aj/authorizer trace context (#300)

* wip: auth trace context * wip * wip stash * feat: working surrogate authorizer span and propagation. * feat: Use the tracer implementation of inject * refactor: Clean up trace header extraction into common method * refactor: clean up unneeded vars * feat: Config for encodeAuthorizerContext. * feat: Update default config tests * feat: working authorization propagation for token-based authorizers * feat: Add spec, remove unused attribute * feat: Specs for context and span inferrer * feat: Parse JSON with try * feat: fix bad autoimport * feat: remove unused variable * feat: remove unused id class * fix: and remove unused id export * feat: Remove more POC code * feat: Coalesce isTracedAuthorizerInvocation into a bool, add comments to describe when we can't create an inferred span * httpapi + restapi handled * move the injection from onEndingInvocation to onCompleteInvocation * lint fixes * all base64encode and all use authorizing requestId * add cached test cases and websocket test cases * fix token-type authorizer * fix the endTime() of SpanWrapper * fix no-string-throw error * padding ms to ns to be compatible with lambdas in other languages * add config.decodeAuthorizerContext and httpapi no zero-length span Co-authored-by: Joey Zhao <[email protected]>
DataDog · Nov 15, 2022 · 95b00f0 · 95b00f0
1 parent 6a12c46
commit 95b00f0
Show file tree

Hide file tree

Showing 20 changed files with 1,194 additions and 164 deletions.
diff --git a/event_samples/api-gateway-traced-authorizer-request-v1-cached.json b/event_samples/api-gateway-traced-authorizer-request-v1-cached.json
@@ -0,0 +1,89 @@
+{
+  "resource": "/hello",
+  "path": "/hello",
+  "httpMethod": "POST",
+  "headers": {
+    "Accept": "*/*",
+    "Accept-Encoding": "gzip, deflate, br",
+    "Authorization": "password",
+    "CloudFront-Forwarded-Proto": "https",
+    "CloudFront-Is-Desktop-Viewer": "true",
+    "CloudFront-Is-Mobile-Viewer": "false",
+    "CloudFront-Is-SmartTV-Viewer": "false",
+    "CloudFront-Is-Tablet-Viewer": "false",
+    "CloudFront-Viewer-ASN": "174",
+    "CloudFront-Viewer-Country": "US",
+    "Host": "3gsxz7lha4.execute-api.sa-east-1.amazonaws.com",
+    "Postman-Token": "62ccb3d9-a44f-427c-9952-418c0a2eb1c3",
+    "User-Agent": "PostmanRuntime/7.29.0",
+    "Via": "1.1 xxx (CloudFront)",
+    "X-Amz-Cf-Id": "90JXZEr6stVabQV78Zwn5EADW0evkpWINdmt3jzkuHQh9KtqowKejw==",
+    "X-Amzn-Trace-Id": "Root=1-62ffee4f-373bdfda15f09a065a39ac73",
+    "X-Forwarded-For": "38.142.177.195, 64.252.135.71",
+    "X-Forwarded-Port": "443",
+    "X-Forwarded-Proto": "https"
+  },
+  "multiValueHeaders": {
+    "Accept": ["*/*"],
+    "Accept-Encoding": ["gzip, deflate, br"],
+    "Authorization": ["password"],
+    "CloudFront-Forwarded-Proto": ["https"],
+    "CloudFront-Is-Desktop-Viewer": ["true"],
+    "CloudFront-Is-Mobile-Viewer": ["false"],
+    "CloudFront-Is-SmartTV-Viewer": ["false"],
+    "CloudFront-Is-Tablet-Viewer": ["false"],
+    "CloudFront-Viewer-ASN": ["174"],
+    "CloudFront-Viewer-Country": ["US"],
+    "Host": ["3gsxz7lha4.execute-api.sa-east-1.amazonaws.com"],
+    "Postman-Token": ["62ccb3d9-a44f-427c-9952-418c0a2eb1c3"],
+    "User-Agent": ["PostmanRuntime/7.29.0"],
+    "Via": ["1.1 xxx.cloudfront.net (CloudFront)"],
+    "X-Amz-Cf-Id": ["90JXZEr6stVabQV78Zwn5EADW0evkpWINdmt3jzkuHQh9KtqowKejw=="],
+    "X-Amzn-Trace-Id": ["Root=1-62ffee4f-373bdfda15f09a065a39ac73"],
+    "X-Forwarded-For": ["38.142.177.195, 64.252.135.71"],
+    "X-Forwarded-Port": ["443"],
+    "X-Forwarded-Proto": ["https"]
+  },
+  "queryStringParameters": null,
+  "multiValueQueryStringParameters": null,
+  "pathParameters": null,
+  "stageVariables": null,
+  "requestContext": {
+    "resourceId": "oozq9u",
+    "authorizer": {
+      "_datadog": "eyJ4LWRhdGFkb2ctdHJhY2UtaWQiOiIyMDk1MzE5NzYxMDg0NzEwNzQ3IiwieC1kYXRhZG9nLXBhcmVudC1pZCI6IjIwOTUzMTk3NjEwODQ3MTA3NDciLCJ4LWRhdGFkb2ctc2FtcGxpbmctcHJpb3JpdHkiOiIxIiwieC1kYXRhZG9nLXBhcmVudC1zcGFuLWZpbmlzaC10aW1lIjoxNjYwOTM5ODU3MDUyLCJ4LWRhdGFkb2ctYXV0aG9yaXppbmctcmVxdWVzdGlkIjoiZjFmOGQ0NmQtZWY2Zi00NmFmLWEzZWQtN2EyMGEyNmUyNjUxIn0=",
+      "principalId": "foo",
+      "integrationLatency": 0,
+      "preserve": "this key set by a customer"
+    },
+    "resourcePath": "/hello",
+    "httpMethod": "POST",
+    "extendedRequestId": "XIIseElXGjQFvXg=",
+    "requestTime": "19/Aug/2022:20:10:55 +0000",
+    "path": "/dev/hello",
+    "accountId": "601427279990",
+    "protocol": "HTTP/1.1",
+    "stage": "dev",
+    "domainPrefix": "3gsxz7lha4",
+    "requestTimeEpoch": 1660939855656,
+    "requestId": "f1f8d46d-ef6f-46af-a3ed-7a20a26e2652",
+    "identity": {
+      "cognitoIdentityPoolId": null,
+      "accountId": null,
+      "cognitoIdentityId": null,
+      "caller": null,
+      "sourceIp": "38.142.177.195",
+      "principalOrgId": null,
+      "accessKey": null,
+      "cognitoAuthenticationType": null,
+      "cognitoAuthenticationProvider": null,
+      "userArn": null,
+      "userAgent": "PostmanRuntime/7.29.0",
+      "user": null
+    },
+    "domainName": "3gsxz7lha4.execute-api.sa-east-1.amazonaws.com",
+    "apiId": "3gsxz7lha4"
+  },
+  "body": null,
+  "isBase64Encoded": false
+}
diff --git a/event_samples/api-gateway-traced-authorizer-request-v1.json b/event_samples/api-gateway-traced-authorizer-request-v1.json
@@ -0,0 +1,89 @@
+{
+  "resource": "/hello",
+  "path": "/hello",
+  "httpMethod": "POST",
+  "headers": {
+    "Accept": "*/*",
+    "Accept-Encoding": "gzip, deflate, br",
+    "Authorization": "password",
+    "CloudFront-Forwarded-Proto": "https",
+    "CloudFront-Is-Desktop-Viewer": "true",
+    "CloudFront-Is-Mobile-Viewer": "false",
+    "CloudFront-Is-SmartTV-Viewer": "false",
+    "CloudFront-Is-Tablet-Viewer": "false",
+    "CloudFront-Viewer-ASN": "174",
+    "CloudFront-Viewer-Country": "US",
+    "Host": "3gsxz7lha4.execute-api.sa-east-1.amazonaws.com",
+    "Postman-Token": "62ccb3d9-a44f-427c-9952-418c0a2eb1c3",
+    "User-Agent": "PostmanRuntime/7.29.0",
+    "Via": "1.1 xxx.cloudfront.net (CloudFront)",
+    "X-Amz-Cf-Id": "90JXZEr6stVabQV78Zwn5EADW0evkpWINdmt3jzkuHQh9KtqowKejw==",
+    "X-Amzn-Trace-Id": "Root=1-62ffee4f-373bdfda15f09a065a39ac73",
+    "X-Forwarded-For": "38.142.177.195, 64.252.135.71",
+    "X-Forwarded-Port": "443",
+    "X-Forwarded-Proto": "https"
+  },
+  "multiValueHeaders": {
+    "Accept": ["*/*"],
+    "Accept-Encoding": ["gzip, deflate, br"],
+    "Authorization": ["password"],
+    "CloudFront-Forwarded-Proto": ["https"],
+    "CloudFront-Is-Desktop-Viewer": ["true"],
+    "CloudFront-Is-Mobile-Viewer": ["false"],
+    "CloudFront-Is-SmartTV-Viewer": ["false"],
+    "CloudFront-Is-Tablet-Viewer": ["false"],
+    "CloudFront-Viewer-ASN": ["174"],
+    "CloudFront-Viewer-Country": ["US"],
+    "Host": ["3gsxz7lha4.execute-api.sa-east-1.amazonaws.com"],
+    "Postman-Token": ["62ccb3d9-a44f-427c-9952-418c0a2eb1c3"],
+    "User-Agent": ["PostmanRuntime/7.29.0"],
+    "Via": ["1.1 xxx.cloudfront.net (CloudFront)"],
+    "X-Amz-Cf-Id": ["90JXZEr6stVabQV78Zwn5EADW0evkpWINdmt3jzkuHQh9KtqowKejw=="],
+    "X-Amzn-Trace-Id": ["Root=1-62ffee4f-373bdfda15f09a065a39ac73"],
+    "X-Forwarded-For": ["38.142.177.195, 64.252.135.71"],
+    "X-Forwarded-Port": ["443"],
+    "X-Forwarded-Proto": ["https"]
+  },
+  "queryStringParameters": null,
+  "multiValueQueryStringParameters": null,
+  "pathParameters": null,
+  "stageVariables": null,
+  "requestContext": {
+    "resourceId": "oozq9u",
+    "authorizer": {
+      "_datadog": "eyJ4LWRhdGFkb2ctdHJhY2UtaWQiOiIyMDk1MzE5NzYxMDg0NzEwNzQ3IiwieC1kYXRhZG9nLXBhcmVudC1pZCI6IjIwOTUzMTk3NjEwODQ3MTA3NDciLCJ4LWRhdGFkb2ctc2FtcGxpbmctcHJpb3JpdHkiOiIxIiwieC1kYXRhZG9nLXBhcmVudC1zcGFuLWZpbmlzaC10aW1lIjoxNjYwOTM5ODU3MDUyMDAwMDAwLCJ4LWRhdGFkb2ctYXV0aG9yaXppbmctcmVxdWVzdGlkIjoiZjFmOGQ0NmQtZWY2Zi00NmFmLWEzZWQtN2EyMGEyNmUyNjUxIn0=",
+      "principalId": "foo",
+      "integrationLatency": 1419,
+      "preserve": "this key set by a customer"
+    },
+    "resourcePath": "/hello",
+    "httpMethod": "POST",
+    "extendedRequestId": "XIIseElXGjQFvXg=",
+    "requestTime": "19/Aug/2022:20:10:55 +0000",
+    "path": "/dev/hello",
+    "accountId": "601427279990",
+    "protocol": "HTTP/1.1",
+    "stage": "dev",
+    "domainPrefix": "3gsxz7lha4",
+    "requestTimeEpoch": 1660939855656,
+    "requestId": "f1f8d46d-ef6f-46af-a3ed-7a20a26e2651",
+    "identity": {
+      "cognitoIdentityPoolId": null,
+      "accountId": null,
+      "cognitoIdentityId": null,
+      "caller": null,
+      "sourceIp": "38.142.177.195",
+      "principalOrgId": null,
+      "accessKey": null,
+      "cognitoAuthenticationType": null,
+      "cognitoAuthenticationProvider": null,
+      "userArn": null,
+      "userAgent": "PostmanRuntime/7.29.0",
+      "user": null
+    },
+    "domainName": "3gsxz7lha4.execute-api.sa-east-1.amazonaws.com",
+    "apiId": "3gsxz7lha4"
+  },
+  "body": null,
+  "isBase64Encoded": false
+}
diff --git a/event_samples/api-gateway-traced-authorizer-request-v2-cached.json b/event_samples/api-gateway-traced-authorizer-request-v2-cached.json
@@ -0,0 +1,47 @@
+{
+  "version": "2.0",
+  "routeKey": "GET /hello",
+  "rawPath": "/hello",
+  "rawQueryString": "",
+  "headers": {
+    "accept": "*/*",
+    "accept-encoding": "gzip, deflate, br",
+    "authorization": "secretT0k3n",
+    "authorizationtoken": "secretT0k3n",
+    "cache-control": "no-cache",
+    "content-length": "0",
+    "host": "l9flvsey83.execute-api.sa-east-1.amazonaws.com",
+    "postman-token": "e0a783f5-8f72-427f-99bb-81d28ac3b37b",
+    "user-agent": "PostmanRuntime/7.29.2",
+    "userid": "27",
+    "x-amzn-trace-id": "Root=1-6346fdb8-74147ee52ffc4c685787d44c",
+    "x-forwarded-for": "24.193.182.233",
+    "x-forwarded-port": "443",
+    "x-forwarded-proto": "https"
+  },
+  "requestContext": {
+    "accountId": "601427279990",
+    "apiId": "l9flvsey83",
+    "authorizer": {
+      "lambda": {
+        "_datadog": "eyJ4LWRhdGFkb2ctdHJhY2UtaWQiOiIzNzI2NzU1MTU4Mjk1OTIxMDQiLCJ4LWRhdGFkb2ctcGFyZW50LWlkIjoiMzcyNjc1NTE1ODI5NTkyMTA0IiwieC1kYXRhZG9nLXNhbXBsaW5nLXByaW9yaXR5IjoiMSIsIngtZGF0YWRvZy1wYXJlbnQtc3Bhbi1maW5pc2gtdGltZSI6MTY2NTU5Njc3MTgxMiwieC1kYXRhZG9nLWF1dGhvcml6aW5nLXJlcXVlc3RpZCI6Ilo1eUhmaDVFR2pRRUpCZz0ifQ==",
+        "scope": "this is just a string"
+      }
+    },
+    "domainName": "l9flvsey83.execute-api.sa-east-1.amazonaws.com",
+    "domainPrefix": "l9flvsey83",
+    "http": {
+      "method": "GET",
+      "path": "/hello",
+      "protocol": "HTTP/1.1",
+      "sourceIp": "24.193.182.233",
+      "userAgent": "PostmanRuntime/7.29.2"
+    },
+    "requestId": "Z5yU6jHVmjQEJ4Q=",
+    "routeKey": "GET /hello",
+    "stage": "$default",
+    "time": "12/Oct/2022:17:47:36 +0000",
+    "timeEpoch": 1665596856876
+  },
+  "isBase64Encoded": false
+}
diff --git a/event_samples/api-gateway-traced-authorizer-request-v2.json b/event_samples/api-gateway-traced-authorizer-request-v2.json
@@ -0,0 +1,47 @@
+{
+  "version": "2.0",
+  "routeKey": "GET /hello",
+  "rawPath": "/hello",
+  "rawQueryString": "",
+  "headers": {
+    "accept": "*/*",
+    "accept-encoding": "gzip, deflate, br",
+    "authorization": "secretT0k3n",
+    "authorizationtoken": "secretT0k3n",
+    "cache-control": "no-cache",
+    "content-length": "0",
+    "host": "l9flvsey83.execute-api.sa-east-1.amazonaws.com",
+    "postman-token": "e7c0d4f6-6af1-46dc-81ad-76dd8b02af8c",
+    "user-agent": "PostmanRuntime/7.29.2",
+    "userid": "27",
+    "x-amzn-trace-id": "Root=1-6346fd62-123a3d6477d3393b1509b50b",
+    "x-forwarded-for": "24.193.182.233",
+    "x-forwarded-port": "443",
+    "x-forwarded-proto": "https"
+  },
+  "requestContext": {
+    "accountId": "601427279990",
+    "apiId": "l9flvsey83",
+    "authorizer": {
+      "lambda": {
+        "_datadog": "eyJ4LWRhdGFkb2ctdHJhY2UtaWQiOiIzNzI2NzU1MTU4Mjk1OTIxMDQiLCJ4LWRhdGFkb2ctcGFyZW50LWlkIjoiMzcyNjc1NTE1ODI5NTkyMTA0IiwieC1kYXRhZG9nLXNhbXBsaW5nLXByaW9yaXR5IjoiMSIsIngtZGF0YWRvZy1wYXJlbnQtc3Bhbi1maW5pc2gtdGltZSI6MTY2NTU5Njc3MTgxMjAwMDAwMCwieC1kYXRhZG9nLWF1dGhvcml6aW5nLXJlcXVlc3RpZCI6Ilo1eUhmaDVFR2pRRUpCZz0ifQ==",
+        "scope": "this is just a string"
+      }
+    },
+    "domainName": "l9flvsey83.execute-api.sa-east-1.amazonaws.com",
+    "domainPrefix": "l9flvsey83",
+    "http": {
+      "method": "GET",
+      "path": "/hello",
+      "protocol": "HTTP/1.1",
+      "sourceIp": "24.193.182.233",
+      "userAgent": "PostmanRuntime/7.29.2"
+    },
+    "requestId": "Z5yHfh5EGjQEJBg=",
+    "routeKey": "GET /hello",
+    "stage": "$default",
+    "time": "12/Oct/2022:17:46:10 +0000",
+    "timeEpoch": 1665596770926
+  },
+  "isBase64Encoded": false
+}
diff --git a/event_samples/api-gateway-traced-authorizer-request-websocket-connect.json b/event_samples/api-gateway-traced-authorizer-request-websocket-connect.json
@@ -0,0 +1,48 @@
+{
+  "headers": {
+    "Auth": "secretT0k3n",
+    "Host": "85fj5nw29d.execute-api.sa-east-1.amazonaws.com",
+    "Sec-WebSocket-Extensions": "permessage-deflate; client_max_window_bits",
+    "Sec-WebSocket-Key": "4v5yA3WKtAK6EK1KUvSxew==",
+    "Sec-WebSocket-Version": "13",
+    "X-Amzn-Trace-Id": "Root=1-6356cf5d-355baf3954d8ebee6af753ef",
+    "X-Forwarded-For": "24.193.182.233",
+    "X-Forwarded-Port": "443",
+    "X-Forwarded-Proto": "https"
+  },
+  "multiValueHeaders": {
+    "Auth": ["secretT0k3n"],
+    "Host": ["85fj5nw29d.execute-api.sa-east-1.amazonaws.com"],
+    "Sec-WebSocket-Extensions": ["permessage-deflate; client_max_window_bits"],
+    "Sec-WebSocket-Key": ["4v5yA3WKtAK6EK1KUvSxew=="],
+    "Sec-WebSocket-Version": ["13"],
+    "X-Amzn-Trace-Id": ["Root=1-6356cf5d-355baf3954d8ebee6af753ef"],
+    "X-Forwarded-For": ["24.193.182.233"],
+    "X-Forwarded-Port": ["443"],
+    "X-Forwarded-Proto": ["https"]
+  },
+  "requestContext": {
+    "routeKey": "$connect",
+    "authorizer": {
+      "_datadog": "eyJ4LWRhdGFkb2ctdHJhY2UtaWQiOiI2NTQ1NDA2NzQ3NDUzNjg0NjAwIiwieC1kYXRhZG9nLXBhcmVudC1pZCI6IjY1NDU0MDY3NDc0NTM2ODQ2MDAiLCJ4LWRhdGFkb2ctc2FtcGxpbmctcHJpb3JpdHkiOiIxIiwieC1kYXRhZG9nLXBhcmVudC1zcGFuLWZpbmlzaC10aW1lIjoxNjY2NjMzNTY2OTMxMDAwMDAwLCJ4LWRhdGFkb2ctYXV0aG9yaXppbmctcmVxdWVzdGlkIjoiYWhWV3NIVkFtalFGcTZnPSJ9",
+      "scope": "this is just a string",
+      "principalId": "foo",
+      "integrationLatency": 1119
+    },
+    "eventType": "CONNECT",
+    "extendedRequestId": "ahVWsHVAmjQFq6g=",
+    "requestTime": "24/Oct/2022:17:46:05 +0000",
+    "messageDirection": "IN",
+    "stage": "dev",
+    "connectedAt": 1666633565827,
+    "requestTimeEpoch": 1666633565828,
+    "identity": {
+      "sourceIp": "24.193.182.233"
+    },
+    "requestId": "ahVWsHVAmjQFq6g=",
+    "domainName": "85fj5nw29d.execute-api.sa-east-1.amazonaws.com",
+    "connectionId": "ahVWscZqmjQCI1w=",
+    "apiId": "85fj5nw29d"
+  },
+  "isBase64Encoded": false
+}
diff --git a/event_samples/api-gateway-traced-authorizer-request-websocket-message.json b/event_samples/api-gateway-traced-authorizer-request-websocket-message.json
@@ -0,0 +1,27 @@
+{
+  "requestContext": {
+    "routeKey": "hello",
+    "authorizer": {
+      "_datadog": "eyJ4LWRhdGFkb2ctdHJhY2UtaWQiOiI2NTQ1NDA2NzQ3NDUzNjg0NjAwIiwieC1kYXRhZG9nLXBhcmVudC1pZCI6IjY1NDU0MDY3NDc0NTM2ODQ2MDAiLCJ4LWRhdGFkb2ctc2FtcGxpbmctcHJpb3JpdHkiOiIxIiwieC1kYXRhZG9nLXBhcmVudC1zcGFuLWZpbmlzaC10aW1lIjoxNjY2NjMzNTY2OTMxLCJ4LWRhdGFkb2ctYXV0aG9yaXppbmctcmVxdWVzdGlkIjoiYWhWV3NIVkFtalFGcTZnPSJ9",
+      "scope": "this is just a string",
+      "principalId": "foo"
+    },
+    "messageId": "ahVmYcavmjQCI1w=",
+    "eventType": "MESSAGE",
+    "extendedRequestId": "ahVmYGOMmjQFhyg=",
+    "requestTime": "24/Oct/2022:17:47:46 +0000",
+    "messageDirection": "IN",
+    "stage": "dev",
+    "connectedAt": 1666633565827,
+    "requestTimeEpoch": 1666633666203,
+    "identity": {
+      "sourceIp": "24.193.182.233"
+    },
+    "requestId": "ahVmYGOMmjQFhyg=",
+    "domainName": "85fj5nw29d.execute-api.sa-east-1.amazonaws.com",
+    "connectionId": "ahVWscZqmjQCI1w=",
+    "apiId": "85fj5nw29d"
+  },
+  "body": "{\"action\": \"hello\", \"message\":\"in\"}",
+  "isBase64Encoded": false
+}