Allow claims coming in from the RequestContext to of an API Gateway request to be serialized into APIGatewayCustomAuthorizerContext.

If there are claims create ClaimsPrincipal for the HttpContext.User with the claims for the AspNetCoreServer

This address GitHub issue #98

Author: normj

Libraries/src/Amazon.Lambda.APIGatewayEvents/APIGatewayCustomAuthorizerContext.cs

@@ -1,35 +1,139 @@
 namespace Amazon.Lambda.APIGatewayEvents
 {
+    using System;
+    using System.Collections.Generic;
     using System.Runtime.Serialization;
+    using Newtonsoft.Json.Linq;
 
     /// <summary>
     /// An object representing the expected format of an API Gateway custom authorizer response.
     /// </summary>
     [DataContract]
-    public class APIGatewayCustomAuthorizerContext
+    public class APIGatewayCustomAuthorizerContext : Dictionary<string, object>
     {
         /// <summary>
         /// Gets or sets the 'principalId' property.
         /// </summary>
-        [DataMember(Name = "principalId", IsRequired = false)]
-        public string PrincipalId { get; set; }
+        [Obsolete("This property is obsolete. Code should be updated to use the string index property like authorizer[\"principalId\"]")]
+        public string PrincipalId
+        {
+            get
+            {
+                object value;
+                if (this.TryGetValue("principalId", out value))
+                    return value.ToString();
+                return null;
+            }
+            set
+            {
+                this["principalId"] = value;
+            }
+        }
 
         /// <summary>
         /// Gets or sets the 'stringKey' property.
         /// </summary>
-        [DataMember(Name = "stringKey", IsRequired = false)]
-        public string StringKey { get; set; }
+        [Obsolete("This property is obsolete. Code should be updated to use the string index property like authorizer[\"stringKey\"]")]
+        public string StringKey
+        {
+            get
+            {
+                object value;
+                if (this.TryGetValue("stringKey", out value))
+                    return value.ToString();
+                return null;
+            }
+            set
+            {
+                this["stringKey"] = value;
+            }
+        }
 
         /// <summary>
         /// Gets or sets the 'numKey' property.
         /// </summary>
-        [DataMember(Name = "numKey", IsRequired = false)]
-        public int? NumKey { get; set; }
+        [Obsolete("This property is obsolete. Code should be updated to use the string index property like authorizer[\"numKey\"]")]
+        public int? NumKey
+        {
+            get
+            {
+                object value;
+                if (this.TryGetValue("numKey", out value))
+                {
+                    int i;
+                    if (int.TryParse(value?.ToString(), out i))
+                    {
+                        return i;
+                    }
+                }
+
+                return null;
+            }
+            set
+            {
+                this["numKey"] = value;
+            }
+        }
 
         /// <summary>
         /// Gets or sets the 'boolKey' property.
         /// </summary>
-        [DataMember(Name = "boolKey", IsRequired = false)]
-        public bool? BoolKey { get; set; }
+        [Obsolete("This property is obsolete. Code should be updated to use the string index property like authorizer[\"boolKey\"]")]
+        public bool? BoolKey
+        {
+            get
+            {
+                object value;
+                if (this.TryGetValue("boolKey", out value))
+                {
+                    bool b;
+                    if(bool.TryParse(value?.ToString(), out b))
+                    {
+                        return b;
+                    }
+                }
+                    
+                return null;
+            }
+            set
+            {
+                this["boolKey"] = value;
+            }
+        }
+
+        Dictionary<string, string> _claims;
+        /// <summary>
+        /// Gets or sets the claims coming from Cognito
+        /// </summary>
+        public Dictionary<string, string> Claims
+        {
+            get
+            {
+                if(_claims == null)
+                {
+                    _claims = new Dictionary<string, string>();
+
+                    object value;
+                    if(this.TryGetValue("claims", out value))
+                    {
+                        JObject jsonClaims = value as JObject;
+                        if (jsonClaims != null)
+                        {
+                            foreach (JProperty property in jsonClaims.Properties())
+                            {
+                                _claims[property.Name] = property.Value?.ToString();
+
+                            }
+                        }
+                    }
+                }
+
+                return _claims;
+            }
+            set
+            {
+                this._claims = value;
+            }
+        }
     }
 }

Libraries/src/Amazon.Lambda.APIGatewayEvents/Amazon.Lambda.APIGatewayEvents.csproj

@@ -15,6 +15,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Newtonsoft.Json" Version="9.0.1" />
     <PackageReference Include="System.Collections" Version="4.0.11" />
     <PackageReference Include="System.Runtime" Version="4.1.0" />
     <PackageReference Include="System.Runtime.Serialization.Primitives" Version="4.1.1" />

Libraries/src/Amazon.Lambda.AspNetCoreServer/APIGatewayProxyFunction.cs

@@ -10,8 +10,10 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Net;
 using System.Reflection;
+using System.Security.Claims;
 using System.Text;
 using System.Text.Encodings.Web;
 using System.Threading.Tasks;
@@ -177,6 +179,15 @@ public virtual async Task<APIGatewayProxyResponse> FunctionHandlerAsync(APIGatew
 
             var context = this.CreateContext(features);
 
+            if (request?.RequestContext?.Authorizer?.Claims != null)
+            {
+                var identity = new ClaimsIdentity(request.RequestContext.Authorizer.Claims.Select(
+                    entry => new Claim(entry.Key, entry.Value.ToString())), "AuthorizerIdentity");
+
+                lambdaContext.Logger.LogLine($"Configuring HttpContext.User with {request.RequestContext.Authorizer.Claims.Count} claims coming from API Gateway's Request Context");
+                context.HttpContext.User = new ClaimsPrincipal(identity);
+            }
+
             // Add along the Lambda objects to the HttpContext to give access to Lambda to them in the ASP.NET Core application
             context.HttpContext.Items[LAMBDA_CONTEXT] = lambdaContext;
             context.HttpContext.Items[APIGATEWAY_REQUEST] = request;

Libraries/test/Amazon.Lambda.AspNetCoreServer.Test/Amazon.Lambda.AspNetCoreServer.Test.csproj

@@ -11,12 +11,24 @@
     <GenerateAssemblyProductAttribute>false</GenerateAssemblyProductAttribute>
   </PropertyGroup>
 
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
+    <NoWarn>1701;1702;1705;CS0618</NoWarn>
+  </PropertyGroup>
+
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
+    <NoWarn>1701;1702;1705;CS0618</NoWarn>
+  </PropertyGroup>
+
   <ItemGroup>
     <Content Include="*.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </Content>
   </ItemGroup>
 
+  <ItemGroup>
+    <None Remove="authtest-access-request.json" />
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\TestWebApp\TestWebApp.csproj" />
     <ProjectReference Include="..\..\src\Amazon.Lambda.TestUtilities\Amazon.Lambda.TestUtilities.csproj" />

Libraries/test/Amazon.Lambda.AspNetCoreServer.Test/TestCallingWebAPI.cs

@@ -189,6 +189,24 @@ public async Task TestEscapeCharacterInResourcePath()
             Assert.Equal("value=query string", response.Body);
         }
 
+        [Fact]
+        public async Task TestAuthTestAccess()
+        {
+            var response = await this.InvokeAPIGatewayRequest("authtest-access-request.json");
+
+            Assert.Equal(200, response.StatusCode);
+            Assert.Equal("You Have Access", response.Body);
+        }
+
+
+        [Fact]
+        public async Task TestAuthTestNoAccess()
+        {
+            var response = await this.InvokeAPIGatewayRequest("authtest-noaccess-request.json");
+
+            Assert.NotEqual(200, response.StatusCode);
+        }
+
         private async Task<APIGatewayProxyResponse> InvokeAPIGatewayRequest(string fileName)
         {
             var context = new TestLambdaContext();

Libraries/test/Amazon.Lambda.AspNetCoreServer.Test/authtest-access-request.json

@@ -0,0 +1,66 @@
+{
+  "resource": "/{proxy+}",
+  "path": "/api/authtest",
+  "httpMethod": "GET",
+  "headers": {
+    "Authorization": "eyJraWQiOiJLdXprWCtcL0E4MWlVZGU5QSt2SFBMdzZCTUFmQzVqUGJ1NTZiT0VGNXdkaz0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI4ZWYzZTQ1NS0zODY5LTQwMmUtYWM5ZS1mODhlODZjMzIwYjMiLCJjb2duaXRvOmdyb3VwcyI6WyJBZG1pbiJdLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfUExpM2NmMHUwIiwicGhvbmVfbnVtYmVyX3ZlcmlmaWVkIjp0cnVlLCJjb2duaXRvOnVzZXJuYW1lIjoibm9ybWoiLCJhdWQiOiIzbXVzaGZjOHNnbTh1b2FjdmlmNXZoa3Q0OSIsImV2ZW50X2lkIjoiNzU3NjBmNTgtZjk4NC0xMWU3LThkNGEtMjM4OWVmYzUwZDY4IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1MTU5NzMyOTYsInBob25lX251bWJlciI6IisxNDI1NzM2NzM0OSIsImV4cCI6MTUxNTk3Njg5NiwiaWF0IjoxNTE1OTczMjk2LCJlbWFpbCI6ImpvaGFuc28yQGdtYWlsLmNvbSJ9.v1zIeTutUMzgXGoQy5dpOXUW6km9Ye-X-iLehgn1fO4HeJPZ9rOY9jDRMyRjyF5I57sAsN1v9uB3f98gEdStzO4qpASlYK7F7CtcenJ2lZYNU4gJPDQqEDdoMvE5Nir89RL09PYFceKaZw2Qr53VTLBfwaNGJYeSYeiZN09RL6fXwciH5h15rGwgNpl3kvzZOTLCqHNv3J7Y5POr8BjT2DvqUVJv7X1M5pOzHxWIqtBfAfyhEzZftIDqNKsI_aKZolkRd_UI77dSMNuZokJSAKlEuXc6fNJ556R3xSAhEli5DeZUIMdQLQVB7pIQzRlXvt2M0MMK-uC2d7_kUWAkVg",
+    "CloudFront-Forwarded-Proto": "https",
+    "CloudFront-Is-Desktop-Viewer": "true",
+    "CloudFront-Is-Mobile-Viewer": "false",
+    "CloudFront-Is-SmartTV-Viewer": "false",
+    "CloudFront-Is-Tablet-Viewer": "false",
+    "CloudFront-Viewer-Country": "US",
+    "Host": "zzqupfvhrk.execute-api.us-west-2.amazonaws.com",
+    "Via": "1.1 ca79756ec49e2babf1b916300304b2fb.cloudfront.net (CloudFront)",
+    "X-Amz-Cf-Id": "3OhHlF5fim8xxjG1-RZEFK4nos0t-JtPu6vvpNkUg9NOcl-Os53gBg==",
+    "X-Amzn-Trace-Id": "Root=1-5a5beab2-7cd6a52c614f43910ab9be30",
+    "X-Forwarded-For": "50.35.77.7, 52.46.17.45",
+    "X-Forwarded-Port": "443",
+    "X-Forwarded-Proto": "https"
+  },
+  "queryStringParameters": null,
+  "pathParameters": {
+    "proxy": "api/authtest"
+  },
+  "stageVariables": null,
+  "requestContext": {
+    "resourceId": "8gffya",
+    "authorizer": {
+      "claims": {
+        "cognito:groups": "Admin",
+        "phone_number_verified": "true",
+        "cognito:username": "normj",
+        "aud": "3mushfc8sgm8uoacvif5vhkt49",
+        "event_id": "75760f58-f984-11e7-8d4a-2389efc50d68",
+        "token_use": "id",
+        "auth_time": "1515973296",
+        "you_are_special" : "true"
+      }
+    },
+    "resourcePath": "/{proxy+}",
+    "httpMethod": "GET",
+    "requestTime": "14/Jan/2018:23:41:38 +0000",
+    "path": "/Prod/api/authtest",
+    "accountId": "626492997873",
+    "protocol": "HTTP/1.1",
+    "stage": "Prod",
+    "requestTimeEpoch": 1515973298687,
+    "requestId": "7713b963-f984-11e7-b02a-f346964d4540",
+    "identity": {
+      "cognitoIdentityPoolId": null,
+      "accountId": null,
+      "cognitoIdentityId": null,
+      "caller": null,
+      "sourceIp": "50.35.77.7",
+      "accessKey": null,
+      "cognitoAuthenticationType": null,
+      "cognitoAuthenticationProvider": null,
+      "userArn": null,
+      "userAgent": null,
+      "user": null
+    },
+    "apiId": "zzqupfvhrk"
+  },
+  "body": null,
+  "isBase64Encoded": false
+}

Libraries/test/Amazon.Lambda.AspNetCoreServer.Test/authtest-noaccess-request.json

@@ -0,0 +1,65 @@
+{
+  "resource": "/{proxy+}",
+  "path": "/api/authtest",
+  "httpMethod": "GET",
+  "headers": {
+    "Authorization": "eyJraWQiOiJLdXprWCtcL0E4MWlVZGU5QSt2SFBMdzZCTUFmQzVqUGJ1NTZiT0VGNXdkaz0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI4ZWYzZTQ1NS0zODY5LTQwMmUtYWM5ZS1mODhlODZjMzIwYjMiLCJjb2duaXRvOmdyb3VwcyI6WyJBZG1pbiJdLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfUExpM2NmMHUwIiwicGhvbmVfbnVtYmVyX3ZlcmlmaWVkIjp0cnVlLCJjb2duaXRvOnVzZXJuYW1lIjoibm9ybWoiLCJhdWQiOiIzbXVzaGZjOHNnbTh1b2FjdmlmNXZoa3Q0OSIsImV2ZW50X2lkIjoiNzU3NjBmNTgtZjk4NC0xMWU3LThkNGEtMjM4OWVmYzUwZDY4IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1MTU5NzMyOTYsInBob25lX251bWJlciI6IisxNDI1NzM2NzM0OSIsImV4cCI6MTUxNTk3Njg5NiwiaWF0IjoxNTE1OTczMjk2LCJlbWFpbCI6ImpvaGFuc28yQGdtYWlsLmNvbSJ9.v1zIeTutUMzgXGoQy5dpOXUW6km9Ye-X-iLehgn1fO4HeJPZ9rOY9jDRMyRjyF5I57sAsN1v9uB3f98gEdStzO4qpASlYK7F7CtcenJ2lZYNU4gJPDQqEDdoMvE5Nir89RL09PYFceKaZw2Qr53VTLBfwaNGJYeSYeiZN09RL6fXwciH5h15rGwgNpl3kvzZOTLCqHNv3J7Y5POr8BjT2DvqUVJv7X1M5pOzHxWIqtBfAfyhEzZftIDqNKsI_aKZolkRd_UI77dSMNuZokJSAKlEuXc6fNJ556R3xSAhEli5DeZUIMdQLQVB7pIQzRlXvt2M0MMK-uC2d7_kUWAkVg",
+    "CloudFront-Forwarded-Proto": "https",
+    "CloudFront-Is-Desktop-Viewer": "true",
+    "CloudFront-Is-Mobile-Viewer": "false",
+    "CloudFront-Is-SmartTV-Viewer": "false",
+    "CloudFront-Is-Tablet-Viewer": "false",
+    "CloudFront-Viewer-Country": "US",
+    "Host": "zzqupfvhrk.execute-api.us-west-2.amazonaws.com",
+    "Via": "1.1 ca79756ec49e2babf1b916300304b2fb.cloudfront.net (CloudFront)",
+    "X-Amz-Cf-Id": "3OhHlF5fim8xxjG1-RZEFK4nos0t-JtPu6vvpNkUg9NOcl-Os53gBg==",
+    "X-Amzn-Trace-Id": "Root=1-5a5beab2-7cd6a52c614f43910ab9be30",
+    "X-Forwarded-For": "50.35.77.7, 52.46.17.45",
+    "X-Forwarded-Port": "443",
+    "X-Forwarded-Proto": "https"
+  },
+  "queryStringParameters": null,
+  "pathParameters": {
+    "proxy": "api/authtest"
+  },
+  "stageVariables": null,
+  "requestContext": {
+    "resourceId": "8gffya",
+    "authorizer": {
+      "claims": {
+        "cognito:groups": "Admin",
+        "phone_number_verified": "true",
+        "cognito:username": "normj",
+        "aud": "3mushfc8sgm8uoacvif5vhkt49",
+        "event_id": "75760f58-f984-11e7-8d4a-2389efc50d68",
+        "token_use": "id",
+        "auth_time": "1515973296"
+      }
+    },
+    "resourcePath": "/{proxy+}",
+    "httpMethod": "GET",
+    "requestTime": "14/Jan/2018:23:41:38 +0000",
+    "path": "/Prod/api/authtest",
+    "accountId": "626492997873",
+    "protocol": "HTTP/1.1",
+    "stage": "Prod",
+    "requestTimeEpoch": 1515973298687,
+    "requestId": "7713b963-f984-11e7-b02a-f346964d4540",
+    "identity": {
+      "cognitoIdentityPoolId": null,
+      "accountId": null,
+      "cognitoIdentityId": null,
+      "caller": null,
+      "sourceIp": "50.35.77.7",
+      "accessKey": null,
+      "cognitoAuthenticationType": null,
+      "cognitoAuthenticationProvider": null,
+      "userArn": null,
+      "userAgent": null,
+      "user": null
+    },
+    "apiId": "zzqupfvhrk"
+  },
+  "body": null,
+  "isBase64Encoded": false
+}

Libraries/test/Amazon.Lambda.Tools.Test/ValidateAspNetCoreAllReferenceTest.cs

@@ -18,7 +18,7 @@ public void NewerAspNetCoreReference()
             var manifest = File.ReadAllText(@"ManifestTestFiles/SampleManifest.xml");
             var projectFile = File.ReadAllText(@"ManifestTestFiles/NewerAspNetCoreReference.xml");
 
-            Assert.Throws<AmazonLambdaException>(() => Utilities.ValidateMicrosoftAspNetCoreAllReferenceWithManifest(logger, manifest, projectFile));
+            Assert.Throws<LambdaToolsException>(() => Utilities.ValidateMicrosoftAspNetCoreAllReferenceWithManifest(logger, manifest, projectFile));
         }
 
         [Fact]