package authorizer
import (
"errors"
"github.com/aws/aws-lambda-go/events"
log "github.com/sirupsen/logrus"
)
// PolicyBuilder interface for building API GW custom authorizer policy.
//
// BuildPolicy receives the raw encoded token and returns the policy
// document that ResponseBuilder.BuildResponse places in the authorizer
// response as PolicyDocument. A non-nil error makes BuildResponse reject
// the request with "Unauthorized"; the policy value is then ignored.
// NOTE(review): BuildResponse has already parsed and audience-checked the
// token by the time this is called, but implementations still receive only
// the encoded string and must parse it themselves — confirm they do not
// trust unverified claims.
type PolicyBuilder interface {
	BuildPolicy(encodedToken string) (events.APIGatewayCustomAuthorizerPolicy, error)
}
// ContextBuilder interface for building context passed to resource server.
//
// BuildContext receives the raw encoded token and returns the key/value map
// that ResponseBuilder.BuildResponse sets as the Context field of the
// authorizer response, i.e. the values forwarded to the backend integration.
// A non-nil error makes BuildResponse reject the request with
// "Unauthorized". NOTE(review): API Gateway restricts context values to
// primitive types (string/number/bool) — confirm implementations respect
// that, and that they only forward values derived from the verified token.
type ContextBuilder interface {
	BuildContext(encodedToken string) (map[string]interface{}, error)
}
// ResponseBuilder struct for building proper custom authorizer response.
//
// Context supplies the verification material read by BuildResponse:
// Context.DecryptionKeys is handed to GetBaseClaims and
// Context.CognitoClients is the list of accepted audiences. PolicyBuilder
// and ContextBuilder produce the policy document and the context map of
// the response. All three fields must be set: BuildResponse dereferences
// them without a nil check and would panic otherwise.
type ResponseBuilder struct {
	Context        *Context
	PolicyBuilder  PolicyBuilder
	ContextBuilder ContextBuilder
}
// BuildResponse builds a proper custom authorizer response based on context, policy and context builders.
//
// The encoded token is first parsed into BaseTokenClaims by GetBaseClaims
// using b.Context.DecryptionKeys (presumably this is where the signature is
// verified — confirm in GetBaseClaims). The audience is then checked
// against every entry of b.Context.CognitoClients. A token whose TokenUse
// is "access" passes this step without an audience match, because only the
// ID token carries the audience field; as written, that also means an
// access token is accepted as soon as at least one client is configured,
// regardless of which client it was issued to, and rejected when the client
// list is empty. NOTE(review): if access tokens must be bound to a specific
// client, that check does not happen here — confirm against the claims type.
//
// Every failure returns a zero response together with the literal error
// "Unauthorized"; API Gateway maps that exact string to a 401, so the text
// must not be changed. The underlying cause is only logged (a bad token at
// Info level, builder failures at Error level). On success the response
// carries the token subject as PrincipalID, the policy from PolicyBuilder
// and the map from ContextBuilder. A nil b.Context, b.PolicyBuilder or
// b.ContextBuilder panics.
func (b ResponseBuilder) BuildResponse(encodedToken string) (events.APIGatewayCustomAuthorizerResponse, error) {
	// Single place that produces the rejection; the message is significant.
	deny := func() (events.APIGatewayCustomAuthorizerResponse, error) {
		return events.APIGatewayCustomAuthorizerResponse{}, errors.New("Unauthorized")
	}

	claims := &BaseTokenClaims{}
	if err := GetBaseClaims(encodedToken, b.Context.DecryptionKeys, claims); err != nil {
		log.WithField("error", err).Info("Failed to get token standard claims.")
		return deny()
	}

	// Stop at the first client that satisfies the check; VerifyAudience is
	// not called again once the token has been accepted.
	audienceOK := false
	for _, client := range b.Context.CognitoClients {
		if claims.VerifyAudience(client, true) || claims.TokenUse == "access" { // Only ID Token has audience field.
			audienceOK = true
			break
		}
	}
	if !audienceOK {
		log.WithField("audience", claims.Audience).Error("Failed to verify token audience.")
		return deny()
	}

	policy, err := b.PolicyBuilder.BuildPolicy(encodedToken)
	if err != nil {
		log.WithField("error", err).Error("Failed to build policy document.")
		return deny()
	}

	// Named authCtx rather than context to avoid shadowing the stdlib package name.
	authCtx, err := b.ContextBuilder.BuildContext(encodedToken)
	if err != nil {
		log.WithField("error", err).Error("Failed to build context.")
		return deny()
	}

	return events.APIGatewayCustomAuthorizerResponse{
		PrincipalID:    claims.Subject,
		PolicyDocument: policy,
		Context:        authCtx,
	}, nil
}