From 4bee768f07e73ab5fe466f9ad3d1845456a0513b Mon Sep 17 00:00:00 2001 From: GZ Date: Wed, 10 Jul 2024 17:52:48 -0700 Subject: [PATCH] fix(apigateway): authorization scope is not added when not explicitly defining authorization type in method or root api (#30822) ### Issue # (if applicable) Closes #30444 ### Reason for this change The original PR caused a breaking change, we can't rollback because it was released in v2.142.0 and it fixes customers issues (partially). Simply doing a revert will be breaking for those customers again. ### Description of changes Identified the root cause and we should use `AuthorizationType` instead of `AuthorizationTypeOption`. `AuthorizationType` defaults to find the authorization type from the authorizer, falling back to use the auth type defined in the `Method` construct's options property and falling back to `None`. `AuthorizationTypeOptions` on the other hand tries to find the auth type from `Method` construct's options property which can be None because it's optional. ### Description of how you validated changes New unit tests covering the changes and new integration tests covering it. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --------- Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> --- ...efaultTestDeployAssertDBEA1774.assets.json | 19 + ...aultTestDeployAssertDBEA1774.template.json | 36 ++ .../cdk.out | 1 + .../integ.json | 12 + ...tapi-with-authorizer-and-proxy.assets.json | 19 + ...pi-with-authorizer-and-proxy.template.json | 224 +++++++++ .../manifest.json | 167 +++++++ .../tree.json | 430 ++++++++++++++++++ .../integ.api-with-authorizer-and-method.ts | 39 ++ .../integ.api-with-authorizer-and-proxy.ts | 1 - .../aws-cdk-lib/aws-apigateway/lib/method.ts | 7 +- .../aws-apigateway/test/method.test.ts | 78 ++++ 12 files changed, 1028 insertions(+), 5 deletions(-) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/integtest-restapi-with-authorizer-and-proxy.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/integtest-restapi-with-authorizer-and-proxy.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774.assets.json new file mode 100644 index 0000000000000..e6124593f200b --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/integ.json new file mode 100644 index 0000000000000..142f8ddaf288f --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "36.0.0", + "testCases": { + "apigateway-with-authorizer-and-proxy/DefaultTest": { + "stacks": [ + "integtest-restapi-with-authorizer-and-proxy" + ], + "assertionStack": "apigateway-with-authorizer-and-proxy/DefaultTest/DeployAssert", + "assertionStackName": "apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/integtest-restapi-with-authorizer-and-proxy.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/integtest-restapi-with-authorizer-and-proxy.assets.json new file mode 100644 index 0000000000000..c822d8e0ea23d --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/integtest-restapi-with-authorizer-and-proxy.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "c4f42381397a6248d2aa072f909f526fe197fd78e8fcda7b8ba12c3c86ee4502": { + "source": { + "path": "integtest-restapi-with-authorizer-and-proxy.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "c4f42381397a6248d2aa072f909f526fe197fd78e8fcda7b8ba12c3c86ee4502.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/integtest-restapi-with-authorizer-and-proxy.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/integtest-restapi-with-authorizer-and-proxy.template.json new file mode 100644 index 0000000000000..4597c9ec364eb --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/integtest-restapi-with-authorizer-and-proxy.template.json @@ -0,0 +1,224 @@ +{ + "Resources": { + "UserPool6BA7E5F2": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "AccountRecoverySetting": { + "RecoveryMechanisms": [ + { + "Name": "verified_phone_number", + "Priority": 1 + }, + { + "Name": "verified_email", + "Priority": 2 + } + ] + }, + "AdminCreateUserConfig": { + "AllowAdminCreateUserOnly": true + }, + "EmailVerificationMessage": "The verification code to your new account is {####}", + "EmailVerificationSubject": "Verify your new account", + "SmsVerificationMessage": "The verification code to your new account is {####}", + "VerificationMessageTemplate": { + "DefaultEmailOption": "CONFIRM_WITH_CODE", + "EmailMessage": "The verification code to your new account is {####}", + "EmailSubject": "Verify your new account", + "SmsMessage": "The verification code to your new account is {####}" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "AuthorizerBD825682": { + "Type": "AWS::ApiGateway::Authorizer", + "Properties": { + "IdentitySource": "method.request.header.Authorization", + "Name": "integtestrestapiwithauthorizerandproxyAuthorizer5142DDC8", + "ProviderARNs": [ + { + "Fn::GetAtt": [ + "UserPool6BA7E5F2", + "Arn" + ] + } + ], + "RestApiId": { + "Ref": "CdkTestStack0AE13CA5" + }, + "Type": "COGNITO_USER_POOLS" + } + }, + "CdkTestStack0AE13CA5": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Name": "CdkTestStack" + } + }, + "CdkTestStackDeployment201712E9c8d53ab4e4cdcaa7ab0f70bb7f6ce970": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "Description": "Automatically created by the RestApi construct", + "RestApiId": { + "Ref": "CdkTestStack0AE13CA5" + } + }, + "DependsOn": [ + "AuthorizerBD825682", + "CdkTestStackotherPOST3BA23287", + "CdkTestStackother6044D106", + "CdkTestStackuserGET1317379E", + "CdkTestStackuser7876F2D4" + ] + }, + "CdkTestStackDeploymentStageprod296E6472": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "CdkTestStackDeployment201712E9c8d53ab4e4cdcaa7ab0f70bb7f6ce970" + }, + "RestApiId": { + "Ref": "CdkTestStack0AE13CA5" + }, + "StageName": "prod" + } + }, + "CdkTestStackuser7876F2D4": { + "Type": "AWS::ApiGateway::Resource", + "Properties": { + "ParentId": { + "Fn::GetAtt": [ + "CdkTestStack0AE13CA5", + "RootResourceId" + ] + }, + "PathPart": "user", + "RestApiId": { + "Ref": "CdkTestStack0AE13CA5" + } + } + }, + "CdkTestStackuserGET1317379E": { + "Type": "AWS::ApiGateway::Method", + "Properties": { + "AuthorizationScopes": [ + "profile" + ], + "AuthorizationType": "COGNITO_USER_POOLS", + "AuthorizerId": { + "Ref": "AuthorizerBD825682" + }, + "HttpMethod": "GET", + "Integration": { + "Type": "MOCK" + }, + "ResourceId": { + "Ref": "CdkTestStackuser7876F2D4" + }, + "RestApiId": { + "Ref": "CdkTestStack0AE13CA5" + } + } + }, + "CdkTestStackother6044D106": { + "Type": "AWS::ApiGateway::Resource", + "Properties": { + "ParentId": { + "Fn::GetAtt": [ + "CdkTestStack0AE13CA5", + "RootResourceId" + ] + }, + "PathPart": "other", + "RestApiId": { + "Ref": "CdkTestStack0AE13CA5" + } + } + }, + "CdkTestStackotherPOST3BA23287": { + "Type": "AWS::ApiGateway::Method", + "Properties": { + "AuthorizationScopes": [ + "openid" + ], + "AuthorizationType": "COGNITO_USER_POOLS", + "AuthorizerId": { + "Ref": "AuthorizerBD825682" + }, + "HttpMethod": "POST", + "Integration": { + "Type": "MOCK" + }, + "ResourceId": { + "Ref": "CdkTestStackother6044D106" + }, + "RestApiId": { + "Ref": "CdkTestStack0AE13CA5" + } + } + } + }, + "Outputs": { + "CdkTestStackEndpoint7DDDB759": { + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Ref": "CdkTestStack0AE13CA5" + }, + ".execute-api.", + { + "Ref": "AWS::Region" + }, + ".", + { + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Ref": "CdkTestStackDeploymentStageprod296E6472" + }, + "/" + ] + ] + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/manifest.json new file mode 100644 index 0000000000000..b5ff18bcac25e --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/manifest.json @@ -0,0 +1,167 @@ +{ + "version": "36.0.0", + "artifacts": { + "integtest-restapi-with-authorizer-and-proxy.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integtest-restapi-with-authorizer-and-proxy.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integtest-restapi-with-authorizer-and-proxy": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integtest-restapi-with-authorizer-and-proxy.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c4f42381397a6248d2aa072f909f526fe197fd78e8fcda7b8ba12c3c86ee4502.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integtest-restapi-with-authorizer-and-proxy.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integtest-restapi-with-authorizer-and-proxy.assets" + ], + "metadata": { + "/integtest-restapi-with-authorizer-and-proxy/UserPool/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "UserPool6BA7E5F2" + } + ], + "/integtest-restapi-with-authorizer-and-proxy/Authorizer/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AuthorizerBD825682" + } + ], + "/integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CdkTestStack0AE13CA5" + } + ], + "/integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Deployment/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CdkTestStackDeployment201712E9c8d53ab4e4cdcaa7ab0f70bb7f6ce970" + } + ], + "/integtest-restapi-with-authorizer-and-proxy/CdkTestStack/DeploymentStage.prod/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CdkTestStackDeploymentStageprod296E6472" + } + ], + "/integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Endpoint": [ + { + "type": "aws:cdk:logicalId", + "data": "CdkTestStackEndpoint7DDDB759" + } + ], + "/integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Default/user/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CdkTestStackuser7876F2D4" + } + ], + "/integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Default/user/GET/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CdkTestStackuserGET1317379E" + } + ], + "/integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Default/other/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CdkTestStackother6044D106" + } + ], + "/integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Default/other/POST/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CdkTestStackotherPOST3BA23287" + } + ], + "/integtest-restapi-with-authorizer-and-proxy/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integtest-restapi-with-authorizer-and-proxy/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integtest-restapi-with-authorizer-and-proxy" + }, + "apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "apigatewaywithauthorizerandproxyDefaultTestDeployAssertDBEA1774.assets" + ], + "metadata": { + "/apigateway-with-authorizer-and-proxy/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/apigateway-with-authorizer-and-proxy/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "apigateway-with-authorizer-and-proxy/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/tree.json new file mode 100644 index 0000000000000..852cb2a0ab339 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.js.snapshot/tree.json @@ -0,0 +1,430 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "integtest-restapi-with-authorizer-and-proxy": { + "id": "integtest-restapi-with-authorizer-and-proxy", + "path": "integtest-restapi-with-authorizer-and-proxy", + "children": { + "UserPool": { + "id": "UserPool", + "path": "integtest-restapi-with-authorizer-and-proxy/UserPool", + "children": { + "Resource": { + "id": "Resource", + "path": "integtest-restapi-with-authorizer-and-proxy/UserPool/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPool", + "aws:cdk:cloudformation:props": { + "accountRecoverySetting": { + "recoveryMechanisms": [ + { + "name": "verified_phone_number", + "priority": 1 + }, + { + "name": "verified_email", + "priority": 2 + } + ] + }, + "adminCreateUserConfig": { + "allowAdminCreateUserOnly": true + }, + "emailVerificationMessage": "The verification code to your new account is {####}", + "emailVerificationSubject": "Verify your new account", + "smsVerificationMessage": "The verification code to your new account is {####}", + "verificationMessageTemplate": { + "defaultEmailOption": "CONFIRM_WITH_CODE", + "emailMessage": "The verification code to your new account is {####}", + "emailSubject": "Verify your new account", + "smsMessage": "The verification code to your new account is {####}" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPool", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.UserPool", + "version": "0.0.0" + } + }, + "Authorizer": { + "id": "Authorizer", + "path": "integtest-restapi-with-authorizer-and-proxy/Authorizer", + "children": { + "Resource": { + "id": "Resource", + "path": "integtest-restapi-with-authorizer-and-proxy/Authorizer/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGateway::Authorizer", + "aws:cdk:cloudformation:props": { + "identitySource": "method.request.header.Authorization", + "name": "integtestrestapiwithauthorizerandproxyAuthorizer5142DDC8", + "providerArns": [ + { + "Fn::GetAtt": [ + "UserPool6BA7E5F2", + "Arn" + ] + } + ], + "restApiId": { + "Ref": "CdkTestStack0AE13CA5" + }, + "type": "COGNITO_USER_POOLS" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.CfnAuthorizer", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.CognitoUserPoolsAuthorizer", + "version": "0.0.0" + } + }, + "CdkTestStack": { + "id": "CdkTestStack", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack", + "children": { + "Resource": { + "id": "Resource", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGateway::RestApi", + "aws:cdk:cloudformation:props": { + "name": "CdkTestStack" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.CfnRestApi", + "version": "0.0.0" + } + }, + "Deployment": { + "id": "Deployment", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Deployment", + "children": { + "Resource": { + "id": "Resource", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Deployment/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGateway::Deployment", + "aws:cdk:cloudformation:props": { + "description": "Automatically created by the RestApi construct", + "restApiId": { + "Ref": "CdkTestStack0AE13CA5" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.CfnDeployment", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.Deployment", + "version": "0.0.0" + } + }, + "DeploymentStage.prod": { + "id": "DeploymentStage.prod", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/DeploymentStage.prod", + "children": { + "Resource": { + "id": "Resource", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/DeploymentStage.prod/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGateway::Stage", + "aws:cdk:cloudformation:props": { + "deploymentId": { + "Ref": "CdkTestStackDeployment201712E9c8d53ab4e4cdcaa7ab0f70bb7f6ce970" + }, + "restApiId": { + "Ref": "CdkTestStack0AE13CA5" + }, + "stageName": "prod" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.CfnStage", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.Stage", + "version": "0.0.0" + } + }, + "Endpoint": { + "id": "Endpoint", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Endpoint", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnOutput", + "version": "0.0.0" + } + }, + "Default": { + "id": "Default", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Default", + "children": { + "user": { + "id": "user", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Default/user", + "children": { + "Resource": { + "id": "Resource", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Default/user/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGateway::Resource", + "aws:cdk:cloudformation:props": { + "parentId": { + "Fn::GetAtt": [ + "CdkTestStack0AE13CA5", + "RootResourceId" + ] + }, + "pathPart": "user", + "restApiId": { + "Ref": "CdkTestStack0AE13CA5" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.CfnResource", + "version": "0.0.0" + } + }, + "GET": { + "id": "GET", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Default/user/GET", + "children": { + "Resource": { + "id": "Resource", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Default/user/GET/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGateway::Method", + "aws:cdk:cloudformation:props": { + "authorizationScopes": [ + "profile" + ], + "authorizationType": "COGNITO_USER_POOLS", + "authorizerId": { + "Ref": "AuthorizerBD825682" + }, + "httpMethod": "GET", + "integration": { + "type": "MOCK" + }, + "resourceId": { + "Ref": "CdkTestStackuser7876F2D4" + }, + "restApiId": { + "Ref": "CdkTestStack0AE13CA5" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.CfnMethod", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.Method", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.Resource", + "version": "0.0.0" + } + }, + "other": { + "id": "other", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Default/other", + "children": { + "Resource": { + "id": "Resource", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Default/other/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGateway::Resource", + "aws:cdk:cloudformation:props": { + "parentId": { + "Fn::GetAtt": [ + "CdkTestStack0AE13CA5", + "RootResourceId" + ] + }, + "pathPart": "other", + "restApiId": { + "Ref": "CdkTestStack0AE13CA5" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.CfnResource", + "version": "0.0.0" + } + }, + "POST": { + "id": "POST", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Default/other/POST", + "children": { + "Resource": { + "id": "Resource", + "path": "integtest-restapi-with-authorizer-and-proxy/CdkTestStack/Default/other/POST/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGateway::Method", + "aws:cdk:cloudformation:props": { + "authorizationScopes": [ + "openid" + ], + "authorizationType": "COGNITO_USER_POOLS", + "authorizerId": { + "Ref": "AuthorizerBD825682" + }, + "httpMethod": "POST", + "integration": { + "type": "MOCK" + }, + "resourceId": { + "Ref": "CdkTestStackother6044D106" + }, + "restApiId": { + "Ref": "CdkTestStack0AE13CA5" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.CfnMethod", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.Method", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.ResourceBase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigateway.RestApi", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integtest-restapi-with-authorizer-and-proxy/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integtest-restapi-with-authorizer-and-proxy/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "apigateway-with-authorizer-and-proxy": { + "id": "apigateway-with-authorizer-and-proxy", + "path": "apigateway-with-authorizer-and-proxy", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "apigateway-with-authorizer-and-proxy/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "apigateway-with-authorizer-and-proxy/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "apigateway-with-authorizer-and-proxy/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "apigateway-with-authorizer-and-proxy/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "apigateway-with-authorizer-and-proxy/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.ts new file mode 100644 index 0000000000000..7572ae17ef764 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-method.ts @@ -0,0 +1,39 @@ +import * as cdk from 'aws-cdk-lib'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; +import * as cognito from 'aws-cdk-lib/aws-cognito'; +import * as agw from 'aws-cdk-lib/aws-apigateway'; + +/* + * Stack verification steps: + * * `curl -i ` should return HTTP code 200 + */ + +const app = new cdk.App(); +const stack = new cdk.Stack(app, 'integtest-restapi-with-authorizer-and-proxy'); + +const userPool = new cognito.UserPool(stack, 'UserPool'); + +const authorizer = new agw.CognitoUserPoolsAuthorizer(stack, 'Authorizer', { + cognitoUserPools: [userPool], +}); + +const restApi = new agw.RestApi(stack, 'CdkTestStack', { + defaultMethodOptions: { + authorizer, + authorizationScopes: [cognito.OAuthScope.PROFILE.scopeName], + }, +}); + +restApi.root + .resourceForPath('/user') + .addMethod('GET', new agw.MockIntegration()); + +restApi.root + .resourceForPath('/other') + .addMethod('POST', new agw.MockIntegration(), { + authorizationScopes: [cognito.OAuthScope.OPENID.scopeName], + }); + +new IntegTest(app, 'apigateway-with-authorizer-and-proxy', { + testCases: [stack], +}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-proxy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-proxy.ts index e884228934d2f..9bb5446ab6e64 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-proxy.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.api-with-authorizer-and-proxy.ts @@ -47,7 +47,6 @@ sendResource.addProxy({ anyMethod: true, defaultMethodOptions: { authorizer: authorizer, - authorizationType: agw.AuthorizationType.COGNITO, authorizationScopes: ['scope'], }, defaultCorsPreflightOptions: { diff --git a/packages/aws-cdk-lib/aws-apigateway/lib/method.ts b/packages/aws-cdk-lib/aws-apigateway/lib/method.ts index 841e1b70bc511..b488def778e38 100644 --- a/packages/aws-cdk-lib/aws-apigateway/lib/method.ts +++ b/packages/aws-cdk-lib/aws-apigateway/lib/method.ts @@ -202,11 +202,10 @@ export class Method extends Resource { `which is different from what is required by the authorizer [${authorizer.authorizationType}]`); } - // When AuthorizationType is None, there shouldn't be any AuthorizationScope since AuthorizationScope should only - // be applied to COGNITO_USER_POOLS AuthorizationType. + // AuthorizationScope should only be applied to COGNITO_USER_POOLS AuthorizationType. const defaultScopes = options.authorizationScopes ?? defaultMethodOptions.authorizationScopes; - const authorizationScopes = authorizationTypeOption === AuthorizationType.COGNITO ? defaultScopes : undefined; - if (authorizationTypeOption !== AuthorizationType.COGNITO && defaultScopes) { + const authorizationScopes = authorizationType === AuthorizationType.COGNITO ? defaultScopes : undefined; + if (authorizationType !== AuthorizationType.COGNITO && defaultScopes) { Annotations.of(this).addWarningV2('@aws-cdk/aws-apigateway:invalidAuthScope', '\'AuthorizationScopes\' can only be set when \'AuthorizationType\' sets \'COGNITO_USER_POOLS\'. Default to ignore the values set in \'AuthorizationScopes\'.'); } diff --git a/packages/aws-cdk-lib/aws-apigateway/test/method.test.ts b/packages/aws-cdk-lib/aws-apigateway/test/method.test.ts index 7cb2d63f59b08..df5977ede2432 100644 --- a/packages/aws-cdk-lib/aws-apigateway/test/method.test.ts +++ b/packages/aws-cdk-lib/aws-apigateway/test/method.test.ts @@ -812,6 +812,84 @@ describe('method', () => { }).not.toThrow(/Authorization type is set to AWS_IAM which is different from what is required by the authorizer/); }); + test('No options authorization type set but expect auth scope set', () => { + const stack = new cdk.Stack(); + const api = new apigw.RestApi(stack, 'test-api', { + cloudWatchRole: false, + deploy: false, + defaultMethodOptions: { + authorizationType: apigw.AuthorizationType.COGNITO, + }, + }); + + api.root.resourceForPath('/user/profile').addMethod('GET', undefined, { + authorizationScopes: ['profile'], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::ApiGateway::Method', { + AuthorizationScopes: ['profile'], + }); + }); + + test('Set auth scope in the rest api and expect scope is in method', () => { + const stack = new cdk.Stack(); + const api = new apigw.RestApi(stack, 'test-api', { + cloudWatchRole: false, + deploy: false, + defaultMethodOptions: { + authorizationType: apigw.AuthorizationType.COGNITO, + authorizationScopes: ['profile'], + }, + }); + + api.root.resourceForPath('/user/profile').addMethod('GET', undefined); + + Template.fromStack(stack).hasResourceProperties('AWS::ApiGateway::Method', { + AuthorizationScopes: ['profile'], + }); + }); + + test('Override auth scope in the method over rest api', () => { + const stack = new cdk.Stack(); + const api = new apigw.RestApi(stack, 'test-api', { + cloudWatchRole: false, + deploy: false, + defaultMethodOptions: { + authorizationType: apigw.AuthorizationType.COGNITO, + authorizationScopes: ['profile'], + }, + }); + + api.root.resourceForPath('/user/profile').addMethod('GET', undefined, { + authorizationScopes: ['hello'], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::ApiGateway::Method', { + AuthorizationScopes: ['hello'], + }); + }); + + test('Expect auth scope to be none when auth type is not Cognito', () => { + const stack = new cdk.Stack(); + const api = new apigw.RestApi(stack, 'test-api', { + cloudWatchRole: false, + deploy: false, + defaultMethodOptions: { + authorizationType: apigw.AuthorizationType.COGNITO, + authorizationScopes: ['profile'], + }, + }); + + api.root.resourceForPath('/user/profile').addMethod('GET', undefined, { + authorizationScopes: ['hello'], + authorizationType: apigw.AuthorizationType.IAM, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::ApiGateway::Method', { + AuthorizationScopes: Match.absent(), + }); + }); + test.each([ [apigw.AuthorizationType.IAM, undefined], [apigw.AuthorizationType.NONE, undefined],