Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@aws-cdk/integ-tests-alpha
Advanced tools
The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
This library is meant to be used in combination with the integ-runner CLI to enable users to write and execute integration tests for AWS CDK Constructs.
An integration test should be defined as a CDK application, and there should be a 1:1 relationship between an integration test and a CDK application.
So for example, in order to create an integration test called my-function
we would need to create a file to contain our integration test application.
test/integ.my-function.ts
const app = new App();
const stack = new Stack();
new lambda.Function(stack, 'MyFunction', {
runtime: lambda.Runtime.NODEJS_LATEST,
handler: 'index.handler',
code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),
});
This is a self contained CDK application which we could deploy by running
cdk deploy --app 'node test/integ.my-function.js'
In order to turn this into an integration test, all that is needed is to
use the IntegTest
construct.
declare const app: App;
declare const stack: Stack;
new IntegTest(app, 'Integ', { testCases: [stack] });
You will notice that the stack
is registered to the IntegTest
as a test case.
Each integration test can contain multiple test cases, which are just instances
of a stack. See the Usage section for more details.
Suppose you have a simple stack, that only encapsulates a Lambda function with a certain handler:
interface StackUnderTestProps extends StackProps {
architecture?: lambda.Architecture;
}
class StackUnderTest extends Stack {
constructor(scope: Construct, id: string, props: StackUnderTestProps) {
super(scope, id, props);
new lambda.Function(this, 'Handler', {
runtime: lambda.Runtime.NODEJS_LATEST,
handler: 'index.handler',
code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),
architecture: props.architecture,
});
}
}
You may want to test this stack under different conditions. For example, we want
this stack to be deployed correctly, regardless of the architecture we choose
for the Lambda function. In particular, it should work for both ARM_64
and
X86_64
. So you can create an IntegTestCase
that exercises both scenarios:
interface StackUnderTestProps extends StackProps {
architecture?: lambda.Architecture;
}
class StackUnderTest extends Stack {
constructor(scope: Construct, id: string, props: StackUnderTestProps) {
super(scope, id, props);
new lambda.Function(this, 'Handler', {
runtime: lambda.Runtime.NODEJS_LATEST,
handler: 'index.handler',
code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),
architecture: props.architecture,
});
}
}
// Beginning of the test suite
const app = new App();
new IntegTest(app, 'DifferentArchitectures', {
testCases: [
new StackUnderTest(app, 'Stack1', {
architecture: lambda.Architecture.ARM_64,
}),
new StackUnderTest(app, 'Stack2', {
architecture: lambda.Architecture.X86_64,
}),
],
});
This is all the instruction you need for the integration test runner to know which stacks to synthesize, deploy and destroy. But you may also need to customize the behavior of the runner by changing its parameters. For example:
const app = new App();
const stackUnderTest = new Stack(app, 'StackUnderTest', /* ... */);
const stack = new Stack(app, 'stack');
const testCase = new IntegTest(app, 'CustomizedDeploymentWorkflow', {
testCases: [stackUnderTest],
diffAssets: true,
stackUpdateWorkflow: true,
cdkCommandOptions: {
deploy: {
args: {
requireApproval: RequireApproval.NEVER,
json: true,
},
},
destroy: {
args: {
force: true,
},
},
},
});
In the majority of cases an integration test will contain a single IntegTestCase
.
By default when you create an IntegTest
an IntegTestCase
is created for you
and all of your test cases are registered to this IntegTestCase
. The IntegTestCase
and IntegTestCaseStack
constructs are only needed when it is necessary to
defined different options for individual test cases.
For example, you might want to have one test case where diffAssets
is enabled.
declare const app: App;
declare const stackUnderTest: Stack;
const testCaseWithAssets = new IntegTestCaseStack(app, 'TestCaseAssets', {
diffAssets: true,
});
new IntegTest(app, 'Integ', { testCases: [stackUnderTest, testCaseWithAssets] });
This library also provides a utility to make assertions against the infrastructure that the integration test deploys.
There are two main scenarios in which assertions are created.
integ-runner
In this case you would create an integration test using the IntegTest
construct and then make assertions using the assert
property.
You should not utilize the assertion constructs directly, but should instead use the methods
on IntegTest.assertions
.
declare const app: App;
declare const stack: Stack;
const integ = new IntegTest(app, 'Integ', { testCases: [stack] });
integ.assertions.awsApiCall('S3', 'getObject');
By default an assertions stack is automatically generated for you. You may however provide your own stack to use.
declare const app: App;
declare const stack: Stack;
declare const assertionStack: Stack;
const integ = new IntegTest(app, 'Integ', { testCases: [stack], assertionStack: assertionStack });
integ.assertions.awsApiCall('S3', 'getObject');
In this case you may be using assertions as part of a normal CDK deployment in order to make an assertion on the infrastructure before the deployment is considered successful. In this case you can utilize the assertions constructs directly.
declare const myAppStack: Stack;
new AwsApiCall(myAppStack, 'GetObject', {
service: 'S3',
api: 'getObject',
});
Assertions are created by using the DeployAssert
construct. This construct creates it's own Stack
separate from
any stacks that you create as part of your integration tests. This Stack
is treated differently from other stacks
by the integ-runner
tool. For example, this stack will not be diffed by the integ-runner
.
DeployAssert
also provides utilities to register your own assertions.
declare const myCustomResource: CustomResource;
declare const stack: Stack;
declare const app: App;
const integ = new IntegTest(app, 'Integ', { testCases: [stack] });
integ.assertions.expect(
'CustomAssertion',
ExpectedResult.objectLike({ foo: 'bar' }),
ActualResult.fromCustomResource(myCustomResource, 'data'),
);
In the above example an assertion is created that will trigger a user defined CustomResource
and assert that the data
attribute is equal to { foo: 'bar' }
.
A common method to retrieve the "actual" results to compare with what is expected is to make an API call to receive some data. This library does this by utilizing CloudFormation custom resources which means that CloudFormation will call out to a Lambda Function which will make the API call.
Using the HttpApiCall
will use the
node-fetch JavaScript library to
make the HTTP call.
This can be done by using the class directory (in the case of a normal deployment):
declare const stack: Stack;
new HttpApiCall(stack, 'MyAsssertion', {
url: 'https://example-api.com/abc',
});
Or by using the httpApiCall
method on DeployAssert
(when writing integration tests):
declare const app: App;
declare const stack: Stack;
const integ = new IntegTest(app, 'Integ', {
testCases: [stack],
});
integ.assertions.httpApiCall('https://example-api.com/abc');
Using the AwsApiCall
construct will use the AWS JavaScript SDK to make the API call.
This can be done by using the class directory (in the case of a normal deployment):
declare const stack: Stack;
new AwsApiCall(stack, 'MyAssertion', {
service: 'SQS',
api: 'receiveMessage',
parameters: {
QueueUrl: 'url',
},
});
Or by using the awsApiCall
method on DeployAssert
(when writing integration tests):
declare const app: App;
declare const stack: Stack;
const integ = new IntegTest(app, 'Integ', {
testCases: [stack],
});
integ.assertions.awsApiCall('SQS', 'receiveMessage', {
QueueUrl: 'url',
});
You must specify the service
and the api
when using The AwsApiCall
construct.
The service
is the name of an AWS service, in one of the following forms:
@aws-sdk/client-api-gateway
)api-gateway
)APIGateway
)apigateway
)The api
is the name of an AWS API call, in one of the following forms:
GetObject
)getObject
)GetObjectCommand
)By default, the AwsApiCall
construct will automatically add the correct IAM policies
to allow the Lambda function to make the API call. It does this based on the service
and api
that is provided. In the above example the service is SQS
and the api is
receiveMessage
so it will create a policy with Action: 'sqs:ReceiveMessage
.
There are some cases where the permissions do not exactly match the service/api call, for
example the S3 listObjectsV2
api. In these cases it is possible to add the correct policy
by accessing the provider
object.
declare const app: App;
declare const stack: Stack;
declare const integ: IntegTest;
const apiCall = integ.assertions.awsApiCall('S3', 'listObjectsV2', {
Bucket: 'mybucket',
});
apiCall.provider.addToRolePolicy({
Effect: 'Allow',
Action: ['s3:GetObject', 's3:ListBucket'],
Resource: ['*'],
});
When executing waitForAssertion()
, it is necessary to add an IAM policy using waiterProvider.addToRolePolicy()
.
Because IApiCall
does not have a waiterProvider
property, you need to cast it to AwsApiCall
.
declare const integ: IntegTest;
const apiCall = integ.assertions.awsApiCall('S3', 'listObjectsV2', {
Bucket: 'mybucket',
}).waitForAssertions() as AwsApiCall;
apiCall.waiterProvider?.addToRolePolicy({
Effect: 'Allow',
Action: ['s3:GetObject', 's3:ListBucket'],
Resource: ['*'],
});
Note that addToRolePolicy() uses direct IAM JSON policy blobs, not a iam.PolicyStatement object like you will see in the rest of the CDK.
This library currently provides the ability to assert that two values are equal
to one another by utilizing the EqualsAssertion
class. This utilizes a Lambda
backed CustomResource
which in tern uses the Match utility from the
@aws-cdk/assertions library.
declare const app: App;
declare const stack: Stack;
declare const queue: sqs.Queue;
declare const fn: lambda.IFunction;
const integ = new IntegTest(app, 'Integ', {
testCases: [stack],
});
integ.assertions.invokeFunction({
functionName: fn.functionName,
invocationType: InvocationType.EVENT,
payload: JSON.stringify({ status: 'OK' }),
});
const message = integ.assertions.awsApiCall('SQS', 'receiveMessage', {
QueueUrl: queue.queueUrl,
WaitTimeSeconds: 20,
});
message.assertAtPath('Messages.0.Body', ExpectedResult.objectLike({
requestContext: {
condition: 'Success',
},
requestPayload: {
status: 'OK',
},
responseContext: {
statusCode: 200,
},
responsePayload: 'success',
}));
integ-tests
also provides a Match
utility similar to the @aws-cdk/assertions
module. Match
can be used to construct the ExpectedResult
. While the utility is similar, only a subset of methods are currently available on the Match
utility of this module: arrayWith
, objectLike
, stringLikeRegexp
and serializedJson
.
declare const message: AwsApiCall;
message.expect(ExpectedResult.objectLike({
Messages: Match.arrayWith([
{
Payload: Match.serializedJson({ key: 'value' }),
},
{
Body: {
Values: Match.arrayWith([{ Asdf: 3 }]),
Message: Match.stringLikeRegexp('message'),
},
},
]),
}));
In this example there is a Lambda Function that is invoked and we assert that the payload that is returned is equal to '200'.
declare const lambdaFunction: lambda.IFunction;
declare const app: App;
const stack = new Stack(app, 'cdk-integ-lambda-bundling');
const integ = new IntegTest(app, 'IntegTest', {
testCases: [stack],
});
const invoke = integ.assertions.invokeFunction({
functionName: lambdaFunction.functionName,
});
invoke.expect(ExpectedResult.objectLike({
Payload: '200',
}));
The above example will by default create a CloudWatch log group that's never
expired. If you want to configure it with custom log retention days, you need
to specify the logRetention
property.
import * as logs from 'aws-cdk-lib/aws-logs';
declare const lambdaFunction: lambda.IFunction;
declare const app: App;
const stack = new Stack(app, 'cdk-integ-lambda-bundling');
const integ = new IntegTest(app, 'IntegTest', {
testCases: [stack],
});
const invoke = integ.assertions.invokeFunction({
functionName: lambdaFunction.functionName,
logRetention: logs.RetentionDays.ONE_WEEK,
});
In this example there is a StepFunctions state machine that is executed and then we assert that the result of the execution is successful.
declare const app: App;
declare const stack: Stack;
declare const sm: IStateMachine;
const testCase = new IntegTest(app, 'IntegTest', {
testCases: [stack],
});
// Start an execution
const start = testCase.assertions.awsApiCall('StepFunctions', 'startExecution', {
stateMachineArn: sm.stateMachineArn,
});
// describe the results of the execution
const describe = testCase.assertions.awsApiCall('StepFunctions', 'describeExecution', {
executionArn: start.getAttString('executionArn'),
});
// assert the results
describe.expect(ExpectedResult.objectLike({
status: 'SUCCEEDED',
}));
Sometimes it may be necessary to chain API Calls. Since each API call is its own resource, all you
need to do is add a dependency between the calls. There is an helper method next
that can be used.
declare const integ: IntegTest;
integ.assertions.awsApiCall('S3', 'putObject', {
Bucket: 'amzn-s3-demo-bucket',
Key: 'my-key',
Body: 'helloWorld',
}).next(integ.assertions.awsApiCall('S3', 'getObject', {
Bucket: 'amzn-s3-demo-bucket',
Key: 'my-key',
}));
A common use case when performing assertions is to wait for a condition to pass. Sometimes the thing
that you are asserting against is not done provisioning by the time the assertion runs. In these
cases it is possible to run the assertion asynchronously by calling the waitForAssertions()
method.
Taking the example above of executing a StepFunctions state machine, depending on the complexity of the state machine, it might take a while for it to complete.
declare const app: App;
declare const stack: Stack;
declare const sm: IStateMachine;
const testCase = new IntegTest(app, 'IntegTest', {
testCases: [stack],
});
// Start an execution
const start = testCase.assertions.awsApiCall('StepFunctions', 'startExecution', {
stateMachineArn: sm.stateMachineArn,
});
// describe the results of the execution
const describe = testCase.assertions.awsApiCall('StepFunctions', 'describeExecution', {
executionArn: start.getAttString('executionArn'),
}).expect(ExpectedResult.objectLike({
status: 'SUCCEEDED',
})).waitForAssertions();
When you call waitForAssertions()
the assertion provider will continuously make the awsApiCall
until the
ExpectedResult
is met. You can also control the parameters for waiting, for example:
declare const testCase: IntegTest;
declare const start: IApiCall;
const describe = testCase.assertions.awsApiCall('StepFunctions', 'describeExecution', {
executionArn: start.getAttString('executionArn'),
}).expect(ExpectedResult.objectLike({
status: 'SUCCEEDED',
})).waitForAssertions({
totalTimeout: Duration.minutes(5),
interval: Duration.seconds(15),
backoffRate: 3,
});
FAQs
CDK Integration Testing Constructs
The npm package @aws-cdk/integ-tests-alpha receives a total of 39,081 weekly downloads. As such, @aws-cdk/integ-tests-alpha popularity was classified as popular.
We found that @aws-cdk/integ-tests-alpha demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.