Exemplo n.º 1
0
        public AuthPolicy FunctionHandler(TokenAuthorizerContext input, ILambdaContext context)
        {
            try
            {
                context.Logger.LogLine($"{nameof(input.AuthorizationToken)}: {input.AuthorizationToken}");
                context.Logger.LogLine($"{nameof(input.MethodArn)}: {input.MethodArn}");

                var tokenValidation = new TokenValidation(context);
                var principalId     = tokenValidation.GetPrincipalId(input.AuthorizationToken);

                var methodArn  = ApiGatewayArn.Parse(input.MethodArn);
                var apiOptions = new ApiOptions(methodArn.Region, methodArn.RestApiId, methodArn.Stage);

                var policyBuilder = new AuthPolicyBuilder(principalId, methodArn.AwsAccountId, apiOptions);

                // Add your API endpoints and their corresponding HTTP verb, that does not require Group authorization
                policyBuilder.AllowMethod(HttpVerb.Get, "/shop");
                policyBuilder.AllowMethod(HttpVerb.Get, "/shop/*");
                policyBuilder.AllowMethod(HttpVerb.Get, "/shop/*/products");
                policyBuilder.AllowMethod(HttpVerb.Get, "/shop/*/stock");
                policyBuilder.AllowMethod(HttpVerb.Post, "/reset");

                var groupName = tokenValidation.GroupName;

                if (groupName == null)
                {
                    context.Logger.LogLine("No group based authorization needed");
                }
                else
                {
                    // Replace the "employee" and "manager" group names below with your preferred choice
                    // Add your API endpoints and their corresponding HTTP verb, that requires Group authorization
                    if (groupName.Contains(','))
                    {
                        var groups = new List <string>(groupName.Split(','));
                        if (groups.Contains("employee") && groups.Contains("manager"))
                        {
                            policyBuilder.AllowMethod(HttpVerb.Get, "/warehouse");
                            policyBuilder.AllowMethod(HttpVerb.Get, "/warehouse/*");
                            policyBuilder.AllowMethod(HttpVerb.Get, "/warehouse/*/stock");
                            policyBuilder.AllowMethod(HttpVerb.Post, "/warehouse/*/stock/*/move/*");
                        }
                        else
                        {
                            context.Logger.LogLine("Group based authorization failed");
                        }
                    }
                    else if (groupName == "employee" || groupName == "manager")
                    {
                        switch (groupName)
                        {
                        case "employee":
                            policyBuilder.AllowMethod(HttpVerb.Get, "/warehouse");
                            policyBuilder.AllowMethod(HttpVerb.Get, "/warehouse/*");
                            policyBuilder.AllowMethod(HttpVerb.Get, "/warehouse/*/stock");
                            break;

                        case "manager":
                            policyBuilder.AllowMethod(HttpVerb.Get, "/warehouse");
                            policyBuilder.AllowMethod(HttpVerb.Get, "/warehouse/*");
                            policyBuilder.AllowMethod(HttpVerb.Get, "/warehouse/*/stock");
                            policyBuilder.AllowMethod(HttpVerb.Post, "/warehouse/*/stock/*/move/*");
                            break;
                        }
                    }
                    else
                    {
                        context.Logger.LogLine("Group based authorization failed");
                    }
                }

                var authResponse = policyBuilder.Build();
                authResponse.Context.Add("key", "value");
                authResponse.Context.Add("number", 1);
                authResponse.Context.Add("bool", true);

                return(authResponse);
            }
            catch (Exception ex)
            {
                context.Logger.LogLine(ex.ToString());
                throw new Exception("Unauthorized");
            }
        }
        public AuthPolicy FunctionHandler(TokenAuthorizerContext input, ILambdaContext context)
        {
            try
            {
                context.Logger.LogLine($"{nameof(input.AuthorizationToken)}: {input.AuthorizationToken}");
                context.Logger.LogLine($"{nameof(input.MethodArn)}: {input.MethodArn}");

                // validate the incoming token
                // and produce the principal user identifier associated with the token

                // this could be accomplished in a number of ways:
                // 1. Call out to OAuth provider
                // 2. Decode a JWT token inline
                // 3. Lookup in a self-managed DB
                var principalId = "user|a1b2c3d4";

                // you can send a 401 Unauthorized response to the client by failing like so:
                // throw new Exception("Unauthorized");

                // if the token is valid, a policy must be generated which will allow or deny access to the client

                // if access is denied, the client will receive a 403 Access Denied response
                // if access is allowed, API Gateway will proceed with the backend integration configured on the method that was called

                // build apiOptions for the AuthPolicy
                var methodArn  = ApiGatewayArn.Parse(input.MethodArn);
                var apiOptions = new ApiOptions(methodArn.Region, methodArn.RestApiId, methodArn.Stage);

                // this function must generate a policy that is associated with the recognized principal user identifier.
                // depending on your use case, you might store policies in a DB, or generate them on the fly

                // keep in mind, the policy is cached for 5 minutes by default (TTL is configurable in the authorizer)
                // and will apply to subsequent calls to any method/resource in the RestApi
                // made with the same token

                // the example policy below denies access to all resources in the RestApi
                var policyBuilder = new AuthPolicyBuilder(principalId, methodArn.AwsAccountId, apiOptions);
                policyBuilder.DenyAllMethods();
                // policyBuilder.AllowMethod(HttpVerb.GET, "/users/username");

                // finally, build the policy
                var authResponse = policyBuilder.Build();

                // new! -- add additional key-value pairs
                // these are made available by APIGW like so: $context.authorizer.<key>
                // additional context is cached
                authResponse.Context.Add("key", "value"); // $context.authorizer.key -> value
                authResponse.Context.Add("number", 1);
                authResponse.Context.Add("bool", true);

                return(authResponse);
            }
            catch (Exception ex)
            {
                if (ex is UnauthorizedException)
                {
                    throw;
                }

                // log the exception and return a 401
                context.Logger.LogLine(ex.ToString());
                throw new UnauthorizedException();
            }
        }