initial code commit

Lambda/Dockerfile

@@ -0,0 +1,24 @@
+FROM public.ecr.aws/lambda/python:3.9
+
+# Install the function's dependencies using file requirements.txt
+# from your project folder.
+RUN yum install -y \
+gcc \
+gcc-c++ \
+Cython \
+make \
+libxml2 \
+libxslt \
+xmlsec1 \
+xmlsec1-devel \
+xmlsec1-openssl \
+libtool-ltdl-devel
+
+COPY requirements.txt  .
+RUN  pip3 install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
+
+# Copy function code
+COPY lambda_function/* ${LAMBDA_TASK_ROOT}/
+
+# Set the CMD to your handler (could also be done as a parameter override outside of the Dockerfile)
+CMD [ "lambda_function.lambda_handler" ] 

Lambda/lambda_function.py

@@ -0,0 +1,139 @@
+#!/usr/bin/env python3
+
+import base64
+import json
+import sys
+import os
+import requests
+import xmlsec
+import boto3
+from lxml import etree
+from datetime import datetime, timedelta
+
+
+region = os.environ.get('AWS_REGION')
+secret_id= os.environ.get('SECRET_ID')
+template_file = 'sf_saml_template.xml'
+private_keyfile = '/tmp/successfactors-private.pem'
+
+def get_secret(region, secret_name, session):
+
+    client = session.client(
+        service_name='secretsmanager',
+        region_name=region
+    )
+
+    try:
+        get_secret_value_response = client.get_secret_value(
+            SecretId=secret_name
+        )
+
+        if 'SecretString' in get_secret_value_response:
+            secret = get_secret_value_response['SecretString']
+
+    except Exception as x:
+        print(x)
+        sys.exit(1)
+
+    return secret
+
+
+def get_access_token(sf_url, company_id, client_id, assertion):
+
+    token_request = dict(
+        client_id=client_id,
+        company_id=company_id,
+        grant_type='urn:ietf:params:oauth:grant-type:saml2-bearer',
+        assertion=assertion
+    )
+    response = requests.post(f"{sf_url}/oauth/token", data=token_request)
+    token_data = response.json()
+    return token_data['access_token']
+
+
+def generate_assertion(sf_root_url, user_id, client_id, template_file):
+    issue_instant = datetime.utcnow()
+    auth_instant = issue_instant
+    not_valid_before = issue_instant - timedelta(minutes=10)
+    not_valid_after = issue_instant + timedelta(minutes=10)
+
+    audience = 'www.successfactors.com'
+
+    context = dict(
+        issue_instant=issue_instant.isoformat(),
+        auth_instant=auth_instant.isoformat(),
+        not_valid_before=not_valid_before.isoformat(),
+        not_valid_after=not_valid_after.isoformat(),
+        sf_root_url=sf_root_url,
+        audience=audience,
+        user_id=user_id,
+        client_id=client_id,
+        session_id='mock_session_index',
+    )
+    saml_template = open(template_file).read()
+
+    return saml_template.format(**context)
+
+
+def sign_assertion(xml_string, private_key):
+    key = xmlsec.Key.from_file(private_key, xmlsec.KeyFormat.PEM)
+
+    root = etree.fromstring(xml_string)
+    signature_node = xmlsec.tree.find_node(root, xmlsec.Node.SIGNATURE)
+
+    sign_context = xmlsec.SignatureContext()
+    sign_context.key = key
+    sign_context.sign(signature_node)
+
+    return etree.tostring(root)
+
+
+def auth(sf_url, sf_company_id, sf_oauth_client_id,
+         sf_admin_user, sf_saml_private_key, template_file):
+
+    unsigned_assertion = generate_assertion(sf_url,
+                                            sf_admin_user,
+                                            sf_oauth_client_id,
+                                            template_file)
+
+    signed_assertion = sign_assertion(unsigned_assertion, sf_saml_private_key)
+    signed_assertion_b64 = base64.b64encode(signed_assertion).replace(b'\n', b'')
+    access_token = get_access_token(sf_url,
+                                    sf_company_id,
+                                    sf_oauth_client_id,
+                                    signed_assertion_b64)
+
+    return access_token
+
+
+def lambda_handler(event, context):
+
+    session = boto3.session.Session()
+
+    print(event)
+
+    if event['rawPath'] == '/token':
+        body = json.loads(event['body'])
+        sf_url = body['odata_url']
+        sf_company_id = body['company_id']
+        sf_oauth_client_id = body['oauth_client_id']
+        sf_admin_user = body['admin_user']
+
+        private_key = get_secret(region,
+                                 secret_id,
+                                 session)
+
+        with open(private_keyfile, 'w') as f:
+            f.write(private_key)
+
+        token = auth(sf_url, sf_company_id, sf_oauth_client_id, sf_admin_user,
+                     private_keyfile, template_file)
+
+        payload = {
+            "token": token
+        }
+
+        return {
+            'statusCode': 200,
+            'body': json.dumps(payload)
+        }

Lambda/requirements.txt

@@ -0,0 +1,3 @@
+requests
+lxml
+xmlsec