A4A protect emitLifecycleEvent/onAmpRender from exiting promise chain; log signing service to stackdrive with service name #6504
Conversation
…ing; fix a4a integration test to be hermetic
| * @visibileForTesting | ||
| * @private | ||
| */ | ||
| export const protectFunctionWrapper_ = (fn, opt_this, opt_onError) => { |
There was a problem hiding this comment.
Would probably make more sense for this to be export function protectFunctionWrapper_(fn, opt_this, opt_onError) {.
Also, old-style optional parameters are no longer used; rename them and give explicit defaults (which can be undefined if you want the same semantics) instead.
| @@ -482,8 +529,14 @@ export class AmpA4A extends AMP.BaseElement { | |||
| if (isValid) { | |||
| return creative; | |||
| } | |||
| return Promise.reject( | |||
| 'Key failed to validate creative\'s signature.'); | |||
| // Only report is signature is expected to match given | |||
There was a problem hiding this comment.
Grammar nit: also, "... to match given ..." => "... to match, given that ..."
| 'Key failed to validate creative\'s signature.'); | ||
| // Only report is signature is expected to match given | ||
| // multiple key providers could have been specified. | ||
| if (!verifyHashVersion(signature, keyInfo)) { |
There was a problem hiding this comment.
Can you explain why this won't produce false positives? If you've got a locally built AMP runtime, this will run against both the dev and prod keys, and if the creative was signed with the prod key verifyHashVersion will return false for the dev key. Unless I've misunderstood something?
There was a problem hiding this comment.
Good catch, I had the inverse. Removed !.
| if (!verifyHashVersion(signature, keyInfo)) { | ||
| user().error(TAG, this.element.getAttribute('type'), | ||
| `Key failed to validate creative\'s signature for | ||
| service ${keyInfo.serviceName}.`, keyInfo.cryptoKey); |
There was a problem hiding this comment.
That newline and leading whitespace won't be stripped, they'll appear in the error message.
There was a problem hiding this comment.
Also, no need to escape a single quote in a non-single-quoted string.
| @@ -90,19 +91,25 @@ describe('integration test: a4a', () => { | |||
| beforeEach(() => { | |||
| sandbox = sinon.sandbox.create(); | |||
| xhrMock = sandbox.stub(Xhr.prototype, 'fetch'); | |||
| // Expect key set fetches for signing services. | |||
| const fetchJsonMock = sandbox.stub(Xhr.prototype, 'fetchJson'); | |||
There was a problem hiding this comment.
I really want a less fragile way to do test doubles for AJAX requests than these mocks. No need to fix that in this PR though, just something for the future.
There was a problem hiding this comment.
Ack, I agree. I originally had fetch_ but it caused more extensive issues with the test than I wanted to address in this PR.
| * onError handler (if none provided, error is swallowed). | ||
| * @param {!Function} fn to protect | ||
| * @param {T=} opt_this An optional object to use as the 'this' object | ||
| * when calling the function. |
There was a problem hiding this comment.
Should probably note explicitly that this defaults to undefined if omitted.
There was a problem hiding this comment.
Isn't that the usual semantic of omitted params in JS?
There was a problem hiding this comment.
In terms of language semantics, yes. I was referring more to the API for this function; if a parameter is optional, it should be stated what happens if it's omitted (the answer in this case is that this is bound to the value undefined in the wrapped function, but I've seen other callback-accepting functions that do things differently).
There was a problem hiding this comment.
Done (updated function documentation)
| @@ -125,6 +126,38 @@ export const LIFECYCLE_STAGES = { | |||
| }; | |||
|
|
|||
|
|
|||
| /** | |||
| * Utility function that ensures any error thrown is handled by optional | |||
There was a problem hiding this comment.
Can we be clear on whether the caller of a function wrapped with this can use its return value? If so, there should be explicit returns for the case where there's no opt_onError or opt_onError throws, and it should be documented what's returned in these cases. If not, the tests should be changed not to rely on this behavior.
| @@ -125,6 +126,38 @@ export const LIFECYCLE_STAGES = { | |||
| }; | |||
|
|
|||
|
|
|||
| /** | |||
| * Utility function that ensures any error thrown is handled by optional | |||
| * onError handler (if none provided, error is swallowed). | |||
There was a problem hiding this comment.
Make that "if none provided or handler throws"?
| * and arguments provided to function call. | ||
| * @return {!Function} protected function | ||
| * @template T | ||
| * @visibileForTesting |
| expect(errorCalls).to.equal(0); | ||
| }); | ||
|
|
||
| it('handles error properly', done => { |
There was a problem hiding this comment.
I'm having a hard time figuring out how/whether this test works as intended (largely because of the done callback, whose semantics in synchronous code I can't figure out from the Chai API documentation and which should probably be avoided when possible). If protectFunctionWrapper_'s API is such that callers can rely on its return value, then I think it would be better to return an explicit value from the handler and assert that the top-level expression equals that. If not, then I think you should do something analogous to the errorCalls variable in the test above this one.
Also, probably-soon-to-be-irrelevant style nit: parentheses are recommended around arrow function arguments.
There was a problem hiding this comment.
Done, agree that usage of done was unnecessary.
| * @return {!Function} protected function | ||
| * @template T | ||
| * @visibileForTesting | ||
| * @private |
There was a problem hiding this comment.
It looks weird to have it marked both @private and @visibleForTesting, but I guess there's never been a scope visibility thing enabled, so no problem. :-)
There was a problem hiding this comment.
I agree. Renamed to protectFunctionWrapper and removed @Private
| @@ -482,8 +529,14 @@ export class AmpA4A extends AMP.BaseElement { | |||
| if (isValid) { | |||
| return creative; | |||
| } | |||
| return Promise.reject( | |||
| 'Key failed to validate creative\'s signature.'); | |||
| // Only report is signature is expected to match given | |||
There was a problem hiding this comment.
Grammar nit: also, "... to match given ..." => "... to match, given that ..."
| @@ -686,40 +739,46 @@ export class AmpA4A extends AMP.BaseElement { | |||
| const jwkSetPromises = this.getSigningServiceNames().map(serviceName => { | |||
| dev().assert(getMode().localDev || !endsWith(serviceName, '-dev')); | |||
| const url = signingServerURLs[serviceName]; | |||
| const currServiceName = serviceName; | |||
There was a problem hiding this comment.
Why rename serviceName here? Why not just make it currServiceName in the loop index?
There was a problem hiding this comment.
Ah because then it could be re-assigned within the map callback prior to the xhr callback such that it references the LAST value in the object. It's possible map does not actually cause such an issue (would certainly be the case if this was a for loop) but I'm old school and want to ensure we're safe in case someone changes this to a loop at some point.
| @@ -90,19 +91,25 @@ describe('integration test: a4a', () => { | |||
| beforeEach(() => { | |||
| sandbox = sinon.sandbox.create(); | |||
| xhrMock = sandbox.stub(Xhr.prototype, 'fetch'); | |||
| // Expect key set fetches for signing services. | |||
| const fetchJsonMock = sandbox.stub(Xhr.prototype, 'fetchJson'); | |||
| for (const serviceName in signingServerURLs) { | |||
There was a problem hiding this comment.
Last time I tried that, one of the AMP reviewers told me to avoid .keys(), in favor of for - in because .keys() involved allocating a list, which you want only for iteration.
|
@taymonbeal PTAL |
| @@ -128,6 +129,42 @@ export const LIFECYCLE_STAGES = { | |||
| }; | |||
|
|
|||
|
|
|||
| /** | |||
| * Utility function that ensures any error thrown is handled by optional | |||
| * onError handler (if none provided or handler throws, error is swallowed). | |||
There was a problem hiding this comment.
For an abundance of clarity, can this be "if none provided or handler throws, error is swallowed and undefined is returned"?
| * @visibleForTesting | ||
| */ | ||
| export function protectFunctionWrapper( | ||
| fn, opt_this = undefined, opt_onError = undefined) { |
There was a problem hiding this comment.
| /** | ||
| * Protected version of emitLifecycleEvent that ensures error does not | ||
| * cause promise chain to reject. | ||
| * @private {!function(string, !Object=)} |
There was a problem hiding this comment.
| */ | ||
| this.protectedEmitLifecycleEvent_ = protectFunctionWrapper( | ||
| this.emitLifecycleEvent, this, | ||
| (err, var_args) => { |
| 'Key failed to validate creative\'s signature.'); | ||
| // Only report if signature is expected to match, given that | ||
| // multiple key providers could have been specified. | ||
| if (verifyHashVersion(signature, keyInfo)) { |
There was a problem hiding this comment.
What happens if the key hash in the signature doesn't match any available key? That would be an error case, but I don't see how it gets reported.
There was a problem hiding this comment.
Added logging statement within promise chain when we had a signature but validation failed against all providers. This will cause multiple error statements to potentially occur (should there be one key provider that matches the signature hash but failed validation) but cannot see easy way around it.
|
@taymonbeal PTAL |
|
@lannka @dvoytenko could you merge or assign another reviewer as needed? Thanks |
…; log signing service to stackdrive with service name (ampproject#6504) * Initial commit * Include serviceName in crypto key info to allow for better error logging; fix a4a integration test to be hermetic * Fix test coverage * PR feedback * PR responses
…; log signing service to stackdrive with service name (ampproject#6504) * Initial commit * Include serviceName in crypto key info to allow for better error logging; fix a4a integration test to be hermetic * Fix test coverage * PR feedback * PR responses
Couple of changes to A4A flow:
Created generalized protectFunctionWrapper_ which ideally would use spread when calling optional on error handler but linter does not allow. Function will be used for any abstract function implementations whose failure is not expected to trigger abort (emitLifecycleEvent & onAmpCreativeRender)
Modify crypto key fetch to associate service name with key promise allowing for later validation error logging to include service name
Modify crypto validation to report to stackdriver via user().error() and to ensure error is only reported when failure is expected (when public key and signature start with same version info)