Merge pull request #308 from AlisProject/release/β0.36.1

Release/β0.36.1

Author: hayago

api-template.yaml

@@ -277,6 +277,10 @@ Resources:
                 type: string
               send_value:
                 type: string
+              access_token:
+                type: string
+              pin_code:
+                type: string
           MeExternalProviderUserCreate:
             type: object
             properties:

src/common/lambda_base.py

@@ -2,6 +2,8 @@
 import json
 import logging
 import traceback
+import copy
+import settings
 from jsonschema import ValidationError
 from record_not_found_error import RecordNotFoundError
 from not_authorized_error import NotAuthorizedError
@@ -47,31 +49,31 @@ def main(self):
             return self.exec_main_proc()
         except ValidationError as err:
             logger.fatal(err)
-            logger.info(self.event)
+            logger.info(self.__filter_event_for_log(self.event))
 
             return {
                 'statusCode': 400,
                 'body': json.dumps({'message': "Invalid parameter: {0}".format(err)})
             }
         except NotVerifiedUserError as err:
             logger.fatal(err)
-            logger.info(self.event)
+            logger.info(self.__filter_event_for_log(self.event))
 
             return {
                 'statusCode': 400,
                 'body': json.dumps({'message': "Bad Request: {0}".format(err)})
             }
         except NotAuthorizedError as err:
             logger.fatal(err)
-            logger.info(self.event)
+            logger.info(self.__filter_event_for_log(self.event))
 
             return {
                 'statusCode': 403,
                 'body': json.dumps({'message': str(err)})
             }
         except RecordNotFoundError as err:
             logger.fatal(err)
-            logger.info(self.event)
+            logger.info(self.__filter_event_for_log(self.event))
 
             return {
                 'statusCode': 404,
@@ -80,7 +82,7 @@ def main(self):
 
         except Exception as err:
             logger.fatal(err)
-            logger.info(self.event)
+            logger.info(self.__filter_event_for_log(self.event))
             traceback.print_exc()
 
             return {
@@ -120,3 +122,21 @@ def __get_headers(self):
         if self.event.get('headers') is not None:
             result.update(self.event.get('headers'))
         return result
+
+    def __filter_event_for_log(self, event):
+        copied_event = copy.deepcopy(event)
+
+        if 'body' not in copied_event:
+            return copied_event
+
+        try:
+            body = json.loads(copied_event['body'])
+        except Exception:
+            return copied_event
+
+        for not_logging_param in settings.not_logging_parameters:
+            if not_logging_param in body:
+                body[not_logging_param] = 'xxxxx'
+        copied_event['body'] = json.dumps(body)
+
+        return copied_event

src/common/settings.py

@@ -204,9 +204,18 @@
     'eth_address': {
         'type': 'string',
         'pattern': r'^0x[a-fA-F0-9]{40}$'
+    },
+    'access_token': {
+        'type': 'string'
+    },
+    'pin_code': {
+        'type': 'string'
     }
 }
 
+# ログに出力されてはいけないパラメータ(ログ出力時に値がマスクされる)
+not_logging_parameters = {'access_token', 'pin_code'}
+
 article_recent_default_limit = 20
 users_articles_public_default_limit = 10
 articles_popular_default_limit = 20

src/handlers/cognito_trigger/custommessage/custom_message.py

@@ -5,6 +5,7 @@
 from jsonschema import validate, ValidationError
 from lambda_base import LambdaBase
 from user_util import UserUtil
+from private_chain_util import PrivateChainUtil
 
 
 class CustomMessage(LambdaBase):
@@ -36,6 +37,12 @@ def validate_params(self):
                 for attribute in user['Attributes']:
                     if attribute['Name'] == 'phone_number_verified' and attribute['Value'] == 'true':
                         raise ValidationError('This phone_number is already exists')
+        # セキュリティ観点より、電話番号変更を実行させない。
+        # これにより XSS が発生したとしても、電話番号認証が必要な処理は回避が可能
+        if self.event['triggerSource'] == 'CustomMessage_VerifyUserAttribute':
+            # phone_number_verified が true の場合は電話番号変更を行っていないため当チェックは不要
+            if params.get('phone_number_verified', '') != 'true':
+                self.__validate_has_not_token(params)
 
     def exec_main_proc(self):
         if self.event['triggerSource'] == 'CustomMessage_ForgotPassword':
@@ -73,3 +80,14 @@ def exec_main_proc(self):
                 user=self.event['userName']
             ).replace("\n", "<br />")
         return self.event
+
+    # トークンを保持していた場合は例外を出力
+    def __validate_has_not_token(self, params):
+        address = params.get('custom:private_eth_address')
+        if address is None:
+            raise ValidationError('Not exists private_eth_address. user_id: ' + self.event['userName'])
+        url = 'https://' + os.environ['PRIVATE_CHAIN_EXECUTE_API_HOST'] + '/production/wallet/balance'
+        payload = {'private_eth_address': address[2:]}
+        token = PrivateChainUtil.send_transaction(request_url=url, payload_dict=payload)
+        if token is not None and token != '0x0000000000000000000000000000000000000000000000000000000000000000':
+            raise ValidationError("Do not allow phone number updates")

src/handlers/me/wallet/token/send/me_wallet_token_send.py

@@ -6,6 +6,7 @@
 from decimal import Decimal
 from db_util import DBUtil
 from boto3.dynamodb.conditions import Key
+from botocore.exceptions import ClientError
 from private_chain_util import PrivateChainUtil
 from time_util import TimeUtil
 from jsonschema import validate
@@ -23,8 +24,10 @@ def get_schema(self):
             'properties': {
                 'recipient_eth_address': settings.parameters['eth_address'],
                 'send_value': settings.parameters['token_send_value'],
+                'access_token': settings.parameters['access_token'],
+                'pin_code': settings.parameters['pin_code']
             },
-            'required': ['recipient_eth_address', 'send_value']
+            'required': ['recipient_eth_address', 'send_value', 'access_token', 'pin_code']
         }
 
     def validate_params(self):
@@ -35,6 +38,10 @@ def validate_params(self):
             self.params['send_value'] = int(self.params['send_value'])
         except ValueError:
             raise ValidationError('send_value must be numeric')
+
+        # pinコードを検証
+        self.__validate_pin_code(self.params['access_token'], self.params['pin_code'])
+
         validate(self.params, self.get_schema())
 
     def exec_main_proc(self):
@@ -197,3 +204,26 @@ def __update_send_info_with_send_status(self, sort_key, user_id, send_status):
                 ':send_status': send_status,
             }
         )
+
+    def __validate_pin_code(self, access_token, pin_code):
+        try:
+            self.__verify_user_attribute(access_token, pin_code)
+        except ClientError as client_error:
+            code = client_error.response['Error']['Code']
+            if code == 'NotAuthorizedException':
+                raise ValidationError('Access token is invalid')
+            elif code == 'CodeMismatchException':
+                raise ValidationError('Pin code is invalid')
+            elif code == 'ExpiredCodeException':
+                raise ValidationError('Pin code is expired')
+            elif code == 'LimitExceededException':
+                raise ValidationError('Verification limit is exceeded')
+            else:
+                raise client_error
+
+    def __verify_user_attribute(self, access_token, pin_code):
+        self.cognito.verify_user_attribute(
+            AccessToken=access_token,
+            AttributeName='phone_number',
+            Code=pin_code
+        )

tests/common/test_lambda_base.py

@@ -1,7 +1,7 @@
 import json
 from tests_util import TestsUtil
 from unittest import TestCase
-from unittest.mock import MagicMock
+from unittest.mock import patch, MagicMock
 from jsonschema import ValidationError
 from lambda_base import LambdaBase
 from record_not_found_error import RecordNotFoundError
@@ -116,3 +116,51 @@ def test_get_headers_ok(self):
             'test_key2': 'test2'
         }
         self.assertEqual(expected_headers, lambda_impl.headers)
+
+    def test_filter_event_for_log_ok(self):
+        with patch('settings.not_logging_parameters', {"not_logging_param_1", "not_logging_param_2"}), \
+                patch('logging.Logger.info') as mock_logger_info:
+
+            event = {
+                'body': '{"logging_param": "aaaaa", "not_logging_param_1": "bbbbb", "not_logging_param_2": "ccccc"}',
+                'other_part': {}
+            }
+            lambda_impl = self.TestLambdaImpl(event, {})
+            lambda_impl.exec_main_proc = MagicMock(side_effect=Exception())
+
+            lambda_impl.main()
+
+            mock_logger_info.assert_called_with({
+                'body': '{"logging_param": "aaaaa", "not_logging_param_1": "xxxxx", "not_logging_param_2": "xxxxx"}',
+                'other_part': {}
+            })
+
+    def test_filter_event_for_log_ok_with_no_body(self):
+        with patch('logging.Logger.info') as mock_logger_info:
+
+            event = {
+                'other_part': {}
+            }
+            lambda_impl = self.TestLambdaImpl(event, {})
+            lambda_impl.exec_main_proc = MagicMock(side_effect=Exception())
+
+            lambda_impl.main()
+
+            mock_logger_info.assert_called_with({
+                'other_part': {}
+            })
+
+    def test_filter_event_for_log_ok_with_invalid_body(self):
+        with patch('logging.Logger.info') as mock_logger_info:
+
+            event = {
+                'body': 'invalid body'
+            }
+            lambda_impl = self.TestLambdaImpl(event, {})
+            lambda_impl.exec_main_proc = MagicMock(side_effect=Exception())
+
+            lambda_impl.main()
+
+            mock_logger_info.assert_called_with({
+                'body': 'invalid body'
+            })