Actions with require-whisk-auth annotation as boolean false are rejected by controller (#4989)

nitikagarw · web-flow · commit 9134a03c37f9 · 2020-10-12T21:47:11.000+09:00
* Actions with require-whisk-auth annotation as boolean false are rejected by controller

* Fix testcase
diff --git a/core/controller/src/main/scala/org/apache/openwhisk/core/controller/WebActions.scala b/core/controller/src/main/scala/org/apache/openwhisk/core/controller/WebActions.scala
@@ -784,10 +784,11 @@ trait WhiskWebActionsApi
     annotations
       .get(Annotations.RequireWhiskAuthAnnotation)
       .map {
-        case JsString(auth)           => checkAuthHeader(auth) // allowed if auth matches header
-        case JsNumber(auth)           => checkAuthHeader(auth.toString) // allowed if auth matches header
-        case JsTrue | JsBoolean(true) => authenticatedUser.isDefined // allowed if user already authenticated
-        case _                        => false // not allowed, something is not right
+        case JsString(auth)             => checkAuthHeader(auth) // allowed if auth matches header
+        case JsNumber(auth)             => checkAuthHeader(auth.toString) // allowed if auth matches header
+        case JsTrue | JsBoolean(true)   => authenticatedUser.isDefined // allowed if user already authenticated
+        case JsFalse | JsBoolean(false) => true // allowed if the require-whisk-auth is specified as false
+        case _                          => false // not allowed, something is not right
       }
   }
 
diff --git a/tests/src/test/scala/org/apache/openwhisk/core/cli/test/WskWebActionsTests.scala b/tests/src/test/scala/org/apache/openwhisk/core/cli/test/WskWebActionsTests.scala
@@ -147,6 +147,24 @@ class WskWebActionsTests extends TestHelpers with WskTestHelpers with RestUtil w
       authorizedResponse.body.asString.parseJson.asJsObject.fields("__ow_user").convertTo[String] shouldBe namespace
   }
 
+  /**
+   * Tests web action not requiring authentication.
+   */
+  it should "create a web action not requiring authentication accessible via HTTPS" in withAssetCleaner(wskprops) {
+    (wp, assetHelper) =>
+      val name = "webaction"
+      val file = Some(TestUtils.getTestActionFilename("echo.js"))
+      val host = getServiceURL()
+      val url = s"$host$testRoutePath/$namespace/default/$name.json"
+
+      assetHelper.withCleaner(wsk.action, name) { (action, _) =>
+        action.create(name, file, web = Some("true"), annotations = Map("require-whisk-auth" -> false.toJson))
+      }
+
+      val unauthorizedResponse = RestAssured.given().config(sslconfig).get(url)
+      unauthorizedResponse.statusCode shouldBe 200
+  }
+
   it should "ensure that CORS header is preserved for custom options" in withAssetCleaner(wskprops) {
     (wp, assetHelper) =>
       val name = "webaction"
