npm - raindancers-cloudfront - Versions diffs - 0.0.0 → 0.0.1 - Mend

raindancers-cloudfront 0.0.0 → 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (36) hide show

package/lib/cloudfront/cloudfront-functions/tls-enforcer.js ADDED Viewed

@@ -0,0 +1,55 @@
+// tls-enforcer.js - CloudFront Function (viewer-request)
+// Enforces TLS 1.3 with strongest ciphers only
+// Requires: CloudFront-Viewer-TLS header in Origin Request Policy
+function handler(event) {
+  var request = event.request;
+  var headers = request.headers;
+  // Get TLS info from CloudFront-Viewer-TLS header
+  // Format: TLSv1.3:TLS_AES_128_GCM_SHA256:sessionResumed
+  var tlsInfo = headers['cloudfront-viewer-tls']
+    ? headers['cloudfront-viewer-tls'].value
+    : '';
+  // Parse TLS version and cipher
+  var parts = tlsInfo.split(':');
+  var tlsVersion = parts[0] || 'unknown';
+  var cipher = parts[1] || 'unknown';
+  // Check if using TLS 1.3
+  if (!tlsVersion.startsWith('TLSv1.3')) {
+    // Redirect to upgrade page with Request ID for incident tracking
+    var requestId = event.context.requestId;
+    return {
+      statusCode: 302,
+      statusDescription: 'Found',
+      headers: {
+        'location': { value: '/upgrade.html?ref=' + requestId },
+        'cache-control': { value: 'no-store' },
+      },
+    };
+  }
+  // Verify strong cipher (TLS 1.3 GCM only)
+  var allowedCiphers = [
+    'TLS_AES_128_GCM_SHA256',
+    'TLS_AES_256_GCM_SHA384'
+  ];
+  if (allowedCiphers.indexOf(cipher) === -1) {
+    // Redirect to upgrade page with Request ID for incident tracking
+    var requestId = event.context.requestId;
+    return {
+      statusCode: 302,
+      statusDescription: 'Found',
+      headers: {
+        'location': { value: '/upgrade.html?ref=' + requestId },
+        'cache-control': { value: 'no-store' },
+      },
+    };
+  }
+  // Allow request to proceed
+  return request;
+}

package/lib/cloudfront/cloudfront-functions/userinfo-endpoint.js ADDED Viewed

@@ -0,0 +1,208 @@
+// CloudFront Function: User Info Endpoint (viewer-request)
+// Purpose: Validate JWT and return user info JSON without exposing full JWT
+// Security: Validates JWT signature, returns only name and roles, calculates cache expiration
+import cf from 'cloudfront';
+var crypto = require('crypto');
+const kvsHandle = cf.kvs();
+function base64urlDecode(str) {
+    var base64 = str.replace(/-/g, '+').replace(/_/g, '/');
+    while (base64.length % 4) {
+        base64 += '=';
+    }
+    return atob(base64);
+}
+function constantTimeCompare(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    var result = 0;
+    for (var i = 0; i < a.length; i++) {
+        result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return result === 0;
+}
+async function validateHmacSignature(token) {
+    var parts = token.split('.');
+    if (parts.length !== 3) {
+        return false;
+    }
+    var signingInput = parts[0] + '.' + parts[1];
+    var providedSignature = parts[2];
+    try {
+        var secret = await kvsHandle.get('jwt.secret');
+        if (!secret) {
+            return false;
+        }
+        var hmac = crypto.createHmac('sha256', secret);
+        hmac.update(signingInput);
+        var computedSignature = hmac.digest('base64url');
+        if (constantTimeCompare(computedSignature, providedSignature)) {
+            return true;
+        }
+        try {
+            var oldSecret = await kvsHandle.get('jwt.secret.old');
+            if (oldSecret) {
+                var oldHmac = crypto.createHmac('sha256', oldSecret);
+                oldHmac.update(signingInput);
+                var oldComputedSignature = oldHmac.digest('base64url');
+                if (constantTimeCompare(oldComputedSignature, oldComputedSignature)) {
+                    return true;
+                }
+            }
+        } catch (e) {
+            // Old secret doesn't exist
+        }
+        return false;
+    } catch (e) {
+        return false;
+    }
+}
+function extractUserInfo(token, nameFields) {
+    try {
+        var parts = token.split('.');
+        if (parts.length !== 3) {
+            return null;
+        }
+        var payload = JSON.parse(base64urlDecode(parts[1]));
+        // Extract name using ordered fallback list
+        var username = 'User';
+        for (var i = 0; i < nameFields.length; i++) {
+            if (payload[nameFields[i]]) {
+                username = payload[nameFields[i]];
+                break;
+            }
+        }
+        // Extract roles (default to empty array)
+        var roles = payload.roles || [];
+        // Extract expiration for cache control
+        var exp = payload.exp || 0;
+        return {
+            name: username,
+            roles: roles,
+            exp: exp
+        };
+    } catch (e) {
+        console.log('Failed to extract user info from JWT: ' + e);
+        return null;
+    }
+}
+async function handler(event) {
+    var request = event.request;
+    // Extract JWT from request cookies
+    var cookies = request.cookies;
+    if (!cookies['__Host-auth_session']) {
+        return {
+            statusCode: 401,
+            statusDescription: 'Unauthorized',
+            headers: {
+                'content-type': { value: 'application/json' },
+                'cache-control': { value: 'no-store' }
+            },
+            body: {
+                encoding: 'text',
+                data: JSON.stringify({ error: 'No session found' })
+            }
+        };
+    }
+    var token = cookies['__Host-auth_session'].value;
+    if (!token) {
+        return {
+            statusCode: 401,
+            statusDescription: 'Unauthorized',
+            headers: {
+                'content-type': { value: 'application/json' },
+                'cache-control': { value: 'no-store' }
+            },
+            body: {
+                encoding: 'text',
+                data: JSON.stringify({ error: 'Invalid session' })
+            }
+        };
+    }
+    // Validate JWT signature
+    var isValid = await validateHmacSignature(token);
+    if (!isValid) {
+        return {
+            statusCode: 401,
+            statusDescription: 'Unauthorized',
+            headers: {
+                'content-type': { value: 'application/json' },
+                'cache-control': { value: 'no-store' }
+            },
+            body: {
+                encoding: 'text',
+                data: JSON.stringify({ error: 'Invalid JWT signature' })
+            }
+        };
+    }
+    // NOTE: This array is automatically replaced by CDK with configured JWT claim fields
+    var nameFields = ['key1', 'key2', 'key3'];
+    // Extract user info from JWT
+    var userInfo = extractUserInfo(token, nameFields);
+    if (!userInfo) {
+        return {
+            statusCode: 500,
+            statusDescription: 'Internal Server Error',
+            headers: {
+                'content-type': { value: 'application/json' },
+                'cache-control': { value: 'no-store' }
+            },
+            body: {
+                encoding: 'text',
+                data: JSON.stringify({ error: 'Failed to parse JWT' })
+            }
+        };
+    }
+    // Calculate cache duration from JWT expiration
+    var now = Math.floor(Date.now() / 1000);
+    var maxAge = userInfo.exp - now;
+    // Ensure maxAge is positive and reasonable
+    if (maxAge <= 0) {
+        maxAge = 0;
+    } else if (maxAge > 3600) {
+        maxAge = 3600; // Cap at 1 hour for safety
+    }
+    // Return user info as JSON with dynamic cache control
+    return {
+        statusCode: 200,
+        statusDescription: 'OK',
+        headers: {
+            'content-type': { value: 'application/json' },
+            'cache-control': { value: 'private, max-age=' + maxAge }
+        },
+        body: {
+            encoding: 'text',
+            data: JSON.stringify({
+                name: userInfo.name,
+                roles: userInfo.roles
+            })
+        }
+    };
+}

package/lib/cloudfront/lambda/certificate/index.py ADDED Viewed

@@ -0,0 +1,219 @@
+import json
+import boto3
+import time
+from typing import Any, Dict
+acm = boto3.client('acm', region_name='us-east-1')
+route53 = boto3.client('route53')
+def handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
+    """
+    Custom resource handler for creating ACM certificates in us-east-1.
+    """
+    print(f"Event: {json.dumps(event)}")
+    try:
+        request_type = event['RequestType']
+        props = event['ResourceProperties']
+        domain_name = props['DomainName']
+        sans = props.get('SubjectAlternativeNames', [])
+        hosted_zone_id = props['HostedZoneId']
+        print(f"Processing {request_type} for domain: {domain_name}")
+        print(f"Hosted Zone ID: {hosted_zone_id}")
+        if request_type == 'Create':
+            return create_certificate(domain_name, sans, hosted_zone_id)
+        elif request_type == 'Update':
+            # For updates, delete old and create new
+            old_props = event['OldResourceProperties']
+            old_cert_arn = event['PhysicalResourceId']
+            # Create new certificate first
+            result = create_certificate(domain_name, sans, hosted_zone_id)
+            # Delete old certificate (best effort)
+            try:
+                acm.delete_certificate(CertificateArn=old_cert_arn)
+            except Exception as e:
+                print(f"Failed to delete old certificate: {e}")
+            return result
+        elif request_type == 'Delete':
+            cert_arn = event['PhysicalResourceId']
+            return delete_certificate(cert_arn, hosted_zone_id)
+        return {
+            'PhysicalResourceId': event.get('PhysicalResourceId', 'unknown'),
+            'Data': {}
+        }
+    except Exception as e:
+        print(f"ERROR: {str(e)}")
+        import traceback
+        traceback.print_exc()
+        raise
+def create_certificate(domain_name: str, sans: list, hosted_zone_id: str) -> Dict[str, Any]:
+    """Create and validate an ACM certificate."""
+    # Request certificate
+    request_params = {
+        'DomainName': domain_name,
+        'ValidationMethod': 'DNS',
+    }
+    if sans:
+        request_params['SubjectAlternativeNames'] = sans
+    response = acm.request_certificate(**request_params)
+    cert_arn = response['CertificateArn']
+    print(f"Certificate requested: {cert_arn}")
+    # Wait for validation records to be available
+    validation_records = wait_for_validation_records(cert_arn)
+    # Create DNS validation records
+    create_validation_records(validation_records, hosted_zone_id)
+    # Wait for certificate to be issued
+    wait_for_certificate_validation(cert_arn)
+    return {
+        'PhysicalResourceId': cert_arn,
+        'Data': {
+            'CertificateArn': cert_arn
+        }
+    }
+def delete_certificate(cert_arn: str, hosted_zone_id: str) -> Dict[str, Any]:
+    """Delete certificate and cleanup validation records."""
+    try:
+        # Get validation records before deleting
+        cert = acm.describe_certificate(CertificateArn=cert_arn)
+        validation_records = cert['Certificate'].get('DomainValidationOptions', [])
+        # Delete validation records
+        delete_validation_records(validation_records, hosted_zone_id)
+        # Delete certificate
+        acm.delete_certificate(CertificateArn=cert_arn)
+        print(f"Certificate deleted: {cert_arn}")
+    except acm.exceptions.ResourceNotFoundException:
+        print(f"Certificate not found: {cert_arn}")
+    except Exception as e:
+        print(f"Error deleting certificate: {e}")
+    return {
+        'PhysicalResourceId': cert_arn,
+        'Data': {}
+    }
+def wait_for_validation_records(cert_arn: str, max_attempts: int = 60) -> list:
+    """Wait for validation records to be available."""
+    for attempt in range(max_attempts):
+        cert = acm.describe_certificate(CertificateArn=cert_arn)
+        validation_options = cert['Certificate'].get('DomainValidationOptions', [])
+        # Check if all domains have validation records
+        all_ready = all(
+            'ResourceRecord' in option
+            for option in validation_options
+        )
+        if all_ready:
+            return validation_options
+        time.sleep(5)
+    raise Exception("Timeout waiting for validation records")
+def create_validation_records(validation_options: list, hosted_zone_id: str) -> None:
+    """Create DNS validation records in Route53."""
+    changes = []
+    for option in validation_options:
+        if 'ResourceRecord' in option:
+            record = option['ResourceRecord']
+            print(f"Creating validation record: {record['Name']} -> {record['Value']}")
+            changes.append({
+                'Action': 'UPSERT',
+                'ResourceRecordSet': {
+                    'Name': record['Name'],
+                    'Type': record['Type'],
+                    'TTL': 300,
+                    'ResourceRecords': [{'Value': record['Value']}]
+                }
+            })
+    if changes:
+        print(f"Applying {len(changes)} DNS changes to hosted zone {hosted_zone_id}")
+        response = route53.change_resource_record_sets(
+            HostedZoneId=hosted_zone_id,
+            ChangeBatch={'Changes': changes}
+        )
+        # Wait for change to propagate
+        change_id = response['ChangeInfo']['Id']
+        print(f"Waiting for Route53 change {change_id} to complete")
+        wait_for_route53_change(change_id)
+        print(f"Route53 change completed")
+    else:
+        print("No validation records to create")
+def delete_validation_records(validation_options: list, hosted_zone_id: str) -> None:
+    """Delete DNS validation records from Route53."""
+    changes = []
+    for option in validation_options:
+        if 'ResourceRecord' in option:
+            record = option['ResourceRecord']
+            changes.append({
+                'Action': 'DELETE',
+                'ResourceRecordSet': {
+                    'Name': record['Name'],
+                    'Type': record['Type'],
+                    'TTL': 300,
+                    'ResourceRecords': [{'Value': record['Value']}]
+                }
+            })
+    if changes:
+        try:
+            route53.change_resource_record_sets(
+                HostedZoneId=hosted_zone_id,
+                ChangeBatch={'Changes': changes}
+            )
+        except Exception as e:
+            print(f"Error deleting validation records: {e}")
+def wait_for_route53_change(change_id: str, max_attempts: int = 60) -> None:
+    """Wait for Route53 change to complete."""
+    for attempt in range(max_attempts):
+        response = route53.get_change(Id=change_id)
+        if response['ChangeInfo']['Status'] == 'INSYNC':
+            return
+        time.sleep(5)
+    raise Exception("Timeout waiting for Route53 change")
+def wait_for_certificate_validation(cert_arn: str, max_attempts: int = 120) -> None:
+    """Wait for certificate to be validated and issued."""
+    for attempt in range(max_attempts):
+        cert = acm.describe_certificate(CertificateArn=cert_arn)
+        status = cert['Certificate']['Status']
+        if status == 'ISSUED':
+            print(f"Certificate issued: {cert_arn}")
+            return
+        elif status == 'FAILED':
+            raise Exception(f"Certificate validation failed: {cert_arn}")
+        time.sleep(10)
+    raise Exception("Timeout waiting for certificate validation")

package/lib/cloudfront/lambda/cognito-auth/oauth-callback.py ADDED Viewed

@@ -0,0 +1,215 @@
+import json
+import urllib.parse
+import urllib.request
+from jwt import PyJWK
+import jwt
+import boto3
+import logging
+import hmac
+import hashlib
+import base64
+import time
+import uuid
+from datetime import datetime
+from config_generated import get_config
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+dynamodb = None
+CONFIG = None
+HMAC_SECRET = None
+def get_config_cached():
+    global CONFIG, dynamodb
+    if CONFIG is None:
+        CONFIG = get_config()
+        dynamodb_region = CONFIG.get('dynamodb_region', 'us-east-1')
+        dynamodb = boto3.client('dynamodb', region_name=dynamodb_region)
+    return CONFIG
+def get_hmac_secret():
+    global HMAC_SECRET
+    if HMAC_SECRET is not None:
+        return HMAC_SECRET
+    config = get_config_cached()
+    HMAC_SECRET = config.get('hmac_key')
+    if not HMAC_SECRET:
+        raise ValueError('hmac_key not found in config')
+    return HMAC_SECRET
+def exchange_code_for_token(code, cognito_domain, client_id, redirect_uri, code_verifier):
+    token_url = f'https://{cognito_domain}/oauth2/token'
+    data = {
+        'grant_type': 'authorization_code',
+        'client_id': client_id,
+        'code': code,
+        'redirect_uri': redirect_uri,
+        'code_verifier': code_verifier,
+    }
+    req = urllib.request.Request(
+        token_url,
+        data=urllib.parse.urlencode(data).encode('utf-8'),
+        headers={'Content-Type': 'application/x-www-form-urlencoded'},
+    )
+    try:
+        with urllib.request.urlopen(req) as response:
+            return json.loads(response.read().decode('utf-8'))
+    except urllib.error.HTTPError as e:
+        logger.error(f'Token exchange HTTP error: {e.code} {e.read().decode()}')
+        raise
+def validate_jwt_token(id_token, client_id, user_pool_id, cognito_region):
+    jwks_url = f'https://cognito-idp.{cognito_region}.amazonaws.com/{user_pool_id}/.well-known/jwks.json'
+    with urllib.request.urlopen(jwks_url) as response:
+        jwks = json.loads(response.read().decode('utf-8'))
+    unverified_header = jwt.get_unverified_header(id_token)
+    rsa_key = next((k for k in jwks['keys'] if k['kid'] == unverified_header['kid']), None)
+    if not rsa_key:
+        raise ValueError('Unable to find matching key')
+    jwk = PyJWK.from_dict(rsa_key)
+    issuer = f'https://cognito-idp.{cognito_region}.amazonaws.com/{user_pool_id}'
+    return jwt.decode(id_token, jwk.key, algorithms=['RS256'], audience=client_id, issuer=issuer)
+def lambda_handler(event, context):
+    request = event['Records'][0]['cf']['request']
+    try:
+        config = get_config_cached()
+        cognito_domain = config['cognito_domain']
+        client_id = config['cognito_client_id']
+        user_pool_id = config['cognito_user_pool_id']
+        cognito_region = config['cognito_region']
+        redirect_uri = config['redirect_uri']
+        table_name = config.get('dynamodb_table_name')
+        auto_revoke_on_reuse = config.get('auto_revoke_on_reuse', 'false').lower() == 'true'
+        jwt_claims_whitelist_str = config.get('jwt_claims_whitelist', '')
+    except Exception as e:
+        logger.error(f'Config load failed: {e}')
+        return {'status': '500', 'statusDescription': 'Internal Server Error', 'body': 'Configuration error'}
+    params = urllib.parse.parse_qs(request.get('querystring', ''))
+    code = params.get('code', [None])[0]
+    state = params.get('state', [None])[0]
+    if not code:
+        return {'status': '400', 'statusDescription': 'Bad Request', 'body': 'Missing authorization code'}
+    cookies = {}
+    for cookie in (request.get('headers', {}).get('cookie') or [{}])[0].get('value', '').split('; '):
+        if '=' in cookie:
+            name, value = cookie.split('=', 1)
+            cookies[name] = value
+    code_verifier = cookies.get('code_verifier')
+    if not code_verifier:
+        return {'status': '400', 'statusDescription': 'Bad Request', 'body': 'Authentication failed'}
+    stored_state = cookies.get('oauth_state')
+    if not stored_state or stored_state != state:
+        return {'status': '400', 'statusDescription': 'Bad Request', 'body': 'Invalid state parameter'}
+    if table_name and state:
+        try:
+            resp = dynamodb.get_item(
+                TableName=table_name,
+                Key={'pk': {'S': f'STATE#{state}'}, 'sk': {'S': f'STATE#{state}'}},
+            )
+            if not resp.get('Item'):
+                dynamodb.put_item(TableName=table_name, Item={
+                    'pk': {'S': f'STATE#{state}'}, 'sk': {'S': f'STATE#{state}'},
+                    'used': {'BOOL': True},
+                    'createdAt': {'N': str(int(time.time()))},
+                    'expiresAt': {'N': str(int(time.time()) + 600)},
+                })
+            elif resp['Item'].get('used', {}).get('BOOL') and auto_revoke_on_reuse:
+                return {'status': '400', 'statusDescription': 'Bad Request', 'body': 'Invalid or reused state token'}
+        except Exception as e:
+            logger.error(f'DynamoDB state check error: {e}')
+    redirect_path = '/'
+    try:
+        padded = state + '=' * (4 - len(state) % 4)
+        state_obj = json.loads(base64.urlsafe_b64decode(padded.replace('-', '+').replace('_', '/')))
+        redirect_path = state_obj.get('p', '/')
+    except Exception:
+        pass
+    try:
+        token_response = exchange_code_for_token(code, cognito_domain, client_id, redirect_uri, code_verifier)
+        id_token = token_response['id_token']
+        payload = validate_jwt_token(id_token, client_id, user_pool_id, cognito_region)
+        logger.info(f'JWT validated for: {payload.get("email", payload.get("cognito:username", "unknown"))}')
+        jti = f'sess_{uuid.uuid4().hex}'
+        user_id = payload.get('sub') or payload.get('email') or payload.get('cognito:username')
+        if jwt_claims_whitelist_str:
+            whitelist = json.loads(jwt_claims_whitelist_str)
+            filtered_payload = {k: v for k, v in payload.items() if k in whitelist}
+        else:
+            filtered_payload = {k: v for k, v in payload.items() if not k.startswith('cognito:')}
+        session_payload = {
+            **filtered_payload,
+            'jti': jti,
+            'exp': payload.get('exp', int(time.time()) + 3600),
+            'iat': int(time.time()),
+            'iss': redirect_uri,
+            'idp': payload.get('iss'),
+        }
+        if table_name and user_id:
+            try:
+                dynamodb.put_item(TableName=table_name, Item={
+                    'pk': {'S': f'SESSION#{user_id}'}, 'sk': {'S': f'SESSION#{jti}'},
+                    'gsi1pk': {'S': f'USER#{user_id}'}, 'gsi1sk': {'S': f'SESSION#{int(time.time())}'},
+                    'jti': {'S': jti}, 'userId': {'S': user_id},
+                    'email': {'S': payload.get('email', '')},
+                    'createdAt': {'N': str(int(time.time()))},
+                    'revoked': {'BOOL': False},
+                    'expiresAt': {'N': str(int(time.time()) + 3600)},
+                })
+            except Exception as e:
+                logger.error(f'Failed to store session: {e}')
+        header_b64 = base64.urlsafe_b64encode(
+            json.dumps({'alg': 'HS256', 'typ': 'JWT'}, separators=(',', ':')).encode()
+        ).decode().rstrip('=')
+        payload_b64 = base64.urlsafe_b64encode(
+            json.dumps(session_payload, separators=(',', ':')).encode()
+        ).decode().rstrip('=')
+        signing_input = f'{header_b64}.{payload_b64}'
+        hmac_secret = get_hmac_secret()
+        sig = hmac.new(hmac_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
+        cookie_value = f'{signing_input}.{base64.urlsafe_b64encode(sig).decode().rstrip("=")}'
+        exp_ts = payload.get('exp', int(time.time()) + 3600)
+        expires_str = datetime.utcfromtimestamp(exp_ts).strftime('%a, %d %b %Y %H:%M:%S GMT')
+        return {
+            'status': '302',
+            'statusDescription': 'Found',
+            'headers': {
+                'location': [{'key': 'Location', 'value': redirect_path}],
+                'set-cookie': [
+                    {'key': 'Set-Cookie', 'value': f'__Host-auth_session={cookie_value}; HttpOnly; Secure; SameSite=Lax; Path=/; Expires={expires_str}'},
+                    {'key': 'Set-Cookie', 'value': 'oauth_state=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0'},
+                    {'key': 'Set-Cookie', 'value': 'code_verifier=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0'},
+                ],
+                'cache-control': [{'key': 'Cache-Control', 'value': 'no-store'}],
+            },
+        }
+    except Exception as e:
+        import traceback
+        logger.error(f'OAuth callback error: {traceback.format_exc()}')
+        return {'status': '500', 'statusDescription': 'Internal Server Error', 'body': 'Authentication failed'}