    token = auth_request.token
    # This is just for demo purposes as shown in the API Gateway docs.
    # Normally you'd call an oauth provider, validate the jwt token, etc.
    # In this exampe, the token is treated as the status for demo purposes.
    if token == 'allow':
        return AuthResponse(routes=['/'], principal_id='user')
    else:
        # By specifying an empty list of routes,
        # we're saying this user is not authorized
        # for any URLs, which will result in an
        # Unauthorized response.
        return AuthResponse(routes=[], principal_id='user')


# setup authorisers for view methods
# IAM (SigV4) authorizer instance; selected below when the configured
# authorizer name equals params.AUTHORIZER_IAM.
iam_authorizer = IAMAuthorizer()

# The authorizer to use is chosen at import time from the environment
# variable whose name is held in params.AUTHORIZER_PARAM (None when the
# variable is unset); the branches that follow compare it against the
# params.AUTHORIZER_* constants.
set_authorizer = os.getenv(params.AUTHORIZER_PARAM)
if set_authorizer == params.AUTHORIZER_IAM:
    use_authorizer = iam_authorizer
elif set_authorizer == params.AUTHORIZER_COGNITO:
    # check that we have the required configuration to setup Cognito auth
    cog_pool_name = os.getenv(params.COGNITO_POOL_NAME)
    cog_provider_arns = os.getenv(params.COGNITO_PROVIDER_ARNS)

    if cog_pool_name is not None and cog_provider_arns is not None:
        cognito_authorizer = CognitoUserPoolAuthorizer(cog_pool_name, provider_arns=cog_provider_arns.split(','))
    else:
        print("Unable to configure Cognito Authorizer without %s and %s configuration items" % params.COGNITO_POOL_NAME,
              params.COGNITO_PROVIDER_ARNS)
elif set_authorizer == params.AUTHORIZER_CUSTOM:
def demo_app_auth():
    """Build a Chalice app whose demo routes are each guarded by an authorizer.

    Every custom authorizer defined here accepts exactly one credential: the
    literal request token ``'allow'``.  Any other token produces a response
    that grants no routes (or, for the explicit-policy variant, a ``Deny``
    statement).  One route is guarded by an ``IAMAuthorizer`` and one by an
    authorizer that returns ``None``, so callers can exercise those paths too.

    Returns:
        The configured ``app.Chalice`` instance named ``'app-name'``.
    """
    demo = app.Chalice('app-name')

    # Fixed test ARN referenced by both the Allow and the Deny statement of
    # the explicit-policy authorizer.
    explicit_arn = ("arn:aws:execute-api:mars-west-1:123456789012:"
                    "ymy8tbxw7b/api/GET/explicit")

    def _explicit_policy(effect, principal):
        """Return a raw authorizer response with a single-statement policy.

        Args:
            effect: ``'Allow'`` or ``'Deny'`` for the Statement's Effect.
            principal: value placed in ``principalId``.
        """
        statement = {
            'Action': 'execute-api:Invoke',
            'Effect': effect,
            'Resource': [explicit_arn],
        }
        return {
            'context': {},
            'principalId': principal,
            'policyDocument': {
                'Version': '2012-10-17',
                'Statement': [statement],
            },
        }

    # NOTE(review): the authorizer function names below are kept stable; the
    # decorator likely derives the authorizer's name from the function name
    # -- confirm in app.authorizer() before renaming any of them.

    @demo.authorizer()
    def auth_with_explicit_policy(auth_request):
        # Accepted token -> Allow policy for principal 'user'; anything else
        # -> Deny policy with an empty principal id.
        if auth_request.token == 'allow':
            return _explicit_policy('Allow', 'user')
        return _explicit_policy('Deny', '')

    @demo.authorizer()
    def demo_authorizer_returns_none(auth_request):
        # Deliberately returns nothing so the handling of a None authorizer
        # result can be observed.
        return None

    @demo.authorizer()
    def demo_auth(auth_request):
        # Grants only '/index' to the accepted token; no routes otherwise.
        granted = ['/index'] if auth_request.token == 'allow' else []
        return app.AuthResponse(routes=granted, principal_id='user')

    @demo.authorizer()
    def resource_auth(auth_request):
        # Grants a single concrete resource path to the accepted token.
        granted = (['/resource/foobar']
                   if auth_request.token == 'allow' else [])
        return app.AuthResponse(routes=granted, principal_id='user')

    @demo.authorizer()
    def all_auth(auth_request):
        # Grants the wildcard route '*' to the accepted token.
        granted = ['*'] if auth_request.token == 'allow' else []
        return app.AuthResponse(routes=granted, principal_id='user')

    @demo.authorizer()
    def landing_page_auth(auth_request):
        # Grants only the landing route '/' to the accepted token.
        granted = ['/'] if auth_request.token == 'allow' else []
        return app.AuthResponse(routes=granted, principal_id='user')

    iam_authorizer = IAMAuthorizer()

    # Routes are registered in a fixed order; each returns a trivial body so
    # the interesting behaviour is entirely in the attached authorizer.

    @demo.route('/', authorizer=landing_page_auth)
    def landing_view():
        return {}

    @demo.route('/index', authorizer=demo_auth)
    def index_view():
        return {}

    @demo.route('/secret', authorizer=demo_auth)
    def secret_view():
        return {}

    @demo.route('/resource/{name}', authorizer=resource_auth)
    def single_value(name):
        # Echoes the path parameter back to the caller.
        return dict(resource=name)

    @demo.route('/secret/{value}', authorizer=all_auth)
    def secret_view_value(value):
        # Echoes the path parameter back to the caller.
        return dict(secret=value)

    @demo.route('/explicit', authorizer=auth_with_explicit_policy)
    def explicit():
        return {}

    @demo.route('/iam', authorizer=iam_authorizer)
    def iam_route():
        return {}

    @demo.route('/none', authorizer=demo_authorizer_returns_none)
    def none_auth():
        return {}

    return demo