Merge pull request #224 from umccr/docs/update-deploy
docs(deploy): make authorizer logic more clear
brainstorm committed Feb 16, 2024
2 parents 5bd5ad6 + 7707541 commit 3e3b60c
Showing 4 changed files with 32 additions and 31 deletions.
38 changes: 19 additions & 19 deletions deploy/README.md
Expand Up @@ -4,8 +4,8 @@ The [htsget-lambda] crate is a cloud-based implementation of [htsget-rs]. It use

This is an example that deploys [htsget-lambda] using [aws-cdk]. It is deployed as an AWS HTTP [API Gateway Lambda proxy
integration][aws-api-gateway]. The stack uses [RustFunction][rust-function] in order to integrate [htsget-lambda]
with API Gateway. It also has the option to use a [JWT authorizer][jwt-authorizer] with [AWS Cognito][aws-cognito] as the issuer, and routes
the htsget-rs server with [AWS Route 53][route-53].
with API Gateway. It also has the option to use a [JWT authorizer][jwt-authorizer] with [AWS Cognito][aws-cognito] as the issuer. The
JWT authorizer automatically verifies JWT tokens issued by Cognito. Routing for the server is done using [AWS Route 53][route-53].

## Configuration

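Review bot: the sentence added to the first paragraph, "The JWT authorizer automatically verifies JWT tokens issued by Cognito", promises more than the default configuration delivers. The only part of the verification the deployer controls is the audience list, and the stack in this same PR defaults it to an empty array (`jwtAudience: settings.jwtAuthorizer.jwtAudience ?? []`). Suggest qualifying the sentence: the authorizer verifies tokens from the configured Cognito user pool against the audiences in [`jwtAudience`](#jwtAudience), which must be set for a non-public deployment.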
Expand All @@ -15,23 +15,23 @@ The CDK code in this directory constructs a CDK app from [`HtsgetLambdaStack`][h
#### HtsgetSettings
These are general settings for the CDK deployment.

| Name | Description | Type |
|----------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------|
| <span id="config">`config`</span> | The location of the htsget-rs server config. This must be specified. This config file configures the htsget-rs server. See [htsget-config] for a list of available server configuration options. | `string` |
| <span id="domain">`domain`</span> | The domain name for the Route53 Hosted Zone that the htsget-rs server will be under. This must be specified. A hosted zone with this name will either be looked up or created depending on the value of [`lookupHostedZone?`](#lookupHostedZone). | `string` |
| <span id="authorizer">`authorizer`</span> | Whether this deployment is gated behind an authorizer, or if it's public. This must be specified. | [`HtsgetAuthSettings`](#htsgetauthsettings) |
| <span id="subDomain">`subDomain?`</span> | The domain name prefix to use for the htsget-rs server. Together with the [`domain`](#domain), this specifies url that the htsget-rs server will be reachable under. Defaults to `"htsget"`. | `string` |
| <span id="s3BucketResources">`s3BucketResources?`</span> | The resources that are affected by the bucket policy with actions: `["s3:List*", "s3:Get*"]`. If this is not specified, it defaults to `["arn:aws:s3:::*"]`. This affects which buckets are allowed to be accessed with the policy. | `string[]` |
| <span id="lookupHostedZone">`lookupHostedZone?`</span> | Whether to lookup the hosted zone with the domain name. Defaults to `true`. If `true`, attempts to lookup an existing hosted zone using the domain name. Set this to `false` if you want to create a new hosted zone with the domain name. | `boolean` |

#### HtsgetAuthSettings
These settings are used to determine if the htsget API gateway endpoint is configured to have an authorizer or not.

| Name | Description | Type |
|---------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|
| <span id="public">`public`</span> | Whether this deployment is public. If this is `true` then no authorizer is present on the API gateway and the options below have no effect. | `boolean` |
| <span id="jwtAudience">`jwtAudience?`</span> | A list of the intended recipients of the JWT. A valid JWT must provide an aud that matches at least one entry in this list. This must be specified if [`public`](#public) is false. | `string[]` |
| <span id="cogUserPoolId?">`cogUserPoolId?`</span> | The cognito user pool id for the authorizer. If this is not set, then a new user pool is created. | `string` |
| Name | Description | Type |
|----------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------|
| <span id="config">`config`</span> | The location of the htsget-rs server config. This must be specified. This config file configures the htsget-rs server. See [htsget-config] for a list of available server configuration options. | `string` |
| <span id="domain">`domain`</span> | The domain name for the Route53 Hosted Zone that the htsget-rs server will be under. This must be specified. A hosted zone with this name will either be looked up or created depending on the value of [`lookupHostedZone?`](#lookupHostedZone). | `string` |
| <span id="authorizer">`authorizer`</span> | Deployment options related to the authorizer. Note that this option allows specifying an AWS [JWT authorizer][jwt-authorizer]. The JWT authorizer automatically verifies tokens issued by a Cognito user pool. | [`HtsgetJwtAuthSettings`](#htsgetjwtauthsettings) |
| <span id="subDomain">`subDomain?`</span> | The domain name prefix to use for the htsget-rs server. Together with the [`domain`](#domain), this specifies url that the htsget-rs server will be reachable under. Defaults to `"htsget"`. | `string` |
| <span id="s3BucketResources">`s3BucketResources?`</span> | The resources that are affected by the bucket policy with actions: `["s3:List*", "s3:Get*"]`. If this is not specified, it defaults to `["arn:aws:s3:::*"]`. This affects which buckets are allowed to be accessed with the policy. | `string[]` |
| <span id="lookupHostedZone">`lookupHostedZone?`</span> | Whether to lookup the hosted zone with the domain name. Defaults to `true`. If `true`, attempts to lookup an existing hosted zone using the domain name. Set this to `false` if you want to create a new hosted zone with the domain name. | `boolean` |

#### HtsgetJwtAuthSettings
These settings are used to determine if the htsget API gateway endpoint is configured to have a JWT authorizer or not.

| Name | Description | Type |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|------------|
| <span id="public">`public`</span> | Whether this deployment is public. If this is `true` then no authorizer is present on the API gateway and the options below have no effect. | `boolean` |
| <span id="jwtAudience">`jwtAudience?`</span> | A list of the intended recipients of the JWT. A valid JWT must provide an aud that matches at least one entry in this list. | `string[]` |
| <span id="cogUserPoolId?">`cogUserPoolId?`</span> | The cognito user pool id for the authorizer. If this is not set, then a new user pool is created. No user pool is created if [`public`](#public) is true. | `string` |

The [`HtsgetSettings`](#htsgetsettings) are passed into [`HtsgetLambdaStack`][htsget-lambda-stack] in order to change the deployment config. An example of a public instance deployment
can be found under [`bin/htsget-lambda.ts`][htsget-lambda-bin]. This uses the [`config/public_umccr.toml`][public-umccr-toml] server config. See [htsget-config] for a list of available server configuration options.
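Review bot: the new `jwtAudience?` row drops the sentence "This must be specified if [`public`](#public) is false" that the old row carried, but nothing in `htsget-lambda-stack.ts` changed to make it optional: the stack still passes `settings.jwtAuthorizer.jwtAudience ?? []`, so an operator following the new table with `public: false` ends up with an authorizer whose audience list is empty. Suggest restoring the sentence and saying which value belongs there (the app client id(s) of the Cognito user pool). Minor: the `cogUserPoolId?` row still uses `id="cogUserPoolId?"` while every other row drops the `?` from the id, so an anchor of `#cogUserPoolId` would not resolve; make it `id="cogUserPoolId"`.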
4 changes: 3 additions & 1 deletion deploy/bin/settings.ts
Expand Up @@ -12,8 +12,10 @@ export const SETTINGS: HtsgetSettings = {
"arn:aws:s3:::org.umccr.demo.htsget-rs-data/*",
],
lookupHostedZone: true,
authorizer: {
jwtAuthorizer: {
// Set this to true if you want a public instance.
public: false,
// jwtAudience: ["audience"],
// cogUserPoolId: "user-pool-id"
},
};
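Review bot: the example settings ship `public: false` with `jwtAudience` commented out, which is exactly the configuration the README no longer warns about: with these values the stack builds an `HttpJwtAuthorizer` with `jwtAudience: []`. Suggest either uncommenting `jwtAudience` with a placeholder and a comment that it is required whenever `public` is false, or defaulting the example to `public: true` so the two commented-out lines read as the opt-in path for a private instance.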
19 changes: 9 additions & 10 deletions deploy/lib/htsget-lambda-stack.ts
Expand Up @@ -55,10 +55,9 @@ export type HtsgetSettings = {
s3BucketResources?: string[];

/**
* Whether this deployment is gated behind an authorizer, or if its public. When this is not specified, the htsget
* api gateway does not have an authorizer.
* Whether this deployment is gated behind a JWT authorizer, or if its public.
*/
authorizer: HtsgetAuthSettings;
jwtAuthorizer: HtsgetJwtAuthSettings;

/**
* Whether to lookup the hosted zone with the domain name. Defaults to `true`. If `true`, attempts to lookup an
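Review bot: the rewritten doc comment still reads "or if its public"; it should be "it's public". Dropping the old second sentence ("When this is not specified, the htsget api gateway does not have an authorizer") is right, since `jwtAuthorizer` is a required property of `HtsgetSettings` and that sentence described a case the type never allowed.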
Expand All @@ -69,9 +68,9 @@ export type HtsgetSettings = {
};

/**
* Authentication related settings.
* JWT authorization settings.
*/
export type HtsgetAuthSettings = {
export type HtsgetJwtAuthSettings = {
/**
* Whether this deployment is public.
*/
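Review bot: renaming the exported type `HtsgetAuthSettings` to `HtsgetJwtAuthSettings` (and the `authorizer` property to `jwtAuthorizer`) changes the public surface of `deploy/lib`, so any external settings file importing the old name or using the old key stops compiling. Either keep `export type HtsgetAuthSettings = HtsgetJwtAuthSettings;` as a deprecated alias for one release, or mention the rename in the commit message, which currently describes the change as docs only.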
Expand Down Expand Up @@ -195,21 +194,21 @@ export class HtsgetLambdaStack extends Stack {

// Add an authorizer if auth is required.
let authorizer = undefined;
if (!settings.authorizer.public) {
if (!settings.jwtAuthorizer.public) {
// If the cog user pool id is not specified, create a new one.
if (settings.authorizer.cogUserPoolId === undefined) {
if (settings.jwtAuthorizer.cogUserPoolId === undefined) {
const pool = new UserPool(this, "userPool", {
userPoolName: "HtsgetRsUserPool",
});
settings.authorizer.cogUserPoolId = pool.userPoolId;
settings.jwtAuthorizer.cogUserPoolId = pool.userPoolId;
}

authorizer = new HttpJwtAuthorizer(
id + "HtsgetAuthorizer",
`https://cognito-idp.${this.region}.amazonaws.com/${settings.authorizer.cogUserPoolId}`,
`https://cognito-idp.${this.region}.amazonaws.com/${settings.jwtAuthorizer.cogUserPoolId}`,
{
identitySource: ["$request.header.Authorization"],
jwtAudience: settings.authorizer.jwtAudience ?? [],
jwtAudience: settings.jwtAuthorizer.jwtAudience ?? [],
},
);
}
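Review bot: two points in this block are worth fixing while it is being touched. First, `jwtAudience: settings.jwtAuthorizer.jwtAudience ?? []` silently accepts a missing audience for a non-public deployment; fail fast instead, e.g. `if (!settings.jwtAuthorizer.jwtAudience?.length) throw new Error("jwtAuthorizer.jwtAudience is required when public is false");` before constructing the authorizer. Second, `settings.jwtAuthorizer.cogUserPoolId = pool.userPoolId;` writes back into the caller's settings object; computing a local `const userPoolId = settings.jwtAuthorizer.cogUserPoolId ?? pool.userPoolId` and using it in the issuer URL keeps the stack from mutating its input.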
2 changes: 1 addition & 1 deletion htsget-config/src/config/cors.rs
Expand Up @@ -92,7 +92,7 @@ impl<T> AllowType<T, TaggedTypeAll> {
}
}

fn serialize_allow_types<S, T>(names: &Vec<T>, serializer: S) -> Result<S::Ok, S::Error>
fn serialize_allow_types<S, T>(names: &[T], serializer: S) -> Result<S::Ok, S::Error>
where
T: Display,
S: Serializer,
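Review bot: the `&Vec<T>` to `&[T]` change in `cors.rs` is a lint fix unrelated to the `docs(deploy)` scope of this commit and is not mentioned in the message; either split it into its own commit or add it to the message so the history explains why a serde helper changed in a docs PR. The change itself is safe, since every `&Vec<T>` argument coerces to `&[T]` at the call sites.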
