feat: Terraform Authorizer resource testing (aws#5270)

* Added authorizer project * Added project files * Removed extra print * Add request based authorizer testing
moelasmar · Jun 8, 2023 · 0b765a3 · 0b765a3
1 parent 7a129df
commit 0b765a3
Show file tree

Hide file tree

Showing 3 changed files with 181 additions and 0 deletions.
diff --git a/tests/integration/local/start_api/test_start_api_with_terraform_application.py b/tests/integration/local/start_api/test_start_api_with_terraform_application.py
@@ -99,6 +99,48 @@ def test_successful_request(self):
         self.assertEqual(response.json(), {"message": "hello world"})
 
 
+@skipIf(
+    not CI_OVERRIDE,
+    "Skip Terraform test cases unless running in CI",
+)
+@pytest.mark.flaky(reruns=3)
+class TestStartApiTerraformApplicationV1LambdaAuthorizers(TerraformStartApiIntegrationBase):
+    terraform_application = "v1-lambda-authorizer"
+
+    def setUp(self):
+        self.url = "http://127.0.0.1:{}".format(self.port)
+
+    @parameterized.expand(
+        [
+            ("/hello", {"headers": {"myheader": "123"}}),
+            ("/hello-request", {"headers": {"myheader": "123"}, "params": {"mystring": "456"}}),
+            ("/hello-request-empty", {}),
+            ("/hello-request-empty", {"headers": {"foo": "bar"}}),
+        ]
+    )
+    def test_invoke_authorizer(self, endpoint, parameters):
+        response = requests.get(self.url + endpoint, timeout=300, **parameters)
+
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.json(), {"message": "from authorizer"})
+
+    @parameterized.expand(
+        [
+            ("/hello", {"headers": {"blank": "invalid"}}),
+            ("/hello-request", {"headers": {"blank": "invalid"}, "params": {"blank": "invalid"}}),
+        ]
+    )
+    def test_missing_authorizer_identity_source(self, endpoint, parameters):
+        response = requests.get(self.url + endpoint, timeout=300, **parameters)
+
+        self.assertEqual(response.status_code, 401)
+
+    def test_fails_token_header_validation_authorizer(self):
+        response = requests.get(self.url + "/hello", timeout=300, headers={"myheader": "not valid"})
+
+        self.assertEqual(response.status_code, 401)
+
+
 @skipIf(
     not CI_OVERRIDE,
     "Skip Terraform test cases unless running in CI",

diff --git a/tests/integration/testdata/start_api/terraform/v1-lambda-authorizer/lambda-functions.zip b/tests/integration/testdata/start_api/terraform/v1-lambda-authorizer/lambda-functions.zip
diff --git a/tests/integration/testdata/start_api/terraform/v1-lambda-authorizer/main.tf b/tests/integration/testdata/start_api/terraform/v1-lambda-authorizer/main.tf
@@ -0,0 +1,139 @@
+provider "aws" {}
+
+resource "aws_api_gateway_authorizer" "header_authorizer" {
+  name = "header_authorizer"
+  rest_api_id = aws_api_gateway_rest_api.api.id
+  authorizer_uri = aws_lambda_function.authorizer.invoke_arn
+  authorizer_credentials = aws_iam_role.invocation_role.arn
+  identity_source = "method.request.header.myheader"
+  identity_validation_expression = "^123$"
+}
+
+resource "aws_api_gateway_authorizer" "request_authorizer" {
+  name = "request_authorizer"
+  rest_api_id = aws_api_gateway_rest_api.api.id
+  authorizer_uri = aws_lambda_function.authorizer.invoke_arn
+  authorizer_credentials = aws_iam_role.invocation_role.arn
+  identity_source = "method.request.header.myheader, method.request.querystring.mystring"
+  type = "REQUEST"
+}
+
+resource "aws_api_gateway_authorizer" "request_authorizer_empty" {
+  name = "request_authorizer"
+  rest_api_id = aws_api_gateway_rest_api.api.id
+  authorizer_uri = aws_lambda_function.authorizer.invoke_arn
+  authorizer_credentials = aws_iam_role.invocation_role.arn
+  identity_source = ""
+  type = "REQUEST"
+}
+
+resource "aws_lambda_function" "authorizer" {
+  filename = "lambda-functions.zip"
+  function_name = "authorizer"
+  role = aws_iam_role.invocation_role.arn
+  handler = "handlers.auth_handler"
+  runtime = "python3.8"
+  source_code_hash = filebase64sha256("lambda-functions.zip")
+}
+
+resource "aws_lambda_function" "hello_endpoint" {
+  filename = "lambda-functions.zip"
+  function_name = "hello_lambda"
+  role = aws_iam_role.invocation_role.arn
+  handler = "handlers.hello_handler"
+  runtime = "python3.8"
+  source_code_hash = filebase64sha256("lambda-functions.zip")
+}
+
+resource "aws_api_gateway_method" "get_hello" {
+  rest_api_id = aws_api_gateway_rest_api.api.id
+  resource_id = aws_api_gateway_resource.hello_resource.id
+  http_method = "GET"
+  authorizer_id = aws_api_gateway_authorizer.header_authorizer.id
+  authorization = "CUSTOM"
+}
+
+resource "aws_api_gateway_method" "get_hello_request" {
+  rest_api_id = aws_api_gateway_rest_api.api.id
+  resource_id = aws_api_gateway_resource.hello_resource_request.id
+  http_method = "GET"
+  authorizer_id = aws_api_gateway_authorizer.request_authorizer.id
+  authorization = "CUSTOM"
+}
+
+resource "aws_api_gateway_method" "get_hello_request_empty" {
+  rest_api_id = aws_api_gateway_rest_api.api.id
+  resource_id = aws_api_gateway_resource.hello_resource_request_empty.id
+  http_method = "GET"
+  authorizer_id = aws_api_gateway_authorizer.request_authorizer_empty.id
+  authorization = "CUSTOM"
+}
+
+resource "aws_api_gateway_resource" "hello_resource" {
+  rest_api_id = aws_api_gateway_rest_api.api.id
+  parent_id = aws_api_gateway_rest_api.api.root_resource_id
+  path_part = "hello"
+}
+
+resource "aws_api_gateway_resource" "hello_resource_request" {
+  rest_api_id = aws_api_gateway_rest_api.api.id
+  parent_id = aws_api_gateway_rest_api.api.root_resource_id
+  path_part = "hello-request"
+}
+
+resource "aws_api_gateway_resource" "hello_resource_request_empty" {
+  rest_api_id = aws_api_gateway_rest_api.api.id
+  parent_id = aws_api_gateway_rest_api.api.root_resource_id
+  path_part = "hello-request-empty"
+}
+
+resource "aws_api_gateway_integration" "MyDemoIntegration" {
+  rest_api_id = aws_api_gateway_rest_api.api.id
+  resource_id = aws_api_gateway_resource.hello_resource.id
+  http_method = aws_api_gateway_method.get_hello.http_method
+  type = "AWS_PROXY"
+  content_handling = "CONVERT_TO_TEXT"
+  uri = aws_lambda_function.hello_endpoint.invoke_arn
+}
+
+resource "aws_api_gateway_integration" "MyDemoIntegrationRequest" {
+  rest_api_id = aws_api_gateway_rest_api.api.id
+  resource_id = aws_api_gateway_resource.hello_resource_request.id
+  http_method = aws_api_gateway_method.get_hello_request.http_method
+  type = "AWS_PROXY"
+  content_handling = "CONVERT_TO_TEXT"
+  uri = aws_lambda_function.hello_endpoint.invoke_arn
+}
+
+resource "aws_api_gateway_integration" "MyDemoIntegrationRequestEmpty" {
+  rest_api_id = aws_api_gateway_rest_api.api.id
+  resource_id = aws_api_gateway_resource.hello_resource_request_empty.id
+  http_method = aws_api_gateway_method.get_hello_request_empty.http_method
+  type = "AWS_PROXY"
+  content_handling = "CONVERT_TO_TEXT"
+  uri = aws_lambda_function.hello_endpoint.invoke_arn
+}
+
+resource "aws_api_gateway_rest_api" "api" {
+  name = "api"
+}
+
+resource "aws_iam_role" "invocation_role" {
+  name = "iam_lambda"
+  path = "/"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}