cdk-factory 0.7.24__tar.gz → 0.7.26__tar.gz

{cdk_factory-0.7.24 → cdk_factory-0.7.26}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.7.24
+Version: 0.7.26
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.7.24 → cdk_factory-0.7.26}/pyproject.toml

@@ -33,7 +33,7 @@ markers = [
 [project]
 
 name = "cdk_factory"
-version = "0.7.24"
+version = "0.7.26"
 authors = [
   { name="Eric Wilson", email="eric.wilson@geekcafe.com" }
 ]

{cdk_factory-0.7.24 → cdk_factory-0.7.26}/src/cdk_factory/configurations/resources/apigateway_route_config.py

@@ -68,3 +68,13 @@ class ApiGatewayConfigRouteConfig:
     def user_pool_id(self) -> str | None:
         """User pool ID for existing authorizers"""
         return self._config.get("user_pool_id")
+
+    @property
+    def allow_public_override(self) -> bool:
+        """Whether to allow public access when Cognito is available"""
+        return self._config.get("allow_public_override", False)
+
+    @property
+    def dictionary(self) -> Dict[str, Any]:
+        """Access to the underlying configuration dictionary"""
+        return self._config

{cdk_factory-0.7.24 → cdk_factory-0.7.26}/src/cdk_factory/utilities/api_gateway_integration_utility.py

@@ -54,6 +54,17 @@ class ApiGatewayIntegrationUtility:
         if not api_config:
             raise ValueError("API Gateway config is missing in Lambda function config")
 
+        # Validate authorization configuration for security
+        has_cognito_authorizer = (
+            self.authorizer is not None or 
+            self._get_existing_authorizer_id_with_ssm_fallback(api_config, stack_config) is not None
+        )
+        
+        # Apply enhanced authorization validation and fallback logic
+        api_config = self._validate_and_adjust_authorization_configuration(
+            api_config, has_cognito_authorizer
+        )
+
         # Get or create authorizer if needed (only for COGNITO_USER_POOLS authorization)
         if api_config.authorization_type != "NONE" and not self.authorizer:
             self.authorizer = self.get_or_create_authorizer(
@@ -1294,3 +1305,126 @@ class ApiGatewayIntegrationUtility:
                 api_gateways[api_key]['integrations'].append(integration)
         
         return api_gateways
+
+    def _validate_and_adjust_authorization_configuration(
+        self, api_config: ApiGatewayConfigRouteConfig, has_cognito_authorizer: bool
+    ) -> ApiGatewayConfigRouteConfig:
+        """
+        Validate and adjust authorization configuration for security and clarity.
+        
+        This method implements 'secure by default' with explicit overrides:
+        - If Cognito is available and route wants NONE auth, requires explicit override
+        - If Cognito is not available and route wants COGNITO auth, raises error
+        - Provides verbose warnings for monitoring and security awareness
+        - Returns a potentially modified api_config with adjusted authorization_type
+        
+        Args:
+            api_config (ApiGatewayConfigRouteConfig): Route configuration
+            has_cognito_authorizer (bool): Whether a Cognito authorizer is configured
+            
+        Returns:
+            ApiGatewayConfigRouteConfig: Potentially modified configuration
+            
+        Raises:
+            ValueError: When there are security conflicts without explicit overrides
+        """
+        import logging
+        from copy import deepcopy
+        
+        # Create a copy to avoid modifying the original
+        modified_config = deepcopy(api_config)
+        
+        auth_type = getattr(api_config, 'authorization_type', 'COGNITO')
+        
+        # Check for explicit override flag
+        explicit_override = getattr(api_config, 'allow_public_override', False)
+        
+        route_path = getattr(api_config, 'routes', 'unknown')
+        method = getattr(api_config, 'method', 'unknown')
+        
+        logger = logging.getLogger(__name__)
+        
+        # Case 1: Cognito available + NONE requested + No explicit override = ERROR
+        if has_cognito_authorizer and auth_type == "NONE" and not explicit_override:
+            error_msg = (
+                f"🚨 SECURITY CONFLICT DETECTED for route {route_path} ({method}):\n"
+                f"   ❌ Cognito authorizer is configured (manual or auto-import)\n"
+                f"   ❌ authorization_type is set to 'NONE' (public access)\n"
+                f"   ❌ This creates a security risk - public endpoint with auth available\n\n"
+                f"💡 SOLUTIONS:\n"
+                f"   1. Remove Cognito configuration if you want public access\n"
+                f"   2. Add 'allow_public_override': true to explicitly allow public access\n"
+                f"   3. Remove 'authorization_type': 'NONE' to use secure Cognito auth\n\n"
+                f"🔒 This prevents accidental public endpoints when authentication is available."
+            )
+            raise ValueError(error_msg)
+        
+        # Case 2: No Cognito + COGNITO explicitly requested = ERROR  
+        # Only error if COGNITO was explicitly requested, not if it's the default
+        original_auth_type = None
+        if hasattr(api_config, 'dictionary') and api_config.dictionary:
+            original_auth_type = api_config.dictionary.get('authorization_type')
+        
+        if not has_cognito_authorizer and original_auth_type == "COGNITO":
+            error_msg = (
+                f"🚨 CONFIGURATION ERROR for route {route_path} ({method}):\n"
+                f"   ❌ authorization_type is explicitly set to 'COGNITO' but no Cognito authorizer configured\n"
+                f"   ❌ Cannot secure endpoint without authentication provider\n\n"
+                f"💡 SOLUTIONS:\n"
+                f"   1. Add Cognito configuration to enable authentication\n"
+                f"   2. Set authorization_type to 'NONE' for public access\n"
+                f"   3. Configure SSM auto-import for user_pool_arn\n"
+                f"   4. Remove explicit authorization_type to use default behavior"
+            )
+            raise ValueError(error_msg)
+        
+        # Case 3: Cognito available + NONE requested + Explicit override = WARN
+        if has_cognito_authorizer and auth_type == "NONE" and explicit_override:
+            warning_msg = (
+                f"⚠️  PUBLIC ENDPOINT CONFIGURED: {route_path} ({method})\n"
+                f"   🔓 This endpoint is intentionally public (allow_public_override: true)\n"
+                f"   🔐 Cognito authentication is available but overridden\n"
+                f"   📊 Consider monitoring this endpoint for unexpected usage patterns\n"
+                f"   🔍 Review periodically: Should this endpoint be secured?"
+            )
+            
+            # Print to console during deployment for visibility
+            print(warning_msg)
+            
+            # Structured logging for monitoring and metrics
+            logger.warning(
+                "Public endpoint configured with Cognito available",
+                extra={
+                    "route": route_path,
+                    "method": method,
+                    "security_override": True,
+                    "cognito_available": True,
+                    "authorization_type": "NONE",
+                    "metric_name": "public_endpoint_with_cognito",
+                    "security_decision": "intentional_public",
+                    "recommendation": "review_periodically"
+                }
+            )
+        
+        # Case 4: No Cognito + default COGNITO = Fall back to NONE
+        if not has_cognito_authorizer and auth_type == "COGNITO" and original_auth_type is None:
+            modified_config.authorization_type = "NONE"
+            logger.info(
+                f"No Cognito authorizer available for route {route_path} ({method}), "
+                f"defaulting to public access (NONE authorization)"
+            )
+        
+        # Case 5: No Cognito + NONE = INFO (expected for public-only APIs)
+        if not has_cognito_authorizer and auth_type == "NONE":
+            logger.info(
+                f"Public endpoint configured (no Cognito available): {route_path} ({method})",
+                extra={
+                    "route": route_path,
+                    "method": method,
+                    "authorization_type": "NONE",
+                    "cognito_available": False,
+                    "security_decision": "public_only_api"
+                }
+            )
+        
+        return modified_config

cdk_factory-0.7.26/src/cdk_factory/version.py

@@ -0,0 +1 @@
+__version__ = "0.7.26"

cdk_factory-0.7.24/src/cdk_factory/version.py

@@ -1 +0,0 @@
-__version__ = "0.7.24"