feat(apigatewayv2): http api - default authorizer options

packages/@aws-cdk/aws-apigatewayv2-authorizers/README.md

@@ -28,6 +28,37 @@ classified into Lambda Authorizers, JWT authorizers and standard AWS IAM roles a
 available at [Controlling and managing access to an HTTP
 API](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-access-control.html).
 
+Authorizers, and scopes can either be applied to the Gateway (applied to all routes) or specifically for each route.
+
+The example below applies the authorizer to all routes.
+
+```ts
+const authorizer = new HttpJwtAuthorizer({
+  jwtAudience: ['3131231'],
+  jwtIssuer: 'https://test.us.auth0.com',
+});
+
+const api = new HttpApi(stack, 'HttpApi', {
+  defaultAuthorizer: authorizer,
+  defaultAuthorizationScopes: ['read:books']
+});
+
+api.addRoutes({
+  integration: new HttpProxyIntegration({
+    url: 'https://add-books-proxy.myproxy.internal',
+  }),
+  path: '/books', // This route will inherit the authorizer and scopes from the gateway
+});
+
+api.addRoutes({
+  integration: new HttpProxyIntegration({
+    url: 'https://get-books-proxy.myproxy.internal',
+  }),
+  path: '/books', 
+  authorizer: new NoneAuthorizer(), // This route will remove the default authorizer from the gateway
+});
+```
+
 ## JWT Authorizers
 
 JWT authorizers allow the use of JSON Web Tokens (JWTs) as part of [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) and [OAuth 2.0](https://oauth.net/2/) frameworks to allow and restrict clients from accessing HTTP APIs.

packages/@aws-cdk/aws-apigatewayv2/lib/http/api.ts

@@ -4,7 +4,7 @@ import { Duration, IResource, Resource, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnApi, CfnApiProps } from '../apigatewayv2.generated';
 import { DefaultDomainMappingOptions } from '../http/stage';
-import { IHttpRouteAuthorizer } from './authorizer';
+import { HttpAuthorizerType, HttpRouteAuthorizerBindOptions, HttpRouteAuthorizerConfig, IHttpRouteAuthorizer } from './authorizer';
 import { IHttpRouteIntegration, HttpIntegration, HttpRouteIntegrationConfig } from './integration';
 import { BatchHttpRouteOptions, HttpMethod, HttpRoute, HttpRouteKey } from './route';
 import { HttpStage, HttpStageOptions } from './stage';
@@ -145,6 +145,20 @@ export interface HttpApiProps {
    * @default false execute-api endpoint enabled.
    */
   readonly disableExecuteApiEndpoint?: boolean;
+
+  /**
+   * Default Authorizer to applied to all routes in the gateway
+   *
+   * @default - No authorizer
+   */
+  readonly defaultAuthorizer?: IHttpRouteAuthorizer;
+
+  /**
+   * Default OIDC scopes attached to all routes in the gateway
+   *
+   * @default - no additional authorization scopes
+   */
+  readonly defaultAuthorizationScopes?: string[];
 }
 
 /**
@@ -205,15 +219,20 @@ export interface AddRoutesOptions extends BatchHttpRouteOptions {
 
   /**
    * Authorizer to be associated to these routes.
-   * @default - No authorizer
+   *
+   * Use @see NoneAuthorizer to remove the default authorizer for the api
+   *
+   * @default - uses the default authorizer if one is specified on the HttpApi
    */
   readonly authorizer?: IHttpRouteAuthorizer;
 
   /**
    * The list of OIDC scopes to include in the authorization.
    *
-   * These scopes will be merged with the scopes from the attached authorizer
-   * @default - no additional authorization scopes
+   * These scopes will override the default authorization scopes on the gateway.
+   * Set to [] to remove default scopes
+   *
+   * @default - no additional authorization scopes once no default ones set on the gateway.
    */
   readonly authorizationScopes?: string[];
 }
@@ -353,6 +372,9 @@ export class HttpApi extends HttpApiBase {
 
   private readonly _apiEndpoint: string;
 
+  private readonly authorizer?: IHttpRouteAuthorizer;
+  private readonly authorizationScopes?: string[];
+
   constructor(scope: Construct, id: string, props?: HttpApiProps) {
     super(scope, id);
 
@@ -394,6 +416,8 @@ export class HttpApi extends HttpApiBase {
     const resource = new CfnApi(this, 'Resource', apiProps);
     this.httpApiId = resource.ref;
     this._apiEndpoint = resource.attrApiEndpoint;
+    this.authorizer = props?.defaultAuthorizer;
+    this.authorizationScopes = props?.defaultAuthorizationScopes;
 
     if (props?.defaultIntegration) {
       new HttpRoute(this, 'DefaultRoute', {
@@ -457,12 +481,31 @@ export class HttpApi extends HttpApiBase {
    */
   public addRoutes(options: AddRoutesOptions): HttpRoute[] {
     const methods = options.methods ?? [HttpMethod.ANY];
-    return methods.map((method) => new HttpRoute(this, `${method}${options.path}`, {
-      httpApi: this,
-      routeKey: HttpRouteKey.with(options.path, method),
-      integration: options.integration,
-      authorizer: options.authorizer,
-      authorizationScopes: options.authorizationScopes,
-    }));
+    return methods.map((method) => {
+      let authorizationScopes = this.authorizationScopes;
+
+      if (Array.isArray(options.authorizationScopes)) {
+        authorizationScopes = options.authorizationScopes;
+      }
+
+      return new HttpRoute(this, `${method}${options.path}`, {
+        httpApi: this,
+        routeKey: HttpRouteKey.with(options.path, method),
+        integration: options.integration,
+        authorizer: options.authorizer ?? this.authorizer,
+        authorizationScopes,
+      });
+    });
+  }
+}
+
+/**
+ * Used to remove the default authorizer for a route
+ */
+export class NoneAuthorizer implements IHttpRouteAuthorizer {
+  public bind(_: HttpRouteAuthorizerBindOptions): HttpRouteAuthorizerConfig {
+    return {
+      authorizationType: HttpAuthorizerType.NONE,
+    };
   }
 }

packages/@aws-cdk/aws-apigatewayv2/lib/http/authorizer.ts

@@ -15,6 +15,9 @@ export enum HttpAuthorizerType {
 
   /** Lambda Authorizer */
   LAMBDA = 'REQUEST',
+
+  /** No authorizer */
+  NONE = 'NONE'
 }
 
 /**
@@ -145,8 +148,10 @@ export interface HttpRouteAuthorizerBindOptions {
 export interface HttpRouteAuthorizerConfig {
   /**
    * The authorizer id
+   *
+   * @default - No authorizer id (useful for AWS_IAM route authorizer)
    */
-  readonly authorizerId: string;
+  readonly authorizerId?: string;
   /**
    * The type of authorization
    */

packages/@aws-cdk/aws-apigatewayv2/lib/http/route.ts

@@ -3,7 +3,7 @@ import { Construct } from 'constructs';
 import { CfnRoute, CfnRouteProps } from '../apigatewayv2.generated';
 import { IRoute } from '../common';
 import { IHttpApi } from './api';
-import { IHttpRouteAuthorizer } from './authorizer';
+import { HttpAuthorizerType, IHttpRouteAuthorizer } from './authorizer';
 import { IHttpRouteIntegration } from './integration';
 
 /**
@@ -156,12 +156,14 @@ export class HttpRoute extends Resource implements IHttpRoute {
       ]));
     }
 
+    const authorizationType = authBindResult?.authorizationType === HttpAuthorizerType.NONE ? undefined : authBindResult?.authorizationType;
+
     const routeProps: CfnRouteProps = {
       apiId: props.httpApi.httpApiId,
       routeKey: props.routeKey.key,
       target: `integrations/${integration.integrationId}`,
       authorizerId: authBindResult?.authorizerId,
-      authorizationType: authBindResult?.authorizationType,
+      authorizationType,
       authorizationScopes,
     };
 

packages/@aws-cdk/aws-apigatewayv2/test/http/api.test.ts

@@ -5,7 +5,7 @@ import * as ec2 from '@aws-cdk/aws-ec2';
 import { Duration, Stack } from '@aws-cdk/core';
 import {
   HttpApi, HttpAuthorizer, HttpAuthorizerType, HttpIntegrationType, HttpMethod, HttpRouteAuthorizerBindOptions, HttpRouteAuthorizerConfig,
-  HttpRouteIntegrationBindOptions, HttpRouteIntegrationConfig, IHttpRouteAuthorizer, IHttpRouteIntegration, PayloadFormatVersion,
+  HttpRouteIntegrationBindOptions, HttpRouteIntegrationConfig, IHttpRouteAuthorizer, IHttpRouteIntegration, NoneAuthorizer, PayloadFormatVersion,
 } from '../../lib';
 
 describe('HttpApi', () => {
@@ -371,6 +371,121 @@ describe('HttpApi', () => {
 
     expect(() => api.apiEndpoint).toThrow(/apiEndpoint is not configured/);
   });
+
+
+  describe('default authorization settings', () => {
+    test('can add default authorizer', () => {
+      const stack = new Stack();
+
+      const authorizer = new DummyAuthorizer();
+
+      const httpApi = new HttpApi(stack, 'api', {
+        defaultAuthorizer: authorizer,
+        defaultAuthorizationScopes: ['read:pets'],
+      });
+
+      httpApi.addRoutes({
+        path: '/pets',
+        methods: [HttpMethod.GET],
+        integration: new DummyRouteIntegration(),
+      });
+
+      expect(stack).toHaveResource('AWS::ApiGatewayV2::Route', {
+        AuthorizerId: 'auth-1234',
+        AuthorizationType: 'JWT',
+        AuthorizationScopes: ['read:pets'],
+      });
+    });
+
+    test('can add default authorizer, but remove it for a route', () => {
+      const stack = new Stack();
+      const authorizer = new DummyAuthorizer();
+
+      const httpApi = new HttpApi(stack, 'api', {
+        defaultAuthorizer: authorizer,
+        defaultAuthorizationScopes: ['read:pets'],
+      });
+
+      httpApi.addRoutes({
+        path: '/pets',
+        methods: [HttpMethod.GET],
+        integration: new DummyRouteIntegration(),
+      });
+
+      httpApi.addRoutes({
+        path: '/chickens',
+        methods: [HttpMethod.GET],
+        integration: new DummyRouteIntegration(),
+        authorizer: new NoneAuthorizer(),
+      });
+
+      expect(stack).toHaveResource('AWS::ApiGatewayV2::Route', {
+        RouteKey: 'GET /pets',
+        AuthorizerId: 'auth-1234',
+      });
+
+      expect(stack).toHaveResource('AWS::ApiGatewayV2::Route', {
+        RouteKey: 'GET /chickens',
+        AuthorizerId: ABSENT,
+      });
+    });
+
+    test('can remove default scopes for a route', () => {
+      const stack = new Stack();
+
+      const authorizer = new DummyAuthorizer();
+
+      const httpApi = new HttpApi(stack, 'api', {
+        defaultAuthorizer: authorizer,
+        defaultAuthorizationScopes: ['read:books'],
+      });
+
+      httpApi.addRoutes({
+        path: '/pets',
+        methods: [HttpMethod.GET, HttpMethod.PATCH],
+        integration: new DummyRouteIntegration(),
+        authorizationScopes: [],
+      });
+
+      expect(stack).toHaveResource('AWS::ApiGatewayV2::Route', {
+        AuthorizationScopes: [],
+      });
+    });
+
+    test('can override scopes for a route', () => {
+      const stack = new Stack();
+
+      const authorizer = new DummyAuthorizer();
+
+      const httpApi = new HttpApi(stack, 'api', {
+        defaultAuthorizer: authorizer,
+        defaultAuthorizationScopes: ['read:pets'],
+      });
+
+      httpApi.addRoutes({
+        path: '/pets',
+        methods: [HttpMethod.GET, HttpMethod.PATCH],
+        integration: new DummyRouteIntegration(),
+      });
+
+      httpApi.addRoutes({
+        path: '/chickens',
+        methods: [HttpMethod.GET, HttpMethod.PATCH],
+        integration: new DummyRouteIntegration(),
+        authorizationScopes: ['read:chickens'],
+      });
+
+      expect(stack).toHaveResource('AWS::ApiGatewayV2::Route', {
+        RouteKey: 'GET /pets',
+        AuthorizationScopes: ['read:pets'],
+      });
+
+      expect(stack).toHaveResource('AWS::ApiGatewayV2::Route', {
+        RouteKey: 'GET /chickens',
+        AuthorizationScopes: ['read:chickens'],
+      });
+    });
+  });
 });
 
 class DummyRouteIntegration implements IHttpRouteIntegration {