Add golang auth examples

Author: srbry

README.md

@@ -44,6 +44,7 @@ serverless install -u https://github.com/serverless/examples/tree/master/folder-
 |:--------------------------- |:-----|
 | [Aws Dotnet Rest Api With Dynamodb](https://github.com/serverless/examples/tree/master/aws-dotnet-rest-api-with-dynamodb/src/DotNetServerless.Lambda) <br/> Reading/Writing operations using .NET Core and DynamoDB | dotnet |
 | [Aws Lambda Layer](https://github.com/serverless/examples/tree/master/aws-ffmpeg-layer)  | nodeJS |
+| [Aws Golang Auth Examples](https://github.com/serverless/examples/tree/master/aws-golang-auth-examples) <br/> These example shows how to run a Golang lambda with authentication | golang |
 | [Aws Golang Dynamo Stream To Elasticsearch](https://github.com/serverless/examples/tree/master/aws-golang-dynamo-stream-to-elasticsearch) <br/> This example deploys a DynamoDB Table, an Elasticsearch Node, and a lambda triggered off of a Dynamo Stream which updates an elasticsearch index with the data from the Dynamo Table | golang |
 | [Aws Golang Simple Http Endpoint](https://github.com/serverless/examples/tree/master/aws-golang-simple-http-endpoint) <br/> Example demonstrates how to setup a simple HTTP GET endpoint with golang | golang |
 | [Aws Golang Stream Kinesis To Elasticsearch](https://github.com/serverless/examples/tree/master/aws-golang-stream-kinesis-to-elasticsearch) <br/> Pull data from AWS Kinesis streams and forward to elasticsearch | golang |

aws-golang-auth-examples/.gitignore

@@ -0,0 +1,4 @@
+bin/**
+vendor
+.serverless
+*.coverprofile

aws-golang-auth-examples/Makefile

@@ -0,0 +1,9 @@
+help:
+	@grep -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+functions := $(shell find functions -name \*main.go | awk -F'/' '{print $$2}')
+
+build: ## Build golang binaries
+	@for function in $(functions) ; do \
+		env GOOS=linux go build -ldflags="-s -w" -o bin/$$function functions/$$function/main.go ; \
+	done

aws-golang-auth-examples/README.md

@@ -0,0 +1,13 @@
+# Go Serverless Examples
+
+A few example of AWS lambda functions written in GoLang.
+
+Functions:
+
+- `hello-world`: Exactly what is says on the tin. Listening on a `/hello` path.
+- `auth`: An AWS API Gateway custom authorizer that sits in front of `hello-world`. It expects an auth bearer of `hello` as a header and is on the base `/` path. The auth header should be `Authorization: bearer hello`
+- `auth2` and `hello-world2`: The same as `auth` above except using auth contexts. Any name can be used as a bearer token, for example `Authorization: bearer Bob`. The response will then return `Hello, Bob!`
+
+I hope to add to these examples over time, if you have ideas please feel free to raise issues or pull requests.
+
+For more info on these example check out the [blog post](https://cloudnative.ly/lambdas-with-golang-a-technical-guide-6f381284897b)

aws-golang-auth-examples/functions/auth/auth_suite_test.go

@@ -0,0 +1,13 @@
+package main_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestAuth(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Auth Suite")
+}

aws-golang-auth-examples/functions/auth/main.go

@@ -0,0 +1,45 @@
+package main
+
+import (
+	"errors"
+	"strings"
+
+	"github.com/aws/aws-lambda-go/events"
+	"github.com/aws/aws-lambda-go/lambda"
+)
+
+func handler(request events.APIGatewayCustomAuthorizerRequest) (events.APIGatewayCustomAuthorizerResponse, error) {
+	token := request.AuthorizationToken
+	tokenSlice := strings.Split(token, " ")
+	var bearerToken string
+	if len(tokenSlice) > 1 {
+		bearerToken = tokenSlice[len(tokenSlice)-1]
+	}
+	if bearerToken != "hello" {
+		return events.APIGatewayCustomAuthorizerResponse{}, errors.New("Unauthorized")
+	}
+
+	return generatePolicy("user", "Allow", request.MethodArn), nil
+}
+
+func main() {
+	lambda.Start(handler)
+}
+
+func generatePolicy(principalID, effect, resource string) events.APIGatewayCustomAuthorizerResponse {
+	authResponse := events.APIGatewayCustomAuthorizerResponse{PrincipalID: principalID}
+
+	if effect != "" && resource != "" {
+		authResponse.PolicyDocument = events.APIGatewayCustomAuthorizerPolicy{
+			Version: "2012-10-17",
+			Statement: []events.IAMPolicyStatement{
+				{
+					Action:   []string{"execute-api:Invoke"},
+					Effect:   effect,
+					Resource: []string{resource},
+				},
+			},
+		}
+	}
+	return authResponse
+}

aws-golang-auth-examples/functions/auth/main_test.go

@@ -0,0 +1,69 @@
+package main
+
+import (
+	"github.com/aws/aws-lambda-go/events"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("the auth function", func() {
+	var (
+		response events.APIGatewayCustomAuthorizerResponse
+		request  events.APIGatewayCustomAuthorizerRequest
+		err      error
+	)
+
+	JustBeforeEach(func() {
+		response, err = handler(request)
+	})
+
+	AfterEach(func() {
+		request = events.APIGatewayCustomAuthorizerRequest{}
+		response = events.APIGatewayCustomAuthorizerResponse{}
+	})
+
+	Context("When the auth bearer is not set", func() {
+		It("Fails auth", func() {
+			Expect(err).To(MatchError("Unauthorized"))
+			Expect(response).To(Equal(events.APIGatewayCustomAuthorizerResponse{}))
+		})
+	})
+
+	Context("When the auth bearer is set", func() {
+		Context("and auth fails", func() {
+			BeforeEach(func() {
+				request = events.APIGatewayCustomAuthorizerRequest{
+					AuthorizationToken: "bearer token",
+					MethodArn:          "testARN",
+				}
+			})
+
+			It("Fails auth", func() {
+				Expect(err).To(MatchError("Unauthorized"))
+				Expect(response).To(Equal(events.APIGatewayCustomAuthorizerResponse{}))
+			})
+		})
+
+		Context("and auth succeeds", func() {
+			BeforeEach(func() {
+				request = events.APIGatewayCustomAuthorizerRequest{
+					AuthorizationToken: "bearer hello",
+					MethodArn:          "testARN",
+				}
+			})
+
+			It("authorizes", func() {
+				Expect(err).To(BeNil())
+				Expect(response.PolicyDocument.Version).To(Equal("2012-10-17"))
+				Expect(response.PolicyDocument.Statement).To(Equal([]events.IAMPolicyStatement{
+					{
+						Action:   []string{"execute-api:Invoke"},
+						Effect:   "Allow",
+						Resource: []string{"testARN"},
+					},
+				}))
+			})
+		})
+	})
+})

aws-golang-auth-examples/functions/auth2/auth_suite_test.go

@@ -0,0 +1,13 @@
+package main_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestAuth(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Auth Suite")
+}

aws-golang-auth-examples/functions/auth2/main.go

@@ -0,0 +1,46 @@
+package main
+
+import (
+	"errors"
+	"strings"
+
+	"github.com/aws/aws-lambda-go/events"
+	"github.com/aws/aws-lambda-go/lambda"
+)
+
+func handler(request events.APIGatewayCustomAuthorizerRequest) (events.APIGatewayCustomAuthorizerResponse, error) {
+	token := request.AuthorizationToken
+	tokenSlice := strings.Split(token, " ")
+	var bearerToken string
+	if len(tokenSlice) > 1 {
+		bearerToken = tokenSlice[len(tokenSlice)-1]
+	}
+	if bearerToken == "" {
+		return events.APIGatewayCustomAuthorizerResponse{}, errors.New("Unauthorized")
+	}
+
+	return generatePolicy("user", "Allow", request.MethodArn, map[string]interface{}{"name": bearerToken}), nil
+}
+
+func main() {
+	lambda.Start(handler)
+}
+
+func generatePolicy(principalID, effect, resource string, context map[string]interface{}) events.APIGatewayCustomAuthorizerResponse {
+	authResponse := events.APIGatewayCustomAuthorizerResponse{PrincipalID: principalID}
+
+	if effect != "" && resource != "" {
+		authResponse.PolicyDocument = events.APIGatewayCustomAuthorizerPolicy{
+			Version: "2012-10-17",
+			Statement: []events.IAMPolicyStatement{
+				{
+					Action:   []string{"execute-api:Invoke"},
+					Effect:   effect,
+					Resource: []string{resource},
+				},
+			},
+		}
+	}
+	authResponse.Context = context
+	return authResponse
+}

aws-golang-auth-examples/functions/auth2/main_test.go

@@ -0,0 +1,56 @@
+package main
+
+import (
+	"github.com/aws/aws-lambda-go/events"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("the auth function", func() {
+	var (
+		response events.APIGatewayCustomAuthorizerResponse
+		request  events.APIGatewayCustomAuthorizerRequest
+		err      error
+	)
+
+	JustBeforeEach(func() {
+		response, err = handler(request)
+	})
+
+	AfterEach(func() {
+		request = events.APIGatewayCustomAuthorizerRequest{}
+		response = events.APIGatewayCustomAuthorizerResponse{}
+	})
+
+	Context("When the auth bearer is not set", func() {
+		It("Fails auth", func() {
+			Expect(err).To(MatchError("Unauthorized"))
+			Expect(response).To(Equal(events.APIGatewayCustomAuthorizerResponse{}))
+		})
+	})
+
+	Context("When the auth bearer is set", func() {
+		Context("and auth succeeds", func() {
+			BeforeEach(func() {
+				request = events.APIGatewayCustomAuthorizerRequest{
+					AuthorizationToken: "bearer Bob",
+					MethodArn:          "testARN",
+				}
+			})
+
+			It("authorizes", func() {
+				Expect(err).To(BeNil())
+				Expect(response.PolicyDocument.Version).To(Equal("2012-10-17"))
+				Expect(response.PolicyDocument.Statement).To(Equal([]events.IAMPolicyStatement{
+					{
+						Action:   []string{"execute-api:Invoke"},
+						Effect:   "Allow",
+						Resource: []string{"testARN"},
+					},
+				}))
+				Expect(response.Context["name"]).To(Equal("Bob"))
+			})
+		})
+	})
+})

aws-golang-auth-examples/functions/hello-world/hello_world_suite_test.go

@@ -0,0 +1,13 @@
+package main_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestHelloWorld(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "HelloWorld Suite")
+}

aws-golang-auth-examples/functions/hello-world/main.go

@@ -0,0 +1,17 @@
+package main
+
+import (
+	"github.com/aws/aws-lambda-go/events"
+	"github.com/aws/aws-lambda-go/lambda"
+)
+
+func handler(request events.APIGatewayProxyRequest) (events.APIGatewayProxyResponse, error) {
+	return events.APIGatewayProxyResponse{
+		Body:       "Hello, World!",
+		StatusCode: 200,
+	}, nil
+}
+
+func main() {
+	lambda.Start(handler)
+}

aws-golang-auth-examples/functions/hello-world/main_test.go

@@ -0,0 +1,28 @@
+package main
+
+import (
+	"net/http"
+
+	"github.com/aws/aws-lambda-go/events"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Hello world", func() {
+	var (
+		response events.APIGatewayProxyResponse
+		request  events.APIGatewayProxyRequest
+		err      error
+	)
+
+	JustBeforeEach(func() {
+		response, err = handler(request)
+		Expect(err).To(BeNil())
+	})
+
+	It(`Returns "Hello, World!" and an OK status`, func() {
+		Expect(response.Body).To(Equal("Hello, World!"))
+		Expect(response.StatusCode).To(Equal(http.StatusOK))
+	})
+})

aws-golang-auth-examples/functions/hello-world2/hello_world_suite_test.go

@@ -0,0 +1,13 @@
+package main_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestHelloWorld(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "HelloWorld Suite")
+}

aws-golang-auth-examples/functions/hello-world2/main.go

@@ -0,0 +1,30 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/aws/aws-lambda-go/events"
+	"github.com/aws/aws-lambda-go/lambda"
+)
+
+func handler(request events.APIGatewayProxyRequest) (events.APIGatewayProxyResponse, error) {
+	var name string
+	if _, ok := request.RequestContext.Authorizer["name"]; ok {
+		name = request.RequestContext.Authorizer["name"].(string)
+	} else {
+		return events.APIGatewayProxyResponse{
+			Body:       "Unauthorized: Must be an authorized user with a name",
+			StatusCode: http.StatusUnauthorized,
+		}, nil
+	}
+
+	return events.APIGatewayProxyResponse{
+		Body:       fmt.Sprintf("Hello, %s!", name),
+		StatusCode: http.StatusOK,
+	}, nil
+}
+
+func main() {
+	lambda.Start(handler)
+}