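import { build, parse } from "@aws-sdk/util-arn-parser";
import { Logger, LoggerFactory } from "shared_types";
import { ServerlessResponse } from "src/common/ServerlessResponse";
import { RuleGroupDataSourceService } from "src/service/RuleGroupDataSourceService";
import { inject, injectable } from 'tsyringe';

/**
 * Matches the resource segment of an STS assumed-role ARN
 * (`assumed-role/<role-name>/<session-name>`); capture group 2 is the role name.
 */
const STS_ROLE_REGEX = /(assumed-role)\/(.*)\/(.*)/;

export type RuleGroupActionType = "LIST" | "UPDATE" | "DELETE" | "CREATE" | "GET";

/**
 * Authorizes rule-group operations: the caller's assumed IAM role must appear in
 * the rule group's `ownerGroup`, otherwise a denial response is produced.
 */
@injectable()
export class RuleGroupAuthenticationValidator {
  private readonly logger: Logger;

  constructor(
    @inject('LoggerFactory') loggerFactory: LoggerFactory,
    @inject('RuleGroupDataSourceService') private readonly ruleGroupDataSourceService: RuleGroupDataSourceService
  ) {
    this.logger = loggerFactory.getLogger('RuleGroupAuthenticationValidator');
  }

  /**
   * Checks whether the requestor may perform `actionType` on the given rule group.
   *
   * @param requestorArn - ARN of the calling principal (expected to be an STS assumed-role ARN).
   * @param ruleGroupId - Identifier of the rule group being accessed.
   * @param requestingAccount - Account id used when building the caller's IAM role ARN.
   * @param actionType - Operation being attempted; used for logging and the denial message.
   * @returns `null` when access is granted; otherwise a 404 (unknown rule group) or
   *   403 (caller's role is not an owner) `ServerlessResponse` to be returned as-is.
   * @throws If `requestorArn` is not a well-formed ARN (`parse` rejects it).
   */
  public async checkRuleGroupAccess(
    requestorArn: string,
    ruleGroupId: string,
    requestingAccount: string,
    actionType: RuleGroupActionType
  ): Promise<ServerlessResponse | null> {
    const ruleGroup = await this.ruleGroupDataSourceService.getRuleGroupBy(ruleGroupId);
    if (!ruleGroup) {
      // NOTE(review): answering 404 before any ownership check lets every caller
      // learn whether a rule-group id exists. The original source carried a
      // "return 403" comment here, so a uniform 403 may have been intended; the
      // status is kept as 404 to preserve the current API contract — confirm with
      // the API owners.
      return ServerlessResponse.ofObject(404, { message: 'rule group not exists' });
    }

    const requestorIdentity = requestorArn;
    this.logger.debug(`${actionType} ruleGroups for ${requestorIdentity}`);

    // NOTE(review): the role ARN is built from `requestingAccount`, not from the
    // account embedded in `requestorArn`; both must originate from the same trusted
    // request context, otherwise a caller could be matched against another
    // account's roles. Verify where `requestingAccount` is sourced.
    const requestorAssumedRole = this.extractRequestorAssumedRole(requestorIdentity, requestingAccount);

    // A principal whose ARN is not an assumed role yields no role ARN and is denied
    // outright (the previous code compared against a bogus `role/null` ARN instead).
    // NOTE(review): if `ownerGroup` is a string rather than a string[], `includes`
    // is a substring test — confirm the type in the data source model.
    if (!requestorAssumedRole || !ruleGroup.ownerGroup.includes(requestorAssumedRole)) {
      return ServerlessResponse.ofObject(403, {
        // Fixed key (`messsage` → `message`) and completed the message with the group id.
        message: `User ${requestorIdentity} is not authorized to ${actionType} rules in group ${ruleGroupId}`
      });
    }
    return null;
  }

  /**
   * Derives the IAM role ARN (`arn:…:iam::<account>:role/<role-name>`) for an STS
   * assumed-role principal.
   *
   * @param requestorIdentity - The caller's ARN.
   * @param accountId - Account id placed in the resulting role ARN.
   * @returns The role ARN, or `undefined` when the ARN's resource segment is not an
   *   `assumed-role/<role>/<session>` path.
   * @throws If `requestorIdentity` is not a well-formed ARN.
   */
  private extractRequestorAssumedRole(requestorIdentity: string, accountId: string): string | undefined {
    const result = parse(requestorIdentity);
    const match = result.resource.match(STS_ROLE_REGEX);
    const roleName = match ? match[2] : undefined;
    if (!roleName) {
      this.logger.info(`no assumed-role found in ${requestorIdentity}`);
      return undefined;
    }
    const requestorAssumedRole = build({
      accountId: accountId,
      region: '', // IAM is a global service; the region segment of its ARNs is empty
      service: 'iam',
      resource: `role/${roleName}`
    });
    this.logger.info(`requestorAssumedRole ${requestorAssumedRole}`);
    return requestorAssumedRole;
  }
}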