feat(apigateway): lambda token authorizer (#5197)
* feat(apigateway): L2 support for lambda token authorizers * Address PR comments * More PR feedback * Restructure binding * Restructuring classes to allow for Authorizer.token() and Authorizer.iam() experience * PR feedback * Authorizer -> Authorization * drop using Physical Name * Switch to eslint recommended import style * chore: proposed refactor for authorizers design (#5584) * simplify authorizers class design - rename `AuthorizerBase` to `Authorizer`. This class should actually have the `CfnAuthorizer` instantiation, but will only be introduced when an additional authorizer is included. - simplify `AuthorizerBase` dramatically - move logic to cache `restApiId` from `AuthorizerBase` to `TokenAuthorizer`. When an additional authorizer is added, we will refactor. - remove the usage `Authorizer.token`. It is non-idiomatic in this context since we support one authorizer reused multiple times. * moved Authorizer to authorizer.ts * fix broken references and types Co-authored-by: Niranjan Jayakar <16217941+nija-at@users.noreply.github.com> * Documentation updates & PR feedback Co-authored-by: Elad Ben-Israel <benisrae@amazon.com>
1 parent
590d2ac
commit 5c16744
Showing
14 changed files
with
1,216 additions
and
6 deletions.
@@ -1,9 +1,33 @@ | ||
import { Resource } from '@aws-cdk/core'; | ||
import { AuthorizationType } from './method'; | ||
import { RestApi } from './restapi'; | ||
|
||
/** | ||
* Base class for all custom authorizers | ||
*/ | ||
export abstract class Authorizer extends Resource implements IAuthorizer { | ||
public readonly abstract authorizerId: string; | ||
public readonly authorizationType?: AuthorizationType = AuthorizationType.CUSTOM; | ||
|
||
/** | ||
* Called when the authorizer is used from a specific REST API. | ||
* @internal | ||
*/ | ||
public abstract _attachToApi(restApi: RestApi): void; | ||
} | ||
|
||
/** | ||
* Represents an API Gateway authorizer. | ||
*/ | ||
export interface IAuthorizer { | ||
/** | ||
* The authorizer ID. | ||
* @attribute | ||
*/ | ||
readonly authorizerId: string; | ||
} | ||
|
||
/** | ||
* The authorization type of this authorizer. | ||
*/ | ||
readonly authorizationType?: AuthorizationType; | ||
} |
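Review bot: `authorizationType` on the new `Authorizer` class is declared optional (`public readonly authorizationType?: AuthorizationType`) yet is unconditionally initialised to `AuthorizationType.CUSTOM`, so the `?` only widens the type that consumers have to narrow again. Since every concrete authorizer inherits the same value, `public readonly authorizationType: AuthorizationType = AuthorizationType.CUSTOM;` is still assignable to the optional property on `IAuthorizer` while giving subclasses a definite value. The rendered page does not preserve which lines of this hunk are old and new, so this reads the class as shown.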
@@ -0,0 +1 @@ | ||
export * from './lambda'; |
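--- /dev/null
+++ b/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts
@@ -0,0 +1,141 @@
+import * as iam from '@aws-cdk/aws-iam';
+import * as lambda from '@aws-cdk/aws-lambda';
+import { Construct, Duration, Lazy, Stack } from '@aws-cdk/core';
+import { CfnAuthorizer } from '../apigateway.generated';
+import { Authorizer, IAuthorizer } from '../authorizer';
+import { RestApi } from '../restapi';
+
+/**
+* Properties for TokenAuthorizer
+*/
+export interface TokenAuthorizerProps {
+
+/**
+* An optional human friendly name for the authorizer. Note that, this is not the primary identifier of the authorizer.
+*
+* @default - none
+*/
+readonly authorizerName?: string;
+
+/**
+* The handler for the authorizer lambda function.
+*
+* The handler must follow a very specific protocol on the input it receives and the output it needs to produce.
+* API Gateway has documented the handler's input specification
+* {@link https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-input.html | here} and output specification
+* {@link https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html | here}.
+*/
+readonly handler: lambda.IFunction;
+
+/**
+* The request header mapping expression for the bearer token. This is typically passed as part of the header, in which case
+* this should be `method.request.header.Authorizer` where Authorizer is the header containing the bearer token.
+* @see https://docs.aws.amazon.com/apigateway/api-reference/link-relation/authorizer-create/#identitySource
+* @default 'method.request.header.Authorization'
+*/
+readonly identitySource?: string;
+
+/**
+* How long APIGateway should cache the results. Max 1 hour.
+* Disable caching by setting this to 0.
+*
+* @default Duration.minutes(5)
+*/
+readonly resultsCacheTtl?: Duration;
+
+/**
+* An optional regex to be matched against the authorization token. When matched the authorizer lambda is invoked,
+* otherwise a 401 Unauthorized is returned to the client.
+*
+* @default - no regex filter will be applied.
+*/
+readonly validationRegex?: string;
+
+/**
+* An optional IAM role for APIGateway to assume before calling the Lambda-based authorizer. The IAM role must be
+* assumable by 'apigateway.amazonaws.com'.
+*
+* @default - A resource policy is added to the Lambda function allowing apigateway.amazonaws.com to invoke the function.
+*/
+readonly assumeRole?: iam.IRole;
+}
+
+/**
+* Token based lambda authorizer that recognizes the caller's identity as a bearer token,
+* such as a JSON Web Token (JWT) or an OAuth token.
+* Based on the token, authorization is performed by a lambda function.
+*
+* @resource AWS::ApiGateway::Authorizer
+*/
+export class TokenAuthorizer extends Authorizer implements IAuthorizer {
+
+/**
+* The id of the authorizer.
+* @attribute
+*/
+public readonly authorizerId: string;
+
+/**
+* The ARN of the authorizer to be used in permission policies, such as IAM and resource-based grants.
+*/
+public readonly authorizerArn: string;
+
+private restApiId?: string;
+
+constructor(scope: Construct, id: string, props: TokenAuthorizerProps) {
+super(scope, id);
+
+if (props.resultsCacheTtl && props.resultsCacheTtl.toSeconds() > 3600) {
+throw new Error(`Lambda authorizer property 'resultsCacheTtl' must not be greater than 3600 seconds (1 hour)`);
+}
+
+const restApiId = Lazy.stringValue({ produce: () => this.restApiId });
+
+const resource = new CfnAuthorizer(this, 'Resource', {
+name: props.authorizerName,
+restApiId,
+type: 'TOKEN',
+authorizerUri: `arn:aws:apigateway:${Stack.of(this).region}:lambda:path/2015-03-31/functions/${props.handler.functionArn}/invocations`,
+authorizerCredentials: props.assumeRole ? props.assumeRole.roleArn : undefined,
+authorizerResultTtlInSeconds: props.resultsCacheTtl && props.resultsCacheTtl.toSeconds(),
+identitySource: props.identitySource || 'method.request.header.Authorization',
+identityValidationExpression: props.validationRegex,
+});
+
+this.authorizerId = resource.ref;
+
+this.authorizerArn = Stack.of(this).formatArn({
+service: 'execute-api',
+resource: restApiId,
+resourceName: `authorizers/${this.authorizerId}`
+});
+
+if (!props.assumeRole) {
+props.handler.addPermission(`${this.node.uniqueId}:Permissions`, {
+principal: new iam.ServicePrincipal('apigateway.amazonaws.com'),
+sourceArn: this.authorizerArn
+});
+} else if (props.assumeRole instanceof iam.Role) { // i.e., not imported
+props.assumeRole.attachInlinePolicy(new iam.Policy(this, 'authorizerInvokePolicy', {
+statements: [
+new iam.PolicyStatement({
+resources: [ props.handler.functionArn ],
+actions: [ 'lambda:InvokeFunction' ],
+})
+]
+}));
+}
+}
+
+/**
+* Attaches this authorizer to a specific REST API.
+* @internal
+*/
+public _attachToApi(restApi: RestApi) {
+if (this.restApiId && this.restApiId !== restApi.restApiId) {
+throw new Error(`Cannot attach authorizer to two different rest APIs`);
+}
+
+this.restApiId = restApi.restApiId;
+}
+}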
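Review bot: The `authorizerUri` built in the `TokenAuthorizer` constructor hardcodes the `aws` partition, so in the aws-cn and aws-us-gov partitions the authorizer points at a Lambda endpoint that does not exist there; the `formatArn` call a few lines below already derives the partition from the stack (the expected template shows `Ref: AWS::Partition` for the permission's `SourceArn` but a literal `arn:aws:apigateway:` for `AuthorizerUri`), and the URI should do the same by replacing the literal `arn:aws:apigateway:` prefix with `arn:${Stack.of(this).partition}:apigateway:`. Separately, when `assumeRole` is an imported role (an `IRole` that is not an `instanceof iam.Role`) neither branch of the trailing `if` grants anything, so API Gateway will be unable to invoke the handler with no diagnostic at synth time; `props.handler.grantInvoke(props.assumeRole)` covers concrete and (mutable) imported roles alike and keeps the statement scoped to the one function. The `identitySource` doc comment reads `method.request.header.Authorizer where Authorizer is the header` — presumably `Authorization` was meant, matching the `@default` below it.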
320 changes: 320 additions & 0 deletions
320
...es/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.expected.json
@@ -0,0 +1,320 @@ | ||
{ | ||
"Resources": { | ||
"MyAuthorizerFunctionServiceRole8A34C19E": { | ||
"Type": "AWS::IAM::Role", | ||
"Properties": { | ||
"AssumeRolePolicyDocument": { | ||
"Statement": [ | ||
{ | ||
"Action": "sts:AssumeRole", | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": "lambda.amazonaws.com" | ||
} | ||
} | ||
], | ||
"Version": "2012-10-17" | ||
}, | ||
"ManagedPolicyArns": [ | ||
{ | ||
"Fn::Join": [ | ||
"", | ||
[ | ||
"arn:", | ||
{ | ||
"Ref": "AWS::Partition" | ||
}, | ||
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" | ||
] | ||
] | ||
} | ||
] | ||
} | ||
}, | ||
"MyAuthorizerFunction70F1223E": { | ||
"Type": "AWS::Lambda::Function", | ||
"Properties": { | ||
"Code": { | ||
"S3Bucket": { | ||
"Ref": "AssetParameters6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993aS3Bucket115F9EA4" | ||
}, | ||
"S3Key": { | ||
"Fn::Join": [ | ||
"", | ||
[ | ||
{ | ||
"Fn::Select": [ | ||
0, | ||
{ | ||
"Fn::Split": [ | ||
"||", | ||
{ | ||
"Ref": "AssetParameters6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993aS3VersionKey1039487E" | ||
} | ||
] | ||
} | ||
] | ||
}, | ||
{ | ||
"Fn::Select": [ | ||
1, | ||
{ | ||
"Fn::Split": [ | ||
"||", | ||
{ | ||
"Ref": "AssetParameters6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993aS3VersionKey1039487E" | ||
} | ||
] | ||
} | ||
] | ||
} | ||
] | ||
] | ||
} | ||
}, | ||
"Handler": "index.handler", | ||
"Role": { | ||
"Fn::GetAtt": [ | ||
"MyAuthorizerFunctionServiceRole8A34C19E", | ||
"Arn" | ||
] | ||
}, | ||
"Runtime": "nodejs10.x" | ||
}, | ||
"DependsOn": [ | ||
"MyAuthorizerFunctionServiceRole8A34C19E" | ||
] | ||
}, | ||
"authorizerRole06E70703": { | ||
"Type": "AWS::IAM::Role", | ||
"Properties": { | ||
"AssumeRolePolicyDocument": { | ||
"Statement": [ | ||
{ | ||
"Action": "sts:AssumeRole", | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": "apigateway.amazonaws.com" | ||
} | ||
} | ||
], | ||
"Version": "2012-10-17" | ||
} | ||
} | ||
}, | ||
"MyAuthorizer6575980E": { | ||
"Type": "AWS::ApiGateway::Authorizer", | ||
"Properties": { | ||
"RestApiId": { | ||
"Ref": "MyRestApi2D1F47A9" | ||
}, | ||
"Type": "TOKEN", | ||
"AuthorizerCredentials": { | ||
"Fn::GetAtt": [ | ||
"authorizerRole06E70703", | ||
"Arn" | ||
] | ||
}, | ||
"AuthorizerUri": { | ||
"Fn::Join": [ | ||
"", | ||
[ | ||
"arn:aws:apigateway:", | ||
{ | ||
"Ref": "AWS::Region" | ||
}, | ||
":lambda:path/2015-03-31/functions/", | ||
{ | ||
"Fn::GetAtt": [ | ||
"MyAuthorizerFunction70F1223E", | ||
"Arn" | ||
] | ||
}, | ||
"/invocations" | ||
] | ||
] | ||
}, | ||
"IdentitySource": "method.request.header.Authorization" | ||
} | ||
}, | ||
"MyAuthorizerauthorizerInvokePolicy0F88B8E1": { | ||
"Type": "AWS::IAM::Policy", | ||
"Properties": { | ||
"PolicyDocument": { | ||
"Statement": [ | ||
{ | ||
"Action": "lambda:InvokeFunction", | ||
"Effect": "Allow", | ||
"Resource": { | ||
"Fn::GetAtt": [ | ||
"MyAuthorizerFunction70F1223E", | ||
"Arn" | ||
] | ||
} | ||
} | ||
], | ||
"Version": "2012-10-17" | ||
}, | ||
"PolicyName": "MyAuthorizerauthorizerInvokePolicy0F88B8E1", | ||
"Roles": [ | ||
{ | ||
"Ref": "authorizerRole06E70703" | ||
} | ||
] | ||
} | ||
}, | ||
"MyRestApi2D1F47A9": { | ||
"Type": "AWS::ApiGateway::RestApi", | ||
"Properties": { | ||
"Name": "MyRestApi" | ||
} | ||
}, | ||
"MyRestApiDeploymentB555B5828fad37a0e56bbac79ae37ae990881dca": { | ||
"Type": "AWS::ApiGateway::Deployment", | ||
"Properties": { | ||
"RestApiId": { | ||
"Ref": "MyRestApi2D1F47A9" | ||
}, | ||
"Description": "Automatically created by the RestApi construct" | ||
}, | ||
"DependsOn": [ | ||
"MyRestApiANY05143F93" | ||
] | ||
}, | ||
"MyRestApiDeploymentStageprodC33B8E5F": { | ||
"Type": "AWS::ApiGateway::Stage", | ||
"Properties": { | ||
"RestApiId": { | ||
"Ref": "MyRestApi2D1F47A9" | ||
}, | ||
"DeploymentId": { | ||
"Ref": "MyRestApiDeploymentB555B5828fad37a0e56bbac79ae37ae990881dca" | ||
}, | ||
"StageName": "prod" | ||
} | ||
}, | ||
"MyRestApiCloudWatchRoleD4042E8E": { | ||
"Type": "AWS::IAM::Role", | ||
"Properties": { | ||
"AssumeRolePolicyDocument": { | ||
"Statement": [ | ||
{ | ||
"Action": "sts:AssumeRole", | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": "apigateway.amazonaws.com" | ||
} | ||
} | ||
], | ||
"Version": "2012-10-17" | ||
}, | ||
"ManagedPolicyArns": [ | ||
{ | ||
"Fn::Join": [ | ||
"", | ||
[ | ||
"arn:", | ||
{ | ||
"Ref": "AWS::Partition" | ||
}, | ||
":iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs" | ||
] | ||
] | ||
} | ||
] | ||
} | ||
}, | ||
"MyRestApiAccount2FB6DB7A": { | ||
"Type": "AWS::ApiGateway::Account", | ||
"Properties": { | ||
"CloudWatchRoleArn": { | ||
"Fn::GetAtt": [ | ||
"MyRestApiCloudWatchRoleD4042E8E", | ||
"Arn" | ||
] | ||
} | ||
}, | ||
"DependsOn": [ | ||
"MyRestApi2D1F47A9" | ||
] | ||
}, | ||
"MyRestApiANY05143F93": { | ||
"Type": "AWS::ApiGateway::Method", | ||
"Properties": { | ||
"HttpMethod": "ANY", | ||
"ResourceId": { | ||
"Fn::GetAtt": [ | ||
"MyRestApi2D1F47A9", | ||
"RootResourceId" | ||
] | ||
}, | ||
"RestApiId": { | ||
"Ref": "MyRestApi2D1F47A9" | ||
}, | ||
"AuthorizationType": "CUSTOM", | ||
"AuthorizerId": { | ||
"Ref": "MyAuthorizer6575980E" | ||
}, | ||
"Integration": { | ||
"IntegrationResponses": [ | ||
{ | ||
"StatusCode": "200" | ||
} | ||
], | ||
"PassthroughBehavior": "NEVER", | ||
"RequestTemplates": { | ||
"application/json": "{ \"statusCode\": 200 }" | ||
}, | ||
"Type": "MOCK" | ||
}, | ||
"MethodResponses": [ | ||
{ | ||
"StatusCode": "200" | ||
} | ||
] | ||
} | ||
} | ||
}, | ||
"Parameters": { | ||
"AssetParameters6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993aS3Bucket115F9EA4": { | ||
"Type": "String", | ||
"Description": "S3 bucket for asset \"6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993a\"" | ||
}, | ||
"AssetParameters6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993aS3VersionKey1039487E": { | ||
"Type": "String", | ||
"Description": "S3 key for asset version \"6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993a\"" | ||
}, | ||
"AssetParameters6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993aArtifactHash1A0BBA4E": { | ||
"Type": "String", | ||
"Description": "Artifact hash for asset \"6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993a\"" | ||
} | ||
}, | ||
"Outputs": { | ||
"MyRestApiEndpoint4C55E4CB": { | ||
"Value": { | ||
"Fn::Join": [ | ||
"", | ||
[ | ||
"https://", | ||
{ | ||
"Ref": "MyRestApi2D1F47A9" | ||
}, | ||
".execute-api.", | ||
{ | ||
"Ref": "AWS::Region" | ||
}, | ||
".", | ||
{ | ||
"Ref": "AWS::URLSuffix" | ||
}, | ||
"/", | ||
{ | ||
"Ref": "MyRestApiDeploymentStageprodC33B8E5F" | ||
}, | ||
"/" | ||
] | ||
] | ||
} | ||
} | ||
} | ||
} |
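--- /dev/null
+++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.ts
@@ -0,0 +1,46 @@
+import * as iam from '@aws-cdk/aws-iam';
+import * as lambda from '@aws-cdk/aws-lambda';
+import { App, Stack } from '@aws-cdk/core';
+import * as path from 'path';
+import { AuthorizationType, MockIntegration, PassthroughBehavior, RestApi, TokenAuthorizer } from '../../lib';
+
+// Against the RestApi endpoint from the stack output, run
+// `curl -s -o /dev/null -w "%{http_code}" <url>` should return 401
+// `curl -s -o /dev/null -w "%{http_code}" -H 'Authorization: deny' <url>` should return 403
+// `curl -s -o /dev/null -w "%{http_code}" -H 'Authorization: allow' <url>` should return 200
+
+const app = new App();
+const stack = new Stack(app, 'TokenAuthorizerIAMRoleInteg');
+
+const authorizerFn = new lambda.Function(stack, 'MyAuthorizerFunction', {
+runtime: lambda.Runtime.NODEJS_10_X,
+handler: 'index.handler',
+code: lambda.AssetCode.fromAsset(path.join(__dirname, 'integ.token-authorizer.handler'))
+});
+
+const role = new iam.Role(stack, 'authorizerRole', {
+assumedBy: new iam.ServicePrincipal('apigateway.amazonaws.com')
+});
+
+const authorizer = new TokenAuthorizer(stack, 'MyAuthorizer', {
+handler: authorizerFn,
+assumeRole: role,
+});
+
+const restapi = new RestApi(stack, 'MyRestApi');
+
+restapi.root.addMethod('ANY', new MockIntegration({
+integrationResponses: [
+{ statusCode: '200' }
+],
+passthroughBehavior: PassthroughBehavior.NEVER,
+requestTemplates: {
+'application/json': '{ "statusCode": 200 }',
+},
+}), {
+methodResponses: [
+{ statusCode: '200' }
+],
+authorizer,
+authorizationType: AuthorizationType.CUSTOM
+});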
311 changes: 311 additions & 0 deletions
311
packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.expected.json
@@ -0,0 +1,311 @@ | ||
{ | ||
"Resources": { | ||
"MyAuthorizerFunctionServiceRole8A34C19E": { | ||
"Type": "AWS::IAM::Role", | ||
"Properties": { | ||
"AssumeRolePolicyDocument": { | ||
"Statement": [ | ||
{ | ||
"Action": "sts:AssumeRole", | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": "lambda.amazonaws.com" | ||
} | ||
} | ||
], | ||
"Version": "2012-10-17" | ||
}, | ||
"ManagedPolicyArns": [ | ||
{ | ||
"Fn::Join": [ | ||
"", | ||
[ | ||
"arn:", | ||
{ | ||
"Ref": "AWS::Partition" | ||
}, | ||
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" | ||
] | ||
] | ||
} | ||
] | ||
} | ||
}, | ||
"MyAuthorizerFunction70F1223E": { | ||
"Type": "AWS::Lambda::Function", | ||
"Properties": { | ||
"Code": { | ||
"S3Bucket": { | ||
"Ref": "AssetParameters6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993aS3Bucket115F9EA4" | ||
}, | ||
"S3Key": { | ||
"Fn::Join": [ | ||
"", | ||
[ | ||
{ | ||
"Fn::Select": [ | ||
0, | ||
{ | ||
"Fn::Split": [ | ||
"||", | ||
{ | ||
"Ref": "AssetParameters6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993aS3VersionKey1039487E" | ||
} | ||
] | ||
} | ||
] | ||
}, | ||
{ | ||
"Fn::Select": [ | ||
1, | ||
{ | ||
"Fn::Split": [ | ||
"||", | ||
{ | ||
"Ref": "AssetParameters6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993aS3VersionKey1039487E" | ||
} | ||
] | ||
} | ||
] | ||
} | ||
] | ||
] | ||
} | ||
}, | ||
"Handler": "index.handler", | ||
"Role": { | ||
"Fn::GetAtt": [ | ||
"MyAuthorizerFunctionServiceRole8A34C19E", | ||
"Arn" | ||
] | ||
}, | ||
"Runtime": "nodejs10.x" | ||
}, | ||
"DependsOn": [ | ||
"MyAuthorizerFunctionServiceRole8A34C19E" | ||
] | ||
}, | ||
"MyRestApi2D1F47A9": { | ||
"Type": "AWS::ApiGateway::RestApi", | ||
"Properties": { | ||
"Name": "MyRestApi" | ||
} | ||
}, | ||
"MyRestApiDeploymentB555B5828fad37a0e56bbac79ae37ae990881dca": { | ||
"Type": "AWS::ApiGateway::Deployment", | ||
"Properties": { | ||
"RestApiId": { | ||
"Ref": "MyRestApi2D1F47A9" | ||
}, | ||
"Description": "Automatically created by the RestApi construct" | ||
}, | ||
"DependsOn": [ | ||
"MyRestApiANY05143F93" | ||
] | ||
}, | ||
"MyRestApiDeploymentStageprodC33B8E5F": { | ||
"Type": "AWS::ApiGateway::Stage", | ||
"Properties": { | ||
"RestApiId": { | ||
"Ref": "MyRestApi2D1F47A9" | ||
}, | ||
"DeploymentId": { | ||
"Ref": "MyRestApiDeploymentB555B5828fad37a0e56bbac79ae37ae990881dca" | ||
}, | ||
"StageName": "prod" | ||
} | ||
}, | ||
"MyRestApiCloudWatchRoleD4042E8E": { | ||
"Type": "AWS::IAM::Role", | ||
"Properties": { | ||
"AssumeRolePolicyDocument": { | ||
"Statement": [ | ||
{ | ||
"Action": "sts:AssumeRole", | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": "apigateway.amazonaws.com" | ||
} | ||
} | ||
], | ||
"Version": "2012-10-17" | ||
}, | ||
"ManagedPolicyArns": [ | ||
{ | ||
"Fn::Join": [ | ||
"", | ||
[ | ||
"arn:", | ||
{ | ||
"Ref": "AWS::Partition" | ||
}, | ||
":iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs" | ||
] | ||
] | ||
} | ||
] | ||
} | ||
}, | ||
"MyRestApiAccount2FB6DB7A": { | ||
"Type": "AWS::ApiGateway::Account", | ||
"Properties": { | ||
"CloudWatchRoleArn": { | ||
"Fn::GetAtt": [ | ||
"MyRestApiCloudWatchRoleD4042E8E", | ||
"Arn" | ||
] | ||
} | ||
}, | ||
"DependsOn": [ | ||
"MyRestApi2D1F47A9" | ||
] | ||
}, | ||
"MyRestApiANY05143F93": { | ||
"Type": "AWS::ApiGateway::Method", | ||
"Properties": { | ||
"HttpMethod": "ANY", | ||
"ResourceId": { | ||
"Fn::GetAtt": [ | ||
"MyRestApi2D1F47A9", | ||
"RootResourceId" | ||
] | ||
}, | ||
"RestApiId": { | ||
"Ref": "MyRestApi2D1F47A9" | ||
}, | ||
"AuthorizationType": "CUSTOM", | ||
"AuthorizerId": { | ||
"Ref": "MyAuthorizer6575980E" | ||
}, | ||
"Integration": { | ||
"IntegrationResponses": [ | ||
{ | ||
"StatusCode": "200" | ||
} | ||
], | ||
"PassthroughBehavior": "NEVER", | ||
"RequestTemplates": { | ||
"application/json": "{ \"statusCode\": 200 }" | ||
}, | ||
"Type": "MOCK" | ||
}, | ||
"MethodResponses": [ | ||
{ | ||
"StatusCode": "200" | ||
} | ||
] | ||
} | ||
}, | ||
"MyAuthorizer6575980E": { | ||
"Type": "AWS::ApiGateway::Authorizer", | ||
"Properties": { | ||
"RestApiId": { | ||
"Ref": "MyRestApi2D1F47A9" | ||
}, | ||
"Type": "TOKEN", | ||
"AuthorizerUri": { | ||
"Fn::Join": [ | ||
"", | ||
[ | ||
"arn:aws:apigateway:", | ||
{ | ||
"Ref": "AWS::Region" | ||
}, | ||
":lambda:path/2015-03-31/functions/", | ||
{ | ||
"Fn::GetAtt": [ | ||
"MyAuthorizerFunction70F1223E", | ||
"Arn" | ||
] | ||
}, | ||
"/invocations" | ||
] | ||
] | ||
}, | ||
"IdentitySource": "method.request.header.Authorization" | ||
} | ||
}, | ||
"MyAuthorizerFunctionTokenAuthorizerIntegMyAuthorizer793B1D5FPermissions7557AE26": { | ||
"Type": "AWS::Lambda::Permission", | ||
"Properties": { | ||
"Action": "lambda:InvokeFunction", | ||
"FunctionName": { | ||
"Fn::GetAtt": [ | ||
"MyAuthorizerFunction70F1223E", | ||
"Arn" | ||
] | ||
}, | ||
"Principal": "apigateway.amazonaws.com", | ||
"SourceArn": { | ||
"Fn::Join": [ | ||
"", | ||
[ | ||
"arn:", | ||
{ | ||
"Ref": "AWS::Partition" | ||
}, | ||
":execute-api:", | ||
{ | ||
"Ref": "AWS::Region" | ||
}, | ||
":", | ||
{ | ||
"Ref": "AWS::AccountId" | ||
}, | ||
":", | ||
{ | ||
"Ref": "MyRestApi2D1F47A9" | ||
}, | ||
"/authorizers/", | ||
{ | ||
"Ref": "MyAuthorizer6575980E" | ||
} | ||
] | ||
] | ||
} | ||
} | ||
} | ||
}, | ||
"Parameters": { | ||
"AssetParameters6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993aS3Bucket115F9EA4": { | ||
"Type": "String", | ||
"Description": "S3 bucket for asset \"6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993a\"" | ||
}, | ||
"AssetParameters6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993aS3VersionKey1039487E": { | ||
"Type": "String", | ||
"Description": "S3 key for asset version \"6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993a\"" | ||
}, | ||
"AssetParameters6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993aArtifactHash1A0BBA4E": { | ||
"Type": "String", | ||
"Description": "Artifact hash for asset \"6695c4a3dad80ddeef2797a1729306b7c136d67ce21d2187fdbc7bbad009993a\"" | ||
} | ||
}, | ||
"Outputs": { | ||
"MyRestApiEndpoint4C55E4CB": { | ||
"Value": { | ||
"Fn::Join": [ | ||
"", | ||
[ | ||
"https://", | ||
{ | ||
"Ref": "MyRestApi2D1F47A9" | ||
}, | ||
".execute-api.", | ||
{ | ||
"Ref": "AWS::Region" | ||
}, | ||
".", | ||
{ | ||
"Ref": "AWS::URLSuffix" | ||
}, | ||
"/", | ||
{ | ||
"Ref": "MyRestApiDeploymentStageprodC33B8E5F" | ||
}, | ||
"/" | ||
] | ||
] | ||
} | ||
} | ||
} | ||
} |
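--- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.handler/index.ts
+++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.handler/index.ts
@@ -0,0 +1,23 @@
+// tslint:disable:no-console
+
+export const handler = async (event: any, _context: any = {}): Promise<any> => {
+const authToken: string = event.authorizationToken;
+console.log(`event.authorizationToken = ${authToken}`);
+if (authToken === 'allow' || authToken === 'deny') {
+return {
+principalId: 'user',
+policyDocument: {
+Version: "2012-10-17",
+Statement: [
+{
+Action: "execute-api:Invoke",
+Effect: authToken,
+Resource: event.methodArn
+}
+]
+}
+};
+} else {
+throw new Error('Unauthorized');
+}
+};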
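Review bot: The handler writes the raw value of `event.authorizationToken` to the log on the `console.log` line, so whatever credential a caller sends in the Authorization header lands in CloudWatch Logs; integ handlers get copied as samples, so it would be safer to log only its presence, e.g. `console.log(\`authorizationToken present = ${authToken !== undefined}\`);`. Separately, `Effect: authToken` emits the lowercase strings `allow`/`deny` as the policy Effect; the curl expectations in integ.token-authorizer.ts suggest API Gateway tolerates this, but mapping to the canonical `Allow`/`Deny` would avoid depending on that leniency. The `throw new Error('Unauthorized')` branch presumably is what yields the 401 described in the integ comments, and a one-line comment saying so would help readers of this fixture.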
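--- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.ts
+++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.ts
@@ -0,0 +1,39 @@
+import * as lambda from '@aws-cdk/aws-lambda';
+import { App, Stack } from '@aws-cdk/core';
+import * as path from 'path';
+import { MockIntegration, PassthroughBehavior, RestApi, TokenAuthorizer } from '../../lib';
+
+// Against the RestApi endpoint from the stack output, run
+// `curl -s -o /dev/null -w "%{http_code}" <url>` should return 401
+// `curl -s -o /dev/null -w "%{http_code}" -H 'Authorization: deny' <url>` should return 403
+// `curl -s -o /dev/null -w "%{http_code}" -H 'Authorization: allow' <url>` should return 200
+
+const app = new App();
+const stack = new Stack(app, 'TokenAuthorizerInteg');
+
+const authorizerFn = new lambda.Function(stack, 'MyAuthorizerFunction', {
+runtime: lambda.Runtime.NODEJS_10_X,
+handler: 'index.handler',
+code: lambda.AssetCode.fromAsset(path.join(__dirname, 'integ.token-authorizer.handler'))
+});
+
+const restapi = new RestApi(stack, 'MyRestApi');
+
+const authorizer = new TokenAuthorizer(stack, 'MyAuthorizer', {
+handler: authorizerFn,
+});
+
+restapi.root.addMethod('ANY', new MockIntegration({
+integrationResponses: [
+{ statusCode: '200' }
+],
+passthroughBehavior: PassthroughBehavior.NEVER,
+requestTemplates: {
+'application/json': '{ "statusCode": 200 }',
+},
+}), {
+methodResponses: [
+{ statusCode: '200' }
+],
+authorizer
+});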
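Review bot: The closing `addMethod` call passes `authorizer` without `authorizationType`, while every test in test.lambda.ts sets `authorizationType: AuthorizationType.CUSTOM` explicitly next to the authorizer; whether a TokenAuthorizer on its own is enough to make the method CUSTOM is decided in code outside this hunk, and if it is not, this route deploys without authorization and the 401 expectation in the comment block would not hold. Either add `authorizationType: AuthorizationType.CUSTOM,` here for consistency, or add a unit test asserting that the synthesized `AWS::ApiGateway::Method` has `AuthorizationType: 'CUSTOM'` and an `AuthorizerId` when only `authorizer` is supplied. The curl comments would be self-contained with one more line naming the RestApi endpoint stack output as the source of `<url>`.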
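--- a/packages/@aws-cdk/aws-apigateway/test/authorizers/test.lambda.ts
+++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/test.lambda.ts
@@ -0,0 +1,130 @@
+import { expect, haveResource, ResourcePart } from '@aws-cdk/assert';
+import * as iam from '@aws-cdk/aws-iam';
+import * as lambda from '@aws-cdk/aws-lambda';
+import { Duration, Stack } from '@aws-cdk/core';
+import { Test } from 'nodeunit';
+import { AuthorizationType, RestApi, TokenAuthorizer } from '../../lib';
+
+export = {
+'default token authorizer'(test: Test) {
+const stack = new Stack();
+
+const func = new lambda.Function(stack, 'myfunction', {
+handler: 'handler',
+code: lambda.Code.fromInline('foo'),
+runtime: lambda.Runtime.NODEJS_8_10,
+});
+
+const auth = new TokenAuthorizer(stack, 'myauthorizer', {
+handler: func
+});
+
+const restApi = new RestApi(stack, 'myrestapi');
+restApi.root.addMethod('ANY', undefined, {
+authorizer: auth,
+authorizationType: AuthorizationType.CUSTOM
+});
+
+expect(stack).to(haveResource('AWS::ApiGateway::Authorizer', {
+Type: 'TOKEN',
+RestApiId: stack.resolve(restApi.restApiId),
+IdentitySource: 'method.request.header.Authorization'
+}));
+
+expect(stack).to(haveResource('AWS::Lambda::Permission', {
+Action: 'lambda:InvokeFunction',
+Principal: 'apigateway.amazonaws.com',
+}));
+
+test.ok(auth.authorizerArn.endsWith(`/authorizers/${auth.authorizerId}`), 'Malformed authorizer ARN');
+
+test.done();
+},
+
+'token authorizer with all parameters specified'(test: Test) {
+const stack = new Stack();
+
+const func = new lambda.Function(stack, 'myfunction', {
+handler: 'handler',
+code: lambda.Code.fromInline('foo'),
+runtime: lambda.Runtime.NODEJS_8_10,
+});
+
+const auth = new TokenAuthorizer(stack, 'myauthorizer', {
+handler: func,
+identitySource: 'method.request.header.whoami',
+validationRegex: 'a-hacker',
+authorizerName: 'myauthorizer',
+resultsCacheTtl: Duration.minutes(1),
+});
+
+const restApi = new RestApi(stack, 'myrestapi');
+restApi.root.addMethod('ANY', undefined, {
+authorizer: auth,
+authorizationType: AuthorizationType.CUSTOM
+});
+
+expect(stack).to(haveResource('AWS::ApiGateway::Authorizer', {
+Type: 'TOKEN',
+RestApiId: stack.resolve(restApi.restApiId),
+IdentitySource: 'method.request.header.whoami',
+IdentityValidationExpression: 'a-hacker',
+Name: 'myauthorizer',
+AuthorizerResultTtlInSeconds: 60
+}));
+
+test.done();
+},
+
+'token authorizer with assume role'(test: Test) {
+const stack = new Stack();
+
+const func = new lambda.Function(stack, 'myfunction', {
+handler: 'handler',
+code: lambda.Code.fromInline('foo'),
+runtime: lambda.Runtime.NODEJS_8_10,
+});
+
+const role = new iam.Role(stack, 'authorizerassumerole', {
+assumedBy: new iam.ServicePrincipal('apigateway.amazonaws.com'),
+roleName: 'authorizerassumerole'
+});
+
+const auth = new TokenAuthorizer(stack, 'myauthorizer', {
+handler: func,
+assumeRole: role
+});
+
+const restApi = new RestApi(stack, 'myrestapi');
+restApi.root.addMethod('ANY', undefined, {
+authorizer: auth,
+authorizationType: AuthorizationType.CUSTOM
+});
+
+expect(stack).to(haveResource('AWS::ApiGateway::Authorizer', {
+Type: 'TOKEN',
+RestApiId: stack.resolve(restApi.restApiId),
+}));
+
+expect(stack).to(haveResource('AWS::IAM::Role'));
+
+expect(stack).to(haveResource('AWS::IAM::Policy', {
+Roles: [
+stack.resolve(role.roleName)
+],
+PolicyDocument: {
+Statement: [
+{
+Resource: stack.resolve(func.functionArn),
+Action: 'lambda:InvokeFunction',
+Effect: 'Allow',
+}
+],
+}
+}, ResourcePart.Properties, true));
+
+expect(stack).notTo(haveResource('AWS::Lambda::Permission'));
+
+test.done();
+}
+};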
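Review bot: The 'token authorizer with assume role' test never checks that the synthesized authorizer actually references the role: it asserts the Role and Policy exist and that no Lambda::Permission is created, but its `haveResource('AWS::ApiGateway::Authorizer', …)` block pins only `Type` and `RestApiId`. Adding `AuthorizerCredentials: stack.resolve(role.roleArn)` to that block would pin the property that makes API Gateway invoke the function through the role rather than via a resource policy. Likewise none of the three tests assert `AuthorizerUri`, nor that the method resource carries `AuthorizationType: 'CUSTOM'` together with the authorizer's id, so a regression in either piece of wiring would pass unnoticed; one `haveResource('AWS::ApiGateway::Method', …)` assertion in the default test would close that gap.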