spring-cloud / spring-cloud-function

Apache License 2.0

AWS API Gateway Authorizer Events not supported #833

Closed dcowan-e-courier closed 2 years ago

dcowan-e-courier commented 2 years ago

Describe the bug

Spring Cloud 3.2.2, attempting to create an API Gateway authorizer. Found no examples; initially tried building native and had failures. Then tried non-native and also had failures. Looking at AWSLambdaUtils.java, there does not appear to be support for the needed classes: https://github.com/spring-cloud/spring-cloud-function/blob/9994503deac26572e52740767b7bd4bd7e5bacca/spring-cloud-function-adapters/spring-cloud-function-adapter-aws/src/main/java/org/springframework/cloud/function/adapter/aws/AWSLambdaUtils.java#L63-L71

APIGatewayCustomAuthorizerEvent is the class needed to support authorizers.

Example failure

2022-03-18T13:21:14.441-05:00   2022-03-18 18:21:14.441 INFO 10 --- [pool-3-thread-1] o.s.c.f.a.aws.CustomRuntimeEventLoop : Entering event loop

2022-03-18T13:21:14.448-05:00   2022-03-18 18:21:14.448 INFO 10 --- [pool-3-thread-1] o.s.c.f.a.aws.CustomRuntimeEventLoop : Located function call

2022-03-18T13:21:14.448-05:00   2022-03-18 18:21:14.448 INFO 10 --- [pool-3-thread-1] o.s.c.f.adapter.aws.AWSLambdaUtils : Incoming JSON Event: {"type":"REQUEST","methodArn":"arn:aws:execute-api:us-east-1:12345:12345/dev/GET/customers/call/list","resource":"/customers/{proxy+}","path":"/customers/call/list","httpMethod":"GET","headers":{"Accept":"*/*","Accept-Encoding":"gzip, deflate, br","Authorization":"Bearer ABC","CloudFront-Forwarded-Proto":"https","CloudFront-Is-Desktop-Viewer":"true","CloudFront-Is-Mobile-Viewer":"false","CloudFront-Is-SmartTV-Viewer":"false","CloudFront-Is-Tablet-Viewer":"false","CloudFront-Viewer-Country":"US","Host":"abc.execute-api.us-east-1.amazonaws.com","User-Agent":"PostmanRuntime/7.26.8","Via":"1.1 f0349139bb2a6e0cfe6c70f0cb2f5d08.cloudfront.net (CloudFront)","X-Amz-Cf-Id":"TrArYpUSOjhWcGDay7ejWfITTxVDBWD5Zeh4MRmTZL_Zg05LKo8NSK4Q==","X-Amzn-Trace-Id":"Root=1-6234cd99-1099701a78a9ffb4416347c0","X-Forwarded-For":"8.97.83.253, 10.132.39.137","X-Forwarded-Port":"443","X-Forwarded-Proto":"https"},"multiValueHeaders":{"Accept":["*/*"],"Accept-Encoding":["gzip, deflate, br"],"Authorization":["Bearer ABC"],"CloudFront-Forwarded-Proto":["https"],"CloudFront-Is-Desktop-Viewer":["true"],"CloudFront-Is-Mobile-Viewer":["false"],"CloudFront-Is-SmartTV-Viewer":["false"],"CloudFront-Is-Tablet-Viewer":["false"],"CloudFront-Viewer-Country":["US"],"Host":["12345.execute-api.us-east-1.amazonaws.com"],"Postman-Token":["226fa423-6718-40e9-8cf6-1a9efc109467"],"User-Agent":["PostmanRuntime/7.26.8"],"Via":["1.1 f0349139bb2a6e0cfe6c70f0cb2f5d08.cloudfront.net (CloudFront)"],"X-Amz-Cf-Id":["TrArYpUSOjhWcGDay7ejWfIxVDBWD5Zeh4MRmTZL_Zg05LKo8NSK4Q=="],"X-Amzn-Trace-Id":["Root=1-6234cd99-1099701a78a9ffb4416347c0"],"X-Forwarded-For":["8.97.83.253, 
10.132.39.137"],"X-Forwarded-Port":["443"],"X-Forwarded-Proto":["https"]},"queryStringParameters":{},"multiValueQueryStringParameters":{},"pathParameters":{"proxy":"call/list"},"stageVariables":{},"requestContext":{"resourceId":"6qvwgn","resourcePath":"/customers/{proxy+}","httpMethod":"GET","extendedRequestId":"AB=","requestTime":"18/Mar/2022:18:21:13 +0000","path":"/dev/customers/call/list","accountId":"1234","protocol":"HTTP/1.1","stage":"dev","domainPrefix":"12345","requestTimeEpoch":1647627673764,"requestId":"b880765a-b3f5-42ff-a5a5-d8f5fcf30234","identity":{"cognitoIdentityPoolId":null,"accountId":null,"cognitoIdentityId":null,"caller":null,"sourceIp":"1.97.83.253","principalOrgId":null,"accessKey":null,"cognitoAuthenticationType":null,"cognitoAuthenticationProvider":null,"userArn":null,"userAgent":"PostmanRuntime/7.26.8","user":null},"domainName":"abc.execute-api.us-east-1.amazonaws.com","apiId":"2aayv3j9"}}

2022-03-18T13:21:14.453-05:00   2022-03-18 18:21:14.453 INFO 10 --- [pool-3-thread-1] o.s.c.f.adapter.aws.AWSLambdaUtils : Incoming MAP: {type=REQUEST, methodArn=arn:aws:execute-api:us-east-1:12345:12345/dev/GET/customers/call/list, resource=/customers/{proxy+}, path=/customers/call/list, httpMethod=GET, headers={Accept=*/*, Accept-Encoding=gzip, deflate, br, Authorization=Bearer abc, CloudFront-Forwarded-Proto=https, CloudFront-Is-Desktop-Viewer=true, CloudFront-Is-Mobile-Viewer=false, CloudFront-Is-SmartTV-Viewer=false, CloudFront-Is-Tablet-Viewer=false, CloudFront-Viewer-Country=US, Host=12345.execute-api.us-east-1.amazonaws.com, Postman-Token=226fa423-6718-40e9-8cf6-1c9efc109467, User-Agent=PostmanRuntime/7.26.8, Via=1.1 f0349139bb2a6e0cfe6c70f0cb2f5d08.cloudfront.net (CloudFront), X-Amz-Cf-Id=TrArYpUSOjhWcGDay7ejWfIxVDBWD5Zeh4MRmTZL_Zg05LKo8NSK4Q==, X-Amzn-Trace-Id=Root=1-6234cd99-1099701a78a9ffb4416347c0, X-Forwarded-For=98.97.83.253, 70.132.39.137, X-Forwarded-Port=443, X-Forwarded-Proto=https}, multiValueHeaders={Accept=[*/*], Accept-Encoding=[gzip, deflate, br], Authorization=[Bearer eyJraWQiOiJPcVJkQTNzZlhnRTJldjhxWDY3MEFEM1FQdlUyalllUGF2TTlaVmpSZkN3IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlZnRXFyUDU2Smc3dUVKMHQ0WFVUaDV2c3NPRFNDazNIbVZfOFFUT1pnYlkiLCJpc3MiOiJodHRwczovL2Vjb3VyaWVyLm9rdGEuY29tL29hdXRoMi9hdXMzdTJibDIzN01USXdTeDVkNyIsImF1ZCI6ImFwaTovL2Vjb3VyaWVyLWFwcCIsImlhdCI6MTY0NzYxODE5OCwiZXhwIjoxNjQ3NjIxNzk4LCJjaWQiOiIwb2EzbWdnMGdjSTN2WGdlczVkNyIsInVpZCI6IjAwdTN6MGd1bnF1dWFSNGRFNWQ3Iiwic2NwIjpbIm9wZW5pZCJdLCJhdXRoX3RpbWUiOjE2NDc2MTgxNzcsInN1YiI6Im9rdGFhdXRvbWF0ZWR0ZXN0QGUtY291cmllci5jb20ifQ.O5S8_BO7TyATBua159BIQfGKbdxtOrZqf6VjwG9O2SX3qeuOi4Drg87rXca_HUX4A-gsi1d332S-CprHYU5EgUHXyeXiFtFszPfzClk-SLOZP6lLeHyo0SDtqDYMJ2-AQtklqdenwSRcyS2TtgVwvHVHl9lstQQ0RYBFZXUpr_EPZXjRIEsnhnNmuofdoPDjmdsF2J7MowJhz6VOXYqLvy8QXIBdrCebddi3GxcsAmvUsQKjSeX7w9oZ6hRue_aOvcYrsbgLdPKGk7hjLdX_QFUDJ9b4_w6rUgvX6Aw2PEUBDTGR3v1X31Hc7YlJ0oVY9WPAWv64mxMldfMULGpvww], 
CloudFront-Forwarded-Proto=[https], CloudFront-Is-Desktop-Viewer=[true], CloudFront-Is-Mobile-Viewer=[false], CloudFront-Is-SmartTV-Viewer=[false], CloudFront-Is-Tablet-Viewer=[false], CloudFront-Viewer-Country=[US], Host=[12345.execute-api.us-east-1.amazonaws.com], Postman-Token=[226fa423-6718-40e9-8cf6-1c9efc109467], User-Agent=[PostmanRuntime/7.26.8], Via=[1.1 f0349139bb2a6e0cfe6c70f0cb2f5d08.cloudfront.net (CloudFront)], X-Amz-Cf-Id=[TrArYpUSOjhWcGDay7ejWfIxVDBWD5Zeh4MRmTZL_Zg05LKo8NSK4Q==], X-Amzn-Trace-Id=[Root=1-6234cd99-1099701a78a9ffb4416347c0], X-Forwarded-For=[98.97.83.253, 70.132.39.137], X-Forwarded-Port=[443], X-Forwarded-Proto=[https]}, queryStringParameters={}, multiValueQueryStringParameters={}, pathParameters={proxy=call/list}, stageVariables={}, requestContext={resourceId=6qvwgn, resourcePath=/customers/{proxy+}, httpMethod=GET, extendedRequestId=PMUQDHY8IAMF85A=, requestTime=18/Mar/2022:18:21:13 +0000, path=/dev/customers/call/list, accountId=12345, protocol=HTTP/1.1, stage=dev, domainPrefix=12345, requestTimeEpoch=1647627673764, requestId=b880765a-b3f5-42ff-a5a5-d8f5fcf30234, identity={cognitoIdentityPoolId=null, accountId=null, cognitoIdentityId=null, caller=null, sourceIp=98.97.83.253, principalOrgId=null, accessKey=null, cognitoAuthenticationType=null, cognitoAuthenticationProvider=null, userArn=null, userAgent=PostmanRuntime/7.26.8, user=null}, domainName=12345.execute-api.us-east-1.amazonaws.com, apiId=12345}}

2022-03-18T13:21:14.453-05:00   2022-03-18 18:21:14.453 INFO 10 --- [pool-3-thread-1] o.s.c.f.adapter.aws.AWSLambdaUtils : Incoming request is API Gateway

2022-03-18T13:21:14.453-05:00   2022-03-18 18:21:14.453 INFO 10 --- [pool-3-thread-1] o.s.c.f.adapter.aws.AWSLambdaUtils : Body is [B@19c24a28

2022-03-18T13:21:14.453-05:00   2022-03-18 18:21:14.453 INFO 10 --- [pool-3-thread-1] o.s.c.f.adapter.aws.AWSLambdaUtils : Incoming request headers: {date=Fri, 18 Mar 2022 18:21:14 GMT, transfer-encoding=chunked, lambda-runtime-trace-id=Root=1-6234cd99-1099701a78a9ffb4416347c0;Parent=2a8f1e4b5a562f59;Sampled=0, lambda-runtime-aws-request-id=a09344c4-fe62-4693-9b42-d7532b60ecb9, id=b4b90825-1897-2116-35ee-0a159705a853, contentType=application/json, lambda-runtime-invoked-function-arn=arn:aws:lambda:us-east-1:12345:function:NxtGenServices-NXTGEN-77-OktaAuthorizerNXTGEN7754F-7e4IaegSZ2CX, lambda-runtime-deadline-ms=1647627684444, timestamp=1647627674448}

2022-03-18T13:21:14.454-05:00   Exception in thread "pool-3-thread-1" java.lang.ClassCastException: byte[] cannot be cast to java.util.HashMap

2022-03-18T13:21:14.454-05:00   at org.springframework.cloud.function.context.catalog.SimpleFunctionRegistry$FunctionInvocationWrapper.invokeFunctionAndEnrichResultIfNecessary(SimpleFunctionRegistry.java:897)

2022-03-18T13:21:14.454-05:00   at org.springframework.cloud.function.context.catalog.SimpleFunctionRegistry$FunctionInvocationWrapper.invokeFunction(SimpleFunctionRegistry.java:853)

2022-03-18T13:21:14.454-05:00   at org.springframework.cloud.function.context.catalog.SimpleFunctionRegistry$FunctionInvocationWrapper.doApply(SimpleFunctionRegistry.java:708)

2022-03-18T13:21:14.454-05:00   at org.springframework.cloud.function.context.catalog.SimpleFunctionRegistry$FunctionInvocationWrapper.apply(SimpleFunctionRegistry.java:551)

2022-03-18T13:21:14.454-05:00   at org.springframework.cloud.function.adapter.aws.CustomRuntimeEventLoop.eventLoop(CustomRuntimeEventLoop.java:144)

2022-03-18T13:21:14.454-05:00   at org.springframework.cloud.function.adapter.aws.CustomRuntimeEventLoop.lambda$run$0(CustomRuntimeEventLoop.java:84)

2022-03-18T13:21:14.454-05:00   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)

2022-03-18T13:21:14.454-05:00   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)

2022-03-18T13:21:14.454-05:00   at java.lang.Thread.run(Thread.java:829)

2022-03-18T13:21:14.454-05:00   at com.oracle.svm.core.thread.JavaThreads.threadStartRoutine(JavaThreads.java:597)

2022-03-18T13:21:14.454-05:00   at com.oracle.svm.core.posix.thread.PosixJavaThreads.pthreadStartRoutine(PosixJavaThreads.java:194)

2022-03-18T13:21:24.454-05:00   END RequestId: a09344c4-fe62-4693-9b42-d7532b60ecb9

2022-03-18T13:21:24.454-05:00   REPORT RequestId: a09344c4-fe62-4693-9b42-d7532b60ecb9 Duration: 10009.10 ms Billed Duration: 10435 ms Memory Size: 1024 MB Max Memory Used: 90 MB Init Duration: 425.00 ms

2022-03-18T13:21:24.454-05:00   2022-03-18T18:21:24.453Z a09344c4-fe62-4693-9b42-d7532b60ecb9 Task timed out after 10.01 seconds

2022-03-18T13:21:24.933-05:00   2022-03-18 18:21:24.933 INFO 9 --- [ main] o.s.nativex.NativeListener : AOT mode enabled

Twometer commented 2 years ago

There was a problem with the authorizers that I fixed in #827. I have a private fork of SCF 3.2.x with that fix installed, and they work for me now.

dcowan-e-courier commented 2 years ago

@Twometer I don't see APIGatewayCustomAuthorizerEvent in your pull request. Do you have an example of how you are implementing the authorizer?

Twometer commented 2 years ago

I'm using the gateway proxy request event, it seems to work fine. I have my code something like this, and it works fine:

@Bean
Function<APIGatewayProxyRequestEvent, IamPolicyResponse> auth() {
    return event -> {
        // Build and return the policy decision (builder calls elided in the original post)
        return IamPolicyResponse.builder() ...
    };
}

olegz commented 2 years ago

I believe what @dcowan-e-courier is saying is that we need to ensure that we support APIGatewayCustomAuthorizerEvent.

olegz commented 2 years ago

Basically at the moment we support only events that have been requested by the community, so this is basically a request to support APIGatewayCustomAuthorizerEvent.
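
Added example (not code from this thread or from spring-cloud-function): a fail-closed REQUEST authorizer typed against APIGatewayCustomAuthorizerEvent, the class requested above, which carries the methodArn that APIGatewayProxyRequestEvent does not. It assumes an adapter version that can convert the incoming event to that type, which this thread does not confirm; AuthorizerConfig and TokenVerifier are hypothetical names.

```java
import java.util.Collections;
import java.util.Map;
import java.util.function.Function;
import com.amazonaws.services.lambda.runtime.events.APIGatewayCustomAuthorizerEvent;
import com.amazonaws.services.lambda.runtime.events.IamPolicyResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AuthorizerConfig { // hypothetical class name
    /** Hypothetical verifier: returns the principal id for a valid token, throws otherwise. */
    public interface TokenVerifier { String verify(String bearerToken) throws Exception; }

    @Bean
    public Function<APIGatewayCustomAuthorizerEvent, IamPolicyResponse> auth(TokenVerifier verifier) {
        return event -> {
            String arn = event.getMethodArn();
            try {
                String principal = verifier.verify(bearerToken(event.getHeaders()));
                // Scoped to the invoked method; with result caching on, this policy is reused.
                return policy(principal, IamPolicyResponse.allowStatement(arn));
            } catch (Exception e) {
                // Fail closed: a missing, malformed or rejected token yields an explicit Deny.
                return policy("anonymous", IamPolicyResponse.denyStatement(arn));
            }
        };
    }

    /** Finds the Authorization header case-insensitively and strips the "Bearer " prefix. */
    static String bearerToken(Map<String, String> headers) {
        if (headers != null) {
            for (Map.Entry<String, String> h : headers.entrySet()) {
                String v = h.getValue();
                if ("authorization".equalsIgnoreCase(h.getKey()) && v != null
                        && v.length() > 7 && v.regionMatches(true, 0, "Bearer ", 0, 7)) {
                    return v.substring(7).trim();
                }
            }
        }
        throw new IllegalArgumentException("missing bearer token");
    }

    static IamPolicyResponse policy(String principalId, IamPolicyResponse.Statement statement) {
        return IamPolicyResponse.builder()
                .withPrincipalId(principalId)
                .withPolicyDocument(IamPolicyResponse.PolicyDocument.builder()
                        .withVersion(IamPolicyResponse.VERSION_2012_10_17)
                        .withStatement(Collections.singletonList(statement))
                        .build())
                .build();
    }
}
```

The INFO log lines in the report above print the whole incoming event, Authorization header included, so an authorizer running on this adapter needs its log level and log access treated accordingly.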