...),
+	}
+
+	return signer
+}
+
+// Sign returns the cookies needed to allow user agents to make arbetrary
+// requests to cloudfront for the resource(s) defined by the policy.
+//
+// Sign will create a CloudFront policy with only a resource and condition of
+// DateLessThan equal to the expires time provided.
+//
+// The returned slice cookies should all be added to the Client's cookies or
+// server's response.
+//
+// Example:
+//    s := sign.NewCookieSigner(keyID, privKey)
+//
+//    // Get Signed cookies for a resource that will expire in 1 hour
+//    cookies, err := s.Sign("*", time.Now().Add(1 * time.Hour))
+//    if err != nil {
+//        fmt.Println("failed to create signed cookies", err)
+//        return
+//    }
+//
+//    // Or get Signed cookies for a resource that will expire in 1 hour
+//    // and set path and domain of cookies
+//    cookies, err := s.Sign("*", time.Now().Add(1 * time.Hour), func(o *sign.CookieOptions) {
+//        o.Path = "/"
+//        o.Domain = ".example.com"
+//    })
+//    if err != nil {
+//        fmt.Println("failed to create signed cookies", err)
+//        return
+//    }
+//
+//    // Server Response via http.ResponseWriter
+//    for _, c := range cookies {
+//        http.SetCookie(w, c)
+//    }
+//
+//    // Client request via the cookie jar
+//    if client.CookieJar != nil {
+//        for _, c := range cookies {
+//           client.Cookie(w, c)
+//        }
+//    }
+func (s CookieSigner) Sign(u string, expires time.Time, opts ...func(*CookieOptions)) ([]*http.Cookie, error) {
+	scheme, err := cookieURLScheme(u)
+	if err != nil {
+		return nil, err
+	}
+
+	resource, err := CreateResource(scheme, u)
+	if err != nil {
+		return nil, err
+	}
+
+	p := NewCannedPolicy(resource, expires)
+	return createCookies(p, s.keyID, s.privKey, s.Opts.apply(opts...))
+}
+
+// Returns and validates the URL's scheme.
+// http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.html#private-content-custom-policy-statement-cookies
+func cookieURLScheme(u string) (string, error) {
+	parts := strings.SplitN(u, "://", 2)
+	if len(parts) != 2 {
+		return "", fmt.Errorf("invalid cookie URL, missing scheme")
+	}
+
+	scheme := strings.ToLower(parts[0])
+	if scheme != "http" && scheme != "https" && scheme != "http*" {
+		return "", fmt.Errorf("invalid cookie URL scheme. Expect http, https, or http*. Go, %s", scheme)
+	}
+
+	return scheme, nil
+}
+
+// SignWithPolicy returns the cookies needed to allow user agents to make
+// arbetrairy requets to cloudfront for the resource(s) defined by the policy.
+//
+// The returned slice cookies should all be added to the Client's cookies or
+// server's response.
+//
+// Example:
+//    s := sign.NewCookieSigner(keyID, privKey)
+//
+//    policy := &sign.Policy{
+//        Statements: []sign.Statement{
+//            {
+//                // Read the provided documentation on how to set this
+//                // correctly, you'll probably want to use wildcards.
+//                Resource: rawCloudFrontURL,
+//                Condition: sign.Condition{
+//                    // Optional IP source address range
+//                    IPAddress: &sign.IPAddress{SourceIP: "192.0.2.0/24"},
+//                    // Optional date URL is not valid until
+//                    DateGreaterThan: &sign.AWSEpochTime{time.Now().Add(30 * time.Minute)},
+//                    // Required date the URL will expire after
+//                    DateLessThan: &sign.AWSEpochTime{time.Now().Add(1 * time.Hour)},
+//                },
+//            },
+//        },
+//    }
+//
+//    // Get Signed cookies for a resource that will expire in 1 hour
+//    cookies, err := s.SignWithPolicy(policy)
+//    if err != nil {
+//        fmt.Println("failed to create signed cookies", err)
+//        return
+//    }
+//
+//    // Or get Signed cookies for a resource that will expire in 1 hour
+//    // and set path and domain of cookies
+//    cookies, err := s.Sign(policy, func(o *sign.CookieOptions) {
+//        o.Path = "/"
+//        o.Domain = ".example.com"
+//    })
+//    if err != nil {
+//        fmt.Println("failed to create signed cookies", err)
+//        return
+//    }
+//
+//    // Server Response via http.ResponseWriter
+//    for _, c := range cookies {
+//        http.SetCookie(w, c)
+//    }
+//
+//    // Client request via the cookie jar
+//    if client.CookieJar != nil {
+//        for _, c := range cookies {
+//           client.Cookie(w, c)
+//        }
+//    }
+func (s CookieSigner) SignWithPolicy(p *Policy, opts ...func(*CookieOptions)) ([]*http.Cookie, error) {
+	return createCookies(p, s.keyID, s.privKey, s.Opts.apply(opts...))
+}
+
+// Prepares the cookies to be attached to the header. An (optional) options
+// struct is provided in case people don't want to manually edit their cookies.
+func createCookies(p *Policy, keyID string, privKey *rsa.PrivateKey, opt CookieOptions) ([]*http.Cookie, error) {
+	b64Sig, b64Policy, err := p.Sign(privKey)
+	if err != nil {
+		return nil, err
+	}
+
+	// Creates proper cookies
+	cPolicy := &http.Cookie{
+		Name:     CookiePolicyName,
+		Value:    string(b64Policy),
+		HttpOnly: true,
+	}
+	cSignature := &http.Cookie{
+		Name:     CookieSignatureName,
+		Value:    string(b64Sig),
+		HttpOnly: true,
+	}
+	cKey := &http.Cookie{
+		Name:     CookieKeyIDName,
+		Value:    keyID,
+		HttpOnly: true,
+	}
+
+	cookies := []*http.Cookie{cPolicy, cSignature, cKey}
+
+	// Applie the cookie options
+	for _, c := range cookies {
+		c.Path = opt.Path
+		c.Domain = opt.Domain
+		c.Secure = opt.Secure
+	}
+
+	return cookies, nil
+}

vendor/github.com/aws/aws-sdk-go/service/cloudfront/sign/sign_cookie_example_test.go

@@ -0,0 +1,163 @@
+package sign
+
+import (
+	"fmt"
+	"io"
+	"math/rand"
+	"net/http"
+	"time"
+)
+
+func examplePEMReader() io.Reader {
+	reader, err := generatePEM(randReader, nil)
+	if err != nil {
+		panic(fmt.Sprintf("Unexpected pem generation err %v", err))
+	}
+
+	return reader
+}
+
+func ExampleCookieSigner_Sign() {
+	origRandReader := randReader
+	randReader = newRandomReader(rand.New(rand.NewSource(1)))
+	defer func() {
+		randReader = origRandReader
+	}()
+
+	// Load your private key so it can be used by the CookieSigner
+	// To load private key from file use `sign.LoadPEMPrivKeyFile`.
+	privKey, err := LoadPEMPrivKey(examplePEMReader())
+	if err != nil {
+		fmt.Println("failed to load private key", err)
+		return
+	}
+
+	cookieSigner := NewCookieSigner("keyID", privKey)
+
+	// Use the signer to sign the URL
+	cookies, err := cookieSigner.Sign("http://example.com/somepath/*", testSignTime.Add(30*time.Minute))
+	if err != nil {
+		fmt.Println("failed to sign cookies with policy,", err)
+		return
+	}
+
+	printExampleCookies(cookies)
+	// Output:
+	// Cookies:
+	// CloudFront-Policy: eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cDovL2V4YW1wbGUuY29tL3NvbWVwYXRoLyoiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjEyNTc4OTU4MDB9fX1dfQ__, , , false
+	// CloudFront-Signature: o~jvj~CFkvGZB~yYED3elicKZag-CRijy8yD2E5yF1s7VNV7kNeQWC7MDtEcBQ8-eh7Xgjh0wMPQdAVdh09gBObd-hXDpKUyh8YKxogj~oloV~8KOvqE5xzWiKcqjdfJjmT5iEqIui~H1ExYjyKjgir79npmlyYkaJS5s62EQa8_, , , false
+	// CloudFront-Key-Pair-Id: keyID, , , false
+}
+
+func ExampleCookieSigner_SignWithPolicy() {
+	origRandReader := randReader
+	randReader = newRandomReader(rand.New(rand.NewSource(1)))
+	defer func() {
+		randReader = origRandReader
+	}()
+
+	// Sign cookie to be valid for 30 minutes from now, expires one hour
+	// from now, and restricted to the 192.0.2.0/24 IP address range.
+	// http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.html
+	p := &Policy{
+		// Only a single policy statement can be used with CloudFront
+		// cookie signatures.
+		Statements: []Statement{{
+			// Read the provided documentation on how to set this correctly,
+			// you'll probably want to use wildcards
+			Resource: "http://sub.cloudfront.com",
+			Condition: Condition{
+				// Optional IP source address range
+				IPAddress: &IPAddress{SourceIP: "192.0.2.0/24"},
+				// Optional date URL is not valid until
+				DateGreaterThan: &AWSEpochTime{testSignTime.Add(30 * time.Minute)},
+				// Required date the URL will expire after
+				DateLessThan: &AWSEpochTime{testSignTime.Add(1 * time.Hour)},
+			},
+		},
+		},
+	}
+
+	// Load your private key so it can be used by the CookieSigner
+	// To load private key from file use `sign.LoadPEMPrivKeyFile`.
+	privKey, err := LoadPEMPrivKey(examplePEMReader())
+	if err != nil {
+		fmt.Println("failed to load private key", err)
+		return
+	}
+
+	// Key ID that represents the key pair associated with the private key
+	keyID := "privateKeyID"
+
+	// Set credentials to the CookieSigner.
+	cookieSigner := NewCookieSigner(keyID, privKey)
+
+	// Avoid adding an Expire or MaxAge. See provided AWS Documentation for
+	// more info.
+	cookies, err := cookieSigner.SignWithPolicy(p)
+	if err != nil {
+		fmt.Println("failed to sign cookies with policy,", err)
+		return
+	}
+
+	printExampleCookies(cookies)
+	// Output:
+	// Cookies:
+	// CloudFront-Policy: eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cDovL3N1Yi5jbG91ZGZyb250LmNvbSIsIkNvbmRpdGlvbiI6eyJJcEFkZHJlc3MiOnsiQVdTOlNvdXJjZUlwIjoiMTkyLjAuMi4wLzI0In0sIkRhdGVHcmVhdGVyVGhhbiI6eyJBV1M6RXBvY2hUaW1lIjoxMjU3ODk1ODAwfSwiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjEyNTc4OTc2MDB9fX1dfQ__, , , false
+	// CloudFront-Signature: JaWdcbr98colrDAhOpkyxqCZev2IAxURu1RKKo1wS~sI5XdNXWYbZJs2FdpbJ475ZvmhZ1-r4ENUqBXAlRfPfOc21Hm4~24jRmPTO3512D4uuJHrPVxSfgeGuFeigfCGWAqyfYYH1DsFl5JQDpzetsNI3ZhGRkQb8V-oYFanddg_, , , false
+	// CloudFront-Key-Pair-Id: privateKeyID, , , false
+}
+
+func ExampleCookieOptions() {
+	origRandReader := randReader
+	randReader = newRandomReader(rand.New(rand.NewSource(1)))
+	defer func() {
+		randReader = origRandReader
+	}()
+
+	// Load your private key so it can be used by the CookieSigner
+	// To load private key from file use `sign.LoadPEMPrivKeyFile`.
+	privKey, err := LoadPEMPrivKey(examplePEMReader())
+	if err != nil {
+		fmt.Println("failed to load private key", err)
+		return
+	}
+
+	// Create the CookieSigner with options set. These options can be set
+	// directly with cookieSigner.Opts. These values can be overridden on
+	// individual Sign and SignWithProfile calls.
+	cookieSigner := NewCookieSigner("keyID", privKey, func(o *CookieOptions) {
+		//provide an optional struct fields to specify other options
+		o.Path = "/"
+
+		// http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html
+		o.Domain = ".cNameAssociatedWithMyDistribution.com"
+
+		// Make sure your app/site can handle https payloads, otherwise
+		// set this to false.
+		o.Secure = true
+	})
+
+	// Use the signer to sign the URL
+	cookies, err := cookieSigner.Sign("http*://*", testSignTime.Add(30*time.Minute), func(o *CookieOptions) {
+		o.Path = "/mypath/"
+	})
+	if err != nil {
+		fmt.Println("failed to sign cookies with policy,", err)
+		return
+	}
+
+	printExampleCookies(cookies)
+	// Output:
+	// Cookies:
+	// CloudFront-Policy: eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cCo6Ly8qIiwiQ29uZGl0aW9uIjp7IkRhdGVMZXNzVGhhbiI6eyJBV1M6RXBvY2hUaW1lIjoxMjU3ODk1ODAwfX19XX0_, /mypath/, .cNameAssociatedWithMyDistribution.com, true
+	// CloudFront-Signature: Yco06vgowwvSYgTSY9XbXpBcTlUlqpyyYXgRhus3nfnC74A7oQ~fMBH0we-rGxvph8ZyHnTxC5ubbPKSzo3EHUm2IcQeEo4p6WCgZZMzCuLlkpeMKhMAkCqX7rmUfkXhTslBHe~ylcmaZqo-hdnOiWrXk2U974ZQbbt5cOjwQG0_, /mypath/, .cNameAssociatedWithMyDistribution.com, true
+	// CloudFront-Key-Pair-Id: keyID, /mypath/, .cNameAssociatedWithMyDistribution.com, true
+}
+
+func printExampleCookies(cookies []*http.Cookie) {
+	fmt.Println("Cookies:")
+	for _, c := range cookies {
+		fmt.Printf("%s: %s, %s, %s, %t\n", c.Name, c.Value, c.Path, c.Domain, c.Secure)
+	}
+}

vendor/github.com/aws/aws-sdk-go/service/cloudfront/sign/sign_cookie_test.go

@@ -0,0 +1,121 @@
+package sign
+
+import (
+	"crypto/rsa"
+	"testing"
+	"time"
+)
+
+func TestNewCookieSigner(t *testing.T) {
+	privKey, err := rsa.GenerateKey(randReader, 1024)
+	if err != nil {
+		t.Fatalf("Unexpected priv key error, %#v", err)
+	}
+
+	signer := NewCookieSigner("keyID", privKey)
+	if e, a := "keyID", signer.keyID; e != a {
+		t.Errorf("expect %v, got %v", e, a)
+	}
+	if e, a := privKey, signer.privKey; e != a {
+		t.Errorf("expect %v, got %v", e, a)
+	}
+}
+
+func TestSignCookie(t *testing.T) {
+	privKey, err := rsa.GenerateKey(randReader, 1024)
+	if err != nil {
+		t.Errorf("expect no error, got %v", err)
+	}
+
+	signer := NewCookieSigner("keyID", privKey)
+	cookies, err := signer.Sign("http*://*", time.Now().Add(1*time.Hour))
+
+	if err != nil {
+		t.Errorf("expect no error, got %v", err)
+	}
+	if e, a := CookiePolicyName, cookies[0].Name; e != a {
+		t.Errorf("expect %v, got %v", e, a)
+	}
+	if e, a := CookieSignatureName, cookies[1].Name; e != a {
+		t.Errorf("expect %v, got %v", e, a)
+	}
+	if e, a := CookieKeyIDName, cookies[2].Name; e != a {
+		t.Errorf("expect %v, got %v", e, a)
+	}
+}
+
+func TestSignCookie_WithPolicy(t *testing.T) {
+	privKey, err := rsa.GenerateKey(randReader, 1024)
+	if err != nil {
+		t.Errorf("expect no error, got %v", err)
+	}
+
+	p := &Policy{
+		Statements: []Statement{
+			{
+				Resource: "*",
+				Condition: Condition{
+					DateLessThan: &AWSEpochTime{time.Now().Add(1 * time.Hour)},
+				},
+			},
+		},
+	}
+
+	signer := NewCookieSigner("keyID", privKey)
+	cookies, err := signer.SignWithPolicy(p)
+
+	if err != nil {
+		t.Errorf("expect no error, got %v", err)
+	}
+	if e, a := CookiePolicyName, cookies[0].Name; e != a {
+		t.Errorf("expect %v, got %v", e, a)
+	}
+	if e, a := CookieSignatureName, cookies[1].Name; e != a {
+		t.Errorf("expect %v, got %v", e, a)
+	}
+	if e, a := CookieKeyIDName, cookies[2].Name; e != a {
+		t.Errorf("expect %v, got %v", e, a)
+	}
+}
+
+func TestSignCookie_WithCookieOptions(t *testing.T) {
+	privKey, err := rsa.GenerateKey(randReader, 1024)
+	if err != nil {
+		t.Errorf("expect no error, got %v", err)
+	}
+
+	expires := time.Now().Add(1 * time.Hour)
+
+	signer := NewCookieSigner("keyID", privKey)
+	cookies, err := signer.Sign("https://example.com/*", expires, func(o *CookieOptions) {
+		o.Path = "/"
+		o.Domain = ".example.com"
+		o.Secure = true
+
+	})
+
+	if err != nil {
+		t.Errorf("expect no error, got %v", err)
+	}
+	if e, a := CookiePolicyName, cookies[0].Name; e != a {
+		t.Errorf("expect %v, got %v", e, a)
+	}
+	if e, a := CookieSignatureName, cookies[1].Name; e != a {
+		t.Errorf("expect %v, got %v", e, a)
+	}
+	if e, a := CookieKeyIDName, cookies[2].Name; e != a {
+		t.Errorf("expect %v, got %v", e, a)
+	}
+
+	for _, c := range cookies {
+		if e, a := "/", c.Path; e != a {
+			t.Errorf("expect %v, got %v", e, a)
+		}
+		if e, a := ".example.com", c.Domain; e != a {
+			t.Errorf("expect %v, got %v", e, a)
+		}
+		if !c.Secure {
+			t.Errorf("expect to be true")
+		}
+	}
+}

vendor/github.com/aws/aws-sdk-go/service/cloudfront/sign/sign_url.go

@@ -0,0 +1,205 @@
+// Package sign provides utilities to generate signed URLs for Amazon CloudFront.
+//
+// More information about signed URLs and their structure can be found at:
+// http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.html
+//
+// To sign a URL create a URLSigner with your private key and credential pair key ID.
+// Once you have a URLSigner instance you can call Sign or SignWithPolicy to
+// sign the URLs.
+//
+// Example:
+//
+//    // Sign URL to be valid for 1 hour from now.
+//    signer := sign.NewURLSigner(keyID, privKey)
+//    signedURL, err := signer.Sign(rawURL, time.Now().Add(1*time.Hour))
+//    if err != nil {
+//        log.Fatalf("Failed to sign url, err: %s\n", err.Error())
+//    }
+//
+package sign
+
+import (
+	"crypto/rsa"
+	"fmt"
+	"net/url"
+	"strings"
+	"time"
+)
+
+// An URLSigner provides URL signing utilities to sign URLs for Amazon CloudFront
+// resources. Using a private key and Credential Key Pair key ID the URLSigner
+// only needs to be created once per Credential Key Pair key ID and private key.
+//
+// The signer is safe to use concurrently.
+type URLSigner struct {
+	keyID   string
+	privKey *rsa.PrivateKey
+}
+
+// NewURLSigner constructs and returns a new URLSigner to be used to for signing
+// Amazon CloudFront URL resources with.
+func NewURLSigner(keyID string, privKey *rsa.PrivateKey) *URLSigner {
+	return &URLSigner{
+		keyID:   keyID,
+		privKey: privKey,
+	}
+}
+
+// Sign will sign a single URL to expire at the time of expires sign using the
+// Amazon CloudFront default Canned Policy. The URL will be signed with the
+// private key and Credential Key Pair Key ID previously provided to URLSigner.
+//
+// This is the default method of signing Amazon CloudFront URLs. If extra policy
+// conditions are need other than URL expiry use SignWithPolicy instead.
+//
+// Example:
+//
+//    // Sign URL to be valid for 1 hour from now.
+//    signer := sign.NewURLSigner(keyID, privKey)
+//    signedURL, err := signer.Sign(rawURL, time.Now().Add(1*time.Hour))
+//    if err != nil {
+//        log.Fatalf("Failed to sign url, err: %s\n", err.Error())
+//    }
+//
+func (s URLSigner) Sign(url string, expires time.Time) (string, error) {
+	scheme, cleanedURL, err := cleanURLScheme(url)
+	if err != nil {
+		return "", err
+	}
+
+	resource, err := CreateResource(scheme, url)
+	if err != nil {
+		return "", err
+	}
+
+	return signURL(scheme, cleanedURL, s.keyID, NewCannedPolicy(resource, expires), false, s.privKey)
+}
+
+// SignWithPolicy will sign a URL with the Policy provided.  The URL will be
+// signed with the private key and Credential Key Pair Key ID previously provided to URLSigner.
+//
+// Use this signing method if you are looking to sign a URL with more than just
+// the URL's expiry time, or reusing Policies between multiple URL signings.
+// If only the expiry time is needed you can use Sign and provide just the
+// URL's expiry time. A minimum of at least one policy statement is required for a signed URL.
+//
+// Note: It is not safe to use Polices between multiple signers concurrently
+//
+// Example:
+//
+//     // Sign URL to be valid for 30 minutes from now, expires one hour from now, and
+//     // restricted to the 192.0.2.0/24 IP address range.
+//     policy := &sign.Policy{
+//         Statements: []sign.Statement{
+//             {
+//                 Resource: rawURL,
+//                 Condition: sign.Condition{
+//                     // Optional IP source address range
+//                     IPAddress: &sign.IPAddress{SourceIP: "192.0.2.0/24"},
+//                     // Optional date URL is not valid until
+//                     DateGreaterThan: &sign.AWSEpochTime{time.Now().Add(30 * time.Minute)},
+//                     // Required date the URL will expire after
+//                     DateLessThan: &sign.AWSEpochTime{time.Now().Add(1 * time.Hour)},
+//                 },
+//             },
+//         },
+//     }
+//
+//     signer := sign.NewURLSigner(keyID, privKey)
+//     signedURL, err := signer.SignWithPolicy(rawURL, policy)
+//     if err != nil {
+//         log.Fatalf("Failed to sign url, err: %s\n", err.Error())
+//     }
+//
+func (s URLSigner) SignWithPolicy(url string, p *Policy) (string, error) {
+	scheme, cleanedURL, err := cleanURLScheme(url)
+	if err != nil {
+		return "", err
+	}
+
+	return signURL(scheme, cleanedURL, s.keyID, p, true, s.privKey)
+}
+
+func signURL(scheme, url, keyID string, p *Policy, customPolicy bool, privKey *rsa.PrivateKey) (string, error) {
+	// Validation URL elements
+	if err := validateURL(url); err != nil {
+		return "", err
+	}
+
+	b64Signature, b64Policy, err := p.Sign(privKey)
+	if err != nil {
+		return "", err
+	}
+
+	// build and return signed URL
+	builtURL := buildSignedURL(url, keyID, p, customPolicy, b64Policy, b64Signature)
+	if scheme == "rtmp" {
+		return buildRTMPURL(builtURL)
+	}
+
+	return builtURL, nil
+}
+
+func buildSignedURL(baseURL, keyID string, p *Policy, customPolicy bool, b64Policy, b64Signature []byte) string {
+	pred := "?"
+	if strings.Contains(baseURL, "?") {
+		pred = "&"
+	}
+	signedURL := baseURL + pred
+
+	if customPolicy {
+		signedURL += "Policy=" + string(b64Policy)
+	} else {
+		signedURL += fmt.Sprintf("Expires=%d", p.Statements[0].Condition.DateLessThan.UTC().Unix())
+	}
+	signedURL += fmt.Sprintf("&Signature=%s&Key-Pair-Id=%s", string(b64Signature), keyID)
+
+	return signedURL
+}
+
+func buildRTMPURL(u string) (string, error) {
+	parsed, err := url.Parse(u)
+	if err != nil {
+		return "", fmt.Errorf("unable to parse rtmp signed URL, err: %s", err)
+	}
+
+	rtmpURL := strings.TrimLeft(parsed.Path, "/")
+	if parsed.RawQuery != "" {
+		rtmpURL = fmt.Sprintf("%s?%s", rtmpURL, parsed.RawQuery)
+	}
+
+	return rtmpURL, nil
+}
+
+func cleanURLScheme(u string) (scheme, cleanedURL string, err error) {
+	parts := strings.SplitN(u, "://", 2)
+	if len(parts) != 2 {
+		return "", "", fmt.Errorf("invalid URL, missing scheme and domain/path")
+	}
+	scheme = strings.Replace(parts[0], "*", "", 1)
+	cleanedURL = fmt.Sprintf("%s://%s", scheme, parts[1])
+
+	return strings.ToLower(scheme), cleanedURL, nil
+}
+
+var illegalQueryParms = []string{"Expires", "Policy", "Signature", "Key-Pair-Id"}
+
+func validateURL(u string) error {
+	parsed, err := url.Parse(u)
+	if err != nil {
+		return fmt.Errorf("unable to parse URL, err: %s", err.Error())
+	}
+
+	if parsed.Scheme == "" {
+		return fmt.Errorf("URL missing valid scheme, %s", u)
+	}
+
+	q := parsed.Query()
+	for _, p := range illegalQueryParms {
+		if _, ok := q[p]; ok {
+			return fmt.Errorf("%s cannot be a query parameter for a signed URL", p)
+		}
+	}
+
+	return nil
+}

vendor/github.com/aws/aws-sdk-go/service/cloudfront/sign/sign_url_test.go

@@ -0,0 +1,149 @@
+package sign
+
+import (
+	"crypto/rsa"
+	"math/rand"
+	"strings"
+	"testing"
+	"time"
+)
+
+var testSignTime = time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
+
+var testSignURL = []struct {
+	u            string
+	p            *Policy
+	t            time.Time
+	customPolicy bool
+	expectErr    bool
+	out          string
+}{
+	{
+		"http://example.com/a", NewCannedPolicy("http://example.com/a", testSignTime), time.Time{}, true, false,
+		"http://example.com/a?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cDovL2V4YW1wbGUuY29tL2EiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjEyNTc4OTQwMDB9fX1dfQ__&Signature=Y6qvWOZNl99uNPMGprvrKXEmXpLWJ-xXKVHL~nmF0BR1jPb2XA2jor0MUYKBE4ViTkWZZ1dz46zSFMsEEfw~n6-SVYXZ2QHBBTkSAoxGtH6dH33Ph9pz~f9Wy7aYXq~9I-Ah0E6yC~BMiQuXe5qAOucuMPorKgPfC0dvLMw2EF0_&Key-Pair-Id=KeyID",
+	},
+	{
+		"http://example.com/a", nil, testSignTime, false, false,
+		"http://example.com/a?Expires=1257894000&Signature=Y6qvWOZNl99uNPMGprvrKXEmXpLWJ-xXKVHL~nmF0BR1jPb2XA2jor0MUYKBE4ViTkWZZ1dz46zSFMsEEfw~n6-SVYXZ2QHBBTkSAoxGtH6dH33Ph9pz~f9Wy7aYXq~9I-Ah0E6yC~BMiQuXe5qAOucuMPorKgPfC0dvLMw2EF0_&Key-Pair-Id=KeyID",
+	},
+	{
+		"http://example.com/Ƿ", nil, testSignTime, false, true,
+		"http://example.com/Ƿ?Expires=1257894000&Signature=Y6qvWOZNl99uNPMGprvrKXEmXpLWJ-xXKVHL~nmF0BR1jPb2XA2jor0MUYKBE4ViTkWZZ1dz46zSFMsEEfw~n6-SVYXZ2QHBBTkSAoxGtH6dH33Ph9pz~f9Wy7aYXq~9I-Ah0E6yC~BMiQuXe5qAOucuMPorKgPfC0dvLMw2EF0_&Key-Pair-Id=KeyID",
+	},
+	{
+		"http://example.com/a", &Policy{}, time.Time{}, true, true,
+		"http://example.com/a?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cDovL2V4YW1wbGUuY29tL2EiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjEyNTc4OTQwMDB9fX1dfQ__&Signature=Y6qvWOZNl99uNPMGprvrKXEmXpLWJ-xXKVHL~nmF0BR1jPb2XA2jor0MUYKBE4ViTkWZZ1dz46zSFMsEEfw~n6-SVYXZ2QHBBTkSAoxGtH6dH33Ph9pz~f9Wy7aYXq~9I-Ah0E6yC~BMiQuXe5qAOucuMPorKgPfC0dvLMw2EF0_&Key-Pair-Id=KeyID",
+	},
+	{
+		"http://example.com/a", NewCannedPolicy("", testSignTime), time.Time{}, true, true,
+		"http://example.com/a?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cDovL2V4YW1wbGUuY29tL2EiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjEyNTc4OTQwMDB9fX1dfQ__&Signature=Y6qvWOZNl99uNPMGprvrKXEmXpLWJ-xXKVHL~nmF0BR1jPb2XA2jor0MUYKBE4ViTkWZZ1dz46zSFMsEEfw~n6-SVYXZ2QHBBTkSAoxGtH6dH33Ph9pz~f9Wy7aYXq~9I-Ah0E6yC~BMiQuXe5qAOucuMPorKgPfC0dvLMw2EF0_&Key-Pair-Id=KeyID",
+	},
+	{
+		"rtmp://example.com/a", nil, testSignTime, false, false,
+		"a?Expires=1257894000&Signature=Ds9NbpGwIcDKG1iZDyjfPXp0ZFYSIzfvGzJj-x28XlXfrarHrJbTOQj3bec~aAyb8NAqghBYRdKF9~RdjNrdyxyiequo-SCjFgFHnRNIk0FiqH0fVt2NO63f0X8-Kbur9cPtJoHR9Jzk0I1CQnECqhL6A0OgPhijTfKUITocmzA_&Key-Pair-Id=KeyID",
+	},
+	{
+		"rtmp://example.com/a", NewCannedPolicy("a", testSignTime), time.Time{}, true, false,
+		"a?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiYSIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTI1Nzg5NDAwMH19fV19&Signature=Ds9NbpGwIcDKG1iZDyjfPXp0ZFYSIzfvGzJj-x28XlXfrarHrJbTOQj3bec~aAyb8NAqghBYRdKF9~RdjNrdyxyiequo-SCjFgFHnRNIk0FiqH0fVt2NO63f0X8-Kbur9cPtJoHR9Jzk0I1CQnECqhL6A0OgPhijTfKUITocmzA_&Key-Pair-Id=KeyID",
+	},
+}
+
+// TODO Sign URL HTTP
+// TODO Sign URL RMTP
+func TestSignURL(t *testing.T) {
+	origRandReader := randReader
+	randReader = newRandomReader(rand.New(rand.NewSource(1)))
+	defer func() {
+		randReader = origRandReader
+	}()
+
+	privKey, err := rsa.GenerateKey(randReader, 1024)
+	if err != nil {
+		t.Fatalf("Unexpected priv key error, %#v", err)
+	}
+
+	s := NewURLSigner("KeyID", privKey)
+
+	for i, v := range testSignURL {
+		var u string
+		var err error
+
+		if v.customPolicy {
+			u, err = s.SignWithPolicy(v.u, v.p)
+		} else {
+			u, err = s.Sign(v.u, v.t)
+		}
+
+		if err != nil {
+			if v.expectErr {
+				continue
+			}
+			t.Errorf("%d, Unexpected error, %s", i, err.Error())
+			continue
+		} else if v.expectErr {
+			t.Errorf("%d Expected error, but got none", i)
+			continue
+		}
+
+		if u != v.out {
+			t.Errorf("%d, Unexpected URL\nexpect: %s\nactual: %s\n", i, v.out, u)
+		}
+	}
+
+}
+
+var testBuildSignedURL = []struct {
+	u, keyID          string
+	p                 *Policy
+	customPolicy      bool
+	b64Policy, b64Sig []byte
+	out               string
+}{
+	{
+		"https://example.com/a?b=1", "KeyID", NewCannedPolicy("", testSignTime), true, []byte("b64Policy"), []byte("b64Sig"),
+		"https://example.com/a?b=1&Policy=b64Policy&Signature=b64Sig&Key-Pair-Id=KeyID",
+	},
+	{
+		"https://example.com/a", "KeyID", NewCannedPolicy("", testSignTime), true, []byte("b64Policy"), []byte("b64Sig"),
+		"https://example.com/a?Policy=b64Policy&Signature=b64Sig&Key-Pair-Id=KeyID",
+	},
+	{
+		"https://example.com/a?b=1", "KeyID", NewCannedPolicy("https://example.com/a?b=1", testSignTime), false, []byte("b64Policy"), []byte("b64Sig"),
+		"https://example.com/a?b=1&Expires=1257894000&Signature=b64Sig&Key-Pair-Id=KeyID",
+	},
+}
+
+func TestBuildSignedURL(t *testing.T) {
+	for i, v := range testBuildSignedURL {
+		u := buildSignedURL(v.u, v.keyID, v.p, v.customPolicy, v.b64Policy, v.b64Sig)
+		if u != v.out {
+			t.Errorf("%d, Unexpected URL\nexpect: %s\nactual: %s\n", i, v.out, u)
+		}
+	}
+}
+
+var testValidURL = []struct {
+	in, errPrefix string
+}{
+	{"https://example.com/a?b=1&else=b", ""},
+	{"https://example.com/a?b=1&Policy=something&else=b", "Policy"},
+	{"https://example.com/a?b=1&Signature=something&else=b", "Signature"},
+	{"https://example.com/a?b=1&Key-Pair-Id=something&else=b", "Key-Pair-Id"},
+	{"http?://example.com/a?b=1", "URL missing valid scheme"},
+}
+
+func TestValidateURL(t *testing.T) {
+	for i, v := range testValidURL {
+		err := validateURL(v.in)
+		if err != nil {
+			if v.errPrefix == "" {
+				t.Errorf("%d, Unexpected error %s", i, err.Error())
+			}
+			if !strings.HasPrefix(err.Error(), v.errPrefix) {
+				t.Errorf("%d, Expected to find prefix\nexpect: %s\nactual: %s", i, v.errPrefix, err.Error())
+			}
+		} else if v.errPrefix != "" {
+			t.Errorf("%d, Expected error %s", i, v.errPrefix)
+		}
+	}
+}

vendor/github.com/aws/aws-sdk-go/service/cloudfront/waiters.go

@@ -0,0 +1,148 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package cloudfront
+
+import (
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/request"
+)
+
+// WaitUntilDistributionDeployed uses the CloudFront API operation
+// GetDistribution to wait for a condition to be met before returning.
+// If the condition is not met within the max attempt window, an error will
+// be returned.
+func (c *CloudFront) WaitUntilDistributionDeployed(input *GetDistributionInput) error {
+	return c.WaitUntilDistributionDeployedWithContext(aws.BackgroundContext(), input)
+}
+
+// WaitUntilDistributionDeployedWithContext is an extended version of WaitUntilDistributionDeployed.
+// With the support for passing in a context and options to configure the
+// Waiter and the underlying request options.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *CloudFront) WaitUntilDistributionDeployedWithContext(ctx aws.Context, input *GetDistributionInput, opts ...request.WaiterOption) error {
+	w := request.Waiter{
+		Name:        "WaitUntilDistributionDeployed",
+		MaxAttempts: 25,
+		Delay:       request.ConstantWaiterDelay(60 * time.Second),
+		Acceptors: []request.WaiterAcceptor{
+			{
+				State:   request.SuccessWaiterState,
+				Matcher: request.PathWaiterMatch, Argument: "Distribution.Status",
+				Expected: "Deployed",
+			},
+		},
+		Logger: c.Config.Logger,
+		NewRequest: func(opts []request.Option) (*request.Request, error) {
+			var inCpy *GetDistributionInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.GetDistributionRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+	w.ApplyOptions(opts...)
+
+	return w.WaitWithContext(ctx)
+}
+
+// WaitUntilInvalidationCompleted uses the CloudFront API operation
+// GetInvalidation to wait for a condition to be met before returning.
+// If the condition is not met within the max attempt window, an error will
+// be returned.
+func (c *CloudFront) WaitUntilInvalidationCompleted(input *GetInvalidationInput) error {
+	return c.WaitUntilInvalidationCompletedWithContext(aws.BackgroundContext(), input)
+}
+
+// WaitUntilInvalidationCompletedWithContext is an extended version of WaitUntilInvalidationCompleted.
+// With the support for passing in a context and options to configure the
+// Waiter and the underlying request options.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *CloudFront) WaitUntilInvalidationCompletedWithContext(ctx aws.Context, input *GetInvalidationInput, opts ...request.WaiterOption) error {
+	w := request.Waiter{
+		Name:        "WaitUntilInvalidationCompleted",
+		MaxAttempts: 30,
+		Delay:       request.ConstantWaiterDelay(20 * time.Second),
+		Acceptors: []request.WaiterAcceptor{
+			{
+				State:   request.SuccessWaiterState,
+				Matcher: request.PathWaiterMatch, Argument: "Invalidation.Status",
+				Expected: "Completed",
+			},
+		},
+		Logger: c.Config.Logger,
+		NewRequest: func(opts []request.Option) (*request.Request, error) {
+			var inCpy *GetInvalidationInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.GetInvalidationRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+	w.ApplyOptions(opts...)
+
+	return w.WaitWithContext(ctx)
+}
+
+// WaitUntilStreamingDistributionDeployed uses the CloudFront API operation
+// GetStreamingDistribution to wait for a condition to be met before returning.
+// If the condition is not met within the max attempt window, an error will
+// be returned.
+func (c *CloudFront) WaitUntilStreamingDistributionDeployed(input *GetStreamingDistributionInput) error {
+	return c.WaitUntilStreamingDistributionDeployedWithContext(aws.BackgroundContext(), input)
+}
+
+// WaitUntilStreamingDistributionDeployedWithContext is an extended version of WaitUntilStreamingDistributionDeployed.
+// With the support for passing in a context and options to configure the
+// Waiter and the underlying request options.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *CloudFront) WaitUntilStreamingDistributionDeployedWithContext(ctx aws.Context, input *GetStreamingDistributionInput, opts ...request.WaiterOption) error {
+	w := request.Waiter{
+		Name:        "WaitUntilStreamingDistributionDeployed",
+		MaxAttempts: 25,
+		Delay:       request.ConstantWaiterDelay(60 * time.Second),
+		Acceptors: []request.WaiterAcceptor{
+			{
+				State:   request.SuccessWaiterState,
+				Matcher: request.PathWaiterMatch, Argument: "StreamingDistribution.Status",
+				Expected: "Deployed",
+			},
+		},
+		Logger: c.Config.Logger,
+		NewRequest: func(opts []request.Option) (*request.Request, error) {
+			var inCpy *GetStreamingDistributionInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.GetStreamingDistributionRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+	w.ApplyOptions(opts...)
+
+	return w.WaitWithContext(ctx)
+}