From f679a3e5a4e09afa0cfcaa0321aa0900f2c2b83e Mon Sep 17 00:00:00 2001 From: Jonathan Petto Date: Fri, 14 Feb 2025 14:16:24 -0600 Subject: [PATCH 1/3] chore: add section manager lambda key id to config --- src/config.ts | 11 ++++++++++- src/jwtUtils.spec.ts | 10 +++++++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/src/config.ts b/src/config.ts index ed0dfc9b..3766b8df 100644 --- a/src/config.ts +++ b/src/config.ts @@ -26,8 +26,10 @@ const config = { //Mozilla Auth Proxy supports a larger number of user groups for a user. cognito: { jwtIssuer: + // COGNITO_JWT_ISSUER is not set in this repo (or anywhere?) process.env.COGNITO_JWT_ISSUER || 'cognito-idp.us-east-1.amazonaws.com/us-east-1_1alKls4qw', + // COGNITO_KIDS is not set in this repo (or anywhere?) kids: process.env.COGNITO_KIDS?.split(',') || [ 'kze4M0CiXoDO7Qkpig1oH0F6OInzZg6ugk0PyojOlzc=', '4w35mrh4EBECpjJnyIjdQ60yjh3xeI1m0VF1H/z0T/c=', 
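Review bot: The new comments on `jwtIssuer` and `kids` record a question ("or anywhere?") rather than a fact, so the next reader still cannot tell whether the hard-coded literal is the effective production value or an env override exists somewhere. Either verify it and say so — e.g. `// No deployment sets COGNITO_JWT_ISSUER; the literal below is the effective value` — or make it a TODO with an owner rather than leaving the uncertainty in the code. Separately, `process.env.COGNITO_KIDS?.split(',')` yields `['']` when the variable is set but empty, which would silently replace the allowlist with a single empty key id instead of falling back to the literals; if that override is ever wired up it needs an explicit length check. The enclosing `config` object starts and ends outside this hunk.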
@@ -35,22 +37,29 @@ const config = { }, mozillaAuthProxy: { jwtIssuer: + // MOZILLA_AUTH_PROXY_JWT_ISSUER is not set in this repo (or anywhere?) process.env.MOZILLA_AUTH_PROXY_JWT_ISSUER || 'cognito-idp.us-east-1.amazonaws.com/us-east-1_qYkccPmmu', + // MOZILLA_AUTH_PROXY_KIDS is not set in this repo (or anywhere?) kids: process.env.MOZILLA_AUTH_PROXY_KIDS?.split(',') || [ 'OR8erz5A8/hCkVdHczk879k2zUQXoAke9p8TQXsgKLQ=', 'QtBbT/twDz6JmT99PQkAOB+QBhG4eJvxk8pOr7YzfWU=', ], }, pocket: { + // POCKET_JWT_ISSUER is not set in this repo (or anywhere?) jwtIssuer: process.env.POCKET_JWT_ISSUER || 'getpocket.com', kids: + // POCKET_KIDS is not set in this repo (or anywhere?) process.env.POCKET_KIDS?.split(',') || + // if you add a new JWK to https://github.com/Pocket/dotcom-gateway/blob/main/static/.well-known/jwk + // you must also specify it here for the environment you want process.env.NODE_ENV === 'production' - ? ['CURMIG', 'CORPSL'] + ? ['CURMIG', 'CORPSL', 'SEMGRL'] : ['CMGDEV', 'CORDEV'], }, defaultKid: + // DEFAULT_KID is not set in this repo (or anywhere?) process.env.DEFAULT_KID || 'OR8erz5A8/hCkVdHczk879k2zUQXoAke9p8TQXsgKLQ=', }, }; diff --git a/src/jwtUtils.spec.ts b/src/jwtUtils.spec.ts index 6a66a027..879924f2 100644 --- a/src/jwtUtils.spec.ts +++ b/src/jwtUtils.spec.ts 
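Review bot: Adding `'SEMGRL'` to the production `pocket.kids` list widens the set of signers whose JWTs this service accepts, yet nothing in the list says which service owns each id, so a later reviewer cannot tell which entry to drop when a key is retired. Suggest annotating each entry inline, e.g. `'SEMGRL', // section manager lambda (prod)` — the commit title is currently the only place that mapping is recorded. The new pointer to the dotcom-gateway JWK file is useful; it would be worth stating there whether this list is an allowlist enforced on top of the JWKS or only a hint, which depends on how `jwtUtils` consumes it and is not visible in this hunk. The enclosing `config` object starts outside this hunk.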
@@ -145,6 +145,14 @@ describe('jwtUtils', () => { alg: 'RS256', n: 'q8ft1Rs-kUFWlsiGZeZLgc85iNi3dKWQUhAurSfh00q7oltZFam4djkwLMfTJ2mTlobMMXYppilGN_liZkRZg8W3hFxYY_lwGseDvCtiUMXrPDauF4fjCxnc3RNFsaeqfouOsTktBVuwGC2j-aEPVbdyIqppZ3kwkiRRkYioJae4I1Djabzc8Q48VhVbuWDc1-QWpyGHel73mUFVbLPleLqu-4-LrDquaxRDrd65d3CP0LpYwQSzb6bsVvvCB0YSJKCi1top-ZkrVfw_O0toukAJIK-QN7vxcOga_CEraa-J-I9VdEtY0gjsO_70FZ9BNueBMpCJoGbrMQR923YxBQ', }, + { + kty: 'RSA', + e: 'AQAB', + use: 'sig', + kid: 'SEMGRL', + alg: 'RS256', + n: 'sjOK-Rmytt_g8F-9FImGHCKwkPBlgr_DpBTw3Y5esLYTJAqXsQwGtJf2OR4azGcbec5796fE9lhnLEmi6MFz0oBDxhPHwMCyf9DBZhsCVUmAIysosOqeDdxFB_9upCCcYvMpty8hrgoJp9U01ITnYVxRYCSwnJnjJFkxyA2ZXhlMjYwI0W5qo9tUXMwyEnt8408gK_etKrj6A24-oxMpau_gSxSgZDxAi2vpNEapX-hYV0grofnEy25dtHu_5xVVPlDpeQzGWdfRbFQKJKv8km3wvgvv0CsC-CukPZd40kHQiq71a47zNL4OyM-FcGt_KfuZDuFy79g5I8KEFsZOJw', + }, ], }; @@ -162,7 +170,7 @@ describe('jwtUtils', () => { 'QtBbT/twDz6JmT99PQkAOB+QBhG4eJvxk8pOr7YzfWU=', ...(env === 'development' ? ['CMGDEV', 'CORDEV'] - : ['CURMIG', 'CORPSL']), + : ['CURMIG', 'CORPSL', 'SEMGRL']), ]; const cognitoMock = nock('https://' + config.auth.cognito.jwtIssuer) From 9d8ffe7516dd9f04d1b2ca7bcc193418fa00ff5e Mon Sep 17 00:00:00 2001 From: Jonathan Petto Date: Fri, 14 Feb 2025 14:50:51 -0600 Subject: [PATCH 2/3] remove terraform cloud for incident management. - should be no terraform changes! - see also https://github.com/Pocket/content-monorepo/pull/253 --- .aws/src/main.ts | 26 +++----------------------- 1 file changed, 3 insertions(+), 23 deletions(-) diff --git a/.aws/src/main.ts b/.aws/src/main.ts index 25cd6e26..74a6eaf6 100644 --- a/.aws/src/main.ts +++ b/.aws/src/main.ts @@ -1,10 +1,5 @@ import { Construct } from 'constructs'; -import { - App, - DataTerraformRemoteState, - S3Backend, - TerraformStack, -} from 'cdktf'; +import { App, S3Backend, TerraformStack } from 'cdktf'; import { AwsProvider, datasources, kms, sns } from '@cdktf/provider-aws'; import { config } from './config'; import { 
@@ -91,27 +86,12 @@ class AdminAPI extends TerraformStack { return null; } - const incidentManagement = new DataTerraformRemoteState( - this, - 'incident_management', - { - organization: 'Pocket', - workspaces: { - name: 'incident-management', - }, - }, - ); - return new PocketPagerDuty(this, 'pagerduty', { prefix: config.prefix, service: { // This is a Tier 2 service and as such only raises non-critical alarms. - criticalEscalationPolicyId: incidentManagement - .get('policy_default_non_critical_id') - .toString(), - nonCriticalEscalationPolicyId: incidentManagement - .get('policy_default_non_critical_id') - .toString(), + criticalEscalationPolicyId: 'PXOQVEP', + nonCriticalEscalationPolicyId: 'PXOQVEP', }, }); } From dc0393e8d8460b69c3ae15965722c20ba58a326b Mon Sep 17 00:00:00 2001 From: Jonathan Petto Date: Fri, 14 Feb 2025 17:35:41 -0600 Subject: [PATCH 3/3] - add section manager lambda dev jwt - clean up a buggy spec test --- src/config.ts | 2 +- src/jwtUtils.spec.ts | 10 +++++++++- src/server/context.ts | 6 ++++-- src/server/main.spec.ts | 9 +++++++-- 4 files changed, 21 insertions(+), 6 deletions(-) diff --git a/src/config.ts b/src/config.ts index 3766b8df..aa7e0e84 100644 --- a/src/config.ts +++ b/src/config.ts @@ -56,7 +56,7 @@ const config = { // you must also specify it here for the environment you want process.env.NODE_ENV === 'production' ? ['CURMIG', 'CORPSL', 'SEMGRL'] - : ['CMGDEV', 'CORDEV'], + : ['CMGDEV', 'CORDEV', 'SMGRDV'], }, defaultKid: // DEFAULT_KID is not set in this repo (or anywhere?) diff --git a/src/jwtUtils.spec.ts b/src/jwtUtils.spec.ts index 879924f2..7460e143 100644 --- a/src/jwtUtils.spec.ts +++ b/src/jwtUtils.spec.ts 
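Review bot: `'PXOQVEP'` is now a bare magic string used twice, with nothing recording which PagerDuty escalation policy it is or where it came from; the removed remote-state lookup at least named it `policy_default_non_critical_id`. Suggest hoisting it once with that provenance, e.g. `// PagerDuty "default non-critical" escalation policy (was policy_default_non_critical_id in the incident-management workspace)` above `const escalationPolicyId = 'PXOQVEP';`, and using it for both fields — or moving it into `./config` next to `prefix` so it lives with the other environment values. Using the same policy for `criticalEscalationPolicyId` matches the previous behavior and the Tier 2 comment, so that part is fine. The enclosing method starts outside this hunk.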
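Review bot: `'SMGRDV'` lands in the branch taken whenever `NODE_ENV` is anything other than `'production'`, so the dev key id is accepted in test, staging, or an unset-`NODE_ENV` deployment as well, not only in local development. If that is intended, a comment such as `// accepted in every non-production environment (NODE_ENV !== 'production')` above the ternary would make it explicit; if not, the condition needs to distinguish dev from the other non-prod environments. As with the production list, noting the owning service next to the id (`'SMGRDV', // section manager lambda (dev)`) would help later cleanup. The enclosing `config` object starts and ends outside this hunk.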
@@ -153,6 +153,14 @@ describe('jwtUtils', () => { alg: 'RS256', n: 'sjOK-Rmytt_g8F-9FImGHCKwkPBlgr_DpBTw3Y5esLYTJAqXsQwGtJf2OR4azGcbec5796fE9lhnLEmi6MFz0oBDxhPHwMCyf9DBZhsCVUmAIysosOqeDdxFB_9upCCcYvMpty8hrgoJp9U01ITnYVxRYCSwnJnjJFkxyA2ZXhlMjYwI0W5qo9tUXMwyEnt8408gK_etKrj6A24-oxMpau_gSxSgZDxAi2vpNEapX-hYV0grofnEy25dtHu_5xVVPlDpeQzGWdfRbFQKJKv8km3wvgvv0CsC-CukPZd40kHQiq71a47zNL4OyM-FcGt_KfuZDuFy79g5I8KEFsZOJw', }, + { + kty: 'RSA', + e: 'AQAB', + use: 'sig', + kid: 'SMGRDV', + alg: 'RS256', + n: 'ja9Fr70SvubM7UFsQKUAHWk86nLCgX3zpUnutqMcfrUfFkWRZ3PQiFuE0UL96ao3RPEuY0eXZaIy3ts0B3YgBo_XUEefbW4V_bRFgsZKJwRvQNUzvYincKxOPQPWqGZqXemqqQFkZguBKiYxBMmhgJytcuFGZ1VfpkttOVGvJS1_Qp2Dp-vimjYaLzTCYTmERsjVXDkWUisMeYY-Sifm4ZdXebVUOs3t4by3mKcdVdoELWjuU_OXlkwREEZACWiA4hVr4PsmaEHF5JDMUaNKb-0pJ0S3YyEUCRy7AYC4GMl24_aHJbKxZEKtsfqYVtWWKSuAg4S7HJmHnIGrliIV9w', + }, ], }; @@ -169,7 +177,7 @@ describe('jwtUtils', () => { 'OR8erz5A8/hCkVdHczk879k2zUQXoAke9p8TQXsgKLQ=', 'QtBbT/twDz6JmT99PQkAOB+QBhG4eJvxk8pOr7YzfWU=', ...(env === 'development' - ? ['CMGDEV', 'CORDEV'] + ? ['CMGDEV', 'CORDEV', 'SMGRDV'] : ['CURMIG', 'CORPSL', 'SEMGRL']), ]; diff --git a/src/server/context.ts b/src/server/context.ts index eabce990..1a6c3da3 100644 --- a/src/server/context.ts +++ b/src/server/context.ts @@ -49,8 +49,10 @@ export async function getAppContext( let publicKeys: Record; async function getSigningKeys() { - if (publicKeys) return publicKeys; - publicKeys = await getSigningKeysFromServer(); + if (!publicKeys) { + publicKeys = await getSigningKeysFromServer(); + } + return publicKeys; } diff --git a/src/server/main.spec.ts b/src/server/main.spec.ts index e92b06bf..3989a16c 100644 --- a/src/server/main.spec.ts +++ b/src/server/main.spec.ts 
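Review bot: The new `if (!publicKeys)` guard still lets concurrent first callers each run `getSigningKeysFromServer()`, because the check happens before the `await` and nothing records the in-flight fetch; the spec in `main.spec.ts` only exercises sequential calls, so it will not catch this. The cache also never refreshes, so a kid added to the JWKS after startup — exactly what this series does — is not seen until the process restarts; that deserves at least a comment on the declaration, and ideally a refresh-on-unknown-kid path in the caller. Sharing the in-flight promise removes the duplicate fetch without changing the sequential behavior the test pins; a sketch follows. The `let publicKeys` declaration's type parameters are not visible here, so the sketch reuses them via `typeof`.
```typescript
// … unchanged: let publicKeys declaration …
let inFlight: Promise<typeof publicKeys> | undefined;

async function getSigningKeys() {
  if (publicKeys) return publicKeys;
  // Share one in-flight JWKS fetch between concurrent first callers, and clear it
  // afterwards so a failed fetch is retried on the next call instead of being cached.
  // NOTE(review): the cache never refreshes; a kid added after startup is not seen
  // until restart — confirm the caller handles an unknown kid.
  if (!inFlight) {
    inFlight = getSigningKeysFromServer().finally(() => {
      inFlight = undefined;
    });
  }
  publicKeys = await inFlight;
  return publicKeys;
}
```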
@@ -4,10 +4,15 @@ import * as jwtUtils from '../jwtUtils'; describe('Context factory function', () => { it('multiple invocations only fetch public keys once', async () => { - const keySpy = sinon.spy(jwtUtils, 'getSigningKeysFromServer'); + const keyStub = sinon.stub(jwtUtils, 'getSigningKeysFromServer').resolves({ + testKID: 'hereisalongkidstring', + }); await contextFactory({ req: { headers: {} } }); await contextFactory({ req: { headers: {} } }); await contextFactory({ req: { headers: {} } }); - expect(keySpy.callCount).toEqual(1); + + expect(keyStub.callCount).toEqual(1); + + keyStub.restore(); }); });
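Review bot: `keyStub.restore()` runs only when the `expect` passes, so a failing assertion leaves `getSigningKeysFromServer` stubbed for every later test in the same process and turns one failure into a cascade. Move the restore into an `afterEach` (or create the stub through `sinon.createSandbox()` and call `sandbox.restore()` there), or wrap the body in `try { … } finally { keyStub.restore(); }`. The test also only drives sequential `contextFactory` calls, so it does not pin whether concurrent first calls share a single fetch; a `Promise.all` variant of the three calls would cover that if `getSigningKeys` is meant to dedupe.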