feat: add a support for onUnauthenticatedRequest property

[kamaz]

Closes: #7773

@medikoo would be good to get your view on deprecation.

[codecov-commenter]

Codecov Report

Merging #7780 into master will increase coverage by 0.30%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #7780      +/-   ##
==========================================
+ Coverage   88.13%   88.43%   +0.30%     
==========================================
  Files         245      244       -1     
  Lines        9262     9054     -208     
==========================================
- Hits         8163     8007     -156     
+ Misses       1099     1047      -52     

Impacted Files	Coverage Δ
...ins/aws/package/compile/events/alb/lib/validate.js	97.93% <100.00%> (+1.27%)	⬆️
lib/utils/getServerlessDir.js	0.00% <0.00%> (-100.00%)	⬇️
lib/plugins/aws/info/getApiKeyValues.js	82.75% <0.00%> (-9.55%)	⬇️
lib/plugins/slstats/slstats.js	90.90% <0.00%> (-9.10%)	⬇️
...ackage/compile/events/websockets/lib/deployment.js	95.65% <0.00%> (-4.35%)	⬇️
lib/plugins/aws/deploy/lib/createStack.js	97.29% <0.00%> (-2.71%)	⬇️
lib/classes/Utils.js	92.95% <0.00%> (-2.32%)	⬇️
lib/plugins/aws/info/getResourceCount.js	88.88% <0.00%> (-1.12%)	⬇️
lib/plugins/config/config.js	88.88% <0.00%> (-0.91%)	⬇️
lib/plugins/create/create.js	90.80% <0.00%> (-0.31%)	⬇️
... and 58 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update af3fbf0...7d22c4e. Read the comment docs.

[medikoo]

@kamaz great thanks for that! It looks really good. See my remarks, they're mostly about conventions we strive to obey currently in a project

[medikoo]

This should be added over the given deprecation header

[medikoo]

Let's remove ticks, make it as:

## AWS ALB Event `allowUnauthenticated`

[medikoo]

Let's make deprecation code slightly shorter as: AWS_ALB_ALLOW_UNAUTHENTICATED

[medikoo]

Let's list default option (so 'deny')

[medikoo]

Let's not use lodash for constructs which can easily be written in plain JS (see #7747)

[medikoo]

Let's construct tests using runServerless as documented here: https://github.com/serverless/serverless/blob/master/tests/README.md#unit-tests
If something is still unclear please do not hesitate to ask.

As it'll be first tests like that in this file, you can create another describe at bottom of test file to host them

[kamaz]

Thanks for sharing a new way of testing. It looks good as it tests full configuration, not just a single method outside the context.

I'm not sure if the validate.test.js is the right place to add tests when using runServerless as my understanding it imitates serverless framework.

Would it be better to move these tests to index.test.js and have describe dedicated to onUnauthenticatedRequest and allowUnauthenticated?

[medikoo]

@kamaz yes that's a very good point. Indeed in that case index.test.js is better (and it's where we usually put all tests for newly introduced plugins)

[medikoo]

Remove this validation (this will be in scope of schema config validation which is handled here: #6562)

Here just assume that passed value is valid

[kamaz]

@kamaz great thanks for that! It looks really good. See my remarks, they're mostly about conventions we strive to obey currently in a project

@medikoo
Thanks all make sense made the changes except the tests where I need a little bit clarifications.

When it comes to lodash I didn't want to break the convention that was already set up in the file but it is good to know for future that you are moving more towards native js.

[medikoo]

@kamaz is it read for review? If yes, please re-request review. Thank you!

[kamaz]

hi @medikoo, sorry for the delay but last week was a little bit crazy for me. I should have something ready by tomorrow.

[kamaz]

@medikoo I thought before I start writing a set of tests to migrate them to use runServerless I will check what would like to change in the example test that tests the change to onUnauthenticatedRequest.

Do you expect to have an assertion to https://github.com/serverless/serverless/pull/7780/files#diff-f210397c5bba20a4235eaae4251556f9R131 ?

Or

Should the generated cloudformation be asserted as that is the final result?

I would probably opt-out for the latter one.

[medikoo]

Ideally if we confirm on generated template. So something as:

serverless/lib/plugins/aws/package/compile/events/httpApi/index.test.js

Line 66 in 332524d

expect(resource.Properties.StageName).to.equal('$default');

which will validate that we have "deny" set at given property.

Still if for some reason you'll find troublesome getting right path to resource to be validated, let me know

[medikoo]

Let's put . after "instead"

[medikoo]

Ideally if we confirm on generated template. So something as:

serverless/lib/plugins/aws/package/compile/events/httpApi/index.test.js

Line 66 in 332524d

expect(resource.Properties.StageName).to.equal('$default');

which will validate that we have "deny" set at given property.

Still if for some reason you'll find troublesome getting right path to resource to be validated, let me know

[rwestergren]

Looking forward to this change. At the moment, I'm having to override the generated AlbListenerRule, with resource extensions, for example:

  extensions:
    BillerAlbListenerRule1:
      Properties:
        Actions:
          - Type: authenticate-oidc
            Order: 1
            AuthenticateOidcConfig:
              OnUnauthenticatedRequest: authenticate
              AuthorizationEndpoint: https://login.microsoftonline.com/***REMOVED***/oauth2/v2.0/authorize
              ClientId: ***REMOVED***
              Issuer: https://login.microsoftonline.com/***REMOVED***/v2.0
              TokenEndpoint: https://login.microsoftonline.com/***REMOVED***/oauth2/v2.0/token
              UserInfoEndpoint: https://graph.microsoft.com/oidc/userinfo
              ClientSecret: ***REMOVED***
          - Type: forward
            TargetGroupArn: !Ref BillerAlbTargetGroupLoadBalancerListener
            Order: 2

[kamaz]

@medikoo thanks for sharing the initial thoughts about the testing. I hope all the comments should be done now.

[medikoo]

@kamaz looks great, thank you! I've just proposed some minor style improvements

[medikoo]

Let's use more natural != null

[kamaz]

I'm happy to change that but not sure if != null makes it clearer. In this particular case, we only care about a case were the property is not defined not if the value is null 0 or any other.

[medikoo]

we only care about a case were the property is not defined

If that would be the case, then proper check would be 'allowUnauthenticated' in auth.

Still in JS it's not common to do such checks. Usually best practice is just to check whether a property holds some value, where lack of value is represented by three possible scenarios:

• property not defined at all
• undefined assigned explicitly
• null assigned explicitly.

Having that, the most straightforward way to confirm property holds a value, is to follow with obj.prop != null (that excludes just three above cases and nothing more)

[medikoo]

This is a string property, so technically natural check would be Boolean(auth.onUnauthenticatedRequest)

[kamaz]

happy to change see comment https://github.com/serverless/serverless/pull/7780/files#r441055404

[medikoo]

It'll be nice if this test matches one that confirms for allow, so just checks for deny.

I wouldn't check for every CF property, as that technically means reimplementing CF configuration in unit tests, and it's not what I think tests should be about (Testing that given CF configuration results with desired outcome is in scope of integration tests)

[medikoo]

Title should rather be:

should be "deny" by default

[medikoo]

 `allowUnauthenticated` set to false should be ineffective

[medikoo]

I think either we can skip that test ("deny" is default) or name it as:

`allowUnauthenticated` should remain "deny" when set to "deny"

[medikoo]

As we're in context of suite titled onUnauthenticatedRequest. I would name test as:

maps `allowUnauthenticated` set to true to "allow"

[medikoo]

Let's remove that test. I think that testing that onUnauthenticatedRequest takes precedence over allowUnauthenticated shouldn't require more than one test (and anyway such tests will be removed with removal of support for allowUnauthenticated)

[medikoo]

Just: takes precedence over allowUnauthenticated

[medikoo]

@kamaz is this ready for re-review? If it is, can you re-request review (top right box) from me? Thank you!

[medikoo]

@kamaz great thanks for update! It looks very good, just one minor suggestion towards documentation, so it aligns our convention (although I know old version didn't follow that)

[medikoo]

By convention for optional parameters we put defaults as values. So let's use 'deny' as value.

[medikoo]

Thank you @kamaz !