fix(appsync): appsync Event API integration assertion tests (#33572)

### Reason for this change Improved assertion tests for newly added AppSync Event API + Channel namespace constructs. Improved documentation to show no channel namespace is created by default, one must be explicitly defined. ### Description of changes * Added assertions to the following integration tests: * `integ.appsync-event-api.ts` * `integ.appsync-eventapi-api-key-auth.ts` * `integ.appsync-eventapi-cognito-auth.ts` * `integ.appsync-eventapi-grants.ts` * `integ.appsync-eventapi-iam-auth.ts` * `integ.appsync-eventapi-lambda-auth.ts` To validate Cognito authorization, I needed to include the following package `@aws-sdk/client-cognito-identity-provider` which is why `yarn.lock` is updated in this PR. - Added channel namespace usage to all Event API examples in `README.md`. ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Integration tests all run successfully with passed assertion tests. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: kwwendt

packages/@aws-cdk-testing/framework-integ/package.json

@@ -35,6 +35,7 @@
  "@aws-sdk/client-acm": "3.632.0",
  "@aws-sdk/client-rds": "3.632.0",
  "@aws-sdk/client-s3": "3.632.0",
+ "@aws-sdk/client-cognito-identity-provider": "3.632.0",
  "axios": "1.7.8",
  "delay": "5.0.0"
  },

packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ-assets/appsync-js-channel-namespace-handler.js

@@ -1,3 +1,12 @@
+function enrichEvent(event) {
+ return {
+ id: event.id,
+ payload: {
+ ...event.payload,
+ newField: 'newField'
+ }
+ }
+}
 export function onPublish(ctx) {
- return ctx.events.filter((event) => event.payload.odds > 0)
+ return ctx.events.map(enrichEvent);
 }

packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ-assets/eventapi-grant-assertion/index.js

@@ -4,6 +4,13 @@ import { HttpRequest } from '@smithy/protocol-http'
 import { SignatureV4 } from '@smithy/signature-v4'
 import { fromNodeProviderChain } from '@aws-sdk/credential-providers'
 import { Sha256 } from '@aws-crypto/sha256-js'
+import { 
+ CognitoIdentityProviderClient, 
+ SignUpCommand,
+ AdminConfirmSignUpCommand,
+ AdminDeleteUserCommand,
+ AdminInitiateAuthCommand,
+} from '@aws-sdk/client-cognito-identity-provider';
 
 // The default headers to to sign the request
 const DEFAULT_HEADERS = {
@@ -16,6 +23,56 @@ const AWS_APPSYNC_EVENTS_SUBPROTOCOL = 'aws-appsync-event-ws';
 const realtimeUrl = process.env.EVENT_API_REALTIME_URL;
 const httpUrl = process.env.EVENT_API_HTTP_URL;
 const region = process.env.AWS_REGION;
+const API_KEY = process.env.API_KEY;
+const USER_POOL_ID = process.env.USER_POOL_ID;
+const CLIENT_ID = process.env.CLIENT_ID;
+const { username, password } = generateUsernamePassword(12);
+
+const cognitoClient = new CognitoIdentityProviderClient();
+
+/**
+ * Utility function for generating a temporary password
+ * @param {int} length 
+ * @returns 
+ */
+function generateUsernamePassword(length) {
+ const uppercaseChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
+ const lowercaseChars = 'abcdefghijklmnopqrstuvwxyz';
+ const numberChars = '0123456789';
+ const specialChars = '!@#$%&';
+ const allChars = uppercaseChars + lowercaseChars + numberChars + specialChars;
+
+ // Ensure length is at least 4 to accommodate required characters
+ const actualLength = Math.max(length, 4);
+ 
+ // Start with one character from each required set
+ let password = [
+ uppercaseChars.charAt(Math.floor(Math.random() * uppercaseChars.length)),
+ lowercaseChars.charAt(Math.floor(Math.random() * lowercaseChars.length)),
+ numberChars.charAt(Math.floor(Math.random() * numberChars.length)),
+ specialChars.charAt(Math.floor(Math.random() * specialChars.length))
+ ];
+
+ // Fill the rest with random characters
+ for (let i = 4; i < actualLength; i++) {
+ const randomIndex = Math.floor(Math.random() * allChars.length);
+ password.push(allChars.charAt(randomIndex));
+ }
+
+ // Shuffle the password array to randomize character positions
+ for (let i = password.length - 1; i > 0; i--) {
+ const j = Math.floor(Math.random() * (i + 1));
+ [password[i], password[j]] = [password[j], password[i]];
+ }
+
+ let username = '';
+ for (let i = 0; i < 6; i++) {
+ const randomIndex = Math.floor(Math.random() * lowercaseChars.length);
+ username += lowercaseChars.charAt(randomIndex);
+ }
+
+ return { username, password: password.join('') };
+}
 
 /**
  * Returns a signed authorization object
@@ -33,7 +90,7 @@ async function signWithAWSV4(httpDomain, region, body) {
  sha256: Sha256,
  })
 
- const url = new URL(`https://${httpDomain}/event`)
+ const url = new URL(`${httpDomain}`)
  const request = new HttpRequest({
  method: 'POST',
  headers: {
@@ -55,13 +112,11 @@ async function signWithAWSV4(httpDomain, region, body) {
 
 /**
  * Returns a header value for the SubProtocol header
- * @param {string} httpDomain the AppSync Event API HTTP domain
- * @param {string} region the AWS region of your API
+ * @param {string} authHeaders the authorization headers
  * @returns string a header string
  */
-async function getAuthProtocolForIAM(httpDomain, region) {
- const signed = await signWithAWSV4(httpDomain, region)
- const based64UrlHeader = btoa(JSON.stringify(signed))
+function getAuthProtocolForIAM(authHeaders) {
+ const based64UrlHeader = btoa(JSON.stringify(authHeaders))
  .replace(/\+/g, '-') // Convert '+' to '-'
  .replace(/\//g, '_') // Convert '/' to '_'
  .replace(/=+$/, '') // Remove padding `=`
@@ -78,26 +133,114 @@ function sleep(ms) {
  return new Promise(resolve => setTimeout(resolve, ms));
 }
 
+/**
+ * Helper function for creating a Cognito user and confirming the user
+ * The function also deletes the user after the test is complete
+ * and it initiates and auth flow to get the ID token for testing the
+ * Event API auth flow with Cognito.
+ * @param {string} action - CREATE, DELETE, AUTH
+ * @returns 
+ */
+async function cognitoUserConfiguration(action) {
+ switch (action) {
+ case 'CREATE':
+ const signUpUserInput = {
+ ClientId: CLIENT_ID,
+ Username: username,
+ Password: password,
+ };
+ const signUpCommand = new SignUpCommand(signUpUserInput);
+ await cognitoClient.send(signUpCommand);
+ const confirmSignUpInput = {
+ UserPoolId: USER_POOL_ID,
+ Username: username,
+ };
+ const confirmSignUpCommand = new AdminConfirmSignUpCommand(confirmSignUpInput);
+ await cognitoClient.send(confirmSignUpCommand);
+ return {};
+ case 'DELETE':
+ const deleteUserInput = {
+ UserPoolId: USER_POOL_ID,
+ Username: username,
+ };
+ const deleteUserCommand = new AdminDeleteUserCommand(deleteUserInput);
+ await cognitoClient.send(deleteUserCommand);
+ return;
+ case 'AUTH':
+ const authInput = {
+ UserPoolId: USER_POOL_ID,
+ ClientId: CLIENT_ID,
+ AuthFlow: 'ADMIN_USER_PASSWORD_AUTH',
+ AuthParameters: {
+ USERNAME: username,
+ PASSWORD: password,
+ },
+ };
+ const authCommand = new AdminInitiateAuthCommand(authInput);
+ const authRes = await cognitoClient.send(authCommand);
+ return authRes.AuthenticationResult.IdToken;
+ }
+}
+
+/**
+ * Returns the appropriate headers depending on the auth mode selected
+ * @param {*} authMode - IAM, API_KEY, LAMBDA, USER_POOL, OIDC
+ * @param {*} event - the event payload for Publish operations, null by default
+ * @param {*} authToken - the token for LAMBDA auth modes
+ * @returns 
+ */
+async function getPublishAuthHeader(authMode, event={}, authToken='') {
+ const url = new URL(`${httpUrl}`)
+ const headers = {
+ host: url.hostname,
+ };
+
+ switch (authMode) {
+ case 'IAM':
+ return await signWithAWSV4(httpUrl, region, JSON.stringify(event));
+ case 'API_KEY':
+ return {
+ 'x-api-key': `${API_KEY}`,
+ ...headers,
+ }
+ case 'USER_POOL':
+ return {
+ 'Authorization': await cognitoUserConfiguration('AUTH'),
+ ...headers,
+ }
+ case 'LAMBDA':
+ return {
+ 'Authorization': authToken,
+ ...headers,
+ }
+ default:
+ throw new Error(`Unknown auth mode ${authMode}`)
+ }
+}
+
 /**
  * Initiates a subscription to a channel and returns the response
  *
  * @param {string} channel the channel to subscribe to
+ * @param {string} authMode the authorization mode for the request
+ * @param {string} authToken the token used for Lambda auth mode
  * @param {boolean} triggerPub whether to also publish in the method
  * @returns {Object}
  */
-async function subscribe(channel, triggerPub=false) {
+async function subscribe(channel, authMode, authToken, triggerPub=false) {
  const response = {};
- const auth = await getAuthProtocolForIAM(httpUrl, region)
+ const authHeader = await getPublishAuthHeader(authMode, {}, authToken);
+ const auth = getAuthProtocolForIAM(authHeader);
  const socket = await new Promise((resolve, reject) => {
  const socket = new WebSocket(
- `wss://${realtimeUrl}/event/realtime`,
+ `${realtimeUrl}`,
  [AWS_APPSYNC_EVENTS_SUBPROTOCOL, auth],
  { headers: { ...DEFAULT_HEADERS } },
  )
 
  socket.onopen = () => {
  socket.send(JSON.stringify({ type: 'connection_init' }))
- console.log("Initialize connection");
+ console.log('Initialize connection');
  resolve(socket)
  }
 
@@ -113,18 +256,18 @@ async function subscribe(channel, triggerPub=false) {
  console.log('Data received');
  response.pubStatusCode = 200;
  response.pubMsg = JSON.parse(payload.event).message;
- } else if (payload.type === "subscribe_error") {
+ } else if (payload.type === 'subscribe_error') {
  console.log(payload);
- if (payload.errors.some((error) => error.errorType === "UnauthorizedException")) {
- console.log("Error received");
+ if (payload.errors.some((error) => error.errorType === 'UnauthorizedException')) {
+ console.log('Error received');
  response.statusCode = 401;
- response.msg = "UnauthorizedException";
+ response.msg = 'UnauthorizedException';
  } else if (payload.errors.some(error => error.errorType === 'AccessDeniedException')) {
  console.log('Error received');
  response.statusCode = 403;
  response.msg = 'Forbidden';
  } else {
- console.log("Error received");
+ console.log('Error received');
  response.statusCode = 400;
  response.msg = payload.errors[0].errorType;
  }
@@ -138,12 +281,12 @@ async function subscribe(channel, triggerPub=false) {
  type: 'subscribe',
  id: crypto.randomUUID(),
  channel: subChannel,
- authorization: await signWithAWSV4(httpUrl, region, JSON.stringify({ channel: subChannel })),
+ authorization: await getPublishAuthHeader(authMode, { channel: subChannel }, authToken),
  }));
 
  if (triggerPub) {
  await sleep(1000);
- await publish(channel);
+ await publish(channel, authMode, authToken);
  }
  await sleep(3000);
  return response;
@@ -153,19 +296,21 @@ async function subscribe(channel, triggerPub=false) {
  * Publishes to a channel and returns the response
  *
  * @param {string} channel the channel to publish to
+ * @param {string} authMode the auth mode to use for publishing
+ * @param {string} authToken the auth token to use for Lambda auth mode
  * @returns {Object}
  */
-async function publish(channel) {
+async function publish(channel, authMode, authToken) {
  const event = {
- "channel": `/${channel}/test`,
- "events": [
+ 'channel': `/${channel}/test`,
+ 'events': [
  JSON.stringify({message:'Hello World!'})
  ]
  }
 
- const response = await fetch(`https://${httpUrl}/event`, {
+ const response = await fetch(`${httpUrl}`, {
  method: 'POST',
- headers: await signWithAWSV4(httpUrl, region, JSON.stringify(event)),
+ headers: await getPublishAuthHeader(authMode, event, authToken),
  body: JSON.stringify(event)
  });
 
@@ -190,18 +335,34 @@ async function publish(channel) {
 exports.handler = async function(event) {
  const pubSubAction = event.action;
  const channel = event.channel;
+ const authMode = event.authMode;
+ const authToken = event.authToken ?? '';
+ const isCustomEndpoint = event.customEndpoint ?? false;
 
+ // If custom endpoint, wait for 60 seconds for DNS to propagate
+ if (isCustomEndpoint) {
+ await sleep(60000);
+ }
+
+ if (authMode === 'USER_POOL') {
+ await cognitoUserConfiguration('CREATE');
+ }
+
+ let res;
  if (pubSubAction === 'publish') {
- const res = await publish(channel);
+ res = await publish(channel, authMode, authToken);
  console.log(res);
- return res;
  } else if (pubSubAction === 'subscribe') {
- const res = await subscribe(channel, false);
+ res = await subscribe(channel, authMode, authToken, false);
  console.log(res);
- return res;
  } else if (pubSubAction === 'pubSub') {
- const res = await subscribe(channel, true);
+ res = await subscribe(channel, authMode, authToken, true);
  console.log(res);
- return res;
  }
-};
+
+ if (authMode === 'USER_POOL') {
+ await cognitoUserConfiguration('DELETE');
+ }
+
+ return res;
+};