Merge pull request #43 from graviavu/main

lkdavies · web-flow · commit 792db6f64fe2 · 2024-06-11T09:39:56.000-07:00
KVS Samples for Conditional Read and JWT Verify
diff --git a/kvs-conditional-read/ABUriMappingFunction.js b/kvs-conditional-read/ABUriMappingFunction.js
@@ -0,0 +1,80 @@
+import cf from 'cloudfront'; 
+
+// Replace KVS_ID with actual KVS ID
+const kvsId = "KVS_ID";
+// enable stickiness by setting a cookie from origin or using another edge function
+const stickinessCookieName = "appversion";
+// set to true to enable console logging
+const loggingEnabled = false;
+   
+// function rewrites the request uri based on configuration in KVS
+// example config in KVS in key:value format
+// "latest": {"a_weightage": .8, "a_url": "v1", "b_url": "v2"}
+// given above key and value in KVS the request uri will be rewritten 
+// for example http(s)://domain/latest/something/else will be rewritten as http(s)://domain/v1/something/else or http(s)://domain/v2/something/else depending on weightage
+// if no configuration is found, then the request is returned as is
+async function handler(event) {
+    // NOTE: This example function is for a viewer request event trigger. 
+    // Choose viewer request for event trigger when you associate this function with a distribution. 
+    const request = event.request;
+    const pathSegments = request.uri.split('/');
+    const key = pathSegments[1];
+    
+    // if empty path segment or if there is valid stickiness cookie 
+    // then skip call to KVS and let the request continue.
+    if (!key || hasValidSticknessCookie(request.cookies[stickinessCookieName], key)) {
+        return event.request;
+    }
+
+    try {
+        // get the prefix replacement from KVS
+        const replacement = await getPathPrefixByWeightage(key);
+        if (!replacement) {
+            return event.request;
+        }
+        //Replace the first path with the replacement 
+        pathSegments[1] = replacement;
+        log(`using prefix ${pathSegments[1]}`)
+        const newUri = pathSegments.join('/');
+        log(`${request.uri} -> ${newUri}`);
+        request.uri = newUri;
+
+        return request;
+    } catch (err) {
+        // No change to the path if the key is not found or any other error
+        log(`request uri: ${request.uri}, error: ${err}`);
+    }
+    // no change to path - return request 
+    return event.request;
+}
+
+// function to get the prefix from KVS
+async function getPathPrefixByWeightage(key) {
+    const kvsHandle = cf.kvs(kvsId);
+    // get the weightage config from KVS
+    const kvsResponse = await kvsHandle.get(key);
+    const weightageConfig = JSON.parse(kvsResponse);
+    // no configuration - return null    
+    if (!weightageConfig || !isFinite(weightageConfig.a_weightage)) {
+        return null;
+    } 
+    // return the url based on weightage
+    // return null if no url is configured
+    if (Math.random() <= weightageConfig.a_weightage) {
+        return weightageConfig.a_url ? weightageConfig.a_url: null;
+    } else {
+        return weightageConfig.b_url ? weightageConfig.b_url : null;
+    }
+}
+
+// function to check if the stickiness cookie is valid
+function hasValidSticknessCookie(stickinessCookie, pathSegment) {
+    // if the value exists and it matches pathSegment
+    return (stickinessCookie && stickinessCookie.value === pathSegment)
+}
+
+function log(message) {
+    if (loggingEnabled) {
+        console.log(message);
+    }
+}
diff --git a/kvs-jwt-verify/generate-jwt.sh b/kvs-jwt-verify/generate-jwt.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+#
+# JWT Encoder Bash Script
+#
+
+secret='REPLACE_WITH_YOUR_KEY'
+
+# initialize time as epoch milliseconds
+time=$(date +%s)
+exp=$(($time+3600))
+# Static header fields.
+header='{
+  "alg": "HS256",
+  "typ": "JWT"
+}'
+
+
+payload='{
+  "sub": "1234567890",
+  "name": "John Doe",
+  "iat": 1516239022, 
+  "nbf" : 161623932,
+  "exp" :EXP_TIME 
+}'
+
+# Replace EPOCH_TIME with the actual epoch time.
+payload=$(echo "${payload}" | sed "s/EXP_TIME/${exp}/g")
+
+
+base64_encode()
+{
+    declare input=${1:-$(</dev/stdin)}
+    # Use `tr` to URL encode the output from base64.
+    printf '%s' "${input}" | base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'
+}
+
+json() {
+    declare input=${1:-$(</dev/stdin)}
+    printf '%s' "${input}"
+}
+
+hmacsha256_sign()
+{
+    declare input=${1:-$(</dev/stdin)}
+    printf '%s' "${input}" | openssl dgst -binary -sha256 -hmac "${secret}"
+}
+
+header_base64=$(echo "${header}" | json | base64_encode)
+payload_base64=$(echo "${payload}" | json | base64_encode)
+
+header_payload=$(echo "${header_base64}.${payload_base64}")
+signature=$(echo "${header_payload}" | hmacsha256_sign | base64_encode)
+
+echo "${header_payload}.${signature}"
diff --git a/kvs-jwt-verify/verify-jwt.js b/kvs-jwt-verify/verify-jwt.js
@@ -0,0 +1,146 @@
+import crypto from 'crypto';
+import cf from 'cloudfront';
+
+// updated the original example from below URL to use KVS 
+// https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example-function-validate-token.html
+
+//Response when JWT is not valid.
+const response401 = {
+    statusCode: 401,
+    statusDescription: 'Unauthorized'
+};
+
+// Replace the KVS_ID with your KVS ID
+const kvsId = "KVS_ID";
+const kvsKey = 'jwt.secret';
+// set to true to enable console logging
+const loggingEnabled = false;
+
+
+function jwt_decode(token, key, noVerify, algorithm) {
+    // check token
+    if (!token) {
+        throw new Error('No token supplied');
+    }
+    // check segments
+    const segments = token.split('.');
+    if (segments.length !== 3) {
+        throw new Error('Not enough or too many segments');
+    }
+
+    // All segment should be base64
+    const headerSeg = segments[0];
+    const payloadSeg = segments[1];
+    const signatureSeg = segments[2];
+
+    // base64 decode and parse JSON
+    const payload = JSON.parse(_base64urlDecode(payloadSeg));
+
+    if (!noVerify) {
+        const signingMethod = 'sha256';
+        const signingType = 'hmac';
+
+        // Verify signature. `sign` will return base64 string.
+        const signingInput = [headerSeg, payloadSeg].join('.');
+
+        if (!_verify(signingInput, key, signingMethod, signingType, signatureSeg)) {
+            throw new Error('Signature verification failed');
+        }
+
+        // Support for nbf and exp claims.
+        // According to the RFC, they should be in seconds.
+        if (payload.nbf && Date.now() < payload.nbf*1000) {
+            throw new Error('Token not yet active');
+        }
+
+        if (payload.exp && Date.now() > payload.exp*1000) {
+            throw new Error('Token expired');
+        }
+    }
+
+    return payload;
+}
+
+//Function to ensure a constant time comparison to prevent
+//timing side channels.
+function _constantTimeEquals(a, b) {
+    if (a.length != b.length) {
+        return false;
+    }
+    
+    let xor = 0;
+    for (let i = 0; i < a.length; i++) {
+    xor |= (a.charCodeAt(i) ^ b.charCodeAt(i));
+    }
+    
+    return 0 === xor;
+}
+
+function _verify(input, key, method, type, signature) {
+    if(type === "hmac") {
+        return _constantTimeEquals(signature, _sign(input, key, method));
+    }
+    else {
+        throw new Error('Algorithm type not recognized');
+    }
+}
+
+function _sign(input, key, method) {
+    return crypto.createHmac(method, key).update(input).digest('base64url');
+}
+
+function _base64urlDecode(str) {
+    return Buffer.from(str, 'base64url')
+}
+
+async function handler(event) {
+    let request = event.request;
+
+    //Secret key used to verify JWT token.
+    //Update with your own key.
+    const secret_key = await getSecret()
+
+    if(!secret_key) {
+        return response401;
+    }
+
+    // If no JWT token, then generate HTTP redirect 401 response.
+    if(!request.querystring.jwt) {
+        log("Error: No JWT in the querystring");
+        return response401;
+    }
+
+    const jwtToken = request.querystring.jwt.value;
+
+    try{ 
+        jwt_decode(jwtToken, secret_key);
+    }
+    catch(e) {
+        log(e);
+        return response401;
+    }
+
+    //Remove the JWT from the query string if valid and return.
+    delete request.querystring.jwt;
+    log("Valid JWT token");
+    return request;
+}
+
+// get secret from key value store 
+async function getSecret() {
+    // initialize cloudfront kv store and get the key value 
+    try {
+        const kvsHandle = cf.kvs(kvsId);
+        return await kvsHandle.get(kvsKey);
+    } catch (err) {
+        log(`Error reading value for key: ${kvsKey}, error: ${err}`);
+        return null;
+    }
+
+}
+
+function log(message) {
+    if (loggingEnabled) {
+        console.log(message);
+    }
+}
