Lambda: improve function name and qualifier validation #11366

gregfurman · 2024-08-16T14:06:18Z

Motivation

Current validation checks for Lambda function names did not account for some invalid regex combinations as well as length limits for FunctionName differing between request types. This will add tests ensuring a wider range of invalid FunctionName and Qualfier combinations are caught.

Changes

The Lambda Provider:

Remove validation checks from create_function in favour of api_utils.get_name_and_qualifier
Use improved qualifier validation and better account for invalid qualifier edge-case for DeleteFunction

The API utils api_utils.py:

Conduct name validations in the get_name_and_qualifier -- which is ubiquitously used across the Lambda provider and should enact these checks.
Account for operation type when running validate_function_name (accounting specifically for CreateFunction, DeleteFunction, Invoke, and GetFunction) with sensible defaults being used elsewhere.
Add new validate_qualifier and construct_validation_exception_message

The Lambda API tests:

Added new test test_function_name_and_qualifier_validation which accounts for a wide range of possible exception cases when attempting validation.

Testing

The below is a test table showing all scenarios tested for CreateFunction, DeleteFunction GetFunction and Invoke test types.

Some considerations:

The "Negative Version Number" and "Incomplete ARN" test skips the create_function request.
The "Function Name Too Long" test will only fail validation for create_function request -- with ResourceNotFoundException being thrown for othe types. None are skipped to ensure parity with AWS.

Name	Function Name	Qualifier	Skipped Requests
Invalid Function Name	`my-function!`	N/A	None
Invalid Qualifier	`my-function`	`invalid!`	None
Invalid Account ID	`invalid-account:function:my-function`	N/A	None
Invalid Region in ARN	`arn:aws:lambda:invalid-region:{account_id}:function:my-function`	N/A	None
Non-Lambda ARN	`arn:aws:ec2:{region_name}:{account_id}:instance:i-1234567890abcdef0`	N/A	None
Function Name Too Long	`"a" * max_length`	N/A	None
Long Name, Invalid Region	`arn:aws:lambda:invalid-region:{account_id}:function:my-function["a" * max_length]`	N/A	None
Long ARN & Qualifier, Invalid Region	`arn:aws:lambda:invalid-region:{account_id}:function:my-function-["a" * max_length]`	`"a" * max_length`	None
Long Qualifier	`my-function`	`"a" * max_length`	None
Multiple Qualifiers in ARN	`arn:aws:lambda:{region_name}:{account_id}:function:my-function:1:2`	N/A	None
Negative Version Number	`my-function`	`-1`	`create_function`
Incomplete ARN	`arn:aws:lambda:{region_name}:{account_id}:function`	N/A	`create_function`
Partial ARN, Extra Qualifier	`function:my-function:$LATEST:extra`	N/A	None
Latest Ver, Add'l Qualifier	`arn:aws:lambda:{region_name}:{account_id}:function:my-function:$LATEST`	`1`	None
Lowercase Latest Qualifier	`arn:aws:lambda:{region_name}:{account_id}:function:my-function`	`$latest`	None
Missing Region in ARN	`arn:aws:lambda::{account_id}:function:my-function`	N/A	None
Missing Account ID in ARN	`arn:aws:lambda:{region_name}::function:my-function`	N/A	None
Misspelled Latest in ARN	`arn:aws:lambda:{region_name}:{account_id}:function:my-function:$LATES`	N/A	None

Additional Pipelines

LocalStack Pro: IAM Policies Enforced

ext: Partial run against tests in aws/tests/lambda_ and with ENFORCE_IAM enabled at GitHub workflow
ENV: ENFORCE_IAM=1

LocalStack Community: Multi-Account and Multi-Region

multi: Multi-region/account build at CircleCI pipeline.

TODO

What's left to do:

Ensure a multi-account and multi-region test can run for this PR
Runs against LocalStack Pro version with IAM enforcement enabled

Potential future works

Extend the operations being tested beyond CreateFunction, DeleteFunction, GetFunction, and Invoke
Look into improving test-coverage and support for multi-account and multi-region operations for the provider.

github-actions · 2024-08-16T14:49:58Z

LocalStack Community integration with Pro

2 files ± 0 2 suites ±0 1h 13m 55s ⏱️ - 21m 54s
2 495 tests - 844 2 194 ✅ - 751 301 💤 - 93 0 ❌ ±0
2 497 runs - 844 2 194 ✅ - 751 303 💤 - 93 0 ❌ ±0

Results for commit b6f8a0e. ± Comparison against base commit 0063912.

This pull request removes 916 and adds 72 tests. Note that renamed tests count towards both.

tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_lambda_dynamodb
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_opensearch_crud
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_search_books
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_setup
tests.aws.scenario.kinesis_firehose.test_kinesis_firehose.TestKinesisFirehoseScenario ‑ test_kinesis_firehose_s3
tests.aws.scenario.lambda_destination.test_lambda_destination_scenario.TestLambdaDestinationScenario ‑ test_destination_sns
tests.aws.scenario.lambda_destination.test_lambda_destination_scenario.TestLambdaDestinationScenario ‑ test_infra
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_prefill_dynamodb_table
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input0-SUCCEEDED]
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input1-SUCCEEDED]
…

tests.aws.services.lambda_.test_lambda_api.TestLambdaFunction ‑ test_function_name_and_qualifier_validation[full_arn_and_qualifier_too_long_and_invalid_region-create_function]
tests.aws.services.lambda_.test_lambda_api.TestLambdaFunction ‑ test_function_name_and_qualifier_validation[full_arn_and_qualifier_too_long_and_invalid_region-delete_function]
tests.aws.services.lambda_.test_lambda_api.TestLambdaFunction ‑ test_function_name_and_qualifier_validation[full_arn_and_qualifier_too_long_and_invalid_region-get_function]
tests.aws.services.lambda_.test_lambda_api.TestLambdaFunction ‑ test_function_name_and_qualifier_validation[full_arn_and_qualifier_too_long_and_invalid_region-invoke]
tests.aws.services.lambda_.test_lambda_api.TestLambdaFunction ‑ test_function_name_and_qualifier_validation[full_arn_with_multiple_qualifiers-create_function]
tests.aws.services.lambda_.test_lambda_api.TestLambdaFunction ‑ test_function_name_and_qualifier_validation[full_arn_with_multiple_qualifiers-delete_function]
tests.aws.services.lambda_.test_lambda_api.TestLambdaFunction ‑ test_function_name_and_qualifier_validation[full_arn_with_multiple_qualifiers-get_function]
tests.aws.services.lambda_.test_lambda_api.TestLambdaFunction ‑ test_function_name_and_qualifier_validation[full_arn_with_multiple_qualifiers-invoke]
tests.aws.services.lambda_.test_lambda_api.TestLambdaFunction ‑ test_function_name_and_qualifier_validation[function_name_is_single_invalid-create_function]
tests.aws.services.lambda_.test_lambda_api.TestLambdaFunction ‑ test_function_name_and_qualifier_validation[function_name_is_single_invalid-delete_function]
…

This pull request removes 97 skipped tests and adds 4 skipped tests. Note that renamed tests count towards both.

tests.aws.scenario.kinesis_firehose.test_kinesis_firehose.TestKinesisFirehoseScenario ‑ test_kinesis_firehose_s3
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input4-FAILED]
tests.aws.scenario.mythical_mysfits.test_mythical_misfits.TestMythicalMisfitsScenario ‑ test_deployed_infra_state
tests.aws.scenario.mythical_mysfits.test_mythical_misfits.TestMythicalMisfitsScenario ‑ test_populate_data
tests.aws.scenario.mythical_mysfits.test_mythical_misfits.TestMythicalMisfitsScenario ‑ test_user_clicks_are_stored
tests.aws.services.cloudcontrol.test_cloudcontrol_api.TestCloudControlResourceApi ‑ test_api_exceptions
tests.aws.services.cloudcontrol.test_cloudcontrol_api.TestCloudControlResourceApi ‑ test_create_exceptions
tests.aws.services.cloudcontrol.test_cloudcontrol_api.TestCloudControlResourceApi ‑ test_create_invalid_desiredstate
tests.aws.services.cloudcontrol.test_cloudcontrol_api.TestCloudControlResourceApi ‑ test_double_create_with_client_token
tests.aws.services.cloudcontrol.test_cloudcontrol_api.TestCloudControlResourceApi ‑ test_lifecycle
…

tests.aws.services.lambda_.test_lambda_api.TestLambdaFunction ‑ test_function_name_and_qualifier_validation[function_name_too_long-invoke]
tests.aws.services.lambda_.test_lambda_api.TestLambdaFunction ‑ test_function_name_and_qualifier_validation[incomplete_arn-create_function]
tests.aws.services.lambda_.test_lambda_api.TestLambdaFunction ‑ test_function_name_and_qualifier_validation[incomplete_arn-invoke]
tests.aws.services.lambda_.test_lambda_api.TestLambdaFunction ‑ test_function_name_and_qualifier_validation[lowercase_latest_qualifier-delete_function]

♻️ This comment has been updated with latest results.

dfangl

Great first iteration! I found some issues with the validation, which would be nice to address before merging :)

localstack-core/localstack/services/lambda_/provider.py

localstack-core/localstack/services/lambda_/api_utils.py

tests/aws/services/lambda_/test_lambda_api.py

tests/aws/services/lambda_/test_lambda_api.validation.json

dfangl

LGTM now! Thanks for adding those changes!

FYI: We squash commits anyway on merging, so it is not necessary to force push for changes, and keep the commit count low. Personally, I find it is easier, especially for review, if you can see the changes done after a review in separate commits. Others might disagree with this, though 😅

gregfurman added this to the Playground milestone Aug 16, 2024

gregfurman marked this pull request as ready for review August 19, 2024 08:34

gregfurman requested review from joe4dev, dominikschubert and dfangl as code owners August 19, 2024 08:34

gregfurman self-assigned this Aug 19, 2024

gregfurman added semver: patch Non-breaking changes which can be included in patch releases aws:lambda AWS Lambda labels Aug 19, 2024

dfangl requested changes Aug 22, 2024

View reviewed changes

joe4dev mentioned this pull request Aug 22, 2024

[Lambda DevX] Introducing Lambda Debug Mode Config #11363

Merged

gregfurman force-pushed the fix/lambda-name-validation branch from 2979749 to 4b4362b Compare August 22, 2024 16:26

gregfurman requested a review from dfangl August 23, 2024 10:47

Lambda: improve function name and qualifier validation

b6f8a0e

gregfurman force-pushed the fix/lambda-name-validation branch from 4b4362b to b6f8a0e Compare August 26, 2024 10:17

dfangl approved these changes Aug 26, 2024

View reviewed changes

gregfurman merged commit ff1c31b into master Aug 26, 2024
34 checks passed

gregfurman deleted the fix/lambda-name-validation branch August 26, 2024 12:43

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Lambda: improve function name and qualifier validation #11366

Lambda: improve function name and qualifier validation #11366

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Lambda: improve function name and qualifier validation #11366

Lambda: improve function name and qualifier validation #11366

Uh oh!

Conversation

Uh oh!

Motivation

Changes

Testing

Additional Pipelines

LocalStack Pro: IAM Policies Enforced

LocalStack Community: Multi-Account and Multi-Region

TODO

Potential future works

Uh oh!

Uh oh!

LocalStack Community integration with Pro

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!