api gateway v1 (rest api) custom authorizer example

utospace · Oct 4, 2020 · 3449cde · 3449cde
commit 3449cde
Show file tree

Hide file tree

Showing 13 changed files with 8,275 additions and 0 deletions.
diff --git a/aws-community-day-2020-korea/api-v1-custom-auth/.gitignore b/aws-community-day-2020-korea/api-v1-custom-auth/.gitignore
@@ -0,0 +1,13 @@
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+
+# Parcel default cache directory
+.parcel-cache
+
+.vscode
diff --git a/aws-community-day-2020-korea/api-v1-custom-auth/.npmignore b/aws-community-day-2020-korea/api-v1-custom-auth/.npmignore
@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
diff --git a/aws-community-day-2020-korea/api-v1-custom-auth/README.md b/aws-community-day-2020-korea/api-v1-custom-auth/README.md
@@ -0,0 +1,14 @@
+# Welcome to your CDK TypeScript project!
+
+This is a blank project for TypeScript development with CDK.
+
+The `cdk.json` file tells the CDK Toolkit how to execute your app.
+
+## Useful commands
+
+ * `npm run build`   compile typescript to js
+ * `npm run watch`   watch for changes and compile
+ * `npm run test`    perform the jest unit tests
+ * `cdk deploy`      deploy this stack to your default AWS account/region
+ * `cdk diff`        compare deployed stack with current state
+ * `cdk synth`       emits the synthesized CloudFormation template
diff --git a/aws-community-day-2020-korea/api-v1-custom-auth/bin/api-v1-custom-auth.ts b/aws-community-day-2020-korea/api-v1-custom-auth/bin/api-v1-custom-auth.ts
@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+import 'source-map-support/register';
+import * as cdk from '@aws-cdk/core';
+import { ApiV1CustomAuthStack } from '../lib/api-v1-custom-auth-stack';
+
+const app = new cdk.App();
+new ApiV1CustomAuthStack(app, 'ApiV1CustomAuthStack');
diff --git a/aws-community-day-2020-korea/api-v1-custom-auth/cdk.json b/aws-community-day-2020-korea/api-v1-custom-auth/cdk.json
@@ -0,0 +1,8 @@
+{
+  "app": "npx ts-node bin/api-v1-custom-auth.ts",
+  "context": {
+    "@aws-cdk/core:enableStackNameDuplicates": "true",
+    "aws-cdk:enableDiffNoFail": "true",
+    "@aws-cdk/core:stackRelativeExports": "true"
+  }
+}
diff --git a/aws-community-day-2020-korea/api-v1-custom-auth/jest.config.js b/aws-community-day-2020-korea/api-v1-custom-auth/jest.config.js
@@ -0,0 +1,7 @@
+module.exports = {
+  roots: ['<rootDir>/test'],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.tsx?$': 'ts-jest'
+  }
+};
diff --git a/aws-community-day-2020-korea/api-v1-custom-auth/lambda-src/authorizer/authorizer.py b/aws-community-day-2020-korea/api-v1-custom-auth/lambda-src/authorizer/authorizer.py
@@ -0,0 +1,22 @@
+def handler(event, context):
+    auth_token = event['authorizationToken']
+    if auth_token == 'testtoken':
+        return generate_policy(event, True)
+    else:
+        return generate_policy(event, False)
+
+
+def generate_policy(event, is_allow):
+        return {
+        "principalId": "user",
+        "policyDocument": {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Action": "execute-api:Invoke",
+                    "Effect": "Allow" if is_allow else "Deny",
+                    "Resource": event['methodArn']
+                }
+            ]
+        }
+    }
diff --git a/aws-community-day-2020-korea/api-v1-custom-auth/lambda-src/test/test.py b/aws-community-day-2020-korea/api-v1-custom-auth/lambda-src/test/test.py
@@ -0,0 +1,4 @@
+def handler(event, context):
+    return {
+        'statusCode': 200
+    }
diff --git a/aws-community-day-2020-korea/api-v1-custom-auth/lib/api-v1-custom-auth-stack.ts b/aws-community-day-2020-korea/api-v1-custom-auth/lib/api-v1-custom-auth-stack.ts
@@ -0,0 +1,49 @@
+import * as cdk from '@aws-cdk/core';
+import { RestApi, CfnAuthorizer, LambdaIntegration, AuthorizationType, CfnMethod } from '@aws-cdk/aws-apigateway'
+import { Function, Runtime, AssetCode } from '@aws-cdk/aws-lambda'
+import { Role, ServicePrincipal } from '@aws-cdk/aws-iam'
+
+export class ApiV1CustomAuthStack extends cdk.Stack {
+  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    const api = new RestApi(this, 'Sample01Api')
+
+    const authorizerFunc = new Function(this, 'Sample01AuthFunc', {
+      functionName: 'Sample01AuthFunc',
+      code: new AssetCode('./lambda-src/authorizer'),
+      handler: 'authorizer.handler',
+      runtime: Runtime.PYTHON_3_8,
+    })
+    const role = new Role(this, 'Sample01AuthorizerRole', {
+      assumedBy: new ServicePrincipal('apigateway.amazonaws.com'),
+    });
+
+    authorizerFunc.grantInvoke(role);
+
+    const authorizer = new CfnAuthorizer(this, 'Sample01Authorizer', {
+      name: 'Sample01Authorizer',
+      restApiId: api.restApiId,
+      type: 'TOKEN',
+      identitySource: 'method.request.header.Authorization',
+      authorizerCredentials: role.roleArn,
+      authorizerUri: `arn:aws:apigateway:${this.region}:lambda:path/2015-03-31/functions/${authorizerFunc.functionArn}/invocations`
+    });
+
+    const testResource = api.root.addResource('test');
+
+    const testFunc = new Function(this, 'Sample01TestFunc', {
+      functionName: 'Sample01TestFunc',
+      code: new AssetCode('./lambda-src/test'),
+      handler: 'test.handler',
+      runtime: Runtime.PYTHON_3_8
+    });
+
+    const testIntegration = new LambdaIntegration(testFunc);
+    const testMethod = testResource.addMethod('GET', testIntegration, {
+      authorizationType: AuthorizationType.CUSTOM,
+    })
+    const testMethodResource = testMethod.node.findChild('Resource') as CfnMethod;
+    testMethodResource.addPropertyOverride('AuthorizerId', { Ref: authorizer.logicalId });
+  }
+}