support aws iam authorized for api gw (#59)

* support aws iam authorized for api gw
fogfish · Oct 18, 2024 · b10e4c3 · b10e4c3
1 parent ba7f969
commit b10e4c3
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 13 deletions.
diff --git a/.github/workflows/check-code.yml b/.github/workflows/check-code.yml
@@ -20,6 +20,6 @@ jobs:
 
       - uses: actions/checkout@v4
 
-      - uses: dominikh/staticcheck-action@v1.2.0
+      - uses: dominikh/staticcheck-action@v1.3.1
         with:
           install-go: false
diff --git a/.github/workflows/check-triage.yml b/.github/workflows/check-triage.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - uses: actions/labeler@v4
       with:

diff --git a/request_test.go b/request_test.go
@@ -261,6 +261,39 @@ func TestBodyText(t *testing.T) {
 	}
 }
 
+func TestBodyOctetStream(t *testing.T) {
+	spec := []struct {
+		Mock   *µ.Context
+		Expect string
+	}{
+		{
+			mock.Input(
+				mock.Header("Content-Type", "application/octet-stream"),
+				mock.Text("foobar"),
+			),
+			"foobar",
+		},
+	}
+
+	type request struct {
+		FooBar string
+	}
+	var lens = µ.Optics1[request, string]()
+
+	for _, tt := range spec {
+		var req request
+		foo := mock.Endpoint(µ.GET(µ.URI(), µ.Body(lens)))
+		err := foo(tt.Mock)
+
+		it.Then(t).Should(
+			it.Nil(err),
+			it.Nil(µ.FromContext(tt.Mock, &req)),
+			it.Equiv(req.FooBar, tt.Expect),
+		)
+	}
+
+}
+
 func TestFMapSuccess(t *testing.T) {
 	type T struct{ A string }
 	a := µ.Optics1[T, string]()

diff --git a/server/aws/apigateway/apigateway.go b/server/aws/apigateway/apigateway.go
@@ -20,6 +20,7 @@ package apigateway
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"net/http"
@@ -31,14 +32,10 @@ import (
 	"github.com/fogfish/logger"
 )
 
-/*
-Request is events.APIGatewayProxyRequest ⟼ µ.Input
-*/
+// Request is events.APIGatewayProxyRequest ⟼ µ.Input
 func Request(r *events.APIGatewayProxyRequest) *µ.Context {
 	ctx := µ.NewContext(context.Background())
-	body := io.NopCloser(strings.NewReader(r.Body))
-
-	req, err := http.NewRequest(r.HTTPMethod, r.Path, body)
+	req, err := http.NewRequest(r.HTTPMethod, r.Path, requestBody(r))
 	if err != nil {
 		return nil
 	}
@@ -59,15 +56,35 @@ func Request(r *events.APIGatewayProxyRequest) *µ.Context {
 	return ctx
 }
 
+func requestBody(r *events.APIGatewayProxyRequest) io.ReadCloser {
+	reader := strings.NewReader(r.Body)
+
+	if r.IsBase64Encoded {
+		return io.NopCloser(
+			base64.NewDecoder(base64.StdEncoding, reader),
+		)
+	}
+
+	return io.NopCloser(reader)
+}
+
 func jwtFromAuthorizer(r *events.APIGatewayProxyRequest) µ.Token {
-	if r.RequestContext.Authorizer == nil {
+	if r.RequestContext.Authorizer != nil {
+		if jwt, isJwt := r.RequestContext.Authorizer["claims"]; isJwt {
+			switch tkn := jwt.(type) {
+			case map[string]interface{}:
+				return µ.NewToken(tkn)
+			}
+		}
+
 		return nil
 	}
 
-	if jwt, isJwt := r.RequestContext.Authorizer["claims"]; isJwt {
-		switch tkn := jwt.(type) {
-		case map[string]interface{}:
-			return µ.NewToken(tkn)
+	if r.RequestContext.Identity.UserArn != "" {
+		return µ.Token{
+			"iss":      "https://aws.amazon.com/iam",
+			"sub":      r.RequestContext.Identity.User,
+			"username": r.RequestContext.Identity.UserArn,
 		}
 	}