

Merge pull request #342 from dum0nt73/master
Added struct definitions to include ClientCert information from API Gateway when using mTLS
carlzogh committed Jul 5, 2021
2 parents 5d64132 + bc8a460 commit 159d1c6
Showing 6 changed files with 110 additions and 15 deletions.
65 changes: 51 additions & 14 deletions events/apigw.go
Original file line number Diff line number Diff line change
Expand Up @@ -65,17 +65,18 @@ type APIGatewayV2HTTPRequest struct {

// APIGatewayV2HTTPRequestContext contains the information to identify the AWS account and resources invoking the Lambda function.
type APIGatewayV2HTTPRequestContext struct {
RouteKey string `json:"routeKey"`
AccountID string `json:"accountId"`
Stage string `json:"stage"`
RequestID string `json:"requestId"`
Authorizer *APIGatewayV2HTTPRequestContextAuthorizerDescription `json:"authorizer,omitempty"`
APIID string `json:"apiId"` // The API Gateway HTTP API Id
DomainName string `json:"domainName"`
DomainPrefix string `json:"domainPrefix"`
Time string `json:"time"`
TimeEpoch int64 `json:"timeEpoch"`
HTTP APIGatewayV2HTTPRequestContextHTTPDescription `json:"http"`
RouteKey string `json:"routeKey"`
AccountID string `json:"accountId"`
Stage string `json:"stage"`
RequestID string `json:"requestId"`
Authorizer *APIGatewayV2HTTPRequestContextAuthorizerDescription `json:"authorizer,omitempty"`
APIID string `json:"apiId"` // The API Gateway HTTP API Id
DomainName string `json:"domainName"`
DomainPrefix string `json:"domainPrefix"`
Time string `json:"time"`
TimeEpoch int64 `json:"timeEpoch"`
HTTP APIGatewayV2HTTPRequestContextHTTPDescription `json:"http"`
Authentication APIGatewayV2HTTPRequestContextAuthentication `json:"authentication"`
}

// APIGatewayV2HTTPRequestContextAuthorizerDescription contains authorizer information for the request context.
Expand Down Expand Up @@ -189,10 +190,46 @@ type APIGatewayWebsocketProxyRequestContext struct {
Status string `json:"status"`
}

// APIGatewayCustomAuthorizerRequestTypeRequestIdentity contains identity information for the request caller.
// APIGatewayCustomAuthorizerRequestTypeRequestIdentity contains identity information for the request caller including certificate information if using mTLS.
type APIGatewayCustomAuthorizerRequestTypeRequestIdentity struct {
APIKey string `json:"apiKey"`
SourceIP string `json:"sourceIp"`
APIKey string `json:"apiKey"`
SourceIP string `json:"sourceIp"`
ClientCert APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert `json:"clientCert"`
}

// APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert contains certificate information for the request caller if using mTLS.
type APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert struct {
ClientCertPem string `json:"clientCertPem"`
IssuerDN string `json:"issuerDN"`
SerialNumber string `json:"serialNumber"`
SubjectDN string `json:"subjectDN"`
Validity APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity `json:"validity"`
}

// APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity contains certificate validity information for the request caller if using mTLS.
type APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity struct {
NotAfter string `json:"notAfter"`
NotBefore string `json:"notBefore"`
}

// APIGatewayV2HTTPRequestContextAuthentication contains authentication context information for the request caller including client certificate information if using mTLS.
type APIGatewayV2HTTPRequestContextAuthentication struct {
ClientCert APIGatewayV2HTTPRequestContextAuthenticationClientCert `json:"clientCert"`
}

// APIGatewayV2HTTPRequestContextAuthenticationClientCert contains client certificate information for the request caller if using mTLS.
type APIGatewayV2HTTPRequestContextAuthenticationClientCert struct {
ClientCertPem string `json:"clientCertPem"`
IssuerDN string `json:"issuerDN"`
SerialNumber string `json:"serialNumber"`
SubjectDN string `json:"subjectDN"`
Validity APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity `json:"validity"`
}

// APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity contains client certificate validity information for the request caller if using mTLS.
type APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity struct {
NotAfter string `json:"notAfter"`
NotBefore string `json:"notBefore"`
}

// APIGatewayCustomAuthorizerContext represents the expected format of an API Gateway custom authorizer response.
Expand Down
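Review bot: The new `Authentication` field on APIGatewayV2HTTPRequestContext and the new `ClientCert` field on APIGatewayCustomAuthorizerRequestTypeRequestIdentity are value structs with plain `json:"authentication"` / `json:"clientCert"` tags, so a request that carries no client certificate decodes to a zero-valued struct that a handler cannot tell apart from a certificate whose fields happen to be empty, and re-encoding such an event emits an empty nested object. The sibling `Authorizer` field on the same struct already uses a pointer with `omitempty`; following that convention, `Authentication *APIGatewayV2HTTPRequestContextAuthentication` tagged `json:"authentication,omitempty"` and `ClientCert *APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert` tagged `json:"clientCert,omitempty"` would let handlers nil-check before reading certificate fields, and since both fields are introduced here this is the only point at which that can be changed without breaking callers. The doc comments on the two ClientCert types should also say that `ClientCertPem` holds the full PEM-encoded certificate and that `IssuerDN`, `SubjectDN`, `SerialNumber` and `Validity` are string renderings supplied by API Gateway (the testdata shows `Validity` timestamps like `Aug 5 00:28:21 2120 GMT`, which is not RFC 3339), so code that makes an authorization decision should parse `ClientCertPem` with crypto/x509 rather than compare those strings.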
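--- a/events/testdata/apigw-custom-auth-request-type-request.json
+++ b/events/testdata/apigw-custom-auth-request-type-request.json
@@ -68,7 +68,17 @@
 "requestId": "...",
 "identity": {
 "apiKey": "...",
-"sourceIp": "..."
+"sourceIp": "...",
+"clientCert": {
+"clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+"issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+"serialNumber": "1",
+"subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+"validity": {
+"notAfter": "Aug 5 00:28:21 2120 GMT",
+"notBefore": "Aug 29 00:28:21 2020 GMT"
+}
+}
 },
 "resourcePath": "/request",
 "httpMethod": "GET",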
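--- a/events/testdata/apigw-v2-request-iam.json
+++ b/events/testdata/apigw-v2-request-iam.json
@@ -39,6 +39,18 @@
 }
 },
 "apiId": "api-id",
+"authentication": {
+"clientCert": {
+"clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+"issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+"serialNumber": "1",
+"subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+"validity": {
+"notAfter": "Aug 5 00:28:21 2120 GMT",
+"notBefore": "Aug 29 00:28:21 2020 GMT"
+}
+}
+},
 "domainName": "id.execute-api.us-east-1.amazonaws.com",
 "domainPrefix": "id",
 "time": "12/Mar/2020:19:03:58+0000",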
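--- a/events/testdata/apigw-v2-request-jwt-authorizer.json
+++ b/events/testdata/apigw-v2-request-jwt-authorizer.json
@@ -36,6 +36,18 @@
 }
 },
 "apiId": "api-id",
+"authentication": {
+"clientCert": {
+"clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+"issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+"serialNumber": "1",
+"subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+"validity": {
+"notAfter": "Aug 5 00:28:21 2120 GMT",
+"notBefore": "Aug 29 00:28:21 2020 GMT"
+}
+}
+},
 "domainName": "id.execute-api.us-east-1.amazonaws.com",
 "domainPrefix": "id",
 "time": "12/Mar/2020:19:03:58+0000",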
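--- a/events/testdata/apigw-v2-request-lambda-authorizer.json
+++ b/events/testdata/apigw-v2-request-lambda-authorizer.json
@@ -29,6 +29,18 @@
 }
 },
 "apiId": "api-id",
+"authentication": {
+"clientCert": {
+"clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+"issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+"serialNumber": "1",
+"subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+"validity": {
+"notAfter": "Aug 5 00:28:21 2120 GMT",
+"notBefore": "Aug 29 00:28:21 2020 GMT"
+}
+}
+},
 "domainName": "id.execute-api.us-east-1.amazonaws.com",
 "domainPrefix": "id",
 "time": "12/Mar/2020:19:03:58+0000",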
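--- a/events/testdata/apigw-v2-request-no-authorizer.json
+++ b/events/testdata/apigw-v2-request-no-authorizer.json
@@ -16,6 +16,18 @@
 "requestContext": {
 "accountId": "123456789012",
 "apiId": "aaaaaaaaaa",
+"authentication": {
+"clientCert": {
+"clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+"issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+"serialNumber": "1",
+"subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+"validity": {
+"notAfter": "Aug 5 00:28:21 2120 GMT",
+"notBefore": "Aug 29 00:28:21 2020 GMT"
+}
+}
+},
 "domainName": "aaaaaaaaaa.execute-api.us-west-2.amazonaws.com",
 "domainPrefix": "aaaaaaaaaa",
 "http": {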
