Authorization

[underbluewaters]

Implement access control scheme described here: https://github.com/seasketch/geoprocessing/wiki/OriginalDesignDoc#access-control-tokens

This system should protect user sketch data and support locking down report outputs to specific authorized projects.

[twelch]

Example of adding authorizer to gateway/lambdas in Typescript with latest CDK

• https://github.com/elthrasher/planetstack/blob/main/fns/authorizer.ts
• https://github.com/elthrasher/planetstack/blob/main/cdk/authorizer.ts

[twelch]

Access control of Lambda endpoints so they are not publicly accessible:

• geoprocessing functions only? might as well do preprocessing too
• geoprocessing function authors that want to limit access will set the following options via GeoprocessingHandler:
  • restrictedAccess: true
• These options are then published in project service metadata for each geoprocessing function.
• service metadata should also include allowed token issuers
  • issAllowList: ["seasketch.org"]. This could be hard-coded or made configurable
• It will be possible to have some functions publicly accessible and some restricted.
• When a geoprocessing service is added to a sketch class in SeaSketch, it will parse the service metadata.
• If restrictedAccess is true for any geoprocessing function, then SeaSketch will generate and provide a single JWT to geoprocessing React App via PostMessage event on init (interface TBD).
• gp React App will receive JWT via PostMessage event and store token in context.
• gp React App will make JWT available via useToken hook, along with decoded claims. (better name?)
• gp useFunction hook will pass JWT to all geoprocessing function requests with restrictedAccess set to true (what about web socket requests?)
• all geoprocessing function API requests will first go through an API Gateway authorizer Lambda function:
  • If functions restrictedAccess is true:
  • verify token present in Authorization header
  • verify token is not expired
  • verify token is valid using the issuer's JSON Web Key Set endpoint.
  • If any fail, return 403 Forbidden. Could give reason so that if expired tell user to reload their report.

Access control of sensitive reports (in addition to above):

• Access control should be by user group and geoprocessing function (tab-level is not fine grained enough
• geoprocessing function authors that want to limit access to functions will set the following options via GeoprocessingHandler:
  • restrictedAccess: true, //whether publicly accessible or not

SeaSketch manages which groups can access a geoprocessing function:

• SeaSketch provides an access-control GUI for each sketch class that lets admin choose a geoprocessing function by title (from service manifest), and then choose one or more user groups that should be able to access that function (whitelist).
• SeaSketch converts those choices to an array of geoprocessing function titles that the user is allowed to view and inserts them into the JWT as functionAllowList.
• projectAllow claim is also included as JWT claim, because the project name is not part of the issuer URL (subdomain) and the gp project authorizer needs to make sure request isn't being made with token for another project.

  {
  "claims": {
  "projectAllow": "sensitive-project",  // ID of seasketch project this is for, since can verify as part of issuer URL
  "functionAllowList": ["sensitiveFunction1", "sensitiveFunction2"]
  }
  }

• SeaSketch admin would need to make sure to restrict access to worker functions as well because those are currently publicly accessible. Fix could also be made so that worker functions are simply not accessible via REST API endpoint.
• If a ResultsCard finds that its functionTitle matches a name from functionAllowList, then it doesn't render that card or make Lambda request.
• For each geoprocessing function request, Authorizer Lambda compares the function name in the request URL to the forbiddenFunctions array and if not allowed return a 403 Forbidden, otherwise proceed to run geoprocessing function Lambda.
• If ResultsCard receives a 403 Forbidden, then the ResultsCard is not displayed. This shouldn't happen but if client-side validation is compromised this will be backup. If 200 OK then render the report results as normal.

Sources:

• https://github.com/seasketch/geoprocessing/wiki/OriginalDesignDoc#access-control-tokens
• AWS API Gateway custom authorizer using Auth0 - https://auth0.com/docs/customize/integrations/aws/aws-api-gateway-custom-authorizers
• https://circleci.com/blog/rest-api-lambda-authorizer/

[twelch]

Could potentially use the same token provided in sketch URL. Add additional claims there. Could provide an easier way to get token for debugging purposes - context menu item in sketch menu?

[twelch]

Should be able to use a jwt library to verify token with issuer, etc.