in chalice/local.py [0:0]
def authorize(self,
raw_path: str,
lambda_event: EventType,
lambda_context: LambdaContext) -> LocalAuthPair:
method = lambda_event['requestContext']['httpMethod']
route_entry = self._route_for_event(lambda_event)
if not route_entry:
return lambda_event, lambda_context
authorizer = route_entry.authorizer
if not authorizer:
return lambda_event, lambda_context
# If authorizer is Cognito then try to parse the JWT and simulate an
# APIGateway validated request
if isinstance(authorizer, CognitoUserPoolAuthorizer):
if "headers" in lambda_event\
and "authorization" in lambda_event["headers"]:
token = lambda_event["headers"]["authorization"]
claims = self._decode_jwt_payload(token)
try:
cognito_username = claims["cognito:username"]
except KeyError:
# If a key error is raised when trying to get the cognito
# username then it is a machine-to-machine communication.
# This kind of cognito authorization flow is not
# supported in local mode. We can ignore it here to allow
# users to test their code local with a different cognito
# authorization flow.
warnings.warn(
'%s for machine-to-machine communicaiton is not '
'supported in local mode. All requests made against '
'a route will be authorized to allow local testing.'
% authorizer.__class__.__name__
)
return lambda_event, lambda_context
auth_result = {"context": {"claims": claims},
"principalId": cognito_username}
lambda_event = self._update_lambda_event(lambda_event,
auth_result)
if not isinstance(authorizer, ChaliceAuthorizer):
# Currently the only supported local authorizer is the
# BuiltinAuthConfig type. Anything else we will err on the side of
# allowing local testing by simply admiting the request. Otherwise
# there is no way for users to test their code in local mode.
warnings.warn(
'%s is not a supported in local mode. All requests made '
'against a route will be authorized to allow local testing.'
% authorizer.__class__.__name__
)
return lambda_event, lambda_context
arn = self._arn_builder.build_arn(method, raw_path)
auth_event = self._prepare_authorizer_event(arn, lambda_event,
lambda_context)
auth_result = authorizer(auth_event, lambda_context)
if auth_result is None:
raise InvalidAuthorizerError(
{'x-amzn-RequestId': lambda_context.aws_request_id,
'x-amzn-ErrorType': 'AuthorizerConfigurationException'},
b'{"message":null}'
)
authed = self._check_can_invoke_view_function(arn, auth_result)
if authed:
lambda_event = self._update_lambda_event(lambda_event, auth_result)
else:
raise ForbiddenError(
{'x-amzn-RequestId': lambda_context.aws_request_id,
'x-amzn-ErrorType': 'AccessDeniedException'},
(b'{"Message": '
b'"User is not authorized to access this resource"}'))
return lambda_event, lambda_context