From 0c0523ecc2a8abceaad93406e71a87521ff8f2c3 Mon Sep 17 00:00:00 2001 From: Keeton Hodgson Date: Wed, 4 Dec 2019 16:33:05 -0800 Subject: [PATCH 1/4] Add support for Auth Scopes --- samtranslator/model/api/api_generator.py | 11 +- samtranslator/model/apigateway.py | 4 +- samtranslator/model/eventsources/push.py | 7 + samtranslator/swagger/swagger.py | 32 +- tests/swagger/test_swagger.py | 66 +++ .../api_with_auth_with_default_scopes.yaml | 88 ++++ .../api_with_auth_with_default_scopes.json | 399 +++++++++++++++++ .../api_with_auth_with_default_scopes.json | 407 ++++++++++++++++++ .../api_with_auth_with_default_scopes.json | 407 ++++++++++++++++++ tests/translator/test_translator.py | 1 + 10 files changed, 1413 insertions(+), 9 deletions(-) create mode 100644 tests/translator/input/api_with_auth_with_default_scopes.yaml create mode 100644 tests/translator/output/api_with_auth_with_default_scopes.json create mode 100644 tests/translator/output/aws-cn/api_with_auth_with_default_scopes.json create mode 100644 tests/translator/output/aws-us-gov/api_with_auth_with_default_scopes.json diff --git a/samtranslator/model/api/api_generator.py b/samtranslator/model/api/api_generator.py index 1caf2daf6a..7fd0812d9a 100644 --- a/samtranslator/model/api/api_generator.py +++ b/samtranslator/model/api/api_generator.py @@ -444,7 +444,8 @@ def _add_auth(self): if authorizers: swagger_editor.add_authorizers_security_definitions(authorizers) self._set_default_authorizer(swagger_editor, authorizers, auth_properties.DefaultAuthorizer, - auth_properties.AddDefaultAuthorizerToCorsPreflight) + auth_properties.AddDefaultAuthorizerToCorsPreflight, + auth_properties.Authorizers) if auth_properties.ApiKeyRequired: swagger_editor.add_apikey_security_definition() @@ -586,7 +587,8 @@ def _get_authorizers(self, authorizers_config, default_authorizer=None): function_arn=authorizer.get('FunctionArn'), identity=authorizer.get('Identity'), function_payload_type=authorizer.get('FunctionPayloadType'), - function_invoke_role=authorizer.get('FunctionInvokeRole') + function_invoke_role=authorizer.get('FunctionInvokeRole'), + authorization_scopes=authorizer.get("AuthorizationScopes") ) return authorizers @@ -636,7 +638,7 @@ def _construct_authorizer_lambda_permission(self): return permissions def _set_default_authorizer(self, swagger_editor, authorizers, default_authorizer, - add_default_auth_to_preflight=True): + add_default_auth_to_preflight=True, api_authorizers=None): if not default_authorizer: return @@ -646,7 +648,8 @@ def _set_default_authorizer(self, swagger_editor, authorizers, default_authorize for path in swagger_editor.iter_on_path(): swagger_editor.set_path_default_authorizer(path, default_authorizer, authorizers=authorizers, - add_default_auth_to_preflight=add_default_auth_to_preflight) + add_default_auth_to_preflight=add_default_auth_to_preflight, + api_authorizers=api_authorizers) def _set_default_apikey_required(self, swagger_editor): for path in swagger_editor.iter_on_path(): diff --git a/samtranslator/model/apigateway.py b/samtranslator/model/apigateway.py index b081b05988..c944e23ac7 100644 --- a/samtranslator/model/apigateway.py +++ b/samtranslator/model/apigateway.py @@ -181,7 +181,8 @@ class ApiGatewayAuthorizer(object): _VALID_FUNCTION_PAYLOAD_TYPES = [None, 'TOKEN', 'REQUEST'] def __init__(self, api_logical_id=None, name=None, user_pool_arn=None, function_arn=None, identity=None, - function_payload_type=None, function_invoke_role=None, is_aws_iam_authorizer=False): + function_payload_type=None, function_invoke_role=None, is_aws_iam_authorizer=False, + authorization_scopes=[]): if function_payload_type not in ApiGatewayAuthorizer._VALID_FUNCTION_PAYLOAD_TYPES: raise InvalidResourceException(api_logical_id, name + " Authorizer has invalid " "'FunctionPayloadType': " + function_payload_type) @@ -198,6 +199,7 @@ def __init__(self, api_logical_id=None, name=None, user_pool_arn=None, function_ self.function_payload_type = function_payload_type self.function_invoke_role = function_invoke_role self.is_aws_iam_authorizer = is_aws_iam_authorizer + self.authorization_scopes = authorization_scopes def _is_missing_identity_source(self, identity): if not identity: diff --git a/samtranslator/model/eventsources/push.py b/samtranslator/model/eventsources/push.py index ba0fcdd4c2..c86d19dc96 100644 --- a/samtranslator/model/eventsources/push.py +++ b/samtranslator/model/eventsources/push.py @@ -629,6 +629,13 @@ def _add_swagger_integration(self, api, function): 'is only a valid value when a DefaultAuthorizer on the API is specified.'.format( method=self.Method, path=self.Path)) + if self.Auth.get("AuthorizationScopes") and not isinstance(self.Auth.get("AuthorizationScopes"), list): + raise InvalidEventException( + self.relative_id, + 'Unable to set Authorizer on API method [{method}] for path [{path}] because ' + '\'AuthorizationScopes\' must be a list of strings.'.format(method=self.Method, + path=self.Path)) + apikey_required_setting = self.Auth.get('ApiKeyRequired') apikey_required_setting_is_false = apikey_required_setting is not None and not apikey_required_setting if apikey_required_setting_is_false and not api_auth.get('ApiKeyRequired'): diff --git a/samtranslator/swagger/swagger.py b/samtranslator/swagger/swagger.py index ad7fdaac43..b8d67dd4a7 100644 --- a/samtranslator/swagger/swagger.py +++ b/samtranslator/swagger/swagger.py @@ -459,7 +459,7 @@ def add_apikey_security_definition(self): self.security_definitions.update(api_key_security_definition) def set_path_default_authorizer(self, path, default_authorizer, authorizers, - add_default_auth_to_preflight=True): + add_default_auth_to_preflight=True, api_authorizers=None): """ Adds the default_authorizer to the security block for each method on this path unless an Authorizer was defined at the Function/Path/Method level. This is intended to be used to set the @@ -531,7 +531,8 @@ def set_path_default_authorizer(self, path, default_authorizer, authorizers, # No existing Authorizer found; use default else: security_dict = {} - security_dict[default_authorizer] = [] + security_dict[default_authorizer] = self._get_authorization_scopes(api_authorizers, + default_authorizer) authorizer_security = [security_dict] security = existing_non_authorizer_security + authorizer_security @@ -622,14 +623,17 @@ def add_auth_to_method(self, path, method_name, auth, api): :param dict api: Reference to the related Api's properties as defined in the template. """ method_authorizer = auth and auth.get('Authorizer') + method_scopes = auth and auth.get('AuthorizationScopes') + api_auth = api and api.get('Auth') + authorizers = api_auth and api_auth.get('Authorizers') if method_authorizer: - self._set_method_authorizer(path, method_name, method_authorizer) + self._set_method_authorizer(path, method_name, method_authorizer, authorizers, method_scopes) method_apikey_required = auth and auth.get('ApiKeyRequired') if method_apikey_required is not None: self._set_method_apikey_handling(path, method_name, method_apikey_required) - def _set_method_authorizer(self, path, method_name, authorizer_name): + def _set_method_authorizer(self, path, method_name, authorizer_name, authorizers={}, method_scopes=None): """ Adds the authorizer_name to the security block for each method on this path. This is used to configure the authorizer for individual functions. @@ -656,6 +660,13 @@ def _set_method_authorizer(self, path, method_name, authorizer_name): # This assumes there are no autorizers already configured in the existing security block security = existing_security + authorizer_security + if authorizer_name != 'NONE' and authorizers: + method_auth_scopes = authorizers.get(authorizer_name, {}).get("AuthorizationScopes") + if method_scopes is not None: + method_auth_scopes = method_scopes + if authorizers.get(authorizer_name) is not None and method_auth_scopes is not None: + security_dict[authorizer_name] = method_auth_scopes + if security: method_definition['security'] = security @@ -1100,6 +1111,19 @@ def gen_skeleton(): } } + @staticmethod + def _get_authorization_scopes(authorizers, default_authorizer): + """ + Returns auth scopes for an authorizer if present + :param authorizers: authorizer definitions + :param default_authorizer: name of the default authorizer + """ + if authorizers is not None: + if authorizers.get(default_authorizer) \ + and authorizers[default_authorizer].get("AuthorizationScopes") is not None: + return authorizers[default_authorizer].get("AuthorizationScopes") + return [] + @staticmethod def _normalize_method_name(method): """ diff --git a/tests/swagger/test_swagger.py b/tests/swagger/test_swagger.py index 86fe65b514..c85cbbeeec 100644 --- a/tests/swagger/test_swagger.py +++ b/tests/swagger/test_swagger.py @@ -1791,3 +1791,69 @@ def test_must_add_iam_allow_and_custom(self): } self.assertEqual(deep_sort_lists(expected), deep_sort_lists(self.editor.swagger[_X_POLICY])) + +class TestSwaggerEditor_add_authorization_scopes(TestCase): + def setUp(self): + self.api = api = { + 'Auth':{ + 'Authorizers': { + 'MyOtherCognitoAuth':{}, + 'MyCognitoAuth': {} + }, + 'DefaultAuthorizer': "MyCognitoAuth" + } + } + self.editor = SwaggerEditor({ + "swagger": "2.0", + "paths": { + "/cognito": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [], + "responses": {} + } + }, + } + }) + + def test_should_include_auth_scopes_if_defined_with_authorizer(self): + auth = { + 'AuthorizationScopes': ["ResourceName/method.scope"], + 'Authorizer':"MyOtherCognitoAuth" + } + self.editor.add_auth_to_method("/cognito", "get", auth, self.api) + self.assertEqual([{"MyOtherCognitoAuth": ["ResourceName/method.scope"]}], + self.editor.swagger["paths"]["/cognito"]["get"]["security"]) + + def test_should_include_auth_scopes_with_default_authorizer(self): + auth = { + 'AuthorizationScopes': ["ResourceName/method.scope"], + 'Authorizer': 'MyCognitoAuth' + } + self.editor.add_auth_to_method("/cognito", "get", auth, self.api) + self.assertEqual([{"MyCognitoAuth": ["ResourceName/method.scope"]}], + self.editor.swagger["paths"]["/cognito"]["get"]["security"]) + + def test_should_include_only_specified_authorizer_auth_if_no_scopes_defined(self): + auth = { + 'Authorizer':"MyOtherCognitoAuth" + } + self.editor.add_auth_to_method("/cognito", "get", auth, self.api) + self.assertEqual([{"MyOtherCognitoAuth": []}], + self.editor.swagger["paths"]["/cognito"]["get"]["security"]) + + def test_should_include_none_if_default_is_overwritte(self): + auth = { + 'Authorizer':"NONE" + } + + self.editor.add_auth_to_method("/cognito", "get", auth, self.api) + self.assertEqual([{"NONE": []}], + self.editor.swagger["paths"]["/cognito"]["get"]["security"]) + diff --git a/tests/translator/input/api_with_auth_with_default_scopes.yaml b/tests/translator/input/api_with_auth_with_default_scopes.yaml new file mode 100644 index 0000000000..574c98d5c6 --- /dev/null +++ b/tests/translator/input/api_with_auth_with_default_scopes.yaml @@ -0,0 +1,88 @@ +Resources: + MyApiWithCognitoAuth: + Type: "AWS::Serverless::Api" + Properties: + StageName: Prod + Auth: + DefaultAuthorizer: MyDefaultCognitoAuth + Authorizers: + MyDefaultCognitoAuth: + UserPoolArn: arn:aws:1 + AuthorizationScopes: + - default.write + - default.read + MyCognitoAuthWithDefaultScopes: + UserPoolArn: arn:aws:2 + AuthorizationScopes: + - default.delete + - default.update + + MyFn: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://bucket/key + Handler: index.handler + Runtime: nodejs8.10 + Events: + CognitoAuthorizerWithDefaultScopes: + Type: Api + Properties: + RestApiId: !Ref MyApiWithCognitoAuth + Method: get + Path: /cognitoauthorizerwithdefaultscopes + Auth: + Authorizer: MyCognitoAuthWithDefaultScopes + CognitoDefaultScopesDefaultAuthorizer: + Type: Api + Properties: + RestApiId: !Ref MyApiWithCognitoAuth + Method: get + Path: /cognitodefaultscopesdefaultauthorizer + CognitoWithAuthNone: + Type: Api + Properties: + RestApiId: !Ref MyApiWithCognitoAuth + Method: get + Path: /cognitowithauthnone + Auth: + Authorizer: NONE + CognitoDefaultScopesWithOverwritten: + Type: Api + Properties: + RestApiId: !Ref MyApiWithCognitoAuth + Method: get + Path: /cognitodefaultscopesoverwritten + Auth: + Authorizer: MyDefaultCognitoAuth + AuthorizationScopes: + - overwritten.read + - overwritten.write + CognitoAuthorizerScopesOverwritten: + Type: Api + Properties: + RestApiId: !Ref MyApiWithCognitoAuth + Method: get + Path: /cognitoauthorizercopesoverwritten + Auth: + Authorizer: MyCognitoAuthWithDefaultScopes + AuthorizationScopes: + - overwritten.read + - overwritten.write + CognitoDefaultScopesNone: + Type: Api + Properties: + RestApiId: !Ref MyApiWithCognitoAuth + Method: get + Path: /cognitodefaultscopesnone + Auth: + Authorizer: MyDefaultCognitoAuth + AuthorizationScopes: [] + CognitoDefaultAuythDefaultScopesNone: + Type: Api + Properties: + RestApiId: !Ref MyApiWithCognitoAuth + Method: get + Path: /cognitodefaultauthdefaultscopesnone + Auth: + Authorizer: MyCognitoAuthWithDefaultScopes + AuthorizationScopes: [] diff --git a/tests/translator/output/api_with_auth_with_default_scopes.json b/tests/translator/output/api_with_auth_with_default_scopes.json new file mode 100644 index 0000000000..98321f6c70 --- /dev/null +++ b/tests/translator/output/api_with_auth_with_default_scopes.json @@ -0,0 +1,399 @@ +{ + "Resources": { + "MyApiWithCognitoAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/cognitowithauthnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "NONE": [] + } + ], + "responses": {} + } + }, + "/cognitodefaultauthdefaultscopesnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [] + } + ], + "responses": {} + } + }, + "/cognitoauthorizerwithdefaultscopes": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [ + "default.delete", + "default.update" + ] + } + ], + "responses": {} + } + }, + "/cognitoauthorizercopesoverwritten": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [ + "overwritten.read", + "overwritten.write" + ] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesoverwritten": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [ + "overwritten.read", + "overwritten.write" + ] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesdefaultauthorizer": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [ + "default.write", + "default.read" + ] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyCognitoAuthWithDefaultScopes": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + "arn:aws:2" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyDefaultCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + } + } + } + } + }, + "MyFnCognitoDefaultScopesNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyApiWithCognitoAuthDeployment442cfe5207": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "Description": "RestApi deployment id: 442cfe52072a3a5798bee91fd7ffb9d9ac76b9ca", + "StageName": "Stage" + } + }, + "MyFnCognitoAuthorizerWithDefaultScopesPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizerwithdefaultscopes", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoDefaultAuythDefaultScopesNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultauthdefaultscopesnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoDefaultScopesDefaultAuthorizerPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesdefaultauthorizer", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoAuthorizerScopesOverwrittenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizercopesoverwritten", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFnCognitoWithAuthNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitowithauthnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyApiWithCognitoAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithCognitoAuthDeployment442cfe5207" + }, + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "StageName": "Prod" + } + }, + "MyFn": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFnRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFnCognitoDefaultScopesWithOverwrittenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesoverwritten", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + } + } +} diff --git a/tests/translator/output/aws-cn/api_with_auth_with_default_scopes.json b/tests/translator/output/aws-cn/api_with_auth_with_default_scopes.json new file mode 100644 index 0000000000..1249ab0b4a --- /dev/null +++ b/tests/translator/output/aws-cn/api_with_auth_with_default_scopes.json @@ -0,0 +1,407 @@ +{ + "Resources": { + "MyApiWithCognitoAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/cognitowithauthnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "NONE": [] + } + ], + "responses": {} + } + }, + "/cognitodefaultauthdefaultscopesnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [] + } + ], + "responses": {} + } + }, + "/cognitoauthorizerwithdefaultscopes": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [ + "default.delete", + "default.update" + ] + } + ], + "responses": {} + } + }, + "/cognitoauthorizercopesoverwritten": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [ + "overwritten.read", + "overwritten.write" + ] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesoverwritten": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [ + "overwritten.read", + "overwritten.write" + ] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesdefaultauthorizer": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [ + "default.write", + "default.read" + ] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyCognitoAuthWithDefaultScopes": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + "arn:aws:2" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyDefaultCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyFnCognitoDefaultScopesNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoAuthorizerWithDefaultScopesPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizerwithdefaultscopes", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoDefaultAuythDefaultScopesNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultauthdefaultscopesnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyApiWithCognitoAuthDeploymentcddf4840d1": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "Description": "RestApi deployment id: cddf4840d137b720341f7a44922956a392747061", + "StageName": "Stage" + } + }, + "MyFnCognitoDefaultScopesDefaultAuthorizerPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesdefaultauthorizer", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoAuthorizerScopesOverwrittenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizercopesoverwritten", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFnCognitoWithAuthNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitowithauthnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyApiWithCognitoAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithCognitoAuthDeploymentcddf4840d1" + }, + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "StageName": "Prod" + } + }, + "MyFn": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFnRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFnCognitoDefaultScopesWithOverwrittenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesoverwritten", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + } + } +} diff --git a/tests/translator/output/aws-us-gov/api_with_auth_with_default_scopes.json b/tests/translator/output/aws-us-gov/api_with_auth_with_default_scopes.json new file mode 100644 index 0000000000..cac29d6abb --- /dev/null +++ b/tests/translator/output/aws-us-gov/api_with_auth_with_default_scopes.json @@ -0,0 +1,407 @@ +{ + "Resources": { + "MyApiWithCognitoAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/cognitowithauthnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "NONE": [] + } + ], + "responses": {} + } + }, + "/cognitodefaultauthdefaultscopesnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [] + } + ], + "responses": {} + } + }, + "/cognitoauthorizerwithdefaultscopes": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [ + "default.delete", + "default.update" + ] + } + ], + "responses": {} + } + }, + "/cognitoauthorizercopesoverwritten": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [ + "overwritten.read", + "overwritten.write" + ] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesoverwritten": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [ + "overwritten.read", + "overwritten.write" + ] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesdefaultauthorizer": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [ + "default.write", + "default.read" + ] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyCognitoAuthWithDefaultScopes": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + "arn:aws:2" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyDefaultCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyFnCognitoDefaultScopesNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoAuthorizerWithDefaultScopesPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizerwithdefaultscopes", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoDefaultAuythDefaultScopesNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultauthdefaultscopesnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoDefaultScopesDefaultAuthorizerPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesdefaultauthorizer", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoAuthorizerScopesOverwrittenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizercopesoverwritten", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyApiWithCognitoAuthDeploymentba9bfa6490": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "Description": "RestApi deployment id: ba9bfa649000ecc8dd6b649807472d08fe19ec39", + "StageName": "Stage" + } + }, + "MyFnRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFnCognitoWithAuthNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitowithauthnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyApiWithCognitoAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithCognitoAuthDeploymentba9bfa6490" + }, + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "StageName": "Prod" + } + }, + "MyFn": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFnRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFnCognitoDefaultScopesWithOverwrittenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesoverwritten", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + } + } +} diff --git a/tests/translator/test_translator.py b/tests/translator/test_translator.py index eb3b443146..3d3716764c 100644 --- a/tests/translator/test_translator.py +++ b/tests/translator/test_translator.py @@ -159,6 +159,7 @@ class TestTranslatorEndToEnd(TestCase): 'api_with_auth_all_maximum', 'api_with_auth_all_minimum', 'api_with_auth_no_default', + 'api_with_auth_with_default_scopes', 'api_with_default_aws_iam_auth', 'api_with_default_aws_iam_auth_and_no_auth_route', 'api_with_method_aws_iam_auth', From ec25005e544855a7468c3dbd74bb4a5dbcca171e Mon Sep 17 00:00:00 2001 From: Keeton Hodgson Date: Wed, 4 Dec 2019 21:16:01 -0800 Subject: [PATCH 2/4] Add auth scopes to github docs --- versions/2016-10-31.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/versions/2016-10-31.md b/versions/2016-10-31.md index 917ea816a6..5ce65143a9 100644 --- a/versions/2016-10-31.md +++ b/versions/2016-10-31.md @@ -909,6 +909,8 @@ Auth: Authorizers: MyCognitoAuth: UserPoolArn: !GetAtt MyCognitoUserPool.Arn # Can also accept an array + AuthorizationScopes: + - scope1 # List of authorization scopes Identity: # OPTIONAL Header: MyAuthorizationHeader # OPTIONAL; Default: 'Authorization' ValidationExpression: myauthvalidationexpression # OPTIONAL @@ -974,6 +976,9 @@ Configure Auth for a specific Api+Path+Method. ```yaml Auth: Authorizer: MyCognitoAuth # OPTIONAL, if you use IAM permissions in each functions, specify AWS_IAM. + AuthorizationScopes: # OPTIONAL + - scope1 + - scope2 ``` If you have specified a Global Authorizer on the API and want to make a specific Function public, override with the following: From 4e8153d0d2750681f79f21db6f9aaa152362e497 Mon Sep 17 00:00:00 2001 From: Keeton Hodgson Date: Thu, 5 Dec 2019 12:01:26 -0800 Subject: [PATCH 3/4] Fix typo --- tests/translator/input/api_with_auth_with_default_scopes.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/translator/input/api_with_auth_with_default_scopes.yaml b/tests/translator/input/api_with_auth_with_default_scopes.yaml index 574c98d5c6..6eabe9d676 100644 --- a/tests/translator/input/api_with_auth_with_default_scopes.yaml +++ b/tests/translator/input/api_with_auth_with_default_scopes.yaml @@ -77,7 +77,7 @@ Resources: Auth: Authorizer: MyDefaultCognitoAuth AuthorizationScopes: [] - CognitoDefaultAuythDefaultScopesNone: + CognitoDefaultAuthDefaultScopesNone: Type: Api Properties: RestApiId: !Ref MyApiWithCognitoAuth From b8943c67f7a30f36c86dfc550a3477d68a793a72 Mon Sep 17 00:00:00 2001 From: Keeton Hodgson Date: Thu, 5 Dec 2019 12:19:42 -0800 Subject: [PATCH 4/4] Update tests, add openapi 3.0.1 test --- ...with_auth_with_default_scopes_openapi.yaml | 89 ++++ .../api_with_auth_with_default_scopes.json | 8 +- ...with_auth_with_default_scopes_openapi.json | 400 +++++++++++++++++ .../api_with_auth_with_default_scopes.json | 8 +- ...with_auth_with_default_scopes_openapi.json | 408 ++++++++++++++++++ .../api_with_auth_with_default_scopes.json | 8 +- ...with_auth_with_default_scopes_openapi.json | 408 ++++++++++++++++++ tests/translator/test_translator.py | 1 + 8 files changed, 1318 insertions(+), 12 deletions(-) create mode 100644 tests/translator/input/api_with_auth_with_default_scopes_openapi.yaml create mode 100644 tests/translator/output/api_with_auth_with_default_scopes_openapi.json create mode 100644 tests/translator/output/aws-cn/api_with_auth_with_default_scopes_openapi.json create mode 100644 tests/translator/output/aws-us-gov/api_with_auth_with_default_scopes_openapi.json diff --git a/tests/translator/input/api_with_auth_with_default_scopes_openapi.yaml b/tests/translator/input/api_with_auth_with_default_scopes_openapi.yaml new file mode 100644 index 0000000000..421c9ce80b --- /dev/null +++ b/tests/translator/input/api_with_auth_with_default_scopes_openapi.yaml @@ -0,0 +1,89 @@ +Resources: + MyApiWithCognitoAuth: + Type: "AWS::Serverless::Api" + Properties: + StageName: Prod + OpenApiVersion: '3.0.1' + Auth: + DefaultAuthorizer: MyDefaultCognitoAuth + Authorizers: + MyDefaultCognitoAuth: + UserPoolArn: arn:aws:1 + AuthorizationScopes: + - default.write + - default.read + MyCognitoAuthWithDefaultScopes: + UserPoolArn: arn:aws:2 + AuthorizationScopes: + - default.delete + - default.update + + MyFn: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://bucket/key + Handler: index.handler + Runtime: nodejs8.10 + Events: + CognitoAuthorizerWithDefaultScopes: + Type: Api + Properties: + RestApiId: !Ref MyApiWithCognitoAuth + Method: get + Path: /cognitoauthorizerwithdefaultscopes + Auth: + Authorizer: MyCognitoAuthWithDefaultScopes + CognitoDefaultScopesDefaultAuthorizer: + Type: Api + Properties: + RestApiId: !Ref MyApiWithCognitoAuth + Method: get + Path: /cognitodefaultscopesdefaultauthorizer + CognitoWithAuthNone: + Type: Api + Properties: + RestApiId: !Ref MyApiWithCognitoAuth + Method: get + Path: /cognitowithauthnone + Auth: + Authorizer: NONE + CognitoDefaultScopesWithOverwritten: + Type: Api + Properties: + RestApiId: !Ref MyApiWithCognitoAuth + Method: get + Path: /cognitodefaultscopesoverwritten + Auth: + Authorizer: MyDefaultCognitoAuth + AuthorizationScopes: + - overwritten.read + - overwritten.write + CognitoAuthorizerScopesOverwritten: + Type: Api + Properties: + RestApiId: !Ref MyApiWithCognitoAuth + Method: get + Path: /cognitoauthorizercopesoverwritten + Auth: + Authorizer: MyCognitoAuthWithDefaultScopes + AuthorizationScopes: + - overwritten.read + - overwritten.write + CognitoDefaultScopesNone: + Type: Api + Properties: + RestApiId: !Ref MyApiWithCognitoAuth + Method: get + Path: /cognitodefaultscopesnone + Auth: + Authorizer: MyDefaultCognitoAuth + AuthorizationScopes: [] + CognitoDefaultAuthDefaultScopesNone: + Type: Api + Properties: + RestApiId: !Ref MyApiWithCognitoAuth + Method: get + Path: /cognitodefaultauthdefaultscopesnone + Auth: + Authorizer: MyCognitoAuthWithDefaultScopes + AuthorizationScopes: [] diff --git a/tests/translator/output/api_with_auth_with_default_scopes.json b/tests/translator/output/api_with_auth_with_default_scopes.json index 98321f6c70..7e23688b29 100644 --- a/tests/translator/output/api_with_auth_with_default_scopes.json +++ b/tests/translator/output/api_with_auth_with_default_scopes.json @@ -204,7 +204,7 @@ "StageName": "Stage" } }, - "MyFnCognitoAuthorizerWithDefaultScopesPermissionProd": { + "MyFnCognitoDefaultAuthDefaultScopesNonePermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:invokeFunction", @@ -214,7 +214,7 @@ }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizerwithdefaultscopes", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultauthdefaultscopesnone", { "__Stage__": "*", "__ApiId__": { @@ -225,7 +225,7 @@ } } }, - "MyFnCognitoDefaultAuythDefaultScopesNonePermissionProd": { + "MyFnCognitoAuthorizerWithDefaultScopesPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:invokeFunction", @@ -235,7 +235,7 @@ }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultauthdefaultscopesnone", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizerwithdefaultscopes", { "__Stage__": "*", "__ApiId__": { diff --git a/tests/translator/output/api_with_auth_with_default_scopes_openapi.json b/tests/translator/output/api_with_auth_with_default_scopes_openapi.json new file mode 100644 index 0000000000..46a3186140 --- /dev/null +++ b/tests/translator/output/api_with_auth_with_default_scopes_openapi.json @@ -0,0 +1,400 @@ +{ + "Resources": { + "MyApiWithCognitoAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/cognitowithauthnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "NONE": [] + } + ], + "responses": {} + } + }, + "/cognitodefaultauthdefaultscopesnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [] + } + ], + "responses": {} + } + }, + "/cognitoauthorizerwithdefaultscopes": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [ + "default.delete", + "default.update" + ] + } + ], + "responses": {} + } + }, + "/cognitoauthorizercopesoverwritten": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [ + "overwritten.read", + "overwritten.write" + ] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesoverwritten": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [ + "overwritten.read", + "overwritten.write" + ] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesdefaultauthorizer": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [ + "default.write", + "default.read" + ] + } + ], + "responses": {} + } + } + }, + "openapi": "3.0.1", + "components": { + "securitySchemes": { + "MyCognitoAuthWithDefaultScopes": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + "arn:aws:2" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyDefaultCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + } + } + } + } + } + }, + "MyFnCognitoDefaultScopesNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoDefaultAuthDefaultScopesNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultauthdefaultscopesnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoAuthorizerWithDefaultScopesPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizerwithdefaultscopes", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoDefaultScopesDefaultAuthorizerPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesdefaultauthorizer", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoAuthorizerScopesOverwrittenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizercopesoverwritten", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyApiWithCognitoAuthDeployment85cd9eefb8": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "Description": "RestApi deployment id: 85cd9eefb8a3340e269379417aec51cb16416c4f" + } + }, + "MyFnRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFnCognitoWithAuthNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitowithauthnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyApiWithCognitoAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithCognitoAuthDeployment85cd9eefb8" + }, + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "StageName": "Prod" + } + }, + "MyFn": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFnRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFnCognitoDefaultScopesWithOverwrittenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesoverwritten", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + } + } +} diff --git a/tests/translator/output/aws-cn/api_with_auth_with_default_scopes.json b/tests/translator/output/aws-cn/api_with_auth_with_default_scopes.json index 1249ab0b4a..cfa879b23f 100644 --- a/tests/translator/output/aws-cn/api_with_auth_with_default_scopes.json +++ b/tests/translator/output/aws-cn/api_with_auth_with_default_scopes.json @@ -202,7 +202,7 @@ } } }, - "MyFnCognitoAuthorizerWithDefaultScopesPermissionProd": { + "MyFnCognitoDefaultAuthDefaultScopesNonePermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:invokeFunction", @@ -212,7 +212,7 @@ }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizerwithdefaultscopes", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultauthdefaultscopesnone", { "__Stage__": "*", "__ApiId__": { @@ -223,7 +223,7 @@ } } }, - "MyFnCognitoDefaultAuythDefaultScopesNonePermissionProd": { + "MyFnCognitoAuthorizerWithDefaultScopesPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:invokeFunction", @@ -233,7 +233,7 @@ }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultauthdefaultscopesnone", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizerwithdefaultscopes", { "__Stage__": "*", "__ApiId__": { diff --git a/tests/translator/output/aws-cn/api_with_auth_with_default_scopes_openapi.json b/tests/translator/output/aws-cn/api_with_auth_with_default_scopes_openapi.json new file mode 100644 index 0000000000..1e257059cd --- /dev/null +++ b/tests/translator/output/aws-cn/api_with_auth_with_default_scopes_openapi.json @@ -0,0 +1,408 @@ +{ + "Resources": { + "MyApiWithCognitoAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/cognitowithauthnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "NONE": [] + } + ], + "responses": {} + } + }, + "/cognitodefaultauthdefaultscopesnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [] + } + ], + "responses": {} + } + }, + "/cognitoauthorizerwithdefaultscopes": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [ + "default.delete", + "default.update" + ] + } + ], + "responses": {} + } + }, + "/cognitoauthorizercopesoverwritten": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [ + "overwritten.read", + "overwritten.write" + ] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesoverwritten": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [ + "overwritten.read", + "overwritten.write" + ] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesdefaultauthorizer": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [ + "default.write", + "default.read" + ] + } + ], + "responses": {} + } + } + }, + "openapi": "3.0.1", + "components": { + "securitySchemes": { + "MyCognitoAuthWithDefaultScopes": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + "arn:aws:2" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyDefaultCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + } + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyFnCognitoDefaultScopesNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoDefaultAuthDefaultScopesNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultauthdefaultscopesnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoAuthorizerWithDefaultScopesPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizerwithdefaultscopes", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoDefaultScopesDefaultAuthorizerPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesdefaultauthorizer", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoAuthorizerScopesOverwrittenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizercopesoverwritten", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyApiWithCognitoAuthDeployment815f0fba0e": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "Description": "RestApi deployment id: 815f0fba0e3496a1f5576f705305124b291b7c03" + } + }, + "MyFnRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFnCognitoWithAuthNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitowithauthnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyApiWithCognitoAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithCognitoAuthDeployment815f0fba0e" + }, + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "StageName": "Prod" + } + }, + "MyFn": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFnRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFnCognitoDefaultScopesWithOverwrittenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesoverwritten", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + } + } +} diff --git a/tests/translator/output/aws-us-gov/api_with_auth_with_default_scopes.json b/tests/translator/output/aws-us-gov/api_with_auth_with_default_scopes.json index cac29d6abb..589283d2c6 100644 --- a/tests/translator/output/aws-us-gov/api_with_auth_with_default_scopes.json +++ b/tests/translator/output/aws-us-gov/api_with_auth_with_default_scopes.json @@ -202,7 +202,7 @@ } } }, - "MyFnCognitoAuthorizerWithDefaultScopesPermissionProd": { + "MyFnCognitoDefaultAuthDefaultScopesNonePermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:invokeFunction", @@ -212,7 +212,7 @@ }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizerwithdefaultscopes", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultauthdefaultscopesnone", { "__Stage__": "*", "__ApiId__": { @@ -223,7 +223,7 @@ } } }, - "MyFnCognitoDefaultAuythDefaultScopesNonePermissionProd": { + "MyFnCognitoAuthorizerWithDefaultScopesPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:invokeFunction", @@ -233,7 +233,7 @@ }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultauthdefaultscopesnone", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizerwithdefaultscopes", { "__Stage__": "*", "__ApiId__": { diff --git a/tests/translator/output/aws-us-gov/api_with_auth_with_default_scopes_openapi.json b/tests/translator/output/aws-us-gov/api_with_auth_with_default_scopes_openapi.json new file mode 100644 index 0000000000..a1a8b0c690 --- /dev/null +++ b/tests/translator/output/aws-us-gov/api_with_auth_with_default_scopes_openapi.json @@ -0,0 +1,408 @@ +{ + "Resources": { + "MyApiWithCognitoAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/cognitowithauthnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "NONE": [] + } + ], + "responses": {} + } + }, + "/cognitodefaultauthdefaultscopesnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesnone": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [] + } + ], + "responses": {} + } + }, + "/cognitoauthorizerwithdefaultscopes": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [ + "default.delete", + "default.update" + ] + } + ], + "responses": {} + } + }, + "/cognitoauthorizercopesoverwritten": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuthWithDefaultScopes": [ + "overwritten.read", + "overwritten.write" + ] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesoverwritten": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [ + "overwritten.read", + "overwritten.write" + ] + } + ], + "responses": {} + } + }, + "/cognitodefaultscopesdefaultauthorizer": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyDefaultCognitoAuth": [ + "default.write", + "default.read" + ] + } + ], + "responses": {} + } + } + }, + "openapi": "3.0.1", + "components": { + "securitySchemes": { + "MyCognitoAuthWithDefaultScopes": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + "arn:aws:2" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyDefaultCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + } + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyFnCognitoDefaultScopesNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoDefaultAuthDefaultScopesNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultauthdefaultscopesnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoAuthorizerWithDefaultScopesPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizerwithdefaultscopes", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyApiWithCognitoAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithCognitoAuthDeploymentddb4f4405b" + }, + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "StageName": "Prod" + } + }, + "MyFnCognitoDefaultScopesDefaultAuthorizerPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesdefaultauthorizer", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnCognitoAuthorizerScopesOverwrittenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitoauthorizercopesoverwritten", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyFnRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFnCognitoWithAuthNonePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitowithauthnone", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + }, + "MyApiWithCognitoAuthDeploymentddb4f4405b": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "Description": "RestApi deployment id: ddb4f4405befb5324c4f18cdc69c3dd8489bc520" + } + }, + "MyFn": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFnRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFnCognitoDefaultScopesWithOverwrittenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognitodefaultscopesoverwritten", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } + } + } + } +} diff --git a/tests/translator/test_translator.py b/tests/translator/test_translator.py index 3d3716764c..c92fdd4f56 100644 --- a/tests/translator/test_translator.py +++ b/tests/translator/test_translator.py @@ -160,6 +160,7 @@ class TestTranslatorEndToEnd(TestCase): 'api_with_auth_all_minimum', 'api_with_auth_no_default', 'api_with_auth_with_default_scopes', + 'api_with_auth_with_default_scopes_openapi', 'api_with_default_aws_iam_auth', 'api_with_default_aws_iam_auth_and_no_auth_route', 'api_with_method_aws_iam_auth',