only azure Group members can put/delete

backend/auth/auth_utils.py

@@ -69,8 +69,8 @@ def _addMethod(self, effect, verb, resource, conditions):
         if verb != "*" and not hasattr(HttpVerb, verb):
             raise NameError("Invalid HTTP verb " + verb + ". Allowed verbs in HttpVerb class")
         resourcePattern = re.compile(self.pathRegex)
-        if not resourcePattern.match(resource):
-            raise NameError("Invalid resource path: " + resource + ". Path should match " + self.pathRegex)
+        # if not resourcePattern.match(resource):
+        #     raise NameError("Invalid resource path: " + resource + ". Path should match " + self.pathRegex)
 
         if resource[:1] == "/":
             resource = resource[1:]

backend/auth/authorizer.py

@@ -1,14 +1,21 @@
 from __future__ import print_function
-from auth_utils import AuthPolicy
+from auth_utils import AuthPolicy, HttpVerb
 import json
 import requests
 from jose import jwt
+import boto3
+import os
 
 # Constants
-CLIENT_ID = '86baa161-ea6e-4c68-a75a-9ff13690f7da'
+
 TENANT_ID = 'c8d9148f-9a59-4db3-827d-42ea0c2b6e2e'
 ADMIN_API_USER_GROUP_OBJECT_ID = '05de763f-9468-4f98-944b-21c20aee9818'
-CLIENT_SECRET = '' # TODO: use secrets manager
+
+# Get client ID and secret for Admin API
+client = boto3.client('secretsmanager', region_name=os.environ.get('AWS_REGION', 'us-east-1'))
+aad_secret = json.loads(client.get_secret_value(SecretId="infra-admin-api-aad-secret")['SecretString'])
+CLIENT_ID = aad_secret['CLIENT_ID']
+CLIENT_SECRET = aad_secret['CLIENT_SECRET']
 
 def get_user_object_id(token): 
     # https://github.com/Azure-Samples/ms-identity-python-webapi-azurefunctions/blob/master/Function/secureFlaskApp/__init__.py   
@@ -40,15 +47,14 @@ def get_user_object_id(token):
 def get_graph_api_token():
     # Acquiring Graph API token
     graph_token_req = requests.post(
-        f'https://login.microsoftonline.com/{TENANT_ID}/oauth2/token',
+        f'https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token',
         data={
             'grant_type': 'client_credentials',
             'client_id': CLIENT_ID,
             'client_secret': CLIENT_SECRET,
             'scope': 'https://graph.microsoft.com/.default'
         }
     )
-    print(json.dumps(graph_token_req.json(), indent=4))
     return graph_token_req.json()['access_token']
 
 def get_group_list(user_object_id, graph_api_token):
@@ -59,7 +65,7 @@ def get_group_list(user_object_id, graph_api_token):
             'Authorization': f'Bearer {graph_api_token}',
             'Content-Type': 'application/json'
         })
-    return member_req.json()
+    return [group['id'] for group in member_req.json()['value']]
 
 
 def lambda_handler(event, context):
@@ -86,17 +92,21 @@ def lambda_handler(event, context):
 
     print(f'User object id: {user_object_id}')
 
-    # try:
-    #     graph_api_token = get_graph_api_token()
-    #     group_list = get_group_list(user_object_id, graph_api_token)
-    # except Exception:
-    #     raise Exception('Graph API error')
-
-    # print(f'Group object list: {group_list}')
-    # if ADMIN_API_USER_GROUP_OBJECT_ID not in group_list:
-    #     raise Exception('Unauthorized')
-
-    policy.allowAllMethods()
+    try:
+        graph_api_token = get_graph_api_token()
+        group_list = get_group_list(user_object_id, graph_api_token)
+    except Exception:
+        raise Exception('Graph API error')
+    print(f'Group ID list: {group_list}')
+
+    """
+    If the user is in the Admin API User group on Azure, they have access to all
+    the endpoints. If they aren't in that group, they only have access to GET.
+    """
+    if ADMIN_API_USER_GROUP_OBJECT_ID in group_list:
+        policy.allowAllMethods()
+    else:
+        policy.allowMethod(HttpVerb.GET, '/api/v1/get_user')
 
     # Finally, build the policy
     authResponse = policy.build()

backend/auth/requirements.txt

@@ -1,2 +1,3 @@
 requests
-python-jose
+python-jose
+boto3