def test_can_use_auth_routes_instead_of_strings(auth_request):
    """AuthRoute entries produce one resource ARN per (path, method) pair.

    The policy must list exactly the methods declared on each AuthRoute
    and nothing else, so the comparison is against the full resource list.
    """
    routes = [
        app.AuthRoute('/a', ['GET']),
        app.AuthRoute('/a/b', ['GET', 'POST']),
    ]
    allowed_arns = [
        "arn:aws:execute-api:us-west-2:123:rest-api-id/dev/GET/a",
        "arn:aws:execute-api:us-west-2:123:rest-api-id/dev/GET/a/b",
        "arn:aws:execute-api:us-west-2:123:rest-api-id/dev/POST/a/b",
    ]

    policy = app.AuthResponse(routes, 'principal').to_dict(auth_request)

    allow_statement = {
        'Action': 'execute-api:Invoke',
        'Effect': 'Allow',
        'Resource': allowed_arns,
    }
    assert policy['policyDocument'] == {
        'Version': '2012-10-17',
        'Statement': [allow_statement],
    }
def test_auth_response_wildcard(auth_request):
    """A '*' path with '*' methods serializes to a single `*/*` resource.

    The expected ARN ends in `/dev/*/*`, i.e. the statement allows Invoke
    on every method and every path under that stage. This pins the
    all-access form so a change to how wildcards are rendered is noticed.
    """
    wildcard_route = app.AuthRoute(path='*', methods=['*'])
    response = app.AuthResponse(routes=[wildcard_route], principal_id='user')

    policy = response.to_dict(auth_request)['policyDocument']

    everything_arn = 'arn:aws:execute-api:us-west-2:123:rest-api-id/dev/*/*'
    assert policy == {
        'Version': '2012-10-17',
        'Statement': [{
            'Action': 'execute-api:Invoke',
            'Effect': 'Allow',
            'Resource': [everything_arn],
        }],
    }
def test_special_cased_root_resource(auth_request):
    """The root route '/' is rendered with API Gateway's `//` ARN suffix."""
    # API Gateway reports the root resource with a trailing `//` in the
    # method ARN (reason unknown); this was confirmed not to happen for
    # non-root URLs.  That quirk should not leak into the API we expose:
    # callers write AuthRoute('/') and the `//` form is produced for them.
    root_arn = "arn:aws:execute-api:us-west-2:123:rest-api-id/dev/GET//"
    auth_request.method_arn = root_arn

    root_only = app.AuthResponse([app.AuthRoute('/', ['GET'])], 'principal')
    policy = root_only.to_dict(auth_request)['policyDocument']

    allow_statement = {
        'Action': 'execute-api:Invoke',
        'Effect': 'Allow',
        'Resource': [root_arn],
    }
    assert policy == {
        'Version': '2012-10-17',
        'Statement': [allow_statement],
    }
def test_can_mix_auth_routes_and_strings(auth_request):
    """Plain string routes and AuthRoute objects can share one route list.

    The bare string '/a' expands to a resource ARN for each of the seven
    methods listed below, while AuthRoute('/a/b', ['GET']) contributes
    only its declared method.  A string route therefore grants far more
    than an AuthRoute for the same path; the exact list is asserted so
    that difference stays visible.
    """
    mixed_routes = ['/a', app.AuthRoute('/a/b', ['GET'])]
    allowed_arns = [
        # From the string route '/a': one entry per method.
        'arn:aws:execute-api:us-west-2:123:rest-api-id/dev/DELETE/a',
        'arn:aws:execute-api:us-west-2:123:rest-api-id/dev/HEAD/a',
        'arn:aws:execute-api:us-west-2:123:rest-api-id/dev/OPTIONS/a',
        'arn:aws:execute-api:us-west-2:123:rest-api-id/dev/PATCH/a',
        'arn:aws:execute-api:us-west-2:123:rest-api-id/dev/POST/a',
        'arn:aws:execute-api:us-west-2:123:rest-api-id/dev/PUT/a',
        'arn:aws:execute-api:us-west-2:123:rest-api-id/dev/GET/a',
        # From AuthRoute('/a/b', ['GET']): the single declared method.
        'arn:aws:execute-api:us-west-2:123:rest-api-id/dev/GET/a/b',
    ]

    policy = app.AuthResponse(mixed_routes, 'principal').to_dict(auth_request)

    assert policy['policyDocument'] == {
        'Version': '2012-10-17',
        'Statement': [{
            'Action': 'execute-api:Invoke',
            'Effect': 'Allow',
            'Resource': allowed_arns,
        }],
    }