@infoxchange/make-it-so-sst-v2 1.0.0-internal-testing-disambiguate-release-id-bc6e5bb.1

package/src/cdk-constructs/SiteOidcAuth/index.ts

@@ -0,0 +1,299 @@
+import { Construct } from "constructs";
+import SecretsManager from "aws-cdk-lib/aws-secretsmanager";
+import CloudFront from "aws-cdk-lib/aws-cloudfront";
+import CDK from "aws-cdk-lib";
+import Lambda from "aws-cdk-lib/aws-lambda";
+import * as SST from "sst/constructs";
+import { isCDKConstruct } from "sst/constructs/Construct.js";
+import { Config as SSTInternalConfig } from "sst/config.js";
+import CloudFrontOrigins from "aws-cdk-lib/aws-cloudfront-origins";
+import path from "node:path";
+import fs from "node:fs";
+import { TransformOptions, transformSync } from "esbuild";
+import type {
+  ExtendedNextjsSiteProps,
+  ExtendedStaticSiteProps,
+} from "../../lib/site/support.js";
+
+type ConstructScope = ConstructorParameters<typeof Construct>[0];
+type ConstructId = ConstructorParameters<typeof Construct>[1];
+
+export type Props = {
+  oidcIssuerUrl: string;
+  oidcClientId: string;
+  oidcScope: string;
+};
+export type AddToSiteProps = { prefix?: string };
+
+const defaultAuthRoutePrefix = "/auth";
+
+export class SiteOidcAuth extends Construct {
+  readonly oidcIssuerUrl: string;
+  readonly oidcClientId: string;
+  readonly oidcScope: string;
+  readonly id: string;
+
+  constructor(scope: ConstructScope, id: ConstructId, props: Props) {
+    super(scope, id);
+    this.oidcIssuerUrl = props.oidcIssuerUrl;
+    this.oidcClientId = props.oidcClientId;
+    this.oidcScope = props.oidcScope;
+    this.id = id;
+  }
+
+  addToStaticSiteProps<SiteProps extends ExtendedStaticSiteProps>(
+    scope: ConstructScope,
+    siteProps: SiteProps,
+    { prefix = defaultAuthRoutePrefix }: AddToSiteProps = {},
+  ) {
+    prefix = prefix.replace(/\/$/, ""); // Remove trailing slash from prefix if it has one
+    const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
+    const distribution = siteProps.cdk?.distribution;
+    if (isCDKConstruct(distribution)) {
+      throw new Error(
+        `CDK Construct for distribution is not supported when adding CloudFront OIDC Auth behavior for prefix ${prefix}`,
+      );
+    }
+
+    const updatedSiteProps = {
+      ...siteProps,
+      cdk: {
+        ...siteProps.cdk,
+        distribution: {
+          ...siteProps.cdk?.distribution,
+          additionalBehaviors: distribution?.additionalBehaviors ?? {},
+          defaultBehavior: {
+            ...distribution?.defaultBehavior,
+            functionAssociations:
+              distribution?.defaultBehavior?.functionAssociations ?? [],
+          },
+        },
+      },
+    };
+
+    if (updatedSiteProps.cdk.distribution.additionalBehaviors[behaviourName]) {
+      throw new Error(
+        `Behavior for prefix ${prefix} already exists in distribution definition`,
+      );
+    }
+
+    const jwtSecret = this.createJwtSecret();
+
+    updatedSiteProps.cdk.distribution.defaultBehavior.functionAssociations.push(
+      this.getFunctionAssociation(scope, jwtSecret, prefix),
+    );
+    updatedSiteProps.cdk.distribution.additionalBehaviors[behaviourName] =
+      this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
+
+    return updatedSiteProps;
+  }
+
+  addToSsrSiteProps<SiteProps extends ExtendedNextjsSiteProps>(
+    scope: ConstructScope,
+    siteProps: SiteProps,
+    { prefix = defaultAuthRoutePrefix }: AddToSiteProps = {},
+  ) {
+    prefix = prefix.replace(/\/$/, ""); // Remove trailing slash from prefix if it has one
+    const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
+    const updatedSiteProps = {
+      ...siteProps,
+      cdk: {
+        ...siteProps.cdk,
+        distribution: {
+          ...siteProps.cdk?.distribution,
+          additionalBehaviors:
+            siteProps.cdk?.distribution?.additionalBehaviors ?? {},
+        },
+      },
+    };
+    if (updatedSiteProps.cdk.distribution.additionalBehaviors[behaviourName]) {
+      throw new Error(
+        `Behavior for prefix ${prefix} already exists in distribution definition`,
+      );
+    }
+
+    const jwtSecret = this.createJwtSecret();
+
+    updatedSiteProps.cdk.transform = (plan) => {
+      siteProps?.cdk?.transform?.(plan);
+
+      plan.cloudFrontFunctions?.serverCfFunction.injections.push(
+        this.convertToCloudFrontFunctionCompatibleCode(
+          this.getAuthCheckHandlerBodyCode(jwtSecret, prefix),
+        ),
+      );
+    };
+
+    updatedSiteProps.cdk.distribution.additionalBehaviors[behaviourName] =
+      this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
+
+    return updatedSiteProps;
+  }
+
+  private createJwtSecret() {
+    return new SecretsManager.Secret(this, `${this.id}JwtSecret`, {
+      description: "JWT Signing Secret",
+      generateSecretString: {
+        passwordLength: 32,
+        excludePunctuation: true,
+        includeSpace: false,
+        requireEachIncludedType: true,
+      },
+      // Secret is only used for sessions so it's safe to delete on stack removal
+      removalPolicy: CDK.RemovalPolicy.DESTROY,
+    });
+  }
+
+  // Get the CloudFront Function Association for auth checking
+  // Roughly based off https://github.com/sst/v2/blob/4283d706f251724308b397996ff307929bf3a976/packages/sst/src/constructs/SsrSite.ts#L941
+  private getFunctionAssociation(
+    scope: ConstructScope,
+    jwtSecret: SecretsManager.Secret,
+    authRoutePrefix: string,
+  ): CloudFront.FunctionAssociation {
+    const authCheckFunction = new CloudFront.Function(
+      scope,
+      `${this.id}AuthCheckFunction`,
+      {
+        code: CloudFront.FunctionCode.fromInline(
+          this.convertToCloudFrontFunctionCompatibleCode(
+            `function handler(event) {
+              var request = event.request;
+              ${this.getAuthCheckHandlerBodyCode(jwtSecret, authRoutePrefix)}
+              return request;
+            }`,
+            { minify: true },
+          ),
+        ),
+        // We could specify the JS v2.0 runtime here but for SSR sites SST does the function creation and that currently
+        // uses JS v1.0 so no point using v2.0 here as the code has to be compatible with v1.0 anyway.
+      },
+    );
+
+    return {
+      function: authCheckFunction,
+      eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
+    };
+  }
+
+  private getAuthCheckHandlerBodyCode(
+    jwtSecret: SecretsManager.Secret,
+    authRoutePrefix: string,
+  ): string {
+    return (
+      fs
+        .readFileSync(
+          path.join(import.meta.dirname, "auth-check-handler-body.js"),
+          "utf8",
+        )
+        .replace(
+          "__placeholder-for-jwt-secret__",
+          jwtSecret.secretValue.toString(),
+        )
+        .replace("__placeholder-for-auth-route-prefix__", authRoutePrefix)
+        // When typescript builds the make-it-so code including "auth-check-handler-body.ts" it will add "export {}" to
+        // the end of the file if it's not already a module. This will cause a syntax error in CloudFront Functions so we
+        // remove it here.
+        .replace(/export {};\s*$/g, "")
+    );
+  }
+
+  private convertToCloudFrontFunctionCompatibleCode(
+    sourceCode: string,
+    esbuildOptions?: TransformOptions,
+  ): string {
+    // ESBuild doesn't currently support transforming const/let to var, which is required for CloudFront Functions
+    // JS runtime 1.0.
+    sourceCode = sourceCode
+      .replaceAll(/const /g, "var ")
+      .replaceAll(/let /g, "var ");
+    return transformSync(sourceCode, {
+      target: "es5",
+      ...esbuildOptions,
+    }).code;
+  }
+
+  // Get the behavior options for the auth route
+  private getAuthBehaviorOptions(
+    scope: ConstructScope,
+    jwtSecret: SecretsManager.Secret,
+    prefix: string,
+  ): CloudFront.BehaviorOptions {
+    const authRouteFunction = new SST.Function(
+      scope,
+      `${this.id}AuthRouteFunction`,
+      {
+        runtime: "nodejs20.x",
+        handler: path.join(import.meta.dirname, "auth-route.handler"),
+        environment: {
+          OIDC_ISSUER_URL: this.oidcIssuerUrl,
+          OIDC_CLIENT_ID: this.oidcClientId,
+          OIDC_SCOPE: this.oidcScope,
+          JWT_SECRET: jwtSecret.secretValue.toString(),
+        },
+      },
+    );
+
+    // authRouteFunction uses SST's AuthHandler construct which is normally run inside a lambda that's
+    // created by SST's Auth construct. AuthHandler expects certain environment variables to be set
+    // by the Auth construct so we have to set them ourselves here to keep it happy.
+    const envVarName = SSTInternalConfig.envFor({
+      type: "Auth",
+      id: "id", // It seems like the env var will still be found no matter what this value is
+      prop: "prefix",
+    });
+    authRouteFunction.addEnvironment(envVarName, prefix);
+
+    const authRouteFunctionUrl = authRouteFunction.addFunctionUrl({
+      authType: Lambda.FunctionUrlAuthType.NONE,
+    });
+    const forwardHostHeaderCfFunction = new CloudFront.Function(
+      scope,
+      `${this.id}ForwardHostHeaderFunction`,
+      {
+        code: CloudFront.FunctionCode.fromInline(
+          this.convertToCloudFrontFunctionCompatibleCode(
+            `function handler(event) {
+              const request = event.request;
+              request.headers["x-forwarded-host"] = { value: request.headers.host.value };
+              return request;
+            }`,
+            { minify: true },
+          ),
+        ),
+        runtime: CloudFront.FunctionRuntime.JS_2_0,
+      },
+    );
+
+    return {
+      origin: new CloudFrontOrigins.HttpOrigin(
+        CDK.Fn.parseDomainName(authRouteFunctionUrl.url),
+      ),
+      allowedMethods: CloudFront.AllowedMethods.ALLOW_ALL,
+      cachePolicy: new CloudFront.CachePolicy(
+        scope,
+        `${this.id}AllowAllCookiesPolicy`,
+        {
+          cachePolicyName: `${this.id}-AllowAllCookiesPolicy`,
+          comment: "Cache policy that forwards all cookies",
+          defaultTtl: CDK.Duration.seconds(1),
+          minTtl: CDK.Duration.seconds(1),
+          maxTtl: CDK.Duration.seconds(1),
+          cookieBehavior: CloudFront.CacheCookieBehavior.all(),
+          headerBehavior:
+            CloudFront.CacheHeaderBehavior.allowList("X-Forwarded-Host"),
+          queryStringBehavior: CloudFront.CacheQueryStringBehavior.all(),
+          enableAcceptEncodingGzip: true,
+          enableAcceptEncodingBrotli: true,
+        },
+      ),
+      viewerProtocolPolicy: CloudFront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+      functionAssociations: [
+        {
+          function: forwardHostHeaderCfFunction,
+          eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
+        },
+      ],
+    };
+  }
+}

package/src/cdk-constructs/index.ts

@@ -0,0 +1,10 @@
+export * from "./IxVpcDetails.js";
+export * from "./IxCertificate.js";
+export * from "./IxDnsRecord.js";
+export * from "./IxSESIdentity.js";
+export * from "./IxNextjsSite.js";
+export * from "./IxStaticSite.js";
+export * from "./IxElasticache.js";
+export * from "./IxApi.js";
+export * from "./IxQuicksightWorkspace.js";
+export * from "./SiteOidcAuth/index.js";

package/src/deployConfig.ts

@@ -0,0 +1,87 @@
+import { z } from "zod";
+
+const getEnvVars = () =>
+  ({
+    isIxDeploy: process.env.IX_DEPLOYMENT?.toLowerCase() === "true", // This needs to start as a bool for the discriminated union
+    appName: process.env.IX_APP_NAME ?? "",
+    environment: process.env.IX_ENVIRONMENT ?? "",
+    workloadGroup: process.env.IX_WORKLOAD_GROUP ?? "",
+    primaryAwsRegion: process.env.IX_PRIMARY_AWS_REGION ?? "",
+    siteDomains: process.env.IX_SITE_DOMAINS ?? "",
+    siteDomainAliases: process.env.IX_SITE_DOMAIN_ALIASES ?? "",
+    isInternalApp: process.env.IX_INTERNAL_APP ?? "",
+    deploymentType: process.env.IX_DEPLOYMENT_TYPE ?? "",
+    sourceCommitRef: process.env.IX_SOURCE_COMMIT_REF ?? "",
+    sourceCommitHash: process.env.IX_SOURCE_COMMIT_HASH ?? "",
+    deployTriggeredBy: process.env.IX_DEPLOY_TRIGGERED_BY ?? "",
+    smtpHost: process.env.SMTP_HOST ?? "",
+    smtpPort: process.env.SMTP_PORT ?? "",
+    clamAVUrl: process.env.CLAMAV_URL ?? "",
+    vpcHttpProxy: process.env.VPC_HTTP_PROXY ?? "",
+  }) satisfies Record<string, string | boolean>;
+
+const ixDeployConfigSchema = z
+  .object({
+    isIxDeploy: z.literal(true),
+    appName: z.string().min(1),
+    environment: z.enum(["dev", "test", "uat", "prod"]),
+    workloadGroup: z.enum(["ds", "srs"]),
+    primaryAwsRegion: z.literal("ap-southeast-2"),
+    siteDomains: z
+      .string()
+      .transform((val) => val.split(",").map((domain) => domain.trim())),
+    siteDomainAliases: z
+      .string()
+      .transform((val) => val.split(",").map((domain) => domain.trim())),
+    isInternalApp: z.coerce.boolean(),
+    deploymentType: z.enum(["docker", "serverless"]),
+    sourceCommitRef: z.string().min(1),
+    sourceCommitHash: z.string().min(1),
+    deployTriggeredBy: z.string().min(1),
+    smtpHost: z.string().min(1),
+    smtpPort: z.coerce.number().int(),
+    clamAVUrl: z.string().url(),
+    vpcHttpProxy: z.string().url(),
+  } satisfies Record<keyof ReturnType<typeof getEnvVars>, unknown>)
+  .strip();
+
+const nonIxDeployConfigSchema = z
+  .object({
+    isIxDeploy: z.literal(false),
+    appName: z.string(),
+    environment: z.string(),
+    workloadGroup: z.string(),
+    primaryAwsRegion: z.string(),
+    siteDomains: z
+      .string()
+      .transform((val) => val.split(",").map((domain) => domain.trim())),
+    siteDomainAliases: z
+      .string()
+      .transform((val) => val.split(",").map((domain) => domain.trim())),
+    isInternalApp: z
+      .string()
+      .transform((val) => (val ? val.toLowerCase() === "true" : undefined)),
+    deploymentType: z.string(),
+    sourceCommitRef: z.string(),
+    sourceCommitHash: z.string(),
+    deployTriggeredBy: z.string(),
+    smtpHost: z.string(),
+    smtpPort: z
+      .string()
+      .transform((val) =>
+        isNaN(parseInt(val, 10)) ? undefined : parseInt(val, 10),
+      ),
+    clamAVUrl: z.string(),
+    vpcHttpProxy: z.string(),
+  } satisfies Record<keyof ReturnType<typeof getEnvVars>, unknown>)
+  .strip();
+
+const schema = z.discriminatedUnion("isIxDeploy", [
+  ixDeployConfigSchema,
+  nonIxDeployConfigSchema,
+]);
+
+export default schema.parse(getEnvVars());
+
+// process.env values can change at runtime so we provide a way to re-parse the config as needed
+export const getDeployConfig = () => schema.parse(getEnvVars());

package/src/lib/auth/index.ts

@@ -0,0 +1 @@
+export * from "./oidc.js";

package/src/lib/auth/oidc.ts

@@ -0,0 +1,73 @@
+import { Issuer } from "openid-client";
+import { createRemoteJWKSet, JWTPayload, jwtVerify } from "jose";
+
+type VerifyAccessTokenParams<SafeVerify extends boolean = false> = {
+  token: string;
+  issuerUrl: string;
+  audience: string;
+  safeVerify?: SafeVerify;
+};
+
+/**
+ * Checks an OIDC access token against the issuer's details to determine if it's valid.
+ *
+ * @param params - The parameters for verifying the access token.
+ * @param params.token - The JWT access token to verify.
+ * @param params.issuerUrl - The OIDC issuer URL to discover JWKS and metadata.
+ * @param params.audience - The expected audience value to match against the token's claims.
+ * @param params.safeVerify - If true, returns a result object with error and payload fields instead of throwing on error.
+ * @returns If `safeVerify` is true, returns an object with either the verified payload or an error. Otherwise, returns the verified JWT payload or throws an error.
+ */
+export async function verifyAccessToken<SafeVerify extends boolean = false>({
+  token,
+  issuerUrl,
+  audience,
+  safeVerify,
+}: VerifyAccessTokenParams<SafeVerify>): Promise<
+  SafeVerify extends true
+    ?
+        | { error: Error | unknown; payload: null }
+        | { error: null; payload: JWTPayload }
+    : JWTPayload
+> {
+  try {
+    const issuer = await Issuer.discover(issuerUrl);
+    const jwksUri = issuer.metadata.jwks_uri;
+    if (!jwksUri) {
+      throw new Error("JWKS URI not found in issuer metadata");
+    }
+    const JWKS = createRemoteJWKSet(new URL(jwksUri));
+
+    // Verify the signature and basic claims
+    const { payload } = await jwtVerify(token, JWKS, {
+      issuer: issuer.metadata.issuer,
+    });
+
+    const tokenAud = payload.aud ?? payload.client_id;
+    let audienceMatches = false;
+    for (const aud of Array.isArray(tokenAud) ? tokenAud : [tokenAud]) {
+      if (aud === audience) {
+        audienceMatches = true;
+        break;
+      }
+    }
+    if (!audienceMatches) {
+      console.info("Token data:", payload);
+      throw new Error(
+        `Token audience does not match expected audience ${audience}`,
+      );
+    }
+
+    if (safeVerify) {
+      return { payload, error: null };
+    }
+    return payload as SafeVerify extends true
+      ? { error: null; payload: JWTPayload }
+      : JWTPayload;
+  } catch (err) {
+    if (safeVerify) {
+      return { error: err, payload: null };
+    }
+    throw err;
+  }
+}

package/src/lib/proxy/fetch.ts

@@ -0,0 +1,41 @@
+import {
+  setGlobalDispatcher,
+  getGlobalDispatcher,
+  EnvHttpProxyAgent,
+  fetch as undiciFetch,
+} from "undici";
+import { bootstrap } from "global-agent";
+
+export function setupProxyGlobally() {
+  // Make operation idempotent
+  if (getGlobalDispatcher() instanceof EnvHttpProxyAgent) return;
+
+  if (!process.env.HTTP_PROXY || !process.env.HTTPS_PROXY) return;
+
+  // To cover libraries that use fetch
+  // See https://nodejs.org/api/globals.html#custom-dispatcher
+  // This might stop being needed at some point: https://github.com/actions/create-github-app-token/pull/143#discussion_r1747641337
+  const envHttpProxyAgent = new EnvHttpProxyAgent();
+  setGlobalDispatcher(envHttpProxyAgent);
+
+  // To cover libraries that use the http/https object
+  if (!process.env.GLOBAL_AGENT_HTTP_PROXY) {
+    process.env.GLOBAL_AGENT_HTTP_PROXY = process.env.HTTP_PROXY;
+    process.env.GLOBAL_AGENT_HTTPS_PROXY =
+      process.env.HTTPS_PROXY ?? process.env.HTTP_PROXY;
+  }
+  bootstrap();
+}
+
+export function getProxiedFetch() {
+  const fetch: typeof undiciFetch = (input, init = {}) => {
+    if (init.dispatcher) {
+      console.warn(
+        "A custom dispatcher was provided to fetch but this is ignored as a proxy agent is being used.",
+      );
+    }
+    const envHttpProxyAgent = new EnvHttpProxyAgent();
+    return undiciFetch(input, { ...init, dispatcher: envHttpProxyAgent });
+  };
+  return fetch;
+}

package/src/lib/proxy/index.ts

@@ -0,0 +1 @@
+export * from "./fetch.js";