fix(cognito): UserPoolDomain.baseUrl() does not return FIPS-compliant url for gov cloud regions (#20200)

laurelmay · web-flow · commit dd10df1c84ea · 2022-05-05T02:06:51.000Z
This ensures that users in GovCloud can retrieve a URL that works in their region and allows users in us-{east,west}-{1,2} to also use the FIPs endpoints. Partially discussed in #20182. Resolves #12500 ---- ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts
@@ -152,18 +152,21 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
 
   /**
    * The URL to the hosted UI associated with this domain
+   *
+   * @param options options to customize baseUrl
    */
-  public baseUrl(): string {
+  public baseUrl(options?: BaseUrlOptions): string {
     if (this.isCognitoDomain) {
-      return `https://${this.domainName}.auth.${Stack.of(this).region}.amazoncognito.com`;
+      const authDomain = 'auth' + (options?.fips ? '-fips' : '');
+      return `https://${this.domainName}.${authDomain}.${Stack.of(this).region}.amazoncognito.com`;
     }
     return `https://${this.domainName}`;
   }
 
   /**
    * The URL to the sign in page in this domain using a specific UserPoolClient
    * @param client [disable-awslint:ref-via-interface] the user pool client that the UI will use to interact with the UserPool
-   * @param options options to customize the behaviour of this method.
+   * @param options options to customize signInUrl.
    */
   public signInUrl(client: UserPoolClient, options: SignInUrlOptions): string {
     let responseType: string;
@@ -175,14 +178,26 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
       throw new Error('signInUrl is not supported for clients without authorizationCodeGrant or implicitCodeGrant flow enabled');
     }
     const path = options.signInPath ?? '/login';
-    return `${this.baseUrl()}${path}?client_id=${client.userPoolClientId}&response_type=${responseType}&redirect_uri=${options.redirectUri}`;
+    return `${this.baseUrl(options)}${path}?client_id=${client.userPoolClientId}&response_type=${responseType}&redirect_uri=${options.redirectUri}`;
   }
 }
 
+/**
+ * Options to customize the behaviour of `baseUrl()`
+ */
+export interface BaseUrlOptions {
+  /**
+   * Whether to return the FIPS-compliant endpoint
+   *
+   * @default return the standard URL
+   */
+  readonly fips?: boolean;
+}
+
 /**
  * Options to customize the behaviour of `signInUrl()`
  */
-export interface SignInUrlOptions {
+export interface SignInUrlOptions extends BaseUrlOptions {
   /**
    * Where to redirect to after sign in
    */
diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts
@@ -164,6 +164,62 @@ describe('User Pool Client', () => {
     Template.fromStack(stack).resourceCountIs('AWS::Cognito::UserPoolDomain', 0);
   });
 
+  describe('baseUrl', () => {
+    test('returns the expected standard URL', () => {
+      // GIVEN
+      const stack = new Stack();
+      const pool = new UserPool(stack, 'Pool');
+      const domain = pool.addDomain('Domain', {
+        cognitoDomain: {
+          domainPrefix: 'cognito-domain-prefix',
+        },
+      });
+
+      // WHEN
+      const baseUrl = domain.baseUrl();
+
+      // THEN
+      expect(stack.resolve(baseUrl)).toEqual({
+        'Fn::Join': [
+          '', [
+            'https://',
+            { Ref: 'PoolDomainCFC71F56' },
+            '.auth.',
+            { Ref: 'AWS::Region' },
+            '.amazoncognito.com',
+          ],
+        ],
+      });
+    });
+
+    test('returns the expected FIPS-compliant endpoint URL', () => {
+      // GIVEN
+      const stack = new Stack();
+      const pool = new UserPool(stack, 'Pool');
+      const domain = pool.addDomain('Domain', {
+        cognitoDomain: {
+          domainPrefix: 'cognito-domain-prefix',
+        },
+      });
+
+      // WHEN
+      const baseUrl = domain.baseUrl({ fips: true });
+
+      // THEN
+      expect(stack.resolve(baseUrl)).toEqual({
+        'Fn::Join': [
+          '', [
+            'https://',
+            { Ref: 'PoolDomainCFC71F56' },
+            '.auth-fips.',
+            { Ref: 'AWS::Region' },
+            '.amazoncognito.com',
+          ],
+        ],
+      });
+    });
+  });
+
   describe('signInUrl', () => {
     test('returns the expected URL', () => {
       // GIVEN
