Merge pull request #3359 from aws/release-v1.76.0

Release 1.76.0 (to main)

Author: GavinZZ

integration/combination/test_api_with_authorizer_override_api_auth.py

@@ -0,0 +1,86 @@
+from unittest.case import skipIf
+
+from integration.config.service_names import API_KEY, COGNITO, REST_API
+from integration.helpers.base_test import BaseTest
+from integration.helpers.deployer.utils.retry import retry
+from integration.helpers.exception import StatusCodeError
+from integration.helpers.resource import current_region_does_not_support
+
+
+@skipIf(
+    current_region_does_not_support([COGNITO, API_KEY, REST_API]), "Cognito is not supported in this testing region"
+)
+class TestApiWithAuthorizerOverrideApiAuth(BaseTest):
+    def test_authorizer_override_api_auth(self):
+        self.create_and_verify_stack("combination/api_with_authorizer_override_api_auth")
+
+        stack_outputs = self.get_stack_outputs()
+
+        base_url = stack_outputs["ApiUrl"]
+
+        # Default case with no Auth override
+        self.verify_authorized_request(base_url + "lambda-request?authorization=allow", 200)
+        self.verify_authorized_request(base_url + "lambda-request", 401)
+
+        # Override Auth to NONE, lambda request should pass without authorization
+        self.verify_authorized_request(base_url + "lambda-request-override-none", 200)
+
+        # Override Auth to CognitoUserPool, lambda request should fail with authorization for lambda request
+        self.verify_authorized_request(base_url + "lambda-request-override-cognito?authorization=allow", 401)
+
+    @retry(StatusCodeError, 10, 0.25)
+    def verify_authorized_request(
+        self,
+        url,
+        expected_status_code,
+        header_key=None,
+        header_value=None,
+    ):
+        if not header_key or not header_value:
+            response = self.do_get_request_with_logging(url)
+        else:
+            headers = {header_key: header_value}
+            response = self.do_get_request_with_logging(url, headers)
+        status = response.status_code
+
+        if status != expected_status_code:
+            raise StatusCodeError(
+                f"Request to {url} failed with status: {status}, expected status: {expected_status_code}"
+            )
+
+        if not header_key or not header_value:
+            self.assertEqual(
+                status, expected_status_code, "Request to " + url + "  must return HTTP " + str(expected_status_code)
+            )
+        else:
+            self.assertEqual(
+                status,
+                expected_status_code,
+                "Request to "
+                + url
+                + " ("
+                + header_key
+                + ": "
+                + header_value
+                + ") must return HTTP "
+                + str(expected_status_code),
+            )
+
+
+def get_authorizer_by_name(authorizers, name):
+    for authorizer in authorizers:
+        if authorizer["name"] == name:
+            return authorizer
+    return None
+
+
+def get_resource_by_path(resources, path):
+    for resource in resources:
+        if resource["path"] == path:
+            return resource
+    return None
+
+
+def get_method(resources, path, rest_api_id, apigw_client):
+    resource = get_resource_by_path(resources, path)
+    return apigw_client.get_method(restApiId=rest_api_id, resourceId=resource["id"], httpMethod="GET")

integration/resources/expected/combination/api_with_authorizer_override_api_auth.json

@@ -0,0 +1,54 @@
+[
+  {
+    "LogicalResourceId": "MyApi",
+    "ResourceType": "AWS::ApiGateway::RestApi"
+  },
+  {
+    "LogicalResourceId": "MyApiMyLambdaRequestAuthAuthorizerPermission",
+    "ResourceType": "AWS::Lambda::Permission"
+  },
+  {
+    "LogicalResourceId": "MyApiProdStage",
+    "ResourceType": "AWS::ApiGateway::Stage"
+  },
+  {
+    "LogicalResourceId": "MyCognitoUserPool",
+    "ResourceType": "AWS::Cognito::UserPool"
+  },
+  {
+    "LogicalResourceId": "MyCognitoUserPoolClient",
+    "ResourceType": "AWS::Cognito::UserPoolClient"
+  },
+  {
+    "LogicalResourceId": "MyApiDeployment",
+    "ResourceType": "AWS::ApiGateway::Deployment"
+  },
+  {
+    "LogicalResourceId": "MyFunction",
+    "ResourceType": "AWS::Lambda::Function"
+  },
+  {
+    "LogicalResourceId": "MyFunctionRole",
+    "ResourceType": "AWS::IAM::Role"
+  },
+  {
+    "LogicalResourceId": "MyFunctionLambdaRequestPermissionProd",
+    "ResourceType": "AWS::Lambda::Permission"
+  },
+  {
+    "LogicalResourceId": "MyFunctionLambdaRequestOverrideNonePermissionProd",
+    "ResourceType": "AWS::Lambda::Permission"
+  },
+  {
+    "LogicalResourceId": "MyFunctionLambdaRequestOverrideCognitoPermissionProd",
+    "ResourceType": "AWS::Lambda::Permission"
+  },
+  {
+    "LogicalResourceId": "MyLambdaAuthFunction",
+    "ResourceType": "AWS::Lambda::Function"
+  },
+  {
+    "LogicalResourceId": "MyLambdaAuthFunctionRole",
+    "ResourceType": "AWS::IAM::Role"
+  }
+]

integration/resources/templates/combination/api_with_authorizer_apikey.yaml

@@ -14,7 +14,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: index.handler
-      Runtime: nodejs16.x
+      Runtime: nodejs18.x
       InlineCode: |
         exports.handler = async (event, context, callback) => {
           return {
@@ -45,7 +45,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: index.handler
-      Runtime: nodejs16.x
+      Runtime: nodejs18.x
       InlineCode: |
         exports.handler = async (event, context, callback) => {
           console.log(event);

integration/resources/templates/combination/api_with_authorizer_override_api_auth.yaml

@@ -0,0 +1,142 @@
+Resources:
+  MyApi:
+    Type: AWS::Serverless::Api
+    Properties:
+      StageName: Prod
+      DefinitionBody:
+        # Simple AWS Proxy API
+        swagger: '2.0'
+        info:
+          version: '2016-09-23T22:23:23Z'
+          title: Simple Api
+        schemes:
+        - https
+        paths:
+          /lambda-request:
+            get:
+              x-amazon-apigateway-integration:
+                type: aws_proxy
+                uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations
+                httpMethod: POST
+                passthroughBehavior: when_no_match
+          /lambda-request-override-none:
+            get:
+              x-amazon-apigateway-integration:
+                type: aws_proxy
+                uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations
+                httpMethod: POST
+                passthroughBehavior: when_no_match
+          /lambda-request-override-cognito:
+            get:
+              x-amazon-apigateway-integration:
+                type: aws_proxy
+                uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations
+                httpMethod: POST
+                passthroughBehavior: when_no_match
+      Auth:
+        Authorizers:
+          MyCognitoAuthorizer:
+            UserPoolArn:
+              Fn::GetAtt: MyCognitoUserPool.Arn
+          MyLambdaRequestAuth:
+            FunctionPayloadType: REQUEST
+            FunctionArn:
+              Fn::GetAtt: MyLambdaAuthFunction.Arn
+            Identity:
+              QueryStrings:
+              - authorization
+        DefaultAuthorizer: MyLambdaRequestAuth
+
+  MyFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      InlineCode: |
+        exports.handler = async (event, context, callback) => {
+          return {
+            statusCode: 200,
+            body: 'Success'
+          }
+        }
+      Handler: index.handler
+      Runtime: nodejs16.x
+      Events:
+        LambdaRequest:
+          Type: Api
+          Properties:
+            RestApiId:
+              Ref: MyApi
+            Method: get
+            Auth:
+              Authorizer: MyLambdaRequestAuth
+            Path: /lambda-request
+        LambdaRequestOverrideNone:
+          Type: Api
+          Properties:
+            RestApiId:
+              Ref: MyApi
+            Method: get
+            Auth:
+              Authorizer: NONE
+              OverrideApiAuth: true
+            Path: /lambda-request-override-none
+        LambdaRequestOverrideCognito:
+          Type: Api
+          Properties:
+            RestApiId:
+              Ref: MyApi
+            Method: get
+            Auth:
+              Authorizer: MyCognitoAuthorizer
+              OverrideApiAuth: true
+            Path: /lambda-request-override-cognito
+
+  MyLambdaAuthFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      Handler: index.handler
+      Runtime: nodejs16.x
+      InlineCode: |
+        exports.handler = async (event, context, callback) => {
+          const auth = event.queryStringParameters.authorization
+          const policyDocument = {
+            Version: '2012-10-17',
+            Statement: [{
+              Action: 'execute-api:Invoke',
+              Effect: auth && auth.toLowerCase() === 'allow' ? 'Allow' : 'Deny',
+              Resource: event.methodArn
+            }]
+          }
+          
+          return {
+            principalId: 'user',
+            context: {},
+            policyDocument
+          }
+        }
+
+  MyCognitoUserPool:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      UserPoolName: MyCognitoUserPool
+
+  MyCognitoUserPoolClient:
+    Type: AWS::Cognito::UserPoolClient
+    Properties:
+      UserPoolId:
+        Ref: MyCognitoUserPool
+      ClientName: MyCognitoUserPoolClient
+      GenerateSecret: false
+
+Outputs:
+  ApiUrl:
+    Description: API endpoint URL for Prod environment
+    Value:
+      Fn::Sub: https://${MyApi}.execute-api.${AWS::Region}.${AWS::URLSuffix}/Prod/
+
+Parameters:
+  OverrideApiAuthValue:
+    Type: String
+    Default: true
+
+Metadata:
+  SamTransformTest: true

integration/resources/templates/combination/api_with_authorizers_invokefunction_set_none.yaml

@@ -31,7 +31,7 @@ Resources:
       InlineCode: |
         print("hello")
       Handler: index.handler
-      Runtime: nodejs16.x
+      Runtime: nodejs18.x
       Events:
         API3:
           Type: Api
@@ -50,7 +50,7 @@ Resources:
       InlineCode: |
         print("hello")
       Handler: index.handler
-      Runtime: nodejs16.x
+      Runtime: nodejs18.x
       Events:
         MyApiWithAwsIamAuth:
           Type: Api

integration/resources/templates/combination/api_with_authorizers_max.yaml

@@ -43,7 +43,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: index.handler
-      Runtime: nodejs16.x
+      Runtime: nodejs18.x
       InlineCode: |
         exports.handler = async (event, context, callback) => {
           return {
@@ -101,7 +101,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: index.handler
-      Runtime: nodejs16.x
+      Runtime: nodejs18.x
       InlineCode: |
         exports.handler = async (event, context, callback) => {
           const token = event.type === 'TOKEN' ? event.authorizationToken : event.queryStringParameters.authorization

integration/resources/templates/combination/api_with_authorizers_max_openapi.yaml

@@ -46,7 +46,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: index.handler
-      Runtime: nodejs16.x
+      Runtime: nodejs18.x
       InlineCode: |
         exports.handler = async (event, context, callback) => {
           return {
@@ -114,7 +114,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: index.handler
-      Runtime: nodejs16.x
+      Runtime: nodejs18.x
       InlineCode: |
         exports.handler = async (event, context, callback) => {
           const token = event.type === 'TOKEN' ? event.authorizationToken : event.queryStringParameters.authorization

integration/resources/templates/combination/api_with_authorizers_min.yaml

@@ -23,7 +23,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: index.handler
-      Runtime: nodejs16.x
+      Runtime: nodejs18.x
       InlineCode: |
         exports.handler = async (event, context, callback) => {
           return {
@@ -80,7 +80,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: index.handler
-      Runtime: nodejs16.x
+      Runtime: nodejs18.x
       InlineCode: |
         exports.handler = async (event, context, callback) => {
           const token = event.type === 'TOKEN' ? event.authorizationToken : event.queryStringParameters.authorization

integration/resources/templates/combination/api_with_binary_media_types_with_definition_body_openapi.yaml

@@ -51,7 +51,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: index.handler
-      Runtime: nodejs16.x
+      Runtime: nodejs18.x
       CodeUri:
         Bucket:
           Ref: Bucket

integration/resources/templates/combination/api_with_cors.yaml

@@ -22,7 +22,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: index.handler
-      Runtime: nodejs16.x
+      Runtime: nodejs18.x
       CodeUri: ${codeuri}
       MemorySize: 128