Add client certificate struct as field to APIGatewayRequestIdentity (#573)

Jon-Miao · Jonathan Miao · bmoffatt · web-flow · commit d406b1366f00 · 2025-05-22T14:49:21.000-07:00
As seen in the docs https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html this field should be present. Used a pointer so that field is omitted when not set. Co-authored-by: Jonathan Miao <jonamiao@amazon.com> Co-authored-by: Bryan Moffatt <bmoffatt@users.noreply.github.com>
diff --git a/events/apigw.go b/events/apigw.go
@@ -133,19 +133,20 @@ type APIGatewayV2HTTPResponse struct {
 
 // APIGatewayRequestIdentity contains identity information for the request caller.
 type APIGatewayRequestIdentity struct {
-	CognitoIdentityPoolID         string `json:"cognitoIdentityPoolId,omitempty"`
-	AccountID                     string `json:"accountId,omitempty"`
-	CognitoIdentityID             string `json:"cognitoIdentityId,omitempty"`
-	Caller                        string `json:"caller,omitempty"`
-	APIKey                        string `json:"apiKey,omitempty"`
-	APIKeyID                      string `json:"apiKeyId,omitempty"`
-	AccessKey                     string `json:"accessKey,omitempty"`
-	SourceIP                      string `json:"sourceIp"`
-	CognitoAuthenticationType     string `json:"cognitoAuthenticationType,omitempty"`
-	CognitoAuthenticationProvider string `json:"cognitoAuthenticationProvider,omitempty"`
-	UserArn                       string `json:"userArn,omitempty"` //nolint: stylecheck
-	UserAgent                     string `json:"userAgent"`
-	User                          string `json:"user,omitempty"`
+	CognitoIdentityPoolID         string                                                          `json:"cognitoIdentityPoolId,omitempty"`
+	AccountID                     string                                                          `json:"accountId,omitempty"`
+	CognitoIdentityID             string                                                          `json:"cognitoIdentityId,omitempty"`
+	Caller                        string                                                          `json:"caller,omitempty"`
+	APIKey                        string                                                          `json:"apiKey,omitempty"`
+	APIKeyID                      string                                                          `json:"apiKeyId,omitempty"`
+	AccessKey                     string                                                          `json:"accessKey,omitempty"`
+	SourceIP                      string                                                          `json:"sourceIp"`
+	CognitoAuthenticationType     string                                                          `json:"cognitoAuthenticationType,omitempty"`
+	CognitoAuthenticationProvider string                                                          `json:"cognitoAuthenticationProvider,omitempty"`
+	UserArn                       string                                                          `json:"userArn,omitempty"` //nolint: stylecheck
+	UserAgent                     string                                                          `json:"userAgent"`
+	User                          string                                                          `json:"user,omitempty"`
+	ClientCert                    *APIGatewayCustomAuthorizerRequestTypeRequestIdentityClientCert `json:"clientCert,omitempty"`
 }
 
 // APIGatewayWebsocketProxyRequest contains data coming from the API Gateway proxy
diff --git a/events/apigw_test.go b/events/apigw_test.go
@@ -33,6 +33,16 @@ func TestApiGatewayRequestMarshaling(t *testing.T) {
 		t.Errorf("could not extract authorizer context: %v", authContext)
 	}
 
+	clientCert := inputEvent.RequestContext.Identity.ClientCert
+	if clientCert.ClientCertPem != "CERT_CONTENT" ||
+		clientCert.SubjectDN != "www.example.com" ||
+		clientCert.IssuerDN != "Example issuer" ||
+		clientCert.SerialNumber != "a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1" ||
+		clientCert.Validity.NotBefore != "May 28 12:30:02 2019 GMT" ||
+		clientCert.Validity.NotAfter != "Aug  5 09:36:04 2021 GMT" {
+		t.Errorf("could not extract client certificate content: %v", clientCert)
+	}
+
 	// serialize to json
 	outputJSON, err := json.Marshal(inputEvent)
 	if err != nil {
diff --git a/events/testdata/apigw-request.json b/events/testdata/apigw-request.json
@@ -79,7 +79,17 @@
 			"cognitoAuthenticationProvider": "theCognitoAuthenticationProvider",
 			"userArn": "theUserArn",
 			"userAgent": "PostmanRuntime/2.4.5",
-			"user": "theUser"
+			"user": "theUser",
+			"clientCert": {
+				"clientCertPem": "CERT_CONTENT",
+				"subjectDN": "www.example.com",
+				"issuerDN": "Example issuer",
+				"serialNumber": "a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1",
+				"validity": {
+					"notBefore": "May 28 12:30:02 2019 GMT",
+					"notAfter": "Aug  5 09:36:04 2021 GMT"
+				}
+			}
 		},
 		"authorizer": {
 			"principalId": "admin",
