Enhance pre-hook auth example to use SecretsManager (#380)

Author: Phil Varner

CHANGELOG.md

@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Changed
 
 - ESM modules are used instead of CommonJS
+- Updated pre-hook auth token example to use SecretsManager rather than single values.
 
 ## [0.6.0] - 2023-01-24
 

README.md

@@ -907,10 +907,12 @@ which provides an example rudimentary authorization mechanism via a hard-coded t
 
 To enable this example pre-hook:
 
-- Modify bin/build.sh to not exclude the "pre-hook" package from being built.
+- Either (1) in package.json, pass the env var `BUILD_PRE_HOOK=true` in the `build`
+  command, or (2) modify bin/build.sh to always build the "pre-hook" package.
 - In the serverless.yml file, uncomment the `preHook` function, the `preHook` IAM
-  permissions and the environment variables
-  `PRE_HOOK`, `PRE_HOOK_AUTH_TOKEN`, and `PRE_HOOK_AUTH_TOKEN_TXN`.
+  permissions, and the environment variables `PRE_HOOK` and `API_KEYS_SECRET_ID`
+- Create a Secrets Manager secret with the name used in `API_KEYS_SECRET_ID` with
+  the keys as the strings allowed for API Keys and the values as `read`.
 - Build and deploy.
 
 ### Post-Hook

bin/build.sh

@@ -1,9 +1,9 @@
-#!/bin/sh
+#!/bin/bash
 
 set -e
 
-for x in src/lambdas/*; do
-  if [ "$x" != "src/lambdas/pre-hook" ] && [ "$x" != "src/lambdas/post-hook" ]; then
-    (cd "$x" && webpack)
-  fi
-done
+(cd src/lambdas/api && webpack)
+(cd src/lambdas/ingest && webpack)
+
+if [[ -n "${BUILD_PRE_HOOK}" ]]; then (cd src/lambdas/pre-hook && webpack); fi
+if [[ -n "${BUILD_POST_HOOK}" ]]; then (cd src/lambdas/post-hook && webpack); fi

package-lock.json

@@ -61,6 +61,7 @@
   },
   "dependencies": {
     "@acuris/aws-es-connection": "^1.1.0",
+    "@aws-sdk/client-secrets-manager": "^3.258.0",
     "@elastic/elasticsearch": "^7.9.0",
     "@mapbox/extent": "^0.4.0",
     "@opensearch-project/opensearch": "^2.2.0",
@@ -99,7 +100,8 @@
     "@typescript-eslint/parser": "^5.49.0",
     "ava": "^5.1.1",
     "aws-event-mocks": "^0.0.0",
-    "aws-sdk": "^2.1301.0",
+    "aws-sdk": "^2.1302.0",
+    "aws-sdk-client-mock": "^2.0.1",
     "c8": "^7.12.0",
     "copy-webpack-plugin": "^11.0.0",
     "crypto-random-string": "^5.0.0",

package.json

@@ -20,8 +20,7 @@ provider:
     # comment STAC_API_ROOTPATH if deployed with a custom domain
     STAC_API_ROOTPATH: "/${self:provider.stage}"
     # PRE_HOOK: ${self:service}-${self:provider.stage}-preHook
-    # PRE_HOOK_AUTH_TOKEN: xxx
-    # PRE_HOOK_AUTH_TOKEN_TXN: xxx
+    # API_KEYS_SECRET_ID: ${self:service}-${self:provider.stage}-api-keys
     # POST_HOOK: ${self:service}-${self:provider.stage}-postHook
   iam:
     role:
@@ -40,12 +39,15 @@ provider:
         - Effect: Allow
           Action: s3:GetObject
           Resource: 'arn:aws:s3:::usgs-landsat/*'
-        # - Effect: "Allow"
-        #   Action: "lambda:InvokeFunction"
-        #   Resource: "arn:aws:lambda:${aws:region}:${aws:accountId}:function:${self:service}-${self:provider.stage}-preHook"
-        # - Effect: "Allow"
-        #   Action: "lambda:InvokeFunction"
-        #   Resource: "arn:aws:lambda:${aws:region}:${aws:accountId}:function:${self:service}-${self:provider.stage}-postHook"
+        # - Effect: Allow
+        #   Action: lambda:InvokeFunction
+        #   Resource: arn:aws:lambda:${aws:region}:${aws:accountId}:function:${self:service}-${self:provider.stage}-preHook
+        # - Effect: Allow
+        #   Action: secretsmanager:GetSecretValue
+        #   Resource: arn:aws:secretsmanager:${aws:region}:${aws:accountId}:secret:${self:service}-${self:provider.stage}-api-keys-*
+        # - Effect: Allow
+        #   Action: lambda:InvokeFunction
+        #   Resource: arn:aws:lambda:${aws:region}:${aws:accountId}:function:${self:service}-${self:provider.stage}-postHook
 
 package:
   individually: true

serverless.example.yml

@@ -1,46 +1,62 @@
 /* eslint-disable import/prefer-default-export */
-import logger from '../../lib/logger.js'
+import {
+  SecretsManagerClient,
+  GetSecretValueCommand,
+} from '@aws-sdk/client-secrets-manager'
 
-export const handler = async (event, _context) => {
-  logger.debug('Event: %j', event)
+const TTL = 60 * 1000 // in ms
 
-  const authTokenValue = process.env['PRE_HOOK_AUTH_TOKEN']
-  const authTokenTxnValue = process.env['PRE_HOOK_AUTH_TOKEN_TXN']
-  const txnEnabled = process.env['ENABLE_TRANSACTIONS_EXTENSION'] === 'true'
+const response401 = {
+  statusCode: 401,
+  body: '',
+  headers: { 'access-control-allow-origin': '*' },
+}
 
-  if (!authTokenValue || (txnEnabled && !authTokenTxnValue)) {
-    return {
-      statusCode: 500,
-      body: 'auth token(s) are not configured'
-    }
-  }
+// eslint-disable-next-line import/no-mutable-exports
+export let apiKeys = new Map()
+
+const updateApiKeys = async () => {
+  await new SecretsManagerClient({ region: process.env['AWS_REGION'] || 'us-west-2' })
+    .send(
+      new GetSecretValueCommand({
+        SecretId: process.env['API_KEYS_SECRET_ID'],
+      })
+    )
+    .then((data) => {
+      apiKeys = new Map(Object.entries(JSON.parse(data.SecretString || '')))
+    })
+    .catch((error) => {
+      console.error(
+        `Error updating API keys: ${JSON.stringify(error, undefined, 2)}`
+      )
+    })
+    .finally(() => {
+      setTimeout(() => updateApiKeys(), TTL)
+    })
+}
 
-  let token = null
+const READ = ['read']
+const isValidReadToken = (token) => READ.includes(apiKeys.get(token))
 
-  const authHeader = event.headers['Authorization']
+export const handler = async (event, _context) => {
+  let token = null
 
-  if (authHeader) {
-    token = authHeader.split('Bearer ')[1]
-  } else if (event.queryStringParameters) {
+  if (event.headers && event.headers['Authorization']) {
+    token = event.headers['Authorization'].split('Bearer ')[1]
+  } else if (
+    event.queryStringParameters
+    && event.queryStringParameters['auth_token']
+  ) {
     token = event.queryStringParameters['auth_token']
-  } else {
-    return {
-      statusCode: 401,
-      body: '',
-      headers: { 'access-control-allow-origin': '*' }
-    }
   }
 
-  if (event.httpMethod !== 'GET' && event.path.startsWith('/collections')) {
-    if (token === authTokenTxnValue) {
-      return event
-    }
-  } else if (token === authTokenValue || token === authTokenTxnValue) {
-    return event
+  if (!apiKeys.size) {
+    await updateApiKeys()
   }
 
-  return {
-    statusCode: 403,
-    body: ''
+  if (isValidReadToken(token)) {
+    return event
   }
+
+  return response401
 }

src/lambdas/pre-hook/index.js

@@ -0,0 +1,134 @@
+/* eslint-disable @typescript-eslint/no-empty-function */
+
+import test from 'ava'
+import { mockClient } from 'aws-sdk-client-mock'
+import {
+  SecretsManagerClient,
+  GetSecretValueCommand,
+} from '@aws-sdk/client-secrets-manager'
+import { handler, apiKeys } from '../../src/lambdas/pre-hook/index.js'
+
+const DEFAULT_EVENT = {
+  body: 'eyJ0ZXN0IjoiYm9keSJ9',
+  resource: '/{proxy+}',
+  path: '/path/to/resource',
+  httpMethod: 'POST',
+  isBase64Encoded: true,
+  queryStringParameters: {
+    foo: 'bar',
+  },
+  pathParameters: {
+    proxy: '/path/to/resource',
+  },
+  headers: {},
+  multiValueHeaders: {},
+  multiValueQueryStringParameters: null,
+  stageVariables: null,
+  requestContext: {
+    authorizer: null,
+    accountId: '123456789012',
+    resourceId: '123456',
+    stage: 'prod',
+    requestId: 'c6af9ac6-7b61-11e6-9a41-93e8deadbeef',
+    requestTime: '09/Apr/2015:12:34:56 +0000',
+    requestTimeEpoch: 1428582896000,
+    identity: {
+      cognitoIdentityPoolId: null,
+      accountId: null,
+      cognitoIdentityId: null,
+      caller: null,
+      accessKey: null,
+      sourceIp: '127.0.0.1',
+      cognitoAuthenticationType: null,
+      cognitoAuthenticationProvider: null,
+      userArn: null,
+      userAgent: 'Custom User Agent String',
+      user: null,
+      apiKey: null,
+      apiKeyId: null,
+      clientCert: null,
+      principalOrgId: null,
+    },
+    path: '/prod/path/to/resource',
+    resourcePath: '/{proxy+}',
+    httpMethod: 'POST',
+    apiId: '1234567890',
+    protocol: 'HTTP/1.1',
+  },
+}
+const DEFAULT_CONTEXT = {
+  callbackWaitsForEmptyEventLoop: false,
+  functionName: '',
+  functionVersion: '',
+  invokedFunctionArn: '',
+  memoryLimitInMB: '',
+  awsRequestId: '',
+  logGroupName: '',
+  logStreamName: '',
+  getRemainingTimeInMillis: () => 0,
+  done: () => {},
+  fail: () => {},
+  succeed: () => {},
+}
+
+// @ts-ignore
+const secretsManagerMock = mockClient(SecretsManagerClient)
+
+const response401 = {
+  statusCode: 401,
+  body: '',
+  headers: { 'access-control-allow-origin': '*' },
+}
+
+test.beforeEach(() => {
+  secretsManagerMock.reset()
+  apiKeys.clear()
+})
+
+test.serial('authenticate cases', async (t) => {
+  secretsManagerMock
+    // @ts-ignore
+    .on(GetSecretValueCommand)
+    // @ts-ignore
+    .resolves({ SecretString: JSON.stringify({ ABC: 'read', DEF: 'other' }) })
+
+  const event = { ...DEFAULT_EVENT }
+  const context = { ...DEFAULT_CONTEXT }
+
+  // no credentials
+  t.deepEqual(await handler(event, context), response401)
+
+  // invalid credentials
+  event.headers['Authorization'] = 'Bearer invalid'
+  t.deepEqual(await handler(event, context), response401)
+
+  // valid credentials
+  event.headers['Authorization'] = 'Bearer ABC'
+  t.deepEqual(await handler(event, context), event)
+
+  delete event.headers['Authorization']
+
+  // credentials don't have read permissions
+  event.headers['Authorization'] = 'Bearer DEF'
+  t.deepEqual(await handler(event, context), response401)
+
+  delete event.headers['Authorization']
+
+  // invalid credentials
+  event.queryStringParameters['auth_token'] = 'invalid'
+  t.deepEqual(await handler(event, context), response401)
+
+  // valid credentials
+  event.queryStringParameters['auth_token'] = 'ABC'
+  t.deepEqual(await handler(event, context), event)
+})
+
+test.serial('authenticate failure with retrieving keys', async (t) => {
+  // @ts-ignore
+  secretsManagerMock.on(GetSecretValueCommand).rejectsOnce('mocked rejection')
+
+  const event = { ...DEFAULT_EVENT }
+  const context = { ...DEFAULT_CONTEXT }
+
+  t.deepEqual(await handler(event, context), response401)
+})