
APIGatewayRouteArn does not work with a proxy resource. #1047


Closed
brysontyrrell opened this issue Feb 28, 2022 · 9 comments
Labels
bug Something isn't working p1


@brysontyrrell

What were you trying to accomplish?

API Gateway with a Lambda Authorizer.

Path is /name/{proxy+}.

Allowing the route requested in the policy using APIGatewayAuthorizerResponse:

# APIGatewayAuthorizerTokenEvent
event_arn = event.parsed_arn
authorizer_policy = APIGatewayAuthorizerResponse(...)
authorizer_policy.allow_route(
    http_method=event_arn.http_method, resource=event_arn.resource
)
authorizer_policy.asdict()

Expected Behavior

The policy contains the correct resource path and can be returned to API Gateway.

Current Behavior

The resource is blank which causes this error to be thrown:

[ERROR] ValueError: Invalid resource path: . Path should match ^[/.a-zA-Z0-9-_\*]+$

I tracked it down to this line:

https://github.com/awslabs/aws-lambda-powertools-python/blame/develop/aws_lambda_powertools/utilities/data_classes/api_gateway_authorizer_event.py#L63

I don't know what the reason was for a hard check on the length of the parts for the path. @michaelbrewer could you share some light there?

Possible Solution

This issue is resolved with the following modification:

def alt_parse_api_gateway_arn(arn: str) -> APIGatewayRouteArn:
    """Parses a gateway route arn as a APIGatewayRouteArn class

    Parameters
    ----------
    arn : str
        ARN string for a methodArn or a routeArn
    Returns
    -------
    APIGatewayRouteArn
    """
    arn_parts = arn.split(":")
    api_gateway_arn_parts = arn_parts[5].split("/")
    return APIGatewayRouteArn(
        region=arn_parts[3],
        aws_account_id=arn_parts[4],
        api_id=api_gateway_arn_parts[0],
        stage=api_gateway_arn_parts[1],
        http_method=api_gateway_arn_parts[2],
        resource="/".join(api_gateway_arn_parts[3:]) if len(api_gateway_arn_parts) >= 4 else "",
    )

Steps to Reproduce (for bugs)

Create a proxy resource and set up a Lambda Authorizer using Powertools as described above.

Environment

  • Powertools version used: 1.25.1
  • Packaging format (Layers, PyPi): Both
  • AWS Lambda function runtime: Python 3.9
@brysontyrrell brysontyrrell added bug Something isn't working triage Pending triage from maintainers labels Feb 28, 2022
@michaelbrewer
Contributor

Thanks. I will have a look

@michaelbrewer
Contributor

@brysontyrrell can you add a sample event to make it easier for the failing test :-)

@michaelbrewer
Contributor

@brysontyrrell this fix will shift the error to the allow_route call next and {proxy+} is included in the resource

        if not self._resource_pattern.match(resource):
>           raise ValueError(f"Invalid resource path: {resource}. Path should match {self.path_regex}")
E           ValueError: Invalid resource path: name/{proxy+}. Path should match ^[/.a-zA-Z0-9-_\*]+$

@michaelbrewer
Contributor

@brysontyrrell I have a partial fix for the arn parsing:

But this will still fail to handle {proxy+} part

@brysontyrrell
Author

@michaelbrewer sorry for not including an example event. The path does not actually contain {proxy+} in the Lambda Function's event.

{
    "type": "TOKEN",
    "methodArn": "arn:aws:execute-api:us-east-2:1234567890:abcd1234/latest/GET/path/part/part/1",
    "authorizationToken": "Bearer TOKEN"
}

In the above my API Gateway route may be configured to have /path/{proxy+} but the APIGatewayAuthorizerTokenEvent event methodArn is /path/part/part/1.
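Added example, not part of the thread and not the Powertools source: it runs the sample `methodArn` above through a parser with a length check and through the joined-segment variant proposed in the issue, then builds an Allow statement scoped to the exact route requested. `RouteArn`, `parse`, `allow_statement` and the exact form of the "before" length check are assumptions made for illustration; the path regex is the one quoted in the error message.

```python
import re
from typing import NamedTuple

# Path pattern quoted in the error message on this page.
PATH_REGEX = re.compile(r"^[/.a-zA-Z0-9-_\*]+$")
# methodArn from the sample event posted in this thread.
SAMPLE_ARN = "arn:aws:execute-api:us-east-2:1234567890:abcd1234/latest/GET/path/part/part/1"


class RouteArn(NamedTuple):  # hypothetical stand-in for APIGatewayRouteArn
    region: str
    account_id: str
    api_id: str
    stage: str
    http_method: str
    resource: str


def parse(arn: str, join_segments: bool) -> RouteArn:
    """join_segments=False models the assumed length check; True keeps every segment."""
    head = arn.split(":")
    parts = head[5].split("/")
    if join_segments:
        resource = "/".join(parts[3:]) if len(parts) >= 4 else ""
    else:
        # Assumed 'before' behaviour: only a single-segment path survives.
        resource = parts[3] if len(parts) == 4 else ""
    return RouteArn(head[3], head[4], parts[0], parts[1], parts[2], resource)


def allow_statement(route: RouteArn) -> dict:
    """Build one Allow statement; reject any path the regex does not accept."""
    if not PATH_REGEX.match(route.resource):
        raise ValueError(f"Invalid resource path: {route.resource}.")
    path = route.resource.lstrip("/")
    return {
        "Effect": "Allow",
        "Action": "execute-api:Invoke",
        # Scoped to the requested method and path, not a wildcard.
        "Resource": f"arn:aws:execute-api:{route.region}:{route.account_id}:"
                    f"{route.api_id}/{route.stage}/{route.http_method}/{path}",
    }


if __name__ == "__main__":
    print(allow_statement(parse(SAMPLE_ARN, join_segments=True)))
```

With the joined parser the statement's `Resource` equals the incoming `methodArn`, so the authorizer grants only the route that was actually requested; the blank resource from the length-checked parser is rejected by the regex before any policy is emitted.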

@michaelbrewer
Contributor

Ok, @brysontyrrell then the PR should be valid!

@heitorlessa heitorlessa added p1 pending-release Fix or implementation already in dev waiting to be released and removed triage Pending triage from maintainers labels Mar 2, 2022
@heitorlessa
Contributor

Thanks everyone, just merged and hope to make a patch release with this and another fix by end of the week.

I suspect we might not need this hard check in case additional changes occur to ARNs, but it's also hard to predict whether this will happen - leaving as-is and will add to the maintenance list to revisit in the future with more time to test unhappy paths.

@github-actions
Contributor

github-actions bot commented Mar 7, 2022

This is now released under 1.25.2 version!

@github-actions github-actions bot closed this as completed Mar 7, 2022
@github-actions github-actions bot removed the pending-release Fix or implementation already in dev waiting to be released label Mar 7, 2022
@michaelbrewer
Contributor

Thanks everyone, just merged and hope to make a patch release with this and another fix by end of the week.

I suspect we might not need this hard check in case additional changes occur to ARNs, but it's also hard to predict whether this will happen - leaving as-is and will add to the maintenance list to revisit in the future with more time to test unhappy paths.

If there is an AWS regex or ARN parser then we can incorporate it into the tests. Otherwise a general purpose ARN parser could be used in many other places.
