Added struct definition to include ClientCert information to API Gateway when using mTLS #342

Merged
merged 17 commits into from
Jul 5, 2021
Changes from 5 commits
17 commits
1d83b07
Added ClientCert to APIGatewayCustomAuthorizerRequestTypeRequestIdent…
BWPSmith73 Nov 20, 2020
283152d
Merge pull request #1 from aws/master
dum0nt73 Dec 5, 2020
411a5fc
Updated testdata to include new mTLS context objects so go test passes
BWPSmith73 Dec 5, 2020
0e98aee
Merge branch 'master' of https://github.com/dum0nt73/aws-lambda-go
BWPSmith73 Dec 5, 2020
734e78c
Updated lambda authorizer test json to include clientCert
BWPSmith73 Dec 5, 2020
c6725b7
Merge pull request #2 from aws/master
dum0nt73 Apr 12, 2021
e31c9a1
Rearrange struct definition order to match AWS Go project conventions
BWPSmith73 Apr 12, 2021
92a9843
Merge branch 'master' of https://github.com/dum0nt73/aws-lambda-go
BWPSmith73 Apr 12, 2021
19fe79d
Rearrange struct definition order to match AWS Go project conventions
BWPSmith73 Apr 12, 2021
ec6fee3
Rearrange struct definition order to match AWS Go project conventions…
BWPSmith73 Apr 12, 2021
87559da
Fixed space in test data file
BWPSmith73 Apr 12, 2021
45be04b
Converted Validity start and end from string to time.Time
BWPSmith73 Apr 12, 2021
e2f0235
Converted Validity start and end from string to time.Time for HTTPReq…
BWPSmith73 Apr 12, 2021
36dc632
Merge branch 'master' into master
bmoffatt May 22, 2021
3329129
Merge pull request #3 from aws/master
dum0nt73 Jun 20, 2021
1c35d15
Changing Validity notAfter and notBefore back to strings
BWPSmith73 Jun 20, 2021
bc8a460
Merge branch 'master' of https://github.com/dum0nt73/aws-lambda-go
BWPSmith73 Jun 20, 2021
65 changes: 51 additions & 14 deletions events/apigw.go
@@ -65,17 +65,18 @@ type APIGatewayV2HTTPRequest struct {

// APIGatewayV2HTTPRequestContext contains the information to identify the AWS account and resources invoking the Lambda function.
type APIGatewayV2HTTPRequestContext struct {
RouteKey string `json:"routeKey"`
AccountID string `json:"accountId"`
Stage string `json:"stage"`
RequestID string `json:"requestId"`
Authorizer *APIGatewayV2HTTPRequestContextAuthorizerDescription `json:"authorizer,omitempty"`
APIID string `json:"apiId"` // The API Gateway HTTP API Id
DomainName string `json:"domainName"`
DomainPrefix string `json:"domainPrefix"`
Time string `json:"time"`
TimeEpoch int64 `json:"timeEpoch"`
HTTP APIGatewayV2HTTPRequestContextHTTPDescription `json:"http"`
RouteKey string `json:"routeKey"`
AccountID string `json:"accountId"`
Stage string `json:"stage"`
RequestID string `json:"requestId"`
Authorizer *APIGatewayV2HTTPRequestContextAuthorizerDescription `json:"authorizer,omitempty"`
APIID string `json:"apiId"` // The API Gateway HTTP API Id
DomainName string `json:"domainName"`
DomainPrefix string `json:"domainPrefix"`
Time string `json:"time"`
TimeEpoch int64 `json:"timeEpoch"`
HTTP APIGatewayV2HTTPRequestContextHTTPDescription `json:"http"`
Authentication APIGatewayV2HTTPRequestContextAuthentication `json:"authentication"`
Contributor
This field is optional right? Or is it always supplied now by API GW?

Contributor Author
Supplied by API GW when mTLS is configured, otherwise it will be ignored since we are just unmarshalling.

}

// APIGatewayV2HTTPRequestContextAuthorizerDescription contains authorizer information for the request context.
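Review bot: `Authentication` is a value field with no `omitempty`, while `Authorizer` a few lines above is a pointer tagged `json:"authorizer,omitempty"`. Per the thread, API Gateway only sends `authentication` when mTLS is configured, so on a plain HTTPS API the field decodes to a zero-value struct full of empty strings; a handler cannot tell "no client certificate" from "present" without checking `ClientCert.ClientCertPem != ""`, and re-marshalling the event emits an empty `authentication` object. Suggest `Authentication *APIGatewayV2HTTPRequestContextAuthentication `json:"authentication,omitempty"`` to follow the `Authorizer` convention and make the nil case explicit.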
@@ -189,10 +190,46 @@ type APIGatewayWebsocketProxyRequestContext struct {
Status string `json:"status"`
}

// APIGatewayCustomAuthorizerRequestTypeRequestIdentity contains identity information for the request caller.
// APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity contains certificate validity information for the request caller if using mTLS..
Contributor
I usually prefer for definitions to read top to bottom in the order they are used. In this case that would mean that each of your new types would only come after they were first used. Could we make that update here?

Contributor Author
Changed the order of definitions to match project conventions.

type APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity struct {
NotAfter string `json:"notAfter"`
NotBefore string `json:"notBefore"`
Contributor
Looks like these are timestamps. I'm not entirely sure what we do elsewhere in this package but maybe these could be time.Times?

Contributor Author
I was unable to find a way to convert the time format of the validity dates in the JSON unmarshalling; none of the tag hints I could find seem to work. I don't think writing a custom unmarshalling routine would be appropriate but am open to suggestion.

}

// APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert contains certificate information for the request caller if using mTLS..
type APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert struct {
ClientCertPem string `json:"clientCertPem"`
IssuerDN string `json:"issuerDN"`
SerialNumber string `json:"serialNumber"`
SubjectDN string `json:"subjectDN"`
Validity APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity `json:"validity"`
}

// APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity contains client certificate validity information for the request caller if using mTLS..
type APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity struct {
NotAfter string `json:"notAfter"`
NotBefore string `json:"notBefore"`
}

// APIGatewayV2HTTPRequestContextAuthenticationClientCert contains client certificate information for the request caller if using mTLS..
type APIGatewayV2HTTPRequestContextAuthenticationClientCert struct {
ClientCertPem string `json:"clientCertPem"`
IssuerDN string `json:"issuerDN"`
SerialNumber string `json:"serialNumber"`
SubjectDN string `json:"subjectDN"`
Validity APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity `json:"validity"`
}

// APIGatewayV2HTTPRequestContextAuthentication contains authentication context information for the request caller including client certificate information if using mTLS..
Contributor
nit pick: here and elsewhere there is an unnecessary extra . at end of doc comment

Contributor Author
Fixed the extra .

type APIGatewayV2HTTPRequestContextAuthentication struct {
ClientCert APIGatewayV2HTTPRequestContextAuthenticationClientCert `json:"clientCert"`
}

// APIGatewayCustomAuthorizerRequestTypeRequestIdentity contains identity information for the request caller including certificate information if using mTLS.
type APIGatewayCustomAuthorizerRequestTypeRequestIdentity struct {
APIKey string `json:"apiKey"`
SourceIP string `json:"sourceIp"`
APIKey string `json:"apiKey"`
SourceIP string `json:"sourceIp"`
ClientCert APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert `json:"clientCert"`
Contributor
This field is optional right? Or is it always supplied now by API GW?

Contributor Author
Supplied by API GW when mTLS is configured, otherwise it will be ignored since we are just unmarshalling.

}

// APIGatewayCustomAuthorizerContext represents the expected format of an API Gateway custom authorizer response.
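Review bot: `ClientCert` in `APIGatewayCustomAuthorizerRequestTypeRequestIdentity` has the same shape problem as `Authentication` in the first hunk: a value field with no `omitempty`, so a request without mTLS decodes to an empty struct and re-marshals as an empty `clientCert` object; a pointer with `omitempty` would make absence explicit. Since `NotAfter`/`NotBefore` remain strings (the later commit "Changing Validity notAfter and notBefore back to strings" settles that), the doc comment on the `...ClientCertValidity` types should state the layout API Gateway uses (the fixtures show `Aug 5 00:28:21 2120 GMT`) so consumers hand the right layout to `time.Parse` instead of comparing strings. Minor: the five doc comments ending in `..` flagged in the thread are still present in this revision.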
12 changes: 11 additions & 1 deletion events/testdata/apigw-custom-auth-request-type-request.json
@@ -68,7 +68,17 @@
"requestId": "...",
"identity": {
"apiKey": "...",
"sourceIp": "..."
"sourceIp": "..." ,
"clientCert": {
"clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
"issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
"serialNumber": "1",
"subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
"validity": {
"notAfter": "Aug 5 00:28:21 2120 GMT",
"notBefore": "Aug 29 00:28:21 2020 GMT"
}
}
},
"resourcePath": "/request",
"httpMethod": "GET",
12 changes: 12 additions & 0 deletions events/testdata/apigw-v2-request-iam.json
@@ -39,6 +39,18 @@
}
},
"apiId": "api-id",
"authentication": {
"clientCert": {
"clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
"issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
"serialNumber": "1",
"subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
"validity": {
"notAfter": "Aug 5 00:28:21 2120 GMT",
"notBefore": "Aug 29 00:28:21 2020 GMT"
}
}
},
"domainName": "id.execute-api.us-east-1.amazonaws.com",
"domainPrefix": "id",
"time": "12/Mar/2020:19:03:58+0000",
12 changes: 12 additions & 0 deletions events/testdata/apigw-v2-request-jwt-authorizer.json
@@ -36,6 +36,18 @@
}
},
"apiId": "api-id",
"authentication": {
"clientCert": {
"clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
"issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
"serialNumber": "1",
"subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
"validity": {
"notAfter": "Aug 5 00:28:21 2120 GMT",
"notBefore": "Aug 29 00:28:21 2020 GMT"
}
}
},
"domainName": "id.execute-api.us-east-1.amazonaws.com",
"domainPrefix": "id",
"time": "12/Mar/2020:19:03:58+0000",
12 changes: 12 additions & 0 deletions events/testdata/apigw-v2-request-lambda-authorizer.json
@@ -29,6 +29,18 @@
}
},
"apiId": "api-id",
"authentication": {
"clientCert": {
"clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
"issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
"serialNumber": "1",
"subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
"validity": {
"notAfter": "Aug 5 00:28:21 2120 GMT",
"notBefore": "Aug 29 00:28:21 2020 GMT"
}
}
},
"domainName": "id.execute-api.us-east-1.amazonaws.com",
"domainPrefix": "id",
"time": "12/Mar/2020:19:03:58+0000",
12 changes: 12 additions & 0 deletions events/testdata/apigw-v2-request-no-authorizer.json
@@ -16,6 +16,18 @@
"requestContext": {
"accountId": "123456789012",
"apiId": "aaaaaaaaaa",
"authentication": {
"clientCert": {
"clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
"issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
"serialNumber": "1",
"subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
"validity": {
"notAfter": "Aug 5 00:28:21 2120 GMT",
"notBefore": "Aug 29 00:28:21 2020 GMT"
}
}
},
"domainName": "aaaaaaaaaa.execute-api.us-west-2.amazonaws.com",
"domainPrefix": "aaaaaaaaaa",
"http": {