fix AuthType
aws-rafams committed Jun 13, 2024
1 parent be60c23 commit 4ac6b64
Showing 5 changed files with 29 additions and 42 deletions.
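--- a/src/auth.ts
+++ b/src/auth.ts
@@ -0,0 +1,9 @@
+/**
+* The authentication method used to be used
+*/
+export declare enum AuthType {
+/** The resource does not use an IAM policy. */
+NONE = "NONE",
+/** The resource uses an IAM policy. When this type is used, auth is enabled and an auth policy is required. **/
+AWS_IAM = "AWS_IAM",
+}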
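Review bot: `export declare enum AuthType` on the fourth line of this new file is an ambient declaration, so tsc emits no JavaScript for it; a runtime read such as `AuthType.AWS_IAM` in the servicenetwork.ts hunk (`if (this.authType !== AuthType.AWS_IAM)` and the error message that interpolates it) would then resolve against an undefined export unless a separate build step supplies the value. The runtime `export enum AuthType` that listener.ts used to provide is removed in this same commit, so nothing visible here supplies it; I would drop the modifier: `export enum AuthType {`. The header comment also reads oddly — `The authentication method to be used` says what was meant — and the closing `**/` on the AWS_IAM member can be a plain `*/`.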
1 change: 1 addition & 0 deletions src/index.ts
Expand Up @@ -6,6 +6,7 @@

export * from './servicenetwork';
export * from './service';
export * from './auth';
export * from './listener';
export * from './matches';
export * from './targets';
32 changes: 10 additions & 22 deletions src/listener.ts
Expand Up @@ -12,19 +12,7 @@ import {
HTTPMatch,
IService,
} from './index';
/**
* AuthTypes
*/
export enum AuthType {
/**
* No Authorization
*/
NONE = 'NONE',
/**
* Use IAM Policy as
*/
AWS_IAM = 'AWS_IAM'
}



/**
Expand Down Expand Up @@ -324,7 +312,7 @@ export class Listener extends core.Resource implements IListener {
},
};
} else {
// set the default action to the foward
// set the default action to the foward
defaultAction = {
forward: {
targetGroups: [{
Expand Down Expand Up @@ -357,7 +345,7 @@ export class Listener extends core.Resource implements IListener {
let port: number;
if (protocol === Protocol.HTTP) {
port = props.port ?? 80;
} else if ( protocol === Protocol.HTTPS) {
} else if (protocol === Protocol.HTTPS) {
port = props.port ?? 443;
} else {
throw new Error('Protocol not supported');
Expand Down Expand Up @@ -400,20 +388,20 @@ export class Listener extends core.Resource implements IListener {
// add the action for the statement. There is only one permissiable action
policyStatement.addActions('vpc-lattice-svcs:Invoke');

if ( props.accessMode === RuleAccessMode.UNAUTHENTICATED ) {
if (props.accessMode === RuleAccessMode.UNAUTHENTICATED) {
policyStatement.addPrincipals(new iam.StarPrincipal());
if (props.allowedPrincipals) {
throw new Error('An unauthenticated rule cannot have allowedPrincipals');
}
};

if ( props.accessMode === RuleAccessMode.AUTHENTICATED_ONLY ) {
policyStatement.addCondition('StringNotEqualsIgnoreCase', { 'aws:PrincipalType': 'Anonymous' } );
if (props.accessMode === RuleAccessMode.AUTHENTICATED_ONLY) {
policyStatement.addCondition('StringNotEqualsIgnoreCase', { 'aws:PrincipalType': 'Anonymous' });
};

if ( props.accessMode === RuleAccessMode.ORG_ONLY ) {
policyStatement.addCondition('StringEquals', { 'aws:PrincipalOrgID': [this.service.orgId] } );
policyStatement.addCondition('StringNotEqualsIgnoreCase', { 'aws:PrincipalType': 'Anonymous' } );
if (props.accessMode === RuleAccessMode.ORG_ONLY) {
policyStatement.addCondition('StringEquals', { 'aws:PrincipalOrgID': [this.service.orgId] });
policyStatement.addCondition('StringNotEqualsIgnoreCase', { 'aws:PrincipalType': 'Anonymous' });
};

// conditionaly build a policy statement if principals were provided
Expand Down Expand Up @@ -540,7 +528,7 @@ export class Listener extends core.Resource implements IListener {
},
caseSensitive: headerMatch.caseSensitive ?? false,
});
policyStatement.addCondition('StringEquals', { [`vpc-lattice-svcs:RequestHeader/${headerMatch.headername}`]: headerMatch.matchValue } );
policyStatement.addCondition('StringEquals', { [`vpc-lattice-svcs:RequestHeader/${headerMatch.headername}`]: headerMatch.matchValue });
} else if (matchOperator === MatchOperator.CONTAINS) {
headerMatches.push({
name: headerMatch.headername,
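Review bot: The `};` that closes each access-mode `if` block in the accessMode hunk (after the UNAUTHENTICATED, AUTHENTICATED_ONLY and ORG_ONLY branches) is a block followed by an empty statement; the reformat kept all three, and they should be a plain `}` so a linter with no-extra-semi does not flag them. In the same hunk the UNAUTHENTICATED branch calls `policyStatement.addPrincipals(new iam.StarPrincipal())` before it checks `props.allowedPrincipals`; because that check throws, the early call is harmless, but checking first and adding the wildcard principal second reads as intended. The earlier hunk's comment kept its typo on the new line; `// set the default action to the forward` fixes it. The enclosing method starts and ends outside these hunks.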
13 changes: 1 addition & 12 deletions src/service.ts
Expand Up @@ -11,13 +11,12 @@ import {

import * as constructs from 'constructs';
import {
AuthType,
IListener,
IServiceNetwork,
}
from './index';



/**
* Properties to Share the Service
*/
Expand All @@ -39,16 +38,6 @@ export interface ShareServiceProps {
readonly accounts: string[] | undefined;
}

/**
* The authentication method used to be used
*/
export declare enum AuthType {
/** The resource does not use an IAM policy. */
NONE = "NONE",
/** The resource uses an IAM policy. When this type is used, auth is enabled and an auth policy is required. **/
AWS_IAM = "AWS_IAM",
}

/**
* Create a vpcLattice service network.
* Implemented by `Service`.
16 changes: 8 additions & 8 deletions src/servicenetwork.ts
Expand Up @@ -91,7 +91,7 @@ export interface AssociateVPCProps {
* Properties to add a logging Destination
*/

export interface AddloggingDestinationProps{
export interface AddloggingDestinationProps {
/**
* The logging destination
*/
Expand Down Expand Up @@ -156,7 +156,7 @@ export interface ServiceNetworkProps {
* The type of authentication to use with the Service Network
* @default 'AWS_IAM'
*/
readonly authType?: AuthType | undefined;
readonly authType?: AuthType;

/**
* Logging destinations
Expand Down Expand Up @@ -234,11 +234,11 @@ export class ServiceNetwork extends ServiceNetworkBase {
/**
* Import a Service Network by Id
*/
public static fromId(scope: constructs.Construct, id: string, serviceNetworkId: string ): IServiceNetwork {
public static fromId(scope: constructs.Construct, id: string, serviceNetworkId: string): IServiceNetwork {
return new ImportedServiceNetwork(scope, id, { serviceNetworkId: serviceNetworkId });
}

public static fromName(scope: constructs.Construct, id: string, serviceNetworkName: string ): IServiceNetwork {
public static fromName(scope: constructs.Construct, id: string, serviceNetworkName: string): IServiceNetwork {
return new ImportedServiceNetwork(scope, id, { serviceNetworkName: serviceNetworkName });
}

Expand Down Expand Up @@ -349,11 +349,11 @@ export class ServiceNetwork extends ServiceNetworkBase {
const orgId = orgIdCr.getResponseField('Organization.Id');

// add the condition that requires that the principal is from this org
statement.addCondition('StringEquals', { 'aws:PrincipalOrgID': [orgId] } );
statement.addCondition('StringNotEqualsIgnoreCase', { 'aws:PrincipalType': 'Anonymous' } );
statement.addCondition('StringEquals', { 'aws:PrincipalOrgID': [orgId] });
statement.addCondition('StringNotEqualsIgnoreCase', { 'aws:PrincipalType': 'Anonymous' });
} else if (props.accessmode === ServiceNetworkAccessMode.AUTHENTICATED_ONLY) {
// add the condition that requires that the principal is authenticated
statement.addCondition('StringNotEqualsIgnoreCase', { 'aws:PrincipalType': 'Anonymous' } );
statement.addCondition('StringNotEqualsIgnoreCase', { 'aws:PrincipalType': 'Anonymous' });
};

this.authPolicy.addStatements(statement);
Expand Down Expand Up @@ -397,7 +397,7 @@ export class ServiceNetwork extends ServiceNetworkBase {
throw new Error(`Auth Policy for granting access on Service Network is invalid\n, ${this.authPolicy}`);
}
// check to see if the AuthType is AWS_IAM
if (this.authType !== AuthType.AWS_IAM ) {
if (this.authType !== AuthType.AWS_IAM) {
throw new Error(`AuthType must be ${AuthType.AWS_IAM} to add an Auth Policy`);
}
