refactor(apig-validation): switch to Joi for common proxies properties

erezrokah · erezrokah · commit 96b22dabaa58 · 2019-08-24T13:36:00.000+03:00
diff --git a/lib/apiGateway/schema.js b/lib/apiGateway/schema.js
@@ -0,0 +1,128 @@
+'use strict'
+
+const Joi = require('@hapi/joi')
+
+const path = Joi.string().required()
+
+const method = Joi.string()
+  .required()
+  .valid(['get', 'post', 'put', 'patch', 'options', 'head', 'delete', 'any'])
+  .insensitive()
+
+const cors = Joi.alternatives().try(
+  Joi.boolean(),
+  Joi.object({
+    headers: Joi.array().items(Joi.string()),
+    origin: Joi.string(),
+    origins: Joi.array().items(Joi.string()),
+    methods: Joi.array().items(method),
+    maxAge: Joi.number().min(1),
+    cacheControl: Joi.string(),
+    allowCredentials: Joi.boolean()
+  })
+    .oxor('origin', 'origins') // can have one of them, but not required
+    .error((errors) => {
+      for (const error of errors) {
+        switch (error.type) {
+          case 'object.oxor':
+            error.message = '"cors" can have "origin" or "origins" but not both'
+            break
+          default:
+            break
+        }
+      }
+      return errors
+    })
+)
+
+const authorizerId = Joi.alternatives().try(
+  Joi.string(),
+  Joi.object().keys({
+    Ref: Joi.string().required()
+  })
+)
+
+const authorizationScopes = Joi.array()
+
+// https://hapi.dev/family/joi/?v=15.1.0#anywhencondition-options
+const authorizationType = Joi.alternatives().when('authorizerId', {
+  is: authorizerId.required(),
+  then: Joi.string()
+    .valid('CUSTOM')
+    .required(),
+  otherwise: Joi.alternatives().when('authorizationScopes', {
+    is: authorizationScopes.required(),
+    then: Joi.string()
+      .valid('COGNITO_USER_POOLS')
+      .required(),
+    otherwise: Joi.string().valid('NONE', 'AWS_IAM', 'CUSTOM', 'COGNITO_USER_POOLS')
+  })
+})
+
+// https://hapi.dev/family/joi/?v=15.1.0#objectpatternpattern-schema
+const requestParameters = Joi.object().pattern(Joi.string(), Joi.string().required())
+
+const proxy = Joi.object({
+  path,
+  method,
+  cors,
+  authorizationType,
+  authorizerId,
+  authorizationScopes,
+  requestParameters
+})
+  .oxor('authorizerId', 'authorizationScopes') // can have one of them, but not required
+  .error((errors) => {
+    for (const error of errors) {
+      switch (error.type) {
+        case 'object.oxor':
+          error.message = 'cannot set both "authorizerId" and "authorizationScopes"'
+          break
+        default:
+          break
+      }
+    }
+    return errors
+  })
+  .required()
+
+const allowedProxies = ['kinesis', 'sqs', 's3', 'sns']
+
+const proxiesSchemas = {
+  kinesis: Joi.object({ kinesis: proxy.forbiddenKeys('requestParameters') }),
+  s3: Joi.object({ s3: proxy.forbiddenKeys('requestParameters') }),
+  sns: Joi.object({ sns: proxy.forbiddenKeys('requestParameters') }),
+  sqs: Joi.object({ sqs: proxy.optionalKeys('requestParameters') })
+}
+
+const schema = Joi.array()
+  .items(...allowedProxies.map((proxyKey) => proxiesSchemas[proxyKey]))
+  .error((errors) => {
+    for (const error of errors) {
+      switch (error.type) {
+        case 'array.includes':
+          // get a detailed error why the proxy object failed the schema validation
+          // Joi default message is `"value" at position <i> does not match any of the allowed types`
+          const proxyKey = Object.keys(error.context.value)[0]
+          if (proxiesSchemas[proxyKey]) {
+            // e.g. value is { kinesis: { path: '/kinesis', method: 'xxxx' } }
+            const { error: proxyError } = Joi.validate(
+              error.context.value,
+              proxiesSchemas[proxyKey]
+            )
+            error.message = proxyError.message
+          } else {
+            // e.g. value is { xxxxx: { path: '/kinesis', method: 'post' } }
+            error.message = `Invalid APIG proxy "${proxyKey}". This plugin supported Proxies are: ${allowedProxies.join(
+              ', '
+            )}.`
+          }
+          break
+        default:
+          break
+      }
+    }
+    return errors
+  })
+
+module.exports = schema
diff --git a/lib/apiGateway/validate.js b/lib/apiGateway/validate.js
@@ -1,19 +1,36 @@
 'use strict'
 const NOT_FOUND = -1
 const _ = require('lodash')
+const Joi = require('@hapi/joi')
+const schema = require('./schema')
 
 module.exports = {
   validateServiceProxies() {
+    const proxies = this.getAllServiceProxies()
+
+    const { error } = Joi.validate(proxies, schema)
+    if (error) {
+      throw new this.serverless.classes.Error(error.message)
+    }
+
     const corsPreflight = {}
-    const events = this.getAllServiceProxies().map((serviceProxy) => {
+
+    const events = proxies.map((serviceProxy) => {
       const serviceName = this.getServiceName(serviceProxy)
-      this.checkAllowedService(serviceName)
       const http = serviceProxy[serviceName]
-      http.path = this.getProxyPath(serviceProxy[serviceName], serviceName)
-      http.method = this.getProxyMethod(serviceProxy[serviceName], serviceName)
-      http.auth = this.getAuth(serviceProxy[serviceName], serviceName)
+      http.path = http.path.replace(/^\//, '').replace(/\/$/, '')
+      http.method = http.method.toLowerCase()
+      http.auth = {
+        authorizationType: http.authorizationType || 'NONE'
+      }
 
-      this.validateRequestParameters(serviceProxy[serviceName], serviceName)
+      if (_.has(http, 'authorizerId')) {
+        http.auth.authorizerId = http.authorizerId
+      }
+
+      if (_.has(http, 'authorizationScopes')) {
+        http.auth.authorizationScopes = http.authorizationScopes
+      }
 
       if (serviceProxy[serviceName].cors) {
         http.cors = this.getCors(serviceProxy[serviceName])
@@ -47,49 +64,8 @@ module.exports = {
     }
   },
 
-  checkAllowedService(serviceName) {
-    const allowedProxies = ['kinesis', 'sqs', 's3', 'sns']
-    if (allowedProxies.indexOf(serviceName) === NOT_FOUND) {
-      const errorMessage = [
-        `Invalid APIG proxy "${serviceName}".`,
-        ` This plugin supported Proxies are: ${allowedProxies.join(', ')}.`
-      ].join('')
-      throw new this.serverless.classes.Error(errorMessage)
-    }
-  },
-
-  getProxyPath(proxy, serviceName) {
-    if (proxy.path && _.isString(proxy.path)) {
-      return proxy.path.replace(/^\//, '').replace(/\/$/, '')
-    }
-
-    throw new this.serverless.classes.Error(
-      `Missing or invalid "path" property in ${serviceName} proxy`
-    )
-  },
-
-  getProxyMethod(proxy, serviceName) {
-    if (proxy.method && _.isString(proxy.method)) {
-      const method = proxy.method.toLowerCase()
-
-      const allowedMethods = ['get', 'post', 'put', 'patch', 'options', 'head', 'delete', 'any']
-      if (allowedMethods.indexOf(method) === NOT_FOUND) {
-        const errorMessage = [
-          `Invalid APIG method "${proxy.method}" in AWS service proxy.`,
-          ` AWS supported methods are: ${allowedMethods.join(', ')}.`
-        ].join('')
-        throw new this.serverless.classes.Error(errorMessage)
-      }
-      return method
-    }
-
-    throw new this.serverless.classes.Error(
-      `Missing or invalid "method" property in ${serviceName} proxy`
-    )
-  },
-
   getCors(proxy) {
-    const headers = [
+    const defaultHeaders = [
       'Content-Type',
       'X-Amz-Date',
       'Authorization',
@@ -102,34 +78,17 @@ module.exports = {
       origins: ['*'],
       origin: '*',
       methods: ['OPTIONS'],
-      headers,
+      headers: defaultHeaders,
       allowCredentials: false
     }
 
-    if (typeof proxy.cors === 'object') {
+    if (_.isPlainObject(proxy.cors)) {
       cors = proxy.cors
       cors.methods = cors.methods || []
       cors.allowCredentials = Boolean(cors.allowCredentials)
 
-      if (cors.origins && cors.origin) {
-        const errorMessage = [
-          'You can only use "origin" or "origins",',
-          ' but not both at the same time to configure CORS.',
-          ' Please check the docs for more info.'
-        ].join('')
-        throw new this.serverless.classes.Error(errorMessage)
-      }
-
-      if (cors.headers) {
-        if (!Array.isArray(cors.headers)) {
-          const errorMessage = [
-            'CORS header values must be provided as an array.',
-            ' Please check the docs for more info.'
-          ].join('')
-          throw new this.serverless.classes.Error(errorMessage)
-        }
-      } else {
-        cors.headers = headers
+      if (!cors.headers) {
+        cors.headers = defaultHeaders
       }
 
       if (cors.methods.indexOf('OPTIONS') === NOT_FOUND) {
@@ -139,87 +98,10 @@ module.exports = {
       if (cors.methods.indexOf(proxy.method.toUpperCase()) === NOT_FOUND) {
         cors.methods.push(proxy.method.toUpperCase())
       }
-
-      if (_.has(cors, 'maxAge')) {
-        if (!_.isInteger(cors.maxAge) || cors.maxAge < 1) {
-          const errorMessage = 'maxAge should be an integer over 0'
-          throw new this.serverless.classes.Error(errorMessage)
-        }
-      }
     } else {
       cors.methods.push(proxy.method.toUpperCase())
     }
 
     return cors
-  },
-
-  getAuth(proxy, serviceName) {
-    const auth = {
-      authorizationType: 'NONE'
-    }
-
-    if (!_.isUndefined(proxy.authorizationType)) {
-      if (_.isString(proxy.authorizationType)) {
-        const allowedTypes = ['NONE', 'AWS_IAM', 'CUSTOM', 'COGNITO_USER_POOLS']
-        if (allowedTypes.indexOf(proxy.authorizationType) === NOT_FOUND) {
-          const errorMessage = [
-            `Invalid APIG authorization type "${proxy.authorizationType}" in AWS service proxy.`,
-            ` AWS supported types are: ${allowedTypes.join(', ')}.`
-          ].join('')
-          throw new this.serverless.classes.Error(errorMessage)
-        }
-
-        auth.authorizationType = proxy.authorizationType
-      } else {
-        throw new this.serverless.classes.Error(
-          `Invalid "authorizationType" property in ${serviceName} proxy`
-        )
-      }
-    }
-
-    if (!_.isUndefined(proxy.authorizerId)) {
-      if (auth.authorizationType !== 'CUSTOM') {
-        const errorMessage = `Expecting 'CUSTOM' authorization type when 'authorizerId' is set in service ${serviceName}`
-        throw new this.serverless.classes.Error(errorMessage)
-      }
-
-      auth.authorizerId = proxy.authorizerId
-    }
-
-    if (!_.isUndefined(proxy.authorizationScopes)) {
-      if (_.isArray(proxy.authorizationScopes)) {
-        if (auth.authorizationType !== 'COGNITO_USER_POOLS') {
-          const errorMessage = `Expecting 'COGNITO_USER_POOLS' authorization type when 'authorizationScopes' is set in service ${serviceName}`
-          throw new this.serverless.classes.Error(errorMessage)
-        }
-
-        auth.authorizationScopes = proxy.authorizationScopes
-      } else {
-        throw new this.serverless.classes.Error(
-          `Invalid "authorizationScopes" property in ${serviceName} proxy`
-        )
-      }
-    }
-
-    return auth
-  },
-
-  validateRequestParameters(proxy, serviceName) {
-    if (!_.isUndefined(proxy.requestParameters)) {
-      if (serviceName !== 'sqs') {
-        throw new this.serverless.classes.Error(
-          'requestParameters property is only valid for "sqs" service proxy'
-        )
-      }
-
-      if (
-        !_.isPlainObject(proxy.requestParameters) ||
-        _.some(_.values(proxy.requestParameters), (v) => !_.isString(v))
-      ) {
-        throw new this.serverless.classes.Error(
-          'requestParameters property must be a string to string mapping'
-        )
-      }
-    }
   }
 }
diff --git a/lib/apiGateway/validate.test.js b/lib/apiGateway/validate.test.js
