himari-aws 0.1.0 → 0.3.0

data/lib/himari/aws/dynamodb_storage.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'himari/storages/base'
 require 'aws-sdk-dynamodb'
 
@@ -8,34 +10,55 @@ module Himari
 
       # @param client [Aws::DynamoDB::Client]
       # @param table_name [String] name of DynamoDB table with hash=pk/range=sk key.
-      def initialize(client: ::Aws::DynamoDB::Client.new, table_name:)
+      # @param consistent_read [Boolean] use consitent read when querying. default to true.
+      def initialize(client: ::Aws::DynamoDB::Client.new, table_name:, consistent_read: true)
         @client = client
         @table_name = table_name
+        @consistent_read = consistent_read
       end
 
       attr_reader :client, :table_name
 
-      private def write(kind, key, content, overwrite: false)
+      def consistent_read?; !!@consistent_read; end
+
+      private def write(kind, key, content, overwrite: false, if_version: nil)
         pk = "storage:#{kind}:#{key}"
-        payload = {
+        # version and updated_at are mirrored to top-level attributes (besides living inside
+        # content_json) so the refresh-token compare-and-swap can reference them in a condition.
+        attrs = {
           content_json: JSON.pretty_generate(content),
-          ttl: content[:ttl] || content[:expiry],
-        }
+          version: content[:version],
+          updated_at: content[:updated_at],
+        }.compact
+        ttl = content[:ttl] || content[:expiry]
+        attrs[:ttl] = ttl if ttl
+
+        update_expression = +"SET #{attrs.keys.map { |k| "##{k} = :#{k}" }.join(", ")}"
+        update_expression << "\nREMOVE #ttl" unless attrs.key?(:ttl)
+
+        expression_attribute_names = attrs.keys.to_h { |k| ["##{k}", k.to_s] }
+        expression_attribute_names['#ttl'] = 'ttl' unless attrs.key?(:ttl)
+        expression_attribute_values = attrs.transform_keys { ":#{_1}" }
+
+        condition_expression =
+          if if_version
+            expression_attribute_names['#version'] = 'version'
+            expression_attribute_values[':expected_version'] = if_version
+            'attribute_exists(pk) AND #version = :expected_version'
+          elsif !overwrite
+            'attribute_not_exists(pk)'
+          end
+
         @client.update_item(
           table_name: @table_name,
           key: {
             'pk' => pk,
             'sk' => pk,
           },
-          # #{payload.each_key.map { |k| "##{k} = :#{k}" }.join(', ')}
-          update_expression: <<~EOS,
-          SET
-            #content_json = :content_json
-          #{payload[:ttl] ? ", #ttl = :ttl" : "REMOVE #ttl"}
-          EOS
-          condition_expression: overwrite ? nil : 'attribute_not_exists(pk)',
-          expression_attribute_names: payload.each_key.map { |k| ["##{k}", k] }.to_h,
-          expression_attribute_values: payload.transform_keys { ":#{_1}" },
+          update_expression: update_expression,
+          condition_expression: condition_expression,
+          expression_attribute_names: expression_attribute_names,
+          expression_attribute_values: expression_attribute_values,
         )
         nil
       rescue ::Aws::DynamoDB::Errors::ConditionalCheckFailedException
@@ -50,9 +73,11 @@ module Himari
           limit: 1,
           key_condition_expression: 'pk = :pk AND sk = :sk',
           expression_attribute_values: {":pk" => pk, ":sk" => pk},
+          consistent_read: consistent_read?,
         ).items.first
 
-        return nil unless item
+        return unless item
+
         JSON.parse(item.fetch('content_json'), symbolize_names: true)
       end
 
@@ -60,7 +85,7 @@ module Himari
         pk = "storage:#{kind}:#{key}"
         @client.delete_item(
           table_name: @table_name,
-          key: {'pk' => pk, 'sk' => pk}
+          key: {'pk' => pk, 'sk' => pk},
         )
         nil
       end

data/lib/himari/aws/lambda_handler.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require 'himari'
+require 'himari/aws/secretsmanager_signing_key_rotation_handler'
+
+require 'digest/sha2'
+require 'aws-sdk-dynamodb'
+require 'apigatewayv2_rack'
+
+$stdout.sync = true
+
+module Himari
+  module Aws
+    module LambdaHandler
+      def self.app
+        @app ||= make_app
+      end
+
+      def self.config_ru
+        a = Time.now
+        retval = config_ru_from_task_root || config_ru_from_dynamodb
+        b = Time.now
+        $stdout.puts(JSON.generate(config_ru: {ts: b, elapsed_time: b - a}))
+        retval
+      end
+
+      def self.config_ru_from_task_root
+        return unless ENV['LAMBDA_TASK_ROOT']
+
+        File.read(File.join(ENV['LAMBDA_TASK_ROOT'], 'config.ru'))
+      rescue Errno::ENOENT, Errno::EPERM
+        nil
+      end
+
+      def self.config_ru_from_dynamodb
+        dgst = ENV.fetch('HIMARI_RACK_DIGEST')
+        table_name = ENV.fetch('HIMARI_RACK_DYNAMODB_TABLE')
+        pk = "rack"
+        sk = "rack:#{dgst}"
+
+        ddb = ::Aws::DynamoDB::Client.new
+        item = ddb.query(
+          table_name: table_name,
+          select: 'ALL_ATTRIBUTES',
+          limit: 1,
+          key_condition_expression: 'pk = :pk AND sk = :sk',
+          expression_attribute_values: {":pk" => pk, ":sk" => sk},
+        ).items.first
+
+        unless item
+          raise "item not found (pk=#{pk.inspect}, sk=#{sk.inspect}) on dynamodb table #{table_name} for config.ru"
+        end
+
+        content = item.fetch('file')
+        content_dgst = Digest::SHA256.digest(content)
+        raise "config.ru item content digest mismatch" if content_dgst != Base64.decode64(dgst)
+
+        content
+      end
+
+      def self.make_app
+        require 'rack'
+        require 'rack/builder'
+        Rack::Builder.new_from_string(config_ru)
+      end
+
+      def self.rack_handler(event:, context:)
+        Apigatewayv2Rack.handle_request(event: event, context: context, app: app)
+      end
+
+      def self.secrets_rotation_handler(event:, context:)
+        Himari::Aws::SecretsmanagerSigningKeyRotationHandler.handler(event: event, context: context)
+      end
+    end
+  end
+end

data/lib/himari/aws/secretsmanager_signing_key_provider.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'aws-sdk-secretsmanager'
 require 'himari/signing_key'
 require 'himari/middlewares/signing_key'
@@ -26,10 +28,12 @@ module Himari
 
         def collect(id: nil, active: nil, group: nil, **_remainder)
           return [] if group && group != @group
+
           case
           when id
             return [] unless id.start_with?("#{@kid_prefix}_")
-            version_id = id[(@kid_prefix.size+1)..-1] || ''
+
+            version_id = id[(@kid_prefix.size + 1)..-1] || ''
             [secret_value_to_signing_key(@client.get_secret_value(secret_id: @secret_id, version_id: version_id))].compact
 
           when active
@@ -50,10 +54,10 @@ module Himari
             JSON.parse(value.secret_string)
           rescue JSON::ParserError
             warn "JSON::ParserError while parsing #{value.arn} #{value.version_id}"
-            return nil
+            return
           end
-          
-          return nil unless json['kind'] == 'himari.signing_key'
+
+          return unless json['kind'] == 'himari.signing_key'
 
           pkey = case json.fetch('kty')
           when 'rsa'
@@ -76,4 +80,3 @@ module Himari
     end
   end
 end
-

data/lib/himari/aws/secretsmanager_signing_key_rotation_handler.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html
 require 'openssl'
 require 'json'
@@ -11,7 +13,7 @@ module Himari
       RotationRequest = Struct.new(:step, :id, :token, :secret, keyword_init: true)
 
       def self.handler(event:, context:)
-        @secretsmanager ||= ::Aws::SecretsManager::Client.new()
+        @secretsmanager ||= ::Aws::SecretsManager::Client.new
 
         secret = prerequisite_check!(event)
 
@@ -40,10 +42,12 @@ module Himari
       def self.prerequisite_check!(event)
         secret = @secretsmanager.describe_secret(secret_id: event.fetch('SecretId'))
         raise "secret #{secret.arn.inspect} have not enabled rotation" unless secret.rotation_enabled
+
         stages = secret.version_ids_to_stages[event.fetch('ClientRequestToken')]
-        raise "Secret version #{event.fetch('ClientRequestToken').inspect} has no stage for secret #{secret.arn.inspect}" unless stages
-        raise "Secret version #{event.fetch('ClientRequestToken').inspect} is on AWSCURRENT for secret #{secret.arn.inspect}" if stages.include?('AWSCURRENT') && !stages.include?('AWSPENDING')
-        raise "Secret version #{event.fetch('ClientRequestToken').inspect} is not on AWSPENDING for secret #{secret.arn.inspect}" unless stages.include?('AWSPENDING')
+        raise "Secret version #{event.fetch("ClientRequestToken").inspect} has no stage for secret #{secret.arn.inspect}" unless stages
+        raise "Secret version #{event.fetch("ClientRequestToken").inspect} is on AWSCURRENT for secret #{secret.arn.inspect}" if stages.include?('AWSCURRENT') && !stages.include?('AWSPENDING')
+        raise "Secret version #{event.fetch("ClientRequestToken").inspect} is not on AWSPENDING for secret #{secret.arn.inspect}" unless stages.include?('AWSPENDING')
+
         secret
       end
 
@@ -71,7 +75,8 @@ module Himari
       end
 
       def self.generate_secret(req, _current)
-        param = JSON.parse(req.secret.tags.find { |t| t.name == ENV.fetch('HIMARI_KEYGEN_PARAM_TAG_KEY', 'HimariKey') }&.value || ENV.fetch('HIMARI_KEYGEN_PARAM_DEFAULT', '{"kty": "rsa", "len": 2048}'), symbolize_names: true)
+        param_raw = req.secret.tags&.find { |t| t.key == ENV.fetch('HIMARI_KEYGEN_PARAM_TAG_KEY', 'HimariKey') }&.value || ENV.fetch('HIMARI_KEYGEN_PARAM_DEFAULT', '{"kty": "rsa", "len": 2048}')
+        param = parse_keygen_param(param_raw)
         puts "createSecret: generate_secret with #{param.inspect}"
 
         case param.fetch(:kty, 'rsa').downcase
@@ -80,9 +85,9 @@ module Himari
           JSON.pretty_generate({kind: 'himari.signing_key', kty: 'rsa', rsa: {pem: rsa.to_pem}})
         when 'ec'
           curve = case param.fetch(:len, 256).to_i
-          when 256; 'prime256v1'
-          when 384; 'secp384r1'
-          when 521; 'secp521r1'
+          when 256 then 'prime256v1'
+          when 384 then 'secp384r1'
+          when 521 then 'secp521r1'
           else
             raise ArgumentError, "unknown len: #{param.inspect}"
           end
@@ -93,6 +98,28 @@ module Himari
         end
       end
 
+      # Scan k=v,k2=v2
+      def self.parse_keygen_param(str)
+        begin
+          ary = str.scan(/(.+?)=(.+?)(?:,|$)/)
+          unless ary.empty?
+            return ary.to_h.transform_keys(&:to_sym)
+          end
+        end
+
+        if str.start_with?('eyJ')
+          return JSON.parse(Base64.decode64(str), symbolize_names: true)
+        end
+
+        begin
+          return JSON.parse(str, symbolize_names: true)
+        rescue JSON::ParserError
+          # fall through to raise below
+        end
+
+        raise "cannot parse keygen param #{str.inspect}"
+      end
+
       def self.set_secret(req)
         _check = @secretsmanager.get_secret_value(secret_id: req.id, version_id: req.token, version_stage: 'AWSPENDING')
         puts "setSecret: do nothing for #{req.token} @ #{req.id}"
@@ -104,7 +131,7 @@ module Himari
       end
 
       def self.finish_secret(req)
-        current_version = req.secret.version_ids_to_stages.find { |k,v| v.include?('AWSCURRENT') }.first
+        current_version = req.secret.version_ids_to_stages.find { |_k, v| v.include?('AWSCURRENT') }.first
         if current_version == req.token
           puts "finishSecret: #{current_version} on #{req.id} is on AWSCURRENT, do nothing"
           return

data/lib/himari/aws/version.rb

@@ -2,6 +2,6 @@
 
 module Himari
   module Aws
-    VERSION = "0.1.0"
+    VERSION = "0.3.0"
   end
 end

data/lib/himari-aws.rb

@@ -1 +1,3 @@
+# frozen_string_literal: true
+
 require 'himari/aws'

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: himari-aws
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Sorah Fukumori
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-03-20 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: himari
@@ -25,7 +24,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: aws-sdk-secretsmanager
+  name: apigatewayv2_rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -52,7 +51,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-secretsmanager
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 email:
 - her@sorah.jp
 executables: []
@@ -60,14 +72,43 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".rspec"
-- Gemfile
-- Gemfile.lock
+- CHANGELOG.md
 - LICENSE.txt
 - README.md
 - Rakefile
+- lambda/Dockerfile
+- lambda/Gemfile
+- lambda/Gemfile.lock
+- lambda/README.md
+- lambda/entrypoint.rb
+- lambda/terraform/README.md
+- lambda/terraform/functions/aws.tf
+- lambda/terraform/functions/dynamodb.tf
+- lambda/terraform/functions/lambda_rack.tf
+- lambda/terraform/functions/lambda_secrets_rotation.tf
+- lambda/terraform/functions/outputs.tf
+- lambda/terraform/functions/variables.tf
+- lambda/terraform/functions/versions.tf
+- lambda/terraform/iam/aws.tf
+- lambda/terraform/iam/outputs.tf
+- lambda/terraform/iam/role.tf
+- lambda/terraform/iam/variables.tf
+- lambda/terraform/iam/versions.tf
+- lambda/terraform/image/aws.tf
+- lambda/terraform/image/copy.tf
+- lambda/terraform/image/ecr.tf
+- lambda/terraform/image/outputs.tf
+- lambda/terraform/image/variables.tf
+- lambda/terraform/image/versions.tf
+- lambda/terraform/signing_key/aws.tf
+- lambda/terraform/signing_key/outputs.tf
+- lambda/terraform/signing_key/secret.tf
+- lambda/terraform/signing_key/variables.tf
+- lambda/terraform/signing_key/versions.tf
 - lib/himari-aws.rb
 - lib/himari/aws.rb
 - lib/himari/aws/dynamodb_storage.rb
+- lib/himari/aws/lambda_handler.rb
 - lib/himari/aws/secretsmanager_signing_key_provider.rb
 - lib/himari/aws/secretsmanager_signing_key_rotation_handler.rb
 - lib/himari/aws/version.rb
@@ -78,7 +119,6 @@ licenses:
 metadata:
   homepage_uri: https://github.com/sorah/himari
   source_code_uri: https://github.com/sorah/himari
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -93,8 +133,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.0.dev
-signing_key:
+rubygems_version: 4.0.10
 specification_version: 4
 summary: AWS related plugins for Himari
 test_files: []

data/Gemfile

@@ -1,12 +0,0 @@
-# frozen_string_literal: true
-
-source "https://rubygems.org"
-
-gemspec path: '../himari'
-# Specify your gem's dependencies in himari-aws.gemspec
-gemspec
-
-gem 'nokogiri'
-
-gem "rake", "~> 13.0"
-gem "rspec", "~> 3.0"

data/Gemfile.lock

@@ -1,171 +0,0 @@
-PATH
-  remote: ../himari
-  specs:
-    himari (0.1.0)
-      addressable
-      omniauth (>= 2.0)
-      openid_connect
-      rack-oauth2
-      rack-protection
-      sinatra (>= 3.0)
-
-PATH
-  remote: .
-  specs:
-    himari-aws (0.1.0)
-      aws-sdk-dynamodb
-      aws-sdk-secretsmanager
-      himari
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    activemodel (7.0.4.3)
-      activesupport (= 7.0.4.3)
-    activesupport (7.0.4.3)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 1.6, < 2)
-      minitest (>= 5.1)
-      tzinfo (~> 2.0)
-    addressable (2.8.1)
-      public_suffix (>= 2.0.2, < 6.0)
-    aes_key_wrap (1.1.0)
-    attr_required (1.0.1)
-    aws-eventstream (1.2.0)
-    aws-partitions (1.730.0)
-    aws-sdk-core (3.170.1)
-      aws-eventstream (~> 1, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.651.0)
-      aws-sigv4 (~> 1.5)
-      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-dynamodb (1.83.0)
-      aws-sdk-core (~> 3, >= 3.165.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-secretsmanager (1.73.0)
-      aws-sdk-core (~> 3, >= 3.165.0)
-      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.5.2)
-      aws-eventstream (~> 1, >= 1.0.2)
-    bindata (2.4.15)
-    concurrent-ruby (1.2.2)
-    date (3.3.3)
-    diff-lcs (1.5.0)
-    faraday (2.7.4)
-      faraday-net_http (>= 2.0, < 3.1)
-      ruby2_keywords (>= 0.0.4)
-    faraday-follow_redirects (0.3.0)
-      faraday (>= 1, < 3)
-    faraday-net_http (3.0.2)
-    hashie (5.0.0)
-    i18n (1.12.0)
-      concurrent-ruby (~> 1.0)
-    jmespath (1.6.2)
-    json-jwt (1.16.3)
-      activesupport (>= 4.2)
-      aes_key_wrap
-      bindata
-      faraday (~> 2.0)
-      faraday-follow_redirects
-    mail (2.8.1)
-      mini_mime (>= 0.1.1)
-      net-imap
-      net-pop
-      net-smtp
-    mini_mime (1.1.2)
-    mini_portile2 (2.8.1)
-    minitest (5.18.0)
-    mustermann (3.0.0)
-      ruby2_keywords (~> 0.0.1)
-    net-imap (0.3.4)
-      date
-      net-protocol
-    net-pop (0.1.2)
-      net-protocol
-    net-protocol (0.2.1)
-      timeout
-    net-smtp (0.3.3)
-      net-protocol
-    nokogiri (1.14.2)
-      mini_portile2 (~> 2.8.0)
-      racc (~> 1.4)
-    omniauth (2.1.1)
-      hashie (>= 3.4.6)
-      rack (>= 2.2.3)
-      rack-protection
-    openid_connect (2.2.0)
-      activemodel
-      attr_required (>= 1.0.0)
-      faraday (~> 2.0)
-      faraday-follow_redirects
-      json-jwt (>= 1.16)
-      net-smtp
-      rack-oauth2 (~> 2.2)
-      swd (~> 2.0)
-      tzinfo
-      validate_email
-      validate_url
-      webfinger (~> 2.0)
-    public_suffix (5.0.1)
-    racc (1.6.2)
-    rack (2.2.6.4)
-    rack-oauth2 (2.2.0)
-      activesupport
-      attr_required
-      faraday (~> 2.0)
-      faraday-follow_redirects
-      json-jwt (>= 1.11.0)
-      rack (>= 2.1.0)
-    rack-protection (3.0.5)
-      rack
-    rake (13.0.6)
-    rspec (3.12.0)
-      rspec-core (~> 3.12.0)
-      rspec-expectations (~> 3.12.0)
-      rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.1)
-      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.2)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.4)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-support (3.12.0)
-    ruby2_keywords (0.0.5)
-    sinatra (3.0.5)
-      mustermann (~> 3.0)
-      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.0.5)
-      tilt (~> 2.0)
-    swd (2.0.2)
-      activesupport (>= 3)
-      attr_required (>= 0.0.5)
-      faraday (~> 2.0)
-      faraday-follow_redirects
-    tilt (2.1.0)
-    timeout (0.3.2)
-    tzinfo (2.0.6)
-      concurrent-ruby (~> 1.0)
-    validate_email (0.1.6)
-      activemodel (>= 3.0)
-      mail (>= 2.2.5)
-    validate_url (1.0.15)
-      activemodel (>= 3.0.0)
-      public_suffix
-    webfinger (2.1.2)
-      activesupport
-      faraday (~> 2.0)
-      faraday-follow_redirects
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  himari!
-  himari-aws!
-  nokogiri
-  rake (~> 13.0)
-  rspec (~> 3.0)
-
-BUNDLED WITH
-   2.4.8