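/// <summary>
/// Runs the user (JWT) authorization flow for a Lambda authorizer request.
/// The token is validated with the secret read from the <c>hackneyUserAuthTokenJwtSecret</c>
/// environment variable; the caller's groups and email are taken from the validated claims,
/// the target API's name is resolved through API Gateway using temporary STS credentials for the
/// request's account, and the API's access record is looked up in DynamoDB.
/// </summary>
/// <param name="authorizerRequest">The incoming request: token, AWS account id, API id and environment.</param>
/// <returns>
/// An <see cref="AccessDetails"/> whose <c>Allow</c> is decided by
/// <see cref="VerifyAccessHelper.ShouldHaveAccessUserFlow"/> and whose <c>User</c> is the email claim;
/// or the not-authorised result when the token fails validation or carries no email claim.
/// </returns>
public AccessDetails ExecuteUserAuth(AuthorizerRequest authorizerRequest)
{
    LambdaLogger.Log("Begins user auth flow");

    var validTokenClaims = ValidateTokenHelper.ValidateToken(
        authorizerRequest.Token,
        Environment.GetEnvironmentVariable("hackneyUserAuthTokenJwtSecret"));

    // No claims means the token did not validate: fail closed.
    if (validTokenClaims == null || validTokenClaims.Count == 0)
    {
        return ReturnNotAuthorised(authorizerRequest);
    }

    // The email claim is required downstream (access logging and the returned principal).
    // A validated token without it previously dereferenced null here, surfacing as an
    // unhandled exception instead of a deny; treat it as not authorised.
    var emailClaim = validTokenClaims.Find(x => x.Type == "email");
    if (emailClaim == null)
    {
        LambdaLogger.Log("Token validated but carries no email claim - denying");
        return ReturnNotAuthorised(authorizerRequest);
    }

    var user = new HackneyUser
    {
        Groups = validTokenClaims.Where(x => x.Type == "groups").Select(y => y.Value).ToList(),
        Email = emailClaim.Value
    };

    // Temporary STS credentials for the request's account, used to query API Gateway.
    var credentials = _awsStsGateway.GetTemporaryCredentials(authorizerRequest.AwsAccountId).Credentials;

    var apiName = _awsApiGateway.GetApiName(authorizerRequest.ApiAwsId, credentials);
    LambdaLogger.Log($"API name retrieved - {apiName}");

    // Access record for this API in the requested environment.
    // NOTE(review): the result is consumed synchronously despite the Async suffix — confirm the
    // gateway method does not return a Task.
    var apiDataInDb = _dynamoDbGateway.GetAPIDataByNameAndEnvironmentAsync(apiName, authorizerRequest.Environment);

    return new AccessDetails
    {
        Allow = VerifyAccessHelper.ShouldHaveAccessUserFlow(user, authorizerRequest, apiDataInDb, apiName),
        User = user.Email
    };
}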
/// <summary>
/// When the user's groups are exactly the groups allowed in the DB record (and the rest of the
/// record matches the request), access must be granted.
/// </summary>
public void IfGroupsInDbDoMatchUserGroupsShouldReturnTrue()
{
    // Arrange: the same group list is used for both the DB record and the user.
    var groups = new List<string> { _faker.Random.Word(), _faker.Random.Word() };
    var apiData = GenerateTokenDataUserFlow(_request, _apiName, groups);
    var user = new HackneyUser { Groups = groups };

    // Act
    var allowed = VerifyAccessHelper.ShouldHaveAccessUserFlow(user, _request, apiData, _apiName);

    // Assert
    allowed.Should().BeTrue();
}
/// <summary>
/// When the DB record's AWS account differs from the account in the request, access must be denied
/// even though the user's groups match the allowed groups.
/// </summary>
public void IfAWSAccounttInRequestDoesNotMatchAWSAccountInDbShouldReturnFalse()
{
    // Arrange: groups match, but the DB record is re-pointed at a different AWS account.
    // NOTE(review): relies on a random Faker word never equalling _request.AwsAccountId;
    // a fixed, visibly different value would make the test fully deterministic.
    var groups = new List<string> { _faker.Random.Word(), _faker.Random.Word() };
    var apiData = GenerateTokenDataUserFlow(_request, _apiName, groups);
    apiData.AwsAccount = _faker.Random.Word();
    var user = new HackneyUser { Groups = groups };

    // Act
    var allowed = VerifyAccessHelper.ShouldHaveAccessUserFlow(user, _request, apiData, _apiName);

    // Assert
    allowed.Should().BeFalse();
}
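/// <summary>
/// Decides whether <paramref name="user"/> may call the API described by <paramref name="apiData"/>.
/// Access is granted only when the user is in at least one of the API's allowed groups AND the DB
/// record's API name, environment and AWS account all match the request being authorized.
/// Any mismatch, a missing DB record, or a user with no groups denies (fail closed).
/// </summary>
/// <param name="user">The caller, with groups and email taken from the validated token.</param>
/// <param name="authorizerRequest">The incoming authorizer request (environment and AWS account id).</param>
/// <param name="apiData">The API's access record from the database; null when no record was found.</param>
/// <param name="apiName">The API name resolved from API Gateway for this request.</param>
/// <returns><c>true</c> if access is allowed; otherwise <c>false</c>.</returns>
public static bool ShouldHaveAccessUserFlow(HackneyUser user, AuthorizerRequest authorizerRequest, APIDataUserFlow apiData, string apiName)
{
    // A null group list (token carried no group claims) means "in no groups", not an error.
    var userGroups = user.Groups ?? Enumerable.Empty<string>();
    // Join the groups so the log shows their values rather than the List type name.
    var groupList = string.Join(", ", userGroups);

    // Note: these log lines carry the caller's email and group membership; log retention and
    // access should be set accordingly.

    // No record for this API/environment: deny instead of dereferencing null.
    if (apiData == null)
    {
        LambdaLogger.Log($"User with email {user.Email} is DENIED access for {apiName} " +
                         $"in {authorizerRequest.Environment} stage. No API data was found in the database. " +
                         $"User is in the following Google groups: {groupList}");
        return false;
    }

    // String comparisons below are ordinal (case-sensitive), which is the intended strictness for
    // authorization data.
    bool groupIsAllowed = apiData.AllowedGroups != null && apiData.AllowedGroups.Any(x => userGroups.Contains(x));

    if (!groupIsAllowed
        || apiData.ApiName != apiName
        || apiData.Environment != authorizerRequest.Environment
        || apiData.AwsAccount != authorizerRequest.AwsAccountId)
    {
        LambdaLogger.Log($"User with email {user.Email} is DENIED access for {apiName} " +
                         $"in {authorizerRequest.Environment} stage. User does not have access to {apiName} " +
                         $"for {apiData.Environment} stage in the following AWS account {apiData.AwsAccount}. " +
                         $"User is in the following Google groups: {groupList}");
        return false;
    }

    LambdaLogger.Log($"User with email {user.Email} is ALLOWED access for {apiName} " +
                     $"in {authorizerRequest.Environment} stage. The API, as described in the database, " +
                     $"is deployed to the following AWS account {apiData.AwsAccount}");
    return true;
}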