New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authorization fails when having pathParameters and set one of them fixed when building the policy #1586
Comments
thank you for filing the issue @lkeijmel I'm not really familiar with this part of the code base. how is the if you know how to fix this PRs are always welcome! |
@dnalborczyk it's also a separate function declared in the servereless.yml. I've updated the original comment. I'm also not certain on how to solve this, as I'm also a little new for deep diving into serverless(offline). Basically it should do some translation when using the regex to test if the resource path and the policy resource path match when using pathParamaters or getting also the previous path ( |
@lkeijmel can you test our fork and let me know if that works for you. |
@zoellner I had to backport your change to an older version of serverless-offline but I can confirm the change works |
Bug Report
I don't complete know if it's a bug, wrong usage or "feature" but it has to do with #1043 which is closed with actually no comment and a related PR (#1283) which addresses the issue is also closed for being old and without tests.
Current Behavior
We're unable to authorise when using path parameters and limiting resource access in a policy because when we're building the policy we use a defined value instead of a wildcard which fails when the check of matching policy resource is done.
When a user is calling the path
base/pathParam1/pathParam2/pathParam3
we create a custom policy in the custom authorizer where we setpathParam1
to a defined value for that user andpathParam1
andpathParam2
are defined in a wildcard, e.g.GET/base/*/fixedUserValue/*
. Before the change of #980 it worked because theauthMatchPolicyResource
would receive the translated path where all path parameters are replaced and theregExp.test
succeeds.So basically before #980 the behaviour was to check resource
arn:aws:execute-api:us-east-1:random-account-id:random-api-id/dev/GET/pathParam1/pathParam2/pathParam3
against policyResourcearn:aws:execute-api:us-east-1:random-account-id:random-api-id/dev/GET/base/*/pathParam2/*
.After the change the resource has changed to
arn:aws:execute-api:us-east-1:random-account-id:random-api-id/dev/GET/base/{param1}/{param2}/{param3}
which clearly fails.Sample Code
Expected behavior/code
Successful authorization
Authorization function returned a successful response
.I can reproduce above behaviour in the integration test suite.
We're running the same custom authorizer on production which hasn't got the issue.
Environment
serverless
version: 3.22serverless-offline
version: v8.8.1node.js
version: v16OS
: MacOsThe text was updated successfully, but these errors were encountered: