Add support for local custom authorizers

[stealthycoin]

BuiltinAuthorizer will now work in local mode. Authorizer types that
cannot be run locally will now simply allow the requests to proceed as
if there were no authorizer to allow for local testing.

closes #404

[codecov-io]

Codecov Report

Merging #467 into master will increase coverage by 0.25%.
The diff coverage is 98.65%.

@@            Coverage Diff             @@
##           master     #467      +/-   ##
==========================================
+ Coverage   94.01%   94.26%   +0.25%     
==========================================
  Files          18       18              
  Lines        2939     3103     +164     
  Branches      380      396      +16     
==========================================
+ Hits         2763     2925     +162     
  Misses        129      129              
- Partials       47       49       +2

Impacted Files	Coverage Δ
chalice/cli/__init__.py	81.86% <100%> (ø)	⬆️
chalice/cli/factory.py	89.52% <50%> (ø)	⬆️
chalice/local.py	98.26% <99.09%> (+0.66%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 07968a6...7305052. Read the comment docs.

[JordonPhillips]

Code looks good! Only had a few minor comments.

[JordonPhillips]

You don't appear to be testing this function

[JordonPhillips]

It's a bit bizzare to define instance attributes outside of init, especially since you're not doing any complicated initialization or logic to set their initial values.

[stealthycoin]

I separated the logic that is specific to the actual lambda context initialization vs the initializations I have to do for my fake object to run.

[jamesls]

Yeah I'm surprised pylint didn't yell at you for this. Even if you want it extracted out to a separate function, I think they should also be "declared" in the __init__.

[JordonPhillips]

How nested is this structure? if it's more than one level then maybe you should deepcopy.

[stealthycoin]

The event is a dict of entirely [str, Union[str, Dict[str, str]] so I don't think it needs to be deepcopied unless I am mistaken about something.

[JordonPhillips]

s/If there/If/

[JordonPhillips]

If authorizer is an attribute of route_entry why are you not just returning route_entry?

[stealthycoin]

Yes I think this made more sense before a refactor and I didn't think to update it.

[JordonPhillips]

You seem to have trailed off here.

[JordonPhillips]

A class doc string for this would be nice

[jamesls]

Some initial feedback, still going through it.

[jamesls]

Yeah I'm surprised pylint didn't yell at you for this. Even if you want it extracted out to a separate function, I think they should also be "declared" in the __init__.

[jamesls]

%s/authroizer/authorizer/g

[jamesls]

You shouldn't need the extra set of parens here.

[jamesls]

These technically support wildcards as well. If you're not going to support them, you should probably make a note about eventually supporting them.

[jamesls]

I don't think this is right. The uri pattern will include the placeholder values so something like this won't work:

@app.route('/foo/{name}', authorizer=demo_auth)
def index(name):
    return {'context': app.current_request.context}

If I return AuthResponse(routes=['/foo/bar'], principal_id='user') from my authorizer.

What if we mirrored things more closely to real IAM?

1. Generate the resource ARN for the specific method/view
2. Check if any of the resources in the returned policy match the ARN (accounting for wildcards).

I also would suggest extracting this policy matching out to a separate class so we can add a lot more tests for the edge cases (using pytest.paramtrize).

[JordonPhillips]

Implementation looks good! Just one little nitpick before I go over the tests.

[JordonPhillips]

nitpick, but you don't need to compile if you're just immediately using it anyway

[jamesls]

Just had some minor feedback.

[jamesls]

Import orders, chalice after 3rd party libs.

[jamesls]

s/Arn/ARN

[jamesls]

s/Arn/ARN

[jamesls]

I don't think this is quite right. If you don't have the appropriate auth header (Authorization) in the request, you get a 401 and the authorizer isn't called at all.

[jamesls]

An authorized error where we generate a policy that forbids access to a resource gives a 403, not a 401.

$ http https://rest-api-id.execute-api.us-west-2.amazonaws.com/api/ 'Authorization: deny'
HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 60
Content-Type: application/json
Date: Thu, 24 Aug 2017 00:27:57 GMT
Via: 1.1 7f3f42df8af148df1f9f1ee7175987ad.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 4ZhC3GokHeXr68EKakpF6xQWxVvTDZtQiGK253psOcWbPW3M980rGw==
X-Cache: Error from cloudfront
x-amzn-ErrorType: AccessDeniedException
x-amzn-RequestId: 13ff2f6d-8863-11e7-af78-e1cc9bcdaa69

{
    "Message": "User is not authorized to access this resource"
}

[jamesls]

runtime_millis is pretty vague, but max_runtime_ms is a lot clearer. Is there a reason to not map to call the arg something different than it's instance attribute name?

[stealthycoin]

I wanted to give the unit in the name is why its not a direct mirror. I agree with max_runtime_ms so I'll do that.

[jamesls]

We usually put all the non test classes/functions at the top of the file before the actual tests.

[stealthycoin]

I was keeping it nearby for easier reference. I'll move it.

[jamesls]

Isn't this identical to the previous test test_can_authorize_empty_path?

[stealthycoin]

Yea...

[jamesls]

?

[stealthycoin]

Fixed... still passes.

[jamesls]

?

[jamesls]

I'm just going through this now, but it looks like there's still some feedback that hasn't been incorporated: #467 (comment)

The ARN generated for a route that has a captured param is still: 'arn:aws:execute-api:mars-west-1:123456789012:ymy8tbxw7b/api/GET/foo/{name}' which isn't right. I tested the example in the linked comment and it still fails in local mode but passes on actual API gateway/lambda.