Migrate Serverless-java-container to aws-lambda-java-events #584
Conversation
|
We identified new issues on unchanged lines of code. Navigate to the Amazon CodeGuru Reviewer console to view the recommendations to fix them. |
| import java.util.stream.Collectors; | ||
| import java.util.stream.Stream; | ||
|
|
||
| public class AwsAlbHttpServletRequest extends AwsHttpServletRequest{ |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
This class references 46 other classes. By comparison, 98% of the classes in the CodeGuru reference dataset reference fewer. This indicates that this class is highly coupled with other classes. A class that is highly coupled with other classes is difficult to understand and its behavior might change unexpectedly when one of its referenced classes is updated. High coupling could also increase the integration test complexity, maintenance cost and technical debt. We recommend that you simplify this class or break it into multiple classes.
There was a problem hiding this comment.
I think breaking this class into multiple classes will add more confusion and make it difficult to understand. This implementation is quite similar to already existing classes like AwsHttpApiV2ProxyHttpServletRequest and AwsProxyHttpServletRequest.
There was a problem hiding this comment.
Can we reduce duplicate code? There is a lot copy/paste from AwsProxyHttpServletRequest. We can run mvn pmd:cpd for a report.
mbfreder
force-pushed
the
java-events
branch
2 times, most recently
from
8430ff4
to
a71db17
Compare
| @@ -94,7 +94,7 @@ public String getAuthenticationScheme() { | |||
| if (event.getRequestContext().getAuthorizer() == null) { | |||
| return null; | |||
| } | |||
| if (event.getRequestContext().getAuthorizer().isJwt()) { | |||
| if (event.getRequestContext().getAuthorizer().getJwt() != null) { //TODO: Confirm | |||
There was a problem hiding this comment.
Updated. Thanks Roger.
| case ALB: | ||
| return event.getMultiValueHeaders().getFirst(ALB_IDENTITY_HEADER); | ||
| } | ||
| return event.getRequestContext().getAuthorizer().get("principalId").toString(); // TODO: Check later |
| } | ||
|
|
||
| request.setPath(stripBasePath(request.getPath(), config)); | ||
| if (request.getMultiValueHeaders() != null && request.getMultiValueHeaders().get(HttpHeaders.CONTENT_TYPE) != null && request.getMultiValueHeaders().get(HttpHeaders.CONTENT_TYPE).get(0) != null) { //TODO: check |
| @@ -195,7 +194,7 @@ public String getQueryString() { | |||
| return this.generateQueryString( | |||
| request.getMultiValueQueryStringParameters(), | |||
| // ALB does not automatically decode parameters, so we don't want to re-encode them | |||
| request.getRequestSource() != RequestSource.ALB, | |||
| true, //request.getRequestSource() != RequestSource.ALB, TODO: check | |||
| @@ -49,17 +52,17 @@ public HttpServletRequest readRequest(AwsProxyRequest request, SecurityContext s | |||
| } | |||
|
|
|||
| request.setPath(stripBasePath(request.getPath(), config)); | |||
| if (request.getMultiValueHeaders() != null && request.getMultiValueHeaders().getFirst(HttpHeaders.CONTENT_TYPE) != null) { | |||
| String contentType = request.getMultiValueHeaders().getFirst(HttpHeaders.CONTENT_TYPE); | |||
| if (request.getMultiValueHeaders() != null && request.getMultiValueHeaders().get(HttpHeaders.CONTENT_TYPE) != null && request.getMultiValueHeaders().get(HttpHeaders.CONTENT_TYPE).get(0) != null) { //TODO: check | |||
| } | ||
| AwsProxyHttpServletRequest servletRequest = new AwsProxyHttpServletRequest(request, lambdaContext, securityContext, config); | ||
| servletRequest.setServletContext(servletContext); | ||
| servletRequest.setAttribute(API_GATEWAY_CONTEXT_PROPERTY, request.getRequestContext()); | ||
| servletRequest.setAttribute(API_GATEWAY_STAGE_VARS_PROPERTY, request.getStageVariables()); | ||
| servletRequest.setAttribute(API_GATEWAY_EVENT_PROPERTY, request); | ||
| servletRequest.setAttribute(ALB_CONTEXT_PROPERTY, request.getRequestContext().getElb()); | ||
| //servletRequest.setAttribute(ALB_CONTEXT_PROPERTY, request.getRequestContext().getElb()); TODO: elb |
|
|
||
| assertThat(req.getHeaders().get("accept"), is("*")); | ||
| assertThat(req.getHeaders().get("accept"), is("*")); //TODO: Move this to alb specific test file, if any. |
There was a problem hiding this comment.
I think I left many of these TODOs after my initial changes. Some were around ALB references that wasn't clear what was the best option at the time
| import java.util.stream.Collectors; | ||
| import java.util.stream.Stream; | ||
|
|
||
| public class AwsAlbHttpServletRequest extends AwsHttpServletRequest{ |
There was a problem hiding this comment.
Can we reduce duplicate code? There is a lot copy/paste from AwsProxyHttpServletRequest. We can run mvn pmd:cpd for a report.
| case ALB: | ||
| return event.getMultiValueHeaders().getFirst(ALB_IDENTITY_HEADER); | ||
| } | ||
| return event.getRequestContext().getAuthorizer().get("principalId").toString(); |
There was a problem hiding this comment.
Please define a constant for principalId (ideally it should be provided by aws-lambda-events lib).
| return null; | ||
| }; | ||
| } | ||
|
|
||
| if (getAuthenticationScheme().equals(AUTH_SCHEME_COGNITO_POOL)) { | ||
| return new CognitoUserPoolPrincipal(event.getRequestContext().getAuthorizer().getClaims()); | ||
| return new CognitoUserPoolPrincipal((Map<String, String>) event.getRequestContext().getAuthorizer().get("claims")); |
There was a problem hiding this comment.
Please define a constant (ideally it should be provided by aws-lambda-events lib).
| if (event.getMultiValueHeaders().containsKey(ALB_ACESS_TOKEN_HEADER)) { | ||
| return AUTH_SCHEME_CUSTOM; | ||
| } | ||
| if (event.getRequestContext().getAuthorizer() != null && ((Map<String, String>) event.getRequestContext().getAuthorizer().get("claims")).get("sub") != null) { |
| claims = c; | ||
| } | ||
|
|
||
| @Override | ||
| public String getName() { | ||
| return claims.getSubject(); | ||
| return claims.get("sub"); |
| } | ||
|
|
||
| return new StringBuilder().append("null") | ||
| .append(".execute-api.") |
There was a problem hiding this comment.
this is for API-Gateway but not for ALB
There was a problem hiding this comment.
I used the same logic and tweaked it to make this test pass, since ALB's request context doesn't have an API ID. Is there a better way to do it?
| @@ -16,6 +16,7 @@ | |||
| import com.fasterxml.jackson.annotation.JsonInclude; | |||
| import com.fasterxml.jackson.annotation.JsonProperty; | |||
|
|
|||
| import java.util.List; | |||
There was a problem hiding this comment.
AwsProxyResponse should be moved to src/test/java
| @@ -17,7 +17,7 @@ | |||
| <properties> | |||
| <spring.version>6.0.9</spring.version> | |||
| <springboot.version>3.1.0</springboot.version> | |||
| <springsecurity.version>6.1.0</springsecurity.version> | |||
| <springsecurity.version>6.0.3</springsecurity.version> | |||
There was a problem hiding this comment.
this downgrade seems to be a merge error
There was a problem hiding this comment.
Yes. Thanks for pointing that out.
| * @param valueSeparator The separator to be used for parsing header values | ||
| * @return A list of SimpleMapEntry objects with all of the possible values for the header. | ||
| */ | ||
| protected static List<AwsHttpServletRequest.HeaderValue> parseHeaderValue(String headerValue, String valueSeparator, String qualifierSeparator) { |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
The cyclomatic complexity of this method is 13. By comparison, 98% of the methods in the CodeGuru reference dataset have a lower cyclomatic complexity. This indicates the method has a high number of decisions and it can make the logic difficult to understand and test.
We recommend that you simplify this method or break it into multiple methods. For example, consider extracting the code block on lines 439-447 into a separate method.
| import static com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest.cleanUri; | ||
| import static com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest.decodeRequestPath; | ||
|
|
||
| public class AwsHttpServletRequestHelper { |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
This class references 45 other classes. By comparison, 98% of the classes in the CodeGuru reference dataset reference fewer. This indicates that this class is highly coupled with other classes. A class that is highly coupled with other classes is difficult to understand and its behavior might change unexpectedly when one of its referenced classes is updated. High coupling could also increase the integration test complexity, maintenance cost and technical debt. We recommend that you simplify this class or break it into multiple classes.
There was a problem hiding this comment.
Could you please rebase on main?
We could use the opportunity and move some of the helping methods to https://github.com/aws/aws-lambda-java-libs/tree/events-v4-serialization-v2 so that other users of that library benefit from it as well. In addition this would reduce the amount of code here.
| @@ -169,7 +176,7 @@ | |||
| <version>${dependencyCheck.version}</version> | |||
| <configuration> | |||
| <skipProvidedScope>true</skipProvidedScope> | |||
| <failBuildOnCVSS>7</failBuildOnCVSS> | |||
| <failBuildOnCVSS>8</failBuildOnCVSS> | |||
There was a problem hiding this comment.
The issue was related to a false positive. The CVE has been updated so it's no longer required.
There was a problem hiding this comment.
Hmm just noticed https://nvd.nist.gov/vuln/detail/CVE-2023-35116 came back today. FasterXML/jackson-databind#3972 is closed.
Let me add a suppression for it...
|
|
||
| @Override | ||
| public Enumeration<String> getHeaders(String s) { | ||
| return AwsHttpServletRequestHelper.getHeaders(request.getMultiValueHeaders(), s); |
There was a problem hiding this comment.
Both AwsAlbHttpServletRequest and AwsProxyHttpServletRequest extend AwsHttpServletRequest. Instead of overriding all methods twice in subclasses and delegating to the helper, this should be done in AwsHttpServletRequest directly.
There was a problem hiding this comment.
AwsHttpServletRequest doesn't have access to the underlying request objects. I can't think of a way to move the methods there if I can't access the request objects (APIGatewayProxyRequestEvent and ApplicationLoadBalancerRequestEvent).
| @@ -22,11 +22,11 @@ Resources: | |||
| Type: HttpApi | |||
| Properties: | |||
| TimeoutInMillis: 20000 | |||
| PayloadFormatVersion: '1.0' | |||
| # PayloadFormatVersion: '1.0' | |||
| @@ -265,7 +265,7 @@ | |||
| <version>${dependencyCheck.version}</version> | |||
| <configuration> | |||
| <skipProvidedScope>true</skipProvidedScope> | |||
| <failBuildOnCVSS>7</failBuildOnCVSS> | |||
| <failBuildOnCVSS>8</failBuildOnCVSS> | |||
HttpApiV2ProxyRequest -> APIGatewayV2HTTPEvent
Migration to aws-lambda-java-events
These frameworks are not supported by 2.0, but we remove references to HttpApiV2ProxyRequest anyway.
- Replaced string literals with constants
…ind vulnerability - Created a helper class to reduce duplicated code in AwsAlbHttpServletRequest
Rebased on main. |
Issue #, if available:
Description of changes:
By submitting this pull request