Discord slash command code to grant AWS access (Real-Dev-Squad#276)

* Discord slash command code to grant AWS access

* added test cases for the discord command

* added uuid as types

* Revert "remove feature flag (Real-Dev-Squad#275)" (Real-Dev-Squad#281)

This reverts commit b54d9c3.

* removed uuid, code refactoring and fixed test cases post changes

* correcting package.json file

* lint fix

* code refactoring to call the API outside if/else

* Updated the command options to valid one

* fix test cases

* Fixing test case - changing the return type to Promise<void>

* lint fix

* Updated the logic of signing JWT into seperate file

* added documentation for website backend API

* added feature flag to backend API

* Updated the backend route to /aws/groups/access

* Reverted the register command change

* remove package lock changes

* added the group id to config file and added more info to the async processing comment

* remove the unused import

* added feature flag

* fix the register command, as the value of ENV variable was being passed as undefined, due to recent change

* code refactor and made FF mandatory

---------

Co-authored-by: Vinit khandal <[email protected]>

Author: vikhyat187

config/config.ts

@@ -56,6 +56,9 @@ export function loadEnv(env: env, fromWorkerEnv: boolean): env {
     IDENTITY_SERVICE_PUBLIC_KEY: fromWorkerEnv
       ? env.IDENTITY_SERVICE_PUBLIC_KEY
       : process.env.IDENTITY_SERVICE_PUBLIC_KEY || "",
+    AWS_READ_ACCESS_GROUP_ID: fromWorkerEnv
+      ? env.AWS_READ_ACCESS_GROUP_ID
+      : process.env.AWS_READ_ACCESS_GROUP_ID || "",
   };
   return Env;
 }

src/constants/commands.ts

@@ -1,3 +1,7 @@
+import { config } from "dotenv";
+
+config();
+
 export const HELLO = {
   name: "hello",
   description: "Replies with hello in the channel",
@@ -27,6 +31,36 @@ export const GROUP_INVITE = {
     },
   ],
 };
+export const GRANT_AWS_ACCESS = {
+  name: "grant-aws-access",
+  description: "This command is to grant AWS access to the discord users.",
+  options: [
+    {
+      name: "user-name",
+      description: "User to be granted the AWS access",
+      type: 6, //user Id to be grant the access
+      required: true,
+    },
+    {
+      name: "aws-group-name",
+      description: "AWS group name",
+      type: 3,
+      required: true,
+      choices: [
+        {
+          name: "AWS read access",
+          value: process.env.AWS_READ_ACCESS_GROUP_ID,
+        },
+      ],
+    },
+    {
+      name: "dev",
+      description: "Feature flag",
+      type: 5,
+      required: true,
+    },
+  ],
+};
 
 export const MENTION_EACH = {
   name: "mention-each",

src/constants/urls.ts

@@ -3,6 +3,7 @@ export const RDS_BASE_STAGING_API_URL = "https://staging-api.realdevsquad.com";
 export const RDS_BASE_DEVELOPMENT_API_URL = "http://localhost:3000"; // If needed, modify the URL to your local API server run through ngrok
 
 export const DISCORD_BASE_URL = "https://discord.com/api/v10";
+export const AWS_IAM_SIGNIN_URL = "https://realdevsquad.awsapps.com/start#/";
 export const DISCORD_AVATAR_BASE_URL = "https://cdn.discordapp.com/avatars";
 
 export const VERIFICATION_SITE_URL = "https://my.realdevsquad.com";

src/controllers/baseHandler.ts

@@ -29,6 +29,7 @@ import {
   USER,
   REMOVE,
   GROUP_INVITE,
+  GRANT_AWS_ACCESS,
 } from "../constants/commands";
 import { updateNickName } from "../utils/updateNickname";
 import { discordEphemeralResponse } from "../utils/discordEphemeralResponse";
@@ -44,6 +45,7 @@ import {
 import { DevFlag } from "../typeDefinitions/filterUsersByRole";
 import { kickEachUser } from "./kickEachUser";
 import { groupInvite } from "./groupInvite";
+import { grantAWSAccessCommand } from "./grantAWSAccessCommand";
 
 export async function baseHandler(
   message: discordMessageRequest,
@@ -82,6 +84,19 @@ export async function baseHandler(
       return await mentionEachUser(transformedArgument, env, ctx);
     }
 
+    case getCommandName(GRANT_AWS_ACCESS): {
+      const data = message.data?.options as Array<messageRequestDataOptions>;
+      const transformedArgument = {
+        member: message.member,
+        userDetails: data[0],
+        awsGroupDetails: data[1],
+        channelId: message.channel_id,
+        dev: data.find((item) => item.name === "dev") as unknown as DevFlag,
+      };
+
+      return await grantAWSAccessCommand(transformedArgument, env, ctx);
+    }
+
     case getCommandName(REMOVE): {
       const data = message.data?.options as Array<messageRequestDataOptions>;
       const transformedArgument = {

src/controllers/grantAWSAccessCommand.ts

@@ -0,0 +1,38 @@
+import { discordTextResponse } from "../utils/discordResponse";
+import { SUPER_USER_ONE, SUPER_USER_TWO } from "../constants/variables";
+import { env } from "../typeDefinitions/default.types";
+import {
+  messageRequestMember,
+  messageRequestDataOptions,
+} from "../typeDefinitions/discordMessage.types";
+import { grantAWSAccess } from "../utils/awsAccess";
+import { DevFlag } from "../typeDefinitions/filterUsersByRole";
+
+export async function grantAWSAccessCommand(
+  transformedArgument: {
+    member: messageRequestMember;
+    userDetails: messageRequestDataOptions;
+    awsGroupDetails: messageRequestDataOptions;
+    channelId: number;
+    dev?: DevFlag;
+  },
+  env: env,
+  ctx: ExecutionContext
+) {
+  const dev = transformedArgument?.dev?.value || false;
+  if (!dev) {
+    return discordTextResponse("Please enable feature flag to make this work");
+  }
+  const isUserSuperUser = [SUPER_USER_ONE, SUPER_USER_TWO].includes(
+    transformedArgument.member.user.id.toString()
+  );
+  if (!isUserSuperUser) {
+    const responseText = `You're not authorized to make this request.`;
+    return discordTextResponse(responseText);
+  }
+  const roleId = transformedArgument.userDetails.value;
+  const groupId = transformedArgument.awsGroupDetails.value;
+  const channelId = transformedArgument.channelId;
+
+  return grantAWSAccess(roleId, groupId, env, ctx, channelId);
+}

src/register.ts

@@ -10,6 +10,7 @@ import {
   USER,
   REMOVE,
   GROUP_INVITE,
+  GRANT_AWS_ACCESS,
 } from "./constants/commands";
 import { config } from "dotenv";
 import { DISCORD_BASE_URL } from "./constants/urls";
@@ -42,6 +43,7 @@ async function registerGuildCommands(
     NOTIFY_ONBOARDING,
     REMOVE,
     GROUP_INVITE,
+    GRANT_AWS_ACCESS,
   ];
 
   try {

src/utils/authTokenGenerator.ts

@@ -0,0 +1,12 @@
+import jwt from "@tsndr/cloudflare-worker-jwt";
+
+export async function generateDiscordAuthToken(
+  name: string,
+  expiry: number,
+  privateKey: string,
+  algorithm: string
+) {
+  return await jwt.sign({ name: name, exp: expiry }, privateKey, {
+    algorithm: algorithm,
+  });
+}

src/utils/awsAccess.ts

@@ -0,0 +1,98 @@
+import jwt from "@tsndr/cloudflare-worker-jwt";
+import { env } from "../typeDefinitions/default.types";
+import config from "../../config/config";
+import { discordTextResponse } from "./discordResponse";
+import { DISCORD_BASE_URL, AWS_IAM_SIGNIN_URL } from "../constants/urls";
+import { generateDiscordAuthToken } from "./authTokenGenerator";
+
+export async function processAWSAccessRequest(
+  discordUserId: string,
+  awsGroupId: string,
+  env: env,
+  channelId: number
+): Promise<void> {
+  const authToken = await generateDiscordAuthToken(
+    "Cloudflare Worker",
+    Math.floor(Date.now() / 1000) + 2,
+    env.BOT_PRIVATE_KEY,
+    "RS256"
+  );
+  const discordReplyUrl = `${DISCORD_BASE_URL}/channels/${channelId}/messages`;
+  const base_url = config(env).RDS_BASE_API_URL;
+  const grantAWSAccessAPIUrl = `${base_url}/aws/groups/access?dev=true`;
+
+  try {
+    const requestData = {
+      groupId: awsGroupId,
+      userId: discordUserId,
+    };
+
+    /**
+     * Grant AWS access is the API in website backend,
+     * which takes the discordId and AWS groupId, it fetches the
+     * user based on the discordId, checks if the user is part of AWS account
+     * if not creates a new user and adds user to the AWS group.
+     */
+
+    const response = await fetch(grantAWSAccessAPIUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${authToken}`,
+      },
+      body: JSON.stringify(requestData),
+    });
+
+    let content = "";
+    if (!response.ok) {
+      const responseText = await response.text();
+      const errorData = JSON.parse(responseText);
+      content = `<@${discordUserId}> Error occurred while granting AWS access: ${errorData.error}`;
+    } else {
+      content = `AWS access granted successfully <@${discordUserId}>! Please head over to AWS - ${AWS_IAM_SIGNIN_URL}.`;
+    }
+    await fetch(discordReplyUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bot ${env.DISCORD_TOKEN}`,
+      },
+      body: JSON.stringify({
+        content: content,
+      }),
+    });
+  } catch (err) {
+    const content = `<@${discordUserId}> Error occurred while granting AWS access.`;
+    await fetch(discordReplyUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bot ${env.DISCORD_TOKEN}`,
+      },
+      body: JSON.stringify({
+        content: content,
+      }),
+    });
+  }
+}
+
+export async function grantAWSAccess(
+  discordUserId: string,
+  awsGroupId: string,
+  env: env,
+  ctx: ExecutionContext,
+  channelId: number
+) {
+  // Immediately send a Discord response to acknowledge the command, as the cloudfare workers have a limit of response time equals to 3s
+  const initialResponse = discordTextResponse(
+    `<@${discordUserId}> Processing your request to grant AWS access.`
+  );
+
+  ctx.waitUntil(
+    // Asynchronously call the function to grant AWS access
+    processAWSAccessRequest(discordUserId, awsGroupId, env, channelId)
+  );
+
+  // Return the immediate response within 3 seconds
+  return initialResponse;
+}

src/utils/sendUserDiscordData.ts

@@ -2,6 +2,7 @@ import { env } from "../typeDefinitions/default.types";
 import jwt from "@tsndr/cloudflare-worker-jwt";
 import { DISCORD_AVATAR_BASE_URL } from "../constants/urls";
 import config from "../../config/config";
+import { generateDiscordAuthToken } from "./authTokenGenerator";
 
 export const sendUserDiscordData = async (
   token: string,
@@ -12,10 +13,11 @@ export const sendUserDiscordData = async (
   discordJoinedAt: string,
   env: env
 ) => {
-  const authToken = await jwt.sign(
-    { name: "Cloudflare Worker", exp: Math.floor(Date.now() / 1000) + 2 },
+  const authToken = await generateDiscordAuthToken(
+    "Cloudflare Worker",
+    Math.floor(Date.now() / 1000) + 2,
     env.BOT_PRIVATE_KEY,
-    { algorithm: "RS256" }
+    "RS256"
   );
   const data = {
     type: "discord",