External Membership (#215)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: devksingh4

cloudformation/iam.yml

@@ -74,8 +74,7 @@ Resources:
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-iam-grouproles
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-stripe-links
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-membership-provisioning
-              - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-membership-external
-              - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-membership-external-v2
+              - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-membership-external-v3
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-room-requests
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-room-requests-status
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-linkry
@@ -87,6 +86,8 @@ Resources:
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-room-requests/index/*
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-room-requests-status/index/*
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-linkry/index/*
+              - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-membership-provisioning/index/*
+              - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-membership-external-v3/index/*
 
           - Sid: DynamoDBCacheAccess
             Effect: Allow

cloudformation/main.yml

@@ -398,23 +398,6 @@ Resources:
         AttributeName: expiresAt
         Enabled: true
 
-  ExternalMembershipRecordsTable:
-    Type: "AWS::DynamoDB::Table"
-    DeletionPolicy: "Retain"
-    UpdateReplacePolicy: "Retain"
-    Properties:
-      BillingMode: "PAY_PER_REQUEST"
-      TableName: infra-core-api-membership-external
-      DeletionProtectionEnabled: true
-      PointInTimeRecoverySpecification:
-        PointInTimeRecoveryEnabled: !If [IsProd, true, false]
-      AttributeDefinitions:
-        - AttributeName: netid_list
-          AttributeType: S
-      KeySchema:
-        - AttributeName: netid_list
-          KeyType: HASH
-
   ExternalMembershipV3RecordsTable:
     Type: "AWS::DynamoDB::Table"
     DeletionPolicy: "Retain"
@@ -444,6 +427,12 @@ Resources:
               KeyType: "RANGE"
           Projection:
             ProjectionType: "KEYS_ONLY"
+        - IndexName: "keysOnlyIndex"
+          KeySchema:
+            - AttributeName: "memberList"
+              KeyType: "HASH"
+          Projection:
+            ProjectionType: "KEYS_ONLY"
 
 
   RoomRequestsTable:

generate_jwt.js

@@ -4,6 +4,7 @@ import {
   GetSecretValueCommand,
 } from "@aws-sdk/client-secrets-manager";
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
+import { randomUUID } from "crypto";
 
 export const getSecretValue = async (secretId) => {
   const smClient = new SecretsManagerClient();
@@ -56,7 +57,7 @@ const payload = {
   sub: "subject",
   tid: "tenant-id",
   unique_name: username,
-  uti: "uti-value",
+  uti: randomUUID(),
   ver: "1.0",
 };
 

src/api/functions/membership.ts

@@ -1,10 +1,11 @@
 import {
+  BatchWriteItemCommand,
   ConditionalCheckFailedException,
   DynamoDBClient,
   PutItemCommand,
   QueryCommand,
 } from "@aws-sdk/client-dynamodb";
-import { marshall } from "@aws-sdk/util-dynamodb";
+import { marshall, unmarshall } from "@aws-sdk/util-dynamodb";
 import { genericConfig } from "common/config.js";
 import {
   addToTenant,
@@ -13,15 +14,161 @@ import {
   patchUserProfile,
   resolveEmailToOid,
 } from "./entraId.js";
-import { EntraGroupError } from "common/errors/index.js";
+import { EntraGroupError, ValidationError } from "common/errors/index.js";
 import { EntraGroupActions } from "common/types/iam.js";
 import { pollUntilNoError } from "./general.js";
 import Redis from "ioredis";
-import { getKey } from "./redisCache.js";
+import { getKey, setKey } from "./redisCache.js";
 import { FastifyBaseLogger } from "fastify";
+import type pino from "pino";
+import { createAuditLogEntry } from "./auditLog.js";
+import { Modules } from "common/modules.js";
 
 export const MEMBER_CACHE_SECONDS = 43200; // 12 hours
 
+export async function patchExternalMemberList({
+  listId: oldListId,
+  add: oldAdd,
+  remove: oldRemove,
+  clients: { dynamoClient, redisClient },
+  logger,
+  auditLogData: { actor, requestId },
+}: {
+  listId: string;
+  add: string[];
+  remove: string[];
+  clients: { dynamoClient: DynamoDBClient; redisClient: Redis.default };
+  logger: pino.Logger | FastifyBaseLogger;
+  auditLogData: { actor: string; requestId: string };
+}) {
+  const listId = oldListId.toLowerCase();
+  const add = oldAdd.map((x) => x.toLowerCase());
+  const remove = oldRemove.map((x) => x.toLowerCase());
+  if (add.length === 0 && remove.length === 0) {
+    return;
+  }
+  const addSet = new Set(add);
+
+  const conflictingNetId = remove.find((netId) => addSet.has(netId));
+
+  if (conflictingNetId) {
+    throw new ValidationError({
+      message: `The netId '${conflictingNetId}' cannot be in both the 'add' and 'remove' lists simultaneously.`,
+    });
+  }
+  const writeRequests = [];
+  // Create PutRequest objects for each member to be added.
+  for (const netId of add) {
+    writeRequests.push({
+      PutRequest: {
+        Item: {
+          memberList: { S: listId },
+          netId: { S: netId },
+        },
+      },
+    });
+  }
+  // Create DeleteRequest objects for each member to be removed.
+  for (const netId of remove) {
+    writeRequests.push({
+      DeleteRequest: {
+        Key: {
+          memberList: { S: listId },
+          netId: { S: netId },
+        },
+      },
+    });
+  }
+  const BATCH_SIZE = 25;
+  const batchPromises = [];
+  for (let i = 0; i < writeRequests.length; i += BATCH_SIZE) {
+    const batch = writeRequests.slice(i, i + BATCH_SIZE);
+    const command = new BatchWriteItemCommand({
+      RequestItems: {
+        [genericConfig.ExternalMembershipTableName]: batch,
+      },
+    });
+    batchPromises.push(dynamoClient.send(command));
+  }
+  const removeCacheInvalidation = remove.map((x) =>
+    setKey({
+      redisClient,
+      key: `membership:${x}:${listId}`,
+      data: JSON.stringify({ isMember: false }),
+      expiresIn: MEMBER_CACHE_SECONDS,
+      logger,
+    }),
+  );
+  const addCacheInvalidation = add.map((x) =>
+    setKey({
+      redisClient,
+      key: `membership:${x}:${listId}`,
+      data: JSON.stringify({ isMember: true }),
+      expiresIn: MEMBER_CACHE_SECONDS,
+      logger,
+    }),
+  );
+  const auditLogPromises = [];
+  if (add.length > 0) {
+    auditLogPromises.push(
+      createAuditLogEntry({
+        dynamoClient,
+        entry: {
+          module: Modules.EXTERNAL_MEMBERSHIP,
+          actor,
+          requestId,
+          message: `Added ${add.length} member(s) to target list.`,
+          target: listId,
+        },
+      }),
+    );
+  }
+  if (remove.length > 0) {
+    auditLogPromises.push(
+      createAuditLogEntry({
+        dynamoClient,
+        entry: {
+          module: Modules.EXTERNAL_MEMBERSHIP,
+          actor,
+          requestId,
+          message: `Removed ${remove.length} member(s) from target list.`,
+          target: listId,
+        },
+      }),
+    );
+  }
+  await Promise.all([
+    ...removeCacheInvalidation,
+    ...addCacheInvalidation,
+    ...batchPromises,
+  ]);
+  await Promise.all(auditLogPromises);
+}
+export async function getExternalMemberList(
+  list: string,
+  dynamoClient: DynamoDBClient,
+): Promise<string[]> {
+  const { Items } = await dynamoClient.send(
+    new QueryCommand({
+      TableName: genericConfig.ExternalMembershipTableName,
+      KeyConditionExpression: "#pk = :pk",
+      ExpressionAttributeNames: {
+        "#pk": "memberList",
+      },
+      ExpressionAttributeValues: marshall({
+        ":pk": list,
+      }),
+    }),
+  );
+  if (!Items || Items.length === 0) {
+    return [];
+  }
+  return Items.map((x) => unmarshall(x))
+    .filter((x) => !!x)
+    .map((x) => x.netId)
+    .sort();
+}
+
 export async function checkExternalMembership(
   netId: string,
   list: string,
@@ -30,12 +177,15 @@ export async function checkExternalMembership(
   const { Items } = await dynamoClient.send(
     new QueryCommand({
       TableName: genericConfig.ExternalMembershipTableName,
-      KeyConditionExpression: "#pk = :pk",
+      KeyConditionExpression: "#pk = :pk and #sk = :sk",
+      IndexName: "invertedIndex",
       ExpressionAttributeNames: {
-        "#pk": "netid_list",
+        "#pk": "netId",
+        "#sk": "memberList",
       },
       ExpressionAttributeValues: marshall({
-        ":pk": `${netId}_${list}`,
+        ":pk": netId,
+        ":sk": list,
       }),
     }),
   );