Auth@Edge User Pool Creation (#194)

voodooGQ · web-flow · commit ffb5019a410b · 2020-03-19T12:06:02.000-07:00
diff --git a/docs/source/module_configuration/staticsite.rst b/docs/source/module_configuration/staticsite.rst
@@ -78,8 +78,17 @@ Parameters
 
     staticsite_auth_at_edge: true
 
+**staticsite_create_user_pool (Optional[bool])**
+  Creates a User Pool for the Auth@Edge configuration. Either this or ``staticsite_user_pool_arn`` are required when ``staticsite_auth_at_edge`` is ``true``.
+
+  Example:
+
+  .. code-block:: yaml
+
+    staticsite_create_user_pool: true
+
 **staticsite_user_pool_arn (Optional[str])**
-  Required if ``staticsite_auth_at_edge`` is ``true``. A pre-existing Cognito User Pool is required for user authentication.
+  A pre-existing Cognito User Pool is required for user authentication. Either this or ``staticsite_create_user_pool`` are required when ``staticsite_auth_at_edge`` is ``true``.
 
   Example:
 
@@ -343,7 +352,7 @@ Here is how the solution works:
 6. After passing all of the verification steps, `Lambda@Edge` strips out the Authorization header and allows the request to pass through to designated origin for CloudFront. In this case, the origin is the private content Amazon S3 bucket.
 7. After receiving response from the origin S3 bucket, CloudFront sends the response back to the browser. The browser displays the data from the returned response.
 
-An example of a `Auth@Edge`_ static site configuration is as follows. All listed options are required:
+An example of a `Auth@Edge`_ static site configuration is as follows:
 
 .. code-block:: yaml
 
@@ -362,5 +371,5 @@ An example of a `Auth@Edge`_ static site configuration is as follows. All listed
         - us-east-1
 
 The `Auth@Edge`_ functionality uses your existing Cognito User Pool (optionally configured
-with federated identity providers). A user pool app client will be automatically created
-within the pool for the application's use.
+with federated identity providers) or can create one for you with the ``staticsite_create_user_pool`` option.
+A user pool app client will be automatically created within the pool for the application's use.
diff --git a/runway/blueprints/staticsite/dependencies.py b/runway/blueprints/staticsite/dependencies.py
@@ -22,6 +22,11 @@ class Dependencies(Blueprint):
             'default': False,
             'description': 'Utilizing Authorization @ Edge'
         },
+        'CreateUserPool': {
+            'type': bool,
+            'default': False,
+            'description': 'Whether a User Pool should be created for the project'
+        },
         'UserPoolId': {
             'type': str,
             'default': '',
@@ -113,12 +118,27 @@ def create_template(self):
         if variables['AuthAtEdge']:
             callbacks = self.context.hook_data['aae_callback_url_retriever']['callback_urls']
 
+            user_pool_id = variables['UserPoolId']
+
+            if variables['CreateUserPool']:
+                user_pool = template.add_resource(
+                    cognito.UserPool("AuthAtEdgeUserPool")
+                )
+
+                user_pool_id = user_pool.ref()
+
+                template.add_output(Output(
+                    'AuthAtEdgeUserPoolId',
+                    Description='Cognito User Pool App Client for Auth @ Edge',
+                    Value=user_pool_id
+                ))
+
             client = template.add_resource(
                 cognito.UserPoolClient(
                     "AuthAtEdgeClient",
                     AllowedOAuthFlows=['code'],
                     CallbackURLs=callbacks,
-                    UserPoolId=variables['UserPoolId'],
+                    UserPoolId=user_pool_id,
                     AllowedOAuthScopes=variables['OAuthScopes']
                 )
             )
diff --git a/runway/hooks/staticsite/auth_at_edge/callback_url_retriever.py b/runway/hooks/staticsite/auth_at_edge/callback_url_retriever.py
@@ -52,11 +52,19 @@ def get(context,  # pylint: disable=unused-argument
         )
         # Get the client_id from the outputs
         outputs = stack_desc['Stacks'][0]['Outputs']
+
+        if kwargs['user_pool_arn']:
+            user_pool_id = kwargs['user_pool_arn'].split('/')[-1:][0]
+        else:
+            user_pool_id = [
+                o['OutputValue'] for o in outputs if o['OutputKey'] == 'AuthAtEdgeUserPoolId'
+            ][0]
+
         client_id = [o['OutputValue'] for o in outputs if o['OutputKey'] == 'AuthAtEdgeClient'][0]
 
         # Poll the user pool client information
         resp = cognito_client.describe_user_pool_client(
-            UserPoolId=kwargs['user_pool_id'],
+            UserPoolId=user_pool_id,
             ClientId=client_id
         )
 
diff --git a/runway/hooks/staticsite/auth_at_edge/client_updater.py b/runway/hooks/staticsite/auth_at_edge/client_updater.py
@@ -63,7 +63,7 @@ def update(context,  # pylint: disable=unused-argument
             ClientId=kwargs['client_id'],
             CallbackURLs=redirect_uris_sign_in,
             LogoutURLs=redirect_uris_sign_out,
-            UserPoolId=kwargs['user_pool_id'],
+            UserPoolId=context.hook_data['aae_user_pool_id_retriever']['id'],
         )
         return True
     except Exception as err:  # pylint: disable=broad-except
diff --git a/runway/hooks/staticsite/auth_at_edge/domain_updater.py b/runway/hooks/staticsite/auth_at_edge/domain_updater.py
@@ -2,14 +2,13 @@
 import logging
 from typing import Any, Dict, Optional, Union  # pylint: disable=unused-import
 
-from runway.cfngin.session_cache import get_session
-from runway.cfngin.providers.base import BaseProvider  # pylint: disable=unused-import
 from runway.cfngin.context import Context  # pylint: disable=unused-import
+from runway.cfngin.providers.base import BaseProvider  # pylint: disable=unused-import
+from runway.cfngin.session_cache import get_session
 
 LOGGER = logging.getLogger(__name__)
 
 
-# pylint: disable=unused-argument
 def update(context,  # type: Context # pylint: disable=unused-import
            provider,  # type: BaseProvider
            **kwargs  # type: Optional[Dict[str, Any]]
@@ -36,7 +35,7 @@ def update(context,  # type: Context # pylint: disable=unused-import
 
     context_dict = {}
 
-    user_pool_id = kwargs['user_pool_id']
+    user_pool_id = context.hook_data['aae_user_pool_id_retriever']['id']
     client_id = kwargs['client_id']
     user_pool = cognito_client.describe_user_pool(UserPoolId=user_pool_id).get('UserPool')
     (user_pool_region, user_pool_hash) = user_pool_id.split('_')
@@ -72,6 +71,50 @@ def update(context,  # type: Context # pylint: disable=unused-import
         return False
 
 
+def delete(context,  # type: Context # pylint: disable=unused-import
+           provider,  # type: BaseProvider
+           **kwargs  # type: Optional[Dict[str, Any]]
+          ):  # noqa: E124
+    # type: (...) -> Union[Dict[str, Any], bool]
+    """Delete the domain if the user pool was created by Runway.
+
+    If a User Pool was created by Runway, and populated with a domain, that
+    domain must be deleted prior to the User Pool itself being deleted or an
+    error will occur. This process ensures that our generated domain name is
+    deleted, or skips if not able to find one.
+
+    Args:
+        context (:class:`runway.cfngin.context.Context`): The context
+            instance.
+        provider (:class:`runway.cfngin.providers.base.BaseProvider`):
+            The provider instance
+
+    Keyword Args:
+        client_id (str): The ID of the Cognito User Pool Client
+    """
+    session = get_session(provider.region)
+    cognito_client = session.client('cognito-idp')
+
+    user_pool_id = context.hook_data['aae_user_pool_id_retriever']['id']
+    client_id = kwargs['client_id']
+    (_, user_pool_hash) = user_pool_id.split('_')
+    domain_prefix = ('%s-%s' % (user_pool_hash, client_id)).lower()
+
+    try:
+        cognito_client.delete_user_pool_domain(
+            UserPoolId=user_pool_id,
+            Domain=domain_prefix
+        )
+        return True
+    except cognito_client.exceptions.InvalidParameterException:
+        LOGGER.info('No domain found with prefix %s. Skipping deletion.', domain_prefix)
+        return True
+    except Exception as err:  # pylint: disable=broad-except
+        LOGGER.error('Could not delete the User Pool Domain.')
+        LOGGER.error(err)
+        return False
+
+
 def get_user_pool_domain(prefix, region):
     """Return a user pool domain name based on the prefix received and region.
 
diff --git a/runway/hooks/staticsite/auth_at_edge/lambda_config.py b/runway/hooks/staticsite/auth_at_edge/lambda_config.py
@@ -67,7 +67,7 @@ def write(context,  # type: context.Context
         'redirect_path_auth_refresh': kwargs['redirect_path_refresh'],
         'redirect_path_sign_in': kwargs['redirect_path_sign_in'],
         'redirect_path_sign_out': kwargs['redirect_path_sign_out'],
-        'user_pool_id': kwargs['user_pool_id'],
+        'user_pool_id': context.hook_data['aae_user_pool_id_retriever']['id']
     }
 
     # Shared file that contains the method called for configuration data
diff --git a/runway/hooks/staticsite/auth_at_edge/user_pool_id_retriever.py b/runway/hooks/staticsite/auth_at_edge/user_pool_id_retriever.py
@@ -0,0 +1,41 @@
+"""Retrieve the ID of the Cognito User Pool."""
+import logging
+
+from typing import Any, Dict, Optional  # pylint: disable=unused-import
+
+from runway.cfngin.providers.base import BaseProvider  # pylint: disable=unused-import
+from runway.cfngin.context import Context  # noqa pylint: disable=unused-import
+
+LOGGER = logging.getLogger(__name__)
+
+
+def get(context,  # pylint: disable=unused-argument
+        provider,  # pylint: disable=unused-argument
+        **kwargs
+       ):  # noqa: E124
+    # type: (Context, BaseProvider, Optional[Dict[str, Any]]) -> Dict
+    """Retrieve the ID of the Cognito User Pool.
+
+    The User Pool can either be supplied via an ARN or by being generated.
+    If the user has supplied an ARN that utilize that, otherwise retrieve
+    the generated id. Used in multiple pre_hooks for Auth@Edge.
+
+    Args:
+        context (:class:`runway.cfngin.context.Context`): The context
+            instance.
+        provider (:class:`runway.cfngin.providers.base.BaseProvider`):
+            The provider instance
+
+    Keyword Args:
+        user_pool_arn (str): The ARN of the supplied User pool
+        created_user_pool_id (str): The ID of the created Cognito User Pool
+    """
+    context_dict = {'id': ''}
+
+    # Favor a specific arn over a created one
+    if kwargs['user_pool_arn']:
+        context_dict['id'] = kwargs['user_pool_arn'].split('/')[-1:][0]
+    elif kwargs['created_user_pool_id']:
+        context_dict['id'] = kwargs['created_user_pool_id']
+
+    return context_dict
diff --git a/runway/module/staticsite.py b/runway/module/staticsite.py

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ def update(context, # pylint: disable=unused-argument`
`63`	`63`	`ClientId=kwargs['client_id'],`
`64`	`64`	`CallbackURLs=redirect_uris_sign_in,`
`65`	`65`	`LogoutURLs=redirect_uris_sign_out,`
`66`		`- UserPoolId=kwargs['user_pool_id'],`
	`66`	`+ UserPoolId=context.hook_data['aae_user_pool_id_retriever']['id'],`
`67`	`67`	`)`
`68`	`68`	`return True`
`69`	`69`	`except Exception as err: # pylint: disable=broad-except`
Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ def write(context, # type: context.Context`
`67`	`67`	`'redirect_path_auth_refresh': kwargs['redirect_path_refresh'],`
`68`	`68`	`'redirect_path_sign_in': kwargs['redirect_path_sign_in'],`
`69`	`69`	`'redirect_path_sign_out': kwargs['redirect_path_sign_out'],`
`70`		`- 'user_pool_id': kwargs['user_pool_id'],`
	`70`	`+ 'user_pool_id': context.hook_data['aae_user_pool_id_retriever']['id']`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`# Shared file that contains the method called for configuration data`