Commit 9904343a authored by David Diederich's avatar David Diederich

Initial Import

# Copyright © Amazon Web Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##### Sample os-entitlements-aws .env file ###########################################################
#
# Basic use: duplicate this file, and make sure the new copy is also in the root of the AWS
# 'provider' folder, and name it `.env`. Note that on macOS, by default, files starting with
# are considered hidden system files, and are not displayed by default in Finder or the file
# selector (which you will need to use when adding the environment file(s) to the run
# configuration(s). While you can change a setting to show hidden files and folders by
# default, there is also a keyboard shortcut to quickly toggle between hide/show. With either
# Finder as the active application ("Finder" appears next to the Apple logo in the Menu Bar),
# press: command + shift + . (period). You can store configurations for multiple environments
# by adding more duplicates following a naming scheme of your choosing, for example:
# `staging.env`, `uat.env`, or `local.env`.
#
# This requires installing a plugin to your IDE that allows you to use a .env
# file in your repository folder (does NOT get checked into source control;
# only the sample environment configuration (sample.env) should be committed.
#
# Download links for .env file plugins:
# IntelliJ - https://github.com/Ashald/EnvFile
dynamoDBEndpoint=dynamodb.us-east-1.amazonaws.com
dynamoDBRegion=us-east-1
groupsTablePrefix=dev
\ No newline at end of file
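Review bot: The sample sets `groupsTablePrefix=dev` without a trailing hyphen, while the Lambda template in this same commit sets `groupsTablePrefix: dev-`; whether the hyphen matters depends on how the consumer concatenates the prefix with the table name, which is not visible here, but the two should agree. Suggest `groupsTablePrefix=dev-` or a comment stating which form the code expects. The usage comment also drops the character it is describing: "files starting with are considered hidden" should read "files starting with `.` are considered hidden".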
HELP.md
target/
!.mvn/wrapper/maven-wrapper.jar
!**/src/main/**
!**/src/test/**
### STS ###
.apt_generated
.classpath
.factorypath
.project
.settings
.springBeans
.sts4-cache
### IntelliJ IDEA ###
.idea
*.iws
*.iml
*.ipr
### NetBeans ###
/nbproject/private/
/nbbuild/
/dist/
/nbdist/
/.nb-gradle/
build/
### VS Code ###
.vscode/
\ No newline at end of file
<?xml version="1.0"?>
<!--
Copyright © Amazon Web Services
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.amazonaws.osdu.entitlements</groupId>
<artifactId>authorize-function</artifactId>
<version>0.0.3-SNAPSHOT</version>
<packaging>jar</packaging>
<name>Entitlements Authorize</name>
<properties>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
</properties>
<dependencies>
<!-- AWS managed packages -->
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-lambda-java-core</artifactId>
<version>1.2.0</version>
</dependency>
<dependency>
<groupId>com.amazonaws.serverless</groupId>
<artifactId>aws-serverless-java-container-core</artifactId>
<version>1.4</version>
</dependency>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk</artifactId>
<version>1.11.651</version>
</dependency>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-core</artifactId>
<version>1.11.651</version>
</dependency>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-dynamodb</artifactId>
<version>1.11.651</version>
</dependency>
<!-- third party Apache 2.0 license packages -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<version>2.9.9</version>
</dependency>
<!-- Internal packages -->
<dependency>
<groupId>org.opengroup.osdu.core.aws</groupId>
<artifactId>os-core-lib-aws</artifactId>
<version>0.0.10</version>
</dependency>
<!-- Testing packages -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-all</artifactId>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<version>3.1.1</version>
<configuration>
</configuration>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>shade</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
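Review bot: The aggregate `aws-java-sdk` artifact is declared next to `aws-java-sdk-core` and `aws-java-sdk-dynamodb`, and the only SDK code the sources in this commit import is `aws-lambda-java-core`, so the aggregate pulls every service client into the shaded jar and widens the set of artifacts that must be tracked for advisories. Dropping the `aws-java-sdk` dependency and keeping the two specific modules (or only what the handler actually uses) is the least-privilege equivalent for the build. `Authorize.java` imports `com.fasterxml.jackson.databind.ObjectMapper`, but only `jackson-core` is declared; declaring `jackson-databind` explicitly, at the same version, avoids depending on whichever transitive copy wins resolution. The test class also imports `org.jose4j` and the serverless-container `MockLambdaContext`, neither of which is declared with `<scope>test</scope>`, so the test compiles only through transitive dependencies.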
// Copyright © Amazon Web Services
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.amazonaws.osdu.entitlements;
import java.io.*;
import java.util.*;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.opengroup.osdu.core.aws.entitlements.RequestKeys;
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestStreamHandler;
import org.opengroup.osdu.core.aws.entitlements.Authorizer;
import org.opengroup.osdu.core.aws.lambda.HttpLambdaUtil;
import org.opengroup.osdu.core.aws.lambda.HttpStatusCodes;
import org.opengroup.osdu.core.aws.lambda.LambdaLogger;
/**
* Class that handles the authorization lambda code.
* Secret key and client id should come from environment variables and should be set at time of deployment
*/
public class Authorize implements RequestStreamHandler {
private final static String SUCCESS_MSG = "Successful authorization";
HttpLambdaUtil httpLambdaUtil = new HttpLambdaUtil();
Authorizer authorizer = new Authorizer();
/**
* Method that gets called by Lambda. We parse the inputstream and write the response to the outputstream.
* Here we call out to the keystore and verify the jwt against it. Assumes that jwks will be present
*
* header example:
* {
* "typ": "JWT",
* "alg": "HS256"
* }
*
* payload example:
* {
* "sub": "c30214ba-44af-4b52-bfb9-689cbeee8733",
* "event_id": "b4476e21-b629-4e68-bb6f-a50613be68f0",
* "token_use": "access",
* "scope": "aws.cognito.signin.user.admin",
* "auth_time": 1572884830,
* "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_LBaTvpEXx",
* "exp": 1572888455,
* "iat": 1572884830,
* "jti": "e4e1449e-a990-4b8e-a55d-e095a730b6ca",
* "client_id": "test-id",
* "username": "user"
* }
* @param inputStream
* @param outputStream
* @param context
* @throws IOException
*/
public void handleRequest(InputStream inputStream, OutputStream outputStream, Context context)
throws IOException {
ObjectMapper mapper = new ObjectMapper();
Map<String, String> headers = new HashMap<>();
try{
Map<String, Object> request = mapper.readValue(inputStream, Map.class);
headers = (HashMap<String, String>) request.get(RequestKeys.HEADERS_REQUEST_KEY);
} catch (ClassCastException e){
LambdaLogger.logException("Casting exception in parsing request, headers, httpMethod.", e);
httpLambdaUtil.unauthorizedRequest(outputStream, new HashMap<>());
} catch (IOException e){
LambdaLogger.logException("IO exception in parsing request, headers, httpMethod.", e);
httpLambdaUtil.unauthorizedRequest(outputStream, new HashMap<>());
} catch (Exception e){
LambdaLogger.logException("General exception in parsing request, headers, httpMethod.", e);
httpLambdaUtil.unauthorizedRequest(outputStream, new HashMap<>());
}
if (authorizer.validateJWT(headers.get("authorization")) != null){
httpLambdaUtil.okRequest(outputStream, SUCCESS_MSG, new HashMap<>());
} else {
httpLambdaUtil.unauthorizedRequest(outputStream, new HashMap<>());
}
}
}
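Review bot: In `handleRequest`, none of the three catch blocks returns after writing `unauthorizedRequest`, so a malformed request falls through to `authorizer.validateJWT(headers.get("authorization"))` and a second response is written to the same `outputStream`; if the parsed request has no `headers` entry, `headers` is null and the `get` call throws a `NullPointerException` outside any try. The rewrite below terminates on parse failure, treats a missing headers map as unauthorized, and merges the three catches into one multi-catch (the three distinct log messages collapse into one; keep them separate if the distinction is used for alerting). The class Javadoc says the secret key and client id come from environment variables, but nothing in this class reads the environment, so that sentence is presumably about `Authorizer` and should move or be reworded. The value passed to `validateJWT` is the raw header including any `Bearer ` prefix; whether `Authorizer` strips it is not visible here and is worth a comment on the call.
```java
public void handleRequest(InputStream inputStream, OutputStream outputStream, Context context)
        throws IOException {
    ObjectMapper mapper = new ObjectMapper();
    Map<String, String> headers;
    try {
        Map<String, Object> request = mapper.readValue(inputStream, Map.class);
        headers = (Map<String, String>) request.get(RequestKeys.HEADERS_REQUEST_KEY);
    } catch (IOException | RuntimeException e) {
        // ClassCastException is a RuntimeException, so one branch covers all parse failures.
        LambdaLogger.logException("Exception in parsing request, headers, httpMethod.", e);
        httpLambdaUtil.unauthorizedRequest(outputStream, new HashMap<>());
        return; // a response has been written; do not fall through to validateJWT
    }
    // A request without a headers map carries no token and is rejected without calling the authorizer.
    if (headers == null || authorizer.validateJWT(headers.get("authorization")) == null) {
        httpLambdaUtil.unauthorizedRequest(outputStream, new HashMap<>());
        return;
    }
    httpLambdaUtil.okRequest(outputStream, SUCCESS_MSG, new HashMap<>());
}
```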
// Copyright © Amazon Web Services
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.amazonaws.osdu.entitlements;
import com.amazonaws.serverless.proxy.internal.testutils.MockLambdaContext;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.junit.Test;
import org.mockito.Mockito;
import org.opengroup.osdu.core.aws.entitlements.Authorizer;
import org.opengroup.osdu.core.aws.lambda.HttpLambdaUtil;
import java.io.*;
import java.nio.charset.StandardCharsets;
public class AuthorizeTest {
private static final ObjectMapper MAPPER = new ObjectMapper();
@Test
public void successfulResponse() throws IOException, InvalidJwtException {
// arrange
String request = "{\n" +
" \"body\": \"null\",\n" +
" \"headers\": {\n" +
" \"user\": \"spencer.sutton@parivedasolutions.com\",\n" +
" \"authorization\": \"Bearer test-token\",\n" +
" \"data-partition-id\": \"common\"\n" +
" },\n" +
" \"httpMethod\": \"GET\"\n" +
"}";
InputStream stream = new ByteArrayInputStream(request.getBytes(StandardCharsets.UTF_8));
Authorize authorize = new Authorize();
ByteArrayOutputStream out = new ByteArrayOutputStream();
authorize.httpLambdaUtil = Mockito.mock(HttpLambdaUtil.class);
authorize.authorizer = Mockito.mock(Authorizer.class);
Mockito.when(authorize.authorizer.validateJWT(Mockito.anyString())).thenReturn("test-user");
// act
authorize.handleRequest(stream, out, new MockLambdaContext());
// assert
Mockito.verify(authorize.httpLambdaUtil, Mockito.times(1)).okRequest(Mockito.anyObject(),
Mockito.anyString(),
Mockito.anyMap());
}
@Test
public void failureResponse() throws IOException {
// arrange
String request = "{\n" +
" \"body\": \"null\",\n" +
" \"headers\": {\n" +
" \"user\": \"spencer.sutton@parivedasolutions.com\",\n" +
" \"authorization\": \"Bearer test-token\",\n" +
" \"data-partition-id\": \"common\"\n" +
" },\n" +
" \"httpMethod\": \"GET\"\n" +
"}";
InputStream stream = new ByteArrayInputStream(request.getBytes(StandardCharsets.UTF_8));
Authorize authorize = new Authorize();
ByteArrayOutputStream out = new ByteArrayOutputStream();
authorize.httpLambdaUtil = Mockito.mock(HttpLambdaUtil.class);
authorize.authorizer = Mockito.mock(Authorizer.class);
Mockito.when(authorize.authorizer.validateJWT(Mockito.eq("test-token"))).thenReturn(null);
// act
authorize.handleRequest(stream, out, new MockLambdaContext());
// assert
Mockito.verify(authorize.httpLambdaUtil, Mockito.times(1)).unauthorizedRequest(Mockito.anyObject(),
Mockito.anyMap());
}
}
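Review bot: In `failureResponse` the stub `validateJWT(Mockito.eq("test-token"))` never matches, because the request header carries `Bearer test-token` and `Authorize` passes the header value through unchanged, so the null that drives the unauthorized path comes from Mockito's default for unstubbed calls rather than from the stub; the test passes, but it does not show that the header value reaches the authorizer. Use `Mockito.when(authorize.authorizer.validateJWT(Mockito.eq("Bearer test-token"))).thenReturn(null);` and, in both tests, also assert the other branch was not taken, e.g. `Mockito.verify(authorize.httpLambdaUtil, Mockito.never()).okRequest(Mockito.anyObject(), Mockito.anyString(), Mockito.anyMap());`. There is no test for a body that is not JSON or that lacks the `headers` object, which are the paths where the handler's catch blocks and the `headers.get` call are exercised.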
# Copyright © Amazon Web Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
AWSTemplateFormatVersion: 2010-09-09
Description: >-
CloudFormation template for creating the bucket that holds all entitlements lambda code
Parameters:
Environment:
Description: The name of the environment.
Type: String
AllowedValues:
- dev
- uat
- prod
ConstraintDescription: Environment can only be "dev/uat/prod".
Default: dev
DeploymentRegion:
Description: The AWS region to deploy the resources to.
Type: String
Default: us-east-1
Resources:
EntitlementsCFBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: dev-os-entitlements-cloudformation-scripts
EntitlementsCFBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: EntitlementsCFBucket
PolicyDocument:
Statement:
- Action:
- "s3:*"
Effect: "Allow"
Resource:
Fn::Join:
- ""
- - "arn:aws:s3:::"
- Ref: EntitlementsCFBucket
- "/*"
Principal: "arn:aws:iam::888733619319:role/dev-os-entitlements-code-pipeline-CFNRole-1QT5LVOJKH239"
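Review bot: The bucket policy grants `s3:*` on every object to a single hard-coded role ARN in a hard-coded account, and `BucketName` hard-codes the `dev-` prefix while the `Environment` and `DeploymentRegion` parameters declared above are never referenced, so deploying the template for `uat` or `prod` either collides with the dev bucket name or silently reuses dev's policy. Suggest `BucketName: !Sub ${Environment}-os-entitlements-cloudformation-scripts` and narrowing `Action` to what the pipeline role actually needs (presumably `s3:GetObject`/`s3:PutObject`; the role's requirements are not visible here). A `Principal` naming a role ARN is normally written under the `AWS:` key (`Principal: { AWS: "arn:..." }`) rather than as a bare string, and the `PolicyDocument` has no `Version: 2012-10-17`, so it is worth confirming the template has been deployed in this form.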
# Copyright © Amazon Web Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
AWSTemplateFormatVersion: 2010-09-09
Description: >-
CloudFormation template for creating the lambda functions associated with entitlements
Parameters:
Environment:
Description: The name of the environment.
Type: String
AllowedValues:
- dev
- uat
- prod
ConstraintDescription: Environment can only be "dev/uat/prod".
Default: dev
DeploymentRegion:
Description: The AWS region to deploy the resources to.
Type: String
Default: us-east-1
ChildTemplateBasePath:
Description: >-
The base path for where child CloudFormation templates are located – can be relative or absolute, e.g.
https://s3.amazonaws.com/dev-osdu-cloudformation-scripts/Automated/
Type: String
AllowedPattern: '^https:\/\/s3.amazonaws.com\/.*\/$'
Default: https://s3.amazonaws.com/dev-os-entitlements-cloudformation-scripts/CloudFormation/Automated/
ApplicationName:
Description: >
The name of the application, should be equal to the repository name.
Type: String
MinLength: '1'
MaxLength: '64'
AllowedPattern: "^[a-zA-Z]+[0-9a-zA-Z_-]*$"
ConstraintDescription: Must start with a letter. Only numbers, letters, -, and _ accepted. Max. length 64 characters.
Default: os-entitlements
Region:
Description: The AWS region to deploy the resources to.
Type: String
Default: us-east-1
GroupsDynamoDBTableName:
Description: The name of the DynamoDB table for the groups repository; will be prefixed by the environment (e.g. Groups).
AllowedPattern: "^[a-zA-Z]+[0-9a-zA-Z_]*$"
ConstraintDescription: Must start with a letter. Only numbers, letters, and _ accepted. Max. length 64 characters.
Default: 'GroupsTest'
Type: String
MinLength: '1'
MaxLength: '64'
Resources:
GroupsDynamoDBTable:
Type: AWS::DynamoDB::Table
Properties:
TableName: !Sub ${Environment}-${GroupsDynamoDBTableName}
AttributeDefinitions:
- AttributeName: "groupUniqueIdentifier"
AttributeType: "S"
- AttributeName: "groupEmail"
AttributeType: "S"
- AttributeName: "role"
AttributeType: "S"
- AttributeName: "memberEmailAndDataPartition"
AttributeType: "S"
KeySchema:
- AttributeName: "groupUniqueIdentifier"
KeyType: "HASH"
GlobalSecondaryIndexes:
- IndexName: "groupEmail-role-index"
KeySchema:
- AttributeName: "groupEmail"
KeyType: "HASH"
- AttributeName: "role"
KeyType: "RANGE"
Projection:
ProjectionType: "KEYS_ONLY"
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
- IndexName: "memberEmailAndDataPartition-index"
KeySchema:
- AttributeName: "memberEmailAndDataPartition"
KeyType: "HASH"
Projection:
ProjectionType: "KEYS_ONLY"
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
GroupsFunction:
Type: AWS::Lambda::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
Properties:
FunctionName: dev-os-entitlements-GroupsFunction
Handler: com.amazonaws.osdu.entitlements.GetGroups::handleRequest
Runtime: java8
Role: arn:aws:iam::888733619319:role/dev-os-entitlements-GroupsFunctionRole-TWC0MVYAPYT8
Code:
S3Bucket: dev-os-entitlements-cloudformation-scripts
S3Key: groups-function-code.zip
MemorySize: 512
Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
Variables:
dynamoDBEndpoint: dynamodb.us-east-1.amazonaws.com
dynamoDBRegion: us-east-1
groupsTablePrefix: dev-
jwksEndpoint: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_anhVORG8D/.well-known/jwks.json
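Review bot: `GroupsFunction` sets `groupsTablePrefix: dev-` while `GroupsDynamoDBTable` is named `!Sub ${Environment}-${GroupsDynamoDBTableName}`, so a deployment with any `Environment` other than `dev` creates a table the function will not address; `FunctionName`, `Role` and `S3Bucket` likewise hard-code `dev` and an account ID despite the parameters declared above. Suggest `groupsTablePrefix: !Sub ${Environment}-` and `FunctionName: !Sub ${Environment}-os-entitlements-GroupsFunction`, with the role and bucket either parameterised or created in this template. The `Handler` refers to `com.amazonaws.osdu.entitlements.GetGroups`, which this commit does not add (only `Authorize` is present), so the function presumably fails to load until that class lands; a comment or a follow-up reference would make that explicit. `Region` and `DeploymentRegion` are duplicate parameters with the same default and neither is used.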
# Copyright © Amazon Web Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
AWSTemplateFormatVersion: 2010-09-09
Description: >
This CloudFormation script creates the deployment pipeline for OSDU's entitlements
Parameters:
Environment:
Description: Environment Name. Defaults to 'dev'. Can only be dev/uat/prod.
Type: String
AllowedValues:
- dev
- uat
- prod
Default: dev
DeploymentRegion:
Description: The AWS region to deploy the application to. The default is us-east-1.
Type: String
Default: us-east-1
SNSNotificationEmail:
Description: The email address to send SNS notifications about the build to.
Type: String
Default: spencer.sutton@parivedasolutions.com
CodeCommitRepositoryName:
Description: The name of the Code Commit Repository that the CodePipeline source is connected to.
Type: String
Default: os-entitlements
CodeCommitBranchName:
Description: The name of the Code Commit branch that the CodePipeline source is connected to.
Type: String
Default: dev
MasterStackName:
Description: The name of the master stack that is being deployed by the CodePipeline.