Adds support for Condition element in APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement.
ashishdhingra committed Jul 22, 2024
1 parent 1f0b6a5 commit 629c3b8
Showing 5 changed files with 161 additions and 2 deletions.
Expand Up @@ -51,6 +51,15 @@ public class IAMPolicyStatement
[System.Text.Json.Serialization.JsonPropertyName("Resource")]
#endif
public HashSet<string> Resource { get; set; }

/// <summary>
/// Gets or sets the conditions for when a policy is in effect.
/// https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
/// </summary>
#if NETCOREAPP3_1_OR_GREATER
[System.Text.Json.Serialization.JsonPropertyName("Condition")]
#endif
public IDictionary<string, IDictionary<string, object>> Condition { get; set; }
}
}
}
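Review bot: The summary on the new `Condition` property does not say what the inner dictionary's `object` values may be, and the signature alone cannot tell a reader; the tests added in this commit use both a single string and a `List<string>`. Suggest extending the summary with `/// Keys are condition operators (for example "StringEquals"); each value maps a condition key to a single string or a collection of strings. Leave null to emit no Condition element.` The `JsonPropertyName` attribute is compiled out below netcoreapp3.1, so if the sibling properties above the hunk carry another naming attribute for the netstandard2.0 path, `Condition` should carry the same one. The start of `IAMPolicyStatement` is outside the hunk.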
Expand Up @@ -6,7 +6,7 @@
<TargetFrameworks>netstandard2.0;netcoreapp3.1;net8.0</TargetFrameworks>
<Description>Amazon Lambda .NET Core support - API Gateway package.</Description>
<AssemblyTitle>Amazon.Lambda.APIGatewayEvents</AssemblyTitle>
<VersionPrefix>2.7.0</VersionPrefix>
<VersionPrefix>2.7.1</VersionPrefix>
<AssemblyName>Amazon.Lambda.APIGatewayEvents</AssemblyName>
<PackageId>Amazon.Lambda.APIGatewayEvents</PackageId>
<PackageTags>AWS;Amazon;Lambda</PackageTags>
Expand Up @@ -9,7 +9,7 @@
<AssemblyName>Amazon.Lambda.Serialization.Json</AssemblyName>
<PackageId>Amazon.Lambda.Serialization.Json</PackageId>
<PackageTags>AWS;Amazon;Lambda</PackageTags>
<VersionPrefix>2.2.1</VersionPrefix>
<VersionPrefix>2.2.2</VersionPrefix>
</PropertyGroup>

<ItemGroup>
Expand Up @@ -52,6 +52,7 @@ public JsonSerializer(Action<JsonSerializerSettings> customizeSerializerSettings
resolver.NamingStrategy = namingStrategy;
};
settings.ContractResolver = resolver;
settings.NullValueHandling = NullValueHandling.Ignore;

serializer = Newtonsoft.Json.JsonSerializer.Create(settings);

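Review bot: `settings.NullValueHandling = NullValueHandling.Ignore;` changes the global settings of this serializer, so every null property on every event type that goes through it is now omitted from the output, not only the new `IAMPolicyStatement.Condition` element; callers that relied on explicit `null` members being written will see different JSON, which is more than the 2.2.1 to 2.2.2 patch bump suggests and warrants a mention in the release notes. The line carries no comment explaining why it was added; suggest `// Omit null members so optional policy elements such as IAMPolicyStatement.Condition are left out rather than written as explicit nulls.` If the `customizeSerializerSettings` callback from the constructor signature runs before this point, the assignment also silently overrides a caller's own NullValueHandling choice; applying it before the callback runs would let the caller's preference win. The constructor's body starts and ends outside the hunk.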
149 changes: 149 additions & 0 deletions Libraries/test/EventsTests.Shared/EventTests.cs
Expand Up @@ -26,6 +26,7 @@ namespace Amazon.Lambda.Tests
using Amazon.Lambda.SimpleEmailEvents;
using Amazon.Lambda.SNSEvents;
using Amazon.Lambda.SQSEvents;
using Amazon.Runtime.Internal.Transform;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using Newtonsoft.Json.Serialization;
Expand Down Expand Up @@ -2007,6 +2008,154 @@ public void APIGatewayAuthorizerResponseTest(Type serializerType)
Assert.Equal("execute-api:Invoke", root["policyDocument"]["Statement"][0]["Action"][0]);
Assert.Equal("Allow", root["policyDocument"]["Statement"][0]["Effect"]);
Assert.Equal("*", root["policyDocument"]["Statement"][0]["Resource"][0]);
Assert.Null(root["policyDocument"]["Statement"][0]["Condition"]);
}

[Theory]
[InlineData(typeof(JsonSerializer))]
#if NETCOREAPP3_1_OR_GREATER
[InlineData(typeof(Amazon.Lambda.Serialization.SystemTextJson.LambdaJsonSerializer))]
[InlineData(typeof(Amazon.Lambda.Serialization.SystemTextJson.DefaultLambdaJsonSerializer))]
#endif
public void APIGatewayAuthorizerWithSimpleIAMConditionResponseTest(Type serializerType)
{
var serializer = Activator.CreateInstance(serializerType) as ILambdaSerializer;
var context = new APIGatewayCustomAuthorizerContextOutput();
context["field1"] = "value1";
context["field2"] = "value2";

var response = new APIGatewayCustomAuthorizerResponse
{
PrincipalID = "prin1",
UsageIdentifierKey = "usageKey",
Context = context,
PolicyDocument = new APIGatewayCustomAuthorizerPolicy
{
Version = "2012-10-17",
Statement = new List<APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>
{
new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
{
Action = new HashSet<string>{ "execute-api:Invoke" },
Effect = "Allow",
Resource = new HashSet<string>{ "*" },
Condition = new Dictionary<string, IDictionary<string, object>>()
{
{ "StringEquals", new Dictionary<string, object>()
{
{ "aws:PrincipalTag/job-category", "iamuser-admin" }
}
}
}
}
}
}
};

string serializedJson;
using (MemoryStream stream = new MemoryStream())
{
serializer.Serialize(response, stream);

stream.Position = 0;
serializedJson = Encoding.UTF8.GetString(stream.ToArray());
}

JObject root = Newtonsoft.Json.JsonConvert.DeserializeObject(serializedJson) as JObject;

Assert.Equal("prin1", root["principalId"]);
Assert.Equal("usageKey", root["usageIdentifierKey"]);
Assert.Equal("value1", root["context"]["field1"]);
Assert.Equal("value2", root["context"]["field2"]);

Assert.Equal("2012-10-17", root["policyDocument"]["Version"]);
Assert.Equal("execute-api:Invoke", root["policyDocument"]["Statement"][0]["Action"][0]);
Assert.Equal("Allow", root["policyDocument"]["Statement"][0]["Effect"]);
Assert.Equal("*", root["policyDocument"]["Statement"][0]["Resource"][0]);
Assert.Equal("iamuser-admin", root["policyDocument"]["Statement"][0]["Condition"]["StringEquals"]["aws:PrincipalTag/job-category"].ToString());
}

[Theory]
[InlineData(typeof(JsonSerializer))]
#if NETCOREAPP3_1_OR_GREATER
[InlineData(typeof(Amazon.Lambda.Serialization.SystemTextJson.LambdaJsonSerializer))]
[InlineData(typeof(Amazon.Lambda.Serialization.SystemTextJson.DefaultLambdaJsonSerializer))]
#endif
public void APIGatewayAuthorizerWithMultiValueIAMConditionResponseTest(Type serializerType)
{
var serializer = Activator.CreateInstance(serializerType) as ILambdaSerializer;
var context = new APIGatewayCustomAuthorizerContextOutput();
context["field1"] = "value1";
context["field2"] = "value2";

var response = new APIGatewayCustomAuthorizerResponse
{
PrincipalID = "prin1",
UsageIdentifierKey = "usageKey",
Context = context,
PolicyDocument = new APIGatewayCustomAuthorizerPolicy
{
Version = "2012-10-17",
Statement = new List<APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>
{
new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
{
Action = new HashSet<string>{ "execute-api:Invoke" },
Effect = "Allow",
Resource = new HashSet<string>{ "*" },
Condition = new Dictionary<string, IDictionary<string, object>>()
{
{
"StringEquals",
new Dictionary<string, object>()
{
{ "aws:PrincipalTag/department", new List<string>{ "finance", "hr", "legal" } },
{ "aws:PrincipalTag/role", new List<string>{ "audit", "security" } }
}
},
{
"ArnLike",
new Dictionary<string, object>()
{
{ "aws:PrincipalArn", new List<string>{ "arn:aws:iam::XXXXXXXXXXXX:user/User1", "arn:aws:iam::XXXXXXXXXXXX:user/User2" } }
}
}
}
}
}
}
};

string serializedJson;
using (MemoryStream stream = new MemoryStream())
{
serializer.Serialize(response, stream);

stream.Position = 0;
serializedJson = Encoding.UTF8.GetString(stream.ToArray());
}

JObject root = Newtonsoft.Json.JsonConvert.DeserializeObject(serializedJson) as JObject;

Assert.Equal("prin1", root["principalId"]);
Assert.Equal("usageKey", root["usageIdentifierKey"]);
Assert.Equal("value1", root["context"]["field1"]);
Assert.Equal("value2", root["context"]["field2"]);

Assert.Equal("2012-10-17", root["policyDocument"]["Version"]);
Assert.Equal("execute-api:Invoke", root["policyDocument"]["Statement"][0]["Action"][0]);
Assert.Equal("Allow", root["policyDocument"]["Statement"][0]["Effect"]);
Assert.Equal("*", root["policyDocument"]["Statement"][0]["Resource"][0]);
Assert.Equal(3, root["policyDocument"]["Statement"][0]["Condition"]["StringEquals"]["aws:PrincipalTag/department"].Values<string>().ToList().Count);
Assert.Equal("finance", root["policyDocument"]["Statement"][0]["Condition"]["StringEquals"]["aws:PrincipalTag/department"][0]);
Assert.Equal("hr", root["policyDocument"]["Statement"][0]["Condition"]["StringEquals"]["aws:PrincipalTag/department"][1]);
Assert.Equal("legal", root["policyDocument"]["Statement"][0]["Condition"]["StringEquals"]["aws:PrincipalTag/department"][2]);
Assert.Equal(2, root["policyDocument"]["Statement"][0]["Condition"]["StringEquals"]["aws:PrincipalTag/role"].Values<string>().ToList().Count);
Assert.Equal("audit", root["policyDocument"]["Statement"][0]["Condition"]["StringEquals"]["aws:PrincipalTag/role"][0]);
Assert.Equal("security", root["policyDocument"]["Statement"][0]["Condition"]["StringEquals"]["aws:PrincipalTag/role"][1]);
Assert.Equal(2, root["policyDocument"]["Statement"][0]["Condition"]["ArnLike"]["aws:PrincipalArn"].Values<string>().ToList().Count);
Assert.Equal("arn:aws:iam::XXXXXXXXXXXX:user/User1", root["policyDocument"]["Statement"][0]["Condition"]["ArnLike"]["aws:PrincipalArn"][0]);
Assert.Equal("arn:aws:iam::XXXXXXXXXXXX:user/User2", root["policyDocument"]["Statement"][0]["Condition"]["ArnLike"]["aws:PrincipalArn"][1]);
}

[Theory]
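Review bot: The added `using Amazon.Runtime.Internal.Transform;` in the first hunk is not referenced by any of the new test code visible in this commit (the new tests use only collection, stream, encoding and Newtonsoft types), and `Amazon.Runtime.Internal` is an SDK-internal namespace not intended for consumers; it looks like an editor auto-import and should be removed. In the second hunk the two new theories repeat the response-building and serialize-to-`JObject` steps of `APIGatewayAuthorizerResponseTest` almost verbatim; a private helper that takes the `ILambdaSerializer` and the response and returns the parsed `JObject` would leave the Condition assertions as the only difference. Both new tests cast with `as ILambdaSerializer` and use the result without a null check; `var serializer = Assert.IsAssignableFrom<ILambdaSerializer>(Activator.CreateInstance(serializerType));` would turn a wrong serializer type into a clear failure instead of a NullReferenceException. The hunk ends inside the test class.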
