feat(cloudfront): add denyList to OriginRequestPolicy behaviors #25767

Merged
merged 12 commits into from
Jul 7, 2023
@@ -1,15 +1,15 @@
{
"version": "32.0.0",
"files": {
"01042f10dd3272da413b201384cdf825a7467030c0db8a2d5bcfe10b45a30ced": {
"17ab10021b77a5b225de54b10a02740bc6d638269786a643726871c66180f980": {
"source": {
"path": "integ-distribution-policies.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "01042f10dd3272da413b201384cdf825a7467030c0db8a2d5bcfe10b45a30ced.json",
"objectKey": "17ab10021b77a5b225de54b10a02740bc6d638269786a643726871c66180f980.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
Expand Up @@ -69,7 +69,10 @@
"Properties": {
"OriginRequestPolicyConfig": {
"CookiesConfig": {
"CookieBehavior": "none"
"CookieBehavior": "whitelist",
"Cookies": [
"cookie1"
]
},
"HeadersConfig": {
"HeaderBehavior": "allViewerAndWhitelistCloudFront",
Expand All @@ -79,7 +82,10 @@
},
"Name": "ACustomOriginRequestPolicy",
"QueryStringsConfig": {
"QueryStringBehavior": "none"
"QueryStringBehavior": "allExcept",
"QueryStrings": [
"querystringparam"
]
}
}
}
Expand Up @@ -17,7 +17,7 @@
"validateOnSynth": false,
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/01042f10dd3272da413b201384cdf825a7467030c0db8a2d5bcfe10b45a30ced.json",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/17ab10021b77a5b225de54b10a02740bc6d638269786a643726871c66180f980.json",
"requiresBootstrapStackVersion": 6,
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
"additionalDependencies": [
Expand Up @@ -145,7 +145,10 @@
"originRequestPolicyConfig": {
"name": "ACustomOriginRequestPolicy",
"cookiesConfig": {
"cookieBehavior": "none"
"cookieBehavior": "whitelist",
"cookies": [
"cookie1"
]
},
"headersConfig": {
"headerBehavior": "allViewerAndWhitelistCloudFront",
Expand All @@ -154,7 +157,10 @@
]
},
"queryStringsConfig": {
"queryStringBehavior": "none"
"queryStringBehavior": "allExcept",
"queryStrings": [
"querystringparam"
]
}
}
}
Expand Down Expand Up @@ -244,7 +250,7 @@
"path": "integ-distribution-policies/Dist/Origin1",
"constructInfo": {
"fqn": "constructs.Construct",
"version": "10.2.26"
"version": "10.2.52"
}
},
"Resource": {
Expand Down Expand Up @@ -304,7 +310,7 @@
"path": "integ-distribution-policies/Dist-2/Origin1",
"constructInfo": {
"fqn": "constructs.Construct",
"version": "10.2.26"
"version": "10.2.52"
}
},
"Resource": {
Expand Down Expand Up @@ -388,7 +394,7 @@
"path": "DistributionPolicies/DefaultTest/Default",
"constructInfo": {
"fqn": "constructs.Construct",
"version": "10.2.26"
"version": "10.2.52"
}
},
"DeployAssert": {
Expand Down Expand Up @@ -434,7 +440,7 @@
"path": "Tree",
"constructInfo": {
"fqn": "constructs.Construct",
"version": "10.2.26"
"version": "10.2.52"
}
}
},
Expand Up @@ -31,7 +31,9 @@ const cachePolicyWithRef = new cloudfront.CachePolicy(stack, 'CachePolicyWithRef

const originRequestPolicy = new cloudfront.OriginRequestPolicy(stack, 'OriginRequestPolicy', {
originRequestPolicyName: 'ACustomOriginRequestPolicy',
cookieBehavior: cloudfront.OriginRequestCookieBehavior.allowList('cookie1'),
headerBehavior: cloudfront.OriginRequestHeaderBehavior.all('CloudFront-Forwarded-Proto'),
queryStringBehavior: cloudfront.OriginRequestQueryStringBehavior.denyList('querystringparam'),
});

const responseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(stack, 'ResponseHeadersPolicy', {
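Review bot: Only the query-string variant of the new feature is exercised here — `queryStringBehavior: cloudfront.OriginRequestQueryStringBehavior.denyList('querystringparam')` — while the cookie line uses `allowList` and the header line uses `all(...)`, so the snapshot never captures the `allExcept` rendering for `CookiesConfig` or `HeadersConfig`. Given that the PR adds `denyList` to all three behavior classes, consider adding a second policy (or switching one of these lines) so that, for example, `cookieBehavior: cloudfront.OriginRequestCookieBehavior.denyList('cookie1')` is also validated against the deployed template. The integ assertion setup continues past this hunk, so the snapshot may be extended elsewhere; this is only what is visible here.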
24 changes: 24 additions & 0 deletions packages/aws-cdk-lib/aws-cloudfront/lib/origin-request-policy.ts
Expand Up @@ -138,6 +138,14 @@ export class OriginRequestCookieBehavior {
/** All cookies in viewer requests are included in requests that CloudFront sends to the origin. */
public static all() { return new OriginRequestCookieBehavior('all'); }

/** All cookies except the provided `cookies` are included in requests that CloudFront sends to the origin. */
public static denyList(...cookies: string[]) {
if (cookies.length === 0) {
throw new Error('At least one cookie to deny must be provided');
}
return new OriginRequestCookieBehavior('allExcept', cookies);
}

/** Only the provided `cookies` are included in requests that CloudFront sends to the origin. */
public static allowList(...cookies: string[]) {
if (cookies.length === 0) {
Expand Down Expand Up @@ -194,6 +202,14 @@ export class OriginRequestHeaderBehavior {
return new OriginRequestHeaderBehavior('whitelist', headers);
}

/** All headers except the provided `headers` are included in requests that CloudFront sends to the origin. */
public static denyList(...headers: string[]) {
if (headers.length === 0) {
throw new Error('At least one header to deny must be provided');
}
return new OriginRequestHeaderBehavior('allExcept', headers);
}

/** The behavior of headers: allow all, none or an allow list. */
public readonly behavior: string;
/** The headers for the allow list or the included CloudFront headers, if applicable. */
Expand Down Expand Up @@ -227,6 +243,14 @@ export class OriginRequestQueryStringBehavior {
return new OriginRequestQueryStringBehavior('whitelist', queryStrings);
}

/** All query strings except the provided `queryStrings` are included in requests that CloudFront sends to the origin. */
public static denyList(...queryStrings: string[]) {
if (queryStrings.length === 0) {
throw new Error('At least one query string to deny must be provided');
}
return new OriginRequestQueryStringBehavior('allExcept', queryStrings);
}

/** The behavior of query strings -- allow all, none, or only an allow list. */
public readonly behavior: string;
/** The query strings to allow, if the behavior is an allow list. */
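Review bot: The property doc comments visible in the second and third hunks are now stale: `/** The behavior of headers: allow all, none or an allow list. */` and `/** The query strings -- allow all, none, or only an allow list. */` enumerate the legal values, but `denyList()` now emits a fourth value, `'allExcept'`, and the accompanying `headers`/`queryStrings` docs say "for the allow list" only. Suggested wording for the header pair: `/** The behavior of headers: allow all, none, an allow list, or all except a deny list. */` and `/** The headers for the allow list or deny list, or the included CloudFront headers, if applicable. */`, with the same adjustment for the query-string pair (the cookie class's property docs are outside these hunks and presumably need the same fix). Separately, the JSDoc on each `denyList()` should carry the security caveat that a deny list is forward-by-default: any viewer header, cookie or query string not named — including ones introduced later — reaches the origin, so `allowList()` is the safer choice when the origin should only ever see a known set; something like `/** … Note: everything not listed is forwarded, so prefer allowList() when the origin must not receive unanticipated viewer data. */`. The enclosing `OriginRequestQueryStringBehavior` class begins before and continues after the last hunk.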
Expand Up @@ -141,6 +141,17 @@ describe.each([
test('allowList() throws if list is empty', () => {
expect(() => clazz.allowList()).toThrow(new RegExp(`At least one ${type} to allow must be provided`));
});

test('denyList()', () => {
const behavior = clazz.denyList('SESSION_ID', 'secrets');

expect(behavior.behavior).toEqual('allExcept');
expect(items(behavior)).toEqual(['SESSION_ID', 'secrets']);
});

test('denyList() throws if list is empty', () => {
expect(() => clazz.denyList()).toThrow(new RegExp(`At least one ${type} to deny must be provided`));
});
});

describe('HeaderBehavior', () => {
Expand Down Expand Up @@ -182,4 +193,15 @@ describe('HeaderBehavior', () => {
expect(() => { OriginRequestHeaderBehavior.all('X-MyCustomHeader'); }).toThrow(errorMessage);
});
});

test('denyList()', () => {
const headers = OriginRequestHeaderBehavior.denyList('SESSION_ID', 'secrets');

expect(headers.behavior).toEqual('allExcept');
expect(headers.headers).toEqual(['SESSION_ID', 'secrets']);
});

test('denyList() throws if list is empty', () => {
expect(() => OriginRequestHeaderBehavior.denyList()).toThrow(/At least one header to deny must be provided/);
});
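Review bot: The two header-specific tests added at the end of `describe('HeaderBehavior', …)` — `denyList()` and `denyList() throws if list is empty` — appear to duplicate the parameterised tests added earlier in the `describe.each` block, which already assert `behavior.behavior` equals `'allExcept'`, the items list, and the `At least one ${type} to deny must be provided` message; if `OriginRequestHeaderBehavior` is one of the `clazz` entries (the table is defined above this hunk, so this is inferred), the second pair adds no coverage and could be dropped. What is not tested anywhere visible is the synthesized CloudFormation shape for `allExcept`, e.g. a `Template.fromStack(stack).hasResourceProperties('AWS::CloudFront::OriginRequestPolicy', { OriginRequestPolicyConfig: { HeadersConfig: { HeaderBehavior: 'allExcept', Headers: ['SESSION_ID'] } } })` assertion, which would pin the mapping from the behavior object to the `HeaderBehavior`/`Headers` keys that the integ snapshot only covers for query strings.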
});