Merge pull request #516 from awslabs/bucket-sniping-fix

Backend fix

Author: ichuckyi

cloudformation/template.yaml

@@ -1253,6 +1253,7 @@ Resources:
           AdminsGroupName: !Join ['', [!Ref 'AWS::StackName', 'AdminsGroup']]
           RegisteredGroupName: !Sub '${AWS::StackName}-RegisteredGroup'
           DevelopmentMode: !Ref DevelopmentMode
+          SourceAccount: !Ref AWS::AccountId
       # Adds the API as a trigger
       Events:
         ProxyApiRoot:
@@ -1714,6 +1715,7 @@ Resources:
       Environment:
         Variables:
           BucketName: !Ref ArtifactsS3BucketName
+          SourceAccount: !Ref AWS::AccountId
       Layers:
         - !Ref LambdaCommonLayer
 
@@ -1738,6 +1740,7 @@ Resources:
       Environment:
         Variables:
           StaticBucketName: !Ref ArtifactsS3BucketName
+          SourceAccount: !Ref AWS::AccountId
       Layers:
         - !Ref LambdaCommonLayer
 
@@ -2074,6 +2077,7 @@ Resources:
           RegisteredGroup: !Ref CognitoRegisteredGroup
           CustomersTable: !Ref CustomersTable
           FeedbackTable: !If [EnableFeedbackSubmission, !Ref FeedbackTable, !Ref AWS::NoValue]
+          SourceAccount: !Ref AWS::AccountId
 
 
 Outputs:

lambdas/backend/__tests__/routes/admin/catalog/sdkGeneration.js

@@ -67,13 +67,15 @@ describe('idempotentSdkGenerationUpdate', () => {
 
     process.env.StaticBucketName = 'staticBucketName'
     process.env.CatalogUpdaterFunctionArn = 'somebigfunctionarn'
+    process.env.SourceAccount = '123412341234'
 
     await sdkGeneration.idempotentSdkGenerationUpdate(true, 'apiid_stagename', res)
 
     expect(util.s3.getObject).toHaveBeenCalledTimes(1)
     expect(util.s3.getObject).toHaveBeenCalledWith({
       Bucket: 'staticBucketName',
-      Key: 'sdkGeneration.json'
+      Key: 'sdkGeneration.json',
+      ExpectedBucketOwner: '123412341234'
     })
 
     expect(util.s3.upload).toHaveBeenCalledTimes(1)
@@ -83,7 +85,8 @@ describe('idempotentSdkGenerationUpdate', () => {
       Body: JSON.stringify({
         apiid_stagename: true,
         otherapiid_otherstagename: false
-      })
+      }),
+      ExpectedBucketOwner: '123412341234'
     })
 
     expect(util.lambda.invoke).toHaveBeenCalledTimes(1)
@@ -111,13 +114,15 @@ describe('idempotentSdkGenerationUpdate', () => {
 
     process.env.StaticBucketName = 'staticBucketName'
     process.env.CatalogUpdaterFunctionArn = 'somebigfunctionarn'
+    process.env.SourceAccount = '123412341234'
 
     await sdkGeneration.idempotentSdkGenerationUpdate(true, 'apiid_stagename', res)
 
     expect(util.s3.getObject).toHaveBeenCalledTimes(1)
     expect(util.s3.getObject).toHaveBeenCalledWith({
       Bucket: 'staticBucketName',
-      Key: 'sdkGeneration.json'
+      Key: 'sdkGeneration.json',
+      ExpectedBucketOwner: '123412341234'
     })
 
     expect(util.s3.upload).toHaveBeenCalledTimes(1)
@@ -127,7 +132,8 @@ describe('idempotentSdkGenerationUpdate', () => {
       Body: JSON.stringify({
         otherapiid_otherstagename: false,
         apiid_stagename: true
-      })
+      }),
+      ExpectedBucketOwner: '123412341234'
     })
 
     expect(util.lambda.invoke).toHaveBeenCalledTimes(1)
@@ -156,13 +162,15 @@ describe('idempotentSdkGenerationUpdate', () => {
 
     process.env.StaticBucketName = 'staticBucketName'
     process.env.CatalogUpdaterFunctionArn = 'somebigfunctionarn'
+    process.env.SourceAccount = '123412341234'
 
     await sdkGeneration.idempotentSdkGenerationUpdate(false, 'apiid_stagename', res)
 
     expect(util.s3.getObject).toHaveBeenCalledTimes(1)
     expect(util.s3.getObject).toHaveBeenCalledWith({
       Bucket: 'staticBucketName',
-      Key: 'sdkGeneration.json'
+      Key: 'sdkGeneration.json',
+      ExpectedBucketOwner: '123412341234'
     })
 
     expect(util.s3.upload).toHaveBeenCalledTimes(0)

lambdas/backend/__tests__/routes/admin/catalog/visibility.js

@@ -405,6 +405,7 @@ describe('POST /admin/catalog/visibility', () => {
     util.lambda.invoke = jest.fn().mockReturnValue(promiser())
 
     process.env.StaticBucketName = 'myBucket'
+    process.env.SourceAccount = '123412341234'
 
     await adminCatalogVisibility.post(req, mockResponseObject)
 
@@ -422,7 +423,8 @@ describe('POST /admin/catalog/visibility', () => {
       Key: 'catalog/a1b2c3_prod.json',
       Body: Buffer.from(JSON.stringify({
         info: { title: 'swagger document' }
-      }))
+      })),
+      ExpectedBucketOwner: '123412341234'
     })
 
     expect(mockResponseObject.status).toHaveBeenCalledWith(200)
@@ -443,6 +445,7 @@ describe('POST /admin/catalog/visibility', () => {
     util.lambda.invoke = jest.fn().mockReturnValue(promiser())
 
     process.env.StaticBucketName = 'myBucket'
+    process.env.SourceAccount = '123412341234'
 
     await adminCatalogVisibility.post(req, mockResponseObject)
 
@@ -460,7 +463,8 @@ describe('POST /admin/catalog/visibility', () => {
       Key: 'catalog/unsubscribable_a1b2c3_prod.json',
       Body: Buffer.from(JSON.stringify({
         info: { title: 'swagger document' }
-      }))
+      })),
+      ExpectedBucketOwner: '123412341234'
     })
 
     expect(mockResponseObject.status).toHaveBeenCalledWith(200)
@@ -475,13 +479,15 @@ describe('POST /admin/catalog/visibility', () => {
     util.lambda.invoke = jest.fn().mockReturnValue(promiser())
 
     process.env.StaticBucketName = 'myPail'
+    process.env.SourceAccount = '123412341234'
 
     await adminCatalogVisibility.post(req, mockResponseObject)
 
     expect(util.s3.upload).toHaveBeenCalledWith({
       Bucket: 'myPail',
       Key: `catalog/${hash({ info: { title: 'swagger document' } })}.json`,
-      Body: Buffer.from(JSON.stringify({ info: { title: 'swagger document' } }))
+      Body: Buffer.from(JSON.stringify({ info: { title: 'swagger document' } })),
+      ExpectedBucketOwner: '123412341234'
     })
 
     expect(mockResponseObject.status).toHaveBeenCalledWith(200)
@@ -531,16 +537,19 @@ describe('DELETE /admin/catalog/visibility/:id', () => {
     util.s3.deleteObject = jest.fn().mockReturnValue(promiser())
 
     process.env.StaticBucketName = 'myOtherBucket'
+    process.env.SourceAccount = '123412341234'
 
     await adminCatalogVisibility.delete(req, mockResponseObject)
 
     expect(util.s3.deleteObject).toHaveBeenCalledWith({
       Bucket: 'myOtherBucket',
-      Key: 'catalog/unsubscribable_a1b2c3_prod.json'
+      Key: 'catalog/unsubscribable_a1b2c3_prod.json',
+      ExpectedBucketOwner: '123412341234'
     })
     expect(util.s3.deleteObject).toHaveBeenCalledWith({
       Bucket: 'myOtherBucket',
-      Key: 'catalog/a1b2c3_prod.json'
+      Key: 'catalog/a1b2c3_prod.json',
+      ExpectedBucketOwner: '123412341234'
     })
 
     expect(mockResponseObject.status).toHaveBeenCalledWith(200)
@@ -554,16 +563,19 @@ describe('DELETE /admin/catalog/visibility/:id', () => {
     util.s3.deleteObject = jest.fn().mockReturnValue(promiser())
 
     process.env.StaticBucketName = 'myOtherBucket'
+    process.env.SourceAccount = '123412341234'
 
     await adminCatalogVisibility.delete(req, mockResponseObject)
 
     expect(util.s3.deleteObject).toHaveBeenCalledWith({
       Bucket: 'myOtherBucket',
-      Key: 'catalog/unsubscribable_a1b2c3_unmatched.json'
+      Key: 'catalog/unsubscribable_a1b2c3_unmatched.json',
+      ExpectedBucketOwner: '123412341234'
     })
     expect(util.s3.deleteObject).toHaveBeenCalledWith({
       Bucket: 'myOtherBucket',
-      Key: 'catalog/a1b2c3_unmatched.json'
+      Key: 'catalog/a1b2c3_unmatched.json',
+      ExpectedBucketOwner: '123412341234'
     })
 
     expect(mockResponseObject.status).toHaveBeenCalledWith(200)
@@ -577,12 +589,14 @@ describe('DELETE /admin/catalog/visibility/:id', () => {
     util.s3.deleteObject = jest.fn().mockReturnValue(promiser())
 
     process.env.StaticBucketName = 'anotherBucket'
+    process.env.SourceAccount = '123412341234'
 
     await adminCatalogVisibility.delete(req, mockResponseObject)
 
     expect(util.s3.deleteObject).toHaveBeenCalledWith({
       Bucket: 'anotherBucket',
-      Key: 'catalog/somebighash123456.json'
+      Key: 'catalog/somebighash123456.json',
+      ExpectedBucketOwner: '123412341234'
     })
 
     expect(mockResponseObject.status).toHaveBeenCalledWith(200)

lambdas/backend/__tests__/util.js

@@ -160,12 +160,13 @@ describe('backend/util', () => {
       util.s3.getObject = jest.fn().mockReturnValue(promiser(response))
 
       setEnv('StaticBucketName', 'test-bucket')
+      setEnv('SourceAccount', '123412341234')
 
       const result = await util.catalog()
 
       expect(util.s3.getObject).toBeCalledTimes(1)
       expect(util.s3.getObject).toBeCalledWith(
-        expect.objectContaining({ Bucket: 'test-bucket', Key: 'catalog.json' })
+        expect.objectContaining({ Bucket: 'test-bucket', Key: 'catalog.json', ExpectedBucketOwner: '123412341234' })
       )
       expect(result).toMatchObject(catalog)
     })
@@ -182,6 +183,7 @@ describe('backend/util', () => {
       util.s3.getObject = jest.fn().mockReturnValue(promiser(null, response))
 
       setEnv('StaticBucketName', 'test-bucket')
+      setEnv('SourceAccount', '123412341234')
 
       // Suppress error messages - we're expecting an error here.
       console.error = () => {}
@@ -190,7 +192,7 @@ describe('backend/util', () => {
 
       expect(util.s3.getObject).toBeCalledTimes(1)
       expect(util.s3.getObject).toBeCalledWith(
-        expect.objectContaining({ Bucket: 'test-bucket', Key: 'catalog.json' })
+        expect.objectContaining({ Bucket: 'test-bucket', Key: 'catalog.json', ExpectedBucketOwner: '123412341234' })
       )
       expect(result).toMatchObject(catalog)
     })
@@ -203,6 +205,7 @@ describe('backend/util', () => {
       util.s3.getObject = jest.fn().mockReturnValue(promiser(null, response))
 
       setEnv('StaticBucketName', 'test-bucket')
+      setEnv('SourceAccount', '123412341234')
 
       // Suppress error messages - we're expecting an error here.
       console.error = () => {}
@@ -211,7 +214,7 @@ describe('backend/util', () => {
 
       expect(util.s3.getObject).toBeCalledTimes(1)
       expect(util.s3.getObject).toBeCalledWith(
-        expect.objectContaining({ Bucket: 'test-bucket', Key: 'catalog.json' })
+        expect.objectContaining({ Bucket: 'test-bucket', Key: 'catalog.json', ExpectedBucketOwner: '123412341234' })
       )
     })
   })

lambdas/backend/routes/admin/catalog/sdkGeneration.js

@@ -19,7 +19,8 @@ exports.idempotentSdkGenerationUpdate = async (parity, id, res) => {
   const sdkGeneration =
     JSON.parse((await util.s3.getObject({
       Bucket: process.env.StaticBucketName,
-      Key: 'sdkGeneration.json'
+      Key: 'sdkGeneration.json',
+      ExpectedBucketOwner: process.env.SourceAccount
     }).promise()).Body)
 
   if (sdkGeneration[id] !== parity) {
@@ -28,7 +29,8 @@ exports.idempotentSdkGenerationUpdate = async (parity, id, res) => {
     await util.s3.upload({
       Bucket: process.env.StaticBucketName,
       Key: 'sdkGeneration.json',
-      Body: JSON.stringify(sdkGeneration)
+      Body: JSON.stringify(sdkGeneration),
+      ExpectedBucketOwner: process.env.SourceAccount
     }).promise()
 
     // call catalogUpdater to build a fresh catalog.json that includes changes from sdkGeneration.json

lambdas/backend/routes/admin/catalog/visibility.js

@@ -156,14 +156,14 @@ async function uploadFile (file, body) {
   console.log('upload bucket: ', process.env.StaticBucketName)
   console.log('upload key: ', file)
   console.log('upload body length: ', body.byteLength)
-  await util.s3.upload({ Bucket: process.env.StaticBucketName, Key: file, Body: body }).promise()
+  await util.s3.upload({ Bucket: process.env.StaticBucketName, Key: file, Body: body, ExpectedBucketOwner: process.env.SourceAccount }).promise()
   await catalogUpdate()
 }
 
 async function deleteFile (file) {
   console.log('remove bucket: ', process.env.StaticBucketName)
   console.log('remove key: ', file)
-  await util.s3.deleteObject({ Bucket: process.env.StaticBucketName, Key: file }).promise()
+  await util.s3.deleteObject({ Bucket: process.env.StaticBucketName, Key: file, ExpectedBucketOwner: process.env.SourceAccount }).promise()
   await catalogUpdate()
 }
 

lambdas/backend/util.js

@@ -77,7 +77,8 @@ exports.catalog = () => {
   // function when the user updates the catalog. This led to confusing behavior, so I removed it.
   const params = {
     Bucket: process.env.StaticBucketName,
-    Key: 'catalog.json'
+    Key: 'catalog.json',
+    ExpectedBucketOwner: process.env.SourceAccount
   }
 
   console.log(`params: ${JSON.stringify(params, null, 4)}`)

lambdas/catalog-updater/__tests__/catalog-updater-test.js

@@ -203,13 +203,15 @@ describe('handler', () => {
     setMock(index.s3, 'getObject', opts => promiser({ Body: Buffer.from(JSON.stringify(files[opts.Key])) }))
     setMock(index.s3, 'upload', () => promiser())
     setEnv('BucketName', 'TestBucket')
+    setEnv('SourceAccount', '123412341234')
 
     await index.handler({})
     expect(index.s3.upload).toBeCalledWith({
       Bucket: 'TestBucket',
       Key: 'catalog.json',
       Body: JSON.stringify(expectedCatalog),
-      ContentType: 'application/json'
+      ContentType: 'application/json',
+      ExpectedBucketOwner: '123412341234'
     })
   })
 })

lambdas/catalog-updater/index.js

@@ -50,7 +50,8 @@ function swaggerFileFilter (file) {
 async function getSwaggerFile (file) {
   const params = {
     Bucket: bucketName,
-    Key: file.Key
+    Key: file.Key,
+    ExpectedBucketOwner: process.env.SourceAccount
   }
 
   const s3Repr = await exports.s3.getObject(params).promise()
@@ -190,7 +191,7 @@ async function handler (event, context) {
   bucketName = process.env.BucketName
 
   const sdkGeneration = JSON.parse(
-    (await exports.s3.getObject({ Bucket: bucketName, Key: 'sdkGeneration.json' }).promise())
+    (await exports.s3.getObject({ Bucket: bucketName, Key: 'sdkGeneration.json', ExpectedBucketOwner: process.env.SourceAccount }).promise())
       .Body.toString()
   )
   console.log(`sdkGeneration: ${inspectStringify(sdkGeneration)}`)
@@ -207,8 +208,8 @@ async function handler (event, context) {
   while (true) {
     const listObjectsResult = await exports.s3.listObjectsV2(
       token != null
-        ? { Bucket: bucketName, Prefix: 'catalog/', ContinuationToken: token }
-        : { Bucket: bucketName, Prefix: 'catalog/' }
+        ? { Bucket: bucketName, Prefix: 'catalog/', ContinuationToken: token, ExpectedBucketOwner: process.env.SourceAccount }
+        : { Bucket: bucketName, Prefix: 'catalog/', ExpectedBucketOwner: process.env.SourceAccount }
     ).promise()
 
     for (const file of listObjectsResult.Contents) {
@@ -234,7 +235,8 @@ async function handler (event, context) {
     Bucket: bucketName,
     Key: 'catalog.json',
     Body: JSON.stringify(catalog),
-    ContentType: 'application/json'
+    ContentType: 'application/json',
+    ExpectedBucketOwner: process.env.SourceAccount
   }
 
   await exports.s3.upload(params).promise()