Enable HTTP endpoints authorizers

Author: vlewin

lib/deploy/events/apiGateway/authorizers.js

@@ -0,0 +1,59 @@
+'use strict';
+
+const BbPromise = require('bluebird');
+const _ = require('lodash');
+const awsArnRegExs = require('../../../utils/arnRegularExpressions');
+
+module.exports = {
+  compileAuthorizers() {
+    this.pluginhttpValidated.events.forEach((event) => {
+      if (event.http.authorizer && event.http.authorizer.arn) {
+        const authorizer = event.http.authorizer;
+        const authorizerProperties = {
+          AuthorizerResultTtlInSeconds: authorizer.resultTtlInSeconds,
+          IdentitySource: authorizer.identitySource,
+          Name: authorizer.name,
+          RestApiId: this.provider.getApiGatewayRestApiId(),
+        };
+
+        if (typeof authorizer.identityValidationExpression === 'string') {
+          _.assign(authorizerProperties, {
+            IdentityValidationExpression: authorizer.identityValidationExpression,
+          });
+        }
+
+        const authorizerLogicalId = this.provider.naming.getAuthorizerLogicalId(authorizer.name);
+
+        if (typeof authorizer.arn === 'string'
+          && awsArnRegExs.cognitoIdpArnExpr.test(authorizer.arn)) {
+          authorizerProperties.Type = 'COGNITO_USER_POOLS';
+          authorizerProperties.ProviderARNs = [authorizer.arn];
+        } else {
+          authorizerProperties.AuthorizerUri =
+          {
+            'Fn::Join': ['',
+              [
+                'arn:',
+                { Ref: 'AWS::Partition' },
+                ':apigateway:',
+                { Ref: 'AWS::Region' },
+                ':lambda:path/2015-03-31/functions/',
+                authorizer.arn,
+                '/invocations',
+              ],
+            ],
+          };
+          authorizerProperties.Type = authorizer.type ? authorizer.type.toUpperCase() : 'TOKEN';
+        }
+
+        _.merge(this.serverless.service.provider.compiledCloudFormationTemplate.Resources, {
+          [authorizerLogicalId]: {
+            Type: 'AWS::ApiGateway::Authorizer',
+            Properties: authorizerProperties,
+          },
+        });
+      }
+    });
+    return BbPromise.resolve();
+  },
+};

lib/deploy/events/apiGateway/authorizers.test.js

@@ -0,0 +1,176 @@
+'use strict';
+
+const expect = require('chai').expect;
+const Serverless = require('serverless/lib/Serverless');
+const AwsProvider = require('serverless/lib/plugins/aws/provider/awsProvider');
+const ServerlessStepFunctions = require('./../../../index');
+
+
+describe('#compileAuthorizers()', () => {
+  let awsCompileApigEvents;
+
+  beforeEach(() => {
+    const serverless = new Serverless();
+    serverless.setProvider('aws', new AwsProvider(serverless));
+    serverless.service.service = 'first-service';
+    serverless.service.provider.compiledCloudFormationTemplate = { Resources: {} };
+    awsCompileApigEvents = new ServerlessStepFunctions(serverless);
+    awsCompileApigEvents.apiGatewayRestApiLogicalId = 'ApiGatewayRestApi';
+    awsCompileApigEvents.pluginhttpValidated = {};
+  });
+
+  it('should create an authorizer with minimal configuration', () => {
+    awsCompileApigEvents.pluginhttpValidated.events = [{
+      http: {
+        path: 'users/create',
+        method: 'POST',
+        authorizer: {
+          name: 'authorizer',
+          arn: { 'Fn::GetAtt': ['SomeLambdaFunction', 'Arn'] },
+          resultTtlInSeconds: 300,
+          identitySource: 'method.request.header.Authorization',
+        },
+      },
+    }];
+
+    return awsCompileApigEvents.compileAuthorizers().then(() => {
+      const resource = awsCompileApigEvents.serverless.service.provider
+        .compiledCloudFormationTemplate.Resources.AuthorizerApiGatewayAuthorizer;
+
+      expect(resource.Type).to.equal('AWS::ApiGateway::Authorizer');
+      expect(resource.Properties.AuthorizerResultTtlInSeconds).to.equal(300);
+      expect(resource.Properties.AuthorizerUri).to.deep.equal({
+        'Fn::Join': ['',
+          [
+            'arn:',
+            { Ref: 'AWS::Partition' },
+            ':apigateway:',
+            { Ref: 'AWS::Region' },
+            ':lambda:path/2015-03-31/functions/',
+            { 'Fn::GetAtt': ['SomeLambdaFunction', 'Arn'] },
+            '/invocations',
+          ],
+        ],
+      });
+      expect(resource.Properties.IdentitySource).to.equal('method.request.header.Authorization');
+      expect(resource.Properties.IdentityValidationExpression).to.equal(undefined);
+      expect(resource.Properties.Name).to.equal('authorizer');
+      expect(resource.Properties.RestApiId.Ref).to.equal('ApiGatewayRestApi');
+      expect(resource.Properties.Type).to.equal('TOKEN');
+    });
+  });
+
+  it('should create an authorizer with provided configuration', () => {
+    awsCompileApigEvents.pluginhttpValidated.events = [{
+      http: {
+        path: 'users/create',
+        method: 'POST',
+        authorizer: {
+          name: 'authorizer',
+          arn: 'foo',
+          resultTtlInSeconds: 500,
+          identitySource: 'method.request.header.Custom',
+          identityValidationExpression: 'regex',
+        },
+      },
+    }];
+
+    return awsCompileApigEvents.compileAuthorizers().then(() => {
+      const resource = awsCompileApigEvents.serverless.service.provider
+        .compiledCloudFormationTemplate.Resources.AuthorizerApiGatewayAuthorizer;
+
+      expect(resource.Type).to.equal('AWS::ApiGateway::Authorizer');
+      expect(resource.Properties.AuthorizerUri).to.deep.equal({
+        'Fn::Join': ['',
+          [
+            'arn:',
+            { Ref: 'AWS::Partition' },
+            ':apigateway:',
+            { Ref: 'AWS::Region' },
+            ':lambda:path/2015-03-31/functions/',
+            'foo',
+            '/invocations',
+          ],
+        ],
+      });
+      expect(resource.Properties.AuthorizerResultTtlInSeconds).to.equal(500);
+      expect(resource.Properties.IdentitySource).to.equal('method.request.header.Custom');
+      expect(resource.Properties.IdentityValidationExpression).to.equal('regex');
+      expect(resource.Properties.Name).to.equal('authorizer');
+      expect(resource.Properties.RestApiId.Ref).to.equal('ApiGatewayRestApi');
+      expect(resource.Properties.Type).to.equal('TOKEN');
+    });
+  });
+
+  it('should apply optional provided type value to Authorizer Type', () => {
+    awsCompileApigEvents.pluginhttpValidated.events = [{
+      http: {
+        path: 'users/create',
+        method: 'POST',
+        authorizer: {
+          name: 'authorizer',
+          arn: 'foo',
+          resultTtlInSeconds: 500,
+          identityValidationExpression: 'regex',
+          type: 'request',
+        },
+      },
+    }];
+
+    return awsCompileApigEvents.compileAuthorizers().then(() => {
+      const resource = awsCompileApigEvents.serverless.service.provider
+        .compiledCloudFormationTemplate.Resources.AuthorizerApiGatewayAuthorizer;
+
+      expect(resource.Type).to.equal('AWS::ApiGateway::Authorizer');
+      expect(resource.Properties.Type).to.equal('REQUEST');
+    });
+  });
+
+  it('should apply TOKEN as authorizer Type when not given a type value', () => {
+    awsCompileApigEvents.pluginhttpValidated.events = [{
+      http: {
+        path: 'users/create',
+        method: 'POST',
+        authorizer: {
+          name: 'authorizer',
+          arn: 'foo',
+          resultTtlInSeconds: 500,
+          identityValidationExpression: 'regex',
+        },
+      },
+    }];
+
+    return awsCompileApigEvents.compileAuthorizers().then(() => {
+      const resource = awsCompileApigEvents.serverless.service.provider
+        .compiledCloudFormationTemplate.Resources.AuthorizerApiGatewayAuthorizer;
+
+      expect(resource.Type).to.equal('AWS::ApiGateway::Authorizer');
+      expect(resource.Properties.Type).to.equal('TOKEN');
+    });
+  });
+
+  it('should create a valid cognito user pool authorizer', () => {
+    awsCompileApigEvents.pluginhttpValidated.events = [{
+      http: {
+        path: 'users/create',
+        method: 'POST',
+        authorizer: {
+          name: 'authorizer',
+          arn: 'arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ',
+        },
+      },
+    }];
+
+    return awsCompileApigEvents.compileAuthorizers().then(() => {
+      const resource = awsCompileApigEvents.serverless.service.provider
+        .compiledCloudFormationTemplate.Resources.AuthorizerApiGatewayAuthorizer;
+
+      expect(resource.Properties.Name).to.equal('authorizer');
+
+      expect(resource.Properties.ProviderARNs[0]
+      ).to.equal('arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ');
+
+      expect(resource.Properties.Type).to.equal('COGNITO_USER_POOLS');
+    });
+  });
+});

lib/index.js

@@ -7,6 +7,7 @@ const compileIamRole = require('./deploy/stepFunctions/compileIamRole');
 const httpValidate = require('./deploy/events/apiGateway/validate');
 const httpResources = require('./deploy/events/apiGateway/resources');
 const httpMethods = require('./deploy/events/apiGateway/methods');
+const httpAuthorizers = require('./deploy/events/apiGateway/authorizers');
 const httpCors = require('./deploy/events/apiGateway/cors');
 const httpApiKeys = require('./deploy/events/apiGateway/apiKeys');
 const httpUsagePlan = require('./deploy/events/apiGateway/usagePlan');
@@ -40,6 +41,7 @@ class ServerlessStepFunctions {
       httpValidate,
       httpResources,
       httpMethods,
+      httpAuthorizers,
       httpCors,
       httpApiKeys,
       httpUsagePlan,
@@ -111,6 +113,7 @@ class ServerlessStepFunctions {
             .then(this.compileRestApi)
             .then(this.compileResources)
             .then(this.compileMethods)
+            .then(this.compileAuthorizers)
             .then(this.compileCors)
             .then(this.compileHttpIamRole)
             .then(this.compileDeployment)

lib/index.test.js

@@ -101,6 +101,8 @@ describe('#index', () => {
          .stub(serverlessStepFunctions, 'compileResources').returns(BbPromise.resolve());
        const compileMethodsStub = sinon
          .stub(serverlessStepFunctions, 'compileMethods').returns(BbPromise.resolve());
+       const compileAuthorizersStub = sinon
+         .stub(serverlessStepFunctions, 'compileAuthorizers').returns(BbPromise.resolve());
        const compileCorsStub = sinon
          .stub(serverlessStepFunctions, 'compileCors').returns(BbPromise.resolve());
        const compileHttpIamRoleStub = sinon
@@ -120,6 +122,7 @@ describe('#index', () => {
            expect(compileRestApiStub.notCalled).to.be.equal(true);
            expect(compileResourcesStub.notCalled).to.be.equal(true);
            expect(compileMethodsStub.notCalled).to.be.equal(true);
+           expect(compileAuthorizersStub.notCalled).to.be.equal(true);
            expect(compileCorsStub.notCalled).to.be.equal(true);
            expect(compileHttpIamRoleStub.notCalled).to.be.equal(true);
            expect(compileDeploymentStub.notCalled).to.be.equal(true);
@@ -131,6 +134,7 @@ describe('#index', () => {
            serverlessStepFunctions.compileRestApi.restore();
            serverlessStepFunctions.compileResources.restore();
            serverlessStepFunctions.compileMethods.restore();
+           serverlessStepFunctions.compileAuthorizers.restore();
            serverlessStepFunctions.compileCors.restore();
            serverlessStepFunctions.compileHttpIamRole.restore();
            serverlessStepFunctions.compileDeployment.restore();
@@ -152,6 +156,8 @@ describe('#index', () => {
           .stub(serverlessStepFunctions, 'compileResources').returns(BbPromise.resolve());
         const compileMethodsStub = sinon
           .stub(serverlessStepFunctions, 'compileMethods').returns(BbPromise.resolve());
+        const compileAuthorizersStub = sinon
+          .stub(serverlessStepFunctions, 'compileAuthorizers').returns(BbPromise.resolve());
         const compileCorsStub = sinon
           .stub(serverlessStepFunctions, 'compileCors').returns(BbPromise.resolve());
         const compileHttpIamRoleStub = sinon
@@ -171,6 +177,7 @@ describe('#index', () => {
             expect(compileRestApiStub.calledOnce).to.be.equal(true);
             expect(compileResourcesStub.calledAfter(compileRestApiStub)).to.be.equal(true);
             expect(compileMethodsStub.calledAfter(compileResourcesStub)).to.be.equal(true);
+            expect(compileAuthorizersStub.calledAfter(compileResourcesStub)).to.be.equal(true);
             expect(compileCorsStub.calledAfter(compileMethodsStub)).to.be.equal(true);
             expect(compileHttpIamRoleStub.calledAfter(compileCorsStub)).to.be.equal(true);
             expect(compileDeploymentStub.calledAfter(compileHttpIamRoleStub)).to.be.equal(true);
@@ -183,6 +190,7 @@ describe('#index', () => {
             serverlessStepFunctions.compileRestApi.restore();
             serverlessStepFunctions.compileResources.restore();
             serverlessStepFunctions.compileMethods.restore();
+            serverlessStepFunctions.compileAuthorizers.restore();
             serverlessStepFunctions.compileHttpIamRole.restore();
             serverlessStepFunctions.compileDeployment.restore();
             serverlessStepFunctions.compileApiKeys.restore();

lib/utils/arnRegularExpressions.js

@@ -0,0 +1,6 @@
+'use strict';
+
+module.exports = {
+  cognitoIdpArnExpr: /^arn:[a-zA-Z-]*:cognito-idp/,
+  lambdaArnExpr: /arn:[a-zA-Z-]*:lambda/,
+};