From 96b563bdc07e44a79fd1afa76211c3bf36b91ff4 Mon Sep 17 00:00:00 2001 From: Claude OSS Fixer Date: Fri, 20 Feb 2026 12:44:14 +0000 Subject: [PATCH] fix(data_classes): support path parameters in APIGatewayAuthorizerResponse Update the path_regex pattern to support API Gateway path parameters including standard path parameters ({param}) and greedy path parameters ({proxy+}). Previously the regex would reject these valid resource paths. The updated regex allows {, }, and + characters in addition to the existing allowed characters (/, ., alphanumerics, -, _, *). Fixes #7979 Co-Authored-By: Claude Opus 4.6 Signed-off-by: Claude OSS Fixer --- .../api_gateway_authorizer_event.py | 11 +++- .../test_api_gateway_authorizer.py | 57 +++++++++++++++++++ 2 files changed, 66 insertions(+), 2 deletions(-) diff --git a/aws_lambda_powertools/utilities/data_classes/api_gateway_authorizer_event.py b/aws_lambda_powertools/utilities/data_classes/api_gateway_authorizer_event.py index e9b77209860..13e6590508a 100644 --- a/aws_lambda_powertools/utilities/data_classes/api_gateway_authorizer_event.py +++ b/aws_lambda_powertools/utilities/data_classes/api_gateway_authorizer_event.py @@ -437,8 +437,15 @@ class APIGatewayAuthorizerResponse: - https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html """ - path_regex = r"^[/.a-zA-Z0-9-_\*]+$" - """The regular expression used to validate resource paths for the policy""" + path_regex = r"^[/.a-zA-Z0-9-_\*{}+]+$" + """The regular expression used to validate resource paths for the policy. + + Supports standard path characters and API Gateway path parameters: + - Standard: `/path/to/resource` + - Wildcard: `/path/*` or `/path/*/resource` + - Path parameter: `/path/{param}` + - Greedy path parameter: `/{proxy+}` or `/path/{proxy+}` + """ def __init__( self, diff --git a/tests/unit/data_classes/required_dependencies/test_api_gateway_authorizer.py b/tests/unit/data_classes/required_dependencies/test_api_gateway_authorizer.py index 1fad5176672..377e78556d1 100644 --- a/tests/unit/data_classes/required_dependencies/test_api_gateway_authorizer.py +++ b/tests/unit/data_classes/required_dependencies/test_api_gateway_authorizer.py @@ -221,3 +221,60 @@ def test_parse_api_gateway_arn_with_resource(): response = authorizer_policy.asdict() assert mock_event["methodArn"] == response["policyDocument"]["Statement"][0]["Resource"][0] + + +def test_authorizer_response_allow_route_with_proxy_plus(builder: APIGatewayAuthorizerResponse): + """Test that {proxy+} greedy path parameter is supported. + + See: https://github.com/aws-powertools/powertools-lambda-python/issues/7979 + """ + builder.allow_route(http_method="*", resource="/{proxy+}") + assert builder.asdict() == { + "principalId": "foo", + "policyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Resource": ["arn:aws:execute-api:us-west-1:123456789:fantom/dev/*/{proxy+}"], + }, + ], + }, + } + + +def test_authorizer_response_allow_route_with_path_parameter(builder: APIGatewayAuthorizerResponse): + """Test that standard path parameters like {id} are supported.""" + builder.allow_route(http_method="GET", resource="/users/{userId}") + assert builder.asdict() == { + "principalId": "foo", + "policyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Resource": ["arn:aws:execute-api:us-west-1:123456789:fantom/dev/GET/users/{userId}"], + }, + ], + }, + } + + +def test_authorizer_response_allow_route_with_nested_proxy(builder: APIGatewayAuthorizerResponse): + """Test that {proxy+} can be used with a path prefix.""" + builder.allow_route(http_method="*", resource="/api/v1/{proxy+}") + assert builder.asdict() == { + "principalId": "foo", + "policyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Resource": ["arn:aws:execute-api:us-west-1:123456789:fantom/dev/*/api/v1/{proxy+}"], + }, + ], + }, + }