Add checks for authorizer event source types (#2307)

Author: mildaniel

samtranslator/model/eventsources/push.py

@@ -704,14 +704,9 @@ def _add_swagger_integration(self, api, function, intrinsics_resolver):
                             ),
                         )
 
-                    if not isinstance(method_authorizer, str):
-                        raise InvalidEventException(
-                            self.relative_id,
-                            "Unable to set Authorizer [{authorizer}] on API method [{method}] for path [{path}] "
-                            "because it wasn't defined with acceptable values in the API's Authorizers.".format(
-                                authorizer=method_authorizer, method=self.Method, path=self.Path
-                            ),
-                        )
+                    _check_valid_authorizer_types(
+                        self.relative_id, self.Method, self.Path, method_authorizer, api_authorizers
+                    )
 
                     if method_authorizer != "NONE" and not api_authorizers.get(method_authorizer):
                         raise InvalidEventException(
@@ -1198,13 +1193,6 @@ def _add_auth_to_openapi_integration(self, api, editor):
         :param editor: OpenApiEditor object that contains the OpenApi definition
         """
         method_authorizer = self.Auth.get("Authorizer")
-
-        if method_authorizer is not None and not isinstance(method_authorizer, str):
-            raise InvalidEventException(
-                self.relative_id,
-                "'Authorizer' in the 'Auth' section must be a string.",
-            )
-
         api_auth = api.get("Auth", {})
         if not method_authorizer:
             if api_auth.get("DefaultAuthorizer"):
@@ -1221,6 +1209,8 @@ def _add_auth_to_openapi_integration(self, api, editor):
         # Default auth should already be applied, so apply any other auth here or scope override to default
         api_authorizers = api_auth and api_auth.get("Authorizers")
 
+        _check_valid_authorizer_types(self.relative_id, self.Method, self.Path, method_authorizer, api_authorizers)
+
         if method_authorizer != "NONE" and not api_authorizers:
             raise InvalidEventException(
                 self.relative_id,
@@ -1270,3 +1260,19 @@ def _build_apigw_integration_uri(function, partition):
     if function_arn.get("Fn::GetAtt") and isinstance(function_arn["Fn::GetAtt"][0], Py27UniStr):
         arn = Py27UniStr(arn)
     return Py27Dict(fnSub(arn))
+
+
+def _check_valid_authorizer_types(relative_id, method, path, method_authorizer, api_authorizers):
+    if method_authorizer == "NONE":
+        # If the method authorizer is "NONE" then this check
+        # isn't needed since DefaultAuthorizer needs to be used.
+        return
+
+    if not isinstance(method_authorizer, str) or not isinstance(api_authorizers, dict):
+        raise InvalidEventException(
+            relative_id,
+            "Unable to set Authorizer [{authorizer}] on API method [{method}] for path [{path}]. "
+            "The method authorizer must be a string with a corresponding dict entry in the api authorizer.".format(
+                authorizer=method_authorizer, method=method, path=path
+            ),
+        )

tests/translator/input/error_api_invalid_event_authorizer_type.yaml

@@ -0,0 +1,28 @@
+Resources:
+  SignInFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://bucket/key
+      Handler: main.main
+      Runtime: python3.9
+      Events:
+        MainFuncPostV1:
+          Type: Api
+          Properties:
+            Auth:
+              Authorizer:
+                - CognitoAuthorizer
+            Path: /v1/signin
+            RestApiId: AuthorizedApi
+            Method: post
+  AuthorizedApi:
+    Type: 'AWS::Serverless::Api'
+    Properties:
+      StageName: Prod
+      Auth:
+        DefaultAuthorizer: NONE
+        Authorizers:
+          - CognitoAuthorizer: null
+            UserPoolArn: !GetAtt 'CognitoUserPool.Arn'
+            AuthorizationScopes:
+              - aws.cognito.signin.user.admin

tests/translator/input/error_http_api_invalid_event_authorizer_type.yaml

@@ -0,0 +1,28 @@
+Resources:
+  SignInFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://bucket/key
+      Handler: main.main
+      Runtime: python3.9
+      Events:
+        MainFuncPostV1:
+          Type: HttpApi
+          Properties:
+            Auth:
+              Authorizer:
+                - CognitoAuthorizer
+            Path: /v1/signin
+            ApiId: AuthorizedApi
+            Method: post
+  AuthorizedApi:
+    Type: 'AWS::Serverless::HttpApi'
+    Properties:
+      StageName: Prod
+      Auth:
+        DefaultAuthorizer: NONE
+        Authorizers:
+          - CognitoAuthorizer: null
+            UserPoolArn: !GetAtt 'CognitoUserPool.Arn'
+            AuthorizationScopes:
+              - aws.cognito.signin.user.admin

tests/translator/output/error_api_invalid_event_authorizer_type.json

@@ -0,0 +1,8 @@
+{
+  "errors": [
+    {
+      "errorMessage": "Resource with id [AuthorizedApi] is invalid. Authorizers must be a dictionary. Resource with id [SignInFunction] is invalid. Event with id [MainFuncPostV1] is invalid. Unable to set Authorizer [['CognitoAuthorizer']] on API method [post] for path [/v1/signin]. The method authorizer must be a string with a corresponding dict entry in the api authorizer."
+    }
+  ],
+  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 2. Resource with id [AuthorizedApi] is invalid. Authorizers must be a dictionary. Resource with id [SignInFunction] is invalid. Event with id [MainFuncPostV1] is invalid. Unable to set Authorizer [['CognitoAuthorizer']] on API method [post] for path [/v1/signin]. The method authorizer must be a string with a corresponding dict entry in the api authorizer."
+}

tests/translator/output/error_api_with_invalid_auth_scopes_openapi.json

@@ -4,6 +4,6 @@
         "errorMessage": "Resource with id [MyApiWithCognitoAuth] is invalid. AuthorizationScopes must be a list."
       }
     ], 
-    "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 2. Resource with id [MyApiWithCognitoAuth] is invalid. AuthorizationScopes must be a list. Resource with id [MyFn] is invalid. Event with id [CognitoAuthorizerNotString] is invalid. Unable to set Authorizer [['NotString']] on API method [get] for path [/cognitoauthorizernotstring] because it wasn't defined with acceptable values in the API's Authorizers."
+    "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 2. Resource with id [MyApiWithCognitoAuth] is invalid. AuthorizationScopes must be a list. Resource with id [MyFn] is invalid. Event with id [CognitoAuthorizerNotString] is invalid. Unable to set Authorizer [['NotString']] on API method [get] for path [/cognitoauthorizernotstring]. The method authorizer must be a string with a corresponding dict entry in the api authorizer."
   }
 

tests/translator/output/error_http_api_invalid_auth.json

@@ -4,5 +4,5 @@
       "errorMessage": "Resource with id [Function] is invalid. Event with id [Api] is invalid. Unable to set Authorizer [myAuth] on API method [x-amazon-apigateway-any-method] for path [$default] because the related API does not define any Authorizers. Resource with id [Function2] is invalid. Event with id [Api2] is invalid. Unable to set Authorizer [myAuth] on API method [x-amazon-apigateway-any-method] for path [$default] because it wasn't defined in the API's Authorizers. Resource with id [Function3] is invalid. Event with id [Api3] is invalid. Unable to set Authorizer on API method [x-amazon-apigateway-any-method] for path [$default] because 'NONE' is only a valid value when a DefaultAuthorizer on the API is specified. Resource with id [Function4] is invalid. Event with id [Api4] is invalid. Unable to set Authorizer on API method [x-amazon-apigateway-any-method] for path [$default] because 'AuthorizationScopes' must be a list of strings."
     }
   ],
-  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 6. Resource with id [Function] is invalid. Event with id [Api] is invalid. Unable to set Authorizer [myAuth] on API method [x-amazon-apigateway-any-method] for path [$default] because the related API does not define any Authorizers. Resource with id [Function2] is invalid. Event with id [Api2] is invalid. Unable to set Authorizer [myAuth] on API method [x-amazon-apigateway-any-method] for path [$default] because it wasn't defined in the API's Authorizers. Resource with id [Function3] is invalid. Event with id [Api3] is invalid. Unable to set Authorizer on API method [x-amazon-apigateway-any-method] for path [$default] because 'NONE' is only a valid value when a DefaultAuthorizer on the API is specified. Resource with id [Function4] is invalid. Event with id [Api4] is invalid. Unable to set Authorizer on API method [x-amazon-apigateway-any-method] for path [$default] because 'AuthorizationScopes' must be a list of strings. Resource with id [MyApi5] is invalid. 'OpenIdConnectUrl' is no longer a supported property for authorizer 'OIDC'. Please refer to the AWS SAM documentation. Resource with id [NonStringAuthFunction] is invalid. Event with id [GetRoot] is invalid. 'Authorizer' in the 'Auth' section must be a string."
+  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 6. Resource with id [Function] is invalid. Event with id [Api] is invalid. Unable to set Authorizer [myAuth] on API method [x-amazon-apigateway-any-method] for path [$default] because the related API does not define any Authorizers. Resource with id [Function2] is invalid. Event with id [Api2] is invalid. Unable to set Authorizer [myAuth] on API method [x-amazon-apigateway-any-method] for path [$default] because it wasn't defined in the API's Authorizers. Resource with id [Function3] is invalid. Event with id [Api3] is invalid. Unable to set Authorizer on API method [x-amazon-apigateway-any-method] for path [$default] because 'NONE' is only a valid value when a DefaultAuthorizer on the API is specified. Resource with id [Function4] is invalid. Event with id [Api4] is invalid. Unable to set Authorizer on API method [x-amazon-apigateway-any-method] for path [$default] because 'AuthorizationScopes' must be a list of strings. Resource with id [MyApi5] is invalid. 'OpenIdConnectUrl' is no longer a supported property for authorizer 'OIDC'. Please refer to the AWS SAM documentation. Resource with id [NonStringAuthFunction] is invalid. Event with id [GetRoot] is invalid. Unable to set Authorizer [{'Ref': 'MyAuth'}] on API method [get] for path [/]. The method authorizer must be a string with a corresponding dict entry in the api authorizer."
 }

tests/translator/output/error_http_api_invalid_event_authorizer_type.json

@@ -0,0 +1,8 @@
+{
+  "errors": [
+    {
+      "errorMessage": "Resource with id [AuthorizedApi] is invalid. Authorizers must be a dictionary. Resource with id [SignInFunction] is invalid. Event with id [MainFuncPostV1] is invalid. Unable to set Authorizer [['CognitoAuthorizer']] on API method [post] for path [/v1/signin]. The method authorizer must be a string with a corresponding dict entry in the api authorizer."
+    }
+  ],
+  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 2. Resource with id [AuthorizedApi] is invalid. Authorizers must be a dictionary. Resource with id [SignInFunction] is invalid. Event with id [MainFuncPostV1] is invalid. Unable to set Authorizer [['CognitoAuthorizer']] on API method [post] for path [/v1/signin]. The method authorizer must be a string with a corresponding dict entry in the api authorizer."
+}