@adobe/helix-deploy 6.0.0 → 6.2.1

package/CHANGELOG.md

@@ -1,3 +1,31 @@
+## [6.2.1](https://github.com/adobe/helix-deploy/compare/v6.2.0...v6.2.1) (2022-01-28)
+
+
+### Bug Fixes
+
+* properly export development server ([a3b60d8](https://github.com/adobe/helix-deploy/commit/a3b60d8107285a93ba72ed99ec21112b1ee565ed))
+
+# [6.2.0](https://github.com/adobe/helix-deploy/compare/v6.1.0...v6.2.0) (2022-01-28)
+
+
+### Features
+
+* allow to set authorizer identity sources ([#363](https://github.com/adobe/helix-deploy/issues/363)) ([b4b6e30](https://github.com/adobe/helix-deploy/commit/b4b6e30f5e35449c123fcfe38fde851223fd3d4f))
+
+# [6.1.0](https://github.com/adobe/helix-deploy/compare/v6.0.1...v6.1.0) (2022-01-25)
+
+
+### Features
+
+* add AWS lambda authorizers support ([#362](https://github.com/adobe/helix-deploy/issues/362)) ([72e4def](https://github.com/adobe/helix-deploy/commit/72e4def53c5cb175447d97b70ec1de17161c1f78)), closes [#261](https://github.com/adobe/helix-deploy/issues/261) [#260](https://github.com/adobe/helix-deploy/issues/260)
+
+## [6.0.1](https://github.com/adobe/helix-deploy/compare/v6.0.0...v6.0.1) (2022-01-24)
+
+
+### Bug Fixes
+
+* **deps:** update external fixes ([#360](https://github.com/adobe/helix-deploy/issues/360)) ([93a99c3](https://github.com/adobe/helix-deploy/commit/93a99c33357c92d4ca2aab6c591acc3f8ed4b400))
+
 # [6.0.0](https://github.com/adobe/helix-deploy/compare/v5.1.0...v6.0.0) (2022-01-18)
 
 

package/index.js

@@ -9,16 +9,8 @@
  * OF ANY KIND, either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
-const ActionBuilder = require('./src/ActionBuilder.js');
-const Bundler = require('./src/bundler/WebpackBundler.js');
-const BaseConfig = require('./src/BaseConfig.js');
-const CLI = require('./src/cli.js');
-const DevelopmentServer = require('./src/DevelopmentServer.js');
-
-module.exports = {
-  ActionBuilder,
-  Bundler,
-  BaseConfig,
-  CLI,
-  DevelopmentServer,
-};
+export { default as ActionBuilder } from './src/ActionBuilder.js';
+export { default as Bundler } from './src/bundler/WebpackBundler.js';
+export { default as BaseConfig } from './src/BaseConfig.js';
+export { default as CLI } from './src/cli.js';
+export { default as DevelopmentServer } from './src/DevelopmentServer.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-deploy",
-  "version": "6.0.0",
+  "version": "6.2.1",
   "description": "Library and Commandline Tools to build and deploy OpenWhisk Actions",
   "license": "Apache-2.0",
   "homepage": "https://github.com/adobe/helix-deploy#readme",
@@ -39,35 +39,35 @@
   "dependencies": {
     "@adobe/fastly-native-promises": "2.0.0",
     "@adobe/helix-fetch": "3.0.0",
-    "@aws-sdk/client-apigatewayv2": "3.47.0",
-    "@aws-sdk/client-lambda": "3.47.0",
-    "@aws-sdk/client-s3": "3.47.0",
-    "@aws-sdk/client-secrets-manager": "3.47.0",
-    "@aws-sdk/client-ssm": "3.47.0",
+    "@aws-sdk/client-apigatewayv2": "3.48.0",
+    "@aws-sdk/client-lambda": "3.48.0",
+    "@aws-sdk/client-s3": "3.48.0",
+    "@aws-sdk/client-secrets-manager": "3.48.0",
+    "@aws-sdk/client-ssm": "3.48.0",
     "@fastly/js-compute": "0.2.1",
     "@google-cloud/functions": "1.2.0",
     "@google-cloud/secret-manager": "3.10.1",
-    "@google-cloud/storage": "5.17.0",
+    "@google-cloud/storage": "5.18.0",
     "@rollup/plugin-alias": "3.1.9",
     "@rollup/plugin-commonjs": "21.0.1",
     "@rollup/plugin-json": "4.1.0",
     "@rollup/plugin-node-resolve": "13.1.3",
     "archiver": "5.3.0",
-    "chalk-template": "0.3.0",
+    "chalk-template": "0.3.1",
     "constants-browserify": "1.0.0",
-    "dotenv": "14.1.0",
+    "dotenv": "14.2.0",
     "express": "4.17.2",
     "form-data": "4.0.0",
     "fs-extra": "10.0.0",
     "get-stream": "6.0.1",
-    "isomorphic-git": "1.10.4",
+    "isomorphic-git": "1.10.5",
     "openwhisk": "3.21.6",
     "proxyquire": "2.1.3",
-    "rollup": "2.64.0",
+    "rollup": "2.66.0",
     "rollup-plugin-terser": "7.0.2",
     "semver": "7.3.5",
     "tar": "6.1.11",
-    "webpack": "5.66.0",
+    "webpack": "5.67.0",
     "yargs": "17.3.1"
   },
   "devDependencies": {
@@ -85,12 +85,12 @@
     "eslint-plugin-header": "3.1.1",
     "eslint-plugin-import": "2.25.4",
     "husky": "7.0.4",
-    "lint-staged": "12.1.7",
+    "lint-staged": "12.3.1",
     "mocha": "9.1.4",
     "mocha-junit-reporter": "2.0.2",
     "mocha-multi-reporters": "1.5.1",
     "nock": "13.2.2",
-    "semantic-release": "18.0.1",
+    "semantic-release": "19.0.2",
     "sinon": "12.0.1",
     "yauzl": "2.10.0"
   },

package/src/cli.js

@@ -41,7 +41,9 @@ export default class CLI {
       .env('HLX');
     BaseConfig.yarg(this._yargs);
     PLUGINS.forEach((PluginClass) => PluginClass.Config.yarg(this._yargs));
-    this._yargs.help();
+    this._yargs
+      .wrap(Math.min(120, this._yargs.terminalWidth()))
+      .help();
   }
 
   prepare(args) {

package/src/deploy/AWSConfig.js

@@ -24,6 +24,9 @@ export default class AWSConfig {
       createRoutes: false,
       lambdaFormat: DEFAULT_LAMBDA_FORMAT,
       parameterMgr: ['system', 'secret'],
+      createAuthorizer: '',
+      attachAuthorizer: '',
+      identitySources: ['$request.header.Authorization'],
     });
   }
 
@@ -33,6 +36,9 @@ export default class AWSConfig {
       .withAWSRole(argv.awsRole)
       .withAWSApi(argv.awsApi)
       .withAWSLambdaFormat(argv.awsLambdaFormat)
+      .withAWSCreateAuthorizer(argv.awsCreateAuthorizer)
+      .withAWSAttachAuthorizer(argv.awsAttachAuthorizer)
+      .withAWSIdentitySources(argv.awsIdentitySource)
       .withAWSCleanUpBuckets(argv.awsCleanupBuckets)
       .withAWSCleanUpIntegrations(argv.awsCleanupIntegrations)
       .withAWSCreateRoutes(argv.awsCreateRoutes)
@@ -79,9 +85,26 @@ export default class AWSConfig {
     return this;
   }
 
+  withAWSCreateAuthorizer(value) {
+    this.createAuthorizer = value;
+    return this;
+  }
+
+  withAWSAttachAuthorizer(value) {
+    this.attachAuthorizer = value;
+    return this;
+  }
+
+  withAWSIdentitySources(value) {
+    this.identitySources = value;
+    return this;
+  }
+
   static yarg(yargs) {
     return yargs
-      .group(['aws-region', 'aws-api', 'aws-role', 'aws-cleanup-buckets', 'aws-cleanup-integrations', 'aws-create-routes'], 'AWS Deployment Options')
+      .group(['aws-region', 'aws-api', 'aws-role', 'aws-cleanup-buckets', 'aws-cleanup-integrations',
+        'aws-create-routes', 'aws-create-authorizer', 'aws-attach-authorizer', 'aws-lambda-format',
+        'aws-parameter-manager'], 'AWS Deployment Options')
       .option('aws-region', {
         description: 'the AWS region to deploy lambda functions to',
         type: 'string',
@@ -113,6 +136,23 @@ export default class AWSConfig {
         type: 'string',
         default: DEFAULT_LAMBDA_FORMAT,
       })
+      .option('aws-create-authorizer', {
+        description: 'Creates API Gateway authorizer using lambda authorization with this function and the specified name. '
+          + 'The string can contain placeholders (note that all dots (\'.\') are replaced with underscores. '
+          // eslint-disable-next-line no-template-curly-in-string
+          + 'Example: "helix-authorizer_${version}".',
+        type: 'string',
+      })
+      .option('aws-identity-source', {
+        description: 'Identity source to used when creating the authorizer',
+        type: 'string',
+        array: true,
+        default: ['$request.header.Authorization'],
+      })
+      .option('aws-attach-authorizer', {
+        description: 'Attach specified authorizer to routes during linking.',
+        type: 'string',
+      })
       .option('aws-cleanup-buckets', {
         description: 'Cleans up stray temporary S3 buckets',
         type: 'boolean',

package/src/deploy/AWSDeployer.js

@@ -29,14 +29,14 @@ import {
 
 import {
   ApiGatewayV2Client,
-  CreateApiCommand,
+  CreateApiCommand, CreateAuthorizerCommand,
   CreateIntegrationCommand, CreateRouteCommand,
   CreateStageCommand,
   DeleteIntegrationCommand,
   GetApiCommand,
-  GetApisCommand,
+  GetApisCommand, GetAuthorizersCommand,
   GetIntegrationsCommand, GetRoutesCommand,
-  GetStagesCommand, UpdateRouteCommand,
+  GetStagesCommand, UpdateAuthorizerCommand, UpdateRouteCommand,
 } from '@aws-sdk/client-apigatewayv2';
 
 import { PutParameterCommand, SSMClient } from '@aws-sdk/client-ssm';
@@ -366,6 +366,20 @@ export default class AWSDeployer extends BaseDeployer {
     return routes;
   }
 
+  async fetchAuthorizers(ApiId) {
+    let nextToken;
+    const authorizers = [];
+    do {
+      const res = await this._api.send(new GetAuthorizersCommand({
+        ApiId,
+        NextToken: nextToken,
+      }));
+      authorizers.push(...res.Items);
+      nextToken = res.NextToken;
+    } while (nextToken);
+    return authorizers;
+  }
+
   async createAPI() {
     const { cfg } = this;
     const { ApiId, ApiEndpoint } = await this.initApiId();
@@ -404,8 +418,12 @@ export default class AWSDeployer extends BaseDeployer {
       const { IntegrationId } = integration;
       this.log.info('--: fetching existing routes...');
       const routes = await this.fetchRoutes(ApiId);
-      await this.createOrUpdateRoute(routes, ApiId, IntegrationId, `ANY ${this.functionPath}/{path+}`);
-      await this.createOrUpdateRoute(routes, ApiId, IntegrationId, `ANY ${this.functionPath}`);
+      const routeParams = {
+        ApiId,
+        Target: `integrations/${IntegrationId}`,
+      };
+      await this.createOrUpdateRoute(routes, routeParams, `ANY ${this.functionPath}/{path+}`);
+      await this.createOrUpdateRoute(routes, routeParams, `ANY ${this.functionPath}`);
     }
 
     // setup permissions for entire package.
@@ -581,25 +599,24 @@ export default class AWSDeployer extends BaseDeployer {
     this.log.info(chalk`{green ok}: deleted ${unused.length} unused integrations.`);
   }
 
-  async createOrUpdateRoute(routes, ApiId, IntegrationId, RouteKey) {
+  async createOrUpdateRoute(routes, routeParams, RouteKey) {
     const existing = routes.find((r) => r.RouteKey === RouteKey);
+    const auth = routeParams.AuthorizerId ? chalk` {yellow (${routeParams.AuthorizerId})}` : '';
     if (existing) {
       this.log.info(chalk`--: updating route for: {blue ${existing.RouteKey}}...`);
       const res = await this._api.send(new UpdateRouteCommand({
-        ApiId,
-        RouteId: existing.RouteId,
+        ...routeParams,
         RouteKey,
-        Target: `integrations/${IntegrationId}`,
+        RouteId: existing.RouteId,
       }));
-      this.log.info(chalk`{green ok}: updated route for: {blue ${res.RouteKey}}`);
+      this.log.info(chalk`{green ok}: updated route for: {blue ${res.RouteKey}}${auth}`);
     } else {
       this.log.info(chalk`--: creating route for: {blue ${RouteKey}}...`);
       const res = await this._api.send(new CreateRouteCommand({
-        ApiId,
+        ...routeParams,
         RouteKey,
-        Target: `integrations/${IntegrationId}`,
       }));
-      this.log.info(chalk`{green ok}: created route for: {blue ${res.RouteKey}}`);
+      this.log.info(chalk`{green ok}: created route for: {blue ${res.RouteKey}}${auth}`);
     }
   }
 
@@ -609,20 +626,22 @@ export default class AWSDeployer extends BaseDeployer {
         FunctionName: functionName,
         Name: name,
       }));
-      this.log.info(chalk`--: updating alias for: {blue ${name}}...`);
+      this.log.info(chalk`--: updating alias {blue ${name}}...`);
       await this._lambda.send(new UpdateAliasCommand({
         FunctionName: functionName,
         Name: name,
         FunctionVersion: functionVersion,
       }));
+      this.log.info(chalk`{green ok:} updated alias {blue ${name}} to version {yellow ${functionVersion}}.`);
     } catch (e) {
       if (e.name === 'ResourceNotFoundException') {
-        this.log.info(chalk`--: creating alias for: {blue ${name}}...`);
+        this.log.info(chalk`--: creating alias {blue ${name}}...`);
         await this._lambda.send(new CreateAliasCommand({
           FunctionName: functionName,
           Name: name,
           FunctionVersion: functionVersion,
         }));
+        this.log.info(chalk`{green ok:} created alias {blue ${name}} for version {yellow ${functionVersion}}.`);
       } else {
         this.log.error(`Unable to verify existence of Lambda alias ${name}`);
         throw e;
@@ -673,16 +692,33 @@ export default class AWSDeployer extends BaseDeployer {
     const { IntegrationId } = integration;
 
     // get all the routes
-    this.log.info(chalk`--: patching routes ...`);
+    this.log.info(chalk`--: fetching routes ...`);
     const routes = await this.fetchRoutes(ApiId);
+    const routeParams = {
+      ApiId,
+      Target: `integrations/${IntegrationId}`,
+      AuthorizerId: undefined,
+      AuthorizationType: 'NONE',
+    };
+    if (this._cfg.attachAuthorizer) {
+      this.log.info(chalk`--: fetching authorizers...`);
+      const authorizers = await this.fetchAuthorizers(ApiId);
+      const authorizer = authorizers.find((info) => info.Name === this._cfg.attachAuthorizer);
+      if (!authorizer) {
+        throw Error(`Specified authorizer ${this._cfg.attachAuthorizer} does not exist in api ${ApiId}.`);
+      }
+      routeParams.AuthorizerId = authorizer.AuthorizerId;
+      routeParams.AuthorizationType = 'CUSTOM';
+      this.log.info(chalk`{green ok:} configuring routes with authorizer {blue ${this._cfg.attachAuthorizer}} {yellow ${authorizer.AuthorizerId}}`);
+    }
 
     // create routes for each symlink
     const sfx = this.getLinkVersions();
 
     for (const suffix of sfx) {
       // check if route already exists
-      await this.createOrUpdateRoute(routes, ApiId, IntegrationId, `ANY /${cfg.packageName}/${cfg.baseName}/${suffix}`);
-      await this.createOrUpdateRoute(routes, ApiId, IntegrationId, `ANY /${cfg.packageName}/${cfg.baseName}/${suffix}/{path+}`);
+      await this.createOrUpdateRoute(routes, routeParams, `ANY /${cfg.packageName}/${cfg.baseName}/${suffix}`);
+      await this.createOrUpdateRoute(routes, routeParams, `ANY /${cfg.packageName}/${cfg.baseName}/${suffix}/{path+}`);
 
       // create or update alias
       await this.createOrUpdateAlias(suffix.replace('.', '_'), functionName, incrementalVersion);
@@ -691,6 +727,69 @@ export default class AWSDeployer extends BaseDeployer {
     if (cleanup) {
       await this.cleanUpIntegrations(functionName);
     }
+
+    await this.updateAuthorizers(ApiId, functionName, aliasArn);
+  }
+
+  async updateAuthorizers(ApiId, functionName, aliasArn) {
+    const cfg = this._cfg;
+    if (!cfg.createAuthorizer) {
+      return;
+    }
+
+    const AUTH_URI_PREFIX = `arn:aws:apigateway:${cfg.region}:lambda:path/2015-03-31/functions/`;
+    const accountId = aliasArn.split(':')[4];
+    this.log.info(chalk`--: patching authorizers...`);
+    const authorizers = await this.fetchAuthorizers(ApiId);
+    const versions = this.getLinkVersions();
+    for (const version of versions) {
+      const props = {
+        ...this.cfg,
+        ...this.cfg.properties,
+        // overwrite version with link name
+        version,
+      };
+      const authorizerName = ActionBuilder.substitute(cfg.createAuthorizer, props).replace(/\./g, '_');
+      const existing = authorizers.find((info) => info.Name === authorizerName) || {};
+      let { AuthorizerId } = existing;
+      if (AuthorizerId) {
+        const res = await this._api.send(new UpdateAuthorizerCommand({
+          ApiId,
+          AuthorizerId,
+          AuthorizerUri: `${AUTH_URI_PREFIX}${aliasArn}/invocations`,
+          IdentitySource: this._cfg.identitySources,
+        }));
+        this.log.info(chalk`{green ok}: updated authorizer: {blue ${res.Name}}`);
+      } else {
+        const res = await this._api.send(new CreateAuthorizerCommand({
+          ApiId,
+          AuthorizerPayloadFormatVersion: '2.0',
+          AuthorizerType: 'REQUEST',
+          AuthorizerUri: `${AUTH_URI_PREFIX}${aliasArn}/invocations`,
+          AuthorizerResultTtlInSeconds: 0,
+          EnableSimpleResponses: true,
+          IdentitySource: this._cfg.identitySources,
+          Name: authorizerName,
+        }));
+        AuthorizerId = res.AuthorizerId;
+        this.log.info(chalk`{green ok}: created authorizer: {blue ${res.Name}}`);
+      }
+
+      // add permission to alias for the API Gateway is allowed to invoke the authorized function
+      try {
+        const sourceArn = `arn:aws:execute-api:${this._cfg.region}:${accountId}:${ApiId}/authorizers/${AuthorizerId}`;
+        await this._lambda.send(new AddPermissionCommand({
+          FunctionName: aliasArn,
+          Action: 'lambda:InvokeFunction',
+          SourceArn: sourceArn,
+          Principal: 'apigateway.amazonaws.com',
+          StatementId: crypto.createHash('sha256').update(aliasArn + sourceArn).digest('hex'),
+        }));
+        this.log.info(chalk`{green ok:} added invoke permissions for ${sourceArn}`);
+      } catch (e) {
+        // ignore, most likely the permission already exists
+      }
+    }
   }
 
   async checkFunctionReady(arn) {

package/src/deploy/GoogleDeployer.js

@@ -223,8 +223,8 @@ export default class GoogleDeployer extends BaseDeployer {
         },
       });
     } catch (err) {
-      this.log.error(chalk`{red error:} bad request: ${err.metadata.internalRepr.get('google.rpc.badrequest-bin').toString()}`);
-      this.log.error(chalk`{red error:} details: ${err.metadata.internalRepr.get('grpc-status-details-bin').toString()}`);
+      this.log.error(chalk`{red error:} bad request: ${err.metadata.internalRepr?.get('google.rpc.badrequest-bin')?.toString()}`);
+      this.log.error(chalk`{red error:} details: ${err.metadata.internalRepr?.get('grpc-status-details-bin')?.toString()}`);
       throw err;
     }
 

package/src/index.js

@@ -11,7 +11,6 @@
  * OF ANY KIND, either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
-
 import CLI from './cli.js';
 
 new CLI().run(process.argv.slice(2));