APIGW NG implement api key validation handler #11114
Conversation
There was a problem hiding this comment.
LGTM! 🚀 extremely well covered PR, the tests are really great, love the abstractions and usage of fixtures.
The handler is looking extremely good, well documented, nicely encapsulated functions and helpers, this is awesome 💯
edit: I've merged #11111 so I've took the liberty to rebase this PR on master and push it so I can create branches based on top of #11114 😄
| Will return an api key from the moto store. | ||
| """ | ||
| apigateway_backend: APIGatewayBackend = apigateway_backends[account_id][region_name] | ||
| return ApiKey(**apigateway_backend.keys[api_key_id].to_json()) |
There was a problem hiding this comment.
I know it's not supposed to happen, but should we protect against KeyError here?
Also, I believe we could avoid the ** destructing into typed dict by doing the following:
| return ApiKey(**apigateway_backend.keys[api_key_id].to_json()) | |
| api_key: ApiKey = apigateway_backend.keys[api_key_id].to_json() | |
| return api_key |
Not sure how to do it with the list comprehension, but the creation of a typed dict by de-structuring a dict is not really required, as we're just passing dict around.
There was a problem hiding this comment.
Actually realised I don't even need to go that far and and with simply return apigateway_backend.keys[api_key_id].to_json() all the typing works fine. Which I can also use to simplify the code of get_usage_plans and get_usage_plan_keys and remove the destructing while keeping typing!
👍
| if not (identity := context.context_variables.get("identity", ContextVarsIdentity())): | ||
| context.context_variables["identity"] = identity |
There was a problem hiding this comment.
You can simplify with setdefault(key, default_value) which does the same thing under the hood:
| if not (identity := context.context_variables.get("identity", ContextVarsIdentity())): | |
| context.context_variables["identity"] = identity | |
| identity = context.context_variables.setdefault("identity", ContextVarsIdentity()) |
| LOG.debug("Updating $context.identity.apiKeyId='%s'", validated_key["id"]) | ||
| identity["apiKeyId"] = validated_key["id"] | ||
|
|
||
| def validate_api_key( |
There was a problem hiding this comment.
I believe once we migrate UsagePlan and ApiKey to our store, seeing this usage, we should keep a map of API Key values (+ maybe stage?) directly in order to quickly validate them? We could maybe then simplify this to not have to iterate over all usage plans and usage plan keys.
There was a problem hiding this comment.
Yes, I believe we can keep the item in the store in a way that will be more favourable to this specific access pattern. I don't think we will be able to avoid all looping, without creating some data duplication but we should be able to reduce the amount of work being done here.
8288e20 to
a324a08
Compare
LocalStack Community integration with Pro 2 files ± 0 2 suites ±0 23m 29s ⏱️ - 1h 11m 46s Results for commit 0149699. ± Comparison against base commit be9149c. This pull request removes 2518 tests.♻️ This comment has been updated with latest results. |
Motivation
Implementation of a new api key validation handler. There is a mix of moto helpers in the implementation as not all relevant information live in the deployment.
Important configuration in the frozen deployment:
apiKeyRequired, which determines if validation is required or skipped.apiKeySource, which determines if the key is to be retrieved from the headers or from an identity context populated by an Lambda AuthorizerImportant configuration in apigateway store.
Those items, when created, modified or deleted, will affect a deployment without the need to redeploy. see https://docs.aws.amazon.com/apigateway/latest/developerguide/updating-api.html
enabledfrom the key will affect without redeploying)Changes
$contextvariables with relevant data.moto_helpersto keep moto backend isolated and ease technical debt.TODO
What's left to do: