const azure = require('./controllers/azure');
const policy = require('./bin/scopeDownPolicy').policy;
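exports.handler = async (event) => {
  /**
   * Lambda entry point for the SFTP custom identity provider.
   *
   * Authenticates `event.username` / `event.password` against Azure AD,
   * checks that the user is a member of the configured Azure AD group and,
   * on success, returns the S3 role, bucket, home directory and scoped-down
   * policy for the session. Every failure path returns `{}`, which the
   * caller treats as a denied login.
   *
   * Environment variables (set by the CloudFormation stack):
   *   S3BucketName, S3RoleArn, PrincipleDomain, AzureClientId,
   *   AzureClientSecret, AzureGrantType, AzureGroupMemberID
   *
   * @param {{username?: string, password?: string}} event - login request
   * @returns {Promise<object>} session descriptor, or `{}` to deny access
   * @throws {Error} when PrincipleDomain is not configured (misconfiguration
   *   should fail loudly rather than silently deny every login)
   */
  const bucket = process.env.S3BucketName;
  const s3Role = process.env.S3RoleArn;
  const domain = process.env.PrincipleDomain;
  const clientId = process.env.AzureClientId;
  const secret = process.env.AzureClientSecret;
  const grant = process.env.AzureGrantType;
  const groupId = process.env.AzureGroupMemberID;

  if (typeof domain !== 'string') {
    throw new Error('PrincipleDomain environment variable is not set');
  }

  // A malformed request used to throw a TypeError on `.toLowerCase()`; deny
  // it cleanly before any outbound call is made.
  if (typeof event?.username !== 'string' || event.username === '' || typeof event.password !== 'string') {
    return {};
  }
  const localName = event.username.toLowerCase();

  // The (client-supplied) username becomes the last path segment of
  // HomeDirectory; refuse separators and dot-segments so it cannot point
  // outside the bucket prefix built below.
  if (localName.includes('/') || localName.includes('\\') || localName === '.' || localName === '..') {
    return {};
  }
  const userName = localName + domain.toLowerCase();

  // Login via the API to learn which Azure tenant the user belongs to.
  const user = await azure.login(userName, event.password);
  if (!user?.userId) {
    return {};
  }

  // App-credential login against that tenant to obtain an access token.
  const appLogin = await azure.appLogin(user.tenantId, clientId, secret, grant);
  if (!appLogin?.access_token) {
    return {};
  }

  // Membership check against the configured Azure AD group. Comparison is
  // case-insensitive, matching how `userName` was normalised above.
  const members = await azure.getGroupMembers(user.tenantId, groupId, appLogin.access_token);
  const isMember =
    Array.isArray(members) &&
    members.some((m) => typeof m === 'string' && m.toLowerCase() === userName);
  if (!isMember) {
    return {};
  }

  return {
    Role: s3Role,
    HomeBucket: bucket,
    HomeDirectory: `/${bucket}/${localName}`,
    Policy: JSON.stringify(policy),
  };
};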