awslabs / aws-lambda-rust-runtime

A Rust runtime for AWS Lambda
Apache License 2.0

[Bug] ApiGatewayCustomAuthorizerPolicy gives a AuthorizerConfigurationException #863

Closed hffmnn closed 4 months ago

hffmnn commented 4 months ago

I have a Token authorizer in Rust that returns an ApiGatewayCustomAuthorizerResponse like this:

let response = aws_lambda_events::apigw::ApiGatewayCustomAuthorizerResponse {
    principal_id: Some(principal_id.to_string()),
    policy_document: aws_lambda_events::apigw::ApiGatewayCustomAuthorizerPolicy {
        version: Some("2012-10-17".to_string()),
        statement: vec![aws_lambda_events::apigw::IamPolicyStatement {
            effect: Some("Allow".into()),
            action: vec!["execute-api:Invoke".to_string()],
            resource: vec!["resource_arn".to_string()],
        }],
    },
    context: json!({}),
    usage_identifier_key: None,
};

This version uses aws_lambda_events = "0.15.0" and works. The policy_document looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "execute-api:Invoke"
      ],
      "Effect": "Allow",
      "Resource": [
        "resource_arn"
      ]
    }
  ]
}

Using current main, it no longer works. Because of https://github.com/awslabs/aws-lambda-rust-runtime/pull/856, I updated the IamPolicyStatement and IamPolicyEffect.

The code looks like this now:

let response = aws_lambda_events::apigw::ApiGatewayCustomAuthorizerResponse {
    principal_id: Some(principal_id.to_string()),
    policy_document: aws_lambda_events::apigw::ApiGatewayCustomAuthorizerPolicy {
        version: Some("2012-10-17".to_string()),
        statement: vec![aws_lambda_events::iam::IamPolicyStatement {
            effect: aws_lambda_events::iam::IamPolicyEffect::Allow,
            action: vec!["execute-api:Invoke".to_string()],
            resource: vec!["resource_arn".to_string()],
            condition: None,
        }],
    },
    context: json!({}),
    usage_identifier_key: None,
};

This change breaks the authorizer, and protected methods are no longer reachable. A response looks like this:

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Content-Length: 16
x-amzn-ErrorType: AuthorizerConfigurationException

{
  "message": null
}

The only difference I see in the authorizer's JSON response is that the Condition key is now in there, set to null:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "execute-api:Invoke"
      ],
      "Effect": "Allow",
      "Resource": [
        "resource_arn"
      ],
      "Condition": null
    }
  ]
}

Adding a #[serde(skip_serializing_if = "Option::is_none")] seems to fix the problem:

#[serde(default, deserialize_with = "deserialize_policy_condition")]
#[serde(skip_serializing_if = "Option::is_none")]
pub condition: Option<IamPolicyCondition>,
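A regression check for the failure reported above, as an added example that is not part of the original issue or the project's code: it scans serialized authorizer output for object members whose value is the literal `null`, using only the standard library. The names `null_members`, `POLICY_0_15_0` and `POLICY_MAIN` are assumptions; the two policy documents are the ones quoted in the issue.

```rust
// Policy documents quoted in the issue above (whitespace compacted).
const POLICY_0_15_0: &str = r#"{"Version": "2012-10-17", "Statement": [
  {"Action": ["execute-api:Invoke"], "Effect": "Allow",
   "Resource": ["resource_arn"]}]}"#;
const POLICY_MAIN: &str = r#"{"Version": "2012-10-17", "Statement": [
  {"Action": ["execute-api:Invoke"], "Effect": "Allow",
   "Resource": ["resource_arn"], "Condition": null}]}"#;

/// Returns the names of object members whose value is the JSON literal
/// `null`. Keys are returned as written (escape sequences are not decoded).
fn null_members(json: &str) -> Vec<String> {
    let bytes = json.as_bytes();
    let mut found = Vec::new();
    let mut last_string: Option<String> = None; // most recent string token
    let mut key: Option<String> = None; // member name awaiting its value
    let mut i = 0;
    while i < bytes.len() {
        match bytes[i] {
            b'"' => {
                // Consume one string token, stepping over backslash escapes.
                let start = i + 1;
                i = start;
                while i < bytes.len() && bytes[i] != b'"' {
                    i += if bytes[i] == b'\\' { 2 } else { 1 };
                }
                last_string = Some(json[start..i.min(bytes.len())].to_string());
                key = None; // a string in value position is not null
            }
            b':' => key = last_string.take(),
            b'n' if json[i..].starts_with("null") => {
                if let Some(name) = key.take() {
                    found.push(name); // `"Name": null` inside an object
                }
                i += 3; // skip the rest of the literal
            }
            b' ' | b'\t' | b'\r' | b'\n' => {}
            _ => key = None, // any other token fills or ends the value slot
        }
        i += 1;
    }
    found
}

fn main() {
    for (label, doc) in [("0.15.0", POLICY_0_15_0), ("main", POLICY_MAIN)] {
        println!("{}: null members = {:?}", label, null_members(doc));
    }
}
```

In a unit test, pass the serialized authorizer response to `null_members` and assert that the result is empty, so a newly added `Option` field without `skip_serializing_if` is caught before deployment.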

bnusunny commented 4 months ago

Thanks for reporting the issue. Would you like to send a PR?

hffmnn commented 4 months ago

@bnusunny Sure, will do.

github-actions[bot] commented 4 months ago

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one.