Merge pull request #12 from emmaLP/auth

emmaLP · web-flow · commit 4f1b4878b40c · 2021-07-12T16:19:54.000+01:00
Implementing simple authorisation on the api gateway
diff --git a/deploy/api_gateway.tf b/deploy/api_gateway.tf
@@ -11,9 +11,11 @@ resource "aws_apigatewayv2_stage" "default" {
 
 
 resource "aws_apigatewayv2_route" "pack_calc" {
-  api_id    = aws_apigatewayv2_api.pack_calc.id
-  route_key = "POST /calculate-packs"
-  target    = "integrations/${aws_apigatewayv2_integration.pack_calc.id}"
+  api_id             = aws_apigatewayv2_api.pack_calc.id
+  authorization_type = "CUSTOM"
+  authorizer_id      = aws_apigatewayv2_authorizer.authoriser.id
+  route_key          = "POST /calculate-packs"
+  target             = "integrations/${aws_apigatewayv2_integration.pack_calc.id}"
 }
 
 resource "aws_apigatewayv2_integration" "pack_calc" {
@@ -23,4 +25,16 @@ resource "aws_apigatewayv2_integration" "pack_calc" {
   integration_uri        = aws_lambda_function.pack_calc.invoke_arn
   integration_method     = "POST"
   payload_format_version = "2.0"
+}
+
+resource "aws_apigatewayv2_authorizer" "authoriser" {
+  api_id          = aws_apigatewayv2_api.pack_calc.id
+  authorizer_type = "REQUEST"
+  authorizer_uri  = aws_lambda_function.token_authoriser.invoke_arn
+
+  identity_sources                  = ["$request.header.Authorization"]
+  authorizer_payload_format_version = "2.0"
+  name                              = "gymshark-token-authoriser"
+  enable_simple_responses           = true
+  authorizer_result_ttl_in_seconds  = 0
 }
diff --git a/deploy/data.tf b/deploy/data.tf
@@ -1,3 +1,6 @@
 data "aws_iam_policy" "lambda_execution" {
   arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+data "aws_iam_policy" "ssm_readonly" {
+  arn = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"
 }
diff --git a/deploy/files/token_authoriser.js b/deploy/files/token_authoriser.js
@@ -0,0 +1,72 @@
+const AWS = require('aws-sdk');
+
+AWS.config.region = process.env.AWS_DEFAULT_REGION || 'eu-west-2';
+
+function getSecret(secretKey) {
+    return new Promise((resolve, reject) => {
+        const ssm = new AWS.SSM();
+        const params = {
+            Name: secretKey,
+            WithDecryption: true
+        };
+        console.log("calling sdk ssm");
+        ssm.getParameter(params, function (err, data) {
+            console.log("ssm - request made");
+            if (err) {
+                console.error(err);
+                return reject(err);
+            }
+            if (!data.Parameter) {
+                console.error("secret not found");
+                return reject(new Error('Token not found'));
+            }
+            console.log("Found secret");
+            return resolve(data.Parameter.Value);
+        });
+    });
+}
+
+exports.handler = async (event) => {
+    console.log(event)
+    let response = {
+        "isAuthorized": false,
+        "context": {
+            "stringKey": "value",
+            "numberKey": 1,
+            "booleanKey": true,
+            "arrayKey": ["value1", "value2"],
+            "mapKey": {"value1": "value2"}
+        }
+    };
+    let authHeader = event.headers['authorization']
+    console.log("Auth Header", authHeader)
+    await getSecret(process.env.SECRET_KEY)
+        .then(secret => {
+            if (!authHeader === secret) {
+                response = {
+                    "isAuthorized": false,
+                    "context": {
+                        "booleanKey": true,
+                    }
+                }
+            } else {
+                response = {
+                    "isAuthorized": true,
+                    "context": {
+                        "booleanKey": true,
+                    }
+                }
+            }
+        })
+        .catch(err => {
+            // trap any errors and respond with '500 Server Error'
+            console.error(err);
+            response = {
+                "isAuthorized": false
+            }
+        });
+
+    console.log("Response", response)
+    return response;
+
+};
diff --git a/deploy/lambda.tf b/deploy/lambda.tf
@@ -20,9 +20,43 @@ data "archive_file" "pack_calc" {
   output_path = "${path.module}/.terraform/archives/gymshark-pack-calc.zip"
 }
 
+data "archive_file" "token_authorizer" {
+  type        = "zip"
+  source_file = "${path.module}/files/token_authoriser.js"
+  output_path = "${path.module}/.terraform/archives/token_authorizer.zip"
+}
+
 resource "aws_lambda_permission" "apigateway" {
   action        = "lambda:InvokeFunction"
   function_name = aws_lambda_function.pack_calc.function_name
   principal     = "apigateway.amazonaws.com"
   source_arn    = "${aws_apigatewayv2_api.pack_calc.execution_arn}/*/*/*"
+}
+
+
+resource "aws_lambda_function" "token_authoriser" {
+  depends_on    = [aws_cloudwatch_log_group.token_authoriser]
+  function_name = "gymshark-pack-calc-authorizer"
+  handler       = "token_authoriser.handler"
+  role          = aws_iam_role.lambda.arn
+  runtime       = "nodejs12.x"
+  environment {
+    variables = {
+      SECRET_KEY = aws_ssm_parameter.api_token.name
+    }
+  }
+  filename         = data.archive_file.token_authorizer.output_path
+  source_code_hash = data.archive_file.token_authorizer.output_base64sha256
+
+}
+resource "aws_cloudwatch_log_group" "token_authoriser" {
+  name              = "/aws/lambda/gymshark-pack-calc-authorizer"
+  retention_in_days = 14
+}
+
+resource "aws_lambda_permission" "apigateway_auth" {
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.token_authoriser.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_apigatewayv2_api.pack_calc.execution_arn}/authorizers/${aws_apigatewayv2_authorizer.authoriser.id}"
 }
diff --git a/deploy/outputs.tf b/deploy/outputs.tf
@@ -0,0 +1,3 @@
+output "api_base_url" {
+  value = aws_apigatewayv2_api.pack_calc.api_endpoint
+}
diff --git a/deploy/provider.tf b/deploy/provider.tf
@@ -5,6 +5,10 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 3.0"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.0"
+    }
     archive = {
       source  = "hashicorp/archive"
       version = "~> 2"
diff --git a/deploy/roles.tf b/deploy/roles.tf
@@ -21,3 +21,7 @@ resource "aws_iam_role_policy_attachment" "lambda_execution" {
   role       = aws_iam_role.lambda.name
   policy_arn = data.aws_iam_policy.lambda_execution.arn
 }
+resource "aws_iam_role_policy_attachment" "ssm_readonly" {
+  role       = aws_iam_role.lambda.name
+  policy_arn = data.aws_iam_policy.ssm_readonly.arn
+}
diff --git a/deploy/secrets.tf b/deploy/secrets.tf
@@ -0,0 +1,14 @@
+
+resource "aws_ssm_parameter" "api_token" {
+  name  = "gmyshark-api-token"
+  type  = "SecureString"
+  value = random_password.api_token.result
+}
+
+resource "random_password" "api_token" {
+  length           = 16
+  special          = true
+  upper            = true
+  lower            = true
+  override_special = "!@#$_-"
+}

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,6 @@`
`1`	`1`	`data "aws_iam_policy" "lambda_execution" {`
`2`	`2`	`arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"`
	`3`	`+}`
	`4`	`+data "aws_iam_policy" "ssm_readonly" {`
	`5`	`+ arn = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"`
`3`	`6`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+output "api_base_url" {`
	`2`	`+ value = aws_apigatewayv2_api.pack_calc.api_endpoint`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -21,3 +21,7 @@ resource "aws_iam_role_policy_attachment" "lambda_execution" {`
`21`	`21`	`role = aws_iam_role.lambda.name`
`22`	`22`	`policy_arn = data.aws_iam_policy.lambda_execution.arn`
`23`	`23`	`}`
	`24`	`+resource "aws_iam_role_policy_attachment" "ssm_readonly" {`
	`25`	`+ role = aws_iam_role.lambda.name`
	`26`	`+ policy_arn = data.aws_iam_policy.ssm_readonly.arn`
	`27`	`+}`