feat: Refactored APIM policies into reusable builder component (#387)

Resolves issue where APIM policy overwrites any changes done outside of serverless yaml config
Adds support for JWT validation
Adds support for IP filter

Author: wbreza

package-lock.json

@@ -61,7 +61,7 @@
     "request": "^2.81.0",
     "rimraf": "^2.7.1",
     "semver": "^6.3.0",
-    "xml": "^1.0.1"
+    "xml2js": "^0.4.22"
   },
   "devDependencies": {
     "@azure/ms-rest-js": "^1.8.7",
@@ -74,6 +74,7 @@
     "@types/request": "^2.48.1",
     "@types/serverless": "^1.18.2",
     "@types/xml": "^1.0.3",
+    "@types/xml2js": "^0.4.5",
     "@typescript-eslint/eslint-plugin": "^1.9.0",
     "@typescript-eslint/parser": "^1.9.0",
     "axios-mock-adapter": "^1.16.0",

package.json

@@ -12,11 +12,20 @@ export interface ApiManagementConfig {
   backends?: BackendContract[];
   /** The API's CORS policy */
   cors?: ApiCorsPolicy;
+  /** The API's JWT validation policy */
+  jwtValidate?: ApiJwtValidatePolicy;
+  /** The API's IP Filter policy */
+  ipFilter?: ApiIpFilterPolicy;
+  /** The pricing SKU for the APIM instance */
   sku?: {
+    /** The SKU name, (consumption | developer | basic | standard | premium) */
     name?: string;
+    /** The max number of reserved nodes for the specified SKU */
     capacity?: number;
   };
+  /** The publisher e-mail associated with the APIM instance */
   publisherEmail?: string;
+  /** The publisher name associated with the APIM instance */
   publisherName?: string;
 }
 
@@ -35,3 +44,73 @@ export interface ApiCorsPolicy {
   /** A list of headers exposed during OPTION preflight requests */
   exposeHeaders: string[];
 }
+
+/**
+ * Defines an APIM JWT validation policy
+ * See https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT for more information
+ */
+export interface ApiJwtValidatePolicy {
+  /** The name of the query string parameter that contains the JWT token */
+  queryParamName?: string;
+  /** The name of the HTTP header that contains the JWT token */
+  headerName?: string;
+  /** An explicit JWT token value to validate */
+  tokenValue?: string;
+  /** The authorization scheme to acceept (ex. bearer) */
+  scheme?: string;
+  /** The HTTP status code to return for a failed response */
+  failedStatusCode?: number;
+  /** The error message to return for a failed response */
+  failedErrorMessage?: string;
+  /** Whether or not an expiration claim is required in the token */
+  requireExpirationTime?: boolean;
+  /** Whether or not tokens must be signed */
+  requireSignedTokens?: boolean;
+  /** Number of seconds to skew the clock */
+  clockSkew?: number;
+  /** String. Name of context variable that will receive token value as an object of type Jwt upon successful token validation */
+  outputTokenVariableName?: string;
+  /** Specifies the OpenID configuration used to validate the JWT token */
+  openId?: {
+    /** Link to the OpenID metadata url */
+    metadataUrl: string;
+  };
+  /** List of valid Base64 encoded signing keys */
+  signingKeys?: string[];
+  /** List of valie Base64 encoded decryption keys */
+  decryptionKeys?: string[];
+  /** List of valid audiences for the token */
+  audiences?: string[];
+  /** List of valid issuers for the token */
+  issuers?: string[];
+  /** List of claims that must exist within the token */
+  requiredClaims?: ApiJwtClaim[];
+}
+
+/**
+ * A JWT validation claim
+ */
+export interface ApiJwtClaim {
+  /** The name of the claim to validate */
+  name: string;
+  /** Whether the claim value must contain all or any value */
+  match: "all" | "any";
+  /** The seperator used to parse multi-valued claims */
+  separator?: string;
+  /** The values to match against */
+  values?: string[];
+}
+
+/**
+ * A IP Filter validation policy
+ */
+export interface ApiIpFilterPolicy {
+  /** Whether the policy should allow or forbid the address specification */
+  action: "allow" | "forbid";
+  addresses?: string[];
+  /** The range of IP addresses to apply to the policy */
+  addressRange?: {
+    from: string;
+    to: string;
+  };
+}