
fix(cognito): UserPoolDomain.baseUrl() does not return FIPS-compliant…
… url for gov cloud regions (aws#20200)

This ensures that users in GovCloud can retrieve a URL that works in
their region and allows users in us-{east,west}-{1,2} to also use the
FIPS endpoints.

Partially discussed in aws#20182.

Resolves aws#12500

----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
laurelmay authored and wphilipw committed May 23, 2022
1 parent 796e1ee commit c9f355b
Showing 2 changed files with 76 additions and 5 deletions.
25 changes: 20 additions & 5 deletions packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts
Expand Up @@ -152,18 +152,21 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {

/**
* The URL to the hosted UI associated with this domain
*
* @param options options to customize baseUrl
*/
public baseUrl(): string {
public baseUrl(options?: BaseUrlOptions): string {
if (this.isCognitoDomain) {
return `https://${this.domainName}.auth.${Stack.of(this).region}.amazoncognito.com`;
const authDomain = 'auth' + (options?.fips ? '-fips' : '');
return `https://${this.domainName}.${authDomain}.${Stack.of(this).region}.amazoncognito.com`;
}
return `https://${this.domainName}`;
}

/**
* The URL to the sign in page in this domain using a specific UserPoolClient
* @param client [disable-awslint:ref-via-interface] the user pool client that the UI will use to interact with the UserPool
* @param options options to customize the behaviour of this method.
* @param options options to customize signInUrl.
*/
public signInUrl(client: UserPoolClient, options: SignInUrlOptions): string {
let responseType: string;
Expand All @@ -175,14 +178,26 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
throw new Error('signInUrl is not supported for clients without authorizationCodeGrant or implicitCodeGrant flow enabled');
}
const path = options.signInPath ?? '/login';
return `${this.baseUrl()}${path}?client_id=${client.userPoolClientId}&response_type=${responseType}&redirect_uri=${options.redirectUri}`;
return `${this.baseUrl(options)}${path}?client_id=${client.userPoolClientId}&response_type=${responseType}&redirect_uri=${options.redirectUri}`;
}
}

/**
* Options to customize the behaviour of `baseUrl()`
*/
export interface BaseUrlOptions {
/**
* Whether to return the FIPS-compliant endpoint
*
* @default return the standard URL
*/
readonly fips?: boolean;
}

/**
* Options to customize the behaviour of `signInUrl()`
*/
export interface SignInUrlOptions {
export interface SignInUrlOptions extends BaseUrlOptions {
/**
* Where to redirect to after sign in
*/
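Review bot: The `fips` option is silently ignored on the custom-domain branch of `baseUrl()` — `return \`https://${this.domainName}\`;` runs whether or not `options?.fips` is set — so a caller that asks for the FIPS endpoint on a custom domain gets a URL with nothing signalling that the request had no effect. For a compliance-driven flag that belongs in the contract: on `BaseUrlOptions.fips` I would add `Only applies to Cognito-hosted domains; for custom domains the flag is ignored and the custom domain is returned unchanged.`, and repeat the sentence on `baseUrl()`'s `@param options` line. Because `SignInUrlOptions` now extends `BaseUrlOptions` and `signInUrl()` forwards its whole `options` object, the same caveat applies there. The region restriction the commit message describes (GovCloud and the us-east/us-west regions) cannot be enforced in this method since `Stack.of(this).region` is typically an unresolved token at synth time, so the documentation is also the place to state that the `auth-fips` host only resolves in regions that publish it.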
56 changes: 56 additions & 0 deletions packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts
Expand Up @@ -164,6 +164,62 @@ describe('User Pool Client', () => {
Template.fromStack(stack).resourceCountIs('AWS::Cognito::UserPoolDomain', 0);
});

describe('baseUrl', () => {
test('returns the expected standard URL', () => {
// GIVEN
const stack = new Stack();
const pool = new UserPool(stack, 'Pool');
const domain = pool.addDomain('Domain', {
cognitoDomain: {
domainPrefix: 'cognito-domain-prefix',
},
});

// WHEN
const baseUrl = domain.baseUrl();

// THEN
expect(stack.resolve(baseUrl)).toEqual({
'Fn::Join': [
'', [
'https://',
{ Ref: 'PoolDomainCFC71F56' },
'.auth.',
{ Ref: 'AWS::Region' },
'.amazoncognito.com',
],
],
});
});

test('returns the expected FIPS-compliant endpoint URL', () => {
// GIVEN
const stack = new Stack();
const pool = new UserPool(stack, 'Pool');
const domain = pool.addDomain('Domain', {
cognitoDomain: {
domainPrefix: 'cognito-domain-prefix',
},
});

// WHEN
const baseUrl = domain.baseUrl({ fips: true });

// THEN
expect(stack.resolve(baseUrl)).toEqual({
'Fn::Join': [
'', [
'https://',
{ Ref: 'PoolDomainCFC71F56' },
'.auth-fips.',
{ Ref: 'AWS::Region' },
'.amazoncognito.com',
],
],
});
});
});

describe('signInUrl', () => {
test('returns the expected URL', () => {
// GIVEN
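Review bot: Both new `baseUrl` tests exercise only the Cognito-hosted branch, so the custom-domain path — where `baseUrl({ fips: true })` returns the plain `https://${this.domainName}` regardless of the flag — and the forwarding of `fips` through `signInUrl()` are both unasserted. I would add one case that builds the domain with `customDomain` and checks that `baseUrl({ fips: true })` resolves to the same value as `baseUrl()`, and one `signInUrl` case passing `fips: true` that asserts the joined host contains `.auth-fips.`; the certificate and client fixtures those need live in the existing tests past the end of this hunk, so I have not reproduced them here. The two visible tests also share an identical GIVEN block, which could be hoisted into a small local helper to keep the `describe` readable.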
