feat: add oauth2 to webui

rubenfonseca · rubenfonseca · commit 8994ec1cf2e1 · 2024-04-15T17:19:23.000+02:00
diff --git a/aws_lambda_powertools/event_handler/api_gateway.py b/aws_lambda_powertools/event_handler/api_gateway.py
@@ -34,7 +34,6 @@
 from aws_lambda_powertools.event_handler.exceptions import NotFoundError, ServiceError
 from aws_lambda_powertools.event_handler.openapi.constants import DEFAULT_API_VERSION, DEFAULT_OPENAPI_VERSION
 from aws_lambda_powertools.event_handler.openapi.exceptions import RequestValidationError
-from aws_lambda_powertools.event_handler.openapi.swagger_ui.html import generate_swagger_html
 from aws_lambda_powertools.event_handler.openapi.types import (
     COMPONENT_REF_PREFIX,
     METHODS_WITH_BODY,
@@ -88,7 +87,9 @@
         Tag,
     )
     from aws_lambda_powertools.event_handler.openapi.params import Dependant
-    from aws_lambda_powertools.event_handler.openapi.swagger_ui.oauth2 import OAuth2Config
+    from aws_lambda_powertools.event_handler.openapi.swagger_ui.oauth2 import (
+        OAuth2Config,
+    )
     from aws_lambda_powertools.event_handler.openapi.types import (
         TypeModelOrEnum,
     )
@@ -1738,9 +1739,25 @@ def enable_swagger(
         """
         from aws_lambda_powertools.event_handler.openapi.compat import model_json
         from aws_lambda_powertools.event_handler.openapi.models import Server
+        from aws_lambda_powertools.event_handler.openapi.swagger_ui import (
+            generate_oauth2_redirect_html,
+            generate_swagger_html,
+        )
 
         @self.get(path, middlewares=middlewares, include_in_schema=False, compress=compress)
         def swagger_handler():
+            query_params = self.current_event.query_string_parameters or {}
+
+            # Check for query parameters; if "format" is specified as "oauth2-redirect",
+            # send the oauth2-redirect HTML stanza so OAuth2 can be used
+            # Source: https://github.com/swagger-api/swagger-ui/blob/master/dist/oauth2-redirect.html
+            if query_params.get("format") == "oauth2-redirect":
+                return Response(
+                    status_code=200,
+                    content_type="text/html",
+                    body=generate_oauth2_redirect_html(),
+                )
+
             base_path = self._get_base_path()
 
             if swagger_base_url:
@@ -1783,7 +1800,6 @@ def swagger_handler():
             # Check for query parameters; if "format" is specified as "json",
             # respond with the JSON used in the OpenAPI spec
             # Example: https://www.example.com/swagger?format=json
-            query_params = self.current_event.query_string_parameters or {}
             if query_params.get("format") == "json":
                 return Response(
                     status_code=200,
diff --git a/aws_lambda_powertools/event_handler/openapi/swagger_ui/__init__.py b/aws_lambda_powertools/event_handler/openapi/swagger_ui/__init__.py
@@ -0,0 +1,15 @@
+from aws_lambda_powertools.event_handler.openapi.swagger_ui.html import (
+    generate_swagger_html,
+)
+from aws_lambda_powertools.event_handler.openapi.swagger_ui.oauth2 import (
+    OAuth2Config,
+    OAuth2UnsafeConfig,
+    generate_oauth2_redirect_html,
+)
+
+__all__ = [
+    "generate_swagger_html",
+    "generate_oauth2_redirect_html",
+    "OAuth2Config",
+    "OAuth2UnsafeConfig",
+]
diff --git a/aws_lambda_powertools/event_handler/openapi/swagger_ui/html.py b/aws_lambda_powertools/event_handler/openapi/swagger_ui/html.py
@@ -66,6 +66,9 @@ def generate_swagger_html(
 {swagger_js_content}
 
 <script>
+  var currentUrl = new URL(window.location.href);
+  var baseUrl = currentUrl.protocol + "//" + currentUrl.host + currentUrl.pathname;
+
   var swaggerUIOptions = {{
     dom_id: "#swagger-ui",
     docExpansion: "list",
@@ -81,7 +84,9 @@ def generate_swagger_html(
     ],
     plugins: [
       SwaggerUIBundle.plugins.DownloadUrl
-    ]
+    ],
+    withCredentials: true,
+    oauth2RedirectUrl: baseUrl + "?format=oauth2-redirect",
   }}
 
   var ui = SwaggerUIBundle(swaggerUIOptions)
diff --git a/aws_lambda_powertools/event_handler/openapi/swagger_ui/oauth2.py b/aws_lambda_powertools/event_handler/openapi/swagger_ui/oauth2.py
@@ -1,4 +1,5 @@
-from typing import Dict, Sequence
+# ruff: noqa: E501
+from typing import Dict, Optional, Sequence
 
 from pydantic import BaseModel, Field
 
@@ -7,15 +8,32 @@
 
 # Based on https://swagger.io/docs/open-source-tools/swagger-ui/usage/oauth2/
 class OAuth2Config(BaseModel):
+    """
+    OAuth2 configuration for Swagger UI
+    """
+
+    # The client ID for the OAuth2 application
     clientId: str = Field(alias="client_id")
-    realm: str
+
+    # The realm in which the OAuth2 application is registered. Optional.
+    realm: Optional[str]
+
+    # The name of the OAuth2 application
     appName: str = Field(alias="app_name")
+
+    # The scopes that the OAuth2 application requires. Defaults to an empty list.
     scopes: Sequence[str] = Field(default=[])
+
+    # Additional query string parameters to be included in the OAuth2 request. Defaults to an empty dictionary.
     additionalQueryStringParams: Dict[str, str] = Field(alias="additional_query_string_params", default={})
+
+    # Whether to use basic authentication with the access code grant type. Defaults to False.
     useBasicAuthenticationWithAccessCodeGrant: bool = Field(
         alias="use_basic_authentication_with_access_code_grant",
         default=False,
     )
+
+    # Whether to use PKCE with the authorization code grant type. Defaults to False.
     usePkceWithAuthorizationCodeGrant: bool = Field(alias="use_pkce_with_authorization_code_grant", default=False)
 
     if PYDANTIC_V2:
@@ -25,3 +43,100 @@ class OAuth2Config(BaseModel):
         class Config:
             extra = "allow"
             allow_population_by_field_name = True
+
+
+class OAuth2UnsafeConfig(OAuth2Config):
+    """
+    This class extends the OAuth2Config class and includes the client secret.
+    This class NEVER BE USED IN PRODUCTION as it will expose sensitive information.
+    """
+
+    # The client secret for the OAuth2 application. This is sensitive information.
+    clientSecret: str = Field(alias="client_secret")
+
+
+def generate_oauth2_redirect_html() -> str:
+    """
+    Generates the HTML content for the OAuth2 redirect page.
+    """
+    return """
+<!doctype html>
+<html lang="en-US">
+<head>
+    <title>Swagger UI: OAuth2 Redirect</title>
+</head>
+<body>
+<script>
+    'use strict';
+    function run () {
+        var oauth2 = window.opener.swaggerUIRedirectOauth2;
+        var sentState = oauth2.state;
+        var redirectUrl = oauth2.redirectUrl;
+        var isValid, qp, arr;
+
+        if (/code|token|error/.test(window.location.hash)) {
+            qp = window.location.hash.substring(1).replace('?', '&');
+        } else {
+            qp = location.search.substring(1);
+        }
+
+        arr = qp.split("&");
+        arr.forEach(function (v,i,_arr) { _arr[i] = '"' + v.replace('=', '":"') + '"';});
+        qp = qp ? JSON.parse('{' + arr.join() + '}',
+                function (key, value) {
+                    return key === "" ? value : decodeURIComponent(value);
+                }
+        ) : {};
+
+        isValid = qp.state === sentState;
+
+        if ((
+          oauth2.auth.schema.get("flow") === "accessCode" ||
+          oauth2.auth.schema.get("flow") === "authorizationCode" ||
+          oauth2.auth.schema.get("flow") === "authorization_code"
+        ) && !oauth2.auth.code) {
+            if (!isValid) {
+                oauth2.errCb({
+                    authId: oauth2.auth.name,
+                    source: "auth",
+                    level: "warning",
+                    message: "Authorization may be unsafe, passed state was changed in server. The passed state wasn't returned from auth server."
+                });
+            }
+
+            if (qp.code) {
+                delete oauth2.state;
+                oauth2.auth.code = qp.code;
+                oauth2.callback({auth: oauth2.auth, redirectUrl: redirectUrl});
+            } else {
+                let oauthErrorMsg;
+                if (qp.error) {
+                    oauthErrorMsg = "["+qp.error+"]: " +
+                        (qp.error_description ? qp.error_description+ ". " : "no accessCode received from the server. ") +
+                        (qp.error_uri ? "More info: "+qp.error_uri : "");
+                }
+
+                oauth2.errCb({
+                    authId: oauth2.auth.name,
+                    source: "auth",
+                    level: "error",
+                    message: oauthErrorMsg || "[Authorization failed]: no accessCode received from the server."
+                });
+            }
+        } else {
+            oauth2.callback({auth: oauth2.auth, token: qp, isValid: isValid, redirectUrl: redirectUrl});
+        }
+        window.close();
+    }
+
+    if (document.readyState !== 'loading') {
+        run();
+    } else {
+        document.addEventListener('DOMContentLoaded', function () {
+            run();
+        });
+    }
+</script>
+</body>
+</html>
+    """.strip()
