From b36c5310de9ff3d808c9aa8ad5857ad3feb2b016 Mon Sep 17 00:00:00 2001
From: Michael Leditschke
Date: Sat, 21 May 2022 17:03:10 +1000
Subject: [PATCH 1/3] refactor(apigateway): authorization models Support additional values for the case of IP filtering in combination with a lambda authorizer. Also rename the config attribute to more correctly reflect its purpose in controlling authorization rather than authentication. When used with a lambda authorizer, the default value of "IP" incorrectly provides an explict ALLOW rather than relying on it to come from the policy provided by the authorizer. By providing explicit values to be used with the authorizer, the configuration can be validated as appropriate.
---
 providers/shared/components/apigateway/id.ftl | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/providers/shared/components/apigateway/id.ftl b/providers/shared/components/apigateway/id.ftl
index 1754ce606..6cf7e8273 100644
--- a/providers/shared/components/apigateway/id.ftl
+++ b/providers/shared/components/apigateway/id.ftl
@@ -102,9 +102,15 @@ object.
 "Default" : []
 },
 {
- "Names" : "Authentication",
+ "Names" : ["AuthorisationModel", "AuthorizationModel", "Authentication"],
 "Types" : STRING_TYPE,
- "Values" : ["IP", "SIG4ORIP", "SIG4ANDIP"],
+ "Values" : [
+ "IP",
+ "SIG4ORIP", "SIG4_OR_IP",
+ "AUTHORISER_OR_IP", "AUTHORIZER_OR_IP",
+ "SIG4ANDIP", "SIG4_AND_IP",
+ "AUTHORISER_AND_IP", "AUTHORIZER_AND_IP"
+ ],
 "Default" : "IP"
 },
 {
From 3b81ee91351502d07e9436c3008a2aa8612faf83 Mon Sep 17 00:00:00 2001
From: Michael Leditschke
Date: Sat, 21 May 2022 21:34:39 +1000
Subject: [PATCH 2/3] chore(apigateway): add description Add description of the AuthorisationModel attribute.
---
 providers/shared/components/apigateway/id.ftl | 1 +
 1 file changed, 1 insertion(+)
diff --git a/providers/shared/components/apigateway/id.ftl b/providers/shared/components/apigateway/id.ftl
index 6cf7e8273..db0f7da8b 100644
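Review bot: In the `@@ -102,9 +102,15 @@` hunk of PATCH 1/3, `"Default" : "IP"` is left as it was, so a gateway that gains a lambda authorizer without setting this attribute still gets the model the commit message describes as producing an explicit ALLOW instead of deferring to the authorizer's policy. Nothing visible in this hunk rejects that combination; if the validation is done by a provider outside this diff, it should fail the configuration when an authorizer is present and the model resolves to `IP`, rather than silently accepting the default. The value list also admits two spellings of each model (`AUTHORISER_OR_IP`/`AUTHORIZER_OR_IP`, `SIG4ORIP`/`SIG4_OR_IP`), so every consumer has to match all aliases; a consumer that tests only one spelling would presumably fall through to whatever its default branch grants, which for an authorization setting should be deny. The attribute list this entry belongs to starts and ends outside the hunk.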
--- a/providers/shared/components/apigateway/id.ftl
+++ b/providers/shared/components/apigateway/id.ftl
@@ -103,6 +103,7 @@ object.
 },
 {
 "Names" : ["AuthorisationModel", "AuthorizationModel", "Authentication"],
+ "Description" : "Model to use where IP filtering is part of the desired authorization approach",
 "Types" : STRING_TYPE,
 "Values" : [
 "IP",
From 28b8aef06d51f6361cbe26c9feac700ae31f417a Mon Sep 17 00:00:00 2001
From: Michael Leditschke
Date: Sun, 22 May 2022 19:44:36 +1000
Subject: [PATCH 3/3] fix(apigateway): remove SIG4 models As SIG4 is very AWS specific, move all SIG4 related values to the AWS provider. The non-prefixed variant will still be included for backwards compatability. With the new prefixed AWS values in place, a future breaking change can remove the non-prefixed SIG4 specific values from the AWS provider.
---
 providers/shared/components/apigateway/id.ftl | 2 --
 1 file changed, 2 deletions(-)
diff --git a/providers/shared/components/apigateway/id.ftl b/providers/shared/components/apigateway/id.ftl
index db0f7da8b..8fe2c9b0a 100644
--- a/providers/shared/components/apigateway/id.ftl
+++ b/providers/shared/components/apigateway/id.ftl
@@ -107,9 +107,7 @@ object.
 "Types" : STRING_TYPE,
 "Values" : [
 "IP",
- "SIG4ORIP", "SIG4_OR_IP",
 "AUTHORISER_OR_IP", "AUTHORIZER_OR_IP",
- "SIG4ANDIP", "SIG4_AND_IP",
 "AUTHORISER_AND_IP", "AUTHORIZER_AND_IP"
 ],
 "Default" : "IP"
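Review bot: The `"Description"` added in the `@@ -103,6 +103,7 @@` hunk of PATCH 2/3 does not say what each value grants, and it gives no hint that the default `IP` authorizes on source address alone. That is the one place a user choosing a value will read, so it should spell the models out, for example `"Description" : "How IP filtering combines with other authorization. IP: source address only, not for use with a lambda authorizer. *_OR_IP: either check may allow. *_AND_IP: both checks must allow."`, assuming OR and AND carry the meaning their names suggest. It would also help to state that `Authentication` remains in `Names` only as the previous attribute name, if that is the intent.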