Merge pull request #219 from horike37/feature/custom_authorizer_perm

feat: generate LambdaPermission for authorizers

Author: horike37

lib/deploy/events/apiGateway/lambdaPermissions.js

@@ -0,0 +1,64 @@
+'use strict';
+const _ = require('lodash');
+const BbPromise = require('bluebird');
+
+// a function URI looks like this
+// "Fn::Join": [
+//   "",
+//   [
+//     "arn:",
+//     { "Ref": "AWS::Partition" },
+//     ":apigateway:",
+//     { "Ref": "AWS::Region" },
+//     ":lambda:path/2015-03-31/functions/",
+//     {
+//       "Fn::GetAtt": [
+//         "HelloLambdaFunction",
+//         "Arn"
+//       ]
+//     },
+//     "/invocations"
+//   ]
+// ]
+const getFunctionLogicalId = (uri) => {
+  const parts = uri['Fn::Join'][1];
+  const functionRef = parts.find(x => _.has(x, 'Fn::GetAtt'));
+  return functionRef['Fn::GetAtt'][0];
+};
+
+const getLambdaPermission = (logicalId) => ({
+  Type: 'AWS::Lambda::Permission',
+  Properties: {
+    FunctionName: {
+      'Fn::GetAtt': [logicalId, 'Arn'],
+    },
+    Action: 'lambda:InvokeFunction',
+    Principal: {
+      'Fn::Sub': 'apigateway.${AWS::URLSuffix}',
+    },
+  },
+});
+
+module.exports = {
+  compileHttpLambdaPermissions() {
+    const resources = _.get(
+      this.serverless, 'service.provider.compiledCloudFormationTemplate.Resources', {});
+    const authorizers = _.values(resources).filter(r => r.Type === 'AWS::ApiGateway::Authorizer');
+    const customAuthorizers = authorizers.filter(r =>
+      r.Properties.Type === 'CUSTOM' || r.Properties.Type === 'TOKEN');
+    const uris = customAuthorizers.map(r => r.Properties.AuthorizerUri);
+    const funcLogicalIds = _.uniq(uris.map(getFunctionLogicalId));
+    if (_.isEmpty(funcLogicalIds)) {
+      return BbPromise.resolve();
+    }
+
+    const lambdaPermissions = _.zipObject(
+      funcLogicalIds.map(id => `${id}LambdaPermission`),
+      funcLogicalIds.map(getLambdaPermission)
+    );
+
+    _.merge(this.serverless.service.provider.compiledCloudFormationTemplate.Resources,
+      lambdaPermissions);
+    return BbPromise.resolve();
+  },
+};

lib/deploy/events/apiGateway/lambdaPermissions.test.js

@@ -0,0 +1,154 @@
+'use strict';
+
+const _ = require('lodash');
+const expect = require('chai').expect;
+const Serverless = require('serverless/lib/Serverless');
+const AwsProvider = require('serverless/lib/plugins/aws/provider/awsProvider');
+const ServerlessStepFunctions = require('./../../../index');
+
+describe('#compileHttpLambdaPermissions()', () => {
+  let serverless;
+  let serverlessStepFunctions;
+
+  beforeEach(() => {
+    serverless = new Serverless();
+    serverless.setProvider('aws', new AwsProvider(serverless));
+    serverless.service.provider.compiledCloudFormationTemplate = { Resources: {} };
+    serverless.service.service = 'new-service';
+    serverless.service.stepfunctions = {
+      stateMachines: {
+        first: {
+        },
+      },
+    };
+    serverlessStepFunctions = new ServerlessStepFunctions(serverless);
+  });
+
+  it('should not create a Lambda Permission resource when there are no Lambda authorizers', () => {
+    serverlessStepFunctions.compileHttpLambdaPermissions().then(() => {
+      const resources = serverlessStepFunctions.serverless.service.provider
+        .compiledCloudFormationTemplate.Resources;
+      const lambdaPermissions =
+        _.values(resources).filter(x => x.Type === 'AWS::Lambda::Permission');
+      expect(lambdaPermissions).to.have.lengthOf(0);
+    });
+  });
+
+  it('should create a Lambda Permission resource when there is a TOKEN authorizer', () => {
+    serverlessStepFunctions.serverless.service.provider
+      .compiledCloudFormationTemplate.Resources.HelloApiGatewayAuthorizer = {
+        Type: 'AWS::ApiGateway::Authorizer',
+        Properties: {
+          AuthorizerResultTtlInSeconds: 300,
+          IdentitySource: 'method.request.header.Authorization',
+          Name: 'hello',
+          RestApiId: {
+            Ref: 'ApiGatewayRestApi',
+          },
+          AuthorizerUri: {
+            'Fn::Join': [
+              '',
+              [
+                'arn:',
+                {
+                  Ref: 'AWS::Partition',
+                },
+                ':apigateway:',
+                {
+                  Ref: 'AWS::Region',
+                },
+                ':lambda:path/2015-03-31/functions/',
+                {
+                  'Fn::GetAtt': [
+                    'HelloLambdaFunction',
+                    'Arn',
+                  ],
+                },
+                '/invocations',
+              ],
+            ],
+          },
+          Type: 'TOKEN',
+        },
+      };
+
+    serverlessStepFunctions.compileHttpLambdaPermissions().then(() => {
+      const resources = serverlessStepFunctions.serverless.service.provider
+        .compiledCloudFormationTemplate.Resources;
+      const lambdaPermissions =
+        _.values(resources).filter(x => x.Type === 'AWS::Lambda::Permission');
+      expect(lambdaPermissions).to.have.lengthOf(1);
+      expect(lambdaPermissions[0]).to.deep.eq({
+        Type: 'AWS::Lambda::Permission',
+        Properties: {
+          FunctionName: {
+            'Fn::GetAtt': ['HelloLambdaFunction', 'Arn'],
+          },
+          Action: 'lambda:InvokeFunction',
+          Principal: {
+            'Fn::Sub': 'apigateway.${AWS::URLSuffix}',
+          },
+        },
+      });
+    });
+  });
+
+  it('should create a Lambda Permission resource when there is a CUSTOM authorizer', () => {
+    serverlessStepFunctions.serverless.service.provider
+      .compiledCloudFormationTemplate.Resources.HelloApiGatewayAuthorizer = {
+        Type: 'AWS::ApiGateway::Authorizer',
+        Properties: {
+          AuthorizerResultTtlInSeconds: 300,
+          IdentitySource: 'method.request.header.Authorization',
+          Name: 'hello',
+          RestApiId: {
+            Ref: 'ApiGatewayRestApi',
+          },
+          AuthorizerUri: {
+            'Fn::Join': [
+              '',
+              [
+                'arn:',
+                {
+                  Ref: 'AWS::Partition',
+                },
+                ':apigateway:',
+                {
+                  Ref: 'AWS::Region',
+                },
+                ':lambda:path/2015-03-31/functions/',
+                {
+                  'Fn::GetAtt': [
+                    'HelloLambdaFunction',
+                    'Arn',
+                  ],
+                },
+                '/invocations',
+              ],
+            ],
+          },
+          Type: 'CUSTOM',
+        },
+      };
+
+    serverlessStepFunctions.compileHttpLambdaPermissions().then(() => {
+      const resources = serverlessStepFunctions.serverless.service.provider
+        .compiledCloudFormationTemplate.Resources;
+      const lambdaPermissions =
+        _.values(resources).filter(x => x.Type === 'AWS::Lambda::Permission');
+      expect(lambdaPermissions).to.have.lengthOf(1);
+      expect(lambdaPermissions[0]).to.deep.eq({
+        Type: 'AWS::Lambda::Permission',
+        Properties: {
+          FunctionName: {
+            'Fn::GetAtt': ['HelloLambdaFunction', 'Arn'],
+          },
+          Action: 'lambda:InvokeFunction',
+          Principal: {
+            'Fn::Sub': 'apigateway.${AWS::URLSuffix}',
+          },
+        },
+      });
+    });
+  });
+});

lib/index.js

@@ -17,6 +17,7 @@ const httpApiKeys = require('./deploy/events/apiGateway/apiKeys');
 const httpUsagePlan = require('./deploy/events/apiGateway/usagePlan');
 const httpUsagePlanKeys = require('./deploy/events/apiGateway/usagePlanKeys');
 const httpIamRole = require('./deploy/events/apiGateway/iamRole');
+const httpLambdaPermissions = require('./deploy/events/apiGateway/lambdaPermissions');
 const httpDeployment = require('./deploy/events/apiGateway/deployment');
 const httpRestApi = require('./deploy/events/apiGateway/restApi');
 const httpInfo = require('./deploy/events/apiGateway/endpointInfo');
@@ -50,6 +51,7 @@ class ServerlessStepFunctions {
       httpResources,
       httpMethods,
       httpAuthorizers,
+      httpLambdaPermissions,
       httpCors,
       httpApiKeys,
       httpUsagePlan,
@@ -127,6 +129,7 @@ class ServerlessStepFunctions {
             .then(this.compileResources)
             .then(this.compileMethods)
             .then(this.compileAuthorizers)
+            .then(this.compileHttpLambdaPermissions)
             .then(this.compileCors)
             .then(this.compileHttpIamRole)
             .then(this.compileDeployment)

lib/index.test.js

@@ -114,6 +114,9 @@ describe('#index', () => {
          .stub(serverlessStepFunctions, 'compileMethods').returns(BbPromise.resolve());
        const compileAuthorizersStub = sinon
          .stub(serverlessStepFunctions, 'compileAuthorizers').returns(BbPromise.resolve());
+       const compileHttpLambdaPermissions = sinon
+         .stub(serverlessStepFunctions, 'compileHttpLambdaPermissions')
+         .returns(BbPromise.resolve());
        const compileCorsStub = sinon
          .stub(serverlessStepFunctions, 'compileCors').returns(BbPromise.resolve());
        const compileHttpIamRoleStub = sinon
@@ -135,6 +138,7 @@ describe('#index', () => {
            expect(compileResourcesStub.notCalled).to.be.equal(true);
            expect(compileMethodsStub.notCalled).to.be.equal(true);
            expect(compileAuthorizersStub.notCalled).to.be.equal(true);
+           expect(compileHttpLambdaPermissions.notCalled).to.be.equal(true);
            expect(compileCorsStub.notCalled).to.be.equal(true);
            expect(compileHttpIamRoleStub.notCalled).to.be.equal(true);
            expect(compileDeploymentStub.notCalled).to.be.equal(true);
@@ -148,6 +152,7 @@ describe('#index', () => {
            serverlessStepFunctions.compileResources.restore();
            serverlessStepFunctions.compileMethods.restore();
            serverlessStepFunctions.compileAuthorizers.restore();
+           serverlessStepFunctions.compileHttpLambdaPermissions.restore();
            serverlessStepFunctions.compileCors.restore();
            serverlessStepFunctions.compileHttpIamRole.restore();
            serverlessStepFunctions.compileDeployment.restore();