Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor(apigateway): authorization models #1995

Merged
merged 3 commits into from
May 23, 2022
Merged

refactor(apigateway): authorization models #1995

merged 3 commits into from
May 23, 2022

Conversation

ml019
Copy link
Contributor

@ml019 ml019 commented May 21, 2022

Intent of Change

  • Refactor (non-breaking change which improves the structure or operation of the implementation)

Description

Support additional model values for the case of IP filtering in combination with a lambda authorizer. Also rename the config attribute to more correctly reflect its purpose in controlling authorization rather than authentication.

Motivation and Context

When used with a lambda authorizer, the default value of "IP" incorrectly provides an explict ALLOW rather than relying on it to come from the policy provided by the authorizer. By providing explicit values to be used with the authorizer, the configuration can be validated as appropriate.

How Has This Been Tested?

Local template generation

Related Changes

Prerequisite PRs:

  • None

Dependent PRs:

  • None

Consumer Actions:

  • None

@ml019 ml019 requested a review from a team May 21, 2022 07:12
@ml019 ml019 self-assigned this May 21, 2022
@ml019 ml019 mentioned this pull request May 21, 2022
Merged
roleyfoley
roleyfoley suggested changes May 21, 2022
View reviewed changes
providers/shared/components/apigateway/id.ftl Show resolved Hide resolved
providers/shared/components/apigateway/id.ftl Outdated
"Values" : ["IP", "SIG4ORIP", "SIG4ANDIP"],
"Values" : [
"IP",
"SIG4ORIP", "SIG4_OR_IP",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should SIG4 move to the aws provider as an extension attribute? Its very specific to AWS

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably but it has been like that so long removing it would require a breaking change.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could make the others I'm adding AWS specific and leave the unhyphenated ones as is?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've moved the new SIG4_* values to the AWS provider and prefixed them. We can plan to remove the shared values in a future breaking change - #1997

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can also add shared: in the aws provider to keep them using the existing value while also adding the prefixed version

https://github.com/hamlet-io/engine-plugin-aws/blob/bb0c68eb47dd6bc8f275808979d655af1fb2685e/aws/components/ecs/id.ftl#L101

Has an example of that for the awsvpc network mode on containers

@ml019 ml019 force-pushed the refactor-api-gateway-resource-policies branch 2 times, most recently from 951e276 to 30e60b7 Compare May 23, 2022 00:30
ml019 added 3 commits May 23, 2022 10:31
@ml019
refactor(apigateway): authorization models
b36c531 
Support additional values for the case of IP filtering in combination
with a lambda authorizer. Also rename the config attribute to
more correctly reflect its purpose in controlling authorization
rather than authentication.

When used with a lambda authorizer, the default value of "IP"
incorrectly provides an explict ALLOW  rather than relying on it
to come from the policy provided by the authorizer. By providing
explicit values to be used with the authorizer, the configuration
can be validated as appropriate.
@ml019
chore(apigateway): add description
3b81ee9 
Add description of the AuthorisationModel attribute.
@ml019
fix(apigateway): remove SIG4 models
28b8aef 
As SIG4 is very AWS specific, move all SIG4 related values to the
AWS provider. The non-prefixed variant will still be included
for backwards compatability.

With the new prefixed AWS values in place, a future breaking change can
remove the non-prefixed SIG4 specific values from the AWS provider.
@ml019 ml019 force-pushed the refactor-api-gateway-resource-policies branch from 30e60b7 to 28b8aef Compare May 23, 2022 00:31
@roleyfoley roleyfoley merged commit d1f4898 into hamlet-io:master May 23, 2022
@ml019 ml019 deleted the refactor-api-gateway-resource-policies branch May 23, 2022 00:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@roleyfoley roleyfoley roleyfoley approved these changes

Assignees

@ml019 ml019

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ml019 @roleyfoley