From 2b4536c5135d8ea20903d84626602444ef82c43a Mon Sep 17 00:00:00 2001
From: Vu Dao
Date: Thu, 7 Nov 2024 19:02:39 +0700
Subject: [PATCH 1/4] Not check cognito User Pool Authorizers for OPTIONS method
---
 .../cognito/CognitoUserPoolAPIGWAuthorizer.ts | 6 +++++-
 test/rules/Cognito.test.ts | 19 ++++++++++++++-----
 2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/src/rules/cognito/CognitoUserPoolAPIGWAuthorizer.ts b/src/rules/cognito/CognitoUserPoolAPIGWAuthorizer.ts
index 35d1df1151..551d0691e4 100644
--- a/src/rules/cognito/CognitoUserPoolAPIGWAuthorizer.ts
+++ b/src/rules/cognito/CognitoUserPoolAPIGWAuthorizer.ts
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 import { parse } from 'path';
 import { CfnResource } from 'aws-cdk-lib';
 import { CfnMethod } from 'aws-cdk-lib/aws-apigateway';
-import { NagRuleCompliance } from '../../nag-rules';
+import { NagRuleCompliance, NagRules } from '../../nag-rules';
 
 /**
  * Rest API methods use Cognito User Pool Authorizers
@@ -14,6 +14,10 @@ import { NagRuleCompliance } from '../../nag-rules';
 export default Object.defineProperty(
   (node: CfnResource): NagRuleCompliance => {
     if (node instanceof CfnMethod) {
+      const httpMethod = NagRules.resolveIfPrimitive(node, node.httpMethod);
+      if (httpMethod === 'OPTIONS') {
+        return NagRuleCompliance.NOT_APPLICABLE;
+      }
       if (node.authorizationType !== 'COGNITO_USER_POOLS') {
         return NagRuleCompliance.NON_COMPLIANT;
       }
diff --git a/test/rules/Cognito.test.ts b/test/rules/Cognito.test.ts
index 5e402f0869..3b93f2247a 100644
--- a/test/rules/Cognito.test.ts
+++ b/test/rules/Cognito.test.ts
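Review bot: The early return on the added `if (httpMethod === 'OPTIONS')` exempts every OPTIONS method, not only the MOCK-integration preflight that CDK's `defaultCorsPreflightOptions` generates, so an OPTIONS method wired to a real backend integration with a non-Cognito `authorizationType` now passes this rule where the old code flagged it. If the goal is just to stop flagging CORS preflight handlers, narrowing the exemption to methods whose `integration` resolves to type `MOCK` keeps the rest of the API surface under the rule; otherwise the widened scope should at least be stated in the rule's doc comment, which still reads only `Rest API methods use Cognito User Pool Authorizers`. Either way a why-comment above the check would help the next reader, e.g. `// Browsers send CORS preflight (OPTIONS) requests without credentials, so an authorizer cannot be applied to them.` The exact, case-sensitive comparison is the safe direction: anything other than `'OPTIONS'` keeps being checked. The arrow function under review continues past the end of the hunk.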
@@ -2,15 +2,14 @@
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: Apache-2.0
 */
-import { RestApi, AuthorizationType } from 'aws-cdk-lib/aws-apigateway';
+import { AuthorizationType, Cors, RestApi } from 'aws-cdk-lib/aws-apigateway';
 import {
-  UserPool,
-  Mfa,
-  CfnUserPool,
   CfnIdentityPool,
+  CfnUserPool,
+  Mfa,
+  UserPool,
 } from 'aws-cdk-lib/aws-cognito';
 import { Aspects, Stack } from 'aws-cdk-lib/core';
-import { validateStack, TestType, TestPack } from './utils';
 import {
   CognitoUserPoolAPIGWAuthorizer,
   CognitoUserPoolAdvancedSecurityModeEnforced,
@@ -18,6 +17,7 @@ import {
   CognitoUserPoolNoUnauthenticatedLogins,
   CognitoUserPoolStrongPasswordPolicy,
 } from '../../src/rules/cognito';
+import { TestPack, TestType, validateStack } from './utils';
 
 const testPack = new TestPack([
   CognitoUserPoolAPIGWAuthorizer,
@@ -114,6 +114,15 @@ describe('Amazon Cognito', () => {
       });
       validateStack(stack, ruleId, TestType.COMPLIANCE);
     });
+
+    test('Compliance', () => {
+      new RestApi(stack, 'rRest', {
+        defaultCorsPreflightOptions: {
+          allowOrigins: Cors.ALL_ORIGINS,
+        },
+      });
+      validateStack(stack, ruleId, TestType.COMPLIANCE);
+    });
   });
 
   describe('CognitoUserPoolNoUnauthenticatedLogins: Cognito identity pools do not allow for unauthenticated logins without a valid reason', () => {
From 11a256f8d3a0b2e4033028f95403d3513e2b40e2 Mon Sep 17 00:00:00 2001
From: Vu Dao <37215642+vumdao@users.noreply.github.com>
Date: Sat, 9 Nov 2024 08:22:23 +0700
Subject: [PATCH 2/4] Update test/rules/Cognito.test.ts
Co-authored-by: Arun Donti
---
 test/rules/Cognito.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/rules/Cognito.test.ts b/test/rules/Cognito.test.ts
index 3b93f2247a..e08293c726 100644
--- a/test/rules/Cognito.test.ts
+++ b/test/rules/Cognito.test.ts
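Review bot: The added test exercises only the preflight method that `defaultCorsPreflightOptions` generates, so it does not pin what the rule does for an OPTIONS method declared explicitly with a real integration and no Cognito authorizer, which is exactly the case the new exemption widens. Whichever behaviour is intended, a second stack with such a method and a matching expectation would lock it in, and adding a GET with `AuthorizationType.NONE` next to the preflight in a non-compliance test would confirm the exemption does not leak to other methods on the same API. The enclosing `describe` block starts and ends outside the hunk.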
@@ -116,7 +116,7 @@ describe('Amazon Cognito', () => {
     });
 
     test('Compliance', () => {
-      new RestApi(stack, 'rRest', {
+      new RestApi(stack, 'Rest', {
         defaultCorsPreflightOptions: {
           allowOrigins: Cors.ALL_ORIGINS,
         },
From 5b730d4cdb6b3397f01f5dcc0b749766c9a46615 Mon Sep 17 00:00:00 2001
From: Vu Dao <37215642+vumdao@users.noreply.github.com>
Date: Sat, 9 Nov 2024 08:22:39 +0700
Subject: [PATCH 3/4] Update test/rules/Cognito.test.ts
Co-authored-by: Arun Donti
---
 test/rules/Cognito.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/rules/Cognito.test.ts b/test/rules/Cognito.test.ts
index e08293c726..43c5baee70 100644
--- a/test/rules/Cognito.test.ts
+++ b/test/rules/Cognito.test.ts
@@ -115,7 +115,7 @@ describe('Amazon Cognito', () => {
       validateStack(stack, ruleId, TestType.COMPLIANCE);
     });
 
-    test('Compliance', () => {
+    test('Compliance 2', () => {
       new RestApi(stack, 'Rest', {
         defaultCorsPreflightOptions: {
           allowOrigins: Cors.ALL_ORIGINS,
From 802e97766f362547e64442946d6ab3c7ba9ac877 Mon Sep 17 00:00:00 2001
From: Vu Dao
Date: Wed, 13 Nov 2024 07:44:25 +0700
Subject: [PATCH 4/4] Fix Files were changed during build
---
 test/rules/Cognito.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/rules/Cognito.test.ts b/test/rules/Cognito.test.ts
index 43c5baee70..43168e06b0 100644
--- a/test/rules/Cognito.test.ts
+++ b/test/rules/Cognito.test.ts
@@ -10,6 +10,7 @@ import {
   UserPool,
 } from 'aws-cdk-lib/aws-cognito';
 import { Aspects, Stack } from 'aws-cdk-lib/core';
+import { TestPack, TestType, validateStack } from './utils';
 import {
   CognitoUserPoolAPIGWAuthorizer,
   CognitoUserPoolAdvancedSecurityModeEnforced,
@@ -17,7 +18,6 @@ import {
   CognitoUserPoolNoUnauthenticatedLogins,
   CognitoUserPoolStrongPasswordPolicy,
 } from '../../src/rules/cognito';
-import { TestPack, TestType, validateStack } from './utils';
 
 const testPack = new TestPack([
   CognitoUserPoolAPIGWAuthorizer,