UNPKG

@aws-cdk/aws-apigateway

Version:

The CDK Construct Library for AWS::ApiGateway

github.com/aws/aws-cdk

aws/aws-cdk

138 lines (137 loc) 5.95 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
import * as iam from '@aws-cdk/aws-iam'; import * as lambda from '@aws-cdk/aws-lambda'; import { Duration } from '@aws-cdk/core'; import { Construct } from 'constructs'; import { Authorizer, IAuthorizer } from '../authorizer'; import { IRestApi } from '../restapi'; /** * Base properties for all lambda authorizers */ export interface LambdaAuthorizerProps { /** * An optional human friendly name for the authorizer. Note that, this is not the primary identifier of the authorizer. * * @default - the unique construcrt ID */ readonly authorizerName?: string; /** * The handler for the authorizer lambda function. * * The handler must follow a very specific protocol on the input it receives and the output it needs to produce. * API Gateway has documented the handler's input specification * {@link https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-input.html | here} and output specification * {@link https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html | here}. */ readonly handler: lambda.IFunction; /** * How long APIGateway should cache the results. Max 1 hour. * Disable caching by setting this to 0. * * @default Duration.minutes(5) */ readonly resultsCacheTtl?: Duration; /** * An optional IAM role for APIGateway to assume before calling the Lambda-based authorizer. The IAM role must be * assumable by 'apigateway.amazonaws.com'. * * @default - A resource policy is added to the Lambda function allowing apigateway.amazonaws.com to invoke the function. */ readonly assumeRole?: iam.IRole; } declare abstract class LambdaAuthorizer extends Authorizer implements IAuthorizer { /** * The id of the authorizer. * @attribute */ abstract readonly authorizerId: string; /** * The ARN of the authorizer to be used in permission policies, such as IAM and resource-based grants. */ abstract readonly authorizerArn: string; /** * The Lambda function handler that this authorizer uses. */ protected readonly handler: lambda.IFunction; /** * The IAM role that the API Gateway service assumes while invoking the Lambda function. */ protected readonly role?: iam.IRole; protected restApiId?: string; protected constructor(scope: Construct, id: string, props: LambdaAuthorizerProps); /** * Attaches this authorizer to a specific REST API. * @internal */ _attachToApi(restApi: IRestApi): void; /** * Sets up the permissions necessary for the API Gateway service to invoke the Lambda function. */ protected setupPermissions(): void; /** * Returns a token that resolves to the Rest Api Id at the time of synthesis. * Throws an error, during token resolution, if no RestApi is attached to this authorizer. */ protected lazyRestApiId(): string; } /** * Properties for TokenAuthorizer */ export interface TokenAuthorizerProps extends LambdaAuthorizerProps { /** * An optional regex to be matched against the authorization token. When matched the authorizer lambda is invoked, * otherwise a 401 Unauthorized is returned to the client. * * @default - no regex filter will be applied. */ readonly validationRegex?: string; /** * The request header mapping expression for the bearer token. This is typically passed as part of the header, in which case * this should be `method.request.header.Authorizer` where Authorizer is the header containing the bearer token. * @see https://docs.aws.amazon.com/apigateway/api-reference/link-relation/authorizer-create/#identitySource * @default `IdentitySource.header('Authorization')` */ readonly identitySource?: string; } /** * Token based lambda authorizer that recognizes the caller's identity as a bearer token, * such as a JSON Web Token (JWT) or an OAuth token. * Based on the token, authorization is performed by a lambda function. * * @resource AWS::ApiGateway::Authorizer */ export declare class TokenAuthorizer extends LambdaAuthorizer { readonly authorizerId: string; readonly authorizerArn: string; constructor(scope: Construct, id: string, props: TokenAuthorizerProps); } /** * Properties for RequestAuthorizer */ export interface RequestAuthorizerProps extends LambdaAuthorizerProps { /** * An array of request header mapping expressions for identities. Supported parameter types are * Header, Query String, Stage Variable, and Context. For instance, extracting an authorization * token from a header would use the identity source `IdentitySource.header('Authorizer')`. * * Note: API Gateway uses the specified identity sources as the request authorizer caching key. When caching is * enabled, API Gateway calls the authorizer's Lambda function only after successfully verifying that all the * specified identity sources are present at runtime. If a specified identify source is missing, null, or empty, * API Gateway returns a 401 Unauthorized response without calling the authorizer Lambda function. * * @see https://docs.aws.amazon.com/apigateway/api-reference/link-relation/authorizer-create/#identitySource */ readonly identitySources: string[]; } /** * Request-based lambda authorizer that recognizes the caller's identity via request parameters, * such as headers, paths, query strings, stage variables, or context variables. * Based on the request, authorization is performed by a lambda function. * * @resource AWS::ApiGateway::Authorizer */ export declare class RequestAuthorizer extends LambdaAuthorizer { readonly authorizerId: string; readonly authorizerArn: string; constructor(scope: Construct, id: string, props: RequestAuthorizerProps); } export {};