aws-cdk-lib
Version 2 of the AWS Cloud Development Kit library
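/**
 * API Gateway Lambda authorizer constructs (TokenAuthorizer, RequestAuthorizer),
 * compiled CommonJS output; the RTTI records below identify aws-cdk-lib 2.233.0.
 *
 * Layout note: every `return` stays on the same line as its expression. A line
 * break directly after `return` triggers automatic semicolon insertion, which
 * would make the lazy module getters and the class factories return `undefined`.
 */

/**
 * Compiler-emitted decorator helper (same name and shape as TypeScript's
 * `__esDecorate`). Applies `decorators` from last to first to the element
 * described by `contextIn`, collecting initializers for later execution.
 * An already-exported `exports.__esDecorate` is reused when present.
 */
var __esDecorate =
  (exports && exports.__esDecorate) ||
  function (ctor, descriptorIn, decorators, contextIn, initializers, extraInitializers) {
    // A decorator may return undefined or a function; anything else is rejected.
    function accept(f) {
      if (f !== void 0 && typeof f != "function") throw new TypeError("Function expected");
      return f;
    }
    var kind = contextIn.kind;
    var key = kind === "getter" ? "get" : kind === "setter" ? "set" : "value";
    var target = !descriptorIn && ctor ? (contextIn.static ? ctor : ctor.prototype) : null;
    var descriptor =
      descriptorIn || (target ? Object.getOwnPropertyDescriptor(target, contextIn.name) : {});
    var _;
    var done = !1;
    for (var i = decorators.length - 1; i >= 0; i--) {
      // Each decorator gets its own shallow copy of the context object.
      var context = {};
      for (var p in contextIn) context[p] = p === "access" ? {} : contextIn[p];
      for (var p in contextIn.access) context.access[p] = contextIn.access[p];
      context.addInitializer = function (f) {
        if (done) throw new TypeError("Cannot add initializers after decoration has completed");
        extraInitializers.push(accept(f || null));
      };
      var result = (0, decorators[i])(
        kind === "accessor" ? { get: descriptor.get, set: descriptor.set } : descriptor[key],
        context
      );
      if (kind === "accessor") {
        if (result === void 0) continue;
        if (result === null || typeof result != "object") throw new TypeError("Object expected");
        if ((_ = accept(result.get))) descriptor.get = _;
        if ((_ = accept(result.set))) descriptor.set = _;
        if ((_ = accept(result.init))) initializers.unshift(_);
      } else if ((_ = accept(result))) {
        if (kind === "field") initializers.unshift(_);
        else descriptor[key] = _;
      }
    }
    if (target) Object.defineProperty(target, contextIn.name, descriptor);
    done = !0;
  };

/**
 * Compiler-emitted helper: runs each initializer with `thisArg` as receiver.
 * When a third argument is passed, the value is threaded through the
 * initializers and the final value is returned; otherwise returns undefined.
 */
var __runInitializers =
  (exports && exports.__runInitializers) ||
  function (thisArg, initializers, value) {
    var useValue = arguments.length > 2;
    for (var i = 0; i < initializers.length; i++) {
      value = useValue ? initializers[i].call(thisArg, value) : initializers[i].call(thisArg);
    }
    return useValue ? value : void 0;
  };

Object.defineProperty(exports, "__esModule", { value: !0 });
exports.RequestAuthorizer = exports.TokenAuthorizer = void 0;

// Lazy module getters: the first call performs the require() and then replaces
// the getter with one that returns the cached module object.
var jsiiDeprecationWarnings = () => {
  var tmp = require("../../../.warnings.jsii.js");
  jsiiDeprecationWarnings = () => tmp;
  return tmp;
};
const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
var identity_source_1 = () => {
  var tmp = require("./identity-source");
  identity_source_1 = () => tmp;
  return tmp;
};
var iam = () => {
  var tmp = require("../../../aws-iam");
  iam = () => tmp;
  return tmp;
};
var lambda = () => {
  var tmp = require("../../../aws-lambda");
  lambda = () => tmp;
  return tmp;
};
var core_1 = () => {
  var tmp = require("../../../core");
  core_1 = () => tmp;
  return tmp;
};
var errors_1 = () => {
  var tmp = require("../../../core/lib/errors");
  errors_1 = () => tmp;
  return tmp;
};
var metadata_resource_1 = () => {
  var tmp = require("../../../core/lib/metadata-resource");
  metadata_resource_1 = () => tmp;
  return tmp;
};
var prop_injectable_1 = () => {
  var tmp = require("../../../core/lib/prop-injectable");
  prop_injectable_1 = () => tmp;
  return tmp;
};
var cx_api_1 = () => {
  var tmp = require("../../../cx-api");
  cx_api_1 = () => tmp;
  return tmp;
};
var apigateway_generated_1 = () => {
  var tmp = require("../apigateway.generated");
  apigateway_generated_1 = () => tmp;
  return tmp;
};
var authorizer_1 = () => {
  var tmp = require("../authorizer");
  authorizer_1 = () => tmp;
  return tmp;
};

/**
 * Shared base of the two Lambda authorizer constructs. Holds the handler
 * function, the optional role API Gateway assumes to invoke it, and the id of
 * the single RestApi the authorizer is attached to.
 */
class LambdaAuthorizer extends authorizer_1().Authorizer {
  handler;
  role;
  restApiId;

  /**
   * @param scope parent construct
   * @param id construct id
   * @param props reads `handler`, `assumeRole` and `resultsCacheTtl`
   * @throws ValidationError when `resultsCacheTtl` exceeds 3600 seconds
   */
  constructor(scope, id, props) {
    super(scope, id);
    this.handler = props.handler;
    this.role = props.assumeRole;
    // Upper bound on how long an authorizer result may be cached. A cached
    // result keeps being served for the whole TTL, so shorter values shorten
    // the window in which a revoked credential is still accepted.
    if (props.resultsCacheTtl && props.resultsCacheTtl?.toSeconds() > 3600) {
      throw new (errors_1()).ValidationError(
        "Lambda authorizer property 'resultsCacheTtl' must not be greater than 3600 seconds (1 hour)",
        scope
      );
    }
  }

  /**
   * Binds this authorizer to `restApi`.
   * @throws ValidationError when already attached to a different RestApi
   */
  _attachToApi(restApi) {
    if (this.restApiId && this.restApiId !== restApi.restApiId) {
      throw new (errors_1()).ValidationError(
        "Cannot attach authorizer to two different rest APIs",
        this
      );
    }
    this.restApiId = restApi.restApiId;

    const deployment = restApi.latestDeployment;
    const addToLogicalId = core_1()
      .FeatureFlags.of(this)
      .isEnabled(cx_api_1().APIGATEWAY_AUTHORIZER_CHANGE_DEPLOYMENT_LOGICAL_ID);
    if (deployment && addToLogicalId) {
      let functionName;
      if (this.handler instanceof lambda().Function) {
        functionName = this.handler.node.defaultChild.functionName;
      } else {
        functionName = this.handler.functionName;
      }
      // The authorizer configuration and function name feed the deployment's
      // logical id -- presumably so that an authorizer change rolls out a new
      // deployment instead of leaving the previous one in place.
      deployment.node.addDependency(this);
      deployment.addToLogicalId({
        authorizer: this.authorizerProps,
        authorizerToken: functionName,
      });
    }
  }

  /**
   * Grants API Gateway the right to invoke the handler.
   *
   * No role: a resource-based permission is added on the function.
   * Role for which `iam.Role.isRole` is true: an inline invoke policy is attached.
   * Any other role object: nothing is granted here.
   * NOTE(review): in that last case (presumably an imported role) the caller has
   * to make sure the role already allows lambda:InvokeFunction on the handler,
   * otherwise the authorizer cannot run and requests are not authorized.
   */
  setupPermissions() {
    if (!this.role) {
      this.addDefaultPermissionRole();
    } else if (iam().Role.isRole(this.role)) {
      this.addLambdaInvokePermission(this.role);
    }
  }

  /**
   * Adds a function permission for the API Gateway service principal. The
   * grant carries `sourceArn` set to this authorizer's ARN, so the service
   * principal is not given a blanket right to invoke the function.
   */
  addDefaultPermissionRole() {
    this.handler.addPermission(`${core_1().Names.uniqueId(this)}:Permissions`, {
      principal: new (iam()).ServicePrincipal("apigateway.amazonaws.com"),
      sourceArn: this.authorizerArn,
    });
  }

  /**
   * Attaches an inline policy to `role` allowing only `lambda:InvokeFunction`
   * on the handler's invoke ARNs.
   */
  addLambdaInvokePermission(role) {
    const invokeStatement = new (iam()).PolicyStatement({
      resources: this.handler.resourceArnsForGrantInvoke,
      actions: ["lambda:InvokeFunction"],
    });
    role.attachInlinePolicy(
      new (iam()).Policy(this, "authorizerInvokePolicy", { statements: [invokeStatement] })
    );
  }

  /**
   * Returns a lazy string token for the RestApi id.
   * @throws ValidationError at resolution time when the authorizer was never attached
   */
  lazyRestApiId() {
    return core_1().Lazy.string({
      produce: () => {
        if (!this.restApiId) {
          throw new (errors_1()).ValidationError(
            `Authorizer (${this.node.path}) must be attached to a RestApi`,
            this
          );
        }
        return this.restApiId;
      },
    });
  }
}

/**
 * TOKEN-type Lambda authorizer. The class is built inside a factory because
 * the `propertyInjectable` class decorator is applied through __esDecorate.
 */
let TokenAuthorizer = (() => {
  let _classDecorators = [prop_injectable_1().propertyInjectable];
  let _classDescriptor;
  let _classExtraInitializers = [];
  let _classThis;
  let _classSuper = LambdaAuthorizer;
  var TokenAuthorizer2 = class extends _classSuper {
    static {
      _classThis = this;
    }
    static {
      const _metadata =
        typeof Symbol == "function" && Symbol.metadata
          ? Object.create(_classSuper[Symbol.metadata] ?? null)
          : void 0;
      __esDecorate(
        null,
        (_classDescriptor = { value: _classThis }),
        _classDecorators,
        { kind: "class", name: _classThis.name, metadata: _metadata },
        null,
        _classExtraInitializers
      );
      // The decorator may have replaced the class; use whatever it returned.
      TokenAuthorizer2 = _classThis = _classDescriptor.value;
      if (_metadata) {
        Object.defineProperty(_classThis, Symbol.metadata, {
          enumerable: !0,
          configurable: !0,
          writable: !0,
          value: _metadata,
        });
      }
    }
    static [JSII_RTTI_SYMBOL_1] = {
      fqn: "aws-cdk-lib.aws_apigateway.TokenAuthorizer",
      version: "2.233.0",
    };
    static PROPERTY_INJECTION_ID = "aws-cdk-lib.aws-apigateway.TokenAuthorizer";
    authorizerId;
    authorizerArn;
    authorizerProps;

    /**
     * @param scope parent construct
     * @param id construct id
     * @param props handler, optional assumeRole, authorizerName, resultsCacheTtl,
     *   identitySource and validationRegex
     */
    constructor(scope, id, props) {
      super(scope, id, props);
      try {
        jsiiDeprecationWarnings().aws_cdk_lib_aws_apigateway_TokenAuthorizerProps(props);
      } catch (error) {
        // Unless JSII_DEBUG=1, drop the frames up to this constructor from a
        // DeprecationError's stack trace before rethrowing.
        if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
          Error.captureStackTrace(error, TokenAuthorizer2);
        }
        throw error;
      }
      (0, metadata_resource_1().addConstructMetadata)(this, props);

      const restApiId = this.lazyRestApiId();
      const authorizerProps = {
        name: props.authorizerName ?? core_1().Names.uniqueId(this),
        restApiId,
        type: "TOKEN",
        authorizerUri: lambdaAuthorizerArn(props.handler),
        authorizerCredentials: props.assumeRole?.roleArn,
        // Results are cached for 5 minutes unless the caller says otherwise.
        authorizerResultTtlInSeconds:
          props.resultsCacheTtl?.toSeconds() ?? core_1().Duration.minutes(5).toSeconds(),
        // The token is read from the Authorization header by default.
        identitySource:
          props.identitySource || identity_source_1().IdentitySource.header("Authorization"),
        // Passed through unchanged; when validationRegex is omitted no
        // validation expression is configured on the authorizer.
        identityValidationExpression: props.validationRegex,
      };
      this.authorizerProps = authorizerProps;

      const resource = new (apigateway_generated_1()).CfnAuthorizer(
        this,
        "Resource",
        authorizerProps
      );
      this.authorizerId = resource.ref;
      this.authorizerArn = core_1().Stack.of(this).formatArn({
        service: "execute-api",
        resource: restApiId,
        resourceName: `authorizers/${this.authorizerId}`,
      });
      // Must run after authorizerArn is set: the default permission uses it as sourceArn.
      this.setupPermissions();
    }
    static {
      __runInitializers(_classThis, _classExtraInitializers);
    }
  };
  return (TokenAuthorizer2 = _classThis);
})();
exports.TokenAuthorizer = TokenAuthorizer;

/**
 * REQUEST-type Lambda authorizer. Built through the same decorator factory
 * pattern as TokenAuthorizer.
 */
let RequestAuthorizer = (() => {
  let _classDecorators = [prop_injectable_1().propertyInjectable];
  let _classDescriptor;
  let _classExtraInitializers = [];
  let _classThis;
  let _classSuper = LambdaAuthorizer;
  var RequestAuthorizer2 = class extends _classSuper {
    static {
      _classThis = this;
    }
    static {
      const _metadata =
        typeof Symbol == "function" && Symbol.metadata
          ? Object.create(_classSuper[Symbol.metadata] ?? null)
          : void 0;
      __esDecorate(
        null,
        (_classDescriptor = { value: _classThis }),
        _classDecorators,
        { kind: "class", name: _classThis.name, metadata: _metadata },
        null,
        _classExtraInitializers
      );
      // The decorator may have replaced the class; use whatever it returned.
      RequestAuthorizer2 = _classThis = _classDescriptor.value;
      if (_metadata) {
        Object.defineProperty(_classThis, Symbol.metadata, {
          enumerable: !0,
          configurable: !0,
          writable: !0,
          value: _metadata,
        });
      }
    }
    static [JSII_RTTI_SYMBOL_1] = {
      fqn: "aws-cdk-lib.aws_apigateway.RequestAuthorizer",
      version: "2.233.0",
    };
    static PROPERTY_INJECTION_ID = "aws-cdk-lib.aws-apigateway.RequestAuthorizer";
    authorizerId;
    authorizerArn;
    authorizerProps;

    /**
     * @param scope parent construct
     * @param id construct id
     * @param props handler, identitySources, optional assumeRole,
     *   authorizerName and resultsCacheTtl
     * @throws ValidationError when caching is enabled (TTL unset or non-zero)
     *   and `identitySources` is empty
     */
    constructor(scope, id, props) {
      super(scope, id, props);
      try {
        jsiiDeprecationWarnings().aws_cdk_lib_aws_apigateway_RequestAuthorizerProps(props);
      } catch (error) {
        // Unless JSII_DEBUG=1, drop the frames up to this constructor from a
        // DeprecationError's stack trace before rethrowing.
        if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
          Error.captureStackTrace(error, RequestAuthorizer2);
        }
        throw error;
      }
      (0, metadata_resource_1().addConstructMetadata)(this, props);

      // Caching counts as enabled when no TTL is given (the 5 minute default
      // applies) or the TTL is non-zero. NOTE(review): identity sources are
      // presumably what cached results are keyed on -- confirm against the
      // API Gateway documentation.
      const cachingEnabled =
        props.resultsCacheTtl === void 0 || props.resultsCacheTtl.toSeconds() !== 0;
      if (cachingEnabled && props.identitySources.length === 0) {
        throw new (errors_1()).ValidationError(
          "At least one Identity Source is required for a REQUEST-based Lambda authorizer if caching is enabled.",
          scope
        );
      }

      const restApiId = this.lazyRestApiId();
      const authorizerProps = {
        name: props.authorizerName ?? core_1().Names.uniqueId(this),
        restApiId,
        type: "REQUEST",
        authorizerUri: lambdaAuthorizerArn(props.handler),
        authorizerCredentials: props.assumeRole?.roleArn,
        // Results are cached for 5 minutes unless the caller says otherwise.
        authorizerResultTtlInSeconds:
          props.resultsCacheTtl?.toSeconds() ?? core_1().Duration.minutes(5).toSeconds(),
        identitySource: props.identitySources.map((is) => is.toString()).join(","),
      };
      this.authorizerProps = authorizerProps;

      const resource = new (apigateway_generated_1()).CfnAuthorizer(
        this,
        "Resource",
        authorizerProps
      );
      this.authorizerId = resource.ref;
      this.authorizerArn = core_1().Stack.of(this).formatArn({
        service: "execute-api",
        resource: restApiId,
        resourceName: `authorizers/${this.authorizerId}`,
      });
      // Must run after authorizerArn is set: the default permission uses it as sourceArn.
      this.setupPermissions();
    }
    static {
      __runInitializers(_classThis, _classExtraInitializers);
    }
  };
  return (RequestAuthorizer2 = _classThis);
})();
exports.RequestAuthorizer = RequestAuthorizer;

/**
 * Builds the API Gateway integration URI used to invoke `handler` as an
 * authorizer. Region and partition are taken from the function's own ARN.
 * @param handler object exposing `functionArn`
 * @returns {string} `arn:<partition>:apigateway:<region>:lambda:path/2015-03-31/functions/<functionArn>/invocations`
 */
function lambdaAuthorizerArn(handler) {
  const { region, partition } = core_1().Arn.split(
    handler.functionArn,
    core_1().ArnFormat.COLON_RESOURCE_NAME
  );
  return `arn:${partition}:apigateway:${region}:lambda:path/2015-03-31/functions/${handler.functionArn}/invocations`;
}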