feat: cors httpapi (#1381)

Author: Shreya

docs/globals.rst

@@ -96,6 +96,7 @@ Currently, the following resources and properties are being supported:
       # Properties of AWS::Serverless::HttpApi
       # Also works with Implicit APIs
       Auth:
+      CorsConfiguration:
       AccessLogSettings:
       Tags:
       DefaultRouteSettings:

examples/2016-10-31/http_api_cors/README.md

@@ -0,0 +1,12 @@
+# HttpApi with CORS Example
+
+Example SAM template to configure CORS for HttpApi
+
+## Running the example
+
+```bash
+$ sam deploy \
+    --template-file template.yaml \
+    --stack-name my-stack-name \
+    --capabilities CAPABILITY_IAM
+```

examples/2016-10-31/http_api_cors/template.yaml

@@ -0,0 +1,47 @@
+AWSTemplateFormatVersion : '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: Http Api with Cors.
+
+Resources:
+  HttpApiFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      InlineCode: |
+         exports.handler = async (event) => {
+          console.log("Hello from MyAuthFunction")
+           return {
+           statusCode: 200,
+           body: JSON.stringify(event),
+           headers: {}
+           }
+         }
+      Handler: index.handler
+      Runtime: nodejs12.x
+      Events:
+        SimpleCase:
+          Type: HttpApi
+          Properties:
+            ApiId: !Ref MyApi
+
+  MyApi:
+    Type: AWS::Serverless::HttpApi
+    Properties:
+      CorsConfiguration:
+        AllowHeaders:
+          - x-apigateway-header
+        AllowMethods:
+          - GET
+        AllowOrigins:
+          - https://foo.com
+        ExposeHeaders:
+          - x-amzn-header
+      DefinitionBody:
+        info:
+          version: '1.0'
+          title:
+            Ref: AWS::StackName
+        paths:
+          "$default":
+            x-amazon-apigateway-any-method:
+              isDefaultRoute: true
+        openapi: 3.0.1

samtranslator/model/api/api_generator.py

@@ -18,7 +18,7 @@
 from samtranslator.model.s3_utils.uri_parser import parse_s3_uri
 from samtranslator.region_configuration import RegionConfiguration
 from samtranslator.swagger.swagger import SwaggerEditor
-from samtranslator.model.intrinsics import is_instrinsic, fnSub
+from samtranslator.model.intrinsics import is_intrinsic, fnSub
 from samtranslator.model.lambda_ import LambdaPermission
 from samtranslator.translator import logical_id_generator
 from samtranslator.translator.arn_generator import ArnGenerator
@@ -430,7 +430,7 @@ def _add_cors(self):
                 self.logical_id, "Cors works only with inline Swagger specified in 'DefinitionBody' property."
             )
 
-        if isinstance(self.cors, string_types) or is_instrinsic(self.cors):
+        if isinstance(self.cors, string_types) or is_intrinsic(self.cors):
             # Just set Origin property. Others will be defaults
             properties = CorsProperties(AllowOrigin=self.cors)
         elif isinstance(self.cors, dict):

samtranslator/model/api/http_api_generator.py

@@ -7,6 +7,13 @@
 from samtranslator.open_api.open_api import OpenApiEditor
 from samtranslator.translator import logical_id_generator
 from samtranslator.model.tags.resource_tagging import get_tag_list
+from samtranslator.model.intrinsics import is_intrinsic
+
+_CORS_WILDCARD = "*"
+CorsProperties = namedtuple(
+    "_CorsProperties", ["AllowMethods", "AllowHeaders", "AllowOrigins", "MaxAge", "ExposeHeaders", "AllowCredentials"]
+)
+CorsProperties.__new__.__defaults__ = (None, None, None, None, None, False)
 
 AuthProperties = namedtuple("_AuthProperties", ["Authorizers", "DefaultAuthorizer"])
 AuthProperties.__new__.__defaults__ = (None, None)
@@ -25,6 +32,7 @@ def __init__(
         stage_name,
         tags=None,
         auth=None,
+        cors_configuration=None,
         access_log_settings=None,
         default_route_settings=None,
         resource_attributes=None,
@@ -53,6 +61,7 @@ def __init__(
         if not self.stage_name:
             self.stage_name = DefaultStageName
         self.auth = auth
+        self.cors_configuration = cors_configuration
         self.tags = tags
         self.access_log_settings = access_log_settings
         self.default_route_settings = default_route_settings
@@ -69,8 +78,11 @@ def _construct_http_api(self):
 
         if self.definition_uri and self.definition_body:
             raise InvalidResourceException(
-                self.logical_id, "Specify either 'DefinitionUri' or 'DefinitionBody' property and not both"
+                self.logical_id, "Specify either 'DefinitionUri' or 'DefinitionBody' property and not both."
             )
+        if self.cors_configuration:
+            # call this method to add cors in open api
+            self._add_cors()
 
         self._add_auth()
         self._add_tags()
@@ -84,11 +96,74 @@ def _construct_http_api(self):
                 self.logical_id,
                 "'DefinitionUri' or 'DefinitionBody' are required properties of an "
                 "'AWS::Serverless::HttpApi'. Add a value for one of these properties or "
-                "add a 'HttpApi' event to an 'AWS::Serverless::Function'",
+                "add a 'HttpApi' event to an 'AWS::Serverless::Function'.",
             )
 
         return http_api
 
+    def _add_cors(self):
+        """
+        Add CORS configuration if CORSConfiguration property is set in SAM.
+        Adds CORS configuration only if DefinitionBody is present and
+        APIGW extension for CORS is not present in the DefinitionBody
+        """
+
+        if self.cors_configuration and not self.definition_body:
+            raise InvalidResourceException(
+                self.logical_id, "Cors works only with inline OpenApi specified in 'DefinitionBody' property."
+            )
+
+        # If cors configuration is set to true add * to the allow origins.
+        # This also support referencing the value as a parameter
+        if isinstance(self.cors_configuration, bool):
+            # if cors config is true add Origins as "'*'"
+            properties = CorsProperties(AllowOrigins=[_CORS_WILDCARD])
+
+        elif is_intrinsic(self.cors_configuration):
+            # Just set Origin property. Intrinsics will be handledOthers will be defaults
+            properties = CorsProperties(AllowOrigins=self.cors_configuration)
+
+        elif isinstance(self.cors_configuration, dict):
+            # Make sure keys in the dict are recognized
+            if not all(key in CorsProperties._fields for key in self.cors_configuration.keys()):
+                raise InvalidResourceException(self.logical_id, "Invalid value for 'Cors' property.")
+
+            properties = CorsProperties(**self.cors_configuration)
+
+        else:
+            raise InvalidResourceException(self.logical_id, "Invalid value for 'Cors' property.")
+
+        if not OpenApiEditor.is_valid(self.definition_body):
+            raise InvalidResourceException(
+                self.logical_id,
+                "Unable to add Cors configuration because "
+                "'DefinitionBody' does not contain a valid "
+                "OpenApi definition.",
+            )
+
+        if properties.AllowCredentials is True and properties.AllowOrigins == [_CORS_WILDCARD]:
+            raise InvalidResourceException(
+                self.logical_id,
+                "Unable to add Cors configuration because "
+                "'AllowCredentials' can not be true when "
+                "'AllowOrigin' is \"'*'\" or not set.",
+            )
+
+        editor = OpenApiEditor(self.definition_body)
+        # if CORS is set in both definition_body and as a CorsConfiguration property,
+        # SAM merges and overrides the cors headers in definition_body with headers of CorsConfiguration
+        editor.add_cors(
+            properties.AllowOrigins,
+            properties.AllowHeaders,
+            properties.AllowMethods,
+            properties.ExposeHeaders,
+            properties.MaxAge,
+            properties.AllowCredentials,
+        )
+
+        # Assign the OpenApi back to template
+        self.definition_body = editor.openapi
+
     def _add_auth(self):
         """
         Add Auth configuration to the OAS file, if necessary

samtranslator/model/function_policies.py

@@ -3,7 +3,7 @@
 
 from six import string_types
 
-from samtranslator.model.intrinsics import is_instrinsic, is_intrinsic_if, is_intrinsic_no_value
+from samtranslator.model.intrinsics import is_intrinsic, is_intrinsic_if, is_intrinsic_no_value
 from samtranslator.model.exceptions import InvalidTemplateException
 
 PolicyEntry = namedtuple("PolicyEntry", "data type")
@@ -126,7 +126,7 @@ def _get_type(self, policy):
             return self._get_type_from_intrinsic_if(policy)
 
         # Intrinsic functions are treated as managed policies by default
-        if is_instrinsic(policy):
+        if is_intrinsic(policy):
             return PolicyTypes.MANAGED_POLICY
 
         # Policy statement is a dictionary with the key "Statement" in it

samtranslator/model/intrinsics.py

@@ -129,7 +129,7 @@ def make_shorthand(intrinsic_dict):
         raise NotImplementedError("Shorthanding is only supported for Ref and Fn::GetAtt")
 
 
-def is_instrinsic(input):
+def is_intrinsic(input):
     """
     Checks if the given input is an intrinsic function dictionary. Intrinsic function is a dictionary with single
     key that is the name of the intrinsics.
@@ -155,7 +155,7 @@ def is_intrinsic_if(input):
     :return: True, if yes
     """
 
-    if not is_instrinsic(input):
+    if not is_intrinsic(input):
         return False
 
     key = list(input.keys())[0]
@@ -171,7 +171,7 @@ def is_intrinsic_no_value(input):
     :return: True, if yes
     """
 
-    if not is_instrinsic(input):
+    if not is_intrinsic(input):
         return False
 
     key = list(input.keys())[0]

samtranslator/model/preferences/deployment_preference_collection.py

@@ -2,7 +2,7 @@
 from samtranslator.model.codedeploy import CodeDeployApplication
 from samtranslator.model.codedeploy import CodeDeployDeploymentGroup
 from samtranslator.model.iam import IAMRole
-from samtranslator.model.intrinsics import fnSub, is_instrinsic
+from samtranslator.model.intrinsics import fnSub, is_intrinsic
 from samtranslator.model.update_policy import UpdatePolicy
 from samtranslator.translator.arn_generator import ArnGenerator
 import copy
@@ -149,7 +149,7 @@ def _replace_deployment_types(self, value, key=None):
             for i in range(len(value)):
                 value[i] = self._replace_deployment_types(value[i])
             return value
-        elif is_instrinsic(value):
+        elif is_intrinsic(value):
             for (k, v) in value.items():
                 value[k] = self._replace_deployment_types(v, k)
             return value

samtranslator/model/sam_resources.py

@@ -872,7 +872,7 @@ class SamHttpApi(SamResourceMacro):
         "DefinitionBody": PropertyType(False, is_type(dict)),
         "DefinitionUri": PropertyType(False, one_of(is_str(), is_type(dict))),
         "StageVariables": PropertyType(False, is_type(dict)),
-        "Cors": PropertyType(False, one_of(is_str(), is_type(dict))),
+        "CorsConfiguration": PropertyType(False, one_of(is_type(bool), is_type(dict))),
         "AccessLogSettings": PropertyType(False, is_type(dict)),
         "DefaultRouteSettings": PropertyType(False, is_type(dict)),
         "Auth": PropertyType(False, is_type(dict)),
@@ -881,14 +881,16 @@ class SamHttpApi(SamResourceMacro):
     referable_properties = {"Stage": ApiGatewayV2Stage.resource_type}
 
     def to_cloudformation(self, **kwargs):
-        """Returns the API Gateway RestApi, Deployment, and Stage to which this SAM Api corresponds.
+        """Returns the API GatewayV2 Api, Deployment, and Stage to which this SAM Api corresponds.
 
         :param dict kwargs: already-converted resources that may need to be modified when converting this \
         macro to pure CloudFormation
         :returns: a list of vanilla CloudFormation Resources, to which this Function expands
         :rtype: list
         """
         resources = []
+        intrinsics_resolver = kwargs["intrinsics_resolver"]
+        self.CorsConfiguration = intrinsics_resolver.resolve_parameter_refs(self.CorsConfiguration)
 
         api_generator = HttpApiGenerator(
             self.logical_id,
@@ -899,6 +901,7 @@ def to_cloudformation(self, **kwargs):
             self.StageName,
             tags=self.Tags,
             auth=self.Auth,
+            cors_configuration=self.CorsConfiguration,
             access_log_settings=self.AccessLogSettings,
             default_route_settings=self.DefaultRouteSettings,
             resource_attributes=self.resource_attributes,

samtranslator/open_api/open_api.py

@@ -4,7 +4,9 @@
 
 from samtranslator.model.intrinsics import ref
 from samtranslator.model.intrinsics import make_conditional
+from samtranslator.model.intrinsics import is_intrinsic
 from samtranslator.model.exceptions import InvalidDocumentException, InvalidTemplateException
+import json
 
 
 class OpenApiEditor(object):
@@ -17,6 +19,7 @@ class OpenApiEditor(object):
 
     _X_APIGW_INTEGRATION = "x-amazon-apigateway-integration"
     _X_APIGW_TAG_VALUE = "x-amazon-apigateway-tag-value"
+    _X_APIGW_CORS = "x-amazon-apigateway-cors"
     _CONDITIONAL_IF = "Fn::If"
     _X_ANY_METHOD = "x-amazon-apigateway-any-method"
     _ALL_HTTP_METHODS = ["OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "PATCH"]
@@ -376,6 +379,74 @@ def add_tags(self, tags):
                 tag = {"name": name, self._X_APIGW_TAG_VALUE: value}
                 self.tags.append(tag)
 
+    def add_cors(
+        self,
+        allow_origins,
+        allow_headers=None,
+        allow_methods=None,
+        expose_headers=None,
+        max_age=None,
+        allow_credentials=None,
+    ):
+        """
+        Add CORS configuration to this Api to _X_APIGW_CORS header in open api definition
+
+        Following this guide:
+        https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-cors.html
+        https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigatewayv2-api-cors.html
+
+        :param list/dict allowed_origins: Comma separate list of allowed origins.
+            Value can also be an intrinsic function dict.
+        :param list/dict allowed_headers: Comma separated list of allowed headers.
+            Value can also be an intrinsic function dict.
+        :param list/dict allowed_methods: Comma separated list of allowed methods.
+            Value can also be an intrinsic function dict.
+        :param list/dict expose_headers: Comma separated list of allowed methods.
+            Value can also be an intrinsic function dict.
+        :param integer/dict max_age: Maximum duration to cache the CORS Preflight request. Value is set on
+            Access-Control-Max-Age header. Value can also be an intrinsic function dict.
+        :param bool/None allowed_credentials: Flags whether request is allowed to contain credentials.
+        """
+        ALLOW_ORIGINS = "allowOrigins"
+        ALLOW_HEADERS = "allowHeaders"
+        ALLOW_METHODS = "allowMethods"
+        EXPOSE_HEADERS = "exposeHeaders"
+        MAX_AGE = "maxAge"
+        ALLOW_CREDENTIALS = "allowCredentials"
+        cors_headers = [ALLOW_ORIGINS, ALLOW_HEADERS, ALLOW_METHODS, EXPOSE_HEADERS, MAX_AGE, ALLOW_CREDENTIALS]
+        cors_configuration = self._doc.get(self._X_APIGW_CORS, dict())
+
+        # intrinsics will not work if cors configuration is defined in open api and as a property to the HttpApi
+        if allow_origins and is_intrinsic(allow_origins):
+            cors_configuration_string = json.dumps(allow_origins)
+            for header in cors_headers:
+                # example: allowOrigins to AllowOrigins
+                keyword = header[0].upper() + header[1:]
+                cors_configuration_string = cors_configuration_string.replace(keyword, header)
+            cors_configuration_dict = json.loads(cors_configuration_string)
+            cors_configuration.update(cors_configuration_dict)
+
+        else:
+            if allow_origins:
+                cors_configuration[ALLOW_ORIGINS] = allow_origins
+            if allow_headers:
+                cors_configuration[ALLOW_HEADERS] = allow_headers
+            if allow_methods:
+                cors_configuration[ALLOW_METHODS] = allow_methods
+            if expose_headers:
+                cors_configuration[EXPOSE_HEADERS] = expose_headers
+            if max_age is not None:
+                cors_configuration[MAX_AGE] = max_age
+            if allow_credentials is True:
+                cors_configuration[ALLOW_CREDENTIALS] = allow_credentials
+
+        self._doc[self._X_APIGW_CORS] = cors_configuration
+
+    def has_api_gateway_cors(self):
+        if self._doc.get(self._X_APIGW_CORS):
+            return True
+        return False
+
     @property
     def openapi(self):
         """