-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(elasticloadbalancingv2): ALB auth return internal server error #24510
fix(elasticloadbalancingv2): ALB auth return internal server error #24510
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request
. Additionally, if clarification is needed add Clarification Request
to a comment.
✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.
This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
…x/alb-auth-return-internal-server-error
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey, thank you for your contribution. This change looks good to me. 🚀
Getting a second opinion from @corymhall
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@WinterYukky thanks for the PR! I think for this change I would like for someone from the core team to run the integration test to make sure that it works. I also think the integration test needs to have assertions that verify that the request will succeed.
The only other general question I have is around allow all traffic. I can't find any documentation around any published IPs for Cognito and obviously we wouldn't be able to know the IPs of other IdPs, but I think we need to think about how the user could configure it with specific IPs.
import * as elbv2 from '../lib'; | ||
|
||
// This test can only be run as a dry-run at this time due to requiring a certificate | ||
class AlbOidcStack extends Stack { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@WinterYukky can you set this test up using specific env variables. Use this test as a reference https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-name.ts
Our test framework recognizes those env variables and will replace them with dummy values.
@@ -88,5 +89,6 @@ export class AuthenticateCognitoAction extends elbv2.ListenerAction { | |||
sessionTimeout: options.sessionTimeout?.toSeconds().toString(), | |||
}, | |||
}, options.next); | |||
this._bindHook = (_scope, listener) => listener.connections.allowToAnyIpv4(Port.tcp(443), 'Allow to IdP endpoint'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rather than doing this _bindHook
method I think I would rather just overwrite the bind
method on both of these actions.
This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state. |
1 similar comment
This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state. |
…x/alb-auth-return-internal-server-error
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for reviewing @corymhall !!
I've fixed it in line with your comments. Can you review it again?
const testUser = new CognitoUser(testCase, 'User', { | ||
userPool: testCase.userPool, | ||
username: 'test-user@example.com', | ||
password: 'TestUser@123', | ||
}); | ||
// this function signs in to the website and returns text content of the authenticated page body | ||
const signinFunction = new lambda.Function(testCase, 'Signin', { | ||
functionName: 'cdk-integ-alb-cognito-signin-handler', | ||
code: lambda.Code.fromAsset('alb-cognito-signin-handler'), | ||
handler: 'index.handler', | ||
runtime: lambda.Runtime.NODEJS_18_X, | ||
environment: { | ||
TEST_USERNAME: testUser.username, | ||
TEST_PASSWORD: testUser.password, | ||
TEST_URL: `https://${domainName}`, | ||
}, | ||
memorySize: 1024, | ||
timeout: Duration.minutes(5), | ||
}); | ||
const invoke = test.assertions.invokeFunction({ | ||
functionName: signinFunction.functionName, | ||
}); | ||
invoke.expect(integ.ExpectedResult.objectLike({ | ||
Payload: '"Authenticated"', | ||
})); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added an assertion to sign in using puppeteer and verify authenticated page content.
|
||
/** | ||
* Allow HTTPS outbound traffic to communicate with the IdP. | ||
* | ||
* Set this property to false if the IP address used for the IdP endpoint is identifiable | ||
* and you want to control outbound traffic. | ||
* Then allow HTTPS outbound traffic to the IdP's IP address using the listener's `connections` property. | ||
* | ||
* @default true | ||
* @see https://repost.aws/knowledge-center/elb-configure-authentication-alb | ||
*/ | ||
readonly allowHttpsOutbound?: boolean; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a property that allows customers to control whether to allow HTTPS outbound traffic. This makes it possible to meet the requirements of customers who don't want to allow outbound traffic.
public bind(scope: Construct, listener: elbv2.IApplicationListener, associatingConstruct?: IConstruct | undefined): void { | ||
super.bind(scope, listener, associatingConstruct); | ||
|
||
if (!this.allowHttpsOutbound) return; | ||
listener.connections.allowToAnyIpv4(Port.tcp(443), 'Allow to IdP endpoint'); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I rewrote it to a method override instead of bindHook
…x/alb-auth-return-internal-server-error
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work! Love the integ tests!
@@ -0,0 +1,198 @@ | |||
import * as integ from '@aws-cdk/integ-tests-alpha'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is awesome!
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Summary
Allow HTTPS outbound traffic for security groups attached to the Application Load Balancer if the Application Load Balancer is configured with an authentication configuration.
Why is this PR needed?
Application Load Balancer authentication requires HTTPS outbound traffic.
However, the security group attached to the ApplicationLoadBalancer does not allow traffic to the outside, so the code as described in the documentation will not work by itself.
This issue is also documented.
https://aws.amazon.com/premiumsupport/knowledge-center/elb-configure-authentication-alb/?nc1=h_ls
Related issues
Following opened issues were fixed by #21939, but related this PR.
Closes #19035 #18944.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license