feat: add ApiKey Auth support (#943)

* Initial work to add ApiKeyRequired support

- Implement new translator tests
- Add swagger.py unit tests
- Update documentation
- refactor Auth handling in swagger.py

* Fix spacing

* undo space changes

* Add openapi3 tests

* Fix linting errors

* Update apikey openapi3 tests with expected output.

* Move OpenApi Auth processing- Since the ApiKey setting can be specified just at a Function level, we need to ensure the OpenApi Auth post processing happens even if the API has no explicit Auth Settings

Author: cfbarbero

samtranslator/model/api/api_generator.py

@@ -21,8 +21,9 @@
 CorsProperties.__new__.__defaults__ = (None, None, _CORS_WILDCARD, None, False)
 
 AuthProperties = namedtuple("_AuthProperties",
-                            ["Authorizers", "DefaultAuthorizer", "InvokeRole", "AddDefaultAuthorizerToCorsPreflight"])
-AuthProperties.__new__.__defaults__ = (None, None, None, True)
+                            ["Authorizers", "DefaultAuthorizer", "InvokeRole", "AddDefaultAuthorizerToCorsPreflight",
+                             "ApiKeyRequired"])
+AuthProperties.__new__.__defaults__ = (None, None, None, True, None)
 
 GatewayResponseProperties = ["ResponseParameters", "ResponseTemplates", "StatusCode"]
 
@@ -115,6 +116,8 @@ def _construct_rest_api(self):
         if self.definition_uri:
             rest_api.BodyS3Location = self._construct_body_s3_dict()
         elif self.definition_body:
+            # # Post Process OpenApi Auth Settings
+            self.definition_body = self._openapi_auth_postprocess(self.definition_body)
             rest_api.Body = self.definition_body
 
         if self.name:
@@ -308,13 +311,17 @@ def _add_auth(self):
         authorizers = self._get_authorizers(auth_properties.Authorizers, auth_properties.DefaultAuthorizer)
 
         if authorizers:
-            swagger_editor.add_authorizers(authorizers)
+            swagger_editor.add_authorizers_security_definitions(authorizers)
             self._set_default_authorizer(swagger_editor, authorizers, auth_properties.DefaultAuthorizer,
                                          auth_properties.AddDefaultAuthorizerToCorsPreflight)
 
-        # Assign the Swagger back to template
+        if auth_properties.ApiKeyRequired:
+            swagger_editor.add_apikey_security_definition()
+            self._set_default_apikey_required(swagger_editor)
 
-        self.definition_body = self._openapi_auth_postprocess(swagger_editor.swagger)
+        # Assign the Swagger back to template
+        # self.definition_body = self._openapi_auth_postprocess(swagger_editor.swagger)
+        self.definition_body = swagger_editor.swagger
 
     def _openapi_auth_postprocess(self, definition_body):
         """
@@ -523,6 +530,10 @@ def _set_default_authorizer(self, swagger_editor, authorizers, default_authorize
             swagger_editor.set_path_default_authorizer(path, default_authorizer, authorizers=authorizers,
                                                        add_default_auth_to_preflight=add_default_auth_to_preflight)
 
+    def _set_default_apikey_required(self, swagger_editor):
+        for path in swagger_editor.iter_on_path():
+            swagger_editor.set_path_default_apikey_required(path)
+
     def _set_endpoint_configuration(self, rest_api, value):
         """
         Sets endpoint configuration property of AWS::ApiGateway::RestApi resource

samtranslator/model/eventsources/push.py

@@ -123,9 +123,9 @@ class CloudWatchEvent(PushEventSource):
     resource_type = 'CloudWatchEvent'
     principal = 'events.amazonaws.com'
     property_types = {
-            'Pattern': PropertyType(False, is_type(dict)),
-            'Input': PropertyType(False, is_str()),
-            'InputPath': PropertyType(False, is_str())
+        'Pattern': PropertyType(False, is_type(dict)),
+        'Input': PropertyType(False, is_str()),
+        'InputPath': PropertyType(False, is_str())
     }
 
     def to_cloudformation(self, **kwargs):
@@ -539,9 +539,9 @@ def _add_swagger_integration(self, api, function):
 
         if self.Auth:
             method_authorizer = self.Auth.get('Authorizer')
+            api_auth = api.get('Auth')
 
             if method_authorizer:
-                api_auth = api.get('Auth')
                 api_authorizers = api_auth and api_auth.get('Authorizers')
 
                 if method_authorizer != 'AWS_IAM':
@@ -566,6 +566,16 @@ def _add_swagger_integration(self, api, function):
                             'is only a valid value when a DefaultAuthorizer on the API is specified.'.format(
                                 method=self.Method, path=self.Path))
 
+            apikey_required_setting = self.Auth.get('ApiKeyRequired')
+            apikey_required_setting_is_false = apikey_required_setting is not None and not apikey_required_setting
+            if apikey_required_setting_is_false and not api_auth.get('ApiKeyRequired'):
+                raise InvalidEventException(
+                    self.relative_id,
+                    'Unable to set ApiKeyRequired [False] on API method [{method}] for path [{path}] '
+                    'because the related API does not specify any ApiKeyRequired.'.format(
+                        method=self.Method, path=self.Path))
+
+            if method_authorizer or apikey_required_setting is not None:
                 editor.add_auth_to_method(api=api, path=self.Path, method_name=self.Method, auth=self.Auth)
 
         if self.RequestModel: