@platformatic/watt-extra 1.13.0-alpha.1 → 1.13.0-alpha.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/plugins/auth.js +6 -1
- package/test/auth.test.js +39 -0
package/package.json
CHANGED
package/plugins/auth.js
CHANGED
|
@@ -48,7 +48,12 @@ async function resolveEcsIdentity (log) {
|
|
|
48
48
|
if (!res.ok) throw new Error(`status ${res.status}`)
|
|
49
49
|
const meta = await res.json()
|
|
50
50
|
const id = meta.TaskARN?.split('/').pop()
|
|
51
|
-
|
|
51
|
+
// meta.Cluster may be either the short name or the full cluster ARN
|
|
52
|
+
// (e.g. 'arn:aws:ecs:us-east-1:123456789012:cluster/my-cluster'). We
|
|
53
|
+
// strip down to the short name so callers can interpolate it into
|
|
54
|
+
// URL paths without producing extra path segments.
|
|
55
|
+
const cluster = meta.Cluster
|
|
56
|
+
const namespace = cluster?.includes('/') ? cluster.split('/').pop() : cluster
|
|
52
57
|
if (!id || !namespace) throw new Error('TaskARN or Cluster missing in metadata')
|
|
53
58
|
log.info({ id, namespace }, 'Resolved ECS task identity')
|
|
54
59
|
return { id, namespace }
|
package/test/auth.test.js
CHANGED
|
@@ -214,3 +214,42 @@ test('auth plugin sends ECS identity headers when running on ECS', async (t) =>
|
|
|
214
214
|
equal(responseBody.headers['x-ecs-cluster'], 'my-cluster')
|
|
215
215
|
equal(responseBody.headers.authorization, undefined, 'No Authorization header on ECS')
|
|
216
216
|
})
|
|
217
|
+
|
|
218
|
+
test('auth plugin strips cluster ARN to short name in x-ecs-cluster header', async (t) => {
|
|
219
|
+
const originalEnv = { ...process.env }
|
|
220
|
+
|
|
221
|
+
t.after(() => {
|
|
222
|
+
process.env = originalEnv
|
|
223
|
+
})
|
|
224
|
+
|
|
225
|
+
// ECS task metadata sometimes returns the full cluster ARN in the Cluster
|
|
226
|
+
// field. ICC interpolates this value into URL paths, so the short name
|
|
227
|
+
// (which contains no slashes) is the only safe form to send.
|
|
228
|
+
const metadata = fastify()
|
|
229
|
+
metadata.get('/task', async () => ({
|
|
230
|
+
TaskARN: 'arn:aws:ecs:us-east-1:123456789012:task/my-cluster/abcdef0123',
|
|
231
|
+
Cluster: 'arn:aws:ecs:us-east-1:123456789012:cluster/my-cluster'
|
|
232
|
+
}))
|
|
233
|
+
await metadata.listen({ port: 0 })
|
|
234
|
+
const metadataUrl = `http://localhost:${metadata.server.address().port}`
|
|
235
|
+
t.after(() => metadata.close())
|
|
236
|
+
|
|
237
|
+
process.env.ECS_CONTAINER_METADATA_URI_V4 = metadataUrl
|
|
238
|
+
|
|
239
|
+
const server = fastify()
|
|
240
|
+
server.get('/', async (request) => {
|
|
241
|
+
return { headers: request.headers }
|
|
242
|
+
})
|
|
243
|
+
await server.listen({ port: 0 })
|
|
244
|
+
const url = `http://localhost:${server.server.address().port}`
|
|
245
|
+
t.after(() => server.close())
|
|
246
|
+
|
|
247
|
+
const app = createMockApp('ecs')
|
|
248
|
+
await authPlugin(app)
|
|
249
|
+
|
|
250
|
+
equal(app.machineIdentity?.namespace, 'my-cluster', 'Namespace should be stripped to cluster short name')
|
|
251
|
+
|
|
252
|
+
const response = await request(url, { dispatcher: app.dispatcher })
|
|
253
|
+
const responseBody = await response.body.json()
|
|
254
|
+
equal(responseBody.headers['x-ecs-cluster'], 'my-cluster')
|
|
255
|
+
})
|