From e8727798133038316bb89cb3a1f7e17357ca56fa Mon Sep 17 00:00:00 2001 From: Luca Pizzini Date: Tue, 7 Nov 2023 12:41:38 +0100 Subject: [PATCH 1/3] fix(apigateway): lambda authorizer does not enforce default cache TTL --- .../RequestAuthorizerInteg.template.json | 2 ++ .../TokenAuthorizerIAMRoleInteg.template.json | 1 + .../TokenAuthorizerInteg.template.json | 1 + .../aws-apigateway/lib/authorizers/lambda.ts | 6 ++-- .../test/authorizers/lambda.test.ts | 29 +++++++++++++++++++ 5 files changed, 36 insertions(+), 3 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.template.json index 02889e28f9e3f..a50ec1d9efe5b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.template.json @@ -306,6 +306,7 @@ "MyAuthorizer6575980E": { "Type": "AWS::ApiGateway::Authorizer", "Properties": { + "AuthorizerResultTtlInSeconds": 300, "AuthorizerUri": { "Fn::Join": [ "", @@ -366,6 +367,7 @@ "MySecondAuthorizer25A69B96": { "Type": "AWS::ApiGateway::Authorizer", "Properties": { + "AuthorizerResultTtlInSeconds": 300, "AuthorizerUri": { "Fn::Join": [ "", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.template.json index a322307f6a209..7f4a05a6b5f50 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.template.json @@ -79,6 +79,7 @@ "Arn" ] }, + "AuthorizerResultTtlInSeconds": 300, "AuthorizerUri": { "Fn::Join": [ "", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json index 744f4c84c38d9..953c66adfed71 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json @@ -96,6 +96,7 @@ "MyAuthorizer6575980E": { "Type": "AWS::ApiGateway::Authorizer", "Properties": { + "AuthorizerResultTtlInSeconds": 300, "AuthorizerUri": { "Fn::Join": [ "", diff --git a/packages/aws-cdk-lib/aws-apigateway/lib/authorizers/lambda.ts b/packages/aws-cdk-lib/aws-apigateway/lib/authorizers/lambda.ts index b321a2d355fca..9dd846fa8da1d 100644 --- a/packages/aws-cdk-lib/aws-apigateway/lib/authorizers/lambda.ts +++ b/packages/aws-cdk-lib/aws-apigateway/lib/authorizers/lambda.ts @@ -32,7 +32,7 @@ export interface LambdaAuthorizerProps { * How long APIGateway should cache the results. Max 1 hour. * Disable caching by setting this to 0. * - * @default Duration.minutes(5) + * @default - Duration.minutes(5) */ readonly resultsCacheTtl?: Duration; 
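Review bot: The doc comment on `resultsCacheTtl` says how to disable caching but not what a cached result means for access control, which matters more now that the 5-minute default is written into every synthesized authorizer. Consider adding a sentence next to "Disable caching by setting this to 0", such as `While a result is cached, API Gateway reuses the authorizer's policy without invoking the Lambda, so a revoked or changed credential can remain accepted until the TTL expires.` The `LambdaAuthorizerProps` interface starts and continues outside this hunk.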
@@ -215,7 +215,7 @@ export class TokenAuthorizer extends LambdaAuthorizer { type: 'TOKEN', authorizerUri: lambdaAuthorizerArn(props.handler), authorizerCredentials: props.assumeRole?.roleArn, - authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(), + authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds() ?? Duration.minutes(5).toSeconds(), identitySource: props.identitySource || 'method.request.header.Authorization', identityValidationExpression: props.validationRegex, }; @@ -284,7 +284,7 @@ export class RequestAuthorizer extends LambdaAuthorizer { type: 'REQUEST', authorizerUri: lambdaAuthorizerArn(props.handler), authorizerCredentials: props.assumeRole?.roleArn, - authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(), + authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds() ?? Duration.minutes(5).toSeconds(), identitySource: props.identitySources.map(is => is.toString()).join(','), }; diff --git a/packages/aws-cdk-lib/aws-apigateway/test/authorizers/lambda.test.ts b/packages/aws-cdk-lib/aws-apigateway/test/authorizers/lambda.test.ts index 0dcfbd2c269d7..a7101d05ce35f 100644 --- a/packages/aws-cdk-lib/aws-apigateway/test/authorizers/lambda.test.ts +++ b/packages/aws-cdk-lib/aws-apigateway/test/authorizers/lambda.test.ts @@ -28,6 +28,7 @@ describe('lambda authorizer', () => { Type: 'TOKEN', RestApiId: stack.resolve(restApi.restApiId), IdentitySource: 'method.request.header.Authorization', + AuthorizerResultTtlInSeconds: 300, AuthorizerUri: { 'Fn::Join': [ '', @@ -102,6 +103,7 @@ describe('lambda authorizer', () => { Template.fromStack(stack).hasResourceProperties('AWS::ApiGateway::Authorizer', { Type: 'REQUEST', RestApiId: stack.resolve(restApi.restApiId), + AuthorizerResultTtlInSeconds: 0, AuthorizerUri: { 'Fn::Join': [ '', 
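Review bot: The fallback `Duration.minutes(5).toSeconds()` is written inline here and again in the `RequestAuthorizer` hunk that follows, while the documented default sits in a third place, the `@default` tag on `resultsCacheTtl`. A single shared constant, for example `const DEFAULT_RESULTS_CACHE_TTL = Duration.minutes(5);`, would keep the three from drifting apart. Separately, this changes the synthesized template for every existing authorizer that did not set `resultsCacheTtl`: the snapshots in this patch show `AuthorizerResultTtlInSeconds: 300` where the property was previously absent. If deployed APIs were in practice running uncached, as the commit title suggests, authorization decisions will start being reused for five minutes after upgrade, which deserves an explicit mention in the change description. The enclosing method body starts and ends outside the hunk.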
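Review bot: With the TTL now always emitted as non-zero by default, the `identitySource` value on the following line is the cache key for REQUEST authorizers, and `props.identitySources.map(is => is.toString()).join(',')` yields an empty string for an empty array. Any guard against that combination lies outside this hunk; if one exists, it should treat an unset `resultsCacheTtl` as caching enabled, consistent with the new fallback. A brief comment on the TTL line, e.g. `// unset means cached for 5 minutes, keyed on identitySource`, would make that coupling visible to the next reader.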
@@ -153,6 +155,33 @@ describe('lambda authorizer', () => { }); + test('request authorizer with default cache TTL', () => { + const stack = new Stack(); + + const func = new lambda.Function(stack, 'myfunction', { + handler: 'handler', + code: lambda.Code.fromInline('foo'), + runtime: lambda.Runtime.NODEJS_LATEST, + }); + + const auth = new RequestAuthorizer(stack, 'myauthorizer', { + handler: func, + identitySources: [IdentitySource.header('whoami')], + }); + + const restApi = new RestApi(stack, 'myrestapi'); + restApi.root.addMethod('ANY', undefined, { + authorizer: auth, + authorizationType: AuthorizationType.CUSTOM, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::ApiGateway::Authorizer', { + Type: 'REQUEST', + RestApiId: stack.resolve(restApi.restApiId), + AuthorizerResultTtlInSeconds: 300, + }); + }); + test('invalid request authorizer config', () => { const stack = new Stack(); From 2b5c50aa425c635e585127090e7e5984450910a6 Mon Sep 17 00:00:00 2001 From: Luca Pizzini Date: Tue, 7 Nov 2023 14:49:53 +0100 Subject: [PATCH 2/3] updated integration test --- .../TokenAuthorizerInteg.template.json | 2 +- .../aws-apigateway/test/authorizers/integ.token-authorizer.ts | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json index 953c66adfed71..ff9093ab12c74 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json 
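Review bot: The new test pins the 300-second fallback for a REQUEST authorizer, but nothing added in this patch asserts that an explicit zero TTL on a `TokenAuthorizer` still synthesizes `AuthorizerResultTtlInSeconds: 0`. That is the path where a later edit from `??` to `||` would silently turn caching back on, so a companion test for the TOKEN type is worth adding unless one already exists outside the visible hunks. The sketch below mirrors the setup of the test added here; it assumes `TokenAuthorizer` and `Duration` are already imported in this test file, which the hunks do not show.

```typescript
test('token authorizer with caching disabled', () => {
  const stack = new Stack();

  const func = new lambda.Function(stack, 'myfunction', {
    handler: 'handler',
    code: lambda.Code.fromInline('foo'),
    runtime: lambda.Runtime.NODEJS_LATEST,
  });

  const auth = new TokenAuthorizer(stack, 'myauthorizer', {
    handler: func,
    resultsCacheTtl: Duration.seconds(0),
  });

  const restApi = new RestApi(stack, 'myrestapi');
  restApi.root.addMethod('ANY', undefined, {
    authorizer: auth,
    authorizationType: AuthorizationType.CUSTOM,
  });

  // An explicit 0 must survive the `??` fallback and keep caching off.
  Template.fromStack(stack).hasResourceProperties('AWS::ApiGateway::Authorizer', {
    Type: 'TOKEN',
    AuthorizerResultTtlInSeconds: 0,
  });
});
```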
@@ -96,7 +96,7 @@ "MyAuthorizer6575980E": { "Type": "AWS::ApiGateway::Authorizer", "Properties": { - "AuthorizerResultTtlInSeconds": 300, + "AuthorizerResultTtlInSeconds": 600, "AuthorizerUri": { "Fn::Join": [ "", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.ts index ed4485d01c3d7..5af2a84aa3b3f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.ts @@ -16,6 +16,7 @@ const authorizerFn = new lambda.Function(stack, 'MyAuthorizerFunction', { const authorizer = new TokenAuthorizer(stack, 'MyAuthorizer', { handler: authorizerFn, + resultsCacheTtl: Duration.minutes(10), }); const restapi = new RestApi(stack, 'MyRestApi', { From bdc9a327ffb243da309790c79f3200775e9b784f Mon Sep 17 00:00:00 2001 From: Luca Pizzini Date: Tue, 7 Nov 2023 15:52:26 +0100 Subject: [PATCH 3/3] updated integration test --- .../RequestAuthorizerInteg.template.json | 4 ++-- .../TokenAuthorizerIAMRoleInteg.template.json | 4 ++-- .../TokenAuthorizerInteg.template.json | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.template.json index a50ec1d9efe5b..6be55d804daf2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.template.json 
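Review bot: The added `resultsCacheTtl: Duration.minutes(10)` in `integ.token-authorizer.ts` carries no comment explaining why this integration test departs from the default, and the import for `Duration` is not part of the hunk. The diffstat lists a single inserted line for this file, so `Duration` has to be in scope already; worth confirming. If the intent is to show that a user-supplied value overrides the fallback, a comment such as `// non-default TTL: checks that an explicit value overrides the 300s fallback` would record it. The default path for TOKEN authorizers is then exercised only by the IAM-role integ snapshot, which still shows 300.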
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.template.json @@ -188,7 +188,7 @@ "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, - "MyRestApiDeploymentB555B582d83364d66d67f510f848797cd89349d5": { + "MyRestApiDeploymentB555B58276a4103e7ef38befb395a9ace5fdce44": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "Description": "Automatically created by the RestApi construct", @@ -208,7 +208,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyRestApiDeploymentB555B582d83364d66d67f510f848797cd89349d5" + "Ref": "MyRestApiDeploymentB555B58276a4103e7ef38befb395a9ace5fdce44" }, "RestApiId": { "Ref": "MyRestApi2D1F47A9" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.template.json index 7f4a05a6b5f50..257b04b3ec628 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.template.json @@ -234,7 +234,7 @@ "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, - "MyRestApiDeploymentB555B582694e8eb3fdb7b5f988ba347d35601979": { + "MyRestApiDeploymentB555B58259401a546b13c99de2d05e5e255a9ede": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "Description": "Automatically created by the RestApi construct", 
@@ -252,7 +252,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyRestApiDeploymentB555B582694e8eb3fdb7b5f988ba347d35601979" + "Ref": "MyRestApiDeploymentB555B58259401a546b13c99de2d05e5e255a9ede" }, "RestApiId": { "Ref": "MyRestApi2D1F47A9" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json index ff9093ab12c74..e6f4b6c6361a4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json @@ -209,7 +209,7 @@ "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, - "MyRestApiDeploymentB555B582e0e53f2547b469b538202de55968eaf0": { + "MyRestApiDeploymentB555B5827a9cde8f137f97e5aa74fca164d09d74": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "Description": "Automatically created by the RestApi construct", @@ -227,7 +227,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyRestApiDeploymentB555B582e0e53f2547b469b538202de55968eaf0" + "Ref": "MyRestApiDeploymentB555B5827a9cde8f137f97e5aa74fca164d09d74" }, "RestApiId": { "Ref": "MyRestApi2D1F47A9"