@jcdubs/janus 1.0.1 → 1.2.0
- package/README.md +156 -12
- package/dist/auth-lambda/auth-lambda.d.ts +2 -2
- package/dist/auth-lambda/auth-lambda.js +3 -3
- package/dist/auth-lambda/auth-lambda.js.map +1 -1
- package/dist/auth-lambda/index.d.ts +1 -1
- package/dist/authorization-middleware/authorization-middleware.d.ts +3 -3
- package/dist/authorization-middleware/authorization-middleware.js +5 -5
- package/dist/authorization-middleware/index.d.ts +1 -1
- package/dist/authorization-service/authorization-service.d.ts +4 -4
- package/dist/authorization-service/authorization-service.d.ts.map +1 -1
- package/dist/authorization-service/authorization-service.js +19 -19
- package/dist/authorization-service/authorization-service.js.map +1 -1
- package/dist/authorization-service/authorization-tests/config.d.ts +1 -1
- package/dist/authorization-service/authorization-tests/config.js +4 -4
- package/dist/authorization-service/authorization-tests/create-order-entity.d.ts +1 -1
- package/dist/authorization-service/authorization-tests/get-policy.js +2 -2
- package/dist/authorization-service/index.d.ts +2 -2
- package/dist/authorization-service/policy-parser.d.ts +1 -1
- package/dist/authorization-service/policy-parser.js +14 -14
- package/dist/entity-builder/entity-builder.d.ts +90 -0
- package/dist/entity-builder/entity-builder.d.ts.map +1 -0
- package/dist/entity-builder/entity-builder.js +159 -0
- package/dist/entity-builder/entity-builder.js.map +1 -0
- package/dist/entity-builder/index.d.ts +2 -0
- package/dist/entity-builder/index.d.ts.map +1 -0
- package/dist/entity-builder/index.js +18 -0
- package/dist/entity-builder/index.js.map +1 -0
- package/dist/errors/index.d.ts +6 -6
- package/dist/errors/missing-authenticated-user-details-error/index.d.ts +1 -1
- package/dist/errors/missing-authenticated-user-details-error/missing-authenticated-user-details-error.js +2 -2
- package/dist/errors/missing-authorization-action-error/index.d.ts +1 -1
- package/dist/errors/missing-authorization-action-error/missing-authorization-action-error.js +2 -2
- package/dist/errors/missing-authorization-policy-error/index.d.ts +1 -1
- package/dist/errors/missing-authorization-policy-error/missing-authorization-policy-error.js +2 -2
- package/dist/errors/missing-authorization-resource-error/index.d.ts +1 -1
- package/dist/errors/missing-authorization-resource-error/missing-authorization-resource-error.js +2 -2
- package/dist/errors/missing-authorization-schema-error/index.d.ts +1 -1
- package/dist/errors/missing-authorization-schema-error/missing-authorization-schema-error.js +2 -2
- package/dist/errors/unauthorized-error/index.d.ts +1 -1
- package/dist/errors/unauthorized-error/unauthorized-error.js +1 -1
- package/dist/file-loader/file-loader.js +1 -1
- package/dist/file-loader/index.d.ts +1 -1
- package/dist/index.d.ts +7 -5
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +2 -0
- package/dist/index.js.map +1 -1
- package/dist/setupTests.js +5 -5
- package/dist/types.d.ts +25 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +3 -0
- package/dist/types.js.map +1 -0
- package/dist/user-details/index.d.ts +1 -1
- package/dist/user-details/user-details-service.d.ts +1 -1
- package/dist/user-details/user-details-service.js +9 -9
- package/package.json +6 -4
package/README.md
CHANGED
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
# Janus
|
|
2
2
|
|
|
3
|
+
|
|
3
4
|
[](https://github.com/JCDubs/Janus/actions/workflows/main.yaml)
|
|
4
5
|
[](https://opensource.org/licenses/MIT)
|
|
5
6
|
[](https://nodejs.org)
|
|
@@ -16,6 +17,8 @@ Open source serverless authentication: A Cedar-based authorization engine for de
|
|
|
16
17
|
|
|
17
18
|
Janus is a TypeScript library that provides fine-grained, policy-based authorization for AWS Lambda functions using [Cedar](https://www.cedarpolicy.com/). It enables you to define complex authorization rules and evaluate them efficiently within your serverless applications.
|
|
18
19
|
|
|
20
|
+
Janus is based on the pattern discussed in this blog post: [Serverless: Granular Authorisation with Cedar — High control, minimal cost](https://medium.com/@jcdubs/serverless-granular-authorisation-with-cedar-high-control-minimal-cost-1149640f8cd9).
|
|
21
|
+
|
|
19
22
|
### Key Features
|
|
20
23
|
|
|
21
24
|
- 🔐 **Cedar Policy Engine** - Leverage Amazon's Cedar policy language for authorization
|
|
@@ -115,31 +118,112 @@ namespace OrderService {
|
|
|
115
118
|
}
|
|
116
119
|
```
|
|
117
120
|
|
|
121
|
+
### Implement the Auth Lambda
|
|
122
|
+
|
|
123
|
+
The following example demonstrates a simple AWS Lambda handler that uses the middleware
|
|
124
|
+
to load Cedar authorization and then performs an authorization check inside the handler.
|
|
125
|
+
|
|
126
|
+
```typescript
|
|
127
|
+
import middy from '@middy/core';
|
|
128
|
+
import type { APIGatewayProxyEvent, APIGatewayProxyResult } from 'aws-lambda';
|
|
129
|
+
import {
|
|
130
|
+
loadCedarAuthorization,
|
|
131
|
+
AuthorizationService,
|
|
132
|
+
EntityBuilder,
|
|
133
|
+
getUserName,
|
|
134
|
+
} from '@jcdubs/janus';
|
|
135
|
+
|
|
136
|
+
const authorizationConfig = {
|
|
137
|
+
namespace: 'OrderService::',
|
|
138
|
+
principleType: 'User',
|
|
139
|
+
resourceType: 'Order',
|
|
140
|
+
roleType: 'Role',
|
|
141
|
+
};
|
|
142
|
+
|
|
143
|
+
const handler = async (
|
|
144
|
+
event: APIGatewayProxyEvent,
|
|
145
|
+
): Promise<APIGatewayProxyResult> => {
|
|
146
|
+
// AuthorizationService is cached by the middleware, but retrieving it here is safe
|
|
147
|
+
// and inexpensive (cached) and makes the intent explicit in the handler.
|
|
148
|
+
const authService = await AuthorizationService.getService(authorizationConfig);
|
|
149
|
+
|
|
150
|
+
const resourceId = event.pathParameters?.orderId ?? 'order-123';
|
|
151
|
+
|
|
152
|
+
const isAuthorized = authService
|
|
153
|
+
.setAction('viewOrder')
|
|
154
|
+
.setResource(resourceId)
|
|
155
|
+
.addEntity(
|
|
156
|
+
new EntityBuilder(resourceId, authorizationConfig)
|
|
157
|
+
.withStringAttr('customerId', getUserName())
|
|
158
|
+
.build(),
|
|
159
|
+
)
|
|
160
|
+
.isAuthorized();
|
|
161
|
+
|
|
162
|
+
return {
|
|
163
|
+
statusCode: isAuthorized ? 200 : 403,
|
|
164
|
+
body: JSON.stringify({ allowed: isAuthorized }),
|
|
165
|
+
};
|
|
166
|
+
};
|
|
167
|
+
|
|
168
|
+
export const main = middy(handler).use(loadCedarAuthorization(authorizationConfig));
|
|
169
|
+
```
|
|
170
|
+
|
|
118
171
|
### 3. Use the Authorization Service
|
|
119
172
|
|
|
120
173
|
```typescript
|
|
121
|
-
import { AuthorizationService } from '@jcdubs/janus';
|
|
174
|
+
import { AuthorizationService, EntityBuilder } from '@jcdubs/janus';
|
|
122
175
|
|
|
123
|
-
//
|
|
124
|
-
const
|
|
176
|
+
// Define the authorization configuration and initialize the service (cached as a singleton)
|
|
177
|
+
const authorizationConfig = {
|
|
125
178
|
namespace: 'OrderService::',
|
|
126
179
|
principleType: 'User',
|
|
127
180
|
resourceType: 'Order',
|
|
128
181
|
roleType: 'Role'
|
|
129
|
-
}
|
|
182
|
+
};
|
|
183
|
+
|
|
184
|
+
const authService = await AuthorizationService.getService(authorizationConfig);
|
|
185
|
+
|
|
186
|
+
// Examples showing varied `EntityBuilder` usage patterns
|
|
187
|
+
|
|
188
|
+
// Minimal: build an entity with only UID
|
|
189
|
+
const isAuthorizedMinimal = authService
|
|
190
|
+
.setAction('viewOrder')
|
|
191
|
+
.setResource('order-123')
|
|
192
|
+
.addEntity(new EntityBuilder('order-123', authorizationConfig).build())
|
|
193
|
+
.isAuthorized();
|
|
130
194
|
|
|
131
|
-
//
|
|
132
|
-
const
|
|
195
|
+
// Typical: add a few simple attributes
|
|
196
|
+
const isAuthorizedTypical = authService
|
|
133
197
|
.setAction('viewOrder')
|
|
134
198
|
.setResource('order-123')
|
|
135
|
-
.addEntity(
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
199
|
+
.addEntity(
|
|
200
|
+
new EntityBuilder('order-123', authorizationConfig)
|
|
201
|
+
.withStringAttr('customerId', 'user-456')
|
|
202
|
+
.withStringAttr('status', 'PENDING')
|
|
203
|
+
.withNumberAttr('items', 3)
|
|
204
|
+
.build()
|
|
205
|
+
)
|
|
140
206
|
.isAuthorized();
|
|
141
207
|
|
|
142
|
-
|
|
208
|
+
// Full: include sets, references, extension attrs, parents and tags
|
|
209
|
+
const isAuthorizedFull = authService
|
|
210
|
+
.setAction('viewOrder')
|
|
211
|
+
.setResource('order-123')
|
|
212
|
+
.addEntity(
|
|
213
|
+
new EntityBuilder('order-123', authorizationConfig)
|
|
214
|
+
.withStringAttr('customerId', 'user-456')
|
|
215
|
+
.withBooleanAttr('active', true)
|
|
216
|
+
.withNumberAttr('items', 5)
|
|
217
|
+
.withSetAttr('flags', ['flagA', 'flagB'])
|
|
218
|
+
.withAttr('owner', 'u1', authorizationConfig.principleType)
|
|
219
|
+
.withExtnAttr('ip', 'ipaddr', '192.168.1.10')
|
|
220
|
+
.withParent('role-1', 'Role')
|
|
221
|
+
.withTag('label', 'lbl1', 'Label')
|
|
222
|
+
.build()
|
|
223
|
+
)
|
|
224
|
+
.isAuthorized();
|
|
225
|
+
|
|
226
|
+
logger.info('Create authorisation requests', isAuthorizedMinimal, isAuthorizedTypical, isAuthorizedFull);
|
|
143
227
|
```
|
|
144
228
|
|
|
145
229
|
## API Reference
|
|
@@ -243,6 +327,56 @@ const handler = middy(async (event) => {
|
|
|
243
327
|
}));
|
|
244
328
|
```
|
|
245
329
|
|
|
330
|
+
### Auth Lambda Construct
|
|
331
|
+
|
|
332
|
+
Provides a CDK construct to bundle a Node.js Lambda with Cedar policy and schema files and the Cedar WASM runtime.
|
|
333
|
+
|
|
334
|
+
- **Export:** `AuthLambda` (class)
|
|
335
|
+
- **Props:** `AuthLambdaProps` — extends `NodejsFunctionProps` and adds `authorisation: { policyFilePath: string; schemaFilePath: string }`.
|
|
336
|
+
|
|
337
|
+
Usage: Use `AuthLambda` in CDK stacks to ensure Cedar policies and schema are bundled with the Lambda package and the Cedar WASM runtime copied into `node_modules/@cedar-policy/cedar-wasm`. In particular, `AuthLambda` makes sure the `@cedar-policy/cedar-wasm` package, your Cedar policy file (for example `policies.cedar`) and your Cedar schema file (for example `schema.cedarschema`) are included in the Lambda deployment package so they are available at runtime.
|
|
338
|
+
|
|
339
|
+
### EntityBuilder
|
|
340
|
+
|
|
341
|
+
Fluent builder for creating Cedar entity JSON objects used in authorization requests.
|
|
342
|
+
|
|
343
|
+
- **Export:** `EntityBuilder` (class)
|
|
344
|
+
- **Constructor:** `new EntityBuilder(id: string, authorizationConfig: AuthorizationConfigType, type?: string)`
|
|
345
|
+
- **Common Methods:** `withAttr(name, id, type)`, `withExtnAttr(name, fn, arg)`, `withBooleanAttr(name, value)`, `withNumberAttr(name, value)`, `withStringAttr(name, value)`, `withSetAttr(name, value)`, `withParent(id, type)`, `withTag(name, id, type)`, `build()` — returns `EntityJson`.
|
|
346
|
+
|
|
347
|
+
Example usage is shown in the Quick Start section above.
|
|
348
|
+
|
|
349
|
+
### File Loader
|
|
350
|
+
|
|
351
|
+
Small utility to read bundled files (Cedar policy and schema) from the Lambda package.
|
|
352
|
+
|
|
353
|
+
- **Export:** `loadFileAsString(fileName: string): string`
|
|
354
|
+
|
|
355
|
+
Throws an `Error` if the file cannot be read. Typically used by the `AuthorizationService` to load `policies.cedar` and `schema.cedarschema`.
|
|
356
|
+
|
|
357
|
+
### Types
|
|
358
|
+
|
|
359
|
+
Shared TypeScript types used across the library.
|
|
360
|
+
|
|
361
|
+
- `TypeAndId` — `{ type: string; id: string }`
|
|
362
|
+
- `EntityUidJson` — `{ __entity: TypeAndId } | TypeAndId`
|
|
363
|
+
- `CedarValueJson` — union of entity refs, extn values, primitives, arrays, objects, or null
|
|
364
|
+
- `FnAndArg` — `{ fn: string; arg: CedarValueJson }`
|
|
365
|
+
- `EntityJson` — `{ uid: EntityUidJson; attrs: Record<string, CedarValueJson>; parents: EntityUidJson[]; tags?: Record<string, CedarValueJson> }`
|
|
366
|
+
|
|
367
|
+
### Errors
|
|
368
|
+
|
|
369
|
+
The library exports a set of specific error classes used by the authorization flow.
|
|
370
|
+
|
|
371
|
+
- `MissingAuthenticatedUserDetailsError`
|
|
372
|
+
- `MissingAuthorizationActionError`
|
|
373
|
+
- `MissingAuthorizationPolicyError`
|
|
374
|
+
- `MissingAuthorizationResourceError`
|
|
375
|
+
- `MissingAuthorizationSchemaError`
|
|
376
|
+
- `UnauthorizedError`
|
|
377
|
+
|
|
378
|
+
These are exported from the `errors` module and are thrown by the `AuthorizationService` and middleware where applicable.
|
|
379
|
+
|
|
246
380
|
## User Details
|
|
247
381
|
|
|
248
382
|
The library provides utilities to extract user information from Lambda events:
|
|
@@ -267,6 +401,15 @@ The library provides specific error classes for different authorization failures
|
|
|
267
401
|
|
|
268
402
|
## Examples
|
|
269
403
|
|
|
404
|
+
### Order Service Example
|
|
405
|
+
|
|
406
|
+
The `examples/order-service` project demonstrates a complete integration of Janus in a real-world serverless service. It shows how the Janus CDK construct, middleware and SDK are used together to provide Cedar-based authorization for AWS Lambda CRUD handlers.
|
|
407
|
+
|
|
408
|
+
- **Janus Integration**: The example uses the provided `Auth` Lambda construct and the `authorizationMiddleware` to bundle and load Cedar policy and schema files. The authorization checks inside the order CRUD Lambdas use the `AuthorizationService` from the Janus SDK (via the auth secondary adapter) to evaluate requests against the deployed Cedar policies and schema.
|
|
409
|
+
- **Full CRUD API**: The example implements a full Create/Read/Update/Delete API for `orders` backed by the included lambda handlers.
|
|
410
|
+
- **Scripts**: See the `examples/order-service/scripts` directory — it contains scripts to hydrate the database, create users and groups in the Cognito user pool, and login scripts for individual users associated with specific groups.
|
|
411
|
+
- **Postman Collection**: A Postman collection (`Auth.postman_collection.json`) is included in the example. It contains requests that exercise each user and group against the Cedar policy and schema files deployed with the order CRUD Lambdas.
|
|
412
|
+
|
|
270
413
|
See the [authorization-tests](./src/authorization-service/authorization-tests/) directory for comprehensive examples including:
|
|
271
414
|
|
|
272
415
|
- Customer role permissions
|
|
@@ -282,6 +425,7 @@ See the [authorization-tests](./src/authorization-service/authorization-tests/)
|
|
|
282
425
|
- [Cedar Policy Blog](https://www.cedarpolicy.com/blog)
|
|
283
426
|
- [Cedar SDK](https://github.com/cedar-policy)
|
|
284
427
|
- [Cedar Policy Playground](https://www.cedarpolicy.com/en/playground)
|
|
428
|
+
- [Serverless: Granular Authorisation with Cedar — High control, minimal cost (blog post)](https://medium.com/@jcdubs/serverless-granular-authorisation-with-cedar-high-control-minimal-cost-1149640f8cd9)
|
|
285
429
|
|
|
286
430
|
## Development
|
|
287
431
|
|
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import * as njsLambda from
|
|
2
|
-
import type { Construct } from
|
|
1
|
+
import * as njsLambda from 'aws-cdk-lib/aws-lambda-nodejs';
|
|
2
|
+
import type { Construct } from 'constructs';
|
|
3
3
|
/**
|
|
4
4
|
* Configuration properties for the AuthLambda construct.
|
|
5
5
|
*
|
|
@@ -96,7 +96,7 @@ class AuthLambda extends njsLambda.NodejsFunction {
|
|
|
96
96
|
return [
|
|
97
97
|
`echo "Copying node_modules/@cedar-policy/cedar-wasm directory to Lambda package..."`,
|
|
98
98
|
`mkdir -p ${outputDir}/node_modules/@cedar-policy/cedar-wasm/`,
|
|
99
|
-
`cp -r ${inputDir}/node_modules/janus/vendor/@cedar-policy/cedar-wasm ${outputDir}/node_modules/@cedar-policy/`,
|
|
99
|
+
`cp -r ${inputDir}/node_modules/@jcdubs/janus/vendor/@cedar-policy/cedar-wasm ${outputDir}/node_modules/@cedar-policy/`,
|
|
100
100
|
`echo "node_modules/@cedar-policy/cedar-wasm directory copied successfully to ${outputDir}/node_modules/@cedar-policy"`,
|
|
101
101
|
`echo "Copying policy and schema files to Lambda package..."`,
|
|
102
102
|
`cp ${props.authorisation.policyFilePath} ${outputDir}/policies.cedar`,
|
|
@@ -107,8 +107,8 @@ class AuthLambda extends njsLambda.NodejsFunction {
|
|
|
107
107
|
},
|
|
108
108
|
externalModules: [
|
|
109
109
|
...(props.bundling?.externalModules || []),
|
|
110
|
-
|
|
111
|
-
|
|
110
|
+
'@aws-sdk*',
|
|
111
|
+
'@cedar-policy/cedar-wasm',
|
|
112
112
|
],
|
|
113
113
|
},
|
|
114
114
|
});
|
|
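Review bot: The corrected copy command on line 99 still interpolates `inputDir` and `outputDir` into the shell string unquoted, so a bundling directory whose path contains a space or a shell metacharacter breaks the command, and the same applies to `props.authorisation.policyFilePath` on line 102. Quoting each interpolated path — `"${inputDir}/node_modules/@jcdubs/janus/vendor/@cedar-policy/cedar-wasm"` and `"${outputDir}/node_modules/@cedar-policy/"` — keeps the command intact regardless of what the bundler passes in. The new path also assumes the package is installed at the top level of the consumer's `node_modules`; a package manager that does not hoist would presumably place it elsewhere and the `cp` would fail at synth time, so resolving the vendor directory with `require.resolve` looks more robust, though I cannot confirm consumer layouts from here. The enclosing method of `AuthLambda` starts and ends outside both hunks.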
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth-lambda.js","sourceRoot":"","sources":["../../src/auth-lambda/auth-lambda.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,yEAA2D;AAuC3D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,MAAa,UAAW,SAAQ,SAAS,CAAC,cAAc;IACvD;;;;;;;;OAQG;IACH,YAAY,KAAgB,EAAE,EAAU,EAAE,KAAsB;QAC/D,KAAK,CAAC,KAAK,EAAE,EAAE,EAAE;YAChB,GAAG,KAAK;YACR,QAAQ,EAAE;gBACT,GAAG,KAAK,CAAC,QAAQ;gBACjB,YAAY,EAAE;oBACb,cAAc,CAAC,SAAiB,EAAE,UAAkB;wBACnD,OAAO,CAAC,0DAA0D,CAAC,CAAC;oBACrE,CAAC;oBACD,aAAa,CAAC,SAAiB,EAAE,UAAkB;wBAClD,OAAO,EAAE,CAAC;oBACX,CAAC;oBACD,aAAa,CAAC,QAAgB,EAAE,SAAiB;wBAChD,OAAO;4BACN,qFAAqF;4BACrF,YAAY,SAAS,yCAAyC;4BAC9D,SAAS,QAAQ,
|
|
1
|
+
{"version":3,"file":"auth-lambda.js","sourceRoot":"","sources":["../../src/auth-lambda/auth-lambda.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,yEAA2D;AAuC3D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,MAAa,UAAW,SAAQ,SAAS,CAAC,cAAc;IACvD;;;;;;;;OAQG;IACH,YAAY,KAAgB,EAAE,EAAU,EAAE,KAAsB;QAC/D,KAAK,CAAC,KAAK,EAAE,EAAE,EAAE;YAChB,GAAG,KAAK;YACR,QAAQ,EAAE;gBACT,GAAG,KAAK,CAAC,QAAQ;gBACjB,YAAY,EAAE;oBACb,cAAc,CAAC,SAAiB,EAAE,UAAkB;wBACnD,OAAO,CAAC,0DAA0D,CAAC,CAAC;oBACrE,CAAC;oBACD,aAAa,CAAC,SAAiB,EAAE,UAAkB;wBAClD,OAAO,EAAE,CAAC;oBACX,CAAC;oBACD,aAAa,CAAC,QAAgB,EAAE,SAAiB;wBAChD,OAAO;4BACN,qFAAqF;4BACrF,YAAY,SAAS,yCAAyC;4BAC9D,SAAS,QAAQ,+DAA+D,SAAS,8BAA8B;4BACvH,gFAAgF,SAAS,8BAA8B;4BACvH,6DAA6D;4BAC7D,MAAM,KAAK,CAAC,aAAa,CAAC,cAAc,IAAI,SAAS,iBAAiB;4BACtE,MAAM,KAAK,CAAC,aAAa,CAAC,cAAc,IAAI,SAAS,qBAAqB;4BAC1E,wDAAwD,SAAS,GAAG;yBACpE,CAAC;oBACH,CAAC;iBACD;gBACD,eAAe,EAAE;oBAChB,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,eAAe,IAAI,EAAE,CAAC;oBAC1C,WAAW;oBACX,0BAA0B;iBAC1B;aACD;SACD,CAAC,CAAC;IACJ,CAAC;CACD;AA3CD,gCA2CC"}
|
|
@@ -1,2 +1,2 @@
|
|
|
1
|
-
export * from
|
|
1
|
+
export * from './auth-lambda';
|
|
2
2
|
//# sourceMappingURL=index.d.ts.map
|
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
import type middy from
|
|
2
|
-
import type { APIGatewayProxyEvent, APIGatewayProxyResult } from
|
|
3
|
-
import { type AuthorizationConfigType } from
|
|
1
|
+
import type middy from '@middy/core';
|
|
2
|
+
import type { APIGatewayProxyEvent, APIGatewayProxyResult } from 'aws-lambda';
|
|
3
|
+
import { type AuthorizationConfigType } from '../authorization-service';
|
|
4
4
|
/**
|
|
5
5
|
* Middy middleware that loads Cedar authorization and user details for policy-based authorization.
|
|
6
6
|
*
|
|
@@ -4,7 +4,7 @@ exports.loadCedarAuthorization = void 0;
|
|
|
4
4
|
const logger_1 = require("@aws-lambda-powertools/logger");
|
|
5
5
|
const authorization_service_1 = require("../authorization-service");
|
|
6
6
|
const user_details_1 = require("../user-details");
|
|
7
|
-
const logger = new logger_1.Logger({ serviceName:
|
|
7
|
+
const logger = new logger_1.Logger({ serviceName: 'authorization-middleware' });
|
|
8
8
|
/**
|
|
9
9
|
* Middy middleware that loads Cedar authorization and user details for policy-based authorization.
|
|
10
10
|
*
|
|
@@ -76,16 +76,16 @@ const logger = new logger_1.Logger({ serviceName: "authorization-middleware" });
|
|
|
76
76
|
*/
|
|
77
77
|
const loadCedarAuthorization = (authorizationConfig) => {
|
|
78
78
|
const before = async (request) => {
|
|
79
|
-
logger.debug(
|
|
79
|
+
logger.debug('Loading authorization services...', {
|
|
80
80
|
authorizationConfig,
|
|
81
81
|
});
|
|
82
|
-
const refresh = request.event.headers?.[
|
|
83
|
-
? request.event.headers[
|
|
82
|
+
const refresh = request.event.headers?.['cedar-refresh']
|
|
83
|
+
? request.event.headers['cedar-refresh'] === 'true'
|
|
84
84
|
: false;
|
|
85
85
|
(0, user_details_1.setUserDetails)(request.event);
|
|
86
86
|
await authorization_service_1.AuthorizationService.getService(authorizationConfig, refresh);
|
|
87
87
|
};
|
|
88
|
-
logger.debug(
|
|
88
|
+
logger.debug('Authorization services loaded and configured.');
|
|
89
89
|
return {
|
|
90
90
|
before,
|
|
91
91
|
};
|
|
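Review bot: The `refresh` flag on lines 82–84 is derived from the caller-supplied `cedar-refresh` request header, so any client that can reach the function can make `getService` discard the cached service and reload and re-parse the policy and schema on every request; that extra file I/O and parsing is then under the caller's control rather than the operator's. If the refresh hook is meant for operators, gate it behind an explicit option on `loadCedarAuthorization` (or an environment variable) and ignore the header otherwise; if it exists only for local testing, say so in the middleware's TSDoc. The expression itself also reduces to `const refresh = request.event.headers?.['cedar-refresh'] === 'true';`, which is equivalent because an absent header already yields `false`. Separately, line 88 logs 'Authorization services loaded and configured.' when the middleware object is constructed, before `before` has ever run, so the message is misleading; move it to the end of `before` after the `await`. `loadCedarAuthorization` is fully visible in this hunk.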
@@ -1,2 +1,2 @@
|
|
|
1
|
-
export * from
|
|
1
|
+
export * from './authorization-middleware';
|
|
2
2
|
//# sourceMappingURL=index.d.ts.map
|
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import
|
|
2
|
-
import type { AuthorizationConfigType } from
|
|
1
|
+
import type { EntityJson } from '../types';
|
|
2
|
+
import type { AuthorizationConfigType } from './types';
|
|
3
3
|
/**
|
|
4
4
|
* Service for evaluating Cedar policy-based authorization requests.
|
|
5
5
|
*
|
|
@@ -124,7 +124,7 @@ export declare class AuthorizationService {
|
|
|
124
124
|
* });
|
|
125
125
|
* ```
|
|
126
126
|
*/
|
|
127
|
-
addEntity(entity:
|
|
127
|
+
addEntity(entity: EntityJson): AuthorizationService;
|
|
128
128
|
/**
|
|
129
129
|
* Replaces all entities with a new array of entities for the Cedar authorization request.
|
|
130
130
|
*
|
|
@@ -135,7 +135,7 @@ export declare class AuthorizationService {
|
|
|
135
135
|
* @remarks
|
|
136
136
|
* This replaces any previously added entities. Use {@link addEntity} to append individual entities.
|
|
137
137
|
*/
|
|
138
|
-
setEntities(entities:
|
|
138
|
+
setEntities(entities: EntityJson[]): AuthorizationService;
|
|
139
139
|
/**
|
|
140
140
|
* Validates that all required authorization properties are set.
|
|
141
141
|
*
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../../src/authorization-service/authorization-service.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../../src/authorization-service/authorization-service.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAG3C,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,SAAS,CAAC;AAMvD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AACH,qBAAa,oBAAoB;IAChC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAuB;IAC7C,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAA0B;IAC9D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAwB;IAC/C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,QAAQ,CAAqB;IACrC,OAAO,CAAC,OAAO,CAAmD;IAClE,OAAO,CAAC,QAAQ,CAA2B;IAE3C;;;;;;;;;;;OAWG;IACH,OAAO;IAUP;;;;;;;;;;;;;OAaG;IACH,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,oBAAoB;IAK/C;;;;;;;;;;;;;OAaG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,oBAAoB;IAKnD;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,SAAS,CAAC,MAAM,EAAE,UAAU,GAAG,oBAAoB;IAQnD;;;;;;;;;OASG;IACH,WAAW,CAAC,QAAQ,EAAE,UAAU,EAAE,GAAG,oBAAoB;IAKzD;;;;;;;;OAQG;IACH,OAAO,CAAC,+BAA+B;IAsBvC;;;;;;;;;OASG;IACH,OAAO,CAAC,YAAY;IASpB;;;;;;;;;;OAUG;IACH,OAAO,CAAC,mBAAmB;IAoB3B;;;;;;;;OAQG;IACH,OAAO,CAAC,qBAAqB;IAa7B;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,KAAK;IA0Cb;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,YAAY,IAAI,OAAO;IAgBvB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAsCG;WACU,UAAU,CACtB,mBAAmB,EAAE,uBAAuB,EAC5C,OAAO,UAAQ,GACb,OAAO,CAAC,oBAAoB,CAAC;CAkChC"}
|
|
@@ -40,9 +40,9 @@ const errors_1 = require("../errors");
|
|
|
40
40
|
const file_loader_1 = require("../file-loader/file-loader");
|
|
41
41
|
const user_details_1 = require("../user-details");
|
|
42
42
|
const policy_parser_1 = require("./policy-parser");
|
|
43
|
-
const logger = new logger_1.Logger({ serviceName:
|
|
44
|
-
const POLICY_FILE_NAME =
|
|
45
|
-
const SCHEMA_FILE_NAME =
|
|
43
|
+
const logger = new logger_1.Logger({ serviceName: 'authorization-service' });
|
|
44
|
+
const POLICY_FILE_NAME = 'policies.cedar';
|
|
45
|
+
const SCHEMA_FILE_NAME = 'schema.cedarschema';
|
|
46
46
|
/**
|
|
47
47
|
* Service for evaluating Cedar policy-based authorization requests.
|
|
48
48
|
*
|
|
@@ -202,17 +202,17 @@ class AuthorizationService {
|
|
|
202
202
|
validateAuthorizationProperties() {
|
|
203
203
|
// Validate that a username and roles is available.
|
|
204
204
|
if (!(0, user_details_1.getUserName)() || !(0, user_details_1.getRoles)()) {
|
|
205
|
-
logger.error(
|
|
205
|
+
logger.error('Authenticated user username or roles has not been provided');
|
|
206
206
|
throw new errors_1.MissingAuthenticatedUserDetailsError();
|
|
207
207
|
}
|
|
208
208
|
// Validate the cedar scope
|
|
209
209
|
if (!this.action) {
|
|
210
|
-
logger.error(
|
|
210
|
+
logger.error('Cedar authorization action has not been provided');
|
|
211
211
|
throw new errors_1.MissingAuthorizationActionError();
|
|
212
212
|
}
|
|
213
213
|
// Validate the cedar scope
|
|
214
214
|
if (!this.resource) {
|
|
215
|
-
logger.error(
|
|
215
|
+
logger.error('Cedar authorization resource has not been provided');
|
|
216
216
|
throw new errors_1.MissingAuthorizationResourceError();
|
|
217
217
|
}
|
|
218
218
|
}
|
|
@@ -249,7 +249,7 @@ class AuthorizationService {
|
|
|
249
249
|
constructUserEntity() {
|
|
250
250
|
const userName = (0, user_details_1.getUserName)();
|
|
251
251
|
if (!userName) {
|
|
252
|
-
logger.error(
|
|
252
|
+
logger.error('Authenticated user username has not been provided');
|
|
253
253
|
throw new errors_1.MissingAuthenticatedUserDetailsError();
|
|
254
254
|
}
|
|
255
255
|
return {
|
|
@@ -303,15 +303,15 @@ class AuthorizationService {
|
|
|
303
303
|
const roles = this.constructRoleEntities();
|
|
304
304
|
const userName = (0, user_details_1.getUserName)();
|
|
305
305
|
if (!userName) {
|
|
306
|
-
logger.error(
|
|
306
|
+
logger.error('Authenticated user username has not been provided');
|
|
307
307
|
throw new errors_1.MissingAuthenticatedUserDetailsError();
|
|
308
308
|
}
|
|
309
309
|
if (!this.action) {
|
|
310
|
-
logger.error(
|
|
310
|
+
logger.error('Cedar authorization action has not been provided');
|
|
311
311
|
throw new errors_1.MissingAuthorizationActionError();
|
|
312
312
|
}
|
|
313
313
|
if (!this.resource) {
|
|
314
|
-
logger.error(
|
|
314
|
+
logger.error('Cedar authorization resource has not been provided');
|
|
315
315
|
throw new errors_1.MissingAuthorizationResourceError();
|
|
316
316
|
}
|
|
317
317
|
return {
|
|
@@ -365,18 +365,18 @@ class AuthorizationService {
|
|
|
365
365
|
* ```
|
|
366
366
|
*/
|
|
367
367
|
isAuthorized() {
|
|
368
|
-
logger.debug(
|
|
368
|
+
logger.debug('Authorizing request...');
|
|
369
369
|
const builtAuthRequest = this.build();
|
|
370
|
-
logger.debug(
|
|
370
|
+
logger.debug('Built Authorization request', { builtAuthRequest });
|
|
371
371
|
const authResult = cedar.isAuthorized(builtAuthRequest);
|
|
372
|
-
logger.debug(
|
|
373
|
-
if (authResult.type ===
|
|
374
|
-
logger.debug(
|
|
372
|
+
logger.debug('Auth Result', { authResult });
|
|
373
|
+
if (authResult.type === 'failure') {
|
|
374
|
+
logger.debug('A problem occurred while authorizing the request', {
|
|
375
375
|
authResult,
|
|
376
376
|
});
|
|
377
|
-
throw Error(authResult.errors.map((error) => error.message).join(
|
|
377
|
+
throw Error(authResult.errors.map((error) => error.message).join('\n'));
|
|
378
378
|
}
|
|
379
|
-
return authResult.response.decision ===
|
|
379
|
+
return authResult.response.decision === 'allow';
|
|
380
380
|
}
|
|
381
381
|
/**
|
|
382
382
|
* Retrieves the singleton AuthorizationService instance, initializing it if needed.
|
|
@@ -419,7 +419,7 @@ class AuthorizationService {
|
|
|
419
419
|
*/
|
|
420
420
|
static async getService(authorizationConfig, refresh = false) {
|
|
421
421
|
if (!refresh && AuthorizationService.service) {
|
|
422
|
-
logger.debug(
|
|
422
|
+
logger.debug('Returning cached Authorization service');
|
|
423
423
|
return AuthorizationService.service;
|
|
424
424
|
}
|
|
425
425
|
let policy;
|
|
@@ -438,7 +438,7 @@ class AuthorizationService {
|
|
|
438
438
|
logger.error(err.message, { error: err });
|
|
439
439
|
throw new errors_1.MissingAuthorizationSchemaError();
|
|
440
440
|
}
|
|
441
|
-
logger.debug(
|
|
441
|
+
logger.debug('Policy and Schema loaded', {
|
|
442
442
|
policy,
|
|
443
443
|
schema,
|
|
444
444
|
});
|
|
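Review bot: In `isAuthorized` (lines 373–377) a Cedar evaluation failure is surfaced as a bare `Error` built from the joined Cedar diagnostics, while every other failure visible in this file is a dedicated class from `errors_1`, so callers cannot distinguish an evaluation failure from an unexpected exception without matching on message text, and if a handler lets it propagate the Cedar diagnostic text could reach the HTTP response. Throw a dedicated error type instead — for example an `AuthorizationEvaluationError` added to the errors module that keeps the joined messages on a property — and log the failure at error rather than debug level on line 374, since a malformed request or schema mismatch is not a routine event. Using `new` in that throw would also match the `new errors_1.…()` style on lines 206, 211 and 216. The checks on lines 305–316 repeat those in `validateAuthorizationProperties` (lines 204–217); if `build` already calls the validator the repeats are dead code, and either way a single helper would keep the messages in one place. `isAuthorized` is fully inside its hunk, but `build` and the `AuthorizationService` class extend beyond theirs.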
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorization-service.js","sourceRoot":"","sources":["../../src/authorization-service/authorization-service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,0DAAuD;AACvD,uEAAyD;AACzD,sCAMmB;AACnB,4DAA8D;
|
|
1
|
+
{"version":3,"file":"authorization-service.js","sourceRoot":"","sources":["../../src/authorization-service/authorization-service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,0DAAuD;AACvD,uEAAyD;AACzD,sCAMmB;AACnB,4DAA8D;AAE9D,kDAAwD;AACxD,mDAAqD;AAGrD,MAAM,MAAM,GAAG,IAAI,eAAM,CAAC,EAAE,WAAW,EAAE,uBAAuB,EAAE,CAAC,CAAC;AACpE,MAAM,gBAAgB,GAAG,gBAAgB,CAAC;AAC1C,MAAM,gBAAgB,GAAG,oBAAoB,CAAC;AAE9C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AACH,MAAa,oBAAoB;IAUhC;;;;;;;;;;;OAWG;IACH,YACC,MAAc,EACd,MAAc,EACd,mBAA4C;QAE5C,IAAI,CAAC,MAAM,GAAG,IAAA,kCAAkB,EAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,mBAAmB,GAAG,mBAAmB,CAAC;IAChD,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,SAAS,CAAC,MAAc;QACvB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,OAAO,IAAI,CAAC;IACb,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,WAAW,CAAC,QAAgB;QAC3B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,OAAO,IAAI,CAAC;IACb,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,SAAS,CAAC,MAAkB;QAC3B,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpB,IAAI,CAAC,QAAQ,GAAG,EAAE,CAAC;QACpB,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3B,OAAO,IAAI,CAAC;IACb,CAAC;IAED;;;;;;;;;OASG;IACH,WAAW,CAAC,QAAsB;QACjC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,OAAO,IAAI,CAAC;IACb,CAAC;IAED;;;;;;;;OAQG;IACK,+BAA+B;QACtC,mDAAmD;QACnD,IAAI,CAAC,IAAA,0BAAW,GAAE,IAAI,CAAC,IAAA,uBAAQ,GAAE,EAAE,CAAC;YACnC,MAAM,CAAC,KAAK,CACX,4DAA4D,CAC5D,CAAC;YACF,MAAM,IAAI,6CAAoC,EAAE,CAAC;QAClD,CAAC;QAED,2BAA2B;QAC3B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;YACjE,MAAM,IAAI,wCAA+B,EAAE,CAAC;QAC7C,CAAC;QAED,2BAA2B;QAC3B,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpB,MAAM,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;YACnE,MAAM,IAAI,0CAAiC,EAAE,CAAC;QAC/C,CAAC;IACF,CAAC;IAED;;;;;;;;;OASG;IACK,YAAY;QACnB,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACvC,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QACzB,CAAC;QAAC,OAAO,IAAI,EAAE,CAAC;YACf,OAAO,IAAI,CAAC,MAAM,CAAC;QACpB,CAAC;IACF,CAAC;IAED;;;;;;;;;;OAUG;IACK,mBAAmB;QAC1B,
MAAM,QAAQ,GAAG,IAAA,0BAAW,GAAE,CAAC;QAC/B,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;YAClE,MAAM,IAAI,6CAAoC,EAAE,CAAC;QAClD,CAAC;QACD,OAAO;YACN,GAAG,EAAE;gBACJ,IAAI,EAAE,GAAG,IAAI,CAAC,mBAAmB,CAAC,SAAS,GAAG,IAAI,CAAC,mBAAmB,CAAC,aAAa,EAAE;gBACtF,EAAE,EAAE,QAAQ;aACZ;YACD,KAAK,EAAE,EAAE;YACT,OAAO,EACN,IAAA,uBAAQ,GAAE,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;gBAC1B,IAAI,EAAE,GAAG,IAAI,CAAC,mBAAmB,CAAC,SAAS,GAAG,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE;gBACjF,EAAE,EAAE,IAAI;aACR,CAAC,CAAC,IAAI,EAAE;SACV,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACK,qBAAqB;QAC5B,OAAO,CACN,IAAA,uBAAQ,GAAE,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YAC1B,GAAG,EAAE;gBACJ,IAAI,EAAE,GAAG,IAAI,CAAC,mBAAmB,CAAC,SAAS,GAAG,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE;gBACjF,EAAE,EAAE,IAAI;aACR;YACD,KAAK,EAAE,EAAE;YACT,OAAO,EAAE,EAAE;SACX,CAAC,CAAC,IAAI,EAAE,CACT,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;;OAaG;IACK,KAAK;QACZ,IAAI,CAAC,+BAA+B,EAAE,CAAC;QAEvC,MAAM,IAAI,GAAG,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAE3C,MAAM,QAAQ,GAAG,IAAA,0BAAW,GAAE,CAAC;QAC/B,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;YAClE,MAAM,IAAI,6CAAoC,EAAE,CAAC;QAClD,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;YACjE,MAAM,IAAI,wCAA+B,EAAE,CAAC;QAC7C,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpB,MAAM,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;YACnE,MAAM,IAAI,0CAAiC,EAAE,CAAC;QAC/C,CAAC;QACD,OAAO;YACN,SAAS,EAAE;gBACV,IAAI,EAAE,GAAG,IAAI,CAAC,mBAAmB,CAAC,SAAS,GAAG,IAAI,CAAC,mBAAmB,CAAC,aAAa,EAAE;gBACtF,EAAE,EAAE,QAAQ;aACZ;YACD,MAAM,EAAE;gBACP,IAAI,EAAE,GAAG,IAAI,CAAC,mBAAmB,CAAC,SAAS,QAAQ;gBACnD,EAAE,EAAE,IAAI,CAAC,MAAM;aACf;YACD,QAAQ,EAAE;gBACT,IAAI,EAAE,GAAG,IAAI,CAAC,mBAAmB,CAAC,SAAS,GAAG,IAAI,CAAC,mBAAmB,CAAC,YAAY,EAAE;gBACrF,EAAE,EAAE,IAAI,CAAC,QAAQ;aACjB;YACD,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,EAAE;YAC3B,MAAM,EAAE,IAAI,CAAC,YAAY,EAAE;YAC3B,eAAe,EAAE,IAAI;YACrB,QAAQ,EAAE;gBACT,cAAc,EAAE,IAAI,CAAC,MAAM;aAC3B;YACD,QAAQ,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC
,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,EAAE,GAAG,KAAK,CAAC;SACpD,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,YAAY;QACX,MAAM,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QACvC,MAAM,gBAAgB,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAClE,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC;QACxD,MAAM,CAAC,KAAK,CAAC,aAAa,EAAE,EAAE,UAAU,EAAE,CAAC,CAAC;QAE5C,IAAI,UAAU,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,CAAC,KAAK,CAAC,kDAAkD,EAAE;gBAChE,UAAU;aACV,CAAC,CAAC;YACH,MAAM,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QACzE,CAAC;QACD,OAAO,UAAU,CAAC,QAAQ,CAAC,QAAQ,KAAM,OAA0B,CAAC;IACrE,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAsCG;IACH,MAAM,CAAC,KAAK,CAAC,UAAU,CACtB,mBAA4C,EAC5C,OAAO,GAAG,KAAK;QAEf,IAAI,CAAC,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,CAAC;YAC9C,MAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;YACvD,OAAO,oBAAoB,CAAC,OAAO,CAAC;QACrC,CAAC;QAED,IAAI,MAA0B,CAAC;QAC/B,IAAI,MAA0B,CAAC;QAE/B,IAAI,CAAC;YACJ,MAAM,GAAG,IAAA,8BAAgB,EAAC,gBAAgB,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,CAAC,KAAK,CAAE,GAAa,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YACrD,MAAM,IAAI,wCAA+B,EAAE,CAAC;QAC7C,CAAC;QAED,IAAI,CAAC;YACJ,MAAM,GAAG,IAAA,8BAAgB,EAAC,gBAAgB,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,CAAC,KAAK,CAAE,GAAa,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YACrD,MAAM,IAAI,wCAA+B,EAAE,CAAC;QAC7C,CAAC;QAED,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE;YACxC,MAAM;YACN,MAAM;SACN,CAAC,CAAC;QACH,oBAAoB,CAAC,OAAO,GAAG,IAAI,oBAAoB,CACtD,MAAM,EACN,MAAM,EACN,mBAAmB,CACnB,CAAC;QACF,OAAO,oBAAoB,CAAC,OAAO,CAAC;IACrC,CAAC;CACD;AA1YD,oDA0YC"}
|
|
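--- a/package/dist/authorization-service/authorization-tests/config.js
+++ b/package/dist/authorization-service/authorization-tests/config.js
@@ -2,9 +2,9 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.authorizationConfig = void 0;
 exports.authorizationConfig = {
-namespace:
-principleType:
-resourceType:
-roleType:
+namespace: 'OrderService::',
+principleType: 'User',
+resourceType: 'Order',
+roleType: 'Role',
 };
 //# sourceMappingURL=config.js.map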
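--- a/package/dist/authorization-service/authorization-tests/get-policy.js
+++ b/package/dist/authorization-service/authorization-tests/get-policy.js
@@ -37,11 +37,11 @@ exports.getSchema = exports.getPolicy = void 0;
 const fs = __importStar(require("node:fs"));
 const path = __importStar(require("node:path"));
 const getPolicy = () => {
-return fs.readFileSync(path.resolve(__dirname,
+return fs.readFileSync(path.resolve(__dirname, './cedar/policies.cedar'), 'utf-8');
 };
 exports.getPolicy = getPolicy;
 const getSchema = () => {
-return fs.readFileSync(path.resolve(__dirname,
+return fs.readFileSync(path.resolve(__dirname, './cedar/schema.cedarschema'), 'utf-8');
 };
 exports.getSchema = getSchema;
 //# sourceMappingURL=get-policy.js.map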
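--- a/package/dist/authorization-service/index.d.ts
+++ b/package/dist/authorization-service/index.d.ts
@@ -1,3 +1,3 @@
-export * from
-export * from
+export * from './authorization-service';
+export * from './types';
 //# sourceMappingURL=index.d.ts.map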
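--- a/package/dist/authorization-service/policy-parser.js
+++ b/package/dist/authorization-service/policy-parser.js
@@ -2,7 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.splitCedarPolicies = splitCedarPolicies;
 const logger_1 = require("@aws-lambda-powertools/logger");
-const logger = new logger_1.Logger({ serviceName:
+const logger = new logger_1.Logger({ serviceName: 'policy-parser' });
 /**
 * Parses a Cedar policy file and splits it into individual policy objects.
 *
@@ -59,18 +59,18 @@ const logger = new logger_1.Logger({ serviceName: "policy-parser" });
 */
 function splitCedarPolicies(policyFile) {
 const results = [];
-let buf =
+let buf = '';
 let inString = false; // inside "..."
 let inLineComment = false; // inside // ...
 let inBlockComment = false; // inside /* ... */
-let prev =
+let prev = '';
 for (let i = 0; i < policyFile.length; i++) {
 const ch = policyFile[i];
-const next = i + 1 < policyFile.length ? policyFile[i + 1] :
+const next = i + 1 < policyFile.length ? policyFile[i + 1] : '';
 // End line comment
 if (inLineComment) {
 buf += ch;
-if (ch ===
+if (ch === '\n')
 inLineComment = false;
 prev = ch;
 continue;
@@ -78,32 +78,32 @@ function splitCedarPolicies(policyFile) {
 // End block comment
 if (inBlockComment) {
 buf += ch;
-if (prev ===
+if (prev === '*' && ch === '/')
 inBlockComment = false;
 prev = ch;
 continue;
 }
 // Start line comment (only when not in string)
-if (!inString && ch ===
+if (!inString && ch === '/' && next === '/') {
 inLineComment = true;
 buf += ch; // add '/'
 // next char will be processed in next loop iteration, so add it now and skip
 buf += next; // add second '/'
 i++;
-prev =
+prev = '/';
 continue;
 }
 // Start block comment (only when not in string)
-if (!inString && ch ===
+if (!inString && ch === '/' && next === '*') {
 inBlockComment = true;
 buf += ch; // add '/'
 buf += next; // add '*'
 i++;
-prev =
+prev = '*';
 continue;
 }
 // Toggle string state on unescaped double quote
-if (ch === `"` && prev !==
+if (ch === `"` && prev !== '\\') {
 inString = !inString;
 buf += ch;
 prev = ch;
@@ -112,11 +112,11 @@ function splitCedarPolicies(policyFile) {
 // Normal char
 buf += ch;
 // Policy terminator: semicolon outside string/comments
-if (!inString && ch ===
+if (!inString && ch === ';') {
 const policy = buf.trim();
 if (policy.length > 0)
 results.push(policy);
-buf =
+buf = '';
 }
 prev = ch;
 }
@@ -124,7 +124,7 @@ function splitCedarPolicies(policyFile) {
 const tail = buf.trim();
 if (tail.length > 0) {
 throw new Error("Trailing content after last policy terminator ';'. " +
-
+'The policy file may be missing a semicolon at the end.');
 }
 const finalResults = {};
 const filteredResults = results.filter((p) => p.length > 0);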
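Review bot: The double-quote toggle in the `@@ -78,32 +78,32 @@` hunk (new line 106, which the commit only reformats) decides "escaped" by `prev !== '\\'`, so a string that ends with an escaped backslash (the character sequence backslash, backslash, quote) leaves `prev` equal to a backslash and the real closing quote is treated as escaped. `inString` then never flips back, every later `;` is ignored as a terminator by the check on new line 115, and the function ends in the "Trailing content after last policy terminator" throw on line 126 instead of splitting the remaining policies. Tracking escapes with a flag rather than the previous character would fix this: `escaped = inString && ch === '\\' && !escaped;` updated next to each `prev = ch;`, and `!escaped` in place of `prev !== '\\'` on the toggle. splitCedarPolicies continues past the last hunk.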