public async Task <APIGatewayCustomAuthorizerResponse> Authorize(APIGatewayCustomAuthorizerRequest request, ILambdaContext context)
{
try
{
_request = request;
_token = request.AuthorizationToken;
_oidcIssuer = Environment.GetEnvironmentVariable("OIDC_ISSUER");
_claimsPrincipal = await AuthorizeViaOidc();
}
catch (Exception ex)
{
Console.WriteLine($"Exception in {nameof(Authorize)}: {ex}");
throw;
}
if (_claimsPrincipal?.Identity == null)
{
Console.WriteLine("The token is NOT authorized");
throw new Exception(HttpStatusCode.Unauthorized.ToString()); // this is the recommended way to invoke a 401 response
}
Console.WriteLine("The token is authorized");
return(GenerateAllowResponse());
}
public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest apigAuthRequest, ILambdaContext context)
{
var TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = SecurityConstants.Issuer,
ValidateAudience = true,
ValidAudience = SecurityConstants.Issuer,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SecurityConstants.SecurityKey)),
ClockSkew = TimeSpan.FromMinutes(5),
ValidateIssuerSigningKey = true
};
SecurityToken validatedToken;
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
bool authorized = false;
if (!string.IsNullOrWhiteSpace(apigAuthRequest.AuthorizationToken))
{
try
{
var user = handler.ValidateToken(apigAuthRequest.AuthorizationToken, TokenValidationParameters, out validatedToken);
var claim = user.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Name);
if (claim != null)
{
authorized = claim.Value == SecurityConstants.ClaimName; // Ensure that the claim value matches the assertion
}
}
catch (Exception ex)
{
LambdaLogger.Log($"Error occurred validating token: {ex.Message}");
}
}
APIGatewayCustomAuthorizerPolicy policy = new APIGatewayCustomAuthorizerPolicy
{
Version = "2012-10-17",
Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>()
};
policy.Statement.Add(new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
{
Action = new HashSet <string>(new string[] { "execute-api:Invoke" }),
Effect = authorized ? "Allow" : "Deny",
Resource = new HashSet <string>(new string[] { apigAuthRequest.MethodArn })
});
APIGatewayCustomAuthorizerContextOutput contextOutput = new APIGatewayCustomAuthorizerContextOutput();
contextOutput["User"] = authorized ? SecurityConstants.ClaimName : "User";
contextOutput["Path"] = apigAuthRequest.MethodArn;
return(new APIGatewayCustomAuthorizerResponse
{
PrincipalID = authorized ? SecurityConstants.ClaimName : "User",
Context = contextOutput,
PolicyDocument = policy
});
}
private static string FindToken(APIGatewayCustomAuthorizerRequest request)
{
var authorizationHeader = GetAuthorizationHeaderValue(request);
if (authorizationHeader != null)
{
return(RemoveBearer(request.Headers["Authorization"]));
}
var queryAuthToken = GetAuthTokenFromQuery(request);
if (queryAuthToken != null)
{
return(GetAuthTokenFromQuery(request));
}
var cookie = GetCookieValueFromRequest(request, "hackneyToken");
if (cookie != null)
{
return(cookie);
}
return(request.AuthorizationToken != null
? RemoveBearer(request.AuthorizationToken)
: null);
}
public APIGatewayCustomAuthorizerResponse Execute(APIGatewayCustomAuthorizerRequest request)
{
var secret = Environment.GetEnvironmentVariable("JWT_SECRET");
var authorisedGroup = Environment.GetEnvironmentVariable("ALLOWED_USER_GROUP");
var token = FindToken(request);
if (token == null)
{
return(AccessDenied(request));
}
var decodedToken = DecodeToken(secret, token);
if (!decodedToken.Identity.IsAuthenticated)
{
return(AccessDenied(request));
}
var groups = decodedToken.Claims.Where(c => c.Type == "groups").ToList();
if (groups.Any(grp => grp.Value == authorisedGroup))
{
return(AccessAuthorized(request));
}
return(AccessDenied(request));
}
/// <summary>
///验证Token的Lambda函数
/// </summary>
/// <param name="apigAuthRequest">请求</param>
/// <param name="context">上下文</param>
/// <returns></returns>
public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest apigAuthRequest, ILambdaContext context)
{
LambdaLogger.Log($"AWS Lambda函数验证Token开始");
var TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateIssuerSigningKey = true,
ValidIssuer = SecurityConstants.Issuer,
ValidateAudience = true,
ValidAudience = SecurityConstants.Audience,
ValidateLifetime = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(SecurityConstants.SecurityKey)),
ClockSkew = TimeSpan.Zero,
};
var authorized = false;
//删除Bearer再来验证
var token = apigAuthRequest.AuthorizationToken?.Replace("Bearer ", "");
if (!string.IsNullOrWhiteSpace(token))
{
try
{
SecurityToken validatedToken;
var handler = new JwtSecurityTokenHandler();
var user = handler.ValidateToken(token, TokenValidationParameters, out validatedToken);
var claim = user.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Name);
if (claim != null)
{
authorized = claim.Value == SecurityConstants.ClaimName;
}
}
catch (Exception ex)
{
LambdaLogger.Log($"Error occurred validating token: {ex.Message}");
}
}
var policy = new APIGatewayCustomAuthorizerPolicy
{
Version = "2012-10-17",
Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>(),
};
policy.Statement.Add(new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
{
Action = new HashSet <string>(new string[] { "execute-api:Invoke" }),
Effect = authorized ? "Allow" : "Deny",
Resource = new HashSet <string>(new string[] { apigAuthRequest.MethodArn })
});
var contextOutput = new APIGatewayCustomAuthorizerContextOutput();
contextOutput["User"] = authorized ? SecurityConstants.ClaimName : "User";
contextOutput["Path"] = apigAuthRequest.MethodArn;
LambdaLogger.Log($"AWS Lambda函数验证Token结束");
return(new APIGatewayCustomAuthorizerResponse
{
PrincipalID = authorized ? SecurityConstants.ClaimName : "User",
Context = contextOutput,
PolicyDocument = policy,
});
}
public async Task<APIGatewayCustomAuthorizerResponse> FunctionHandler(APIGatewayCustomAuthorizerRequest authEvent, ILambdaContext context)
{
if (string.IsNullOrEmpty(authEvent.AuthorizationToken))
{
Console.WriteLine("no token passed");
return null;
}
var tokenParts = authEvent.AuthorizationToken.Split(' ');
var jwtTokenString = tokenParts.Length > 1 ? tokenParts[1] : null;
if (string.IsNullOrEmpty(jwtTokenString))
{
Console.WriteLine("no jwt token found");
return null;
}
var auth0Domain = System.Environment.GetEnvironmentVariable("AUTH0_DOMAIN");
var auth0Audience = System.Environment.GetEnvironmentVariable("AUTH0_AUDIENCE");
if (string.IsNullOrEmpty(auth0Domain) || string.IsNullOrEmpty(auth0Audience))
{
Console.WriteLine("no authroziation config found");
return null;
}
Console.WriteLine("domain:" + auth0Domain);
Console.WriteLine("audience:" + auth0Audience);
Console.WriteLine("token:" + jwtTokenString);
var configUrl = $"https://{auth0Domain}/.well-known/openid-configuration";
var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
configUrl, new OpenIdConnectConfigurationRetriever());
var openIdConfig = await configManager.GetConfigurationAsync(CancellationToken.None);
var validationParameters = new TokenValidationParameters
{
ValidIssuer = $"https://{auth0Domain}/",
ValidAudiences = new[] { auth0Audience },
IssuerSigningKeys = openIdConfig.SigningKeys
};
SecurityToken validatedToken;
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
try
{
handler.ValidateToken(jwtTokenString, validationParameters, out validatedToken);
}
catch (SecurityTokenException)
{
Console.WriteLine("Failed authorization " + authEvent.AuthorizationToken);
return null;
}
if (validatedToken == null)
{
Console.WriteLine("Failed authorization " + authEvent.AuthorizationToken);
return null;
}
return GenerateAllowResponse(authEvent.MethodArn);
}
public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest input, ILambdaContext context)
{
bool ok = false;
// authorization logic here...
if (input.AuthorizationToken == "up-down-left-right-a-b-select-start")
{
ok = true;
}
return(new APIGatewayCustomAuthorizerResponse
{
PrincipalID = "***", //principal info here...
UsageIdentifierKey = "***", //usage identifier here (optional)
PolicyDocument = new APIGatewayCustomAuthorizerPolicy
{
Version = "2012-10-17",
Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>()
{
new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
{
Action = new HashSet <string>()
{
"execute-api:Invoke"
},
Effect = ok ? "Allow" : "Deny",
Resource = new HashSet <string>()
{
"***"
} // resource arn here
}
},
}
});
}
public async Task <APIGatewayCustomAuthorizerResponse> Authorize(APIGatewayCustomAuthorizerRequest request, ILambdaContext context)
{
context.Logger.LogLine($"Query request: {_jsonConverter.SerializeObject(request)}");
var userInfo = await _userManager.Authorize(request.AuthorizationToken?.Replace("Bearer ", string.Empty));
return(new APIGatewayCustomAuthorizerResponse
{
PrincipalID = userInfo.UserId,
PolicyDocument = new APIGatewayCustomAuthorizerPolicy
{
Version = "2012-10-17",
Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>
{
new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
{
Action = new HashSet <string> {
"execute-api:Invoke"
},
Effect = userInfo.Effect.ToString(),
Resource = new HashSet <string> {
request.MethodArn
}
}
}
}
});
}
public async Task TestSoarAuthorizerEthereum()
{
//todo rewrite this test with mocked ethereum service
var secret = "768eafe9ba984e2ca799f8829738c0ba";
var challenge = "63f20673bd324ab78c7b059ddad5cccf";
var fileHash = "438269b95b997fc736cf8c4801843db3";
var address = "0x7Bcbb6Ca8De198f97Ac9Bb3B263216EB1E22AA6D";
IStorageService storageService = new StorageServiceMock();
var temp = await storageService.PutSecret(secret, challenge, address, fileHash);
var function = new Function(storageService);
var context = new TestLambdaContext();
var req = new APIGatewayCustomAuthorizerRequest()
{
QueryStringParameters = new Dictionary <string, string>()
{
{ "soarSecret", "768eafe9ba984e2ca799f8829738c0ba" },
{ "txnHash", "0x5be37b8355d44138272e860b675fd91928b3ac77ec70f6825ad5543dee4b4c79" }
},
StageVariables = new Dictionary <string, string>()
{
{ "soar_contract_address", "0xf413a66fe07b49d2ca798acf6e43a47462e7081b" },
{ "infura_address", "https://rinkeby.infura.io/trgLCqvmmrvTb46D5Iz4" }
}
};
var upperCase = await function.FunctionHandler(req, context);
}
public async Task <APIGatewayCustomAuthorizerResponse> FunctionHandler(APIGatewayCustomAuthorizerRequest authEvent, ILambdaContext context)
{
try
{
(bool authorized, string username) = await CheckAuthorization(authEvent.AuthorizationToken);
return(new APIGatewayCustomAuthorizerResponse
{
PrincipalID = username,
PolicyDocument = new APIGatewayCustomAuthorizerPolicy
{
Version = "2012-10-17",
Statement = new AutoConstructedList <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>
{
new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
{
Action = new HashSet <string> {
"execute-api:Invoke"
},
Resource = new HashSet <string> {
authEvent.MethodArn
},
Effect = authorized ? "Allow" : "Deny"
}
}
}
});
}
catch (Exception e)
{
Console.WriteLine("Error authorizing request. " + e.Message);
throw;
}
}
public async Task <APIGatewayCustomAuthorizerResponse> FunctionHandler(APIGatewayCustomAuthorizerRequest authEvent, ILambdaContext context)
{
context.Logger.LogLine(JsonConvert.SerializeObject(authEvent));
VerificationEventType verificationType;
if (authEvent.Path.StartsWith("/upload/"))
{
verificationType = VerificationEventType.VerificationUpload;
}
else if (authEvent.Path.StartsWith("/download/"))
{
verificationType = VerificationEventType.VerificationSale;
}
else
{
return(GetDenyResponse(authEvent.AuthorizationToken));
}
string secret = null;
string txnHash = null;
authEvent.QueryStringParameters.TryGetValue("soarSecret", out secret);
authEvent.QueryStringParameters.TryGetValue("txnHash", out txnHash);
if (string.IsNullOrEmpty(secret) || string.IsNullOrEmpty(txnHash))
{
return(GetDenyResponse(authEvent.AuthorizationToken));
}
string infuraAddress = authEvent.StageVariables["infura_address"];
string soarContractAddress = authEvent.StageVariables["soar_contract_address"];
IEthereumService ethereumService = new EthereumService(infuraAddress, soarContractAddress);
using (var storageService = _storageService == null ? new DynamoDbStorageService(context.Logger.LogLine) : _storageService)
{
var sdDb = await storageService.GetSecretDetails(secret);
var sdEth = await ethereumService.GetSecretDetails(txnHash, verificationType);
if (sdDb == null || sdEth == null)
{
return(GetDenyResponse(authEvent.AuthorizationToken));
}
context.Logger.LogLine($"secret: {secret}");
context.Logger.LogLine($"address: {sdDb.Address} addressEth: {sdEth.Address}");
context.Logger.LogLine($"challenge: {sdDb.Challenge} challengeEth: {sdEth.Challenge}");
context.Logger.LogLine($"fileHash: {sdDb.FileHash} fileHashEth: {sdEth.FileHash}");
if (sdDb.Challenge.Equals(sdEth.Challenge) && sdDb.Address.EqualsIgnoreCase(sdEth.Address) && sdDb.FileHash.Equals(sdEth.FileHash))
{
context.Logger.LogLine("Success");
//todo mark secret as used one in db to disable to use it again
return(GetAllowResponse(authEvent.AuthorizationToken));
}
return(GetDenyResponse(authEvent.AuthorizationToken));
}
}
private static string GetAuthorizationHeaderValue(APIGatewayCustomAuthorizerRequest request)
{
if (request.Headers == null)
{
return(null);
}
return(request.Headers.ContainsKey("Authorization")
? request.Headers["Authorization"]
: null);
}
private static string GetAuthTokenFromQuery(APIGatewayCustomAuthorizerRequest request)
{
if (request.QueryStringParameters == null)
{
return(null);
}
return(request.QueryStringParameters.ContainsKey("authToken")
? request.QueryStringParameters["authToken"]
: null);
}
/// <summary>
/// A simple function that takes a string and does a ToUpper
/// </summary>
/// <param name="input"></param>
/// <param name="context"></param>
/// <returns></returns>
public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest input, ILambdaContext context)
{
var inputToken = input.AuthorizationToken;
var ok = false;
var subject = "<< NOT FOUND >>";
context.Logger.Log($"Token: {inputToken}");
if (!string.IsNullOrWhiteSpace(inputToken))
{
try
{
inputToken = inputToken.Replace("Bearer", string.Empty).Trim();
var token = new JwtSecurityToken(inputToken);
ok = token.Issuer == "https://sts.windows.net/6ab8b79b-42b6-40fd-a177-4540c8f1b365/";
context.Logger.Log($"Issuer: {token.Issuer}");
context.Logger.Log($"Issuer Valid: {ok}");
context.Logger.Log($"Subject: {token.Subject}");
subject = token.Subject;
}
catch (Exception e)
{
context.Logger.Log($"Exception: {e.Message}");
context.Logger.Log(e.StackTrace);
}
}
return(new APIGatewayCustomAuthorizerResponse
{
PrincipalID = subject, //principal info here...
UsageIdentifierKey = "API", //usage identifier here (optional)
PolicyDocument = new APIGatewayCustomAuthorizerPolicy
{
Version = "2012-10-17",
Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>()
{
new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
{
Action = new HashSet <string>()
{
"execute-api:Invoke"
},
Effect = ok ? "Allow" : "Deny",
Resource = new HashSet <string>()
{
input.MethodArn
} // resource arn here
}
},
}
});
}
public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest input, ILambdaContext context)
{
var token = input.AuthorizationToken;
switch (token)
{
case "allow":
return(GeneratePolicy("user", "Allow", input.MethodArn));
default:
return(GeneratePolicy("user", "Deny", input.MethodArn));
}
}
public void TetGetMethod()
{
TestLambdaContext context;
APIGatewayCustomAuthorizerRequest request;
APIGatewayCustomAuthorizerResponse response;
Functions functions = new Functions();
request = new APIGatewayCustomAuthorizerRequest();
request.AuthorizationToken = "Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6ImF0K2p3dCJ9.eyJuYmYiOjE1OTIyMTY3MzMsImV4cCI6MTU5MjIyMDMzMywiaXNzIjoiaHR0cHM6Ly91ZDg1Y3JzOTM5LmV4ZWN1dGUtYXBpLmFwLXNvdXRoZWFzdC0yLmFtYXpvbmF3cy5jb20vcHJvZCIsImF1ZCI6ImFwaSIsImNsaWVudF9pZCI6ImNsaWVudCIsInNjb3BlIjpbImFwaSJdfQ.bGKaVK1V9M2kGPyK3EFaaNG2h3ceLQJ-1SNv6CZr9y0TUSDaTiNsCcXLVbxVrB2tzXzDn3fBG313uO-T35TlVhGy4EwfZaz2yY0Oh5_mIMvKlYSqA9PjoFQklTZCOsMwX30nVeXh6LPlbuRIA2gvnSEhLOXKr0ydtXA_KQROHGKbimQwbZAuCdPL6LPHX7mffw4nYfBCfZ7J0HL6_-LW8JRccoubsTa6ESnTNoQvoXxKSL2-HA96vku3E9u5kJEgT_BTuPrQ2F4z_s40HSC4iQHY3SMlmpzLVnwrlWD_wBPNO28yCqxY5TjpVv23Q6zHEAIkVwOyiVyhwX6Dz9FRbA";
context = new TestLambdaContext();
response = functions.Get(request, context);
Assert.Equal("", response.PolicyDocument.Version);
}
/// <summary>
/// A simple function that takes a string and does a ToUpper
/// </summary>
/// <param name="input"></param>
/// <param name="context"></param>
/// <returns></returns>
public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest aPIGatewayCustomAuthorizerRequest, ILambdaContext context)
{
context.Logger.Log(JsonConvert.SerializeObject(aPIGatewayCustomAuthorizerRequest));
var authPolicy = new APIGatewayCustomAuthorizerResponse();
// attach policy document for resource policy to allow or deny.
AddAuthPolicyDocument(authPolicy);
//Custom
var response = AuthResponse(authPolicy, "Deny", aPIGatewayCustomAuthorizerRequest.MethodArn);
context.Logger.Log(JsonConvert.SerializeObject(response));
return(response);
}
public void AuthSuccessWithValidToken()
{
var function = new Function();
var validRequest = new APIGatewayCustomAuthorizerRequest()
{
AuthorizationToken = AuthHelper.GenerateAuthToken(this.payload),
MethodArn = "arn:aws:execute-api:<regionId>:<accountId>:<apiId>/<stage>/<method>/<resourcePath>"
};
var validPolicy = function.FunctionHandler(validRequest).PolicyDocument;
Assert.Equal(validPolicy.Statement[0].Effect, Effect.Allow.GetStringValue());
Assert.True(validPolicy.Statement[0].Action.Contains(CustomAuthorizerHelper.ComposeAction(Action.Invoke)));
Assert.True(validPolicy.Statement[0].Resource.Contains("arn:aws:execute-api:<regionId>:<accountId>:<apiId>/<stage>/*/*"));
}
public void AuthFailForInvalidTokenWithin5Min()
{
var function = new Function();
var invalidRequest = new APIGatewayCustomAuthorizerRequest()
{
AuthorizationToken = "invalid",
MethodArn = "arn:aws:execute-api:<regionId>:<accountId>:<apiId>/<stage>/<method>/<resourcePath>"
};
var invalidPolicy = function.FunctionHandler(invalidRequest).PolicyDocument;
Assert.Equal(invalidPolicy.Statement[0].Effect, Effect.Deny.GetStringValue());
Assert.True(invalidPolicy.Statement[0].Action.Contains(CustomAuthorizerHelper.ComposeAction(Action.All)));
Assert.True(invalidPolicy.Statement[0].Resource.Contains("arn:aws:execute-api:*:*:*/*/*/*"));
}
public Policy FunctionHandler(APIGatewayCustomAuthorizerRequest authEvent, ILambdaContext context)
{
try
{
// validate the token -- SIMPLY accept a silly tokens ;)
var token = authEvent.AuthorizationToken;
Policy policy;
if (CheckAuthorization(token) && "get".Equals(authEvent.HttpMethod, StringComparison.OrdinalIgnoreCase))
{
var policyStatementList = new List <Statement>();
var policyStatement = new Statement(Statement.StatementEffect.Allow);
var actionIdentifier = SNSActionIdentifiers.Publish; // ;)
policyStatement.Actions.Add(actionIdentifier);
policyStatement.Principals.Add(Principal.AllUsers);
var resource = new Resource("arn:aws:lambda:eu-west-1:166778461577:function:TriggerNotification");
policyStatement.Resources.Add(resource);
policyStatementList.Add(policyStatement);
// Add conditions
var condition = ConditionFactory.NewSourceArnCondition("*");
policyStatement.Conditions.Add(condition);
policy = new Policy("CallNotifierLambdaPolicy", policyStatementList);
}
else
{
var policyStatementList = new List <Statement>();
var policyStatement = new Statement(Statement.StatementEffect.Deny);
var actionIdentifier = SNSActionIdentifiers.AllSNSActions;
policyStatement.Actions.Add(actionIdentifier);
policy = new Policy("AccessDeniedPolicy", policyStatementList);
}
return(policy);
}
catch (Exception e)
{
Console.WriteLine("Error authorizing request. " + e.Message);
throw;
}
}
private static string GetCookieValueFromRequest(APIGatewayCustomAuthorizerRequest request, string cookieName)
{
if (request.Headers == null)
{
return(null);
}
if (!request.Headers.ContainsKey("Cookie"))
{
return(null);
}
var responseHeaders = request.Headers.Where(header => header.Key == "Cookie").Select(header => header.Value).ToList();
return((
from header in responseHeaders
where header.Trim().StartsWith($"{cookieName}=")
let start = header.IndexOf('=')
let end = header.Contains(';') ? header.IndexOf(';') : header.Length
select header.Substring(start + 1, end - start - 1)).FirstOrDefault());
}
public AuthPolicy FunctionHandler(APIGatewayCustomAuthorizerRequest authEvent, ILambdaContext context)
{
try
{
// validate the token
var token = authEvent.AuthorizationToken;
bool authorized = CheckAuthorization(token);
// Create the policy statement
// This matches the policy statement example in the documentation, including the ARN
var authPolicy = new AuthPolicy();
authPolicy.prinicpalId = token;
authPolicy.policyStatement = new PolicyStatement();
authPolicy.policyStatement.Version = "2012-10-17";
authPolicy.policyStatement.Statement = new List <States>();
if (authorized)
{
var statement = new States();
statement.Action = "execute-api:Invoke";
statement.Effect = "Allow";
statement.Resource = "arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/*/GET/";
authPolicy.policyStatement.Statement.Add(statement);
}
else
{
var statement = new States();
statement.Action = "execute-api:Invoke";
statement.Effect = "Deny";
statement.Resource = "arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/*/GET/";
authPolicy.policyStatement.Statement.Add(statement);
}
return(authPolicy);
}
catch (Exception e)
{
Console.WriteLine("Error authorizing request. " + e.Message);
throw;
}
}
/// <summary>
/// A simple function that takes a string and does a ToUpper
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public async Task <response> FunctionHandler(APIGatewayCustomAuthorizerRequest request, ILambdaContext context)
{
try
{
Get get_til = new Get("reddit_til", context);
string child_str = JsonConvert.SerializeObject(await get_til.Child(), Formatting.Indented);
//Response
var response = new response()
{
statusCode = "200",
headers = new Dictionary <string, string>()
{
{ "Access-Control-Allow-Origin", "*" }
},
body = child_str
};
//Return
return(response);
}
catch (Exception e)
{
//Response
var response = new response()
{
statusCode = "400",
headers = new Dictionary <string, string>()
{
{ "Access-Control-Allow-Origin", "*" }
},
body = e.Message
};
//Return
return(response);
}
}
public void TestTokenValidation()
{
try
{
// Invoke the lambda function and confirm the string was upper cased.
var function = new Function();
var context = new TestLambdaContext();
context.ClientContext = new TestClientContext();
context.ClientContext.Environment["Auth0Domain"] = "https://pse-addons.auth0.com/";
context.ClientContext.Environment["Auth0Audience"] = "urn:backend:api";
APIGatewayCustomAuthorizerRequest request = new APIGatewayCustomAuthorizerRequest();
request.AuthorizationToken =
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlEwVkdOelU0UXpFNE1EZzNRVU01TnpSRVFUVTVSRGRFUTBKRk5USXlOa0k1TkRZek5UWXlRUSJ9.eyJpc3MiOiJodHRwczovL3BzZS1hZGRvbnMuYXV0aDAuY29tLyIsInN1YiI6ImF1dGgwfDVhOTA0ZjA2ZGZhZGQ3MGYyOWEzYmNkZCIsImF1ZCI6WyJ1cm46YmFja2VuZDphcGkiLCJodHRwczovL3BzZS1hZGRvbnMuYXV0aDAuY29tL3VzZXJpbmZvIl0sImlhdCI6MTU0MjQyMzk4MiwiZXhwIjoxNTQyNDMxMTgyLCJhenAiOiJuNW1UYThxMVpyS0l5Z094VzJ4aGxXQkNTaWZ1QXRyQSIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgcmVhZDptZXNzYWdlcyJ9.jldcrBdgGR5Ys68CXiWizS-sgI4bRF3nzUiMhZSY2gHDrye64iDp_YwYnwMAYhR16jp7e3ejspcNM9ymXjdlUb5h9nx8MSYXxoD9xZ-TwkR0mspeCXwdl-qYuQPb0ArcXVraiaiFkrmBfIWDyIiAJGgGUTIC6z1r_oAEv8zrK46kOCKiwqa4rg5dqR3iWsk4DfySG3_Ap9VUyTu8fsN3zz__FAy4N0Dnhs7NtSmn4ZKEBEtP0eanPPso7o0tUBkcGjw_R6PwVPi0fK7K1v7YpNFsYl4M1_stTv6o6uHhQWxWMJNJCgWf68MHJVIeCtNa9gZa03imY8-JXujLrLOxGQ";
request.MethodArn = "/path";
var response = function.FunctionHandler(request, context);
Assert.Equal("auth0|5a904f06dfadd70f29a3bcdd", response.PrincipalID);
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
}
public Policy FunctionHandler(APIGatewayCustomAuthorizerRequest authRequest, ILambdaContext context)
{
var token = authRequest.AuthorizationToken;
Policy policy;
if (ValidateToken(token))
{
var statement = new Statement(Statement.StatementEffect.Allow);
var policyStatements = new List <Statement> {
statement
};
policy = new Policy("TokenValidationPassed", policyStatements);
}
else
{
var statement = new Statement(Statement.StatementEffect.Deny);
var policyStatements = new List <Statement> {
statement
};
policy = new Policy("TokenValidationFailed", policyStatements);
}
return(policy);
}
private static APIGatewayCustomAuthorizerResponse ConstructResponse(APIGatewayCustomAuthorizerRequest request, bool authorized)
{
return(new APIGatewayCustomAuthorizerResponse
{
PrincipalID = "user",
PolicyDocument = new APIGatewayCustomAuthorizerPolicy
{
Version = "2012-10-17",
Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>
{
new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
{
Effect = authorized ? "Allow" : "Deny",
Resource = new HashSet <string> {
request.MethodArn
},
Action = new HashSet <string> {
"execute-api:Invoke"
},
}
}
}
});
}
/// <summary>
/// A simple function that takes a string and does a ToUpper
/// </summary>
/// <param name="input"></param>
/// <param name="context"></param>
/// <returns></returns>
public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest apiRequest, ILambdaContext context)
{
bool authorized = false;
if (!string.IsNullOrWhiteSpace(apiRequest.AuthorizationToken))
{
authorized = ValidateToken(apiRequest.AuthorizationToken, context);
}
var policy = new APIGatewayCustomAuthorizerPolicy
{
Version = "2012-10-17",
Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>
{
new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
{
Action = new HashSet <string>(new string[] { "execute-api:Invoke" }),
Effect = authorized ? "Allow" : "Deny",
Resource = new HashSet <string>(new string[] { apiRequest.MethodArn }) // api gateway endpoint arn
}
}
};
var contextOutput = new APIGatewayCustomAuthorizerContextOutput();
contextOutput["User"] = authorized ? AllowedUserName : "******";
contextOutput["Path"] = apiRequest.MethodArn;
var response = new APIGatewayCustomAuthorizerResponse
{
Context = contextOutput,
PolicyDocument = policy
};
return(response);
}
public async Task <APIGatewayCustomAuthorizerResponse> FunctionHandler(APIGatewayCustomAuthorizerRequest request)
{
var token = request.AuthorizationToken;
var type = AuthTokenType.JWT;
var response = new APIGatewayCustomAuthorizerResponse();
var policy = response.PolicyDocument;
var statement = new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement()
{
Action = new HashSet <string>(),
Resource = new HashSet <string>()
};
if (Validator.Validate(type, token))
{
var vars = request.MethodArn.Split(':');
var apiVars = vars[5].Split('/');
var region = vars[3];
var accountId = vars[4];
var apiId = apiVars[0];
var stage = apiVars[1];
Console.WriteLine(apiVars.Length);
if (apiVars.Length > 4)
{
int id;
if (int.TryParse(apiVars[4], out id))
{
var service = apiVars[3];
Console.WriteLine(service);
Console.WriteLine(id);
var req = new Request()
{
Operation = Operation.VerifyUser,
AuthToken = token,
Payload = JObject.FromObject(new VerifyUserPayload()
{
ResourceId = id
})
};
var lambdaClient = new AmazonLambdaClient();
var invokeRequest = new InvokeRequest()
{
FunctionName = Enum.GetName(typeof(Service), serviceMapping[service]),
Payload = JsonConvert.SerializeObject(req)
};
var lambdaRes = await lambdaClient.InvokeAsync(invokeRequest);
var res = new StreamReader(lambdaRes.Payload).ReadToEnd();
if (res.Contains(Enum.GetName(typeof(VerifyResult), VerifyResult.Allow)))
{
var any = Resource.Any.GetStringValue();
this.AllowOperation(
statement,
CustomAuthorizerHelper.ComposeAction(Policy.Action.Invoke),
CustomAuthorizerHelper.ComposeResource(region, accountId, apiId, stage, new ResourceAccess(any, any))
);
}
else
{
this.DenyAll(statement);
}
}
else
{
var any = Resource.Any.GetStringValue();
this.AllowOperation(
statement,
CustomAuthorizerHelper.ComposeAction(Policy.Action.Invoke),
CustomAuthorizerHelper.ComposeResource(region, accountId, apiId, stage, new ResourceAccess(any, any))
);
}
}
else
{
var any = Resource.Any.GetStringValue();
this.AllowOperation(
statement,
CustomAuthorizerHelper.ComposeAction(Policy.Action.Invoke),
CustomAuthorizerHelper.ComposeResource(region, accountId, apiId, stage, new ResourceAccess(any, any))
);
}
}
else
{
this.DenyAll(statement);
}
policy.Statement.Add(statement);
return(response);
}
/// <summary>
/// A Lambda function to respond to HTTP Get methods from API Gateway
/// </summary>
/// <param name="request"></param>
/// <returns>The list of blogs</returns>
public APIGatewayCustomAuthorizerResponse Get(APIGatewayCustomAuthorizerRequest request, ILambdaContext context)
{
context.Logger.LogLine("Get Request\n");
context.Logger.LogLine(request.AuthorizationToken.ToString());
context.Logger.LogLine(ablUrl);
var accessToken = request.AuthorizationToken.Substring("Bearer ".Length).Trim();
context.Logger.LogLine(accessToken);
RSA publicRsa = RSA.Create();
publicRsa.FromXmlString("<RSAKeyValue><Modulus>niwszppYY81jN+LO9riMlDVFXCuChYK4NpmnhV7SjRksFfs397jYu07fcGNVWEBppeJ1WZEFILypPjRRfARgwKa4Lu0633cPYG+amyKRYgTGyvbEjvWJ/yvyqimuPrbrI8Bv6FemwCrOoxYIST0pwEHPx6f8SMxKAE9nXP5xcshrudNUZkK9/B17T1HLk9uAzg52cPIM0SChrhfsklcToaycrUQgtFLYWdVEacaSXNo4q1G2ItgHqhM6vHQ5SMcrQ7O+7hlyD5dXkIXItHY4KlHx6yhBp6o0C2237cjIpP1bJaaarFYkHIyWnJ4BET5JXhgVx8j4N6T4S5cNsuy0Rw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>");
RsaSecurityKey signingKey = new RsaSecurityKey(publicRsa);
bool authorized = false;
var tokenHandler = new JwtSecurityTokenHandler();
try
{
tokenHandler.ValidateToken(accessToken, new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
ValidateIssuer = false,
ValidateAudience = true,
ValidAudience = "api",
IssuerSigningKey = signingKey,
ClockSkew = TimeSpan.FromMinutes(5),
}, out SecurityToken validatedToken);
authorized = true;
}
catch (Exception ex)
{
context.Logger.LogLine(ex.Message);
}
// var TokenValidationParams = new TokenValidationParameters
// {
// //IssuerSigningKey=signingKey,
// ValidateIssuer=false,
// ValidIssuer=ablUrl,
// ValidateAudience=false,
// ValidAudience="api",
// ClockSkew=TimeSpan.FromMinutes(5),
// };
// SecurityToken validatedToken;
// JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
// try
// {
// var token = handler.ValidateToken(accessToken, TokenValidationParams, out validatedToken);
// foreach (Claim claim in token.Claims){
// context.Logger.LogLine($"CLAIM TYPE: {claim.Type} CLAIM VALUE: {claim.Value}");
// }
// var getClaimIss = token.Claims.FirstOrDefault(c => c.Type == "iss");
// context.Logger.LogLine($"{getClaimIss}");
// if (getClaimIss != null){
// authorized = true;
// }
// }
// catch (Exception ex)
// {
// context.Logger.LogLine($"Error occurred validating token: {ex.Message}");
// }
context.Logger.LogLine($"{authorized}");
APIGatewayCustomAuthorizerPolicy policy = new APIGatewayCustomAuthorizerPolicy
{
Version = "2012-10-17",
Statement = new List <APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>()
};
policy.Statement.Add(new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
{
Action = new HashSet <string>(new string[] { "execute-api:Invoke" }),
Effect = authorized ? "Allow" : "Deny",
Resource = new HashSet <string>(new string[] { request.MethodArn })
});
APIGatewayCustomAuthorizerContextOutput contextOutput = new APIGatewayCustomAuthorizerContextOutput();
contextOutput["User"] = "******";
contextOutput["Path"] = request.MethodArn;
return(new APIGatewayCustomAuthorizerResponse
{
PrincipalID = "User",
Context = contextOutput,
PolicyDocument = policy
});
}
private static APIGatewayCustomAuthorizerResponse AccessDenied(APIGatewayCustomAuthorizerRequest request)
{
return(ConstructResponse(request, false));
}
