From 6c65d042d74a298e1ee71d4f3b1a67b30458518c Mon Sep 17 00:00:00 2001
From: Lucas <12496191+lucashuy@users.noreply.github.com>
Date: Thu, 8 Jun 2023 11:46:20 -0700
Subject: [PATCH] feat: Terraform Authorizer resource testing (#5270)

* Added authorizer project
* Added project files
* Removed extra print
* Add request based authorizer testing
---
 ...st_start_api_with_terraform_application.py | 42 ++++++
 .../v1-lambda-authorizer/lambda-functions.zip | Bin 0 -> 551 bytes
 .../terraform/v1-lambda-authorizer/main.tf | 139 ++++++++++++++++++
 3 files changed, 181 insertions(+)
 create mode 100644 tests/integration/testdata/start_api/terraform/v1-lambda-authorizer/lambda-functions.zip
 create mode 100644 tests/integration/testdata/start_api/terraform/v1-lambda-authorizer/main.tf

diff --git a/tests/integration/local/start_api/test_start_api_with_terraform_application.py b/tests/integration/local/start_api/test_start_api_with_terraform_application.py
index 9206d8dba2..555413642e 100644
--- a/tests/integration/local/start_api/test_start_api_with_terraform_application.py
+++ b/tests/integration/local/start_api/test_start_api_with_terraform_application.py
@@ -99,6 +99,48 @@ def test_successful_request(self):
 self.assertEqual(response.json(), {"message": "hello world"})


+@skipIf(
+ not CI_OVERRIDE,
+ "Skip Terraform test cases unless running in CI",
+)
+@pytest.mark.flaky(reruns=3)
+class TestStartApiTerraformApplicationV1LambdaAuthorizers(TerraformStartApiIntegrationBase):
+ terraform_application = "v1-lambda-authorizer"
+
+ def setUp(self):
+ self.url = "http://127.0.0.1:{}".format(self.port)
+
+ @parameterized.expand(
+ [
+ ("/hello", {"headers": {"myheader": "123"}}),
+ ("/hello-request", {"headers": {"myheader": "123"}, "params": {"mystring": "456"}}),
+ ("/hello-request-empty", {}),
+ ("/hello-request-empty", {"headers": {"foo": "bar"}}),
+ ]
+ )
+ def test_invoke_authorizer(self, endpoint, parameters):
+ response = requests.get(self.url + endpoint, timeout=300, **parameters)
+
+ self.assertEqual(response.status_code, 200)
+ self.assertEqual(response.json(), {"message": "from authorizer"})
+
+ @parameterized.expand(
+ [
+ ("/hello", {"headers": {"blank": "invalid"}}),
+ ("/hello-request", {"headers": {"blank": "invalid"}, "params": {"blank": "invalid"}}),
+ ]
+ )
+ def test_missing_authorizer_identity_source(self, endpoint, parameters):
+ response = requests.get(self.url + endpoint, timeout=300, **parameters)
+
+ self.assertEqual(response.status_code, 401)
+
+ def test_fails_token_header_validation_authorizer(self):
+ response = requests.get(self.url + "/hello", timeout=300, headers={"myheader": "not valid"})
+
+ self.assertEqual(response.status_code, 401)
+
+
 @skipIf(
 not CI_OVERRIDE,
 "Skip Terraform test cases unless running in CI",
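Review bot: The deny-path tests in `TestStartApiTerraformApplicationV1LambdaAuthorizers` assert only `response.status_code == 401`, and `test_fails_token_header_validation_authorizer` tries a single value (`"not valid"`) that is far from the accepted token. The fixture in this patch sets `identity_validation_expression = "^123$"`, so near-miss values such as `"1234"` or `"0123"` would pin that the anchors are honoured; the test could be parameterized like its neighbours with `@parameterized.expand([("not valid",), ("1234",), ("0123",)])`. In the 401 cases it is also worth adding `self.assertNotIn("from authorizer", response.text)` so the test shows the allow-path payload was not returned. Separately, `@pytest.mark.flaky(reruns=3)` on the class would retry away an intermittent 200 on a request that should be rejected, which is presumably not the kind of flakiness the marker is meant to absorb.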
diff --git a/tests/integration/testdata/start_api/terraform/v1-lambda-authorizer/lambda-functions.zip b/tests/integration/testdata/start_api/terraform/v1-lambda-authorizer/lambda-functions.zip
new file mode 100644
index 0000000000000000000000000000000000000000..36c26446344af50d1215621f24af2bff75856930
GIT binary patch
literal 551
zcmWIWW@Zs#-~d9t+CyOsP@u%jz`)I*z>txcmy(lORIFD}85+XNz((kZ=$e!ogI`e0(%A72s5%DNMly7eVLnpV>iPE@R4oU3# zu^KoQ?CfWD~ErxLp0T@O^Yry3(yF zCr{n`dm?4$t2v=}=Y5O1>-L5}z?+?eUHjgqcwl&gVkf|xkx7IZ5p&3LpqPV!C5<2! X3Go=<&B_MS!U%+sKzawzLIwr^eU{QQ
literal 0
HcmV?d00001
diff --git a/tests/integration/testdata/start_api/terraform/v1-lambda-authorizer/main.tf b/tests/integration/testdata/start_api/terraform/v1-lambda-authorizer/main.tf
new file mode 100644
index 0000000000..b3dcc7b51c
--- /dev/null
+++ b/tests/integration/testdata/start_api/terraform/v1-lambda-authorizer/main.tf
@@ -0,0 +1,139 @@
+provider "aws" {}
+
+resource "aws_api_gateway_authorizer" "header_authorizer" {
+ name = "header_authorizer"
+ rest_api_id = aws_api_gateway_rest_api.api.id
+ authorizer_uri = aws_lambda_function.authorizer.invoke_arn
+ authorizer_credentials = aws_iam_role.invocation_role.arn
+ identity_source = "method.request.header.myheader"
+ identity_validation_expression = "^123$"
+}
+
+resource "aws_api_gateway_authorizer" "request_authorizer" {
+ name = "request_authorizer"
+ rest_api_id = aws_api_gateway_rest_api.api.id
+ authorizer_uri = aws_lambda_function.authorizer.invoke_arn
+ authorizer_credentials = aws_iam_role.invocation_role.arn
+ identity_source = "method.request.header.myheader, method.request.querystring.mystring"
+ type = "REQUEST"
+}
+
+resource "aws_api_gateway_authorizer" "request_authorizer_empty" {
+ name = "request_authorizer"
+ rest_api_id = aws_api_gateway_rest_api.api.id
+ authorizer_uri = aws_lambda_function.authorizer.invoke_arn
+ authorizer_credentials = aws_iam_role.invocation_role.arn
+ identity_source = ""
+ type = "REQUEST"
+}
+
+resource "aws_lambda_function" "authorizer" {
+ filename = "lambda-functions.zip"
+ function_name = "authorizer"
+ role = aws_iam_role.invocation_role.arn
+ handler = "handlers.auth_handler"
+ runtime = "python3.8"
+ source_code_hash = filebase64sha256("lambda-functions.zip")
+}
+
+resource "aws_lambda_function" "hello_endpoint" {
+ filename = "lambda-functions.zip"
+ function_name = "hello_lambda"
+ role = aws_iam_role.invocation_role.arn
+ handler = "handlers.hello_handler"
+ runtime = "python3.8"
+ source_code_hash = filebase64sha256("lambda-functions.zip")
+}
+
+resource "aws_api_gateway_method" "get_hello" {
+ rest_api_id = aws_api_gateway_rest_api.api.id
+ resource_id = aws_api_gateway_resource.hello_resource.id
+ http_method = "GET"
+ authorizer_id = aws_api_gateway_authorizer.header_authorizer.id
+ authorization = "CUSTOM"
+}
+
+resource "aws_api_gateway_method" "get_hello_request" {
+ rest_api_id = aws_api_gateway_rest_api.api.id
+ resource_id = aws_api_gateway_resource.hello_resource_request.id
+ http_method = "GET"
+ authorizer_id = aws_api_gateway_authorizer.request_authorizer.id
+ authorization = "CUSTOM"
+}
+
+resource "aws_api_gateway_method" "get_hello_request_empty" {
+ rest_api_id = aws_api_gateway_rest_api.api.id
+ resource_id = aws_api_gateway_resource.hello_resource_request_empty.id
+ http_method = "GET"
+ authorizer_id = aws_api_gateway_authorizer.request_authorizer_empty.id
+ authorization = "CUSTOM"
+}
+
+resource "aws_api_gateway_resource" "hello_resource" {
+ rest_api_id = aws_api_gateway_rest_api.api.id
+ parent_id = aws_api_gateway_rest_api.api.root_resource_id
+ path_part = "hello"
+}
+
+resource "aws_api_gateway_resource" "hello_resource_request" {
+ rest_api_id = aws_api_gateway_rest_api.api.id
+ parent_id = aws_api_gateway_rest_api.api.root_resource_id
+ path_part = "hello-request"
+}
+
+resource "aws_api_gateway_resource" "hello_resource_request_empty" {
+ rest_api_id = aws_api_gateway_rest_api.api.id
+ parent_id = aws_api_gateway_rest_api.api.root_resource_id
+ path_part = "hello-request-empty"
+}
+
+resource "aws_api_gateway_integration" "MyDemoIntegration" {
+ rest_api_id = aws_api_gateway_rest_api.api.id
+ resource_id = aws_api_gateway_resource.hello_resource.id
+ http_method = aws_api_gateway_method.get_hello.http_method
+ type = "AWS_PROXY"
+ content_handling = "CONVERT_TO_TEXT"
+ uri = aws_lambda_function.hello_endpoint.invoke_arn
+}
+
+resource "aws_api_gateway_integration" "MyDemoIntegrationRequest" {
+ rest_api_id = aws_api_gateway_rest_api.api.id
+ resource_id = aws_api_gateway_resource.hello_resource_request.id
+ http_method = aws_api_gateway_method.get_hello_request.http_method
+ type = "AWS_PROXY"
+ content_handling = "CONVERT_TO_TEXT"
+ uri = aws_lambda_function.hello_endpoint.invoke_arn
+}
+
+resource "aws_api_gateway_integration" "MyDemoIntegrationRequestEmpty" {
+ rest_api_id = aws_api_gateway_rest_api.api.id
+ resource_id = aws_api_gateway_resource.hello_resource_request_empty.id
+ http_method = aws_api_gateway_method.get_hello_request_empty.http_method
+ type = "AWS_PROXY"
+ content_handling = "CONVERT_TO_TEXT"
+ uri = aws_lambda_function.hello_endpoint.invoke_arn
+}
+
+resource "aws_api_gateway_rest_api" "api" {
+ name = "api"
+}
+
+resource "aws_iam_role" "invocation_role" {
+ name = "iam_lambda"
+ path = "/"
+ assume_role_policy = <