From f9606f78044304a7849cf440ab5f8f122faacef4 Mon Sep 17 00:00:00 2001 From: morgan-sam <57941781+morgan-sam@users.noreply.github.com> Date: Tue, 1 Sep 2020 15:41:53 +0100 Subject: [PATCH] feat(AWS ALB): Remove support for `authorizers[].allowUnauthenticated` BREAKING CHANGE: Support for `providers.alb.authorizers[].allowUnauthenticated` setting was removed. Rely on `providers.alb.authorizers[].onUnauthenticatedRequest` instead. (PR #8160) --- .../package/compile/events/alb/index.test.js | 72 ------------------- .../compile/events/alb/lib/validate.js | 17 +---- .../compile/events/alb/lib/validate.test.js | 3 +- 3 files changed, 2 insertions(+), 90 deletions(-) diff --git a/lib/plugins/aws/package/compile/events/alb/index.test.js b/lib/plugins/aws/package/compile/events/alb/index.test.js index 6d8433add23..fd32623f8cb 100644 --- a/lib/plugins/aws/package/compile/events/alb/index.test.js +++ b/lib/plugins/aws/package/compile/events/alb/index.test.js 
@@ -166,50 +166,6 @@ describe('AwsCompileAlbEvents', () => { ); })); - it('maps "allowUnauthenticated" set to true to "allow"', () => - fixtures - .extend('functionDestinations', serverlessConfiguration({ allowUnauthenticated: true })) - .then(fixturePath => - runServerless({ - cwd: fixturePath, - cliArgs: ['package'], - }) - ) - .then(({ cfTemplate, awsNaming }) => { - ({ Resources: cfResources } = cfTemplate); - naming = awsNaming; - }) - .then(() => { - const albListenerRuleLogicalId = naming.getAlbListenerRuleLogicalId('trigger', 1); - const rule = cfResources[albListenerRuleLogicalId]; - - expect(rule.Properties.Actions[0].AuthenticateCognitoConfig).to.deep.equal( - baseAuthenticateCognitoConfig({ OnUnauthenticatedRequest: 'allow' }) - ); - })); - - it('"allowUnauthenticated" set to false should be ineffective', () => - fixtures - .extend('functionDestinations', serverlessConfiguration({ allowUnauthenticated: false })) - .then(fixturePath => - runServerless({ - cwd: fixturePath, - cliArgs: ['package'], - }) - ) - .then(({ cfTemplate, awsNaming }) => { - ({ Resources: cfResources } = cfTemplate); - naming = awsNaming; - }) - .then(() => { - const albListenerRuleLogicalId = naming.getAlbListenerRuleLogicalId('trigger', 1); - const rule = cfResources[albListenerRuleLogicalId]; - - expect(rule.Properties.Actions[0].AuthenticateCognitoConfig).to.deep.equal( - baseAuthenticateCognitoConfig({ OnUnauthenticatedRequest: 'deny' }) - ); - })); - it('supports setting value to "allow"', () => fixtures .extend( 
@@ -259,33 +215,5 @@ describe('AwsCompileAlbEvents', () => { baseAuthenticateCognitoConfig({ OnUnauthenticatedRequest: 'authenticate' }) ); })); - - it('takes precedence over allowUnauthenticated', () => - fixtures - .extend( - 'functionDestinations', - serverlessConfiguration({ - onUnauthenticatedRequest: 'deny', - allowUnauthenticated: true, - }) - ) - .then(fixturePath => - runServerless({ - cwd: fixturePath, - cliArgs: ['package'], - }) - ) - .then(({ cfTemplate, awsNaming }) => { - ({ Resources: cfResources } = cfTemplate); - naming = awsNaming; - }) - .then(() => { - const albListenerRuleLogicalId = naming.getAlbListenerRuleLogicalId('trigger', 1); - const rule = cfResources[albListenerRuleLogicalId]; - - expect(rule.Properties.Actions[0].AuthenticateCognitoConfig).to.deep.equal( - baseAuthenticateCognitoConfig({ OnUnauthenticatedRequest: 'deny' }) - ); - })); }); }); diff --git a/lib/plugins/aws/package/compile/events/alb/lib/validate.js b/lib/plugins/aws/package/compile/events/alb/lib/validate.js index 5fea6d05852..a09c06441c4 100644 --- a/lib/plugins/aws/package/compile/events/alb/lib/validate.js +++ b/lib/plugins/aws/package/compile/events/alb/lib/validate.js @@ -206,22 +206,7 @@ module.exports = { }, validateAlbAuth(auth) { - const hasAllowUnauthenticated = auth.allowUnauthenticated != null; - const hasOnUnauthenticatedRequest = auth.onUnauthenticatedRequest != null; - - if (hasAllowUnauthenticated) { - this.serverless._logDeprecation( - 'AWS_ALB_ALLOW_UNAUTHENTICATED', - 'allowUnauthenticated is deprecated, use onUnauthenticatedRequest instead' - ); - } - - if (hasAllowUnauthenticated && !hasOnUnauthenticatedRequest) { - auth.onUnauthenticatedRequest = auth.allowUnauthenticated ? 'allow' : 'deny'; - } else { - auth.onUnauthenticatedRequest = auth.onUnauthenticatedRequest || 'deny'; - } - + auth.onUnauthenticatedRequest = auth.onUnauthenticatedRequest || 'deny'; return auth; }, 
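Review bot: In `validateAlbAuth`, an authorizer that still carries only the removed `allowUnauthenticated: true` key now falls through to `auth.onUnauthenticatedRequest || 'deny'` and compiles to `deny` with no message, because the deprecation log was dropped together with the mapping. The default fails closed, which is the right direction for an authentication setting, but the silent behaviour change is hard to diagnose. Unless schema validation outside this hunk already rejects the key, a guard on `if (auth.allowUnauthenticated != null)` that raises a configuration error naming `onUnauthenticatedRequest` would make the breaking change visible at packaging time. The value is also passed through unchecked here, so whether it is limited to `allow`, `deny` or `authenticate` depends on code not shown. A one-line comment such as `// fail closed: deny unauthenticated requests unless configured otherwise` would document the default; the enclosing `module.exports` object starts and ends outside the hunk.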
diff --git a/lib/plugins/aws/package/compile/events/alb/lib/validate.test.js b/lib/plugins/aws/package/compile/events/alb/lib/validate.test.js
index fedb22e8154..c096d254d44 100644
--- a/lib/plugins/aws/package/compile/events/alb/lib/validate.test.js
+++ b/lib/plugins/aws/package/compile/events/alb/lib/validate.test.js
@@ -108,7 +108,7 @@ describe('#validate()', () => {
 userPoolArn: 'arn:aws:cognito-idp:us-east-1:123412341234:userpool/us-east-1_123412341',
 userPoolClientId: '1h57kf5cpq17m0eml12EXAMPLE',
 userPoolDomain: 'your-test-domain',
- allowUnauthenticated: true,
+ onUnauthenticatedRequest: 'allow',
 },
 mySecondAuth: {
 type: 'oidc',
@@ -131,7 +131,6 @@ describe('#validate()', () => {
 userPoolClientId: '1h57kf5cpq17m0eml12EXAMPLE',
 userPoolDomain: 'your-test-domain',
 onUnauthenticatedRequest: 'allow',
- allowUnauthenticated: true,
 },
 mySecondAuth: {
 type: 'oidc',