include binaries for the release

jetbrains-infra · Sep 10, 2021 · 4dd2427 · 4dd2427
1 parent 95f8bfb
commit 4dd2427
Show file tree

Hide file tree

Showing 192 changed files with 24,328 additions and 0 deletions.
diff --git a/lambda-release/jwks-generated.template b/lambda-release/jwks-generated.template
@@ -0,0 +1,9 @@
+
+// this text contains an JSON array of JWKS files
+const CLIENT_JWKS = {
+    'jba' : ${jba_jwks_key}
+    ,
+    'jbt' : ${jbt_jwks_key}
+}
+
+exports.CLIENT_SECRET = CLIENT_JWKS;
diff --git a/lambda-release/lambda.js b/lambda-release/lambda.js
@@ -0,0 +1,127 @@
+const jwt = require('jsonwebtoken');
+const jwkToPem = require('jwk-to-pem');
+
+// if the file is missing, make sure build-lambda.js was executed
+const {CLIENT_SECRET: {jba: jba_keys_data = {}, jbt: jbt_keys_data = {}}} = require('./jwks-generated.js');
+
+function prepareKey(modeName, json, handler) {
+    console.log("The JWKS for " + modeName + " :")
+    console.log(JSON.stringify(json, null, '  '))
+
+    const keys = json.keys || [];
+    const selectedKeys = [];
+    for (const key of keys) {
+        const ourAlg = key.alg;
+        if (!ourAlg) throw new Error("Unexpected different key alg: " + ourAlg)
+        const ourKid = key.kid || null;
+        const keyPem = jwkToPem(key);
+        selectedKeys.push({
+                modeName: modeName,
+                algorithms: [ourAlg],
+                jwksGetKey: function (header, callback) {
+                    let theirKid = header.kid || null;
+                    let theirAlg = header.alg;
+
+                    if (ourAlg !== theirAlg) {
+                        callback(new Error("Unknown alg"), null);
+                        return;
+                    }
+
+                    if (ourKid !== theirKid) {
+                        callback(new Error("Unknown kid"), null);
+                        return;
+                    }
+
+                    callback(null, keyPem);
+                },
+
+                verifyCallback: payload => handler(payload)
+            }
+        );
+    }
+
+    return selectedKeys;
+}
+
+const jbaJwtKeys = prepareKey('JBA', jba_keys_data, ({email = '', sub = ''}) => sub.toString().toLowerCase().endsWith("@jetbrains.com") || email.toString().toLowerCase().endsWith("@jetbrains.com"));
+const jbtJwtKeys = prepareKey('JBT', jbt_keys_data, ({orgDomain = ''}) => orgDomain.toString().toLowerCase() === 'jetbrains');
+const allJwtKeys = [...jbtJwtKeys, ...jbaJwtKeys];
+
+function parseAuthorizationHeader(authorization) {
+    for (let i = 0; i < authorization.length; i++) {
+        const token = authorization[i].value || ''
+        const prefix = 'bearer ';
+        if (token.toLowerCase().startsWith(prefix)) {
+            return token.substring(prefix.length)
+        }
+    }
+
+    return null;
+}
+
+function errorResponse(status, message) {
+    return {
+        status: status.toString(),
+        statusDescription: message,
+        body: status.toString() + '. ' + message,
+        headers: {
+            'cache-control': [{
+                key: 'Cache-Control',
+                value: 'no-cache, max-age=0'
+            }],
+            'content-type': [{
+                key: 'Content-Type',
+                value: 'text/plain; charset=UTF-8'
+            }],
+            'x-content-type-options': [{
+                key: 'X-Content-Type-Options',
+                value: 'nosniff'
+            }]
+        },
+    };
+}
+
+async function handler(request) {
+    //see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html
+    const {authorization = []} = request.headers;
+    if (authorization.length === 0) {
+        return errorResponse(401, 'Missing JetBrains Authorization header')
+    }
+
+    const token = parseAuthorizationHeader(authorization)
+    if (!token) {
+        return errorResponse(401, 'Failed to parse JetBrains authorization token')
+    }
+
+    let allErrors = ''
+
+    for (const jwtKey of allJwtKeys) {
+        let result = await new Promise((resolve) => {
+            jwt.verify(token, jwtKey.jwksGetKey, {algorithms: jwtKey.algorithms}, (err, payload) => {
+                if (err != null || payload === undefined || payload === null) {
+                    console.log(jwtKey.modeName + ': Failed to verify token.', (err.message || err));
+                    allErrors += 'Failed to verify JetBrains authorization token: '+ (err.message || err) + '\n';
+                    resolve(false);
+                    return;
+                }
+                console.log(jwtKey.modeName + ": payload " + JSON.stringify(payload, null, '  '));
+                resolve(jwtKey.verifyCallback(payload));
+            });
+        });
+
+        if (result === true) return request;
+    }
+
+    return errorResponse(403, allErrors)
+}
+
+exports.handler = async (event, context) => {
+    try {
+        const request = event.Records[0].cf.request;
+        return await handler(request)
+    } catch (err) {
+        // token exists but is invalid
+        console.log('Crashed to verify a token', err);
+        return errorResponse(500, 'Failed to verify JetBrains authorization token: ' + err);
+    }
+};
diff --git a/lambda-release/node_modules/.bin/semver b/lambda-release/node_modules/.bin/semver
diff --git a/lambda-release/node_modules/asn1.js/.eslintrc.js b/lambda-release/node_modules/asn1.js/.eslintrc.js
diff --git a/lambda-release/node_modules/asn1.js/LICENSE b/lambda-release/node_modules/asn1.js/LICENSE
diff --git a/lambda-release/node_modules/asn1.js/README.md b/lambda-release/node_modules/asn1.js/README.md
diff --git a/lambda-release/node_modules/asn1.js/lib/asn1.js b/lambda-release/node_modules/asn1.js/lib/asn1.js
diff --git a/lambda-release/node_modules/asn1.js/lib/asn1/api.js b/lambda-release/node_modules/asn1.js/lib/asn1/api.js