Skip to content

Commit e0a67d8

Browse files
authored
Merge pull request #70 from zillow/master
modernize sample for Feb 2024
2 parents ee46337 + bbde60a commit e0a67d8

6 files changed

Lines changed: 25 additions & 28 deletions

File tree

cli/utils/generator.py

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55
"AUTH_REQUEST": {
66
"client_id": "$CLIENT_ID_FROM_IDP",
77
"response_type": "code",
8-
"scope": "openid email",
8+
"scope": "openid email profile",
99
"redirect_uri": "https://$CLOUDFRONT_DIST_URL/_callback"
1010
},
1111
"TOKEN_REQUEST": {
@@ -19,7 +19,7 @@
1919
"PRIVATE_KEY": "$PRIVATE_KEY_GOES_HERE",
2020
"PUBLIC_KEY": "$PUBLIC_KEY_GOES_HERE",
2121
"DISCOVERY_DOCUMENT": "https://$IDP_DOMAIN_NAME/.well-known/openid-configuration",
22-
"SESSION_DURATION": 30,
22+
"SESSION_DURATION": 300,
2323
"BASE_URL": "https://$IDP_DOMAIN_NAME/",
2424
"CALLBACK_PATH": "/_callback",
2525
"AUTHZ": "$IDP_NAME"
@@ -61,7 +61,7 @@ def generate_rendered_config_file(
6161
"AUTH_REQUEST": {
6262
"client_id": f"{client_id}",
6363
"response_type": "code",
64-
"scope": "openid email",
64+
"scope": "openid email profile",
6565
"redirect_uri": f"https://{cloudfront_host}/_callback"
6666
},
6767
"TOKEN_REQUEST": {
@@ -75,7 +75,7 @@ def generate_rendered_config_file(
7575
"PRIVATE_KEY": f"{openssl_private_key}",
7676
"PUBLIC_KEY": f"{openssl_public_key}",
7777
"DISCOVERY_DOCUMENT": f"https://{idp_domain_name}/.well-known/openid-configuration",
78-
"SESSION_DURATION": 30,
78+
"SESSION_DURATION": 300,
7979
"BASE_URL": f"https://{idp_domain_name}/",
8080
"CALLBACK_PATH": "/_callback",
8181
"AUTHZ": f"{idp_name}"

docs/baseconfiguration.md

Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -14,11 +14,7 @@ The first step for deploying this solution is to create a dummy configuration pl
1414

1515
![Placeholder Secret](images/secretsmanager/sm-kv-pair.png)
1616
6. Select the appropriate `Encryption key` settings for your organization's needs. The default is to use the `aws/secretsmanager` key.
17-
7. Provide an appropriate `Secret name` - this is your choice - along with an appropriate `Description` and a set of `Tags` that make it easy to identify the Secret. For now, you can skip `Resource permissions` - you will come back to this later.
18-
19-
![Secrets Manager Key Name](images/secretsmanager/sm-key-name.png)
20-
21-
**NOTE:** This Secret Name should match the name found in the [src/js/sm-key.txt file](../src/js/sm-key.txt) as seen below and as mentioned above:
17+
7. Provide the `Secret name` - which is "cloudfront/DISTRIBUTION_ID", along with an appropriate `Description` and a set of `Tags` that make it easy to identify the Secret. For now, you can skip `Resource permissions` - you will come back to this later.
2218

2319
![Secrets Manager Key File](images/secretsmanager/sm-key-name-file.png)
2420

docs/cloudfront.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,8 @@ If there are issues, ensure that all IdP configurations are set up correctly, in
1515

1616
### AWS Secrets Manager Configuration
1717

18-
Ensure that the `src/js/sm-key.txt` file is set up with the correct AWS Secrets Manager Secret name. Also, ensure that the Key-Value pair is set up correctly in AWS Secrets Manager including a Base64-encoded value that is the JSON configuration.
18+
Ensure that the correct AWS Secrets Manager Secret name in use which is "cloudfront/DISTRIBUTION_ID" Also, ensure that the Key-Value pair is set up correctly in AWS Secrets Manager including a Base64-encoded value that is the JSON configuration.
19+
1920

2021
### AWS Secrets Manager Customer-Managed KMS Key Policy
2122

src/js/auth.js

Lines changed: 16 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,15 @@
11
// eslint-disable-next-line import/no-extraneous-dependencies
22
// Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
33
// SPDX-License-Identifier: MIT-0
4-
const AWS = require('aws-sdk');
4+
5+
const { SecretsManager } = require('@aws-sdk/client-secrets-manager');
6+
57
const Axios = require('axios');
68
const Cookie = require('cookie');
79
const Crypto = require('crypto');
810
const JsonWebToken = require('jsonwebtoken');
911
const JwkToPem = require('jwk-to-pem');
1012
const QueryString = require('querystring');
11-
const fs = require('fs');
1213
const Log = require('./lib/log');
1314
const Base64Url = require('base64url');
1415

@@ -33,12 +34,12 @@ let pkceCodeChallenge;
3334
* dependencies. If this value is specified (as it will be in tests) then deps will be
3435
* overwritten with the specified dependencies.
3536
*/
36-
exports.handle = async (event, ctx, cb, setDeps = setDependencies) => {
37+
exports.handler = async (event, ctx, cb, setDeps = setDependencies) => {
3738
log = new Log(event, ctx);
3839
// log.info('init lambda', { event: event });
3940
deps = setDeps(deps);
4041
try {
41-
await prepareConfigGlobals();
42+
await prepareConfigGlobals(event);
4243
return await authenticate(event);
4344
} catch (err) {
4445
log.error(err.message, { event: event }, err);
@@ -53,7 +54,7 @@ function setDependencies(dependencies) {
5354
// log.info('setting up dependencies');
5455
return {
5556
axios: Axios,
56-
sm: new AWS.SecretsManager({ apiVersion: '2017-10-17', region: 'us-east-1' })
57+
sm: new SecretsManager({ region: 'us-east-1' })
5758
};
5859
}
5960
return dependencies;
@@ -233,26 +234,25 @@ function validateNonce(nonce, hash) {
233234
}
234235

235236
// fetchConfigFromSecretsManager pulls the specified configuration from SecretsManager
236-
async function fetchConfigFromSecretsManager() {
237+
async function fetchConfigFromSecretsManager(evt) {
237238
// Get Secrets Manager Config Key from File since we cannot use environment variables.
238239
if (secretId == undefined) {
239240
try {
240-
secretId = fs.readFileSync('./sm-key.txt', 'utf-8');
241-
secretId = secretId.replace(/(\r\n|\n|\r)/gm, '');
241+
secretId = "cloudfront/" + evt.Records[0].cf.config.distributionId;
242242
} catch (err) {
243243
log.error(err);
244244
}
245-
} // Attempted to read from CloudFront Custom Header due to Environment variable limitations // Must be an Origin Request, but we need this to be a Viewer Request.
246-
const secret = await deps.sm.getSecretValue({ SecretId: secretId }).promise(); // eslint-disable-next-line no-buffer-constructor
247-
const buff = new Buffer(JSON.parse(secret.SecretString).config, 'base64');
245+
}
246+
const secret = await deps.sm.getSecretValue({ SecretId: secretId }); // eslint-disable-next-line no-buffer-constructor
247+
const buff = Buffer.from(JSON.parse(secret.SecretString).config, 'base64');
248248
const decodedval = JSON.parse(buff.toString('utf-8'));
249249
return decodedval;
250250
}
251251

252252
// setConfig sets the config object to the value from SecretsManager if it wasn't already set.
253-
async function setConfig() {
253+
async function setConfig(event) {
254254
if (config === undefined) {
255-
config = await fetchConfigFromSecretsManager();
255+
config = await fetchConfigFromSecretsManager(event);
256256
}
257257

258258
// set PKCE values if client_secret is not present in configurations
@@ -306,9 +306,9 @@ async function setPkceConfigs() {
306306
}
307307

308308
// prepareConfigGlobals sets up all the lambda globals if they are not already set.
309-
async function prepareConfigGlobals() {
309+
async function prepareConfigGlobals(event) {
310310
await setPkceConfigs();
311-
await setConfig();
311+
await setConfig(event);
312312
await setDiscoveryDocument();
313313
await setJwks();
314314
}
@@ -329,6 +329,7 @@ function getRedirectPayload({ evt, queryString, decodedToken, headers }) {
329329
: queryString.state
330330
}
331331
],
332+
'login': [ { key: 'login', value: decodedToken.payload.email } ],
332333
'set-cookie': [
333334
{
334335
key: 'Set-Cookie',

src/js/sm-key.txt

Lines changed: 0 additions & 1 deletion
This file was deleted.

template.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -95,8 +95,8 @@ Resources:
9595
Properties:
9696
CodeUri: src/js/
9797
Role: !GetAtt LambdaEdgeFunctionRole.Arn
98-
Runtime: nodejs14.x
99-
Handler: auth.handle
98+
Runtime: nodejs20.x
99+
Handler: auth.handler
100100
Timeout: 5
101101
AutoPublishAlias: LIVE
102102
LambdaEdgeFunctionRole:

0 commit comments

Comments
 (0)