serverless-offline 8.7.0 → 9.0.0

package/src/events/http/OfflineEndpoint.js

@@ -0,0 +1,33 @@
+export default class OfflineEndpoint {
+  apiKeyRequired = false
+
+  authorizationType = 'none'
+
+  authorizerFunction = false
+
+  path = ''
+
+  requestParameters = {}
+
+  requestTemplates = {
+    'application/json': '',
+  }
+
+  responses = {
+    default: {
+      400: {
+        statusCode: '400',
+      },
+      responseModels: {
+        'application/json;charset=UTF-8': 'Empty',
+      },
+      responseParameters: {},
+      responseTemplates: {
+        'application/json;charset=UTF-8': '',
+      },
+      statusCode: 200,
+    },
+  }
+
+  type = 'AWS'
+}

package/src/events/http/authJWTSettingsExtractor.js

@@ -0,0 +1,70 @@
+import { log } from '@serverless/utils/log.js'
+
+export default function authJWTSettingsExtractor(
+  endpoint,
+  provider,
+  ignoreJWTSignature,
+) {
+  const buildFailureResult = (warningMessage) => {
+    log.warning(warningMessage)
+
+    return {
+      unsupportedAuth: true,
+    }
+  }
+
+  const buildSuccessResult = (authorizerName) => ({ authorizerName })
+
+  const { authorizer } = endpoint
+
+  if (!authorizer) {
+    return buildSuccessResult(null)
+  }
+
+  if (!provider.httpApi || !provider.httpApi.authorizers) {
+    return buildSuccessResult(null)
+  }
+
+  // TODO: add code that will actually validate a JWT.
+  if (!ignoreJWTSignature) {
+    return buildSuccessResult(null)
+  }
+
+  if (!authorizer.name) {
+    return buildFailureResult(
+      'Serverless Offline supports only JWT authorizers referenced by name',
+    )
+  }
+
+  const httpApiAuthorizer = provider.httpApi.authorizers[authorizer.name]
+
+  if (!httpApiAuthorizer) {
+    return buildFailureResult(`JWT authorizer ${authorizer.name} not found`)
+  }
+
+  if (!httpApiAuthorizer.identitySource) {
+    return buildFailureResult(
+      `JWT authorizer ${authorizer.name} missing identity source`,
+    )
+  }
+
+  if (!httpApiAuthorizer.issuerUrl) {
+    return buildFailureResult(
+      `JWT authorizer ${authorizer.name} missing issuer url`,
+    )
+  }
+
+  if (!httpApiAuthorizer.audience || httpApiAuthorizer.audience.length === 0) {
+    return buildFailureResult(
+      `JWT authorizer ${authorizer.name} missing audience`,
+    )
+  }
+
+  const result = {
+    authorizerName: authorizer.name,
+    ...authorizer,
+    ...httpApiAuthorizer,
+  }
+
+  return result
+}

package/src/events/http/createAuthScheme.js

@@ -0,0 +1,176 @@
+import Boom from '@hapi/boom'
+import { log } from '@serverless/utils/log.js'
+import authCanExecuteResource from '../authCanExecuteResource.js'
+import authValidateContext from '../authValidateContext.js'
+import {
+  nullIfEmpty,
+  parseHeaders,
+  parseMultiValueHeaders,
+  parseMultiValueQueryStringParameters,
+  parseQueryStringParameters,
+} from '../../utils/index.js'
+
+export default function createAuthScheme(authorizerOptions, provider, lambda) {
+  const authFunName = authorizerOptions.name
+  let identityHeader = 'authorization'
+
+  if (authorizerOptions.type !== 'request') {
+    const identitySourceMatch = /^method.request.header.((?:\w+-?)+\w+)$/.exec(
+      authorizerOptions.identitySource,
+    )
+
+    if (!identitySourceMatch || identitySourceMatch.length !== 2) {
+      throw new Error(
+        `Serverless Offline only supports retrieving tokens from the headers (λ: ${authFunName})`,
+      )
+    }
+
+    identityHeader = identitySourceMatch[1].toLowerCase()
+  }
+
+  // Create Auth Scheme
+  return () => ({
+    async authenticate(request, h) {
+      log.notice()
+      log.notice(
+        `Running Authorization function for ${request.method} ${request.path} (λ: ${authFunName})`,
+      )
+
+      // Get Authorization header
+      const { req } = request.raw
+
+      // Get path params
+      // aws doesn't auto decode path params - hapi does
+      const pathParams = { ...request.params }
+
+      const accountId = 'random-account-id'
+      const apiId = 'random-api-id'
+      const httpMethod = request.method.toUpperCase()
+      const resourcePath = request.route.path.replace(
+        new RegExp(`^/${provider.stage}`),
+        '',
+      )
+
+      let event = {
+        enhancedAuthContext: {},
+        methodArn: `arn:aws:execute-api:${provider.region}:${accountId}:${apiId}/${provider.stage}/${httpMethod}${resourcePath}`,
+        requestContext: {
+          accountId,
+          apiId,
+          httpMethod,
+          path: request.path,
+          requestId: 'random-request-id',
+          resourceId: 'random-resource-id',
+          resourcePath,
+          stage: provider.stage,
+        },
+        resource: resourcePath,
+      }
+
+      // Create event Object for authFunction
+      //   methodArn is the ARN of the function we are running we are authorizing access to (or not)
+      //   Account ID and API ID are not simulated
+      if (authorizerOptions.type === 'request') {
+        const { rawHeaders, url } = req
+
+        event = {
+          ...event,
+          headers: parseHeaders(rawHeaders),
+          httpMethod: request.method.toUpperCase(),
+          multiValueHeaders: parseMultiValueHeaders(rawHeaders),
+          multiValueQueryStringParameters:
+            parseMultiValueQueryStringParameters(url),
+          path: request.path,
+          pathParameters: nullIfEmpty(pathParams),
+          queryStringParameters: parseQueryStringParameters(url),
+          type: 'REQUEST',
+        }
+      } else {
+        const authorization = req.headers[identityHeader]
+
+        const identityValidationExpression = new RegExp(
+          authorizerOptions.identityValidationExpression,
+        )
+        const matchedAuthorization =
+          identityValidationExpression.test(authorization)
+        const finalAuthorization = matchedAuthorization ? authorization : ''
+
+        log.debug(`Retrieved ${identityHeader} header "${finalAuthorization}"`)
+
+        event = {
+          ...event,
+          authorizationToken: finalAuthorization,
+          type: 'TOKEN',
+        }
+      }
+
+      const lambdaFunction = lambda.get(authFunName)
+      lambdaFunction.setEvent(event)
+
+      try {
+        const result = await lambdaFunction.runHandler()
+        if (result === 'Unauthorized') return Boom.unauthorized('Unauthorized')
+
+        // Validate that the policy document has the principalId set
+        if (!result.principalId) {
+          log.notice(
+            `Authorization response did not include a principalId: (λ: ${authFunName})`,
+          )
+
+          return Boom.forbidden('No principalId set on the Response')
+        }
+
+        if (!authCanExecuteResource(result.policyDocument, event.methodArn)) {
+          log.notice(
+            `Authorization response didn't authorize user to access resource: (λ: ${authFunName})`,
+          )
+
+          return Boom.forbidden(
+            'User is not authorized to access this resource',
+          )
+        }
+
+        // validate the resulting context, ensuring that all
+        // values are either string, number, or boolean types
+        if (result.context) {
+          const validationResult = authValidateContext(
+            result.context,
+            authFunName,
+          )
+
+          if (validationResult instanceof Error) {
+            return validationResult
+          }
+
+          result.context = validationResult
+        }
+
+        log.notice(
+          `Authorization function returned a successful response: (λ: ${authFunName})`,
+        )
+
+        const authorizer = {
+          integrationLatency: '42',
+          principalId: result.principalId,
+          ...result.context,
+        }
+
+        // Set the credentials for the rest of the pipeline
+        return h.authenticated({
+          credentials: {
+            authorizer,
+            context: result.context,
+            principalId: result.principalId,
+            usageIdentifierKey: result.usageIdentifierKey,
+          },
+        })
+      } catch {
+        log.notice(
+          `Authorization function returned an error response: (λ: ${authFunName})`,
+        )
+
+        return Boom.unauthorized('Unauthorized')
+      }
+    },
+  })
+}

package/src/events/http/createJWTAuthScheme.js

@@ -0,0 +1,106 @@
+import Boom from '@hapi/boom'
+import { log } from '@serverless/utils/log.js'
+import { decode } from 'jsonwebtoken'
+
+const { isArray } = Array
+
+export default function createAuthScheme(jwtOptions) {
+  const authorizerName = jwtOptions.name
+
+  const identitySourceMatch = /^\$request.header.((?:\w+-?)+\w+)$/.exec(
+    jwtOptions.identitySource,
+  )
+
+  if (!identitySourceMatch || identitySourceMatch.length !== 2) {
+    throw new Error(
+      `Serverless Offline only supports retrieving JWT from the headers (${authorizerName})`,
+    )
+  }
+
+  const identityHeader = identitySourceMatch[1].toLowerCase()
+
+  // Create Auth Scheme
+  return () => ({
+    async authenticate(request, h) {
+      log.notice()
+      log.notice(
+        `Running JWT Authorization function for ${request.method} ${request.path} (${authorizerName})`,
+      )
+
+      // Get Authorization header
+      const { req } = request.raw
+      let jwtToken = req.headers[identityHeader]
+      if (jwtToken && jwtToken.split(' ')[0] === 'Bearer') {
+        ;[, jwtToken] = jwtToken.split(' ')
+      }
+
+      try {
+        const decoded = decode(jwtToken, { complete: true })
+        if (!decoded) {
+          return Boom.unauthorized('JWT not decoded')
+        }
+
+        const expirationDate = new Date(decoded.payload.exp * 1000)
+        if (expirationDate.valueOf() < Date.now()) {
+          return Boom.unauthorized('JWT Token expired')
+        }
+
+        const { aud, iss, scope } = decoded.payload
+        const clientId = decoded.payload.client_id
+        if (iss !== jwtOptions.issuerUrl) {
+          log.notice(`JWT Token not from correct issuer url`)
+
+          return Boom.unauthorized('JWT Token not from correct issuer url')
+        }
+
+        const validAudiences = isArray(jwtOptions.audience)
+          ? jwtOptions.audience
+          : [jwtOptions.audience]
+        const providedAudiences = isArray(aud) ? aud : [aud]
+        const validAudienceProvided = providedAudiences.some((a) =>
+          validAudiences.includes(a),
+        )
+
+        if (!validAudienceProvided && !validAudiences.includes(clientId)) {
+          log.notice(`JWT Token does not contain correct audience`)
+
+          return Boom.unauthorized(
+            'JWT Token does not contain correct audience',
+          )
+        }
+
+        let scopes = null
+        if (jwtOptions.scopes && jwtOptions.scopes.length) {
+          if (!scope) {
+            log.notice(`JWT Token missing valid scope`)
+
+            return Boom.forbidden('JWT Token missing valid scope')
+          }
+
+          scopes = scope.split(' ')
+          if (scopes.every((s) => !jwtOptions.scopes.includes(s))) {
+            log.notice(`JWT Token missing valid scope`)
+
+            return Boom.forbidden('JWT Token missing valid scope')
+          }
+        }
+
+        log.notice(`JWT Token validated`)
+
+        // Set the credentials for the rest of the pipeline
+        // return resolve(
+        return h.authenticated({
+          credentials: {
+            claims: decoded.payload,
+            scopes,
+          },
+        })
+      } catch (err) {
+        log.notice(`JWT could not be decoded`)
+        log.error(err)
+
+        return Boom.unauthorized('Unauthorized')
+      }
+    },
+  })
+}

package/src/events/http/index.js

@@ -0,0 +1 @@
+export { default } from './Http.js'

package/src/events/http/javaHelpers.js

@@ -0,0 +1,102 @@
+// String functions
+// For velocity templates to access java functions, to mimick AWS
+
+function javaContains(value) {
+  return this.includes(value)
+}
+
+function javaEquals(anObject) {
+  return this.toString() === anObject.toString()
+}
+
+function javaEqualsIgnoreCase(anotherString) {
+  return anotherString === null
+    ? false
+    : this === anotherString ||
+        this.toLowerCase() === anotherString.toLowerCase()
+}
+
+function javaMatches(value) {
+  return this.match(new RegExp(value, 'm'))
+}
+
+function javaReplaceAll(oldValue, newValue) {
+  return this.replace(new RegExp(oldValue, 'gm'), newValue)
+}
+
+function javaReplaceFirst(oldValue, newValue) {
+  return this.replace(new RegExp(oldValue, 'm'), newValue)
+}
+
+// method has 2 function signatures:
+// regionMatches(toffset: number, other: string, ooffset: number, len: number): boolean
+// regionMatches(ignoreCase: boolean, toffset: number, other: string, ooffset: number, len: number): boolean
+function javaRegionMatches(...args) {
+  let ignoreCase
+  let toffset
+  let other
+  let ooffset
+  let len
+
+  if (args.length === 4) {
+    ;[toffset, other, ooffset, len] = args
+    ignoreCase = false
+  } else {
+    ;[ignoreCase, toffset, other, ooffset, len] = args
+  }
+
+  // Note: toffset, ooffset, or len might be near -1>>>1.
+  if (
+    ooffset < 0 ||
+    toffset < 0 ||
+    toffset > this.length - len ||
+    ooffset > other.length - len
+  ) {
+    return false
+  }
+
+  let s1 = this.substring(toffset, toffset + len)
+  let s2 = other.substring(ooffset, ooffset + len)
+
+  if (ignoreCase) {
+    s1 = s1.toLowerCase()
+    s2 = s2.toLowerCase()
+  }
+
+  return s1 === s2
+}
+
+const {
+  prototype,
+  prototype: {
+    contains,
+    equals,
+    equalsIgnoreCase,
+    matches,
+    regionMatches,
+    replaceAll,
+    replaceFirst,
+  },
+} = String
+
+export default function runInPollutedScope(runScope) {
+  prototype.contains = javaContains
+  prototype.equals = javaEquals
+  prototype.equalsIgnoreCase = javaEqualsIgnoreCase
+  prototype.matches = javaMatches
+  prototype.regionMatches = javaRegionMatches
+  prototype.replaceAll = javaReplaceAll
+  prototype.replaceFirst = javaReplaceFirst
+
+  const result = runScope()
+
+  prototype.contains = contains
+  prototype.equals = equals
+  prototype.equalsIgnoreCase = equalsIgnoreCase
+  prototype.matches = matches
+  prototype.regionMatches = regionMatches
+  prototype.replaceAll = replaceAll
+  prototype.replaceFirst = replaceFirst
+
+  return result
+}

package/src/events/http/lambda-events/LambdaIntegrationEvent.js

@@ -0,0 +1,57 @@
+import { env } from 'node:process'
+import { log } from '@serverless/utils/log.js'
+import renderVelocityTemplateObject from './renderVelocityTemplateObject.js'
+import VelocityContext from './VelocityContext.js'
+
+const { parse } = JSON
+
+export default class LambdaIntegrationEvent {
+  #path = null
+
+  #request = null
+
+  #requestTemplate = null
+
+  #stage = null
+
+  constructor(request, stage, requestTemplate, path) {
+    this.#path = path
+    this.#request = request
+    this.#requestTemplate = requestTemplate
+    this.#stage = stage
+  }
+
+  create() {
+    if (env.AUTHORIZER) {
+      try {
+        const authorizerContext = parse(env.AUTHORIZER)
+        if (authorizerContext) {
+          this.#request.auth = {
+            ...this.#request.auth,
+            credentials: {
+              authorizer: authorizerContext,
+            },
+          }
+        }
+      } catch {
+        log.error(
+          'Could not parse process.env.AUTHORIZER, make sure it is correct JSON',
+        )
+      }
+    }
+
+    const velocityContext = new VelocityContext(
+      this.#request,
+      this.#stage,
+      this.#request.payload || {},
+      this.#path,
+    ).getContext()
+
+    const event = renderVelocityTemplateObject(
+      this.#requestTemplate,
+      velocityContext,
+    )
+
+    return event
+  }
+}