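        /// <summary>
        /// Authoriser "user flow": validates the caller's JWT, builds a <see cref="HackneyUser"/> from its
        /// claims and decides whether that user may call the API identified by the request.
        /// </summary>
        /// <param name="authorizerRequest">The API Gateway authoriser event (token, API id, AWS account id, environment).</param>
        /// <returns>
        /// <see cref="AccessDetails"/> whose <c>Allow</c> is decided by <see cref="VerifyAccessHelper.ShouldHaveAccessUserFlow"/>,
        /// or the not-authorised result when the token is invalid or carries no email claim.
        /// </returns>
        public AccessDetails ExecuteUserAuth(AuthorizerRequest authorizerRequest)
        {
            LambdaLogger.Log("Begins user auth flow");
            // The token is checked against the shared secret taken from the environment.
            // The raw token is deliberately never written to the log.
            var validTokenClaims = ValidateTokenHelper.ValidateToken(authorizerRequest.Token, Environment.GetEnvironmentVariable("hackneyUserAuthTokenJwtSecret"));

            if (validTokenClaims == null || validTokenClaims.Count == 0)
            {
                return(ReturnNotAuthorised(authorizerRequest));
            }

            // A token without an email claim cannot be attributed to a user. Deny explicitly here
            // rather than letting the missing claim surface as a NullReferenceException below.
            var emailClaim = validTokenClaims.Find(x => x.Type == "email");
            if (emailClaim == null || string.IsNullOrEmpty(emailClaim.Value))
            {
                LambdaLogger.Log("Token carries no email claim - denying");
                return(ReturnNotAuthorised(authorizerRequest));
            }

            var user = new HackneyUser
            {
                Groups = validTokenClaims.Where(x => x.Type == "groups").Select(y => y.Value).ToList(),
                Email  = emailClaim.Value
            };

            //get STS credentials and pass them to API gateway
            var credentials = _awsStsGateway.GetTemporaryCredentials(authorizerRequest.AwsAccountId).Credentials;
            //get API name
            var apiName = _awsApiGateway.GetApiName(authorizerRequest.ApiAwsId, credentials);

            LambdaLogger.Log($"API name retrieved - {apiName}");
            // Look the API up in DynamoDB. NOTE(review): the gateway method is named *Async but its result is
            // consumed synchronously here, so it presumably returns the record directly - confirm it is not a Task.
            var apiDataInDb = _dynamoDbGateway.GetAPIDataByNameAndEnvironmentAsync(apiName, authorizerRequest.Environment);

            return(new AccessDetails
            {
                Allow = VerifyAccessHelper.ShouldHaveAccessUserFlow(user, authorizerRequest, apiDataInDb, apiName),
                User = user.Email
            });
        }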
        public void IfGroupsInDbDoMatchUserGroupsShouldReturnTrue()
        {
            // Arrange: the user holds exactly the groups the API record allows, and every other
            // field of the record is generated from the same request/API name, so access must be granted.
            var sharedGroups = new List <string> { _faker.Random.Word(), _faker.Random.Word() };
            var apiRecord    = GenerateTokenDataUserFlow(_request, _apiName, sharedGroups);
            var user         = new HackneyUser { Groups = sharedGroups };

            // Act
            var allowed = VerifyAccessHelper.ShouldHaveAccessUserFlow(user, _request, apiRecord, _apiName);

            // Assert
            allowed.Should().BeTrue();
        }
        public void IfAWSAccounttInRequestDoesNotMatchAWSAccountInDbShouldReturnFalse()
        {
            // Arrange: groups line up, but the database record is pointed at a different AWS account
            // than the request, which on its own must be enough to deny.
            // (Method name keeps the existing "AWSAccountt" spelling - it is referenced by the test runner.)
            var sharedGroups = new List <string> { _faker.Random.Word(), _faker.Random.Word() };
            var apiRecord    = GenerateTokenDataUserFlow(_request, _apiName, sharedGroups);
            apiRecord.AwsAccount = _faker.Random.Word();
            var user = new HackneyUser { Groups = sharedGroups };

            // Act
            var allowed = VerifyAccessHelper.ShouldHaveAccessUserFlow(user, _request, apiRecord, _apiName);

            // Assert
            allowed.Should().BeFalse();
        }
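        /// <summary>
        /// Decides whether <paramref name="user"/> may call <paramref name="apiName"/> in the requested stage.
        /// Access is granted only when the user belongs to at least one of the API record's allowed groups AND
        /// the record's API name, environment and AWS account all match what the request asks for.
        /// </summary>
        /// <param name="user">The authenticated user; email is used for logging, groups for the check.</param>
        /// <param name="authorizerRequest">The incoming authoriser request (environment, AWS account id).</param>
        /// <param name="apiData">The API record loaded from the database; <c>null</c> when the API is not registered.</param>
        /// <param name="apiName">The API name resolved from API Gateway.</param>
        /// <returns><c>true</c> to allow, <c>false</c> to deny. A missing record or missing groups denies rather than throws.</returns>
        public static bool ShouldHaveAccessUserFlow(HackneyUser user, AuthorizerRequest authorizerRequest, APIDataUserFlow apiData, string apiName)
        {
            // Fail closed: an API that is not in the database (null record / no allowed groups) must be
            // denied, not surface as a NullReferenceException from the Any() call below.
            if (apiData == null || apiData.AllowedGroups == null)
            {
                LambdaLogger.Log($"User with email {user?.Email} is DENIED access for {apiName} " +
                                 $" in {authorizerRequest.Environment} stage. No API data was found in the database.");
                return(false);
            }

            // A user with no group claims is treated as belonging to no groups rather than as an error.
            var userGroups = user?.Groups ?? Enumerable.Empty<string>();
            bool groupIsAllowed = apiData.AllowedGroups.Any(x => userGroups.Contains(x));

            if (!groupIsAllowed ||
                apiData.ApiName != apiName ||
                apiData.Environment != authorizerRequest.Environment ||
                apiData.AwsAccount != authorizerRequest.AwsAccountId)
            {
                // string.Join: interpolating the list directly prints its type name, not the group names.
                LambdaLogger.Log($"User with email {user?.Email} is DENIED access for {apiName} " +
                                 $" in {authorizerRequest.Environment} stage. User does not have access to {apiName} " +
                                 $"for {apiData.Environment} stage in the following AWS account {apiData.AwsAccount}. User is in the following " +
                                 $"Google groups: {string.Join(", ", userGroups)}");
                return(false);
            }

            LambdaLogger.Log($"User with email {user?.Email} is ALLOWED access for {apiName} " +
                             $" in {authorizerRequest.Environment} stage. The API, as described in the database, " +
                             $"is deployed to the following AWS account {apiData.AwsAccount}");

            return(true);
        }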