forked from aws-powertools/powertools-lambda-python
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathtest_api_gateway_authorizer.py
180 lines (154 loc) · 6.14 KB
/
test_api_gateway_authorizer.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
import pytest
from aws_lambda_powertools.utilities.data_classes.api_gateway_authorizer_event import (
DENY_ALL_RESPONSE,
APIGatewayAuthorizerResponse,
HttpVerb,
)
@pytest.fixture
def builder():
return APIGatewayAuthorizerResponse("foo", "us-west-1", "123456789", "fantom", "dev")
def test_authorizer_response_no_statement(builder: APIGatewayAuthorizerResponse):
# GIVEN a builder with no statements
with pytest.raises(ValueError) as ex:
# WHEN calling build
builder.asdict()
# THEN raise a name error for not statements
assert str(ex.value) == "No statements defined for the policy"
def test_authorizer_response_invalid_verb(builder: APIGatewayAuthorizerResponse):
with pytest.raises(ValueError, match="Invalid HTTP verb: 'INVALID'"):
# GIVEN a invalid http_method
# WHEN calling deny_method
builder.deny_route(http_method="INVALID", resource="foo")
def test_authorizer_response_invalid_resource(builder: APIGatewayAuthorizerResponse):
with pytest.raises(ValueError, match="Invalid resource path: \$."): # noqa: W605
# GIVEN a invalid resource path "$"
# WHEN calling deny_method
builder.deny_route(http_method=HttpVerb.GET.value, resource="$")
def test_authorizer_response_allow_all_routes_with_context():
arn = "arn:aws:execute-api:us-west-1:123456789:fantom/dev/GET/foo"
builder = APIGatewayAuthorizerResponse.from_route_arn(arn, principal_id="foo", context={"name": "Foo"})
builder.allow_all_routes()
assert builder.asdict() == {
"principalId": "foo",
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Allow",
"Resource": ["arn:aws:execute-api:us-west-1:123456789:fantom/dev/*/*"],
}
],
},
"context": {"name": "Foo"},
}
def test_authorizer_response_allow_all_routes_with_usage_identifier_key():
arn = "arn:aws:execute-api:us-east-1:1111111111:api/dev/ANY/y"
builder = APIGatewayAuthorizerResponse.from_route_arn(arn, principal_id="cow", usage_identifier_key="key")
builder.allow_all_routes()
assert builder.asdict() == {
"principalId": "cow",
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Allow",
"Resource": ["arn:aws:execute-api:us-east-1:1111111111:api/dev/*/*"],
}
],
},
"usageIdentifierKey": "key",
}
def test_authorizer_response_deny_all_routes(builder: APIGatewayAuthorizerResponse):
builder.deny_all_routes()
assert builder.asdict() == {
"principalId": "foo",
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Deny",
"Resource": ["arn:aws:execute-api:us-west-1:123456789:fantom/dev/*/*"],
}
],
},
}
def test_authorizer_response_allow_route(builder: APIGatewayAuthorizerResponse):
builder.allow_route(http_method=HttpVerb.GET.value, resource="/foo")
assert builder.asdict() == {
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Allow",
"Resource": ["arn:aws:execute-api:us-west-1:123456789:fantom/dev/GET/foo"],
}
],
},
"principalId": "foo",
}
def test_authorizer_response_deny_route(builder: APIGatewayAuthorizerResponse):
builder.deny_route(http_method=HttpVerb.PUT.value, resource="foo")
assert builder.asdict() == {
"principalId": "foo",
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Deny",
"Resource": ["arn:aws:execute-api:us-west-1:123456789:fantom/dev/PUT/foo"],
}
],
},
}
def test_authorizer_response_allow_route_with_conditions(builder: APIGatewayAuthorizerResponse):
condition = {"StringEquals": {"method.request.header.Content-Type": "text/html"}}
builder.allow_route(
http_method=HttpVerb.POST.value,
resource="/foo",
conditions=[condition],
)
assert builder.asdict() == {
"principalId": "foo",
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Allow",
"Resource": ["arn:aws:execute-api:us-west-1:123456789:fantom/dev/POST/foo"],
"Condition": [{"StringEquals": {"method.request.header.Content-Type": "text/html"}}],
}
],
},
}
def test_authorizer_response_deny_route_with_conditions(builder: APIGatewayAuthorizerResponse):
condition = {"StringEquals": {"method.request.header.Content-Type": "application/json"}}
builder.deny_route(http_method=HttpVerb.POST.value, resource="/foo", conditions=[condition])
assert builder.asdict() == {
"principalId": "foo",
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Deny",
"Resource": ["arn:aws:execute-api:us-west-1:123456789:fantom/dev/POST/foo"],
"Condition": [{"StringEquals": {"method.request.header.Content-Type": "application/json"}}],
}
],
},
}
def test_deny_all():
# CHECK we always explicitly deny all
statements = DENY_ALL_RESPONSE["policyDocument"]["Statement"]
assert len(statements) == 1
assert statements[0] == {
"Action": "execute-api:Invoke",
"Effect": "Deny",
"Resource": ["*"],
}