swagger 如何在OpenApi端点定义中引用已有的API网关授权器

iyr7buue  于 2023-02-22  发布在  其他
关注(0)|答案(1)|浏览(159)

我有一个用JSON编写的AWS SAM/CloudFormation模板,其中包含:

  1. API网关API的定义,端点使用OpenAPI DefinitionBody定义
  2. API网关授权者的定义,使用SAM/CF格式定义
    我试图找到一种方法来引用授权者(2)的每个端点(1),我希望使用授权者。
    下面是代码:
    • 授权人定义:**
"LambdaAuthorizer":{
    "Type": "AWS::ApiGateway::Authorizer",
    "Properties":{
        "IdentitySource":"method.request.header.Authorization",
        "Type":"TOKEN",
        "RestApiId":{
            "Ref": "ApiName"
        },
        "AuthorizerUri": {
            "Fn::Join" : ["", ["arn:aws:apigateway:", {"Ref": "AWS::Region"}, ":lambda:path/2015-03-31/functions/", {"Fn::GetAtt": ["AuthLambda", "Arn"]}, "/invocations"]]
        },
        "IdentityValidationExpression": "^[a-zA-Z0-9]{3,32}$",
        "AuthorizerResultTtlInSeconds": 300,
        "AuthorizerCredentials": {
            "Fn::GetAtt": ["LambdaAuthorizerRole", "Arn"]
        },
        "Name":"lambda-authorizer"
    }
},
    • 终点定义**
"API": {
    "Type": "AWS::Serverless::Api",
    "Properties": {
        ...
        "DefinitionBody": {
            ...
            "paths": {
                "/endpoint": {
                    "post": {
                        "responses": {
                            "200": {
                                "description": "200 response"
                            }
                        },
                        "x-amazon-apigateway-integration": {
                            "uri": {
                                "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${AuthLambda.Arn}/invocations"
                            },
                            "responses": {
                                "default": {
                                    "statusCode": "200",
                                    "contentHandling": "CONVERT_TO_TEXT"
                                }
                            },
                            "passthroughBehavior": "when_no_match",
                            "httpMethod": "POST",
                            "contentHandling": "CONVERT_TO_TEXT",
                            "type": "aws_proxy"
                        },
                        "security" : [{
                            "NAME OF OPEN API SECURITY DEFINITION":[] // Can I reference my existing Authorizer?
                        }]
                    }
                },
            }
        }
    }
}

正如您所看到的,我找到了OpenAPI security属性,根据AWS documentation,该属性用作对securityDefinitions的引用,在securityDefinitions中可以定义Authorizer。
但是我已经在CloudFormation JSON中定义了我的Authorizer,我不能引用它吗?

swagger

1条答案

按热度按时间
e3bfsja2

e3bfsja21#

API Gateway不允许您直接引用OpenAPI paths中的现有授权者ID。但是,有一个解决方案。您可以提供securitySchemes定义。securitySchemes的格式在OpenAPI 2.0(又名Swagger)和OpenAPI 3.0(此处的文档)之间会有所不同。
请确保securitySchemes的详细资料与现有API授权人完全匹配。如果所有内容都匹配,则API Gateway将使用现有授权人。如果存在差异,则将创建新授权人或覆盖现有授权人。请确保以下内容:
1.安全方案对象名称与授权者名称相同。在本例中,它是"lambda-authorizer"

  1. lambda授权人的类型为"apiKey"
  2. name是用于授权的HTTP头(通常为"Authorization"头)
  3. x-amazon-apigateway-authtype对于lambda授权者是"custom"
  4. x-amazon-apigateway-authorizer具有正确的类型("request""token")、正确的uri、ttl和身份源
    我已经用一个地区性的REST API测试过了,所以它在其他API网关类型上的表现可能会有所不同。下面的例子是AWS PetStore示例API的简化版本。
{
  "openapi" : "3.0.1",
  "info" : {
    "description" : "Your first API with Amazon API Gateway. This is a sample API that integrates via HTTP with our demo Pet Store endpoints",
    "version" : "1",
    "title" : "PetStore"
  },
  ...
  "paths" : {
    "/pets" : {
      "get" : {
        ...
        "security" : [ {
          "lambda-authorizer" : [ ]
        } ],
        "x-amazon-apigateway-integration" : {
          ...
        }
      }
    }
  },
  "components" : {
    "schemas" : {
      ...
    },
    "securitySchemes" : {
      "lambda-authorizer" : {
        "type" : "apiKey",
        "name" : "Authorization",
        "in" : "header",
        "x-amazon-apigateway-authtype" : "custom",
        "x-amazon-apigateway-authorizer" : {
          "type" : "request",
          "authorizerUri" : "arn:aws:apigateway:${region}:lambda:path/2015-03-31/functions/${lambda_authorizer_arn}/invocations",
          "authorizerResultTtlInSeconds" : 300,
          "identitySource" : "method.request.header.Authorization"
        }
      }
    }
  }
}

在这个例子中,你需要用API Gateway区域替换${region},用lambda函数的完整ARN替换${lambdaauthorizer_arn},完整的字符串如下所示:arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:lambda-authorizer-function/invocations

TL;DR:如果您想使用现有的授权者,您必须在OpenAPI文件中完全定义它。

赞(0)分享  回复(0)举报  2023-02-22
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com