Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(elasticloadbalancingv2): ALB auth return internal server error #24510

Merged

Conversation

WinterYukky
Copy link
Contributor

Summary

Allow HTTPS outbound traffic for security groups attached to the Application Load Balancer if the Application Load Balancer is configured with an authentication configuration.

Why is this PR needed?

Application Load Balancer authentication requires HTTPS outbound traffic.
However, the security group attached to the ApplicationLoadBalancer does not allow traffic to the outside, so the code as described in the documentation will not work by itself.
image

This issue is also documented.
https://aws.amazon.com/premiumsupport/knowledge-center/elb-configure-authentication-alb/?nc1=h_ls

Related issues

Following opened issues were fixed by #21939, but related this PR.
Closes #19035 #18944.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the p2 label Mar 8, 2023
@aws-cdk-automation aws-cdk-automation requested a review from a team March 8, 2023 12:20
@github-actions github-actions bot added the valued-contributor [Pilot] contributed between 6-12 PRs to the CDK label Mar 8, 2023
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@aws-cdk-automation aws-cdk-automation dismissed their stale review March 8, 2023 13:50

✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.

@WinterYukky WinterYukky changed the title fix(elbv2): ALB auth return internal server error fix(elasticloadbalancingv2): ALB auth return internal server error Mar 8, 2023
@aws-cdk-automation
Copy link
Collaborator

This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

@vinayak-kukreja vinayak-kukreja self-assigned this Apr 12, 2023
Copy link
Contributor

@vinayak-kukreja vinayak-kukreja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, thank you for your contribution. This change looks good to me. 🚀

Getting a second opinion from @corymhall

Copy link
Contributor

@corymhall corymhall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@WinterYukky thanks for the PR! I think for this change I would like for someone from the core team to run the integration test to make sure that it works. I also think the integration test needs to have assertions that verify that the request will succeed.

The only other general question I have is around allow all traffic. I can't find any documentation around any published IPs for Cognito and obviously we wouldn't be able to know the IPs of other IdPs, but I think we need to think about how the user could configure it with specific IPs.

import * as elbv2 from '../lib';

// This test can only be run as a dry-run at this time due to requiring a certificate
class AlbOidcStack extends Stack {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@WinterYukky can you set this test up using specific env variables. Use this test as a reference https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-name.ts

Our test framework recognizes those env variables and will replace them with dummy values.

@@ -88,5 +89,6 @@ export class AuthenticateCognitoAction extends elbv2.ListenerAction {
sessionTimeout: options.sessionTimeout?.toSeconds().toString(),
},
}, options.next);
this._bindHook = (_scope, listener) => listener.connections.allowToAnyIpv4(Port.tcp(443), 'Allow to IdP endpoint');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than doing this _bindHook method I think I would rather just overwrite the bind method on both of these actions.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

1 similar comment
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@gitpod-io
Copy link

gitpod-io bot commented Apr 22, 2023

@mergify mergify bot dismissed corymhall’s stale review April 22, 2023 04:42

Pull request has been modified.

Copy link
Contributor Author

@WinterYukky WinterYukky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for reviewing @corymhall !!
I've fixed it in line with your comments. Can you review it again?

Comment on lines +193 to +217
const testUser = new CognitoUser(testCase, 'User', {
userPool: testCase.userPool,
username: 'test-user@example.com',
password: 'TestUser@123',
});
// this function signs in to the website and returns text content of the authenticated page body
const signinFunction = new lambda.Function(testCase, 'Signin', {
functionName: 'cdk-integ-alb-cognito-signin-handler',
code: lambda.Code.fromAsset('alb-cognito-signin-handler'),
handler: 'index.handler',
runtime: lambda.Runtime.NODEJS_18_X,
environment: {
TEST_USERNAME: testUser.username,
TEST_PASSWORD: testUser.password,
TEST_URL: `https://${domainName}`,
},
memorySize: 1024,
timeout: Duration.minutes(5),
});
const invoke = test.assertions.invokeFunction({
functionName: signinFunction.functionName,
});
invoke.expect(integ.ExpectedResult.objectLike({
Payload: '"Authenticated"',
}));
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added an assertion to sign in using puppeteer and verify authenticated page content.

Comment on lines +70 to +81

/**
* Allow HTTPS outbound traffic to communicate with the IdP.
*
* Set this property to false if the IP address used for the IdP endpoint is identifiable
* and you want to control outbound traffic.
* Then allow HTTPS outbound traffic to the IdP's IP address using the listener's `connections` property.
*
* @default true
* @see https://repost.aws/knowledge-center/elb-configure-authentication-alb
*/
readonly allowHttpsOutbound?: boolean;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a property that allows customers to control whether to allow HTTPS outbound traffic. This makes it possible to meet the requirements of customers who don't want to allow outbound traffic.

Comment on lines +122 to +127
public bind(scope: Construct, listener: elbv2.IApplicationListener, associatingConstruct?: IConstruct | undefined): void {
super.bind(scope, listener, associatingConstruct);

if (!this.allowHttpsOutbound) return;
listener.connections.allowToAnyIpv4(Port.tcp(443), 'Allow to IdP endpoint');
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I rewrote it to a method override instead of bindHook

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label May 5, 2023
Copy link
Contributor

@corymhall corymhall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work! Love the integ tests!

@@ -0,0 +1,198 @@
import * as integ from '@aws-cdk/integ-tests-alpha';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is awesome!

@mergify
Copy link
Contributor

mergify bot commented May 5, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: e6b5f52
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 75212eb into aws:main May 5, 2023
@mergify
Copy link
Contributor

mergify bot commented May 5, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. valued-contributor [Pilot] contributed between 6-12 PRs to the CDK
Projects
None yet
4 participants