Extract configureEnvironment and update implementation

* sanitise environment
* handle endpoint url configuration misconfiguration
* add testing

Author: simonrw

__tests__/index.test.js

@@ -1,5 +1,59 @@
-describe("Simple test", () => {
-  test("it passes", () => {
-    expect(true).toEqual(true);
+const { configureEnvironment, EnvironmentMisconfigurationError } = require("../src");
+
+describe("configureEnvironment", () => {
+  test("empty environment", () => {
+    const env = {};
+    const allowListStr = "";
+    configureEnvironment(env, allowListStr);
+    expect(env).toEqual({
+      AWS_ENDPOINT_URL: "http://localhost.localstack.cloud:4566",
+      AWS_ENDPOINT_URL_S3: "http://s3.localhost.localstack.cloud:4566",
+    });
+  });
+
+  test("custom endpoint url", () => {
+    const env = {
+      AWS_ENDPOINT_URL: "http://foo.bar:4567",
+      AWS_ENDPOINT_URL_S3: "http://foo.bar:4567",
+    };
+    const allowListStr = "";
+    configureEnvironment(env, allowListStr);
+    expect(env).toEqual({
+      AWS_ENDPOINT_URL: "http://foo.bar:4567",
+      AWS_ENDPOINT_URL_S3: "http://foo.bar:4567",
+    });
+  });
+
+  test("custom endpoint url without specifying s3 url", () => {
+    const env = {
+      AWS_ENDPOINT_URL: "http://foo.bar:4567",
+    };
+    const allowListStr = "";
+    expect(() => configureEnvironment(env, allowListStr)).toThrow(EnvironmentMisconfigurationError);
+  });
+
+  test("strip extra configuration envars", () => {
+    const env = {
+      AWS_PROFILE: "my-profile",
+    };
+    const allowListStr = "";
+    configureEnvironment(env, allowListStr);
+    expect(env).toEqual({
+      AWS_ENDPOINT_URL: "http://localhost.localstack.cloud:4566",
+      AWS_ENDPOINT_URL_S3: "http://s3.localhost.localstack.cloud:4566",
+    });
+  });
+
+  test("allowlist of profile", () => {
+    const env = {
+      AWS_PROFILE: "my-profile",
+    };
+    const allowListStr = "AWS_PROFILE";
+    configureEnvironment(env, allowListStr);
+    expect(env).toEqual({
+      AWS_PROFILE: "my-profile",
+      AWS_ENDPOINT_URL: "http://localhost.localstack.cloud:4566",
+      AWS_ENDPOINT_URL_S3: "http://s3.localhost.localstack.cloud:4566",
+    });
   });
 });

bin/cdklocal

@@ -9,15 +9,13 @@ const https = require("https");
 const crypto = require("crypto");
 const net = require('net');
 
-// constants and custom config values
+const { isEnvTrue, EDGE_PORT, PROTOCOL, configureEnvironment } = require("../src");
 
-const isEnvTrue = (envName) => ["1", "true"].includes(process.env[envName]);
+// constants and custom config values
 
-const DEFAULT_EDGE_PORT = 4566;
-const EDGE_PORT = process.env.EDGE_PORT || DEFAULT_EDGE_PORT;
 const DEFAULT_HOSTNAME = "localhost";
 const LAMBDA_MOUNT_CODE = isEnvTrue("LAMBDA_MOUNT_CODE");
-const PROTOCOL = isEnvTrue("USE_SSL") ? "https" : "http";
+const AWS_ENVAR_ALLOWLIST = process.env.AWS_ENVAR_ALLOWLIST || "";
 
 
 //----------------
@@ -451,13 +449,6 @@ const patchPre_2_14 = () => {
   applyPatches(provider, CdkToolkit, SDK, ToolkitInfo);
 };
 
-const configureEnvironment = () => {
-  // This _must_ use localhost.localstack.cloud as we require valid subdomains of these paths to
-  // resolve. Unfortunately though `curl` seems to support subdomains of localhost, the CDK does not.
-  process.env.AWS_ENDPOINT_URL_S3 = process.env.AWS_ENDPOINT_URL_S3 || `${PROTOCOL}://s3.localhost.localstack.cloud:${EDGE_PORT}`;
-  process.env.AWS_ENDPOINT_URL = process.env.AWS_ENDPOINT_URL || `${PROTOCOL}://localhost.localstack.cloud:${EDGE_PORT}`;
-};
-
 const patchPost_2_14 = () => {
   var lib = null;
   try {
@@ -484,7 +475,7 @@ const patchPost_2_14 = () => {
       break;
     case "ERR_PACKAGE_PATH_NOT_EXPORTED":
       // post 2.177
-      configureEnvironment();
+      configureEnvironment(process.env, AWS_ENVAR_ALLOWLIST);
       break;
     default:
       // a different error

src/index.js

@@ -0,0 +1,69 @@
+const isEnvTrue = (envName) => ["1", "true"].includes(process.env[envName]);
+
+const DEFAULT_EDGE_PORT = 4566;
+const EDGE_PORT = process.env.EDGE_PORT || DEFAULT_EDGE_PORT;
+const PROTOCOL = isEnvTrue("USE_SSL") ? "https" : "http";
+
+class EnvironmentMisconfigurationError extends Error {
+  constructor(message) {
+    super(message);
+  }
+}
+
+const configureEnvironment = (env, allowListStr) => {
+  // If the user has set `AWS_ENDPOINT_URL` but _NOT_ `AWS_ENDPOINT_URL_S3` then we cannot continue
+  // as we do not know if the users endpoint can support subdomains, and we cannot simply use the
+  // same version as S3 requests will be parsed incorrectly.
+  if (Object.hasOwn(env, "AWS_ENDPOINT_URL") && !Object.hasOwn(env, "AWS_ENDPOINT_URL_S3")) {
+    throw new EnvironmentMisconfigurationError("If specifying 'AWS_ENDPOINT_URL' then 'AWS_ENDPOINT_URL_S3' must be specified");
+  }
+
+  // Strip out any variables that may configure the environment
+  //
+  // 1. parse AWS_ENVAR_ALLOWLIST to extract the keys we should allow
+  const allowList = allowListStr.split(",").map((item) => item.trim());
+
+  // 2. build array of keys to remove
+  const keysToRemove = Object.keys(env).filter((key) => {
+    // don't filter out any keys which are not AWS configuration keys
+    if (!key.startsWith("AWS_")) {
+      return false;
+    }
+
+    // always allow AWS_ENDPOINT_URL*
+    if (key.startsWith("AWS_ENDPOINT_URL")) {
+      return false;
+    }
+
+    // if the key has been explicitly allowlisted, don't exclude the key
+    if (allowList.includes(key)) {
+      return false;
+    }
+
+    // otherwise we should remove the key
+    return true;
+  });
+
+  // 3. remove the keys from the environment
+
+  Object.keys(env).forEach((key) => {
+    if (keysToRemove.includes(key)) {
+      delete env[key];
+    }
+  });
+
+  // Explicitly set AWS_ENDPOINT_URL* to configure network access to LocalStack
+  // This _must_ use localhost.localstack.cloud as we require valid subdomains of these paths to
+  // resolve. Unfortunately though `curl` seems to support subdomains of localhost, the CDK does not.
+  env.AWS_ENDPOINT_URL_S3 = env.AWS_ENDPOINT_URL_S3 || `${PROTOCOL}://s3.localhost.localstack.cloud:${EDGE_PORT}`;
+  env.AWS_ENDPOINT_URL = env.AWS_ENDPOINT_URL || `${PROTOCOL}://localhost.localstack.cloud:${EDGE_PORT}`;
+};
+
+
+module.exports = {
+  isEnvTrue,
+  EDGE_PORT,
+  PROTOCOL,
+  configureEnvironment,
+  EnvironmentMisconfigurationError,
+};