C# implementation of AWS API Gateway Custom Authorization Lambda

I have a question about AWS API Gateway custom authorization with a Lambda written in C#. In the AWS Lambda documentation the function signature looks like this:

returnType handler-name(inputType input, ILambdaContext context) {
   ...
}

The inputType and returnType have to be specified for the function handler. For a custom authorizer in API Gateway, what should the inputType and returnType be? Thanks in advance.

You should really take a look at the link below and try to follow along. The full tutorial is written in Python, so if you are not familiar with it, do your best to read through the complete walkthrough, but this link explains the C# part:

http://docs.aws.amazon.com/lambda/latest/dg/get-started-step5-optional.html

Essentially, the string:

returnType handler-name(inputType input, ILambdaContext context) {

would look like this (copied from the AWS page):

public string MyHandler(int count, ILambdaContext context) { ... }

public is added as the scope modifier, and the developer chose string as the returnType, MyHandler as the handler-name, and int as the inputType.

I want to post the solution I used, which worked for me. Thanks to Josh Maag for pointing me in the right direction. Basically, I created a few simple classes:

public class TokenAuthorizerContext
{
    public string Type { get; set; }
    public string AuthorizationToken { get; set; }
    public string MethodArn { get; set; }
}

public class AuthPolicy
{
    public PolicyDocument policyDocument { get; set; }
    public string principalId { get; set; }
}

public class PolicyDocument
{
    public string Version { get; set; }
    public Statement[] Statement { get; set; }
}

public class Statement
{
    public string Action { get; set; }
    public string Effect { get; set; }
    public string Resource { get; set; }
}

After creating the classes above, my handler's signature is:

public async Task<AuthPolicy> FunctionHandler(TokenAuthorizerContext request, ILambdaContext context)

I thought I would elaborate a bit. This uses parts of what was done here and tries to make it look like the example they give us here: http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html

I am not sure whether it needs to be async? I did not make it async, and that seems to work fine for a basic start.

using System;
using Amazon.Lambda.Core;

public class Authorize
{
    public Authorize() { }

    public AuthPolicy AuthorizeHandler(TokenAuthorizerContext request, ILambdaContext context)
    {
        var token = request.AuthorizationToken;

        switch (token?.ToLowerInvariant())
        {
            case "allow":
                return generatePolicy("user", "Allow", request.MethodArn);
            case "deny":
                return generatePolicy("user", "Deny", request.MethodArn); // API Gateway answers 403
        }

        // Returning null here would make API Gateway answer 500. An error whose message is
        // exactly "Unauthorized" is mapped to a 401 response instead, as in the AWS example.
        throw new Exception("Unauthorized");
    }

    private AuthPolicy generatePolicy(string principalId, string effect, string resource)
    {
        AuthPolicy authResponse = new AuthPolicy();
        authResponse.principalId = principalId; // required field of the authorizer output
        authResponse.policyDocument = new PolicyDocument();
        authResponse.policyDocument.Version = "2012-10-17";// default version
        authResponse.policyDocument.Statement = new Statement[1];

        Statement statementOne = new Statement();
        statementOne.Action = "execute-api:Invoke"; // default action
        statementOne.Effect = effect;
        statementOne.Resource = resource;

        authResponse.policyDocument.Statement[0] = statementOne;

        return authResponse;
    }

}
public class TokenAuthorizerContext
{
    public string Type { get; set; }
    public string AuthorizationToken { get; set; }
    public string MethodArn { get; set; }
}

public class AuthPolicy
{
    public PolicyDocument policyDocument { get; set; }
    public string principalId { get; set; }
}

public class PolicyDocument
{
    public string Version { get; set; }
    public Statement[] Statement { get; set; }
}

public class Statement
{
    public string Action { get; set; }
    public string Effect { get; set; }
    public string Resource { get; set; }
}
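One thing the hand-rolled version above leaves open is how wide the Resource in the returned policy should be. API Gateway caches the authorizer result per token (default TTL 300 seconds), so a policy that names only the first MethodArn is replayed for the caller's next request to a different route and produces a 403 until the cache expires. The added example below (not part of the answer above, and not AWS code) parses the MethodArn into its parts and builds statements of different widths; the account id, API id and the "reader may GET anything except /admin" rule are constructed for the demonstration, and the Statement class mirrors the one posted above.

```csharp
using System;

// Same JSON shape as the Statement class posted in the answers above.
public class Statement
{
    public string Action { get; set; }
    public string Effect { get; set; }
    public string Resource { get; set; }
}

// Parser for the MethodArn that API Gateway hands to a token authorizer. The format is
// arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{verb}/{resourcePath}
public sealed class MethodArn
{
    public string Prefix { get; }  // "arn:aws:execute-api:{region}:{account}:{apiId}"
    public string Stage { get; }
    public string Verb { get; }
    public string Path { get; }    // resource path after the verb, "" for the root resource

    private MethodArn(string prefix, string stage, string verb, string path)
    {
        Prefix = prefix; Stage = stage; Verb = verb; Path = path;
    }

    public static MethodArn Parse(string arn)
    {
        if (string.IsNullOrEmpty(arn)) throw new ArgumentException("empty MethodArn");
        // The first '/' separates the apiId from the stage; everything after it is stage/verb/path.
        var slash = arn.IndexOf('/');
        if (slash < 0) throw new ArgumentException("MethodArn has no stage segment: " + arn);
        var rest = arn.Substring(slash + 1).Split(new[] { '/' }, 3);
        if (rest.Length < 2) throw new ArgumentException("MethodArn has no verb segment: " + arn);
        return new MethodArn(arn.Substring(0, slash), rest[0], rest[1], rest.Length == 3 ? rest[2] : "");
    }

    // Every verb and path in this stage. With result caching enabled, the policy returned for a
    // token is reused for the caller's other routes, so it must cover more than the first MethodArn.
    public string StageWildcard() => $"{Prefix}/{Stage}/*/*";

    // A narrower ARN for one verb and a path pattern, e.g. ForRoute("GET", "items/*").
    public string ForRoute(string verb, string pathPattern) => $"{Prefix}/{Stage}/{verb}/{pathPattern}";
}

public static class PolicyScoping
{
    // Statements for a hypothetical read-only principal: allow every GET in the stage but
    // explicitly deny everything under /admin. IAM evaluation lets an explicit Deny win over
    // any Allow, so the pair stays safe even when both patterns match the same request.
    public static Statement[] ReaderStatements(MethodArn arn)
    {
        return new[]
        {
            new Statement { Action = "execute-api:Invoke", Effect = "Allow", Resource = arn.ForRoute("GET", "*") },
            new Statement { Action = "execute-api:Invoke", Effect = "Deny",  Resource = arn.ForRoute("*", "admin/*") },
        };
    }

    public static void Main()
    {
        // Constructed sample ARN (fictitious account and API id).
        var arn = MethodArn.Parse("arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/items/42");
        Console.WriteLine($"verb={arn.Verb} path={arn.Path}");
        Console.WriteLine(arn.StageWildcard());
        foreach (var s in PolicyScoping.ReaderStatements(arn))
            Console.WriteLine($"{s.Effect} {s.Resource}");
    }
}
```

To plug this into the handler above, set `policyDocument.Statement` to the array returned by `ReaderStatements` instead of a single statement built from `request.MethodArn`. If you would rather return only the stage-wide wildcard, do the per-route authorization in the backend, because the cached policy will no longer distinguish routes.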

You can go with a strongly typed approach without having to invent custom classes that must follow the required schema.

Use the NuGet package:

Amazon.Lambda.APIGatewayEvents

Input schema:

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-input.html

Output schema:

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html

Your function prototype could look something like this:

using System.Collections.Generic;
using Amazon.Lambda.APIGatewayEvents;
using Amazon.Lambda.Core;

public class Function
{
    public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest input, ILambdaContext context)
    {
        bool ok = false;
        // authorization logic here...
        if(input.AuthorizationToken == "up-down-left-right-a-b-select-start")
        {
            ok = true;
        }
        return new APIGatewayCustomAuthorizerResponse
        {
            PrincipalID = "***",//principal info here...
            UsageIdentifierKey = "***",//usage identifier here (optional, only with usage plans)
            PolicyDocument = new APIGatewayCustomAuthorizerPolicy
            {
                Version = "2012-10-17",
                Statement = new List<APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>() {
                      new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
                      {
                           Action = new HashSet<string>(){"execute-api:Invoke"},
                           Effect = ok ? "Allow" : "Deny", // Deny is returned to the caller as 403
                           Resource = new HashSet<string>(){  "***" } // resource arn here
                      }
                },
            }
        };
    }
}
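The typed version above still compares the token with `==` against a literal and answers every failure with a Deny, which API Gateway reports as 403 and caches. The added example below (not code from the answer above or from the Amazon.Lambda.APIGatewayEvents library) keeps the same types but verifies an HMAC-signed token, separates "not authenticated" (throw an error whose message is exactly "Unauthorized", which API Gateway maps to 401) from "authenticated but not allowed" (explicit Deny, 403), scopes the policy to the stage so the cached result covers the caller's other routes, and passes claims downstream via Context. Everything outside the library types is an assumption for the example: the token format `principalId.expiryUnixSeconds.hexHmacSha256`, the AUTHORIZER_HMAC_KEY environment variable, the in-memory revocation set, and the principal names. `CryptographicOperations.FixedTimeEquals` requires .NET Core 2.1 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using Amazon.Lambda.APIGatewayEvents;
using Amazon.Lambda.Core;

public class HmacTokenAuthorizer
{
    // Assumed deployment detail: the shared HMAC key arrives through this environment variable.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes(Environment.GetEnvironmentVariable("AUTHORIZER_HMAC_KEY") ?? "");

    // Assumed revocation list standing in for a real store (e.g. a DynamoDB table).
    private static readonly HashSet<string> Revoked = new HashSet<string> { "mallory" };

    // Constructed token format: "{principalId}.{expiryUnixSeconds}.{hexHmacSha256}",
    // with the MAC computed over "{principalId}.{expiryUnixSeconds}". Used by the token issuer.
    public static string Mint(string principalId, DateTimeOffset expires)
    {
        var payload = $"{principalId}.{expires.ToUnixTimeSeconds()}";
        return $"{payload}.{Hex(Mac(payload))}";
    }

    public APIGatewayCustomAuthorizerResponse FunctionHandler(APIGatewayCustomAuthorizerRequest input, ILambdaContext context)
    {
        // Anything that is not a well-formed, correctly signed, unexpired token is rejected by
        // throwing an error whose message is exactly "Unauthorized"; API Gateway maps that to 401.
        var parts = (input.AuthorizationToken ?? "").Split('.');
        if (parts.Length != 3) throw new Exception("Unauthorized");

        byte[] presented;
        try { presented = FromHex(parts[2]); } catch (FormatException) { throw new Exception("Unauthorized"); }

        // Fixed-time comparison so a wrong MAC does not leak how many leading bytes matched.
        var payload = $"{parts[0]}.{parts[1]}";
        if (!CryptographicOperations.FixedTimeEquals(Mac(payload), presented)) throw new Exception("Unauthorized");

        // Check expiry only after the MAC, so the expiry field itself is authenticated.
        if (!long.TryParse(parts[1], NumberStyles.None, CultureInfo.InvariantCulture, out var exp)
            || DateTimeOffset.UtcNow.ToUnixTimeSeconds() >= exp) throw new Exception("Unauthorized");

        var principalId = parts[0];
        // A valid token for a revoked principal is authenticated but not authorized: return an
        // explicit Deny, which API Gateway turns into 403 (and caches like any other result).
        var effect = Revoked.Contains(principalId) ? "Deny" : "Allow";

        // Scope the policy to the whole stage, not just input.MethodArn: the response is cached
        // per token (default TTL 300 s) and reused for every other route this caller hits next.
        var arnParts = input.MethodArn.Split('/');
        var resource = $"{arnParts[0]}/{arnParts[1]}/*/*";

        return new APIGatewayCustomAuthorizerResponse
        {
            PrincipalID = principalId,
            PolicyDocument = new APIGatewayCustomAuthorizerPolicy
            {
                Version = "2012-10-17",
                Statement = new List<APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>
                {
                    new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
                    {
                        Action = new HashSet<string> { "execute-api:Invoke" },
                        Effect = effect,
                        Resource = new HashSet<string> { resource },
                    }
                }
            },
            // Reaches the integration as $context.authorizer.<key>; values must be string, number or bool.
            Context = new APIGatewayCustomAuthorizerContextOutput
            {
                ["principalId"] = principalId,
                ["tokenExpiry"] = parts[1],
            }
        };
    }

    private static byte[] Mac(string payload)
    {
        // Fail closed (500) rather than validate against an empty key when the variable is missing.
        if (Key.Length == 0) throw new InvalidOperationException("AUTHORIZER_HMAC_KEY is not set");
        using (var hmac = new HMACSHA256(Key)) return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    private static string Hex(byte[] bytes) => BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();

    private static byte[] FromHex(string hex)
    {
        if (hex.Length % 2 != 0) throw new FormatException("odd-length hex");
        var bytes = new byte[hex.Length / 2];
        for (var i = 0; i < bytes.Length; i++) bytes[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return bytes;
    }
}
```

To try it, set AUTHORIZER_HMAC_KEY on both the issuer and the authorizer, call `HmacTokenAuthorizer.Mint("alice", DateTimeOffset.UtcNow.AddMinutes(5))` to obtain a token, and send it in the header the authorizer is configured to read. A tampered or expired token gets 401, a token minted for "mallory" gets 403, and any other valid token gets an Allow for the whole stage; because of the result cache, revoking a principal only takes effect for that token once its TTL has passed.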