cdk-factory 0.7.27__tar.gz → 0.7.28__tar.gz

{cdk_factory-0.7.27 → cdk_factory-0.7.28}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.7.27
+Version: 0.7.28
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.7.27 → cdk_factory-0.7.28}/pyproject.toml

@@ -33,7 +33,7 @@ markers = [
 [project]
 
 name = "cdk_factory"
-version = "0.7.27"
+version = "0.7.28"
 authors = [
   { name="Eric Wilson", email="eric.wilson@geekcafe.com" }
 ]

{cdk_factory-0.7.27 → cdk_factory-0.7.28}/src/cdk_factory/stack_library/api_gateway/api_gateway_stack.py

@@ -349,113 +349,36 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
 
     def _validate_authorization_configuration(self, route, has_cognito_authorizer):
         """
-        Validate authorization configuration for security and clarity.
-
-        This method implements 'secure by default' with explicit overrides:
-        - If Cognito is available and route wants NONE auth, requires explicit override
-        - If Cognito is not available and route wants COGNITO auth, raises error
-        - Provides verbose warnings for monitoring and security awareness
-
-        Args:
-            route (dict): Route configuration
-            has_cognito_authorizer (bool): Whether a Cognito authorizer is configured
-
-        Raises:
-            ValueError: When there are security conflicts without explicit overrides
+        Validate authorization configuration using the shared utility method.
+        
+        This delegates to the ApiGatewayIntegrationUtility for consistent validation
+        across both API Gateway stack and Lambda stack patterns.
         """
-        import logging
-
-        auth_type = str(route.get("authorization_type", "COGNITO")).upper()
-        explicit_override = (
-            str(route.get("allow_public_override", False)).lower() == "true"
+        # Convert route dict to ApiGatewayConfigRouteConfig for utility validation
+        # Map "path" to "route" for compatibility with the config object
+        route_config_dict = dict(route)  # Create a copy
+        if "path" in route_config_dict:
+            route_config_dict["route"] = route_config_dict["path"]
+        
+        api_route_config = ApiGatewayConfigRouteConfig(route_config_dict)
+        
+        # Use the utility's enhanced validation method
+        validated_config = self.integration_utility._validate_and_adjust_authorization_configuration(
+            api_route_config, has_cognito_authorizer
         )
-        route_path = route.get("path", "unknown")
-        method = route.get("method", "unknown")
-
-        logger = logging.getLogger(__name__)
-
-        # Case 1: Cognito available + NONE requested + No explicit override = ERROR
-        if has_cognito_authorizer and auth_type == "NONE" and not explicit_override:
-            error_msg = (
-                f"🚨 SECURITY CONFLICT DETECTED for route {route_path} ({method}):\n"
-                f"   ❌ Cognito authorizer is configured (manual or auto-import)\n"
-                f"   ❌ authorization_type is set to 'NONE' (public access)\n"
-                f"   ❌ This creates a security risk - public endpoint with auth available\n\n"
-                f"💡 SOLUTIONS:\n"
-                f"   1. Remove Cognito configuration if you want public access\n"
-                f"   2. Add 'allow_public_override': true to explicitly allow public access\n"
-                f"   3. Remove 'authorization_type': 'NONE' to use secure Cognito auth\n\n"
-                f"🔒 This prevents accidental public endpoints when authentication is available.\n\n"
-                f"👉 ApiGatewayStack documentation for more details: https://github.com/your-repo/api-gateway-stack"
-            )
-            raise ValueError(error_msg)
-
-        # Case 2: No Cognito + COGNITO explicitly requested = ERROR
-        # Only error if COGNITO was explicitly requested, not if it's the default
-        if not has_cognito_authorizer and route.get("authorization_type") == "COGNITO":
-            error_msg = (
-                f"🚨 CONFIGURATION ERROR for route {route_path} ({method}):\n"
-                f"   ❌ authorization_type is explicitly set to 'COGNITO' but no Cognito authorizer configured\n"
-                f"   ❌ Cannot secure endpoint without authentication provider\n\n"
-                f"💡 SOLUTIONS:\n"
-                f"   1. Add Cognito configuration to enable authentication\n"
-                f"   2. Set authorization_type to 'NONE' for public access\n"
-                f"   3. Configure SSM auto-import for user_pool_arn\n"
-                f"   4. Remove explicit authorization_type to use default behavior"
-            )
-            raise ValueError(error_msg)
-
-        # Case 3: Cognito available + NONE requested + Explicit override = WARN
-        if has_cognito_authorizer and auth_type == "NONE" and explicit_override:
-            warning_msg = (
-                f"⚠️  PUBLIC ENDPOINT CONFIGURED: {route_path} ({method})\n"
-                f"   🔓 This endpoint is intentionally public (allow_public_override: true)\n"
-                f"   🔐 Cognito authentication is available but overridden\n"
-                f"   📊 Consider monitoring this endpoint for unexpected usage patterns\n"
-                f"   🔍 Review periodically: Should this endpoint be secured?"
-            )
-
-            # Print to console during deployment for visibility
-            print(warning_msg)
-
-            # Structured logging for monitoring and metrics
-            logger.warning(
-                "Public endpoint configured with Cognito available",
-                extra={
-                    "route": route_path,
-                    "method": method,
-                    "security_override": True,
-                    "cognito_available": True,
-                    "authorization_type": "NONE",
-                    "metric_name": "public_endpoint_with_cognito",
-                    "security_decision": "intentional_public",
-                    "recommendation": "review_periodically",
-                },
-            )
-
-        # Case 4: No Cognito + NONE = INFO (expected for public-only APIs)
-        if not has_cognito_authorizer and auth_type == "NONE":
-            logger.info(
-                f"Public endpoint configured (no Cognito available): {route_path} ({method})",
-                extra={
-                    "route": route_path,
-                    "method": method,
-                    "authorization_type": "NONE",
-                    "cognito_available": False,
-                    "security_decision": "public_only_api",
-                },
-            )
+        
+        # Return the validated authorization type for use in the stack
+        return validated_config.authorization_type
 
     def _setup_lambda_integration(
         self, api_gateway, api_id, route, lambda_fn, authorizer, suffix
     ):
         """Setup Lambda integration for a route"""
-        import logging
-
         route_path = route["path"]
-        # Secure by default: require Cognito authorization unless explicitly set to NONE
+        
+        # Handle authorization type fallback logic before validation
         authorization_type = route.get("authorization_type", "COGNITO")
-
+        
         # If no Cognito authorizer available and default COGNITO, fall back to NONE
         if (
             not authorizer
@@ -463,14 +386,22 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
             and "authorization_type" not in route
         ):
             authorization_type = "NONE"
+            import logging
             logger = logging.getLogger(__name__)
             logger.info(
                 f"No Cognito authorizer available for route {route_path} ({route.get('method', 'unknown')}), "
                 f"defaulting to public access (NONE authorization)"
             )
-
-        # Validate authorization configuration for security
-        self._validate_authorization_configuration(route, authorizer is not None)
+        
+        # Create a route config with the resolved authorization type for validation
+        route_for_validation = dict(route)
+        route_for_validation["authorization_type"] = authorization_type
+        
+        # Validate authorization configuration using the utility
+        validated_authorization_type = self._validate_authorization_configuration(route_for_validation, authorizer is not None)
+        
+        # Use the validated authorization type
+        authorization_type = validated_authorization_type
 
         # If set to NONE (explicitly or by fallback), skip authorization
         if authorization_type == "NONE":
@@ -487,6 +418,7 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
                     "user_pool_id": (
                         os.getenv("COGNITO_USER_POOL_ID") if authorizer else None
                     ),
+                    "allow_public_override": route.get("allow_public_override", False),
                 }
             )
 
@@ -508,12 +440,11 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
         self, api_gateway, route, lambda_fn, authorizer, api_id, suffix
     ):
         """Setup fallback Lambda integration for routes without src"""
-        import logging
-
         route_path = route["path"]
-        # Secure by default: require Cognito authorization unless explicitly set to NONE
+        
+        # Handle authorization type fallback logic before validation
         authorization_type = route.get("authorization_type", "COGNITO")
-
+        
         # If no Cognito authorizer available and default COGNITO, fall back to NONE
         if (
             not authorizer
@@ -521,14 +452,22 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
             and "authorization_type" not in route
         ):
             authorization_type = "NONE"
+            import logging
             logger = logging.getLogger(__name__)
             logger.info(
                 f"No Cognito authorizer available for route {route_path} ({route.get('method', 'unknown')}), "
                 f"defaulting to public access (NONE authorization)"
             )
-
-        # Validate authorization configuration for security
-        self._validate_authorization_configuration(route, authorizer is not None)
+        
+        # Create a route config with the resolved authorization type for validation
+        route_for_validation = dict(route)
+        route_for_validation["authorization_type"] = authorization_type
+        
+        # Validate authorization configuration using the utility
+        validated_authorization_type = self._validate_authorization_configuration(route_for_validation, authorizer is not None)
+        
+        # Use the validated authorization type
+        authorization_type = validated_authorization_type
 
         resource = (
             api_gateway.root.resource_for_path(route_path)

{cdk_factory-0.7.27 → cdk_factory-0.7.28}/src/cdk_factory/utilities/api_gateway_integration_utility.py

@@ -1382,15 +1382,19 @@ class ApiGatewayIntegrationUtility:
         modified_config = deepcopy(api_config)
 
         auth_type = str(getattr(api_config, "authorization_type", "COGNITO")).upper()
-
-        # Check for explicit override flag
-        explicit_override = (
-            str(getattr(api_config, "allow_public_override", False)).lower() == "true"
-        )
-
         route_path = getattr(api_config, "routes", "unknown")
         method = getattr(api_config, "method", "unknown")
+        
+        logger = logging.getLogger(__name__)
 
+        # Check for explicit override flag
+        explicit_override = getattr(api_config, "allow_public_override", False)
+        # Handle both boolean and string values
+        if isinstance(explicit_override, str):
+            explicit_override = explicit_override.lower() in ("true", "1", "yes")
+        else:
+            explicit_override = bool(explicit_override)
+        
         logger = logging.getLogger(__name__)
 
         # Case 1: Cognito available + NONE requested + No explicit override = ERROR

cdk_factory-0.7.28/src/cdk_factory/version.py

@@ -0,0 +1 @@
+__version__ = "0.7.28"

cdk_factory-0.7.27/src/cdk_factory/version.py

@@ -1 +0,0 @@
-__version__ = "0.7.27"