initial self hosted configuration

Author: cnuss

.github/workflows/push-main.yml

@@ -0,0 +1,37 @@
+name: Deploy
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+env:
+  NODE_ENV: nonlive
+
+permissions:
+  id-token: write
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    if: >-
+      !startsWith(github.event.head_commit.message, 'Initial commit') && 
+      !startsWith(github.event.head_commit.message, '🤖') &&
+      !contains(github.event.head_commit.message, '[skip ci]')
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "18"
+          cache: yarn
+
+      - run: yarn
+
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::339712900631:role/OrganizationAccountAccessRole
+          aws-region: us-east-1
+
+      - run: yarn deploy --stage $NODE_ENV

.gitignore

@@ -0,0 +1 @@
+node_modules/

INSTALLATION.md

@@ -0,0 +1,35 @@
+# SAML.to Self Hosted Installation
+
+## AWS IAM RBAC
+
+### GitHub Identity Provider
+
+1. Provider URL: `https://token.actions.githubusercontent.com`
+1. Audience: `sts.amazonaws.com`
+
+### AWS IAM Role
+
+Trust Relationship:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringLike": {
+          "token.actions.githubusercontent.com:sub": "repo:saml-to/self-hosted:*"
+        },
+        "StringEquals": {
+          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+        }
+      }
+    }
+  ]
+}
+```

README.md

@@ -0,0 +1,16 @@
+{
+  "name": "@saml-to/self-hosted",
+  "version": "1.0.0",
+  "description": "Host SAML.to in your own AWS Account",
+  "main": "index.js",
+  "repository": "[email protected]:saml-to/self-hosted.git",
+  "author": "SAML.to",
+  "license": "BUSL-1.1",
+  "private": false,
+  "scripts": {
+    "deploy": "serverless deploy"
+  },
+  "devDependencies": {
+    "serverless": "3.38.0"
+  }
+}

package.json

@@ -0,0 +1,188 @@
+service: saml-to
+
+frameworkVersion: 3.38.0
+variablesResolutionMode: "20210326"
+configValidationMode: off
+disabledDeprecations:
+  - "*"
+
+# plugins:
+#   - serverless-esbuild
+#   - serverless-react
+#   - serverless-dotenv-plugin
+#   - serverless-offline-resources
+#   - serverless-offline
+
+provider:
+  name: aws
+  runtime: nodejs18.x
+  iam:
+    role:
+      statements:
+        - Effect: Allow
+          Action:
+            - "dynamodb:*"
+            - "secretsmanager:*"
+            - "sns:*"
+            - "sqs:*"
+          Resource: "*"
+  stage: ${opt:stage, "local"}
+  logRetentionInDays: 1
+  tracing:
+    apiGateway: true
+    lambda: true
+  environment:
+    STAGE: ${self:provider.stage}
+
+functions:
+  github:
+    handler: src/lambda.handler
+    timeout: 29
+    layers:
+      - arn:aws:lambda:us-east-1:034541671702:layer:openssl-lambda:1
+      - arn:aws:lambda:us-east-1:580360238192:layer:nonlive-github-sls-rest-api:3
+    environment:
+      SERVICE_NAME: github-sls-rest-api
+      SERVICE_SLUG: github
+    events:
+      - httpApi:
+          method: "*"
+          path: /github/{proxy+}
+      # - sns:
+      #     arn: ${file(serverless.config.js):topic-arn}
+      # - sns:
+      #     arn: ${file(serverless.config.js):auth-topic-arn}
+      # - sns:
+      #     arn: arn:aws:sns:us-east-1:580360238192:cf-hook
+      - stream:
+          type: dynamodb
+          batchSize: 1
+          maximumRecordAgeInSeconds: 600
+          arn:
+            Fn::GetAtt: [GithubTable, StreamArn]
+      # - stream:
+      #     type: kinesis
+      #     batchSize: 1
+      #     maximumRecordAgeInSeconds: 86400
+      #     arn:
+      #       Fn::GetAtt: [Stream, Arn]
+
+resources:
+  Resources:
+    # Secret:
+    #   Type: AWS::SecretsManager::Secret
+    #   Properties:
+    #     Name: ${self:service}-${self:provider.stage}
+    #     SecretString: ${file(scripts/config.js):SECRETS}
+
+    # Topic:
+    #   Type: AWS::SNS::Topic
+    #   Properties:
+    #     TopicName: ${self:service}-${self:provider.stage}
+
+    # Queue:
+    #   Type: AWS::SQS::Queue
+    #   Properties:
+    #     QueueName: ${self:service}-${self:provider.stage}
+
+    GithubTable:
+      Type: AWS::DynamoDB::Table
+      Properties:
+        TableName: ${self:provider.stage}-github-sls-rest-api
+        KeySchema:
+          - AttributeName: pk
+            KeyType: HASH
+          - AttributeName: sk
+            KeyType: RANGE
+        AttributeDefinitions:
+          - AttributeName: pk
+            AttributeType: S
+          - AttributeName: sk
+            AttributeType: S
+        GlobalSecondaryIndexes:
+          - IndexName: sk-pk-index
+            KeySchema:
+              - AttributeName: sk
+                KeyType: HASH
+              - AttributeName: pk
+                KeyType: RANGE
+            Projection:
+              ProjectionType: ALL
+        StreamSpecification:
+          StreamViewType: NEW_AND_OLD_IMAGES
+        TimeToLiveSpecification:
+          AttributeName: expires
+          Enabled: true
+        PointInTimeRecoverySpecification:
+          PointInTimeRecoveryEnabled: true
+        SSESpecification:
+          SSEEnabled: true
+        BillingMode: PAY_PER_REQUEST
+
+    IdpRequestsTable:
+      Type: AWS::DynamoDB::Table
+      Properties:
+        TableName: ${self:provider.stage}-github-sls-rest-api-idp-requests
+        KeySchema:
+          - AttributeName: pk
+            KeyType: HASH
+          - AttributeName: sk
+            KeyType: RANGE
+        AttributeDefinitions:
+          - AttributeName: pk
+            AttributeType: S
+          - AttributeName: sk
+            AttributeType: S
+        GlobalSecondaryIndexes:
+          - IndexName: sk-pk-index
+            KeySchema:
+              - AttributeName: sk
+                KeyType: HASH
+              - AttributeName: pk
+                KeyType: RANGE
+            Projection:
+              ProjectionType: ALL
+        StreamSpecification:
+          StreamViewType: NEW_AND_OLD_IMAGES
+        TimeToLiveSpecification:
+          AttributeName: expires
+          Enabled: true
+        PointInTimeRecoverySpecification:
+          PointInTimeRecoveryEnabled: true
+        SSESpecification:
+          SSEEnabled: true
+        BillingMode: PAY_PER_REQUEST
+
+    CachedConfigTable:
+      Type: AWS::DynamoDB::Table
+      Properties:
+        TableName: ${self:provider.stage}-github-sls-rest-api-cached-config
+        KeySchema:
+          - AttributeName: pk
+            KeyType: HASH
+          - AttributeName: sk
+            KeyType: RANGE
+        AttributeDefinitions:
+          - AttributeName: pk
+            AttributeType: S
+          - AttributeName: sk
+            AttributeType: S
+        GlobalSecondaryIndexes:
+          - IndexName: sk-pk-index
+            KeySchema:
+              - AttributeName: sk
+                KeyType: HASH
+              - AttributeName: pk
+                KeyType: RANGE
+            Projection:
+              ProjectionType: ALL
+        StreamSpecification:
+          StreamViewType: NEW_AND_OLD_IMAGES
+        TimeToLiveSpecification:
+          AttributeName: expires
+          Enabled: true
+        PointInTimeRecoverySpecification:
+          PointInTimeRecoveryEnabled: true
+        SSESpecification:
+          SSEEnabled: true
+        BillingMode: PAY_PER_REQUEST