serverless-java-container
API Gateway MTLS "clientCert" Availability?
Serverless Java Container version: 1.6
Implementations: Spring Boot
Framework version: 2.6.6
Frontend service: REST API
Scenario
I am utilizing MTLS authentication for my API Gateway: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/
In the documentation, it mentions that the clientCert is populated in the API GW's event payload when it is passed along to Lambda authorizers via the requestContext.
I want to base my authorization on the clientCert's subjectDN's CN within my java code, but I am not sure if it's possible or how I can access the clientCert from within my Java lambda utilizing aws-serverless-java-container. (I realize the lambda isn't a lambda authorizer, but I was hoping it may still be accessible.) Any suggestions?
Expected behavior
I would expect that clientCert is available within AwsProxyRequest's AwsProxyRequestContext.
EX:
    "authentication": {
      "clientCert": {
        "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
        "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
        "serialNumber": "1",
        "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
        "validity": {
          "notAfter": "Aug 5 00:28:21 2120 GMT",
          "notBefore": "Aug 29 00:28:21 2020 GMT"
        }
      }
    },
    ...
Actual behavior
I don't see anything in AwsProxyRequest or AwsProxyRequestContext related to certs or authentication.
Steps to reproduce
Set up a REST API Gateway pointing to your aws-serverless-java-container lambda. Add custom domain. Create certs. Enable MTLS. Make call to the REST API Gateway and attempt to find clientCert object from API GW event payload.
Full log output
N/A
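The authorization the reporter describes (allow or deny by the client certificate's subject CN) can be written against the raw API Gateway event while the typed request context lacks the field. The following is an added example, not code from aws-serverless-java-container or from the issue author. It assumes Java 11+ and Jackson on the classpath (both present with Spring Boot 2.6), assumes the allowlist and expected issuer CN shown as constants, and embeds a constructed event whose clientCert block mirrors the fragment quoted above. The page quotes the block under requestContext.authentication, which is the HTTP API payload shape; REST API events carry the same block under requestContext.identity, so the lookup checks both paths. API Gateway has already validated the chain against the configured truststore by the time the function runs, so the function's job is identity-based authorization; the issuer check is kept as defense in depth.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.io.IOException;
import java.util.Optional;
import java.util.Set;

/**
 * Added example (not part of aws-serverless-java-container): locate the mTLS
 * clientCert block in a raw API Gateway event and authorize the caller by the
 * subject CN, after confirming the certificate came from the expected CA.
 */
public final class ClientCertAuthorizer {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Assumed value: CN of the private CA loaded into the API's truststore.
    private static final String EXPECTED_ISSUER_CN = "My Private CA";

    // Assumed allowlist of client CNs permitted to call this function.
    private static final Set<String> ALLOWED_CLIENT_CNS = Set.of("My Client");

    /** Constructed sample event shaped like the fragment quoted in the issue. */
    static final String SAMPLE_EVENT = "{"
        + "\"requestContext\":{\"authentication\":{\"clientCert\":{"
        + "\"issuerDN\":\"C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA\","
        + "\"serialNumber\":\"1\","
        + "\"subjectDN\":\"C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client\","
        + "\"validity\":{\"notAfter\":\"Aug 5 00:28:21 2120 GMT\",\"notBefore\":\"Aug 29 00:28:21 2020 GMT\"}"
        + "}}}}";

    /**
     * Find the clientCert node. REST API (payload v1) events carry it under
     * requestContext.identity; HTTP API (payload v2) events under
     * requestContext.authentication. Both are checked so either event shape works.
     */
    static Optional<JsonNode> findClientCert(JsonNode event) {
        JsonNode ctx = event.path("requestContext");
        for (String parent : new String[] {"identity", "authentication"}) {
            JsonNode cert = ctx.path(parent).path("clientCert");
            if (cert.isObject()) {
                return Optional.of(cert);
            }
        }
        return Optional.empty();
    }

    /** Extract the CN attribute from an RFC 2253 distinguished name string. */
    static Optional<String> commonName(String dn) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return Optional.of(rdn.getValue().toString());
                }
            }
            return Optional.empty();
        } catch (InvalidNameException e) {
            // A DN that does not parse yields no identity; the caller is then denied.
            return Optional.empty();
        }
    }

    /** Returns the authorized client CN, or empty when the request must be denied. */
    static Optional<String> authorize(String rawEvent) throws IOException {
        JsonNode event = MAPPER.readTree(rawEvent);
        Optional<JsonNode> cert = findClientCert(event);
        if (cert.isEmpty()) {
            return Optional.empty();               // no mTLS identity present: deny
        }
        Optional<String> issuerCn = commonName(cert.get().path("issuerDN").asText(""));
        if (!issuerCn.map(EXPECTED_ISSUER_CN::equals).orElse(false)) {
            return Optional.empty();               // issued by an unexpected CA: deny
        }
        // Subject CN must be on the allowlist; anything else is denied.
        return commonName(cert.get().path("subjectDN").asText(""))
            .filter(ALLOWED_CLIENT_CNS::contains);
    }

    public static void main(String[] args) throws IOException {
        System.out.println("authorized client: " + authorize(SAMPLE_EVENT).orElse("<denied>"));
    }
}
```

Matching on the parsed CN rather than on a substring of the DN string avoids being fooled by a CN value that happens to contain "CN=" text, and treating an unparseable DN as "no identity" keeps the failure closed. Once the container exposes the clientCert properties on AwsProxyRequestContext, the same two checks (issuer CN, then subject CN against an allowlist) apply directly to those typed fields.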
Hi @coreyowensbillgo, thanks for reporting this issue. Would you be willing to work on a pull request for it? I'm happy to review, merge it and release a new version. Otherwise I'll look into it mid/ end of August.
@deki I'll dig further in and confirm if API Gateway is even expanding the event payload with the clientCert information when it is sent to a Lambda that's not a "lambda authorizer". Thank you for the quick reply.
Hi @coreyowensbillgo, have you made progress in the meantime? I plan to get a 1.9 release next month and would like to include a fix.
@deki Apologies for the late response, I've been away on vacation. My work around this had been put on the back-burner, but I'm happy to see you've made some progress!
Yeah I just added the missing properties but haven't made further progress (unittests, testing, docs, ...).