public AccessDetails ExecuteUserAuth(AuthorizerRequest authorizerRequest)
{
LambdaLogger.Log("Begins user auth flow");
var validTokenClaims = ValidateTokenHelper.ValidateToken(authorizerRequest.Token, Environment.GetEnvironmentVariable("hackneyUserAuthTokenJwtSecret"));
if (validTokenClaims == null || validTokenClaims.Count == 0)
{
return(ReturnNotAuthorised(authorizerRequest));
}
var user = new HackneyUser();
user.Groups = validTokenClaims.Where(x => x.Type == "groups").Select(y => y.Value).ToList();
user.Email = validTokenClaims.Find(x => x.Type == "email").Value;
//get STS credentials and pass them to API gateway
var credentials = _awsStsGateway.GetTemporaryCredentials(authorizerRequest.AwsAccountId).Credentials;
//get API name
var apiName = _awsApiGateway.GetApiName(authorizerRequest.ApiAwsId, credentials);
LambdaLogger.Log($"API name retrieved - {apiName}");
//check if API is in the DynamoDB
var apiDataInDb = _dynamoDbGateway.GetAPIDataByNameAndEnvironmentAsync(apiName, authorizerRequest.Environment);
return(new AccessDetails
{
Allow = VerifyAccessHelper.ShouldHaveAccessUserFlow(user, authorizerRequest, apiDataInDb, apiName),
User = validTokenClaims.Find(x => x.Type == "email").Value
});
}
public AccessDetails ExecuteServiceAuth(AuthorizerRequest authorizerRequest)
{
LambdaLogger.Log("Begins service auth flow");
var validTokenClaims = ValidateTokenHelper.ValidateToken(authorizerRequest.Token, Environment.GetEnvironmentVariable("jwtSecret"));
if (validTokenClaims == null || validTokenClaims.Count == 0)
{
return(ReturnNotAuthorised(authorizerRequest));
}
var tokenId = validTokenClaims.Find(x => x.Type == "id").Value;
if (!int.TryParse(tokenId, out int id))
{
return(ReturnNotAuthorised(authorizerRequest));
}
var tokenData = _databaseGateway.GetTokenData(id);
var credentials = _awsStsGateway.GetTemporaryCredentials(authorizerRequest.AwsAccountId).Credentials;
var apiName = _awsApiGateway.GetApiName(authorizerRequest.ApiAwsId, credentials);
LambdaLogger.Log($"API name retrieved - {apiName}");
return(new AccessDetails
{
Allow = VerifyAccessHelper.ShouldHaveAccessServiceFlow(authorizerRequest, tokenData, apiName),
User = $"{tokenData.ConsumerName}{tokenData.Id}"
});
}
private static APIDataUserFlow GenerateTokenDataUserFlow(AuthorizerRequest request, string apiName, List <string> groups)
{
return(new APIDataUserFlow
{
ApiName = apiName,
AwsAccount = request.AwsAccountId,
Environment = request.Environment,
AllowedGroups = groups
});
}
private static AccessDetails ReturnNotAuthorised(AuthorizerRequest authorizerRequest)
{
LambdaLogger.Log(
$"Token beginning with {authorizerRequest.Token.Substring(0, 8)} is invalid or should not have access to" +
$" {authorizerRequest.ApiAwsId} - {authorizerRequest.ApiEndpointName}" +
$" in {authorizerRequest.Environment}");
return(new AccessDetails {
Allow = false, User = "******"
});
}
private static AuthTokenServiceFlow GenerateTokenData(AuthorizerRequest request, string apiName)
{
return(new AuthTokenServiceFlow
{
ApiEndpointName = request.ApiEndpointName,
ApiName = apiName,
Environment = request.Environment,
HttpMethodType = request.HttpMethodType,
ExpirationDate = null,
Enabled = true,
});
}
public static bool ShouldHaveAccessUserFlow(HackneyUser user, AuthorizerRequest authorizerRequest, APIDataUserFlow apiData, string apiName)
{
bool groupIsAllowed = apiData.AllowedGroups.Any(x => user.Groups.Contains(x));
if (!groupIsAllowed ||
apiData.ApiName != apiName ||
apiData.Environment != authorizerRequest.Environment ||
apiData.AwsAccount != authorizerRequest.AwsAccountId)
{
LambdaLogger.Log($"User with email {user.Email} is DENIED access for {apiName} " +
$" in {authorizerRequest.Environment} stage. User does not have access to {apiName} " +
$"for {apiData.Environment} stage in the following AWS account {apiData.AwsAccount}. User is in the following" +
$"Google groups: {user.Groups}");
return(false);
}
LambdaLogger.Log($"User with email {user.Email} is ALLOWED access for {apiName} " +
$" in {authorizerRequest.Environment} stage. The API, as described in the database," +
$"is deployed to the following AWS account {apiData.AwsAccount}");
return(true);
}
public static bool ShouldHaveAccessServiceFlow(AuthorizerRequest authorizerRequest, AuthTokenServiceFlow tokenData, string apiName)
{
//Check that the token is enabled or that the expiration date is valid
if (!tokenData.Enabled ||
(tokenData.ExpirationDate != null && tokenData.ExpirationDate < DateTime.Now) ||
tokenData.ApiName != apiName ||
tokenData.HttpMethodType != authorizerRequest.HttpMethodType ||
tokenData.Environment != authorizerRequest.Environment ||
!authorizerRequest.ApiEndpointName.Contains(tokenData.ApiEndpointName, StringComparison.InvariantCulture))
{
LambdaLogger.Log($"Token with id {tokenData.Id} denying access for {tokenData.ApiName} with endpoint {tokenData.ApiEndpointName}" +
$" in {tokenData.Environment} stage does not have access to {apiName} with endpoint {authorizerRequest.ApiEndpointName} " +
$"for {authorizerRequest.Environment} stage { tokenData.Enabled }");
return(false);
}
LambdaLogger.Log($"Token with id {tokenData.Id} allowing access for {tokenData.ApiName} with endpoint {tokenData.ApiEndpointName}" +
$" in {tokenData.Environment} stage has access to {apiName} with endpoint {authorizerRequest.ApiEndpointName} " +
$"for {authorizerRequest.Environment} stage { tokenData.Enabled }");
return(true);
}
public void Setup()
{
_request = GenerateAuthorizerRequest();
_apiName = _faker.Random.Word();
}
