diff --git a/Cargo.lock b/Cargo.lock index 87d9ba0..f831689 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1427,7 +1427,7 @@ dependencies = [ [[package]] name = "oidc-authorizer" -version = "0.1.0" +version = "0.1.1" dependencies = [ "chrono", "futures-util", diff --git a/Cargo.toml b/Cargo.toml index 26d3096..0e81da4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "oidc-authorizer" -version = "0.1.0" +version = "0.1.1" edition = "2021" license = "MIT" diff --git a/docs/deploy.md b/docs/deploy.md index 2fbdc4d..cacf311 100644 --- a/docs/deploy.md +++ b/docs/deploy.md @@ -1,16 +1,18 @@ # Deploy -There are a few different ways of getting and using the binary for this Lambda function: - - 1. [From SAR (Serverless Application Repository)](#deploy-from-sar-serverless-application-repository) - 2. [Download a pre-built binary from GitHub](#download-a-pre-built-binary-from-github) - 3. [Build the binary yourself](#build-the-binary-yourself) - 4. [Other approaches](#other-approaches) +There are a few different ways of getting and using the binary for this Lambda +function: +1. [From SAR (Serverless Application Repository)](#deploy-from-sar-serverless-application-repository) +2. [Download a pre-built binary from GitHub](#download-a-pre-built-binary-from-github) +3. [Build the binary yourself](#build-the-binary-yourself) +4. [Other approaches](#other-approaches) ## Deploy from SAR (Serverless Application Repository) -This Lambda is [hosted on SAR](https://serverlessrepo.aws.amazon.com/applications/eu-west-1/795006566846/oidc-authorizer) which means you can deploy it directly from there. +This Lambda is +[hosted on SAR](https://serverlessrepo.aws.amazon.com/applications/eu-west-1/795006566846/oidc-authorizer) +which means you can deploy it directly from there. ### Use the SAR application with SAM: @@ -26,7 +28,7 @@ Resources: Properties: Location: ApplicationId: arn:aws:serverlessrepo:eu-west-1:795006566846:applications/oidc-authorizer - SemanticVersion: 0.1.0 # ⬅️ CHANGE: SPECIFY THE EXACT VERSION + SemanticVersion: 0.1.1 # ⬅️ CHANGE: SPECIFY THE EXACT VERSION Parameters: # 👀 CHANGE THE FOLLOWING PARAMETERS AcceptedAlgorithms: "" @@ -53,20 +55,24 @@ Resources: FunctionArn: !GetAtt oidcauthorizer.Outputs.OidcAuthorizerArn # ⬅️ This is how your reference the actual lambda deployed by the SAR app ``` -To deploy this stack with sam you'll need to enable the following capabilites: `CAPABILITY_AUTO_EXPAND`, `CAPABILITY_NAMED_IAM`, and `CAPABILITY_IAM`. +To deploy this stack with sam you'll need to enable the following capabilites: +`CAPABILITY_AUTO_EXPAND`, `CAPABILITY_NAMED_IAM`, and `CAPABILITY_IAM`. -A full example is available in the [`examples` folder](https://github.com/lmammino/oidc-authorizer/blob/main/examples/sam-from-sar/template.yml). +A full example is available in the +[`examples` folder](https://github.com/lmammino/oidc-authorizer/blob/main/examples/sam-from-sar/template.yml). ### Use the SAR application with CDK: -The following snippet shows how to use the SAR application with CDK (using Typescript): +The following snippet shows how to use the SAR application with CDK (using +Typescript): ```typescript // import the authorizer lambda for the Serverless Application Repository -const authorizerApp = new cdk.aws_sam.CfnApplication(this, 'AuthorizerApp', { +const authorizerApp = new cdk.aws_sam.CfnApplication(this, "AuthorizerApp", { location: { - applicationId: 'arn:aws:serverlessrepo:eu-west-1:795006566846:applications/oidc-authorizer', - semanticVersion: '0.1.0' // 👀 CHANGE ME + applicationId: + "arn:aws:serverlessrepo:eu-west-1:795006566846:applications/oidc-authorizer", + semanticVersion: "0.1.1", // 👀 CHANGE ME }, parameters: { // 👀 CHANGE THE FOLLOWING PARAMETERS @@ -74,34 +80,39 @@ const authorizerApp = new cdk.aws_sam.CfnApplication(this, 'AuthorizerApp', { AcceptedAudiences: "", AcceptedIssuers: "", DefaultPrincipalId: "unknown", - JwksUri: "https://login.microsoftonline.com/3e4abf5a-fdc9-485c-9853-af03c4a32976/discovery/v2.0/keys", + JwksUri: + "https://login.microsoftonline.com/3e4abf5a-fdc9-485c-9853-af03c4a32976/discovery/v2.0/keys", MinRefreshRate: "900", PrincipalIdClaims: "preferred_username, sub", // The amount of memory (in MB) to give to the authorizer Lambda. LambdaMemorySize: "128", // The timeout to give to the authorizer Lambda. - LambdaTimeout: "3" - } -}) + LambdaTimeout: "3", + }, +}); -const lambdaAuthorizer = aws_lambda.Function.fromFunctionAttributes(this, 'AuthorizerFunction', { - functionArn: authorizerApp.getAtt('Outputs.OidcAuthorizerArn').toString(), - sameEnvironment: true, // Note: this is important since the lambda is created in another stack we need to make sure CDK knows it's in the same region -}) +const lambdaAuthorizer = aws_lambda.Function.fromFunctionAttributes( + this, + "AuthorizerFunction", + { + functionArn: authorizerApp.getAtt("Outputs.OidcAuthorizerArn").toString(), + sameEnvironment: true, // Note: this is important since the lambda is created in another stack we need to make sure CDK knows it's in the same region + }, +); // creates the authorizer definition -const authorizer = new aws_apigw.TokenAuthorizer(this, 'Authorizer', { +const authorizer = new aws_apigw.TokenAuthorizer(this, "Authorizer", { handler: lambdaAuthorizer, - identitySource: aws_apigw.IdentitySource.header('authorization'), - authorizerName: 'OidcAuthorizer', + identitySource: aws_apigw.IdentitySource.header("authorization"), + authorizerName: "OidcAuthorizer", }); // Your API is here -const apiGw = new aws_apigw.RestApi(this, 'api', { - restApiName: 'OIDC Authorizer Demo', - description: 'A demo app to test the OIDC authorizer', +const apiGw = new aws_apigw.RestApi(this, "api", { + restApiName: "OIDC Authorizer Demo", + description: "A demo app to test the OIDC authorizer", deployOptions: { - stageName: 'prod', + stageName: "prod", }, defaultCorsPreflightOptions: { allowOrigins: aws_apigw.Cors.ALL_ORIGINS, @@ -111,63 +122,64 @@ const apiGw = new aws_apigw.RestApi(this, 'api', { deploy: true, }); -const sampleApiLambda1 = new aws_lambda.Function(this, 'sampleApiLambda1', { +const sampleApiLambda1 = new aws_lambda.Function(this, "sampleApiLambda1", { runtime: aws_lambda.Runtime.PYTHON_3_9, - handler: 'index.handler', + handler: "index.handler", code: aws_lambda.Code.fromInline(` def handler(event, context): return {'body': 'Hello from endpoint1!', 'statusCode': 200} -`) +`), }); -const sampleApiLambda2 = new aws_lambda.Function(this, 'sampleApiLambda2', { +const sampleApiLambda2 = new aws_lambda.Function(this, "sampleApiLambda2", { runtime: aws_lambda.Runtime.PYTHON_3_9, - handler: 'index.handler', + handler: "index.handler", code: aws_lambda.Code.fromInline(` def handler(event, context): return {'body': 'Hello ' + event['requestContext']['authorizer']['principalId'] + ' from endpoint2! These are your claims: ' + event['requestContext']['authorizer']['jwtClaims'], 'statusCode': 200} -`) +`), }); apiGw .root - .addResource('1') - .addMethod('GET', new aws_apigw.LambdaIntegration(sampleApiLambda1), { + .addResource("1") + .addMethod("GET", new aws_apigw.LambdaIntegration(sampleApiLambda1), { authorizer: authorizer, authorizationType: aws_apigw.AuthorizationType.CUSTOM, }); apiGw .root - .addResource('2') - .addMethod('GET', new aws_apigw.LambdaIntegration(sampleApiLambda2), { + .addResource("2") + .addMethod("GET", new aws_apigw.LambdaIntegration(sampleApiLambda2), { authorizer: authorizer, authorizationType: aws_apigw.AuthorizationType.CUSTOM, }); -const apiGwEndpoint1Output = new cdk.CfnOutput(this, 'ApiEndpoint1', { - description: 'API Gateway endpoint 1', - value: `${apiGw.url}1` +const apiGwEndpoint1Output = new cdk.CfnOutput(this, "ApiEndpoint1", { + description: "API Gateway endpoint 1", + value: `${apiGw.url}1`, }); -const apiGwEndpoint2Output = new cdk.CfnOutput(this, 'ApiEndpoint2', { - description: 'API Gateway endpoint 2', - value: `${apiGw.url}2` +const apiGwEndpoint2Output = new cdk.CfnOutput(this, "ApiEndpoint2", { + description: "API Gateway endpoint 2", + value: `${apiGw.url}2`, }); ``` -A full example is available in the [`examples` folder](https://github.com/lmammino/oidc-authorizer/blob/main/examples/cdk-from-sar/lib/cdk-stacks.ts). - - -> **Note** -If you don't want to use the public SAR application, you can [publish your own](#maintain-your-own-sar-application). +A full example is available in the +[`examples` folder](https://github.com/lmammino/oidc-authorizer/blob/main/examples/cdk-from-sar/lib/cdk-stacks.ts). +> **Note** If you don't want to use the public SAR application, you can +> [publish your own](#maintain-your-own-sar-application). ## Download a pre-built binary from GitHub -Every new release of this project is automatically built and published to GitHub as a release asset. +Every new release of this project is automatically built and published to GitHub +as a release asset. -You can easily download the `ARM64` binary for a given release by using the following URL template: +You can easily download the `ARM64` binary for a given release by using the +following URL template: ```plain https://github.com/lmammino/oidc-authorizer/releases/download//bootstrap.zip @@ -175,7 +187,9 @@ https://github.com/lmammino/oidc-authorizer/releases/download//bootstra Make sure to replace `` with the actual version you intend to use. -Once you download the binary, you can easily add it to your project and reference it in your SAM template, CDK project, Terraform configuration or whatever you are using to deploy your Lambda functions. +Once you download the binary, you can easily add it to your project and +reference it in your SAM template, CDK project, Terraform configuration or +whatever you are using to deploy your Lambda functions. Just make sure to define set the following Lambda properties as follow: @@ -186,23 +200,25 @@ Runtime: provided.al2 Architectures: [arm64] ``` -> **Note** -`x86` binaries are currently not provided. If you want to use those, you have to build them by yourself. - +> **Note** `x86` binaries are currently not provided. If you want to use those, +> you have to build them by yourself. ## Build the binary yourself -If you have the [Rust toolchain](https://rustup.rs/) and [Cargo Lambda](https://www.cargo-lambda.info/) installed in your system. You can compile the binary yourself with the following command: +If you have the [Rust toolchain](https://rustup.rs/) and +[Cargo Lambda](https://www.cargo-lambda.info/) installed in your system. You can +compile the binary yourself with the following command: ```bash cargo lambda build --arm64 --release ``` -The compiled binary will be available in `target/lambda/oidc-authorizer/bootstrap`. - -> **Note**: -`cargo lambda` also allows you to cross-compile for other architectures and operative systems. [Check out the official documentation to learn how to do that](https://www.cargo-lambda.info/guide/cross-compiling.html). +The compiled binary will be available in +`target/lambda/oidc-authorizer/bootstrap`. +> **Note**: `cargo lambda` also allows you to cross-compile for other +> architectures and operative systems. +> [Check out the official documentation to learn how to do that](https://www.cargo-lambda.info/guide/cross-compiling.html). ## Other approaches @@ -210,8 +226,10 @@ Other ways of building and deploying the Lambda function. ### Maintain your own SAR application -This application is already published to SAR and [you can deploy it directly from there](#deploy-from-sar-serverless-application-repository). -But, if you want to publish and maintain your own version, here's how you can do it. +This application is already published to SAR and +[you can deploy it directly from there](#deploy-from-sar-serverless-application-repository). +But, if you want to publish and maintain your own version, here's how you can do +it. #### 1. Create a new S3 bucket and give it the right permissions @@ -223,30 +241,32 @@ Then apply the following policy to the bucket: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "serverlessrepo.amazonaws.com" - }, - "Action": "s3:GetObject", - "Resource": "arn:aws:s3:::${YOUR_OWN_BUCKET_NAME}/*", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "${YOUR_OWN_ACCOUNT}" - } - } + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "serverlessrepo.amazonaws.com" + }, + "Action": "s3:GetObject", + "Resource": "arn:aws:s3:::${YOUR_OWN_BUCKET_NAME}/*", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "${YOUR_OWN_ACCOUNT}" } - ] + } + } + ] } ``` -Make sure to replace both `${YOUR_OWN_BUCKET_NAME}` and `${YOUR_OWN_ACCOUNT}` with the right values. +Make sure to replace both `${YOUR_OWN_BUCKET_NAME}` and `${YOUR_OWN_ACCOUNT}` +with the right values. #### 2. Build the lambda -Requires the Rust toolchain to be installed, an updated version of `cargo-lambda` and `sam`: +Requires the Rust toolchain to be installed, an updated version of +`cargo-lambda` and `sam`: ```bash sam build @@ -261,4 +281,4 @@ Make sure to replace `${YOUR_OWN_BUCKET_NAME}` with the right value. sam publish --template .aws-sam/packaged.yml --region ${YOUR_OWN_REGION} ``` -Make sure to replace `${YOUR_OWN_REGION}` with the right value. \ No newline at end of file +Make sure to replace `${YOUR_OWN_REGION}` with the right value. diff --git a/examples/cdk-from-sar/cloudformation.yaml b/examples/cdk-from-sar/cloudformation.yaml index ce7f856..a84f99d 100644 --- a/examples/cdk-from-sar/cloudformation.yaml +++ b/examples/cdk-from-sar/cloudformation.yaml @@ -5,7 +5,7 @@ Resources: Properties: Location: ApplicationId: arn:aws:serverlessrepo:eu-west-1:795006566846:applications/oidc-authorizer - SemanticVersion: 0.1.0 + SemanticVersion: 0.1.1 Parameters: AcceptedAlgorithms: "" AcceptedAudiences: "" @@ -293,7 +293,7 @@ Resources: Properties: Code: ZipFile: | - + def handler(event, context): return {'body': 'Hello from endpoint1!', 'statusCode': 200} Handler: index.handler @@ -329,7 +329,7 @@ Resources: Properties: Code: ZipFile: | - + def handler(event, context): return {'body': 'Hello ' + event['requestContext']['authorizer']['principalId'] + ' from endpoint2! These are your claims: ' + event['requestContext']['authorizer']['jwtClaims'], 'statusCode': 200} @@ -488,4 +488,3 @@ Rules: - "5" - Ref: BootstrapVersion AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI. - diff --git a/examples/cdk-from-sar/lib/cdk-stack.ts b/examples/cdk-from-sar/lib/cdk-stack.ts index ff7a5f5..587cf16 100644 --- a/examples/cdk-from-sar/lib/cdk-stack.ts +++ b/examples/cdk-from-sar/lib/cdk-stack.ts @@ -11,7 +11,7 @@ export class CdkStack extends cdk.Stack { const authorizerApp = new cdk.aws_sam.CfnApplication(this, 'AuthorizerApp', { location: { applicationId: 'arn:aws:serverlessrepo:eu-west-1:795006566846:applications/oidc-authorizer', - semanticVersion: '0.1.0' // 👀 CHANGE ME + semanticVersion: '0.1.1' // 👀 CHANGE ME }, parameters: { // 👀 CHANGE THE FOLLOWING PARAMETERS diff --git a/examples/sam-from-sar/template.yml b/examples/sam-from-sar/template.yml index 9261e14..9ae211d 100644 --- a/examples/sam-from-sar/template.yml +++ b/examples/sam-from-sar/template.yml @@ -24,7 +24,7 @@ Resources: Properties: Location: ApplicationId: arn:aws:serverlessrepo:eu-west-1:795006566846:applications/oidc-authorizer - SemanticVersion: 0.1.0 # 👀 CHANGE ME + SemanticVersion: 0.1.1 # 👀 CHANGE ME Parameters: # 👀 CHANGE THE FOLLOWING PARAMETERS AcceptedAlgorithms: "" diff --git a/template.yml b/template.yml index a0baa19..2264d43 100644 --- a/template.yml +++ b/template.yml @@ -11,7 +11,7 @@ Metadata: ReadmeUrl: README.md Labels: ["apigateway", "authorizer", "lambda", "oidc"] HomePageUrl: https://github.com/lmammino/oidc-authorizer - SemanticVersion: 0.1.0 + SemanticVersion: 0.1.1 SourceCodeUrl: https://github.com/lmammino/oidc-authorizer Parameters: