cdk-factory 0.7.24__py3-none-any.whl → 0.7.26__py3-none-any.whl

cdk_factory/configurations/resources/apigateway_route_config.py

@@ -68,3 +68,13 @@ class ApiGatewayConfigRouteConfig:
     def user_pool_id(self) -> str | None:
         """User pool ID for existing authorizers"""
         return self._config.get("user_pool_id")
+
+    @property
+    def allow_public_override(self) -> bool:
+        """Whether to allow public access when Cognito is available"""
+        return self._config.get("allow_public_override", False)
+
+    @property
+    def dictionary(self) -> Dict[str, Any]:
+        """Access to the underlying configuration dictionary"""
+        return self._config

cdk_factory/utilities/api_gateway_integration_utility.py

@@ -54,6 +54,17 @@ class ApiGatewayIntegrationUtility:
         if not api_config:
             raise ValueError("API Gateway config is missing in Lambda function config")
 
+        # Validate authorization configuration for security
+        has_cognito_authorizer = (
+            self.authorizer is not None or 
+            self._get_existing_authorizer_id_with_ssm_fallback(api_config, stack_config) is not None
+        )
+        
+        # Apply enhanced authorization validation and fallback logic
+        api_config = self._validate_and_adjust_authorization_configuration(
+            api_config, has_cognito_authorizer
+        )
+
         # Get or create authorizer if needed (only for COGNITO_USER_POOLS authorization)
         if api_config.authorization_type != "NONE" and not self.authorizer:
             self.authorizer = self.get_or_create_authorizer(
@@ -1294,3 +1305,126 @@ class ApiGatewayIntegrationUtility:
                 api_gateways[api_key]['integrations'].append(integration)
         
         return api_gateways
+
+    def _validate_and_adjust_authorization_configuration(
+        self, api_config: ApiGatewayConfigRouteConfig, has_cognito_authorizer: bool
+    ) -> ApiGatewayConfigRouteConfig:
+        """
+        Validate and adjust authorization configuration for security and clarity.
+        
+        This method implements 'secure by default' with explicit overrides:
+        - If Cognito is available and route wants NONE auth, requires explicit override
+        - If Cognito is not available and route wants COGNITO auth, raises error
+        - Provides verbose warnings for monitoring and security awareness
+        - Returns a potentially modified api_config with adjusted authorization_type
+        
+        Args:
+            api_config (ApiGatewayConfigRouteConfig): Route configuration
+            has_cognito_authorizer (bool): Whether a Cognito authorizer is configured
+            
+        Returns:
+            ApiGatewayConfigRouteConfig: Potentially modified configuration
+            
+        Raises:
+            ValueError: When there are security conflicts without explicit overrides
+        """
+        import logging
+        from copy import deepcopy
+        
+        # Create a copy to avoid modifying the original
+        modified_config = deepcopy(api_config)
+        
+        auth_type = getattr(api_config, 'authorization_type', 'COGNITO')
+        
+        # Check for explicit override flag
+        explicit_override = getattr(api_config, 'allow_public_override', False)
+        
+        route_path = getattr(api_config, 'routes', 'unknown')
+        method = getattr(api_config, 'method', 'unknown')
+        
+        logger = logging.getLogger(__name__)
+        
+        # Case 1: Cognito available + NONE requested + No explicit override = ERROR
+        if has_cognito_authorizer and auth_type == "NONE" and not explicit_override:
+            error_msg = (
+                f"🚨 SECURITY CONFLICT DETECTED for route {route_path} ({method}):\n"
+                f"   ❌ Cognito authorizer is configured (manual or auto-import)\n"
+                f"   ❌ authorization_type is set to 'NONE' (public access)\n"
+                f"   ❌ This creates a security risk - public endpoint with auth available\n\n"
+                f"💡 SOLUTIONS:\n"
+                f"   1. Remove Cognito configuration if you want public access\n"
+                f"   2. Add 'allow_public_override': true to explicitly allow public access\n"
+                f"   3. Remove 'authorization_type': 'NONE' to use secure Cognito auth\n\n"
+                f"🔒 This prevents accidental public endpoints when authentication is available."
+            )
+            raise ValueError(error_msg)
+        
+        # Case 2: No Cognito + COGNITO explicitly requested = ERROR  
+        # Only error if COGNITO was explicitly requested, not if it's the default
+        original_auth_type = None
+        if hasattr(api_config, 'dictionary') and api_config.dictionary:
+            original_auth_type = api_config.dictionary.get('authorization_type')
+        
+        if not has_cognito_authorizer and original_auth_type == "COGNITO":
+            error_msg = (
+                f"🚨 CONFIGURATION ERROR for route {route_path} ({method}):\n"
+                f"   ❌ authorization_type is explicitly set to 'COGNITO' but no Cognito authorizer configured\n"
+                f"   ❌ Cannot secure endpoint without authentication provider\n\n"
+                f"💡 SOLUTIONS:\n"
+                f"   1. Add Cognito configuration to enable authentication\n"
+                f"   2. Set authorization_type to 'NONE' for public access\n"
+                f"   3. Configure SSM auto-import for user_pool_arn\n"
+                f"   4. Remove explicit authorization_type to use default behavior"
+            )
+            raise ValueError(error_msg)
+        
+        # Case 3: Cognito available + NONE requested + Explicit override = WARN
+        if has_cognito_authorizer and auth_type == "NONE" and explicit_override:
+            warning_msg = (
+                f"⚠️  PUBLIC ENDPOINT CONFIGURED: {route_path} ({method})\n"
+                f"   🔓 This endpoint is intentionally public (allow_public_override: true)\n"
+                f"   🔐 Cognito authentication is available but overridden\n"
+                f"   📊 Consider monitoring this endpoint for unexpected usage patterns\n"
+                f"   🔍 Review periodically: Should this endpoint be secured?"
+            )
+            
+            # Print to console during deployment for visibility
+            print(warning_msg)
+            
+            # Structured logging for monitoring and metrics
+            logger.warning(
+                "Public endpoint configured with Cognito available",
+                extra={
+                    "route": route_path,
+                    "method": method,
+                    "security_override": True,
+                    "cognito_available": True,
+                    "authorization_type": "NONE",
+                    "metric_name": "public_endpoint_with_cognito",
+                    "security_decision": "intentional_public",
+                    "recommendation": "review_periodically"
+                }
+            )
+        
+        # Case 4: No Cognito + default COGNITO = Fall back to NONE
+        if not has_cognito_authorizer and auth_type == "COGNITO" and original_auth_type is None:
+            modified_config.authorization_type = "NONE"
+            logger.info(
+                f"No Cognito authorizer available for route {route_path} ({method}), "
+                f"defaulting to public access (NONE authorization)"
+            )
+        
+        # Case 5: No Cognito + NONE = INFO (expected for public-only APIs)
+        if not has_cognito_authorizer and auth_type == "NONE":
+            logger.info(
+                f"Public endpoint configured (no Cognito available): {route_path} ({method})",
+                extra={
+                    "route": route_path,
+                    "method": method,
+                    "authorization_type": "NONE",
+                    "cognito_available": False,
+                    "security_decision": "public_only_api"
+                }
+            )
+        
+        return modified_config

cdk_factory/version.py

@@ -1 +1 @@
-__version__ = "0.7.24"
+__version__ = "0.7.26"

{cdk_factory-0.7.24.dist-info → cdk_factory-0.7.26.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.7.24
+Version: 0.7.26
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.7.24.dist-info → cdk_factory-0.7.26.dist-info}/RECORD

@@ -1,7 +1,7 @@
 cdk_factory/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cdk_factory/app.py,sha256=xv863N7O6HPKznB68_t7O4la9JacrkG87t9TjoDUk7s,2827
 cdk_factory/cdk.json,sha256=SKZKhJ2PBpFH78j-F8S3VDYW-lf76--Q2I3ON-ZIQfw,3106
-cdk_factory/version.py,sha256=6LhdCdekRyhf1ou0xLzDta4kGS27Isdvy5haWR1XJoc,23
+cdk_factory/version.py,sha256=bdHnwFVnv19lO1d9o0Rjk5Js7MqJglg3CX1USYBiklY,23
 cdk_factory/builds/README.md,sha256=9BBWd7bXpyKdMU_g2UljhQwrC9i5O_Tvkb6oPvndoZk,90
 cdk_factory/commands/command_loader.py,sha256=QbLquuP_AdxtlxlDy-2IWCQ6D-7qa58aphnDPtp_uTs,3744
 cdk_factory/configurations/base_config.py,sha256=JKjhNsy0RCUZy1s8n5D_aXXI-upR9izaLtCTfKYiV9k,9624
@@ -18,7 +18,7 @@ cdk_factory/configurations/stack.py,sha256=7whhC48dUYw7BBFV49zM1Q3AghTNkaiDfy4kK
 cdk_factory/configurations/workload.py,sha256=sM-B6UKOdOn5_H-eWmW03J9oa8YZZmO0bvQ69wbCM0Q,7756
 cdk_factory/configurations/resources/_resources.py,sha256=tnXGn4kEC0JPQaTWB3QpAZG-2hIGBtugHTzuKn1OTvE,2548
 cdk_factory/configurations/resources/api_gateway.py,sha256=-k4hMGszIdQLb5DGmWBIPy49YGutp8zczafRh-Vob0I,4904
-cdk_factory/configurations/resources/apigateway_route_config.py,sha256=R7ZUz8aZ37HdzL5aSqLB624KsQ7-kp713NGuBnU0x_4,1982
+cdk_factory/configurations/resources/apigateway_route_config.py,sha256=fESVFKEKBj-EdkxB-iyDcA43FY1fX9Ow1QedH6UCm2I,2328
 cdk_factory/configurations/resources/auto_scaling.py,sha256=OAVl8iUdHiOYVzme1qNDwA3w2raxDNUo_W2_Vebqtx8,5005
 cdk_factory/configurations/resources/cloudfront.py,sha256=xwDIrYQDqQMgekXSJ5vrgNXIUCfY6O8aiybE5ewwijw,1055
 cdk_factory/configurations/resources/cloudwatch_widget.py,sha256=EdEQSXUkDtoY_Mg_cJBWo1Hp84jSiK7U9tsd3k1VhKI,1271
@@ -97,7 +97,7 @@ cdk_factory/stack_library/vpc/__init__.py,sha256=7pIqP97Gf2AJbv9Ebp1WbQGHYhgEbWJ
 cdk_factory/stack_library/vpc/vpc_stack.py,sha256=zdDiGilf03esxuya5Z8zVYSVMAIuZBeD-ZKgfnEd6aw,10077
 cdk_factory/stack_library/websites/static_website_stack.py,sha256=KBQiV6PI09mpHGtH-So5Hk3uhfFLDepoXInGbfin0cY,7938
 cdk_factory/stages/websites/static_website_stage.py,sha256=X4fpKXkhb0zIbSHx3QyddBhVSLBryb1vf1Cg2fMTqog,755
-cdk_factory/utilities/api_gateway_integration_utility.py,sha256=RdStGFueFFDR_j1zHX-d55czZKf_lP-_Ty_5-XLPQXg,55224
+cdk_factory/utilities/api_gateway_integration_utility.py,sha256=QlIGmWAJShDMTy7mIJeQDyHr59jP7EKQQOFXTNCQJA4,61923
 cdk_factory/utilities/commandline_args.py,sha256=0FiNEJFbWVN8Ct7r0VHnJEx7rhUlaRKT7R7HMNJBSTI,2216
 cdk_factory/utilities/configuration_loader.py,sha256=z0ZdGLNbTO4_yfluB9zUh_i_Poc9qj-7oRyjMRlNkN8,1522
 cdk_factory/utilities/docker_utilities.py,sha256=9r8C-lXYpymqEfi3gTeWCQzHldvfjttPqn6p3j2khTE,8111
@@ -109,7 +109,7 @@ cdk_factory/utilities/lambda_function_utilities.py,sha256=j3tBdv_gC2MdEwBINDwAqY
 cdk_factory/utilities/os_execute.py,sha256=5Op0LY_8Y-pUm04y1k8MTpNrmQvcLmQHPQITEP7EuSU,1019
 cdk_factory/utils/api_gateway_utilities.py,sha256=If7Xu5s_UxmuV-kL3JkXxPLBdSVUKoLtohm0IUFoiV8,4378
 cdk_factory/workload/workload_factory.py,sha256=yBUDGIuB8-5p_mGcVFxsD2ZoZIziak3yh3LL3JvS0M4,5903
-cdk_factory-0.7.24.dist-info/METADATA,sha256=arpwSUyP9MEQqdJM6dkFtxxq0Q3o3PvjutwymPmzV8g,2451
-cdk_factory-0.7.24.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-cdk_factory-0.7.24.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
-cdk_factory-0.7.24.dist-info/RECORD,,
+cdk_factory-0.7.26.dist-info/METADATA,sha256=33JcY3G617lMyKEaMalJobLMN5SQdNSqCSdHp5pgeDc,2451
+cdk_factory-0.7.26.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+cdk_factory-0.7.26.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
+cdk_factory-0.7.26.dist-info/RECORD,,