PyPI - cdk-factory - Versions diffs - 0.7.27__py3-none-any.whl → 0.7.29__py3-none-any.whl - Mend

cdk-factory 0.7.27py3-none-any.whl → 0.7.29py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

cdk_factory/stack_library/api_gateway/api_gateway_stack.py CHANGED Viewed

@@ -349,113 +349,36 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
     def _validate_authorization_configuration(self, route, has_cognito_authorizer):
         """
-        Validate authorization configuration for security and clarity.
-        This method implements 'secure by default' with explicit overrides:
-        - If Cognito is available and route wants NONE auth, requires explicit override
-        - If Cognito is not available and route wants COGNITO auth, raises error
-        - Provides verbose warnings for monitoring and security awareness
-        Args:
-            route (dict): Route configuration
-            has_cognito_authorizer (bool): Whether a Cognito authorizer is configured
-        Raises:
-            ValueError: When there are security conflicts without explicit overrides
+        Validate authorization configuration using the shared utility method.
+        This delegates to the ApiGatewayIntegrationUtility for consistent validation
+        across both API Gateway stack and Lambda stack patterns.
         """
-        import logging
-        auth_type = str(route.get("authorization_type", "COGNITO")).upper()
-        explicit_override = (
-            str(route.get("allow_public_override", False)).lower() == "true"
+        # Convert route dict to ApiGatewayConfigRouteConfig for utility validation
+        # Map "path" to "route" for compatibility with the config object
+        route_config_dict = dict(route)  # Create a copy
+        if "path" in route_config_dict:
+            route_config_dict["route"] = route_config_dict["path"]
+        api_route_config = ApiGatewayConfigRouteConfig(route_config_dict)
+        # Use the utility's enhanced validation method
+        validated_config = self.integration_utility._validate_and_adjust_authorization_configuration(
+            api_route_config, has_cognito_authorizer
         )
-        route_path = route.get("path", "unknown")
-        method = route.get("method", "unknown")
-        logger = logging.getLogger(__name__)
-        # Case 1: Cognito available + NONE requested + No explicit override = ERROR
-        if has_cognito_authorizer and auth_type == "NONE" and not explicit_override:
-            error_msg = (
-                f"🚨 SECURITY CONFLICT DETECTED for route {route_path} ({method}):\n"
-                f"   ❌ Cognito authorizer is configured (manual or auto-import)\n"
-                f"   ❌ authorization_type is set to 'NONE' (public access)\n"
-                f"   ❌ This creates a security risk - public endpoint with auth available\n\n"
-                f"💡 SOLUTIONS:\n"
-                f"   1. Remove Cognito configuration if you want public access\n"
-                f"   2. Add 'allow_public_override': true to explicitly allow public access\n"
-                f"   3. Remove 'authorization_type': 'NONE' to use secure Cognito auth\n\n"
-                f"🔒 This prevents accidental public endpoints when authentication is available.\n\n"
-                f"👉 ApiGatewayStack documentation for more details: https://github.com/your-repo/api-gateway-stack"
-            )
-            raise ValueError(error_msg)
-        # Case 2: No Cognito + COGNITO explicitly requested = ERROR
-        # Only error if COGNITO was explicitly requested, not if it's the default
-        if not has_cognito_authorizer and route.get("authorization_type") == "COGNITO":
-            error_msg = (
-                f"🚨 CONFIGURATION ERROR for route {route_path} ({method}):\n"
-                f"   ❌ authorization_type is explicitly set to 'COGNITO' but no Cognito authorizer configured\n"
-                f"   ❌ Cannot secure endpoint without authentication provider\n\n"
-                f"💡 SOLUTIONS:\n"
-                f"   1. Add Cognito configuration to enable authentication\n"
-                f"   2. Set authorization_type to 'NONE' for public access\n"
-                f"   3. Configure SSM auto-import for user_pool_arn\n"
-                f"   4. Remove explicit authorization_type to use default behavior"
-            )
-            raise ValueError(error_msg)
-        # Case 3: Cognito available + NONE requested + Explicit override = WARN
-        if has_cognito_authorizer and auth_type == "NONE" and explicit_override:
-            warning_msg = (
-                f"⚠️  PUBLIC ENDPOINT CONFIGURED: {route_path} ({method})\n"
-                f"   🔓 This endpoint is intentionally public (allow_public_override: true)\n"
-                f"   🔐 Cognito authentication is available but overridden\n"
-                f"   📊 Consider monitoring this endpoint for unexpected usage patterns\n"
-                f"   🔍 Review periodically: Should this endpoint be secured?"
-            )
-            # Print to console during deployment for visibility
-            print(warning_msg)
-            # Structured logging for monitoring and metrics
-            logger.warning(
-                "Public endpoint configured with Cognito available",
-                extra={
-                    "route": route_path,
-                    "method": method,
-                    "security_override": True,
-                    "cognito_available": True,
-                    "authorization_type": "NONE",
-                    "metric_name": "public_endpoint_with_cognito",
-                    "security_decision": "intentional_public",
-                    "recommendation": "review_periodically",
-                },
-            )
-        # Case 4: No Cognito + NONE = INFO (expected for public-only APIs)
-        if not has_cognito_authorizer and auth_type == "NONE":
-            logger.info(
-                f"Public endpoint configured (no Cognito available): {route_path} ({method})",
-                extra={
-                    "route": route_path,
-                    "method": method,
-                    "authorization_type": "NONE",
-                    "cognito_available": False,
-                    "security_decision": "public_only_api",
-                },
-            )
+        # Return the validated authorization type for use in the stack
+        return validated_config.authorization_type
     def _setup_lambda_integration(
         self, api_gateway, api_id, route, lambda_fn, authorizer, suffix
     ):
         """Setup Lambda integration for a route"""
-        import logging
         route_path = route["path"]
-        # Secure by default: require Cognito authorization unless explicitly set to NONE
+        # Handle authorization type fallback logic before validation
         authorization_type = route.get("authorization_type", "COGNITO")
         # If no Cognito authorizer available and default COGNITO, fall back to NONE
         if (
             not authorizer
@@ -463,14 +386,22 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
             and "authorization_type" not in route
         ):
             authorization_type = "NONE"
+            import logging
             logger = logging.getLogger(__name__)
             logger.info(
                 f"No Cognito authorizer available for route {route_path} ({route.get('method', 'unknown')}), "
                 f"defaulting to public access (NONE authorization)"
             )
-        # Validate authorization configuration for security
-        self._validate_authorization_configuration(route, authorizer is not None)
+        # Create a route config with the resolved authorization type for validation
+        route_for_validation = dict(route)
+        route_for_validation["authorization_type"] = authorization_type
+        # Validate authorization configuration using the utility
+        validated_authorization_type = self._validate_authorization_configuration(route_for_validation, authorizer is not None)
+        # Use the validated authorization type
+        authorization_type = validated_authorization_type
         # If set to NONE (explicitly or by fallback), skip authorization
         if authorization_type == "NONE":
@@ -487,6 +418,7 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
                     "user_pool_id": (
                         os.getenv("COGNITO_USER_POOL_ID") if authorizer else None
                     ),
+                    "allow_public_override": route.get("allow_public_override", False),
                 }
             )
@@ -508,12 +440,11 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
         self, api_gateway, route, lambda_fn, authorizer, api_id, suffix
     ):
         """Setup fallback Lambda integration for routes without src"""
-        import logging
         route_path = route["path"]
-        # Secure by default: require Cognito authorization unless explicitly set to NONE
+        # Handle authorization type fallback logic before validation
         authorization_type = route.get("authorization_type", "COGNITO")
         # If no Cognito authorizer available and default COGNITO, fall back to NONE
         if (
             not authorizer
@@ -521,14 +452,22 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
             and "authorization_type" not in route
         ):
             authorization_type = "NONE"
+            import logging
             logger = logging.getLogger(__name__)
             logger.info(
                 f"No Cognito authorizer available for route {route_path} ({route.get('method', 'unknown')}), "
                 f"defaulting to public access (NONE authorization)"
             )
-        # Validate authorization configuration for security
-        self._validate_authorization_configuration(route, authorizer is not None)
+        # Create a route config with the resolved authorization type for validation
+        route_for_validation = dict(route)
+        route_for_validation["authorization_type"] = authorization_type
+        # Validate authorization configuration using the utility
+        validated_authorization_type = self._validate_authorization_configuration(route_for_validation, authorizer is not None)
+        # Use the validated authorization type
+        authorization_type = validated_authorization_type
         resource = (
             api_gateway.root.resource_for_path(route_path)

cdk_factory/utilities/api_gateway_integration_utility.py CHANGED Viewed

@@ -1108,20 +1108,29 @@ class ApiGatewayIntegrationUtility:
             )
             http_method = "GET"
-        # Create method using L1 construct with existing authorizer ID
+        # Use the validated authorization type from api_config
+        auth_type = api_config.authorization_type
+        method_props = {
+            "http_method": http_method,
+            "resource_id": resource.resource_id,
+            "rest_api_id": api_gateway.rest_api_id,
+            "authorization_type": auth_type,
+            "api_key_required": api_config.api_key_required,
+            "request_parameters": api_config.request_parameters,
+            "integration": integration_props,
+        }
+        # Only add authorizer_id if authorization type is not NONE
+        if auth_type != "NONE":
+            method_props["authorizer_id"] = self._get_existing_authorizer_id_with_ssm_fallback(
+                api_config, stack_config
+            )
+        # Create method using L1 construct with validated authorization configuration
         method = apigateway.CfnMethod(
             self.scope,
             f"method-{http_method.lower()}-{resource.node.id}-existing-auth",
-            http_method=http_method,
-            resource_id=resource.resource_id,
-            rest_api_id=api_gateway.rest_api_id,
-            authorization_type="COGNITO_USER_POOLS",
-            authorizer_id=self._get_existing_authorizer_id_with_ssm_fallback(
-                api_config, stack_config
-            ),
-            api_key_required=api_config.api_key_required,
-            request_parameters=api_config.request_parameters,
-            integration=integration_props,
+            **method_props
         )
         # Add Lambda permission for API Gateway to invoke the function
@@ -1382,15 +1391,19 @@ class ApiGatewayIntegrationUtility:
         modified_config = deepcopy(api_config)
         auth_type = str(getattr(api_config, "authorization_type", "COGNITO")).upper()
-        # Check for explicit override flag
-        explicit_override = (
-            str(getattr(api_config, "allow_public_override", False)).lower() == "true"
-        )
         route_path = getattr(api_config, "routes", "unknown")
         method = getattr(api_config, "method", "unknown")
+        logger = logging.getLogger(__name__)
+        # Check for explicit override flag
+        explicit_override = getattr(api_config, "allow_public_override", False)
+        # Handle both boolean and string values
+        if isinstance(explicit_override, str):
+            explicit_override = explicit_override.lower() in ("true", "1", "yes")
+        else:
+            explicit_override = bool(explicit_override)
         logger = logging.getLogger(__name__)
         # Case 1: Cognito available + NONE requested + No explicit override = ERROR

cdk_factory/version.py CHANGED Viewed

	@@ -1 +1 @@
1	- __version__ = "0.7.27"
1	+ __version__ = "0.7.29"

{cdk_factory-0.7.27.dist-info → cdk_factory-0.7.29.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.7.27
+Version: 0.7.29
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.7.27.dist-info → cdk_factory-0.7.29.dist-info}/RECORD RENAMED Viewed

@@ -1,7 +1,7 @@
 cdk_factory/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cdk_factory/app.py,sha256=xv863N7O6HPKznB68_t7O4la9JacrkG87t9TjoDUk7s,2827
 cdk_factory/cdk.json,sha256=SKZKhJ2PBpFH78j-F8S3VDYW-lf76--Q2I3ON-ZIQfw,3106
-cdk_factory/version.py,sha256=fHi3FiqQRMkjl3o8ATyV9gZrBSNTVvt5m0WxJ-NYHTA,23
+cdk_factory/version.py,sha256=XdC0R1utqmwH52az-uz3mk0vLZyV2OyWiin3soRIguo,23
 cdk_factory/builds/README.md,sha256=9BBWd7bXpyKdMU_g2UljhQwrC9i5O_Tvkb6oPvndoZk,90
 cdk_factory/commands/command_loader.py,sha256=QbLquuP_AdxtlxlDy-2IWCQ6D-7qa58aphnDPtp_uTs,3744
 cdk_factory/configurations/base_config.py,sha256=JKjhNsy0RCUZy1s8n5D_aXXI-upR9izaLtCTfKYiV9k,9624
@@ -72,7 +72,7 @@ cdk_factory/stack/stack_module_registry.py,sha256=J14-A75VZESzRQa8p-Fepdap7Z8T7m
 cdk_factory/stack/stack_modules.py,sha256=kgEK-j0smZPozVwTCfM1g1V17EyTBT0TXAQZq4vZz0o,784
 cdk_factory/stack_library/__init__.py,sha256=5Y9TpIe8ZK1688G60PGcuP-hM0RvYEY_3Hl2qJCJJrw,581
 cdk_factory/stack_library/stack_base.py,sha256=tTleSFmlf26DuKVF_ytftf8P7IVWb5iex8cYfYupfvQ,4940
-cdk_factory/stack_library/api_gateway/api_gateway_stack.py,sha256=-K9ybNHpjycw4wtaiWbMm9dLCYPYoaqlakgBIQyotCk,35632
+cdk_factory/stack_library/api_gateway/api_gateway_stack.py,sha256=83oV1pSFfb68mH4CH3mz0SERiiihpbPCsKK9zHgjvyE,32490
 cdk_factory/stack_library/auto_scaling/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cdk_factory/stack_library/auto_scaling/auto_scaling_stack.py,sha256=UsFqUb_3XPJAlmZ6F75nXna3elOggD1KuFmmdmhi0Lg,19070
 cdk_factory/stack_library/aws_lambdas/lambda_stack.py,sha256=xT8-799fSXMpYaRhRKytxsbpb5EG3g2h6L822_RpRSk,22956
@@ -97,7 +97,7 @@ cdk_factory/stack_library/vpc/__init__.py,sha256=7pIqP97Gf2AJbv9Ebp1WbQGHYhgEbWJ
 cdk_factory/stack_library/vpc/vpc_stack.py,sha256=zdDiGilf03esxuya5Z8zVYSVMAIuZBeD-ZKgfnEd6aw,10077
 cdk_factory/stack_library/websites/static_website_stack.py,sha256=KBQiV6PI09mpHGtH-So5Hk3uhfFLDepoXInGbfin0cY,7938
 cdk_factory/stages/websites/static_website_stage.py,sha256=X4fpKXkhb0zIbSHx3QyddBhVSLBryb1vf1Cg2fMTqog,755
-cdk_factory/utilities/api_gateway_integration_utility.py,sha256=LSfw2lNtJWMsRiaHf4FLiGHRgFPm-fOUhN2YJNHtxnI,62346
+cdk_factory/utilities/api_gateway_integration_utility.py,sha256=xzKOdoKrd8AxuBWtV8uFa3r6I7wSKdC74m7tewBhzT8,62933
 cdk_factory/utilities/commandline_args.py,sha256=0FiNEJFbWVN8Ct7r0VHnJEx7rhUlaRKT7R7HMNJBSTI,2216
 cdk_factory/utilities/configuration_loader.py,sha256=z0ZdGLNbTO4_yfluB9zUh_i_Poc9qj-7oRyjMRlNkN8,1522
 cdk_factory/utilities/docker_utilities.py,sha256=9r8C-lXYpymqEfi3gTeWCQzHldvfjttPqn6p3j2khTE,8111
@@ -109,7 +109,7 @@ cdk_factory/utilities/lambda_function_utilities.py,sha256=j3tBdv_gC2MdEwBINDwAqY
 cdk_factory/utilities/os_execute.py,sha256=5Op0LY_8Y-pUm04y1k8MTpNrmQvcLmQHPQITEP7EuSU,1019
 cdk_factory/utils/api_gateway_utilities.py,sha256=If7Xu5s_UxmuV-kL3JkXxPLBdSVUKoLtohm0IUFoiV8,4378
 cdk_factory/workload/workload_factory.py,sha256=yBUDGIuB8-5p_mGcVFxsD2ZoZIziak3yh3LL3JvS0M4,5903
-cdk_factory-0.7.27.dist-info/METADATA,sha256=kkqu-N4uFgjOYSenuas-fjiwtIcTNoxmRK8NR6CBsyw,2451
-cdk_factory-0.7.27.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-cdk_factory-0.7.27.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
-cdk_factory-0.7.27.dist-info/RECORD,,
+cdk_factory-0.7.29.dist-info/METADATA,sha256=uBLNGvVXNfeVMl5IMIJfZX2S0dLDrPVnUqlSd0Dec9Y,2451
+cdk_factory-0.7.29.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+cdk_factory-0.7.29.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
+cdk_factory-0.7.29.dist-info/RECORD,,

{cdk_factory-0.7.27.dist-info → cdk_factory-0.7.29.dist-info}/WHEEL RENAMED Viewed

File without changes

{cdk_factory-0.7.27.dist-info → cdk_factory-0.7.29.dist-info}/licenses/LICENSE RENAMED Viewed

File without changes

cdk-factory 0.7.27__py3-none-any.whl → 0.7.29__py3-none-any.whl

cdk-factory 0.7.27py3-none-any.whl → 0.7.29py3-none-any.whl