[#3487] Add permission to lambda:GetFunction to ApiRole

Issue https://github.com/convox/issues-private/issues/185.

AWS recommends to configure the services roles to allow access to get current state of a lambda function. As part of the new lambda-states to all functions.

CustomTopic:

![image](https://user-images.githubusercontent.com/8239709/148234496-3cfb62fb-83c6-49ed-bfa9-35c45ca3c8e4.png)

InstancesLifecycleHandler:

![image](https://user-images.githubusercontent.com/8239709/148234629-7343b5ad-024c-408b-a549-392c625789ff.png)

ApiRole:

![image](https://user-images.githubusercontent.com/8239709/148234891-4762a62f-9716-4896-97bd-4a2dca891986.png)

cmd/convox/Makefile

@@ -1,51 +1,28 @@
-.PHONY: all build clean package package-deps package-export package-gopath release
+.PHONY: all build package release
 
-pkg_darwin  = pkg/convox-darwin-10.12-amd64
-pkg_darwin_arm64  = pkg/convox-darwin-10.12-arm64
+pkg_darwin  = pkg/convox-darwin-amd64
+pkg_darwin_arm64  = pkg/convox-darwin-arm64
 pkg_linux   = pkg/convox-linux-amd64
-pkg_linux_arm64   = pkg/convox-linux-amd64
-pkg_windows = pkg/convox-windows-4.0-amd64.exe
-
-sources = $(shell find . -name '*.go')
+pkg_linux_arm64   = pkg/convox-linux-arm64
+pkg_windows = pkg/convox-windows-amd64.exe
 
 all: build
 
 build:
 	go install ./...
 
-clean:
-	rm -f pkg/convox-*
-
-package: package-deps package-gopath $(pkg_darwin) $(pkg_linux) $(pkg_windows) package-export
-
-package-deps:
-	go install github.com/crazy-max/[email protected]
-	mkdir -p pkg
-
-# copy finished packages out if running inside a container
-package-export:
-	if [ -f /.dockerenv ]; then mkdir -p pkg && docker run -v $(GOPATH):/gopath -i ubuntu tar czv /gopath/src/github.com/convox/rack/cmd/convox/pkg | tar xzv -C pkg --strip-components 8; fi
-
-# copy gopath in if running inside a container
-package-gopath:
-	if [ -f /.dockerenv ]; then tar cz $(GOPATH) | docker run -v $(GOPATH):/gopath -i ubuntu tar xz -C /gopath --strip-components 2; fi
+package:
+	mkdir -p pkg/
+	export CGO_ENABLED=0
+	env GOOS=linux GOARCH=amd64 go build -ldflags "-X main.version=$(VERSION)" -o $(pkg_linux)
+	env GOOS=linux GOARCH=arm64 go build -ldflags "-X main.version=$(VERSION)" -o $(pkg_linux_arm64)
+	env GOOS=darwin GOARCH=amd64 go build -ldflags "-X main.version=$(VERSION)" -o $(pkg_darwin)
+	env GOOS=darwin GOARCH=arm64 go build -ldflags "-X main.version=$(VERSION)" -o $(pkg_darwin_arm64)
+	env GOOS=windows GOARCH=amd64 go build -ldflags "-X main.version=$(VERSION)" -o $(pkg_windows)
 
 release: package
 	aws s3 cp $(pkg_darwin) s3://convox/release/$(VERSION)/cli/darwin/convox --acl public-read
 	aws s3 cp $(pkg_darwin_arm64) s3://convox/release/$(VERSION)/cli/darwin/convox-arm64 --acl public-read
 	aws s3 cp $(pkg_linux) s3://convox/release/$(VERSION)/cli/linux/convox --acl public-read
 	aws s3 cp $(pkg_linux_arm64) s3://convox/release/$(VERSION)/cli/linux/convox-arm64 --acl public-read
 	aws s3 cp $(pkg_windows) s3://convox/release/$(VERSION)/cli/windows/convox.exe --acl public-read
-
-
-$(pkg_darwin): $(sources)
-    # cd to root folder because we need go.mod
-	cd ../.. && $(GOPATH)/bin/xgo -branch $(shell git rev-parse HEAD) -pkg cmd/convox -out cmd/convox/pkg/convox -go 1.16.x -targets 'darwin/amd64,darwin/arm64' -ldflags "-X main.version=$(VERSION)" .
-
-$(pkg_linux): $(sources)
-    # cd to root folder because we need go.mod
-	cd ../.. && $(GOPATH)/bin/xgo -branch $(shell git rev-parse HEAD) -pkg cmd/convox -out cmd/convox/pkg/convox -go 1.16.x -targets 'linux/amd64,linux/arm64' -ldflags "-X main.version=$(VERSION)" .
-
-$(pkg_windows): $(sources)
-    # cd to root folder because we need go.mod
-	cd ../../ && $(GOPATH)/bin/xgo -branch $(shell git rev-parse HEAD) -pkg cmd/convox -out cmd/convox/pkg/convox -go 1.16.x -targets 'windows/amd64' -ldflags "-X main.version=$(VERSION)" .

go.mod

@@ -10,12 +10,10 @@ require (
 	github.com/boltdb/bolt v1.3.1
 	github.com/convox/changes v0.0.0-20190306122126-bce25ca20c47
 	github.com/convox/exec v0.0.0-20180905012044-cc13d277f897
-	github.com/convox/hid v0.0.0-20180912192857-c67381b7ffff
 	github.com/convox/logger v0.0.0-20180522214415-e39179955b52
 	github.com/convox/stdapi v0.0.0-20190628182814-148bcf53d167
 	github.com/convox/stdcli v0.0.0-20190326115454-b78bee159e98
 	github.com/convox/stdsdk v0.0.0-20190422120437-3e80a397e377
-	github.com/convox/u2f v0.0.0-20180912192910-a73404142726
 	github.com/convox/version v0.0.0-20160822184233-ffefa0d565d2
 	github.com/docker/docker v1.13.1
 	github.com/docker/go-units v0.3.2
@@ -53,6 +51,7 @@ require (
 	github.com/andybalholm/cascadia v0.0.0-20161224141413-349dd0209470 // indirect
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
 	github.com/convox/inotify v0.0.0-20170313035821-b56f5149b5c6 // indirect
+	github.com/ddollar/go-u2fhost v0.0.0-20200214123511-3ca2df7a0b44
 	github.com/docker/spdystream v0.0.0-20170912183627-bc6354cbbc29 // indirect
 	github.com/elazarl/goproxy v0.0.0-20210801061803-8e322dfb79c4 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect

go.sum

@@ -51,6 +51,8 @@ github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/ddollar/go-u2fhost v0.0.0-20200214123511-3ca2df7a0b44 h1:rgLo9QMv1ri9dRyIuXs0OX0Kmz7ocyAato26L6Mmpzc=
+github.com/ddollar/go-u2fhost v0.0.0-20200214123511-3ca2df7a0b44/go.mod h1:pMqHxh1rA3zOWIpUf9w3QTyDBijoeKLvXOM8x2TIFlk=
 github.com/ddollar/yaml v0.0.0-20180504010936-3fb95e32dd8a h1:P31V3VrCLTlkAOHH/RoRILuvpK7/+3DwacrtRnHSSuc=
 github.com/ddollar/yaml v0.0.0-20180504010936-3fb95e32dd8a/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
@@ -304,6 +306,8 @@ github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/json-iterator/go v1.1.5 h1:gL2yXlmiIo4+t+y32d4WGwOjKGYcGOuyrg46vadswDE=
 github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/karalabe/hid v1.0.0 h1:+/CIMNXhSU/zIJgnIvBD2nKHxS/bnRHhhs9xBryLpPo=
+github.com/karalabe/hid v1.0.0/go.mod h1:Vr51f8rUOLYrfrWDFlV12GGQgM5AT8sVh+2fY4MPeu8=
 github.com/karrick/godirwalk v1.7.5/go.mod h1:2c9FRhkDxdIbgkOnCEvnSWs71Bhugbl46shStcFDJ34=
 github.com/karrick/godirwalk v1.7.7/go.mod h1:2c9FRhkDxdIbgkOnCEvnSWs71Bhugbl46shStcFDJ34=
 github.com/karrick/godirwalk v1.7.8/go.mod h1:2c9FRhkDxdIbgkOnCEvnSWs71Bhugbl46shStcFDJ34=
@@ -338,6 +342,8 @@ github.com/markbates/safe v1.0.0/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kN
 github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
 github.com/markbates/sigtx v1.0.0/go.mod h1:QF1Hv6Ic6Ca6W+T+DL0Y/ypborFKyvUY9HmuCD4VeTc=
 github.com/markbates/willie v1.0.9/go.mod h1:fsrFVWl91+gXpx/6dv715j7i11fYPfZ9ZGfH0DQzY7w=
+github.com/marshallbrekka/go-u2fhost v0.0.0-20200114212649-cc764c209ee9 h1:7dYglvg2+WRsvX//65GyQTYJyooO1HYKGVpKBlIAoms=
+github.com/marshallbrekka/go-u2fhost v0.0.0-20200114212649-cc764c209ee9/go.mod h1:U9kRL9P37LGrkikKWuekWsReXRKe2fkZdRSXpI7pP3A=
 github.com/mattn/go-colorable v0.0.9 h1:UVL0vNpWh04HeJXV0KLcaT7r06gOH2l4OW6ddYRUIY4=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-isatty v0.0.4 h1:bnP0vzxcAdeI1zdubAl5PjU6zsERjGZb7raWodagDYs=

pkg/token/token.go

@@ -4,16 +4,11 @@ package token
 
 import (
 	"context"
-	"crypto/sha256"
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"strings"
 	"time"
 
-	"github.com/convox/hid"
-	"github.com/convox/u2f/u2fhid"
-	"github.com/convox/u2f/u2ftoken"
+	"github.com/ddollar/go-u2fhost"
 )
 
 type authenticationKey struct {
@@ -36,42 +31,25 @@ type authenticationResponse struct {
 
 type tokenResponse struct {
 	Error    error
-	Response []byte
+	Response *u2fhost.AuthenticateResponse
 }
 
-func decodeBase64(s string) ([]byte, error) {
-	for i := 0; i < len(s)%4; i++ {
-		s += "="
-	}
-	return base64.URLEncoding.DecodeString(s)
-}
+func Authenticate(req []byte) ([]byte, error) {
+	ds := u2fhost.Devices()
 
-func encodeBase64(buf []byte) string {
-	s := base64.URLEncoding.EncodeToString(buf)
-	return strings.TrimRight(s, "=")
-}
+	ch := make(chan tokenResponse)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
 
-func Authenticate(req []byte) ([]byte, error) {
 	var areq authenticationRequest
 
 	if err := json.Unmarshal(req, &areq); err != nil {
 		return nil, err
 	}
 
-	ds, err := u2fhid.Devices()
-	if err != nil {
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	ch := make(chan tokenResponse)
-
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-
 	for _, d := range ds {
-		go authenticateDevice(ctx, d, areq, ch)
+		go authenticateWait(ctx, d, areq, ch)
 	}
 
 	for range ds {
@@ -82,70 +60,84 @@ func Authenticate(req []byte) ([]byte, error) {
 		}
 
 		if res.Response != nil {
-			return res.Response, nil
+			ares := authenticationResponse{
+				ClientData:    res.Response.ClientData,
+				KeyHandle:     res.Response.KeyHandle,
+				SignatureData: res.Response.SignatureData,
+			}
+
+			data, err := json.Marshal(ares)
+			if err != nil {
+				return nil, err
+			}
+
+			return data, nil
 		}
 	}
 
 	return nil, fmt.Errorf("no valid tokens found")
 }
 
-func authenticateDevice(ctx context.Context, d *hid.DeviceInfo, req authenticationRequest, rch chan tokenResponse) {
-	ud, err := u2fhid.Open(d)
-	if err != nil {
+func authenticateWait(ctx context.Context, d *u2fhost.HidDevice, req authenticationRequest, rch chan tokenResponse) {
+	if err := d.Open(); err != nil {
 		rch <- tokenResponse{Error: err}
 		return
 	}
+	defer d.Close()
 
-	cd := []byte(fmt.Sprintf(`{"challenge":"%s","origin":"%s"}`, req.Challenge, req.AppId))
-	ch := sha256.Sum256(cd)
+	timeout := time.NewTimer(2 * time.Second)
+	defer timeout.Stop()
 
-	t := u2ftoken.NewToken(ud)
+	ch := make(chan tokenResponse)
+	refresh := make(chan bool)
 
-	for _, k := range req.RegisteredKeys {
-		app := sha256.Sum256([]byte(k.AppId))
+	go authenticateDevice(ctx, d, req, ch, refresh)
 
-		key, err := decodeBase64(k.KeyHandle)
-		if err != nil {
-			rch <- tokenResponse{Error: err}
+	for {
+		select {
+		case <-timeout.C:
+			rch <- tokenResponse{Error: fmt.Errorf("timeout")}
+			return
+		case <-refresh:
+			timeout.Reset(2 * time.Second)
+		case res := <-ch:
+			rch <- res
 			return
 		}
+	}
+}
 
-		treq := u2ftoken.AuthenticateRequest{
-			Application: app[:],
-			Challenge:   ch[:],
-			KeyHandle:   key,
-		}
-
-		if err := t.CheckAuthenticate(treq); err != nil {
-			continue
-		}
-
-		for {
-			tres, err := t.Authenticate(treq)
-			if err == u2ftoken.ErrPresenceRequired {
-				time.Sleep(200 * time.Millisecond)
-				continue
-			}
-			if err != nil {
-				continue
-			}
-
-			ares := authenticationResponse{
-				ClientData:    encodeBase64(cd),
-				KeyHandle:     k.KeyHandle,
-				SignatureData: encodeBase64(tres.RawResponse),
-			}
+func authenticateDevice(ctx context.Context, d *u2fhost.HidDevice, req authenticationRequest, ch chan tokenResponse, refresh chan bool) {
+	tick := time.NewTicker(250 * time.Millisecond)
+	defer tick.Stop()
 
-			data, err := json.Marshal(ares)
-			if err != nil {
-				rch <- tokenResponse{Error: err}
-				return
-			}
-
-			rch <- tokenResponse{Response: data}
+	for {
+		select {
+		case <-ctx.Done():
 			return
+		case <-tick.C:
+			for _, k := range req.RegisteredKeys {
+				areq := &u2fhost.AuthenticateRequest{
+					AppId:     k.AppId,
+					Challenge: req.Challenge,
+					Facet:     req.AppId,
+					KeyHandle: k.KeyHandle,
+				}
+
+				refresh <- true
+
+				ares, err := d.Authenticate(areq)
+				switch err.(type) {
+				case *u2fhost.BadKeyHandleError:
+				case *u2fhost.TestOfUserPresenceRequiredError:
+				case nil:
+					ch <- tokenResponse{Response: ares}
+					return
+				default:
+					ch <- tokenResponse{Error: err}
+					return
+				}
+			}
 		}
 	}
-
-	rch <- tokenResponse{}
 }

provider/aws/formation/rack.json

@@ -2707,7 +2707,24 @@
           { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/PowerUserAccess" },
           { "Ref": "ApiPolicy" }
         ],
-        "Path": "/convox/"
+        "Path": "/convox/",
+        "Policies": [
+          {
+            "PolicyName": "ApiRole",
+            "PolicyDocument": {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Action": [
+                    "lambda:GetFunction"
+                  ],
+                  "Resource": "*"
+                }
+              ]
+            }
+          }
+        ]
       }
     },
     "ApiMonitorService": {