Task-7: Authorization

authorization-service/.gitignore

@@ -0,0 +1,9 @@
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+.env

authorization-service/.npmignore

@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

authorization-service/README.md

@@ -0,0 +1,14 @@
+# Welcome to your CDK TypeScript project
+
+This is a blank project for CDK development with TypeScript.
+
+The `cdk.json` file tells the CDK Toolkit how to execute your app.
+
+## Useful commands
+
+* `npm run build`   compile typescript to js
+* `npm run watch`   watch for changes and compile
+* `npm run test`    perform the jest unit tests
+* `cdk deploy`      deploy this stack to your default AWS account/region
+* `cdk diff`        compare deployed stack with current state
+* `cdk synth`       emits the synthesized CloudFormation template

authorization-service/bin/authorization-service.ts

@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+import "source-map-support/register";
+import * as cdk from "aws-cdk-lib";
+import { AuthorizationServiceStack } from "../lib/authorization-service-stack";
+import { config } from "dotenv";
+
+config();
+
+const app = new cdk.App();
+new AuthorizationServiceStack(app, "AuthorizationServiceStack", {
+  env: {
+    account: process.env.AWS_ACCOUNT,
+    region: process.env.BASE_AWS_REGION,
+  },
+});

authorization-service/cdk.json

@@ -0,0 +1,64 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/authorization-service.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true
+  }
+}

authorization-service/handlers/basicAuthorizer.ts

@@ -0,0 +1,74 @@
+interface AuthResponse {
+  principalId: string;
+  policyDocument?: {
+    Version: string;
+    Statement: {
+      Action: string;
+      Effect: string;
+      Resource: string;
+    }[];
+  };
+}
+
+const generatePolicy = (
+  principalId: string,
+  effect: string,
+  resource: string
+): AuthResponse => {
+  if (effect && resource) {
+    return {
+      principalId,
+      policyDocument: {
+        Version: "2012-10-17",
+        Statement: [
+          {
+            Action: "execute-api:Invoke",
+            Effect: effect,
+            Resource: resource,
+          },
+        ],
+      },
+    };
+  } else {
+    return { principalId };
+  }
+};
+
+const getAuthToken = (authHeader: string) => {
+  const matchBase64 = authHeader.match(/^Basic (.+)$/);
+
+  if (matchBase64) {
+    return matchBase64[1];
+  } else {
+    return "";
+  }
+};
+
+export const handler = async (event: any, context: any, callback: any) => {
+  const authHeader = event.headers && event.headers.Authorization;
+  console.log(authHeader);
+  if (!authHeader) {
+    return { statusCode: 401, body: "No Authorization header" };
+  }
+
+  const authToken = getAuthToken(authHeader);
+
+  const decodedCredentials = Buffer.from(authToken, "base64").toString("utf8");
+  console.log("Decoded credentials ", decodedCredentials);
+
+  const [login, password] = decodedCredentials.split(":");
+  console.log("Login&Password ", login, password);
+
+  if (
+    login === process.env.GITHUB_LOGIN &&
+    password === process.env.GITHUB_PASSWORD
+  ) {
+    return generatePolicy(
+      "user",
+      "Allow",
+      `arn:aws:execute-api:${process.env.BASE_AWS_REGION}:946060570212:*/*/*`
+    );
+  } else {
+    throw new Error("Unauthorized");
+  }
+};

authorization-service/jest.config.js

@@ -0,0 +1,8 @@
+module.exports = {
+  testEnvironment: 'node',
+  roots: ['<rootDir>/test'],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.tsx?$': 'ts-jest'
+  }
+};

authorization-service/lib/authorization-service-stack.ts

@@ -0,0 +1,44 @@
+import * as cdk from "aws-cdk-lib";
+import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
+import * as lambda from "aws-cdk-lib/aws-lambda";
+import { Construct } from "constructs";
+import { IAM, Lambda, config } from "aws-sdk";
+import * as dotenv from "dotenv";
+import { PolicyStatement, Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
+// import * as sqs from 'aws-cdk-lib/aws-sqs';
+
+dotenv.config();
+
+export class AuthorizationServiceStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    const role = new Role(this, "LambdaExecutionRole", {
+      assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
+    });
+
+    role.addToPolicy(
+      new PolicyStatement({
+        actions: ["lambda:UpdateFunctionConfiguration"],
+        resources: ["*"],
+      })
+    );
+
+    const basicAuthorizer = new NodejsFunction(this, "basicAuthorizer", {
+      runtime: lambda.Runtime.NODEJS_18_X,
+      environment: {
+        BASE_AWS_REGION: process.env.BASE_AWS_REGION!,
+        GITHUB_LOGIN: process.env.GITHUB_LOGIN!,
+        GITHUB_PASSWORD: process.env.GITHUB_PASSWORD!,
+      },
+      functionName: "basicAuthorizer",
+      entry: "handlers/basicAuthorizer.ts",
+      role: role,
+    });
+
+    new cdk.CfnOutput(this, "basicAuthorizerExport", {
+      value: basicAuthorizer.functionArn,
+      exportName: "basicAuthorizerArn",
+    });
+  }
+}