Added password based authorization
giedri committed Jan 5, 2024
1 parent 76047f1 commit 7cbb6c1
Showing 5 changed files with 36 additions and 13 deletions.
Expand Up @@ -45,6 +45,9 @@ spec:
description: Set the Lambda function and handler name for API Gateway Lambda Authorizer
type: string
default: lambda_function.lambda_handler
authorizerPassword:
description: Set the API password to be used by the API Gateway Lambda Authorizer
type: string
lambdaRunTime:
description: Set the Lambda function runtime.
type: string
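Review bot: `authorizerPassword` is declared as an ordinary `string` spec field with no `default`, which means the shared secret will sit in clear text in every claim manifest and in the composite resource as returned by `kubectl get`. The description should state that this value is a secret which ends up in the Lambda function's environment, and since the field has no default, either mark it required in the XRD schema or document that a claim without it will not reconcile.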
Expand Up @@ -359,7 +359,12 @@ spec:
string:
fmt: "%s-authorizer"
- type: FromCompositeFieldPath
fromFieldPath: status.tableName
fromFieldPath: spec.authorizerPassword
toFieldPath: spec.envVariables[AUTHORIZER_PASSWORD]
policy:
fromFieldPath: Required
mergeOptions:
keepMapValues: true
- type: FromCompositeFieldPath
fromFieldPath: spec.codeBucketName
toFieldPath: spec.bucketName
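Review bot: the hunk replaces the existing `fromFieldPath: status.tableName` line with `fromFieldPath: spec.authorizerPassword` rather than adding a new patch entry beside it; confirm that dropping the `status.tableName` mapping is intended and not an accidental edit. `policy: fromFieldPath: Required` is the right fail-closed choice, because the Lambda will not be created with an unset password, but that behaviour should be documented in the README. Note also that `spec.envVariables[AUTHORIZER_PASSWORD]` places the secret in a plain Lambda environment variable, readable by anyone with `lambda:GetFunctionConfiguration`; a sentence in the README about that exposure would help users decide whether this sample is appropriate for their environment.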
Expand Up @@ -13,7 +13,7 @@ Example is (loosely) based on a AWS Serverless Samples repository [serverless-re
API uses API Gateway REST API endpoint type with OpenAPI definition that includes proxy resource. All requests are passed to the integration target (AWS Lambda) for routing and interpretation/response generation. API Gateway does not implement any validation, transformation, path based routing, API management functions. You would have to update openAPI in the body property in the composition to implement those features.


API Gateway uses Lambda Authorizer for authentication/authorization. However, sample implementation at `./src/authorizer/lambda_function.py` allows all actions on all resources in the API. Make sure to update authorizer Lambda code according to your authentication/authorization needs. For more details on how to implement Lambda Authorizer, check out [documentation](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html). or [blueprints](https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints).
API Gateway uses Lambda Authorizer for authentication/authorization. However, sample implementation at `./src/authorizer/lambda_function.py` allows all actions on all resources in the API if the `Authorization` header value in the request matches the one in the Lambda Authorizer environmental variable `AUTHORIZER_PASSWORD`. Make sure to update authorizer Lambda code according to your authentication/authorization needs. For more details on how to implement Lambda Authorizer, check out [documentation](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html). or [blueprints](https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints).
Take a look at Lambda Authorizer code at [serverless-rest-api](https://github.com/aws-samples/serverless-samples/tree/main/serverless-rest-api) for JWT based authorization examples if needed.


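Review bot: two wording issues in the added sentence: "environmental variable" should be "environment variable", and the stray period in "check out [documentation](...). or [blueprints](...)" is carried over from the old line and should be removed. It would also help to say explicitly that the whole `Authorization` header value is compared to the password (no `Bearer` scheme prefix), since the later curl examples in this README depend on that.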
Expand Down Expand Up @@ -127,6 +127,7 @@ Set the AWS region in the claim with the ones used in the previous step “Build
```shell
export AWS_REGION=<replace-with-aws-region> # example `us-east-1`
export S3_BUCKET=<replace-with-s3-bucket-name> # example `my-crossplane-microservice-lambdas`
export AUTHORIZER_PASSWORD=$(openssl rand -hex 32)
```

Change the default value for `CLAIM_NAME` with any name you choose.
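Review bot: the `openssl rand -hex 32` line generates a fresh secret in the current shell only; since the same value is needed later for the `curl` tests and is baked into the claim, add a sentence telling the reader to save it somewhere safe (or to reuse the value from the claim) because it is lost when the shell session ends. Generating it rather than hard-coding it is a clear improvement over the previous `Bearer 1234567890` placeholder.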
Expand Down Expand Up @@ -280,32 +281,32 @@ Expected output:
Expected output - `{"message":"Unauthorized"}`
- Test endpoint with authorization:
```shell
curl $API_BASE_URL/items -H "Authorization: Bearer 1234567890"
curl $API_BASE_URL/items -H "Authorization: $AUTHORIZER_PASSWORD"
```
Expected output - `[]`
- Test endpoint by creating record in the database:
```shell
curl -X PUT $API_BASE_URL/items -H "Authorization: Bearer 1234567890" -d '{"my_data":"Here goes my payload data"}'
curl -X PUT $API_BASE_URL/items -H "Authorization: $AUTHORIZER_PASSWORD" -d '{"my_data":"Here goes my payload data"}'
```
Expected output - `{"my_data": "Here goes my payload data", "timestamp": "2023-12-21T17:11:51.662839", "id": "087b4aca-a024-11ee-a28c-bbcde0052444"}`
- Get list of items in the database again:
```shell
curl $API_BASE_URL/items -H "Authorization: Bearer 1234567890"
curl $API_BASE_URL/items -H "Authorization: $AUTHORIZER_PASSWORD"
```
Expected output - `[{"my_data": "Here goes my payload data", "id": "087b4aca-a024-11ee-a28c-bbcde0052444", "timestamp": "2023-12-21T17:11:51.662839"}]`
- Note ID of the item and get individual record from the database:
```shell
curl $API_BASE_URL/items/<id of the item> -H "Authorization: Bearer 1234567890"
curl $API_BASE_URL/items/<id of the item> -H "Authorization: $AUTHORIZER_PASSWORD"
```
Expected output - `{"my_data": "Here goes my payload data", "id": "087b4aca-a024-11ee-a28c-bbcde0052444", "timestamp": "2023-12-21T17:11:51.662839"}`
- Note ID of the item and delete individual record in the database:
```shell
curl -X DELETE $API_BASE_URL/items/<id of the item> -H "Authorization: Bearer 1234567890"
curl -X DELETE $API_BASE_URL/items/<id of the item> -H "Authorization: $AUTHORIZER_PASSWORD"
```
Expected output - `{}`
- Get list of items in the database again and verify that record had been deleted:
```shell
curl $API_BASE_URL/items -H "Authorization: Bearer 1234567890"
curl $API_BASE_URL/items -H "Authorization: $AUTHORIZER_PASSWORD"
```
Expected output - `[]`

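Review bot: every `curl` line now passes the raw secret as the entire `Authorization` header value, which matches the authorizer's exact-match comparison; the old `Bearer ` prefix must not be reintroduced, and a short note to that effect next to the first example would prevent confusion. Since the expanded secret appears in the `curl` process arguments, it is visible in process listings on the workstation; mention that this is acceptable for a demo but that the secret should be rotated afterwards.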
Expand Up @@ -9,6 +9,7 @@ spec:
codeBucketName: $S3_BUCKET
logicLambdaCodeBucketKey: microservice-business-logic.zip
authorizerLambdaCodeBucketKey: microservice-authorizer.zip
authorizerPassword: $AUTHORIZER_PASSWORD
lambdaRunTime: python3.10
resourceConfig:
providerConfigName: aws-provider-config
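Review bot: `authorizerPassword: $AUTHORIZER_PASSWORD` means the substituted manifest and the claim object in the cluster both contain the secret in clear text, so anyone with read access to the claim (or to the file once substituted) can call the API. Add a comment on that line warning against committing the rendered manifest, and consider a follow-up that sources the value from a Kubernetes Secret instead of an inline spec field.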
Expand Up @@ -2,13 +2,25 @@
# SPDX-License-Identifier: Apache-2.0

# IMPORTANT:
# This is sample implementation of a Lambda Authorizer, it generates IAM policy that allows ALL actions on your API to be performed by ANYONE
# Make sure to update code below to limit access to the resources based on your use case
# For more details on how to implement Lambda Authorizer, check out documentation at https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
# You may also use the Lambda Authorizer blueprints at https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints
# This is sample implementation of a Lambda Authorizer, it generates IAM policy that allows ALL actions on your API
# to be performed by ANYONE who includes correct password value in the Authorization header (it has to match Lambda
# function evironment variable AUTHORIZER_PASSWORD).
# Make sure to update code below to limit access to the resources based on your use case.
# For more details on how to implement Lambda Authorizer, check out documentation at https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
# You may also use the Lambda Authorizer blueprints at https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints

def lambda_handler(event, context):
import os

AUTHORIZER_PASSWORD = os.getenv('AUTHORIZER_PASSWORD', None)

def lambda_handler(event, context):

authorizationToken=event['authorizationToken']
if authorizationToken is None:
raise Exception('Unauthorized')
if authorizationToken != AUTHORIZER_PASSWORD:
raise Exception('Unauthorized')

authResponse = {
"principalId": "TestUser",
"policyDocument": {
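Review bot: `authorizationToken=event['authorizationToken']` raises `KeyError` when the key is absent, so the `if authorizationToken is None` check that follows can never fire; use `event.get('authorizationToken')` so the explicit `Unauthorized` path is actually reachable. The `!=` comparison on the next check is not constant-time; compare shared secrets with `hmac.compare_digest(authorizationToken, AUTHORIZER_PASSWORD)` (guarding for `AUTHORIZER_PASSWORD` being `None` when the variable is unset, which currently fails closed only by accident of `!=`). Minor: "evironment" in the header comment should be "environment".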
Expand All @@ -21,4 +33,5 @@ def lambda_handler(event, context):
"arn:aws:execute-api:*:*:*/*/*/*"
]
}]}}

return authResponse
