@liflig/cdk 3.3.0 → 3.5.0

package/lib/api-gateway/authorizers/cognito-user-pool-or-basic-auth-authorizer.js

@@ -0,0 +1,238 @@
+/**
+ * This lambda verifies credentials:
+ * - Against Cognito user pool if request uses access token in Bearer authorization header
+ * - Against credentials saved in Secret Manager if request uses basic auth (and if secret exists)
+ *
+ * Expects the following environment variables:
+ * - USER_POOL_ID
+ * - BASIC_AUTH_CREDENTIALS_SECRET_NAME (optional)
+ *   - Name of secret in AWS Secrets Manager that stores basic auth credentials. See
+ *     `BasicAuthAuthorizerProps` on the `ApiGateway` construct for the supported formats.
+ * - REQUIRED_SCOPE (optional)
+ *   - Set this to require that the access token payload contains the given scope
+ */
+import { SecretsManager } from "@aws-sdk/client-secrets-manager";
+import { CognitoJwtVerifier } from "aws-jwt-verify";
+export const handler = async (event) => {
+    const authHeader = event.headers?.authorization;
+    if (!authHeader) {
+        return { isAuthorized: false };
+    }
+    const expectedBasicAuthCredentials = await getExpectedBasicAuthCredentials();
+    if (authHeader.startsWith("Bearer ")) {
+        const result = await verifyAccessToken(authHeader.substring(7)); // substring(7) == after 'Bearer '
+        switch (result) {
+            case "INVALID":
+                return { isAuthorized: false };
+            case "EXPIRED":
+                // We want to return 401 Unauthorized for expired tokens, so the client knows to refresh
+                // their token when receiving this status code. API Gateway Lambda Authorizers return
+                // 403 Forbidden for {isAuthorized: false}, but there is a way to return 401: throwing an
+                // error with this exact string. https://stackoverflow.com/a/71965890
+                throw new Error("Unauthorized");
+            default:
+                return {
+                    isAuthorized: true,
+                    context: {
+                        clientId: result.client_id,
+                        internalAuthorizationHeader: expectedBasicAuthCredentials?.[0]?.basicAuthHeader,
+                    },
+                };
+        }
+    }
+    else if (authHeader.startsWith("Basic ") &&
+        expectedBasicAuthCredentials !== undefined) {
+        for (const expected of expectedBasicAuthCredentials) {
+            if (authHeader === expected.basicAuthHeader) {
+                return {
+                    isAuthorized: true,
+                    context: {
+                        username: expected.username,
+                        internalAuthorizationHeader: expected.basicAuthHeader,
+                    },
+                };
+            }
+        }
+        return { isAuthorized: false };
+    }
+    else {
+        return { isAuthorized: false };
+    }
+};
+/** Decodes and verifies the given token against Cognito. */
+async function verifyAccessToken(token) {
+    try {
+        const tokenVerifier = getTokenVerifier();
+        // Must await here instead of returning the promise directly, so that errors can be caught in
+        // this function
+        return await tokenVerifier.verify(token);
+    }
+    catch (e) {
+        // If the JWT has expired, aws-jwt-verify throws this error:
+        // https://github.com/awslabs/aws-jwt-verify/blob/8d8f714d7281913ecd660147f5c30311479601c1/src/jwt.ts#L197
+        // We can't check instanceof on that error class, since it's not exported, so this is the next
+        // best thing.
+        if (e instanceof Error && e.message?.includes("Token expired")) {
+            return "EXPIRED";
+        }
+        else {
+            return "INVALID";
+        }
+    }
+}
+/**
+ * We cache the verifier in this global variable, so that subsequent invocations of a hot lambda
+ * will re-use this.
+ */
+let cachedTokenVerifier = undefined;
+function getTokenVerifier() {
+    if (cachedTokenVerifier === undefined) {
+        cachedTokenVerifier = dependencies.createTokenVerifier();
+    }
+    return cachedTokenVerifier;
+}
+/** For overriding dependency creation in tests. */
+export const dependencies = {
+    createTokenVerifier: () => {
+        const userPoolId = process.env["USER_POOL_ID"];
+        if (!userPoolId) {
+            console.error("USER_POOL_ID env variable is not defined");
+            throw new Error();
+        }
+        return CognitoJwtVerifier.create({
+            userPoolId,
+            tokenUse: "access",
+            clientId: null,
+            scope: process.env.REQUIRED_SCOPE || undefined, // `|| undefined` to discard empty string
+        });
+    },
+    createSecretsManager: () => new SecretsManager(),
+};
+/** Cache this value, so that subsequent lambda invocations don't have to refetch. */
+let cachedBasicAuthCredentials = undefined;
+/**
+ * Returns an array, to support credential secrets with multiple values (see
+ * `BasicAuthAuthorizerProps` on the `ApiGateway` construct for more on this).
+ */
+async function getExpectedBasicAuthCredentials() {
+    if (cachedBasicAuthCredentials === undefined) {
+        const secretName = process.env["BASIC_AUTH_CREDENTIALS_SECRET_NAME"];
+        if (!secretName) {
+            return undefined;
+        }
+        cachedBasicAuthCredentials = await getBasicAuthCredentialsSecret(secretName);
+    }
+    return cachedBasicAuthCredentials;
+}
+async function getBasicAuthCredentialsSecret(secretName) {
+    const secret = await getSecretValue(secretName);
+    if (isUsernameAndPasswordObject(secret)) {
+        return [encodeBasicAuthCredentials(secret)];
+    }
+    // See `BasicAuthAuthorizerProps` on the `ApiGateway` construct for an explanation of the formats
+    // we parse here
+    if (hasCredentialsKeyWithStringValue(secret)) {
+        let credentialsArray;
+        try {
+            credentialsArray = JSON.parse(secret.credentials);
+        }
+        catch (e) {
+            console.error(`Failed to parse credentials array in secret '${secretName}' as JSON`, e);
+            throw new Error();
+        }
+        if (isArrayOfUsernameAndPasswordObjects(credentialsArray)) {
+            return credentialsArray.map(encodeBasicAuthCredentials);
+        }
+        if (isStringArray(credentialsArray)) {
+            return credentialsArray.map(parseEncodedBasicAuthCredentials);
+        }
+    }
+    console.error(`Basic auth credentials secret did not follow any expected format (secret name: '${secretName}')`);
+    throw new Error();
+}
+async function getSecretValue(secretName) {
+    const client = dependencies.createSecretsManager();
+    const secret = await client.getSecretValue({ SecretId: secretName });
+    if (!secret.SecretString) {
+        console.error(`Secret value not found for '${secretName}'`);
+        throw new Error();
+    }
+    try {
+        return JSON.parse(secret.SecretString);
+    }
+    catch (e) {
+        console.error(`Failed to parse secret '${secretName}' as JSON:`, e);
+        throw new Error();
+    }
+}
+function encodeBasicAuthCredentials(credentials) {
+    const basicAuthHeader = "Basic " +
+        Buffer.from(`${credentials.username}:${credentials.password}`).toString("base64");
+    return { basicAuthHeader, username: credentials.username };
+}
+function isUsernameAndPasswordObject(value) {
+    return (typeof value === "object" &&
+        value !== null &&
+        "username" in value &&
+        typeof value.username === "string" &&
+        "password" in value &&
+        typeof value.password === "string");
+}
+function isArrayOfUsernameAndPasswordObjects(value) {
+    if (!Array.isArray(value)) {
+        return false;
+    }
+    for (const element of value) {
+        if (!isUsernameAndPasswordObject(element)) {
+            return false;
+        }
+    }
+    return true;
+}
+function hasCredentialsKeyWithStringValue(value) {
+    return (typeof value === "object" &&
+        value !== null &&
+        "credentials" in value &&
+        typeof value.credentials === "string");
+}
+function isStringArray(value) {
+    if (!Array.isArray(value)) {
+        return false;
+    }
+    for (const element of value) {
+        if (typeof element !== "string") {
+            return false;
+        }
+    }
+    return true;
+}
+/**
+ * We want to return the requesting username as a context variable in
+ * {@link AuthorizerResult.context}, for API Gateway access logs and parameter mapping. So if the
+ * basic auth credentials secret is stored as pre-encoded base64 strings, we need to parse them to
+ * get the username.
+ */
+function parseEncodedBasicAuthCredentials(encodedCredentials) {
+    let decodedCredentials;
+    try {
+        decodedCredentials = Buffer.from(encodedCredentials, "base64").toString();
+    }
+    catch (e) {
+        console.error("Basic auth credentials secret could not be decoded as base64:", e);
+        throw new Error();
+    }
+    const usernameAndPassword = decodedCredentials.split(":", 2);
+    if (usernameAndPassword.length !== 2) {
+        console.error("Basic auth credentials secret could not be decoded as 'username:password'");
+        throw new Error();
+    }
+    return {
+        basicAuthHeader: `Basic ${encodedCredentials}`,
+        username: usernameAndPassword[0],
+    };
+}
+export function clearCache() {
+    cachedTokenVerifier = undefined;
+    cachedBasicAuthCredentials = undefined;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29nbml0by11c2VyLXBvb2wtb3ItYmFzaWMtYXV0aC1hdXRob3JpemVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2FwaS1nYXRld2F5L2F1dGhvcml6ZXJzL2NvZ25pdG8tdXNlci1wb29sLW9yLWJhc2ljLWF1dGgtYXV0aG9yaXplci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQTs7Ozs7Ozs7Ozs7O0dBWUc7QUFNSCxPQUFPLEVBQUUsY0FBYyxFQUFFLE1BQU0saUNBQWlDLENBQUE7QUFDaEUsT0FBTyxFQUFFLGtCQUFrQixFQUFFLE1BQU0sZ0JBQWdCLENBQUE7QUFtQ25ELE1BQU0sQ0FBQyxNQUFNLE9BQU8sR0FBRyxLQUFLLEVBQzFCLEtBQXlDLEVBQ2QsRUFBRTtJQUM3QixNQUFNLFVBQVUsR0FBRyxLQUFLLENBQUMsT0FBTyxFQUFFLGFBQWEsQ0FBQTtJQUMvQyxJQUFJLENBQUMsVUFBVSxFQUFFLENBQUM7UUFDaEIsT0FBTyxFQUFFLFlBQVksRUFBRSxLQUFLLEVBQUUsQ0FBQTtJQUNoQyxDQUFDO0lBRUQsTUFBTSw0QkFBNEIsR0FBRyxNQUFNLCtCQUErQixFQUFFLENBQUE7SUFFNUUsSUFBSSxVQUFVLENBQUMsVUFBVSxDQUFDLFNBQVMsQ0FBQyxFQUFFLENBQUM7UUFDckMsTUFBTSxNQUFNLEdBQUcsTUFBTSxpQkFBaUIsQ0FBQyxVQUFVLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUEsQ0FBQyxrQ0FBa0M7UUFDbEcsUUFBUSxNQUFNLEVBQUUsQ0FBQztZQUNmLEtBQUssU0FBUztnQkFDWixPQUFPLEVBQUUsWUFBWSxFQUFFLEtBQUssRUFBRSxDQUFBO1lBQ2hDLEtBQUssU0FBUztnQkFDWix3RkFBd0Y7Z0JBQ3hGLHFGQUFxRjtnQkFDckYseUZBQXlGO2dCQUN6RixxRUFBcUU7Z0JBQ3JFLE1BQU0sSUFBSSxLQUFLLENBQUMsY0FBYyxDQUFDLENBQUE7WUFDakM7Z0JBQ0UsT0FBTztvQkFDTCxZQUFZLEVBQUUsSUFBSTtvQkFDbEIsT0FBTyxFQUFFO3dCQUNQLFFBQVEsRUFBRSxNQUFNLENBQUMsU0FBUzt3QkFDMUIsMkJBQTJCLEVBQ3pCLDRCQUE0QixFQUFFLENBQUMsQ0FBQyxDQUFDLEVBQUUsZUFBZTtxQkFDckQ7aUJBQ0YsQ0FBQTtRQUNMLENBQUM7SUFDSCxDQUFDO1NBQU0sSUFDTCxVQUFVLENBQUMsVUFBVSxDQUFDLFFBQVEsQ0FBQztRQUMvQiw0QkFBNEIsS0FBSyxTQUFTLEVBQzFDLENBQUM7UUFDRCxLQUFLLE1BQU0sUUFBUSxJQUFJLDRCQUE0QixFQUFFLENBQUM7WUFDcEQsSUFBSSxVQUFVLEtBQUssUUFBUSxDQUFDLGVBQWUsRUFBRSxDQUFDO2dCQUM1QyxPQUFPO29CQUNMLFlBQVksRUFBRSxJQUFJO29CQUNsQixPQUFPLEVBQUU7d0JBQ1AsUUFBUSxFQUFFLFFBQVEsQ0FBQyxRQUFRO3dCQUMzQiwyQkFBMkIsRUFBRSxRQUFRLENBQUMsZUFBZTtxQkFDdEQ7aUJBQ0YsQ0FBQTtZQUNILENBQUM7UUFDSCxDQUFDO1FBQ0QsT0FBTyxFQUFFLFlBQVksRUFBRSxLQUFLLEVBQUUsQ0FBQTtJQUNoQyxDQUFDO1NBQU0sQ0FBQztRQUNOLE9BQU8sRUFBRSxZQUFZLEVBQUUsS0FBSyxFQUFFLENBQUE7SUFDaEMsQ0FBQztBQUNILENBQUMsQ0FBQTtBQUVELDREQUE0RDtBQUM1RCxLQUFLLFVBQVUsaUJBQWlCLENBQzlCLEtBQWE7SUFFYixJQUFJLENBQUM7UUFDSCxNQUFNLGFBQWEsR0FBRyxnQkFBZ0IsRUFBRSxDQUFBO1FBQ3hDLDZGQUE2RjtRQUM3RixnQkFBZ0I7UUFDaEIsT0FBTyxNQUFNLGFBQWEsQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUE7SUFDMUMsQ0FBQztJQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7UUFDWCw0REFBNEQ7UUFDNUQsMEdBQTBHO1FBQzFHLDhGQUE4RjtRQUM5RixjQUFjO1FBQ2QsSUFBSSxDQUFDLFlBQVksS0FBSyxJQUFJLENBQUMsQ0FBQyxPQUFPLEVBQUUsUUFBUSxDQUFDLGVBQWUsQ0FBQyxFQUFFLENBQUM7WUFDL0QsT0FBTyxTQUFTLENBQUE7UUFDbEIsQ0FBQzthQUFNLENBQUM7WUFDTixPQUFPLFNBQVMsQ0FBQTtRQUNsQixDQUFDO0lBQ0gsQ0FBQztBQUNILENBQUM7QUFNRDs7O0dBR0c7QUFDSCxJQUFJLG1CQUFtQixHQUE4QixTQUFTLENBQUE7QUFFOUQsU0FBUyxnQkFBZ0I7SUFDdkIsSUFBSSxtQkFBbUIsS0FBSyxTQUFTLEVBQUUsQ0FBQztRQUN0QyxtQkFBbUIsR0FBRyxZQUFZLENBQUMsbUJBQW1CLEVBQUUsQ0FBQTtJQUMxRCxDQUFDO0lBQ0QsT0FBTyxtQkFBbUIsQ0FBQTtBQUM1QixDQUFDO0FBRUQsbURBQW1EO0FBQ25ELE1BQU0sQ0FBQyxNQUFNLFlBQVksR0FBRztJQUMxQixtQkFBbUIsRUFBRSxHQUFrQixFQUFFO1FBQ3ZDLE1BQU0sVUFBVSxHQUFHLE9BQU8sQ0FBQyxHQUFHLENBQUMsY0FBYyxDQUFDLENBQUE7UUFDOUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBQ2hCLE9BQU8sQ0FBQyxLQUFLLENBQUMsMENBQTBDLENBQUMsQ0FBQTtZQUN6RCxNQUFNLElBQUksS0FBSyxFQUFFLENBQUE7UUFDbkIsQ0FBQztRQUVELE9BQU8sa0JBQWtCLENBQUMsTUFBTSxDQUFDO1lBQy9CLFVBQVU7WUFDVixRQUFRLEVBQUUsUUFBUTtZQUNsQixRQUFRLEVBQUUsSUFBSTtZQUNkLEtBQUssRUFBRSxPQUFPLENBQUMsR0FBRyxDQUFDLGNBQWMsSUFBSSxTQUFTLEVBQUUseUNBQXlDO1NBQzFGLENBQUMsQ0FBQTtJQUNKLENBQUM7SUFDRCxvQkFBb0IsRUFBRSxHQUFHLEVBQUUsQ0FBQyxJQUFJLGNBQWMsRUFBRTtDQUNqRCxDQUFBO0FBT0QscUZBQXFGO0FBQ3JGLElBQUksMEJBQTBCLEdBQzVCLFNBQVMsQ0FBQTtBQUVYOzs7R0FHRztBQUNILEtBQUssVUFBVSwrQkFBK0I7SUFHNUMsSUFBSSwwQkFBMEIsS0FBSyxTQUFTLEVBQUUsQ0FBQztRQUM3QyxNQUFNLFVBQVUsR0FDZCxPQUFPLENBQUMsR0FBRyxDQUFDLG9DQUFvQyxDQUFDLENBQUE7UUFDbkQsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBQ2hCLE9BQU8sU0FBUyxDQUFBO1FBQ2xCLENBQUM7UUFFRCwwQkFBMEIsR0FBRyxNQUFNLDZCQUE2QixDQUFDLFVBQVUsQ0FBQyxDQUFBO0lBQzlFLENBQUM7SUFFRCxPQUFPLDBCQUEwQixDQUFBO0FBQ25DLENBQUM7QUFFRCxLQUFLLFVBQVUsNkJBQTZCLENBQzFDLFVBQWtCO0lBRWxCLE1BQU0sTUFBTSxHQUFHLE1BQU0sY0FBYyxDQUFDLFVBQVUsQ0FBQyxDQUFBO0lBRS9DLElBQUksMkJBQTJCLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQztRQUN4QyxPQUFPLENBQUMsMEJBQTBCLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQTtJQUM3QyxDQUFDO0lBRUQsaUdBQWlHO0lBQ2pHLGdCQUFnQjtJQUNoQixJQUFJLGdDQUFnQyxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7UUFDN0MsSUFBSSxnQkFBeUIsQ0FBQTtRQUM3QixJQUFJLENBQUM7WUFDSCxnQkFBZ0IsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLE1BQU0sQ0FBQyxXQUFXLENBQUMsQ0FBQTtRQUNuRCxDQUFDO1FBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztZQUNYLE9BQU8sQ0FBQyxLQUFLLENBQ1gsZ0RBQWdELFVBQVUsV0FBVyxFQUNyRSxDQUFDLENBQ0YsQ0FBQTtZQUNELE1BQU0sSUFBSSxLQUFLLEVBQUUsQ0FBQTtRQUNuQixDQUFDO1FBRUQsSUFBSSxtQ0FBbUMsQ0FBQyxnQkFBZ0IsQ0FBQyxFQUFFLENBQUM7WUFDMUQsT0FBTyxnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsMEJBQTBCLENBQUMsQ0FBQTtRQUN6RCxDQUFDO1FBRUQsSUFBSSxhQUFhLENBQUMsZ0JBQWdCLENBQUMsRUFBRSxDQUFDO1lBQ3BDLE9BQU8sZ0JBQWdCLENBQUMsR0FBRyxDQUFDLGdDQUFnQyxDQUFDLENBQUE7UUFDL0QsQ0FBQztJQUNILENBQUM7SUFFRCxPQUFPLENBQUMsS0FBSyxDQUNYLG1GQUFtRixVQUFVLElBQUksQ0FDbEcsQ0FBQTtJQUNELE1BQU0sSUFBSSxLQUFLLEVBQUUsQ0FBQTtBQUNuQixDQUFDO0FBRUQsS0FBSyxVQUFVLGNBQWMsQ0FBQyxVQUFrQjtJQUM5QyxNQUFNLE1BQU0sR0FBRyxZQUFZLENBQUMsb0JBQW9CLEVBQUUsQ0FBQTtJQUNsRCxNQUFNLE1BQU0sR0FBRyxNQUFNLE1BQU0sQ0FBQyxjQUFjLENBQUMsRUFBRSxRQUFRLEVBQUUsVUFBVSxFQUFFLENBQUMsQ0FBQTtJQUVwRSxJQUFJLENBQUMsTUFBTSxDQUFDLFlBQVksRUFBRSxDQUFDO1FBQ3pCLE9BQU8sQ0FBQyxLQUFLLENBQUMsK0JBQStCLFVBQVUsR0FBRyxDQUFDLENBQUE7UUFDM0QsTUFBTSxJQUFJLEtBQUssRUFBRSxDQUFBO0lBQ25CLENBQUM7SUFFRCxJQUFJLENBQUM7UUFDSCxPQUFPLElBQUksQ0FBQyxLQUFLLENBQUMsTUFBTSxDQUFDLFlBQVksQ0FBQyxDQUFBO0lBQ3hDLENBQUM7SUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ1gsT0FBTyxDQUFDLEtBQUssQ0FBQywyQkFBMkIsVUFBVSxZQUFZLEVBQUUsQ0FBQyxDQUFDLENBQUE7UUFDbkUsTUFBTSxJQUFJLEtBQUssRUFBRSxDQUFBO0lBQ25CLENBQUM7QUFDSCxDQUFDO0FBRUQsU0FBUywwQkFBMEIsQ0FBQyxXQUduQztJQUNDLE1BQU0sZUFBZSxHQUNuQixRQUFRO1FBQ1IsTUFBTSxDQUFDLElBQUksQ0FBQyxHQUFHLFdBQVcsQ0FBQyxRQUFRLElBQUksV0FBVyxDQUFDLFFBQVEsRUFBRSxDQUFDLENBQUMsUUFBUSxDQUNyRSxRQUFRLENBQ1QsQ0FBQTtJQUVILE9BQU8sRUFBRSxlQUFlLEVBQUUsUUFBUSxFQUFFLFdBQVcsQ0FBQyxRQUFRLEVBQUUsQ0FBQTtBQUM1RCxDQUFDO0FBRUQsU0FBUywyQkFBMkIsQ0FDbEMsS0FBYztJQUVkLE9BQU8sQ0FDTCxPQUFPLEtBQUssS0FBSyxRQUFRO1FBQ3pCLEtBQUssS0FBSyxJQUFJO1FBQ2QsVUFBVSxJQUFJLEtBQUs7UUFDbkIsT0FBTyxLQUFLLENBQUMsUUFBUSxLQUFLLFFBQVE7UUFDbEMsVUFBVSxJQUFJLEtBQUs7UUFDbkIsT0FBTyxLQUFLLENBQUMsUUFBUSxLQUFLLFFBQVEsQ0FDbkMsQ0FBQTtBQUNILENBQUM7QUFFRCxTQUFTLG1DQUFtQyxDQUMxQyxLQUFjO0lBRWQsSUFBSSxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztRQUMxQixPQUFPLEtBQUssQ0FBQTtJQUNkLENBQUM7SUFFRCxLQUFLLE1BQU0sT0FBTyxJQUFJLEtBQUssRUFBRSxDQUFDO1FBQzVCLElBQUksQ0FBQywyQkFBMkIsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1lBQzFDLE9BQU8sS0FBSyxDQUFBO1FBQ2QsQ0FBQztJQUNILENBQUM7SUFFRCxPQUFPLElBQUksQ0FBQTtBQUNiLENBQUM7QUFFRCxTQUFTLGdDQUFnQyxDQUN2QyxLQUFjO0lBRWQsT0FBTyxDQUNMLE9BQU8sS0FBSyxLQUFLLFFBQVE7UUFDekIsS0FBSyxLQUFLLElBQUk7UUFDZCxhQUFhLElBQUksS0FBSztRQUN0QixPQUFPLEtBQUssQ0FBQyxXQUFXLEtBQUssUUFBUSxDQUN0QyxDQUFBO0FBQ0gsQ0FBQztBQUVELFNBQVMsYUFBYSxDQUFDLEtBQWM7SUFDbkMsSUFBSSxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztRQUMxQixPQUFPLEtBQUssQ0FBQTtJQUNkLENBQUM7SUFFRCxLQUFLLE1BQU0sT0FBTyxJQUFJLEtBQUssRUFBRSxDQUFDO1FBQzVCLElBQUksT0FBTyxPQUFPLEtBQUssUUFBUSxFQUFFLENBQUM7WUFDaEMsT0FBTyxLQUFLLENBQUE7UUFDZCxDQUFDO0lBQ0gsQ0FBQztJQUVELE9BQU8sSUFBSSxDQUFBO0FBQ2IsQ0FBQztBQUVEOzs7OztHQUtHO0FBQ0gsU0FBUyxnQ0FBZ0MsQ0FDdkMsa0JBQTBCO0lBRTFCLElBQUksa0JBQTBCLENBQUE7SUFDOUIsSUFBSSxDQUFDO1FBQ0gsa0JBQWtCLEdBQUcsTUFBTSxDQUFDLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxRQUFRLENBQUMsQ0FBQyxRQUFRLEVBQUUsQ0FBQTtJQUMzRSxDQUFDO0lBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztRQUNYLE9BQU8sQ0FBQyxLQUFLLENBQ1gsK0RBQStELEVBQy9ELENBQUMsQ0FDRixDQUFBO1FBQ0QsTUFBTSxJQUFJLEtBQUssRUFBRSxDQUFBO0lBQ25CLENBQUM7SUFFRCxNQUFNLG1CQUFtQixHQUFHLGtCQUFrQixDQUFDLEtBQUssQ0FBQyxHQUFHLEVBQUUsQ0FBQyxDQUFDLENBQUE7SUFDNUQsSUFBSSxtQkFBbUIsQ0FBQyxNQUFNLEtBQUssQ0FBQyxFQUFFLENBQUM7UUFDckMsT0FBTyxDQUFDLEtBQUssQ0FDWCwyRUFBMkUsQ0FDNUUsQ0FBQTtRQUNELE1BQU0sSUFBSSxLQUFLLEVBQUUsQ0FBQTtJQUNuQixDQUFDO0lBRUQsT0FBTztRQUNMLGVBQWUsRUFBRSxTQUFTLGtCQUFrQixFQUFFO1FBQzlDLFFBQVEsRUFBRSxtQkFBbUIsQ0FBQyxDQUFDLENBQUM7S0FDakMsQ0FBQTtBQUNILENBQUM7QUFFRCxNQUFNLFVBQVUsVUFBVTtJQUN4QixtQkFBbUIsR0FBRyxTQUFTLENBQUE7SUFDL0IsMEJBQTBCLEdBQUcsU0FBUyxDQUFBO0FBQ3hDLENBQUMiLCJzb3VyY2VzQ29udGVudCI6WyIvKipcbiAqIFRoaXMgbGFtYmRhIHZlcmlmaWVzIGNyZWRlbnRpYWxzOlxuICogLSBBZ2FpbnN0IENvZ25pdG8gdXNlciBwb29sIGlmIHJlcXVlc3QgdXNlcyBhY2Nlc3MgdG9rZW4gaW4gQmVhcmVyIGF1dGhvcml6YXRpb24gaGVhZGVyXG4gKiAtIEFnYWluc3QgY3JlZGVudGlhbHMgc2F2ZWQgaW4gU2VjcmV0IE1hbmFnZXIgaWYgcmVxdWVzdCB1c2VzIGJhc2ljIGF1dGggKGFuZCBpZiBzZWNyZXQgZXhpc3RzKVxuICpcbiAqIEV4cGVjdHMgdGhlIGZvbGxvd2luZyBlbnZpcm9ubWVudCB2YXJpYWJsZXM6XG4gKiAtIFVTRVJfUE9PTF9JRFxuICogLSBCQVNJQ19BVVRIX0NSRURFTlRJQUxTX1NFQ1JFVF9OQU1FIChvcHRpb25hbClcbiAqICAgLSBOYW1lIG9mIHNlY3JldCBpbiBBV1MgU2VjcmV0cyBNYW5hZ2VyIHRoYXQgc3RvcmVzIGJhc2ljIGF1dGggY3JlZGVudGlhbHMuIFNlZVxuICogICAgIGBCYXNpY0F1dGhBdXRob3JpemVyUHJvcHNgIG9uIHRoZSBgQXBpR2F0ZXdheWAgY29uc3RydWN0IGZvciB0aGUgc3VwcG9ydGVkIGZvcm1hdHMuXG4gKiAtIFJFUVVJUkVEX1NDT1BFIChvcHRpb25hbClcbiAqICAgLSBTZXQgdGhpcyB0byByZXF1aXJlIHRoYXQgdGhlIGFjY2VzcyB0b2tlbiBwYXlsb2FkIGNvbnRhaW5zIHRoZSBnaXZlbiBzY29wZVxuICovXG5cbmltcG9ydCB0eXBlIHtcbiAgQVBJR2F0ZXdheVJlcXVlc3RBdXRob3JpemVyRXZlbnRWMixcbiAgQVBJR2F0ZXdheVNpbXBsZUF1dGhvcml6ZXJSZXN1bHQsXG59IGZyb20gXCJhd3MtbGFtYmRhXCJcbmltcG9ydCB7IFNlY3JldHNNYW5hZ2VyIH0gZnJvbSBcIkBhd3Mtc2RrL2NsaWVudC1zZWNyZXRzLW1hbmFnZXJcIlxuaW1wb3J0IHsgQ29nbml0b0p3dFZlcmlmaWVyIH0gZnJvbSBcImF3cy1qd3QtdmVyaWZ5XCJcbmltcG9ydCB0eXBlIHsgQ29nbml0b0FjY2Vzc1Rva2VuUGF5bG9hZCB9IGZyb20gXCJhd3Mtand0LXZlcmlmeS9qd3QtbW9kZWxcIlxuXG50eXBlIEF1dGhvcml6ZXJSZXN1bHQgPSBBUElHYXRld2F5U2ltcGxlQXV0aG9yaXplclJlc3VsdCAmIHtcbiAgLyoqXG4gICAqIFJldHVybmluZyBhIGNvbnRleHQgb2JqZWN0IGZyb20gb3VyIGF1dGhvcml6ZXIgYWxsb3dzIG91ciBBUEkgR2F0ZXdheSB0byBhY2Nlc3MgdGhlc2UgdmFyaWFibGVzXG4gICAqIHZpYSBgJHtjb250ZXh0LmF1dGhvcml6ZXIuPHByb3BlcnR5Pn1gLlxuICAgKiBodHRwczovL2RvY3MuYXdzLmFtYXpvbi5jb20vYXBpZ2F0ZXdheS9sYXRlc3QvZGV2ZWxvcGVyZ3VpZGUvaHR0cC1hcGktcGFyYW1ldGVyLW1hcHBpbmcuaHRtbFxuICAgKi9cbiAgY29udGV4dD86IHtcbiAgICAvKipcbiAgICAgKiBJZiB0aGUgcmVxdWVzdCB1c2VkIGFuIGFjY2VzcyB0b2tlbiwgYW5kIHRoZSB0b2tlbiB3YXMgdmVyaWZpZWQsIHdlIHJldHVybiB0aGUgYXV0aCBjbGllbnQgSURcbiAgICAgKiBmcm9tIHRoZSB0b2tlbidzIGNsYWltcyBpbiB0aGlzIGNvbnRleHQgdmFyaWFibGUgKG5hbWVkIGBhdXRob3JpemVyLmNsaWVudElkYCkuIFdlIHVzZSB0aGlzXG4gICAgICogdG8gaW5jbHVkZSB0aGUgcmVxdWVzdGluZyBjbGllbnQgaW4gdGhlIEFQSSBHYXRld2F5IGFjY2VzcyBsb2dzIChzZWUgYGRlZmF1bHRBY2Nlc3NMb2dGb3JtYXRgXG4gICAgICogaW4gb3VyIGBBcGlHYXRld2F5YCBjb25zdHJ1Y3QpLiBZb3UgY2FuIGFsc28gdXNlIHRoaXMgd2hlbiBtYXBwaW5nIHBhcmFtZXRlcnMgdG8gdGhlIGJhY2tlbmRcbiAgICAgKiBpbnRlZ3JhdGlvbiAoc2VlIGBBbGJJbnRlZ3JhdGlvblByb3BzLm1hcFBhcmFtZXRlcnNgIG9uIHRoZSBgQXBpR2F0ZXdheWAgY29uc3RydWN0KS5cbiAgICAgKi9cbiAgICBjbGllbnRJZD86IHN0cmluZ1xuICAgIC8qKlxuICAgICAqIElmIHRoZSByZXF1ZXN0IHVzZWQgQmFzaWMgQXV0aCwgYW5kIHRoZSBjcmVkZW50aWFscyB3ZXJlIHZlcmlmaWVkLCB3ZSByZXR1cm4gdGhlIHVzZXJuYW1lXG4gICAgICogdGhhdCB3YXMgdXNlZCBpbiB0aGlzIGNvbnRleHQgdmFyaWFibGUgKG5hbWVkIGBhdXRob3JpemVyLnVzZXJuYW1lYCkuIFdlIHVzZSB0aGlzIHRvIGluY2x1ZGVcbiAgICAgKiB0aGUgcmVxdWVzdGluZyB1c2VyIGluIHRoZSBBUEkgR2F0ZXdheSBhY2Nlc3MgbG9ncyAoc2VlIGBkZWZhdWx0QWNjZXNzTG9nRm9ybWF0YCBpbiBvdXJcbiAgICAgKiBgQXBpR2F0ZXdheWAgY29uc3RydWN0KS4gWW91IGNhbiBhbHNvIHVzZSB0aGlzIHdoZW4gbWFwcGluZyBwYXJhbWV0ZXJzIHRvIHRoZSBiYWNrZW5kXG4gICAgICogaW50ZWdyYXRpb24gKHNlZSBgQWxiSW50ZWdyYXRpb25Qcm9wcy5tYXBQYXJhbWV0ZXJzYCBvbiB0aGUgYEFwaUdhdGV3YXlgIGNvbnN0cnVjdCkuXG4gICAgICovXG4gICAgdXNlcm5hbWU/OiBzdHJpbmdcbiAgICAvKipcbiAgICAgKiBTZWUgYENvZ25pdG9Vc2VyUG9vbEF1dGhvcml6ZXJQcm9wcy5iYXNpY0F1dGhGb3JJbnRlcm5hbEF1dGhvcml6YXRpb25gIG9uIHRoZSBgQXBpR2F0ZXdheWBcbiAgICAgKiBjb25zdHJ1Y3QgKHdlIHByb3ZpZGUgdGhlIHNhbWUgY29udGV4dCB2YXJpYWJsZSBoZXJlIGFzIGluIHRoZSBDb2duaXRvIFVzZXIgUG9vbCBhdXRob3JpemVyLFxuICAgICAqIHVzaW5nIHRoZSBjcmVkZW50aWFscyBmcm9tIEJBU0lDX0FVVEhfQ1JFREVOVElBTFNfU0VDUkVUX05BTUUpLlxuICAgICAqL1xuICAgIGludGVybmFsQXV0aG9yaXphdGlvbkhlYWRlcj86IHN0cmluZ1xuICB9XG59XG5cbmV4cG9ydCBjb25zdCBoYW5kbGVyID0gYXN5bmMgKFxuICBldmVudDogQVBJR2F0ZXdheVJlcXVlc3RBdXRob3JpemVyRXZlbnRWMixcbik6IFByb21pc2U8QXV0aG9yaXplclJlc3VsdD4gPT4ge1xuICBjb25zdCBhdXRoSGVhZGVyID0gZXZlbnQuaGVhZGVycz8uYXV0aG9yaXphdGlvblxuICBpZiAoIWF1dGhIZWFkZXIpIHtcbiAgICByZXR1cm4geyBpc0F1dGhvcml6ZWQ6IGZhbHNlIH1cbiAgfVxuXG4gIGNvbnN0IGV4cGVjdGVkQmFzaWNBdXRoQ3JlZGVudGlhbHMgPSBhd2FpdCBnZXRFeHBlY3RlZEJhc2ljQXV0aENyZWRlbnRpYWxzKClcblxuICBpZiAoYXV0aEhlYWRlci5zdGFydHNXaXRoKFwiQmVhcmVyIFwiKSkge1xuICAgIGNvbnN0IHJlc3VsdCA9IGF3YWl0IHZlcmlmeUFjY2Vzc1Rva2VuKGF1dGhIZWFkZXIuc3Vic3RyaW5nKDcpKSAvLyBzdWJzdHJpbmcoNykgPT0gYWZ0ZXIgJ0JlYXJlciAnXG4gICAgc3dpdGNoIChyZXN1bHQpIHtcbiAgICAgIGNhc2UgXCJJTlZBTElEXCI6XG4gICAgICAgIHJldHVybiB7IGlzQXV0aG9yaXplZDogZmFsc2UgfVxuICAgICAgY2FzZSBcIkVYUElSRURcIjpcbiAgICAgICAgLy8gV2Ugd2FudCB0byByZXR1cm4gNDAxIFVuYXV0aG9yaXplZCBmb3IgZXhwaXJlZCB0b2tlbnMsIHNvIHRoZSBjbGllbnQga25vd3MgdG8gcmVmcmVzaFxuICAgICAgICAvLyB0aGVpciB0b2tlbiB3aGVuIHJlY2VpdmluZyB0aGlzIHN0YXR1cyBjb2RlLiBBUEkgR2F0ZXdheSBMYW1iZGEgQXV0aG9yaXplcnMgcmV0dXJuXG4gICAgICAgIC8vIDQwMyBGb3JiaWRkZW4gZm9yIHtpc0F1dGhvcml6ZWQ6IGZhbHNlfSwgYnV0IHRoZXJlIGlzIGEgd2F5IHRvIHJldHVybiA0MDE6IHRocm93aW5nIGFuXG4gICAgICAgIC8vIGVycm9yIHdpdGggdGhpcyBleGFjdCBzdHJpbmcuIGh0dHBzOi8vc3RhY2tvdmVyZmxvdy5jb20vYS83MTk2NTg5MFxuICAgICAgICB0aHJvdyBuZXcgRXJyb3IoXCJVbmF1dGhvcml6ZWRcIilcbiAgICAgIGRlZmF1bHQ6XG4gICAgICAgIHJldHVybiB7XG4gICAgICAgICAgaXNBdXRob3JpemVkOiB0cnVlLFxuICAgICAgICAgIGNvbnRleHQ6IHtcbiAgICAgICAgICAgIGNsaWVudElkOiByZXN1bHQuY2xpZW50X2lkLFxuICAgICAgICAgICAgaW50ZXJuYWxBdXRob3JpemF0aW9uSGVhZGVyOlxuICAgICAgICAgICAgICBleHBlY3RlZEJhc2ljQXV0aENyZWRlbnRpYWxzPy5bMF0/LmJhc2ljQXV0aEhlYWRlcixcbiAgICAgICAgICB9LFxuICAgICAgICB9XG4gICAgfVxuICB9IGVsc2UgaWYgKFxuICAgIGF1dGhIZWFkZXIuc3RhcnRzV2l0aChcIkJhc2ljIFwiKSAmJlxuICAgIGV4cGVjdGVkQmFzaWNBdXRoQ3JlZGVudGlhbHMgIT09IHVuZGVmaW5lZFxuICApIHtcbiAgICBmb3IgKGNvbnN0IGV4cGVjdGVkIG9mIGV4cGVjdGVkQmFzaWNBdXRoQ3JlZGVudGlhbHMpIHtcbiAgICAgIGlmIChhdXRoSGVhZGVyID09PSBleHBlY3RlZC5iYXNpY0F1dGhIZWFkZXIpIHtcbiAgICAgICAgcmV0dXJuIHtcbiAgICAgICAgICBpc0F1dGhvcml6ZWQ6IHRydWUsXG4gICAgICAgICAgY29udGV4dDoge1xuICAgICAgICAgICAgdXNlcm5hbWU6IGV4cGVjdGVkLnVzZXJuYW1lLFxuICAgICAgICAgICAgaW50ZXJuYWxBdXRob3JpemF0aW9uSGVhZGVyOiBleHBlY3RlZC5iYXNpY0F1dGhIZWFkZXIsXG4gICAgICAgICAgfSxcbiAgICAgICAgfVxuICAgICAgfVxuICAgIH1cbiAgICByZXR1cm4geyBpc0F1dGhvcml6ZWQ6IGZhbHNlIH1cbiAgfSBlbHNlIHtcbiAgICByZXR1cm4geyBpc0F1dGhvcml6ZWQ6IGZhbHNlIH1cbiAgfVxufVxuXG4vKiogRGVjb2RlcyBhbmQgdmVyaWZpZXMgdGhlIGdpdmVuIHRva2VuIGFnYWluc3QgQ29nbml0by4gKi9cbmFzeW5jIGZ1bmN0aW9uIHZlcmlmeUFjY2Vzc1Rva2VuKFxuICB0b2tlbjogc3RyaW5nLFxuKTogUHJvbWlzZTxDb2duaXRvQWNjZXNzVG9rZW5QYXlsb2FkIHwgXCJFWFBJUkVEXCIgfCBcIklOVkFMSURcIj4ge1xuICB0cnkge1xuICAgIGNvbnN0IHRva2VuVmVyaWZpZXIgPSBnZXRUb2tlblZlcmlmaWVyKClcbiAgICAvLyBNdXN0IGF3YWl0IGhlcmUgaW5zdGVhZCBvZiByZXR1cm5pbmcgdGhlIHByb21pc2UgZGlyZWN0bHksIHNvIHRoYXQgZXJyb3JzIGNhbiBiZSBjYXVnaHQgaW5cbiAgICAvLyB0aGlzIGZ1bmN0aW9uXG4gICAgcmV0dXJuIGF3YWl0IHRva2VuVmVyaWZpZXIudmVyaWZ5KHRva2VuKVxuICB9IGNhdGNoIChlKSB7XG4gICAgLy8gSWYgdGhlIEpXVCBoYXMgZXhwaXJlZCwgYXdzLWp3dC12ZXJpZnkgdGhyb3dzIHRoaXMgZXJyb3I6XG4gICAgLy8gaHR0cHM6Ly9naXRodWIuY29tL2F3c2xhYnMvYXdzLWp3dC12ZXJpZnkvYmxvYi84ZDhmNzE0ZDcyODE5MTNlY2Q2NjAxNDdmNWMzMDMxMTQ3OTYwMWMxL3NyYy9qd3QudHMjTDE5N1xuICAgIC8vIFdlIGNhbid0IGNoZWNrIGluc3RhbmNlb2Ygb24gdGhhdCBlcnJvciBjbGFzcywgc2luY2UgaXQncyBub3QgZXhwb3J0ZWQsIHNvIHRoaXMgaXMgdGhlIG5leHRcbiAgICAvLyBiZXN0IHRoaW5nLlxuICAgIGlmIChlIGluc3RhbmNlb2YgRXJyb3IgJiYgZS5tZXNzYWdlPy5pbmNsdWRlcyhcIlRva2VuIGV4cGlyZWRcIikpIHtcbiAgICAgIHJldHVybiBcIkVYUElSRURcIlxuICAgIH0gZWxzZSB7XG4gICAgICByZXR1cm4gXCJJTlZBTElEXCJcbiAgICB9XG4gIH1cbn1cblxuZXhwb3J0IHR5cGUgVG9rZW5WZXJpZmllciA9IHtcbiAgdmVyaWZ5OiAoYWNjZXNzVG9rZW46IHN0cmluZykgPT4gUHJvbWlzZTxDb2duaXRvQWNjZXNzVG9rZW5QYXlsb2FkPlxufVxuXG4vKipcbiAqIFdlIGNhY2hlIHRoZSB2ZXJpZmllciBpbiB0aGlzIGdsb2JhbCB2YXJpYWJsZSwgc28gdGhhdCBzdWJzZXF1ZW50IGludm9jYXRpb25zIG9mIGEgaG90IGxhbWJkYVxuICogd2lsbCByZS11c2UgdGhpcy5cbiAqL1xubGV0IGNhY2hlZFRva2VuVmVyaWZpZXI6IFRva2VuVmVyaWZpZXIgfCB1bmRlZmluZWQgPSB1bmRlZmluZWRcblxuZnVuY3Rpb24gZ2V0VG9rZW5WZXJpZmllcigpOiBUb2tlblZlcmlmaWVyIHtcbiAgaWYgKGNhY2hlZFRva2VuVmVyaWZpZXIgPT09IHVuZGVmaW5lZCkge1xuICAgIGNhY2hlZFRva2VuVmVyaWZpZXIgPSBkZXBlbmRlbmNpZXMuY3JlYXRlVG9rZW5WZXJpZmllcigpXG4gIH1cbiAgcmV0dXJuIGNhY2hlZFRva2VuVmVyaWZpZXJcbn1cblxuLyoqIEZvciBvdmVycmlkaW5nIGRlcGVuZGVuY3kgY3JlYXRpb24gaW4gdGVzdHMuICovXG5leHBvcnQgY29uc3QgZGVwZW5kZW5jaWVzID0ge1xuICBjcmVhdGVUb2tlblZlcmlmaWVyOiAoKTogVG9rZW5WZXJpZmllciA9PiB7XG4gICAgY29uc3QgdXNlclBvb2xJZCA9IHByb2Nlc3MuZW52W1wiVVNFUl9QT09MX0lEXCJdXG4gICAgaWYgKCF1c2VyUG9vbElkKSB7XG4gICAgICBjb25zb2xlLmVycm9yKFwiVVNFUl9QT09MX0lEIGVudiB2YXJpYWJsZSBpcyBub3QgZGVmaW5lZFwiKVxuICAgICAgdGhyb3cgbmV3IEVycm9yKClcbiAgICB9XG5cbiAgICByZXR1cm4gQ29nbml0b0p3dFZlcmlmaWVyLmNyZWF0ZSh7XG4gICAgICB1c2VyUG9vbElkLFxuICAgICAgdG9rZW5Vc2U6IFwiYWNjZXNzXCIsXG4gICAgICBjbGllbnRJZDogbnVsbCxcbiAgICAgIHNjb3BlOiBwcm9jZXNzLmVudi5SRVFVSVJFRF9TQ09QRSB8fCB1bmRlZmluZWQsIC8vIGB8fCB1bmRlZmluZWRgIHRvIGRpc2NhcmQgZW1wdHkgc3RyaW5nXG4gICAgfSlcbiAgfSxcbiAgY3JlYXRlU2VjcmV0c01hbmFnZXI6ICgpID0+IG5ldyBTZWNyZXRzTWFuYWdlcigpLFxufVxuXG50eXBlIEV4cGVjdGVkQmFzaWNBdXRoQ3JlZGVudGlhbHMgPSB7XG4gIGJhc2ljQXV0aEhlYWRlcjogc3RyaW5nXG4gIHVzZXJuYW1lOiBzdHJpbmdcbn1cblxuLyoqIENhY2hlIHRoaXMgdmFsdWUsIHNvIHRoYXQgc3Vic2VxdWVudCBsYW1iZGEgaW52b2NhdGlvbnMgZG9uJ3QgaGF2ZSB0byByZWZldGNoLiAqL1xubGV0IGNhY2hlZEJhc2ljQXV0aENyZWRlbnRpYWxzOiBFeHBlY3RlZEJhc2ljQXV0aENyZWRlbnRpYWxzW10gfCB1bmRlZmluZWQgPVxuICB1bmRlZmluZWRcblxuLyoqXG4gKiBSZXR1cm5zIGFuIGFycmF5LCB0byBzdXBwb3J0IGNyZWRlbnRpYWwgc2VjcmV0cyB3aXRoIG11bHRpcGxlIHZhbHVlcyAoc2VlXG4gKiBgQmFzaWNBdXRoQXV0aG9yaXplclByb3BzYCBvbiB0aGUgYEFwaUdhdGV3YXlgIGNvbnN0cnVjdCBmb3IgbW9yZSBvbiB0aGlzKS5cbiAqL1xuYXN5bmMgZnVuY3Rpb24gZ2V0RXhwZWN0ZWRCYXNpY0F1dGhDcmVkZW50aWFscygpOiBQcm9taXNlPFxuICBFeHBlY3RlZEJhc2ljQXV0aENyZWRlbnRpYWxzW10gfCB1bmRlZmluZWRcbj4ge1xuICBpZiAoY2FjaGVkQmFzaWNBdXRoQ3JlZGVudGlhbHMgPT09IHVuZGVmaW5lZCkge1xuICAgIGNvbnN0IHNlY3JldE5hbWU6IHN0cmluZyB8IHVuZGVmaW5lZCA9XG4gICAgICBwcm9jZXNzLmVudltcIkJBU0lDX0FVVEhfQ1JFREVOVElBTFNfU0VDUkVUX05BTUVcIl1cbiAgICBpZiAoIXNlY3JldE5hbWUpIHtcbiAgICAgIHJldHVybiB1bmRlZmluZWRcbiAgICB9XG5cbiAgICBjYWNoZWRCYXNpY0F1dGhDcmVkZW50aWFscyA9IGF3YWl0IGdldEJhc2ljQXV0aENyZWRlbnRpYWxzU2VjcmV0KHNlY3JldE5hbWUpXG4gIH1cblxuICByZXR1cm4gY2FjaGVkQmFzaWNBdXRoQ3JlZGVudGlhbHNcbn1cblxuYXN5bmMgZnVuY3Rpb24gZ2V0QmFzaWNBdXRoQ3JlZGVudGlhbHNTZWNyZXQoXG4gIHNlY3JldE5hbWU6IHN0cmluZyxcbik6IFByb21pc2U8RXhwZWN0ZWRCYXNpY0F1dGhDcmVkZW50aWFsc1tdPiB7XG4gIGNvbnN0IHNlY3JldCA9IGF3YWl0IGdldFNlY3JldFZhbHVlKHNlY3JldE5hbWUpXG5cbiAgaWYgKGlzVXNlcm5hbWVBbmRQYXNzd29yZE9iamVjdChzZWNyZXQpKSB7XG4gICAgcmV0dXJuIFtlbmNvZGVCYXNpY0F1dGhDcmVkZW50aWFscyhzZWNyZXQpXVxuICB9XG5cbiAgLy8gU2VlIGBCYXNpY0F1dGhBdXRob3JpemVyUHJvcHNgIG9uIHRoZSBgQXBpR2F0ZXdheWAgY29uc3RydWN0IGZvciBhbiBleHBsYW5hdGlvbiBvZiB0aGUgZm9ybWF0c1xuICAvLyB3ZSBwYXJzZSBoZXJlXG4gIGlmIChoYXNDcmVkZW50aWFsc0tleVdpdGhTdHJpbmdWYWx1ZShzZWNyZXQpKSB7XG4gICAgbGV0IGNyZWRlbnRpYWxzQXJyYXk6IHVua25vd25cbiAgICB0cnkge1xuICAgICAgY3JlZGVudGlhbHNBcnJheSA9IEpTT04ucGFyc2Uoc2VjcmV0LmNyZWRlbnRpYWxzKVxuICAgIH0gY2F0Y2ggKGUpIHtcbiAgICAgIGNvbnNvbGUuZXJyb3IoXG4gICAgICAgIGBGYWlsZWQgdG8gcGFyc2UgY3JlZGVudGlhbHMgYXJyYXkgaW4gc2VjcmV0ICcke3NlY3JldE5hbWV9JyBhcyBKU09OYCxcbiAgICAgICAgZSxcbiAgICAgIClcbiAgICAgIHRocm93IG5ldyBFcnJvcigpXG4gICAgfVxuXG4gICAgaWYgKGlzQXJyYXlPZlVzZXJuYW1lQW5kUGFzc3dvcmRPYmplY3RzKGNyZWRlbnRpYWxzQXJyYXkpKSB7XG4gICAgICByZXR1cm4gY3JlZGVudGlhbHNBcnJheS5tYXAoZW5jb2RlQmFzaWNBdXRoQ3JlZGVudGlhbHMpXG4gICAgfVxuXG4gICAgaWYgKGlzU3RyaW5nQXJyYXkoY3JlZGVudGlhbHNBcnJheSkpIHtcbiAgICAgIHJldHVybiBjcmVkZW50aWFsc0FycmF5Lm1hcChwYXJzZUVuY29kZWRCYXNpY0F1dGhDcmVkZW50aWFscylcbiAgICB9XG4gIH1cblxuICBjb25zb2xlLmVycm9yKFxuICAgIGBCYXNpYyBhdXRoIGNyZWRlbnRpYWxzIHNlY3JldCBkaWQgbm90IGZvbGxvdyBhbnkgZXhwZWN0ZWQgZm9ybWF0IChzZWNyZXQgbmFtZTogJyR7c2VjcmV0TmFtZX0nKWAsXG4gIClcbiAgdGhyb3cgbmV3IEVycm9yKClcbn1cblxuYXN5bmMgZnVuY3Rpb24gZ2V0U2VjcmV0VmFsdWUoc2VjcmV0TmFtZTogc3RyaW5nKTogUHJvbWlzZTx1bmtub3duPiB7XG4gIGNvbnN0IGNsaWVudCA9IGRlcGVuZGVuY2llcy5jcmVhdGVTZWNyZXRzTWFuYWdlcigpXG4gIGNvbnN0IHNlY3JldCA9IGF3YWl0IGNsaWVudC5nZXRTZWNyZXRWYWx1ZSh7IFNlY3JldElkOiBzZWNyZXROYW1lIH0pXG5cbiAgaWYgKCFzZWNyZXQuU2VjcmV0U3RyaW5nKSB7XG4gICAgY29uc29sZS5lcnJvcihgU2VjcmV0IHZhbHVlIG5vdCBmb3VuZCBmb3IgJyR7c2VjcmV0TmFtZX0nYClcbiAgICB0aHJvdyBuZXcgRXJyb3IoKVxuICB9XG5cbiAgdHJ5IHtcbiAgICByZXR1cm4gSlNPTi5wYXJzZShzZWNyZXQuU2VjcmV0U3RyaW5nKVxuICB9IGNhdGNoIChlKSB7XG4gICAgY29uc29sZS5lcnJvcihgRmFpbGVkIHRvIHBhcnNlIHNlY3JldCAnJHtzZWNyZXROYW1lfScgYXMgSlNPTjpgLCBlKVxuICAgIHRocm93IG5ldyBFcnJvcigpXG4gIH1cbn1cblxuZnVuY3Rpb24gZW5jb2RlQmFzaWNBdXRoQ3JlZGVudGlhbHMoY3JlZGVudGlhbHM6IHtcbiAgdXNlcm5hbWU6IHN0cmluZ1xuICBwYXNzd29yZDogc3RyaW5nXG59KTogRXhwZWN0ZWRCYXNpY0F1dGhDcmVkZW50aWFscyB7XG4gIGNvbnN0IGJhc2ljQXV0aEhlYWRlciA9XG4gICAgXCJCYXNpYyBcIiArXG4gICAgQnVmZmVyLmZyb20oYCR7Y3JlZGVudGlhbHMudXNlcm5hbWV9OiR7Y3JlZGVudGlhbHMucGFzc3dvcmR9YCkudG9TdHJpbmcoXG4gICAgICBcImJhc2U2NFwiLFxuICAgIClcblxuICByZXR1cm4geyBiYXNpY0F1dGhIZWFkZXIsIHVzZXJuYW1lOiBjcmVkZW50aWFscy51c2VybmFtZSB9XG59XG5cbmZ1bmN0aW9uIGlzVXNlcm5hbWVBbmRQYXNzd29yZE9iamVjdChcbiAgdmFsdWU6IHVua25vd24sXG4pOiB2YWx1ZSBpcyB7IHVzZXJuYW1lOiBzdHJpbmc7IHBhc3N3b3JkOiBzdHJpbmcgfSB7XG4gIHJldHVybiAoXG4gICAgdHlwZW9mIHZhbHVlID09PSBcIm9iamVjdFwiICYmXG4gICAgdmFsdWUgIT09IG51bGwgJiZcbiAgICBcInVzZXJuYW1lXCIgaW4gdmFsdWUgJiZcbiAgICB0eXBlb2YgdmFsdWUudXNlcm5hbWUgPT09IFwic3RyaW5nXCIgJiZcbiAgICBcInBhc3N3b3JkXCIgaW4gdmFsdWUgJiZcbiAgICB0eXBlb2YgdmFsdWUucGFzc3dvcmQgPT09IFwic3RyaW5nXCJcbiAgKVxufVxuXG5mdW5jdGlvbiBpc0FycmF5T2ZVc2VybmFtZUFuZFBhc3N3b3JkT2JqZWN0cyhcbiAgdmFsdWU6IHVua25vd24sXG4pOiB2YWx1ZSBpcyB7IHVzZXJuYW1lOiBzdHJpbmc7IHBhc3N3b3JkOiBzdHJpbmcgfVtdIHtcbiAgaWYgKCFBcnJheS5pc0FycmF5KHZhbHVlKSkge1xuICAgIHJldHVybiBmYWxzZVxuICB9XG5cbiAgZm9yIChjb25zdCBlbGVtZW50IG9mIHZhbHVlKSB7XG4gICAgaWYgKCFpc1VzZXJuYW1lQW5kUGFzc3dvcmRPYmplY3QoZWxlbWVudCkpIHtcbiAgICAgIHJldHVybiBmYWxzZVxuICAgIH1cbiAgfVxuXG4gIHJldHVybiB0cnVlXG59XG5cbmZ1bmN0aW9uIGhhc0NyZWRlbnRpYWxzS2V5V2l0aFN0cmluZ1ZhbHVlKFxuICB2YWx1ZTogdW5rbm93bixcbik6IHZhbHVlIGlzIHsgY3JlZGVudGlhbHM6IHN0cmluZyB9IHtcbiAgcmV0dXJuIChcbiAgICB0eXBlb2YgdmFsdWUgPT09IFwib2JqZWN0XCIgJiZcbiAgICB2YWx1ZSAhPT0gbnVsbCAmJlxuICAgIFwiY3JlZGVudGlhbHNcIiBpbiB2YWx1ZSAmJlxuICAgIHR5cGVvZiB2YWx1ZS5jcmVkZW50aWFscyA9PT0gXCJzdHJpbmdcIlxuICApXG59XG5cbmZ1bmN0aW9uIGlzU3RyaW5nQXJyYXkodmFsdWU6IHVua25vd24pOiB2YWx1ZSBpcyBzdHJpbmdbXSB7XG4gIGlmICghQXJyYXkuaXNBcnJheSh2YWx1ZSkpIHtcbiAgICByZXR1cm4gZmFsc2VcbiAgfVxuXG4gIGZvciAoY29uc3QgZWxlbWVudCBvZiB2YWx1ZSkge1xuICAgIGlmICh0eXBlb2YgZWxlbWVudCAhPT0gXCJzdHJpbmdcIikge1xuICAgICAgcmV0dXJuIGZhbHNlXG4gICAgfVxuICB9XG5cbiAgcmV0dXJuIHRydWVcbn1cblxuLyoqXG4gKiBXZSB3YW50IHRvIHJldHVybiB0aGUgcmVxdWVzdGluZyB1c2VybmFtZSBhcyBhIGNvbnRleHQgdmFyaWFibGUgaW5cbiAqIHtAbGluayBBdXRob3JpemVyUmVzdWx0LmNvbnRleHR9LCBmb3IgQVBJIEdhdGV3YXkgYWNjZXNzIGxvZ3MgYW5kIHBhcmFtZXRlciBtYXBwaW5nLiBTbyBpZiB0aGVcbiAqIGJhc2ljIGF1dGggY3JlZGVudGlhbHMgc2VjcmV0IGlzIHN0b3JlZCBhcyBwcmUtZW5jb2RlZCBiYXNlNjQgc3RyaW5ncywgd2UgbmVlZCB0byBwYXJzZSB0aGVtIHRvXG4gKiBnZXQgdGhlIHVzZXJuYW1lLlxuICovXG5mdW5jdGlvbiBwYXJzZUVuY29kZWRCYXNpY0F1dGhDcmVkZW50aWFscyhcbiAgZW5jb2RlZENyZWRlbnRpYWxzOiBzdHJpbmcsXG4pOiBFeHBlY3RlZEJhc2ljQXV0aENyZWRlbnRpYWxzIHtcbiAgbGV0IGRlY29kZWRDcmVkZW50aWFsczogc3RyaW5nXG4gIHRyeSB7XG4gICAgZGVjb2RlZENyZWRlbnRpYWxzID0gQnVmZmVyLmZyb20oZW5jb2RlZENyZWRlbnRpYWxzLCBcImJhc2U2NFwiKS50b1N0cmluZygpXG4gIH0gY2F0Y2ggKGUpIHtcbiAgICBjb25zb2xlLmVycm9yKFxuICAgICAgXCJCYXNpYyBhdXRoIGNyZWRlbnRpYWxzIHNlY3JldCBjb3VsZCBub3QgYmUgZGVjb2RlZCBhcyBiYXNlNjQ6XCIsXG4gICAgICBlLFxuICAgIClcbiAgICB0aHJvdyBuZXcgRXJyb3IoKVxuICB9XG5cbiAgY29uc3QgdXNlcm5hbWVBbmRQYXNzd29yZCA9IGRlY29kZWRDcmVkZW50aWFscy5zcGxpdChcIjpcIiwgMilcbiAgaWYgKHVzZXJuYW1lQW5kUGFzc3dvcmQubGVuZ3RoICE9PSAyKSB7XG4gICAgY29uc29sZS5lcnJvcihcbiAgICAgIFwiQmFzaWMgYXV0aCBjcmVkZW50aWFscyBzZWNyZXQgY291bGQgbm90IGJlIGRlY29kZWQgYXMgJ3VzZXJuYW1lOnBhc3N3b3JkJ1wiLFxuICAgIClcbiAgICB0aHJvdyBuZXcgRXJyb3IoKVxuICB9XG5cbiAgcmV0dXJuIHtcbiAgICBiYXNpY0F1dGhIZWFkZXI6IGBCYXNpYyAke2VuY29kZWRDcmVkZW50aWFsc31gLFxuICAgIHVzZXJuYW1lOiB1c2VybmFtZUFuZFBhc3N3b3JkWzBdLFxuICB9XG59XG5cbmV4cG9ydCBmdW5jdGlvbiBjbGVhckNhY2hlKCkge1xuICBjYWNoZWRUb2tlblZlcmlmaWVyID0gdW5kZWZpbmVkXG4gIGNhY2hlZEJhc2ljQXV0aENyZWRlbnRpYWxzID0gdW5kZWZpbmVkXG59XG4iXX0=

package/lib/api-gateway/http-api-gateway.d.ts

@@ -7,6 +7,7 @@ import type * as sqs from "aws-cdk-lib/aws-sqs";
 import * as apigw from "aws-cdk-lib/aws-apigatewayv2";
 import * as logs from "aws-cdk-lib/aws-logs";
 import * as iam from "aws-cdk-lib/aws-iam";
+import * as authorizers from "aws-cdk-lib/aws-apigatewayv2-authorizers";
 import type { IUserPool } from "aws-cdk-lib/aws-cognito";
 import * as route53 from "aws-cdk-lib/aws-route53";
 /**
@@ -280,21 +281,21 @@ export type AuthorizationProps<AuthScopesT extends string = string> =
     type: "IAM";
 }
 /**
- * Creates a custom authorizer lambda which reads `Authorization: Bearer <access token>` header
+ * Creates a custom Lambda authorizer which reads `Authorization: Bearer <access token>` header
  * and verifies the token against a Cognito user pool.
  */
  | ({
     type: "COGNITO_USER_POOL";
 } & CognitoUserPoolAuthorizerProps<AuthScopesT>)
 /**
- * Creates a custom authorizer lambda which reads `Authorization: Basic <base64-encoded credentials>`
+ * Creates a custom Lambda authorizer which reads `Authorization: Basic <base64-encoded credentials>`
  * header and verifies the credentials against a given secret.
  */
  | ({
     type: "BASIC_AUTH";
 } & BasicAuthAuthorizerProps)
 /**
- * Creates a custom authorizer lambda which allows both:
+ * Creates a custom Lambda authorizer which allows both:
  * - `Authorization: Bearer <access token>` header, for which the token is checked against the
  *   given Cognito user pool
  * - `Authorization: Basic <base64-encoded credentials>` header, for which the credentials are
@@ -304,7 +305,16 @@ export type AuthorizationProps<AuthScopesT extends string = string> =
  */
  | ({
     type: "COGNITO_USER_POOL_OR_BASIC_AUTH";
-} & CognitoUserPoolOrBasicAuthAuthorizerProps<AuthScopesT>);
+} & CognitoUserPoolOrBasicAuthAuthorizerProps<AuthScopesT>)
+/**
+ * Creates a custom authorizer with the given Lambda function. Use this if you have custom
+ * authorization logic, and the other authorizers from this construct don't meet your needs.
+ *
+ * https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html
+ */
+ | ({
+    type: "CUSTOM_LAMBDA_AUTHORIZER";
+} & CustomLambdaAuthorizerProps);
 export type CognitoUserPoolAuthorizerProps<AuthScopesT extends string = string> = {
     userPool: IUserPool;
     /**
@@ -349,54 +359,39 @@ export type CognitoUserPoolAuthorizerProps<AuthScopesT extends string = string>
 };
 export type BasicAuthAuthorizerProps = {
     /**
-     * Name of secret in AWS Secrets Manager that stores basic auth credentials. The secret value
-     * should follow this format:
-     * ```json
-     * { "username": "<username>", "password": "<password>" }
-     * ```
-     *
-     * The following format is also supported:
-     * ```json
-     * { "credentials": "[\"<encoded-credential-1>\",\"<encoded-credential-2>\"]" }
-     * ```
-     * ...consisting of:
-     * - A single key, `credentials`
-     * - With a _string_ value
-     * - Which is a stringified, escaped JSON array of base64-encoded credentials
-     * - In which each element is encoded from `<username>:<password>`
-     *
-     * If the secret is on this format, the authorizer will match the request's Authorization header
-     * against any one of these encoded credentials.
-     *
-     * The reason that this second format stores stringified JSON _inside_ JSON, is due to a
-     * limitation in Liflig's `load-secrets` library, which only allows storing strings values.
+     * Name of secret in AWS Secrets Manager that stores basic auth credentials.
+     *
+     * The following formats are supported for the secret value:
+     * - Single username and password:
+     *   ```json
+     *   { "username": "<username>", "password": "<password>" }
+     *   ```
+     * - Array of username + password objects:
+     *   ```json
+     *   { "credentials": "[{\"username\":\"<user-1>\",\"password\":\"password-1\"},{\"username\":\"<user-2>\",\"password\":\"<password-2>\"}]" }
+     *   ```
+     *   - The value of the `credentials` field is a string, with a stringified, escaped JSON array of
+     *     objects with `username` and `password` fields.
+     *   - The reason that this second format stores stringified JSON _inside_ JSON, is due to a
+     *     limitation in Liflig's `load-secrets` library, which only allows storing string values.
+     * - Array of base64-encoded credentials:
+     *   ```json
+     *   { "credentials": "[\"<encoded-credential-1>\",\"<encoded-credential-2>\"]" }
+     *   ```
+     *   - Each element is encoded from `<username>:<password>`.
+     *   - The array is stringified for the same reason as above.
+     *
+     * If the secret uses one of the array formats, the authorizer will match the request's
+     * Authorization header against any one of the credentials.
      */
     credentialsSecretName: string;
 };
 export type CognitoUserPoolOrBasicAuthAuthorizerProps<AuthScopesT extends string = string> = {
     userPool: IUserPool;
     /**
-     * Name of secret in AWS Secrets Manager that stores basic auth credentials. The secret value
-     * should follow this format:
-     * ```json
-     * { "username": "<username>", "password": "<password>" }
-     * ```
-     *
-     * The following format is also supported:
-     * ```json
-     * { "credentials": "[\"<encoded-credential-1>\",\"<encoded-credential-2>\"]" }
-     * ```
-     * ...consisting of:
-     * - A single key, `credentials`
-     * - With a _string_ value
-     * - Which is a stringified, escaped JSON array of base64-encoded credentials
-     * - In which each element is encoded from `<username>:<password>`
+     * Name of secret in AWS Secrets Manager that stores basic auth credentials.
      *
-     * If the secret is on this format, the authorizer will match the request's Authorization header
-     * against any one of these encoded credentials.
-     *
-     * The reason that this second format stores stringified JSON _inside_ JSON, is due to a
-     * limitation in Liflig's `load-secrets` library, which only allows storing strings values.
+     * See {@link BasicAuthAuthorizerProps.credentialsSecretName} for the supported formats.
      */
     basicAuthCredentialsSecretName?: string;
     /**
@@ -411,6 +406,32 @@ export type CognitoUserPoolOrBasicAuthAuthorizerProps<AuthScopesT extends string
      */
     requiredScope?: AuthScopesT;
 };
+type CustomLambdaAuthorizerProps = {
+    /**
+     * The Lambda function that will be run whenever the API Gateway route is invoked, to authenticate
+     * the request. See AWS docs for more on how to write the Lambda:
+     * https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html
+     *
+     * The default response format used is `HttpLambdaResponseType.SIMPLE` (format 2.0). If you write
+     * your Lambda in TypeScript, this means that your handler must return
+     * `APIGatewaySimpleAuthorizerResult` (from the `aws-lambda` package). The request event will also
+     * use format 2.0 (`APIGatewayRequestAuthorizerEventV2` in TypeScript). See the AWS docs linked
+     * above for more details on these formats.
+     *
+     * You can override the response format type in
+     * {@link CustomLambdaAuthorizerProps.authorizerProps}.
+     *
+     * See the Lambdas under the `authorizers` folder next to the `ApiGateway` construct in
+     * `liflig-cdk` for examples.
+     */
+    lambdaAuthorizer: lambda.IFunction;
+    /**
+     * Props for the `HttpLambdaAuthorizer` construct. We provide some different defaults:
+     * - `responseTypes` defaults to `[HttpLambdaResponseType.SIMPLE]`
+     * - `resultsCacheTtl` defaults to `Duration.hours(1)`
+     */
+    authorizerProps?: Partial<authorizers.HttpLambdaAuthorizerProps>;
+};
 export type ApiGatewayAccessLogsProps = {
     /**
      * Delete the access logs if this construct is deleted?
@@ -530,3 +551,4 @@ export declare class ApiGateway<AuthScopesT extends string = string> extends con
      */
     grantInvoke(target: iam.IGrantable): void;
 }
+export {};