Adding RBAC for AuthZ (awslabs#8)

Why?
Customer will want more AuthZ than just a access to all or none. This introduces RBAC that enables roles to be assigned to Interactions and Resources.

Changes:
* Created configuration for RBAC (RBACRules.ts)
* Bundles AuthZ is in two steps (preliminary check & then again on the
resource side)
* Changing cognito to be OAuth2 endpoints
* To hit the endpoint you must ask for profile & openid or just aws.cognito.signin.user.admin scopes

Test:
* Created/updated tests
* sls deploy locally

Author: rsmayda

Diff for: README.md

@@ -25,7 +25,7 @@ To change what this FHIR server supports please check out the [config.ts](src/co
 
 ### Architecture
 
-The system architecture consists of multiple layers of AWS serverless services. The endpoints are hosted using API Gateway. The database and storage layer consists of Amazon DynamoDB and S3, with ElasticSearch as the search index for the data written to DynamoDB. The endpoints are secured by Cognito for user-level authentication (and future authorization), with API keys for anonymous service level access. The diagram below shows the FHIR server’s system architecture components and how they are related.
+The system architecture consists of multiple layers of AWS serverless services. The endpoints are hosted using API Gateway. The database and storage layer consists of Amazon DynamoDB and S3, with ElasticSearch as the search index for the data written to DynamoDB. The endpoints are secured by Cognito for user-level authentication and user-group authorization, with API keys for anonymous service level access. The diagram below shows the FHIR server’s system architecture components and how they are related.
 ![Architecture](resources/architecture.png)
 
 ## Prerequisites
@@ -213,7 +213,7 @@ From the command’s output note down the following data
 
 ### Initialize Cognito
 
-Initially, AWS Cognito must be set up with default user credentials in order to support authentication. Without this step, the APIs won’t be accessible through user authentication.
+Initially, AWS Cognito is set up supporting OAuth2 requests in order to support authentication and authorization. When first created there will be no users. This step creates a `workshopuser` and assigns the user to the `practitioner` User Group.
 
 Execute the following command substituting all variables with previously noted
 values:
@@ -237,7 +237,7 @@ For Mac:
 AWS_ACCESS_KEY_ID=<ACCESS_KEY> AWS_SECRET_ACCESS_KEY=<SECRET_KEY> python3 scripts/provision-user.py <USER_POOL_ID> <USER_POOL_APP_CLIENT_ID> <REGION>
 ```
 
-This will create a user in your Cognito User Pool. The return value will be a token that can be used for authentication with the FHIR API.
+This will create a user in your Cognito User Pool. The return value will be an access token that can be used for authentication with the FHIR API.
 
 ### Accessing ElasticSearch Kibana Server
 
@@ -250,15 +250,15 @@ In order to be able to access the Kibana server for your ElasticSearch Service I
 ```sh
 # Find ELASTIC_SEARCH_KIBANA_USER_POOL_APP_CLIENT_ID in the printout
 serverless info --verbose
- 
-# Create new user 
+
+# Create new user
 aws cognito-idp sign-up \
   --region <REGION> \
   --client-id <ELASTIC_SEARCH_KIBANA_USER_POOL_APP_CLIENT_ID> \
   --username <[email protected]> \
   --password <TEMP_PASSWORD> \
   --user-attributes Name="email",Value="<[email protected]>"
- 
+
 # Find ELASTIC_SEARCH_KIBANA_USER_POOL_ID in the printout
 # Notice this is a different ID from the one used in the last step
 serverless info --verbose
@@ -281,8 +281,7 @@ aws cognito-idp admin-confirm-sign-up \
   --user-pool-id us-west-2_sOmeStRing \
   --username [email protected] \
   --region us-west-2
-
-``` 
+```
 
 #### Get Kibana Url
 
@@ -304,7 +303,7 @@ aws cloudformation create-stack --stack-name fhir-server-backups --template-body
 
 ## Usage Instructions
 
-### Retrieving an authentication token
+### Retrieving an access token
 
 In order to access the FHIR API, a COGNITO_AUTH_TOKEN is required. This can be obtained using the following command substituting all variables with previously noted values
 
@@ -352,7 +351,7 @@ Instructions for importing the environment JSON is located [here](https://thinks
 - Fhir_Dev_Env.json
 - Fhir_Prod_Env.json
 
-The COGNITO*AUTH_TOKEN required for each of these files can be obtained by following the instructions under [Retrieving an authentication token](#retrieving-an-authentication-token).
+The COGNITO_AUTH_TOKEN required for each of these files can be obtained by following the instructions under [Retrieving an authentication token](#retrieving-an-authentication-token).
 Other parameters required can be found by running `serverless info --verbose`
 
 ### Accessing Binary resources

Diff for: cloudformation/cognito.yaml

@@ -2,6 +2,12 @@ Resources:
   UserPool:
     Type: AWS::Cognito::UserPool
     Properties:
+      AccountRecoverySetting:
+        RecoveryMechanisms:
+          - Name: verified_email
+            Priority: 1
+      AdminCreateUserConfig:
+        AllowAdminCreateUserOnly: true
       AutoVerifiedAttributes:
         - email
       UserPoolName: !Ref AWS::StackName
@@ -14,12 +20,30 @@ Resources:
   UserPoolClient:
     Type: AWS::Cognito::UserPoolClient
     Properties:
+      AllowedOAuthFlows:
+        - code
+        - implicit
+      AllowedOAuthFlowsUserPoolClient: true
+      AllowedOAuthScopes:
+        - email
+        - openid
+        - profile
       ClientName: !Sub '${AWS::StackName}-UserPool'
-      GenerateSecret: false
       UserPoolId: !Ref UserPool
+      CallbackURLs:
+        - ${self:custom.oauthCallback}
+      DefaultRedirectURI: ${self:custom.oauthRedirect}
       ExplicitAuthFlows:
-        - ADMIN_NO_SRP_AUTH
-        - USER_PASSWORD_AUTH
+        - ALLOW_USER_PASSWORD_AUTH
+        - ALLOW_REFRESH_TOKEN_AUTH
+      SupportedIdentityProviders:
+        - COGNITO
+      PreventUserExistenceErrors: ENABLED
+  UserPoolDomain:
+    Type: AWS::Cognito::UserPoolDomain
+    Properties:
+      Domain: !Ref UserPoolClient
+      UserPoolId: !Ref UserPool
   PractitionerUserGroup:
     Type: AWS::Cognito::UserPoolGroup
     Properties:

Diff for: package.json

@@ -30,6 +30,7 @@
     "errorhandler": "^1.5.1",
     "express": "^4.17.1",
     "flat": "^5.0.0",
+    "jsonwebtoken": "^8.5.1",
     "lodash": "^4.17.15",
     "mime-types": "^2.1.26",
     "serverless-http": "^2.3.1",
@@ -43,6 +44,7 @@
     "@types/node": "^12",
     "@types/sinon": "^9.0.0",
     "@types/uuid": "^3.4.7",
+    "@types/jsonwebtoken": "^8.5.0",
     "@typescript-eslint/eslint-plugin": "^2.18.0",
     "@typescript-eslint/parser": "^2.18.0",
     "aws-sdk-mock": "^5.1.0",

Diff for: sampleData/r3FhirConfigWithExclusions.ts

@@ -5,7 +5,7 @@ const config: FhirConfig = {
     orgName: 'Organization Name',
     auth: {
         strategy: {
-            cognito: true,
+            oauthUrl: 'http://example.com',
         },
     },
     server: {

Diff for: sampleData/r4FhirConfigGeneric.ts

@@ -5,7 +5,7 @@ const config: FhirConfig = {
     orgName: 'Organization Name',
     auth: {
         strategy: {
-            cognito: true,
+            oauthUrl: 'http://example.com',
         },
     },
     server: {

Diff for: sampleData/r4FhirConfigNoGeneric.ts

@@ -5,7 +5,7 @@ const config: FhirConfig = {
     orgName: 'Organization Name',
     auth: {
         strategy: {
-            cognito: true,
+            oauthUrl: 'http://example.com',
         },
     },
     server: {

Diff for: sampleData/r4FhirConfigWithExclusions.ts

@@ -5,7 +5,7 @@ const config: FhirConfig = {
     orgName: 'Organization Name',
     auth: {
         strategy: {
-            cognito: true,
+            oauthUrl: 'http://example.com',
         },
     },
     server: {

Diff for: scripts/init-auth.py

@@ -17,5 +17,5 @@
     ClientId=sys.argv[1]
 )
 
-sessionid = response['AuthenticationResult']['IdToken']
+sessionid = response['AuthenticationResult']['AccessToken']
 print(sessionid)

Diff for: scripts/provision-user.py

@@ -55,6 +55,12 @@
     }
 )
 
+response = client.admin_add_user_to_group(
+    UserPoolId=sys.argv[1],
+    Username='workshopuser',
+    GroupName='practitioner'
+)
+
 response = client.initiate_auth(
     AuthFlow='USER_PASSWORD_AUTH',
     AuthParameters={
@@ -65,5 +71,5 @@
     ClientId=sys.argv[2]
 )
 
-sessionid = response['AuthenticationResult']['IdToken']
+sessionid = response['AuthenticationResult']['AccessToken']
 print(sessionid)

Diff for: serverless.yaml

@@ -4,6 +4,8 @@ custom:
   resourceTableName: 'resource-${self:custom.stage}'
   stage: ${opt:stage, self:provider.stage}
   region: ${opt:region, self:provider.region}
+  oauthCallback: ${opt:oauthCallback, 'http://localhost'}
+  oauthRedirect: ${opt:oauthRedirect, 'http://localhost'}
   config: ${file(serverless_config.json)}
 
 provider:
@@ -24,6 +26,7 @@ provider:
     FHIR_BINARY_BUCKET:
       Ref: FHIRBinaryBucket
     ELASTICSEARCH_DOMAIN_ENDPOINT: !Join ['', ['https://', !GetAtt ElasticSearchDomain.DomainEndpoint]]
+    OAUTH2_DOMAIN_ENDPOINT: !Join ['', ['https://', !Ref UserPoolDomain, '.auth.${self:custom.region}.amazoncognito.com/oauth2']]
   apiKeys:
     - name: developer-key
       description: Key for developer to access the FHIR Api
@@ -84,6 +87,10 @@ functions:
             type: COGNITO_USER_POOLS
             authorizerId:
               Ref: ApiGatewayAuthorizer
+            scopes: # must have both scopes
+              - 'openid'
+              - 'profile'
+              - 'aws.cognito.signin.user.admin'
           method: ANY
           path: /
           private: true
@@ -92,6 +99,10 @@ functions:
             type: COGNITO_USER_POOLS
             authorizerId:
               Ref: ApiGatewayAuthorizer
+            scopes: # must have both scopes
+              - 'openid'
+              - 'profile'
+              - 'aws.cognito.signin.user.admin'
           method: ANY
           path: '{proxy+}'
           private: true
@@ -277,11 +288,11 @@ resources:
       ElasticSearchDomainKibanaEndpoint:
         Condition: isDev
         Description: ElasticSearch Kibana endpoint
-        Value: !Join ['', ['https://', !GetAtt ElasticSearchDomain.DomainEndpoint, '/_plugin/kibana']]      
+        Value: !Join ['', ['https://', !GetAtt ElasticSearchDomain.DomainEndpoint, '/_plugin/kibana']]
       ElasticSearchKibanaUserPoolId:
         Condition: isDev
         Description: User pool id for the provisioning ES Kibana users.
-        Value: !Ref KibanaUserPool      
+        Value: !Ref KibanaUserPool
       ElasticSearchKibanaUserPoolAppClientId:
         Condition: isDev
         Description: App client id for the provisioning ES Kibana users.

Diff for: src/FHIRServerConfig.ts

@@ -1,7 +1,7 @@
 import { R4_RESOURCE, R3_RESOURCE, VERSION, INTERACTION } from './constants';
 
 export interface Strategy {
-    cognito?: boolean;
+    oauthUrl?: string;
 }
 
 export interface Auth {

Diff for: src/app.ts

@@ -11,6 +11,9 @@ import S3ObjectStorageService from './objectStorageService/s3ObjectStorageServic
 import ElasticSearchService from './searchService/elasticSearchService';
 import BundleResourceRoute from './routes/bundleResourceRoute';
 import { DynamoDb } from './dataServices/ddb/dynamoDb';
+import RBACHandler from './authorization/RBACHandler';
+import RBACRules from './authorization/RBACRules';
+import { cleanAuthHeader } from './common/utilities';
 
 // TODO handle multi versions in one server
 const configHandler: ConfigHandler = new ConfigHandler(fhirConfig);
@@ -21,6 +24,7 @@ const genericInteractions: INTERACTION[] = configHandler.getGenericInteractions(
 const searchParams = configHandler.getSearchParam();
 
 const dynamoDbDataService = new DynamoDbDataService(DynamoDb);
+const authService = new RBACHandler(RBACRules);
 
 const genericResourceHandler: ResourceHandler = new ResourceHandler(
     dynamoDbDataService,
@@ -45,6 +49,24 @@ const app = express();
 app.use(express.urlencoded({ extended: true }));
 app.use(express.json());
 
+// AuthZ
+app.use(async (req: express.Request, res: express.Response, next) => {
+    try {
+        const isAllowed: boolean = authService.isAuthorized(
+            cleanAuthHeader(req.headers.authorization),
+            req.method,
+            req.path,
+        );
+        if (isAllowed) {
+            next();
+        } else {
+            res.status(403).json({ message: 'Forbidden' });
+        }
+    } catch (e) {
+        res.status(403).json({ message: `Forbidden. ${e.message}` });
+    }
+});
+
 // Capability Statement
 app.use('/metadata', metadataRoute.router);
 
@@ -65,7 +87,7 @@ genericFhirResources.forEach((resourceType: string) => {
 });
 
 // We're not using the GenericResourceRoute because Bundle '/' path only support POST
-const bundleResourceRoute = new BundleResourceRoute(dynamoDbDataService, fhirVersion, serverUrl);
+const bundleResourceRoute = new BundleResourceRoute(dynamoDbDataService, authService, fhirVersion, serverUrl);
 app.use('/', bundleResourceRoute.router);
 
 // Handle errors

Diff for: src/authorization/RBACConfig.ts

@@ -0,0 +1,14 @@
+import { INTERACTION, R4_RESOURCE } from '../constants';
+
+export interface RBACConfig {
+    version: number;
+    groupRules: GroupRule;
+}
+
+export interface GroupRule {
+    [groupName: string]: Rule;
+}
+export interface Rule {
+    interactions: INTERACTION[];
+    resources: R4_RESOURCE[];
+}