Widen · apgrucza · May 28, 2020 · May 29, 2020 · May 29, 2020 · May 31, 2020
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,30 @@
+name: Generic Package CI
+on: push
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [14.x, 16.x]
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v1
+      with:
+        node-version: ${{ matrix.node-version }}
+
+    - run: npm run-script test-ci
+
+    - run: npm run-script build-ci okta_native
+    - run: test -f distributions/okta_native/okta_native.zip
+    - run: npm run-script build-ci rotate_key_pair
+    - run: test -f distributions/rotate_key_pair/rotate_key_pair.zip
+
+    - uses: actions/upload-artifact@v2
+      with:
+        name: packages_${{ matrix.node-version }}
+        path: distributions/*/*.zip
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,36 @@
+name: Upload Release Assets
+
+on:
+  push:
+    # Match against refs/tags
+    tags:
+    - 'v*' # Push events matching v*, e.g. v1.0.0, v1.1.0
+
+jobs:
+  build:
+    name: Upload Release Assets
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Use Node.js 14
+        uses: actions/setup-node@v2
+        with:
+          node-version: '14'
+
+      - name: Run tests
+        run: npm run-script test-ci
+
+      - name: Build okta_native
+        run: npm run-script build-ci okta_native
+      - name: Build rotate_key_pair
+        run: npm run-script build-ci rotate_key_pair
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: |
+            ./distributions/okta_native/okta_native.zip
+            ./distributions/rotate_key_pair/rotate_key_pair.zip
diff --git a/.gitignore b/.gitignore
@@ -13,3 +13,6 @@ tests/logs/*
 tests/config
 /distributions
 packaged.yaml
+.terraform*
+terraform.tfstate*
+/infra/terraform/modules/_lambda/packages/*
diff --git a/README.md b/README.md
@@ -1,14 +1,36 @@
+# Cloudfront Auth
+
 [Google Apps (G Suite)](https://developers.google.com/identity/protocols/OpenIDConnect), [Microsoft Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code), [GitHub](https://developer.github.com/apps/building-oauth-apps/authorization-options-for-oauth-apps/), [OKTA](https://www.okta.com/), [Auth0](https://auth0.com/), [Centrify](https://centrify.com) authentication for [CloudFront](https://aws.amazon.com/cloudfront/) using [Lambda@Edge](http://docs.aws.amazon.com/lambda/latest/dg/lambda-edge.html). The original use case for `cloudfront-auth` was to serve private S3 content over HTTPS without running a proxy server in EC2 to authenticate requests; but `cloudfront-auth` can be used authenticate requests of any Cloudfront origin configuration.
 
 ## Description
+
 Upon successful authentication, a cookie (named `TOKEN`) with the value of a signed JWT is set and the user redirected back to the originally requested path. Upon each request, Lambda@Edge checks the JWT for validity (signature, expiration date, audience and matching hosted domain) and will redirect the user to configured provider's login when their session has timed out.
 
 ## Usage
+
 If your CloudFront distribution is pointed at a S3 bucket, [configure origin access identity](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-creating-oai-console) so S3 objects can be stored with private permissions. (Origin access identity requires the S3 ACL owner be the account owner. Use our [s3-object-owner-monitor](https://github.com/Widen/s3-object-owner-monitor) Lambda function if writing objects across multiple accounts.)
 
 Enable SSL/HTTPS on your CloudFront distribution; AWS Certificate Manager can be used to provision a no-cost certificate.
 
-Session duration is defined as the number of hours that the JWT is valid for. After session expiration, cloudfront-auth will redirect the user to the configured provider to re-authenticate. RSA keys are used to sign and validate the JWT. If the files `id_rsa` and `id_rsa.pub` do not exist they will be automatically generated by the build. To disable all issued JWTs upload a new ZIP using the Lambda Console after deleting the `id_rsa` and `id_rsa.pub` files (a new key will be automatically generated).
+Session duration is defined as the number of hours that the JWT is valid for. After session expiration, cloudfront-auth will redirect the user to the configured provider to re-authenticate. RSA keys are used to sign and validate the JWT.
+
+## Lambda Deployment Packages
+
+### Custom Packages
+
+A custom package has all the configuration baked into it (including secrets). To build a custom package, execute:
+
+```bash
+./build.sh
+```
+
+The build script prompts you for the required configuration parameters, which are described in [Identity Provider Guides](#identity-provider-guides). If the files `id_rsa` and `id_rsa.pub` do not exist they will be automatically generated by the build. To disable all issued JWTs upload a new ZIP using the Lambda Console after deleting the `id_rsa` and `id_rsa.pub` files (a new key will be automatically generated).
+
+### Generic Packages
+
+A generic package retrieves its configuration at runtime from the [AWS Systems Manager](https://aws.amazon.com/systems-manager/) Parameter Store and [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/). Currently, support for this type of package has been added for OKTA Native only. To disable all issued JWTs, rotate the key pair using the Secrets Manager console.
+
+Generic packages are pre-built and available for download from the Releases page of this GitHub repository. [Terraform modules](./infra/terraform/README.md) are available for downloading and deploying generic packages and their configuration resources.
 
 ## Identity Provider Guides
 
@@ -20,7 +42,7 @@ Session duration is defined as the number of hours that the JWT is valid for. Af
     1. For **Authorization callback URL** enter your Cloudfront hostname with your preferred path value for the authorization callback. Example: `https://my-cloudfront-site.example.com/_callback`
 1. Execute `./build.sh` in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated.
     1. Choose `Github` as the authorization method and enter the values for Client ID, Client Secret, Redirect URI, Session Duration and Organization
-        -  cloudfront-auth will check that users are a member of the entered Organization.
+        * cloudfront-auth will check that users are a member of the entered Organization.
 1. Upload the resulting `zip` file found in your distribution folder using the AWS Lambda console and jump to the [configuration step](#configure-lambda-and-cloudfront)
 
 ### Google
@@ -47,7 +69,7 @@ Session duration is defined as the number of hours that the JWT is valid for. Af
 1. In your Azure portal, go to Azure Active Directory and select **App registrations**
     1. Create a new application registration with an application type of **Web app / api**
     1. Once created, go to your application `Settings -> Keys` and make a new key with your desired duration. Click save and copy the value. This will be your `client_secret`
-    1. Above where you selected `Keys`, go to `Reply URLs` and enter your Cloudfront hostname with your preferred path value for the authorization callback. Example: https://my-cloudfront-site.example.com/_callback
+    1. Above where you selected `Keys`, go to `Reply URLs` and enter your Cloudfront hostname with your preferred path value for the authorization callback. Example: `https://my-cloudfront-site.example.com/_callback`
 1. Execute `./build.sh` in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated.
 1. Choose `Microsoft` as the authorization method and enter the values for [Tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant), Client ID (**Application ID**), Client Secret (**previously created key**), Redirect URI and Session Duration
 1. Select the preferred authentication method
@@ -115,32 +137,57 @@ Session duration is defined as the number of hours that the JWT is valid for. Af
     1. Client Id from the application created in our previous step (can be found at the bottom of the general tab)
     1. Base Url
         1. This is named the 'Org URL' and can be found in the top right of the Dashboard tab.
+1. To use the [generic package](#generic-packages), jump straight to [Terraform Modules for CloudFront Authentication](./infra/terraform/README.md).
 1. Execute `./build.sh` in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated.
 1. Choose `OKTA Native` as the authorization method and enter the values for Base URL (Org URL), Client ID, PKCE Code Verifier Length, Redirect URI, and Session Duration
 1. Upload the resulting `zip` file found in your distribution folder using the AWS Lambda console and jump to the [configuration step](#configure-lambda-and-cloudfront)
 
 ## Configure Lambda and CloudFront
 
-[Manual Deployment](https://github.com/Widen/cloudfront-auth/wiki/Manual-Deployment) __*or*__ [AWS SAM Deployment](https://github.com/Widen/cloudfront-auth/wiki/AWS-SAM-Deployment)
+See [Manual Deployment](https://github.com/Widen/cloudfront-auth/wiki/Manual-Deployment) __*or*__ [AWS SAM Deployment](https://github.com/Widen/cloudfront-auth/wiki/AWS-SAM-Deployment)
 
 ## Authorization Method Examples
 
-- [Use Google Groups to authorize users](https://github.com/Widen/cloudfront-auth/wiki/Google-Groups-Setup)
+* [Use Google Groups to authorize users](https://github.com/Widen/cloudfront-auth/wiki/Google-Groups-Setup)
 
-- JSON array of email addresses
+* JSON array of email addresses
 
-    ```
+    ```json
     [ "[email protected]", "[email protected]" ]
     ```
+
 ## Testing
+
 Detailed instructions on testing your function can be found [in the Wiki](https://github.com/Widen/cloudfront-auth/wiki/Debug-&-Test).
 
 ## Build Requirements
- - [npm](https://www.npmjs.com/) ^5.6.0
- - [node](https://nodejs.org/en/) ^10.0
- - [openssl](https://www.openssl.org)
+
+* [npm](https://www.npmjs.com/) ^7.20.0
+* [node](https://nodejs.org/en/) ^14.0
+* [openssl](https://www.openssl.org)
+
+## Building Generic Packages
+
+If you need to build a generic package yourself, execute:
+
+```bash
+./build.sh package
+```
+
+The supported values of `package` are:
+
+* `okta_native` - builds a generic Lambda package for OKTA Native authentication
+* `rotate_key_pair` - builds a Lambda package for rotating the RSA keys in AWS Secrets Manager
+
+GitHub Actions automatically creates a new GitHub release when the repository owner pushes a tag that begins with `v`:
+
+```sh
+git tag -a -m "Target AWS Lambda Node.js 14.x runtime" v3.0.0
+git push origin v3.0.0
+```
 
 ## Contributing
+
 All contributions are welcome. Please create an issue in order open up communication with the community.
 
 When implementing a new flow or using an already implemented flow, be sure to follow the same style used in `build.js`. The config.json file should have an object for each request made. For example, `openid.index.js` converts config.AUTH_REQUEST and config.TOKEN_REQUEST to querystrings for simplified requests (after adding dynamic variables such as state or nonce). For implementations that are not generic (most), endpoints are hardcoded in to the config (or discovery documents).

diff --git a/authn/openid.index.js b/authn/openid.index.js
@@ -294,9 +294,9 @@ function unauthorized(error, error_description, error_uri, callback) {
   </html>
   `;
 
-  page = page.replace(/%error%/g, error);
-  page = page.replace(/%error_description%/g, error_description);
-  page = page.replace(/%error_uri%/g, error_uri);
+  page = page.replace(/%error%/g, encodeURI(error).replace(/%20/g,' '));
+  page = page.replace(/%error_description%/g, encodeURI(error_description).replace(/%20/g,' '));
+  page = page.replace(/%error_uri%/g, encodeURI(error_uri));
 
   // Unauthorized access attempt. Reset token and nonce cookies
   const response = {

diff --git a/authn/pkce.index.js b/authn/pkce.index.js
@@ -1,53 +1,60 @@
 const qs = require('querystring');
-const fs = require('fs');
 const jwt = require('jsonwebtoken');
 const cookie = require('cookie');
 const jwkToPem = require('jwk-to-pem');
 const auth = require('./auth.js');
 const nonce = require('./nonce.js');
 const codeChallenge = require('./code-challenge.js');
+const cfg = require('./config.js');
 const axios = require('axios');
 var discoveryDocument;
 var jwks;
 var config;
 
 exports.handler = (event, context, callback) => {
   if (typeof jwks == 'undefined' || typeof discoveryDocument == 'undefined' || typeof config == 'undefined') {
-    config = JSON.parse(fs.readFileSync('config.json', 'utf8'));
+    cfg.getConfig('config.json', context.functionName, function(error, result) {
+      if (error) {
+        console.log("Internal server error: " + error.message);
+        internalServerError(callback);
+      } else {
+        config = result;
 
-    // Get Discovery Document data
-    console.log("Get discovery document data");
-    axios.get(config.DISCOVERY_DOCUMENT)
-      .then(function(response) {
-        console.log(response);
+        // Get Discovery Document data
+        console.log("Get discovery document data");
+        axios.get(config.DISCOVERY_DOCUMENT)
+          .then(function(response) {
+            console.log(response);
 
-        // Get jwks from discovery document url
-        console.log("Get jwks from discovery document");
-        discoveryDocument = response.data;
-        if (discoveryDocument.hasOwnProperty('jwks_uri')) {
+            // Get jwks from discovery document url
+            console.log("Get jwks from discovery document");
+            discoveryDocument = response.data;
+            if (discoveryDocument.hasOwnProperty('jwks_uri')) {
 
-          // Get public key and verify JWT
-          axios.get(discoveryDocument.jwks_uri)
-            .then(function(response) {
-              console.log(response);
-              jwks = response.data;
+              // Get public key and verify JWT
+              axios.get(discoveryDocument.jwks_uri)
+                .then(function(response) {
+                  console.log(response);
+                  jwks = response.data;
 
-              // Callback to main function
-              mainProcess(event, context, callback);
-            })
-            .catch(function(error) {
-              console.log("Internal server error: " + error.message);
+                  // Callback to main function
+                  mainProcess(event, context, callback);
+                })
+                .catch(function(error) {
+                  console.log("Internal server error: " + error.message);
+                  internalServerError(callback);
+                });
+            } else {
+              console.log("Internal server error: Unable to find JWK in discovery document");
               internalServerError(callback);
-            });
-        } else {
-          console.log("Internal server error: Unable to find JWK in discovery document");
-          internalServerError(callback);
-        }
-      })
-      .catch(function(error) {
-        console.log("Internal server error: " + error.message);
-        internalServerError(callback);
-      });
+            }
+          })
+          .catch(function(error) {
+            console.log("Internal server error: " + error.message);
+            internalServerError(callback);
+          });
+      }
+    });
   } else {
     mainProcess(event, context, callback);
   }
@@ -123,21 +130,19 @@ function mainProcess(event, context, callback) {
       .then(function(response) {
         console.log(response);
         const decodedData = jwt.decode(response.data.id_token, {complete: true});
-        console.log(decodedData);
+        const decodedAccessTokenData = jwt.decode(response.data.access_token, {complete: true});
+        console.log("Decoded id_token: ", decodedData);
+        console.log("Decoded access_token", decodedAccessTokenData);
         try {
           console.log("Searching for JWK from discovery document");
 
           // Search for correct JWK from discovery document and create PEM
-          var pem = "";
-          for (var i = 0; i < jwks.keys.length; i++) {
-            if (decodedData.header.kid === jwks.keys[i].kid) {
-              pem = jwkToPem(jwks.keys[i]);
-            }
-          }
-          console.log("Verifying JWT");
+          var pem = createPEM(decodedAccessTokenData.header.kid); //We are verifying the access token
 
-          // Verify the JWT, the payload email, and that the email ends with configured hosted domain
-          jwt.verify(response.data.id_token, pem, { algorithms: ['RS256'] }, function(err, decoded) {
+          console.log("Verifying JWT");
+          const access_token = response.data.access_token;
+          // Verify the access token JWT, the payload email, and that the email ends with configured hosted domain
+          jwt.verify(access_token, pem, { algorithms: ['RS256'] }, function(err, decoded) {
             if (err) {
               switch (err.name) {
                 case 'TokenExpiredError':
@@ -157,7 +162,7 @@ function mainProcess(event, context, callback) {
               // Validate nonce
               if ("cookie" in headers
                   && "NONCE" in cookie.parse(headers["cookie"][0].value)
-                  && nonce.validateNonce(decoded.nonce, cookie.parse(headers["cookie"][0].value).NONCE)) {
+                  && nonce.validateNonce(decodedData.payload.nonce, cookie.parse(headers["cookie"][0].value).NONCE)) {
                 console.log("Setting cookie and redirecting.");
 
                 // Once verified, create new JWT for this server
@@ -175,18 +180,11 @@ function mainProcess(event, context, callback) {
                     "set-cookie" : [
                       {
                         "key": "Set-Cookie",
-                        "value" : cookie.serialize('TOKEN', jwt.sign(
-                          { },
-                          config.PRIVATE_KEY.trim(),
-                          {
-                            "audience": headers.host[0].value,
-                            "subject": auth.getSubject(decodedData),
-                            "expiresIn": config.SESSION_DURATION,
-                            "algorithm": "RS256"
-                          } // Options
-                        ), {
+                        "value" : cookie.serialize('TOKEN', access_token, {
                           path: '/',
-                          maxAge: config.SESSION_DURATION
+                          httpOnly: true,
+                          secure: true,
+                          maxAge: parseInt(config.SESSION_DURATION)
                         })
                       },
                       {
@@ -217,9 +215,11 @@ function mainProcess(event, context, callback) {
   } else if ("cookie" in headers
               && "TOKEN" in cookie.parse(headers["cookie"][0].value)) {
     console.log("Request received with TOKEN cookie. Validating.");
-
+    const decodedToken = jwt.decode(cookie.parse(headers["cookie"][0].value).TOKEN, {complete: true});
+    // Search for correct JWK from discovery document and create PEM
+    var pem = createPEM(decodedToken.header.kid);
     // Verify the JWT, the payload email, and that the email ends with configured hosted domain
-    jwt.verify(cookie.parse(headers["cookie"][0].value).TOKEN, config.PUBLIC_KEY.trim(), { algorithms: ['RS256'] }, function(err, decoded) {
+    jwt.verify(cookie.parse(headers["cookie"][0].value).TOKEN, pem, { algorithms: ['RS256'] }, function(err, decoded) {
       if (err) {
         switch (err.name) {
           case 'TokenExpiredError':
@@ -243,6 +243,16 @@ function mainProcess(event, context, callback) {
     console.log("Redirecting to OIDC provider.");
     redirect(request, headers, callback);
   }
+
+  function createPEM(kid) {
+    var pem = "";
+    for (var i = 0; i < jwks.keys.length; i++) {
+      if (kid === jwks.keys[i].kid) {
+        pem = jwkToPem(jwks.keys[i]);
+      }
+    }
+    return pem;
+  }
 }
 
 function redirect(request, headers, callback) {

diff --git a/build.sh b/build.sh
@@ -7,4 +7,4 @@ if [ ! -d "distributions" ]; then
   fi
 fi
 
-npm run-script build
+npm run-script build-ci "$@"