Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Aws alb schema #8291

Merged
merged 27 commits into from Sep 29, 2020
Merged

Aws alb schema #8291

Show file tree
Hide file tree
Changes from 24 commits
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
6073591
awsProvider alb schema
Sep 23, 2020
6630aac
remove validations
Sep 23, 2020
f823342
starting alb event schema
Sep 24, 2020
41be84c
improve schema
Sep 24, 2020
4aad750
remove validations
Sep 24, 2020
02317b7
schema touchups
Sep 26, 2020
2c1fe73
schema touchups
Sep 26, 2020
09e0539
remove valiadtion tests
Sep 26, 2020
6c136cb
prettify
Sep 26, 2020
c9c6ba6
fix tests
Sep 26, 2020
9a58de5
Merge remote-tracking branch 'upstream/master' into aws-alb-schema
Sep 26, 2020
123d865
path condition can ba array or string
Sep 28, 2020
3197536
host can be array or single
Sep 28, 2020
e84ab90
method can be array or single
Sep 28, 2020
f8f7d6b
method cannot have lowercase
Sep 28, 2020
2524503
useExistingClientSecret is calculated
Sep 28, 2020
d88772e
conditions.path is required
Sep 28, 2020
2d0349a
breakdown authorizers schema
Sep 28, 2020
29b06a2
ip can be array or single
Sep 28, 2020
847c68c
create alb arn regexp once
Sep 28, 2020
83f7144
fix alb authorizers schema
Sep 28, 2020
5402169
ip can be array or single
Sep 28, 2020
00c6e8c
authorizer can be array or single
Sep 28, 2020
0d05ea1
missed multiValueHeaders
Sep 28, 2020
d71385c
fix matcher.httpCode regexp
Sep 28, 2020
5f9ed97
userPoolArn can user CF functions
Sep 28, 2020
36f6b5f
add minimum to sessionTimeout
Sep 28, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
82 changes: 80 additions & 2 deletions lib/plugins/aws/package/compile/events/alb/index.js
View file
Open in desktop
Expand Up @@ -7,6 +7,12 @@ const compileTargetGroups = require('./lib/targetGroups');
const compileListenerRules = require('./lib/listenerRules');
const compilePermissions = require('./lib/permissions');

function arrayOrSingleSchema(schema) {
return {
oneOf: [schema, { type: 'array', items: schema }],
};
}

class AwsCompileAlbEvents {
constructor(serverless, options) {
this.serverless = serverless;
Expand All @@ -28,8 +34,80 @@ class AwsCompileAlbEvents {
},
};

// TODO: Complete schema, see https://github.com/serverless/serverless/issues/8020
this.serverless.configSchemaHandler.defineFunctionEvent('aws', 'alb', { type: 'object' });
this.serverless.configSchemaHandler.defineFunctionEvent('aws', 'alb', {
type: 'object',
properties: {
authorizer: arrayOrSingleSchema({ type: 'string' }),
conditions: {
type: 'object',
properties: {
header: {
type: 'object',
properties: {
name: { type: 'string', maxLength: 40 },
values: { type: 'array', items: { type: 'string', maxLength: 128 } },
},
additionalProperties: false,
required: ['name', 'values'],
},
host: arrayOrSingleSchema({
type: 'string',
pattern: '^[A-Za-z0-9*?.-]+$',
maxLength: 128,
}),
ip: arrayOrSingleSchema({
oneOf: [
{ type: 'string', format: 'ipv4' },
{ type: 'string', format: 'ipv6' },
],
}),
method: arrayOrSingleSchema({ type: 'string', pattern: '^[A-Z_-]+$', maxLength: 40 }),
path: arrayOrSingleSchema({
type: 'string',
thewizarodofoz marked this conversation as resolved.
Show resolved Hide resolved
pattern: '^([A-Za-z0-9*?_.$/~"\'@:+-]|&)+$',
maxLength: 128,
}),
query: {
type: 'object',
additionalProperties: { type: 'string', maxLength: 128 },
propertyNames: { type: 'string', maxLength: 128 },
},
},
required: ['path'],
additionalProperties: false,
},
healthCheck: {
oneOf: [
{ type: 'boolean' },
{
type: 'object',
properties: {
healthyThresholdCount: { type: 'integer', minimum: 2, maximum: 10 },
intervalSeconds: { type: 'integer', minimum: 5, maximum: 300 },
matcher: {
type: 'object',
properties: {
httpCode: { type: 'string', pattern: '^d{3}(-d{3})?(,d{3}(-d{3})?)*$' }, // eslint-disable-line no-useless-escape
},
additionalProperties: false,
},
path: { type: 'string', minLength: 1, maxLength: 1024 },
timeoutSeconds: { type: 'integer', minimum: 2, maximum: 120 },
unhealthyThresholdCount: { type: 'integer', minimum: 2, maximum: 10 },
},
additionalProperties: false,
},
],
},
listenerArn: {
oneOf: [{ $ref: '#/definitions/awsAlbListenerArn' }, { $ref: '#/definitions/awsCfRef' }],
},
multiValueHeaders: { type: 'boolean' },
priority: { type: 'integer', minimum: 1, maximum: 50000 },
thewizarodofoz marked this conversation as resolved.
Show resolved Hide resolved
},
required: ['listenerArn', 'priority', 'conditions'],
additionalProperties: false,
});
}
}

Expand Down
4 changes: 2 additions & 2 deletions lib/plugins/aws/package/compile/events/alb/index.test.js
View file
Open in desktop
Expand Up @@ -93,7 +93,7 @@ describe('AwsCompileAlbEvents', () => {
{
type: 'cognito',
userPoolClientId: 'userPoolClientId',
userPoolArn: 'userPoolArn',
userPoolArn: 'arn:userPoolArn',
userPoolDomain: 'userPoolDomain',
scope: 'openid',
sessionCookieName: 'sessionCookie',
Expand Down Expand Up @@ -127,7 +127,7 @@ describe('AwsCompileAlbEvents', () => {
const baseAuthenticateCognitoConfig = (override = {}) =>
Object.assign(
{
UserPoolArn: 'userPoolArn',
UserPoolArn: 'arn:userPoolArn',
UserPoolClientId: 'userPoolClientId',
UserPoolDomain: 'userPoolDomain',
OnUnauthenticatedRequest: 'deny',
Expand Down
85 changes: 10 additions & 75 deletions lib/plugins/aws/package/compile/events/alb/lib/validate.js
View file
Open in desktop
Expand Up @@ -2,28 +2,18 @@

const _ = require('lodash');

// eslint-disable-next-line max-len
const CIDR_IPV6_PATTERN = /^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))$/;
const CIDR_IPV4_PATTERN = /^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))$/;
// see https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-elb-application
const ALB_LISTENER_PATTERN = /^arn:aws[\w-]*:elasticloadbalancing:.+:listener\/app\/[\w-]+\/([\w-]+)\/([\w-]+)$/;

module.exports = {
// see https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-elb-application
ALB_LISTENER_REGEXP: new RegExp(
'^arn:aws[\\w-]*:elasticloadbalancing:.+:listener\\/app\\/[\\w-]+\\/([\\w-]+)\\/([\\w-]+)$'
),

validate() {
const authorizers = {};
const albAuthConfig = this.serverless.service.provider.alb;
if (albAuthConfig) {
for (const [name, auth] of Object.entries(albAuthConfig.authorizers)) {
switch (auth.type) {
case 'cognito':
case 'oidc':
authorizers[name] = this.validateAlbAuth(auth);
break;
default:
throw new this.serverless.classes.Error(
`Authorizer type "${auth.type}" not supported. Only "cognito" and "oidc" are supported`
);
}
authorizers[name] = this.validateAlbAuth(auth);
}
}

Expand Down Expand Up @@ -58,13 +48,13 @@ module.exports = {
albObj.conditions.method = [].concat(event.alb.conditions.method);
}
if (event.alb.conditions.header) {
albObj.conditions.header = this.validateHeaderCondition(event, functionName);
albObj.conditions.header = event.alb.conditions.header;
}
if (event.alb.conditions.query) {
albObj.conditions.query = this.validateQueryCondition(event, functionName);
albObj.conditions.query = event.alb.conditions.query;
}
if (event.alb.conditions.ip) {
albObj.conditions.ip = this.validateIpCondition(event, functionName);
albObj.conditions.ip = [].concat(event.alb.conditions.ip);
}
if (event.alb.multiValueHeaders) {
albObj.multiValueHeaders = event.alb.multiValueHeaders;
Expand All @@ -89,21 +79,13 @@ module.exports = {
},

validateListenerArn(listenerArn, functionName) {
if (!listenerArn) {
throw new this.serverless.classes.Error(
`listenerArn is missing in function "${functionName}".`
);
}
// If the ARN is a ref, use the logical ID instead of the ALB ID
if (_.isObject(listenerArn)) {
if (listenerArn.Ref) {
return { albId: listenerArn.Ref, listenerId: listenerArn.Ref };
}
throw new this.serverless.classes.Error(
`Invalid ALB listenerArn in function "${functionName}".`
);
}
const matches = listenerArn.match(ALB_LISTENER_PATTERN);
const matches = listenerArn.match(this.ALB_LISTENER_REGEXP);
if (!matches) {
throw new this.serverless.classes.Error(
`Invalid ALB listenerArn in function "${functionName}".`
Expand All @@ -112,53 +94,6 @@ module.exports = {
return { albId: matches[1], listenerId: matches[2] };
},

validateHeaderCondition(event, functionName) {
const messageTitle = `Invalid ALB event "header" condition in function "${functionName}".`;
if (
!_.isObject(event.alb.conditions.header) ||
!event.alb.conditions.header.name ||
!event.alb.conditions.header.values
) {
const errorMessage = [
messageTitle,
' You must provide an object with "name" and "values" properties.',
].join('');
throw new this.serverless.classes.Error(errorMessage);
}
if (!Array.isArray(event.alb.conditions.header.values)) {
const errorMessage = [messageTitle, ' Property "values" must be an array.'].join('');
throw new this.serverless.classes.Error(errorMessage);
}
return event.alb.conditions.header;
},

validateQueryCondition(event, functionName) {
if (!_.isObject(event.alb.conditions.query)) {
const errorMessage = [
`Invalid ALB event "query" condition in function "${functionName}".`,
' You must provide an object.',
].join('');
throw new this.serverless.classes.Error(errorMessage);
}
return event.alb.conditions.query;
},

validateIpCondition(event, functionName) {
const cidrBlocks = [].concat(event.alb.conditions.ip);
const allValuesAreCidr = cidrBlocks.every(
cidr => CIDR_IPV4_PATTERN.test(cidr) || CIDR_IPV6_PATTERN.test(cidr)
);

if (!allValuesAreCidr) {
const errorMessage = [
`Invalid ALB event "ip" condition in function "${functionName}".`,
' You must provide values in a valid IPv4 or IPv6 CIDR format.',
].join('');
throw new this.serverless.classes.Error(errorMessage);
}
return cidrBlocks;
},

validatePriorities(albEvents) {
let comparator;
let duplicates;
Expand Down