112 lines
3.0 KiB
Python
112 lines
3.0 KiB
Python
from http.cookies import SimpleCookie
|
|
|
|
import jwt
|
|
from authlib.oauth2.rfc6749 import errors
|
|
from authlib.oauth2.rfc6749.util import scope_to_list
|
|
from aws_lambda_powertools import Logger
|
|
from aws_lambda_powertools.event_handler.api_gateway import Router
|
|
from aws_lambda_powertools.event_handler.exceptions import (
|
|
BadRequestError,
|
|
ForbiddenError,
|
|
ServiceError,
|
|
UnauthorizedError,
|
|
)
|
|
from layercake.dynamodb import DynamoDBPersistenceLayer, KeyPair, SortKey
|
|
|
|
from boto3clients import dynamodb_client
|
|
from config import ISSUER, OAUTH2_TABLE, SESSION_SECRET
|
|
from oauth2 import server
|
|
|
|
router = Router()
|
|
logger = Logger(__name__)
|
|
dyn = DynamoDBPersistenceLayer(OAUTH2_TABLE, dynamodb_client)
|
|
|
|
|
|
@router.get('/authorize')
|
|
def authorize():
|
|
current_event = router.current_event
|
|
cookies = _parse_cookies(current_event.get('cookies', []))
|
|
session_id = cookies.get('session_id')
|
|
|
|
if not session_id:
|
|
raise BadRequestError('Missing session_id')
|
|
|
|
try:
|
|
sub, session_scope = verify_session(session_id)
|
|
grant = server.get_consent_grant(
|
|
request=router.current_event,
|
|
end_user=sub,
|
|
)
|
|
client_scopes = set(scope_to_list(grant.client.scope))
|
|
user_scopes = set(scope_to_list(session_scope)) if session_scope else set()
|
|
|
|
# Deny authorization if user lacks scopes requested by client
|
|
if not client_scopes.issubset(user_scopes):
|
|
raise ForbiddenError('Access denied')
|
|
|
|
return server.create_authorization_response(
|
|
request=router.current_event,
|
|
grant_user=sub,
|
|
grant=grant,
|
|
)
|
|
except jwt.exceptions.InvalidTokenError as err:
|
|
logger.exception(err)
|
|
raise BadRequestError(str(err))
|
|
except errors.OAuth2Error as err:
|
|
logger.exception(err)
|
|
raise ServiceError(
|
|
status_code=err.status_code,
|
|
msg=dict(err.get_body()), # type: ignore
|
|
)
|
|
|
|
|
|
def verify_session(session_id: str) -> tuple[str, str | None]:
|
|
payload = jwt.decode(
|
|
session_id,
|
|
SESSION_SECRET,
|
|
algorithms=['HS256'],
|
|
issuer=ISSUER,
|
|
options={
|
|
'require': ['exp', 'sub', 'iss', 'sid'],
|
|
},
|
|
)
|
|
|
|
user = dyn.collection.get_items(
|
|
KeyPair(
|
|
pk='SESSION',
|
|
sk=payload['sid'],
|
|
rename_key='session',
|
|
)
|
|
+ KeyPair(
|
|
pk=payload['sub'],
|
|
sk=SortKey(
|
|
sk='SCOPE',
|
|
path_spec='scope',
|
|
rename_key='scope',
|
|
),
|
|
),
|
|
flatten_top=False,
|
|
)
|
|
|
|
if 'session' not in user:
|
|
raise SessionRevokedError('Session revoked')
|
|
|
|
return payload['sub'], user.get('scope')
|
|
|
|
|
|
def _parse_cookies(cookies: list[str] | None) -> dict[str, str]:
|
|
parsed_cookies = {}
|
|
|
|
if not cookies:
|
|
return parsed_cookies
|
|
|
|
for s in cookies:
|
|
c = SimpleCookie()
|
|
c.load(s)
|
|
parsed_cookies.update({k: morsel.value for k, morsel in c.items()})
|
|
|
|
return parsed_cookies
|
|
|
|
|
|
class SessionRevokedError(UnauthorizedError): ...
|