Add support to download hook target data for stack-level hooks

brianlaoaws · brianlaoaws · commit dd20afbebf18 · 2024-02-29T09:52:47.000-05:00
Stack level hooks will not be provided with invocation payload information, unlike resource level hooks. Instead, Hooks Service will pass in an S3 presigned URL that points to a file that contains the stack-level invocation payload. The base hook handler (before it reaches the customer's handler code), will use that URL to download the data and set it on the target model that is passed to the customer's handler.
diff --git a/src/main/java/software/amazon/cloudformation/HookAbstractWrapper.java b/src/main/java/software/amazon/cloudformation/HookAbstractWrapper.java
@@ -17,12 +17,18 @@
 import com.amazonaws.AmazonServiceException;
 import com.amazonaws.retry.RetryUtils;
 import com.fasterxml.jackson.core.type.TypeReference;
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.time.Instant;
+import java.util.Collections;
 import java.util.Date;
+import java.util.Map;
+
+import com.google.common.annotations.VisibleForTesting;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.exception.ExceptionUtils;
@@ -31,10 +37,15 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import software.amazon.awssdk.awscore.exception.AwsServiceException;
+import software.amazon.awssdk.http.HttpExecuteRequest;
+import software.amazon.awssdk.http.HttpExecuteResponse;
 import software.amazon.awssdk.http.HttpStatusCode;
 import software.amazon.awssdk.http.HttpStatusFamily;
 import software.amazon.awssdk.http.SdkHttpClient;
+import software.amazon.awssdk.http.SdkHttpMethod;
+import software.amazon.awssdk.http.SdkHttpRequest;
 import software.amazon.awssdk.http.apache.ApacheHttpClient;
+import software.amazon.awssdk.utils.IoUtils;
 import software.amazon.cloudformation.encryption.Cipher;
 import software.amazon.cloudformation.encryption.KMSCipher;
 import software.amazon.cloudformation.exceptions.BaseHandlerException;
@@ -63,6 +74,7 @@
 import software.amazon.cloudformation.proxy.hook.HookInvocationRequest;
 import software.amazon.cloudformation.proxy.hook.HookProgressEvent;
 import software.amazon.cloudformation.proxy.hook.HookRequestContext;
+import software.amazon.cloudformation.proxy.hook.HookRequestData;
 import software.amazon.cloudformation.proxy.hook.HookStatus;
 import software.amazon.cloudformation.resource.SchemaValidator;
 import software.amazon.cloudformation.resource.Serializer;
@@ -89,6 +101,9 @@ public abstract class HookAbstractWrapper<TargetT, CallbackT, ConfigurationT> {
     final SchemaValidator validator;
     final TypeReference<HookInvocationRequest<ConfigurationT, CallbackT>> typeReference;
 
+    final TypeReference<Map<String, Object>> hookStackPayloadS3TypeReference = new TypeReference<>() {
+    };
+
     private MetricsPublisher providerMetricsPublisher;
 
     private CloudWatchLogHelper cloudWatchLogHelper;
@@ -222,18 +237,20 @@ private ProgressEvent<TargetT, CallbackT> processInvocation(final JSONObject raw
 
         assert request != null : "Invalid request object received. Request object is null";
 
-        if (request.getRequestData() == null || request.getRequestData().getTargetModel() == null) {
-            throw new TerminalException("Invalid request object received. Target Model can not be null.");
-        }
-
-        // TODO: Include hook schema validation here after schema is finalized
+        boolean isPayloadRemote = isHookInvocationPayloadRemote(request.getRequestData());
 
         try {
             // initialise dependencies with platform credentials
             initialiseRuntime(request.getHookTypeName(), request.getRequestData().getProviderCredentials(),
                 request.getRequestData().getProviderLogGroupName(), request.getAwsAccountId(),
                 request.getRequestData().getHookEncryptionKeyArn(), request.getRequestData().getHookEncryptionKeyRole());
 
+            if (isPayloadRemote) {
+                Map<String, Object> targetModelData = retrieveHookInvocationPayloadFromS3(request.getRequestData().getPayload());
+
+                request.getRequestData().setTargetModel(targetModelData);
+            }
+
             // transform the request object to pass to caller
             HookHandlerRequest hookHandlerRequest = transform(request);
             ConfigurationT typeConfiguration = request.getHookModel();
@@ -366,6 +383,50 @@ private void writeResponse(final OutputStream outputStream, final HookProgressEv
         outputStream.flush();
     }
 
+    public Map<String, Object> retrieveHookInvocationPayloadFromS3(final String s3PresignedUrl) {
+        if (s3PresignedUrl != null) {
+            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+
+            try {
+                URL presignedUrl = new URL(s3PresignedUrl);
+                SdkHttpRequest httpRequest = SdkHttpRequest.builder().method(SdkHttpMethod.GET).uri(presignedUrl.toURI())
+                        .build();
+
+                HttpExecuteRequest executeRequest = HttpExecuteRequest.builder().request(httpRequest).build();
+
+                HttpExecuteResponse response = HTTP_CLIENT.prepareRequest(executeRequest).call();
+
+                response.responseBody().ifPresentOrElse(abortableInputStream -> {
+                    try {
+                        IoUtils.copy(abortableInputStream, byteArrayOutputStream);
+                    } catch (IOException e) {
+                        throw new RuntimeException(e);
+                    }
+                }, () -> loggerProxy.log("Hook invocation payload is empty."));
+
+                String str = byteArrayOutputStream.toString(StandardCharsets.UTF_8);
+
+                return this.serializer.deserialize(str, hookStackPayloadS3TypeReference);
+            } catch (Exception exp) {
+                loggerProxy.log("Failed to retrieve hook invocation payload" + exp.toString());
+            }
+        }
+        return Collections.emptyMap();
+    }
+
+    @VisibleForTesting
+    protected boolean isHookInvocationPayloadRemote(HookRequestData hookRequestData) {
+        if (hookRequestData == null || hookRequestData.getTargetModel() == null) {
+            throw new TerminalException("Invalid request object received. Target Model can not be null.");
+        }
+
+        if (hookRequestData.getTargetModel().isEmpty() && hookRequestData.getPayload() == null) {
+            throw new TerminalException("No payload data set.");
+        }
+
+        return hookRequestData.getTargetModel().isEmpty();
+    }
+
     /**
      * Transforms the incoming request to the subset of typed models which the
      * handler implementor needs
diff --git a/src/main/java/software/amazon/cloudformation/proxy/hook/HookRequestData.java b/src/main/java/software/amazon/cloudformation/proxy/hook/HookRequestData.java
@@ -29,6 +29,7 @@ public class HookRequestData {
     private String targetType;
     private String targetLogicalId;
     private Map<String, Object> targetModel;
+    private String payload;
     private String callerCredentials;
     private String providerCredentials;
     private String providerLogGroupName;
diff --git a/src/test/java/software/amazon/cloudformation/HookLambdaWrapperOverride.java b/src/test/java/software/amazon/cloudformation/HookLambdaWrapperOverride.java
@@ -19,6 +19,7 @@
 import java.nio.charset.StandardCharsets;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 import java.util.Queue;
 import lombok.Data;
 import lombok.EqualsAndHashCode;
@@ -46,6 +47,8 @@
 @EqualsAndHashCode(callSuper = true)
 public class HookLambdaWrapperOverride extends HookLambdaWrapper<TestModel, TestContext, TestConfigurationModel> {
 
+    private Map<String, Object> hookInvocationPayloadFromS3;
+
     /**
      * This .ctor provided for testing
      */
@@ -128,6 +131,15 @@ protected HookHandlerRequest transform(final HookInvocationRequest<TestConfigura
 
     public HookHandlerRequest transformResponse;
 
+    @Override
+    public Map<String, Object> retrieveHookInvocationPayloadFromS3(final String s3PresignedUrl) {
+        return hookInvocationPayloadFromS3;
+    }
+
+    public void setHookInvocationPayloadFromS3(Map<String, Object> input) {
+        hookInvocationPayloadFromS3 = input;
+    }
+
     @Override
     protected TypeReference<HookInvocationRequest<TestConfigurationModel, TestContext>> getTypeReference() {
         return new TypeReference<HookInvocationRequest<TestConfigurationModel, TestContext>>() {
diff --git a/src/test/java/software/amazon/cloudformation/HookLambdaWrapperTest.java b/src/test/java/software/amazon/cloudformation/HookLambdaWrapperTest.java
@@ -30,14 +30,23 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.CsvSource;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 import software.amazon.awssdk.http.SdkHttpClient;
 import software.amazon.cloudformation.encryption.KMSCipher;
+import software.amazon.cloudformation.exceptions.TerminalException;
 import software.amazon.cloudformation.injection.CredentialsProvider;
 import software.amazon.cloudformation.loggers.CloudWatchLogPublisher;
 import software.amazon.cloudformation.loggers.LogPublisher;
@@ -48,6 +57,7 @@
 import software.amazon.cloudformation.proxy.ProgressEvent;
 import software.amazon.cloudformation.proxy.hook.HookHandlerRequest;
 import software.amazon.cloudformation.proxy.hook.HookProgressEvent;
+import software.amazon.cloudformation.proxy.hook.HookRequestData;
 import software.amazon.cloudformation.proxy.hook.HookStatus;
 import software.amazon.cloudformation.proxy.hook.targetmodel.ChangedResource;
 import software.amazon.cloudformation.proxy.hook.targetmodel.StackHookTargetModel;
@@ -333,6 +343,22 @@ public void invokeHandler_WithStackLevelHook_returnsSuccess(final String request
 
         lenient().when(cipher.decryptCredentials(any())).thenReturn(new Credentials("123", "123", "123"));
 
+        wrapper.setHookInvocationPayloadFromS3(Map.of(
+                "Template", "template string here",
+                "PreviousTemplate", "previous template string here",
+                "ResolvedTemplate", "resolved template string here",
+                "ChangedResources", List.of(
+                        Map.of(
+                                "LogicalResourceId", "SomeLogicalResourceId",
+                                "ResourceType", "AWS::S3::Bucket",
+                                "Action", "CREATE",
+                                "LineNumber", 3,
+                                "ResourceProperties", "<Resource Properties as json string>",
+                                "PreviousResourceProperties", "<Resource Properties as json string>"
+                        )
+                )
+        ));
+
         try (final InputStream in = loadRequestStream(requestDataPath); final OutputStream out = new ByteArrayOutputStream()) {
             final Context context = getLambdaContext();
 
@@ -369,6 +395,30 @@ public void invokeHandler_WithStackLevelHook_returnsSuccess(final String request
         }
     }
 
+   @Test
+   public void testIsHookInvocationPayloadRemote() {
+        List<HookRequestData> invalidHookRequestDataObjects = ImmutableList.of(
+                HookRequestData.builder().targetModel(null).build(),
+                HookRequestData.builder().targetModel(null).payload(null).build(),
+                HookRequestData.builder().targetModel(Collections.emptyMap()).payload(null).build(),
+                HookRequestData.builder().targetModel(Collections.emptyMap()).payload(null).build()
+        );
+
+        invalidHookRequestDataObjects.forEach(requestData -> {
+            Assertions.assertThrows(TerminalException.class, () -> wrapper.isHookInvocationPayloadRemote(requestData));
+        });
+
+       Assertions.assertThrows(TerminalException.class, () -> wrapper.isHookInvocationPayloadRemote(null));
+
+       HookRequestData bothFieldsPopulated = HookRequestData.builder().targetModel(ImmutableMap.of("foo", "bar")).payload("http://s3PresignedUrl").build();
+       HookRequestData onlyTargetModelPopulated = HookRequestData.builder().targetModel(ImmutableMap.of("foo", "bar")).payload(null).build();
+       HookRequestData onlyPayloadPopulated = HookRequestData.builder().targetModel(Collections.emptyMap()).payload("http://s3PresignedUrl").build();
+
+       Assertions.assertFalse(wrapper.isHookInvocationPayloadRemote(bothFieldsPopulated));
+       Assertions.assertFalse(wrapper.isHookInvocationPayloadRemote(onlyTargetModelPopulated));
+       Assertions.assertTrue(wrapper.isHookInvocationPayloadRemote(onlyPayloadPopulated));
+   }
+
     private final String expectedStringWhenStrictDeserializingWithExtraneousFields = "Unrecognized field \"targetName\" (class software.amazon.cloudformation.proxy.hook.HookInvocationRequest), not marked as ignorable (10 known properties: \"requestContext\", \"stackId\", \"clientRequestToken\", \"hookModel\", \"hookTypeName\", \"requestData\", \"actionInvocationPoint\", \"awsAccountId\", \"changeSetId\", \"hookTypeVersion\"])\n"
         + " at [Source: (String)\"{\n" + "    \"clientRequestToken\": \"123456\",\n" + "    \"awsAccountId\": \"123456789012\",\n"
         + "    \"stackId\": \"arn:aws:cloudformation:us-east-1:123456789012:stack/SampleStack/e722ae60-fe62-11e8-9a0e-0ae8cc519968\",\n"
diff --git a/src/test/java/software/amazon/cloudformation/data/hook/preCreate.request.with-stack-level-hook.json b/src/test/java/software/amazon/cloudformation/data/hook/preCreate.request.with-stack-level-hook.json
@@ -14,21 +14,8 @@
         "targetName": "STACK",
         "targetType": "STACK",
         "targetLogicalId": "myStack",
-        "targetModel": {
-            "template": "template string here",
-            "previousTemplate": "previous template string here",
-            "resolvedTemplate": "resolved template string here",
-            "changedResources": [
-                {
-                    "LogicalResourceId": "SomeLogicalResourceId",
-                    "ResourceType": "AWS::S3::Bucket",
-                    "LineNumber": 3,
-                    "Action": "CREATE",
-                    "ResourceProperties": "<Resource Properties as json string>",
-                    "PreviousResourceProperties": "<Resource Properties as json string>"
-                }
-            ]
-        },
+        "targetModel": {},
+        "payload": "http://someS3PresignedUrl",
         "callerCredentials": "callerCredentials",
         "providerCredentials": "providerCredentials",
         "providerLogGroupName": "providerLoggingGroupName",
diff --git a/src/test/java/software/amazon/cloudformation/proxy/hook/targetmodel/HookTargetModelTest.java b/src/test/java/software/amazon/cloudformation/proxy/hook/targetmodel/HookTargetModelTest.java
@@ -222,11 +222,11 @@ public void testStackHookTargetModel() throws Exception {
         Assertions.assertEquals(changedResources, targetModel.getChangedResources());
         Assertions.assertNull(targetModel.getHookTargetTypeReference());
         Assertions.assertEquals(
-            "{\"Template\":\"{\\\"key1\\\":\\\"value1\\\"}\",\"PreviousTemplate\":\"{\\\"previousKey1\\\":\\\"" +
-                    "previousValue1\\\"}\",\"ResolvedTemplate\":\"{\\\"resolvedKey1\\\":\\\"resolvedValue1\\\"}\",\"ChangedResources\"" +
-                    ":[{\"LogicalResourceId\":\"SomeLogicalResourceId\",\"ResourceType\":\"AWS::S3::Bucket\",\"LineNumber\":" +
-                    "11,\"Action\":\"CREATE\",\"ResourceProperties\":\"{\\\"BucketName\\\": \\\"some-bucket-name\\\"\"," +
-                    "\"PreviousResourceProperties\":\"{\\\"BucketName\\\": \\\"some-prev-bucket-name\\\"\"}]}",
+            "{\"Template\":\"{\\\"key1\\\":\\\"value1\\\"}\",\"PreviousTemplate\":\"{\\\"previousKey1\\\":\\\""
+                + "previousValue1\\\"}\",\"ResolvedTemplate\":\"{\\\"resolvedKey1\\\":\\\"resolvedValue1\\\"}\",\"ChangedResources\""
+                + ":[{\"LogicalResourceId\":\"SomeLogicalResourceId\",\"ResourceType\":\"AWS::S3::Bucket\",\"LineNumber\":"
+                + "11,\"Action\":\"CREATE\",\"ResourceProperties\":\"{\\\"BucketName\\\": \\\"some-bucket-name\\\"\","
+                + "\"PreviousResourceProperties\":\"{\\\"BucketName\\\": \\\"some-prev-bucket-name\\\"\"}]}",
             OBJECT_MAPPER.writeValueAsString(targetModel));
     }
 
@@ -252,14 +252,12 @@ public void testStackHookTargetModelWithAdditionalPropertiesInInput() throws Exc
         Assertions.assertEquals(changedResources, targetModel.getChangedResources());
         Assertions.assertNull(targetModel.getHookTargetTypeReference());
 
-        Assertions.assertEquals(
-            "{\"Template\":\"{\\\"key1\\\":\\\"value1\\\"}\",\"PreviousTemplate\":\"{\\\"previousKey1\\\":" +
-                    "\\\"previousValue1\\\"}\",\"ResolvedTemplate\":\"{\\\"resolvedKey1\\\":\\\"resolvedValue1\\\"}\"," +
-                    "\"ChangedResources\":[{\"LogicalResourceId\":\"SomeLogicalResourceId\",\"ResourceType\":" +
-                    "\"AWS::S3::Bucket\",\"LineNumber\":11,\"Action\":\"CREATE\",\"ResourceProperties\":\"{" +
-                    "\\\"BucketName\\\": \\\"some-bucket-name\\\"\",\"PreviousResourceProperties\":\"{\\\"BucketName\\\":" +
-                    " \\\"some-prev-bucket-name\\\"\"}]}",
-            OBJECT_MAPPER.writeValueAsString(targetModel));
+        Assertions.assertEquals("{\"Template\":\"{\\\"key1\\\":\\\"value1\\\"}\",\"PreviousTemplate\":\"{\\\"previousKey1\\\":"
+            + "\\\"previousValue1\\\"}\",\"ResolvedTemplate\":\"{\\\"resolvedKey1\\\":\\\"resolvedValue1\\\"}\","
+            + "\"ChangedResources\":[{\"LogicalResourceId\":\"SomeLogicalResourceId\",\"ResourceType\":"
+            + "\"AWS::S3::Bucket\",\"LineNumber\":11,\"Action\":\"CREATE\",\"ResourceProperties\":\"{"
+            + "\\\"BucketName\\\": \\\"some-bucket-name\\\"\",\"PreviousResourceProperties\":\"{\\\"BucketName\\\":"
+            + " \\\"some-prev-bucket-name\\\"\"}]}", OBJECT_MAPPER.writeValueAsString(targetModel));
     }
 
     @Test
@@ -282,11 +280,11 @@ public void testStackHookTargetModelWithMissingPropertiesInInput() throws Except
         Assertions.assertEquals(changedResources, targetModel.getChangedResources());
         Assertions.assertNull(targetModel.getHookTargetTypeReference());
         Assertions.assertEquals(
-            "{\"Template\":\"{\\\"key1\\\":\\\"value1\\\"}\",\"PreviousTemplate\":null,\"ResolvedTemplate\":" +
-                    "\"{\\\"resolvedKey1\\\":\\\"resolvedValue1\\\"}\",\"ChangedResources\":[{\"LogicalResourceId\":" +
-                    "\"SomeLogicalResourceId\",\"ResourceType\":\"AWS::S3::Bucket\",\"LineNumber\":null,\"Action\":" +
-                    "\"CREATE\",\"ResourceProperties\":\"{\\\"BucketName\\\": \\\"some-bucket-name\\\"\"," +
-                    "\"PreviousResourceProperties\":\"{\\\"BucketName\\\": \\\"some-prev-bucket-name\\\"\"}]}",
+            "{\"Template\":\"{\\\"key1\\\":\\\"value1\\\"}\",\"PreviousTemplate\":null,\"ResolvedTemplate\":"
+                + "\"{\\\"resolvedKey1\\\":\\\"resolvedValue1\\\"}\",\"ChangedResources\":[{\"LogicalResourceId\":"
+                + "\"SomeLogicalResourceId\",\"ResourceType\":\"AWS::S3::Bucket\",\"LineNumber\":null,\"Action\":"
+                + "\"CREATE\",\"ResourceProperties\":\"{\\\"BucketName\\\": \\\"some-bucket-name\\\"\","
+                + "\"PreviousResourceProperties\":\"{\\\"BucketName\\\": \\\"some-prev-bucket-name\\\"\"}]}",
             OBJECT_MAPPER.writeValueAsString(targetModel));
     }
 
