From 30dcbf8bb623f3fc5c5db513c1d322d313dd4e0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mark=20Lis=C3=A9?=
Date: Thu, 3 Oct 2024 13:13:41 -0700
Subject: [PATCH] Updating jwks handling.

---
 .github/workflows/deploy-api-dev.yaml | 3 ++-
 .github/workflows/deploy-api-prod.yaml | 3 ++-
 .github/workflows/deploy-api-test.yaml | 3 ++-
 handlers/authorizer/index.js | 4 ++++
 template.yaml | 3 +++
 5 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/deploy-api-dev.yaml b/.github/workflows/deploy-api-dev.yaml
index 0ccff31..9e36d3d 100644
--- a/.github/workflows/deploy-api-dev.yaml
+++ b/.github/workflows/deploy-api-dev.yaml
@@ -78,8 +78,9 @@ jobs:
 AZURE_OIDC_URL: ${{ secrets.AZURE_OIDC_URL }}
 COGNITO_CALLBACK_URLS: ${{ vars.COGNITO_CALLBACK_URLS }}
 ALLOW_ORIGIN: ${{ vars.ALLOW_ORIGIN }}
+ JWKS: ${{ secrets.JWKS }}
 run: |
- sam deploy --stack-name $STACK_NAME --no-confirm-changeset --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM --parameter-overrides "AllowOrigin=$ALLOW_ORIGIN" "TableName=$TABLE_NAME" "TableNameAudit=$TABLE_NAME_AUDIT" "Stage=$STAGE" "AccountId=$ACCOUNT_ID" "DomainName=$DOMAIN_NAME" "KMSKeyId=$KMS_KEY_ID" "InstanceCount=$INSTANCE_COUNT" "InstanceType=$INSTANCE_TYPE" "OpenSearchMainIndex=$OPEN_SEARCH_MAIN_INDEX" "EBSIops=$EBS_IOPS" "DataRegisterEndpoint=$DATA_REGISTER_ENDPOINT" "DataRegisterApiKey=$DATA_REGISTER_API_KEY" "AzureAppId=$AZURE_APP_ID" "AzureAppSecret=$AZURE_APP_SECRET" "AzureOIDCURL=$AZURE_OIDC_URL" "CognitoCallbackURLs=$COGNITO_CALLBACK_URLS" "Environment=dev"
+ sam deploy --stack-name $STACK_NAME --no-confirm-changeset --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM --parameter-overrides "AllowOrigin=$ALLOW_ORIGIN" "TableName=$TABLE_NAME" "TableNameAudit=$TABLE_NAME_AUDIT" "Stage=$STAGE" "AccountId=$ACCOUNT_ID" "DomainName=$DOMAIN_NAME" "KMSKeyId=$KMS_KEY_ID" "InstanceCount=$INSTANCE_COUNT" "InstanceType=$INSTANCE_TYPE" "OpenSearchMainIndex=$OPEN_SEARCH_MAIN_INDEX" "EBSIops=$EBS_IOPS" "DataRegisterEndpoint=$DATA_REGISTER_ENDPOINT" "DataRegisterApiKey=$DATA_REGISTER_API_KEY" "AzureAppId=$AZURE_APP_ID" "AzureAppSecret=$AZURE_APP_SECRET" "AzureOIDCURL=$AZURE_OIDC_URL" "CognitoCallbackURLs=$COGNITO_CALLBACK_URLS" "Jwks=$JWKS" "Environment=dev"
 # - shell: bash
 # env:
diff --git a/.github/workflows/deploy-api-prod.yaml b/.github/workflows/deploy-api-prod.yaml
index 93d4d6b..5cb1e81 100644
--- a/.github/workflows/deploy-api-prod.yaml
+++ b/.github/workflows/deploy-api-prod.yaml
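Review bot: `$JWKS` is substituted raw inside the `"Jwks=$JWKS"` override on the new `sam deploy` line; a JWKS is a JSON document full of double quotes, commas and spaces, so unless the secret is stored pre-escaped or base64-encoded the `Key=Value` parsing of `--parameter-overrides` is likely to split or truncate it, and CloudFormation caps a String parameter value at 4096 characters, which a key set holding several RSA keys can exceed. Consider keeping the JWKS base64-encoded in the secret (and decoding it in the authorizer), or storing it in SSM Parameter Store / Secrets Manager and passing only the reference; resolving it at runtime from the issuer's `jwks_uri` alongside `AzureOIDCURL` would additionally let key rotation happen without a redeploy. The same change appears in the prod and test workflow hunks below. A JWKS holds public keys, so a `secrets.` entry is fine for log masking but does not by itself make the verification keys trustworthy — what matters is that they come from the expected issuer and that the authorizer fails closed when the value is missing or malformed.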
@@ -84,8 +84,9 @@ jobs:
 AZURE_APP_SECRET: ${{ secrets.AZURE_APP_SECRET }}
 AZURE_OIDC_URL: ${{ secrets.AZURE_OIDC_URL }}
 ALLOW_ORIGIN: ${{ vars.ALLOW_ORIGIN }}
+ JWKS: ${{ secrets.JWKS }}
 run: |
- sam deploy --stack-name $STACK_NAME --no-confirm-changeset --no-fail-on-empty-changeset --parameter-overrides "AllowOrigin=$ALLOW_ORIGIN" "TableName=$TABLE_NAME" "TableNameAudit=$TABLE_NAME_AUDIT" "Stage=$STAGE" "AccountId=$ACCOUNT_ID" "DomainName=$DOMAIN_NAME" "KMSKeyId=$KMS_KEY_ID" "InstanceCount=$INSTANCE_COUNT" "InstanceType=$INSTANCE_TYPE" "OpenSearchMainIndex=$OPEN_SEARCH_MAIN_INDEX" "EBSIops=$EBS_IOPS" "AzureAppId=$AZURE_APP_ID" "AzureAppSecret=$AZURE_APP_SECRET" "AzureOIDCURL=$AZURE_OIDC_URL"
+ sam deploy --stack-name $STACK_NAME --no-confirm-changeset --no-fail-on-empty-changeset --parameter-overrides "AllowOrigin=$ALLOW_ORIGIN" "TableName=$TABLE_NAME" "TableNameAudit=$TABLE_NAME_AUDIT" "Stage=$STAGE" "AccountId=$ACCOUNT_ID" "DomainName=$DOMAIN_NAME" "KMSKeyId=$KMS_KEY_ID" "InstanceCount=$INSTANCE_COUNT" "InstanceType=$INSTANCE_TYPE" "OpenSearchMainIndex=$OPEN_SEARCH_MAIN_INDEX" "EBSIops=$EBS_IOPS" "AzureAppId=$AZURE_APP_ID" "AzureAppSecret=$AZURE_APP_SECRET" "AzureOIDCURL=$AZURE_OIDC_URL" "Jwks=$JWKS"
 # - shell: bash
 # env:
diff --git a/.github/workflows/deploy-api-test.yaml b/.github/workflows/deploy-api-test.yaml
index 9c2bd59..9cae953 100644
--- a/.github/workflows/deploy-api-test.yaml
+++ b/.github/workflows/deploy-api-test.yaml
@@ -87,8 +87,9 @@ jobs:
 AZURE_APP_SECRET: ${{ secrets.AZURE_APP_SECRET }}
 AZURE_OIDC_URL: ${{ secrets.AZURE_OIDC_URL }}
 ALLOW_ORIGIN: ${{ vars.ALLOW_ORIGIN }}
+ JWKS: ${{ secrets.JWKS }}
 run: |
- sam deploy --stack-name $STACK_NAME --no-confirm-changeset --no-fail-on-empty-changeset --parameter-overrides "AllowOrigin=$ALLOW_ORIGIN" "TableName=$TABLE_NAME" "TableNameAudit=$TABLE_NAME_AUDIT" "Stage=$STAGE" "AccountId=$ACCOUNT_ID" "DomainName=$DOMAIN_NAME" "KMSKeyId=$KMS_KEY_ID" "InstanceCount=$INSTANCE_COUNT" "InstanceType=$INSTANCE_TYPE" "OpenSearchMainIndex=$OPEN_SEARCH_MAIN_INDEX" "EBSIops=$EBS_IOPS" "AzureAppId=$AZURE_APP_ID" "AzureAppSecret=$AZURE_APP_SECRET" "AzureOIDCURL=$AZURE_OIDC_URL"
+ sam deploy --stack-name $STACK_NAME --no-confirm-changeset --no-fail-on-empty-changeset --parameter-overrides "AllowOrigin=$ALLOW_ORIGIN" "TableName=$TABLE_NAME" "TableNameAudit=$TABLE_NAME_AUDIT" "Stage=$STAGE" "AccountId=$ACCOUNT_ID" "DomainName=$DOMAIN_NAME" "KMSKeyId=$KMS_KEY_ID" "InstanceCount=$INSTANCE_COUNT" "InstanceType=$INSTANCE_TYPE" "OpenSearchMainIndex=$OPEN_SEARCH_MAIN_INDEX" "EBSIops=$EBS_IOPS" "AzureAppId=$AZURE_APP_ID" "AzureAppSecret=$AZURE_APP_SECRET" "AzureOIDCURL=$AZURE_OIDC_URL" "Jwks=$JWKS"
 # - shell: bash
 # env:
diff --git a/handlers/authorizer/index.js b/handlers/authorizer/index.js
index f780e8e..d79338e 100644
--- a/handlers/authorizer/index.js
+++ b/handlers/authorizer/index.js
@@ -2,6 +2,8 @@ const { logger } = require('/opt/base');
 const TABLE_NAME = process.env.TABLE_NAME;
 const jwt = require('jsonwebtoken');
 const { DynamoDBClient } = require('@aws-sdk/client-dynamodb');
+const jwkToPem = require('jwk-to-pem');
+const crypto = require('crypto');
 exports.handler = async function (event, context, callback) {
 console.log(event);
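Review bot: `crypto` is a Node built-in, so the new require is better written as `const crypto = require('node:crypto');` — the `node:` prefix guarantees the core module is loaded and can never be shadowed by a same-named package pulled in through the handler's dependency tree. `jwk-to-pem` is a third-party module and therefore also has to be declared in the authorizer's package dependencies, which this patch does not show. Neither import is used inside this hunk; presumably both are consumed further down in `validateToken`, which is outside the hunk.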
@@ -103,6 +105,8 @@ function validateToken(token) {
 console.log('kid:', kid);
 // search for the kid in the downloaded public keys
+ const keys = JSON.stringify(process.env.JWKS);
+
 let keyIndex = -1;
 for (let i = 0; i < keys.length; i++) {
 if (kid === keys[i].kid) {
diff --git a/template.yaml b/template.yaml
index ea0f0f5..d79fcfd 100644
--- a/template.yaml
+++ b/template.yaml
@@ -65,6 +65,8 @@ Parameters:
 InstanceType:
 Type: String
 Default: 't3.small.search'
+ Jwks:
+ Type: String
 KMSKeyId:
 Type: String
 Default: 'arn:aws:kms:ca-central-1:637423314715:alias/aws/es'
@@ -362,6 +364,7 @@ Resources:
 COGNITO_APP_CLIENT_ID: !Ref CognitoUserPoolClient
 TABLE_NAME: !Ref TableName
 STAGE_NAME: !Ref Stage
+ JWKS: !Ref Jwks
 SearchFunction:
 FunctionName: SearchFunction
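Review bot: `JSON.stringify(process.env.JWKS)` on the added line turns the environment string into a JSON string literal rather than an object, so `keys.length` is a character count and `keys[i].kid` is always `undefined`; no entry can ever match `kid`, and every token ends up on whatever path `keyIndex === -1` leads to, which is outside this hunk. The intended call is `JSON.parse`, and since a JWKS per RFC 7517 is `{ "keys": [...] }` the array is most likely under `.keys`: `const jwks = JSON.parse(process.env.JWKS ?? '{}');` followed by `const keys = Array.isArray(jwks) ? jwks : (jwks.keys ?? []);` — whether the secret holds the whole document or just the array is not visible here. Parse the value once at module load so a malformed or missing `JWKS` throws at cold start and the authorizer fails closed, rather than re-parsing on every invocation, and update the now-stale comment `// search for the kid in the downloaded public keys` to say the keys come from the `JWKS` environment variable. `validateToken` starts and ends outside the hunk.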
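Review bot: The new `Jwks` parameter is declared as a bare `Type: String` and then injected whole into the Lambda environment as `JWKS: !Ref Jwks` in the second hunk; both paths have hard size limits (CloudFormation parameter values are capped at 4096 characters and a function's environment variables at 4 KB in total), so a key set with more than one or two RSA keys will break the deploy rather than the authorizer. Because a JWKS is public key material `NoEcho` is not required, but a `Description:` stating the expected format (raw JSON vs. base64) would help operators, and if the value can grow, an SSM parameter or Secrets Manager reference read at cold start is the more robust place for it. The `Environment.Variables` block that receives `JWKS` starts outside the hunk.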