fix: api key authorizer

anct-cartographie-nationale · Oct 6, 2023 · d940e3a · d940e3a
1 parent 2986f86
commit d940e3a
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 9 deletions.
diff --git a/api-gateway.tf b/api-gateway.tf
@@ -35,12 +35,53 @@ resource "aws_apigatewayv2_stage" "cartographie_nationale" {
   }
 }
 
+data "aws_iam_policy_document" "api_assume_role_policy_document" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["apigateway.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+resource "aws_iam_role" "authorizer_role" {
+  name               = "authorizer-role"
+  description        = "Authorizer iam role references a policy document that can assume role for api gateway"
+  tags               = local.tags
+  assume_role_policy = data.aws_iam_policy_document.api_assume_role_policy_document.json
+}
+
+data "aws_iam_policy_document" "lambda_invoke_policy_document" {
+  statement {
+    actions   = ["lambda:InvokeFunction"]
+    effect    = "Allow"
+    resources = [aws_lambda_function.api_keys_authorizer.arn]
+    sid       = "ApiGatewayInvokeLambda"
+  }
+}
+
+resource "aws_iam_policy" "authorizer_policy" {
+  name        = "authorizer-policy"
+  description = "IAM policy to allow authorizer lambda invocation form api gateway"
+  policy      = data.aws_iam_policy_document.lambda_invoke_policy_document.json
+}
+
+resource "aws_iam_role_policy_attachment" "authorizer_role_policy_attachment" {
+  role       = aws_iam_role.authorizer_role.name
+  policy_arn = aws_iam_policy.authorizer_policy.arn
+}
+
 resource "aws_apigatewayv2_authorizer" "api_key_authorizer" {
+  name                              = "${local.name_prefix}.key-authorizer"
   api_id                            = aws_apigatewayv2_api.cartographie_nationale.id
   authorizer_type                   = "REQUEST"
-  authorizer_uri                    = aws_lambda_function.import_from_s3.invoke_arn
-  identity_sources                  = ["$request.header.Authorization"]
-  name                              = "${local.name_prefix}.key-authorizer"
+  authorizer_uri                    = aws_lambda_function.api_keys_authorizer.invoke_arn
+  authorizer_credentials_arn        = aws_iam_role.authorizer_role.arn
+  identity_sources                  = ["$request.header.x-api-key"]
+  enable_simple_responses           = true
   authorizer_payload_format_version = "2.0"
 }
 

diff --git a/api-keys.tf b/api-keys.tf
@@ -1,10 +1,10 @@
 resource "aws_dynamodb_table" "api_keys_table" {
   name         = "${local.product_information.context.project}.api-keys"
   billing_mode = "PAY_PER_REQUEST"
-  hash_key     = "name"
+  hash_key     = "key"
 
   attribute {
-    name = "name"
+    name = "key"
     type = "S"
   }
 
@@ -72,7 +72,7 @@ data "aws_iam_policy_document" "api_keys_authorizer_execution_policy" {
 
 resource "aws_iam_role" "api_keys_authorizer_execution_role" {
   name               = "${local.name_prefix}.keys-authorizer-execution-role"
-  description        = "Authentication iam role references a policy document that can assume role for api keys authorizer execution"
+  description        = "Authentication iam role references a policy document that can assume role for lambda authorizer"
   tags               = local.tags
   assume_role_policy = data.aws_iam_policy_document.api_keys_authorizer_execution_policy.json
 }

diff --git a/src/api-keys-authorizer/index.ts b/src/api-keys-authorizer/index.ts
@@ -1,8 +1,30 @@
-import { APIGatewayProxyResultV2 } from 'aws-lambda';
+import {
+  DynamoDBClient,
+  GetItemCommand,
+  GetItemCommandOutput,
+} from '@aws-sdk/client-dynamodb';
+import { APIGatewayEvent, APIGatewayProxyResultV2 } from 'aws-lambda';
+import { APIGatewaySimpleAuthorizerResult } from 'aws-lambda/trigger/api-gateway-authorizer';
 
-export const handler = async (): Promise<APIGatewayProxyResultV2<boolean>> => {
+export const handler = async (
+  event: APIGatewayEvent,
+): Promise<APIGatewayProxyResultV2<APIGatewaySimpleAuthorizerResult>> => {
   try {
-    return false;
+    const apiKey: string | undefined = event.headers['x-api-key'];
+
+    if (apiKey == null) return { isAuthorized: false };
+
+    const client: DynamoDBClient = new DynamoDBClient();
+    const input = {
+      Key: { key: { S: apiKey } },
+      TableName: 'cartographie-nationale.api-keys',
+    };
+    const command: GetItemCommand = new GetItemCommand(input);
+    const response: GetItemCommandOutput = await client.send(command);
+
+    return {
+      isAuthorized: response.Item != null,
+    };
   } catch (err) {
     console.log(err);
   }