@infoxchange/make-it-so-sst-v2 3.0.1

package/src/cdk-constructs/IxStaticSite.ts

@@ -0,0 +1,69 @@
+import { StaticSite } from "sst/constructs";
+import ixDeployConfig from "../deployConfig.js";
+import {
+  ExtendedStaticSiteProps,
+  getAliasDomain,
+  getAlternativeDomains,
+  getCustomDomains,
+  getPrimaryCustomDomain,
+  getPrimaryDomain,
+  getPrimaryOrigin,
+  processAuthProps,
+  setupCertificate,
+  setupCustomDomain,
+  setupDnsRecords,
+  setupDomainAliasRedirect,
+} from "../lib/site/support.js";
+
+type ConstructScope = ConstructorParameters<typeof StaticSite>[0];
+type ConstructId = ConstructorParameters<typeof StaticSite>[1];
+type ConstructProps = ExtendedStaticSiteProps;
+
+export class IxStaticSite extends StaticSite {
+  // StaticSite's props are private, so we need to store them separately
+  private propsExtended: ConstructProps;
+
+  constructor(
+    scope: ConstructScope,
+    id: ConstructId,
+    props: ConstructProps = {},
+  ) {
+    if (ixDeployConfig.isIxDeploy) {
+      props = setupCustomDomain(scope, id, props);
+      props = setupCertificate(scope, id, props);
+      props = setupDomainAliasRedirect(scope, id, props);
+    }
+    props = processAuthProps(scope, id, "StaticSite", props);
+
+    super(scope, id, props);
+    this.propsExtended = props;
+
+    if (ixDeployConfig.isIxDeploy) {
+      setupDnsRecords(this, scope, id, props);
+    }
+  }
+
+  public get customDomains(): string[] {
+    return getCustomDomains(this.propsExtended);
+  }
+
+  public get primaryCustomDomain(): string | null {
+    return getPrimaryCustomDomain(this.propsExtended);
+  }
+
+  public get aliasDomain(): string | null {
+    return getAliasDomain(this.propsExtended);
+  }
+
+  public get alternativeDomains(): string[] {
+    return getAlternativeDomains(this.propsExtended);
+  }
+
+  public get primaryDomain(): string | null {
+    return getPrimaryDomain(this, this.propsExtended);
+  }
+
+  public get primaryOrigin(): string | null {
+    return getPrimaryOrigin(this, this.propsExtended);
+  }
+}

package/src/cdk-constructs/IxVpcDetails.ts

@@ -0,0 +1,38 @@
+import { Construct } from "constructs";
+import { StringParameter } from "aws-cdk-lib/aws-ssm";
+import { Vpc, IVpc } from "aws-cdk-lib/aws-ec2";
+import ixDeployConfig from "../deployConfig.js";
+
+type ConstructScope = ConstructorParameters<typeof Construct>[0];
+type ConstructId = ConstructorParameters<typeof Construct>[1];
+
+export class IxVpcDetails extends Construct {
+  public vpc: IVpc;
+
+  constructor(scope: ConstructScope, id: ConstructId) {
+    super(scope, id);
+    this.vpc = this.getVpc(scope, id);
+  }
+
+  private getVpc(scope: ConstructScope, id: ConstructId): IVpc {
+    const vpcId = StringParameter.valueForStringParameter(scope, "/vpc/id");
+    return Vpc.fromVpcAttributes(this, id + "-Vpc", {
+      vpcId,
+      availabilityZones: [
+        "ap-southeast-2a",
+        "ap-southeast-2b",
+        "ap-southeast-2c",
+      ],
+      isolatedSubnetIds: IxVpcDetails.getVpcSubnetIds(scope),
+    });
+  }
+
+  static getVpcSubnetIds(scope: ConstructScope): Array<string> {
+    return [1, 2, 3].map((subnetNum) =>
+      StringParameter.valueForStringParameter(
+        scope,
+        `/vpc/subnet/private-${ixDeployConfig.workloadGroup}/${subnetNum}/id`,
+      ),
+    );
+  }
+}

package/src/cdk-constructs/IxWebsiteRedirect.ts

@@ -0,0 +1,133 @@
+// Based off https://github.com/sst/v2/blob/37578037ff80638e2f0eaf0dc59a83dae52e4e45/packages/sst/src/constructs/cdk/website-redirect.ts
+// Not quite sure why an s3 bucket is used for generating the redirect rather than a cloudfront edge lambda,
+// maybe it's cheaper? In any case it's what SST uses and those devs have put a lot more thought into
+// this that we have so I'm going to trust them on this one.
+
+import { ICertificate } from "aws-cdk-lib/aws-certificatemanager";
+import {
+  CloudFrontWebDistribution,
+  OriginProtocolPolicy,
+  PriceClass,
+  ViewerCertificate,
+  ViewerProtocolPolicy,
+} from "aws-cdk-lib/aws-cloudfront";
+import { CloudFrontTarget } from "aws-cdk-lib/aws-route53-targets";
+import {
+  BlockPublicAccess,
+  Bucket,
+  RedirectProtocol,
+} from "aws-cdk-lib/aws-s3";
+import { ArnFormat, RemovalPolicy, Stack, Token } from "aws-cdk-lib/core";
+import { Construct } from "constructs";
+import { convertToBase62Hash } from "../lib/utils/hash.js";
+import { IxDnsRecord } from "./IxDnsRecord.js";
+import { IxCertificate } from "./IxCertificate.js";
+
+/**
+ * Properties to configure an HTTPS Redirect
+ */
+export interface WebsiteRedirectProps {
+  /**
+   * The redirect target fully qualified domain name (FQDN). An alias record
+   * will be created that points to your CloudFront distribution. Root domain
+   * or sub-domain can be supplied.
+   */
+  readonly targetDomain: string;
+
+  /**
+   * The domain names that will redirect to `targetDomain`
+   *
+   * @default - the domain name of the hosted zone
+   */
+  readonly recordNames: string[];
+
+  /**
+   * The AWS Certificate Manager (ACM) certificate that will be associated with
+   * the CloudFront distribution that will be created. If provided, the certificate must be
+   * stored in us-east-1 (N. Virginia)
+   *
+   * @default - A new certificate is created in us-east-1 (N. Virginia)
+   */
+  readonly certificate?: ICertificate;
+}
+
+/**
+ * Allows creating a domainA -> domainB redirect using CloudFront and S3.
+ * You can specify multiple domains to be redirected.
+ */
+export class IxWebsiteRedirect extends Construct {
+  constructor(scope: Construct, id: string, props: WebsiteRedirectProps) {
+    super(scope, id);
+
+    const domainNames = props.recordNames;
+
+    let redirectCert = props.certificate;
+
+    if (!redirectCert) {
+      const newCert = new IxCertificate(scope, id + "-IxRedirectCertificate", {
+        domainName: domainNames[0],
+        subjectAlternativeNames: domainNames.slice(1),
+        region: "us-east-1", // CloudFront will only use certificates in us-east-1
+      });
+      redirectCert = newCert.acmCertificate;
+    }
+
+    const certificateRegion = Stack.of(this).splitArn(
+      redirectCert.certificateArn,
+      ArnFormat.SLASH_RESOURCE_NAME,
+    ).region;
+    if (
+      !Token.isUnresolved(certificateRegion) &&
+      certificateRegion !== "us-east-1"
+    ) {
+      throw new Error(
+        `The certificate must be in the us-east-1 region and the certificate you provided is in ${certificateRegion}.`,
+      );
+    }
+
+    const redirectBucket = new Bucket(this, "RedirectBucket", {
+      websiteRedirect: {
+        hostName: props.targetDomain,
+        protocol: RedirectProtocol.HTTPS,
+      },
+      removalPolicy: RemovalPolicy.DESTROY,
+      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
+    });
+    const redirectDist = new CloudFrontWebDistribution(
+      this,
+      "RedirectDistribution",
+      {
+        defaultRootObject: "",
+        originConfigs: [
+          {
+            behaviors: [{ isDefaultBehavior: true }],
+            customOriginSource: {
+              domainName: redirectBucket.bucketWebsiteDomainName,
+              originProtocolPolicy: OriginProtocolPolicy.HTTP_ONLY,
+            },
+          },
+        ],
+        viewerCertificate: ViewerCertificate.fromAcmCertificate(redirectCert, {
+          aliases: domainNames,
+        }),
+        comment: `Redirect to ${props.targetDomain} from ${domainNames.join(
+          ", ",
+        )}`,
+        priceClass: PriceClass.PRICE_CLASS_ALL,
+        viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+      },
+    );
+
+    for (const domainName of domainNames) {
+      const domainNameLogicalId = convertToBase62Hash(domainName);
+
+      new IxDnsRecord(scope, `DnsRecord-Redirect-${domainNameLogicalId}`, {
+        type: "ALIAS",
+        name: domainName,
+        value: redirectDist.distributionDomainName,
+        aliasZoneId: CloudFrontTarget.getHostedZoneId(scope),
+        ttl: 900,
+      });
+    }
+  }
+}

package/src/cdk-constructs/SiteOidcAuth/auth-check-handler-body.ts

@@ -0,0 +1,168 @@
+// Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
+// Note that as a CloudFront Function, this code has limitations compared to a Lambda@Edge function. For example, no
+// external libraries can be used, and the runtime is more limited. Because SST v2's SsrSite construct uses JS v1.0
+// runtime for CloudFront Functions, this code must also be compatible with that runtime. Also this is used in the body
+// of a function where the variables event and request are already defined.
+
+declare const request: AWSCloudFrontFunction.Request;
+
+// eslint-disable-next-line @typescript-eslint/no-var-requires -- v1 runtime for CloudFront Functions do not support import statements
+const crypto: typeof import("crypto") = require("crypto");
+
+const jwtSecret = "__placeholder-for-jwt-secret__";
+const authRoutePrefix = "__placeholder-for-auth-route-prefix__";
+
+// Set to true to enable console logging
+const loggingEnabled = false;
+
+// Simple logger that can be enabled/disabled via the loggingEnabled variable.
+const log: typeof console.log = function () {
+  if (!loggingEnabled) return;
+
+  // CloudFront Function runtime only prints first argument passed to console.log so add other args to the first one if given.
+  // eslint-disable-next-line prefer-rest-params -- We can't use spread or rest parameters in CloudFront Functions
+  let message = arguments[0];
+  if (arguments.length > 1) {
+    const otherArgs = [];
+    for (let i = 1; i < arguments.length; i++) {
+      // eslint-disable-next-line prefer-rest-params
+      otherArgs[i - 1] = arguments[i];
+    }
+
+    message += " - additional args: " + JSON.stringify(otherArgs);
+  }
+  console.log(message);
+};
+
+//Response when JWT is not valid.
+const redirectResponse = {
+  statusCode: 302,
+  headers: {
+    location: { value: `${authRoutePrefix}/oidc/authorize` },
+  },
+};
+
+// Takes a JWT token to decode and throws an error if invalid
+function jwtDecode(token: string, key: string, noVerify?: boolean) {
+  // check segments
+  const segments = token.split(".");
+  if (segments.length !== 3) {
+    throw new Error("Not enough or too many segments");
+  }
+
+  // All segment should be base64
+  const headerSeg = segments[0];
+  const payloadSeg = segments[1];
+  const signatureSeg = segments[2];
+
+  // base64 decode and parse JSON
+  const payload = JSON.parse(_base64urlDecode(payloadSeg));
+
+  if (noVerify) {
+    return payload;
+  }
+
+  const signingMethod = "sha256";
+  const signingType = "hmac";
+
+  // Verify signature. `sign` will return base64 string.
+  const signingInput = [headerSeg, payloadSeg].join(".");
+
+  if (!_verify(signingInput, key, signingMethod, signingType, signatureSeg)) {
+    throw new Error("Signature verification failed");
+  }
+
+  // Support for nbf and exp claims.
+  // According to the RFC, they should be in seconds.
+  if (payload.nbf && Date.now() < payload.nbf * 1000) {
+    throw new Error("Token not yet active");
+  }
+
+  if (payload.exp && Date.now() > payload.exp * 1000) {
+    throw new Error("Token expired");
+  }
+
+  return payload;
+}
+
+// Function to ensure a constant time comparison to prevent timing side channels.
+function _constantTimeEquals(a: string, b: string) {
+  if (a.length != b.length) {
+    return false;
+  }
+
+  let xor = 0;
+  for (let i = 0; i < a.length; i++) {
+    xor |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+
+  return 0 === xor;
+}
+
+// Verifies some input matches an expected signature.
+function _verify(
+  input: string,
+  key: string,
+  method: string,
+  type: string,
+  signature: string,
+) {
+  if (type === "hmac") {
+    return _constantTimeEquals(signature, _sign(input, key, method));
+  } else {
+    throw new Error("Algorithm type not recognized");
+  }
+}
+
+// Signs some input with a key and method.
+function _sign(input: string, key: string, method: string) {
+  return crypto.createHmac(method, key).update(input).digest("base64url");
+}
+
+// Very annoying that we have to implement this ourselves but it seems like the v1 runtime does not have atob/btoa or
+// Buffer available.
+function _base64urlDecode(str: string) {
+  str = str.replace(/-/g, "+").replace(/_/g, "/");
+  while (str.length % 4) str += "=";
+
+  const chars =
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+  let output = "";
+
+  let bc = 0,
+    bs = 0,
+    buffer,
+    i = 0;
+  for (; i < str.length; i++) {
+    buffer = chars.indexOf(str.charAt(i));
+    if (buffer === -1) continue;
+
+    bs = (bs << 6) | buffer;
+    bc += 6;
+
+    if (bc >= 8) {
+      bc -= 8;
+      output += String.fromCharCode((bs >> bc) & 0xff);
+    }
+  }
+
+  return output;
+}
+
+const jwtToken =
+  request.cookies["auth-token"] && request.cookies["auth-token"].value;
+
+if (!jwtToken) {
+  log("Error: No JWT in the cookies");
+  // @ts-expect-error -- This code is added to a function body so we can use return here but typescript doesn't know that.
+  return redirectResponse;
+}
+try {
+  jwtDecode(jwtToken, jwtSecret);
+} catch (e) {
+  log(e);
+  // @ts-expect-error -- This code is added to a function body so we can use return here but typescript doesn't know that.
+  return redirectResponse;
+}
+
+log("Valid JWT token");

package/src/cdk-constructs/SiteOidcAuth/auth-route.ts

@@ -0,0 +1,71 @@
+import { AuthHandler, OidcAdapter } from "sst/node/auth";
+import { Issuer } from "openid-client";
+import jwt from "jsonwebtoken";
+
+const oidcClientId = process.env.OIDC_CLIENT_ID;
+if (!oidcClientId) {
+  throw new Error("OIDC_CLIENT_ID not set");
+}
+const oidcIssuerUrl = process.env.OIDC_ISSUER_URL;
+if (!oidcIssuerUrl) {
+  throw new Error("OIDC_ISSUER_URL not set");
+}
+const oidcScope = process.env.OIDC_SCOPE;
+if (!oidcScope) {
+  throw new Error("OIDC_SCOPE not set");
+}
+const jwtSecret = process.env.JWT_SECRET;
+if (!jwtSecret) {
+  throw new Error("JWT_SECRET not set");
+}
+
+const oidcIssuerConfigUrl = new URL(
+  `${process.env.OIDC_ISSUER_URL?.replace(/\/$/, "")}/.well-known/openid-configuration`,
+);
+
+export const handler = addRequiredContext(
+  AuthHandler({
+    providers: {
+      oidc: OidcAdapter({
+        issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
+        clientID: oidcClientId,
+        scope: oidcScope,
+        onSuccess: async (tokenset) => {
+          // Payload to include in the token
+          const payload = {
+            userID: tokenset.claims().sub,
+          };
+          const expiresInMs = 1000 * 60 * 60;
+
+          // Create the token
+          const token = jwt.sign(payload, jwtSecret, {
+            algorithm: "HS256",
+            expiresIn: expiresInMs / 1000,
+          });
+          const expiryDate = new Date(Date.now() + expiresInMs);
+          return {
+            statusCode: 302,
+            headers: {
+              location: "/",
+            },
+            cookies: [
+              `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expiryDate}`,
+            ],
+          };
+        },
+      }),
+    },
+  }),
+);
+
+function addRequiredContext(
+  handler: ReturnType<typeof AuthHandler>,
+): ReturnType<typeof AuthHandler> {
+  return async function (...args) {
+    const [event] = args;
+    // Used by AuthHandler to create callback url sent to oidc server
+    event.requestContext.domainName = event.headers["x-forwarded-host"];
+
+    return await handler(...args);
+  };
+}