Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authorization fails when having pathParameters and set one of them fixed when building the policy #1586

Open
lkeijmel opened this issue Sep 29, 2022 · 5 comments
Open

Authorization fails when having pathParameters and set one of them fixed when building the policy #1586

lkeijmel opened this issue Sep 29, 2022 · 5 comments
Labels
bug

Comments

@lkeijmel
Copy link

lkeijmel commented Sep 29, 2022
edited

Bug Report

I don't complete know if it's a bug, wrong usage or "feature" but it has to do with #1043 which is closed with actually no comment and a related PR (#1283) which addresses the issue is also closed for being old and without tests.

Current Behavior

We're unable to authorise when using path parameters and limiting resource access in a policy because when we're building the policy we use a defined value instead of a wildcard which fails when the check of matching policy resource is done.

When a user is calling the path base/pathParam1/pathParam2/pathParam3 we create a custom policy in the custom authorizer where we set pathParam1 to a defined value for that user and pathParam1 and pathParam2 are defined in a wildcard, e.g. GET/base/*/fixedUserValue/*. Before the change of #980 it worked because the authMatchPolicyResource would receive the translated path where all path parameters are replaced and the regExp.test succeeds.

So basically before #980 the behaviour was to check resourcearn:aws:execute-api:us-east-1:random-account-id:random-api-id/dev/GET/pathParam1/pathParam2/pathParam3 against policyResource arn:aws:execute-api:us-east-1:random-account-id:random-api-id/dev/GET/base/*/pathParam2/*.
After the change the resource has changed to arn:aws:execute-api:us-east-1:random-account-id:random-api-id/dev/GET/base/{param1}/{param2}/{param3} which clearly fails.

Sample Code

  • file: serverless.yml
service: my-service

plugins:
  - serverless-offline

provider:
  runtime: nodejs16.x
  stage: dev

functions:
    api-authorizer:
      name: api-authorizer
      handler: app/functions/api-authorizer.handler

  testing-endpoint:
    name: testing-endpoint
    handler: app/handlers/SomeHandler.handler
    events:
      - http:
          path: "base/{param1}/{param2}/{param3}"
          method: get
          request:
            parameters:
              paths:
                param1: true
                param2: true
                param3: true
          authorizer:
            name: api-authorizer
  • file: api-authorizer.ts
export class ApiAuthorizer {
    public async authorize(event, context) {
        // some auth stuff
        const principalId = 'principal123';

        const policyDocument = {
            Statement: [
                {
                    Action: 'execute-api:Invoke',
                    Effect: 'Allow',
                    Resource: 'arn:aws:execute-api:us-east-1:random-account-id:random-api-id/dev/GET/base/*/fixedUserValue/*',
                },
            ],
            Version: '2012-10-17',
        }

        return {
            context, principalId, policyDocument
        }
    }
}

Expected behavior/code

Successful authorization Authorization function returned a successful response.

I can reproduce above behaviour in the integration test suite.

We're running the same custom authorizer on production which hasn't got the issue.

Environment

  • serverless version: 3.22
  • serverless-offline version: v8.8.1
  • node.js version: v16
  • OS: MacOs
@dnalborczyk
Copy link
Collaborator

dnalborczyk commented Oct 1, 2022
edited

thank you for filing the issue @lkeijmel

I'm not really familiar with this part of the code base. how is the ApiAuthorizer class being instantiated? is this missing in your serverless.yml, or done by convention?

if you know how to fix this PRs are always welcome!

@dnalborczyk dnalborczyk added the bug label Oct 1, 2022
@lkeijmel
Copy link
Author

lkeijmel commented Oct 3, 2022

@dnalborczyk it's also a separate function declared in the servereless.yml. I've updated the original comment.

I'm also not certain on how to solve this, as I'm also a little new for deep diving into serverless(offline). Basically it should do some translation when using the regex to test if the resource path and the policy resource path match when using pathParamaters or getting also the previous path (request.path instead of request.route.path) into the authoriser.

@zoellner zoellner mentioned this issue Dec 21, 2022
Closed
@zoellner
Copy link
Contributor

zoellner commented Dec 21, 2022
edited

I reintroduced #1283 as new PR #1633 with all most tests passing

@zoellner
Copy link
Contributor

@lkeijmel can you test our fork and let me know if that works for you. npm i -D https://github.com/brightcrowd/serverless-offline/tarball/ee26a9eeeb5f470e87dc730d7d7d4de988e7f3ea should work

@lkeijmel
Copy link
Author

@lkeijmel can you test our fork and let me know if that works for you. npm i -D https://github.com/brightcrowd/serverless-offline/tarball/ee26a9eeeb5f470e87dc730d7d7d4de988e7f3ea should work

@zoellner I had to backport your change to an older version of serverless-offline but I can confirm the change works

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
3 participants
@lkeijmel @zoellner @dnalborczyk