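    def request_auth(self, event):
        """Authorize an API Gateway REQUEST-type authorizer event.

        Reads the authorizer type and method ARN from ``event``, the API key
        from the ``self.API_KEY`` header and the bearer token from the
        ``self.TOKEN_KEY`` header, runs both through ``validate_token`` /
        ``validate_api_key`` and returns the policy dict produced by
        ``AuthResponse.to_dict``. Access is granted only when BOTH checks
        pass; otherwise the route list is empty and ``deny_resources`` is
        applied to the policy.

        Args:
            event: the API Gateway authorizer event (dict-like). ``type``,
                ``methodArn`` and ``headers`` are all optional; a missing
                ``headers`` map is treated as empty instead of raising.

        Returns:
            The policy dict, extended with a ``context`` entry that API
            Gateway exposes to the integration as ``$context.authorizer.key``.
        """
        principal_id = 'user'
        auth_type = event.get('type')
        method_arn = event.get('methodArn')

        # methodArn layout (colon-separated):
        #   arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<verb>/<resource...>
        # The sixth field carries api-id/stage/verb/resource; split it on '/'.
        arn_path = []
        if method_arn:
            arn_fields = method_arn.split(':')
            if len(arn_fields) > 5:
                arn_path = arn_fields[5].split('/')

        # Headers are client-controlled input; a request without a headers
        # map must still reach the deny path rather than raise KeyError.
        headers = event.get('headers') or {}
        api_key = headers.get(self.API_KEY)
        token = headers.get(self.TOKEN_KEY)
        if token is not None:
            # The RFC 6750 scheme name is case-insensitive ("Bearer" is the
            # usual spelling), so strip a leading "bearer " prefix in any case
            # instead of deleting every occurrence of the lowercase substring.
            if token[:7].lower() == 'bearer ':
                token = token[7:]

        # NOTE(review): the AuthRequest is built with the API key as its
        # token, not the bearer token — confirm this is intended.
        auth_request = AuthRequest(auth_type=auth_type,
                                   token=api_key,
                                   method_arn=method_arn)

        # Both validators are always called; the API-key check is not skipped
        # when the token check fails.
        is_token_valid = self.validate_token(token)
        is_api_key_valid = self.validate_api_key(api_key)
        access_allowed = is_token_valid and is_api_key_valid

        if access_allowed:
            # Scope the allow to the invoked verb/resource; fall back to '*'
            # when the ARN did not carry them.
            verb = arn_path[2] if len(arn_path) > 2 else '*'
            resource = arn_path[3] if len(arn_path) > 3 else '*'
            # NOTE(review): only the first path segment is used, so a nested
            # resource (/a/b) is allowed as "/a" — confirm against AuthRoute.
            routes = [AuthRoute("/" + resource, [verb])]
        else:
            routes = []
        auth_response = AuthResponse(routes=routes, principal_id=principal_id)

        auth_response_dict = auth_response.to_dict(auth_request)

        # Denied requests get an explicit deny statement on top of the
        # empty route list.
        if not access_allowed:
            self.deny_resources(auth_response_dict)

        # Additional key/value pairs for the authenticated principal; API
        # Gateway exposes them to the integration as $context.authorizer.<key>
        # and caches them together with the policy. The API key itself is
        # echoed here, so it becomes visible to the backend and to any access
        # log format that prints authorizer context.
        auth_response_dict['context'] = {
            'key': api_key  # $context.authorizer.key -> value
        }

        return auth_response_dict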
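    def token_auth(self, event):
        """Authorize an API Gateway TOKEN-type authorizer event.

        Reads the authorizer type (default ``'TOKEN'``), the method ARN and
        the ``authorizationToken`` from ``event``, validates the token with
        ``validate_api_key`` and returns the policy dict produced by
        ``AuthResponse.to_dict``. Denied requests get an empty route list and
        ``deny_resources`` applied to the policy.

        Args:
            event: the API Gateway authorizer event (dict-like). ``type``,
                ``methodArn`` and ``authorizationToken`` are all optional.

        Returns:
            The policy dict, extended with a ``context`` entry that API
            Gateway exposes to the integration as ``$context.authorizer.key``.
        """
        principal_id = 'user'
        auth_type = event.get('type', 'TOKEN')
        method_arn = event.get('methodArn', '')
        api_key = event.get('authorizationToken')

        # methodArn layout (colon-separated):
        #   arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<verb>/<resource...>
        # The sixth field carries api-id/stage/verb/resource; split it on '/'.
        arn_path = []
        if method_arn:
            arn_fields = method_arn.split(':')
            if len(arn_fields) > 5:
                arn_path = arn_fields[5].split('/')

        # Log the event for troubleshooting, but never the raw credential:
        # authorizationToken is a bearer secret and must not be written to
        # the log stream, where it would be readable by anyone with log access.
        redacted_event = dict(event)
        if 'authorizationToken' in redacted_event:
            redacted_event['authorizationToken'] = '<redacted>'
        get_logger().info("Event: {}".format(redacted_event))

        auth_request = AuthRequest(auth_type=auth_type,
                                   token=api_key,
                                   method_arn=method_arn)

        access_allowed = self.validate_api_key(api_key)

        if access_allowed:
            # Scope the allow to the invoked verb/resource; fall back to '*'
            # when the ARN did not carry them.
            verb = arn_path[2] if len(arn_path) > 2 else '*'
            resource = arn_path[3] if len(arn_path) > 3 else '*'
            # NOTE(review): only the first path segment is used, so a nested
            # resource (/a/b) is allowed as "/a" — confirm against AuthRoute.
            routes = [AuthRoute("/" + resource, [verb])]
        else:
            routes = []
        auth_response = AuthResponse(routes=routes, principal_id=principal_id)

        auth_response_dict = auth_response.to_dict(auth_request)

        # Denied requests get an explicit deny statement on top of the
        # empty route list.
        if not access_allowed:
            self.deny_resources(auth_response_dict)

        # Additional key/value pairs for the authenticated principal; API
        # Gateway exposes them to the integration as $context.authorizer.<key>
        # and caches them together with the policy. The credential itself is
        # echoed here, so it becomes visible to the backend and to any access
        # log format that prints authorizer context.
        auth_response_dict['context'] = {
            'key': api_key  # $context.authorizer.key -> value
        }

        return auth_response_dict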