diff --git a/samtranslator/model/api/http_api_generator.py b/samtranslator/model/api/http_api_generator.py index a1da483a3e..e42fe48428 100644 --- a/samtranslator/model/api/http_api_generator.py +++ b/samtranslator/model/api/http_api_generator.py @@ -418,10 +418,15 @@ def _get_authorizers(self, authorizers_config, default_authorizer=None): self.logical_id, "Authorizer %s must be a dictionary." % (authorizer_name) ) + if "OpenIdConnectUrl" in authorizer: + raise InvalidResourceException( + self.logical_id, + "'OpenIdConnectUrl' is no longer a supported property for authorizer '%s'. Please refer to the AWS SAM documentation." + % (authorizer_name), + ) authorizers[authorizer_name] = ApiGatewayV2Authorizer( api_logical_id=self.logical_id, name=authorizer_name, - open_id_connect_url=authorizer.get("OpenIdConnectUrl"), authorization_scopes=authorizer.get("AuthorizationScopes"), jwt_configuration=authorizer.get("JwtConfiguration"), id_source=authorizer.get("IdentitySource"), diff --git a/samtranslator/model/apigatewayv2.py b/samtranslator/model/apigatewayv2.py index 695cec4a2d..0c88ffee37 100644 --- a/samtranslator/model/apigatewayv2.py +++ b/samtranslator/model/apigatewayv2.py 
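Review bot: The new `if "OpenIdConnectUrl" in authorizer:` guard turns a property that used to be forwarded silently into a hard validation error, which is the right fail-closed choice for an authorizer setting, but nothing in the hunk records why it is rejected rather than ignored, so a later maintainer could plausibly downgrade it to a warning. A one-line comment above the check would carry that intent, e.g. `# Fail closed: an authorizer property that is no longer honoured must not be dropped silently, or the deployed auth setup differs from what the template author wrote.` The check relies on `authorizer` being a dict, which the preceding "must be a dictionary" raise in this hunk guarantees; _get_authorizers itself starts and ends outside the hunk. The message could also say what replaces the property — presumably just removing it, since `JwtConfiguration` and `IdentitySource` are still passed through below — instead of only pointing at the documentation.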
@@ -57,33 +57,24 @@ class ApiGatewayV2ApiMapping(Resource): class ApiGatewayV2Authorizer(object): def __init__( - self, - api_logical_id=None, - name=None, - open_id_connect_url=None, - authorization_scopes=[], - jwt_configuration={}, - id_source=None, + self, api_logical_id=None, name=None, authorization_scopes=[], jwt_configuration={}, id_source=None, ): """ Creates an authorizer for use in V2 Http Apis """ - # OIDC uses a connect url, oauth2 doesn't - self.auth_type = "openIdConnect" - if open_id_connect_url is None: - self.auth_type = "oauth2" + # Currently only one type of auth + self.auth_type = "oauth2" self.api_logical_id = api_logical_id self.name = name - self.open_id_connect_url = open_id_connect_url self.authorization_scopes = authorization_scopes # Validate necessary parameters exist if not jwt_configuration: - raise InvalidResourceException(api_logical_id, name + " Authorizer must define 'JwtConfiguration'") + raise InvalidResourceException(api_logical_id, name + " Authorizer must define 'JwtConfiguration'.") self.jwt_configuration = jwt_configuration if not id_source: - raise InvalidResourceException(api_logical_id, name + " Authorizer must define 'IdentitySource'") + raise InvalidResourceException(api_logical_id, name + " Authorizer must define 'IdentitySource'.") self.id_source = id_source def generate_openapi(self): @@ -98,6 +89,4 @@ def generate_openapi(self): "type": "jwt", }, } - if self.open_id_connect_url: - openapi["x-amazon-apigateway-authorizer"]["openIdConnectUrl"] = self.open_id_connect_url return openapi diff --git a/tests/model/test_api_v2.py b/tests/model/test_api_v2.py index 36d87b5e1e..e9fe87d934 100644 --- a/tests/model/test_api_v2.py +++ b/tests/model/test_api_v2.py 
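Review bot: The reformatted signature keeps the mutable defaults `authorization_scopes=[]` and `jwt_configuration={}`; the list default is stored as `self.authorization_scopes` unchanged, so every authorizer constructed without scopes shares one list object and any in-place modification would leak scopes between authorizers — for an authorization setting that is worth closing while the line is being rewritten anyway. `authorization_scopes=None` in the signature plus `self.authorization_scopes = [] if authorization_scopes is None else authorization_scopes` preserves the stored value, and the dict default never survives the `if not jwt_configuration` check, so it can become `None` the same way without changing behaviour. Separately, both rewritten raise lines build their message with `name + " Authorizer ..."` while `name` defaults to `None`, so a missing name turns the intended InvalidResourceException into a TypeError; `"%s Authorizer must define 'JwtConfiguration'." % name` (and likewise for `'IdentitySource'`) avoids that. The `# Currently only one type of auth` comment would be more useful if it named where `self.auth_type` is still consumed, which this hunk does not show.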
@@ -15,16 +15,6 @@ def test_create_oauth2_auth(self): ) self.assertEquals(auth.auth_type, "oauth2") - def test_create_oidc_auth(self): - auth = ApiGatewayV2Authorizer( - api_logical_id="logicalId", - name="authName", - open_id_connect_url="https://example.com", - jwt_configuration={"config": "value"}, - id_source="https://example.com", - ) - self.assertEquals(auth.auth_type, "openIdConnect") - def test_create_authorizer_no_id_source(self): with pytest.raises(InvalidResourceException): auth = ApiGatewayV2Authorizer( diff --git a/tests/openapi/test_openapi.py b/tests/openapi/test_openapi.py index 95eceb135a..dde6ea061f 100644 --- a/tests/openapi/test_openapi.py +++ b/tests/openapi/test_openapi.py @@ -353,7 +353,6 @@ def test_must_fail_for_invalid_values(self, data, case): self.assertFalse(OpenApiEditor.is_valid(data), "openapi dictionary with {} must not be valid".format(case)) -# TODO this needs to be updated with OIDC auth - authorization scopes and anything else that needs testing the swagger class TestOpenApiEditor_add_auth(TestCase): def setUp(self): diff --git a/tests/translator/input/error_http_api_invalid_auth.yaml b/tests/translator/input/error_http_api_invalid_auth.yaml index 76f24464be..a45f748002 100644 --- a/tests/translator/input/error_http_api_invalid_auth.yaml +++ b/tests/translator/input/error_http_api_invalid_auth.yaml @@ -53,6 +53,20 @@ Resources: Authorizer: OAuth2 AuthorizationScopes: "scope" + Function5: + Type: AWS::Serverless::Function + Properties: + Runtime: python3.7 + Handler: index.handler + CodeUri: s3://bucket/key + Events: + Api4: + Type: HttpApi + Properties: + ApiId: !Ref MyApi5 + Auth: + Authorizer: OIDC + MyApi: Type: AWS::Serverless::HttpApi Properties: 
@@ -120,6 +134,28 @@ Resources: audience: - MyApi IdentitySource: "$request.querystring.param" + DefinitionBody: + info: + version: '1.0' + title: + Ref: AWS::StackName + paths: {} + openapi: 3.0.1 + + MyApi5: + Type: AWS::Serverless::HttpApi + Properties: + Auth: + Authorizers: + OIDC: + OpenIdConnectUrl: "https://example.com/url" + AuthorizationScopes: + - scope4 + JwtConfiguration: + issuer: "https://www.example.com/v1/connect/oidc" + audience: + - MyApi + IdentitySource: "$request.querystring.param" DefinitionBody: info: version: '1.0' diff --git a/tests/translator/input/implicit_http_api_auth_and_simple_case.yaml b/tests/translator/input/implicit_http_api_auth_and_simple_case.yaml index ff37c4daab..944e7c8400 100644 --- a/tests/translator/input/implicit_http_api_auth_and_simple_case.yaml +++ b/tests/translator/input/implicit_http_api_auth_and_simple_case.yaml @@ -27,13 +27,6 @@ Resources: Auth: AuthorizationScopes: - scope3 - SomeAuth: - Type: HttpApi - Properties: - Path: /someauth - Method: post - Auth: - Authorizer: OpenIdAuth oauth2Path: Type: HttpApi Properties: @@ -48,16 +41,6 @@ Globals: HttpApi: Auth: Authorizers: - OpenIdAuth: - AuthorizationScopes: - - scope1 - - scope2 - OpenIdConnectUrl: "https://www.example.com/v1/connect" - JwtConfiguration: - issuer: "https://www.example.com/v1/connect/oidc" - audience: - - MyApi - IdentitySource: "$request.querystring.param" oauth2Auth: AuthorizationScopes: - scope4 @@ -66,4 +49,4 @@ Globals: audience: - MyApi IdentitySource: "$request.querystring.param" - DefaultAuthorizer: OpenIdAuth + DefaultAuthorizer: oauth2Auth diff --git a/tests/translator/output/aws-cn/implicit_http_api_auth_and_simple_case.json b/tests/translator/output/aws-cn/implicit_http_api_auth_and_simple_case.json index 48f64be9c1..3a1c35bff3 100644 --- a/tests/translator/output/aws-cn/implicit_http_api_auth_and_simple_case.json +++ b/tests/translator/output/aws-cn/implicit_http_api_auth_and_simple_case.json 
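Review bot: The new MyApi5 fixture pairs `OpenIdConnectUrl` with a complete `JwtConfiguration` and `IdentitySource`, so the expected error only confirms the message text, not that the new OpenIdConnectUrl rejection takes precedence over the constructor's own "must define" checks when those properties are absent. A second authorizer under MyApi5 carrying only `OpenIdConnectUrl: "https://example.com/url"` would pin that ordering and the resulting error count. The `DefinitionBody` added to the preceding API in the same hunk looks like a copy of the other fixtures' bodies; if it is needed for the template to validate, a short YAML comment saying so would save the next reader from wondering whether it belongs to this change.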
@@ -55,7 +55,7 @@ "Arn" ] }, - "Runtime": "nodejs12.x", + "Runtime": "nodejs12.x", "Tags": [ { "Value": "SAM", @@ -95,34 +95,8 @@ "Ref": "AWS::StackName" } }, - "tags": [ - { - "name": "httpapi:createdBy", - "x-amazon-apigateway-tag-value": "SAM" - } - ], "paths": { - "/scope3": { - "post": { - "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", - "uri": { - "Fn::Sub": "arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${RestApiFunction.Arn}/invocations" - }, - "payloadFormatVersion": "1.0" - }, - "security": [ - { - "OpenIdAuth": [ - "scope3" - ] - } - ], - "responses": {} - } - }, - "/someauth": { + "/defaultauth": { "post": { "x-amazon-apigateway-integration": { "httpMethod": "POST", @@ -134,9 +108,8 @@ }, "security": [ { - "OpenIdAuth": [ - "scope1", - "scope2" + "oauth2Auth": [ + "scope4" ] } ], @@ -176,9 +149,8 @@ "isDefaultRoute": true, "security": [ { - "OpenIdAuth": [ - "scope1", - "scope2" + "oauth2Auth": [ + "scope4" ] } ], @@ -203,7 +175,7 @@ "responses": {} } }, - "/defaultauth": { + "/scope3": { "post": { "x-amazon-apigateway-integration": { "httpMethod": "POST", @@ -215,9 +187,8 @@ }, "security": [ { - "OpenIdAuth": [ - "scope1", - "scope2" + "oauth2Auth": [ + "scope3" ] } ], @@ -225,6 +196,7 @@ } } }, + "openapi": "3.0.1", "components": { "securitySchemes": { "oauth2Auth": { @@ -239,26 +211,17 @@ "issuer": "https://www.example.com/v1/connect/oidc" } } - }, - "OpenIdAuth": { - "type": "openIdConnect", - "x-amazon-apigateway-authorizer": { - "identitySource": "$request.querystring.param", - "type": "jwt", - "jwtConfiguration": { - "audience": [ - "MyApi" - ], - "issuer": "https://www.example.com/v1/connect/oidc" - }, - "openIdConnectUrl": "https://www.example.com/v1/connect" - } } } }, - "openapi": "3.0.1" + "tags": [ + { + "name": "httpapi:createdBy", + "x-amazon-apigateway-tag-value": "SAM" + } + ] } } } } -} +} \ No newline at end of file 
diff --git a/tests/translator/output/aws-us-gov/implicit_http_api_auth_and_simple_case.json b/tests/translator/output/aws-us-gov/implicit_http_api_auth_and_simple_case.json index 4e4d6387f8..a89acb6258 100644 --- a/tests/translator/output/aws-us-gov/implicit_http_api_auth_and_simple_case.json +++ b/tests/translator/output/aws-us-gov/implicit_http_api_auth_and_simple_case.json @@ -55,7 +55,7 @@ "Arn" ] }, - "Runtime": "nodejs12.x", + "Runtime": "nodejs12.x", "Tags": [ { "Value": "SAM", @@ -95,34 +95,8 @@ "Ref": "AWS::StackName" } }, - "tags": [ - { - "name": "httpapi:createdBy", - "x-amazon-apigateway-tag-value": "SAM" - } - ], "paths": { - "/scope3": { - "post": { - "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", - "uri": { - "Fn::Sub": "arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${RestApiFunction.Arn}/invocations" - }, - "payloadFormatVersion": "1.0" - }, - "security": [ - { - "OpenIdAuth": [ - "scope3" - ] - } - ], - "responses": {} - } - }, - "/someauth": { + "/defaultauth": { "post": { "x-amazon-apigateway-integration": { "httpMethod": "POST", @@ -134,9 +108,8 @@ }, "security": [ { - "OpenIdAuth": [ - "scope1", - "scope2" + "oauth2Auth": [ + "scope4" ] } ], @@ -176,9 +149,8 @@ "isDefaultRoute": true, "security": [ { - "OpenIdAuth": [ - "scope1", - "scope2" + "oauth2Auth": [ + "scope4" ] } ], @@ -203,7 +175,7 @@ "responses": {} } }, - "/defaultauth": { + "/scope3": { "post": { "x-amazon-apigateway-integration": { "httpMethod": "POST", @@ -215,9 +187,8 @@ }, "security": [ { - "OpenIdAuth": [ - "scope1", - "scope2" + "oauth2Auth": [ + "scope3" ] } ], @@ -225,6 +196,7 @@ } } }, + "openapi": "3.0.1", "components": { "securitySchemes": { "oauth2Auth": { 
@@ -239,26 +211,17 @@ "issuer": "https://www.example.com/v1/connect/oidc" } } - }, - "OpenIdAuth": { - "type": "openIdConnect", - "x-amazon-apigateway-authorizer": { - "identitySource": "$request.querystring.param", - "type": "jwt", - "jwtConfiguration": { - "audience": [ - "MyApi" - ], - "issuer": "https://www.example.com/v1/connect/oidc" - }, - "openIdConnectUrl": "https://www.example.com/v1/connect" - } } } }, - "openapi": "3.0.1" + "tags": [ + { + "name": "httpapi:createdBy", + "x-amazon-apigateway-tag-value": "SAM" + } + ] } } } } -} +} \ No newline at end of file diff --git a/tests/translator/output/error_http_api_invalid_auth.json b/tests/translator/output/error_http_api_invalid_auth.json index ade985d7c1..e5bdcb426d 100644 --- a/tests/translator/output/error_http_api_invalid_auth.json +++ b/tests/translator/output/error_http_api_invalid_auth.json 
@@ -4,5 +4,5 @@ "errorMessage": "Resource with id [Function] is invalid. Event with id [Api] is invalid. Unable to set Authorizer [myAuth] on API method [x-amazon-apigateway-any-method] for path [$default] because the related API does not define any Authorizers. Resource with id [Function2] is invalid. Event with id [Api2] is invalid. Unable to set Authorizer [myAuth] on API method [x-amazon-apigateway-any-method] for path [$default] because it wasn't defined in the API's Authorizers. Resource with id [Function3] is invalid. Event with id [Api3] is invalid. Unable to set Authorizer on API method [x-amazon-apigateway-any-method] for path [$default] because 'NONE' is only a valid value when a DefaultAuthorizer on the API is specified. Resource with id [Function4] is invalid. Event with id [Api4] is invalid. Unable to set Authorizer on API method [x-amazon-apigateway-any-method] for path [$default] because 'AuthorizationScopes' must be a list of strings." } ], - "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 4. Resource with id [Function] is invalid. Event with id [Api] is invalid. Unable to set Authorizer [myAuth] on API method [x-amazon-apigateway-any-method] for path [$default] because the related API does not define any Authorizers. Resource with id [Function2] is invalid. Event with id [Api2] is invalid. Unable to set Authorizer [myAuth] on API method [x-amazon-apigateway-any-method] for path [$default] because it wasn't defined in the API's Authorizers. Resource with id [Function3] is invalid. Event with id [Api3] is invalid. Unable to set Authorizer on API method [x-amazon-apigateway-any-method] for path [$default] because 'NONE' is only a valid value when a DefaultAuthorizer on the API is specified. Resource with id [Function4] is invalid. Event with id [Api4] is invalid. 
Unable to set Authorizer on API method [x-amazon-apigateway-any-method] for path [$default] because 'AuthorizationScopes' must be a list of strings." + "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 5. Resource with id [Function] is invalid. Event with id [Api] is invalid. Unable to set Authorizer [myAuth] on API method [x-amazon-apigateway-any-method] for path [$default] because the related API does not define any Authorizers. Resource with id [Function2] is invalid. Event with id [Api2] is invalid. Unable to set Authorizer [myAuth] on API method [x-amazon-apigateway-any-method] for path [$default] because it wasn't defined in the API's Authorizers. Resource with id [Function3] is invalid. Event with id [Api3] is invalid. Unable to set Authorizer on API method [x-amazon-apigateway-any-method] for path [$default] because 'NONE' is only a valid value when a DefaultAuthorizer on the API is specified. Resource with id [Function4] is invalid. Event with id [Api4] is invalid. Unable to set Authorizer on API method [x-amazon-apigateway-any-method] for path [$default] because 'AuthorizationScopes' must be a list of strings. Resource with id [MyApi5] is invalid. 'OpenIdConnectUrl' is no longer a supported property for authorizer 'OIDC'. Please refer to the AWS SAM documentation." } \ No newline at end of file diff --git a/tests/translator/output/implicit_http_api_auth_and_simple_case.json b/tests/translator/output/implicit_http_api_auth_and_simple_case.json index efcd8d3bbd..ef898940b2 100644 --- a/tests/translator/output/implicit_http_api_auth_and_simple_case.json +++ b/tests/translator/output/implicit_http_api_auth_and_simple_case.json @@ -55,7 +55,7 @@ "Arn" ] }, - "Runtime": "nodejs12.x", + "Runtime": "nodejs12.x", "Tags": [ { "Value": "SAM", 
@@ -95,34 +95,8 @@ "Ref": "AWS::StackName" } }, - "tags": [ - { - "name": "httpapi:createdBy", - "x-amazon-apigateway-tag-value": "SAM" - } - ], "paths": { - "/scope3": { - "post": { - "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", - "uri": { - "Fn::Sub": "arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${RestApiFunction.Arn}/invocations" - }, - "payloadFormatVersion": "1.0" - }, - "security": [ - { - "OpenIdAuth": [ - "scope3" - ] - } - ], - "responses": {} - } - }, - "/someauth": { + "/defaultauth": { "post": { "x-amazon-apigateway-integration": { "httpMethod": "POST", @@ -134,9 +108,8 @@ }, "security": [ { - "OpenIdAuth": [ - "scope1", - "scope2" + "oauth2Auth": [ + "scope4" ] } ], @@ -176,9 +149,8 @@ "isDefaultRoute": true, "security": [ { - "OpenIdAuth": [ - "scope1", - "scope2" + "oauth2Auth": [ + "scope4" ] } ], @@ -203,7 +175,7 @@ "responses": {} } }, - "/defaultauth": { + "/scope3": { "post": { "x-amazon-apigateway-integration": { "httpMethod": "POST", @@ -215,9 +187,8 @@ }, "security": [ { - "OpenIdAuth": [ - "scope1", - "scope2" + "oauth2Auth": [ + "scope3" ] } ], @@ -225,6 +196,7 @@ } } }, + "openapi": "3.0.1", "components": { "securitySchemes": { "oauth2Auth": { @@ -239,26 +211,17 @@ "issuer": "https://www.example.com/v1/connect/oidc" } } - }, - "OpenIdAuth": { - "type": "openIdConnect", - "x-amazon-apigateway-authorizer": { - "identitySource": "$request.querystring.param", - "type": "jwt", - "jwtConfiguration": { - "audience": [ - "MyApi" - ], - "issuer": "https://www.example.com/v1/connect/oidc" - }, - "openIdConnectUrl": "https://www.example.com/v1/connect" - } } } }, - "openapi": "3.0.1" + "tags": [ + { + "name": "httpapi:createdBy", + "x-amazon-apigateway-tag-value": "SAM" + } + ] } } } } -} +} \ No newline at end of file