api-gateway - http proxy - add sigv4 security to specific resources
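In the swagger file below I have defined an api for aws api-gateway. The api is secured using IAM so that only authorized users can access it. The api also uses an http-proxy definition so it can sit in front of an express application, and I don't have to define each resource individually in the swagger file. This way I can develop my express application as if I were running it on aws, and then simply port it to aws (tutorial on how to)! However, I now need to allow unsecured access to all GET methods, and have the sigv4 security definition only on all other methods.
Is this possible with the current setup of api-gateway + express?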
---
swagger: 2.0
info:
  title: ServerlessExpress
basePath: /internal
schemes:
- https
paths:
  /:
    x-amazon-apigateway-any-method:
      produces:
      - application/json
      responses:
        200:
          description: 200 response
          schema:
            $ref: "#/definitions/Empty"
      security:
      - sigv4: []
      x-amazon-apigateway-integration:
        responses:
          default:
            statusCode: 200
        uri: <my uri>
        passthroughBehavior: when_no_match
        httpMethod: POST
        type: aws_proxy
    options:
      consumes:
      - application/json
      produces:
      - application/json
      responses:
        200:
          description: 200 response
          schema:
            $ref: "#/definitions/Empty"
          headers:
            Access-Control-Allow-Origin:
              type: string
            Access-Control-Allow-Methods:
              type: string
            Access-Control-Allow-Headers:
              type: string
      x-amazon-apigateway-integration:
        responses:
          default:
            statusCode: 200
            responseParameters:
              method.response.header.Access-Control-Allow-Methods: "'GET,OPTIONS,POST'"
              method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'"
              method.response.header.Access-Control-Allow-Origin: "'*'"
        passthroughBehavior: when_no_match
        requestTemplates:
          application/json: "{\"statusCode\": 200}"
        type: mock
  /{proxy+}:
    x-amazon-apigateway-any-method:
      produces:
      - application/json
      parameters:
      - name: proxy
        in: path
        required: true
        type: string
      responses: {}
      security:
      - sigv4: []
      x-amazon-apigateway-integration:
        uri: <my uri>
        httpMethod: POST
        type: aws_proxy
    options:
      consumes:
      - application/json
      produces:
      - application/json
      responses:
        200:
          description: 200 response
          schema:
            $ref: "#/definitions/Empty"
          headers:
            Access-Control-Allow-Origin:
              type: string
            Access-Control-Allow-Methods:
              type: string
            Access-Control-Allow-Headers:
              type: string
      x-amazon-apigateway-integration:
        responses:
          default:
            statusCode: 200
            responseParameters:
              method.response.header.Access-Control-Allow-Methods: "'GET,OPTIONS,POST'"
              method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'"
              method.response.header.Access-Control-Allow-Origin: "'*'"
        passthroughBehavior: when_no_match
        requestTemplates:
          application/json: "{\"statusCode\": 200}"
        type: mock
securityDefinitions:
  sigv4:
    type: "apiKey"
    name: "Authorization"
    in: "header"
    x-amazon-apigateway-authtype: "awsSigv4"
definitions:
  Empty:
    type: object
    title: Empty Schema
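So I decided to answer my own question here! It was a lot simpler than I thought... but the swagger definition is a bit repetitive; it saves time later when developing new resources in the api.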
---
swagger: 2.0
info:
  title: YOUR_API_GATEWAY_NAME
basePath: /YOUR_API_GATEWAY_STAGE
schemes:
- https
paths:
  /:
    get:
      produces:
      - application/json
      responses:
        200:
          description: 200 response
          schema:
            $ref: "#/definitions/Empty"
      x-amazon-apigateway-integration:
        responses:
          default:
            statusCode: 200
        uri: <my uri>
        passthroughBehavior: when_no_match
        httpMethod: POST
        type: aws_proxy
    post:
      produces:
      - application/json
      responses:
        200:
          description: 200 response
          schema:
            $ref: "#/definitions/Empty"
      security:
      - sigv4: []
      x-amazon-apigateway-integration:
        responses:
          default:
            statusCode: 200
        uri: <my uri>
        passthroughBehavior: when_no_match
        httpMethod: POST
        type: aws_proxy
    patch:
      produces:
      - application/json
      responses:
        200:
          description: 200 response
          schema:
            $ref: "#/definitions/Empty"
      security:
      - sigv4: []
      x-amazon-apigateway-integration:
        responses:
          default:
            statusCode: 200
        uri: <my uri>
        passthroughBehavior: when_no_match
        httpMethod: POST
        type: aws_proxy
    put:
      produces:
      - application/json
      responses:
        200:
          description: 200 response
          schema:
            $ref: "#/definitions/Empty"
      security:
      - sigv4: []
      x-amazon-apigateway-integration:
        responses:
          default:
            statusCode: 200
        uri: <my uri>
        passthroughBehavior: when_no_match
        httpMethod: POST
        type: aws_proxy
    delete:
      produces:
      - application/json
      responses:
        200:
          description: 200 response
          schema:
            $ref: "#/definitions/Empty"
      security:
      - sigv4: []
      x-amazon-apigateway-integration:
        responses:
          default:
            statusCode: 200
        uri: <my uri>
        passthroughBehavior: when_no_match
        httpMethod: POST
        type: aws_proxy
    options:
      consumes:
      - application/json
      produces:
      - application/json
      responses:
        200:
          description: 200 response
          schema:
            $ref: "#/definitions/Empty"
          headers:
            Access-Control-Allow-Origin:
              type: string
            Access-Control-Allow-Methods:
              type: string
            Access-Control-Allow-Headers:
              type: string
      x-amazon-apigateway-integration:
        responses:
          default:
            statusCode: 200
            responseParameters:
              method.response.header.Access-Control-Allow-Methods: "'GET,OPTIONS,POST,DELETE,PUT,PATCH'"
              method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token,Link,Total-Count,X-XX-Cereberus-Auth,Client-Origin'"
              method.response.header.Access-Control-Allow-Origin: "'*'"
        passthroughBehavior: when_no_match
        requestTemplates:
          application/json: "{\"statusCode\": 200}"
        type: mock
  /{proxy+}:
    get:
      produces:
      - application/json
      parameters:
      - name: proxy
        in: path
        required: true
        type: string
      responses: {}
      x-amazon-apigateway-integration:
        uri: <my uri>
        httpMethod: POST
        type: aws_proxy
    post:
      produces:
      - application/json
      parameters:
      - name: proxy
        in: path
        required: true
        type: string
      responses: {}
      security:
      - sigv4: []
      x-amazon-apigateway-integration:
        uri: <my uri>
        httpMethod: POST
        type: aws_proxy
    put:
      produces:
      - application/json
      parameters:
      - name: proxy
        in: path
        required: true
        type: string
      responses: {}
      security:
      - sigv4: []
      x-amazon-apigateway-integration:
        uri: <my uri>
        httpMethod: POST
        type: aws_proxy
    patch:
      produces:
      - application/json
      parameters:
      - name: proxy
        in: path
        required: true
        type: string
      responses: {}
      security:
      - sigv4: []
      x-amazon-apigateway-integration:
        uri: <my uri>
        httpMethod: POST
        type: aws_proxy
    delete:
      produces:
      - application/json
      parameters:
      - name: proxy
        in: path
        required: true
        type: string
      responses: {}
      security:
      - sigv4: []
      x-amazon-apigateway-integration:
        uri: <my uri>
        httpMethod: POST
        type: aws_proxy
    options:
      consumes:
      - application/json
      produces:
      - application/json
      responses:
        200:
          description: 200 response
          schema:
            $ref: "#/definitions/Empty"
          headers:
            Access-Control-Allow-Origin:
              type: string
            Access-Control-Allow-Methods:
              type: string
            Access-Control-Allow-Headers:
              type: string
      x-amazon-apigateway-integration:
        responses:
          default:
            statusCode: 200
            responseParameters:
              method.response.header.Access-Control-Allow-Methods: "'GET,OPTIONS,POST,DELETE,PUT,PATCH'"
              method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token,Link,Total-Count,X-XX-Cereberus-Auth,Client-Origin'"
              method.response.header.Access-Control-Allow-Origin: "'*'"
        passthroughBehavior: when_no_match
        requestTemplates:
          application/json: "{\"statusCode\": 200}"
        type: mock
securityDefinitions:
  sigv4:
    type: "apiKey"
    name: "Authorization"
    in: "header"
    x-amazon-apigateway-authtype: "awsSigv4"
definitions:
  Empty:
    type: object
    title: Empty Schema
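Splitting the single any-method block into one block per method means a write method that loses its `security` entry becomes public without any error at import time. The following audit is an added example, not part of the original post: it resolves the effective auth for every path and method of a Swagger 2.0 definition already loaded into a dict. The helper names, the `public` allow-list and the sample `SPEC` are assumptions constructed for illustration.

```python
# Added example: audit which methods a Swagger 2.0 definition leaves open.
HTTP_METHODS = ("get", "head", "post", "put", "patch", "delete", "options")
ANY = "x-amazon-apigateway-any-method"


def effective_auth(spec):
    """Map (path, METHOD) -> scheme names; [] means open, None means no route."""
    default = spec.get("security", [])  # top-level default, if the spec has one
    result = {}
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            # An explicit method block wins; otherwise the ANY catch-all applies.
            op = item.get(method, item.get(ANY))
            if op is None:
                result[(path, method.upper())] = None
                continue
            reqs = op.get("security", default)  # method-level overrides default
            result[(path, method.upper())] = sorted({n for r in reqs for n in r})
    return result


def unexpected_open(spec, public=("GET", "OPTIONS")):
    """Routes that accept unsigned requests but are not on the public list."""
    auth = effective_auth(spec)
    return sorted(k for k, s in auth.items() if s == [] and k[1] not in public)


def sample_op(secured):
    # Constructed stand-in for one method block of the definition.
    op = {"x-amazon-apigateway-integration": {"type": "aws_proxy"}}
    if secured:
        op["security"] = [{"sigv4": []}]
    return op


def sample_methods(**secured):
    return {m: sample_op(s) for m, s in secured.items()}


# Constructed sample shaped like the answer's definition, with one deliberate
# slip: `patch` on /{proxy+} has lost its `security` block.
SPEC = {"paths": {
    "/": sample_methods(get=False, post=True, put=True, patch=True,
                        delete=True, options=False),
    "/{proxy+}": sample_methods(get=False, post=True, put=True, patch=False,
                                delete=True, options=False),
}}

if __name__ == "__main__":
    for path, method in unexpected_open(SPEC):
        print(f"OPEN: {method} {path}")
```

Run it against the parsed definition in CI before import; methods reported as `None` (HEAD in the sample) have no route at all under the per-method layout, whereas the original any-method block covered them.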