From 266112931b8e7ac4b1039b442c6568a902c11aa6 Mon Sep 17 00:00:00 2001
From: tmokmss
Date: Sun, 7 Nov 2021 03:29:49 +0900
Subject: [PATCH] feat(apigatewayv2-authorizers): http api - allow multiple user pool clients per HttpUserPoolAuthorizer (#16903)
closes #15431
BREAKING CHANGE: `userPoolClient` property in `UserPoolAuthorizerProps` is now renamed to `userPoolClients`.
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../aws-apigatewayv2-authorizers/README.md | 2 +-
 .../lib/http/user-pool.ts | 10 ++---
 .../test/http/integ.user-pool.ts | 2 +-
 .../test/http/user-pool.test.ts | 44 ++++++++++++++++++-
 4 files changed, 49 insertions(+), 9 deletions(-)
diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers/README.md b/packages/@aws-cdk/aws-apigatewayv2-authorizers/README.md
index 7dd9c2f5e61bd..a7da95a29c682 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-authorizers/README.md
+++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers/README.md
@@ -150,7 +150,7 @@ const userPoolClient = userPool.addClient('UserPoolClient');
 
 const authorizer = new HttpUserPoolAuthorizer({
   userPool,
-  userPoolClient,
+  userPoolClients: [userPoolClient],
 });
 
 const api = new HttpApi(stack, 'HttpApi');
diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers/lib/http/user-pool.ts b/packages/@aws-cdk/aws-apigatewayv2-authorizers/lib/http/user-pool.ts
index 702a3a05576ec..21cef2e478756 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-authorizers/lib/http/user-pool.ts
+++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers/lib/http/user-pool.ts
@@ -7,9 +7,9 @@ import { Stack, Token } from '@aws-cdk/core';
  */
 export interface UserPoolAuthorizerProps {
   /**
-   * The user pool client that should be used to authorize requests with the user pool.
+   * The user pool clients that should be used to authorize requests with the user pool.
    */
-  readonly userPoolClient: IUserPoolClient;
+  readonly userPoolClients: IUserPoolClient[];
 
   /**
    * The associated user pool
@@ -33,7 +33,7 @@ export interface UserPoolAuthorizerProps {
    *
    * @default ['$request.header.Authorization']
    */
-  readonly identitySource?: string[],
+  readonly identitySource?: string[];
 }
 
 /**
@@ -56,7 +56,7 @@ export class HttpUserPoolAuthorizer implements IHttpRouteAuthorizer {
       identitySource: this.props.identitySource ?? ['$request.header.Authorization'],
       type: HttpAuthorizerType.JWT,
       authorizerName: this.props.authorizerName,
-      jwtAudience: [this.props.userPoolClient.userPoolClientId],
+      jwtAudience: this.props.userPoolClients.map((c) => c.userPoolClientId),
       jwtIssuer: `https://cognito-idp.${region}.amazonaws.com/${this.props.userPool.userPoolId}`,
     });
   }
@@ -66,4 +66,4 @@ export class HttpUserPoolAuthorizer implements IHttpRouteAuthorizer {
       authorizationType: 'JWT',
     };
   }
-}
\ No newline at end of file
+}
diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/http/integ.user-pool.ts b/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/http/integ.user-pool.ts
index edf455f4a787c..3e607b4474365 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/http/integ.user-pool.ts
+++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/http/integ.user-pool.ts
@@ -25,7 +25,7 @@ const userPoolClient = userPool.addClient('my-client');
 
 const authorizer = new HttpUserPoolAuthorizer({
   userPool,
-  userPoolClient,
+  userPoolClients: [userPoolClient],
 });
 
 const handler = new lambda.Function(stack, 'lambda', {
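Review bot: The new `jwtAudience: this.props.userPoolClients.map((c) => c.userPoolClientId)` line in the third hunk silently accepts an empty `userPoolClients` array and emits an empty audience list, a state the previous single-client form could not express; the widened type should be validated at synth time rather than left for CloudFormation or the authorizer to reject at deploy or request time. Add a guard at the start of `bind`, before the authorizer is built: `if (this.props.userPoolClients.length === 0) { throw new Error('userPoolClients must contain at least one user pool client'); }`. The audience list is what ties accepted tokens to the listed app clients, so the `userPoolClients` doc comment in the first hunk should also say that a token issued for any one of the listed clients is accepted and that the list must not be empty. `bind` starts and ends outside the hunk.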
diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/http/user-pool.test.ts b/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/http/user-pool.test.ts
index 0e3c339e7f744..127b389b8b0f2 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/http/user-pool.test.ts
+++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/http/user-pool.test.ts
@@ -13,7 +13,7 @@ describe('HttpUserPoolAuthorizer', () => {
     const userPoolClient = userPool.addClient('UserPoolClient');
     const authorizer = new HttpUserPoolAuthorizer({
       userPool,
-      userPoolClient,
+      userPoolClients: [userPoolClient],
     });
 
     // WHEN
@@ -52,7 +52,7 @@ describe('HttpUserPoolAuthorizer', () => {
     const userPoolClient = userPool.addClient('UserPoolClient');
     const authorizer = new HttpUserPoolAuthorizer({
       userPool,
-      userPoolClient,
+      userPoolClients: [userPoolClient],
     });
 
     // WHEN
@@ -70,6 +70,46 @@ describe('HttpUserPoolAuthorizer', () => {
     // THEN
     Template.fromStack(stack).resourceCountIs('AWS::ApiGatewayV2::Authorizer', 1);
   });
+
+  test('multiple userPoolClients are attached', () => {
+    // GIVEN
+    const stack = new Stack();
+    const api = new HttpApi(stack, 'HttpApi');
+    const userPool = new UserPool(stack, 'UserPool');
+    const userPoolClient1 = userPool.addClient('UserPoolClient1');
+    const userPoolClient2 = userPool.addClient('UserPoolClient2');
+    const authorizer = new HttpUserPoolAuthorizer({
+      userPool,
+      userPoolClients: [userPoolClient1, userPoolClient2],
+    });
+
+    // WHEN
+    api.addRoutes({
+      integration: new DummyRouteIntegration(),
+      path: '/books',
+      authorizer,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Authorizer', {
+      AuthorizerType: 'JWT',
+      IdentitySource: ['$request.header.Authorization'],
+      JwtConfiguration: {
+        Audience: [stack.resolve(userPoolClient1.userPoolClientId), stack.resolve(userPoolClient2.userPoolClientId)],
+        Issuer: {
+          'Fn::Join': [
+            '',
+            [
+              'https://cognito-idp.',
+              { Ref: 'AWS::Region' },
+              '.amazonaws.com/',
+              stack.resolve(userPool.userPoolId),
+            ],
+          ],
+        },
+      },
+    });
+  });
 });
 
 class DummyRouteIntegration implements IHttpRouteIntegration {