raindancers-cloudfront 0.0.0 → 0.0.1

package/lib/cloudfront/cloudfront-functions/modules/auth-check.js

@@ -0,0 +1,263 @@
+import cf from 'cloudfront';
+var crypto = require('crypto');
+
+const kvsHandle = cf.kvs();
+const AZURE_TENANT_ID = 'TENANT_ID_PLACEHOLDER';
+const AZURE_CLIENT_ID = 'CLIENT_ID_PLACEHOLDER';
+const REDIRECT_URI = 'REDIRECT_URI_PLACEHOLDER';
+
+function base64urlDecode(str) {
+  var base64 = str.replace(/-/g, '+').replace(/_/g, '/');
+  while (base64.length % 4) {
+    base64 += '=';
+  }
+  return atob(base64);
+}
+
+function constantTimeCompare(a, b) {
+  if (a.length !== b.length) {
+    return false;
+  }
+  var result = 0;
+  for (var i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+
+async function validateHmacSignature(token) {
+  var parts = token.split('.');
+  if (parts.length !== 3) {
+    return false;
+  }
+  
+  var signingInput = parts[0] + '.' + parts[1];
+  var providedSignature = parts[2];
+  
+  try {
+    var secret = await kvsHandle.get('jwt.secret');
+    if (!secret) {
+      return false;
+    }
+    
+    var hmac = crypto.createHmac('sha256', secret);
+    hmac.update(signingInput);
+    var computedSignature = hmac.digest('base64url');
+    
+    if (constantTimeCompare(computedSignature, providedSignature)) {
+      return true;
+    }
+    
+    try {
+      var oldSecret = await kvsHandle.get('jwt.secret.old');
+      if (oldSecret) {
+        var oldHmac = crypto.createHmac('sha256', oldSecret);
+        oldHmac.update(signingInput);
+        var oldComputedSignature = oldHmac.digest('base64url');
+        
+        if (constantTimeCompare(oldComputedSignature, providedSignature)) {
+          return true;
+        }
+      }
+    } catch (e) {}
+    return false;
+  } catch (e) {
+    return false;
+  }
+}
+
+function generateCodeVerifier() {
+  var chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~';
+  var result = '';
+  for (var i = 0; i < 43; i++) {
+    result += chars.charAt(Math.floor(Math.random() * chars.length));
+  }
+  return result;
+}
+
+function generateCodeChallenge(verifier) {
+  var hash = crypto.createHash('sha256');
+  hash.update(verifier);
+  return hash.digest('base64url');
+}
+
+function generateState(originalPath) {
+  var randomPart = Math.random().toString(36).substring(2) + Date.now().toString(36);
+  var stateObj = {
+    r: randomPart,
+    p: originalPath
+  };
+  return btoa(JSON.stringify(stateObj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+
+function buildAzureAuthUrl(state, codeChallenge) {
+  var params = [
+    'client_id=' + encodeURIComponent(AZURE_CLIENT_ID),
+    'redirect_uri=' + encodeURIComponent(REDIRECT_URI),
+    'response_type=code',
+    'scope=' + encodeURIComponent('openid profile email'),
+    'state=' + encodeURIComponent(state),
+    'code_challenge=' + encodeURIComponent(codeChallenge),
+    'code_challenge_method=S256'
+  ];
+  
+  return 'https://login.microsoftonline.com/' + AZURE_TENANT_ID + 
+         '/oauth2/v2.0/authorize?' + params.join('&');
+}
+
+function getOriginalPath(request) {
+  var qs = request.querystring;
+  if (!qs) {
+    return request.uri;
+  }
+  if (typeof qs === 'object') {
+    var params = [];
+    for (var key in qs) {
+      if (qs.hasOwnProperty(key)) {
+        var val = qs[key];
+        if (val && val.value !== undefined) {
+          params.push(encodeURIComponent(key) + '=' + encodeURIComponent(val.value));
+        } else {
+          params.push(encodeURIComponent(key) + '=' + encodeURIComponent(val));
+        }
+      }
+    }
+    return request.uri + (params.length > 0 ? '?' + params.join('&') : '');
+  }
+  return request.uri + '?' + qs;
+}
+
+function redirectToAuth(originalPath) {
+  var state = generateState(originalPath);
+  var codeVerifier = generateCodeVerifier();
+  var codeChallenge = generateCodeChallenge(codeVerifier);
+  return {
+    statusCode: 302,
+    headers: {
+      location: { value: buildAzureAuthUrl(state, codeChallenge) },
+      'cache-control': { value: 'no-store' }
+    },
+    cookies: {
+      oauth_state: {
+        value: state,
+        attributes: 'HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=600'
+      },
+      code_verifier: {
+        value: codeVerifier,
+        attributes: 'HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=600'
+      }
+    }
+  };
+}
+
+async function checkAuth(event, decodedPayload, requiredRoles, roleMatchMode) {
+  var request = event.request;
+  if (request.uri === '/oauth2/callback') {
+    return { pass: true, payload: null };
+  }
+  if (decodedPayload) {
+    return { pass: true, payload: decodedPayload };
+  }
+  var cookies = request.cookies;
+  var originalPath = getOriginalPath(request);
+  if (!cookies['__Host-auth_session']) {
+    return {
+      pass: false,
+      response: redirectToAuth(originalPath)
+    };
+  }
+  var token = cookies['__Host-auth_session'].value;
+  if (!token || token.length === 0) {
+    return {
+      pass: false,
+      response: redirectToAuth(originalPath)
+    };
+  }
+  try {
+    var parts = token.split('.');
+    if (parts.length !== 3) {
+      return {
+        pass: false,
+        response: redirectToAuth(originalPath)
+      };
+    }
+    var isValid = await validateHmacSignature(token);
+    if (!isValid) {
+      return {
+        pass: false,
+        response: redirectToAuth(originalPath)
+      };
+    }
+    var payload = JSON.parse(base64urlDecode(parts[1]));
+    var now = Math.floor(Date.now() / 1000);
+    if (payload.exp && payload.exp < now) {
+      return {
+        pass: false,
+        response: redirectToAuth(originalPath)
+      };
+    }
+    var jti = payload.jti;
+    if (jti) {
+      try {
+        var isRevoked = await kvsHandle.get('revoked:' + jti);
+        if (isRevoked) {
+          return {
+            pass: false,
+            response: redirectToAuth(originalPath)
+          };
+        }
+      } catch (e) {}
+    }
+    
+    // Role check (if required roles provided)
+    if (requiredRoles && requiredRoles.length > 0) {
+      var userRoles = payload.roles || [];
+      var hasAccess = false;
+      
+      if (roleMatchMode === 'AND') {
+        hasAccess = true;
+        for (var i = 0; i < requiredRoles.length; i++) {
+          if (userRoles.indexOf(requiredRoles[i]) === -1) {
+            hasAccess = false;
+            break;
+          }
+        }
+      } else {
+        for (var i = 0; i < requiredRoles.length; i++) {
+          if (userRoles.indexOf(requiredRoles[i]) !== -1) {
+            hasAccess = true;
+            break;
+          }
+        }
+      }
+      
+      if (!hasAccess) {
+        return {
+          pass: false,
+          response: {
+            statusCode: 403,
+            statusDescription: 'Forbidden',
+            body: 'Access denied: insufficient roles'
+          }
+        };
+      }
+    }
+    
+    return { pass: true, payload: payload };
+  } catch (e) {
+    return {
+      pass: false,
+      response: redirectToAuth(originalPath)
+    };
+  }
+}
+
+function injectAzureToken(request, cookies) {
+  var azureToken = cookies['__Host-azure_token'];
+  if (azureToken && azureToken.value) {
+    request.headers['x-azure-token'] = {
+      value: azureToken.value
+    };
+  }
+  return request;
+}

package/lib/cloudfront/cloudfront-functions/modules/cognito-auth-check.js

@@ -0,0 +1,223 @@
+import cf from 'cloudfront';
+var crypto = require('crypto');
+
+const kvsHandle = cf.kvs();
+const COGNITO_DOMAIN = 'COGNITO_DOMAIN_PLACEHOLDER';
+const COGNITO_CLIENT_ID = 'CLIENT_ID_PLACEHOLDER';
+const REDIRECT_URI = 'REDIRECT_URI_PLACEHOLDER';
+
+function base64urlDecode(str) {
+  var base64 = str.replace(/-/g, '+').replace(/_/g, '/');
+  while (base64.length % 4) {
+    base64 += '=';
+  }
+  return atob(base64);
+}
+
+function constantTimeCompare(a, b) {
+  if (a.length !== b.length) {
+    return false;
+  }
+  var result = 0;
+  for (var i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+
+async function validateHmacSignature(token) {
+  var parts = token.split('.');
+  if (parts.length !== 3) {
+    return false;
+  }
+
+  var signingInput = parts[0] + '.' + parts[1];
+  var providedSignature = parts[2];
+
+  try {
+    var secret = await kvsHandle.get('jwt.secret');
+    if (!secret) {
+      return false;
+    }
+
+    var hmac = crypto.createHmac('sha256', secret);
+    hmac.update(signingInput);
+    var computedSignature = hmac.digest('base64url');
+
+    if (constantTimeCompare(computedSignature, providedSignature)) {
+      return true;
+    }
+
+    try {
+      var oldSecret = await kvsHandle.get('jwt.secret.old');
+      if (oldSecret) {
+        var oldHmac = crypto.createHmac('sha256', oldSecret);
+        oldHmac.update(signingInput);
+        var oldComputedSignature = oldHmac.digest('base64url');
+        if (constantTimeCompare(oldComputedSignature, providedSignature)) {
+          return true;
+        }
+      }
+    } catch (e) {}
+    return false;
+  } catch (e) {
+    return false;
+  }
+}
+
+function generateCodeVerifier() {
+  var chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~';
+  var result = '';
+  for (var i = 0; i < 43; i++) {
+    result += chars.charAt(Math.floor(Math.random() * chars.length));
+  }
+  return result;
+}
+
+function generateCodeChallenge(verifier) {
+  var hash = crypto.createHash('sha256');
+  hash.update(verifier);
+  return hash.digest('base64url');
+}
+
+function generateState(originalPath) {
+  var randomPart = Math.random().toString(36).substring(2) + Date.now().toString(36);
+  var stateObj = { r: randomPart, p: originalPath };
+  return btoa(JSON.stringify(stateObj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+
+function buildCognitoAuthUrl(state, codeChallenge) {
+  var params = [
+    'client_id=' + encodeURIComponent(COGNITO_CLIENT_ID),
+    'redirect_uri=' + encodeURIComponent(REDIRECT_URI),
+    'response_type=code',
+    'scope=' + encodeURIComponent('openid profile email'),
+    'state=' + encodeURIComponent(state),
+    'code_challenge=' + encodeURIComponent(codeChallenge),
+    'code_challenge_method=S256'
+  ];
+  return 'https://' + COGNITO_DOMAIN + '/oauth2/authorize?' + params.join('&');
+}
+
+function getOriginalPath(request) {
+  var qs = request.querystring;
+  if (!qs) {
+    return request.uri;
+  }
+  if (typeof qs === 'object') {
+    var params = [];
+    for (var key in qs) {
+      if (qs.hasOwnProperty(key)) {
+        var val = qs[key];
+        if (val && val.value !== undefined) {
+          params.push(encodeURIComponent(key) + '=' + encodeURIComponent(val.value));
+        } else {
+          params.push(encodeURIComponent(key) + '=' + encodeURIComponent(val));
+        }
+      }
+    }
+    return request.uri + (params.length > 0 ? '?' + params.join('&') : '');
+  }
+  return request.uri + '?' + qs;
+}
+
+function redirectToAuth(originalPath) {
+  var state = generateState(originalPath);
+  var codeVerifier = generateCodeVerifier();
+  var codeChallenge = generateCodeChallenge(codeVerifier);
+  return {
+    statusCode: 302,
+    headers: {
+      location: { value: buildCognitoAuthUrl(state, codeChallenge) },
+      'cache-control': { value: 'no-store' }
+    },
+    cookies: {
+      oauth_state: {
+        value: state,
+        attributes: 'HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=600'
+      },
+      code_verifier: {
+        value: codeVerifier,
+        attributes: 'HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=600'
+      }
+    }
+  };
+}
+
+async function checkAuth(event, decodedPayload, requiredRoles, roleMatchMode) {
+  var request = event.request;
+  if (request.uri === '/oauth2/callback') {
+    return { pass: true, payload: null };
+  }
+  if (decodedPayload) {
+    return { pass: true, payload: decodedPayload };
+  }
+  var cookies = request.cookies;
+  var originalPath = getOriginalPath(request);
+  if (!cookies['__Host-auth_session']) {
+    return { pass: false, response: redirectToAuth(originalPath) };
+  }
+  var token = cookies['__Host-auth_session'].value;
+  if (!token || token.length === 0) {
+    return { pass: false, response: redirectToAuth(originalPath) };
+  }
+  try {
+    var parts = token.split('.');
+    if (parts.length !== 3) {
+      return { pass: false, response: redirectToAuth(originalPath) };
+    }
+    var isValid = await validateHmacSignature(token);
+    if (!isValid) {
+      return { pass: false, response: redirectToAuth(originalPath) };
+    }
+    var payload = JSON.parse(base64urlDecode(parts[1]));
+    var now = Math.floor(Date.now() / 1000);
+    if (payload.exp && payload.exp < now) {
+      return { pass: false, response: redirectToAuth(originalPath) };
+    }
+    var jti = payload.jti;
+    if (jti) {
+      try {
+        var isRevoked = await kvsHandle.get('revoked:' + jti);
+        if (isRevoked) {
+          return { pass: false, response: redirectToAuth(originalPath) };
+        }
+      } catch (e) {}
+    }
+
+    if (requiredRoles && requiredRoles.length > 0) {
+      var userRoles = payload.roles || [];
+      var hasAccess = false;
+      if (roleMatchMode === 'AND') {
+        hasAccess = true;
+        for (var i = 0; i < requiredRoles.length; i++) {
+          if (userRoles.indexOf(requiredRoles[i]) === -1) {
+            hasAccess = false;
+            break;
+          }
+        }
+      } else {
+        for (var i = 0; i < requiredRoles.length; i++) {
+          if (userRoles.indexOf(requiredRoles[i]) !== -1) {
+            hasAccess = true;
+            break;
+          }
+        }
+      }
+      if (!hasAccess) {
+        return {
+          pass: false,
+          response: {
+            statusCode: 403,
+            statusDescription: 'Forbidden',
+            body: 'Access denied: insufficient roles'
+          }
+        };
+      }
+    }
+
+    return { pass: true, payload: payload };
+  } catch (e) {
+    return { pass: false, response: redirectToAuth(originalPath) };
+  }
+}

package/lib/cloudfront/cloudfront-functions/modules/shared-utils.js

@@ -0,0 +1,47 @@
+function decodeJWT(token) {
+  try {
+    var parts = token.split('.');
+    if (parts.length !== 3) {
+      return null;
+    }
+    var payloadBase64 = parts[1];
+    while (payloadBase64.length % 4 !== 0) {
+      payloadBase64 += '=';
+    }
+    var payloadJson = atob(payloadBase64);
+    return JSON.parse(payloadJson);
+  } catch (e) {
+    return null;
+  }
+}
+
+function getJWTFromHeaders(headers) {
+  var authHeader = headers['authorization'] ? headers['authorization'].value : '';
+  if (!authHeader.startsWith('Bearer ')) {
+    return null;
+  }
+  return authHeader.substring(7);
+}
+
+function createRedirect(location, requestId) {
+  return {
+    statusCode: 302,
+    statusDescription: 'Found',
+    headers: {
+      'location': { value: location + '?ref=' + requestId },
+      'cache-control': { value: 'no-store' },
+    },
+  };
+}
+
+function createErrorResponse(statusCode, message) {
+  return {
+    statusCode: statusCode,
+    statusDescription: message,
+    headers: {
+      'content-type': { value: 'text/html; charset=utf-8' },
+      'cache-control': { value: 'no-store' },
+    },
+    body: '<h1>' + statusCode + ' ' + message + '</h1>',
+  };
+}

package/lib/cloudfront/cloudfront-functions/modules/tls-check.js

@@ -0,0 +1,39 @@
+// tls-check.js - TLS 1.3 enforcement check
+// Returns null if check passes, or redirect response if fails
+
+/**
+ * Check if request uses TLS 1.3 with approved ciphers
+ * @param {object} event - CloudFront event object
+ * @returns {object|null} Redirect response or null if check passes
+ */
+function checkTLS(event) {
+  var headers = event.request.headers;
+  var requestId = event.context.requestId;
+  
+  // Get TLS info from CloudFront-Viewer-TLS header
+  var tlsInfo = headers['cloudfront-viewer-tls'] 
+    ? headers['cloudfront-viewer-tls'].value 
+    : '';
+  
+  // Parse TLS version and cipher
+  var parts = tlsInfo.split(':');
+  var tlsVersion = parts[0] || 'unknown';
+  var cipher = parts[1] || 'unknown';
+  
+  // Check if using TLS 1.3
+  if (!tlsVersion.startsWith('TLSv1.3')) {
+    return createRedirect('/upgrade.html', requestId);
+  }
+  
+  // Verify strong cipher (TLS 1.3 GCM only)
+  var allowedCiphers = [
+    'TLS_AES_128_GCM_SHA256',
+    'TLS_AES_256_GCM_SHA384'
+  ];
+  
+  if (allowedCiphers.indexOf(cipher) === -1) {
+    return createRedirect('/upgrade.html', requestId);
+  }
+  
+  return null; // Check passed
+}

package/lib/cloudfront/cloudfront-functions/modules/url-rewrite.js

@@ -0,0 +1,6 @@
+function rewriteToIndex(event) {
+  var uri = event.request.uri;
+  if (!uri.match(/\.[a-zA-Z0-9]+$/)) {
+    event.request.uri = uri.replace(/\/?$/, '/index.html');
+  }
+}

package/lib/cloudfront/cloudfront-functions/role-enforcer.js

@@ -0,0 +1,93 @@
+// role-enforcer.js - CloudFront Function (viewer-request)
+// Enforces role-based access control
+// Requires: JWT in Authorization header (validated by auth-check.js)
+// Requires: x-required-roles header set by construct
+
+function handler(event) {
+  var request = event.request;
+  var headers = request.headers;
+  
+  // Get JWT from Authorization header
+  var authHeader = headers['authorization'] ? headers['authorization'].value : '';
+  if (!authHeader.startsWith('Bearer ')) {
+    return {
+      statusCode: 401,
+      statusDescription: 'Unauthorized',
+      headers: {
+        'content-type': { value: 'text/html; charset=utf-8' },
+        'cache-control': { value: 'no-store' },
+      },
+      body: '<h1>401 Unauthorized</h1><p>Authentication required.</p>',
+    };
+  }
+  
+  var token = authHeader.substring(7);
+  
+  // Parse JWT payload (base64 decode middle section)
+  var parts = token.split('.');
+  if (parts.length !== 3) {
+    return {
+      statusCode: 401,
+      statusDescription: 'Unauthorized',
+      headers: {
+        'content-type': { value: 'text/html; charset=utf-8' },
+        'cache-control': { value: 'no-store' },
+      },
+      body: '<h1>401 Unauthorized</h1><p>Invalid token format.</p>',
+    };
+  }
+  
+  // Decode payload
+  var payload;
+  try {
+    var payloadBase64 = parts[1];
+    // Add padding if needed
+    while (payloadBase64.length % 4 !== 0) {
+      payloadBase64 += '=';
+    }
+    var payloadJson = atob(payloadBase64);
+    payload = JSON.parse(payloadJson);
+  } catch (e) {
+    return {
+      statusCode: 401,
+      statusDescription: 'Unauthorized',
+      headers: {
+        'content-type': { value: 'text/html; charset=utf-8' },
+        'cache-control': { value: 'no-store' },
+      },
+      body: '<h1>401 Unauthorized</h1><p>Invalid token.</p>',
+    };
+  }
+  
+  // Get required roles from custom header
+  var requiredRolesHeader = headers['x-required-roles'] ? headers['x-required-roles'].value : '';
+  var requiredRoles = requiredRolesHeader ? requiredRolesHeader.split(',') : [];
+  
+  // Get user roles from JWT
+  var userRoles = payload.roles || [];
+  
+  // Check if user has any required role
+  var hasRole = false;
+  for (var i = 0; i < requiredRoles.length; i++) {
+    if (userRoles.indexOf(requiredRoles[i]) !== -1) {
+      hasRole = true;
+      break;
+    }
+  }
+  
+  if (!hasRole) {
+    // Include CloudFront Request ID for incident tracking
+    var requestId = event.context.requestId;
+    return {
+      statusCode: 302,
+      statusDescription: 'Found',
+      headers: {
+        'location': { value: '/error.html?ref=' + requestId },
+        'cache-control': { value: 'no-store' },
+      },
+    };
+  }
+  
+  // Allow request to proceed
+  return request;
+}