Fix apigateway authorizer path suffix

[calvernaz]

This PR accomplishes two things:

1. making sure literal booleans are correctly parsed on our VTL templates. Why ast.literal_eval and not json.loads? Imagine the following case:

# valid rendered template (well, given airspeed implementation)
tpl = '{"key": True}' 

# fails because the string above is not valid json, True is not a valid json literal
json.loads(tpl)
# works and returns the following dict {"key": True}
ast.literal_eval(tpl)

2. routes with trailing slashes are correctly handled inside APIGW router, it uses the strict_slashes where it's needed.

There is a comprehensive test upstream for the templating and routing issue.

[github-actions]

LocalStack integration with Pro

       3 files  ±0         3 suites  ±0   1h 31m 16s ⏱️ +28s
1 738 tests ±0  1 384 ✔️ ±0  354 💤 ±0  0 ❌ ±0 
2 456 runs  ±0  1 760 ✔️ ±0  696 💤 ±0  0 ❌ ±0 

Results for commit e16d8a1. ± Comparison against base commit 44c6718.

♻️ This comment has been updated with latest results.

[calvernaz]

This is the important bit, we only support json templates at the moment, and ast.literal_eval make sure the string is a valid deserialised type, meaning a valid JSON object will turn out to be a valid dictionary, and true for other types. Without this evaluation, we would have (issue found) a rendered template containing invalid json because the boolean literal was a python literal (e.g '{ "key": True}') and not a JSON boolean literal (e.g '{ "key": true}').

[joe4dev]

Thanks for pointing out this key change here 👍

👀 This breaks in cases where a JSON template is requested but the template produces invalid JSON. It would be very helpful to have a parity test covering such a scenario.
I'm ok with doing this in a follow-up PR but it would be good to add a TODO or comment describing this limitation.

[joe4dev]

nit: It might be a bit cleaner to introduce a variable for the rendered vlt template instead of updating response._content inline.

[calvernaz]

The parity test is a good idea, but definitely on a follow-up PR. On AWS I'm sure this will end up as a 500 if the content type expected is application/json. In our case a 500 is guaranteed, the content of the exception might not be the same tho.

[joe4dev]

I understand that one could argue that Velocity templates could be considered language-independent. However, given Apache Velocity stating "Velocity is a Java-based template engine", it might still be useful to aim for parity with the Java-based reference implementation.

There, only true and false are accepted boolean values (see pointer in docs) and using True or False raises an exception (tested with https://github.com/inbravo/apache-velocity-examples). This behavior is independent of the output type (tested using text output, not json).

Hence, given the following template and variables:

template = """
{
#set( $myTrue = true )
"booleanKeyTrue": $booleanKeyTrue,
"booleanKeyFalse": $booleanKeyFalse,
"booleanLiteralTrue": true,
"booleanLiteralFalse": false,
#if( $booleanKeyTrue )
"conditionalOutcome": "PASSED"
#else
"conditionalOutcome": "FAILED"
#end
}
"""
variables = {
    "booleanKeyTrue": "true",
    "booleanKeyFalse": "false",
}

The suggested workaround with dumping JSON (json.dumps(ast.literal_eval(response._content))) produces the correct output for the content type JSON:

import json

from localstack.utils.aws.templating import VtlTemplate
rendered_template = VtlTemplate().render_vtl(template, variables)
print(rendered_template)
print(json.loads(rendered_template))

{
"booleanKeyTrue": true,
"booleanKeyFalse": false,
"booleanLiteralTrue": true,
"booleanLiteralFalse": false,
"conditionalOutcome": "PASSED"
}

Nevertheless one could still argue that the underlying airspeed templating output violates the (Java-based) Velocity protocol:

import airspeed
import json

t = airspeed.Template(template)
booleanKeyTrue = True
booleanKeyFalse = False
print(t.merge(locals()))

{
"booleanKeyTrue": True,
"booleanKeyFalse": False,
"booleanLiteralTrue": true,
"booleanLiteralFalse": false,
"conditionalOutcome": "PASSED"
}

[joe4dev]

It is a sensible assumption to expect a 500 but better write a parity test in a follow-up as I have experienced many surprises ...

[calvernaz]

Im not sure what is your point, there is a test https://github.com/localstack/localstack/pull/7557/files/826c89875cdb39a2d6593ad8d3984e30b33b7de7#diff-c1d667db96ab1afa746d61a5d2bbc4b9fb9cdf160d36110f4d41b16ec91c11abR254 that proves your point.

[calvernaz]

You can use velocity templates to render HTML, the implementation of velocity templates is Java, that's what that means. What we want is to render json in same cases, and that once deserialised is language specific, anything else is a string.

[calvernaz]

Speaking of, there is a unit test failing with valid json but fails to evaluate using ast.literal_evalwith an indentation error.

E         File "<unknown>", line 3
E           {
E       IndentationError: unexpected indent

I'll have to double check on this one.

[calvernaz]

Fixed, it doesn't support leading and trailing white-spaces.

[joe4dev]

I suggest fixing the formatting/linting issues (get build green) and then handle the further suggestions in a follow-up (see comments in ext PR)

[joe4dev]

Thanks for pointing out this key change here 👍

👀 This breaks in cases where a JSON template is requested but the template produces invalid JSON. It would be very helpful to have a parity test covering such a scenario.
I'm ok with doing this in a follow-up PR but it would be good to add a TODO or comment describing this limitation.

[joe4dev]

good json parsing addition 👍
(there is also a as_json option in render_vlt)

[calvernaz]

We should remove that option in the render_vtl template; the template should render whatever it is and make decisions outside the templating what is expected based on the content-type. There are a couple of usages, thus not being removed yet.

[joe4dev]

ok

[joe4dev]

nit: It might be a bit cleaner to introduce a variable for the rendered vlt template instead of updating response._content inline.

[joe4dev]

changes look good 👍
Thank you for finishing this tricky one 🙏

The failing Kinesis test appears unrelated

[joe4dev]

Remember to fix the ext pipeline before merging them together: https://github.com/localstack/localstack-ext/actions/runs/4230870403/jobs/7348708566#step:17:2570
FAILED tests/integration/apigateway/test_rest_apis.py::TestRestAPIs::test_lambda_token_authorizer_path_suffixes

[coveralls]

Coverage: 84.979% (-0.02%) from 84.995% when pulling e16d8a1 on fix-apigateway-authorizer-path-suffix into 44c6718 on master.

[coveralls]

Coverage: 84.979% (-0.02%) from 84.995% when pulling e16d8a1 on fix-apigateway-authorizer-path-suffix into 44c6718 on master.