PyPI - cdk-factory - Versions diffs - 0.7.26__tar.gz → 0.7.28__tar.gz - Mend

cdk-factory 0.7.26tar.gz → 0.7.28tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (130) hide show

{cdk_factory-0.7.26 → cdk_factory-0.7.28}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.7.26
+Version: 0.7.28
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.7.26 → cdk_factory-0.7.28}/pyproject.toml RENAMED Viewed

@@ -33,7 +33,7 @@ markers = [
 [project]
 name = "cdk_factory"
-version = "0.7.26"
+version = "0.7.28"
 authors = [
   { name="Eric Wilson", email="eric.wilson@geekcafe.com" }
 ]

{cdk_factory-0.7.26 → cdk_factory-0.7.28}/src/cdk_factory/configurations/resources/apigateway_route_config.py RENAMED Viewed

@@ -72,7 +72,7 @@ class ApiGatewayConfigRouteConfig:
     @property
     def allow_public_override(self) -> bool:
         """Whether to allow public access when Cognito is available"""
-        return self._config.get("allow_public_override", False)
+        return str(self._config.get("allow_public_override", False)).lower() == "true"
     @property
     def dictionary(self) -> Dict[str, Any]:

{cdk_factory-0.7.26 → cdk_factory-0.7.28}/src/cdk_factory/stack_library/api_gateway/api_gateway_stack.py RENAMED Viewed

@@ -349,122 +349,60 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
     def _validate_authorization_configuration(self, route, has_cognito_authorizer):
         """
-        Validate authorization configuration for security and clarity.
+        Validate authorization configuration using the shared utility method.
-        This method implements 'secure by default' with explicit overrides:
-        - If Cognito is available and route wants NONE auth, requires explicit override
-        - If Cognito is not available and route wants COGNITO auth, raises error
-        - Provides verbose warnings for monitoring and security awareness
-        Args:
-            route (dict): Route configuration
-            has_cognito_authorizer (bool): Whether a Cognito authorizer is configured
-        Raises:
-            ValueError: When there are security conflicts without explicit overrides
+        This delegates to the ApiGatewayIntegrationUtility for consistent validation
+        across both API Gateway stack and Lambda stack patterns.
         """
-        import logging
-        auth_type = route.get("authorization_type", "COGNITO")
-        explicit_override = route.get("allow_public_override", False)
-        route_path = route.get("path", "unknown")
-        method = route.get("method", "unknown")
+        # Convert route dict to ApiGatewayConfigRouteConfig for utility validation
+        # Map "path" to "route" for compatibility with the config object
+        route_config_dict = dict(route)  # Create a copy
+        if "path" in route_config_dict:
+            route_config_dict["route"] = route_config_dict["path"]
-        logger = logging.getLogger(__name__)
-        # Case 1: Cognito available + NONE requested + No explicit override = ERROR
-        if has_cognito_authorizer and auth_type == "NONE" and not explicit_override:
-            error_msg = (
-                f"🚨 SECURITY CONFLICT DETECTED for route {route_path} ({method}):\n"
-                f"   ❌ Cognito authorizer is configured (manual or auto-import)\n"
-                f"   ❌ authorization_type is set to 'NONE' (public access)\n"
-                f"   ❌ This creates a security risk - public endpoint with auth available\n\n"
-                f"💡 SOLUTIONS:\n"
-                f"   1. Remove Cognito configuration if you want public access\n"
-                f"   2. Add 'allow_public_override': true to explicitly allow public access\n"
-                f"   3. Remove 'authorization_type': 'NONE' to use secure Cognito auth\n\n"
-                f"🔒 This prevents accidental public endpoints when authentication is available."
-            )
-            raise ValueError(error_msg)
+        api_route_config = ApiGatewayConfigRouteConfig(route_config_dict)
-        # Case 2: No Cognito + COGNITO explicitly requested = ERROR
-        # Only error if COGNITO was explicitly requested, not if it's the default
-        if not has_cognito_authorizer and route.get("authorization_type") == "COGNITO":
-            error_msg = (
-                f"🚨 CONFIGURATION ERROR for route {route_path} ({method}):\n"
-                f"   ❌ authorization_type is explicitly set to 'COGNITO' but no Cognito authorizer configured\n"
-                f"   ❌ Cannot secure endpoint without authentication provider\n\n"
-                f"💡 SOLUTIONS:\n"
-                f"   1. Add Cognito configuration to enable authentication\n"
-                f"   2. Set authorization_type to 'NONE' for public access\n"
-                f"   3. Configure SSM auto-import for user_pool_arn\n"
-                f"   4. Remove explicit authorization_type to use default behavior"
-            )
-            raise ValueError(error_msg)
-        # Case 3: Cognito available + NONE requested + Explicit override = WARN
-        if has_cognito_authorizer and auth_type == "NONE" and explicit_override:
-            warning_msg = (
-                f"⚠️  PUBLIC ENDPOINT CONFIGURED: {route_path} ({method})\n"
-                f"   🔓 This endpoint is intentionally public (allow_public_override: true)\n"
-                f"   🔐 Cognito authentication is available but overridden\n"
-                f"   📊 Consider monitoring this endpoint for unexpected usage patterns\n"
-                f"   🔍 Review periodically: Should this endpoint be secured?"
-            )
-            # Print to console during deployment for visibility
-            print(warning_msg)
-            # Structured logging for monitoring and metrics
-            logger.warning(
-                "Public endpoint configured with Cognito available",
-                extra={
-                    "route": route_path,
-                    "method": method,
-                    "security_override": True,
-                    "cognito_available": True,
-                    "authorization_type": "NONE",
-                    "metric_name": "public_endpoint_with_cognito",
-                    "security_decision": "intentional_public",
-                    "recommendation": "review_periodically"
-                }
-            )
+        # Use the utility's enhanced validation method
+        validated_config = self.integration_utility._validate_and_adjust_authorization_configuration(
+            api_route_config, has_cognito_authorizer
+        )
-        # Case 4: No Cognito + NONE = INFO (expected for public-only APIs)
-        if not has_cognito_authorizer and auth_type == "NONE":
-            logger.info(
-                f"Public endpoint configured (no Cognito available): {route_path} ({method})",
-                extra={
-                    "route": route_path,
-                    "method": method,
-                    "authorization_type": "NONE",
-                    "cognito_available": False,
-                    "security_decision": "public_only_api"
-                }
-            )
+        # Return the validated authorization type for use in the stack
+        return validated_config.authorization_type
     def _setup_lambda_integration(
         self, api_gateway, api_id, route, lambda_fn, authorizer, suffix
     ):
         """Setup Lambda integration for a route"""
-        import logging
         route_path = route["path"]
-        # Secure by default: require Cognito authorization unless explicitly set to NONE
+        # Handle authorization type fallback logic before validation
         authorization_type = route.get("authorization_type", "COGNITO")
         # If no Cognito authorizer available and default COGNITO, fall back to NONE
-        if not authorizer and authorization_type == "COGNITO" and "authorization_type" not in route:
+        if (
+            not authorizer
+            and authorization_type == "COGNITO"
+            and "authorization_type" not in route
+        ):
             authorization_type = "NONE"
+            import logging
             logger = logging.getLogger(__name__)
             logger.info(
                 f"No Cognito authorizer available for route {route_path} ({route.get('method', 'unknown')}), "
                 f"defaulting to public access (NONE authorization)"
             )
-        # Validate authorization configuration for security
-        self._validate_authorization_configuration(route, authorizer is not None)
+        # Create a route config with the resolved authorization type for validation
+        route_for_validation = dict(route)
+        route_for_validation["authorization_type"] = authorization_type
+        # Validate authorization configuration using the utility
+        validated_authorization_type = self._validate_authorization_configuration(route_for_validation, authorizer is not None)
+        # Use the validated authorization type
+        authorization_type = validated_authorization_type
         # If set to NONE (explicitly or by fallback), skip authorization
         if authorization_type == "NONE":
             authorizer = None
@@ -480,6 +418,7 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
                     "user_pool_id": (
                         os.getenv("COGNITO_USER_POOL_ID") if authorizer else None
                     ),
+                    "allow_public_override": route.get("allow_public_override", False),
                 }
             )
@@ -501,23 +440,34 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
         self, api_gateway, route, lambda_fn, authorizer, api_id, suffix
     ):
         """Setup fallback Lambda integration for routes without src"""
-        import logging
         route_path = route["path"]
-        # Secure by default: require Cognito authorization unless explicitly set to NONE
+        # Handle authorization type fallback logic before validation
         authorization_type = route.get("authorization_type", "COGNITO")
         # If no Cognito authorizer available and default COGNITO, fall back to NONE
-        if not authorizer and authorization_type == "COGNITO" and "authorization_type" not in route:
+        if (
+            not authorizer
+            and authorization_type == "COGNITO"
+            and "authorization_type" not in route
+        ):
             authorization_type = "NONE"
+            import logging
             logger = logging.getLogger(__name__)
             logger.info(
                 f"No Cognito authorizer available for route {route_path} ({route.get('method', 'unknown')}), "
                 f"defaulting to public access (NONE authorization)"
             )
-        # Validate authorization configuration for security
-        self._validate_authorization_configuration(route, authorizer is not None)
+        # Create a route config with the resolved authorization type for validation
+        route_for_validation = dict(route)
+        route_for_validation["authorization_type"] = authorization_type
+        # Validate authorization configuration using the utility
+        validated_authorization_type = self._validate_authorization_configuration(route_for_validation, authorizer is not None)
+        # Use the validated authorization type
+        authorization_type = validated_authorization_type
         resource = (
             api_gateway.root.resource_for_path(route_path)

cdk-factory 0.7.26__tar.gz → 0.7.28__tar.gz

cdk-factory 0.7.26tar.gz → 0.7.28tar.gz