Adding example

leandrodamascena · leandrodamascena · commit 5ab15ddd57de · 2025-01-24T15:27:36.000Z
diff --git a/aws_lambda_powertools/utilities/data_classes/transfer_family_event.py b/aws_lambda_powertools/utilities/data_classes/transfer_family_event.py
@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import json
 from typing import Any, Literal
 
 from aws_lambda_powertools.utilities.data_classes.common import (
@@ -62,7 +63,7 @@ def _build_authentication_response(
             if not home_directory_details:
                 raise ValueError("home_directory_details must be set when home_directory_type is LOGICAL")
 
-            response["HomeDirectoryDetails"] = [home_directory_details]
+            response["HomeDirectoryDetails"] = json.dumps([home_directory_details])
 
         else:
             raise ValueError(f"Invalid home_directory_type: {home_directory_type}")
diff --git a/docs/utilities/data_classes.md b/docs/utilities/data_classes.md
@@ -108,8 +108,8 @@ Log Data Event for Troubleshooting
 | [SES](#ses)                                                                   | `SESEvent`                                         |
 | [SNS](#sns)                                                                   | `SNSEvent`                                         |
 | [SQS](#sqs)                                                                   | `SQSEvent`                                         |
-| [TransferFamilyAuthorizer]                                                    | `TransferFamilyAuthorizer`                         |
-| [TransferFamilyAuthorizerResponse]                                            | `TransferFamilyAuthorizerResponse`                 |
+| [TransferFamilyAuthorizer](#transfer-family-authorizer)                       | `TransferFamilyAuthorizer`                         |
+| [TransferFamilyAuthorizerResponse](#transfer-family-authorizer)               | `TransferFamilyAuthorizerResponse`                 |
 | [VPC Lattice V2](#vpc-lattice-v2)                                             | `VPCLatticeV2Event`                                |
 | [VPC Lattice V1](#vpc-lattice-v1)                                             | `VPCLatticeEvent`                                  |
 
@@ -1257,6 +1257,32 @@ AWS Secrets Manager rotation uses an AWS Lambda function to update the secret. [
             do_something_with(record.body)
     ```
 
+### Transfer Family Authorizer
+
+AWS Transfer Family allows using Lambda as a custom identity provider. This enables integration with various identity providers like Okta, Secrets Manager, OneLogin, or custom data stores for authentication and authorization.
+
+=== "transfer_family_authorizer_efs.py"
+
+    ```python hl_lines="8 9 16 23 43"
+    --8<-- "examples/event_sources/src/transfer_family_authorizer_efs.py"
+    ```
+
+    1. You can use the method `build_authentication_response_efs` to build a response to AWS Transfer Family
+
+=== "transfer_family_authorizer_s3.py"
+
+    ```python hl_lines="8 9 16 23 43"
+    --8<-- "examples/event_sources/src/transfer_family_authorizer_s3.py"
+    ```
+
+    1. You can use the method `build_authentication_response_s3` to build a response to AWS Transfer Family
+
+=== "Transfer Family Authorizer Example Event"
+
+    ```json
+    --8<-- "examples/event_sources/src/transfer_family_authorizer_payload.json"
+    ```
+
 ### VPC Lattice V2
 
 You can register your Lambda functions as targets within an Amazon VPC Lattice service network. By doing this, your Lambda function becomes a service within the network, and clients that have access to the VPC Lattice service network can call your service using [Payload V2](https://docs.aws.amazon.com/lambda/latest/dg/services-vpc-lattice.html#vpc-lattice-receiving-events){target="_blank"}.
diff --git a/examples/event_sources/src/transfer_family_authorizer_efs.py b/examples/event_sources/src/transfer_family_authorizer_efs.py
@@ -0,0 +1,57 @@
+from __future__ import annotations
+
+from typing import Any
+
+from aws_lambda_powertools import Logger
+from aws_lambda_powertools.utilities import parameters
+from aws_lambda_powertools.utilities.data_classes import (
+    TransferFamilyAuthorizer,
+    TransferFamilyAuthorizerResponse,
+    event_source,
+)
+from aws_lambda_powertools.utilities.typing import LambdaContext
+
+logger = Logger()
+
+@event_source(data_class=TransferFamilyAuthorizer)
+def lambda_handler(event: TransferFamilyAuthorizer, context: LambdaContext):
+
+    username = event.username
+    password = event.password or None
+
+    response: dict[str, Any] = {}
+    build_response = TransferFamilyAuthorizerResponse()
+
+    try:
+        user_data = parameters.get_secret(f"/sftp/{username}", transform="json")
+
+        logger.info(f"Credentials found for user {username}")
+
+        stored_username = user_data["username"]
+        stored_secret = user_data["password"]
+        stored_gid = user_data["gid"]
+        stored_uid = user_data["uid"]
+        stored_role = user_data["role"]
+        stored_directory = user_data["efs-server"]
+        stored_entry = user_data["entry"]
+        stored_directory_type = user_data["directory-type"]
+        home_directory_details = {"Entry": stored_entry, "Target": stored_directory}
+
+        if username == stored_username and password == stored_secret:
+            logger.info(f"User {username} informed a valid password")
+
+            response = build_response.build_authentication_response_efs( # (1)!
+                role_arn=stored_role,
+                user_gid=stored_gid,
+                user_uid=stored_uid,
+                home_directory_type=stored_directory_type,
+                home_directory_details=home_directory_details,
+            )
+        else:
+            logger.info(f"User {username} informed a invalid password")
+
+    except Exception as e:
+        logger.exception(e)
+        logger.info(f"Credentials not valid for user {username}")
+
+    return response
diff --git a/examples/event_sources/src/transfer_family_authorizer_payload.json b/examples/event_sources/src/transfer_family_authorizer_payload.json
@@ -0,0 +1,8 @@
+{
+    "username": "value",
+    "password": "value",
+    "protocol": "SFTP",
+    "serverId": "s-abcd123456",
+    "sourceIp": "192.168.0.100"
+  }
+  
diff --git a/examples/event_sources/src/transfer_family_authorizer_s3.py b/examples/event_sources/src/transfer_family_authorizer_s3.py
@@ -0,0 +1,57 @@
+from __future__ import annotations
+
+from typing import Any
+
+from aws_lambda_powertools import Logger
+from aws_lambda_powertools.utilities import parameters
+from aws_lambda_powertools.utilities.data_classes import (
+    TransferFamilyAuthorizer,
+    TransferFamilyAuthorizerResponse,
+    event_source,
+)
+from aws_lambda_powertools.utilities.typing import LambdaContext
+
+logger = Logger()
+
+@event_source(data_class=TransferFamilyAuthorizer)
+def lambda_handler(event: TransferFamilyAuthorizer, context: LambdaContext):
+
+    username = event.username
+    password = event.password or None
+
+    response: dict[str, Any] = {}
+    build_response = TransferFamilyAuthorizerResponse()
+
+    try:
+        user_data = parameters.get_secret(f"/sftp/{username}", transform="json")
+
+        logger.info(f"Credentials found for user {username}")
+
+        stored_username = user_data["username"]
+        stored_secret = user_data["password"]
+        stored_gid = user_data["gid"]
+        stored_uid = user_data["uid"]
+        stored_role = user_data["role"]
+        stored_directory = user_data["efs-server"]
+        stored_entry = user_data["entry"]
+        stored_directory_type = user_data["directory-type"]
+        home_directory_details = {"Entry": stored_entry, "Target": stored_directory}
+
+        if username == stored_username and password == stored_secret:
+            logger.info(f"User {username} informed a valid password")
+
+            response = build_response.build_authentication_response_efs( # (1)!
+                role_arn=stored_role,
+                user_gid=stored_gid,
+                user_uid=stored_uid,
+                home_directory_type=stored_directory_type,
+                home_directory_details=home_directory_details,
+            )
+        else:
+            logger.info(f"User {username} informed a invalid password")
+
+    except Exception as e:
+        logger.exception(e)
+        logger.info(f"Credentials not valid for user {username}")
+
+    return response
diff --git a/tests/unit/data_classes/required_dependencies/test_transfer_family_event.py b/tests/unit/data_classes/required_dependencies/test_transfer_family_event.py
@@ -1,3 +1,5 @@
+import json
+
 import pytest
 
 from aws_lambda_powertools.utilities.data_classes.transfer_family_event import (
@@ -52,7 +54,7 @@ def test_build_authentication_response_s3(home_directory_type):
         assert response.get("HomeDirectory") == home_directory
         assert "HomeDirectoryDetails" not in response
     else:
-        assert response.get("HomeDirectoryDetails") == [home_directory_details]
+        assert response.get("HomeDirectoryDetails") == json.dumps([home_directory_details])
         assert "HomeDirectory" not in response
 
 
@@ -86,7 +88,7 @@ def test_build_authentication_response_efs(home_directory_type):
         assert response.get("HomeDirectory") == home_directory
         assert "HomeDirectoryDetails" not in response
     else:
-        assert response.get("HomeDirectoryDetails") == [home_directory_details]
+        assert response.get("HomeDirectoryDetails") == json.dumps([home_directory_details])
         assert "HomeDirectory" not in response
 
 
