From 439a0b91c5e4804a60a1d05bc16ee8171028c726 Mon Sep 17 00:00:00 2001
From: Kyle Laker
Date: Tue, 3 May 2022 15:19:21 -0400
Subject: [PATCH] fix(cognito): Allow retrieving FIPS-compliant URL

This ensures that users in GovCloud can retrieve a URL that works in their region and allows users in us-{east,west}-{1,2} to also use the FIPs endpoints.
---
 .../aws-cognito/lib/user-pool-domain.ts | 23 ++++++--
 .../aws-cognito/test/user-pool-domain.test.ts | 56 +++++++++++++++++++
 2 files changed, 75 insertions(+), 4 deletions(-)

diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts
index b201b31536c72..22aefc9281621 100644
--- a/packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts
+++ b/packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts
@@ -152,10 +152,13 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
 /**
 * The URL to the hosted UI associated with this domain
+ *
+ * @param options options to customize the behaviour of this method
 */
- public baseUrl(): string {
+ public baseUrl(options?: BaseUrlOptions): string {
 if (this.isCognitoDomain) {
- return `https://${this.domainName}.auth.${Stack.of(this).region}.amazoncognito.com`;
+ const authDomain = 'auth' + (options?.fips ? '-fips' : '');
+ return `https://${this.domainName}.${authDomain}.${Stack.of(this).region}.amazoncognito.com`;
 }
 return `https://${this.domainName}`;
 }
 
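Review bot: In the rewritten `baseUrl`, the new `fips` option only affects the Cognito-hosted branch; the custom-domain `return` that follows ignores it silently and the added `@param options` doc does not say so. Suggest extending the doc comment with ` * Only honoured for Cognito-hosted prefix domains; a custom domain is returned unchanged.` The commit message limits FIPS endpoints to GovCloud and us-{east,west}-{1,2}; in other regions the constructed `auth-fips` hostname is presumably not served, and since `Stack.of(this).region` is often an unresolved token this cannot be validated at synth time, so the doc should also state where the option is expected to work. As a point of style, `const authDomain = options?.fips ? 'auth-fips' : 'auth';` reads more directly than appending a conditional suffix to `'auth'`.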
@@ -175,14 +178,26 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
 throw new Error('signInUrl is not supported for clients without authorizationCodeGrant or implicitCodeGrant flow enabled');
 }
 const path = options.signInPath ?? '/login';
- return `${this.baseUrl()}${path}?client_id=${client.userPoolClientId}&response_type=${responseType}&redirect_uri=${options.redirectUri}`;
+ return `${this.baseUrl(options)}${path}?client_id=${client.userPoolClientId}&response_type=${responseType}&redirect_uri=${options.redirectUri}`;
 }
 }
 
+/**
+ * Options to customize the behaviour of `baseUrl()`
+ */
+export interface BaseUrlOptions {
+ /**
+ * Whether to return the FIPS-compliant endpoint
+ *
+ * @default return the standard URL
+ */
+ readonly fips?: boolean;
+}
+
 /**
 * Options to customize the behaviour of `signInUrl()`
 */
-export interface SignInUrlOptions {
+export interface SignInUrlOptions extends BaseUrlOptions {
 /**
 * Where to redirect to after sign in
 */
diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts
index 7cbc013951271..ea751c58d4380 100644
--- a/packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts
+++ b/packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts
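Review bot: The rewritten `return` in `signInUrl` still interpolates `options.redirectUri` into the query string without percent-encoding, so a redirect URI that contains `?`, `&` or `#` produces a malformed `redirect_uri` parameter; the change only adds the `options` forwarding and leaves this as it was. Because `redirectUri` may be an unresolved token, `encodeURIComponent` cannot be applied unconditionally; guarding it, e.g. `const redirectUri = Token.isUnresolved(options.redirectUri) ? options.redirectUri : encodeURIComponent(options.redirectUri);` (`Token` from the core package) before the return, would encode literal values and leave tokens intact. `signInUrl`'s body starts above this hunk. On the new `BaseUrlOptions.fips` doc, `@default false` states the literal default and is clearer than `@default return the standard URL`.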
@@ -164,6 +164,62 @@ describe('User Pool Client', () => {
 Template.fromStack(stack).resourceCountIs('AWS::Cognito::UserPoolDomain', 0);
 });
 
+ describe('baseUrl', () => {
+ test('returns the expected standard URL', () => {
+ // GIVEN
+ const stack = new Stack();
+ const pool = new UserPool(stack, 'Pool');
+ const domain = pool.addDomain('Domain', {
+ cognitoDomain: {
+ domainPrefix: 'cognito-domain-prefix',
+ },
+ });
+
+ // WHEN
+ const baseUrl = domain.baseUrl();
+
+ // THEN
+ expect(stack.resolve(baseUrl)).toEqual({
+ 'Fn::Join': [
+ '', [
+ 'https://',
+ { Ref: 'PoolDomainCFC71F56' },
+ '.auth.',
+ { Ref: 'AWS::Region' },
+ '.amazoncognito.com',
+ ],
+ ],
+ });
+ });
+
+ test('returns the expected FIPS-compliant endpoint URL', () => {
+ // GIVEN
+ const stack = new Stack();
+ const pool = new UserPool(stack, 'Pool');
+ const domain = pool.addDomain('Domain', {
+ cognitoDomain: {
+ domainPrefix: 'cognito-domain-prefix',
+ },
+ });
+
+ // WHEN
+ const baseUrl = domain.baseUrl({ fips: true });
+
+ // THEN
+ expect(stack.resolve(baseUrl)).toEqual({
+ 'Fn::Join': [
+ '', [
+ 'https://',
+ { Ref: 'PoolDomainCFC71F56' },
+ '.auth-fips.',
+ { Ref: 'AWS::Region' },
+ '.amazoncognito.com',
+ ],
+ ],
+ });
+ });
+ });
+
 describe('signInUrl', () => {
 test('returns the expected URL', () => {
 // GIVEN
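Review bot: The two new tests exercise `baseUrl()` directly, but the production change also routes `signInUrl()`'s options through `baseUrl(options)`, and no test asserts that `signInUrl(client, { redirectUri, fips: true })` yields an `.auth-fips.` hostname, so a regression that drops the forwarding would go unnoticed. A third test mirroring the existing signInUrl case with `fips: true` and expecting `'.auth-fips.'` among the `Fn::Join` parts would close that gap. The tests also leave `baseUrl({ fips: true })` on a custom domain untested, where the flag has no effect; pinning that behaviour documents it for callers.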