npm - raindancers-cloudfront - Versions diffs - 0.0.0 → 0.0.1 - Mend

raindancers-cloudfront 0.0.0 → 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (36) hide show

package/lib/cloudfront/lambda/hmacSecret/index.py ADDED Viewed

@@ -0,0 +1,129 @@
+import boto3
+import json
+import logging
+import urllib3
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+http = urllib3.PoolManager()
+def send_response(event, context, status, data=None):
+    """Send response to CloudFormation"""
+    response_body = {
+        'Status': status,
+        'Reason': f'See CloudWatch Log Stream: {context.log_stream_name}',
+        'PhysicalResourceId': context.log_stream_name,
+        'StackId': event['StackId'],
+        'RequestId': event['RequestId'],
+        'LogicalResourceId': event['LogicalResourceId'],
+        'Data': data or {}
+    }
+    json_response = json.dumps(response_body)
+    headers = {'content-type': '', 'content-length': str(len(json_response))}
+    try:
+        http.request('PUT', event['ResponseURL'], body=json_response, headers=headers)
+    except Exception as e:
+        logger.error(f'Failed to send response: {e}')
+def copy_secret_to_kvs(secret_arn, kvs_arn):
+    """
+    Core logic to copy HMAC secret from Secrets Manager to CloudFront KVS.
+    Implements dual-secret rotation: stores both current and old secret for zero-downtime rotation.
+    """
+    logger.info(f'Copying secret from {secret_arn} to KVS {kvs_arn}')
+    secrets_client = boto3.client('secretsmanager')
+    secret_response = secrets_client.get_secret_value(SecretId=secret_arn)
+    secret_data = json.loads(secret_response['SecretString'])
+    new_secret = secret_data['hmac_key']
+    logger.info('New secret retrieved from Secrets Manager')
+    cf_client = boto3.client('cloudfront-keyvaluestore')
+    kvs_response = cf_client.describe_key_value_store(KvsARN=kvs_arn)
+    etag = kvs_response['ETag']
+    logger.info(f'KVS ETag: {etag}')
+    try:
+        current_response = cf_client.get_key(
+            KvsARN=kvs_arn,
+            # amazonq-ignore-next-line
+            Key='jwt.secret'
+        )
+        old_secret = current_response['Value']
+        cf_client.put_key(
+            KvsARN=kvs_arn,
+            # amazonq-ignore-next-line
+            Key='jwt.secret.old',
+            Value=old_secret,
+            IfMatch=etag
+        )
+        logger.info('Current secret preserved as old secret')
+        kvs_response = cf_client.describe_key_value_store(KvsARN=kvs_arn)
+        etag = kvs_response['ETag']
+    except cf_client.exceptions.ResourceNotFoundException:
+        logger.info('No existing secret found (first deployment)')
+    except Exception as e:
+        logger.warning(f'Could not preserve old secret: {e}')
+    cf_client.put_key(
+        KvsARN=kvs_arn,
+        # amazonq-ignore-next-line
+        Key='jwt.secret',
+        Value=new_secret,
+        IfMatch=etag
+    )
+    logger.info('New secret copied to CloudFront KVS successfully')
+    logger.info('Dual-secret rotation complete: jwt.secret (new) + jwt.secret.old (previous)')
+def handler(event, context):
+    """
+    Handler supporting both CloudFormation Custom Resource and direct Lambda invocations.
+    """
+    try:
+        is_cfn_event = 'RequestType' in event and 'ResponseURL' in event
+        if is_cfn_event:
+            logger.info(f'CloudFormation Request Type: {event["RequestType"]}')
+            request_type = event['RequestType']
+            if request_type in ['Create', 'Update']:
+                secret_arn = event['ResourceProperties']['SecretArn']
+                kvs_arn = event['ResourceProperties']['KvsArn']
+                copy_secret_to_kvs(secret_arn, kvs_arn)
+                send_response(event, context, 'SUCCESS', {
+                    'Message': 'Secret rotation complete with dual-secret support'
+                })
+            elif request_type == 'Delete':
+                logger.info('Delete request - no cleanup needed')
+                send_response(event, context, 'SUCCESS')
+            else:
+                logger.warning(f'Unknown request type: {request_type}')
+                send_response(event, context, 'SUCCESS')
+        else:
+            logger.info('Direct invocation (non-CloudFormation)')
+            secret_arn = event['ResourceProperties']['SecretArn']
+            kvs_arn = event['ResourceProperties']['KvsArn']
+            copy_secret_to_kvs(secret_arn, kvs_arn)
+            return {
+                'statusCode': 200,
+                'body': json.dumps({'message': 'Secret copied successfully'})
+            }
+    except Exception as e:
+        logger.error(f'Error: {str(e)}', exc_info=True)
+        if 'ResponseURL' in event:
+            send_response(event, context, 'FAILED')
+        else:
+            raise

package/lib/cloudfront/lambda/hmacSecret/requirements.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ botocore[crt]>=1.31.0

package/lib/cloudfront/lambda/jwt-decoder/index.py ADDED Viewed

@@ -0,0 +1,88 @@
+import json
+import base64
+from datetime import datetime
+def handler(event, context):
+    cookies = event.get('cookies', [])
+    auth_token = None
+    for cookie in cookies:
+        if cookie.startswith('__Host-auth_session='):
+            auth_token = cookie.split('=', 1)[1]
+            break
+    if not auth_token:
+        return {
+            'statusCode': 200,
+            'headers': {
+                'Content-Type': 'text/html',
+                'Content-Security-Policy': "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'",
+            },
+            'body': '<html><body><h1>No JWT Found</h1><p>No auth_session cookie present.</p></body></html>'
+        }
+    try:
+        parts = auth_token.split('.')
+        if len(parts) != 3:
+            raise ValueError('Invalid JWT format')
+        header = json.loads(base64.urlsafe_b64decode(parts[0] + '=='))
+        payload = json.loads(base64.urlsafe_b64decode(parts[1] + '=='))
+        # Format timestamps
+        nbf_time = datetime.fromtimestamp(payload.get('nbf', 0)).strftime('%Y-%m-%d %H:%M:%S') if 'nbf' in payload else 'N/A'
+        exp_time = datetime.fromtimestamp(payload.get('exp', 0)).strftime('%Y-%m-%d %H:%M:%S') if 'exp' in payload else 'N/A'
+        html = f'''
+        <html>
+        <head><title>JWT Decoder</title></head>
+        <body style="font-family: monospace; padding: 20px;">
+            <h1>JWT Token Details</h1>
+            <p><strong>Not Before:</strong>	<span id="nbf">{nbf_time} UTC</span></p>
+            <p><strong>Expires:</strong>		<span id="exp">{exp_time} UTC</span></p>
+            <h2>Header</h2>
+            <pre>{json.dumps(header, indent=2)}</pre>
+            <h2>Payload</h2>
+            <pre>{json.dumps(payload, indent=2)}</pre>
+            <h2>Signature</h2>
+            <pre>{parts[2]}</pre>
+            <script>
+                const nbf = {payload.get('nbf', 0)};
+                const exp = {payload.get('exp', 0)};
+                const offset = -new Date().getTimezoneOffset();
+                const offsetHours = Math.floor(Math.abs(offset) / 60);
+                const offsetMinutes = Math.abs(offset) % 60;
+                const offsetSign = offset >= 0 ? '+' : '-';
+                const offsetStr = `${{offsetSign}}${{String(offsetHours).padStart(2, '0')}}:${{String(offsetMinutes).padStart(2, '0')}}`;
+                const options = {{ year: 'numeric', month: '2-digit', day: '2-digit', hour: '2-digit', minute: '2-digit', second: '2-digit', hour12: false }};
+                if (nbf) {{
+                    document.getElementById('nbf').textContent = `${{new Date(nbf * 1000).toLocaleString('en-NZ', options)}} (UTC${{offsetStr}})`;
+                }}
+                if (exp) {{
+                    document.getElementById('exp').textContent = `${{new Date(exp * 1000).toLocaleString('en-NZ', options)}} (UTC${{offsetStr}})`;
+                }}
+            </script>
+        </body>
+        </html>
+        '''
+        return {
+            'statusCode': 200,
+            'headers': {
+                'Content-Type': 'text/html',
+                'Content-Security-Policy': "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'",
+            },
+            'body': html
+        }
+    except Exception as e:
+        return {
+            'statusCode': 200,
+            'headers': {
+                'Content-Type': 'text/html',
+                'Content-Security-Policy': "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'",
+            },
+            'body': f'<html><body><h1>Error Decoding JWT</h1><p>{str(e)}</p></body></html>'
+        }

package/lib/cloudfront/lambda/pre-token/index.py ADDED Viewed

@@ -0,0 +1,11 @@
+def handler(event, context):
+    groups = event['request']['groupConfiguration']['groupsToOverride']
+    event['response']['claimsAndScopeOverrideDetails'] = {
+        'idTokenGeneration': {
+            'claimsToAddOrOverride': {
+                'roles': groups,
+                'https://aws.amazon.com/tags/principal_tags/Claims': ':' + ':'.join(groups) + ':',
+            }
+        }
+    }
+    return event

package/lib/cloudfront/lambda/rotateSecret/index.py ADDED Viewed

@@ -0,0 +1,86 @@
+import json
+import boto3
+import secrets
+import string
+import os
+import time
+secretsmanager = boto3.client('secretsmanager')
+lambda_client = boto3.client('lambda')
+SECRET_ARN = os.environ['SECRET_ARN']
+COPY_LAMBDA_ARN = os.environ['COPY_LAMBDA_ARN']
+KVS_ARN = os.environ['KVS_ARN']
+MAX_RETRIES = 3
+RETRY_DELAY = 2
+def generate_hmac_key(length=64):
+    alphabet = string.ascii_letters + string.digits
+    return ''.join(secrets.choice(alphabet) for _ in range(length))
+def invoke_copy_lambda_with_retry(payload):
+    """Invoke copy lambda synchronously with retry logic"""
+    for attempt in range(MAX_RETRIES):
+        try:
+            print(f'Invoking copy lambda (attempt {attempt + 1}/{MAX_RETRIES})')
+            response = lambda_client.invoke(
+                FunctionName=COPY_LAMBDA_ARN,
+                InvocationType='RequestResponse',
+                Payload=json.dumps(payload)
+            )
+            response_payload = json.loads(response['Payload'].read())
+            if response['StatusCode'] == 200:
+                if 'statusCode' in response_payload and response_payload['statusCode'] == 200:
+                    print('Copy lambda invoked successfully')
+                    return response_payload
+                elif 'FunctionError' in response:
+                    raise Exception(f"Copy lambda error: {response_payload}")
+                else:
+                    print('Copy lambda completed successfully')
+                    return response_payload
+            else:
+                raise Exception(f"Lambda invocation failed with status {response['StatusCode']}")
+        except Exception as e:
+            print(f'Attempt {attempt + 1} failed: {str(e)}')
+            if attempt < MAX_RETRIES - 1:
+                print(f'Retrying in {RETRY_DELAY} seconds...')
+                time.sleep(RETRY_DELAY)
+            else:
+                raise Exception(f'Failed to invoke copy lambda after {MAX_RETRIES} attempts: {str(e)}')
+def handler(event, context):
+    print(f"Rotating secret: {SECRET_ARN}")
+    response = secretsmanager.get_secret_value(SecretId=SECRET_ARN)
+    current_secret = json.loads(response['SecretString'])
+    new_hmac_key = generate_hmac_key()
+    current_secret['hmac_key'] = new_hmac_key
+    secretsmanager.put_secret_value(
+        SecretId=SECRET_ARN,
+        SecretString=json.dumps(current_secret)
+    )
+    print(f"Secret rotated in Secrets Manager")
+    payload = {
+        'ResourceProperties': {
+            'SecretArn': SECRET_ARN,
+            'KvsArn': KVS_ARN
+        }
+    }
+    invoke_copy_lambda_with_retry(payload)
+    print(f"KVS updated successfully")
+    return {
+        'statusCode': 200,
+        'body': json.dumps('Secret rotated and synchronized successfully')
+    }

package/lib/cloudfront/lambda/session-revocation/index.py ADDED Viewed

@@ -0,0 +1,80 @@
+import json
+import boto3
+import logging
+import os
+import time
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+dynamodb = boto3.client('dynamodb')
+kvs_client = boto3.client('cloudfront-keyvaluestore')
+TABLE_NAME = os.environ['TABLE_NAME']
+KVS_ARN = os.environ['KVS_ARN']
+def lambda_handler(event, context):
+    """Triggered by SNS message to revoke user sessions
+    Message format: {"action": "revoke", "userId": "user@example.com"}
+    """
+    for record in event['Records']:
+        try:
+            message = json.loads(record['Sns']['Message'])
+            if message.get('action') != 'revoke':
+                logger.warning(f'Unknown action: {message.get("action")}')
+                continue
+            user_id = message.get('userId')
+            if not user_id:
+                logger.error('Missing userId in revocation message')
+                continue
+            logger.info(f'Processing revocation for user: {user_id}')
+            response = dynamodb.query(
+                TableName=TABLE_NAME,
+                IndexName='GSI1',
+                KeyConditionExpression='gsi1pk = :pk',
+                FilterExpression='revoked = :false',
+                ExpressionAttributeValues={
+                    ':pk': {'S': f'USER#{user_id}'},
+                    ':false': {'BOOL': False}
+                }
+            )
+            revoked_count = 0
+            for item in response.get('Items', []):
+                jti = item['jti']['S']
+                dynamodb.update_item(
+                    TableName=TABLE_NAME,
+                    Key={
+                        'pk': {'S': f'SESSION#{user_id}'},
+                        'sk': {'S': f'SESSION#{jti}'}
+                    },
+                    UpdateExpression='SET revoked = :true, revokedAt = :now',
+                    ExpressionAttributeValues={
+                        ':true': {'BOOL': True},
+                        ':now': {'N': str(int(time.time()))}
+                    }
+                )
+                kvs_client.put_key(
+                    KvsARN=KVS_ARN,
+                    Key=f'revoked:{jti}',
+                    Value=str(int(time.time())),
+                    IfMatch='*'
+                )
+                revoked_count += 1
+            logger.info(f'Revoked {revoked_count} sessions for user: {user_id}')
+        except Exception as e:
+            logger.error(f'Error processing revocation: {str(e)}')
+            raise
+    return {'statusCode': 200, 'body': 'Revocation processed'}

package/lib/cloudfront/lambda/ssm-writer/index.py ADDED Viewed

@@ -0,0 +1,44 @@
+import boto3
+import json
+import urllib3
+http = urllib3.PoolManager()
+def send_response(event, context, status, reason, physical_id):
+    body = json.dumps({
+        'Status': status,
+        'Reason': reason,
+        'PhysicalResourceId': physical_id,
+        'StackId': event['StackId'],
+        'RequestId': event['RequestId'],
+        'LogicalResourceId': event['LogicalResourceId'],
+        'Data': {},
+    })
+    try:
+        http.request('PUT', event['ResponseURL'], body=body.encode('utf-8'), headers={'Content-Type': ''})
+    except Exception as e:
+        print(f'Failed to send response to CloudFormation: {str(e)}')
+def handler(event, context):
+    physical_id = event.get('PhysicalResourceId', context.log_stream_name)
+    try:
+        props = event['ResourceProperties']
+        prefix = props['Prefix']
+        params = json.loads(props['Params'])
+        region = props.get('Region', 'us-east-1')
+        ssm = boto3.client('ssm', region_name=region)
+        if event['RequestType'] in ('Create', 'Update'):
+            for key, value in params.items():
+                ssm.put_parameter(Name=f'{prefix}/{key}', Value=value, Type='String', Overwrite=True)
+            physical_id = prefix
+        elif event['RequestType'] == 'Delete':
+            names = [f'{prefix}/{key}' for key in params]
+            for i in range(0, len(names), 10):
+                ssm.delete_parameters(Names=names[i:i+10])
+        send_response(event, context, 'SUCCESS', 'OK', physical_id)
+    except Exception as e:
+        print(f'Error: {str(e)}')
+        send_response(event, context, 'FAILED', str(e), physical_id)

package/lib/cloudfront/lambda/stream-processor/index.py ADDED Viewed

@@ -0,0 +1,53 @@
+import boto3
+import logging
+import os
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+kvs_client = boto3.client('cloudfront-keyvaluestore')
+KVS_ARN = os.environ['KVS_ARN']
+def lambda_handler(event, context):
+    """Triggered by DynamoDB Stream when TTL deletes expired sessions
+    Automatically removes corresponding revocations from KVS.
+    Only processes revoked sessions (not all TTL deletions).
+    """
+    deleted_count = 0
+    for record in event['Records']:
+        if record['eventName'] != 'REMOVE':
+            continue
+        if 'userIdentity' not in record or record['userIdentity'].get('type') != 'Service':
+            continue
+        old_image = record['dynamodb'].get('OldImage', {})
+        pk = old_image.get('pk', {}).get('S', '')
+        if not pk.startswith('SESSION#'):
+            continue
+        revoked = old_image.get('revoked', {}).get('BOOL', False)
+        if not revoked:
+            continue
+        jti = old_image.get('jti', {}).get('S')
+        if not jti:
+            continue
+        try:
+            kvs_client.delete_key(
+                KvsARN=KVS_ARN,
+                Key=f'revoked:{jti}',
+                IfMatch='*'
+            )
+            deleted_count += 1
+            logger.info(f'Cleaned up expired revocation from KVS: {jti}')
+        except Exception as e:
+            logger.warning(f'Failed to delete revocation from KVS: {jti}, error: {e}')
+    logger.info(f'Processed {len(event["Records"])} stream records, cleaned {deleted_count} revocations')
+    return {'statusCode': 200, 'deletedCount': deleted_count}