From 1875a0be9e6dfe43bf40817987abb74064603347 Mon Sep 17 00:00:00 2001 From: Alex Oskotsky Date: Thu, 21 May 2020 01:21:59 -0400 Subject: [PATCH 1/7] Fix support for regional domains using TLS 1.0 --- CHANGELOG.md | 8 ++++++ package-lock.json | 2 +- package.json | 2 +- src/index.ts | 19 ++++++++----- test/integration-tests/integration.test.ts | 8 ++++++ .../regional-tls-1-0/handler.js | 16 +++++++++++ .../regional-tls-1-0/serverless.yml | 28 +++++++++++++++++++ test/unit-tests/index.test.ts | 2 +- 8 files changed, 75 insertions(+), 10 deletions(-) create mode 100644 test/integration-tests/regional-tls-1-0/handler.js create mode 100644 test/integration-tests/regional-tls-1-0/serverless.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index daac6ae1..bbeca14e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## [4.1.1] - 2020-05-21 + +### Changed +- Fix support for TLS 1.0 regional domains which were broken in the 4.0.0 release. Discovered by @jufemaiz + ## [4.1.0] - 2020-05-18 ### Changed @@ -16,6 +21,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [4.0.0] - 2020-05-06 +### Breaking Changes +- Regional domains with TLS 1.0 no longer work. Fixed in 4.1.1 + ### Added - Add support for WebSocket and HTTP APIs. A domain name can be created for each API type (Rest, WebSocket, HTTP) for up to 3 domain names in a single Serverless config. Thanks @TehNrd ([#319](https://github.com/amplify-education/serverless-domain-manager/pull/319)) diff --git a/package-lock.json b/package-lock.json index c6d49e44..c2947526 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -1,6 +1,6 @@ { "name": "serverless-domain-manager", - "version": "4.0.1", + "version": "4.1.1", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/package.json b/package.json index e0b49ae3..76e1aaf3 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "serverless-domain-manager", - "version": "4.1.0", + "version": "4.1.1", "engines": { "node": ">=4.0" }, diff --git a/src/index.ts b/src/index.ts index d4e5802e..8658b1e5 100644 --- a/src/index.ts +++ b/src/index.ts @@ -390,11 +390,10 @@ class ServerlessCustomDomain { let createdDomain = {}; - // For EDGE domain name, create with APIGateway (v1) - if (domain.endpointType === Globals.endpointTypes.edge) { + // For EDGE domain name or TLS 1.0, create with APIGateway (v1) + if (domain.endpointType === Globals.endpointTypes.edge || domain.securityPolicy === "TLS_1_0") { // Set up parameters const params = { - certificateArn: domain.certificateArn, domainName: domain.givenDomainName, endpointConfiguration: { types: [domain.endpointType], @@ -402,6 +401,12 @@ class ServerlessCustomDomain { securityPolicy: domain.securityPolicy, }; + if(domain.endpointType === Globals.endpointTypes.edge) { + params['certificateArn'] = domain.certificateArn + } else { + params['regionalCertificateArn'] = domain.certificateArn + } + // Make API call to create domain try { // Creating EDGE domain so use APIGateway (v1) service @@ -581,8 +586,8 @@ class ServerlessCustomDomain { * Creates basepath mapping */ public async createBasePathMapping(domain: DomainConfig): Promise { - // Use APIGateway (v1) for EDGE domains - if (domain.endpointType === Globals.endpointTypes.edge) { + // Use APIGateway (v1) for EDGE or TLS 1.0 domains + if (domain.endpointType === Globals.endpointTypes.edge || domain.securityPolicy === "TLS_1_0") { const params = { basePath: domain.basePath, domainName: domain.givenDomainName, 
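Review bot: The new branch condition in the `@@ -390` hunk compares `domain.securityPolicy` with the bare string `"TLS_1_0"`, and the same literal is repeated in the `createBasePathMapping` and `updateBasePathMapping` hunks that follow. A single named constant beside `Globals.endpointTypes` (for instance a new `Globals.tlsVersions.tls1_0`, name only a suggestion) would keep the three checks from drifting apart. The fixtures in this series configure the policy as `tls_1_0`, so the comparison presumably relies on `DomainConfig` upper-casing the value; that is not visible here and deserves a short comment. Because this path exists only to keep a deprecated protocol version working, it is also a natural place to log one line saying the domain is being created with TLS 1.0, so the choice shows up in deploy output. The enclosing method starts and ends outside the hunk.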
@@ -620,8 +625,8 @@ class ServerlessCustomDomain { * Updates basepath mapping */ public async updateBasePathMapping(domain: DomainConfig): Promise { - // Use APIGateway (v1) for EDGE domains - if (domain.endpointType === Globals.endpointTypes.edge) { + // Use APIGateway (v1) for EDGE or TLS 1.0 domains + if (domain.endpointType === Globals.endpointTypes.edge || domain.securityPolicy === "TLS_1_0") { const params = { basePath: domain.apiMapping.ApiMappingKey || "(none)", domainName: domain.givenDomainName, diff --git a/test/integration-tests/integration.test.ts b/test/integration-tests/integration.test.ts index 65e5f33d..0ee9b7e7 100644 --- a/test/integration-tests/integration.test.ts +++ b/test/integration-tests/integration.test.ts @@ -86,6 +86,14 @@ const testCases = [ testFolder: "http-api", testStage: "$default", }, + { + testBasePath: "(none)", + testDescription: "Deploy regional domain with TLS 1.0", + testDomain: `regional-tls-1-0-${RANDOM_STRING}.${TEST_DOMAIN}`, + testEndpoint: "REGIONAL", + testFolder: "regional-tls-1-0", + testStage: "dev", + }, ]; describe("Integration Tests", function() { diff --git a/test/integration-tests/regional-tls-1-0/handler.js b/test/integration-tests/regional-tls-1-0/handler.js new file mode 100644 index 00000000..1bd222d6 --- /dev/null +++ b/test/integration-tests/regional-tls-1-0/handler.js @@ -0,0 +1,16 @@ +"use strict"; + +module.exports.helloWorld = (event, context, callback) => { + const response = { + statusCode: 200, + headers: { + "Access-Control-Allow-Origin": "*", // Required for CORS support to work + }, + body: JSON.stringify({ + message: "Go Serverless v1.0! Your function executed successfully!", + input: event, + }), + }; + + callback(null, response); +}; diff --git a/test/integration-tests/regional-tls-1-0/serverless.yml b/test/integration-tests/regional-tls-1-0/serverless.yml new file mode 100644 index 00000000..fc1219d3 --- /dev/null +++ b/test/integration-tests/regional-tls-1-0/serverless.yml 
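Review bot: The new `handler.js` fixture puts `input: event` in the response body, so the deployed test endpoint returns the whole invocation event (request headers, request context) to whoever calls it, and `"Access-Control-Allow-Origin": "*"` lets any origin read that response. The added integration test case, as far as it is visible here, does not depend on the echoed event, so the body could be reduced to `body: JSON.stringify({ message: "ok" }),`. If the echo is kept for debugging, a comment saying so would help, e.g. `// echoes the event for debugging; test stacks only`.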
@@ -0,0 +1,28 @@ +# Test regional domains with TLS 1.0 +service: regional-tls-1-0-${opt:RANDOM_STRING} +provider: + name: aws + runtime: nodejs12.x + region: us-west-2 + stage: dev + endpointType: regional + +functions: + helloWorld: + handler: handler.helloWorld + events: + - http: + path: hello-world + method: get + cors: true +plugins: + - serverless-domain-manager +custom: + customDomain: + domainName: regional-tls-1-0-${opt:RANDOM_STRING}.${env:TEST_DOMAIN} + securityPolicy: tls_1_0 + endpointType: regional + +package: + exclude: + - node_modules/** diff --git a/test/unit-tests/index.test.ts b/test/unit-tests/index.test.ts index 6c34e4a1..52cdae8b 100644 --- a/test/unit-tests/index.test.ts +++ b/test/unit-tests/index.test.ts @@ -264,7 +264,7 @@ describe("Custom Domain Plugin", () => { plugin.apigatewayV2 = new aws.ApiGatewayV2(); const dc: DomainConfig = new DomainConfig(plugin.serverless.service.custom.customDomain); - dc.apiId = "test_api_id", + dc.apiId = "test_api_id"; dc.apiMapping = {ApiMappingId: "test_mapping_id"}; const spy = chai.spy.on(plugin.apigatewayV2, "updateApiMapping"); From f69eb8a35c6f97eeb93fd0f87be6f86bb44013c2 Mon Sep 17 00:00:00 2001 From: Alex Oskotsky Date: Thu, 21 May 2020 01:39:00 -0400 Subject: [PATCH 2/7] fix lint --- src/index.ts | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/index.ts b/src/index.ts index 8658b1e5..9ac43e5e 100644 --- a/src/index.ts +++ b/src/index.ts 
@@ -401,11 +401,13 @@ class ServerlessCustomDomain { securityPolicy: domain.securityPolicy, }; - if(domain.endpointType === Globals.endpointTypes.edge) { - params['certificateArn'] = domain.certificateArn + /* tslint:disable:no-string-literal */ + if (domain.endpointType === Globals.endpointTypes.edge) { + params["certificateArn"] = domain.certificateArn; } else { - params['regionalCertificateArn'] = domain.certificateArn + params["regionalCertificateArn"] = domain.certificateArn; } + /* tslint:enable:no-string-literal */ // Make API call to create domain try { From 63090872f885801f17c359ac39f9a2e0cc6243c0 Mon Sep 17 00:00:00 2001 From: Alex Oskotsky Date: Thu, 21 May 2020 01:39:09 -0400 Subject: [PATCH 3/7] add unit test --- test/unit-tests/index.test.ts | 55 +++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/test/unit-tests/index.test.ts b/test/unit-tests/index.test.ts index 52cdae8b..7ec41024 100644 --- a/test/unit-tests/index.test.ts +++ b/test/unit-tests/index.test.ts 
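Review bot: The `tslint:disable:no-string-literal` / `tslint:enable` pair is only needed because `params` is inferred from a literal that has no certificate field; choosing the key before building the object avoids the suppression. For example `const certificateKey = domain.endpointType === Globals.endpointTypes.edge ? "certificateArn" : "regionalCertificateArn";` followed by `[certificateKey]: domain.certificateArn,` inside the `params` literal keeps the lint rule active for the rest of the method. The surrounding method begins and ends outside the hunk.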
@@ -189,6 +189,61 @@ describe("Custom Domain Plugin", () => { }); }); + it("Creates basepath mapping for regional tls 1.0 REST api", async () => { + AWS.mock("APIGateway", "createBasePathMapping", (params, callback) => { + callback(null, params); + }); + const plugin = constructPlugin({ + basePath: "test_basepath", + domainName: "test_domain", + endpointType: "regional", + securityPolicy: "tls_1_0", + }); + plugin.initializeVariables(); + plugin.apigateway = new aws.APIGateway(); + + const dc: DomainConfig = new DomainConfig(plugin.serverless.service.custom.customDomain); + dc.apiId = "test_rest_api_id"; + + const spy = chai.spy.on(plugin.apigateway, "createBasePathMapping"); + + await plugin.createBasePathMapping(dc); + + expect(spy).to.have.been.called.with({ + basePath: "test_basepath", + domainName: "test_domain", + restApiId: "test_rest_api_id", + stage: "test", + }); + }); + + it("Creates basepath mapping for regional tls 1.2 REST api", async () => { + AWS.mock("ApiGatewayV2", "createApiMapping", (params, callback) => { + callback(null, params); + }); + const plugin = constructPlugin({ + basePath: "test_basepath", + domainName: "test_domain", + endpointType: "regional", + }); + plugin.initializeVariables(); + plugin.apigatewayV2 = new aws.ApiGatewayV2(); + + const dc: DomainConfig = new DomainConfig(plugin.serverless.service.custom.customDomain); + dc.apiId = "test_rest_api_id"; + + const spy = chai.spy.on(plugin.apigatewayV2, "createApiMapping"); + + await plugin.createBasePathMapping(dc); + + expect(spy).to.have.been.called.with({ + ApiId: "test_rest_api_id", + ApiMappingKey: "test_basepath", + DomainName: "test_domain", + Stage: "test", + }); + }); + it("Creates basepath mapping for regional HTTP/Websocket api", async () => { AWS.mock("ApiGatewayV2", "createApiMapping", (params, callback) => { callback(null, params); From 4faf3677be2273c3f76218c99db3caeb8f7fe658 Mon Sep 17 00:00:00 2001 
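Review bot: Both added tests exercise `createBasePathMapping` only, so the part of the fix that changes the create-domain request (sending `regionalCertificateArn` instead of `certificateArn` for a regional TLS 1.0 domain) has no unit test in this hunk. A case that mocks the v1 create-domain call and asserts on the certificate field it receives would pin that behaviour. The "regional tls 1.2" test also omits `securityPolicy` and therefore depends on whatever default `DomainConfig` applies; adding `securityPolicy: "tls_1_2",` to its `constructPlugin` argument would make the test say what its title says.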
From: Alex Oskotsky Date: Thu, 21 May 2020 01:43:13 -0400 Subject: [PATCH 4/7] update changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bbeca14e..0efc9c59 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [4.1.1] - 2020-05-21 ### Changed -- Fix support for TLS 1.0 regional domains which were broken in the 4.0.0 release. Discovered by @jufemaiz +- Fix support for TLS 1.0 regional domains which were broken in the 4.0.0 release. Discovered by @jufemaiz ([#348](https://github.com/amplify-education/serverless-domain-manager/pull/348)) ## [4.1.0] - 2020-05-18 From 46f3d02e115b3a90c2d97a61b50dece810fcc29b Mon Sep 17 00:00:00 2001 From: Alex Oskotsky Date: Thu, 21 May 2020 18:16:00 -0400 Subject: [PATCH 5/7] check if existing domain is tls 1.0 instead of config --- src/index.ts | 9 ++++++--- test/unit-tests/index.test.ts | 7 +++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/src/index.ts b/src/index.ts index 9ac43e5e..5e3d2854 100644 --- a/src/index.ts +++ b/src/index.ts @@ -152,14 +152,14 @@ class ServerlessCustomDomain { domain.apiMapping = await this.getBasePathMapping(domain); + await this.getDomainInfo(); + if (!domain.apiMapping) { await this.createBasePathMapping(domain); } else { await this.updateBasePathMapping(domain); } - await this.getDomainInfo(); - } catch (err) { this.logIfDebug(err, domain.givenDomainName); throw new Error(`Error: Unable to setup base domain mappings for ${domain.givenDomainName}`); 
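Review bot: Moving `await this.getDomainInfo();` above the create/update branch in the `@@ -152` hunk is load-bearing, because `updateBasePathMapping` now reads `domain.domainInfo.securityPolicy`, but nothing at the call site says so. A one-line comment such as `// must run before the mapping calls: updateBasePathMapping reads domain.domainInfo` would stop a later cleanup from moving it back. The enclosing `try` block starts outside the hunk.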
@@ -628,7 +628,10 @@ class ServerlessCustomDomain { */ public async updateBasePathMapping(domain: DomainConfig): Promise { // Use APIGateway (v1) for EDGE or TLS 1.0 domains - if (domain.endpointType === Globals.endpointTypes.edge || domain.securityPolicy === "TLS_1_0") { + // check here if the EXISTING domain is using TLS 1.0 regardless of what is configured + // We don't support updating custom domains so switching from TLS 1.0 to 1.2 will require recreating + // the domain + if (domain.endpointType === Globals.endpointTypes.edge || domain.domainInfo.securityPolicy === "TLS_1_0") { const params = { basePath: domain.apiMapping.ApiMappingKey || "(none)", domainName: domain.givenDomainName, diff --git a/test/unit-tests/index.test.ts b/test/unit-tests/index.test.ts index 7ec41024..af411589 100644 --- a/test/unit-tests/index.test.ts +++ b/test/unit-tests/index.test.ts @@ -321,6 +321,13 @@ describe("Custom Domain Plugin", () => { const dc: DomainConfig = new DomainConfig(plugin.serverless.service.custom.customDomain); dc.apiId = "test_api_id"; dc.apiMapping = {ApiMappingId: "test_mapping_id"}; + dc.domainInfo = new DomainInfo({ + DomainNameConfigurations: [{ + ApiGatewayDomainName: 'fake_dist_name', + HostedZoneId: 'fake_zone_id', + SecurityPolicy: 'TLS_1_2', + }] + }); const spy = chai.spy.on(plugin.apigatewayV2, "updateApiMapping"); From b7fe62856ca2595ed661f61e497b641e4867e091 Mon Sep 17 00:00:00 2001 From: Alex Oskotsky Date: Thu, 21 May 2020 18:23:45 -0400 Subject: [PATCH 6/7] fix lint errors --- test/unit-tests/index.test.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/unit-tests/index.test.ts b/test/unit-tests/index.test.ts index af411589..34133b21 100644 --- a/test/unit-tests/index.test.ts +++ b/test/unit-tests/index.test.ts 
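Review bot: `domain.domainInfo.securityPolicy` in the `@@ -628` hunk is dereferenced without a guard, so a call to `updateBasePathMapping` made before domain info is loaded throws a TypeError instead of taking the v2 path; the existing unit test touched by this commit presumably needed a `dc.domainInfo` for that reason. A guarded form, `(domain.domainInfo && domain.domainInfo.securityPolicy === "TLS_1_0")`, falls through to the v2 branch when the info is missing. `createBasePathMapping` still tests the configured `domain.securityPolicy`, so for an existing TLS 1.0 domain whose config was changed to 1.2 the create and update paths would choose different APIs. If that difference is intended, the new comment should say so. The method body continues outside the hunk.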
@@ -323,10 +323,10 @@ describe("Custom Domain Plugin", () => { dc.apiMapping = {ApiMappingId: "test_mapping_id"}; dc.domainInfo = new DomainInfo({ DomainNameConfigurations: [{ - ApiGatewayDomainName: 'fake_dist_name', - HostedZoneId: 'fake_zone_id', - SecurityPolicy: 'TLS_1_2', - }] + ApiGatewayDomainName: "fake_dist_name", + HostedZoneId: "fake_zone_id", + SecurityPolicy: "TLS_1_2", + }], }); const spy = chai.spy.on(plugin.apigatewayV2, "updateApiMapping"); From 0d5ef3b752d8b95186fb5711c163f2246f44631d Mon Sep 17 00:00:00 2001 From: Alex Oskotsky Date: Mon, 25 May 2020 15:20:36 -0400 Subject: [PATCH 7/7] update release date : --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0efc9c59..708a1448 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). -## [4.1.1] - 2020-05-21 +## [4.1.1] - 2020-05-25 ### Changed - Fix support for TLS 1.0 regional domains which were broken in the 4.0.0 release. Discovered by @jufemaiz ([#348](https://github.com/amplify-education/serverless-domain-manager/pull/348))