Reprovision Storage Integration test backend #256
Conversation
lawmicha
changed the title
lawmicha
changed the title
...FunctionalTests/BlogPostCommentGraphQLWithAPIKey/BlogPostCommentGraphQLWithAPIKeyTests.swift
Show resolved
Hide resolved
| @@ -19,8 +20,8 @@ class AWSS3StoragePluginAccessLevelTests: AWSS3StoragePluginTestBase { | |||
|
|
|||
| // This is a run once function to set up users then use console to verify and run rest of these tests. | |||
| func testSetUpOnce() { | |||
| signUpUser(username: user1) | |||
| signUpUser(username: user2) | |||
| AuthHelper.signUpUser(username: user1, password: password) | |||
There was a problem hiding this comment.
We need to move the password out of the source file and into a setup run from the CLI. As it stands, if an attacker obtains our user pool ID (which remember is not considered sensitive), they could use the test storage bucket to store and distribute files.
There was a problem hiding this comment.
depending on what the attacker obtains, couldn't they also just create their own user as well? I thought that if awsconfiguration.json and amplifyconfiguration.json is never exposed then we are good, and the username and password for this user is specific for the user pool and wouldn't provide any value to the attacker.
if we need to move this out, i can follow a similar pattern and have another file like credentials.json that gets pulled down like https://github.com/aws-amplify/aws-sdk-ios/blob/f3967e2e2a648e8a114ef5dd50bef5e075668693/AWSAuthSDK/AWSAuthSDKTestAppUITests/AWSDropInUIUserPoolTests.swift#L24
There was a problem hiding this comment.
We treat things like pool IDs with different sensitivity than credentials like password. (e.g., we may log a user pool ID). A credentials.json pattern or similar would be one way to protect that, but let's talk about it IRL to make sure we don't end up with a catch-all for "everything that doesn't fit in a config file." :)
If this test is setting up something that allows guest access, we need to have some controls in place to ensure we don't have unauthorized access to our bucket. Again, let's discuss IRL.
There was a problem hiding this comment.
discussed with tim and in the current state of things, we'll do a couple of things to make things more secure and less prone to abuse:
- credentials.json to contain user/pass. this can be stored in the same pattern as the configuration files, ie.
AWSS3StorageIntegrationTests-credentials.json. - Not as urgent for API plugin but will do the same
- add
*credentials.jsonto .gitignore - bucket policy updated to expire asap, looks like 1 day is the shortest possible.
- The tests need to be prone to parallel execution. S3 keys defined in the tests should contain some unique identifier. there are many cases where the tests may be run in parallel. Multiple circleCI runs and developer using test account locally (though ideally developer should create their own resources using the readme instructions).
AmplifyPlugins/Storage/AWSS3StoragePluginFunctionalTests/AWSS3StoragePluginTestBase.swift
Outdated
Show resolved
Hide resolved
| @@ -13,8 +13,8 @@ class AuthHelper { | |||
| let callbackInvoked = DispatchSemaphore(value: 0) | |||
|
|
|||
| AWSMobileClient.default().initialize { userState, error in | |||
| if let error = error { | |||
| fatalError("Error initializing AWSMobileClient. Error: \(error.localizedDescription)") | |||
| if let error = error as? AWSMobileClientError { | |||
There was a problem hiding this comment.
Why only fatal on AWSMobileClientErrors?
There was a problem hiding this comment.
i didn't think AWSMobileClient returns anything other than AWSMobileClientErrors, so i was casting to it and extracting the message out for a friendly local debugging message
There was a problem hiding this comment.
I follow your logic, but it relies a lot of knowledge of the code paths that lead up to this, which in AWSMobileClient is a little fraught right now. Consider a pattern that logs the message if it's an AWSMobielClientError and the localizedDescription otherwise.
There was a problem hiding this comment.
adding check for AWSMobileClientError, else fatalError with localizedDescription
AmplifyPlugins/Storage/AWSS3StoragePluginFunctionalTests/README.md
Outdated
Show resolved
Hide resolved
AmplifyPlugins/Storage/AWSS3StoragePluginFunctionalTests/AWSS3StoragePluginTestBase.swift
Outdated
Show resolved
Hide resolved
lawmicha
force-pushed
the
lawmicha/has-syncable-flag
branch
2 times, most recently
from
fcc497a to
f3b683c
Compare
- Moved AuthHelper to AmplifyTestCommon for API and Storage tests - Adding readme for integration test set up
lawmicha
force-pushed
the
lawmicha/storage-reprovision
branch
from
7fe0c7d to
2ea82d4
Compare
- Storage tests use unique UUIDs as keys to allow parallel execution - updated README with credentials.json structure - Added for API's GraphQLWithUserPool tests as well
| let credentials = try TestConfigHelper.retrieveCredentials( | ||
| forResource: GraphQLWithUserPoolIntegrationTests.credentials) | ||
|
|
||
| if credentials["user1"] == nil || credentials["password"] == nil { |
There was a problem hiding this comment.
nit: prefer guard let when you're trying to get actual values:
guard let userName = credentials["user1"], let password = credentials["password"] else {...}| @@ -42,18 +56,19 @@ class GraphQLWithUserPoolIntegrationTests: XCTestCase { | |||
| Amplify.reset() | |||
| } | |||
|
|
|||
| let user1 = "[email protected]" | |||
| let password = "Abc123@@!!" | |||
|
|
|||
| // This is a run once function to set up users then use console to verify and run rest of these tests. | |||
| func testSetUpOnce() { | |||
There was a problem hiding this comment.
Since running this by itself isn't sufficient to actually provision the test user, let's remove it altogether in favor of including CLI commands or console instructions in the test setup README.
There was a problem hiding this comment.
updating readme with instructions on setting up a user and removing disabled method
|
|
||
| override func setUp() { | ||
| do { | ||
|
|
||
| let credentials = try TestConfigHelper.retrieveCredentials( |
There was a problem hiding this comment.
Put this into the static setUp since you only have to read the credentials file once
| override func setUp() { | ||
| do { | ||
|
|
||
| let credentials = try TestConfigHelper.retrieveCredentials(forResource: AWSS3StoragePluginTestBase.credentials) |
There was a problem hiding this comment.
make this a static set up method?
Major changes
Minor changes
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.