enable authorizer caching and switch to v2 payload version

mantil-io · Mar 10, 2022 · 007807e · 007807e
1 parent 7207130
commit 007807e
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 40 deletions.
diff --git a/domain/auth.go b/domain/auth.go
@@ -2,6 +2,7 @@ package domain
 
 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"strings"
@@ -57,7 +58,8 @@ func verifyAccessToken(at, pk string) (*AccessTokenClaims, error) {
 
 func StoreUserClaims(claims *AccessTokenClaims, context map[string]interface{}) {
 	buf, _ := json.Marshal(claims)
-	context[ContextUserClaimsKey] = string(buf)
+	b64 := base64.StdEncoding.EncodeToString(buf)
+	context[ContextUserClaimsKey] = b64
 }
 
 func IsAdmin(ctx context.Context) (bool, error) {
@@ -81,10 +83,14 @@ func claimsFromAuthorizerContext(ac map[string]interface{}) (*AccessTokenClaims,
 	if !ok {
 		return nil, fmt.Errorf("claims not found")
 	}
-	buf, ok := c.(string)
+	encoded, ok := c.(string)
 	if !ok {
 		return nil, fmt.Errorf("invalid claims format")
 	}
+	buf, err := base64.StdEncoding.DecodeString(encoded)
+	if err != nil {
+		return nil, err
+	}
 	var claims AccessTokenClaims
 	if err := json.Unmarshal([]byte(buf), &claims); err != nil {
 		return nil, err

diff --git a/domain/auth_test.go b/domain/auth_test.go
@@ -2,6 +2,7 @@ package domain
 
 import (
 	"context"
+	"encoding/base64"
 	"strings"
 	"testing"
 	"time"
@@ -21,8 +22,8 @@ func TestStoreReadUserClaims(t *testing.T) {
 	}
 	ctx := make(map[string]interface{})
 	StoreUserClaims(&c, ctx)
-	claimsMarshaled := "{\"w\":\"workspace\",\"p\":\"project\",\"s\":\"stage\",\"r\":\"runtime\",\"u\":\"username\",\"o\":1}"
-	require.Equal(t, ctx["mantilUserClaims"], claimsMarshaled)
+	claimsEncoded := base64.StdEncoding.EncodeToString([]byte("{\"w\":\"workspace\",\"p\":\"project\",\"s\":\"stage\",\"r\":\"runtime\",\"u\":\"username\",\"o\":1}"))
+	require.Equal(t, ctx["mantilUserClaims"], claimsEncoded)
 }
 
 func TestReadUserClaims(t *testing.T) {
@@ -80,7 +81,7 @@ func TestClaimsFromContext(t *testing.T) {
 	require.Nil(t, c)
 
 	ac = map[string]interface{}{
-		ContextUserClaimsKey: "{\"w\":\"workspace\",\"p\":\"project\",\"s\":\"stage\",\"r\":\"runtime\",\"u\":\"username\",\"o\":1}",
+		ContextUserClaimsKey: base64.StdEncoding.EncodeToString([]byte("{\"w\":\"workspace\",\"p\":\"project\",\"s\":\"stage\",\"r\":\"runtime\",\"u\":\"username\",\"o\":1}")),
 	}
 	c, err = claimsFromAuthorizerContext(ac)
 	require.Nil(t, err)

diff --git a/node/functions/authorizer/main.go b/node/functions/authorizer/main.go
@@ -13,34 +13,7 @@ import (
 	"github.com/mantil-io/mantil/kit/aws"
 )
 
-func generatePolicy(principalId, effect, resource string) *events.APIGatewayCustomAuthorizerResponse {
-	rsp := events.APIGatewayCustomAuthorizerResponse{PrincipalID: principalId}
-
-	if effect != "" && resource != "" {
-		rsp.PolicyDocument = events.APIGatewayCustomAuthorizerPolicy{
-			Version: "2012-10-17",
-			Statement: []events.IAMPolicyStatement{
-				{
-					Action:   []string{"execute-api:Invoke"},
-					Effect:   effect,
-					Resource: []string{resource},
-				},
-			},
-		}
-	}
-	return &rsp
-}
-
-func allow(req *events.APIGatewayCustomAuthorizerRequestTypeRequest) *events.APIGatewayCustomAuthorizerResponse {
-	return generatePolicy("Mantil", "Allow", req.MethodArn)
-}
-
-func errorResponse(err error) (*events.APIGatewayCustomAuthorizerResponse, error) {
-	log.Print(err)
-	return nil, err
-}
-
-func handleRequest(ctx context.Context, req *events.APIGatewayCustomAuthorizerRequestTypeRequest) (*events.APIGatewayCustomAuthorizerResponse, error) {
+func handleRequest(ctx context.Context, req *events.APIGatewayCustomAuthorizerRequestTypeRequest) (*events.APIGatewayV2CustomAuthorizerSimpleResponse, error) {
 	buf, _ := json.Marshal(req)
 	log.Printf("req %s", buf)
 
@@ -52,11 +25,9 @@ func handleRequest(ctx context.Context, req *events.APIGatewayCustomAuthorizerRe
 	if err != nil {
 		return errorResponse(fmt.Errorf("read runtime access token error %w", err))
 	}
-	rsp := allow(req)
-	if rsp.Context == nil {
-		rsp.Context = make(map[string]interface{})
-	}
-	domain.StoreUserClaims(claims, rsp.Context)
+	rsp := allowResponse(claims)
+	buf, _ = json.Marshal(rsp)
+	log.Printf("rsp %s", buf)
 	return rsp, nil
 }
 
@@ -80,6 +51,20 @@ func publicKey() (string, error) {
 	return pk, nil
 }
 
+func allowResponse(claims *domain.AccessTokenClaims) *events.APIGatewayV2CustomAuthorizerSimpleResponse {
+	rsp := &events.APIGatewayV2CustomAuthorizerSimpleResponse{
+		IsAuthorized: true,
+		Context:      make(map[string]interface{}),
+	}
+	domain.StoreUserClaims(claims, rsp.Context)
+	return rsp
+}
+
+func errorResponse(err error) (*events.APIGatewayV2CustomAuthorizerSimpleResponse, error) {
+	log.Print(err)
+	return nil, err
+}
+
 func main() {
 	lambda.Start(handleRequest)
 }
diff --git a/node/terraform/modules/http-api/api.tf b/node/terraform/modules/http-api/api.tf
@@ -109,9 +109,10 @@ resource "aws_apigatewayv2_authorizer" "http" {
   authorizer_type                   = "REQUEST"
   authorizer_uri                    = var.authorizer.invoke_arn
   identity_sources                  = ["$request.header.${var.authorizer.authorization_header}"]
-  authorizer_payload_format_version = "1.0"
+  authorizer_payload_format_version = "2.0"
   name                              = format(var.naming_template, "http-authorizer")
-  authorizer_result_ttl_in_seconds  = 0
+  authorizer_result_ttl_in_seconds  = 300
+  enable_simple_responses           = true
 }
 
 resource "aws_apigatewayv2_api_mapping" "http" {