From e9dfd46c4699eddbe626ecc1b61eb82cbb0dc17c Mon Sep 17 00:00:00 2001
From: Vu Dao <37215642+vumdao@users.noreply.github.com>
Date: Fri, 15 Nov 2024 03:00:28 +0700
Subject: [PATCH] feat: not check cognito User Pool Authorizers for OPTIONS method (#1834)

OPTIONS requests should be allowed without authentication. OPTIONS is the HTTP method used for CORS-preflight requests and the [CORS specification](https://fetch.spec.whatwg.org/#cors-protocol-and-credentials) confirms as follows: a CORS-preflight request never includes credentials.
---
 .../cognito/CognitoUserPoolAPIGWAuthorizer.ts | 6 +++++-
 test/rules/Cognito.test.ts | 19 ++++++++++++++-----
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/src/rules/cognito/CognitoUserPoolAPIGWAuthorizer.ts b/src/rules/cognito/CognitoUserPoolAPIGWAuthorizer.ts
index 35d1df1151..551d0691e4 100644
--- a/src/rules/cognito/CognitoUserPoolAPIGWAuthorizer.ts
+++ b/src/rules/cognito/CognitoUserPoolAPIGWAuthorizer.ts
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 import { parse } from 'path';
 import { CfnResource } from 'aws-cdk-lib';
 import { CfnMethod } from 'aws-cdk-lib/aws-apigateway';
-import { NagRuleCompliance } from '../../nag-rules';
+import { NagRuleCompliance, NagRules } from '../../nag-rules';
 
 /**
  * Rest API methods use Cognito User Pool Authorizers
@@ -14,6 +14,10 @@ import { NagRuleCompliance } from '../../nag-rules';
 export default Object.defineProperty(
   (node: CfnResource): NagRuleCompliance => {
     if (node instanceof CfnMethod) {
+      const httpMethod = NagRules.resolveIfPrimitive(node, node.httpMethod);
+      if (httpMethod === 'OPTIONS') {
+        return NagRuleCompliance.NOT_APPLICABLE;
+      }
       if (node.authorizationType !== 'COGNITO_USER_POOLS') {
         return NagRuleCompliance.NON_COMPLIANT;
       }
diff --git a/test/rules/Cognito.test.ts b/test/rules/Cognito.test.ts
index 5e402f0869..43168e06b0 100644
--- a/test/rules/Cognito.test.ts
+++ b/test/rules/Cognito.test.ts
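Review bot: The new exemption inside the `if (node instanceof CfnMethod)` branch is unconditional: every `OPTIONS` method, not only the MOCK-integration preflight that `defaultCorsPreflightOptions` generates, is now reported `NOT_APPLICABLE`, so an OPTIONS route wired to a Lambda or HTTP backend with `authorizationType` NONE is no longer flagged by this rule. The commit message justifies the exemption with CORS preflight, which never carries credentials, but that argument only covers the mock preflight responder; if `node.integration` can be resolved here (e.g. with `Stack.of(node).resolve(node.integration)`, which would need `Stack` imported from `aws-cdk-lib`), narrowing the guard to `if (httpMethod === 'OPTIONS' && integration?.type === 'MOCK') {` keeps real OPTIONS handlers under the rule. If the broad exemption is intended, say so in the rule's header comment so users of the rule know the gap, e.g. ` * OPTIONS methods are skipped (NOT_APPLICABLE) regardless of integration, since CORS preflight requests carry no credentials.` The comparison against the upper-case literal fails closed — a lower-case verb on a raw `CfnMethod` would still be evaluated against the authorizer check — which is the right direction. The arrow function passed to `Object.defineProperty` continues past the end of the hunk.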
@@ -2,15 +2,15 @@
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: Apache-2.0
 */
-import { RestApi, AuthorizationType } from 'aws-cdk-lib/aws-apigateway';
+import { AuthorizationType, Cors, RestApi } from 'aws-cdk-lib/aws-apigateway';
 import {
-  UserPool,
-  Mfa,
-  CfnUserPool,
   CfnIdentityPool,
+  CfnUserPool,
+  Mfa,
+  UserPool,
 } from 'aws-cdk-lib/aws-cognito';
 import { Aspects, Stack } from 'aws-cdk-lib/core';
-import { validateStack, TestType, TestPack } from './utils';
+import { TestPack, TestType, validateStack } from './utils';
 import {
   CognitoUserPoolAPIGWAuthorizer,
   CognitoUserPoolAdvancedSecurityModeEnforced,
@@ -114,6 +114,15 @@ describe('Amazon Cognito', () => {
     });
     validateStack(stack, ruleId, TestType.COMPLIANCE);
   });
+
+  test('Compliance 2', () => {
+    new RestApi(stack, 'Rest', {
+      defaultCorsPreflightOptions: {
+        allowOrigins: Cors.ALL_ORIGINS,
+      },
+    });
+    validateStack(stack, ruleId, TestType.COMPLIANCE);
+  });
 });
 
 describe('CognitoUserPoolNoUnauthenticatedLogins: Cognito identity pools do not allow for unauthenticated logins without a valid reason', () => {
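Review bot: `Compliance 2` only shows that the exemption fires for the generated preflight method; nothing in the hunk checks that it does not swallow other methods on the same API, and this rule's non-compliance cases sit outside the hunk. A companion non-compliance test that pairs `defaultCorsPreflightOptions` with a real unauthenticated method, e.g. `const api = new RestApi(stack, 'Rest', { defaultCorsPreflightOptions: { allowOrigins: Cors.ALL_ORIGINS } });` followed by `api.root.addMethod('GET');`, would pin that the GET is still reported while the OPTIONS sibling is ignored. Since the rule change also exempts an OPTIONS method attached to a non-mock integration, a test declaring such a method would document whether that is intended behaviour rather than leaving it implicit.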