public AccessDetails ExecuteUserAuth(AuthorizerRequest authorizerRequest) { LambdaLogger.Log("Begins user auth flow"); var validTokenClaims = ValidateTokenHelper.ValidateToken(authorizerRequest.Token, Environment.GetEnvironmentVariable("hackneyUserAuthTokenJwtSecret")); if (validTokenClaims == null || validTokenClaims.Count == 0) { return(ReturnNotAuthorised(authorizerRequest)); } var user = new HackneyUser(); user.Groups = validTokenClaims.Where(x => x.Type == "groups").Select(y => y.Value).ToList(); user.Email = validTokenClaims.Find(x => x.Type == "email").Value; //get STS credentials and pass them to API gateway var credentials = _awsStsGateway.GetTemporaryCredentials(authorizerRequest.AwsAccountId).Credentials; //get API name var apiName = _awsApiGateway.GetApiName(authorizerRequest.ApiAwsId, credentials); LambdaLogger.Log($"API name retrieved - {apiName}"); //check if API is in the DynamoDB var apiDataInDb = _dynamoDbGateway.GetAPIDataByNameAndEnvironmentAsync(apiName, authorizerRequest.Environment); return(new AccessDetails { Allow = VerifyAccessHelper.ShouldHaveAccessUserFlow(user, authorizerRequest, apiDataInDb, apiName), User = validTokenClaims.Find(x => x.Type == "email").Value }); }
public AccessDetails ExecuteServiceAuth(AuthorizerRequest authorizerRequest) { LambdaLogger.Log("Begins service auth flow"); var validTokenClaims = ValidateTokenHelper.ValidateToken(authorizerRequest.Token, Environment.GetEnvironmentVariable("jwtSecret")); if (validTokenClaims == null || validTokenClaims.Count == 0) { return(ReturnNotAuthorised(authorizerRequest)); } var tokenId = validTokenClaims.Find(x => x.Type == "id").Value; if (!int.TryParse(tokenId, out int id)) { return(ReturnNotAuthorised(authorizerRequest)); } var tokenData = _databaseGateway.GetTokenData(id); var credentials = _awsStsGateway.GetTemporaryCredentials(authorizerRequest.AwsAccountId).Credentials; var apiName = _awsApiGateway.GetApiName(authorizerRequest.ApiAwsId, credentials); LambdaLogger.Log($"API name retrieved - {apiName}"); return(new AccessDetails { Allow = VerifyAccessHelper.ShouldHaveAccessServiceFlow(authorizerRequest, tokenData, apiName), User = $"{tokenData.ConsumerName}{tokenData.Id}" }); }
private static APIDataUserFlow GenerateTokenDataUserFlow(AuthorizerRequest request, string apiName, List <string> groups) { return(new APIDataUserFlow { ApiName = apiName, AwsAccount = request.AwsAccountId, Environment = request.Environment, AllowedGroups = groups }); }
private static AccessDetails ReturnNotAuthorised(AuthorizerRequest authorizerRequest) { LambdaLogger.Log( $"Token beginning with {authorizerRequest.Token.Substring(0, 8)} is invalid or should not have access to" + $" {authorizerRequest.ApiAwsId} - {authorizerRequest.ApiEndpointName}" + $" in {authorizerRequest.Environment}"); return(new AccessDetails { Allow = false, User = "******" }); }
private static AuthTokenServiceFlow GenerateTokenData(AuthorizerRequest request, string apiName) { return(new AuthTokenServiceFlow { ApiEndpointName = request.ApiEndpointName, ApiName = apiName, Environment = request.Environment, HttpMethodType = request.HttpMethodType, ExpirationDate = null, Enabled = true, }); }
public static bool ShouldHaveAccessUserFlow(HackneyUser user, AuthorizerRequest authorizerRequest, APIDataUserFlow apiData, string apiName) { bool groupIsAllowed = apiData.AllowedGroups.Any(x => user.Groups.Contains(x)); if (!groupIsAllowed || apiData.ApiName != apiName || apiData.Environment != authorizerRequest.Environment || apiData.AwsAccount != authorizerRequest.AwsAccountId) { LambdaLogger.Log($"User with email {user.Email} is DENIED access for {apiName} " + $" in {authorizerRequest.Environment} stage. User does not have access to {apiName} " + $"for {apiData.Environment} stage in the following AWS account {apiData.AwsAccount}. User is in the following" + $"Google groups: {user.Groups}"); return(false); } LambdaLogger.Log($"User with email {user.Email} is ALLOWED access for {apiName} " + $" in {authorizerRequest.Environment} stage. The API, as described in the database," + $"is deployed to the following AWS account {apiData.AwsAccount}"); return(true); }
public static bool ShouldHaveAccessServiceFlow(AuthorizerRequest authorizerRequest, AuthTokenServiceFlow tokenData, string apiName) { //Check that the token is enabled or that the expiration date is valid if (!tokenData.Enabled || (tokenData.ExpirationDate != null && tokenData.ExpirationDate < DateTime.Now) || tokenData.ApiName != apiName || tokenData.HttpMethodType != authorizerRequest.HttpMethodType || tokenData.Environment != authorizerRequest.Environment || !authorizerRequest.ApiEndpointName.Contains(tokenData.ApiEndpointName, StringComparison.InvariantCulture)) { LambdaLogger.Log($"Token with id {tokenData.Id} denying access for {tokenData.ApiName} with endpoint {tokenData.ApiEndpointName}" + $" in {tokenData.Environment} stage does not have access to {apiName} with endpoint {authorizerRequest.ApiEndpointName} " + $"for {authorizerRequest.Environment} stage { tokenData.Enabled }"); return(false); } LambdaLogger.Log($"Token with id {tokenData.Id} allowing access for {tokenData.ApiName} with endpoint {tokenData.ApiEndpointName}" + $" in {tokenData.Environment} stage has access to {apiName} with endpoint {authorizerRequest.ApiEndpointName} " + $"for {authorizerRequest.Environment} stage { tokenData.Enabled }"); return(true); }
public void Setup() { _request = GenerateAuthorizerRequest(); _apiName = _faker.Random.Word(); }