Merge pull request #233 from DemocracyClub/feat/basic-auth-lambda-2

Feat/basic auth lambda 2
DemocracyClub · Nov 19, 2024 · 0043dda · 0043dda
2 parents db71529 + d6d6302
commit 0043dda
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 7 deletions.
diff --git a/ec_api/lambda_frontend_auth.py b/ec_api/lambda_frontend_auth.py
@@ -0,0 +1,21 @@
+def lambda_handler(event, context):
+    headers = event.get("headers", {})
+    auth = headers.get("Authorization")
+    dc_auth = "Basic ZGM6ZGM="  # dc:dc in base64
+
+    if auth == dc_auth:
+        return {
+            "principalId": "dc",
+            "policyDocument": {
+                "Version": "2012-10-17",
+                "Statement": [
+                    {
+                        "Action": "execute-api:Invoke",
+                        "Effect": "Allow",
+                        "Resource": "*",
+                    }
+                ],
+            },
+        }
+
+    raise Exception("Unauthorized")
diff --git a/template.yaml b/template.yaml
@@ -1,5 +1,7 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Transform: AWS::Serverless-2016-10-31
+Transform:
+  - AWS::LanguageExtensions
+  - AWS::Serverless-2016-10-31
 Description: "EC API app: Lambda, API Gateway"
 
 Globals:
@@ -82,6 +84,11 @@ Parameters:
     Description: "The API to use to authenticate to devs.DC"
     Type: AWS::SSM::Parameter::Value<String>
 
+Conditions:
+  UseBasicAuth: !Or
+    - !Equals [ !Ref DCEnvironment, development ]
+    - !Equals [ !Ref DCEnvironment, staging ]
+
 Resources:
   DependenciesLayer:
     Type: AWS::Serverless::LayerVersion
@@ -121,6 +128,7 @@ Resources:
         HTTPRequests:
           Type: Api
           Properties:
+            RestApiId: !Ref FrontendAPI
             Path: /{proxy+}
             Method: ANY
         HTTPRequestRoots:
@@ -146,7 +154,26 @@ Resources:
         AllowMethods: "'GET'"
         AllowOrigin: "'*'"
         MaxAge: "'600'"
+      Auth:
+        DefaultAuthorizer: !If [ UseBasicAuth, "FrontendAuthFunction", !Ref AWS::NoValue]
+        Authorizers:
+          FrontendAuthFunction:
+            FunctionArn: !GetAtt FrontendAuthFunction.Arn
+            FunctionPayloadType: REQUEST
+            Identity:
+              Headers:
+                - Authorization
+              ReauthorizeEvery: 3600
 
+  BasicAuthGatewayResponse:
+    Condition: UseBasicAuth
+    Type: AWS::ApiGateway::GatewayResponse
+    Properties:
+      ResponseParameters:
+        gatewayresponse.header.www-authenticate: "'Basic realm=\"Restricted\"'"
+      ResponseType: UNAUTHORIZED
+      RestApiId: !Ref FrontendAPI
+      StatusCode: '401'
 
   ECAPI:
     Type: AWS::Serverless::Api
@@ -167,6 +194,14 @@ Resources:
                 - token
               ReauthorizeEvery: 3600
 
+  FrontendAuthFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      Role: !Sub "arn:aws:iam::${AWS::AccountId}:role/ECApiLambdaExecutionRole"
+      CodeUri: ./ec_api/
+      Handler: lambda_frontend_auth.lambda_handler
+      Runtime: python3.12
+
   APIAuthFunction:
     Type: AWS::Serverless::Function
     Properties:
@@ -208,12 +243,6 @@ Resources:
             Method: GET
 
 Outputs:
-  ECApiFqdn:
-    Description: "API Gateway endpoint FQDN for EC API function"
-    Value: !Sub "${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com"
-    Export:
-      Name: !Join [ ":", [ !Ref "AWS::StackName", "ECApiFqdn" ] ]
-
   ECApiFrontendFqdn:
     Description: "API Gateway endpoint FQDN for EC API function"
     Value: !Sub "${FrontendAPI}.execute-api.${AWS::Region}.amazonaws.com"