feat(data-classes): Add a deny all response

Michael Brewer · Michael Brewer · commit b406365b5fa0 · 2021-08-22T11:27:10.000-07:00
Update the docs and add a deny all response
diff --git a/aws_lambda_powertools/utilities/data_classes/api_gateway_authorizer_event.py b/aws_lambda_powertools/utilities/data_classes/api_gateway_authorizer_event.py
@@ -324,6 +324,21 @@ class HttpVerb(enum.Enum):
     ALL = "*"
 
 
+DENY_ALL_RESPONSE = {
+    "principalId": "deny-all-user",
+    "policyDocument": {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Action": "execute-api:Invoke",
+                "Effect": "Deny",
+                "Resource": ["*"],
+            }
+        ],
+    },
+}
+
+
 class APIGatewayAuthorizerResponse:
     """Api Gateway HTTP API V1 payload or Rest api authorizer response helper
 
diff --git a/docs/utilities/data_classes.md b/docs/utilities/data_classes.md
@@ -96,20 +96,17 @@ Use **`APIGatewayAuthorizerRequestEvent`** for type `REQUEST` and **`APIGatewayA
 
     When the user is found, it includes the user details in the request context that will be available to the back-end, and returns a full access policy for admin users.
 
-    ```python hl_lines="2-5 29 36-42 47 49"
+    ```python hl_lines="2-6 29 36-42 47 49"
     from aws_lambda_powertools.utilities.data_classes import event_source
     from aws_lambda_powertools.utilities.data_classes.api_gateway_authorizer_event import (
+        DENY_ALL_RESPONSE,
         APIGatewayAuthorizerRequestEvent,
         APIGatewayAuthorizerResponse,
         HttpVerb,
     )
     from secrets import compare_digest
 
 
-    class UnAuthorizedError(Exception):
-        ...
-
-
     def get_user_by_token(token):
         if compare_digest(token, "admin-foo"):
             return {"id": 0, "name": "Admin", "isAdmin": True}
@@ -124,8 +121,11 @@ Use **`APIGatewayAuthorizerRequestEvent`** for type `REQUEST` and **`APIGatewayA
         user = get_user_by_token(event.get_header_value("Authorization"))
 
         if user is None:
-            # No user was found, so we raised a not authorized error
-            raise UnAuthorizedError("Not authorized to perform this action")
+            # No user was found
+            # to return 401 - `{"message":"Unauthorized"}`, but polutes lambda metrics
+            # raise Exception("Unauthorized")
+            # to return 403 - `{"message":"Forbidden"}`
+            return DENY_ALL_RESPONSE
 
         # parse the `methodArn` as an `APIGatewayRouteArn`
         arn = event.parsed_arn
diff --git a/tests/functional/data_classes/test_api_gateway_authorizer.py b/tests/functional/data_classes/test_api_gateway_authorizer.py
@@ -1,6 +1,7 @@
 import pytest
 
 from aws_lambda_powertools.utilities.data_classes.api_gateway_authorizer_event import (
+    DENY_ALL_RESPONSE,
     APIGatewayAuthorizerResponse,
     HttpVerb,
 )
@@ -145,3 +146,14 @@ def test_authorizer_response_deny_route_with_conditions(builder: APIGatewayAutho
             ],
         },
     }
+
+
+def test_deny_all():
+    # CHECK we always explicitly deny all
+    statements = DENY_ALL_RESPONSE["policyDocument"]["Statement"]
+    assert len(statements) == 1
+    assert statements[0] == {
+        "Action": "execute-api:Invoke",
+        "Effect": "Deny",
+        "Resource": ["*"],
+    }
