Merge pull request #2757 from jrbeilke/feature-apigw-authorizers

Feature: add support for API Gateway authorizers
2020-02-18 18:52:58 -06:00 · 2020-02-18 18:52:58 -06:00 · ec3f6bbc6c
commit ec3f6bbc6c
parent 3f8ea90475 40208363be
5 changed files with 465 additions and 1 deletions
--- a/moto/apigateway/exceptions.py
+++ b/moto/apigateway/exceptions.py
@ -85,6 +85,15 @@ class NoMethodDefined(BadRequestException):
        )


+class AuthorizerNotFoundException(RESTError):
+    code = 404
+
+    def __init__(self):
+        super(AuthorizerNotFoundException, self).__init__(
+            "NotFoundException", "Invalid Authorizer identifier specified"
+        )
+
+
 class StageNotFoundException(RESTError):
    code = 404

--- a/moto/apigateway/models.py
+++ b/moto/apigateway/models.py
@ -28,6 +28,7 @@ from .exceptions import (
    InvalidHttpEndpoint,
    InvalidResourcePathException,
    InvalidRequestInput,
+    AuthorizerNotFoundException,
    StageNotFoundException,
    RoleNotSpecified,
    NoIntegrationDefined,
@ -187,6 +188,54 @@ class Resource(BaseModel):
        return self.resource_methods[method_type].pop("methodIntegration")


+class Authorizer(BaseModel, dict):
+    def __init__(self, id, name, authorizer_type, **kwargs):
+        super(Authorizer, self).__init__()
+        self["id"] = id
+        self["name"] = name
+        self["type"] = authorizer_type
+        if kwargs.get("provider_arns"):
+            self["providerARNs"] = kwargs.get("provider_arns")
+        if kwargs.get("auth_type"):
+            self["authType"] = kwargs.get("auth_type")
+        if kwargs.get("authorizer_uri"):
+            self["authorizerUri"] = kwargs.get("authorizer_uri")
+        if kwargs.get("authorizer_credentials"):
+            self["authorizerCredentials"] = kwargs.get("authorizer_credentials")
+        if kwargs.get("identity_source"):
+            self["identitySource"] = kwargs.get("identity_source")
+        if kwargs.get("identity_validation_expression"):
+            self["identityValidationExpression"] = kwargs.get(
+                "identity_validation_expression"
+            )
+        self["authorizerResultTtlInSeconds"] = kwargs.get("authorizer_result_ttl")
+
+    def apply_operations(self, patch_operations):
+        for op in patch_operations:
+            if "/authorizerUri" in op["path"]:
+                self["authorizerUri"] = op["value"]
+            elif "/authorizerCredentials" in op["path"]:
+                self["authorizerCredentials"] = op["value"]
+            elif "/authorizerResultTtlInSeconds" in op["path"]:
+                self["authorizerResultTtlInSeconds"] = int(op["value"])
+            elif "/authType" in op["path"]:
+                self["authType"] = op["value"]
+            elif "/identitySource" in op["path"]:
+                self["identitySource"] = op["value"]
+            elif "/identityValidationExpression" in op["path"]:
+                self["identityValidationExpression"] = op["value"]
+            elif "/name" in op["path"]:
+                self["name"] = op["value"]
+            elif "/providerARNs" in op["path"]:
+                # TODO: add and remove
+                raise Exception('Patch operation for "%s" not implemented' % op["path"])
+            elif "/type" in op["path"]:
+                self["type"] = op["value"]
+            else:
+                raise Exception('Patch operation "%s" not implemented' % op["op"])
+        return self
+
+
 class Stage(BaseModel, dict):
    def __init__(
        self,
@ -412,6 +461,7 @@ class RestAPI(BaseModel):
        self.tags = kwargs.get("tags") or {}

        self.deployments = {}
+        self.authorizers = {}
        self.stages = {}

        self.resources = {}
@ -479,6 +529,34 @@ class RestAPI(BaseModel):
                ),
            )

+    def create_authorizer(
+        self,
+        id,
+        name,
+        authorizer_type,
+        provider_arns=None,
+        auth_type=None,
+        authorizer_uri=None,
+        authorizer_credentials=None,
+        identity_source=None,
+        identiy_validation_expression=None,
+        authorizer_result_ttl=None,
+    ):
+        authorizer = Authorizer(
+            id=id,
+            name=name,
+            authorizer_type=authorizer_type,
+            provider_arns=provider_arns,
+            auth_type=auth_type,
+            authorizer_uri=authorizer_uri,
+            authorizer_credentials=authorizer_credentials,
+            identity_source=identity_source,
+            identiy_validation_expression=identiy_validation_expression,
+            authorizer_result_ttl=authorizer_result_ttl,
+        )
+        self.authorizers[id] = authorizer
+        return authorizer
+
    def create_stage(
        self,
        name,
@ -518,6 +596,9 @@ class RestAPI(BaseModel):
    def get_deployment(self, deployment_id):
        return self.deployments[deployment_id]

+    def get_authorizers(self):
+        return list(self.authorizers.values())
+
    def get_stages(self):
        return list(self.stages.values())

@ -613,6 +694,46 @@ class APIGatewayBackend(BaseBackend):
        )
        return method

+    def get_authorizer(self, restapi_id, authorizer_id):
+        api = self.get_rest_api(restapi_id)
+        authorizer = api.authorizers.get(authorizer_id)
+        if authorizer is None:
+            raise AuthorizerNotFoundException()
+        else:
+            return authorizer
+
+    def get_authorizers(self, restapi_id):
+        api = self.get_rest_api(restapi_id)
+        return api.get_authorizers()
+
+    def create_authorizer(self, restapi_id, name, authorizer_type, **kwargs):
+        api = self.get_rest_api(restapi_id)
+        authorizer_id = create_id()
+        authorizer = api.create_authorizer(
+            authorizer_id,
+            name,
+            authorizer_type,
+            provider_arns=kwargs.get("provider_arns"),
+            auth_type=kwargs.get("auth_type"),
+            authorizer_uri=kwargs.get("authorizer_uri"),
+            authorizer_credentials=kwargs.get("authorizer_credentials"),
+            identity_source=kwargs.get("identity_source"),
+            identiy_validation_expression=kwargs.get("identiy_validation_expression"),
+            authorizer_result_ttl=kwargs.get("authorizer_result_ttl"),
+        )
+        return api.authorizers.get(authorizer["id"])
+
+    def update_authorizer(self, restapi_id, authorizer_id, patch_operations):
+        authorizer = self.get_authorizer(restapi_id, authorizer_id)
+        if not authorizer:
+            api = self.get_rest_api(restapi_id)
+            authorizer = api.authorizers[authorizer_id] = Authorizer()
+        return authorizer.apply_operations(patch_operations)
+
+    def delete_authorizer(self, restapi_id, authorizer_id):
+        api = self.get_rest_api(restapi_id)
+        del api.authorizers[authorizer_id]
+
    def get_stage(self, function_id, stage_name):
        api = self.get_rest_api(function_id)
        stage = api.stages.get(stage_name)
--- a/moto/apigateway/responses.py
+++ b/moto/apigateway/responses.py
@ -8,11 +8,13 @@ from .exceptions import (
    ApiKeyNotFoundException,
    BadRequestException,
    CrossAccountNotAllowed,
+    AuthorizerNotFoundException,
    StageNotFoundException,
    ApiKeyAlreadyExists,
 )

 API_KEY_SOURCES = ["AUTHORIZER", "HEADER"]
+AUTHORIZER_TYPES = ["TOKEN", "REQUEST", "COGNITO_USER_POOLS"]
 ENDPOINT_CONFIGURATION_TYPES = ["PRIVATE", "EDGE", "REGIONAL"]


@ -177,6 +179,88 @@ class APIGatewayResponse(BaseResponse):
            )
        return 200, {}, json.dumps(method_response)

+    def restapis_authorizers(self, request, full_url, headers):
+        self.setup_class(request, full_url, headers)
+        url_path_parts = self.path.split("/")
+        restapi_id = url_path_parts[2]
+
+        if self.method == "POST":
+            name = self._get_param("name")
+            authorizer_type = self._get_param("type")
+
+            provider_arns = self._get_param_with_default_value("providerARNs", None)
+            auth_type = self._get_param_with_default_value("authType", None)
+            authorizer_uri = self._get_param_with_default_value("authorizerUri", None)
+            authorizer_credentials = self._get_param_with_default_value(
+                "authorizerCredentials", None
+            )
+            identity_source = self._get_param_with_default_value("identitySource", None)
+            identiy_validation_expression = self._get_param_with_default_value(
+                "identityValidationExpression", None
+            )
+            authorizer_result_ttl = self._get_param_with_default_value(
+                "authorizerResultTtlInSeconds", 300
+            )
+
+            # Param validation
+            if authorizer_type and authorizer_type not in AUTHORIZER_TYPES:
+                return self.error(
+                    "ValidationException",
+                    (
+                        "1 validation error detected: "
+                        "Value '{authorizer_type}' at 'createAuthorizerInput.type' failed "
+                        "to satisfy constraint: Member must satisfy enum value set: "
+                        "[TOKEN, REQUEST, COGNITO_USER_POOLS]"
+                    ).format(authorizer_type=authorizer_type),
+                )
+
+            authorizer_response = self.backend.create_authorizer(
+                restapi_id,
+                name,
+                authorizer_type,
+                provider_arns=provider_arns,
+                auth_type=auth_type,
+                authorizer_uri=authorizer_uri,
+                authorizer_credentials=authorizer_credentials,
+                identity_source=identity_source,
+                identiy_validation_expression=identiy_validation_expression,
+                authorizer_result_ttl=authorizer_result_ttl,
+            )
+        elif self.method == "GET":
+            authorizers = self.backend.get_authorizers(restapi_id)
+            return 200, {}, json.dumps({"item": authorizers})
+
+        return 200, {}, json.dumps(authorizer_response)
+
+    def authorizers(self, request, full_url, headers):
+        self.setup_class(request, full_url, headers)
+        url_path_parts = self.path.split("/")
+        restapi_id = url_path_parts[2]
+        authorizer_id = url_path_parts[4]
+
+        if self.method == "GET":
+            try:
+                authorizer_response = self.backend.get_authorizer(
+                    restapi_id, authorizer_id
+                )
+            except AuthorizerNotFoundException as error:
+                return (
+                    error.code,
+                    {},
+                    '{{"message":"{0}","code":"{1}"}}'.format(
+                        error.message, error.error_type
+                    ),
+                )
+        elif self.method == "PATCH":
+            patch_operations = self._get_param("patchOperations")
+            authorizer_response = self.backend.update_authorizer(
+                restapi_id, authorizer_id, patch_operations
+            )
+        elif self.method == "DELETE":
+            self.backend.delete_authorizer(restapi_id, authorizer_id)
+            return 202, {}, "{}"
+        return 200, {}, json.dumps(authorizer_response)
+
    def restapis_stages(self, request, full_url, headers):
        self.setup_class(request, full_url, headers)
        url_path_parts = self.path.split("/")
--- a/moto/apigateway/urls.py
+++ b/moto/apigateway/urls.py
@ -7,6 +7,8 @@ url_paths = {
    "{0}/restapis$": APIGatewayResponse().restapis,
    "{0}/restapis/(?P<function_id>[^/]+)/?$": APIGatewayResponse().restapis_individual,
    "{0}/restapis/(?P<function_id>[^/]+)/resources$": APIGatewayResponse().resources,
+    "{0}/restapis/(?P<function_id>[^/]+)/authorizers$": APIGatewayResponse().restapis_authorizers,
+    "{0}/restapis/(?P<function_id>[^/]+)/authorizers/(?P<authorizer_id>[^/]+)/?$": APIGatewayResponse().authorizers,
    "{0}/restapis/(?P<function_id>[^/]+)/stages$": APIGatewayResponse().restapis_stages,
    "{0}/restapis/(?P<function_id>[^/]+)/stages/(?P<stage_name>[^/]+)/?$": APIGatewayResponse().stages,
    "{0}/restapis/(?P<function_id>[^/]+)/deployments$": APIGatewayResponse().deployments,