@alliander-opensource/aws-jwt-sts 0.2.6

package/src/test/index.keyrotate.test.ts

@@ -0,0 +1,168 @@
+// SPDX-FileCopyrightText: 2023 Alliander NV
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { mockClient } from 'aws-sdk-client-mock'
+import { KMSClient, GetPublicKeyCommand, DescribeKeyCommand } from '@aws-sdk/client-kms'
+import { S3Client } from '@aws-sdk/client-s3'
+
+import { handler } from '../index.keyrotate'
+
+const kmsMock = mockClient(KMSClient)
+const s3Mock = mockClient(S3Client)
+
+const pubKeys = {
+  PREVIOUS: {
+    pem: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt0O+biOuAYD5FrM2R6dAliN1v9HA5XpsuoAtXTn8OVKsLvvBFEhBFlghvSXPpu71vE/JYpUj0lL7J54o/RmCz9ZRDzojLU7aWEYM2sEC9nO2ITdu8it+rr3faa70+7PGW09o4iFD+mXYUgadYT8VWxrKQ3eV/LQrSM+6/KYl3BhlNZNxwjtbHGWAldOlzvy14I59GU5W/zDPgOIWSQBbpRvoJKT2rzOZYDtn7C62197hJYAU7QIZ4mOz/ia10ayFFI7p2Uogku3tY5cyYEtSWGzlTL3EiEzSvvsfQ0717bA5ybbDqCWtShg8+IoOxmby4K9X7XuGAQZYE/fgNAXg3wIDAQAB',
+    jwk_kid: 'reND9IAI5hj2pe8UfKm2X6r-SjW1v7s23oC3_N5WPiQ'
+  },
+  CURRENT: {
+    pem: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/PC3f+8XOs6yway2FhPLdZrWU67RIqFACSPJ0A4q/eJ8GlGXDj8cxHcJBJyvTxEU/rttSe3f44ZfrvwlDUbgAmTi2zYEDrBRHr+LmR6qoyvczLNZkiMmJZygdeOMT87gPx1fb8hhFAXQkOL8dHKiBZ+s4Hls8yu5eMuBhjh+hUYxEQWw0ilDgaXCaGRjooHPSU6+I+Qbm73MuCbBAyzSIAGDKyyD50Kx9Z9Cc0i+6ZfXwWU/2Sda7u4U4R2B/PkhAy0fIjn7kMaw9sgpdQHHxygxQ8y7PduNgDBF/C1zOeKJuRa3QGoMXY9kn/OVBwnZG7bQ9Enz3RnTkM3q0nf9JQIDAQAB',
+    jwk_kid: '-NIJE4RQ8NYWrOOh5_JyGKFAobfY5_oCKo1MrNXoQOg'
+  },
+  PENDING: {
+    pem: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzeWAt2aRiX57vDd78OwF+83IdEI0mWh05hXvAzQXMqt+QR49hiIWjJtYh1B3sYvbp9BWC8yo+BlWWtsI5fu5mCXsBBp/Q/sgfArEsji+dWEXc+xGRN3hptb9tT+sabIWmd6Qyw4dYCksrBzJvSLO+Hi10Otd2NtzYbAqjZ6soaaClSnrOiw9+J4/GFHuY5gOw8P0uaMclI5sDLGN+G/ayGpUK7xegfEAd9VB6mhdgWoYEAT6yEDnFt0BwvTOYT6TI/5v6scRE7Bywsq5V2Mz5VZe43POcSt1n7vIZ9cXXHSGW8JPv1KKcniHsxIc3Fc74OjcEbqWKw49kVGCE3ayfQIDAQAB',
+    jwk_kid: 'bHyjPYB3AfII8o_X3tGkOCVzThZzQN2UKwKVCO9E9gY'
+  }
+}
+
+describe('handlers/keyrotate/keyrotate.test.ts', () => {
+  const OLD_ENV = process.env
+
+  beforeEach(() => {
+    jest.resetModules()
+    kmsMock.reset()
+    s3Mock.reset()
+    process.env = { ...OLD_ENV }
+  })
+
+  afterEach(() => {
+    kmsMock.reset()
+    s3Mock.reset()
+    process.env = OLD_ENV
+  })
+
+  test('should generate & upload correct JWKS file to S3', async () => {
+    kmsMock
+      .on(GetPublicKeyCommand, { KeyId: 'alias/sts/PREVIOUS' }).resolves({
+        PublicKey: base64ToArrayBuffer(pubKeys.PREVIOUS.pem)
+      })
+      .on(GetPublicKeyCommand, { KeyId: 'alias/sts/CURRENT' }).resolves({
+        PublicKey: base64ToArrayBuffer(pubKeys.CURRENT.pem)
+      })
+      .on(GetPublicKeyCommand, { KeyId: 'alias/sts/PENDING' }).resolves({
+        PublicKey: base64ToArrayBuffer(pubKeys.PENDING.pem)
+      })
+      .on(DescribeKeyCommand, { KeyId: 'alias/sts/PREVIOUS' }).resolves({
+        KeyMetadata: {
+          KeyId: 'key-1'
+        }
+      })
+      .on(DescribeKeyCommand, { KeyId: 'alias/sts/CURRENT' }).resolves({
+        KeyMetadata: {
+          KeyId: 'key-2'
+        }
+      })
+      .on(DescribeKeyCommand, { KeyId: 'alias/sts/PENDING' }).resolves({
+        KeyMetadata: {
+          KeyId: 'key-3'
+        }
+      })
+
+    process.env.S3_BUCKET = 'test-bucket-name'
+    process.env.ISSUER = 'test-issuer.com'
+
+    await handler({ step: 'generateArtifacts' })
+
+    // @ts-ignore
+    const tagsPrevious = kmsMock.call(2).args[0].input.Tags
+    expect(tagsPrevious[0].TagKey).toBe('jwk_kid')
+    expect(tagsPrevious[0].TagValue).toBe(pubKeys.PREVIOUS.jwk_kid)
+
+    // @ts-ignore
+    const tagsCurrent = kmsMock.call(5).args[0].input.Tags
+    expect(tagsCurrent[0].TagKey).toBe('jwk_kid')
+    expect(tagsCurrent[0].TagValue).toBe(pubKeys.CURRENT.jwk_kid)
+
+    // @ts-ignore
+    const tagsPending = kmsMock.call(8).args[0].input.Tags
+    expect(tagsPending[0].TagKey).toBe('jwk_kid')
+    expect(tagsPending[0].TagValue).toBe(pubKeys.PENDING.jwk_kid)
+
+    // @ts-ignore
+    const s3Key = s3Mock.call(0).args[0].input.Key
+    expect(s3Key).toBe('discovery/keys')
+
+    // @ts-ignore
+    const s3Bucket = s3Mock.call(0).args[0].input.Bucket
+    expect(s3Bucket).toBe('test-bucket-name')
+
+    // @ts-ignore
+    const s3Body = JSON.parse(s3Mock.call(0).args[0].input.Body.toString())
+    expect(s3Body).toEqual({
+      keys: [
+        {
+          e: 'AQAB',
+          kid: 'reND9IAI5hj2pe8UfKm2X6r-SjW1v7s23oC3_N5WPiQ',
+          kty: 'RSA',
+          n: 't0O-biOuAYD5FrM2R6dAliN1v9HA5XpsuoAtXTn8OVKsLvvBFEhBFlghvSXPpu71vE_JYpUj0lL7J54o_RmCz9ZRDzojLU7aWEYM2sEC9nO2ITdu8it-rr3faa70-7PGW09o4iFD-mXYUgadYT8VWxrKQ3eV_LQrSM-6_KYl3BhlNZNxwjtbHGWAldOlzvy14I59GU5W_zDPgOIWSQBbpRvoJKT2rzOZYDtn7C62197hJYAU7QIZ4mOz_ia10ayFFI7p2Uogku3tY5cyYEtSWGzlTL3EiEzSvvsfQ0717bA5ybbDqCWtShg8-IoOxmby4K9X7XuGAQZYE_fgNAXg3w',
+          alg: 'RS256',
+          use: 'sig'
+        }, {
+          e: 'AQAB',
+          kid: '-NIJE4RQ8NYWrOOh5_JyGKFAobfY5_oCKo1MrNXoQOg',
+          kty: 'RSA',
+          n: '_PC3f-8XOs6yway2FhPLdZrWU67RIqFACSPJ0A4q_eJ8GlGXDj8cxHcJBJyvTxEU_rttSe3f44ZfrvwlDUbgAmTi2zYEDrBRHr-LmR6qoyvczLNZkiMmJZygdeOMT87gPx1fb8hhFAXQkOL8dHKiBZ-s4Hls8yu5eMuBhjh-hUYxEQWw0ilDgaXCaGRjooHPSU6-I-Qbm73MuCbBAyzSIAGDKyyD50Kx9Z9Cc0i-6ZfXwWU_2Sda7u4U4R2B_PkhAy0fIjn7kMaw9sgpdQHHxygxQ8y7PduNgDBF_C1zOeKJuRa3QGoMXY9kn_OVBwnZG7bQ9Enz3RnTkM3q0nf9JQ',
+          alg: 'RS256',
+          use: 'sig'
+        }, {
+          e: 'AQAB',
+          kid: 'bHyjPYB3AfII8o_X3tGkOCVzThZzQN2UKwKVCO9E9gY',
+          kty: 'RSA',
+          n: 'zeWAt2aRiX57vDd78OwF-83IdEI0mWh05hXvAzQXMqt-QR49hiIWjJtYh1B3sYvbp9BWC8yo-BlWWtsI5fu5mCXsBBp_Q_sgfArEsji-dWEXc-xGRN3hptb9tT-sabIWmd6Qyw4dYCksrBzJvSLO-Hi10Otd2NtzYbAqjZ6soaaClSnrOiw9-J4_GFHuY5gOw8P0uaMclI5sDLGN-G_ayGpUK7xegfEAd9VB6mhdgWoYEAT6yEDnFt0BwvTOYT6TI_5v6scRE7Bywsq5V2Mz5VZe43POcSt1n7vIZ9cXXHSGW8JPv1KKcniHsxIc3Fc74OjcEbqWKw49kVGCE3ayfQ',
+          alg: 'RS256',
+          use: 'sig'
+        }]
+    })
+
+    // @ts-ignore
+    const s3KeyOpenidConfiguration = s3Mock.call(1).args[0].input.Key
+    expect(s3KeyOpenidConfiguration).toBe('.well-known/openid-configuration')
+
+    // @ts-ignore
+    const s3BodyOpenidConfiguration = JSON.parse(s3Mock.call(1).args[0].input.Body.toString())
+    expect(s3BodyOpenidConfiguration).toEqual({
+      issuer: 'test-issuer.com',
+      jwks_uri: 'test-issuer.com/discovery/keys',
+      response_types_supported: [
+        'token'
+      ],
+      id_token_signing_alg_values_supported: [
+        'RS256'
+      ],
+      scopes_supported: [
+        'openid'
+      ],
+      token_endpoint_auth_methods_supported: [
+        'client_secret_basic'
+      ],
+      claims_supported: [
+        'aud',
+        'exp',
+        'iat',
+        'iss',
+        'sub'
+      ]
+    })
+  })
+})
+
+function base64ToArrayBuffer (b64: string) {
+  const byteString = atob(b64)
+  const byteArray = new Uint8Array(byteString.length)
+  for (let i = 0; i < byteString.length; i++) {
+    byteArray[i] = byteString.charCodeAt(i)
+  }
+
+  return byteArray
+}

package/src/test/index.sign.test.ts

@@ -0,0 +1,187 @@
+// SPDX-FileCopyrightText: 2023 Alliander NV
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { APIGatewayProxyEvent, Context } from 'aws-lambda'
+import { mockClient } from 'aws-sdk-client-mock'
+/* eslint-disable camelcase */
+import jwt_decode from 'jwt-decode'
+
+import {
+  KMSClient,
+  DescribeKeyCommand,
+  ListResourceTagsCommand,
+  SignCommand
+} from '@aws-sdk/client-kms'
+
+import { handler } from '../index.sign'
+
+const kmsMock = mockClient(KMSClient)
+
+const VALID_IDENTITY_USER_ARN = 'arn:aws:sts:eu-central-1:123456789012:assumed-role/this-is-my-role-name/this-is-my-username'
+
+const VALID_EVENT: APIGatewayProxyEvent = {
+  requestContext: {
+    identity: {
+      userArn: VALID_IDENTITY_USER_ARN
+    }
+  }
+} as any
+
+const CONTEXT: Context = {} as any
+
+describe('handlers/sign/sign.ts', () => {
+  const OLD_ENV = process.env
+
+  beforeEach(() => {
+    jest.resetModules()
+    kmsMock.reset()
+    process.env = { ...OLD_ENV }
+  })
+
+  afterEach(() => {
+    kmsMock.reset()
+    process.env = OLD_ENV
+  })
+
+  test('it should respond bad request if no userIdentity is passed', async () => {
+    const event: APIGatewayProxyEvent = {
+      requestContext: {
+      }
+    } as any
+
+    const response = await handler(event, CONTEXT)
+
+    expect(response.statusCode).toEqual(400)
+    expect(response.body).toEqual('Unable to resolve identity')
+  })
+
+  test('it should respond bad request if an invalid userIdentity is passed', async () => {
+    const invalidServiceResponse = await handler({
+      requestContext: {
+        identity: {
+          userArn: 'arn:aws:invalid-service:eu-central-1:123456789012:assumed-role/this-is-my-role-name/this-is-my-username'
+        }
+      }
+    } as any, CONTEXT)
+
+    expect(invalidServiceResponse.statusCode).toEqual(400)
+    expect(invalidServiceResponse.body).toEqual('Unable to resolve identity')
+
+    const invalidAccountIdResponse = await handler({
+      requestContext: {
+        identity: {
+          userArn: 'arn:aws:sts:eu-central-1:account-id:assumed-role/this-is-my-role-name/this-is-my-username'
+        }
+      }
+    } as any, CONTEXT)
+
+    expect(invalidAccountIdResponse.statusCode).toEqual(400)
+    expect(invalidAccountIdResponse.body).toEqual('Unable to resolve identity')
+
+    const completelyInvalidArn = await handler({
+      requestContext: {
+        identity: {
+          userArn: 'i-am-not-even-trying'
+        }
+      }
+    } as any, CONTEXT)
+
+    expect(completelyInvalidArn.statusCode).toEqual(400)
+    expect(completelyInvalidArn.body).toEqual('Unable to resolve identity')
+  })
+
+  test('it should respond internal server error if no tag is present on the KMS key', async () => {
+    kmsMock
+      .on(DescribeKeyCommand).resolves({
+        KeyMetadata: {
+          KeyId: 'key-1'
+        }
+      })
+      .on(ListResourceTagsCommand).resolves({
+        Tags: [
+          {
+            TagKey: 'NotTheKid',
+            TagValue: 'I won\'t be resolved'
+          }
+        ]
+      })
+
+    const response = await handler(VALID_EVENT, CONTEXT)
+
+    expect(response.statusCode).toEqual(500)
+    expect(response.body).toEqual('KMS key is not correctly tagged')
+  })
+
+  test('it should respond internal server error if the KeyId is not in the metadata', async () => {
+    kmsMock
+      .on(DescribeKeyCommand).resolves({})
+
+    const response = await handler(VALID_EVENT, CONTEXT)
+
+    expect(response.statusCode).toEqual(500)
+    expect(response.body).toEqual('KMS key could not be retrieved')
+  })
+
+  test('should sign correctly', async () => {
+    jest
+      .useFakeTimers()
+      .setSystemTime(new Date('2020-01-01'))
+
+    const b64Signature = Buffer.from('i-am-a-signature').toString('base64')
+    const signature = base64ToArrayBuffer(b64Signature)
+
+    kmsMock
+      .on(DescribeKeyCommand).resolves({
+        KeyMetadata: {
+          KeyId: 'key-1'
+        }
+      })
+      .on(ListResourceTagsCommand).resolves({
+        Tags: [
+          {
+            TagKey: 'jwk_kid',
+            TagValue: 'I am the KID from the JWK'
+          }
+        ]
+      })
+      .on(SignCommand).resolves({
+        Signature: signature
+      })
+
+    process.env.ISSUER = 'https://test-issuer.com'
+    process.env.DEFAULT_AUDIENCE = 'api://default-aud'
+
+    const response = await handler(VALID_EVENT, CONTEXT)
+
+    expect(response.statusCode).toEqual(200)
+    const responseBody = JSON.parse(response.body)
+    const token = responseBody.token
+
+    const decodedHeader: any = jwt_decode(token, { header: true })
+
+    expect(decodedHeader.alg).toEqual('RS256')
+    expect(decodedHeader.typ).toEqual('JWT')
+    expect(decodedHeader.kid).toEqual('I am the KID from the JWK')
+
+    const decodedToken: any = jwt_decode(token)
+    expect(decodedToken.sub).toEqual('arn:aws:iam:eu-central-1:123456789012:role/this-is-my-role-name')
+    expect(decodedToken.aud).toEqual('api://default-aud')
+    expect(decodedToken.iss).toEqual('https://test-issuer.com')
+    expect(decodedToken.exp - decodedToken.iat).toEqual(3600)
+    expect(decodedToken.iat - decodedToken.nbf).toEqual(300)
+
+    const tokenParts = responseBody.token.split('.')
+    expect(tokenParts[2]).toEqual(`${b64Signature.replace('==', '')}`)
+  })
+})
+
+function base64ToArrayBuffer (b64: string) {
+  const byteString = atob(b64)
+  const byteArray = new Uint8Array(byteString.length)
+  for (let i = 0; i < byteString.length; i++) {
+    byteArray[i] = byteString.charCodeAt(i)
+  }
+
+  return byteArray
+}

package/src/test/index.test.ts

@@ -0,0 +1,72 @@
+// SPDX-FileCopyrightText: 2023 Alliander NV
+//
+// SPDX-License-Identifier: Apache-2.0
+
+/* eslint-disable no-new */
+import * as cdk from 'aws-cdk-lib'
+import { Match, Template } from 'aws-cdk-lib/assertions'
+import { AwsJwtSts } from '../index'
+
+test('creates sts construct correctly', () => {
+  const stack = new cdk.Stack()
+  new AwsJwtSts(stack, 'AllianderIngress', {
+    defaultAudience: 'api://default-aud'
+  })
+
+  const template = Template.fromStack(stack)
+  template.hasResourceProperties('AWS::Lambda::Function', Match.objectLike({
+    Runtime: 'nodejs18.x'
+  }))
+
+  template.hasResourceProperties('AWS::Events::Rule', Match.objectLike(
+    {
+      EventPattern: {
+        'detail-type': ['CloudFormation Stack Status Change']
+      },
+      State: 'ENABLED'
+    }
+  ))
+})
+
+test('creates sts construct with key rotation on create/update disabled', () => {
+  const stack = new cdk.Stack()
+  new AwsJwtSts(stack, 'AllianderIngress', {
+    defaultAudience: 'api://default-aud',
+    disableKeyRotateOnCreate: true
+  })
+
+  const template = Template.fromStack(stack)
+
+  template.resourcePropertiesCountIs('AWS::Events::Rule', Match.objectLike(
+    {
+      EventPattern: {
+        'detail-type': ['CloudFormation Stack Status Change']
+      }
+    }
+  ), 0)
+})
+
+test('creates sts construct with custom alarm names', () => {
+  const stack = new cdk.Stack()
+  new AwsJwtSts(stack, 'AllianderIngress', {
+    defaultAudience: 'api://default-aud',
+    alarmNameApiGateway5xx: 'alarm-api-gw-5xx',
+    alarmNameKeyRotationLambdaFailed: 'alarm-key-rotation-lambda-failed',
+    alarmNameKeyRotationStepFunctionFailed: 'alarm-step-functions-failed',
+    alarmNameSignLambdaFailed: 'alarm-sign-lambda-failed'
+  })
+
+  const template = Template.fromStack(stack)
+  template.hasResourceProperties('AWS::CloudWatch::Alarm', Match.objectLike({
+    AlarmName: 'alarm-api-gw-5xx'
+  }))
+  template.hasResourceProperties('AWS::CloudWatch::Alarm', Match.objectLike({
+    AlarmName: 'alarm-key-rotation-lambda-failed'
+  }))
+  template.hasResourceProperties('AWS::CloudWatch::Alarm', Match.objectLike({
+    AlarmName: 'alarm-step-functions-failed'
+  }))
+  template.hasResourceProperties('AWS::CloudWatch::Alarm', Match.objectLike({
+    AlarmName: 'alarm-sign-lambda-failed'
+  }))
+})