Merge pull request #7 from FIAP-3SOAT-G15/feature-auth-authorizer

Feat (auth-authorizer): adding api gateway authorizer
FIAP-3SOAT-G15 · Mar 19, 2024 · 28847e5 · 28847e5
2 parents 0352246 + 08a8a24
commit 28847e5
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 0 deletions.
diff --git a/src/auth-authorizer/lambda_function.py b/src/auth-authorizer/lambda_function.py
@@ -0,0 +1,56 @@
+import os
+import jwt
+from jwt.algorithms import RSAAlgorithm
+import requests
+from urllib.request import urlopen
+
+
+AWS_REGION = os.environ.get('REGION')
+USER_POOL_ID = os.environ.get('USER_POOL_ID')
+APP_CLIENT_ID = os.environ.get('CLIENT_ID')
+
+KEYS_URL = f'https://cognito-idp.{AWS_REGION}.amazonaws.com/{USER_POOL_ID}/.well-known/jwks.json'
+KEYS = requests.get(KEYS_URL).json()['keys']
+
+def lambda_handler(event, context):
+    print('event: ', event)
+
+    groups = []
+
+    if 'authorizationToken' in event:
+        groups = extract_and_decode_token(event).get('cognito:groups', [])
+
+    if 'admin' in event['methodArn'] and 'admin' not in groups:
+        return generate_policy('user', 'Deny', event['methodArn'])
+
+    return generate_policy('user', 'Allow', event['methodArn'])
+
+def generate_policy(principal_id, effect, resource):
+    auth_response = {}
+    auth_response['principalId'] = principal_id
+    if effect and resource:
+        policy_document = {
+            'Version': '2012-10-17',
+            'Statement': [{
+                'Action': 'execute-api:Invoke',
+                'Effect': effect,
+                'Resource': resource
+            }]
+        }
+        auth_response['policyDocument'] = policy_document
+    return auth_response
+
+def extract_and_decode_token(event):
+    try:
+        token = event['authorizationToken']
+        if token.startswith('Bearer '):
+            token = token.split(' ')[1]
+        headers = jwt.get_unverified_header(token)
+        key = [k for k in KEYS if k['kid'] == headers['kid']][0]
+        public_key = RSAAlgorithm.from_jwk(key)
+        claims = jwt.decode(token, public_key, algorithms = ['RS256'], audience = APP_CLIENT_ID)
+        print('claims: ', claims)
+        return claims
+    except Exception as e:
+        print('Error: ', e)
+        return generate_policy('user', 'Deny', event['methodArn'])    
diff --git a/src/auth-authorizer/requirements.txt b/src/auth-authorizer/requirements.txt
@@ -0,0 +1,3 @@
+pyjwt
+pyjwt[crypto]
+requests
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -187,3 +187,22 @@ module "lambda_auth_challenge" {
 
   tags = var.tags
 }
+
+module "lambda_auth_authorizer" {
+  source  = "terraform-aws-modules/lambda/aws"
+  version = "7.2.2"
+
+  function_name = "auth-authorizer"
+  handler       = "lambda_function.lambda_handler"
+  runtime       = local.runtime
+
+  source_path = "../src/auth-authorizer"
+
+  environment_variables = {
+    AWS_REGION   = var.region
+    USER_POOL_ID = aws_cognito_user_pool.user_pool.id
+    CLIENT_ID    = aws_cognito_user_pool_client.client.id
+  }
+
+  tags = var.tags
+}