@quiltdata/benchling-webhook 0.4.13

package/bin/test-invalid-signature.js

@@ -0,0 +1,125 @@
+#!/usr/bin/env node
+const { createSign, generateKeyPairSync } = require('crypto');
+const fs = require('fs');
+
+// Parse command line arguments
+const args = process.argv.slice(2);
+if (args.length === 0) {
+    console.error('Usage: test-invalid-signature.js <webhook-url>');
+    console.error('Example: test-invalid-signature.js https://example.com/prod/lifecycle');
+    process.exit(1);
+}
+
+const webhookUrl = args[0];
+
+// Read the test payload
+const testPayload = JSON.parse(fs.readFileSync('test-events/app-installed.json', 'utf8'));
+const rawBody = JSON.stringify(testPayload);
+
+// Generate a WRONG key pair (not the one Benchling has)
+const { privateKey } = generateKeyPairSync('ec', {
+    namedCurve: 'prime256v1'
+});
+
+// Create realistic webhook headers
+const webhookId = 'wh_test123';
+const webhookTimestamp = Math.floor(Date.now() / 1000).toString();
+
+// Sign with the WRONG private key
+const payloadToSign = `${webhookId}.${webhookTimestamp}.${rawBody}`;
+const signer = createSign('sha256');
+signer.update(payloadToSign);
+signer.end();
+
+const invalidSignature = signer.sign(privateKey).toString('base64');
+
+console.log('Testing webhook security with INVALID signature');
+console.log('='.repeat(60));
+console.log('Target URL:', webhookUrl);
+console.log('Webhook-Id:', webhookId);
+console.log('Webhook-Timestamp:', webhookTimestamp);
+console.log('Webhook-Signature:', `v1bder,${invalidSignature}`);
+console.log('\nNote: This signature is valid ECDSA format but signed with the WRONG key.');
+console.log('The webhook MUST reject this request.\n');
+
+// Make the actual HTTP request
+(async () => {
+    try {
+        const response = await fetch(webhookUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'webhook-id': webhookId,
+                'webhook-timestamp': webhookTimestamp,
+                'webhook-signature': `v1bder,${invalidSignature}`
+            },
+            body: rawBody
+        });
+
+        const responseText = await response.text();
+        let responseBody;
+        try {
+            responseBody = JSON.parse(responseText);
+        } catch {
+            responseBody = responseText;
+        }
+
+        console.log('Response Status:', response.status, response.statusText);
+        console.log('Response Body:', JSON.stringify(responseBody, null, 2));
+        console.log();
+
+        // Validate the response
+        if (response.status === 202) {
+            console.log('⚠️  WARNING: Request was ACCEPTED (202)');
+            console.log('   This means validation happens asynchronously.');
+
+            if (responseBody.executionArn) {
+                console.log('   Checking execution status...');
+                const executionArn = responseBody.executionArn;
+
+                // Wait a bit for execution to start
+                await new Promise(resolve => setTimeout(resolve, 2000));
+
+                // Check execution status using AWS CLI
+                const { execSync } = require('child_process');
+                try {
+                    const status = execSync(
+                        `aws stepfunctions describe-execution --execution-arn "${executionArn}" --query 'status' --output text`,
+                        { encoding: 'utf8' }
+                    ).trim();
+
+                    console.log('   Execution Status:', status);
+
+                    if (status === 'FAILED') {
+                        const history = execSync(
+                            `aws stepfunctions get-execution-history --execution-arn "${executionArn}" --query 'events[?type==\`ExecutionFailed\`].executionFailedEventDetails.error' --output text`,
+                            { encoding: 'utf8' }
+                        ).trim();
+                        console.log('   Failure Reason:', history || 'WebhookVerificationError');
+                        console.log('\n✅ PASS: Webhook correctly rejected invalid signature (async)');
+                        process.exit(0);
+                    } else if (status === 'SUCCEEDED') {
+                        console.log('\n❌ FAIL: Webhook accepted invalid signature!');
+                        process.exit(1);
+                    } else {
+                        console.log(`   Status: ${status} - manual verification needed`);
+                    }
+                } catch (error) {
+                    console.log('   Could not check execution status:', error.message);
+                }
+            }
+        } else if (response.status === 401 || response.status === 403) {
+            console.log('✅ PASS: Webhook correctly rejected invalid signature (sync)');
+            process.exit(0);
+        } else if (response.status >= 400) {
+            console.log(`⚠️  Request rejected with status ${response.status}`);
+            console.log('   Manual verification needed');
+        } else if (response.status >= 200 && response.status < 300) {
+            console.log('❌ FAIL: Webhook accepted invalid signature!');
+            process.exit(1);
+        }
+    } catch (error) {
+        console.error('Error making request:', error.message);
+        process.exit(1);
+    }
+})();

package/bin/version.js

@@ -0,0 +1,178 @@
+#!/usr/bin/env node
+
+/**
+ * Version management script - bumps version numbers across all files
+ *
+ * Usage:
+ *   node bin/version.js          # Show current version
+ *   node bin/version.js patch    # 0.4.7 -> 0.4.8
+ *   node bin/version.js minor    # 0.4.7 -> 0.5.0
+ *   node bin/version.js major    # 0.4.7 -> 1.0.0
+ *   node bin/version.js dev      # 0.4.7 -> 0.4.8-dev.0
+ *   node bin/version.js dev-bump # 0.4.8-dev.0 -> 0.4.8-dev.1
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+
+const packagePath = path.join(__dirname, '..', 'package.json');
+const pyprojectPath = path.join(__dirname, '..', 'docker', 'pyproject.toml');
+const appManifestPath = path.join(__dirname, '..', 'docker', 'app-manifest.yaml');
+const pkg = JSON.parse(fs.readFileSync(packagePath, 'utf8'));
+
+function parseVersion(version) {
+  const match = version.match(/^(\d+)\.(\d+)\.(\d+)(?:-dev\.(\d+))?$/);
+  if (!match) {
+    throw new Error(`Invalid version format: ${version}`);
+  }
+  return {
+    major: parseInt(match[1]),
+    minor: parseInt(match[2]),
+    patch: parseInt(match[3]),
+    dev: match[4] ? parseInt(match[4]) : null
+  };
+}
+
+function formatVersion(ver) {
+  let version = `${ver.major}.${ver.minor}.${ver.patch}`;
+  if (ver.dev !== null) {
+    version += `-dev.${ver.dev}`;
+  }
+  return version;
+}
+
+function bumpVersion(currentVersion, bumpType) {
+  const ver = parseVersion(currentVersion);
+
+  switch (bumpType) {
+    case 'major':
+      ver.major++;
+      ver.minor = 0;
+      ver.patch = 0;
+      ver.dev = null;
+      break;
+    case 'minor':
+      ver.minor++;
+      ver.patch = 0;
+      ver.dev = null;
+      break;
+    case 'patch':
+      ver.patch++;
+      ver.dev = null;
+      break;
+    case 'dev':
+      // If already a dev version, increment dev counter
+      // Otherwise, bump patch and add dev.0
+      if (ver.dev !== null) {
+        ver.dev++;
+      } else {
+        ver.patch++;
+        ver.dev = 0;
+      }
+      break;
+    case 'dev-bump':
+      // Only bump dev counter, error if not a dev version
+      if (ver.dev === null) {
+        throw new Error('Cannot bump dev counter on non-dev version. Use "dev" instead.');
+      }
+      ver.dev++;
+      break;
+    default:
+      throw new Error(`Unknown bump type: ${bumpType}`);
+  }
+
+  return formatVersion(ver);
+}
+
+function updatePackageVersion(newVersion) {
+  pkg.version = newVersion;
+  fs.writeFileSync(packagePath, JSON.stringify(pkg, null, 2) + '\n');
+  console.log(`✅ Updated package.json to version ${newVersion}`);
+}
+
+function updatePyprojectVersion(newVersion) {
+  let content = fs.readFileSync(pyprojectPath, 'utf8');
+  content = content.replace(/^version\s*=\s*"[^"]+"/m, `version = "${newVersion}"`);
+  fs.writeFileSync(pyprojectPath, content);
+  console.log(`✅ Updated docker/pyproject.toml to version ${newVersion}`);
+}
+
+function updateAppManifestVersion(newVersion) {
+  let content = fs.readFileSync(appManifestPath, 'utf8');
+  content = content.replace(/^(\s*)version:\s*.+$/m, `$1version: ${newVersion}`);
+  fs.writeFileSync(appManifestPath, content);
+  console.log(`✅ Updated docker/app-manifest.yaml to version ${newVersion}`);
+}
+
+function main() {
+  const args = process.argv.slice(2);
+
+  // No args: just output the version number (for scripting)
+  if (args.length === 0) {
+    console.log(pkg.version);
+    process.exit(0);
+  }
+
+  // Help
+  if (args.includes('--help') || args.includes('-h')) {
+    console.log('Current version:', pkg.version);
+    console.log('');
+    console.log('Usage: node bin/version.js [command]');
+    console.log('');
+    console.log('Commands:');
+    console.log('  (no args)  - Output current version');
+    console.log('  major      - Bump major version (1.0.0 -> 2.0.0)');
+    console.log('  minor      - Bump minor version (0.4.7 -> 0.5.0)');
+    console.log('  patch      - Bump patch version (0.4.7 -> 0.4.8)');
+    console.log('  dev        - Bump to dev version (0.4.7 -> 0.4.8-dev.0 or 0.4.8-dev.0 -> 0.4.8-dev.1)');
+    console.log('  dev-bump   - Bump dev counter only (0.4.8-dev.0 -> 0.4.8-dev.1)');
+    console.log('');
+    console.log('This script only updates version numbers in:');
+    console.log('  - package.json');
+    console.log('  - docker/pyproject.toml');
+    console.log('  - docker/app-manifest.yaml');
+    console.log('');
+    console.log('To create a release tag, use: npm run release or npm run release:dev');
+    process.exit(0);
+  }
+
+  const bumpType = args[0];
+
+  // Check for uncommitted changes
+  try {
+    execSync('git diff-index --quiet HEAD --', { stdio: 'ignore' });
+  } catch (e) {
+    console.error('❌ You have uncommitted changes');
+    console.error('   Commit or stash your changes before bumping version');
+    process.exit(1);
+  }
+
+  try {
+    const currentVersion = pkg.version;
+    const newVersion = bumpVersion(currentVersion, bumpType);
+
+    console.log(`Bumping version: ${currentVersion} -> ${newVersion}`);
+    console.log('');
+
+    // Update all version files
+    updatePackageVersion(newVersion);
+    updatePyprojectVersion(newVersion);
+    updateAppManifestVersion(newVersion);
+
+    // Commit the changes
+    execSync('git add package.json docker/pyproject.toml docker/app-manifest.yaml', { stdio: 'inherit' });
+    execSync(`git commit -m "chore: bump version to ${newVersion}"`, { stdio: 'inherit' });
+    console.log(`✅ Committed version change`);
+    console.log('');
+    console.log('Next steps:');
+    console.log('  1. Push changes: git push');
+    console.log('  2. Create release: npm run release (or npm run release:dev for dev release)');
+
+  } catch (error) {
+    console.error('❌ Error:', error.message);
+    process.exit(1);
+  }
+}
+
+main();

package/cdk.context.json

@@ -0,0 +1,58 @@
+{
+  "acknowledged-issue-numbers": [
+    32775,
+    30717,
+    34293,
+    34486
+  ],
+  "vpc-provider:account=712023778557:filter.isDefault=true:region=us-east-1:returnAsymmetricSubnets=true": {
+    "vpcId": "vpc-2dda6457",
+    "vpcCidrBlock": "172.31.0.0/16",
+    "ownerAccountId": "712023778557",
+    "availabilityZones": [],
+    "subnetGroups": [
+      {
+        "name": "Public",
+        "type": "Public",
+        "subnets": [
+          {
+            "subnetId": "subnet-a9e2d0e3",
+            "cidr": "172.31.16.0/20",
+            "availabilityZone": "us-east-1a",
+            "routeTableId": "rtb-455b5e3a"
+          },
+          {
+            "subnetId": "subnet-f1a1cead",
+            "cidr": "172.31.32.0/20",
+            "availabilityZone": "us-east-1b",
+            "routeTableId": "rtb-455b5e3a"
+          },
+          {
+            "subnetId": "subnet-5853313f",
+            "cidr": "172.31.0.0/20",
+            "availabilityZone": "us-east-1c",
+            "routeTableId": "rtb-455b5e3a"
+          },
+          {
+            "subnetId": "subnet-5dbfd673",
+            "cidr": "172.31.80.0/20",
+            "availabilityZone": "us-east-1d",
+            "routeTableId": "rtb-455b5e3a"
+          },
+          {
+            "subnetId": "subnet-7a3f8944",
+            "cidr": "172.31.48.0/20",
+            "availabilityZone": "us-east-1e",
+            "routeTableId": "rtb-455b5e3a"
+          },
+          {
+            "subnetId": "subnet-30e0c43f",
+            "cidr": "172.31.64.0/20",
+            "availabilityZone": "us-east-1f",
+            "routeTableId": "rtb-455b5e3a"
+          }
+        ]
+      }
+    ]
+  }
+}

package/cdk.json

@@ -0,0 +1,85 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/benchling-webhook.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
+    "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": false,
+    "@aws-cdk/aws-ecs:disableEcsImdsBlocking": true,
+    "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
+    "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
+    "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true,
+    "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true,
+    "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true,
+    "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": true,
+    "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true,
+    "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true,
+    "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true,
+    "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true,
+    "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true
+  }
+}

package/doc/NPM_OIDC_SETUP.md

@@ -0,0 +1,95 @@
+# NPM OIDC Configuration for GitHub Actions
+
+This repository now uses OpenID Connect (OIDC) for publishing to npm, eliminating the need for long-lived `NPM_TOKEN` secrets.
+
+## What Changed
+
+The GitHub Actions workflow ([.github/workflows/ci.yaml](.github/workflows/ci.yaml)) has been updated to:
+
+1. Add `id-token: write` permission for OIDC token generation
+2. Use `npm publish --provenance --access public` with automatic OIDC authentication
+3. Remove dependency on `NPM_TOKEN` GitHub secret
+
+## Required npm Configuration
+
+To enable OIDC publishing, you need to configure your npm package settings:
+
+### 1. Enable Provenance on npm
+
+The `--provenance` flag automatically uses OIDC when available. npm will:
+
+- Accept OIDC tokens from GitHub Actions
+- Generate signed provenance attestations
+- Link published packages to their source code and build process
+
+### 2. Configure npm Package Access
+
+If not already configured, ensure your npm account has:
+
+1. **Publishing access** to the `quilt-benchling-webhook` package
+2. **Provenance enabled** for your npm account/organization
+
+### 3. Update npm Settings (If First Time Using OIDC)
+
+Visit [npm automation tokens settings](https://www.npmjs.com/settings/~/tokens) and:
+
+1. You can safely **delete the old `NPM_TOKEN`** secret from GitHub after verifying OIDC works
+2. No new token needs to be created - OIDC handles authentication automatically
+3. Ensure your npm organization settings allow publishing with provenance
+
+### 4. Grant GitHub Actions Access (npm Configuration)
+
+For npm to accept OIDC tokens from your repository:
+
+1. Go to [npm package settings](https://www.npmjs.com/package/quilt-benchling-webhook/access)
+2. Ensure the package allows automated publishing
+3. npm automatically trusts GitHub Actions OIDC tokens for configured organizations
+
+## Testing the Setup
+
+To test OIDC publishing:
+
+1. Create a test tag: `git tag v0.4.14-dev.1 && git push origin v0.4.14-dev.1`
+2. Monitor the GitHub Actions workflow
+3. The "Publish to NPM" step should succeed without `NODE_AUTH_TOKEN`
+4. Verify provenance on npm: `npm view quilt-benchling-webhook`
+
+## Troubleshooting
+
+### "Unable to authenticate" errors
+
+- Verify `id-token: write` permission is set in the workflow
+- Check that `registry-url: 'https://registry.npmjs.org'` is configured in the Node.js setup
+- Ensure the package exists and your account has publishing rights
+
+### "Provenance not supported" errors
+
+- Update to npm 9.5.0 or later (the workflow uses Node.js 24 which includes npm 10.x)
+- Verify your npm account/organization supports provenance
+
+### Need to roll back?
+
+If you need to revert to token-based authentication:
+
+1. Create a new npm automation token
+2. Add it as `NPM_TOKEN` secret in GitHub
+3. Remove `--provenance` flag and add back:
+
+   ```yaml
+   env:
+     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+   ```
+
+## Benefits of OIDC
+
+- **No secret rotation**: No long-lived tokens to manage or rotate
+- **Better security**: Tokens are short-lived and scoped to specific workflows
+- **Provenance**: Published packages include verifiable build provenance
+- **Audit trail**: Clear link between published packages and their source
+- **Supply chain security**: Helps prevent package tampering and improves trust
+
+## References
+
+- [npm Provenance Documentation](https://docs.npmjs.com/generating-provenance-statements)
+- [GitHub Actions OIDC](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
+- [npm publish with provenance](https://docs.npmjs.com/cli/v10/commands/npm-publish#provenance)