Example #1
0
        public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest apigAuthRequest, ILambdaContext context)
        {
            var TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer           = true,
                ValidIssuer              = SecurityConstants.Issuer,
                ValidateAudience         = true,
                ValidAudience            = SecurityConstants.Issuer,
                IssuerSigningKey         = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SecurityConstants.SecurityKey)),
                ClockSkew                = TimeSpan.FromMinutes(5),
                ValidateIssuerSigningKey = true
            };

            SecurityToken validatedToken;

            JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
            bool authorized = false;

            if (!string.IsNullOrWhiteSpace(apigAuthRequest.AuthorizationToken))
            {
                try
                {
                    var user  = handler.ValidateToken(apigAuthRequest.AuthorizationToken, TokenValidationParameters, out validatedToken);
                    var claim = user.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Name);
                    if (claim != null)
                    {
                        authorized = claim.Value == SecurityConstants.ClaimName; // Ensure that the claim value matches the assertion
                    }
                }
                catch (Exception ex)
                {
                    LambdaLogger.Log($"Error occurred validating token: {ex.Message}");
                }
            }
            APIGatewayCustomAuthorizerPolicy policy = new APIGatewayCustomAuthorizerPolicy
            {
                Version   = "2012-10-17",
                Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>()
            };

            policy.Statement.Add(new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
            {
                Action   = new HashSet <string>(new string[] { "execute-api:Invoke" }),
                Effect   = authorized ? "Allow" : "Deny",
                Resource = new HashSet <string>(new string[] { apigAuthRequest.MethodArn })
            });


            APIGatewayCustomAuthorizerContextOutput contextOutput = new APIGatewayCustomAuthorizerContextOutput();

            contextOutput["User"] = authorized ? SecurityConstants.ClaimName : "User";
            contextOutput["Path"] = apigAuthRequest.MethodArn;

            return(new APIGatewayCustomAuthorizerResponse
            {
                PrincipalID = authorized ? SecurityConstants.ClaimName : "User",
                Context = contextOutput,
                PolicyDocument = policy
            });
        }
        /// <summary>
        ///验证Token的Lambda函数
        /// </summary>
        /// <param name="apigAuthRequest">请求</param>
        /// <param name="context">上下文</param>
        /// <returns></returns>
        public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest apigAuthRequest, ILambdaContext context)
        {
            LambdaLogger.Log($"AWS Lambda函数验证Token开始");
            var TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer           = true,
                ValidateIssuerSigningKey = true,
                ValidIssuer      = SecurityConstants.Issuer,
                ValidateAudience = true,
                ValidAudience    = SecurityConstants.Audience,
                ValidateLifetime = true,
                IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(SecurityConstants.SecurityKey)),
                ClockSkew        = TimeSpan.Zero,
            };
            var authorized = false;
            //删除Bearer再来验证
            var token = apigAuthRequest.AuthorizationToken?.Replace("Bearer ", "");

            if (!string.IsNullOrWhiteSpace(token))
            {
                try
                {
                    SecurityToken validatedToken;
                    var           handler = new JwtSecurityTokenHandler();
                    var           user    = handler.ValidateToken(token, TokenValidationParameters, out validatedToken);
                    var           claim   = user.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Name);
                    if (claim != null)
                    {
                        authorized = claim.Value == SecurityConstants.ClaimName;
                    }
                }
                catch (Exception ex)
                {
                    LambdaLogger.Log($"Error occurred validating token: {ex.Message}");
                }
            }
            var policy = new APIGatewayCustomAuthorizerPolicy
            {
                Version   = "2012-10-17",
                Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>(),
            };

            policy.Statement.Add(new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
            {
                Action   = new HashSet <string>(new string[] { "execute-api:Invoke" }),
                Effect   = authorized ? "Allow" : "Deny",
                Resource = new HashSet <string>(new string[] { apigAuthRequest.MethodArn })
            });
            var contextOutput = new APIGatewayCustomAuthorizerContextOutput();

            contextOutput["User"] = authorized ? SecurityConstants.ClaimName : "User";
            contextOutput["Path"] = apigAuthRequest.MethodArn;
            LambdaLogger.Log($"AWS Lambda函数验证Token结束");
            return(new APIGatewayCustomAuthorizerResponse
            {
                PrincipalID = authorized ? SecurityConstants.ClaimName : "User",
                Context = contextOutput,
                PolicyDocument = policy,
            });
        }
        public void APIGatewayAuthorizerResponseTest()
        {
            var context = new APIGatewayCustomAuthorizerContextOutput();

            context["field1"] = "value1";
            context["field2"] = "value2";

            var response = new APIGatewayCustomAuthorizerResponse
            {
                PrincipalID        = "prin1",
                UsageIdentifierKey = "usageKey",
                Context            = context,
                PolicyDocument     = new APIGatewayCustomAuthorizerPolicy
                {
                    Version   = "2012-10-17",
                    Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>
                    {
                        new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
                        {
                            Action = new HashSet <string> {
                                "execute-api:Invoke"
                            },
                            Effect   = "Allow",
                            Resource = new HashSet <string> {
                                "*"
                            }
                        }
                    }
                }
            };

            string serializedJson;

            using (MemoryStream stream = new MemoryStream())
            {
                var serializer = new JsonSerializer();
                serializer.Serialize(response, stream);

                stream.Position = 0;
                serializedJson  = Encoding.UTF8.GetString(stream.ToArray());
            }

            JObject root = Newtonsoft.Json.JsonConvert.DeserializeObject(serializedJson) as JObject;

            Assert.Equal("prin1", root["principalId"]);
            Assert.Equal("usageKey", root["usageIdentifierKey"]);
            Assert.Equal("value1", root["context"]["field1"]);
            Assert.Equal("value2", root["context"]["field2"]);

            Assert.Equal("2012-10-17", root["policyDocument"]["Version"]);
            Assert.Equal("execute-api:Invoke", root["policyDocument"]["Statement"][0]["Action"][0]);
            Assert.Equal("Allow", root["policyDocument"]["Statement"][0]["Effect"]);
            Assert.Equal("*", root["policyDocument"]["Statement"][0]["Resource"][0]);
        }
Example #4
0
        /// <summary>
        /// A simple function that takes a string and does a ToUpper
        /// </summary>
        /// <param name="input"></param>
        /// <param name="context"></param>
        /// <returns></returns>
        public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest apiRequest, ILambdaContext context)
        {
            bool authorized = false;

            if (!string.IsNullOrWhiteSpace(apiRequest.AuthorizationToken))
            {
                authorized = ValidateToken(apiRequest.AuthorizationToken, context);
            }

            var policy = new APIGatewayCustomAuthorizerPolicy
            {
                Version   = "2012-10-17",
                Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>
                {
                    new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
                    {
                        Action   = new HashSet <string>(new string[] { "execute-api:Invoke" }),
                        Effect   = authorized ? "Allow" : "Deny",
                        Resource = new HashSet <string>(new string[] { apiRequest.MethodArn }) // api gateway endpoint arn
                    }
                }
            };

            var contextOutput = new APIGatewayCustomAuthorizerContextOutput();

            contextOutput["User"] = authorized ? AllowedUserName : "******";
            contextOutput["Path"] = apiRequest.MethodArn;

            var response = new APIGatewayCustomAuthorizerResponse
            {
                Context        = contextOutput,
                PolicyDocument = policy
            };

            return(response);
        }
Example #5
0
        /// <summary>
        /// A Lambda function to respond to HTTP Get methods from API Gateway
        /// </summary>
        /// <param name="request"></param>
        /// <returns>The list of blogs</returns>
        public APIGatewayCustomAuthorizerResponse Get(APIGatewayCustomAuthorizerRequest request, ILambdaContext context)
        {
            context.Logger.LogLine("Get Request\n");
            context.Logger.LogLine(request.AuthorizationToken.ToString());
            context.Logger.LogLine(ablUrl);
            var accessToken = request.AuthorizationToken.Substring("Bearer ".Length).Trim();

            context.Logger.LogLine(accessToken);
            RSA publicRsa = RSA.Create();

            publicRsa.FromXmlString("<RSAKeyValue><Modulus>niwszppYY81jN+LO9riMlDVFXCuChYK4NpmnhV7SjRksFfs397jYu07fcGNVWEBppeJ1WZEFILypPjRRfARgwKa4Lu0633cPYG+amyKRYgTGyvbEjvWJ/yvyqimuPrbrI8Bv6FemwCrOoxYIST0pwEHPx6f8SMxKAE9nXP5xcshrudNUZkK9/B17T1HLk9uAzg52cPIM0SChrhfsklcToaycrUQgtFLYWdVEacaSXNo4q1G2ItgHqhM6vHQ5SMcrQ7O+7hlyD5dXkIXItHY4KlHx6yhBp6o0C2237cjIpP1bJaaarFYkHIyWnJ4BET5JXhgVx8j4N6T4S5cNsuy0Rw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>");
            RsaSecurityKey signingKey   = new RsaSecurityKey(publicRsa);
            bool           authorized   = false;
            var            tokenHandler = new JwtSecurityTokenHandler();

            try
            {
                tokenHandler.ValidateToken(accessToken, new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    ValidateIssuer           = false,
                    ValidateAudience         = true,
                    ValidAudience            = "api",
                    IssuerSigningKey         = signingKey,
                    ClockSkew = TimeSpan.FromMinutes(5),
                }, out SecurityToken validatedToken);
                authorized = true;
            }
            catch (Exception ex)
            {
                context.Logger.LogLine(ex.Message);
            }



            // var TokenValidationParams = new TokenValidationParameters
            // {
            //     //IssuerSigningKey=signingKey,
            //     ValidateIssuer=false,
            //     ValidIssuer=ablUrl,
            //     ValidateAudience=false,
            //     ValidAudience="api",
            //     ClockSkew=TimeSpan.FromMinutes(5),


            // };

            // SecurityToken validatedToken;

            // JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();


            // try
            // {
            //     var token = handler.ValidateToken(accessToken, TokenValidationParams, out validatedToken);
            //     foreach (Claim claim in token.Claims){
            //         context.Logger.LogLine($"CLAIM TYPE: {claim.Type} CLAIM VALUE: {claim.Value}");
            //     }
            //     var getClaimIss = token.Claims.FirstOrDefault(c => c.Type == "iss");
            //     context.Logger.LogLine($"{getClaimIss}");
            //     if (getClaimIss != null){
            //         authorized = true;
            //     }
            // }
            // catch (Exception ex)
            // {
            //     context.Logger.LogLine($"Error occurred validating token: {ex.Message}");
            // }

            context.Logger.LogLine($"{authorized}");

            APIGatewayCustomAuthorizerPolicy policy = new APIGatewayCustomAuthorizerPolicy
            {
                Version   = "2012-10-17",
                Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>()
            };

            policy.Statement.Add(new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
            {
                Action   = new HashSet <string>(new string[] { "execute-api:Invoke" }),
                Effect   = authorized ? "Allow" : "Deny",
                Resource = new HashSet <string>(new string[] { request.MethodArn })
            });


            APIGatewayCustomAuthorizerContextOutput contextOutput = new APIGatewayCustomAuthorizerContextOutput();

            contextOutput["User"] = "******";
            contextOutput["Path"] = request.MethodArn;

            return(new APIGatewayCustomAuthorizerResponse
            {
                PrincipalID = "User",
                Context = contextOutput,
                PolicyDocument = policy
            });
        }
        public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest apigAuthRequest, ILambdaContext context)
        {
            string auth0Domain   = context.ClientContext.Environment["Auth0Domain"];
            string auth0Audience = context.ClientContext.Environment["Auth0Audience"];
            IConfigurationManager <OpenIdConnectConfiguration> configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>($"{auth0Domain}.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
            OpenIdConnectConfiguration openIdConfig = AsyncHelper.RunSync(async() => await configurationManager.GetConfigurationAsync(CancellationToken.None));


            var tokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer       = auth0Domain,
                ValidAudiences    = new[] { auth0Audience },
                IssuerSigningKeys = openIdConfig.SigningKeys
            };

            JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
            bool  authorized = false;
            Claim subject    = null;

            string[] scopes = null;
            if (!string.IsNullOrWhiteSpace(apigAuthRequest.AuthorizationToken))
            {
                try
                {
                    var user     = handler.ValidateToken(apigAuthRequest.AuthorizationToken, tokenValidationParameters, out _);
                    var audience = user.Claims.FirstOrDefault(c => c.Type == "aud");
                    var issuer   = user.Claims.FirstOrDefault(c => c.Type == "iss");
                    subject = user.Claims.FirstOrDefault(c => c.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier");
                    if (user.Claims.Any(c => c.Type == "scope"))
                    {
                        scopes = user.Claims.First(c => c.Type == "scope").Value.Split(" ").Where(x => x.Contains(":")).ToArray();
                    }

                    if (audience != null && issuer != null)
                    {
                        authorized = issuer.Value == auth0Domain && audience.Value == auth0Audience; // Ensure that the claim value matches the assertion
                    }
                }
                catch (Exception ex)
                {
                    LambdaLogger.Log($"Error occurred validating token: {ex.Message}");
                }
            }
            APIGatewayCustomAuthorizerPolicy policy = new APIGatewayCustomAuthorizerPolicy
            {
                Version   = "2012-10-17",
                Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>()
            };

            policy.Statement.Add(new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
            {
                Action   = new HashSet <string>(new string[] { "execute-api:Invoke" }),
                Effect   = authorized ? "Allow" : "Deny",
                Resource = new HashSet <string>(new string[] { apigAuthRequest.MethodArn })
            });


            APIGatewayCustomAuthorizerContextOutput contextOutput = new APIGatewayCustomAuthorizerContextOutput();

            contextOutput["User"] = authorized ? subject.Value : null;
            contextOutput["Path"] = apigAuthRequest.MethodArn;
            var permissions = scopes ?? new string[] {};

            contextOutput["Permissions"] = string.Join(",", permissions);

            return(new APIGatewayCustomAuthorizerResponse
            {
                PrincipalID = authorized ? subject.Value : null,
                Context = contextOutput,
                PolicyDocument = policy
            });
        }