Custom request-based lambda authorizer for AWS API Gateway is not triggered for API invocations

I have created a simple request-based authorizer for my AWS API Gateway following the documentation ( https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html ).

While testing the authorizer (with a dummy setup that validates whether the Authorization header has the key 'test' in it) the authorizer works fine, but when calling the API directly from the endpoint the authorizer is not called at all and I get my API response (which should be blocked, as no header is passed).

Authorizer test with invalid key: getting expected 401

Authorizer test with valid key: getting expected 200

Directly calling the API endpoint from the web with success:

My resource policy for API Gateway, as I want to limit invocation to specific IP ranges only:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:111111111111:6mm9kw17uf/*/*/*"
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:111111111111:6mm9kw17uf/*/*/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "XXXXXXX"
                }
            }
        }
    ]
}

Authorizer Lambda code:

exports.handler = function(event, context, callback) {        
    console.log('Received event:', JSON.stringify(event, null, 2));

    // Retrieve request parameters from the Lambda function input:
    var headers = event.headers;
        
    // Parse the input for the parameter values
    var tmp = event.methodArn.split(':');
    var apiGatewayArnTmp = tmp[5].split('/');
    var awsAccountId = tmp[4];
    var region = tmp[3];
    var restApiId = apiGatewayArnTmp[0];
    var stage = apiGatewayArnTmp[1];
    var method = apiGatewayArnTmp[2];
    var resource = '/'; // root resource
    if (apiGatewayArnTmp[3]) {
        resource += apiGatewayArnTmp[3];
    }
        
    // Perform authorization to return the Allow policy for correct parameters and 
    // the 'Unauthorized' error, otherwise.
    var authResponse = {};
    var condition = {};
    condition.IpAddress = {};
     
    if (headers.Authorization === "test") {
        callback(null, generateAllow('me', event.methodArn));
    }  else {
        callback("Unauthorized");
    }
}
     
// Help function to generate an IAM policy
var generatePolicy = function(principalId, effect, resource) {
    // Required output:
    var authResponse = {};
    authResponse.principalId = principalId;
    if (effect && resource) {
        var policyDocument = {};
        policyDocument.Version = '2012-10-17';
        policyDocument.Statement = [];
        var statementOne = {};
        statementOne.Action = 'execute-api:Invoke';
        statementOne.Effect = effect;
        statementOne.Resource = resource;
        policyDocument.Statement[0] = statementOne;
        authResponse.policyDocument = policyDocument;
    }
    return authResponse;
}
     
var generateAllow = function(principalId, resource) {
    return generatePolicy(principalId, 'Allow', resource);
}
     
var generateDeny = function(principalId, resource) {
    return generatePolicy(principalId, 'Deny', resource);
}

What I have tried already:

  1. I already re-deployed the APIs again after adding the authorizer.
  2. I am testing this from Postman and a web browser, not the Gateway test, as that bypasses the authorizer.

I tried to replicate that issue using my own API Gateway, and I haven't identified any problems with your lambda function. It works as expected.

Example of authorized call:

curl -i -w "\n" --http1.1 -H 'Authorization: test' https://xxxxx.execute-api.us-east-1.amazonaws.com/dev/helloworld


HTTP/1.1 200 OK
Date: Sun, 06 Sep 2020 11:22:30 GMT
Content-Type: application/json
Content-Length: 67
Connection: keep-alive
x-amzn-RequestId: 4213f276-737c-4481-bbac-3c4ecd767b6f
x-amz-apigw-id: ScPyeFInoAMFYKg=
X-Amzn-Trace-Id: Root=1-5f54c676-9e0c8bbe6093d8889f6b2035;Sampled=0

{
    "statusCode": 200,
    "message": "Hello from API Gateway!"
}

Example of non-authorized call:

curl -i -w "\n" --http1.1 -H 'Authorization: invalid' https://xxxx.execute-api.us-east-1.amazonaws.com/dev/helloworld


HTTP/1.1 401 Unauthorized
Date: Sun, 06 Sep 2020 11:25:36 GMT
Content-Type: application/json
Content-Length: 26
Connection: keep-alive
x-amzn-RequestId: 42a1d47c-aab5-4b72-b8eb-469fed383b26
x-amzn-ErrorType: UnauthorizedException
x-amz-apigw-id: ScQPpFUwoAMFRdA=

{"message":"Unauthorized"}

Example with no header value provided:

curl -i -w "\n" --http1.1  https://xxxx.execute-api.us-east-1.amazonaws.com/dev/helloworld

HTTP/1.1 401 Unauthorized
Date: Sun, 06 Sep 2020 11:26:15 GMT
Content-Type: application/json
Content-Length: 26
Connection: keep-alive
x-amzn-RequestId: 982944f2-ac1d-4eee-8776-7bfa76314d2b
x-amzn-ErrorType: UnauthorizedException
x-amz-apigw-id: ScQVwGmpoAMFfSA=

{"message":"Unauthorized"}

Things to consider though:

  1. When you add your authorizer to your API method, you have to deploy the stage again.
  2. It takes time until the new authorizer starts working. Thus after you enable it and create the new stage, you have to wait a few minutes until it starts working.
