public async Task <APIGatewayCustomAuthorizerResponse> Authorize(APIGatewayCustomAuthorizerRequest request, ILambdaContext context) { try { _request = request; _token = request.AuthorizationToken; _oidcIssuer = Environment.GetEnvironmentVariable("OIDC_ISSUER"); _claimsPrincipal = await AuthorizeViaOidc(); } catch (Exception ex) { Console.WriteLine($"Exception in {nameof(Authorize)}: {ex}"); throw; } if (_claimsPrincipal?.Identity == null) { Console.WriteLine("The token is NOT authorized"); throw new Exception(HttpStatusCode.Unauthorized.ToString()); // this is the recommended way to invoke a 401 response } Console.WriteLine("The token is authorized"); return(GenerateAllowResponse()); }
public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest apigAuthRequest, ILambdaContext context) { var TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = true, ValidIssuer = SecurityConstants.Issuer, ValidateAudience = true, ValidAudience = SecurityConstants.Issuer, IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SecurityConstants.SecurityKey)), ClockSkew = TimeSpan.FromMinutes(5), ValidateIssuerSigningKey = true }; SecurityToken validatedToken; JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); bool authorized = false; if (!string.IsNullOrWhiteSpace(apigAuthRequest.AuthorizationToken)) { try { var user = handler.ValidateToken(apigAuthRequest.AuthorizationToken, TokenValidationParameters, out validatedToken); var claim = user.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Name); if (claim != null) { authorized = claim.Value == SecurityConstants.ClaimName; // Ensure that the claim value matches the assertion } } catch (Exception ex) { LambdaLogger.Log($"Error occurred validating token: {ex.Message}"); } } APIGatewayCustomAuthorizerPolicy policy = new APIGatewayCustomAuthorizerPolicy { Version = "2012-10-17", Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>() }; policy.Statement.Add(new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement { Action = new HashSet <string>(new string[] { "execute-api:Invoke" }), Effect = authorized ? "Allow" : "Deny", Resource = new HashSet <string>(new string[] { apigAuthRequest.MethodArn }) }); APIGatewayCustomAuthorizerContextOutput contextOutput = new APIGatewayCustomAuthorizerContextOutput(); contextOutput["User"] = authorized ? SecurityConstants.ClaimName : "User"; contextOutput["Path"] = apigAuthRequest.MethodArn; return(new APIGatewayCustomAuthorizerResponse { PrincipalID = authorized ? SecurityConstants.ClaimName : "User", Context = contextOutput, PolicyDocument = policy }); }
private static string FindToken(APIGatewayCustomAuthorizerRequest request) { var authorizationHeader = GetAuthorizationHeaderValue(request); if (authorizationHeader != null) { return(RemoveBearer(request.Headers["Authorization"])); } var queryAuthToken = GetAuthTokenFromQuery(request); if (queryAuthToken != null) { return(GetAuthTokenFromQuery(request)); } var cookie = GetCookieValueFromRequest(request, "hackneyToken"); if (cookie != null) { return(cookie); } return(request.AuthorizationToken != null ? RemoveBearer(request.AuthorizationToken) : null); }
public APIGatewayCustomAuthorizerResponse Execute(APIGatewayCustomAuthorizerRequest request) { var secret = Environment.GetEnvironmentVariable("JWT_SECRET"); var authorisedGroup = Environment.GetEnvironmentVariable("ALLOWED_USER_GROUP"); var token = FindToken(request); if (token == null) { return(AccessDenied(request)); } var decodedToken = DecodeToken(secret, token); if (!decodedToken.Identity.IsAuthenticated) { return(AccessDenied(request)); } var groups = decodedToken.Claims.Where(c => c.Type == "groups").ToList(); if (groups.Any(grp => grp.Value == authorisedGroup)) { return(AccessAuthorized(request)); } return(AccessDenied(request)); }
/// <summary> ///验证Token的Lambda函数 /// </summary> /// <param name="apigAuthRequest">请求</param> /// <param name="context">上下文</param> /// <returns></returns> public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest apigAuthRequest, ILambdaContext context) { LambdaLogger.Log($"AWS Lambda函数验证Token开始"); var TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = true, ValidateIssuerSigningKey = true, ValidIssuer = SecurityConstants.Issuer, ValidateAudience = true, ValidAudience = SecurityConstants.Audience, ValidateLifetime = true, IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(SecurityConstants.SecurityKey)), ClockSkew = TimeSpan.Zero, }; var authorized = false; //删除Bearer再来验证 var token = apigAuthRequest.AuthorizationToken?.Replace("Bearer ", ""); if (!string.IsNullOrWhiteSpace(token)) { try { SecurityToken validatedToken; var handler = new JwtSecurityTokenHandler(); var user = handler.ValidateToken(token, TokenValidationParameters, out validatedToken); var claim = user.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Name); if (claim != null) { authorized = claim.Value == SecurityConstants.ClaimName; } } catch (Exception ex) { LambdaLogger.Log($"Error occurred validating token: {ex.Message}"); } } var policy = new APIGatewayCustomAuthorizerPolicy { Version = "2012-10-17", Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>(), }; policy.Statement.Add(new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement { Action = new HashSet <string>(new string[] { "execute-api:Invoke" }), Effect = authorized ? "Allow" : "Deny", Resource = new HashSet <string>(new string[] { apigAuthRequest.MethodArn }) }); var contextOutput = new APIGatewayCustomAuthorizerContextOutput(); contextOutput["User"] = authorized ? SecurityConstants.ClaimName : "User"; contextOutput["Path"] = apigAuthRequest.MethodArn; LambdaLogger.Log($"AWS Lambda函数验证Token结束"); return(new APIGatewayCustomAuthorizerResponse { PrincipalID = authorized ? SecurityConstants.ClaimName : "User", Context = contextOutput, PolicyDocument = policy, }); }
public async Task<APIGatewayCustomAuthorizerResponse> FunctionHandler(APIGatewayCustomAuthorizerRequest authEvent, ILambdaContext context) { if (string.IsNullOrEmpty(authEvent.AuthorizationToken)) { Console.WriteLine("no token passed"); return null; } var tokenParts = authEvent.AuthorizationToken.Split(' '); var jwtTokenString = tokenParts.Length > 1 ? tokenParts[1] : null; if (string.IsNullOrEmpty(jwtTokenString)) { Console.WriteLine("no jwt token found"); return null; } var auth0Domain = System.Environment.GetEnvironmentVariable("AUTH0_DOMAIN"); var auth0Audience = System.Environment.GetEnvironmentVariable("AUTH0_AUDIENCE"); if (string.IsNullOrEmpty(auth0Domain) || string.IsNullOrEmpty(auth0Audience)) { Console.WriteLine("no authroziation config found"); return null; } Console.WriteLine("domain:" + auth0Domain); Console.WriteLine("audience:" + auth0Audience); Console.WriteLine("token:" + jwtTokenString); var configUrl = $"https://{auth0Domain}/.well-known/openid-configuration"; var configManager = new ConfigurationManager<OpenIdConnectConfiguration>( configUrl, new OpenIdConnectConfigurationRetriever()); var openIdConfig = await configManager.GetConfigurationAsync(CancellationToken.None); var validationParameters = new TokenValidationParameters { ValidIssuer = $"https://{auth0Domain}/", ValidAudiences = new[] { auth0Audience }, IssuerSigningKeys = openIdConfig.SigningKeys }; SecurityToken validatedToken; JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); try { handler.ValidateToken(jwtTokenString, validationParameters, out validatedToken); } catch (SecurityTokenException) { Console.WriteLine("Failed authorization " + authEvent.AuthorizationToken); return null; } if (validatedToken == null) { Console.WriteLine("Failed authorization " + authEvent.AuthorizationToken); return null; } return GenerateAllowResponse(authEvent.MethodArn); }
public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest input, ILambdaContext context) { bool ok = false; // authorization logic here... if (input.AuthorizationToken == "up-down-left-right-a-b-select-start") { ok = true; } return(new APIGatewayCustomAuthorizerResponse { PrincipalID = "***", //principal info here... UsageIdentifierKey = "***", //usage identifier here (optional) PolicyDocument = new APIGatewayCustomAuthorizerPolicy { Version = "2012-10-17", Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>() { new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement { Action = new HashSet <string>() { "execute-api:Invoke" }, Effect = ok ? "Allow" : "Deny", Resource = new HashSet <string>() { "***" } // resource arn here } }, } }); }
public async Task <APIGatewayCustomAuthorizerResponse> Authorize(APIGatewayCustomAuthorizerRequest request, ILambdaContext context) { context.Logger.LogLine($"Query request: {_jsonConverter.SerializeObject(request)}"); var userInfo = await _userManager.Authorize(request.AuthorizationToken?.Replace("Bearer ", string.Empty)); return(new APIGatewayCustomAuthorizerResponse { PrincipalID = userInfo.UserId, PolicyDocument = new APIGatewayCustomAuthorizerPolicy { Version = "2012-10-17", Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement> { new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement { Action = new HashSet <string> { "execute-api:Invoke" }, Effect = userInfo.Effect.ToString(), Resource = new HashSet <string> { request.MethodArn } } } } }); }
public async Task TestSoarAuthorizerEthereum() { //todo rewrite this test with mocked ethereum service var secret = "768eafe9ba984e2ca799f8829738c0ba"; var challenge = "63f20673bd324ab78c7b059ddad5cccf"; var fileHash = "438269b95b997fc736cf8c4801843db3"; var address = "0x7Bcbb6Ca8De198f97Ac9Bb3B263216EB1E22AA6D"; IStorageService storageService = new StorageServiceMock(); var temp = await storageService.PutSecret(secret, challenge, address, fileHash); var function = new Function(storageService); var context = new TestLambdaContext(); var req = new APIGatewayCustomAuthorizerRequest() { QueryStringParameters = new Dictionary <string, string>() { { "soarSecret", "768eafe9ba984e2ca799f8829738c0ba" }, { "txnHash", "0x5be37b8355d44138272e860b675fd91928b3ac77ec70f6825ad5543dee4b4c79" } }, StageVariables = new Dictionary <string, string>() { { "soar_contract_address", "0xf413a66fe07b49d2ca798acf6e43a47462e7081b" }, { "infura_address", "https://rinkeby.infura.io/trgLCqvmmrvTb46D5Iz4" } } }; var upperCase = await function.FunctionHandler(req, context); }
public async Task <APIGatewayCustomAuthorizerResponse> FunctionHandler(APIGatewayCustomAuthorizerRequest authEvent, ILambdaContext context) { try { (bool authorized, string username) = await CheckAuthorization(authEvent.AuthorizationToken); return(new APIGatewayCustomAuthorizerResponse { PrincipalID = username, PolicyDocument = new APIGatewayCustomAuthorizerPolicy { Version = "2012-10-17", Statement = new AutoConstructedList <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement> { new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement { Action = new HashSet <string> { "execute-api:Invoke" }, Resource = new HashSet <string> { authEvent.MethodArn }, Effect = authorized ? "Allow" : "Deny" } } } }); } catch (Exception e) { Console.WriteLine("Error authorizing request. " + e.Message); throw; } }
public async Task <APIGatewayCustomAuthorizerResponse> FunctionHandler(APIGatewayCustomAuthorizerRequest authEvent, ILambdaContext context) { context.Logger.LogLine(JsonConvert.SerializeObject(authEvent)); VerificationEventType verificationType; if (authEvent.Path.StartsWith("/upload/")) { verificationType = VerificationEventType.VerificationUpload; } else if (authEvent.Path.StartsWith("/download/")) { verificationType = VerificationEventType.VerificationSale; } else { return(GetDenyResponse(authEvent.AuthorizationToken)); } string secret = null; string txnHash = null; authEvent.QueryStringParameters.TryGetValue("soarSecret", out secret); authEvent.QueryStringParameters.TryGetValue("txnHash", out txnHash); if (string.IsNullOrEmpty(secret) || string.IsNullOrEmpty(txnHash)) { return(GetDenyResponse(authEvent.AuthorizationToken)); } string infuraAddress = authEvent.StageVariables["infura_address"]; string soarContractAddress = authEvent.StageVariables["soar_contract_address"]; IEthereumService ethereumService = new EthereumService(infuraAddress, soarContractAddress); using (var storageService = _storageService == null ? new DynamoDbStorageService(context.Logger.LogLine) : _storageService) { var sdDb = await storageService.GetSecretDetails(secret); var sdEth = await ethereumService.GetSecretDetails(txnHash, verificationType); if (sdDb == null || sdEth == null) { return(GetDenyResponse(authEvent.AuthorizationToken)); } context.Logger.LogLine($"secret: {secret}"); context.Logger.LogLine($"address: {sdDb.Address} addressEth: {sdEth.Address}"); context.Logger.LogLine($"challenge: {sdDb.Challenge} challengeEth: {sdEth.Challenge}"); context.Logger.LogLine($"fileHash: {sdDb.FileHash} fileHashEth: {sdEth.FileHash}"); if (sdDb.Challenge.Equals(sdEth.Challenge) && sdDb.Address.EqualsIgnoreCase(sdEth.Address) && sdDb.FileHash.Equals(sdEth.FileHash)) { context.Logger.LogLine("Success"); //todo mark secret as used one in db to disable to use it again return(GetAllowResponse(authEvent.AuthorizationToken)); } return(GetDenyResponse(authEvent.AuthorizationToken)); } }
private static string GetAuthorizationHeaderValue(APIGatewayCustomAuthorizerRequest request) { if (request.Headers == null) { return(null); } return(request.Headers.ContainsKey("Authorization") ? request.Headers["Authorization"] : null); }
private static string GetAuthTokenFromQuery(APIGatewayCustomAuthorizerRequest request) { if (request.QueryStringParameters == null) { return(null); } return(request.QueryStringParameters.ContainsKey("authToken") ? request.QueryStringParameters["authToken"] : null); }
/// <summary> /// A simple function that takes a string and does a ToUpper /// </summary> /// <param name="input"></param> /// <param name="context"></param> /// <returns></returns> public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest input, ILambdaContext context) { var inputToken = input.AuthorizationToken; var ok = false; var subject = "<< NOT FOUND >>"; context.Logger.Log($"Token: {inputToken}"); if (!string.IsNullOrWhiteSpace(inputToken)) { try { inputToken = inputToken.Replace("Bearer", string.Empty).Trim(); var token = new JwtSecurityToken(inputToken); ok = token.Issuer == "https://sts.windows.net/6ab8b79b-42b6-40fd-a177-4540c8f1b365/"; context.Logger.Log($"Issuer: {token.Issuer}"); context.Logger.Log($"Issuer Valid: {ok}"); context.Logger.Log($"Subject: {token.Subject}"); subject = token.Subject; } catch (Exception e) { context.Logger.Log($"Exception: {e.Message}"); context.Logger.Log(e.StackTrace); } } return(new APIGatewayCustomAuthorizerResponse { PrincipalID = subject, //principal info here... UsageIdentifierKey = "API", //usage identifier here (optional) PolicyDocument = new APIGatewayCustomAuthorizerPolicy { Version = "2012-10-17", Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>() { new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement { Action = new HashSet <string>() { "execute-api:Invoke" }, Effect = ok ? "Allow" : "Deny", Resource = new HashSet <string>() { input.MethodArn } // resource arn here } }, } }); }
public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest input, ILambdaContext context) { var token = input.AuthorizationToken; switch (token) { case "allow": return(GeneratePolicy("user", "Allow", input.MethodArn)); default: return(GeneratePolicy("user", "Deny", input.MethodArn)); } }
public void TetGetMethod() { TestLambdaContext context; APIGatewayCustomAuthorizerRequest request; APIGatewayCustomAuthorizerResponse response; Functions functions = new Functions(); request = new APIGatewayCustomAuthorizerRequest(); request.AuthorizationToken = "Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6ImF0K2p3dCJ9.eyJuYmYiOjE1OTIyMTY3MzMsImV4cCI6MTU5MjIyMDMzMywiaXNzIjoiaHR0cHM6Ly91ZDg1Y3JzOTM5LmV4ZWN1dGUtYXBpLmFwLXNvdXRoZWFzdC0yLmFtYXpvbmF3cy5jb20vcHJvZCIsImF1ZCI6ImFwaSIsImNsaWVudF9pZCI6ImNsaWVudCIsInNjb3BlIjpbImFwaSJdfQ.bGKaVK1V9M2kGPyK3EFaaNG2h3ceLQJ-1SNv6CZr9y0TUSDaTiNsCcXLVbxVrB2tzXzDn3fBG313uO-T35TlVhGy4EwfZaz2yY0Oh5_mIMvKlYSqA9PjoFQklTZCOsMwX30nVeXh6LPlbuRIA2gvnSEhLOXKr0ydtXA_KQROHGKbimQwbZAuCdPL6LPHX7mffw4nYfBCfZ7J0HL6_-LW8JRccoubsTa6ESnTNoQvoXxKSL2-HA96vku3E9u5kJEgT_BTuPrQ2F4z_s40HSC4iQHY3SMlmpzLVnwrlWD_wBPNO28yCqxY5TjpVv23Q6zHEAIkVwOyiVyhwX6Dz9FRbA"; context = new TestLambdaContext(); response = functions.Get(request, context); Assert.Equal("", response.PolicyDocument.Version); }
/// <summary> /// A simple function that takes a string and does a ToUpper /// </summary> /// <param name="input"></param> /// <param name="context"></param> /// <returns></returns> public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest aPIGatewayCustomAuthorizerRequest, ILambdaContext context) { context.Logger.Log(JsonConvert.SerializeObject(aPIGatewayCustomAuthorizerRequest)); var authPolicy = new APIGatewayCustomAuthorizerResponse(); // attach policy document for resource policy to allow or deny. AddAuthPolicyDocument(authPolicy); //Custom var response = AuthResponse(authPolicy, "Deny", aPIGatewayCustomAuthorizerRequest.MethodArn); context.Logger.Log(JsonConvert.SerializeObject(response)); return(response); }
public void AuthSuccessWithValidToken() { var function = new Function(); var validRequest = new APIGatewayCustomAuthorizerRequest() { AuthorizationToken = AuthHelper.GenerateAuthToken(this.payload), MethodArn = "arn:aws:execute-api:<regionId>:<accountId>:<apiId>/<stage>/<method>/<resourcePath>" }; var validPolicy = function.FunctionHandler(validRequest).PolicyDocument; Assert.Equal(validPolicy.Statement[0].Effect, Effect.Allow.GetStringValue()); Assert.True(validPolicy.Statement[0].Action.Contains(CustomAuthorizerHelper.ComposeAction(Action.Invoke))); Assert.True(validPolicy.Statement[0].Resource.Contains("arn:aws:execute-api:<regionId>:<accountId>:<apiId>/<stage>/*/*")); }
public void AuthFailForInvalidTokenWithin5Min() { var function = new Function(); var invalidRequest = new APIGatewayCustomAuthorizerRequest() { AuthorizationToken = "invalid", MethodArn = "arn:aws:execute-api:<regionId>:<accountId>:<apiId>/<stage>/<method>/<resourcePath>" }; var invalidPolicy = function.FunctionHandler(invalidRequest).PolicyDocument; Assert.Equal(invalidPolicy.Statement[0].Effect, Effect.Deny.GetStringValue()); Assert.True(invalidPolicy.Statement[0].Action.Contains(CustomAuthorizerHelper.ComposeAction(Action.All))); Assert.True(invalidPolicy.Statement[0].Resource.Contains("arn:aws:execute-api:*:*:*/*/*/*")); }
public Policy FunctionHandler(APIGatewayCustomAuthorizerRequest authEvent, ILambdaContext context) { try { // validate the token -- SIMPLY accept a silly tokens ;) var token = authEvent.AuthorizationToken; Policy policy; if (CheckAuthorization(token) && "get".Equals(authEvent.HttpMethod, StringComparison.OrdinalIgnoreCase)) { var policyStatementList = new List <Statement>(); var policyStatement = new Statement(Statement.StatementEffect.Allow); var actionIdentifier = SNSActionIdentifiers.Publish; // ;) policyStatement.Actions.Add(actionIdentifier); policyStatement.Principals.Add(Principal.AllUsers); var resource = new Resource("arn:aws:lambda:eu-west-1:166778461577:function:TriggerNotification"); policyStatement.Resources.Add(resource); policyStatementList.Add(policyStatement); // Add conditions var condition = ConditionFactory.NewSourceArnCondition("*"); policyStatement.Conditions.Add(condition); policy = new Policy("CallNotifierLambdaPolicy", policyStatementList); } else { var policyStatementList = new List <Statement>(); var policyStatement = new Statement(Statement.StatementEffect.Deny); var actionIdentifier = SNSActionIdentifiers.AllSNSActions; policyStatement.Actions.Add(actionIdentifier); policy = new Policy("AccessDeniedPolicy", policyStatementList); } return(policy); } catch (Exception e) { Console.WriteLine("Error authorizing request. " + e.Message); throw; } }
private static string GetCookieValueFromRequest(APIGatewayCustomAuthorizerRequest request, string cookieName) { if (request.Headers == null) { return(null); } if (!request.Headers.ContainsKey("Cookie")) { return(null); } var responseHeaders = request.Headers.Where(header => header.Key == "Cookie").Select(header => header.Value).ToList(); return(( from header in responseHeaders where header.Trim().StartsWith($"{cookieName}=") let start = header.IndexOf('=') let end = header.Contains(';') ? header.IndexOf(';') : header.Length select header.Substring(start + 1, end - start - 1)).FirstOrDefault()); }
public AuthPolicy FunctionHandler(APIGatewayCustomAuthorizerRequest authEvent, ILambdaContext context) { try { // validate the token var token = authEvent.AuthorizationToken; bool authorized = CheckAuthorization(token); // Create the policy statement // This matches the policy statement example in the documentation, including the ARN var authPolicy = new AuthPolicy(); authPolicy.prinicpalId = token; authPolicy.policyStatement = new PolicyStatement(); authPolicy.policyStatement.Version = "2012-10-17"; authPolicy.policyStatement.Statement = new List <States>(); if (authorized) { var statement = new States(); statement.Action = "execute-api:Invoke"; statement.Effect = "Allow"; statement.Resource = "arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/*/GET/"; authPolicy.policyStatement.Statement.Add(statement); } else { var statement = new States(); statement.Action = "execute-api:Invoke"; statement.Effect = "Deny"; statement.Resource = "arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/*/GET/"; authPolicy.policyStatement.Statement.Add(statement); } return(authPolicy); } catch (Exception e) { Console.WriteLine("Error authorizing request. " + e.Message); throw; } }
/// <summary> /// A simple function that takes a string and does a ToUpper /// </summary> /// <param name="context"></param> /// <returns></returns> public async Task <response> FunctionHandler(APIGatewayCustomAuthorizerRequest request, ILambdaContext context) { try { Get get_til = new Get("reddit_til", context); string child_str = JsonConvert.SerializeObject(await get_til.Child(), Formatting.Indented); //Response var response = new response() { statusCode = "200", headers = new Dictionary <string, string>() { { "Access-Control-Allow-Origin", "*" } }, body = child_str }; //Return return(response); } catch (Exception e) { //Response var response = new response() { statusCode = "400", headers = new Dictionary <string, string>() { { "Access-Control-Allow-Origin", "*" } }, body = e.Message }; //Return return(response); } }
public void TestTokenValidation() { try { // Invoke the lambda function and confirm the string was upper cased. var function = new Function(); var context = new TestLambdaContext(); context.ClientContext = new TestClientContext(); context.ClientContext.Environment["Auth0Domain"] = "https://pse-addons.auth0.com/"; context.ClientContext.Environment["Auth0Audience"] = "urn:backend:api"; APIGatewayCustomAuthorizerRequest request = new APIGatewayCustomAuthorizerRequest(); request.AuthorizationToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlEwVkdOelU0UXpFNE1EZzNRVU01TnpSRVFUVTVSRGRFUTBKRk5USXlOa0k1TkRZek5UWXlRUSJ9.eyJpc3MiOiJodHRwczovL3BzZS1hZGRvbnMuYXV0aDAuY29tLyIsInN1YiI6ImF1dGgwfDVhOTA0ZjA2ZGZhZGQ3MGYyOWEzYmNkZCIsImF1ZCI6WyJ1cm46YmFja2VuZDphcGkiLCJodHRwczovL3BzZS1hZGRvbnMuYXV0aDAuY29tL3VzZXJpbmZvIl0sImlhdCI6MTU0MjQyMzk4MiwiZXhwIjoxNTQyNDMxMTgyLCJhenAiOiJuNW1UYThxMVpyS0l5Z094VzJ4aGxXQkNTaWZ1QXRyQSIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgcmVhZDptZXNzYWdlcyJ9.jldcrBdgGR5Ys68CXiWizS-sgI4bRF3nzUiMhZSY2gHDrye64iDp_YwYnwMAYhR16jp7e3ejspcNM9ymXjdlUb5h9nx8MSYXxoD9xZ-TwkR0mspeCXwdl-qYuQPb0ArcXVraiaiFkrmBfIWDyIiAJGgGUTIC6z1r_oAEv8zrK46kOCKiwqa4rg5dqR3iWsk4DfySG3_Ap9VUyTu8fsN3zz__FAy4N0Dnhs7NtSmn4ZKEBEtP0eanPPso7o0tUBkcGjw_R6PwVPi0fK7K1v7YpNFsYl4M1_stTv6o6uHhQWxWMJNJCgWf68MHJVIeCtNa9gZa03imY8-JXujLrLOxGQ"; request.MethodArn = "/path"; var response = function.FunctionHandler(request, context); Assert.Equal("auth0|5a904f06dfadd70f29a3bcdd", response.PrincipalID); } catch (Exception e) { Console.WriteLine(e.Message); } }
public Policy FunctionHandler(APIGatewayCustomAuthorizerRequest authRequest, ILambdaContext context) { var token = authRequest.AuthorizationToken; Policy policy; if (ValidateToken(token)) { var statement = new Statement(Statement.StatementEffect.Allow); var policyStatements = new List <Statement> { statement }; policy = new Policy("TokenValidationPassed", policyStatements); } else { var statement = new Statement(Statement.StatementEffect.Deny); var policyStatements = new List <Statement> { statement }; policy = new Policy("TokenValidationFailed", policyStatements); } return(policy); }
private static APIGatewayCustomAuthorizerResponse ConstructResponse(APIGatewayCustomAuthorizerRequest request, bool authorized) { return(new APIGatewayCustomAuthorizerResponse { PrincipalID = "user", PolicyDocument = new APIGatewayCustomAuthorizerPolicy { Version = "2012-10-17", Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement> { new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement { Effect = authorized ? "Allow" : "Deny", Resource = new HashSet <string> { request.MethodArn }, Action = new HashSet <string> { "execute-api:Invoke" }, } } } }); }
/// <summary> /// A simple function that takes a string and does a ToUpper /// </summary> /// <param name="input"></param> /// <param name="context"></param> /// <returns></returns> public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest apiRequest, ILambdaContext context) { bool authorized = false; if (!string.IsNullOrWhiteSpace(apiRequest.AuthorizationToken)) { authorized = ValidateToken(apiRequest.AuthorizationToken, context); } var policy = new APIGatewayCustomAuthorizerPolicy { Version = "2012-10-17", Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement> { new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement { Action = new HashSet <string>(new string[] { "execute-api:Invoke" }), Effect = authorized ? "Allow" : "Deny", Resource = new HashSet <string>(new string[] { apiRequest.MethodArn }) // api gateway endpoint arn } } }; var contextOutput = new APIGatewayCustomAuthorizerContextOutput(); contextOutput["User"] = authorized ? AllowedUserName : "******"; contextOutput["Path"] = apiRequest.MethodArn; var response = new APIGatewayCustomAuthorizerResponse { Context = contextOutput, PolicyDocument = policy }; return(response); }
public async Task <APIGatewayCustomAuthorizerResponse> FunctionHandler(APIGatewayCustomAuthorizerRequest request) { var token = request.AuthorizationToken; var type = AuthTokenType.JWT; var response = new APIGatewayCustomAuthorizerResponse(); var policy = response.PolicyDocument; var statement = new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement() { Action = new HashSet <string>(), Resource = new HashSet <string>() }; if (Validator.Validate(type, token)) { var vars = request.MethodArn.Split(':'); var apiVars = vars[5].Split('/'); var region = vars[3]; var accountId = vars[4]; var apiId = apiVars[0]; var stage = apiVars[1]; Console.WriteLine(apiVars.Length); if (apiVars.Length > 4) { int id; if (int.TryParse(apiVars[4], out id)) { var service = apiVars[3]; Console.WriteLine(service); Console.WriteLine(id); var req = new Request() { Operation = Operation.VerifyUser, AuthToken = token, Payload = JObject.FromObject(new VerifyUserPayload() { ResourceId = id }) }; var lambdaClient = new AmazonLambdaClient(); var invokeRequest = new InvokeRequest() { FunctionName = Enum.GetName(typeof(Service), serviceMapping[service]), Payload = JsonConvert.SerializeObject(req) }; var lambdaRes = await lambdaClient.InvokeAsync(invokeRequest); var res = new StreamReader(lambdaRes.Payload).ReadToEnd(); if (res.Contains(Enum.GetName(typeof(VerifyResult), VerifyResult.Allow))) { var any = Resource.Any.GetStringValue(); this.AllowOperation( statement, CustomAuthorizerHelper.ComposeAction(Policy.Action.Invoke), CustomAuthorizerHelper.ComposeResource(region, accountId, apiId, stage, new ResourceAccess(any, any)) ); } else { this.DenyAll(statement); } } else { var any = Resource.Any.GetStringValue(); this.AllowOperation( statement, CustomAuthorizerHelper.ComposeAction(Policy.Action.Invoke), CustomAuthorizerHelper.ComposeResource(region, accountId, apiId, stage, new ResourceAccess(any, any)) ); } } else { var any = Resource.Any.GetStringValue(); this.AllowOperation( statement, CustomAuthorizerHelper.ComposeAction(Policy.Action.Invoke), CustomAuthorizerHelper.ComposeResource(region, accountId, apiId, stage, new ResourceAccess(any, any)) ); } } else { this.DenyAll(statement); } policy.Statement.Add(statement); return(response); }
/// <summary> /// A Lambda function to respond to HTTP Get methods from API Gateway /// </summary> /// <param name="request"></param> /// <returns>The list of blogs</returns> public APIGatewayCustomAuthorizerResponse Get(APIGatewayCustomAuthorizerRequest request, ILambdaContext context) { context.Logger.LogLine("Get Request\n"); context.Logger.LogLine(request.AuthorizationToken.ToString()); context.Logger.LogLine(ablUrl); var accessToken = request.AuthorizationToken.Substring("Bearer ".Length).Trim(); context.Logger.LogLine(accessToken); RSA publicRsa = RSA.Create(); publicRsa.FromXmlString("<RSAKeyValue><Modulus>niwszppYY81jN+LO9riMlDVFXCuChYK4NpmnhV7SjRksFfs397jYu07fcGNVWEBppeJ1WZEFILypPjRRfARgwKa4Lu0633cPYG+amyKRYgTGyvbEjvWJ/yvyqimuPrbrI8Bv6FemwCrOoxYIST0pwEHPx6f8SMxKAE9nXP5xcshrudNUZkK9/B17T1HLk9uAzg52cPIM0SChrhfsklcToaycrUQgtFLYWdVEacaSXNo4q1G2ItgHqhM6vHQ5SMcrQ7O+7hlyD5dXkIXItHY4KlHx6yhBp6o0C2237cjIpP1bJaaarFYkHIyWnJ4BET5JXhgVx8j4N6T4S5cNsuy0Rw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"); RsaSecurityKey signingKey = new RsaSecurityKey(publicRsa); bool authorized = false; var tokenHandler = new JwtSecurityTokenHandler(); try { tokenHandler.ValidateToken(accessToken, new TokenValidationParameters { ValidateIssuerSigningKey = true, ValidateIssuer = false, ValidateAudience = true, ValidAudience = "api", IssuerSigningKey = signingKey, ClockSkew = TimeSpan.FromMinutes(5), }, out SecurityToken validatedToken); authorized = true; } catch (Exception ex) { context.Logger.LogLine(ex.Message); } // var TokenValidationParams = new TokenValidationParameters // { // //IssuerSigningKey=signingKey, // ValidateIssuer=false, // ValidIssuer=ablUrl, // ValidateAudience=false, // ValidAudience="api", // ClockSkew=TimeSpan.FromMinutes(5), // }; // SecurityToken validatedToken; // JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); // try // { // var token = handler.ValidateToken(accessToken, TokenValidationParams, out validatedToken); // foreach (Claim claim in token.Claims){ // context.Logger.LogLine($"CLAIM TYPE: {claim.Type} CLAIM VALUE: {claim.Value}"); // } // var getClaimIss = token.Claims.FirstOrDefault(c => c.Type == "iss"); // context.Logger.LogLine($"{getClaimIss}"); // if (getClaimIss != null){ // authorized = true; // } // } // catch (Exception ex) // { // context.Logger.LogLine($"Error occurred validating token: {ex.Message}"); // } context.Logger.LogLine($"{authorized}"); APIGatewayCustomAuthorizerPolicy policy = new APIGatewayCustomAuthorizerPolicy { Version = "2012-10-17", Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>() }; policy.Statement.Add(new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement { Action = new HashSet <string>(new string[] { "execute-api:Invoke" }), Effect = authorized ? "Allow" : "Deny", Resource = new HashSet <string>(new string[] { request.MethodArn }) }); APIGatewayCustomAuthorizerContextOutput contextOutput = new APIGatewayCustomAuthorizerContextOutput(); contextOutput["User"] = "******"; contextOutput["Path"] = request.MethodArn; return(new APIGatewayCustomAuthorizerResponse { PrincipalID = "User", Context = contextOutput, PolicyDocument = policy }); }
private static APIGatewayCustomAuthorizerResponse AccessDenied(APIGatewayCustomAuthorizerRequest request) { return(ConstructResponse(request, false)); }