Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(apigateway): enhance code arounds method authorizers #30978

Merged
merged 5 commits into from
Jul 30, 2024
Merged

chore(apigateway): enhance code arounds method authorizers #30978

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
0e1e362
chore(apigateway): enhance code arounds method authorizers
GavinZZ Jul 29, 2024
29b0100
Update comments
GavinZZ Jul 29, 2024
f5fa8f6
Update comments
GavinZZ Jul 30, 2024
3675b1b
Merge branch 'main' into update_method_authorizer
GavinZZ Jul 30, 2024
e9339be
Merge branch 'main' into update_method_authorizer
mergify[bot] Jul 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 43 additions & 9 deletions packages/aws-cdk-lib/aws-apigateway/lib/method.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -185,22 +185,35 @@ export class Method extends Resource {
validateHttpMethod(this.httpMethod);

const options = props.options || {};

const defaultMethodOptions = props.resource.defaultMethodOptions || {};

// do not use the default authorizer config in case if the provided authorizer type is None
const authorizer =
options.authorizationType === AuthorizationType.NONE
&& options.authorizer == undefined ? undefined : options.authorizer || defaultMethodOptions.authorizer;
const authorizerId = authorizer?.authorizerId ? authorizer.authorizerId : undefined;

const authorizationTypeOption = options.authorizationType || defaultMethodOptions.authorizationType;
const authorizationType = authorizer?.authorizationType || authorizationTypeOption || AuthorizationType.NONE;

// if the authorizer defines an authorization type and we also have an explicit option set, check that they are the same
if (authorizer?.authorizationType && authorizationTypeOption && authorizer?.authorizationType !== authorizationTypeOption) {
throw new Error(`${this.resource}/${this.httpMethod} - Authorization type is set to ${authorizationTypeOption} ` +
`which is different from what is required by the authorizer [${authorizer.authorizationType}]`);
}
/**
* Get and validate authorization type from the values set by API resource and method.
*
* REST API Resource
* └── defaultMethodOptions: Method options to use as a default for all methods created within this API unless custom options are specified.
* ├── authorizationType: Specifies the default authorization type unless custom options are specified, recommended to not be specified.
* └── authorizer: Specifies the default authorizer for all methods created within this API unless custom options are specified.
* └── authorizerType: The default authorization type of this authorizer.
*
* REST API Method
* └── options: Method options.
* ├── authorizationType: Specifies the authorization type, recommended to not be specified.
* └── authorizer: Specifies an authorizer to use for this method.
* └── authorizerType: The authorization type of this authorizer.
*
* Authorization type is first set to "authorizer.authorizerType", falling back to method's "authorizationType",
* falling back to API resource's default "authorizationType", and lastly "Authorizer.NONE".
*
* Note that "authorizer.authorizerType" should match method or resource's "authorizationType" if exists.
*/
GavinZZ marked this conversation as resolved.
Show resolved Hide resolved
const authorizationType = this.getMethodAuthorizationType(options, defaultMethodOptions, authorizer);

// AuthorizationScope should only be applied to COGNITO_USER_POOLS AuthorizationType.
const defaultScopes = options.authorizationScopes ?? defaultMethodOptions.authorizationScopes;
Expand Down Expand Up @@ -303,6 +316,27 @@ export class Method extends Resource {
this.methodResponses.push(methodResponse);
}

/**
* Get API Gateway Method's authorization type
* @param options API Gateway Method's options to use
* @param defaultMethodOptions API Gateway resource's default Method's options to use
* @param authorizer Authorizer used for API Gateway Method
* @returns API Gateway Method's authorizer type
*/
private getMethodAuthorizationType(options: MethodOptions, defaultMethodOptions: MethodOptions, authorizer?: IAuthorizer): string {
const authorizerAuthType = authorizer?.authorizationType;
const optionsAuthType = options.authorizationType || defaultMethodOptions.authorizationType;
const finalAuthType = authorizerAuthType || optionsAuthType || AuthorizationType.NONE;

// if the authorizer defines an authorization type and we also have an explicit option set, check that they are the same
if (authorizerAuthType && optionsAuthType && authorizerAuthType !== optionsAuthType) {
throw new Error(`${this.resource}/${this.httpMethod} - Authorization type is set to ${optionsAuthType} ` +
`which is different from what is required by the authorizer [${authorizerAuthType}]`);
}

return finalAuthType;
}

private renderIntegration(bindResult: IntegrationConfig): CfnMethod.IntegrationProperty {
const options = bindResult.options ?? {};
let credentials;
Expand Down
Loading