website/accounts/lambdas/authorizer.py

import base64
from os import environ

import boto3
from botocore.exceptions import ClientError
from passlib.hash import bcrypt


session = boto3.session.Session()
boto_client = session.client(
    service_name="secretsmanager", region_name=environ.get("AWS_REGION")
)


def get_secret(boto_client, secret_name):
    ssm_response = boto_client.get_secret_value(
        SecretId="{}/accounts/{}".format(environ.get("STAGE"), secret_name)
    )
    if "SecretString" in ssm_response:
        return ssm_response["SecretString"]
    return base64.b64decode(ssm_response["SecretBinary"])


basic_auth_user = get_secret(boto_client, "basicAuthUser")
hashed_basic_auth_password = get_secret(boto_client, "hashedBasicAuthPassword")


def build_api_arn(method_arn):
    arn_chunks = method_arn.split(":")
    aws_region = arn_chunks[3]
    aws_account_id = arn_chunks[4]

    gateway_arn_chunks = arn_chunks[5].split("/")
    rest_api_id = gateway_arn_chunks[0]
    stage = gateway_arn_chunks[1]

    return "arn:aws:execute-api:{}:{}:{}/{}/*/*".format(
        aws_region, aws_account_id, rest_api_id, stage
    )


def build_response(api_arn, allow):
    effect = "Deny"
    if allow:
        effect = "Allow"

    return {
        "principalId": "offen",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": ["execute-api:Invoke"],
                    "Effect": effect,
                    "Resource": [api_arn],
                }
            ],
        },
    }


def handler(event, context):
    api_arn = build_api_arn(event["methodArn"])

    encoded_auth = event["authorizationToken"].lstrip("Basic ")
    auth_string = base64.standard_b64decode(encoded_auth).decode()
    if not auth_string:
        return build_response(api_arn, False)

    credentials = auth_string.split(":")
    user = credentials[0]
    password = credentials[1]

    if user != basic_auth_user:
        return build_response(api_arn, False)

    if not bcrypt.verify(password, hashed_basic_auth_password):
        return build_response(api_arn, False)

    return build_response(api_arn, True)
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`import base64`
			`from os import environ`

allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`import boto3`
			`from botocore.exceptions import ClientError`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`from passlib.hash import bcrypt`


allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`session = boto3.session.Session()`
			`boto_client = session.client(`
			`service_name="secretsmanager", region_name=environ.get("AWS_REGION")`
			`)`

fix use before definition 2019-07-19 21:02:12 +02:00
			`def get_secret(boto_client, secret_name):`
			`ssm_response = boto_client.get_secret_value(`
			`SecretId="{}/accounts/{}".format(environ.get("STAGE"), secret_name)`
			`)`
			`if "SecretString" in ssm_response:`
			`return ssm_response["SecretString"]`
			`return base64.b64decode(ssm_response["SecretBinary"])`


allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`basic_auth_user = get_secret(boto_client, "basicAuthUser")`
			`hashed_basic_auth_password = get_secret(boto_client, "hashedBasicAuthPassword")`


add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`def build_api_arn(method_arn):`
			`arn_chunks = method_arn.split(":")`
			`aws_region = arn_chunks[3]`
			`aws_account_id = arn_chunks[4]`

			`gateway_arn_chunks = arn_chunks[5].split("/")`
			`rest_api_id = gateway_arn_chunks[0]`
			`stage = gateway_arn_chunks[1]`

			`return "arn:aws:execute-api:{}:{}:{}/{}//".format(`
			`aws_region, aws_account_id, rest_api_id, stage`
			`)`

increase test coverage for vault and login api 2019-07-16 09:39:31 +02:00
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`def build_response(api_arn, allow):`
			`effect = "Deny"`
			`if allow:`
			`effect = "Allow"`

			`return {`
			`"principalId": "offen",`
			`"policyDocument": {`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Action": ["execute-api:Invoke"],`
			`"Effect": effect,`
increase test coverage for vault and login api 2019-07-16 09:39:31 +02:00			`"Resource": [api_arn],`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`}`
increase test coverage for vault and login api 2019-07-16 09:39:31 +02:00			`],`
			`},`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`}`


			`def handler(event, context):`
			`api_arn = build_api_arn(event["methodArn"])`

increase test coverage for vault and login api 2019-07-16 09:39:31 +02:00			`encoded_auth = event["authorizationToken"].lstrip("Basic ")`
			`auth_string = base64.standard_b64decode(encoded_auth).decode()`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`if not auth_string:`
			`return build_response(api_arn, False)`

			`credentials = auth_string.split(":")`
			`user = credentials[0]`
			`password = credentials[1]`

allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`if user != basic_auth_user:`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`return build_response(api_arn, False)`

allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`if not bcrypt.verify(password, hashed_basic_auth_password):`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`return build_response(api_arn, False)`

			`return build_response(api_arn, True)`