chore: add section manager lambda key id to config (#367)

* chore: add section manager lambda keys to config

- remove terraform cloud for incident management
- clean up a buggy spec test

Author: jpetto

.aws/src/main.ts

@@ -1,10 +1,5 @@
 import { Construct } from 'constructs';
-import {
-  App,
-  DataTerraformRemoteState,
-  S3Backend,
-  TerraformStack,
-} from 'cdktf';
+import { App, S3Backend, TerraformStack } from 'cdktf';
 import { AwsProvider, datasources, kms, sns } from '@cdktf/provider-aws';
 import { config } from './config';
 import {
@@ -91,27 +86,12 @@ class AdminAPI extends TerraformStack {
       return null;
     }
 
-    const incidentManagement = new DataTerraformRemoteState(
-      this,
-      'incident_management',
-      {
-        organization: 'Pocket',
-        workspaces: {
-          name: 'incident-management',
-        },
-      },
-    );
-
     return new PocketPagerDuty(this, 'pagerduty', {
       prefix: config.prefix,
       service: {
         // This is a Tier 2 service and as such only raises non-critical alarms.
-        criticalEscalationPolicyId: incidentManagement
-          .get('policy_default_non_critical_id')
-          .toString(),
-        nonCriticalEscalationPolicyId: incidentManagement
-          .get('policy_default_non_critical_id')
-          .toString(),
+        criticalEscalationPolicyId: 'PXOQVEP',
+        nonCriticalEscalationPolicyId: 'PXOQVEP',
       },
     });
   }

src/config.ts

@@ -26,31 +26,40 @@ const config = {
     //Mozilla Auth Proxy supports a larger number of user groups for a user.
     cognito: {
       jwtIssuer:
+        // COGNITO_JWT_ISSUER is not set in this repo (or anywhere?)
         process.env.COGNITO_JWT_ISSUER ||
         'cognito-idp.us-east-1.amazonaws.com/us-east-1_1alKls4qw',
+      // COGNITO_KIDS is not set in this repo (or anywhere?)
       kids: process.env.COGNITO_KIDS?.split(',') || [
         'kze4M0CiXoDO7Qkpig1oH0F6OInzZg6ugk0PyojOlzc=',
         '4w35mrh4EBECpjJnyIjdQ60yjh3xeI1m0VF1H/z0T/c=',
       ],
     },
     mozillaAuthProxy: {
       jwtIssuer:
+        // MOZILLA_AUTH_PROXY_JWT_ISSUER is not set in this repo (or anywhere?)
         process.env.MOZILLA_AUTH_PROXY_JWT_ISSUER ||
         'cognito-idp.us-east-1.amazonaws.com/us-east-1_qYkccPmmu',
+      // MOZILLA_AUTH_PROXY_KIDS is not set in this repo (or anywhere?)
       kids: process.env.MOZILLA_AUTH_PROXY_KIDS?.split(',') || [
         'OR8erz5A8/hCkVdHczk879k2zUQXoAke9p8TQXsgKLQ=',
         'QtBbT/twDz6JmT99PQkAOB+QBhG4eJvxk8pOr7YzfWU=',
       ],
     },
     pocket: {
+      // POCKET_JWT_ISSUER is not set in this repo (or anywhere?)
       jwtIssuer: process.env.POCKET_JWT_ISSUER || 'getpocket.com',
       kids:
+        // POCKET_KIDS is not set in this repo (or anywhere?)
         process.env.POCKET_KIDS?.split(',') ||
+        // if you add a new JWK to https://github.com/Pocket/dotcom-gateway/blob/main/static/.well-known/jwk
+        // you must also specify it here for the environment you want
         process.env.NODE_ENV === 'production'
-          ? ['CURMIG', 'CORPSL']
-          : ['CMGDEV', 'CORDEV'],
+          ? ['CURMIG', 'CORPSL', 'SEMGRL']
+          : ['CMGDEV', 'CORDEV', 'SMGRDV'],
     },
     defaultKid:
+      // DEFAULT_KID is not set in this repo (or anywhere?)
       process.env.DEFAULT_KID || 'OR8erz5A8/hCkVdHczk879k2zUQXoAke9p8TQXsgKLQ=',
   },
 };

src/jwtUtils.spec.ts

@@ -145,6 +145,22 @@ describe('jwtUtils', () => {
           alg: 'RS256',
           n: 'q8ft1Rs-kUFWlsiGZeZLgc85iNi3dKWQUhAurSfh00q7oltZFam4djkwLMfTJ2mTlobMMXYppilGN_liZkRZg8W3hFxYY_lwGseDvCtiUMXrPDauF4fjCxnc3RNFsaeqfouOsTktBVuwGC2j-aEPVbdyIqppZ3kwkiRRkYioJae4I1Djabzc8Q48VhVbuWDc1-QWpyGHel73mUFVbLPleLqu-4-LrDquaxRDrd65d3CP0LpYwQSzb6bsVvvCB0YSJKCi1top-ZkrVfw_O0toukAJIK-QN7vxcOga_CEraa-J-I9VdEtY0gjsO_70FZ9BNueBMpCJoGbrMQR923YxBQ',
         },
+        {
+          kty: 'RSA',
+          e: 'AQAB',
+          use: 'sig',
+          kid: 'SEMGRL',
+          alg: 'RS256',
+          n: 'sjOK-Rmytt_g8F-9FImGHCKwkPBlgr_DpBTw3Y5esLYTJAqXsQwGtJf2OR4azGcbec5796fE9lhnLEmi6MFz0oBDxhPHwMCyf9DBZhsCVUmAIysosOqeDdxFB_9upCCcYvMpty8hrgoJp9U01ITnYVxRYCSwnJnjJFkxyA2ZXhlMjYwI0W5qo9tUXMwyEnt8408gK_etKrj6A24-oxMpau_gSxSgZDxAi2vpNEapX-hYV0grofnEy25dtHu_5xVVPlDpeQzGWdfRbFQKJKv8km3wvgvv0CsC-CukPZd40kHQiq71a47zNL4OyM-FcGt_KfuZDuFy79g5I8KEFsZOJw',
+        },
+        {
+          kty: 'RSA',
+          e: 'AQAB',
+          use: 'sig',
+          kid: 'SMGRDV',
+          alg: 'RS256',
+          n: 'ja9Fr70SvubM7UFsQKUAHWk86nLCgX3zpUnutqMcfrUfFkWRZ3PQiFuE0UL96ao3RPEuY0eXZaIy3ts0B3YgBo_XUEefbW4V_bRFgsZKJwRvQNUzvYincKxOPQPWqGZqXemqqQFkZguBKiYxBMmhgJytcuFGZ1VfpkttOVGvJS1_Qp2Dp-vimjYaLzTCYTmERsjVXDkWUisMeYY-Sifm4ZdXebVUOs3t4by3mKcdVdoELWjuU_OXlkwREEZACWiA4hVr4PsmaEHF5JDMUaNKb-0pJ0S3YyEUCRy7AYC4GMl24_aHJbKxZEKtsfqYVtWWKSuAg4S7HJmHnIGrliIV9w',
+        },
       ],
     };
 
@@ -161,8 +177,8 @@ describe('jwtUtils', () => {
           'OR8erz5A8/hCkVdHczk879k2zUQXoAke9p8TQXsgKLQ=',
           'QtBbT/twDz6JmT99PQkAOB+QBhG4eJvxk8pOr7YzfWU=',
           ...(env === 'development'
-            ? ['CMGDEV', 'CORDEV']
-            : ['CURMIG', 'CORPSL']),
+            ? ['CMGDEV', 'CORDEV', 'SMGRDV']
+            : ['CURMIG', 'CORPSL', 'SEMGRL']),
         ];
 
         const cognitoMock = nock('https://' + config.auth.cognito.jwtIssuer)

src/server/context.ts

@@ -49,8 +49,10 @@ export async function getAppContext(
 let publicKeys: Record<string, string>;
 
 async function getSigningKeys() {
-  if (publicKeys) return publicKeys;
-  publicKeys = await getSigningKeysFromServer();
+  if (!publicKeys) {
+    publicKeys = await getSigningKeysFromServer();
+  }
+
   return publicKeys;
 }
 

src/server/main.spec.ts

@@ -4,10 +4,15 @@ import * as jwtUtils from '../jwtUtils';
 
 describe('Context factory function', () => {
   it('multiple invocations only fetch public keys once', async () => {
-    const keySpy = sinon.spy(jwtUtils, 'getSigningKeysFromServer');
+    const keyStub = sinon.stub(jwtUtils, 'getSigningKeysFromServer').resolves({
+      testKID: 'hereisalongkidstring',
+    });
     await contextFactory({ req: { headers: {} } });
     await contextFactory({ req: { headers: {} } });
     await contextFactory({ req: { headers: {} } });
-    expect(keySpy.callCount).toEqual(1);
+
+    expect(keyStub.callCount).toEqual(1);
+
+    keyStub.restore();
   });
 });