From d8a6e5b17d3fa9179be311ede6f2f448308ab06f Mon Sep 17 00:00:00 2001 From: robertd Date: Sat, 27 Feb 2021 02:11:24 -0700 Subject: [PATCH] fix(apigateway): change default SecurityPolicy for DomainName to TLS_1_2 --- .../aws-apigateway/lib/domain-name.ts | 22 +++++++++--------- .../aws-apigateway/test/domains.test.ts | 23 +++---------------- 2 files changed, 14 insertions(+), 31 deletions(-) diff --git a/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts b/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts index 0437b986fdc74..3d39e80b219a8 100644 --- a/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts +++ b/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts @@ -12,8 +12,9 @@ import { EndpointType, IRestApi } from './restapi'; export enum SecurityPolicy { /** Cipher suite TLS 1.0 */ TLS_1_0 = 'TLS_1_0', + /** Cipher suite TLS 1.2 */ - TLS_1_2 = 'TLS_1_2' + TLS_1_2 = 'TLS_1_2', } export interface DomainNameOptions { @@ -38,15 +39,15 @@ export interface DomainNameOptions { /** * The Transport Layer Security (TLS) version + cipher suite for this domain name. * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html - * @default SecurityPolicy.TLS_1_0 + * @default SecurityPolicy.TLS_1_2 */ - readonly securityPolicy?: SecurityPolicy + readonly securityPolicy?: SecurityPolicy; /** * The mutual TLS authentication configuration for a custom domain name. * @default - mTLS is not configured. */ - readonly mtls?: MTLSConfig + readonly mtls?: MTLSConfig; } export interface DomainNameProps extends DomainNameOptions { @@ -83,7 +84,6 @@ export interface IDomainName extends IResource { * @attribute DistributionHostedZoneId,RegionalHostedZoneId */ readonly domainNameAliasHostedZoneId: string; - } export class DomainName extends Resource implements IDomainName { 
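Review bot: The `TLS_1_0` member keeps its bare `/** Cipher suite TLS 1.0 */` comment while the hunk only touches the `TLS_1_2` entry, so nothing in the enum tells a reader which policy is the hardened choice now that the default moves. I would document the trade-off on the legacy member, `/** Cipher suite TLS 1.0. Legacy: still permits TLS 1.0 clients and is no longer the default; prefer TLS_1_2. */`, and mark the new default, `/** Cipher suite TLS 1.2 (the default). */`. The enum appears complete within the hunk, so no other members are hidden from this review.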
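Review bot: The new `@default SecurityPolicy.TLS_1_2` line documents the value but not the deployment consequence: a stack that never set `securityPolicy` will presumably see its existing `AWS::ApiGateway::DomainName` updated to TLS_1_2 on the next deploy, and any caller that can only negotiate TLS 1.0/1.1 will then fail the handshake. That is the right security direction, but it deserves a sentence in the doc so nobody is surprised, e.g. `* Defaults to TLS 1.2. Stacks that must still serve TLS 1.0 clients have to set SecurityPolicy.TLS_1_0 explicitly (the previous default).` If this repository follows conventional-commit conventions, a default change with this blast radius is closer to a `BREAKING CHANGE` trailer than a plain `fix(...)`, and a changelog line would help users scan for it.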
@@ -112,9 +112,9 @@ export class DomainName extends Resource implements IDomainName { const edge = endpointType === EndpointType.EDGE; if (!Token.isUnresolved(props.domainName) && /[A-Z]/.test(props.domainName)) { - throw new Error('domainName does not support uppercase letters. ' + - `got: '${props.domainName}'`); + throw new Error(`Domain name does not support uppercase letters. Got: ${props.domainName}`); } + const mtlsConfig = this.configureMTLS(props.mtls); const resource = new CfnDomainName(this, 'Resource', { domainName: props.domainName, @@ -122,7 +122,7 @@ export class DomainName extends Resource implements IDomainName { regionalCertificateArn: edge ? undefined : props.certificate.certificateArn, endpointConfiguration: { types: [endpointType] }, mutualTlsAuthentication: mtlsConfig, - securityPolicy: props.securityPolicy, + securityPolicy: props.securityPolicy ?? SecurityPolicy.TLS_1_2, }); this.domainName = resource.ref; @@ -176,10 +176,9 @@ export interface DomainNameAttributes { readonly domainNameAliasTarget: string; /** - * Thje Route53 hosted zone ID to use in order to connect a record set to this domain through an alias. + * The Route53 hosted zone ID to use in order to connect a record set to this domain through an alias. */ readonly domainNameAliasHostedZoneId: string; - } /** @@ -190,8 +189,9 @@ export interface MTLSConfig { * The bucket that the trust store is hosted in. */ readonly bucket: IBucket; + /** - * The key in S3 to look at for the trust store + * The key in S3 to look at for the trust store. */ readonly key: string; diff --git a/packages/@aws-cdk/aws-apigateway/test/domains.test.ts b/packages/@aws-cdk/aws-apigateway/test/domains.test.ts index ee70b4e9cb98e..af96926d55a89 100644 --- a/packages/@aws-cdk/aws-apigateway/test/domains.test.ts +++ b/packages/@aws-cdk/aws-apigateway/test/domains.test.ts 
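Review bot: The uppercase check on the unchanged `if (!Token.isUnresolved(props.domainName) && /[A-Z]/.test(props.domainName))` line is skipped entirely when `domainName` is a token, and the rewritten `throw` gives a reader no hint of that; a why-comment would make the synth-time limit explicit: `// Only concrete names can be validated at synth time; a token-valued domainName is passed through and left to the service to reject at deploy time.` The new message also drops the quotes the old one put around the value (`Got: ${props.domainName}`), which made a trailing space visible if such a value ever reached here; consider keeping `Got: '${props.domainName}'`. The constructor this hunk sits in starts and ends outside the hunk.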
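Review bot: The fallback in `securityPolicy: props.securityPolicy ?? SecurityPolicy.TLS_1_2` now encodes the default in code while the doc comment on `DomainNameOptions.securityPolicy` states it separately, so the two can drift; a one-line why-comment at least ties them together: `// Emit TLS 1.2 explicitly rather than omitting the property, which the previous @default documented as falling back to TLS_1_0.` Behaviourally `??` is the right operator here: an explicitly requested `SecurityPolicy.TLS_1_0` still reaches the template unchanged, which is the case the test file should keep covering. The surrounding `new CfnDomainName(...)` call starts before the hunk.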
@@ -1,5 +1,4 @@ import '@aws-cdk/assert/jest'; -import { ABSENT } from '@aws-cdk/assert'; import * as acm from '@aws-cdk/aws-certificatemanager'; import { Bucket } from '@aws-cdk/aws-s3'; import { Stack } from '@aws-cdk/core'; @@ -43,8 +42,6 @@ describe('domains', () => { expect(stack.resolve(regionalDomain.domainNameAliasHostedZoneId)).toEqual({ 'Fn::GetAtt': ['mydomain592C948B', 'RegionalHostedZoneId'] }); expect(stack.resolve(edgeDomain.domainNameAliasDomainName)).toEqual({ 'Fn::GetAtt': ['yourdomain5FE30C81', 'DistributionDomainName'] }); expect(stack.resolve(edgeDomain.domainNameAliasHostedZoneId)).toEqual({ 'Fn::GetAtt': ['yourdomain5FE30C81', 'DistributionHostedZoneId'] }); - - }); test('default endpoint type is REGIONAL', () => { @@ -64,7 +61,6 @@ describe('domains', () => { 'EndpointConfiguration': { 'Types': ['REGIONAL'] }, 'RegionalCertificateArn': { 'Ref': 'Cert5C9FAEC1' }, }); - }); test('accepts different security policies', () => { @@ -109,9 +105,8 @@ describe('domains', () => { 'DomainName': 'default.example.com', 'EndpointConfiguration': { 'Types': ['REGIONAL'] }, 'RegionalCertificateArn': { 'Ref': 'Cert5C9FAEC1' }, - 'SecurityPolicy': ABSENT, + 'SecurityPolicy': 'TLS_1_2', }); - }); test('"mapping" can be used to automatically map this domain to the deployment stage of an API', () => { @@ -140,7 +135,6 @@ describe('domains', () => { 'Ref': 'apiDeploymentStageprod896C8101', }, }); - }); test('"addBasePathMapping" can be used to add base path mapping to the domain', () => { @@ -186,7 +180,6 @@ describe('domains', () => { 'Ref': 'api2DeploymentStageprod4120D74E', }, }); - }); test('a domain name can be defined with the API', () => { @@ -225,8 +218,6 @@ describe('domains', () => { 'Ref': 'apiDeploymentStageprod896C8101', }, }); - - }); test('a domain name can be added later', () => { @@ -265,8 +256,6 @@ describe('domains', () => { 'Ref': 'apiDeploymentStageprod896C8101', }, }); - - }); test('domain name cannot contain uppercase letters', () => { 
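Review bot: The assertion `'SecurityPolicy': 'TLS_1_2'` pins the new default, but nothing in this file's changes shows that an explicitly requested `SecurityPolicy.TLS_1_0` still reaches the template now that `??` supplies a fallback; if `'accepts different security policies'` (visible only as a context line in the earlier hunk) does not already assert `'SecurityPolicy': 'TLS_1_0'` for that case, add it so a future switch to `||` or an unconditional override is caught. A test name along the lines of `'default security policy is TLS_1_2'` would also make the intent greppable, if the current name (outside the hunk) still describes the old behaviour. The enclosing `test(...)` starts before this hunk.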
@@ -274,13 +263,10 @@ describe('domains', () => { const stack = new Stack(); const certificate = new acm.Certificate(stack, 'cert', { domainName: 'someDomainWithUpercase.domain.com' }); - // WHEN + // WHEN & THEN expect(() => { new apigw.DomainName(stack, 'someDomain', { domainName: 'someDomainWithUpercase.domain.com', certificate }); - }).toThrow(/uppercase/); - - // THEN - + }).toThrow(/Domain name does not support uppercase letters./); }); test('multiple domain names can be added', () => { @@ -440,7 +426,6 @@ describe('domains', () => { 'RegionalCertificateArn': 'arn:aws:acm:us-east-1:1111111:certificate/11-3336f1-44483d-adc7-9cd375c5169d', 'MutualTlsAuthentication': { 'TruststoreUri': 's3://exampleBucket/someca.pem', 'TruststoreVersion': 'version' }, }); - }); test('base path mapping configures stage for RestApi creation', () => { @@ -466,8 +451,6 @@ describe('domains', () => { 'Ref': 'restApiWithStageDeploymentStageprodC82A6648', }, }); - - }); test('base path mapping configures stage for SpecRestApi creation', () => {
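Review bot: The new matcher `.toThrow(/Domain name does not support uppercase letters./)` ends in an unescaped `.`, which matches any character rather than the literal period, so the regex is looser than it reads; either drop it, `.toThrow(/Domain name does not support uppercase letters/)`, or escape it as `letters\./`. Merging the `// WHEN` and `// THEN` markers into `// WHEN & THEN` fits the single `expect(() => ...).toThrow` statement, so that part reads fine.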