Add ApiKey Auth support #943
0a08669 to
a751d75
Compare
Please try to maintain the Swagger integrity as SAM will create an APIGW Deployment when it detects Swagger has changed and we strongly try not to do an APIGW Deployment unless the user actually made a change to their API.
8d692a1 to
0ff2b41
Compare
@brettstack Let me know if there's anything else you'd like me to address.
Codecov Report
@@ Coverage Diff @@
## develop #943 +/- ##
==========================================
+ Coverage 94.71% 94.8% +0.09%
==========================================
Files 69 69
Lines 3160 3234 +74
Branches 606 629 +23
==========================================
+ Hits 2993 3066 +73
- Misses 85 87 +2
+ Partials 82 81 -1
|
|
||
| apikey_required_setting = self.Auth.get('ApiKeyRequired') | ||
| apikey_required_setting_is_false = apikey_required_setting is not None and not apikey_required_setting | ||
| if apikey_required_setting_is_false and not api_auth.get('ApiKeyRequired'): |
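Review bot: On the `apikey_required_setting_is_false` line, `is not None and not apikey_required_setting` treats every falsy non-None value (0, an empty string, an empty list) as an explicit `ApiKeyRequired: false`, and `not api_auth.get('ApiKeyRequired')` has the same looseness on the API side. Consider comparing with `is False` and rejecting non-boolean values before this check, so a malformed setting cannot silently be read as switching the key requirement off.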
Throwing an exception here is not required, as this would be a no-op on api gw.
Like the Authorizers implementation, I am storing the explicit ApiKeyRequired: False for a function in the security block for that function as api_key_false.
"security": { "api_key_false": [] }
This security option gets cleaned up by the swagger.set_path_default_apikey_required method, however, this is only called when there is a default ApiKeyRequired setting on the Serverless API. If there is no default setting (or no explicit Serverless API) then we never loop back and clean up the api_key_false security setting.
I assumed we didn't want to spit out this security setting, however, I'll defer to your judgement. I'm also open to other ideas on this.
| self._set_default_apikey_required(swagger_editor) | ||
|
|
||
| # Assign the Swagger back to template | ||
| self.definition_body = swagger_editor.swagger |
Could you please rebase and add/update a test to ensure this works with openapi 3 as well.
@praneetap, I have rebased. I am happy to add a test for openapi 3. Can you provide a little direction on that? Are there other tests I can refer to as an example?
@praneetap, I've added a couple of openapi3 translator tests. Please let me know if there's anything else you'd like to see on this.
New Test:
- api_with_apikey_required_openapi_3
Updated Tests:
- api_with_auth_all_maximum_openapi_3
- api_with_auth_all_maximum
- Implement new translator tests
- Add swagger.py unit tests
- Update documentation
- refactor Auth handling in swagger.py
0ff2b41 to
f8ed469
Compare
…ed just at a Function level, we need to ensure the OpenApi Auth post processing happens even if the API has no explicit Auth Settings
922b0dc to
36cf808
Compare
@praneetap I have addressed your PR comments, this is ready for review again.
| rest_api.BodyS3Location = self._construct_body_s3_dict() | ||
| elif self.definition_body: | ||
| # # Post Process OpenApi Auth Settings | ||
| self.definition_body = self._openapi_auth_postprocess(self.definition_body) |
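Review bot: The `# # Post Process OpenApi Auth Settings` comment has a doubled `#`, and since `_openapi_auth_postprocess` is called only in the `elif self.definition_body:` branch, a definition that takes the `BodyS3Location` branch above it is not post-processed. Please tidy the comment and say there (or in the documentation) that function-level auth settings are applied only to an inline definition body, so the setting is not assumed to take effect on the S3 path.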
@praneetap In order to support the ApiKeyRequired setting at the Function level (without requiring an explicit setting on the API), I had to move the _openapi_auth_postprocess method call up a level to ensure it was called on every template regardless of if there's an explicit API Auth setting. If you have another suggestion I'm happy to change.
Is there an ETA when these changes are getting merged to master?
@emonhaider We are working on the v1.14.0 release now. We can't give exact dates, but it's coming soon.
Issue #, if available:
Fixes #867
Description of changes:
Update the Auth property to include a new sub-property ApiKeyRequired: <boolean>. This will be supported on both the Api Auth Method and the Function Auth Method. The function level specification will override the API level.
For example:
This is roughly based upon #444. It implements part of #547.
In implementing this change, I refactored the support for the Authorizers in the swagger.py file.
By doing this, it changed the order in which some of the generated swagger properties are translated and thereby required updates to the following translator test output files:
- tests/translator/output/api_with_aws_iam_auth_overrides.json
- tests/translator/output/api_with_default_aws_iam_auth.json
Description of how you validated changes:
Added additional translator tests:
Updated existing translator tests:
Checklist:
- make pr passes
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
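The override rule in the description above (function level wins over API level) and the leftover api_key_false marker raised in the review thread can be modelled together. This is an added example, not code from this pull request or from SAM: the function names and the `api_key` scheme name are assumptions, only `ApiKeyRequired` and `api_key_false` come from the thread, and `security` is written as a list of requirement objects as in the Swagger specification.

```python
import copy

API_KEY = "api_key"              # assumed name of the apiKey security scheme
API_KEY_FALSE = "api_key_false"  # marker quoted in the thread for an explicit False


def mark_method(method, api_key_required):
    """Record a function-level ApiKeyRequired (True, False or None) on one method."""
    if api_key_required is None:
        return  # no function-level setting; the API-level default decides later
    if not isinstance(api_key_required, bool):
        raise ValueError("ApiKeyRequired must be a boolean")
    marker = API_KEY if api_key_required else API_KEY_FALSE
    method.setdefault("security", []).append({marker: []})


def postprocess(swagger, default_required=None):
    """Apply the API-level default, then strip the marker, on every template."""
    out = copy.deepcopy(swagger)
    for methods in out.get("paths", {}).values():
        for method in methods.values():
            if not isinstance(method, dict):
                continue  # e.g. a path-level "parameters" list
            security = method.get("security", [])
            names = {name for req in security for name in req}
            explicit = API_KEY in names or API_KEY_FALSE in names
            if not explicit and default_required:
                security = security + [{API_KEY: []}]
            # The marker is internal bookkeeping and must never be emitted,
            # whether or not an API-level default exists.
            security = [req for req in security if API_KEY_FALSE not in req]
            if security:
                method["security"] = security
            else:
                method.pop("security", None)
    return out


def build_sample():
    """Constructed input: one method per function-level setting."""
    paths = {"/open": {"get": {}}, "/locked": {"get": {}}, "/inherit": {"get": {}}}
    mark_method(paths["/open"]["get"], False)
    mark_method(paths["/locked"]["get"], True)
    mark_method(paths["/inherit"]["get"], None)
    return {"swagger": "2.0", "paths": paths}
```

Because the cleanup runs unconditionally, the marker disappears both with and without an API-level default, which is the case the thread identifies as leaking it.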