
App sync Web socket pass authorization extension not working #8832

Open
umangshrestha opened this issue Aug 6, 2023 · 5 comments
Assignees
Labels
aws:appsync AWS AppSync status: in progress Currently being worked on status: stale To be closed soon due to staleness type: bug Bug report

Comments

@umangshrestha
umangshrestha commented Aug 6, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I have a GraphQL API with a subscription linked to a mutation.
Schema:

schema {
    subscription: Subscription
}
type Subscription @aws_lambda @aws_api_key @aws_iam {
    onChanges(filter: String): Insight
        @aws_subscribe(mutations: ["mutate"])
}
$ awslocal appsync list-graphql-apis
{
    "graphqlApis": [
        {
            "name": "insight-delivery",
            "apiId": "d4c07aa64a5746ac92f434d200",
            "authenticationType": "API_KEY",
            "logConfig": {
                "fieldLogLevel": "ALL",
                "cloudWatchLogsRoleArn": "arn:aws:iam::000000000000:role/InsightsDeliveryServiceRole"
            },
            "arn": "arn:aws:appsync:us-east-1:000000000000:apis/d4c07aa64a5746ac92f434d200",
            "uris": {
                "GRAPHQL": "http://d4c07aa64a5746ac92f434d200.appsync-api.localhost.localstack.cloud:4566/graphql",
                "REALTIME": "ws://localhost:4510/graphql/d4c07aa64a5746ac92f434d200"
            },
            "tags": {},
            "additionalAuthenticationProviders": [
                {
                    "authenticationType": "AWS_LAMBDA",
                    "lambdaAuthorizerConfig": {
                        "authorizerResultTtlInSeconds": 3600,
                        "authorizerUri": "arn:aws:lambda:us-east-1:000000000000:function:insight_graphql_authorizer",
                        "identityValidationExpression": "^Bearer [-0-9a-zA-Z._]*$"
                    }
                },
                {
                    "authenticationType": "AWS_IAM"
                }
            ],
            "xrayEnabled": true
        }
    ]
}
  1. It doesn't allow me to connect with subprotocol graphql-ws
$ wscat -c 'ws://localhost:4510/graphql/d4c07aa64a5746ac92f434d200?header=eyJ4LXVzZXItaWQiOiJYU1hNUFlITU1FNFgiLCJob3N0IjoibG9jYWxob3N0OjQ1MTAiLCJ4LWFwaS1rZXkiOiI2ZDU5ZThiMiJ9&payload=e30='   
/opt/homebrew/lib/node_modules/wscat/node_modules/ws/lib/websocket.js:660
    throw new RangeError(
    ^
RangeError: Unsupported protocol version: NaN (supported versions: 8, 13)
  2. I want to send an extension like I do with AppSync.
{
    'id': '1',
    'type': 'start',
    'payload': {
        'extensions': {
            'authorization': {
                'host': urlparse(ws_url).netloc,
                'x-api-key': api_key,
            }
        },
        'data': json.dumps({
            "query": """
            subscription {
                onChanges {
                    a
                    b
                    c
                    d
                }
            }""",
        }),
    },
}

But I get the following error.

LOG.debug('Parsing and building schema: %s'%E);H=parse_and_build_schema(E);I=FieldResolverContext(D,F,graphql_query=B,functions=functions,auth_context=auth_context,schema=H);LOG.debug('Running GraphQL executor for query: %s',B);J=graphql_sync(H,B,I,variable_values=C);N=GraphQLExecutionResult(result=J.data,errors=J.errors,resolved_fields=I.resolved_fields);return N
  3. Based on the example https://github.com/localstack/localstack-pro-samples/blob/master/appsync-graphql-api/websocket_client.py: when I just send the subscription I get the obvious access denied.
   if not K:raise NotAuthorizedError(f"Access denied - {G}")
2023-08-05 21:42:14 localstack_main  | localstack_ext.services.appsync.models.NotAuthorizedError: Access denied - Auth results (['iam', 'lambda', 'api_key', 'cognito']): [AuthorizationContext(status=<AuthorizationStatus.deny: 2>, authorizer_type='iam', extra={'reason': "'NoneType' object has no attribute 'partition'"}), AuthorizationContext(status=<AuthorizationStatus.deny: 2>, authorizer_type='lambda', extra={}), AuthorizationContext(status=<AuthorizationStatus.deny: 2>, authorizer_type='api_key', extra={'reason': "Missing API key in request headers for invocation of AppSync API 'd4c07aa64a5746ac92f434d200'"}), AuthorizationContext(status=<AuthorizationStatus.neutral: 3>, authorizer_type='cognito', extra={})]

Expected Behavior

If possible I want it to follow the appsync flow:

$ wscat -c 'WSS_URLgraphql/realtime?header=<BASE64_HEADER>&payload=e30=' -s graphql-ws 

and I send authorization like

{
    'id': '1',
    'type': 'start',
    'payload': {
        'extensions': {
            'authorization': {
                'host': urlparse(ws_url).netloc,
                'x-api-key': api_key,
            }
        },
        'data': json.dumps({
            "query": """
            subscription echoer {
                onInsightChanges {
                    a
                    b
                    c
                    d
                }
            }""",
        }),
    },
}

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)

version: "3.8"

services:
  localstack:
    container_name: "${LOCALSTACK_DOCKER_NAME-localstack_main}"
    image: localstack/localstack-pro:2.1.0 # required for Pro
    ports:
      - "127.0.0.1:4566:4566"            # LocalStack Gateway
      - "127.0.0.1:4510-4559:4510-4559"  # external services port range
      - "127.0.0.1:53:53"                # DNS config (required for Pro)
      - "127.0.0.1:53:53/udp"            # DNS config (required for Pro)
      - "127.0.0.1:443:443"              # LocalStack HTTPS Gateway (required for Pro)
    environment:
      - DEBUG=${DEBUG-}
      - PERSISTENCE=${PERSISTENCE-}
      - LOCALSTACK_API_KEY=${LOCALSTACK_API_KEY-}  # required for Pro
      - LAMBDA_DOCKER_FLAGS= -e LOCALSTACK_TEST_MODE=${LOCALSTACK_TEST_MODE} -e PRIMARY_TEST_USERID=${PRIMARY_TEST_USERID} --add-host=host.docker.internal:host-gateway  # We need this because emulator runs outside of localstack's docker
      - GRAPHQL_ENDPOINT_STRATEGY=domain
      - DOCKER_HOST=unix:///var/run/docker.sock
    volumes:
      - "${LOCALSTACK_VOLUME_DIR:-./volume}:/var/lib/localstack"
      - "/var/run/docker.sock:/var/run/docker.sock"

Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)

awslocal s3 mb s3://mybucket

export AWS_ACCESS_KEY_ID=test
export AWS_SECRET_ACCESS_KEY=test
export AWS_DEFAULT_REGION=us-east-1

# run localstack in debug mode
export DEBUG=1

# Enable persistence by uncommenting below line to persist resources across multiple re-starts
export PERSISTENCE=1

# lambda flags
export LOCALSTACK_TEST_MODE=True

Environment

- OS: Mac 13.4.1
- LocalStack: 2.2.0

Anything else?

No response

@umangshrestha umangshrestha added status: triage needed Requires evaluation by maintainers type: bug Bug report labels Aug 6, 2023
@localstack-bot
Collaborator

Welcome to LocalStack! Thanks for reporting your first issue and our team will be working towards fixing the issue for you or reach out for more background information. We recommend joining our Slack Community for real-time help and drop a message to LocalStack Pro Support if you are a Pro user! If you are willing to contribute towards fixing this issue, please have a look at our contributing guidelines and our contributing guide.

@simonrw simonrw added the aws:appsync AWS AppSync label Aug 7, 2023
@simonrw simonrw self-assigned this Aug 9, 2023
@simonrw
Contributor
simonrw commented Aug 9, 2023

Hi @umangshrestha, thanks for reporting this issue to us. There is indeed a parity gap between our AppSync implementation and the AWS behaviour. In particular, I've noticed that the messages required for the initial handshake are absent in our implementation.

This being said, I do not have a problem connecting to the websocket endpoint of a LocalStack AppSync instance. I am replicating your wscat invocation, where the header is the base64-encoded value of

{
  "host": "<api id>.appsync-api.localhost.localstack.cloud:4566",
  "x-api-key": "<api key>"
}

Have you tried connecting with the urlparse(api_url).netloc instead of urlparse(ws_url).netloc?
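The pieces this thread keeps circling around (the base64 `header`/`payload` query parameters, the `host` value that must match the GraphQL API host rather than the realtime host, the `start` message carrying `extensions.authorization`, and the `connection_init`/`connection_ack` handshake simonrw mentions), assembled and checked offline. This is an added example, not code from the issue, from localstack-pro-samples, or from LocalStack/AWS. It assumes the endpoints printed by `awslocal appsync list-graphql-apis` above, a placeholder API key, and the standard AppSync realtime message type names (`connection_init`, `connection_ack`, `ka`, `start`, `start_ack`, `data`, `error`, `connection_error`); no network connection is made.

```python
# Added example for this issue thread; not code from the issue, from
# localstack-pro-samples, or from LocalStack/AWS. Builds and checks the
# AppSync realtime WebSocket authorization pieces without connecting anywhere.
import base64
import json
from urllib.parse import urlparse

# Sample values: API id and endpoints are the ones from the issue's
# `awslocal appsync list-graphql-apis` output; the key is a placeholder.
API_URL = "http://d4c07aa64a5746ac92f434d200.appsync-api.localhost.localstack.cloud:4566/graphql"
REALTIME_URL = "ws://localhost:4510/graphql/d4c07aa64a5746ac92f434d200"
API_KEY = "da2-PLACEHOLDER-KEY"  # placeholder, not a real key


def encode_b64_json(obj) -> str:
    """Compact JSON -> standard base64; an empty payload `{}` becomes 'e30='."""
    return base64.b64encode(json.dumps(obj, separators=(",", ":")).encode()).decode()


def decode_b64_json(value: str) -> dict:
    """Inverse of encode_b64_json, used to inspect a header taken from a URL."""
    return json.loads(base64.b64decode(value))


def authorization_header(api_url: str, api_key: str) -> dict:
    """The `host` must be the GraphQL API host, i.e. urlparse(api_url).netloc,
    not the host of the realtime (ws://) endpoint."""
    return {"host": urlparse(api_url).netloc, "x-api-key": api_key}


def connection_url(realtime_url: str, api_url: str, api_key: str) -> str:
    """URL for the WebSocket client; `-s graphql-ws` is still passed to wscat separately."""
    header = encode_b64_json(authorization_header(api_url, api_key))
    payload = encode_b64_json({})
    return f"{realtime_url}?header={header}&payload={payload}"


def header_host_matches(header_b64: str, api_url: str) -> bool:
    """Pre-flight check: does the encoded header name the GraphQL API host?"""
    return decode_b64_json(header_b64).get("host") == urlparse(api_url).netloc


def start_message(msg_id: str, api_url: str, api_key: str, query: str, variables=None) -> dict:
    """The `start` frame: the same authorization object rides in extensions."""
    return {
        "id": msg_id,
        "type": "start",
        "payload": {
            "extensions": {"authorization": authorization_header(api_url, api_key)},
            "data": json.dumps({"query": query, "variables": variables or {}}),
        },
    }


def next_state(state: str, server_msg: dict) -> str:
    """Client-side view of the handshake: after connection_init wait for
    connection_ack; only then send start and wait for start_ack.
    Anything unexpected for the current state is a failure."""
    kind = server_msg.get("type")
    if kind == "ka":                      # keep-alive is legal at any time
        return state
    if state == "init_sent" and kind == "connection_ack":
        return "ready"
    if state == "start_sent" and kind == "start_ack":
        return "subscribed"
    if state == "subscribed" and kind == "data":
        return "subscribed"
    return "fail"                         # covers error / connection_error


def run_handshake(server_replies: list) -> str:
    """Drive next_state over scripted server replies, starting right after
    connection_init was sent; the client sends start once it is 'ready'."""
    state = "init_sent"
    for reply in server_replies:
        state = next_state(state, reply)
        if state == "ready":
            state = "start_sent"          # start_message(...) would be sent here
        if state == "fail":
            break
    return state


if __name__ == "__main__":
    print(connection_url(REALTIME_URL, API_URL, API_KEY))
    print(json.dumps(start_message("1", API_URL, API_KEY, "subscription { onChanges { a } }"), indent=2))
```

Decoding the `header=` value from the wscat command in the issue with `decode_b64_json` shows its `host` is `localhost:4510`, the realtime host, which is exactly what the question about `urlparse(api_url).netloc` is getting at. Note that the API key travels in the URL query string, so realtime URLs land in proxy and server access logs and should be handled as secrets.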

@umangshrestha
Author

Hello, I have attempted the method earlier and observed the following: The addition of meta information, such as headers and payloads, does not work in the retrieval of subscription messages. Nonetheless, I am able to establish a WebSocket connection.

@simonrw simonrw removed the status: triage needed Requires evaluation by maintainers label Aug 18, 2023
@baermat baermat added the status: in progress Currently being worked on label Aug 31, 2023
@localstack-bot
Collaborator

Hello 👋! It looks like this issue hasn’t been active in longer than five months. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

@localstack-bot localstack-bot added the status: stale To be closed soon due to staleness label Jan 28, 2024
@simonrw simonrw removed the status: stale To be closed soon due to staleness label Jan 28, 2024
@localstack-bot
Collaborator

Hello 👋! It looks like this issue hasn’t been active in longer than five months. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

@localstack-bot localstack-bot added the status: stale To be closed soon due to staleness label Jun 26, 2024