Cookie Requests: Use forwarded cookies, don't generate [RHELDST-18071]

Now that exodus-gw provides the necessary cookie data for redirect requests, origin_request can use those rather than generate them itself. This commit makes the necessary changes for that and cleans up now-unused code.
release-engineering · Oct 20, 2023 · ef71c20 · ef71c20
1 parent 9377e46
commit ef71c20
Show file tree

Hide file tree

Showing 8 changed files with 92 additions and 656 deletions.
diff --git a/docs/schemas/raw/lambda_config.yaml b/docs/schemas/raw/lambda_config.yaml
@@ -93,10 +93,7 @@ required:
 - table
 - config_table
 - config_cache_ttl
-- cookie_ttl
 - headers
-- secret_arn
-- key_id
 - lambda_version
 - index_filename
 - logging

diff --git a/exodus_lambda/functions/origin_request.py b/exodus_lambda/functions/origin_request.py
@@ -4,14 +4,13 @@
 import time
 import urllib
 import urllib.parse
+from base64 import b64decode
 from datetime import datetime, timedelta, timezone
 
-import boto3
 import cachetools
 
 from .base import LambdaBase
 from .db import QueryHelper
-from .signer import Signer
 
 CONF_FILE = os.environ.get("EXODUS_LAMBDA_CONF_FILE") or "lambda_config.json"
 
@@ -22,6 +21,12 @@
 ENDPOINT_URL = os.environ.get("EXODUS_AWS_ENDPOINT_URL") or None
 
 
+def cf_b64decode(data):
+    return b64decode(
+        data.replace("-", "+").replace("_", "=").replace("~", "/")
+    )
+
+
 class OriginRequest(LambdaBase):
     def __init__(self, conf_file=CONF_FILE):
         super().__init__("origin-request", conf_file)
@@ -36,17 +41,6 @@ def __init__(self, conf_file=CONF_FILE):
         self._db = QueryHelper(self.conf, ENDPOINT_URL)
         self.handler = self.__wrap_version_check(self.handler)
 
-    @property
-    def sm_client(self):
-        if not self._sm_client:
-            self._sm_client = boto3.client(
-                "secretsmanager",
-                region_name=self.conf.get("secret_region") or "us-east-1",
-                endpoint_url=ENDPOINT_URL,
-            )
-
-        return self._sm_client
-
     @property
     def definitions(self):
         out = self._cache.get("exodus-config")
@@ -85,45 +79,6 @@ def definitions(self):
 
         return out
 
-    @property
-    def secret(self):
-        out = self._cache.get("secret")
-        if out is None:
-            try:
-                arn = self.conf["secret_arn"]
-                self.logger.debug("Attempting to get secret from ARN: %s", arn)
-
-                response = self.sm_client.get_secret_value(SecretId=arn)
-                # get_secret_value response syntax:
-                #  {
-                #    "ARN": "string",
-                #    "Name": "string",
-                #    "VersionId": "string",
-                #    "SecretBinary": b"bytes",
-                #    "SecretString": "string",
-                #    "VersionStages": [
-                #        "string",
-                #    ],
-                #    "CreatedDate": datetime(2015, 1, 1)
-                #  }
-                #
-                # We're interested in SecretString and expect it to be a JSON string
-                # containing cookie_key.
-                out = json.loads(response["SecretString"])
-                self._cache["secret"] = out
-                self.logger.debug("Loaded and cached secret from ARN: %s", arn)
-            except Exception as exc_info:
-                self.logger.error(
-                    "Couldn't load secret %s", arn, exc_info=exc_info
-                )
-                raise exc_info
-
-        return out
-
-    @property
-    def cookie_key(self):
-        return self.secret["cookie_key"]
-
     def uri_alias(self, uri, aliases):
         # Resolve every alias between paths within the uri (e.g.
         # allow RHUI paths to be aliased to non-RHUI).
@@ -171,28 +126,13 @@ def resolve_aliases(self, uri):
         return uri
 
     def handle_cookie_request(self, event):
-        now = datetime.utcnow()
-        ttl = timedelta(minutes=self.conf.get("cookie_ttl", 720))
-        domain = event["Records"][0]["cf"]["config"]["distributionDomainName"]
-        uri = event["Records"][0]["cf"]["request"]["uri"]
+        record = event["Records"][0]["cf"]
+        uri = record["request"]["uri"]
+        querystr_dict = urllib.parse.parse_qs(record["request"]["querystring"])
+        set_cookies = json.loads(cf_b64decode(querystr_dict["Set-Cookies"][0]))
 
         self.logger.info("Handling cookie request: %s", uri)
 
-        signer = Signer(self.cookie_key, self.conf.get("key_id"))
-
-        cookies_content = signer.cookies_for_policy(
-            append="; Secure; HttpOnly; SameSite=lax; Domain=%s; Path=/content/; Max-Age=%s"
-            % (domain, int(ttl.total_seconds())),
-            resource="https://%s/content/*" % domain,
-            date_less_than=now + ttl,
-        )
-        cookies_origin = signer.cookies_for_policy(
-            append="; Secure; HttpOnly; SameSite=lax; Domain=%s; Path=/origin/; Max-Age=%s"
-            % (domain, int(ttl.total_seconds())),
-            resource="https://%s/origin/*" % domain,
-            date_less_than=now + ttl,
-        )
-
         response = {
             "status": "302",
             "headers": {
@@ -202,9 +142,7 @@ def handle_cookie_request(self, event):
                 "cache-control": [
                     {"value": "no-store"},
                 ],
-                "set-cookie": [
-                    {"value": x} for x in (cookies_content + cookies_origin)
-                ],
+                "set-cookie": [{"value": x} for x in set_cookies],
             },
         }
         self.logger.debug(

diff --git a/exodus_lambda/functions/signer.py b/exodus_lambda/functions/signer.py
diff --git a/support/signer b/support/signer