I am having some trouble configuring/using authentication on AWS ApiGateway. I have set up a lambda function with code that receives the AWS authentication model (see below), which basically decodes the JWT token and verifies whether the given user may access the resource:

```json
{
  "type": "TOKEN",
  "authorizationToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjotMTU1LCJwcm9kdWN0IjoiQmlsbGlvblJ1biIsInBlcm1pc3Npb25fbGV2ZWwiOjEsInNhbHQiOiJzZWNyZXRfcGhyYXNlIn0.3gZUFITe8or2mPWBAZlOxdcGF6-ybykHVsMRsqoUI_8",
  "methodArn": "arn:aws:execute-api:us-east-1:123456789012:example/prod/POST/{proxy+}"
}
```
See the sample output from the ApiGateway documentation below. The first is for when the user is successfully validated (permission granted), the second for when the user fails validation (permission denied):

```json
{
  "principalId": "users",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": "arn:aws:execute-api:REGION:AWS_ACCOUNT:example/prod/POST/{proxy+}"
      }
    ]
  },
  "context": {
    "user_id": XXX,
  }
}
```
Permission denied:

```json
{
  "principalId": "users",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Deny",
        "Resource": "arn:aws:execute-api:REGION:AWS_ACCOUNT:example/prod/POST/{proxy+}"
      }
    ]
  }
}
```
The problem is: every time I test the custom authorizer function, the return status is 200 (instead of 401) and permission is granted (even when I send a wrong token).

Although the screen shows that the custom authorizer function is enabled, I really get the feeling that it is not testing anything at all.

[Image: Resource showing custom authorizer]

-------EDIT-------

Here is the code with which I implement the output:
```python
def generate_policy(principal_id, effect, resource, context=None):
    doc = {
        'principalId': principal_id,
        'policyDocument': {
            'Version': '2012-10-17',
            'Statement': [{
                'Action': 'execute-api:Invoke',
                'Effect': effect,
                'Resource': resource
            }]
        }
    }
    if context:
        doc["context"] = context
    return doc
```
So you can call it like this for "Allow":

```python
generate_policy("users", "Allow", method_arn, auth_info)
```

or like this for "Deny":

```python
generate_policy("users", "Deny", method_arn)
```

--------EDIT AGAIN------ Gist with all my code:

https://gist.github.com/hermogenes-db18/1ccf3eb8273f266a3fa02643dcfd39bd

Answer 0: (score: 0)

.Net Core (C#) version of the custom authorizer
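As an added example (not the question's code or the gist), here is a Python TOKEN authorizer that actually verifies the HS256 signature of a token shaped like the one in the question before issuing the policy; the signing key, the `Bearer` prefix handling and the `permission_level >= 1` rule are assumptions, and `sign_hs256` exists only to construct sample tokens.

```python
import base64, hashlib, hmac, json

# Constructed example key; real code loads it from an env var or Secrets Manager.
SECRET = b"example-signing-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict) -> str:
    # Only used here to construct sample tokens for the demonstration.
    head = _b64url(b'{"typ":"JWT","alg":"HS256"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_hs256(token: str):
    """Return the claims if the HS256 signature verifies, otherwise None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64url(head)).get("alg") != "HS256":
            return None  # refuse "none" and any non-HMAC algorithm
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None  # constant-time comparison; bad signature -> reject
        claims = json.loads(_unb64url(body))
        return claims if isinstance(claims, dict) else None
    except (ValueError, TypeError, AttributeError):
        return None  # a malformed token is treated like a bad signature

def generate_policy(principal_id, effect, resource, context=None):
    doc = {"principalId": principal_id, "policyDocument": {
        "Version": "2012-10-17", "Statement": [{
            "Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}]}}
    if context:
        doc["context"] = context
    return doc

def handler(event, _lambda_context=None):
    token = event.get("authorizationToken", "").removeprefix("Bearer ")
    if not token:
        raise Exception("Unauthorized")  # API Gateway answers 401 for this message
    claims = verify_hs256(token)
    if claims is None or claims.get("permission_level", 0) < 1:
        return generate_policy("users", "Deny", event["methodArn"])  # -> HTTP 403
    return generate_policy("users", "Allow", event["methodArn"],
                           {"user_id": claims["user_id"]})
```

Note that a Deny policy produces 403 while only `raise Exception("Unauthorized")` produces 401; and if every request still comes back 200, the authorizer is not selected under the method's Method Request settings or the stage has not been redeployed since it was attached.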
```csharp
using System;
using System.Net.Http;
using Amazon.Lambda.Core;

public class Function
{
    public AuthPolicy FunctionHandler(TokenAuthorizerContext request, ILambdaContext context)
    {
        var token = request.AuthorizationToken;
        var resourcePath = Environment.GetEnvironmentVariable("resourcePath");
        if (string.IsNullOrEmpty(token))
        {
            return generatePolicy("user", "Deny", request.MethodArn);
        }

        AuthPolicy policy;
        // Forward the token to an external validation endpoint; a 2xx reply means it is valid.
        using (var client = new HttpClient())
        {
            client.DefaultRequestHeaders.Accept.Clear();
            client.DefaultRequestHeaders.Add("Authorization", token);
            var dsresponse = client.GetAsync(Environment.GetEnvironmentVariable("validationURL")).Result;
            if (dsresponse.IsSuccessStatusCode)
            {
                policy = generatePolicy("user", "Allow", resourcePath);
            }
            else
            {
                policy = generatePolicy("user", "Deny", resourcePath);
            }
        }
        return policy;
    }

    private AuthPolicy generatePolicy(string principalId, string effect, string resourcePath)
    {
        AuthPolicy authResponse = new AuthPolicy();
        authResponse.principalId = principalId; // was never assigned, which is why the response carried null
        authResponse.policyDocument = new PolicyDocument();
        authResponse.policyDocument.Version = "2012-10-17"; // default version
        authResponse.policyDocument.Statement = new Statement[1];
        Statement statement = new Statement();
        statement.Action = "execute-api:Invoke"; // default action
        statement.Effect = effect;
        statement.Resource = resourcePath;
        authResponse.policyDocument.Statement[0] = statement;
        return authResponse;
    }
}

public class TokenAuthorizerContext
{
    public string Type { get; set; }
    public string AuthorizationToken { get; set; }
    public string MethodArn { get; set; }
}

public class AuthPolicy
{
    public PolicyDocument policyDocument { get; set; }
    public string principalId { get; set; }
}

public class PolicyDocument
{
    public string Version { get; set; }
    public Statement[] Statement { get; set; }
}

public class Statement
{
    public string Action { get; set; }
    public string Effect { get; set; }
    public string Resource { get; set; }
}
```
Response:

Request denied:

```json
{
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Deny",
        "Resource": "arn:aws:execute-api:us-east-2:AccountId:API_Id/*"
      }
    ]
  },
  "principalId": null
}
```

Request allowed:

```json
{
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": "arn:aws:execute-api:us-east-2:AccountId:API_Id/*"
      }
    ]
  },
  "principalId": null
}
```