python - API Gateway - custom authorizer not working properly

Reposted. Author: 行者123. Updated: 2023-12-05 07:26:02

I am having some trouble configuring/using authentication on AWS API Gateway. I have set up my Lambda function with code that receives the AWS authentication model (see below); it basically decodes the JWT token and verifies whether the given user may access the resource:

    {
        "type": "TOKEN",
        "authorizationToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjotMTU1LCJwcm9kdWN0IjoiQmlsbGlvblJ1biIsInBlcm1pc3Npb25fbGV2ZWwiOjEsInNhbHQiOiJzZWNyZXRfcGhyYXNlIn0.3gZUFITe8or2mPWBAZlOxdcGF6-ybykHVsMRsqoUI_8",
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:example/prod/POST/{proxy+}"
    }

See below the example output from the API Gateway documentation. The first is a user who authenticates successfully (permission granted), the second a user whose authentication fails (permission denied):

    {
        "principalId": "users",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": "Allow",
                    "Resource": "arn:aws:execute-api:REGION:AWS_ACCOUNT:example/prod/POST/{proxy+}"
                }
            ]
        },
        "context": {
            "user_id": XXX
        }
    }

Permission denied:

    {
        "principalId": "users",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": "Deny",
                    "Resource": "arn:aws:execute-api:REGION:AWS_ACCOUNT:example/prod/POST/{proxy+}"
                }
            ]
        }
    }

The problem is: every time I test the custom authorizer function, the returned status is 200 (rather than 401) and permission is granted (even when I send a wrong token).

Also, I really feel it is not even testing anything, although the screen shows the custom authorization feature enabled.

[Screenshots: resource showing the custom authorizer; inside the resource; the custom authorizer; test with an invalid token; test with a valid token]

-------- Edit --------

This is the code with which I build the output:

    def generate_policy(principal_id, effect, resource, context=None):
        doc = {
            'principalId': principal_id,
            'policyDocument': {
                'Version': '2012-10-17',
                'Statement': [{
                    'Action': 'execute-api:Invoke',
                    'Effect': effect,
                    'Resource': resource
                }]
            }
        }
        if context:
            doc["context"] = context
        return doc

So you can call it like this to "allow":

    generate_policy("users", "Allow", method_arn, auth_info)

or like this to "deny":

    generate_policy("users", "Deny", method_arn)

-------- Edit again -------- The gist with all my code:

https://gist.github.com/hermogenes-db18/1ccf3eb8273f266a3fa02643dcfd39bd
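As an added example (not the question's own code, nor the answer's), here is the shape such a TOKEN authorizer takes in Python with only the standard library: it verifies the HS256 signature before trusting any claim, and raises `Exception("Unauthorized")` when verification fails, which is what makes API Gateway answer 401 instead of 200 (a Deny policy yields 403). The secret, the `permission_level` threshold and the `sign_hs256` helper that mints test tokens are assumptions made for the demo.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-secret-not-for-production"  # constructed; load from env/Secrets Manager in practice
REQUIRED_LEVEL = 1  # assumed minimum permission_level for this route

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(payload, secret=SECRET):
    # Test helper that mints a token so the example runs without a real issuer.
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_hs256(token, secret=SECRET):
    # Returns the claims only if the HS256 signature verifies, otherwise None.
    try:
        header, body, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None  # refuses alg=none and any algorithm we did not sign with
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
        return claims if isinstance(claims, dict) else None
    except ValueError:  # bad base64, malformed JSON or wrong segment count
        return None

def generate_policy(principal_id, effect, resource, context=None):
    stmt = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
    doc = {"principalId": principal_id,
           "policyDocument": {"Version": "2012-10-17", "Statement": [stmt]}}
    if context:
        doc["context"] = context
    return doc

def handler(event, lambda_context=None):
    token = event.get("authorizationToken", "")
    token = token[7:] if token.startswith("Bearer ") else token
    claims = verify_hs256(token)
    if claims is None:
        raise Exception("Unauthorized")  # this exact message makes API Gateway answer 401
    effect = "Allow" if claims.get("permission_level", 0) >= REQUIRED_LEVEL else "Deny"
    return generate_policy("users", effect, event["methodArn"],
                           {"user_id": str(claims.get("user_id"))})  # context values must be scalars
```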

Best answer

.NET Core (C#) version of the custom authorizer

    using System;
    using System.Net.Http;
    using Amazon.Lambda.Core;

    public class Function
    {
        public AuthPolicy FunctionHandler(TokenAuthorizerContext request, ILambdaContext context)
        {
            var token = request.AuthorizationToken;
            var resourcePath = Environment.GetEnvironmentVariable("resourcePath");

            if (string.IsNullOrEmpty(token))
            {
                return generatePolicy("user", "Deny", request.MethodArn);
            }

            AuthPolicy policy;
            var client = new HttpClient();

            client.DefaultRequestHeaders.Accept.Clear();
            client.DefaultRequestHeaders.Add("Authorization", token);

            // Token validation is delegated to an external endpoint; any non-2xx answer means deny
            var dsresponse = client.GetAsync(Environment.GetEnvironmentVariable("validationURL")).Result;

            if (dsresponse.IsSuccessStatusCode)
            {
                policy = generatePolicy("user", "Allow", resourcePath);
            }
            else
            {
                policy = generatePolicy("user", "Deny", resourcePath);
            }
            return policy;
        }

        private AuthPolicy generatePolicy(string principalId, string effect, string resourcePath)
        {
            AuthPolicy authResponse = new AuthPolicy();
            authResponse.principalId = principalId; // was left unassigned, which is why the sample responses below show null
            authResponse.policyDocument = new PolicyDocument();
            authResponse.policyDocument.Version = "2012-10-17"; // default version
            authResponse.policyDocument.Statement = new Statement[1];

            Statement statement = new Statement();
            statement.Action = "execute-api:Invoke"; // default action
            statement.Effect = effect;
            statement.Resource = resourcePath;
            authResponse.policyDocument.Statement[0] = statement;
            return authResponse;
        }
    }

    public class TokenAuthorizerContext
    {
        public string Type { get; set; }
        public string AuthorizationToken { get; set; }
        public string MethodArn { get; set; }
    }

    public class AuthPolicy
    {
        public PolicyDocument policyDocument { get; set; }
        public string principalId { get; set; }
    }

    public class PolicyDocument
    {
        public string Version { get; set; }
        public Statement[] Statement { get; set; }
    }

    public class Statement
    {
        public string Action { get; set; }
        public string Effect { get; set; }
        public string Resource { get; set; }
    }

Response

Request denied:

    {
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": "Deny",
                    "Resource": "arn:aws:execute-api:us-east-2:AccountId:API_Id/*"
                }
            ]
        },
        "principalId": null
    }

Request allowed:

    {
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": "Allow",
                    "Resource": "arn:aws:execute-api:us-east-2:AccountId:API_Id/*"
                }
            ]
        },
        "principalId": null
    }

Regarding "python - API Gateway - custom authorizer not working properly", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/54540230/
