himari-aws 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eb42481e34029c9e1ae8c3594dd64995f423a53818cbc867a0fd2c65c64c3ff1
-  data.tar.gz: 55e743a182643484f59544428a9384661a161d4a5657895bd9bed70714c19024
+  metadata.gz: 85a23ea8f8d589be0168080f22f979e78d26113119166ba0a99936448b74ed7c
+  data.tar.gz: 1837996eac719023197e7e56544c77b2b4d93426e6942cf60e37053bf007d2c5
 SHA512:
-  metadata.gz: fc863a5752789f4b83b030c5bb44fc6de47d52acdc44225baf74d97e04f4c2de6ff3b3e1a4fb03bde80b377c956bd70137c8dc0d2cdb2c2e33238d107644c4c1
-  data.tar.gz: d5093ed3e72bae790f76b9709443b37bf97be5686b53b676cb35fc1d01568685c93d228a1c9825157480328439d6c638e8846afb746a522f9a24320fe61239d8
+  metadata.gz: 6e74908b3c34af13b018436918b6a83f87d4180d28505348c9aba6e25024ddcab1cc323df5c151c2e45aa3ec00afb4d40b2fb2c7c6a9b6bc77193010a0d757ae
+  data.tar.gz: 2b5bcd9303a70d87b51c80ef9dead217844d13ec68b942941088aa3ba6e9398bd09419d102321600efa9e311c11ae596e23e404988bd8763e30d8c802cf9166b

data/CHANGELOG.md

@@ -0,0 +1,15 @@
+## [0.3.0] - 2026-06-03
+
+### Enhancements
+
+- Lambda image: copy the prebuilt image with skopeo instead of docker (gains an `architecture` input), with Terraform AWS provider v6 compatibility and a `role_name` output [#18](https://github.com/sorah/himari/pull/18)
+- DynamoDB storage: compare-and-swap writes backing refresh-token rotation [#14](https://github.com/sorah/himari/pull/14)
+- Lambda image: bundle `omniauth-entra-id` and `omniauth-okta`, depend explicitly on `aws-sdk-ssm` and `aws-sdk-secretsmanager`, and make `rack-cors` available.
+
+### Changes
+
+- Lambda image: Ruby 4.0, build on dnf, and rolled dependencies (including `apigatewayv2_rack` 0.5.0).
+
+## [0.2.0] - 2023-03-22
+
+- Initial release: `Himari::Aws::DynamodbStorage`, Secrets Manager signing key provider and rotation handler, prebuilt Lambda container image, and Terraform modules.

data/README.md

@@ -1,24 +1,137 @@
-# Himari::Aws
+# himari-aws: AWS related plugins for Himari
 
-TODO: Delete this and the text below, and describe your gem
+- DynamoDB storage backend
+- Secrets Manager automatic rotation Lambda function for signing keys
+- Secrets Manager signing key provider
+- Lambda container image to host Himari itself (TODO)
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/himari/aws`. To experiment with that code, run `bin/console` for an interactive prompt.
+## Deploy on Lambda with Terraform
 
-## Installation
-
-TODO: Replace `UPDATE_WITH_YOUR_GEM_NAME_PRIOR_TO_RELEASE_TO_RUBYGEMS_ORG` with your gem name right after releasing it to RubyGems.org. Please do not do it earlier due to security reasons. Alternatively, replace this section with instructions to install your gem from git if you don't plan to release to RubyGems.org.
-
-Install the gem and add to the application's Gemfile by executing:
+- See [./lambda/terraform/](./lambda/terraform/) for quick deployment using Terraform modules.
 
-    $ bundle add UPDATE_WITH_YOUR_GEM_NAME_PRIOR_TO_RELEASE_TO_RUBYGEMS_ORG
-
-If bundler is not being used to manage dependencies, install the gem by executing:
+## Installation
 
-    $ gem install UPDATE_WITH_YOUR_GEM_NAME_PRIOR_TO_RELEASE_TO_RUBYGEMS_ORG
+```ruby
+gem 'himari'
+gem 'himari-aws'
+gem 'nokogiri'
+```
+
+### IAM policy
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "dynamodb:DeleteItem",
+        "dynamodb:Query",
+        "dynamodb:UpdateItem"
+      ],
+      "Resource": "arn:aws:dynamodb:[REGION]:[ACCOUNTID]:table/himari_*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:PutSecretValue",
+        "secretsmanager:UpdateSecretVersionStage"
+      ],
+      "Resource": "arn:aws:secretsmanager:[REGION]:[ACCOUNTID]:secret:himari_*"
+    }
+  ]
+}
+```
 
 ## Usage
 
-TODO: Write usage instructions here
+### Secrets Manager Rotation Handler
+
+1. Deploy [./lib/himari/aws/secretsmanager_signing_key_rotation_handler.rb](./lib/himari/aws/secretsmanager_signing_key_rotation_handler.rb) as a Lambda function. This file works standalone.
+
+   - Refer to the [./lambda](./lambda) for prebuilt container image
+
+2. Grant secrets manager a `lambda:InvokeFunction` to the function.
+3. Create a secrets manager secret and set up rotation.
+
+You can tag a secret with `HimariKey` key and the following value to customize key types:
+
+- RSA 2048-bit: `kty=rsa,len=2048`
+- RSA 4096-bit: `kty=rsa,len=4096`
+- EC P-256: `kty=ec,len=256`
+
+_you may also specify in base64'd json_
+
+### config.ru
+
+```ruby
+# config.ru
+require 'himari'
+require 'himari/aws'
+require 'json'
+require 'omniauth'
+require 'open-uri'
+require 'rack/session/cookie'
+
+use(Rack::Session::Cookie,
+  path: '/',
+  expire_after: 3600,
+  secure: true,
+  secret: ENV.fetch('SECRET_KEY_BASE'),
+)
+
+use OmniAuth::Builder do
+  provider :developer, fields: %i(login), uid_field: :login
+end
+
+use(Himari::Middlewares::Config,
+  issuer: 'https://idp.example.net',
+  providers: [
+    { name: :github, button: 'Log in with GitHub' },
+  ],
+  storage: Himari::Aws::DynamodbStorage.new(table_name: 'himari'),
+)
+
+# Signing key from Secrets Manager. For rotation deployment, read 
+use(Himari::Aws::SecretsmanagerSigningKeyProvider, 
+  secret_id: 'arn:aws:secretsmanager:ap-northeast-1:...:secret:himari-xxx',
+  group: nil,
+  kid_prefix: 'asm1',
+)
+
+# Add clients as many as you need
+use(Himari::Middlewares::Client,
+  name: 'awsalb',
+  id: '...',
+  secret_hash: '...', # sha384 hexdigest of secret
+  # secret: '...' # or in cleartext
+  redirect_uris: %w(https://app.example.net/oauth2/idpresponse),
+)
+
+use(Himari::Middlewares::ClaimsRule, name: 'developer-initialize') do |context, decision|
+  next decision.skip!("provider not in scope") unless context.provider == 'developer'
+  decision.initialize_claims!(
+    sub: "dev_#{Digest::SHA256.hexdigest(context.auth[:uid])}",
+    name: context.auth[:info][:login],
+    preferred_username: context.auth[:info][:login],
+  )
+  decision.continue!
+end
+
+use(Himari::Middlewares::AuthenticationRule, name: 'always-allow') do |context, decision|
+  next decision.skip!("provider not in scope") unless context.provider == 'developer'
+  decision.allow!
+end
+
+use(Himari::Middlewares::AuthorizationRule, name: 'always-allow') do |context, decision|
+  decision.allow! 
+end
+
+run Himari::App
+```
 
 ## Development
 
@@ -28,7 +141,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/himari-aws.
+Bug reports and pull requests are welcome on GitHub at https://github.com/sorah/himari.
 
 ## License
 

data/Rakefile

@@ -5,4 +5,6 @@ require "rspec/core/rake_task"
 
 RSpec::Core::RakeTask.new(:spec)
 
+Bundler::GemHelper.tag_prefix = "himari-aws/"
+
 task default: :spec

data/lambda/Dockerfile

@@ -0,0 +1,40 @@
+# context must be repository root
+FROM public.ecr.aws/lambda/ruby:4.0 as builder
+RUN --mount=type=cache,target=/var/cache/dnf dnf update -y && dnf install -y gcc gcc-c++ make
+
+COPY ./himari/himari.gemspec ${LAMBDA_TASK_ROOT}/app/himari/himari.gemspec
+COPY ./himari/lib/himari/version.rb ${LAMBDA_TASK_ROOT}/app/himari/lib/himari/version.rb
+
+COPY ./himari-aws/himari-aws.gemspec ${LAMBDA_TASK_ROOT}/app/himari-aws/himari-aws.gemspec
+COPY ./himari-aws/lib/himari/aws/version.rb ${LAMBDA_TASK_ROOT}/app/himari-aws/lib/himari/aws/version.rb
+
+COPY ./omniauth-himari/omniauth-himari.gemspec ${LAMBDA_TASK_ROOT}/app/omniauth-himari/omniauth-himari.gemspec
+COPY ./omniauth-himari/lib/omniauth-himari/version.rb ${LAMBDA_TASK_ROOT}/app/omniauth-himari/lib/omniauth-himari/version.rb
+
+COPY ./himari-aws/lambda/Gemfile* ${LAMBDA_TASK_ROOT}/app/himari-aws/lambda/
+WORKDIR ${LAMBDA_TASK_ROOT}/app
+
+ENV LANG=C.UTF-8
+ENV BUNDLE_GEMFILE ${LAMBDA_TASK_ROOT}/app/himari-aws/lambda/Gemfile
+ENV BUNDLE_PATH ${LAMBDA_TASK_ROOT}/vendor/bundle
+ENV BUNDLE_DEPLOYMENT 1
+ENV BUNDLE_JOBS 16
+ENV HIMARI_LAMBDA_IMAGE 1
+RUN bundle install
+
+COPY . ${LAMBDA_TASK_ROOT}/app
+
+FROM public.ecr.aws/lambda/ruby:4.0
+
+COPY --from=builder ${LAMBDA_TASK_ROOT}/vendor ${LAMBDA_TASK_ROOT}/vendor
+COPY . ${LAMBDA_TASK_ROOT}/app
+
+COPY ./himari-aws/lambda/entrypoint.rb ${LAMBDA_TASK_ROOT}/himari_lambda_entrypoint.rb
+
+WORKDIR ${LAMBDA_TASK_ROOT}/app
+ENV LANG=C.UTF-8
+ENV BUNDLE_GEMFILE ${LAMBDA_TASK_ROOT}/app/himari-aws/lambda/Gemfile
+ENV BUNDLE_PATH ${LAMBDA_TASK_ROOT}/vendor/bundle
+ENV BUNDLE_DEPLOYMENT 1
+ENV HIMARI_LAMBDA_IMAGE 1
+CMD [ "himari_lambda_entrypoint.Himari::Aws::LambdaHandler.rack_handler" ]

data/lambda/Gemfile

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+root = File.join('..', '..')
+
+gem 'himari', path: File.join(root, 'himari')
+gem 'himari-aws', path: File.join(root, 'himari-aws')
+gem 'omniauth-himari', path: File.join(root, 'omniauth-himari')
+
+gem 'aws-sdk-secretsmanager'
+gem 'aws-sdk-ssm' # paraemeter store
+gem 'nokogiri'
+# gem 'apigatewayv2_rack', git: 'https://github.com/sorah/apigatewayv2_rack'
+gem 'apigatewayv2_rack', '>= 0.5.0'
+
+# contribs
+gem 'secure_headers'
+gem 'rack-cors'
+
+gem 'omniauth-oauth2'
+gem 'omniauth-saml'
+# gem 'omniauth-twitter'
+gem 'omniauth-github'
+gem 'omniauth-auth0'
+gem 'omniauth-entra-id'
+gem 'omniauth-okta'
+# gem 'omniauth-shibboleth'
+gem 'omniauth-gitlab'
+# gem 'omniauth-kerberos'
+gem 'omniauth-google-oauth2'
+gem 'omniauth-discord'
+gem 'omniauth-apple'
+# gem 'omniauth-ldap' # omniauth < 2
+# gem 'omniauth-slack'# omniauth-oauth2 version constraints does not match with omniauth-github

data/lambda/Gemfile.lock

@@ -0,0 +1,374 @@
+PATH
+  remote: ../../himari
+  specs:
+    himari (0.6.0)
+      addressable
+      concurrent-ruby
+      httpx
+      omniauth (>= 2.0)
+      openid_connect
+      rack-oauth2
+      rack-protection
+      sinatra (>= 3.0)
+
+PATH
+  remote: ../../omniauth-himari
+  specs:
+    omniauth-himari (0.3.0)
+      faraday
+      jwt
+      oauth2
+      omniauth
+      omniauth-oauth2
+
+PATH
+  remote: ..
+  specs:
+    himari-aws (0.3.0)
+      apigatewayv2_rack
+      aws-sdk-dynamodb
+      aws-sdk-secretsmanager
+      himari
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activemodel (8.1.3)
+      activesupport (= 8.1.3)
+    activesupport (8.1.3)
+      base64
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.3.1)
+      connection_pool (>= 2.2.5)
+      drb
+      i18n (>= 1.6, < 2)
+      json
+      logger (>= 1.4.2)
+      minitest (>= 5.1)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
+    addressable (2.9.0)
+      public_suffix (>= 2.0.2, < 8.0)
+    aes_key_wrap (1.1.0)
+    apigatewayv2_rack (0.5.0)
+      base64
+      rack
+      stringio
+    attr_required (1.0.2)
+    auth-sanitizer (0.1.4)
+      version_gem (~> 1.1, >= 1.1.9)
+    aws-eventstream (1.4.0)
+    aws-partitions (1.1257.0)
+    aws-sdk-core (3.251.0)
+      aws-eventstream (~> 1, >= 1.3.0)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
+      base64
+      bigdecimal
+      jmespath (~> 1, >= 1.6.1)
+      logger
+    aws-sdk-dynamodb (1.168.0)
+      aws-sdk-core (~> 3, >= 3.248.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-secretsmanager (1.133.0)
+      aws-sdk-core (~> 3, >= 3.248.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-ssm (1.216.0)
+      aws-sdk-core (~> 3, >= 3.248.0)
+      aws-sigv4 (~> 1.5)
+    aws-sigv4 (1.12.1)
+      aws-eventstream (~> 1, >= 1.0.2)
+    base64 (0.3.0)
+    bigdecimal (4.1.2)
+    bindata (2.5.1)
+    cgi (0.5.1)
+    concurrent-ruby (1.3.6)
+    connection_pool (3.0.2)
+    date (3.5.1)
+    drb (2.2.3)
+    faraday (2.14.2)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-follow_redirects (0.5.0)
+      faraday (>= 1, < 3)
+    faraday-net_http (3.4.4)
+      net-http (~> 0.5)
+    hashie (5.1.0)
+      logger
+    http-2 (1.1.3)
+    httpx (1.7.8)
+      http-2 (>= 1.1.3)
+    i18n (1.14.8)
+      concurrent-ruby (~> 1.0)
+    jmespath (1.6.2)
+    json (2.19.8)
+    json-jwt (1.17.1)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      base64
+      bindata
+      faraday (~> 2.0)
+      faraday-follow_redirects
+    jwt (2.10.3)
+      base64
+    logger (1.7.0)
+    mail (2.9.0)
+      logger
+      mini_mime (>= 0.1.1)
+      net-imap
+      net-pop
+      net-smtp
+    mini_mime (1.1.5)
+    mini_portile2 (2.8.9)
+    minitest (6.0.6)
+      drb (~> 2.0)
+      prism (~> 1.5)
+    multi_xml (0.9.1)
+      bigdecimal (>= 3.1, < 5)
+    mustermann (3.1.1)
+    net-http (0.9.1)
+      uri (>= 0.11.1)
+    net-imap (0.6.4)
+      date
+      net-protocol
+    net-pop (0.1.2)
+      net-protocol
+    net-protocol (0.2.2)
+      timeout
+    net-smtp (0.5.1)
+      net-protocol
+    nokogiri (1.19.3)
+      mini_portile2 (~> 2.8.2)
+      racc (~> 1.4)
+    oauth2 (2.0.20)
+      auth-sanitizer (~> 0.1, >= 0.1.3)
+      faraday (>= 0.17.3, < 4.0)
+      jwt (>= 1.0, < 4.0)
+      logger (~> 1.2)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 4)
+      snaky_hash (~> 2.0, >= 2.0.4)
+      version_gem (~> 1.1, >= 1.1.9)
+    omniauth (2.1.4)
+      hashie (>= 3.4.6)
+      logger
+      rack (>= 2.2.3)
+      rack-protection
+    omniauth-apple (1.4.0)
+      json-jwt
+      omniauth-oauth2
+    omniauth-auth0 (3.2.0)
+      jwt (~> 2)
+      omniauth (~> 2)
+      omniauth-oauth2 (~> 1)
+    omniauth-discord (1.2.0)
+      omniauth-oauth2 (~> 1.6)
+    omniauth-entra-id (3.1.1)
+      jwt (>= 2.9.2)
+      omniauth-oauth2 (~> 1.8)
+    omniauth-github (2.0.1)
+      omniauth (~> 2.0)
+      omniauth-oauth2 (~> 1.8)
+    omniauth-gitlab (4.1.0)
+      omniauth (~> 2.0)
+      omniauth-oauth2 (~> 1.8.0)
+    omniauth-google-oauth2 (1.2.2)
+      jwt (>= 2.9.2)
+      oauth2 (~> 2.0)
+      omniauth (~> 2.0)
+      omniauth-oauth2 (~> 1.8)
+    omniauth-oauth2 (1.8.0)
+      oauth2 (>= 1.4, < 3)
+      omniauth (~> 2.0)
+    omniauth-okta (2.0.0)
+      omniauth (~> 2.0)
+      omniauth-oauth2 (~> 1.7, >= 1.7.1)
+    omniauth-saml (2.2.5)
+      omniauth (~> 2.1)
+      ruby-saml (~> 1.18)
+    openid_connect (2.5.0)
+      activemodel
+      attr_required (>= 1.0.0)
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.16)
+      mail
+      rack-oauth2 (~> 2.2)
+      swd (~> 2.0)
+      tzinfo
+      validate_url
+      webfinger (~> 2.0)
+    prism (1.9.0)
+    public_suffix (7.0.5)
+    racc (1.8.1)
+    rack (3.2.6)
+    rack-cors (3.0.0)
+      logger
+      rack (>= 3.0.14)
+    rack-oauth2 (2.3.0)
+      activesupport
+      attr_required
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.11.0)
+      rack (>= 2.1.0)
+    rack-protection (4.2.1)
+      base64 (>= 0.1.0)
+      logger (>= 1.6.0)
+      rack (>= 3.0.0, < 4)
+    rack-session (2.1.2)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0)
+    rexml (3.4.4)
+    ruby-saml (1.18.1)
+      nokogiri (>= 1.13.10)
+      rexml
+    secure_headers (7.2.0)
+      cgi (>= 0.1)
+    securerandom (0.4.1)
+    sinatra (4.2.1)
+      logger (>= 1.6.0)
+      mustermann (~> 3.0)
+      rack (>= 3.0.0, < 4)
+      rack-protection (= 4.2.1)
+      rack-session (>= 2.0.0, < 3)
+      tilt (~> 2.0)
+    snaky_hash (2.0.4)
+      hashie (>= 0.1.0, < 6)
+      version_gem (>= 1.1.8, < 3)
+    stringio (3.2.0)
+    swd (2.0.3)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      faraday (~> 2.0)
+      faraday-follow_redirects
+    tilt (2.7.0)
+    timeout (0.6.1)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+    uri (1.1.1)
+    validate_url (1.0.15)
+      activemodel (>= 3.0.0)
+      public_suffix
+    version_gem (1.1.10)
+    webfinger (2.1.3)
+      activesupport
+      faraday (~> 2.0)
+      faraday-follow_redirects
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  apigatewayv2_rack (>= 0.5.0)
+  aws-sdk-secretsmanager
+  aws-sdk-ssm
+  himari!
+  himari-aws!
+  nokogiri
+  omniauth-apple
+  omniauth-auth0
+  omniauth-discord
+  omniauth-entra-id
+  omniauth-github
+  omniauth-gitlab
+  omniauth-google-oauth2
+  omniauth-himari!
+  omniauth-oauth2
+  omniauth-okta
+  omniauth-saml
+  rack-cors
+  secure_headers
+
+CHECKSUMS
+  activemodel (8.1.3) sha256=90c05cbe4cef3649b8f79f13016191ea94c4525ce4a5c0fb7ef909c4b91c8219
+  activesupport (8.1.3) sha256=21a5e0dfbd4c3ddd9e1317ec6a4d782fa226e7867dc70b0743acda81a1dca20e
+  addressable (2.9.0) sha256=7fdf6ac3660f7f4e867a0838be3f6cf722ace541dd97767fa42bc6cfa980c7af
+  aes_key_wrap (1.1.0) sha256=b935f4756b37375895db45669e79dfcdc0f7901e12d4e08974d5540c8e0776a5
+  apigatewayv2_rack (0.5.0) sha256=30fb327ddacfeb0490657052791cea327ef852348ca32c21fa412161bfe492b2
+  attr_required (1.0.2) sha256=f0ebfc56b35e874f4d0ae799066dbc1f81efefe2364ca3803dc9ea6a4de6cb99
+  auth-sanitizer (0.1.4) sha256=ded72221d4d3a7c91e34e8a87b21e6a42cbf7829697f140dcf49d542422faedc
+  aws-eventstream (1.4.0) sha256=116bf85c436200d1060811e6f5d2d40c88f65448f2125bc77ffce5121e6e183b
+  aws-partitions (1.1257.0) sha256=03c531f40fdd979a9ae2aae70140c60e59000e6f62a60b3d6171b78cdded960c
+  aws-sdk-core (3.251.0) sha256=ef8186cb5509147e590310da58fab4c5b0901eba0e85a72955abdf772e425c87
+  aws-sdk-dynamodb (1.168.0) sha256=9bd479a23c6ab006130c7c1ebf5f9dd4c05d90ce03255f69ca8d04748fef0aec
+  aws-sdk-secretsmanager (1.133.0) sha256=467d64d44aa5206fa45d9fc9d5b90290ed7aa9101ed18393caf9b8fbe5c277dc
+  aws-sdk-ssm (1.216.0) sha256=7d03b033d183025ae5a4b473766d215fc0fca6a2978b347a16f2a3cdff49b62c
+  aws-sigv4 (1.12.1) sha256=6973ff95cb0fd0dc58ba26e90e9510a2219525d07620c8babeb70ef831826c00
+  base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
+  bigdecimal (4.1.2) sha256=53d217666027eab4280346fba98e7d5b66baaae1b9c3c1c0ffe89d48188a3fbd
+  bindata (2.5.1) sha256=53186a1ec2da943d4cb413583d680644eb810aacbf8902497aac8f191fad9e58
+  bundler (4.0.12) sha256=7f8b757d28dfb636e7b24fba2344ac6dd13b5b24f4b46d62573d483f211825ac
+  cgi (0.5.1) sha256=e93fcafc69b8a934fe1e6146121fa35430efa8b4a4047c4893764067036f18e9
+  concurrent-ruby (1.3.6) sha256=6b56837e1e7e5292f9864f34b69c5a2cbc75c0cf5338f1ce9903d10fa762d5ab
+  connection_pool (3.0.2) sha256=33fff5ba71a12d2aa26cb72b1db8bba2a1a01823559fb01d29eb74c286e62e0a
+  date (3.5.1) sha256=750d06384d7b9c15d562c76291407d89e368dda4d4fff957eb94962d325a0dc0
+  drb (2.2.3) sha256=0b00d6fdb50995fe4a45dea13663493c841112e4068656854646f418fda13373
+  faraday (2.14.2) sha256=73ccb9994a9e8648f010e32eca2ae82e41c57860aa10932cda29418b9e0223ad
+  faraday-follow_redirects (0.5.0) sha256=5cde93c894b30943a5d2b93c2fe9284216a6b756f7af406a1e55f211d97d10ad
+  faraday-net_http (3.4.4) sha256=0e78af151747ed1b00f33e25973b4bc220d7f16c00c39676817c8b12331eb588
+  hashie (5.1.0) sha256=c266471896f323c446ea8207f8ffac985d2718df0a0ba98651a3057096ca3870
+  himari (0.6.0)
+  himari-aws (0.3.0)
+  http-2 (1.1.3) sha256=1b2f379d35a11dbae94f8a1a52c053d8c161eb4a0c98b5d1605ff1b2bf171c9c
+  httpx (1.7.8) sha256=6d769465ed608287a272ba0e4700fc22cee6f0335d80bd5c2effaf7fb7bd2a3a
+  i18n (1.14.8) sha256=285778639134865c5e0f6269e0b818256017e8cde89993fdfcbfb64d088824a5
+  jmespath (1.6.2) sha256=238d774a58723d6c090494c8879b5e9918c19485f7e840f2c1c7532cf84ebcb1
+  json (2.19.8) sha256=6354310fd76ef69b87d5bd1f38b40d730613baf90b6803d2d0a48f618d32dfaa
+  json-jwt (1.17.1) sha256=5e1ced0f7b206b4c567efee19e6503c1426a819749132926cda579ec013d1f46
+  jwt (2.10.3) sha256=e4d9352fbc7309b1a7448c7dd713dfe4d8c47077af80759cdbed8f878ea0b484
+  logger (1.7.0) sha256=196edec7cc44b66cfb40f9755ce11b392f21f7967696af15d274dde7edff0203
+  mail (2.9.0) sha256=6fa6673ecd71c60c2d996260f9ee3dd387d4673b8169b502134659ece6d34941
+  mini_mime (1.1.5) sha256=8681b7e2e4215f2a159f9400b5816d85e9d8c6c6b491e96a12797e798f8bccef
+  mini_portile2 (2.8.9) sha256=0cd7c7f824e010c072e33f68bc02d85a00aeb6fce05bb4819c03dfd3c140c289
+  minitest (6.0.6) sha256=153ea36d1d987a62942382b61075745042a2b3123b1cd48f4c3675af9cc7d6f1
+  multi_xml (0.9.1) sha256=7ce766b59c17241ed62976caeae1fae9b2431b263398c35396239a68c4a64e57
+  mustermann (3.1.1) sha256=4c6170c7234d5499c345562ba7c7dfe73e1754286dcc1abb053064d66a127198
+  net-http (0.9.1) sha256=25ba0b67c63e89df626ed8fac771d0ad24ad151a858af2cc8e6a716ca4336996
+  net-imap (0.6.4) sha256=9a5598c67a3022c284d98430ef1d4948e7dbdb62596f61081ea8ca933270a02b
+  net-pop (0.1.2) sha256=848b4e982013c15b2f0382792268763b748cce91c9e91e36b0f27ed26420dff3
+  net-protocol (0.2.2) sha256=aa73e0cba6a125369de9837b8d8ef82a61849360eba0521900e2c3713aa162a8
+  net-smtp (0.5.1) sha256=ed96a0af63c524fceb4b29b0d352195c30d82dd916a42f03c62a3a70e5b70736
+  nokogiri (1.19.3) sha256=78312cbac32a40c812780d9678221b79d51288eec00054c1a8d15f7ce05960e8
+  oauth2 (2.0.20) sha256=790c6316346da12f9dcaf27a67530f802950af05d35c3874918da84f2deae674
+  omniauth (2.1.4) sha256=42a05b0496f0d22e1dd85d42aaf602f064e36bb47a6826a27ab55e5ba608763c
+  omniauth-apple (1.4.0) sha256=f449ce4c206e784536cbaf64b7c36072ac5e7c73103b1a01ba3c1d9454bf6e24
+  omniauth-auth0 (3.2.0) sha256=9241a8ce3ead46070f101f8f5170f09d7c2c3841321734d7a4852d954815db9c
+  omniauth-discord (1.2.0) sha256=e6e92649a645862ccb29ce3d5f2f876de9e26198722b9d05f9f6d4f3805d5c70
+  omniauth-entra-id (3.1.1) sha256=16622979423891352f916709f0698401e692e60bb41d4dbf5f7a17d98fee27ef
+  omniauth-github (2.0.1) sha256=8ff8e70ac6d6db9d52485eef52cfa894938c941496e66b52b5e2773ade3ccad4
+  omniauth-gitlab (4.1.0) sha256=543f1fa710488220b382bd683a3f314f5b29c36de85ad746f356f37795959613
+  omniauth-google-oauth2 (1.2.2) sha256=74c3f3d0221c048f938846092fb15a1f15237526f50a7c93d9793f9a4ff1be11
+  omniauth-himari (0.3.0)
+  omniauth-oauth2 (1.8.0) sha256=b2f8e9559cc7e2d4efba57607691d6d2b634b879fc5b5b6ccfefa3da85089e78
+  omniauth-okta (2.0.0) sha256=6425fd3140c3130bc8793a536f8200bfc154faac69fe6661d03959d841639655
+  omniauth-saml (2.2.5) sha256=552ad464564d711f0dfd169e0ad801de809cf3ac71c4bc9094f152d5a0d7ab59
+  openid_connect (2.5.0) sha256=659aff8edce0907798e3f6837e5f27ae2937ae8735216f3e900ab8daa29e39c4
+  prism (1.9.0) sha256=7b530c6a9f92c24300014919c9dcbc055bf4cdf51ec30aed099b06cd6674ef85
+  public_suffix (7.0.5) sha256=1a8bb08f1bbea19228d3bed6e5ed908d1cb4f7c2726d18bd9cadf60bc676f623
+  racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
+  rack (3.2.6) sha256=5ed78e1f73b2e25679bec7d45ee2d4483cc4146eb1be0264fc4d94cb5ef212c2
+  rack-cors (3.0.0) sha256=7b95be61db39606906b61b83bd7203fa802b0ceaaad8fcb2fef39e097bf53f68
+  rack-oauth2 (2.3.0) sha256=43e02cf73f13886a0a06499603caeec58aeba6eae1fefc4977c9678b7652c632
+  rack-protection (4.2.1) sha256=cf6e2842df8c55f5e4d1a4be015e603e19e9bc3a7178bae58949ccbb58558bac
+  rack-session (2.1.2) sha256=595434f8c0c3473ae7d7ac56ecda6cc6dfd9d37c0b2b5255330aa1576967ffe8
+  rexml (3.4.4) sha256=19e0a2c3425dfbf2d4fc1189747bdb2f849b6c5e74180401b15734bc97b5d142
+  ruby-saml (1.18.1) sha256=1b0e7a44aef150b4197955f5e015d593672e242cfdc5d06aa7554ec2350b9107
+  secure_headers (7.2.0) sha256=713b3d20af12b8c6633d97e276b286f1520e57be0d84b00f3bf43d22a1b70f83
+  securerandom (0.4.1) sha256=cc5193d414a4341b6e225f0cb4446aceca8e50d5e1888743fac16987638ea0b1
+  sinatra (4.2.1) sha256=b7aeb9b11d046b552972ade834f1f9be98b185fa8444480688e3627625377080
+  snaky_hash (2.0.4) sha256=2b12758c57defa6796341a1620f84b1a23737421d8d7e2575d0550b53cc4fece
+  stringio (3.2.0) sha256=c37cb2e58b4ffbd33fe5cd948c05934af997b36e0b6ca6fdf43afa234cf222e1
+  swd (2.0.3) sha256=4cdbe2a4246c19f093fce22e967ec3ebdd4657d37673672e621bf0c7eb770655
+  tilt (2.7.0) sha256=0d5b9ba69f6a36490c64b0eee9f6e9aad517e20dcc848800a06eb116f08c6ab3
+  timeout (0.6.1) sha256=78f57368a7e7bbadec56971f78a3f5ecbcfb59b7fcbb0a3ed6ddc08a5094accb
+  tzinfo (2.0.6) sha256=8daf828cc77bcf7d63b0e3bdb6caa47e2272dcfaf4fbfe46f8c3a9df087a829b
+  uri (1.1.1) sha256=379fa58d27ffb1387eaada68c749d1426738bd0f654d812fcc07e7568f5c57c6
+  validate_url (1.0.15) sha256=72fe164c0713d63a9970bd6700bea948babbfbdcec392f2342b6704042f57451
+  version_gem (1.1.10) sha256=d0575dc9f2949b2db9497051f96e5c36d7c6c2f2e81afd1a73cacccd4690e506
+  webfinger (2.1.3) sha256=567a52bde77fb38ca6b67e55db755f988766ec4651c1d24916a65aa70540695c
+
+BUNDLED WITH
+  4.0.12

data/lambda/README.md

@@ -0,0 +1,42 @@
+# Himari Lambda Container Image
+
+## Deploy
+
+- See [./terraform/](./terraform/) for quick deployment using Terraform modules.
+
+## Image
+
+### Prebuilt image
+
+- https://gallery.ecr.aws/sorah/himari-lambda
+- `public.ecr.aws/sorah/himari-lambda`
+
+Images are tagged with commit SHA.
+
+### Build an image
+
+Run the following at the repository root:
+
+```
+docker build -f himari-aws/lambda/Dockerfile .
+```
+
+### Usage
+
+The same container image supports multiple handlers:
+
+#### Rack app for API Gateway v2, Function URL, ALB target
+
+- Handler: `himari_lambda_entrypoint.Himari::Aws::LambdaHandler.rack_handler`
+
+Served through [apigatewayv2_rack](https://github.com/sorah/apigatewayv2_rack).
+
+This handler reads `config.ru` from:
+
+- `${LAMBDA_TASK_ROOT}/config.ru` in a container image
+- DynamoDB Table item (pk=`rack`, sk=`rack:${HIMARI_RACK_DIGEST}`, file=config.ru content) on table `$HIMARI_RACK_DYNAMODB_TABLE`
+  - where HIMARI_RACK_DIGEST must be [base64'd sha256 hash](https://developer.hashicorp.com/terraform/language/functions/base64sha256) of `file` attribute
+
+#### Secrets Manager automatic rotation handler
+
+- Handler: `himari_lambda_entrypoint.Himari::Aws::LambdaHandler.secrets_rotation_handler`