// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package rapi
import (
"bytes"
"context"
"net/http"
"net/http/httptest"
"testing"
"github.com/stretchr/testify/assert"
"go.amzn.com/lambda/testdata"
)
// TestInvokeValidId is the positive counterpart of the request-id security tests:
// when the invoke id in the path matches the invocation handed out by the preceding
// /next, the state machine must accept both /response and /error with 202.
func TestInvokeValidId(t *testing.T) {
	flowTest := testdata.NewFlowTest()
	flowTest.ConfigureForInit()
	router := NewRouter(flowTest.AppCtx, flowTest.RegistrationService, flowTest.RenderingService)

	// next pulls the active invocation; /next is expected to answer 200.
	next := func() {
		rec := makeTestRequest(t, router, httptest.NewRequest("GET", "/runtime/invocation/next", nil))
		assert.Equal(t, http.StatusOK, rec.Code)
	}
	// complete posts an empty JSON body to the given invoke endpoint and checks the status.
	complete := func(path string, wantCode int) {
		rec := makeTestRequest(t, router, httptest.NewRequest("POST", path, bytes.NewReader([]byte("{}"))))
		assert.Equal(t, wantCode, rec.Code)
	}

	// Invoke A: matching id on /response is accepted.
	flowTest.ConfigureForInvoke(context.Background(), createInvoke("InvokeA"))
	next()
	complete("/runtime/invocation/InvokeA/response", http.StatusAccepted)

	// Invoke B: matching id on /error is accepted as well.
	flowTest.ConfigureForInvoke(context.Background(), createInvoke("InvokeB"))
	next()
	complete("/runtime/invocation/InvokeB/error", http.StatusAccepted)
}
// TestSecurityInvokeResponseBadRequestId pins the request-id binding for /response.
// A runtime may only complete the invocation it was handed by /next: posting a
// response before /next is refused by the state machine (403 InvalidStateTransition),
// and posting with any other id -- an unknown one, or the id of an invocation that
// has already been completed -- is refused as 400 InvalidRequestID. Without this
// check a runtime could report a result against an invocation it never received.
// This is a Security requirement.
func TestSecurityInvokeResponseBadRequestId(t *testing.T) {
	flowTest := testdata.NewFlowTest()
	flowTest.ConfigureForInit()
	router := NewRouter(flowTest.AppCtx, flowTest.RegistrationService, flowTest.RenderingService)

	// next pulls the active invocation; /next is expected to answer 200.
	next := func() {
		rec := makeTestRequest(t, router, httptest.NewRequest("GET", "/runtime/invocation/next", nil))
		assert.Equal(t, http.StatusOK, rec.Code)
	}
	// respond posts an empty JSON body to /runtime/invocation/<id>/response and checks
	// the status code plus, when wantErrType is non-empty, the error type in the body.
	respond := func(id string, wantCode int, wantErrType string) {
		rec := makeTestRequest(t, router, httptest.NewRequest("POST", "/runtime/invocation/"+id+"/response", bytes.NewReader([]byte("{}"))))
		assert.Equal(t, wantCode, rec.Code)
		if wantErrType != "" {
			assertResponseErrorType(t, wantErrType, rec)
		}
	}

	flowTest.ConfigureForInvoke(context.Background(), createInvoke("InvokeA"))
	// Correct id, but no /next yet: the state machine forbids the transition.
	respond("InvokeA", http.StatusForbidden, "InvalidStateTransition")

	next()
	// Invoke A is active; an unknown id must not be accepted.
	respond("InvokeZ", http.StatusBadRequest, "InvalidRequestID")
	// The genuine id still works after the rejected attempt.
	respond("InvokeA", http.StatusAccepted, "")

	flowTest.ConfigureForInvoke(context.Background(), createInvoke("InvokeB"))
	next()
	// A's id is stale once B is active: replaying it must be rejected.
	respond("InvokeA", http.StatusBadRequest, "InvalidRequestID")
}
// TestSecurityInvokeErrorBadRequestId pins the request-id binding for /error, mirroring
// the /response case. A runtime may only fail the invocation it was handed by /next:
// posting an error before /next is refused by the state machine (403
// InvalidStateTransition), and posting with any other id -- an unknown one, or the id
// of an invocation that has already been completed -- is refused as 400
// InvalidRequestID. Without this check a runtime could mark an invocation it never
// received as failed.
// This is a Security requirement.
func TestSecurityInvokeErrorBadRequestId(t *testing.T) {
	flowTest := testdata.NewFlowTest()
	flowTest.ConfigureForInit()
	router := NewRouter(flowTest.AppCtx, flowTest.RegistrationService, flowTest.RenderingService)

	// next pulls the active invocation; /next is expected to answer 200.
	next := func() {
		rec := makeTestRequest(t, router, httptest.NewRequest("GET", "/runtime/invocation/next", nil))
		assert.Equal(t, http.StatusOK, rec.Code)
	}
	// fail posts an empty JSON body to /runtime/invocation/<id>/error and checks the
	// status code plus, when wantErrType is non-empty, the error type in the body.
	fail := func(id string, wantCode int, wantErrType string) {
		rec := makeTestRequest(t, router, httptest.NewRequest("POST", "/runtime/invocation/"+id+"/error", bytes.NewReader([]byte("{}"))))
		assert.Equal(t, wantCode, rec.Code)
		if wantErrType != "" {
			assertResponseErrorType(t, wantErrType, rec)
		}
	}

	flowTest.ConfigureForInvoke(context.Background(), createInvoke("InvokeA"))
	// Correct id, but no /next yet: the state machine forbids the transition.
	fail("InvokeA", http.StatusForbidden, "InvalidStateTransition")

	next()
	// Invoke A is active; an unknown id must not be accepted.
	fail("InvokeZ", http.StatusBadRequest, "InvalidRequestID")
	// The genuine id still works after the rejected attempt.
	fail("InvokeA", http.StatusAccepted, "")

	flowTest.ConfigureForInvoke(context.Background(), createInvoke("InvokeB"))
	next()
	// A's id is stale once B is active: replaying it must be rejected.
	fail("InvokeA", http.StatusBadRequest, "InvalidRequestID")
}