Add support for builtin API Gateway authorizers

[jamesls]

Chalice currently supports IAM, Cognito, and Custom authorizers.
The custom authorizer allows you to define a lambda function which
contains custom authorization logic specific for your use case.
Previously, you'd have to create your lambda authorizer function out
of band from your chalice app. We just provided an API to associated
your custom authorizer with certain views.

This change adds support for a "built in authorizer", which allows you
to create custom authorizers that are defined within your chalice app.
When you run "chalice deploy" we'll automatically create and associate
the authorizer for you, but we'll also create the lambda function
associated with the authorizer.

This introduces new concepts in chalice including multi lambda function
support. We now have an API handler (the existing lambda function) as
well as auth handlers.

There's still a few missing pieces that need to get ironed out:

• Need to work out how we want to configure the auth functions
  in config.json (timeouts, memory, etc)
• Need to work out how to deal with "chalice package". It appears
  SAM doesn't support giving implicit permission to invoke the lambda
  function in the same way the event type "Api" works.
• Docs (in progress, should be coming shortly).

Closes #356

[codecov-io]

Codecov Report

Merging #381 into master will increase coverage by 0.54%.
The diff coverage is 98.95%.

@@            Coverage Diff             @@
##           master     #381      +/-   ##
==========================================
+ Coverage   91.62%   92.17%   +0.54%     
==========================================
  Files          18       18              
  Lines        2280     2440     +160     
  Branches      294      320      +26     
==========================================
+ Hits         2089     2249     +160     
  Misses        142      142              
  Partials       49       49

Impacted Files	Coverage Δ
chalice/__init__.py	100% <ø> (ø)	⬆️
chalice/app.py	96.82% <100%> (+0.72%)	⬆️
chalice/cli/factory.py	89.79% <100%> (ø)	⬆️
chalice/config.py	97.14% <100%> (+0.23%)	⬆️
chalice/awsclient.py	91.48% <100%> (+0.68%)	⬆️
chalice/deploy/swagger.py	100% <100%> (ø)	⬆️
chalice/package.py	97.59% <100%> (+0.18%)	⬆️
chalice/constants.py	100% <100%> (ø)	⬆️
chalice/deploy/deployer.py	89.3% <96.22%> (+1.31%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9f6705a...c95b37b. Read the comment docs.

[kyleknap]

It looks good. My comments were mainly just related to questions, suggestions on refactorings, and double checking edge cases.

[kyleknap]

Does it make sense that the random_id is a required parameter to pass in? Seems like it would make more sense if the awsclient handled it automatically for the user.

[jamesls]

I think it would. IIRC correctly it was done this way to make testing easier. I believe there were issues with the botocore stubber's ANY implementation. Those might be fixed now, I can check.

[jamesls]

On second thought, I think it would make sense to parameterize it but not completely hide it. This is used to ensure uniqueness and makes it impossible to do retries at any level above the awsclient level. I'd propose making this an Optional[str].

[kyleknap]

This is second time this name is generated. I wonder if it makes sense to have a shared helper function/property to determine this.

[kyleknap]

We probably want to put validation in on if they pass in kwargs that do not get popped off like we do in route()

[jamesls]

I'll update.

[kyleknap]

It seems like we would given it is used for iteration in the deployer/swagger code. Might want to remove the comment.

[kyleknap]

What was the reason for calling it Builtin as opposed to Custom? Custom falls more in-line with what API Gateway uses in its documentation. Or maybe just calling them AuthConfig's?

[jamesls]

There'a already a custom authorizer in the chalice code. The nomenclature that made the most sense to be (given what's already there):

• Custom authorizers - using the custom authorizer functionality in API gateway with a lambda function that you manage outside of chalice. This maps to the pre-existing CustomAuthorizer class.
• Builtin authorizers - authorizers that are defined in a chalice app that we manage/configure for you. Implementation wise it uses the custom authorizer feature of API gateway but is largely abstracted in chalice.

[kyleknap]

We may want to be using a paginator here. Unfortunately, I do not think botocore has one yet.

[jamesls]

It does not. I couldn't find in their docs what the page size, but I think this might be a forward compatibility thing in their API. The max authorizers for an API is 10 (http://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html) so I don't think we'll be affected. I can add a comment about that though.

[kyleknap]

That works too.

[kyleknap]

So there is also a ResourceDoesNotExistError exception. Should that be used instead of ValueError? There is not really any documentation on when the ResourceDoesNotExistError should be raised.

[jamesls]

I think carlyl added that with the delete feature, which was done after this branch was started. I can update to use ResourceDoesNotExistError.

[kyleknap]

How do we currently handle auth handlers that get removed from a chalice app? So say I defined a auth handler deployed my application and then decided I did not want it anymore. So I delete it from my app.py file and redeploy. My expectation would be that the lambda function for the auth handler will get deleted. From the looks of it, it seems that the deploy code will leave orphaned lambda functions.

[jamesls]

It will be semi-orphaned in the sense that we won't delete it on deploy, but it will still stay in deployed.json so will get removed as part of chalice delete.

I agree it does make sense if you delete your auth handler code we should remove the lambda function. I'll look into how much work that is.

[jamesls]

Capturing offline: I'll use either the deployed.json or query lambda based on the expected tags to delete things at the end of the deploy.

[kyleknap]

I wonder if it makes sense to make assertions about the parameters the update_function and create_function were called with? Currently the only way to tell that the correct parameters were used is by running an integration test. At the very least we should check that the correct function name and handler name is being past in.

[jamesls]

Yeah I can update this.

[kyleknap]

Do you think it is worth adding a test that mixes string and AuthRoute in the AuthResponse list?

[jamesls]

Yeah I'll update this.

[jamesls]

Incorporated feedback so far. Remaining items:

• Docs
• Configuration for authorizer functions (timeouts/roles/memory_size)
• Delete auth lambda functions when removed from code on redeploy

Let me know if I missed anything outside of those three items.

[kyleknap]

Changes look good to me up to this point.

[jamesls]

The last piece of functionality missing is how to configure the authorizers. I'm going to update the original issue with an updated proposal before implementing.

[jamesls]

@kyleknap Updated. This should be all the code related changes. Just needs docs. I'm going to try it out a bit more and see if there's any edge cases I missed, but otherwise is ready to look at again.

[kyleknap]

Looks good. Just some small comments and questions

[kyleknap]

So I think this is fine for now as lambda functions are really the only thing we configure. But how do you see this will expand if we ever support per-resource configurations for other AWS resources besides Lambda? Would we add resource name to the config as well and the config would then be scoped to: stage + lambda function + any other specific managed resource configuration? I just want to make sure there won't be any issues expanding this out

[jamesls]

I would actually see additional resources not using Config directly but instead using a resource specific config obj that Config can create. Initially I had this as Config --references-> LambdaConfig, but reverted that in favor of this current approach because:

1. It's a bigger interface change across all the deployer code which is likely getting refactored soon anyways
2. Almost all the config in Config is actually lambda configuration.

So say if we had ddb tables, you'd say something like:

ddb_config = cfg.resource_config(cfg.stage_name, 'dynamodb_tables')
ddb_config['mytable']['name']
ddb_config['mytable']['provisioned_throughput']
... etc ...

[kyleknap]

Ok cool. I was thinking along the same lines of how you would get resource specific configuration. Makes sense to keep the changes small for now until more configurable managed resources get added as the deployer will need to get refactored.

[kyleknap]

notusing -> not using

[kyleknap]

Unimplemented test

[kyleknap]

I wonder if it makes sense to check that the call to create_function to create the api handler used the expected configuration values as well?

[jamesls]

I'm not following. That's what's happening on lines 900/901 for the timeout and memory size. Was there more you wanted asserted?

[kyleknap]

So right now we are only checking the last client create_function call which was for the auth handler. The first create_function call is for the api handler which is not checked, but has different parameters such as its lambda timeout will be 10 and its lambda memory size will be the default. The assertion would be on what was called in the first create_function call and it would be just a sanity check to make sure the correct scope was used in creating the api handler. If there is already a check for that though, I don't think we need to add an assertion. I may have missed it if there is one as I am only looking at the diffs as you add them, not the entire PR diff each time.

[jamesls]

Oh ok yeah I can update the test if that's not covered.

[kyleknap]

So a stage or a function name that does not exist in the config does not raise an error? That seems like it could raise some unexpected results down the road if the wrong stage or function name is used.

[jamesls]

We have no way of knowing that unless we want to change the interface to declare/define your stages before you can deploy them, which IMO is a tedious API.

Perhaps, we could add an optional prompt when you deploy a stage for the first time, but that wouldn't need changes to the config file validation.

[kyleknap]

Makes sense. Yeah I think it would be an optional prompt for a deploying to a new stage that is not the very first chalice deploy. I feel that the initial chalice deploy should work with minimal amount of prompting. I don't think this should be done in this PR though.

[kyleknap]

So I know it may be tedious, but I wonder if it makes sense to have explicit test to make sure all the valid variables can be configured per lambda function? In the tests, lambda_timeout, environment_variables, and tags are used routinely, but variables such as iam_role_arn, lambda_memory_size, autogen_policy, and iam_policy_file are not. I feel that it would be good to have for a quick check. If not split this into individual tests, maybe have one large test or general helper assertion that makes sure that each of these values exhibit the per function behavior (i.e. override global/stage values and are separate from other functions)?

[jamesls]

This API is actually wrong now. Initially I was doing a deepcopy on the self.__dict__, but ran into issues that couldn't be serialized because our config obj has a reference to the chalice_app which contains all kinds of objects. Now that we're sharing __dict__, this doesn't actually work. I'll get this fixed.

[kyleknap]

Latest updates look good. Looks like all that is left is rebasing and adding docs then it should be good.

[kyleknap]

validae -> validate

[kyleknap]

Everything looks good. 🚢 Also make sure to add a changelog entry

[jamesls]

Merged via 4d1751d