Adding authorization scopes as list validation in ApiGatewayAuthorizer (v1 and v2). (#1670)

c2tarun · web-flow · commit d09ed7b05eed · 2020-07-29T16:46:36.000-05:00
* Adding authorization scopes as list validation in ApiGatewayAuthorizer and ApiGatewayV2Authorizer.

* make black.

* Adding functional test for invalid auth scope.

* adding error condition for invalid test.

* removing test template file.
diff --git a/samtranslator/model/apigateway.py b/samtranslator/model/apigateway.py
@@ -244,6 +244,9 @@ def __init__(
                 "of Headers, QueryStrings, StageVariables, or Context.",
             )
 
+        if authorization_scopes is not None and not isinstance(authorization_scopes, list):
+            raise InvalidResourceException(api_logical_id, "AuthorizationScopes must be a list.")
+
         self.api_logical_id = api_logical_id
         self.name = name
         self.user_pool_arn = user_pool_arn
diff --git a/samtranslator/model/apigatewayv2.py b/samtranslator/model/apigatewayv2.py
@@ -62,6 +62,9 @@ def __init__(
         """
         Creates an authorizer for use in V2 Http Apis
         """
+        if authorization_scopes is not None and not isinstance(authorization_scopes, list):
+            raise InvalidResourceException(api_logical_id, "AuthorizationScopes must be a list.")
+
         # Currently only one type of auth
         self.auth_type = "oauth2"
 
diff --git a/tests/model/test_api.py b/tests/model/test_api.py
@@ -0,0 +1,19 @@
+from unittest import TestCase
+import pytest
+
+from samtranslator.model import InvalidResourceException
+from samtranslator.model.apigateway import ApiGatewayAuthorizer
+
+
+class TestApiGatewayAuthorizer(TestCase):
+    def test_create_oauth2_auth(self):
+        auth = ApiGatewayAuthorizer(
+            api_logical_id="logicalId", name="authName", authorization_scopes=["scope1", "scope2"]
+        )
+        self.assertIsNotNone(auth)
+
+    def test_create_authorizer_fails_with_string_authorization_scopes(self):
+        with pytest.raises(InvalidResourceException):
+            auth = ApiGatewayAuthorizer(
+                api_logical_id="logicalId", name="authName", authorization_scopes="invalid_scope"
+            )
diff --git a/tests/model/test_api_v2.py b/tests/model/test_api_v2.py
@@ -12,6 +12,7 @@ def test_create_oauth2_auth(self):
             name="authName",
             jwt_configuration={"config": "value"},
             id_source="https://example.com",
+            authorization_scopes=["scope1", "scope2"],
         )
         self.assertEquals(auth.auth_type, "oauth2")
 
@@ -24,3 +25,12 @@ def test_create_authorizer_no_id_source(self):
     def test_create_authorizer_no_jwt_config(self):
         with pytest.raises(InvalidResourceException):
             auth = ApiGatewayV2Authorizer(api_logical_id="logicalId", name="authName", id_source="https://example.com")
+
+    def test_create_authorizer_fails_with_string_authorization_scopes(self):
+        with pytest.raises(InvalidResourceException):
+            auth = ApiGatewayV2Authorizer(
+                api_logical_id="logicalId",
+                name="authName",
+                jwt_configuration={"config": "value"},
+                authorization_scopes="invalid_scope",
+            )
diff --git a/tests/translator/input/error_api_with_invalid_auth_scopes_openapi.yaml b/tests/translator/input/error_api_with_invalid_auth_scopes_openapi.yaml
@@ -0,0 +1,87 @@
+Resources:
+  MyApiWithCognitoAuth:
+    Type: "AWS::Serverless::Api"
+    Properties:
+      StageName: Prod
+      OpenApiVersion: '3.0.1'
+      Auth:
+        DefaultAuthorizer: MyDefaultCognitoAuth
+        Authorizers:
+          MyDefaultCognitoAuth:
+            UserPoolArn: arn:aws:1
+            AuthorizationScopes:
+              - default.write
+              - default.read
+          MyCognitoAuthWithDefaultScopes:
+            UserPoolArn: arn:aws:2
+            AuthorizationScopes: default.delete
+
+  MyFn:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://bucket/key
+      Handler: index.handler
+      Runtime: nodejs12.x
+      Events:
+        CognitoAuthorizerWithDefaultScopes:
+          Type: Api
+          Properties:
+            RestApiId: !Ref MyApiWithCognitoAuth
+            Method: get
+            Path: /cognitoauthorizerwithdefaultscopes
+            Auth:
+              Authorizer: MyCognitoAuthWithDefaultScopes
+        CognitoDefaultScopesDefaultAuthorizer:
+          Type: Api
+          Properties:
+            RestApiId: !Ref MyApiWithCognitoAuth
+            Method: get
+            Path: /cognitodefaultscopesdefaultauthorizer
+        CognitoWithAuthNone:
+          Type: Api
+          Properties:
+            RestApiId: !Ref MyApiWithCognitoAuth
+            Method: get
+            Path: /cognitowithauthnone
+            Auth:
+              Authorizer: NONE
+        CognitoDefaultScopesWithOverwritten:
+          Type: Api
+          Properties:
+            RestApiId: !Ref MyApiWithCognitoAuth
+            Method: get
+            Path: /cognitodefaultscopesoverwritten
+            Auth:
+              Authorizer: MyDefaultCognitoAuth
+              AuthorizationScopes: 
+                - overwritten.read
+                - overwritten.write
+        CognitoAuthorizerScopesOverwritten:
+          Type: Api
+          Properties:
+            RestApiId: !Ref MyApiWithCognitoAuth
+            Method: get
+            Path: /cognitoauthorizercopesoverwritten
+            Auth:
+              Authorizer: MyCognitoAuthWithDefaultScopes
+              AuthorizationScopes: 
+                - overwritten.read
+                - overwritten.write
+        CognitoDefaultScopesNone:
+          Type: Api
+          Properties:
+            RestApiId: !Ref MyApiWithCognitoAuth
+            Method: get
+            Path: /cognitodefaultscopesnone
+            Auth:
+              Authorizer: MyDefaultCognitoAuth
+              AuthorizationScopes: []
+        CognitoDefaultAuthDefaultScopesNone:
+          Type: Api
+          Properties:
+            RestApiId: !Ref MyApiWithCognitoAuth
+            Method: get
+            Path: /cognitodefaultauthdefaultscopesnone
+            Auth:
+              Authorizer: MyCognitoAuthWithDefaultScopes
+              AuthorizationScopes: []
diff --git a/tests/translator/output/error_api_with_invalid_auth_scopes_openapi.json b/tests/translator/output/error_api_with_invalid_auth_scopes_openapi.json
@@ -0,0 +1,9 @@
+{
+    "errors": [
+      {
+        "errorMessage": "Resource with id [MyApiWithCognitoAuth] is invalid. AuthorizationScopes must be a list."
+      }
+    ], 
+    "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [MyApiWithCognitoAuth] is invalid. AuthorizationScopes must be a list."
+  }
+
diff --git a/tests/translator/test_translator.py b/tests/translator/test_translator.py
@@ -629,6 +629,7 @@ def _generate_new_deployment_hash(self, logical_id, dict_to_hash, rest_api_to_sw
         "error_function_with_invalid_condition_name",
         "error_invalid_document_empty_semantic_version",
         "error_api_with_invalid_open_api_version_type",
+        "error_api_with_invalid_auth_scopes_openapi",
         "error_api_with_custom_domains_invalid",
         "error_api_with_custom_domains_route53_invalid",
         "error_api_event_import_vaule_reference",

Original file line number	Diff line number	Diff line change
`@@ -244,6 +244,9 @@ def __init__(`
`244`	`244`	`"of Headers, QueryStrings, StageVariables, or Context.",`
`245`	`245`	`)`
`246`	`246`
	`247`	`+ if authorization_scopes is not None and not isinstance(authorization_scopes, list):`
	`248`	`+ raise InvalidResourceException(api_logical_id, "AuthorizationScopes must be a list.")`
	`249`	`+`
`247`	`250`	`self.api_logical_id = api_logical_id`
`248`	`251`	`self.name = name`
`249`	`252`	`self.user_pool_arn = user_pool_arn`