fix(elasticloadbalancingv2): ALB auth return internal server error #24510
Conversation
github-actions
bot
added
the
valued-contributor
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.
WinterYukky
changed the title
|
This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
…x/alb-auth-return-internal-server-error
There was a problem hiding this comment.
Hey, thank you for your contribution. This change looks good to me. 🚀
Getting a second opinion from @corymhall
There was a problem hiding this comment.
@WinterYukky thanks for the PR! I think for this change I would like for someone from the core team to run the integration test to make sure that it works. I also think the integration test needs to have assertions that verify that the request will succeed.
The only other general question I have is around allow all traffic. I can't find any documentation around any published IPs for Cognito and obviously we wouldn't be able to know the IPs of other IdPs, but I think we need to think about how the user could configure it with specific IPs.
| import * as elbv2 from '../lib'; | ||
|
|
||
| // This test can only be run as a dry-run at this time due to requiring a certificate | ||
| class AlbOidcStack extends Stack { |
There was a problem hiding this comment.
@WinterYukky can you set this test up using specific env variables. Use this test as a reference https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-name.ts
Our test framework recognizes those env variables and will replace them with dummy values.
| @@ -88,5 +89,6 @@ export class AuthenticateCognitoAction extends elbv2.ListenerAction { | |||
| sessionTimeout: options.sessionTimeout?.toSeconds().toString(), | |||
| }, | |||
| }, options.next); | |||
| this._bindHook = (_scope, listener) => listener.connections.allowToAnyIpv4(Port.tcp(443), 'Allow to IdP endpoint'); | |||
There was a problem hiding this comment.
Rather than doing this _bindHook method I think I would rather just overwrite the bind method on both of these actions.
|
This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state. |
1 similar comment
|
This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state. |
…x/alb-auth-return-internal-server-error
|
|
There was a problem hiding this comment.
Thank you for reviewing @corymhall !!
I've fixed it in line with your comments. Can you review it again?
| const testUser = new CognitoUser(testCase, 'User', { | ||
| userPool: testCase.userPool, | ||
| username: 'test-user@example.com', | ||
| password: 'TestUser@123', | ||
| }); | ||
| // this function signs in to the website and returns text content of the authenticated page body | ||
| const signinFunction = new lambda.Function(testCase, 'Signin', { | ||
| functionName: 'cdk-integ-alb-cognito-signin-handler', | ||
| code: lambda.Code.fromAsset('alb-cognito-signin-handler'), | ||
| handler: 'index.handler', | ||
| runtime: lambda.Runtime.NODEJS_18_X, | ||
| environment: { | ||
| TEST_USERNAME: testUser.username, | ||
| TEST_PASSWORD: testUser.password, | ||
| TEST_URL: `https://${domainName}`, | ||
| }, | ||
| memorySize: 1024, | ||
| timeout: Duration.minutes(5), | ||
| }); | ||
| const invoke = test.assertions.invokeFunction({ | ||
| functionName: signinFunction.functionName, | ||
| }); | ||
| invoke.expect(integ.ExpectedResult.objectLike({ | ||
| Payload: '"Authenticated"', | ||
| })); |
There was a problem hiding this comment.
I added an assertion to sign in using puppeteer and verify authenticated page content.
|
|
||
| /** | ||
| * Allow HTTPS outbound traffic to communicate with the IdP. | ||
| * | ||
| * Set this property to false if the IP address used for the IdP endpoint is identifiable | ||
| * and you want to control outbound traffic. | ||
| * Then allow HTTPS outbound traffic to the IdP's IP address using the listener's `connections` property. | ||
| * | ||
| * @default true | ||
| * @see https://repost.aws/knowledge-center/elb-configure-authentication-alb | ||
| */ | ||
| readonly allowHttpsOutbound?: boolean; |
There was a problem hiding this comment.
I added a property that allows customers to control whether to allow HTTPS outbound traffic. This makes it possible to meet the requirements of customers who don't want to allow outbound traffic.
| public bind(scope: Construct, listener: elbv2.IApplicationListener, associatingConstruct?: IConstruct | undefined): void { | ||
| super.bind(scope, listener, associatingConstruct); | ||
|
|
||
| if (!this.allowHttpsOutbound) return; | ||
| listener.connections.allowToAnyIpv4(Port.tcp(443), 'Allow to IdP endpoint'); | ||
| } |
There was a problem hiding this comment.
I rewrote it to a method override instead of bindHook
…x/alb-auth-return-internal-server-error
aws-cdk-automation
added
the
pr/needs-community-review
| @@ -0,0 +1,198 @@ | |||
| import * as integ from '@aws-cdk/integ-tests-alpha'; | |||
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Summary
Allow HTTPS outbound traffic for security groups attached to the Application Load Balancer if the Application Load Balancer is configured with an authentication configuration.
Why is this PR needed?
Application Load Balancer authentication requires HTTPS outbound traffic.
However, the security group attached to the ApplicationLoadBalancer does not allow traffic to the outside, so the code as described in the documentation will not work by itself.
This issue is also documented.
https://aws.amazon.com/premiumsupport/knowledge-center/elb-configure-authentication-alb/?nc1=h_ls
Related issues
Following opened issues were fixed by #21939, but related this PR.
Closes #19035 #18944.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license