7 changes: 6 additions & 1 deletion samtranslator/model/api/http_api_generator.py
Expand Up @@ -418,10 +418,15 @@ def _get_authorizers(self, authorizers_config, default_authorizer=None):
self.logical_id, "Authorizer %s must be a dictionary." % (authorizer_name)
)

if "OpenIdConnectUrl" in authorizer:
raise InvalidResourceException(
self.logical_id,
"'OpenIdConnectUrl' is no longer a supported property for authorizer '%s'. Please refer to the AWS SAM documentation."
% (authorizer_name),
)
authorizers[authorizer_name] = ApiGatewayV2Authorizer(
api_logical_id=self.logical_id,
name=authorizer_name,
open_id_connect_url=authorizer.get("OpenIdConnectUrl"),
authorization_scopes=authorizer.get("AuthorizationScopes"),
jwt_configuration=authorizer.get("JwtConfiguration"),
id_source=authorizer.get("IdentitySource"),
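Review bot: Rejecting `OpenIdConnectUrl` outright is the right fail-closed choice — an unsupported auth property that were silently dropped would leave a template author believing OIDC auth is in place — but the message on the new lines gives no replacement, and the same hunk still reads `JwtConfiguration` and `IdentitySource` from the authorizer, so it can name them: `"'OpenIdConnectUrl' is no longer a supported property for authorizer '%s'. Define a JWT authorizer with 'JwtConfiguration' (issuer/audience) and 'IdentitySource' instead; see the AWS SAM documentation."`. A one-line comment above the check, `# Reject rather than ignore: dropping the URL silently would hide that OIDC discovery is not configured`, records why this is an error and not a warning. `_get_authorizers` begins before this hunk and continues after it.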
21 changes: 5 additions & 16 deletions samtranslator/model/apigatewayv2.py
Expand Up @@ -57,33 +57,24 @@ class ApiGatewayV2ApiMapping(Resource):

class ApiGatewayV2Authorizer(object):
def __init__(
self,
api_logical_id=None,
name=None,
open_id_connect_url=None,
authorization_scopes=[],
jwt_configuration={},
id_source=None,
self, api_logical_id=None, name=None, authorization_scopes=[], jwt_configuration={}, id_source=None,
):
"""
Creates an authorizer for use in V2 Http Apis
"""
# OIDC uses a connect url, oauth2 doesn't
self.auth_type = "openIdConnect"
if open_id_connect_url is None:
self.auth_type = "oauth2"
# Currently only one type of auth
self.auth_type = "oauth2"

self.api_logical_id = api_logical_id
self.name = name
self.open_id_connect_url = open_id_connect_url
self.authorization_scopes = authorization_scopes

# Validate necessary parameters exist
if not jwt_configuration:
raise InvalidResourceException(api_logical_id, name + " Authorizer must define 'JwtConfiguration'")
raise InvalidResourceException(api_logical_id, name + " Authorizer must define 'JwtConfiguration'.")
self.jwt_configuration = jwt_configuration
if not id_source:
raise InvalidResourceException(api_logical_id, name + " Authorizer must define 'IdentitySource'")
raise InvalidResourceException(api_logical_id, name + " Authorizer must define 'IdentitySource'.")
self.id_source = id_source

def generate_openapi(self):
Expand All @@ -98,6 +89,4 @@ def generate_openapi(self):
"type": "jwt",
},
}
if self.open_id_connect_url:
openapi["x-amazon-apigateway-authorizer"]["openIdConnectUrl"] = self.open_id_connect_url
return openapi
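Review bot: With `name=None` as the default on the rewritten signature, both new error lines (`name + " Authorizer must define 'JwtConfiguration'."` and its `'IdentitySource'` twin) raise `TypeError` instead of `InvalidResourceException` when the name is omitted, masking the real validation failure; `"%s Authorizer must define 'JwtConfiguration'." % name` (and likewise for `IdentitySource`) keeps the intended exception type. The same signature line keeps the mutable defaults `authorization_scopes=[]` and `jwt_configuration={}`, so any caller that later mutates `self.authorization_scopes` would share one list across authorizers; `None` defaults resolved in the body avoid that. The `if not jwt_configuration` check only proves the dict is non-empty — the fixtures in this PR always carry `issuer` and `audience`, and if those are required for a JWT authorizer, checking for the keys here would surface a misconfiguration at translate time rather than at deployment, though the diff does not show what the service itself rejects. `generate_openapi`'s body begins before the second hunk.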
10 changes: 0 additions & 10 deletions tests/model/test_api_v2.py
Expand Up @@ -15,16 +15,6 @@ def test_create_oauth2_auth(self):
)
self.assertEquals(auth.auth_type, "oauth2")

def test_create_oidc_auth(self):
auth = ApiGatewayV2Authorizer(
api_logical_id="logicalId",
name="authName",
open_id_connect_url="https://example.com",
jwt_configuration={"config": "value"},
id_source="https://example.com",
)
self.assertEquals(auth.auth_type, "openIdConnect")

def test_create_authorizer_no_id_source(self):
with pytest.raises(InvalidResourceException):
auth = ApiGatewayV2Authorizer(
1 change: 0 additions & 1 deletion tests/openapi/test_openapi.py
Expand Up @@ -353,7 +353,6 @@ def test_must_fail_for_invalid_values(self, data, case):
self.assertFalse(OpenApiEditor.is_valid(data), "openapi dictionary with {} must not be valid".format(case))


# TODO this needs to be updated with OIDC auth - authorization scopes and anything else that needs testing the swagger
class TestOpenApiEditor_add_auth(TestCase):
def setUp(self):

36 changes: 36 additions & 0 deletions tests/translator/input/error_http_api_invalid_auth.yaml
Expand Up @@ -53,6 +53,20 @@ Resources:
Authorizer: OAuth2
AuthorizationScopes: "scope"

Function5:
Type: AWS::Serverless::Function
Properties:
Runtime: python3.7
Handler: index.handler
CodeUri: s3://bucket/key
Events:
Api4:
Type: HttpApi
Properties:
ApiId: !Ref MyApi5
Auth:
Authorizer: OIDC

MyApi:
Type: AWS::Serverless::HttpApi
Properties:
Expand Down Expand Up @@ -120,6 +134,28 @@ Resources:
audience:
- MyApi
IdentitySource: "$request.querystring.param"
DefinitionBody:
info:
version: '1.0'
title:
Ref: AWS::StackName
paths: {}
openapi: 3.0.1

MyApi5:
Type: AWS::Serverless::HttpApi
Properties:
Auth:
Authorizers:
OIDC:
OpenIdConnectUrl: "https://example.com/url"
AuthorizationScopes:
- scope4
JwtConfiguration:
issuer: "https://www.example.com/v1/connect/oidc"
audience:
- MyApi
IdentitySource: "$request.querystring.param"
DefinitionBody:
info:
version: '1.0'
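Review bot: The new `MyApi5` case pairs `OpenIdConnectUrl` with an otherwise valid JWT authorizer, which is the right shape for proving the URL alone is rejected; but this fixture bundles several invalid authorizers, and the expected-error output that would assert the new `'OpenIdConnectUrl' is no longer a supported property` message is not in the visible diff, so it is unclear whether that message is actually checked rather than an earlier case's error. If only the first error is reported, a dedicated fixture or a unit test that calls `_get_authorizers` with an `OpenIdConnectUrl` authorizer would pin the message. The event under `Function5` is also named `Api4`, presumably copied from an earlier function; `Api5` keeps the fixture readable.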
Expand Up @@ -27,13 +27,6 @@ Resources:
Auth:
AuthorizationScopes:
- scope3
SomeAuth:
Type: HttpApi
Properties:
Path: /someauth
Method: post
Auth:
Authorizer: OpenIdAuth
oauth2Path:
Type: HttpApi
Properties:
Expand All @@ -48,16 +41,6 @@ Globals:
HttpApi:
Auth:
Authorizers:
OpenIdAuth:
AuthorizationScopes:
- scope1
- scope2
OpenIdConnectUrl: "https://www.example.com/v1/connect"
JwtConfiguration:
issuer: "https://www.example.com/v1/connect/oidc"
audience:
- MyApi
IdentitySource: "$request.querystring.param"
oauth2Auth:
AuthorizationScopes:
- scope4
Expand All @@ -66,4 +49,4 @@ Globals:
audience:
- MyApi
IdentitySource: "$request.querystring.param"
DefaultAuthorizer: OpenIdAuth
DefaultAuthorizer: oauth2Auth
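Review bot: With `DefaultAuthorizer` switched to `oauth2Auth` and the `/someauth` route (the one that named its authorizer explicitly) removed, every remaining route in this fixture appears to resolve to the default authorizer, so the path where a route's `Authorizer` differs from the default is no longer exercised here — the `oauth2Path` event's properties are cut off in this view, so this is inferred. Keeping a second OAuth2 authorizer (e.g. `oauth2AuthAlt` with different scopes) and pointing one route at it explicitly would preserve that coverage without the removed OIDC definition.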
Expand Up @@ -55,7 +55,7 @@
"Arn"
]
},
"Runtime": "nodejs12.x",
"Runtime": "nodejs12.x",
"Tags": [
{
"Value": "SAM",
Expand Down Expand Up @@ -95,34 +95,8 @@
"Ref": "AWS::StackName"
}
},
"tags": [
{
"name": "httpapi:createdBy",
"x-amazon-apigateway-tag-value": "SAM"
}
],
"paths": {
"/scope3": {
"post": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${RestApiFunction.Arn}/invocations"
},
"payloadFormatVersion": "1.0"
},
"security": [
{
"OpenIdAuth": [
"scope3"
]
}
],
"responses": {}
}
},
"/someauth": {
"/defaultauth": {
"post": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
Expand All @@ -134,9 +108,8 @@
},
"security": [
{
"OpenIdAuth": [
"scope1",
"scope2"
"oauth2Auth": [
"scope4"
]
}
],
Expand Down Expand Up @@ -176,9 +149,8 @@
"isDefaultRoute": true,
"security": [
{
"OpenIdAuth": [
"scope1",
"scope2"
"oauth2Auth": [
"scope4"
]
}
],
Expand All @@ -203,7 +175,7 @@
"responses": {}
}
},
"/defaultauth": {
"/scope3": {
"post": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
Expand All @@ -215,16 +187,16 @@
},
"security": [
{
"OpenIdAuth": [
"scope1",
"scope2"
"oauth2Auth": [
"scope3"
]
}
],
"responses": {}
}
}
},
"openapi": "3.0.1",
"components": {
"securitySchemes": {
"oauth2Auth": {
Expand All @@ -239,26 +211,17 @@
"issuer": "https://www.example.com/v1/connect/oidc"
}
}
},
"OpenIdAuth": {
"type": "openIdConnect",
"x-amazon-apigateway-authorizer": {
"identitySource": "$request.querystring.param",
"type": "jwt",
"jwtConfiguration": {
"audience": [
"MyApi"
],
"issuer": "https://www.example.com/v1/connect/oidc"
},
"openIdConnectUrl": "https://www.example.com/v1/connect"
}
}
}
},
"openapi": "3.0.1"
"tags": [
{
"name": "httpapi:createdBy",
"x-amazon-apigateway-tag-value": "SAM"
}
]
}
}
}
}
}
}