read from external membership v2 table

Author: devksingh4

cloudformation/main.yml

@@ -444,6 +444,12 @@ Resources:
               KeyType: "RANGE"
           Projection:
             ProjectionType: "KEYS_ONLY"
+        - IndexName: "keysOnlyIndex"
+          KeySchema:
+            - AttributeName: "memberList"
+              KeyType: "HASH"
+          Projection:
+            ProjectionType: "KEYS_ONLY"
 
 
   RoomRequestsTable:

generate_jwt.js

@@ -4,6 +4,7 @@ import {
   GetSecretValueCommand,
 } from "@aws-sdk/client-secrets-manager";
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
+import { randomUUID } from "crypto";
 
 export const getSecretValue = async (secretId) => {
   const smClient = new SecretsManagerClient();
@@ -56,7 +57,7 @@ const payload = {
   sub: "subject",
   tid: "tenant-id",
   unique_name: username,
-  uti: "uti-value",
+  uti: randomUUID(),
   ver: "1.0",
 };
 

src/api/functions/membership.ts

@@ -1,10 +1,11 @@
 import {
+  BatchWriteItemCommand,
   ConditionalCheckFailedException,
   DynamoDBClient,
   PutItemCommand,
   QueryCommand,
 } from "@aws-sdk/client-dynamodb";
-import { marshall } from "@aws-sdk/util-dynamodb";
+import { marshall, unmarshall } from "@aws-sdk/util-dynamodb";
 import { genericConfig } from "common/config.js";
 import {
   addToTenant,
@@ -13,15 +14,126 @@ import {
   patchUserProfile,
   resolveEmailToOid,
 } from "./entraId.js";
-import { EntraGroupError } from "common/errors/index.js";
+import { EntraGroupError, ValidationError } from "common/errors/index.js";
 import { EntraGroupActions } from "common/types/iam.js";
 import { pollUntilNoError } from "./general.js";
 import Redis from "ioredis";
-import { getKey } from "./redisCache.js";
+import { getKey, setKey } from "./redisCache.js";
 import { FastifyBaseLogger } from "fastify";
+import type pino from "pino";
 
 export const MEMBER_CACHE_SECONDS = 43200; // 12 hours
 
+export async function patchExternalMemberList({
+  listId: oldListId,
+  add: oldAdd,
+  remove: oldRemove,
+  clients: { dynamoClient, redisClient },
+  logger,
+}: {
+  listId: string;
+  add: string[];
+  remove: string[];
+  clients: { dynamoClient: DynamoDBClient; redisClient: Redis.default };
+  logger: pino.Logger | FastifyBaseLogger;
+}) {
+  const listId = oldListId.toLowerCase();
+  const add = oldAdd.map((x) => x.toLowerCase());
+  const remove = oldRemove.map((x) => x.toLowerCase());
+  if (add.length === 0 && remove.length === 0) {
+    return;
+  }
+  const addSet = new Set(add);
+
+  const conflictingNetId = remove.find((netId) => addSet.has(netId));
+
+  if (conflictingNetId) {
+    throw new ValidationError({
+      message: `The netId '${conflictingNetId}' cannot be in both the 'add' and 'remove' lists simultaneously.`,
+    });
+  }
+  const writeRequests = [];
+  // Create PutRequest objects for each member to be added.
+  for (const netId of add) {
+    writeRequests.push({
+      PutRequest: {
+        Item: {
+          memberList: { S: listId },
+          netId: { S: netId },
+        },
+      },
+    });
+  }
+  // Create DeleteRequest objects for each member to be removed.
+  for (const netId of remove) {
+    writeRequests.push({
+      DeleteRequest: {
+        Key: {
+          memberList: { S: listId },
+          netId: { S: netId },
+        },
+      },
+    });
+  }
+  const BATCH_SIZE = 25;
+  const batchPromises = [];
+  for (let i = 0; i < writeRequests.length; i += BATCH_SIZE) {
+    const batch = writeRequests.slice(i, i + BATCH_SIZE);
+    const command = new BatchWriteItemCommand({
+      RequestItems: {
+        [genericConfig.ExternalMembershipTableName]: batch,
+      },
+    });
+    batchPromises.push(dynamoClient.send(command));
+  }
+  const removeCacheInvalidation = remove.map((x) =>
+    setKey({
+      redisClient,
+      key: `membership:${x}:${listId}`,
+      data: JSON.stringify({ isMember: false }),
+      expiresIn: MEMBER_CACHE_SECONDS,
+      logger,
+    }),
+  );
+  const addCacheInvalidation = add.map((x) =>
+    setKey({
+      redisClient,
+      key: `membership:${x}:${listId}`,
+      data: JSON.stringify({ isMember: true }),
+      expiresIn: MEMBER_CACHE_SECONDS,
+      logger,
+    }),
+  );
+  await Promise.all([
+    ...removeCacheInvalidation,
+    ...addCacheInvalidation,
+    ...batchPromises,
+  ]);
+}
+export async function getExternalMemberList(
+  list: string,
+  dynamoClient: DynamoDBClient,
+): Promise<string[]> {
+  const { Items } = await dynamoClient.send(
+    new QueryCommand({
+      TableName: genericConfig.ExternalMembershipTableName,
+      KeyConditionExpression: "#pk = :pk",
+      ExpressionAttributeNames: {
+        "#pk": "memberList",
+      },
+      ExpressionAttributeValues: marshall({
+        ":pk": list,
+      }),
+    }),
+  );
+  if (!Items || Items.length === 0) {
+    return [];
+  }
+  return Items.map((x) => unmarshall(x))
+    .filter((x) => !!x)
+    .map((x) => x.netId);
+}
+
 export async function checkExternalMembership(
   netId: string,
   list: string,
@@ -31,6 +143,7 @@ export async function checkExternalMembership(
     new QueryCommand({
       TableName: genericConfig.ExternalMembershipTableName,
       KeyConditionExpression: "#pk = :pk and #sk = :sk",
+      IndexName: "invertedIndex",
       ExpressionAttributeNames: {
         "#pk": "netId",
         "#sk": "memberList",