public void ShouldAllowAccessIfTokenIsValidAndDataMatchesRecords()
{
var request = GenerateAuthorizerRequest(GenerateJwtHelper.GenerateJwtToken());
var apiName = _faker.Random.Word();
var consumerName = _faker.Random.Word();
_mockAwsStsGateway.Setup(x => x.GetTemporaryCredentials(It.IsAny <string>())).Returns(new AssumeRoleResponse());
_mockAwsApiGateway.Setup(x => x.GetApiName(It.IsAny <string>(), It.IsAny <Credentials>())).Returns(apiName);
var tokenData = new AuthTokenServiceFlow
{
ApiEndpointName = request.ApiEndpointName,
ApiName = apiName,
HttpMethodType = request.HttpMethodType,
Environment = request.Environment,
ConsumerName = consumerName,
Enabled = true,
ExpirationDate = null
};
_mockDatabaseGateway.Setup(x => x.GetTokenData(It.IsAny <int>())).Returns(tokenData);
var result = _classUnderTest.ExecuteServiceAuth(request);
result.Allow.Should().BeTrue();
result.User.Should().Be(consumerName + tokenData.Id);
}
public void FunctionShouldReturnAPIGatewayCustomAuthorizerPolicyWithAllowEffectWhenTokenIsValid()
{
_serviceProvider
.Setup(x => x.GetService(typeof(IVerifyAccessUseCase)))
.Returns(new VerifyAccessUseCase(_mockDatabaseGateway.Object, _mockAwsApiGateway.Object, _mockAwsStsGateway.Object, _mockDynamoDbGateway.Object));
var lambdaRequest = _fixture.Build <APIGatewayCustomAuthorizerRequest>().Create();
lambdaRequest.Headers["Authorization"] = _jwtServiceFlow;
var apiName = _fixture.Create <string>();
var consumerName = _fixture.Create <string>();
var tokenData = new AuthTokenServiceFlow
{
ApiEndpointName = lambdaRequest.RequestContext.Path,
ApiName = apiName,
Environment = lambdaRequest.RequestContext.Stage,
HttpMethodType = lambdaRequest.RequestContext.HttpMethod,
ConsumerName = consumerName,
Enabled = true,
ExpirationDate = null
};
_mockDatabaseGateway.Setup(x => x.GetTokenData(It.IsAny <int>())).Returns(tokenData);
_mockAwsApiGateway.Setup(x => x.GetApiName(It.IsAny <string>(), It.IsAny <Credentials>())).Returns(apiName);
_mockAwsStsGateway.Setup(x => x.GetTemporaryCredentials(It.IsAny <string>())).Returns(new AssumeRoleResponse());
var result = _classUnderTest.VerifyToken(lambdaRequest);
result.Should().BeOfType <APIGatewayCustomAuthorizerResponse>();
result.PolicyDocument.Statement.First().Effect.Should().Be("Allow");
result.PrincipalID.Should().Be(consumerName + tokenData.Id);
}
public void Setup()
{
_entity = new AuthTokenServiceFlow();
}
public static bool ShouldHaveAccessServiceFlow(AuthorizerRequest authorizerRequest, AuthTokenServiceFlow tokenData, string apiName)
{
//Check that the token is enabled or that the expiration date is valid
if (!tokenData.Enabled ||
(tokenData.ExpirationDate != null && tokenData.ExpirationDate < DateTime.Now) ||
tokenData.ApiName != apiName ||
tokenData.HttpMethodType != authorizerRequest.HttpMethodType ||
tokenData.Environment != authorizerRequest.Environment ||
!authorizerRequest.ApiEndpointName.Contains(tokenData.ApiEndpointName, StringComparison.InvariantCulture))
{
LambdaLogger.Log($"Token with id {tokenData.Id} denying access for {tokenData.ApiName} with endpoint {tokenData.ApiEndpointName}" +
$" in {tokenData.Environment} stage does not have access to {apiName} with endpoint {authorizerRequest.ApiEndpointName} " +
$"for {authorizerRequest.Environment} stage { tokenData.Enabled }");
return(false);
}
LambdaLogger.Log($"Token with id {tokenData.Id} allowing access for {tokenData.ApiName} with endpoint {tokenData.ApiEndpointName}" +
$" in {tokenData.Environment} stage has access to {apiName} with endpoint {authorizerRequest.ApiEndpointName} " +
$"for {authorizerRequest.Environment} stage { tokenData.Enabled }");
return(true);
}
