amazon-web-services - API invocation does not trigger the request-based custom Lambda authorizer of AWS API Gateway

Reposted. Author: 行者123. Updated: 2023-12-04 13:33:23

Following the documentation ( https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html ), I created a simple request-based authorizer for my AWS API Gateway.
When testing the authorizer (with a dummy setup that checks whether the Authorization header contains the key "test"), the authorizer works fine, but when calling the API directly from the endpoint the authorizer is not invoked at all and I get my API response (which should have been blocked, since no header was passed).
Authorizer test with an invalid key: got the expected 401
Authorizer test with a valid key: 200 as expected
Calling the API endpoint directly from the web succeeds:
My API Gateway resource policy, which is meant to restrict calls to a specific IP range only:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": "arn:aws:execute-api:us-east-1:111111111111:6mm9kw17uf/*/*/*"
            },
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": "arn:aws:execute-api:us-east-1:111111111111:6mm9kw17uf/*/*/*",
                "Condition": {
                    "NotIpAddress": {
                        "aws:SourceIp": "XXXXXXX"
                    }
                }
            }
        ]
    }
Authorizer Lambda code:
    exports.handler = function(event, context, callback) {
        console.log('Received event:', JSON.stringify(event, null, 2));

        // Retrieve request parameters from the Lambda function input.
        // Guard against a missing headers object so the function fails closed
        // with "Unauthorized" instead of throwing (which would surface as a 500).
        var headers = event.headers || {};

        // Parse the method ARN for the parameter values. Format:
        // arn:aws:execute-api:<region>:<account>:<restApiId>/<stage>/<method>/<resource>
        var tmp = event.methodArn.split(':');
        var apiGatewayArnTmp = tmp[5].split('/');
        var awsAccountId = tmp[4];
        var region = tmp[3];
        var restApiId = apiGatewayArnTmp[0];
        var stage = apiGatewayArnTmp[1];
        var method = apiGatewayArnTmp[2];
        var resource = '/'; // root resource
        if (apiGatewayArnTmp[3]) {
            resource += apiGatewayArnTmp[3];
        }

        // Perform authorization: return the Allow policy for the expected key,
        // and the 'Unauthorized' error (API Gateway answers 401) otherwise.
        if (headers.Authorization === "test") {
            callback(null, generateAllow('me', event.methodArn));
        } else {
            callback("Unauthorized");
        }
    }

    // Helper function to generate an IAM policy
    var generatePolicy = function(principalId, effect, resource) {
        // Required output: principalId plus a policy document
        var authResponse = {};
        authResponse.principalId = principalId;
        if (effect && resource) {
            var policyDocument = {};
            policyDocument.Version = '2012-10-17';
            policyDocument.Statement = [];
            var statementOne = {};
            statementOne.Action = 'execute-api:Invoke';
            statementOne.Effect = effect;
            statementOne.Resource = resource;
            policyDocument.Statement[0] = statementOne;
            authResponse.policyDocument = policyDocument;
        }
        return authResponse;
    }

    var generateAllow = function(principalId, resource) {
        return generatePolicy(principalId, 'Allow', resource);
    }

    var generateDeny = function(principalId, resource) {
        return generatePolicy(principalId, 'Deny', resource);
    }
What I have already tried:
  • I redeployed the API after adding the authorizer.
  • I am testing this from Postman and a web browser, not with the gateway test, since that bypasses the authorizer.
Best answer

    I tried to reproduce the issue using my own API Gateway and I did not find any problem with your lambda function. It works as expected.
    Example of an authorized call:

    curl -i -w "\n" --http1.1 -H 'Authorization: test' https://xxxxx.execute-api.us-east-1.amazonaws.com/dev/helloworld


    HTTP/1.1 200 OK
    Date: Sun, 06 Sep 2020 11:22:30 GMT
    Content-Type: application/json
    Content-Length: 67
    Connection: keep-alive
    x-amzn-RequestId: 4213f276-737c-4481-bbac-3c4ecd767b6f
    x-amz-apigw-id: ScPyeFInoAMFYKg=
    X-Amzn-Trace-Id: Root=1-5f54c676-9e0c8bbe6093d8889f6b2035;Sampled=0

    {
    "statusCode": 200,
    "message": "Hello from API Gateway!"
    }
    Example of an unauthorized call:
    curl -i -w "\n" --http1.1 -H 'Authorization: invalid' https://xxxx.execute-api.us-east-1.amazonaws.com/dev/helloworld


    HTTP/1.1 401 Unauthorized
    Date: Sun, 06 Sep 2020 11:25:36 GMT
    Content-Type: application/json
    Content-Length: 26
    Connection: keep-alive
    x-amzn-RequestId: 42a1d47c-aab5-4b72-b8eb-469fed383b26
    x-amzn-ErrorType: UnauthorizedException
    x-amz-apigw-id: ScQPpFUwoAMFRdA=

    {"message":"Unauthorized"}
    Example with no header value supplied:
    curl -i -w "\n" --http1.1  https://xxxx.execute-api.us-east-1.amazonaws.com/dev/helloworld

    HTTP/1.1 401 Unauthorized
    Date: Sun, 06 Sep 2020 11:26:15 GMT
    Content-Type: application/json
    Content-Length: 26
    Connection: keep-alive
    x-amzn-RequestId: 982944f2-ac1d-4eee-8776-7bfa76314d2b
    x-amzn-ErrorType: UnauthorizedException
    x-amz-apigw-id: ScQVwGmpoAMFfSA=

    {"message":"Unauthorized"}

    Things to consider:
  • When you add the authorizer to an API method, you must deploy the stage again.
  • It takes time until the new authorizer starts working, so after enabling it and creating a new stage you have to wait a few minutes before it takes effect.

    For this question (amazon-web-services - API invocation does not trigger the request-based custom Lambda authorizer of AWS API Gateway) a similar question was found on Stack Overflow: https://stackoverflow.com/questions/63671026/
