Merge pull request #342 from dum0nt73/master

Added struct definition to include ClientCert information to API Gateway when using mTLS

Author: carlzogh

events/apigw.go

@@ -65,17 +65,18 @@ type APIGatewayV2HTTPRequest struct {
 
 // APIGatewayV2HTTPRequestContext contains the information to identify the AWS account and resources invoking the Lambda function.
 type APIGatewayV2HTTPRequestContext struct {
-	RouteKey     string                                               `json:"routeKey"`
-	AccountID    string                                               `json:"accountId"`
-	Stage        string                                               `json:"stage"`
-	RequestID    string                                               `json:"requestId"`
-	Authorizer   *APIGatewayV2HTTPRequestContextAuthorizerDescription `json:"authorizer,omitempty"`
-	APIID        string                                               `json:"apiId"` // The API Gateway HTTP API Id
-	DomainName   string                                               `json:"domainName"`
-	DomainPrefix string                                               `json:"domainPrefix"`
-	Time         string                                               `json:"time"`
-	TimeEpoch    int64                                                `json:"timeEpoch"`
-	HTTP         APIGatewayV2HTTPRequestContextHTTPDescription        `json:"http"`
+	RouteKey       string                                               `json:"routeKey"`
+	AccountID      string                                               `json:"accountId"`
+	Stage          string                                               `json:"stage"`
+	RequestID      string                                               `json:"requestId"`
+	Authorizer     *APIGatewayV2HTTPRequestContextAuthorizerDescription `json:"authorizer,omitempty"`
+	APIID          string                                               `json:"apiId"` // The API Gateway HTTP API Id
+	DomainName     string                                               `json:"domainName"`
+	DomainPrefix   string                                               `json:"domainPrefix"`
+	Time           string                                               `json:"time"`
+	TimeEpoch      int64                                                `json:"timeEpoch"`
+	HTTP           APIGatewayV2HTTPRequestContextHTTPDescription        `json:"http"`
+	Authentication APIGatewayV2HTTPRequestContextAuthentication         `json:"authentication"`
 }
 
 // APIGatewayV2HTTPRequestContextAuthorizerDescription contains authorizer information for the request context.
@@ -189,10 +190,46 @@ type APIGatewayWebsocketProxyRequestContext struct {
 	Status             string                    `json:"status"`
 }
 
-// APIGatewayCustomAuthorizerRequestTypeRequestIdentity contains identity information for the request caller.
+// APIGatewayCustomAuthorizerRequestTypeRequestIdentity contains identity information for the request caller including certificate information if using mTLS.
 type APIGatewayCustomAuthorizerRequestTypeRequestIdentity struct {
-	APIKey   string `json:"apiKey"`
-	SourceIP string `json:"sourceIp"`
+	APIKey     string                                                         `json:"apiKey"`
+	SourceIP   string                                                         `json:"sourceIp"`
+	ClientCert APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert `json:"clientCert"`
+}
+
+// APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert contains certificate information for the request caller if using mTLS.
+type APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert struct {
+	ClientCertPem string                                                                 `json:"clientCertPem"`
+	IssuerDN      string                                                                 `json:"issuerDN"`
+	SerialNumber  string                                                                 `json:"serialNumber"`
+	SubjectDN     string                                                                 `json:"subjectDN"`
+	Validity      APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity `json:"validity"`
+}
+
+// APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity contains certificate validity information for the request caller if using mTLS.
+type APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCertValidity struct {
+	NotAfter  string `json:"notAfter"`
+	NotBefore string `json:"notBefore"`
+}
+
+// APIGatewayV2HTTPRequestContextAuthentication contains authentication context information for the request caller including client certificate information if using mTLS.
+type APIGatewayV2HTTPRequestContextAuthentication struct {
+	ClientCert APIGatewayV2HTTPRequestContextAuthenticationClientCert `json:"clientCert"`
+}
+
+// APIGatewayV2HTTPRequestContextAuthenticationClientCert contains client certificate information for the request caller if using mTLS.
+type APIGatewayV2HTTPRequestContextAuthenticationClientCert struct {
+	ClientCertPem string                                                         `json:"clientCertPem"`
+	IssuerDN      string                                                         `json:"issuerDN"`
+	SerialNumber  string                                                         `json:"serialNumber"`
+	SubjectDN     string                                                         `json:"subjectDN"`
+	Validity      APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity `json:"validity"`
+}
+
+// APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity contains client certificate validity information for the request caller if using mTLS.
+type APIGatewayV2HTTPRequestContextAuthenticationClientCertValidity struct {
+	NotAfter  string `json:"notAfter"`
+	NotBefore string `json:"notBefore"`
 }
 
 // APIGatewayCustomAuthorizerContext represents the expected format of an API Gateway custom authorizer response.

events/testdata/apigw-custom-auth-request-type-request.json

@@ -68,7 +68,17 @@
         "requestId": "...",
         "identity": {
             "apiKey": "...",
-            "sourceIp": "..."
+            "sourceIp": "...",
+            "clientCert": {
+                "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+                "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+                "serialNumber": "1",
+                "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+                "validity": {
+                    "notAfter": "Aug  5 00:28:21 2120 GMT",
+                    "notBefore": "Aug 29 00:28:21 2020 GMT"
+                }
+            }
         },
         "resourcePath": "/request",
         "httpMethod": "GET",

events/testdata/apigw-v2-request-iam.json

@@ -39,6 +39,18 @@
             }
         },
         "apiId": "api-id",
+        "authentication": {
+            "clientCert": {
+                "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+                "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+                "serialNumber": "1",
+                "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+                "validity": {
+                    "notAfter": "Aug  5 00:28:21 2120 GMT",
+                    "notBefore": "Aug 29 00:28:21 2020 GMT"
+                }
+            }            
+        },
         "domainName": "id.execute-api.us-east-1.amazonaws.com",
         "domainPrefix": "id",
         "time": "12/Mar/2020:19:03:58+0000",

events/testdata/apigw-v2-request-jwt-authorizer.json

@@ -36,6 +36,18 @@
             }
         },
         "apiId": "api-id",
+        "authentication": {
+            "clientCert": {
+                "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+                "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+                "serialNumber": "1",
+                "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+                "validity": {
+                    "notAfter": "Aug  5 00:28:21 2120 GMT",
+                    "notBefore": "Aug 29 00:28:21 2020 GMT"
+                }
+            }            
+        },
         "domainName": "id.execute-api.us-east-1.amazonaws.com",
         "domainPrefix": "id",
         "time": "12/Mar/2020:19:03:58+0000",

events/testdata/apigw-v2-request-lambda-authorizer.json

@@ -29,6 +29,18 @@
             }
         },
         "apiId": "api-id",
+        "authentication": {
+            "clientCert": {
+                "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+                "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+                "serialNumber": "1",
+                "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+                "validity": {
+                    "notAfter": "Aug  5 00:28:21 2120 GMT",
+                    "notBefore": "Aug 29 00:28:21 2020 GMT"
+                }
+            }            
+        },
         "domainName": "id.execute-api.us-east-1.amazonaws.com",
         "domainPrefix": "id",
         "time": "12/Mar/2020:19:03:58+0000",

events/testdata/apigw-v2-request-no-authorizer.json

@@ -16,6 +16,18 @@
     "requestContext": {
         "accountId": "123456789012",
         "apiId": "aaaaaaaaaa",
+        "authentication": {
+            "clientCert": {
+                "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
+                "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
+                "serialNumber": "1",
+                "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
+                "validity": {
+                    "notAfter": "Aug  5 00:28:21 2120 GMT",
+                    "notBefore": "Aug 29 00:28:21 2020 GMT"
+                }
+            }            
+        },
         "domainName": "aaaaaaaaaa.execute-api.us-west-2.amazonaws.com",
         "domainPrefix": "aaaaaaaaaa",
         "http": {