Add support for AWS_AIM, Congnito and custom authorizer

Author: vlewin

lib/deploy/events/apiGateway/methods.js

@@ -202,7 +202,7 @@ module.exports = {
       }
 
       const authorizerLogicalId = this.provider.naming
-        .getAuthorizerLogicalId(http.authorizer.name);
+        .getAuthorizerLogicalId(http.authorizer.name || http.authorizer);
 
       let authorizationType;
       const authorizerArn = http.authorizer.arn;

lib/deploy/events/apiGateway/validate.js

@@ -1,6 +1,7 @@
 'use strict';
 const NOT_FOUND = -1;
 const _ = require('lodash');
+const awsArnRegExs = require('../../../utils/arnRegularExpressions');
 
 module.exports = {
   httpValidate() {
@@ -15,6 +16,10 @@ module.exports = {
           http.path = this.getHttpPath(http, stateMachineName);
           http.method = this.getHttpMethod(http, stateMachineName);
 
+          if (http.authorizer) {
+            http.authorizer = this.getAuthorizer(http, stateMachineName);
+          }
+
           if (http.cors) {
             http.cors = this.getCors(http);
 
@@ -107,6 +112,123 @@ module.exports = {
     throw new this.serverless.classes.Error(errorMessage);
   },
 
+  getIntegration(http, stateMachineName) {
+    if (http.integration) {
+      // normalize the integration for further processing
+      const normalizedIntegration = http.integration.toUpperCase().replace('-', '_');
+      const allowedIntegrations = [
+        'LAMBDA_PROXY', 'LAMBDA', 'AWS', 'AWS_PROXY', 'HTTP', 'HTTP_PROXY', 'MOCK',
+      ];
+
+      // check if the user has entered a non-valid integration
+      if (allowedIntegrations.indexOf(normalizedIntegration) === NOT_FOUND) {
+        const errorMessage = [
+          `Invalid APIG integration "${http.integration}"`,
+          ` in function "${stateMachineName}".`,
+          ' Supported integrations are:',
+          ' lambda, lambda-proxy, aws, aws-proxy, http, http-proxy, mock.',
+        ].join('');
+        throw new this.serverless.classes.Error(errorMessage);
+      }
+      if (normalizedIntegration === 'LAMBDA') {
+        return 'AWS';
+      } else if (normalizedIntegration === 'LAMBDA_PROXY') {
+        return 'AWS_PROXY';
+      }
+      return normalizedIntegration;
+    }
+    return 'AWS_PROXY';
+  },
+
+  getAuthorizer(http, functionName) {
+    const authorizer = http.authorizer;
+
+    let type;
+    let name;
+    let arn;
+    let identitySource;
+    let resultTtlInSeconds;
+    let identityValidationExpression;
+    let claims;
+    let authorizerId;
+
+    if (typeof authorizer === 'string') {
+      if (authorizer.toUpperCase() === 'AWS_IAM') {
+        type = 'AWS_IAM';
+      } else if (authorizer.indexOf(':') === -1) {
+        name = authorizer;
+        arn = this.getLambdaArn(authorizer);
+      } else {
+        arn = authorizer;
+        name = this.provider.naming.extractAuthorizerNameFromArn(arn);
+      }
+    } else if (typeof authorizer === 'object') {
+      if (authorizer.type && authorizer.authorizerId) {
+        type = authorizer.type;
+        authorizerId = authorizer.authorizerId;
+      } else if (authorizer.type && authorizer.type.toUpperCase() === 'AWS_IAM') {
+        type = 'AWS_IAM';
+      } else if (authorizer.arn) {
+        arn = authorizer.arn;
+        if (_.isString(authorizer.name)) {
+          name = authorizer.name;
+        } else {
+          name = this.provider.naming.extractAuthorizerNameFromArn(arn);
+        }
+      } else if (authorizer.name) {
+        name = authorizer.name;
+        arn = this.getLambdaArn(name);
+      } else {
+        throw new this.serverless.classes.Error('Please provide either an authorizer name or ARN');
+      }
+
+      if (!type) {
+        type = authorizer.type;
+      }
+
+      resultTtlInSeconds = Number.parseInt(authorizer.resultTtlInSeconds, 10);
+      resultTtlInSeconds = Number.isNaN(resultTtlInSeconds) ? 300 : resultTtlInSeconds;
+      claims = authorizer.claims || [];
+
+      identitySource = authorizer.identitySource;
+      identityValidationExpression = authorizer.identityValidationExpression;
+    } else {
+      const errorMessage = [
+        `authorizer property in function ${functionName} is not an object nor a string.`,
+        ' The correct format is: authorizer: functionName',
+        ' OR an object containing a name property.',
+        ' Please check the docs for more info.',
+      ].join('');
+      throw new this.serverless.classes.Error(errorMessage);
+    }
+
+    if (typeof identitySource === 'undefined') {
+      identitySource = 'method.request.header.Authorization';
+    }
+
+    const integration = this.getIntegration(http);
+    if (integration === 'AWS_PROXY'
+      && typeof arn === 'string'
+      && awsArnRegExs.cognitoIdpArnExpr.test(arn)
+      && authorizer.claims) {
+      const errorMessage = [
+        'Cognito claims can only be filtered when using the lambda integration type',
+      ];
+      throw new this.serverless.classes.Error(errorMessage);
+    }
+
+    return {
+      type,
+      name,
+      arn,
+      authorizerId,
+      resultTtlInSeconds,
+      identitySource,
+      identityValidationExpression,
+      claims,
+    };
+  },
+
   getCors(http) {
     const headers = [
       'Content-Type',
@@ -164,4 +286,10 @@ module.exports = {
 
     return cors;
   },
+
+  getLambdaArn(name) {
+    this.serverless.service.getFunction(name);
+    const lambdaLogicalId = this.provider.naming.getLambdaLogicalId(name);
+    return { 'Fn::GetAtt': [lambdaLogicalId, 'Arn'] };
+  },
 };