def _get_authorizers(self, authorizers_config, default_authorizer=None):
        """Translate the ``Authorizers`` config into ApiGatewayAuthorizer objects.

        :param authorizers_config: mapping of authorizer name -> property dict,
            or a falsy value when no authorizers are configured
        :param default_authorizer: name of the default authorizer; the literal
            "AWS_IAM" adds an implicit IAM authorizer entry under that name
        :returns: dict of authorizer name -> ApiGatewayAuthorizer, or None when
            the config is falsy and no implicit IAM authorizer was added
        :raises InvalidResourceException: if the config, or any single entry in
            it, is not a dictionary
        """
        # Template property name paired with the constructor keyword it feeds.
        # Keys absent from an entry are passed through as None.
        property_to_kwarg = (
            ("UserPoolArn", "user_pool_arn"),
            ("FunctionArn", "function_arn"),
            ("Identity", "identity"),
            ("FunctionPayloadType", "function_payload_type"),
            ("FunctionInvokeRole", "function_invoke_role"),
            ("AuthorizationScopes", "authorization_scopes"),
        )

        built = {}
        if default_authorizer == "AWS_IAM":
            built[default_authorizer] = ApiGatewayAuthorizer(
                api_logical_id=self.logical_id,
                name=default_authorizer,
                is_aws_iam_authorizer=True,
            )

        if not authorizers_config:
            # Nothing explicit was configured: return only the implicit IAM
            # entry, or None so the caller can tell "no authorizers at all".
            return built if "AWS_IAM" in built else None

        if not isinstance(authorizers_config, dict):
            raise InvalidResourceException(self.logical_id, "Authorizers must be a dictionary.")

        for auth_name, auth_props in authorizers_config.items():
            # The config comes from the template, so each entry is type-checked
            # before .get() is called on it.
            if not isinstance(auth_props, dict):
                raise InvalidResourceException(
                    self.logical_id, "Authorizer %s must be a dictionary." % (auth_name)
                )

            # An explicit entry named "AWS_IAM" replaces the implicit one above.
            built[auth_name] = ApiGatewayAuthorizer(
                api_logical_id=self.logical_id,
                name=auth_name,
                **{kwarg: auth_props.get(prop) for prop, kwarg in property_to_kwarg}
            )
        return built
 def test_create_authorizer_fails_with_missing_identity_values_and_not_cached(self):
     """A REQUEST authorizer whose identity holds only ``ReauthorizeEvery: 10`` is rejected.

     NOTE(review): ReauthorizeEvery looks like the authorizer-result cache
     TTL. With a non-zero TTL and no identity source there would be nothing
     to key cached decisions on, which is presumably why construction must
     fail here; confirm against ApiGatewayAuthorizer.
     """
     ttl_only_identity = {"ReauthorizeEvery": 10}
     expect_rejection = pytest.raises(InvalidResourceException)
     with expect_rejection:
         ApiGatewayAuthorizer(
             api_logical_id="logicalId",
             name="authName",
             identity=ttl_only_identity,
             function_payload_type="REQUEST",
         )
    def test_create_authorizer_doesnt_fail_with_identity_reauthorization_every_as_zero(self):
        """``ReauthorizeEvery: 0`` with no other identity keys is accepted for a REQUEST authorizer.

        NOTE(review): presumably a TTL of 0 means results are not cached, so no
        identity source is needed as a cache key; confirm against the
        validation in ApiGatewayAuthorizer.
        """
        zero_ttl_identity = {"ReauthorizeEvery": 0}
        self.assertIsNotNone(
            ApiGatewayAuthorizer(
                api_logical_id="logicalId",
                name="authName",
                identity=zero_ttl_identity,
                function_payload_type="REQUEST",
            )
        )
 def test_create_authorizer_with_identity_intrinsic_is_invalid_if_no_querystring_stagevariables_context_headers(
         self):
     """A dict-valued ``ReauthorizeEvery`` with no identity source is rejected.

     The identity carries no Headers, QueryStrings, StageVariables or Context
     key, only a ReauthorizeEvery value that cannot be resolved to a number
     at this point.
     """
     # NOTE(review): the key is spelled "FN:If", not CloudFormation's
     # "Fn::If"; confirm the constructor treats this dict the way the test
     # name ("intrinsic") implies.
     unresolved_ttl = {"FN:If": ["isProd", 10, 0]}
     identity_without_sources = {"ReauthorizeEvery": unresolved_ttl}
     with pytest.raises(InvalidResourceException):
         ApiGatewayAuthorizer(
             api_logical_id="logicalId",
             name="authName",
             identity=identity_without_sources,
             function_payload_type="REQUEST",
         )
    def test_create_authorizer_with_non_integer_identity(self):
        """A non-integer ``ReauthorizeEvery`` (an empty list) is accepted when Headers are present."""
        identity_with_headers = {
            "ReauthorizeEvery": [],
            "Headers": ["Accept"],
        }
        self.assertIsNotNone(
            ApiGatewayAuthorizer(
                api_logical_id="logicalId",
                name="authName",
                identity=identity_with_headers,
                function_payload_type="REQUEST",
            )
        )
    def test_create_authorizer_with_identity_ReauthorizeEvery_asNone_valid_with_query_strings(self):
        """``ReauthorizeEvery: None`` is accepted when a QueryStrings identity source is given."""
        identity_with_query_strings = {
            "ReauthorizeEvery": None,
            "QueryStrings": ["AQueryString"],
        }
        self.assertIsNotNone(
            ApiGatewayAuthorizer(
                api_logical_id="logicalId",
                name="authName",
                identity=identity_with_query_strings,
                function_payload_type="REQUEST",
            )
        )
    def test_create_authorizer_with_identity_intrinsic_is_valid_with_context(self):
        """A dict-valued ``ReauthorizeEvery`` is accepted when a Context identity source is given."""
        # NOTE(review): the key is spelled "FN:If", not CloudFormation's
        # "Fn::If"; confirm this still exercises the intrinsic path the test
        # name refers to.
        unresolved_ttl = {"FN:If": ["isProd", 10, 0]}
        identity_with_context = {
            "ReauthorizeEvery": unresolved_ttl,
            "Context": ["Accept"],
        }
        self.assertIsNotNone(
            ApiGatewayAuthorizer(
                api_logical_id="logicalId",
                name="authName",
                identity=identity_with_context,
                function_payload_type="REQUEST",
            )
        )
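    def _get_authorizers(self, authorizers_config):
        """Translate the ``Authorizers`` config into ApiGatewayAuthorizer objects.

        :param authorizers_config: mapping of authorizer name -> property dict,
            or a falsy value when no authorizers are configured
        :returns: dict of authorizer name -> ApiGatewayAuthorizer, or None when
            the config is falsy
        :raises InvalidResourceException: if the config, or any single entry in
            it, is not a dictionary
        """
        if not authorizers_config:
            return None

        if not isinstance(authorizers_config, dict):
            raise InvalidResourceException(self.logical_id,
                                           "Authorizers must be a dictionary")
        authorizers = {}

        for authorizer_name, authorizer in authorizers_config.items():
            # The config is template input. A non-dict entry (string, list,
            # None) would otherwise surface as a bare AttributeError from
            # .get() instead of a validation error tied to this resource.
            if not isinstance(authorizer, dict):
                raise InvalidResourceException(
                    self.logical_id,
                    "Authorizer %s must be a dictionary." % (authorizer_name))

            # Properties missing from the entry are passed through as None.
            authorizers[authorizer_name] = ApiGatewayAuthorizer(
                api_logical_id=self.logical_id,
                name=authorizer_name,
                user_pool_arn=authorizer.get('UserPoolArn'),
                function_arn=authorizer.get('FunctionArn'),
                identity=authorizer.get('Identity'),
                function_payload_type=authorizer.get('FunctionPayloadType'),
                function_invoke_role=authorizer.get('FunctionInvokeRole'))

        return authorizers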
 def test_create_oauth2_auth(self):
     """An authorizer built with a list of authorization scopes constructs successfully."""
     oauth_scopes = ["scope1", "scope2"]
     self.assertIsNotNone(
         ApiGatewayAuthorizer(
             api_logical_id="logicalId",
             name="authName",
             authorization_scopes=oauth_scopes,
         )
     )
 def test_create_authorizer_fails_with_empty_identity(self):
     """A REQUEST authorizer given an empty identity dict is rejected."""
     empty_identity = {}
     expect_rejection = pytest.raises(InvalidResourceException)
     with expect_rejection:
         ApiGatewayAuthorizer(
             api_logical_id="logicalId",
             name="authName",
             identity=empty_identity,
             function_payload_type="REQUEST",
         )
 def test_create_authorizer_fails_with_string_authorization_scopes(self):
     """Authorization scopes passed as a bare string instead of a list are rejected."""
     scopes_as_string = "invalid_scope"
     expect_rejection = pytest.raises(InvalidResourceException)
     with expect_rejection:
         ApiGatewayAuthorizer(
             api_logical_id="logicalId",
             name="authName",
             authorization_scopes=scopes_as_string,
         )