Add new auth function in parallel upgraded to dotnet 8

[adamtry]

I modified Adams's deployment strategy for the following reasons:

1. We cannot redeploy the original 3.1 version, so there is little benefit in keeping the code. By changing the service name, a new lambda will be created and the existing one will remain
2. I didn't know what code had been modified when it had been copied, making this PR more difficult

Policies

Most of the policies were added manually via the console. I have added these policies to the Serverless template.

The deployment needs to work for both staging and production environments (there is a dev environment, but I don't think it's used). I've included the accountIds for the HousingProd and HousingStaging accounts.

custom:
  housingAccountIds:
    staging: "087586271961"
    production: "282997303675"

We need a policy for the authorizer to be called from each AWS account. The first policy is for the StagingAPIs or ProductionAPIs account. The second is for HousingStaging and HousingProduction. If there are more AWS accounts required, they will need to be added here.

    AllowApisAccountAuthorizer:
      # ProductionApis or StagingApis
      Type: AWS::Lambda::Permission
      Properties:
        FunctionName:
          Fn::GetAtt:
            - ApiAuthVerifyTokenNewLambdaFunction
            - Arn
        Action: lambda:InvokeFunction
        Principal: apigateway.amazonaws.com
        SourceArn:
          Fn::Join:
            - ""
            - - "arn:aws:execute-api:"
              - Ref: AWS::Region
              - ":"
              - Ref: AWS::AccountId
              - ":*"
    AllowHousingCrossAccountAuthorizer:
      # Housing-Production or Housing-Staging
      Type: AWS::Lambda::Permission
      Properties:
        FunctionName:
          Fn::GetAtt:
            - ApiAuthVerifyTokenNewLambdaFunction
            - Arn
        Action: lambda:InvokeFunction
        Principal: apigateway.amazonaws.com
        SourceArn:
          Fn::Join:
            - ""
            - - "arn:aws:execute-api:"
              - Ref: AWS::Region
              - ":"
              - ${self:custom.housingAccountIds.${self:provider.stage}}
              - ":*/authorizers/*"

Additionally, we need a policy for each account to assume the role when calling the GetRestApiAsync method in ApiGateway. This policy might be redundant if we remove the call to API Gateway in a later PR.

- PolicyName: assumeRoleForGettingCredentialsApiAccount
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - "sts:AssumeRole"
                  Resource:
                    Fn::Join:
                      - ""
                      - - "arn:aws:iam::"
                        - Ref: "AWS::AccountId"
                        - ":role/LBH_Api_Gateway_Allow_GET"
          - PolicyName: assumeRoleForGettingCredentialsHousingAccount
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - "sts:AssumeRole"
                  Resource:
                    Fn::Join:
                      - ""
                      - - "arn:aws:iam::"
                        - ${self:custom.housingAccountIds.${self:provider.stage}}
                        - ":role/LBH_Api_Gateway_Allow_GET"                        

Updating the ValidateToken Method

When testing the ValidateToken method, I repeatedly encountered the following error IDX10503: Signature validation failed. Token does not have a kid. Keys tried: .... I'm unsure if this change was due to updating the JWT library or upgrading to DOTNET 8, but I could not find a workaround. Our JWT tokens don't contain a KID header, and there was no way to disable the check without turning off signature verification entirely.

For that reason, I've taken the approach to use the JWT library (https://www.nuget.org/packages/JWT). It enables us to verify the token in the same way, but without requiring the missing KID header.

Previous PR Description

Context: We need to update the auth-verify-token function to dotnet 8 due to a deadline where dotnet 6 lambda functions will no longer be deployable on AWS. We will need this function to be deployable in a short time-frame so that we can fix a timeout issue in the VerifyAccessUseCase _awsApiGateway.GetApiName that is suspected to be surpassing account-level usage limits.

This verify-token function is used by many of our APIs across multiple AWS accounts, so any errors could cause serious widespread disruption. For this reason it was decided to deploy the dotnet 8 version of this token verifier in parallel with the existing one, and phasing the old one out more carefully after testing with the new one in a limited way.

The main Files changed will be somewhat difficult to read through because the original ApiAuthVerifyToken and ApiAuthVerifyToken.Tests folders were copied into new folders ApiAuthVerifyTokenNew and ApiAuthVerifyTokenNew.Tests so that we can deploy the dotnet 8 version of this function in parallel and keep the original deployment and tests as-is.

After the dotnet 8 function is in production and well-tested, it's assumed that a task will be taken to remove it from this code base. The new solutions are parallel to the existing ones so that the old should be removable without affecting the new.

See a7619bd for the actual changes to get dotnet 8 and parallel deployment working

The dotnet 8 upgrade steps were mostly copied from an existing dotnet 8 upgrade PR that was before we decided to deploy in parallel: #65 - see this for further comments and explanations

Note: It is expected that the existing 3.1 deployment will fail because deploying 3.1 isn't supported anymore, but at least it shouldn't try to destroy the existing function. The dotnet 8 deployment is in parallel with this in the CircleCI workflow so should not be blocked

[adamtry]

Only deploy the new one to staging for now. I didn't want to risk accidental production deployments when I don't yet know how it will interact with other infrastructure

[adamtry]

This is due to the new requirements in dotnet 8 that these secrets must be longer. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/IDX10720

[martapederiva]

@LBHCallumM

[LBHCallumM]

@LBHCallumM

:(

[Duslerke]

If you want a temporary test (because let's face it - that's what it is - a spike to see whether the upgrade would work), you don't need to commit this to master branch source control.

1. Just do these changes to the existing project files (no need for dupes) on a spike dummy/test branch where you'll tweak the pipeline to deploy from your spike branch instead of master.
2. Make sure to change the CF stack name in the serverless file so it gets deployed as a separate stack.
3. Deploy a temp version of dotnet 8 lambda under a new stack.
4. Once you're done testing, you can raise the PR from your spike branch onto the main branch after you've tweaked back the pipeline to deploy as normal.

This avoids the messy git history, excessive duplicated files, hard-to-read PR diff, and potentially forever lingering confusing suffixes like -new here or -2 in housing-repairs-online-2.

Lastly, if you'll notice the CircleCI pipeline, to deploy to development environment, you need the development branch. Your PR is targeting master. You should fix the development branch first and merge whatever PR to this branch first, otherwise you'd be skipping updating development environment and going straight to staging. Huge nono.

Doing 'request changes' only to pull some attention to the comment given 2 approvals are already present.

[Duslerke]

Approving to unblock it because of reported lack of time and will for this to be re-done via the proper approach mentioned in the previous review (as this piece of work is taken over due to original author being on leave).

[Duslerke]

Seems alright at a glance.
Nice switch to a different JWT.

[Duslerke]

ignore master and development

[Duslerke]

Is this PR for this temp deploy, are you planning to move onto live now?
Wondering whether this configuration is something leftover from your testing.

[Duslerke]

The project GUID somehow changed?

[adamtry]

We cannot redeploy the original 3.1 version, so there is little benefit in keeping the code. By changing the service name, a new lambda will be created and the existing one will remain
I didn't know what code had been modified when it had been copied, making this PR more difficult
Policies
Most of the policies were added manually via the console. I have added these policies to the Serverless template.

The deployment needs to work for both staging and production environments (there is a dev environment, but I don't think it's used). I've included the accountIds for the HousingProd and HousingStaging accounts.

custom:
housingAccountIds:
staging: "087586271961"
production: "282997303675"
We need a policy for the authorizer to be called from each AWS account. The first policy is for the StagingAPIs or ProductionAPIs account. The second is for HousingStaging and HousingProduction. If there are more AWS accounts required, they will need to be added here.

AllowApisAccountAuthorizer:
  # ProductionApis or StagingApis
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName:
      Fn::GetAtt:
        - ApiAuthVerifyTokenNewLambdaFunction
        - Arn
    Action: lambda:InvokeFunction
    Principal: apigateway.amazonaws.com
    SourceArn:
      Fn::Join:
        - ""
        - - "arn:aws:execute-api:"
          - Ref: AWS::Region
          - ":"
          - Ref: AWS::AccountId
          - ":*"
AllowHousingCrossAccountAuthorizer:
  # Housing-Production or Housing-Staging
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName:
      Fn::GetAtt:
        - ApiAuthVerifyTokenNewLambdaFunction
        - Arn
    Action: lambda:InvokeFunction
    Principal: apigateway.amazonaws.com
    SourceArn:
      Fn::Join:
        - ""
        - - "arn:aws:execute-api:"
          - Ref: AWS::Region
          - ":"
          - ${self:custom.housingAccountIds.${self:provider.stage}}
          - ":*/authorizers/*"

Additionally, we need a policy for each account to assume the role when calling the GetRestApiAsync method in ApiGateway. This policy might be redundant if we remove the call to API Gateway in a later PR.

• PolicyName: assumeRoleForGettingCredentialsApiAccount
  PolicyDocument:
  Version: "2012-10-17"
  Statement:
  - Effect: Allow
  Action:
  - "sts:AssumeRole"
  Resource:
  Fn::Join:
  - ""
  - - "arn:aws:iam::"
  - Ref: "AWS::AccountId"
  - ":role/LBH_Api_Gateway_Allow_GET"
  - PolicyName: assumeRoleForGettingCredentialsHousingAccount
  PolicyDocument:
  Version: "2012-10-17"
  Statement:
  - Effect: Allow
  Action:
  - "sts:AssumeRole"
  Resource:
  Fn::Join:
  - ""
  - - "arn:aws:iam::"
  - ${self:custom.housingAccountIds.${self:provider.stage}}
  - ":role/LBH_Api_Gateway_Allow_GET"
  Updating the ValidateToken Method
  When testing the ValidateToken method, I repeatedly encountered the following error IDX10503: Signature validation failed. Token does not have a kid. Keys tried: .... I'm unsure if this change was due to updating the JWT library or upgrading to DOTNET 8, but I could not find a workaround. Our JWT tokens don't contain a KID header, and there was no way to disable the check without turning off signature verification entirely.

For that reason, I've taken the approach to use the JWT library (https://www.nuget.org/packages/JWT). It enables us to verify the token in the same way, but without requiring the missing KID header.

Previous PR Description
Context: We need to update the auth-verify-token function to dotnet 8 due to a deadline where dotnet 6 lambda functions will no longer be deployable on AWS. We will need this function to be deployable in a short time-frame so that we can fix a timeout issue in the VerifyAccessUseCase _awsApiGateway.GetApiName that is suspected to be surpassing account-level usage limits.

This verify-token function is used by many of our APIs across multiple AWS accounts, so any errors could cause serious widespread disruption. For this reason it was decided to deploy the dotnet 8 version of this token verifier in parallel with the existing one, and phasing the old one out more carefully after testing with the new one in a limited way.

The main Files changed will be somewhat difficult to read through because the original ApiAuthVerifyToken and ApiAuthVerifyToken.Tests folders were copied into new folders ApiAuthVerifyTokenNew and ApiAuthVerifyTokenNew.Tests so that we can deploy the dotnet 8 version of this function in parallel and keep the original deployment and tests as-is.

After the dotnet 8 function is in production and well-tested, it's assumed that a task will be taken to remove it from this code base. The new solutions are parallel to the existing ones so that the old should be removable without affecting the new.

See a7619bd for the actual changes to get dotnet 8 and parallel deployment working

The dotnet 8 upgrade steps were mostly copied from an existing dotnet 8 upgrade PR that was before we decided to deploy in parallel: #65 - see this for further comments and explanations

Note: It is expected that the existing 3.1 deployment will fail because deploying 3.1 isn't supported anymore, but at least it shouldn't try to destroy the existing function. The dotnet 8 deployment is in parallel with this in the CircleCI workflow so should not be blocked