import { build, parse } from "@aws-sdk/util-arn-parser";
import { Logger, LoggerFactory } from "shared_types";
import { ServerlessResponse } from "src/common/ServerlessResponse";
import { RuleGroupDataSourceService } from "src/service/RuleGroupDataSourceService";
import { inject, injectable } from 'tsyringe';
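/**
 * Matches the resource segment of an STS assumed-role ARN,
 * `assumed-role/<RoleName>/<SessionName>`.
 *
 * Group 2 is the role name and group 3 the session name; group 1 is the literal
 * prefix, kept so the group numbering existing callers rely on (`match[2]`) is
 * unchanged. The pattern is anchored and each segment is slash-free so that a
 * resource such as `foo/assumed-role/x/y`, an empty role name (`assumed-role//s`)
 * or extra `/` segments never yields a role name. IAM role and session names
 * cannot contain `/`, so valid STS ARNs are unaffected.
 */
const STS_ROLE_REGEX = /^(assumed-role)\/([^/]+)\/([^/]+)$/;

/** Operations a caller may attempt on a rule group; only carried into log and error messages here. */
export type RuleGroupActionType = "LIST" | "UPDATE" | "DELETE" | "CREATE" |"GET"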
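@injectable()
/**
 * Ownership check for rule-group operations.
 *
 * A caller is allowed to act on a rule group only when the IAM role behind its
 * STS assumed-role ARN is listed in the rule group's `ownerGroup`.
 */
export class RuleGroupAuthenticationValidator {
    private readonly logger: Logger;
    constructor(
        @inject('LoggerFactory') loggerFactory: LoggerFactory,
        @inject('RuleGroupDataSourceService') private readonly ruleGroupDataSourceService: RuleGroupDataSourceService
    ) {
        this.logger = loggerFactory.getLogger('RuleGroupAuthenticationValidator');
    }

    /**
     * Authorizes `actionType` on rule group `ruleGroupId` for the caller identified by `requestorArn`.
     *
     * The caller is expected to be an STS assumed-role principal
     * (`arn:<partition>:sts::<account>:assumed-role/<RoleName>/<SessionName>`). Its role name is
     * rebuilt as the IAM role ARN `arn:<partition>:iam::<requestingAccount>:role/<RoleName>`,
     * which must be present in the rule group's `ownerGroup`.
     *
     * @param requestorArn      ARN of the authenticated caller; must come from the auth context, never from the request body
     * @param ruleGroupId       id of the rule group being acted on
     * @param requestingAccount AWS account id placed in the role ARN that is compared against `ownerGroup`
     * @param actionType        action being attempted; only used for logging and the denial message
     * @returns `null` when access is granted; a 404 response when the rule group does not exist;
     *          a 403 response when the caller is not an assumed role or is not an owner
     */
    public async checkRuleGroupAccess(requestorArn: string, ruleGroupId: string, requestingAccount: string, actionType: RuleGroupActionType): Promise<ServerlessResponse | null> {
        const ruleGroup = await this.ruleGroupDataSourceService.getRuleGroupBy(ruleGroupId);
        if (!ruleGroup) {
            // NOTE(review): this 404 is returned before ownership is checked, so any authenticated
            // caller can probe which ids exist. Collapse it into the 403 below if ids are sensitive.
            return ServerlessResponse.ofObject(404, { message: 'rule group not exists' });
        }

        this.logger.debug(`${actionType} ruleGroups for ${requestorArn}`);

        const requestorAssumedRole = this.extractRequestorAssumedRole(requestorArn, requestingAccount);
        // A caller that is not an assumed role (IAM user, root, federated user, malformed ARN)
        // can never be an owner: deny explicitly instead of comparing a bogus `role/null` ARN.
        if (requestorAssumedRole === null) {
            return ServerlessResponse.ofObject(403, { message: `User ${requestorArn} is not authorized to ${actionType} rules in group ${ruleGroupId}` });
        }

        // NOTE(review): assumes `ownerGroup` is an array of role ARNs. If it were a plain string,
        // `includes` would be a substring match and `role/Adm` would match `role/Admin` — confirm the type.
        if (!ruleGroup.ownerGroup.includes(requestorAssumedRole)) {
            return ServerlessResponse.ofObject(403, { message: `User ${requestorArn} is not authorized to ${actionType} rules in group ${ruleGroupId}` });
        }

        return null;
    }

    /**
     * Derives the IAM role ARN of an STS assumed-role caller.
     *
     * @param requestorIdentity caller ARN, e.g. `arn:aws:sts::111122223333:assumed-role/Deployer/session`
     * @param accountId         account id placed into the resulting role ARN
     * @returns `arn:<partition>:iam::<accountId>:role/<RoleName>`, or `null` when the ARN cannot be
     *          parsed or its resource is not `assumed-role/<RoleName>/<SessionName>`
     */
    private extractRequestorAssumedRole(requestorIdentity: string, accountId: string): string | null {
        let parsed: ReturnType<typeof parse>;
        try {
            parsed = parse(requestorIdentity);
        } catch {
            // `parse` throws on anything that is not `arn:<partition>:<service>:<region>:<account>:<resource>`;
            // treat that as "not an owner" rather than letting it surface as an unhandled error.
            this.logger.info(`requestor ARN could not be parsed: ${requestorIdentity}`);
            return null;
        }

        const match = parsed.resource.match(STS_ROLE_REGEX);
        const roleName = match?.[2];
        if (!roleName) {
            this.logger.info(`requestor ${requestorIdentity} is not an assumed role`);
            return null;
        }

        if (parsed.accountId !== accountId) {
            // NOTE(review): the role ARN is built from `accountId`, not from the account embedded in
            // the caller's own ARN. That is only safe if `accountId` is bound to the same authenticated
            // identity by the caller of this validator; the divergence is logged so it shows up in audit.
            this.logger.info(`requestor ${requestorIdentity} account differs from requesting account ${accountId}`);
        }

        // Carry the caller's partition through so GovCloud / China principals (`aws-us-gov`, `aws-cn`)
        // are compared against owner ARNs in their own partition instead of a hard-coded `aws`.
        const requestorAssumedRole = build({
            partition: parsed.partition,
            service: 'iam',
            region: '',
            accountId: accountId,
            resource: `role/${roleName}`,
        });
        this.logger.info(`requestorAssumedRole ${requestorAssumedRole}`);
        return requestorAssumedRole;
    }
}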