Merge branch 'master' into improvement-of-validate-arguments

aws · Jul 15, 2021 · fbc19fd · fbc19fd
2 parents 8845e52 + 99b35f2
commit fbc19fd
Show file tree

Hide file tree

Showing 10 changed files with 221 additions and 16 deletions.
diff --git a/events/apigw.go b/events/apigw.go
@@ -65,17 +65,18 @@ type APIGatewayV2HTTPRequest struct {
 
 // APIGatewayV2HTTPRequestContext contains the information to identify the AWS account and resources invoking the Lambda function.
 type APIGatewayV2HTTPRequestContext struct {
-	RouteKey     string                                               `json:"routeKey"`
-	AccountID    string                                               `json:"accountId"`
-	Stage        string                                               `json:"stage"`
-	RequestID    string                                               `json:"requestId"`
-	Authorizer   *APIGatewayV2HTTPRequestContextAuthorizerDescription `json:"authorizer,omitempty"`
-	APIID        string                                               `json:"apiId"` // The API Gateway HTTP API Id
-	DomainName   string                                               `json:"domainName"`
-	DomainPrefix string                                               `json:"domainPrefix"`
-	Time         string                                               `json:"time"`
-	TimeEpoch    int64                                                `json:"timeEpoch"`
-	HTTP         APIGatewayV2HTTPRequestContextHTTPDescription        `json:"http"`
+	RouteKey       string                                               `json:"routeKey"`
+	AccountID      string                                               `json:"accountId"`
+	Stage          string                                               `json:"stage"`
+	RequestID      string                                               `json:"requestId"`
+	Authorizer     *APIGatewayV2HTTPRequestContextAuthorizerDescription `json:"authorizer,omitempty"`
+	APIID          string                                               `json:"apiId"` // The API Gateway HTTP API Id
+	DomainName     string                                               `json:"domainName"`
+	DomainPrefix   string                                               `json:"domainPrefix"`
+	Time           string                                               `json:"time"`
+	TimeEpoch      int64                                                `json:"timeEpoch"`
+	HTTP           APIGatewayV2HTTPRequestContextHTTPDescription        `json:"http"`
+	Authentication APIGatewayV2HTTPRequestContextAuthentication         `json:"authentication"`
 }
 
 // APIGatewayV2HTTPRequestContextAuthorizerDescription contains authorizer information for the request context.
@@ -189,10 +190,46 @@ type APIGatewayWebsocketProxyRequestContext struct {
 	Status             string                    `json:"status"`
 }
 
-// APIGatewayCustomAuthorizerRequestTypeRequestIdentity contains identity information for the request caller.
+// APIGatewayCustomAuthorizerRequestTypeRequestIdentity contains identity information for the request caller including certificate information if using mTLS.
 type APIGatewayCustomAuthorizerRequestTypeRequestIdentity struct {
-	APIKey   string `json:"apiKey"`
-	SourceIP string `json:"sourceIp"`
+	APIKey     string                                                         `json:"apiKey"`
+	SourceIP   string                                                         `json:"sourceIp"`
+	ClientCert APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert `json:"clientCert"`
+}
+
+// APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert contains certificate information for the request caller if using mTLS.
+type APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert struct {
+	ClientCertPem string                                                                 `json:"clientCertPem"`
+	IssuerDN      string                                                                 `json:"issuerDN"`
+	SerialNumber  string                                                                 `json:"serialNumber"`
+	SubjectDN     string                                                                 `json:"subjectDN"`
+	Validity      APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity `json:"validity"`
+}
+
+// APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity contains certificate validity information for the request caller if using mTLS.
+type APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity struct {
+	NotAfter  string `json:"notAfter"`
+	NotBefore string `json:"notBefore"`
+}
+
+// APIGatewayV2HTTPRequestContextAuthentication contains authentication context information for the request caller including client certificate information if using mTLS.
+type APIGatewayV2HTTPRequestContextAuthentication struct {
+	ClientCert APIGatewayV2HTTPRequestContextAuthenticationClientCert `json:"clientCert"`
+}
+
+// APIGatewayV2HTTPRequestContextAuthenticationClientCert contains client certificate information for the request caller if using mTLS.
+type APIGatewayV2HTTPRequestContextAuthenticationClientCert struct {
+	ClientCertPem string                                                         `json:"clientCertPem"`
+	IssuerDN      string                                                         `json:"issuerDN"`
+	SerialNumber  string                                                         `json:"serialNumber"`
+	SubjectDN     string                                                         `json:"subjectDN"`
+	Validity      APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity `json:"validity"`
+}
+
+// APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity contains client certificate validity information for the request caller if using mTLS.
+type APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity struct {
+	NotAfter  string `json:"notAfter"`
+	NotBefore string `json:"notBefore"`
 }
 
 // APIGatewayCustomAuthorizerContext represents the expected format of an API Gateway custom authorizer response.

diff --git a/events/ecr_scan.go b/events/ecr_scan.go
@@ -0,0 +1,30 @@
+package events
+
+type ECRScanEvent struct {
+	Version    string                 `json:"version"`
+	ID         string                 `json:"id"`
+	DetailType string                 `json:"detail-type"`
+	Source     string                 `json:"source"`
+	Time       string                 `json:"time"`
+	Region     string                 `json:"region"`
+	Resources  []string               `json:"resources"`
+	Account    string                 `json:"account"`
+	Detail     ECRScanEventDetailType `json:"detail"`
+}
+
+type ECRScanEventDetailType struct {
+	ScanStatus            string                            `json:"scan-status"`
+	RepositoryName        string                            `json:"repository-name"`
+	FindingSeverityCounts ECRScanEventFindingSeverityCounts `json:"finding-severity-counts"`
+	ImageDigest           string                            `json:"image-digest"`
+	ImageTags             []string                          `json:"image-tags"`
+}
+
+type ECRScanEventFindingSeverityCounts struct {
+	Critical      int64 `json:"CRITICAL"`
+	High          int64 `json:"HIGH"`
+	Medium        int64 `json:"MEDIUM"`
+	Low           int64 `json:"LOW"`
+	Informational int64 `json:"INFORMATIONAL"`
+	Undefined     int64 `json:"UNDEFINED"`
+}
diff --git a/events/ecr_scan_test.go b/events/ecr_scan_test.go
@@ -0,0 +1,56 @@
+// Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+package events
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/aws/aws-lambda-go/events/test"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestECRScanEventMarshaling(t *testing.T) {
+	// 1. read JSON from file
+	inputJson := test.ReadJSONFromFile(t, "./testdata/ecr-image-scan-event.json")
+
+	// 2. de-serialize into Go object
+	var inputEvent ECRScanEvent
+	if err := json.Unmarshal(inputJson, &inputEvent); err != nil {
+		t.Errorf("could not unmarshal event. details: %v", err)
+	}
+
+	// 3. Verify values populated into Go Object, at least one validation per data type
+	assert.Equal(t, "0", inputEvent.Version)
+	assert.Equal(t, "01234567-0123-0123-0123-012345678901", inputEvent.ID)
+	assert.Equal(t, "ECR Image Scan", inputEvent.DetailType)
+	assert.Equal(t, "aws.ecr", inputEvent.Source)
+	assert.Equal(t, "123456789012", inputEvent.Account)
+	assert.Equal(t, "2019-10-30T21:32:27Z", inputEvent.Time)
+	assert.Equal(t, "eu-north-1", inputEvent.Region)
+	assert.Equal(t, "arn:aws:ecr:eu-north-1:123456789012:repository/tribble-image-scan-test", inputEvent.Resources[0])
+
+	var detail = inputEvent.Detail
+	assert.Equal(t, "COMPLETE", detail.ScanStatus)
+	assert.Equal(t, "tribble-image-scan-test", detail.RepositoryName)
+	assert.Equal(t, "sha256:d4a96ee9443e641fc100e763a0c10928720b50c6e3ea3342d05d7c3435fc5355", detail.ImageDigest)
+	assert.Equal(t, "1572471135", detail.ImageTags[0])
+	assert.Equal(t, int64(10), detail.FindingSeverityCounts.Critical)
+	assert.Equal(t, int64(2), detail.FindingSeverityCounts.High)
+	assert.Equal(t, int64(9), detail.FindingSeverityCounts.Medium)
+	assert.Equal(t, int64(3), detail.FindingSeverityCounts.Low)
+	assert.Equal(t, int64(0), detail.FindingSeverityCounts.Informational)
+	assert.Equal(t, int64(0), detail.FindingSeverityCounts.Undefined)
+
+	// 4. serialize to JSON
+	outputJson, err := json.Marshal(inputEvent)
+	if err != nil {
+		t.Errorf("could not marshal event. details: %v", err)
+	}
+
+	// 5. check result
+	assert.JSONEq(t, string(inputJson), string(outputJson))
+}
+
+func TestECRScanMarshalingMalformedJson(t *testing.T) {
+	test.TestMalformedJson(t, ECRScanEvent{})
+}
diff --git a/events/testdata/apigw-custom-auth-request-type-request.json b/events/testdata/apigw-custom-auth-request-type-request.json
@@ -68,7 +68,17 @@
         "requestId": "...",
         "identity": {
             "apiKey": "...",
-            "sourceIp": "..."
+            "sourceIp": "...",
+            "clientCert": {
+                "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+                "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+                "serialNumber": "1",
+                "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+                "validity": {
+                    "notAfter": "Aug  5 00:28:21 2120 GMT",
+                    "notBefore": "Aug 29 00:28:21 2020 GMT"
+                }
+            }
         },
         "resourcePath": "/request",
         "httpMethod": "GET",

diff --git a/events/testdata/apigw-v2-request-iam.json b/events/testdata/apigw-v2-request-iam.json
@@ -39,6 +39,18 @@
             }
         },
         "apiId": "api-id",
+        "authentication": {
+            "clientCert": {
+                "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+                "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+                "serialNumber": "1",
+                "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+                "validity": {
+                    "notAfter": "Aug  5 00:28:21 2120 GMT",
+                    "notBefore": "Aug 29 00:28:21 2020 GMT"
+                }
+            }            
+        },
         "domainName": "id.execute-api.us-east-1.amazonaws.com",
         "domainPrefix": "id",
         "time": "12/Mar/2020:19:03:58+0000",

diff --git a/events/testdata/apigw-v2-request-jwt-authorizer.json b/events/testdata/apigw-v2-request-jwt-authorizer.json
@@ -36,6 +36,18 @@
             }
         },
         "apiId": "api-id",
+        "authentication": {
+            "clientCert": {
+                "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+                "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+                "serialNumber": "1",
+                "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+                "validity": {
+                    "notAfter": "Aug  5 00:28:21 2120 GMT",
+                    "notBefore": "Aug 29 00:28:21 2020 GMT"
+                }
+            }            
+        },
         "domainName": "id.execute-api.us-east-1.amazonaws.com",
         "domainPrefix": "id",
         "time": "12/Mar/2020:19:03:58+0000",

diff --git a/events/testdata/apigw-v2-request-lambda-authorizer.json b/events/testdata/apigw-v2-request-lambda-authorizer.json
@@ -29,6 +29,18 @@
             }
         },
         "apiId": "api-id",
+        "authentication": {
+            "clientCert": {
+                "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+                "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+                "serialNumber": "1",
+                "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+                "validity": {
+                    "notAfter": "Aug  5 00:28:21 2120 GMT",
+                    "notBefore": "Aug 29 00:28:21 2020 GMT"
+                }
+            }            
+        },
         "domainName": "id.execute-api.us-east-1.amazonaws.com",
         "domainPrefix": "id",
         "time": "12/Mar/2020:19:03:58+0000",

diff --git a/events/testdata/apigw-v2-request-no-authorizer.json b/events/testdata/apigw-v2-request-no-authorizer.json
@@ -16,6 +16,18 @@
     "requestContext": {
         "accountId": "123456789012",
         "apiId": "aaaaaaaaaa",
+        "authentication": {
+            "clientCert": {
+                "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+                "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+                "serialNumber": "1",
+                "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+                "validity": {
+                    "notAfter": "Aug  5 00:28:21 2120 GMT",
+                    "notBefore": "Aug 29 00:28:21 2020 GMT"
+                }
+            }            
+        },
         "domainName": "aaaaaaaaaa.execute-api.us-west-2.amazonaws.com",
         "domainPrefix": "aaaaaaaaaa",
         "http": {

diff --git a/events/testdata/ecr-image-scan-event.json b/events/testdata/ecr-image-scan-event.json
@@ -0,0 +1,24 @@
+{
+  "version": "0",
+  "id": "01234567-0123-0123-0123-012345678901",
+  "detail-type": "ECR Image Scan",
+  "source": "aws.ecr",
+  "account": "123456789012",
+  "time": "2019-10-30T21:32:27Z",
+  "region": "eu-north-1",
+  "resources": ["arn:aws:ecr:eu-north-1:123456789012:repository/tribble-image-scan-test"],
+  "detail": {
+    "scan-status": "COMPLETE",
+    "repository-name": "tribble-image-scan-test",
+    "finding-severity-counts": {
+      "CRITICAL": 10,
+      "HIGH": 2,
+      "MEDIUM": 9,
+      "LOW": 3,
+      "INFORMATIONAL": 0,
+      "UNDEFINED": 0
+    },
+    "image-digest": "sha256:d4a96ee9443e641fc100e763a0c10928720b50c6e3ea3342d05d7c3435fc5355",
+    "image-tags": ["1572471135"]
+  }
+}
diff --git a/lambda/entry.go b/lambda/entry.go
@@ -57,7 +57,7 @@ func StartHandler(handler Handler) {
 
 type startFunction struct {
 	env string
-	f   func(ctx context.Context, envValue string, hander Handler) error
+	f   func(ctx context.Context, envValue string, handler Handler) error
 }
 
 var (