diff --git a/events/apigw.go b/events/apigw.go
index 3260d13e..11f75e4d 100644
--- a/events/apigw.go
+++ b/events/apigw.go
@@ -65,17 +65,18 @@ type APIGatewayV2HTTPRequest struct {
 
 // APIGatewayV2HTTPRequestContext contains the information to identify the AWS account and resources invoking the Lambda function.
 type APIGatewayV2HTTPRequestContext struct {
- RouteKey string `json:"routeKey"`
- AccountID string `json:"accountId"`
- Stage string `json:"stage"`
- RequestID string `json:"requestId"`
- Authorizer *APIGatewayV2HTTPRequestContextAuthorizerDescription `json:"authorizer,omitempty"`
- APIID string `json:"apiId"` // The API Gateway HTTP API Id
- DomainName string `json:"domainName"`
- DomainPrefix string `json:"domainPrefix"`
- Time string `json:"time"`
- TimeEpoch int64 `json:"timeEpoch"`
- HTTP APIGatewayV2HTTPRequestContextHTTPDescription `json:"http"`
+ RouteKey string `json:"routeKey"`
+ AccountID string `json:"accountId"`
+ Stage string `json:"stage"`
+ RequestID string `json:"requestId"`
+ Authorizer *APIGatewayV2HTTPRequestContextAuthorizerDescription `json:"authorizer,omitempty"`
+ APIID string `json:"apiId"` // The API Gateway HTTP API Id
+ DomainName string `json:"domainName"`
+ DomainPrefix string `json:"domainPrefix"`
+ Time string `json:"time"`
+ TimeEpoch int64 `json:"timeEpoch"`
+ HTTP APIGatewayV2HTTPRequestContextHTTPDescription `json:"http"`
+ Authentication APIGatewayV2HTTPRequestContextAuthentication `json:"authentication"`
 }
 
 // APIGatewayV2HTTPRequestContextAuthorizerDescription contains authorizer information for the request context.
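Review bot: The new `Authentication` field is a plain value with no `omitempty`, unlike the `Authorizer` field a few lines above, which is a pointer tagged `omitempty`; an event from an API without mTLS configured unmarshals into an all-empty struct, so a handler cannot tell "no client certificate" from a present-but-empty one except by testing `ClientCertPem == ""`, and re-marshaling emits an `authentication` object that the original event never carried. Since the field is new in this commit, `Authentication *APIGatewayV2HTTPRequestContextAuthentication `json:"authentication,omitempty"`` would let callers gate on `rc.Authentication == nil` without a compatibility cost; the same applies to `ClientCert` added to `APIGatewayCustomAuthorizerRequestTypeRequestIdentity` in the next hunk. If the value type is kept to match the neighbouring `HTTP` field, a comment on the field stating that every nested string is empty when mTLS is not in use would at least make the required check explicit.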
@@ -189,10 +190,46 @@ type APIGatewayWebsocketProxyRequestContext struct {
 Status string `json:"status"`
 }
 
-// APIGatewayCustomAuthorizerRequestTypeRequestIdentity contains identity information for the request caller.
+// APIGatewayCustomAuthorizerRequestTypeRequestIdentity contains identity information for the request caller including certificate information if using mTLS.
 type APIGatewayCustomAuthorizerRequestTypeRequestIdentity struct {
- APIKey string `json:"apiKey"`
- SourceIP string `json:"sourceIp"`
+ APIKey string `json:"apiKey"`
+ SourceIP string `json:"sourceIp"`
+ ClientCert APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert `json:"clientCert"`
+}
+
+// APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert contains certificate information for the request caller if using mTLS.
+type APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert struct {
+ ClientCertPem string `json:"clientCertPem"`
+ IssuerDN string `json:"issuerDN"`
+ SerialNumber string `json:"serialNumber"`
+ SubjectDN string `json:"subjectDN"`
+ Validity APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity `json:"validity"`
+}
+
+// APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity contains certificate validity information for the request caller if using mTLS.
+type APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity struct {
+ NotAfter string `json:"notAfter"`
+ NotBefore string `json:"notBefore"`
+}
+
+// APIGatewayV2HTTPRequestContextAuthentication contains authentication context information for the request caller including client certificate information if using mTLS.
+type APIGatewayV2HTTPRequestContextAuthentication struct {
+ ClientCert APIGatewayV2HTTPRequestContextAuthenticationClientCert `json:"clientCert"`
+}
+
+// APIGatewayV2HTTPRequestContextAuthenticationClientCert contains client certificate information for the request caller if using mTLS.
+type APIGatewayV2HTTPRequestContextAuthenticationClientCert struct {
+ ClientCertPem string `json:"clientCertPem"`
+ IssuerDN string `json:"issuerDN"`
+ SerialNumber string `json:"serialNumber"`
+ SubjectDN string `json:"subjectDN"`
+ Validity APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity `json:"validity"`
+}
+
+// APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity contains client certificate validity information for the request caller if using mTLS.
+type APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity struct {
+ NotAfter string `json:"notAfter"`
+ NotBefore string `json:"notBefore"`
 }
 
 // APIGatewayCustomAuthorizerContext represents the expected format of an API Gateway custom authorizer response.
diff --git a/events/testdata/apigw-custom-auth-request-type-request.json b/events/testdata/apigw-custom-auth-request-type-request.json
index f70ede04..55c8090e 100644
--- a/events/testdata/apigw-custom-auth-request-type-request.json
+++ b/events/testdata/apigw-custom-auth-request-type-request.json
@@ -68,7 +68,17 @@
 "requestId": "...",
 "identity": {
 "apiKey": "...",
- "sourceIp": "..."
+ "sourceIp": "...",
+ "clientCert": {
+ "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+ "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+ "serialNumber": "1",
+ "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+ "validity": {
+ "notAfter": "Aug 5 00:28:21 2120 GMT",
+ "notBefore": "Aug 29 00:28:21 2020 GMT"
+ }
+ }
 },
 "resourcePath": "/request",
 "httpMethod": "GET",
diff --git a/events/testdata/apigw-v2-request-iam.json b/events/testdata/apigw-v2-request-iam.json
index 73d50d78..b44d018a 100644
--- a/events/testdata/apigw-v2-request-iam.json
+++ b/events/testdata/apigw-v2-request-iam.json
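Review bot: `NotAfter` and `NotBefore` in both new `...Validity` structs are typed as `string` and described only as "validity information", while the fixtures added in this commit carry values like `Aug 5 00:28:21 2120 GMT`; a consumer that wants to enforce the validity window has to guess the layout. A field comment such as `// NotAfter is the certificate expiry as formatted by API Gateway (see testdata, e.g. "Aug 5 00:28:21 2120 GMT"); confirm the exact layout against the API Gateway documentation before parsing` on each of the four fields would close that gap. The `ClientCert` type comments could also say what these fields are for: if, as the "if using mTLS" wording suggests, they describe a certificate API Gateway has already checked against its truststore, handler code should make authorization decisions on `SubjectDN`, `IssuerDN` and `SerialNumber` together rather than re-parsing `ClientCertPem` — worth confirming and stating explicitly. This hunk begins on the previous page line; the four new types are complete within it.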
@@ -39,6 +39,18 @@
 }
 },
 "apiId": "api-id",
+ "authentication": {
+ "clientCert": {
+ "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+ "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+ "serialNumber": "1",
+ "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+ "validity": {
+ "notAfter": "Aug 5 00:28:21 2120 GMT",
+ "notBefore": "Aug 29 00:28:21 2020 GMT"
+ }
+ }
+ },
 "domainName": "id.execute-api.us-east-1.amazonaws.com",
 "domainPrefix": "id",
 "time": "12/Mar/2020:19:03:58+0000",
diff --git a/events/testdata/apigw-v2-request-jwt-authorizer.json b/events/testdata/apigw-v2-request-jwt-authorizer.json
index ac40191f..ec045a97 100644
--- a/events/testdata/apigw-v2-request-jwt-authorizer.json
+++ b/events/testdata/apigw-v2-request-jwt-authorizer.json
@@ -36,6 +36,18 @@
 }
 },
 "apiId": "api-id",
+ "authentication": {
+ "clientCert": {
+ "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+ "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+ "serialNumber": "1",
+ "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+ "validity": {
+ "notAfter": "Aug 5 00:28:21 2120 GMT",
+ "notBefore": "Aug 29 00:28:21 2020 GMT"
+ }
+ }
+ },
 "domainName": "id.execute-api.us-east-1.amazonaws.com",
 "domainPrefix": "id",
 "time": "12/Mar/2020:19:03:58+0000",
diff --git a/events/testdata/apigw-v2-request-lambda-authorizer.json b/events/testdata/apigw-v2-request-lambda-authorizer.json
index 75d1574f..c056211e 100644
--- a/events/testdata/apigw-v2-request-lambda-authorizer.json
+++ b/events/testdata/apigw-v2-request-lambda-authorizer.json
@@ -29,6 +29,18 @@
 }
 },
 "apiId": "api-id",
+ "authentication": {
+ "clientCert": {
+ "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+ "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+ "serialNumber": "1",
+ "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+ "validity": {
+ "notAfter": "Aug 5 00:28:21 2120 GMT",
+ "notBefore": "Aug 29 00:28:21 2020 GMT"
+ }
+ }
+ },
 "domainName": "id.execute-api.us-east-1.amazonaws.com",
 "domainPrefix": "id",
 "time": "12/Mar/2020:19:03:58+0000",
diff --git a/events/testdata/apigw-v2-request-no-authorizer.json b/events/testdata/apigw-v2-request-no-authorizer.json
index d21c1f3f..2c69e90e 100644
--- a/events/testdata/apigw-v2-request-no-authorizer.json
+++ b/events/testdata/apigw-v2-request-no-authorizer.json
@@ -16,6 +16,18 @@
 "requestContext": {
 "accountId": "123456789012",
 "apiId": "aaaaaaaaaa",
+ "authentication": {
+ "clientCert": {
+ "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+ "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+ "serialNumber": "1",
+ "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+ "validity": {
+ "notAfter": "Aug 5 00:28:21 2120 GMT",
+ "notBefore": "Aug 29 00:28:21 2020 GMT"
+ }
+ }
+ },
 "domainName": "aaaaaaaaaa.execute-api.us-west-2.amazonaws.com",
 "domainPrefix": "aaaaaaaaaa",
 "http": {