implement reading permissions from dynamodb

devksingh4 · devksingh4 · commit 8fc3b148040f · 2025-01-22T13:10:02.000-06:00
diff --git a/src/api/functions/authorization.ts b/src/api/functions/authorization.ts
@@ -0,0 +1,103 @@
+import {
+  DynamoDBClient,
+  GetItemCommand,
+  QueryCommand,
+} from "@aws-sdk/client-dynamodb";
+import { unmarshall } from "@aws-sdk/util-dynamodb";
+import { genericConfig } from "common/config.js";
+import { DatabaseFetchError } from "common/errors/index.js";
+import { allAppRoles, AppRoles } from "common/roles.js";
+import { FastifyInstance } from "fastify";
+
+export const AUTH_DECISION_CACHE_SECONDS = 60;
+
+export async function getUserRoles(
+  dynamoClient: DynamoDBClient,
+  fastifyApp: FastifyInstance,
+  userId: string,
+): Promise<AppRoles[]> {
+  const cachedValue = fastifyApp.nodeCache.get(`userroles-${userId}`);
+  if (cachedValue) {
+    fastifyApp.log.info(`Returning cached auth decision for user ${userId}`);
+    return cachedValue as AppRoles[];
+  }
+  const tableName = `${genericConfig["IAMTablePrefix"]}-userroles`;
+  const command = new GetItemCommand({
+    TableName: tableName,
+    Key: {
+      userEmail: { S: userId },
+    },
+  });
+  const response = await dynamoClient.send(command);
+  if (!response || !response.Item) {
+    throw new DatabaseFetchError({
+      message: "Could not get user roles",
+    });
+  }
+  const items = unmarshall(response.Item) as { roles: AppRoles[] | ["all"] };
+  if (!("roles" in items)) {
+    return [];
+  }
+  if (items["roles"][0] === "all") {
+    fastifyApp.nodeCache.set(
+      `userroles-${userId}`,
+      allAppRoles,
+      AUTH_DECISION_CACHE_SECONDS,
+    );
+    return allAppRoles;
+  }
+  fastifyApp.nodeCache.set(
+    `userroles-${userId}`,
+    items["roles"],
+    AUTH_DECISION_CACHE_SECONDS,
+  );
+  return items["roles"] as AppRoles[];
+}
+
+export async function getGroupRoles(
+  dynamoClient: DynamoDBClient,
+  fastifyApp: FastifyInstance,
+  groupId: string,
+) {
+  const cachedValue = fastifyApp.nodeCache.get(`grouproles-${groupId}`);
+  if (cachedValue) {
+    fastifyApp.log.info(`Returning cached auth decision for group ${groupId}`);
+    return cachedValue as AppRoles[];
+  }
+  const tableName = `${genericConfig["IAMTablePrefix"]}-grouproles`;
+  const command = new GetItemCommand({
+    TableName: tableName,
+    Key: {
+      groupUuid: { S: groupId },
+    },
+  });
+  const response = await dynamoClient.send(command);
+  if (!response || !response.Item) {
+    throw new DatabaseFetchError({
+      message: "Could not get group roles for user",
+    });
+  }
+  const items = unmarshall(response.Item) as { roles: AppRoles[] | ["all"] };
+  if (!("roles" in items)) {
+    fastifyApp.nodeCache.set(
+      `grouproles-${groupId}`,
+      [],
+      AUTH_DECISION_CACHE_SECONDS,
+    );
+    return [];
+  }
+  if (items["roles"][0] === "all") {
+    fastifyApp.nodeCache.set(
+      `grouproles-${groupId}`,
+      allAppRoles,
+      AUTH_DECISION_CACHE_SECONDS,
+    );
+    return allAppRoles;
+  }
+  fastifyApp.nodeCache.set(
+    `grouproles-${groupId}`,
+    items["roles"],
+    AUTH_DECISION_CACHE_SECONDS,
+  );
+  return items["roles"] as AppRoles[];
+}
diff --git a/src/api/index.ts b/src/api/index.ts
@@ -18,6 +18,7 @@ import * as dotenv from "dotenv";
 import iamRoutes from "./routes/iam.js";
 import ticketsPlugin from "./routes/tickets.js";
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
+import NodeCache from "node-cache";
 
 dotenv.config();
 
@@ -68,6 +69,7 @@ async function init() {
   app.runEnvironment = process.env.RunEnvironment as RunEnvironment;
   app.environmentConfig =
     environmentConfig[app.runEnvironment as RunEnvironment];
+  app.nodeCache = new NodeCache({ checkperiod: 30 });
   app.addHook("onRequest", (req, _, done) => {
     req.startTime = now();
     const hostname = req.hostname;
diff --git a/src/api/package.json b/src/api/package.json
@@ -15,6 +15,7 @@
     "prettier:write": "prettier --write *.ts **/*.ts"
   },
   "dependencies": {
-    "@aws-sdk/client-sts": "^3.726.0"
+    "@aws-sdk/client-sts": "^3.726.0",
+    "node-cache": "^5.1.2"
   }
 }
diff --git a/src/api/plugins/auth.ts b/src/api/plugins/auth.ts
@@ -14,6 +14,8 @@ import {
   UnauthorizedError,
 } from "../../common/errors/index.js";
 import { genericConfig, SecretConfig } from "../../common/config.js";
+import { getGroupRoles, getUserRoles } from "api/functions/authorization.js";
+import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 
 function intersection<T>(setA: Set<T>, setB: Set<T>): Set<T> {
   const _intersection = new Set<T>();
@@ -55,6 +57,10 @@ const smClient = new SecretsManagerClient({
   region: genericConfig.AwsRegion,
 });
 
+const dynamoClient = new DynamoDBClient({
+  region: genericConfig.AwsRegion,
+});
+
 export const getSecretValue = async (
   secretId: string,
 ): Promise<Record<string, string | number | boolean> | null | SecretConfig> => {
@@ -163,13 +169,18 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
           verifiedTokenData.groups &&
           fastify.environmentConfig.GroupRoleMapping
         ) {
-          for (const group of verifiedTokenData.groups) {
-            if (fastify.environmentConfig["GroupRoleMapping"][group]) {
-              for (const role of fastify.environmentConfig["GroupRoleMapping"][
-                group
-              ]) {
+          const groupRoles = await Promise.allSettled(
+            verifiedTokenData.groups.map((x) =>
+              getGroupRoles(dynamoClient, fastify, x),
+            ),
+          );
+          for (const result of groupRoles) {
+            if (result.status === "fulfilled") {
+              for (const role of result.value) {
                 userRoles.add(role);
               }
+            } else {
+              request.log.warn(`Failed to get group roles: ${result.reason}`);
             }
           }
         } else {
@@ -188,13 +199,24 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
             }
           }
         }
+
         // add user-specific role overrides
         if (request.username && fastify.environmentConfig.UserRoleMapping) {
           if (fastify.environmentConfig["UserRoleMapping"][request.username]) {
-            for (const role of fastify.environmentConfig["UserRoleMapping"][
-              request.username
-            ]) {
-              userRoles.add(role);
+            try {
+              const userAuth = await getUserRoles(
+                dynamoClient,
+                fastify,
+                request.username,
+              );
+              for (const role of userAuth) {
+                userRoles.add(role);
+              }
+            } catch (e) {
+              request.log.warn(
+                `Failed to get user role mapping for ${request.username}`,
+                e,
+              );
             }
           }
         }
diff --git a/src/api/types.d.ts b/src/api/types.d.ts
@@ -2,6 +2,7 @@ import { FastifyRequest, FastifyInstance, FastifyReply } from "fastify";
 import { AppRoles, RunEnvironment } from "../common/roles.js";
 import { AadToken } from "./plugins/auth.js";
 import { ConfigType } from "../common/config.js";
+import NodeCache from "node-cache";
 declare module "fastify" {
   interface FastifyInstance {
     authenticate: (
@@ -20,6 +21,7 @@ declare module "fastify" {
     ) => Promise<void>;
     runEnvironment: RunEnvironment;
     environmentConfig: ConfigType;
+    nodeCache: NodeCache;
   }
   interface FastifyRequest {
     startTime: number;
diff --git a/yarn.lock b/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@`
`15`	`15`	`"prettier:write": "prettier --write .ts /.ts"`
`16`	`16`	`},`
`17`	`17`	`"dependencies": {`
`18`		`- "@aws-sdk/client-sts": "^3.726.0"`
	`18`	`+ "@aws-sdk/client-sts": "^3.726.0",`
	`19`	`+ "node-cache": "^5.1.2"`
`19`	`20`	`}`
`20`	`21`	`}`