Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add authorization scopes support for cognito user pool integration #6000

Merged
merged 2 commits into from
Apr 24, 2019
Merged

Add authorization scopes support for cognito user pool integration #6000

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
39e3089
Add authorization scopes support for cognito user pool integration
Apr 5, 2019
cabed40
Scope example ...
Apr 8, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
10 changes: 6 additions & 4 deletions docs/providers/aws/events/apigateway.md
View file
Open in desktop
Original file line number Original file line Diff line number Diff line change
Expand Up @@ -279,7 +279,7 @@ functions:
maxAge: 86400 maxAge: 86400
``` ```


If you are using CloudFront or another CDN for your API Gateway, you may want to setup a `Cache-Control` header to allow for OPTIONS request to be cached to avoid the additional hop. If you are using CloudFront or another CDN for your API Gateway, you may want to setup a `Cache-Control` header to allow for OPTIONS request to be cached to avoid the additional hop.


To enable the `Cache-Control` header on preflight response, set the `cacheControl` property in the `cors` object: To enable the `Cache-Control` header on preflight response, set the `cacheControl` property in the `cors` object:


Expand Down Expand Up @@ -446,7 +446,7 @@ functions:
``` ```


You can also configure an existing Cognito User Pool as the authorizer, as shown You can also configure an existing Cognito User Pool as the authorizer, as shown
in the following example: in the following example with optional access token allowed scopes:


```yml ```yml
functions: functions:
Expand All @@ -458,6 +458,8 @@ functions:
method: post method: post
authorizer: authorizer:
arn: arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ arn: arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ
scopes:
- my-app/read
``` ```


If you are using the default `lambda-proxy` integration, your attributes will be If you are using the default `lambda-proxy` integration, your attributes will be
Expand Down Expand Up @@ -1242,7 +1244,7 @@ functions:
events: events:
- http: - http:
path: /users path: /users
... ...
authorizer: authorizer:
# Provide both type and authorizerId # Provide both type and authorizerId
type: COGNITO_USER_POOLS # TOKEN or REQUEST or COGNITO_USER_POOLS, same as AWS Cloudformation documentation type: COGNITO_USER_POOLS # TOKEN or REQUEST or COGNITO_USER_POOLS, same as AWS Cloudformation documentation
Expand All @@ -1254,7 +1256,7 @@ functions:
events: events:
- http: - http:
path: /users/{userId} path: /users/{userId}
... ...
# Provide both type and authorizerId # Provide both type and authorizerId
type: COGNITO_USER_POOLS # TOKEN or REQUEST or COGNITO_USER_POOLS, same as AWS Cloudformation documentation type: COGNITO_USER_POOLS # TOKEN or REQUEST or COGNITO_USER_POOLS, same as AWS Cloudformation documentation
authorizerId: authorizerId:
Expand Down
18 changes: 14 additions & 4 deletions lib/plugins/aws/package/compile/events/apiGateway/lib/method/authorization.js
View file
Open in desktop
Original file line number Original file line Diff line number Diff line change
Expand Up @@ -26,15 +26,25 @@ module.exports = {
const authorizerLogicalId = this.provider.naming const authorizerLogicalId = this.provider.naming
.getAuthorizerLogicalId(http.authorizer.name); .getAuthorizerLogicalId(http.authorizer.name);


let authorizationType;
const authorizerArn = http.authorizer.arn; const authorizerArn = http.authorizer.arn;

let authorizationType;
if (typeof authorizerArn === 'string' if (typeof authorizerArn === 'string'
&& awsArnRegExs.cognitoIdpArnExpr.test(authorizerArn)) { && awsArnRegExs.cognitoIdpArnExpr.test(authorizerArn)) {
authorizationType = 'COGNITO_USER_POOLS'; authorizationType = 'COGNITO_USER_POOLS';
} else { const cognitoReturn = {
authorizationType = 'CUSTOM'; Properties: {
AuthorizationType: authorizationType,
AuthorizerId: { Ref: authorizerLogicalId },
},
DependsOn: authorizerLogicalId,
};
if (http.authorizer.scopes) {
cognitoReturn.Properties.AuthorizationScopes = http.authorizer.scopes;
}
return cognitoReturn;
} }

authorizationType = 'CUSTOM';
return { return {
Properties: { Properties: {
AuthorizationType: authorizationType, AuthorizationType: authorizationType,
Expand Down
6 changes: 6 additions & 0 deletions lib/plugins/aws/package/compile/events/apiGateway/lib/method/index.test.js
View file
Open in desktop
Original file line number Original file line Diff line number Diff line change
Expand Up @@ -502,6 +502,7 @@ describe('#compileMethods()', () => {
authorizer: { authorizer: {
name: 'authorizer', name: 'authorizer',
arn: 'arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ', arn: 'arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ',
scopes: ['myapp/read', 'myapp/write'],
}, },
integration: 'AWS', integration: 'AWS',
path: 'users/create', path: 'users/create',
Expand All @@ -516,6 +517,11 @@ describe('#compileMethods()', () => {
.Resources.ApiGatewayMethodUsersCreatePost.Properties.AuthorizationType .Resources.ApiGatewayMethodUsersCreatePost.Properties.AuthorizationType
).to.equal('COGNITO_USER_POOLS'); ).to.equal('COGNITO_USER_POOLS');


expect(
awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate
.Resources.ApiGatewayMethodUsersCreatePost.Properties.AuthorizationScopes
).to.contain('myapp/read');

expect( expect(
awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate
.Resources.ApiGatewayMethodUsersCreatePost.Properties.AuthorizerId.Ref .Resources.ApiGatewayMethodUsersCreatePost.Properties.AuthorizerId.Ref
Expand Down
3 changes: 3 additions & 0 deletions lib/plugins/aws/package/compile/events/apiGateway/lib/validate.js
View file
Open in desktop
Original file line number Original file line Diff line number Diff line change
Expand Up @@ -220,6 +220,7 @@ module.exports = {
let identityValidationExpression; let identityValidationExpression;
let claims; let claims;
let authorizerId; let authorizerId;
let scopes;


if (typeof authorizer === 'string') { if (typeof authorizer === 'string') {
if (authorizer.toUpperCase() === 'AWS_IAM') { if (authorizer.toUpperCase() === 'AWS_IAM') {
Expand Down Expand Up @@ -258,6 +259,7 @@ module.exports = {
resultTtlInSeconds = Number.parseInt(authorizer.resultTtlInSeconds, 10); resultTtlInSeconds = Number.parseInt(authorizer.resultTtlInSeconds, 10);
resultTtlInSeconds = Number.isNaN(resultTtlInSeconds) ? 300 : resultTtlInSeconds; resultTtlInSeconds = Number.isNaN(resultTtlInSeconds) ? 300 : resultTtlInSeconds;
claims = authorizer.claims || []; claims = authorizer.claims || [];
scopes = authorizer.scopes;


identitySource = authorizer.identitySource; identitySource = authorizer.identitySource;
identityValidationExpression = authorizer.identityValidationExpression; identityValidationExpression = authorizer.identityValidationExpression;
Expand Down Expand Up @@ -295,6 +297,7 @@ module.exports = {
identitySource, identitySource,
identityValidationExpression, identityValidationExpression,
claims, claims,
scopes,
}; };
}, },


Expand Down