How to fix API invocation not triggering a request-based custom Lambda authorizer for AWS API Gateway
I have created a simple request-based authorizer for my AWS API Gateway following the documentation (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html).
When testing the authorizer (with a dummy setup that checks whether the Authorization header contains the key "test"), the authorizer works fine, but when calling the API directly from the endpoint the authorizer is not invoked at all and I get my API response (which should have been blocked, since no header was passed).
Authorizer test with an invalid key: 401 as expected
Authorizer test with a valid key: 200 as expected
Calling the API endpoint directly from the web:
My API Gateway resource policy only intends to restrict calls to a specific IP range:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:111111111111:6mm9kw17uf/*/*/*"
        },
        {
            "Effect": "Deny",
            "Resource": "arn:aws:execute-api:us-east-1:111111111111:6mm9kw17uf/*/*/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "XXXXXXX"
                }
            }
        }
    ]
}
Authorizer Lambda code:
exports.handler = function(event, context, callback) {
    console.log('Received event:', JSON.stringify(event, null, 2));
    // Retrieve request parameters from the Lambda function input:
    var headers = event.headers;
    // Parse the input for the parameter values
    var tmp = event.methodArn.split(':');
    var apiGatewayArnTmp = tmp[5].split('/');
    var awsAccountId = tmp[4];
    var region = tmp[3];
    var restApiId = apiGatewayArnTmp[0];
    var stage = apiGatewayArnTmp[1];
    var method = apiGatewayArnTmp[2];
    var resource = '/'; // root resource
    if (apiGatewayArnTmp[3]) {
        resource += apiGatewayArnTmp[3];
    }
    // Perform authorization to return the Allow policy for correct parameters and
    // the 'Unauthorized' error otherwise.
    var authResponse = {};
    var condition = {};
    condition.IpAddress = {};
    if (headers.Authorization === "test") {
        callback(null, generateallow('me', event.methodArn));
    } else {
        callback("Unauthorized");
    }
}
// Helper function to generate an IAM policy
var generatePolicy = function(principalId, effect, resource) {
    // required output:
    var authResponse = {};
    authResponse.principalId = principalId;
    if (effect && resource) {
        var policyDocument = {};
        policyDocument.Version = '2012-10-17';
        policyDocument.Statement = [];
        var statementOne = {};
        statementOne.Action = 'execute-api:Invoke';
        statementOne.Effect = effect;
        statementOne.Resource = resource;
        policyDocument.Statement[0] = statementOne;
        authResponse.policyDocument = policyDocument;
    }
    return authResponse;
}
var generateallow = function(principalId, resource) {
    return generatePolicy(principalId, 'Allow', resource);
}
// Fixed: the original line was syntactically broken (missing parameter list and body)
var generateDeny = function(principalId, resource) {
    return generatePolicy(principalId, 'Deny', resource);
}
Things I have already tried:
- I have redeployed the API after adding the authorizer.
- I am testing this via Postman and a web browser, not the gateway test, since that would bypass the authorizer.
Solution
I tried to reproduce the issue with my own API Gateway and found no problem with your Lambda function. It works as expected.
Example of an authorized call:
curl -i -w "\n" --http1.1 -H 'Authorization: test' https://xxxxx.execute-api.us-east-1.amazonaws.com/dev/helloworld
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2020 11:22:30 GMT
Content-Type: application/json
Content-Length: 67
Connection: keep-alive
x-amzn-RequestId: 4213f276-737c-4481-bbac-3c4ecd767b6f
x-amz-apigw-id: ScPyeFInoAMFYKg=
X-Amzn-Trace-Id: Root=1-5f54c676-9e0c8bbe6093d8889f6b2035;Sampled=0
{
    "statusCode": 200,
    "message": "Hello from API Gateway!"
}
Example of an unauthorized call:
curl -i -w "\n" --http1.1 -H 'Authorization: invalid' https://xxxx.execute-api.us-east-1.amazonaws.com/dev/helloworld
HTTP/1.1 401 Unauthorized
Date: Sun, 06 Sep 2020 11:25:36 GMT
Content-Type: application/json
Content-Length: 26
Connection: keep-alive
x-amzn-RequestId: 42a1d47c-aab5-4b72-b8eb-469fed383b26
x-amzn-ErrorType: UnauthorizedException
x-amz-apigw-id: ScQPpFUwoAMFRdA=
{"message":"Unauthorized"}
Example with no header value provided:
curl -i -w "\n" --http1.1 https://xxxx.execute-api.us-east-1.amazonaws.com/dev/helloworld
HTTP/1.1 401 Unauthorized
Date: Sun, 06 Sep 2020 11:26:15 GMT
Content-Type: application/json
Content-Length: 26
Connection: keep-alive
x-amzn-RequestId: 982944f2-ac1d-4eee-8776-7bfa76314d2b
x-amzn-ErrorType: UnauthorizedException
x-amz-apigw-id: ScQVwGmpoAMFfSA=
{"message":"Unauthorized"}
Things to consider:
- When you add an authorizer to an API method, you must deploy the stage again.
- It takes time until the new authorizer starts working. So after enabling it and creating a new stage, you must wait a few minutes until it starts working.