private void DenyAll(APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement statement)
        {
            var any = Resource.Any.GetStringValue();

            statement.Effect = Effect.Deny.GetStringValue();
            statement.Action.Add(CustomAuthorizerHelper.ComposeAction(Policy.Action.All));
            statement.Resource.Add(CustomAuthorizerHelper.ComposeResource(
                                       any, any, any, any, new ResourceAccess(any, any)));
        }
Esempio n. 2
0
        private APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement GetPolicy(string access, string methodArn)
        {
            var statement = new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
            {
                Action = new HashSet <string>(new string[] { EXECUTE_API_INVOKE }),
                Effect = access,
                //statement.Resource = new HashSet<string>(new string[] { authorizationSettings.AuthorizerApiArn });
                Resource = new HashSet <string>(new string[] { methodArn })
            };

            return(statement);
        }
        public async Task <APIGatewayCustomAuthorizerResponse> FunctionHandler(APIGatewayCustomAuthorizerRequest request)
        {
            var token = request.AuthorizationToken;
            var type  = AuthTokenType.JWT;

            var response  = new APIGatewayCustomAuthorizerResponse();
            var policy    = response.PolicyDocument;
            var statement = new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement()
            {
                Action   = new HashSet <string>(),
                Resource = new HashSet <string>()
            };

            if (Validator.Validate(type, token))
            {
                var vars      = request.MethodArn.Split(':');
                var apiVars   = vars[5].Split('/');
                var region    = vars[3];
                var accountId = vars[4];
                var apiId     = apiVars[0];
                var stage     = apiVars[1];

                Console.WriteLine(apiVars.Length);

                if (apiVars.Length > 4)
                {
                    int id;
                    if (int.TryParse(apiVars[4], out id))
                    {
                        var service = apiVars[3];

                        Console.WriteLine(service);
                        Console.WriteLine(id);

                        var req = new Request()
                        {
                            Operation = Operation.VerifyUser,
                            AuthToken = token,
                            Payload   = JObject.FromObject(new VerifyUserPayload()
                            {
                                ResourceId = id
                            })
                        };

                        var lambdaClient  = new AmazonLambdaClient();
                        var invokeRequest = new InvokeRequest()
                        {
                            FunctionName = Enum.GetName(typeof(Service), serviceMapping[service]),
                            Payload      = JsonConvert.SerializeObject(req)
                        };

                        var lambdaRes = await lambdaClient.InvokeAsync(invokeRequest);

                        var res = new StreamReader(lambdaRes.Payload).ReadToEnd();

                        if (res.Contains(Enum.GetName(typeof(VerifyResult), VerifyResult.Allow)))
                        {
                            var any = Resource.Any.GetStringValue();
                            this.AllowOperation(
                                statement,
                                CustomAuthorizerHelper.ComposeAction(Policy.Action.Invoke),
                                CustomAuthorizerHelper.ComposeResource(region, accountId, apiId, stage, new ResourceAccess(any, any))
                                );
                        }
                        else
                        {
                            this.DenyAll(statement);
                        }
                    }
                    else
                    {
                        var any = Resource.Any.GetStringValue();
                        this.AllowOperation(
                            statement,
                            CustomAuthorizerHelper.ComposeAction(Policy.Action.Invoke),
                            CustomAuthorizerHelper.ComposeResource(region, accountId, apiId, stage, new ResourceAccess(any, any))
                            );
                    }
                }
                else
                {
                    var any = Resource.Any.GetStringValue();
                    this.AllowOperation(
                        statement,
                        CustomAuthorizerHelper.ComposeAction(Policy.Action.Invoke),
                        CustomAuthorizerHelper.ComposeResource(region, accountId, apiId, stage, new ResourceAccess(any, any))
                        );
                }
            }
            else
            {
                this.DenyAll(statement);
            }

            policy.Statement.Add(statement);
            return(response);
        }
 private void AllowOperation(APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement statement, string action, string resource)
 {
     statement.Effect = Effect.Allow.GetStringValue();
     statement.Action.Add(action);
     statement.Resource.Add(resource);
 }