website/accounts/authorizer/__init__.py

import base64
from os import environ

from passlib.hash import bcrypt


def build_api_arn(method_arn):
    arn_chunks = method_arn.split(":")
    aws_region = arn_chunks[3]
    aws_account_id = arn_chunks[4]

    gateway_arn_chunks = arn_chunks[5].split("/")
    rest_api_id = gateway_arn_chunks[0]
    stage = gateway_arn_chunks[1]

    return "arn:aws:execute-api:{}:{}:{}/{}/*/*".format(
        aws_region, aws_account_id, rest_api_id, stage
    )


def build_response(api_arn, allow):
    effect = "Deny"
    if allow:
        effect = "Allow"

    return {
        "principalId": "offen",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": ["execute-api:Invoke"],
                    "Effect": effect,
                    "Resource": [api_arn],
                }
            ],
        },
    }


def handler(event, context):
    api_arn = build_api_arn(event["methodArn"])

    encoded_auth = event["authorizationToken"].lstrip("Basic ")
    auth_string = base64.standard_b64decode(encoded_auth).decode()
    if not auth_string:
        return build_response(api_arn, False)

    credentials = auth_string.split(":")
    user = credentials[0]
    password = credentials[1]

    if user != environ.get("BASIC_AUTH_USER"):
        return build_response(api_arn, False)

    hashed_password = environ.get("HASHED_BASIC_AUTH_PASSWORD")
    if not bcrypt.verify(password, hashed_password):
        return build_response(api_arn, False)

    return build_response(api_arn, True)
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`import base64`
			`from os import environ`

			`from passlib.hash import bcrypt`


			`def build_api_arn(method_arn):`
			`arn_chunks = method_arn.split(":")`
			`aws_region = arn_chunks[3]`
			`aws_account_id = arn_chunks[4]`

			`gateway_arn_chunks = arn_chunks[5].split("/")`
			`rest_api_id = gateway_arn_chunks[0]`
			`stage = gateway_arn_chunks[1]`

			`return "arn:aws:execute-api:{}:{}:{}/{}//".format(`
			`aws_region, aws_account_id, rest_api_id, stage`
			`)`

increase test coverage for vault and login api 2019-07-16 09:39:31 +02:00
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`def build_response(api_arn, allow):`
			`effect = "Deny"`
			`if allow:`
			`effect = "Allow"`

			`return {`
			`"principalId": "offen",`
			`"policyDocument": {`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Action": ["execute-api:Invoke"],`
			`"Effect": effect,`
increase test coverage for vault and login api 2019-07-16 09:39:31 +02:00			`"Resource": [api_arn],`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`}`
increase test coverage for vault and login api 2019-07-16 09:39:31 +02:00			`],`
			`},`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`}`


			`def handler(event, context):`
			`api_arn = build_api_arn(event["methodArn"])`

increase test coverage for vault and login api 2019-07-16 09:39:31 +02:00			`encoded_auth = event["authorizationToken"].lstrip("Basic ")`
			`auth_string = base64.standard_b64decode(encoded_auth).decode()`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`if not auth_string:`
			`return build_response(api_arn, False)`

			`credentials = auth_string.split(":")`
			`user = credentials[0]`
			`password = credentials[1]`

			`if user != environ.get("BASIC_AUTH_USER"):`
			`return build_response(api_arn, False)`

clean up and add missing tests 2019-07-16 10:29:24 +02:00			`hashed_password = environ.get("HASHED_BASIC_AUTH_PASSWORD")`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`if not bcrypt.verify(password, hashed_password):`
			`return build_response(api_arn, False)`

			`return build_response(api_arn, True)`