From e0132f3bdbd1f8e72162a964f03cf8595974179a Mon Sep 17 00:00:00 2001
From: Alex Youssefinia
Date: Tue, 10 Dec 2024 18:41:52 -0600
Subject: [PATCH] added getUserV2 api method

---
 services/admin/serverless.yml | 2 +-
 services/app-api/getUser.js | 89 +---------------
 services/app-api/getUserV2.js | 126 +++++++++++++++++++++++
 services/app-api/serverless.yml | 16 ++-
 services/ui-src/src/utils/UserDataApi.ts | 2 +-
 5 files changed, 143 insertions(+), 92 deletions(-)
 create mode 100644 services/app-api/getUserV2.js

diff --git a/services/admin/serverless.yml b/services/admin/serverless.yml
index 6645dd4ea..7fe5c8353 100644
--- a/services/admin/serverless.yml
+++ b/services/admin/serverless.yml
@@ -15,7 +15,7 @@ plugins:
 custom:
   stage: ${opt:stage, 'dev'} # Ensure the 'stage' is being passed correctly
   iamPermissionsBoundaryPolicy: ${ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy, ssm:/configuration/default/iam/permissionsBoundaryPolicy, ""}
-  oneMacTableName: onemac-${self:custom.stage}-one
+  oneMacTableName: onemac-develop-one
 provider:
   name: aws
diff --git a/services/app-api/getUser.js b/services/app-api/getUser.js
index d5ae0fcd3..5f84d751f 100644
--- a/services/app-api/getUser.js
+++ b/services/app-api/getUser.js
@@ -1,8 +1,7 @@
 import handler from "./libs/handler-lib";
 import dynamoDb from "./libs/dynamodb-lib";
-import jwt_decode from "jwt-decode";
-import { getUserRoleObj, RESPONSE_CODE } from "cmscommonlib";
+import { getUserRoleObj } from "cmscommonlib";
 /**
  * returns the User Table entry who's id is this email
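Review bot: `oneMacTableName: onemac-develop-one` pins the admin service to the develop table for every stage, so deploying any other stage with this config would read from and write to develop's data instead of its own; the app-api/serverless.yml hunk hard-codes the same value under `custom.oneMacTableName`. The `stage: ${opt:stage, 'dev'}` line above already lets a developer select develop with `--stage develop`, so keep `oneMacTableName: onemac-${self:custom.stage}-one` in both files and leave the stage selection to the deploy command.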
@@ -67,94 +66,10 @@ export const getUser = async (userEmail) => {
   return returnUser;
 };
-const allowedRoles = [
-  "cmsroleapprover",
-  "systemadmin",
-  "statesystemadmin",
-  "helpdesk",
-  "defaultcmsuser",
-  "cmsreviewer"
-];
-
-function checkMatchingRoles(arr1, arr2) {
-  // Iterate through each element in array1
-  for (let i = 0; i {
-  console.log("get user invoked")
-  let body;
-  try {
-    body = JSON.parse(event.body);
-  } catch (e) {
-    console.error("Failed to parse body", e);
-    return RESPONSE_CODE.USER_SUBMISSION_FAILED;
-  }
-  console.log("body: ", body)
-  const idToken = body.idToken;
-  console.log("Received idToken:", idToken);
-  if (!idToken) {
-    console.log("idToken header is missing");
-    return {
-      statusCode: 400,
-      body: JSON.stringify({ error: "idToken header is missing" }),
-    };
-  }
-
-  const decodedIdToken = jwt_decode(idToken);
-  const idTokenEmail = decodedIdToken.email;
-  console.log("id token email: ", idTokenEmail);
-  console.log("event query email: ",event.queryStringParameters.email )
   const userItem = (await getUser(event.queryStringParameters.email)) ?? {};
-
-  if(idTokenEmail !== event.queryStringParameters.email) {
-    let userRoles = decodedIdToken.user_roles;
-    try {
-      userRoles = JSON.parse(userRoles);
-    } catch (error) {
-      console.error('Error parsing user_roles:', error);
-      userRoles = [];
-    }
-    const loggedInUserItem = await getUser(idTokenEmail)
-    console.log("loggedInUserItem: ", loggedInUserItem)
-    const loggedInUserRoleList = JSON.parse(loggedInUserItem.roleList);
-    const queryUserRoleList = JSON.parse(userItem.roleList);
-    const hasMatchingRoles = checkMatchingRoles(loggedInUserRoleList, queryUserRoleList);
-    const isAdminUser = checkAdminUser(userRoles);
-    if(!hasMatchingRoles && !isAdminUser ) {
-      console.log("permission denied");
-      return {
-        statusCode: 400,
-        body: JSON.stringify({ error: "permission denied" }),
-      };
-    }
-  }
   userItem.validRoutes = getUserRoleObj(userItem.roleList).getAccesses();
   return userItem;
-});
+});
\ No newline at end of file
diff --git a/services/app-api/getUserV2.js b/services/app-api/getUserV2.js
new file mode 100644
index 000000000..6a951a702
--- /dev/null
+++ b/services/app-api/getUserV2.js
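Review bot: With the identity comparison gone, `main` in getUser.js now returns the User Table entry for whatever `email` arrives in the query string, and the app-api/serverless.yml hunk keeps this handler reachable on `GET /getUser` behind `authorizer: aws_iam`, so any caller that IAM authenticates can read any user's roleList and validRoutes without the cross-user check that getUserV2 enforces. If V1 is only kept while the UI moves to `/getUserV2`, restrict it to the caller's own record or remove the route in the same change; otherwise the V2 check is bypassable by calling V1. `event.queryStringParameters` is null on an API Gateway proxy event that carries no query string, so `event.queryStringParameters.email` throws rather than answering 400; `const email = event.queryStringParameters?.email;` followed by an explicit `if (!email) return { statusCode: 400, body: JSON.stringify({ error: "email query parameter is missing" }) };` would be clearer. The handler's opening line is outside the hunk.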
@@ -0,0 +1,126 @@
+import handler from "./libs/handler-lib";
+import dynamoDb from "./libs/dynamodb-lib";
+import jwt_decode from "jwt-decode";
+import {getUser} from "./getUser";
+
+import { getUserRoleObj, RESPONSE_CODE } from "cmscommonlib";
+
+/**
+ * returns the User Table entry who's id is this email
+ * @param {String} userEmail User to return
+ * @returns {Object} the User json object
+ */
+
+
+const allowedRoles = [
+  "cmsroleapprover",
+  "systemadmin",
+  "statesystemadmin",
+  "helpdesk",
+  "defaultcmsuser",
+  "cmsreviewer"
+];
+
+function checkMatchingRoles(arr1, arr2) {
+  // Iterate through each element in array1
+  for (let i = 0; i {
+  console.log("get user invoked")
+  let body = JSON.parse(event.body);
+  console.log("body: ", body)
+  const idToken = body.idToken;
+  console.log("Received idToken:", idToken);
+  if (!idToken) {
+    console.log("idToken header is missing");
+    return {
+      statusCode: 400,
+      body: JSON.stringify({ error: "idToken event body missing" }),
+    };
+  }
+  const decodedIdToken = jwt_decode(idToken);
+  console.log("decoded id token: ", decodedIdToken);
+  const idTokenEmail = decodedIdToken.email;
+  let userRoles = decodedIdToken.user_roles;
+  try {
+    userRoles = JSON.parse(userRoles);
+  } catch (error) {
+    console.error('Error parsing user_roles:', error);
+    return {
+      statusCode: 400,
+      body: JSON.stringify({ error: "no user roles for user: ", idTokenEmail}),
+    };
+  }
+  console.log("id token email: ", idTokenEmail);
+  console.log("event query email: ",event.queryStringParameters.email )
+  if(checkAdminUser(userRoles) || idTokenEmail === event.queryStringParameters.email) {
+    const userItem = (await getUser(event.queryStringParameters.email)) ?? {};
+    userItem.validRoutes = getUserRoleObj(userItem.roleList).getAccesses();
+    return userItem;
+  } else {
+    const userItem = (await getUser(event.queryStringParameters.email)) ?? {};
+    const loggedInUserItem = await getUser(idTokenEmail);
+    const queryUserRoleList = JSON.parse(userItem.roleList)
+    const loggedInUserRoleList = JSON.parse(loggedInUserItem.roleList);
+    const hasMatchingRoles = checkMatchingRoles(loggedInUserRoleList, queryUserRoleList);
+    if(!hasMatchingRoles) {
+      console.log("permission denied");
+      return {
+        statusCode: 400,
+        body: JSON.stringify({ error: "permission denied" }),
+      }
+    } else {
+      userItem.validRoutes = getUserRoleObj(userItem.roleList).getAccesses();
+      return userItem;
+    }
+  }
+  // const userItem = (await getUser(event.queryStringParameters.email)) ?? {};
+  // if(idTokenEmail !== event.queryStringParameters.email) {
+  // let userRoles = decodedIdToken.user_roles;
+  // try {
+  // userRoles = JSON.parse(userRoles);
+  // } catch (error) {
+  // console.error('Error parsing user_roles:', error);
+  // userRoles = [];
+  // }
+  // const loggedInUserItem = await getUser(idTokenEmail)
+  // console.log("loggedInUserItem: ", loggedInUserItem)
+  // const loggedInUserRoleList = JSON.parse(loggedInUserItem.roleList);
+  // const queryUserRoleList = JSON.parse(userItem.roleList);
+  // const hasMatchingRoles = checkMatchingRoles(loggedInUserRoleList, queryUserRoleList);
+  // // const isAdminUser = checkAdminUser(userRoles);
+  // if(!hasMatchingRoles && !isAdminUser ) {
+  // console.log("permission denied");
+  // return {
+  // statusCode: 400,
+  // body: JSON.stringify({ error: "permission denied" }),
+  // };
+  // }
+  // }
+  // // userItem.validRoutes = getUserRoleObj(userItem.roleList).getAccesses();
+
+  // return userItem;
+});
diff --git a/services/app-api/serverless.yml b/services/app-api/serverless.yml
index dbe513002..95a66cc22 100644
--- a/services/app-api/serverless.yml
+++ b/services/app-api/serverless.yml
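Review bot: The authorization decision in `main` rests on the `email` and `user_roles` claims of `jwt_decode(idToken)`, and jwt_decode only base64-decodes the payload — it checks neither signature, issuer nor expiry — so those claims are whatever the caller placed in the request body, while the `aws_iam` authorizer on the route authenticates the HTTP request, not this token. Verify the token against the user pool's JWKS before trusting its claims (the aws-jwt-verify package does this for Cognito id tokens), or derive the caller's identity from what API Gateway already authenticated rather than from the body. `console.log("Received idToken:", idToken)` and `console.log("decoded id token: ", decodedIdToken)` write a bearer credential and its claims to CloudWatch; log presence only, e.g. `console.log("Received idToken:", idToken ? "present" : "missing");`. `JSON.parse(event.body)`, `JSON.parse(userItem.roleList)` and `JSON.parse(loggedInUserItem.roleList)` are unguarded, so a malformed body, an unknown query email (`userItem` is `{}`) or a caller with no User Table entry throws instead of returning the 400 that V1 produced for a bad body. The commented-out copy of the V1 body at the end of `main` should be dropped before merging, and the bodies of `checkMatchingRoles` and `checkAdminUser` are not legible in this rendering of the hunk, so they are not reviewed here.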
@@ -14,11 +14,11 @@ plugins:
   - serverless-dynamodb-local
   - serverless-associate-waf
   - serverless-offline
-  - serverless-iam-helper
-  - serverless-s3-bucket-helper
+  # - serverless-iam-helper
+  # - serverless-s3-bucket-helper
 custom:
   stage: ${opt:stage, self:provider.stage}
-  oneMacTableName: onemac-${self:custom.stage}-one
+  oneMacTableName: onemac-develop-one
   iamPath: ${ssm:/configuration/${self:custom.stage}/iam/path, ssm:/configuration/default/iam/path, "/"}
   iamPermissionsBoundaryPolicy: ${ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy, ssm:/configuration/default/iam/permissionsBoundaryPolicy, ""}
   emailSource: ${ssm:/configuration/${self:custom.stage}/email/cms_spa_form_from_email, ssm:/configuration/default/email/cms_spa_form_from_email, file(resources/ssm-params.yml):Resources.CmsSpaFormFromEmail.Properties.Value}
@@ -567,6 +567,16 @@ functions:
     events:
       - http:
           path: getUser
+          method: get
+          cors: true
+          authorizer: aws_iam
+
+  getUserV2:
+    handler: getUserV2.main
+    role: LambdaApiRole
+    events:
+      - http:
+          path: getUserV2
           method: post
           cors: true
           authorizer: aws_iam
diff --git a/services/ui-src/src/utils/UserDataApi.ts b/services/ui-src/src/utils/UserDataApi.ts
index e826c994c..626aef111 100644
--- a/services/ui-src/src/utils/UserDataApi.ts
+++ b/services/ui-src/src/utils/UserDataApi.ts
@@ -62,7 +62,7 @@ class UserDataApi {
     try {
       const idToken = await this.getIdToken();
-      return await API.post("oneMacAPI", `/getUser`, {
+      return await API.post("oneMacAPI", `/getUserV2`, {
         queryStringParameters: { email: userEmail },
         body: {idToken: idToken}
       });
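Review bot: Commenting out `serverless-iam-helper` and `serverless-s3-bucket-helper` in `plugins` is unrelated to the getUserV2 addition and changes what is deployed for every stage; if, as the `iamPath` and `iamPermissionsBoundaryPolicy` values a few lines below suggest, the IAM helper is what attaches the permissions boundary to the generated Lambda roles, roles deployed without it would lack that boundary — please confirm before merging, or move this change to its own commit with a note on why the plugins are disabled. The hard-coded `onemac-develop-one` in the same hunk has the stage-pinning problem already noted on the admin/serverless.yml hunk.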