Automatically secure web actions for HTTP endpoints.

jthomas · jthomas · commit c00336801a1e · 2018-04-30T17:34:09.000+01:00
Fixes #107
diff --git a/README.md b/README.md
@@ -711,6 +711,8 @@ Date: Mon, 19 Dec 2016 15:47:53 GMT
 }
 ````
 
+Functions exposed through the API Gateway service are automatically converted into Web Actions during deployment. The framework [secures Web Actions for HTTP endpoints](https://github.com/apache/incubator-openwhisk/blob/master/docs/webactions.md#securing-web-actions) using the `require-whisk-auth` annotation. If the `require-whisk-auth` annotation is manually configured, the existing annotation value is used, otherwise a random token is automatically generated.
+
 ## Exporting Web Actions
 
 Functions can be turned into "*web actions*" which return HTTP content without use of an API Gateway. This feature is enabled by setting an annotation (`web-export`) in the configuration file.
diff --git a/compile/apigw/index.js b/compile/apigw/index.js
@@ -1,6 +1,7 @@
 'use strict';
 
 const BbPromise = require('bluebird');
+const crypto = require('crypto');
 
 class OpenWhiskCompileHttpEvents {
   constructor(serverless, options) {
@@ -28,6 +29,10 @@ class OpenWhiskCompileHttpEvents {
     }
   }
 
+  generateAuthString() {
+    return crypto.randomBytes(64).toString('hex')
+  }
+
   // HTTP events need Web Actions enabled for those functions. Add
   // annotation 'web-export' if it is not already present.
   addWebAnnotations() {
@@ -38,6 +43,10 @@ class OpenWhiskCompileHttpEvents {
       if (httpEvents.length) {
         if (!f.annotations) f.annotations = {}
         f.annotations['web-export'] = true
+
+        if (!f.annotations.hasOwnProperty('require-whisk-auth')) {
+          f.annotations['require-whisk-auth'] = this.generateAuthString()
+        }
       }
     })
 
@@ -56,6 +65,11 @@ class OpenWhiskCompileHttpEvents {
       || '_';
   }
 
+  retrieveAuthKey(functionObject) {
+    const annotations = functionObject.annotations || {}
+    return annotations['require-whisk-auth']
+  }
+
   //
   // This method takes the rule definitions, parsed from the user's YAML file,
   // and turns it into the OpenWhisk Rule resource object.
@@ -69,6 +83,12 @@ class OpenWhiskCompileHttpEvents {
     const options = this.parseHttpEvent(http);
     options.action = this.calculateFunctionName(funcName, funcObj);
     options.basepath = `/${this.serverless.service.service}`;
+
+    const secure_key = this.retrieveAuthKey(funcObj)
+    if (secure_key) {
+      options.secure_key = secure_key;
+    }
+
     return options;
   }
 
diff --git a/compile/apigw/tests/index.js b/compile/apigw/tests/index.js
@@ -1,5 +1,6 @@
 'use strict';
 
+const crypto = require('crypto');
 const BbPromise = require('bluebird');
 const expect = require('chai').expect;
 const chaiAsPromised = require('chai-as-promised');
@@ -46,11 +47,29 @@ describe('OpenWhiskCompileHttpEvents', () => {
         c: { events: [ { http: true } ], annotations: { 'web-export': false } },
         d: { events: [ { http: true } ] }
       }
+
+      const auth_string = crypto.randomBytes(64).toString('hex');
+      sandbox.stub(openwhiskCompileHttpEvents, 'generateAuthString', () => auth_string);
+
+      return openwhiskCompileHttpEvents.addWebAnnotations().then(() => {
+        expect(openwhiskCompileHttpEvents.serverless.service.functions.a.annotations).to.deep.equal({ 'web-export': true, 'require-whisk-auth': auth_string })
+        expect(openwhiskCompileHttpEvents.serverless.service.functions.b.annotations).to.deep.equal({ foo: 'bar', 'web-export': true, 'require-whisk-auth': auth_string })
+        expect(openwhiskCompileHttpEvents.serverless.service.functions.c.annotations).to.deep.equal({ 'web-export': true, 'require-whisk-auth': auth_string })
+        expect(openwhiskCompileHttpEvents.serverless.service.functions.d.annotations).to.deep.equal({ 'web-export': true, 'require-whisk-auth': auth_string })
+      })
+    });
+
+    it('should not add auth annotation when annotation already present', () => {
+      openwhiskCompileHttpEvents.serverless.service.functions = {
+        a: { events: [ { http: true } ], annotations: { 'require-whisk-auth': false } },
+        b: { events: [ { http: true } ], annotations: { 'require-whisk-auth': true } },
+        c: { events: [ { http: true } ], annotations: { 'require-whisk-auth': 'some string' } }
+      }
+
       return openwhiskCompileHttpEvents.addWebAnnotations().then(() => {
-        expect(openwhiskCompileHttpEvents.serverless.service.functions.a.annotations).to.deep.equal({ 'web-export': true })
-        expect(openwhiskCompileHttpEvents.serverless.service.functions.b.annotations).to.deep.equal({ foo: 'bar', 'web-export': true })
-        expect(openwhiskCompileHttpEvents.serverless.service.functions.c.annotations).to.deep.equal({ 'web-export': true })
-        expect(openwhiskCompileHttpEvents.serverless.service.functions.d.annotations).to.deep.equal({ 'web-export': true })
+        expect(openwhiskCompileHttpEvents.serverless.service.functions.a.annotations).to.deep.equal({ 'web-export': true, 'require-whisk-auth': false })
+        expect(openwhiskCompileHttpEvents.serverless.service.functions.b.annotations).to.deep.equal({ 'web-export': true, 'require-whisk-auth': true })
+        expect(openwhiskCompileHttpEvents.serverless.service.functions.c.annotations).to.deep.equal({ 'web-export': true, 'require-whisk-auth': 'some string' })
       })
     });
 
@@ -152,6 +171,16 @@ describe('OpenWhiskCompileHttpEvents', () => {
       return expect(result).to.deep.equal({basepath: '/my-service', relpath: '/api/foo/bar', operation: 'GET', action: '/sample_ns/my-service_action-name', responsetype: 'json'});
     });
 
+    it('should add secure auth key if present', () => {
+      openwhiskCompileHttpEvents.serverless.service.service = 'my-service' 
+      openwhiskCompileHttpEvents.serverless.service.provider = {namespace: "sample_ns"};
+      const http =  {path: "/api/foo/bar", method: "GET"}
+      const result = openwhiskCompileHttpEvents.compileHttpEvent('action-name', {
+        annotations: { 'require-whisk-auth': 'auth-token' }
+      }, http);
+      return expect(result).to.deep.equal({basepath: '/my-service', relpath: '/api/foo/bar', operation: 'GET', secure_key: 'auth-token', action: '/sample_ns/my-service_action-name', responsetype: 'json'});
+    });
+
     it('should define http events with explicit response type', () => {
       openwhiskCompileHttpEvents.serverless.service.service = 'my-service' 
       openwhiskCompileHttpEvents.serverless.service.provider = {namespace: "sample_ns"};
diff --git a/package.json b/package.json
@@ -37,7 +37,7 @@
     "jszip": "^3.1.3",
     "lodash": "^4.17.4",
     "moment": "^2.16.0",
-    "openwhisk": "^3.4.0"
+    "openwhisk": "^3.15.0"
   },
   "devDependencies": {
     "chai-as-promised": "^6.0.0",

Original file line number	Diff line number	Diff line change
`@@ -711,6 +711,8 @@ Date: Mon, 19 Dec 2016 15:47:53 GMT`
`711`	`711`	`}`
`712`	`712`	````
`713`	`713`
	`714`	+Functions exposed through the API Gateway service are automatically converted into Web Actions during deployment. The framework [secures Web Actions for HTTP endpoints](https://github.com/apache/incubator-openwhisk/blob/master/docs/webactions.md#securing-web-actions) using the `require-whisk-auth` annotation. If the `require-whisk-auth` annotation is manually configured, the existing annotation value is used, otherwise a random token is automatically generated.
	`715`	`+`
`714`	`716`	`## Exporting Web Actions`
`715`	`717`
`716`	`718`	Functions can be turned into "web actions" which return HTTP content without use of an API Gateway. This feature is enabled by setting an annotation (`web-export`) in the configuration file.