From 88f1c4075dc32dec2123cdd16aed8410b8afb734 Mon Sep 17 00:00:00 2001
From: awdem
Date: Tue, 19 Nov 2024 14:30:10 +0000
Subject: [PATCH 1/5] adds basic auth lambda
---
 democracy_club/lambda_basic_auth.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 democracy_club/lambda_basic_auth.py
diff --git a/democracy_club/lambda_basic_auth.py b/democracy_club/lambda_basic_auth.py
new file mode 100644
index 00000000..2bd5051a
--- /dev/null
+++ b/democracy_club/lambda_basic_auth.py
@@ -0,0 +1,21 @@
+def lambda_handler(event, context):
+ headers = event.get("headers", {})
+ auth = headers.get("Authorization")
+ dc_auth = "Basic ZGM6ZGM=" # dc:dc in base64
+
+ if auth == dc_auth:
+ return {
+ "principalId": "dc",
+ "policyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "execute-api:Invoke",
+ "Effect": "Allow",
+ "Resource": "*",
+ }
+ ],
+ },
+ }
+
+ raise Exception("Unauthorized")
From ef36ae3db65a6cb050e67d1f577169fd534df3a3 Mon Sep 17 00:00:00 2001
From: awdem
Date: Tue, 19 Nov 2024 15:42:51 +0000
Subject: [PATCH 2/5] replaces intrinsic api gateway with named one
---
 sam-template.yaml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/sam-template.yaml b/sam-template.yaml
index 898c111c..7bc3ea07 100644
--- a/sam-template.yaml
+++ b/sam-template.yaml
@@ -120,14 +120,25 @@ Resources:
 HTTPRequests:
 Type: Api
 Properties:
+ RestApiId: !Ref WebsiteApiGateway
 Path: /{proxy+}
 Method: ANY
 HTTPRequestRoots:
 Type: Api
 Properties:
+ RestApiId: !Ref WebsiteApiGateway
 Path: /
 Method: ANY
+ WebsiteApiGateway:
+ Type: AWS::Serverless::Api
+ Properties:
+ AlwaysDeploy: True
+ StageName: Prod
+ Cors:
+ AllowMethods: "'GET'"
+ AllowOrigin: "'*'"
+ MaxAge: "'600'"
 DCWebsiteManagementFunction:
 Type: AWS::Serverless::Function
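Review bot: The expected credential `dc_auth = "Basic ZGM6ZGM="` (dc:dc, as the comment says) is hard-coded in the handler and committed to source, and it is checked with a plain `==`; the template already pulls configuration from SSM (`AWS::SSM::Parameter::Value`), so the expected `Authorization` value should reach the function through its environment (the `BASIC_AUTH_HEADER` name below is a placeholder) and be compared with `hmac.compare_digest`, with `import hmac` and `import os` at module top. `headers.get("Authorization")` is case-sensitive and whether the REQUEST-authorizer event preserves the client's header casing is not visible here, so a case-insensitive lookup is the safer form. The returned policy allows `execute-api:Invoke` on `Resource: "*"`; narrowing it to this API's stage (derivable from the event's `methodArn`, with a wildcard for method and path so the cached policy still covers `/{proxy+}`) limits what a cached Allow grants. Raising `Exception("Unauthorized")` is the API Gateway convention for a 401, so that line can stay.
```python
def lambda_handler(event, context):
    headers = event.get("headers") or {}
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None) or ""
    # Expected "Basic <base64>" value comes from the environment, never from source;
    # an unset/empty value denies everything. Constant-time comparison.
    expected = os.environ.get("BASIC_AUTH_HEADER", "")
    if expected and hmac.compare_digest(auth.encode(), expected.encode()):
        # … unchanged: return the Allow policy document …

    raise Exception("Unauthorized")
```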
@@ -171,7 +182,7 @@ Resources:
 Comment: 'Cloudfront Distribution pointing to Lambda origin'
 Origins:
 - Id: Dynamic
- DomainName: !Sub "${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com"
+ DomainName: !Sub "${WebsiteApiGateway}.execute-api.${AWS::Region}.amazonaws.com"
 OriginPath: "/Prod"
 CustomOriginConfig:
 OriginProtocolPolicy: "https-only"
@@ -254,6 +265,6 @@ Resources:
 Outputs:
 DCWebsiteFqdn:
 Description: "API Gateway endpoint FQDN for DC Website function"
- Value: !Sub "${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com"
+ Value: !Sub "${WebsiteApiGateway}.execute-api.${AWS::Region}.amazonaws.com"
 Export:
 Name: !Join [ ":", [ !Ref "AWS::StackName", "DCWebsiteFqdn" ] ]
From 0dc602885ad2890f29c1064a0c96d0e5a6ab89fa Mon Sep 17 00:00:00 2001
From: awdem
Date: Thu, 21 Nov 2024 16:49:07 +0000
Subject: [PATCH 3/5] adds AWS::LanguageExtensions
---
 sam-template.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sam-template.yaml b/sam-template.yaml
index 7bc3ea07..fb3fb503 100644
--- a/sam-template.yaml
+++ b/sam-template.yaml
@@ -1,5 +1,7 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Transform: AWS::Serverless-2016-10-31
+Transform:
+ - AWS::LanguageExtensions
+ - AWS::Serverless-2016-10-31
 Description: "DC Website Django app: Lambda, API Gateway"
 Globals:
From a9bb3b456b078da215625355bd77d6515965dd9a Mon Sep 17 00:00:00 2001
From: awdem
Date: Thu, 21 Nov 2024 16:55:08 +0000
Subject: [PATCH 4/5] adds lambda basic auth to dev and stage deploys
---
 sam-template.yaml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/sam-template.yaml b/sam-template.yaml
index fb3fb503..cae6e688 100644
--- a/sam-template.yaml
+++ b/sam-template.yaml
@@ -80,6 +80,10 @@ Parameters:
 Description: "The DC_ENVIRONMENT environment variable passed to the app."
 Type: AWS::SSM::Parameter::Value
+Conditions:
+ UseBasicAuth: !Or
+ - !Equals [ !Ref DCEnvironment, development ]
+ - !Equals [ !Ref DCEnvironment, staging ]
 Resources:
@@ -141,6 +145,34 @@ Resources:
 AllowMethods: "'GET'"
 AllowOrigin: "'*'"
 MaxAge: "'600'"
+ Auth:
+ DefaultAuthorizer: !If [ UseBasicAuth, "BasicAuthFunction", !Ref AWS::NoValue]
+ Authorizers:
+ BasicAuthFunction:
+ FunctionArn: !GetAtt BasicAuthFunction.Arn
+ FunctionPayloadType: REQUEST
+ Identity:
+ Headers:
+ - Authorization
+ ReauthorizeEvery: 3600
+
+ BasicAuthGatewayResponse:
+ Condition: UseBasicAuth
+ Type: AWS::ApiGateway::GatewayResponse
+ Properties:
+ ResponseParameters:
+ gatewayresponse.header.www-authenticate: "'Basic realm=\"Restricted\"'"
+ ResponseType: UNAUTHORIZED
+ RestApiId: !Ref WebsiteApiGateway
+ StatusCode: '401'
+
+ BasicAuthFunction:
+ Type: AWS::Serverless::Function
+ Properties:
+ Role: !Sub "arn:aws:iam::${AWS::AccountId}:role/DCWebsiteLambdaExecutionRole"
+ CodeUri: ./democracy_club/
+ Handler: lambda_basic_auth.lambda_handler
+ Runtime: python3.12
 DCWebsiteManagementFunction:
 Type: AWS::Serverless::Function
From 0e35a250f606d94195f2cf6870c367ffc963634d Mon Sep 17 00:00:00 2001
From: awdem
Date: Mon, 25 Nov 2024 14:36:43 +0000
Subject: [PATCH 5/5] foward auth header to CF cache for static/* and media/* paths otherwise they'll return 401s
---
 sam-template.yaml | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/sam-template.yaml b/sam-template.yaml
index cae6e688..d27184f1 100644
--- a/sam-template.yaml
+++ b/sam-template.yaml
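Review bot: `BasicAuthFunction` is given `Role: ...role/DCWebsiteLambdaExecutionRole`, which by its name is the role the website function runs under, so the authorizer inherits whatever that role can do; an authorizer only needs to write logs, and it should get its own minimal role (dropping the `Role:` line lets SAM create one with just the basic execution policy). `BasicAuthFunction` and the `Authorizers` entry also lack the `Condition: UseBasicAuth` that `BasicAuthGatewayResponse` carries, so the authorizer function is created in production even though `DefaultAuthorizer` resolves to `AWS::NoValue` there; adding `Condition: UseBasicAuth` to `BasicAuthFunction` needs the `Authorizers` block guarded the same way, since its `!GetAtt BasicAuthFunction.Arn` cannot reference a resource that is not created (whether an `!If` around `Authorizers` is resolved after the `AWS::LanguageExtensions` transform added in the previous patch should be confirmed by a deploy). `ReauthorizeEvery: 3600` caches the Allow decision per `Authorization` header value for an hour, so a changed credential keeps working for already-seen values until the cache expires — worth a comment on that line. The enclosing `WebsiteApiGateway` resource starts outside the hunk.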
@@ -275,14 +275,28 @@ Resources:
 PathPattern: static/*
 TargetOriginId: Dynamic
 Compress: true
- CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6"
+ ForwardedValues:
+ QueryString: true
+ Cookies:
+ Forward: none
+ Headers:
+ - Authorization
+ - Origin
 ViewerProtocolPolicy: "redirect-to-https"
+ MinTTL: '50'
 - AllowedMethods: [ GET, HEAD ]
 PathPattern: media/*
 TargetOriginId: Media
 Compress: true
- CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6"
+ ForwardedValues:
+ QueryString: true
+ Cookies:
+ Forward: none
+ Headers:
+ - Authorization
+ - Origin
 ViewerProtocolPolicy: "redirect-to-https"
+ MinTTL: '50'
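Review bot: Replacing the managed cache policy `658327ea-f89d-4fab-a63d-7e88639e58f6` with legacy `ForwardedValues` makes `Authorization` and `Origin` part of the cache key, which is what a shared-credential gate needs (one cached copy per header value), but `ForwardedValues` is the deprecated configuration model and the block is now duplicated for `static/*` and `media/*`; declaring one `AWS::CloudFront::CachePolicy` whose `HeadersConfig` whitelists those two headers and referencing it from both behaviors via `CachePolicyId: !Ref ...` gives the same cache key on the current API without the copy. The second behavior targets `TargetOriginId: Media`; if that origin is an S3 bucket rather than the API gateway, forwarding `Authorization` is worth testing, since S3 treats that header as AWS request signing and may reject a `Basic` value instead of serving the object. In production (`UseBasicAuth` false) browsers would not normally send `Authorization`, so the only cache-key change there is the `Origin` split. The hunk's trailing context is not visible here, so the end of the `CacheBehaviors` list is assumed.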