cdk-factory 0.7.27__py3-none-any.whl → 0.7.28__py3-none-any.whl

cdk_factory/stack_library/api_gateway/api_gateway_stack.py

@@ -349,113 +349,36 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
 
     def _validate_authorization_configuration(self, route, has_cognito_authorizer):
         """
-        Validate authorization configuration for security and clarity.
-
-        This method implements 'secure by default' with explicit overrides:
-        - If Cognito is available and route wants NONE auth, requires explicit override
-        - If Cognito is not available and route wants COGNITO auth, raises error
-        - Provides verbose warnings for monitoring and security awareness
-
-        Args:
-            route (dict): Route configuration
-            has_cognito_authorizer (bool): Whether a Cognito authorizer is configured
-
-        Raises:
-            ValueError: When there are security conflicts without explicit overrides
+        Validate authorization configuration using the shared utility method.
+        
+        This delegates to the ApiGatewayIntegrationUtility for consistent validation
+        across both API Gateway stack and Lambda stack patterns.
         """
-        import logging
-
-        auth_type = str(route.get("authorization_type", "COGNITO")).upper()
-        explicit_override = (
-            str(route.get("allow_public_override", False)).lower() == "true"
+        # Convert route dict to ApiGatewayConfigRouteConfig for utility validation
+        # Map "path" to "route" for compatibility with the config object
+        route_config_dict = dict(route)  # Create a copy
+        if "path" in route_config_dict:
+            route_config_dict["route"] = route_config_dict["path"]
+        
+        api_route_config = ApiGatewayConfigRouteConfig(route_config_dict)
+        
+        # Use the utility's enhanced validation method
+        validated_config = self.integration_utility._validate_and_adjust_authorization_configuration(
+            api_route_config, has_cognito_authorizer
         )
-        route_path = route.get("path", "unknown")
-        method = route.get("method", "unknown")
-
-        logger = logging.getLogger(__name__)
-
-        # Case 1: Cognito available + NONE requested + No explicit override = ERROR
-        if has_cognito_authorizer and auth_type == "NONE" and not explicit_override:
-            error_msg = (
-                f"🚨 SECURITY CONFLICT DETECTED for route {route_path} ({method}):\n"
-                f"   ❌ Cognito authorizer is configured (manual or auto-import)\n"
-                f"   ❌ authorization_type is set to 'NONE' (public access)\n"
-                f"   ❌ This creates a security risk - public endpoint with auth available\n\n"
-                f"💡 SOLUTIONS:\n"
-                f"   1. Remove Cognito configuration if you want public access\n"
-                f"   2. Add 'allow_public_override': true to explicitly allow public access\n"
-                f"   3. Remove 'authorization_type': 'NONE' to use secure Cognito auth\n\n"
-                f"🔒 This prevents accidental public endpoints when authentication is available.\n\n"
-                f"👉 ApiGatewayStack documentation for more details: https://github.com/your-repo/api-gateway-stack"
-            )
-            raise ValueError(error_msg)
-
-        # Case 2: No Cognito + COGNITO explicitly requested = ERROR
-        # Only error if COGNITO was explicitly requested, not if it's the default
-        if not has_cognito_authorizer and route.get("authorization_type") == "COGNITO":
-            error_msg = (
-                f"🚨 CONFIGURATION ERROR for route {route_path} ({method}):\n"
-                f"   ❌ authorization_type is explicitly set to 'COGNITO' but no Cognito authorizer configured\n"
-                f"   ❌ Cannot secure endpoint without authentication provider\n\n"
-                f"💡 SOLUTIONS:\n"
-                f"   1. Add Cognito configuration to enable authentication\n"
-                f"   2. Set authorization_type to 'NONE' for public access\n"
-                f"   3. Configure SSM auto-import for user_pool_arn\n"
-                f"   4. Remove explicit authorization_type to use default behavior"
-            )
-            raise ValueError(error_msg)
-
-        # Case 3: Cognito available + NONE requested + Explicit override = WARN
-        if has_cognito_authorizer and auth_type == "NONE" and explicit_override:
-            warning_msg = (
-                f"⚠️  PUBLIC ENDPOINT CONFIGURED: {route_path} ({method})\n"
-                f"   🔓 This endpoint is intentionally public (allow_public_override: true)\n"
-                f"   🔐 Cognito authentication is available but overridden\n"
-                f"   📊 Consider monitoring this endpoint for unexpected usage patterns\n"
-                f"   🔍 Review periodically: Should this endpoint be secured?"
-            )
-
-            # Print to console during deployment for visibility
-            print(warning_msg)
-
-            # Structured logging for monitoring and metrics
-            logger.warning(
-                "Public endpoint configured with Cognito available",
-                extra={
-                    "route": route_path,
-                    "method": method,
-                    "security_override": True,
-                    "cognito_available": True,
-                    "authorization_type": "NONE",
-                    "metric_name": "public_endpoint_with_cognito",
-                    "security_decision": "intentional_public",
-                    "recommendation": "review_periodically",
-                },
-            )
-
-        # Case 4: No Cognito + NONE = INFO (expected for public-only APIs)
-        if not has_cognito_authorizer and auth_type == "NONE":
-            logger.info(
-                f"Public endpoint configured (no Cognito available): {route_path} ({method})",
-                extra={
-                    "route": route_path,
-                    "method": method,
-                    "authorization_type": "NONE",
-                    "cognito_available": False,
-                    "security_decision": "public_only_api",
-                },
-            )
+        
+        # Return the validated authorization type for use in the stack
+        return validated_config.authorization_type
 
     def _setup_lambda_integration(
         self, api_gateway, api_id, route, lambda_fn, authorizer, suffix
     ):
         """Setup Lambda integration for a route"""
-        import logging
-
         route_path = route["path"]
-        # Secure by default: require Cognito authorization unless explicitly set to NONE
+        
+        # Handle authorization type fallback logic before validation
         authorization_type = route.get("authorization_type", "COGNITO")
-
+        
         # If no Cognito authorizer available and default COGNITO, fall back to NONE
         if (
             not authorizer
@@ -463,14 +386,22 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
             and "authorization_type" not in route
         ):
             authorization_type = "NONE"
+            import logging
             logger = logging.getLogger(__name__)
             logger.info(
                 f"No Cognito authorizer available for route {route_path} ({route.get('method', 'unknown')}), "
                 f"defaulting to public access (NONE authorization)"
             )
-
-        # Validate authorization configuration for security
-        self._validate_authorization_configuration(route, authorizer is not None)
+        
+        # Create a route config with the resolved authorization type for validation
+        route_for_validation = dict(route)
+        route_for_validation["authorization_type"] = authorization_type
+        
+        # Validate authorization configuration using the utility
+        validated_authorization_type = self._validate_authorization_configuration(route_for_validation, authorizer is not None)
+        
+        # Use the validated authorization type
+        authorization_type = validated_authorization_type
 
         # If set to NONE (explicitly or by fallback), skip authorization
         if authorization_type == "NONE":
@@ -487,6 +418,7 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
                     "user_pool_id": (
                         os.getenv("COGNITO_USER_POOL_ID") if authorizer else None
                     ),
+                    "allow_public_override": route.get("allow_public_override", False),
                 }
             )
 
@@ -508,12 +440,11 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
         self, api_gateway, route, lambda_fn, authorizer, api_id, suffix
     ):
         """Setup fallback Lambda integration for routes without src"""
-        import logging
-
         route_path = route["path"]
-        # Secure by default: require Cognito authorization unless explicitly set to NONE
+        
+        # Handle authorization type fallback logic before validation
         authorization_type = route.get("authorization_type", "COGNITO")
-
+        
         # If no Cognito authorizer available and default COGNITO, fall back to NONE
         if (
             not authorizer
@@ -521,14 +452,22 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
             and "authorization_type" not in route
         ):
             authorization_type = "NONE"
+            import logging
             logger = logging.getLogger(__name__)
             logger.info(
                 f"No Cognito authorizer available for route {route_path} ({route.get('method', 'unknown')}), "
                 f"defaulting to public access (NONE authorization)"
             )
-
-        # Validate authorization configuration for security
-        self._validate_authorization_configuration(route, authorizer is not None)
+        
+        # Create a route config with the resolved authorization type for validation
+        route_for_validation = dict(route)
+        route_for_validation["authorization_type"] = authorization_type
+        
+        # Validate authorization configuration using the utility
+        validated_authorization_type = self._validate_authorization_configuration(route_for_validation, authorizer is not None)
+        
+        # Use the validated authorization type
+        authorization_type = validated_authorization_type
 
         resource = (
             api_gateway.root.resource_for_path(route_path)

cdk_factory/utilities/api_gateway_integration_utility.py

@@ -1382,15 +1382,19 @@ class ApiGatewayIntegrationUtility:
         modified_config = deepcopy(api_config)
 
         auth_type = str(getattr(api_config, "authorization_type", "COGNITO")).upper()
-
-        # Check for explicit override flag
-        explicit_override = (
-            str(getattr(api_config, "allow_public_override", False)).lower() == "true"
-        )
-
         route_path = getattr(api_config, "routes", "unknown")
         method = getattr(api_config, "method", "unknown")
+        
+        logger = logging.getLogger(__name__)
 
+        # Check for explicit override flag
+        explicit_override = getattr(api_config, "allow_public_override", False)
+        # Handle both boolean and string values
+        if isinstance(explicit_override, str):
+            explicit_override = explicit_override.lower() in ("true", "1", "yes")
+        else:
+            explicit_override = bool(explicit_override)
+        
         logger = logging.getLogger(__name__)
 
         # Case 1: Cognito available + NONE requested + No explicit override = ERROR

cdk_factory/version.py

@@ -1 +1 @@
-__version__ = "0.7.27"
+__version__ = "0.7.28"

{cdk_factory-0.7.27.dist-info → cdk_factory-0.7.28.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.7.27
+Version: 0.7.28
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.7.27.dist-info → cdk_factory-0.7.28.dist-info}/RECORD

@@ -1,7 +1,7 @@
 cdk_factory/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cdk_factory/app.py,sha256=xv863N7O6HPKznB68_t7O4la9JacrkG87t9TjoDUk7s,2827
 cdk_factory/cdk.json,sha256=SKZKhJ2PBpFH78j-F8S3VDYW-lf76--Q2I3ON-ZIQfw,3106
-cdk_factory/version.py,sha256=fHi3FiqQRMkjl3o8ATyV9gZrBSNTVvt5m0WxJ-NYHTA,23
+cdk_factory/version.py,sha256=zxRa3gUEpxj8fTU5qOT60NDmCfmdbg7_Z6ZkpKAhrNg,23
 cdk_factory/builds/README.md,sha256=9BBWd7bXpyKdMU_g2UljhQwrC9i5O_Tvkb6oPvndoZk,90
 cdk_factory/commands/command_loader.py,sha256=QbLquuP_AdxtlxlDy-2IWCQ6D-7qa58aphnDPtp_uTs,3744
 cdk_factory/configurations/base_config.py,sha256=JKjhNsy0RCUZy1s8n5D_aXXI-upR9izaLtCTfKYiV9k,9624
@@ -72,7 +72,7 @@ cdk_factory/stack/stack_module_registry.py,sha256=J14-A75VZESzRQa8p-Fepdap7Z8T7m
 cdk_factory/stack/stack_modules.py,sha256=kgEK-j0smZPozVwTCfM1g1V17EyTBT0TXAQZq4vZz0o,784
 cdk_factory/stack_library/__init__.py,sha256=5Y9TpIe8ZK1688G60PGcuP-hM0RvYEY_3Hl2qJCJJrw,581
 cdk_factory/stack_library/stack_base.py,sha256=tTleSFmlf26DuKVF_ytftf8P7IVWb5iex8cYfYupfvQ,4940
-cdk_factory/stack_library/api_gateway/api_gateway_stack.py,sha256=-K9ybNHpjycw4wtaiWbMm9dLCYPYoaqlakgBIQyotCk,35632
+cdk_factory/stack_library/api_gateway/api_gateway_stack.py,sha256=83oV1pSFfb68mH4CH3mz0SERiiihpbPCsKK9zHgjvyE,32490
 cdk_factory/stack_library/auto_scaling/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cdk_factory/stack_library/auto_scaling/auto_scaling_stack.py,sha256=UsFqUb_3XPJAlmZ6F75nXna3elOggD1KuFmmdmhi0Lg,19070
 cdk_factory/stack_library/aws_lambdas/lambda_stack.py,sha256=xT8-799fSXMpYaRhRKytxsbpb5EG3g2h6L822_RpRSk,22956
@@ -97,7 +97,7 @@ cdk_factory/stack_library/vpc/__init__.py,sha256=7pIqP97Gf2AJbv9Ebp1WbQGHYhgEbWJ
 cdk_factory/stack_library/vpc/vpc_stack.py,sha256=zdDiGilf03esxuya5Z8zVYSVMAIuZBeD-ZKgfnEd6aw,10077
 cdk_factory/stack_library/websites/static_website_stack.py,sha256=KBQiV6PI09mpHGtH-So5Hk3uhfFLDepoXInGbfin0cY,7938
 cdk_factory/stages/websites/static_website_stage.py,sha256=X4fpKXkhb0zIbSHx3QyddBhVSLBryb1vf1Cg2fMTqog,755
-cdk_factory/utilities/api_gateway_integration_utility.py,sha256=LSfw2lNtJWMsRiaHf4FLiGHRgFPm-fOUhN2YJNHtxnI,62346
+cdk_factory/utilities/api_gateway_integration_utility.py,sha256=LvsgUaipghTte4FZj1xHRn_O1KoFJGivGhtHxFJI2sc,62607
 cdk_factory/utilities/commandline_args.py,sha256=0FiNEJFbWVN8Ct7r0VHnJEx7rhUlaRKT7R7HMNJBSTI,2216
 cdk_factory/utilities/configuration_loader.py,sha256=z0ZdGLNbTO4_yfluB9zUh_i_Poc9qj-7oRyjMRlNkN8,1522
 cdk_factory/utilities/docker_utilities.py,sha256=9r8C-lXYpymqEfi3gTeWCQzHldvfjttPqn6p3j2khTE,8111
@@ -109,7 +109,7 @@ cdk_factory/utilities/lambda_function_utilities.py,sha256=j3tBdv_gC2MdEwBINDwAqY
 cdk_factory/utilities/os_execute.py,sha256=5Op0LY_8Y-pUm04y1k8MTpNrmQvcLmQHPQITEP7EuSU,1019
 cdk_factory/utils/api_gateway_utilities.py,sha256=If7Xu5s_UxmuV-kL3JkXxPLBdSVUKoLtohm0IUFoiV8,4378
 cdk_factory/workload/workload_factory.py,sha256=yBUDGIuB8-5p_mGcVFxsD2ZoZIziak3yh3LL3JvS0M4,5903
-cdk_factory-0.7.27.dist-info/METADATA,sha256=kkqu-N4uFgjOYSenuas-fjiwtIcTNoxmRK8NR6CBsyw,2451
-cdk_factory-0.7.27.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-cdk_factory-0.7.27.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
-cdk_factory-0.7.27.dist-info/RECORD,,
+cdk_factory-0.7.28.dist-info/METADATA,sha256=kkMbOLCrFJA_nNSeJiE_s3w6egr9KlKXq2etML92R1U,2451
+cdk_factory-0.7.28.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+cdk_factory-0.7.28.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
+cdk_factory-0.7.28.dist-info/RECORD,,