From 35b1890cd6db4a664e935d010fa065c21be43ff7 Mon Sep 17 00:00:00 2001
From: Jason Butz <736696+jbutz@users.noreply.github.com>
Date: Wed, 27 Feb 2019 09:35:33 -0500
Subject: [PATCH 1/6] Ensure no security on OPTIONS API Gateway paths
---
samtranslator/swagger/swagger.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/samtranslator/swagger/swagger.py b/samtranslator/swagger/swagger.py
index bc7a5e54f4..7c379c32ea 100644
--- a/samtranslator/swagger/swagger.py
+++ b/samtranslator/swagger/swagger.py
@@ -255,7 +255,10 @@ def _options_method_response_for_cors(self, allowed_origins, allowed_headers=Non
"description": "Default response for CORS method",
"headers": response_headers
}
- }
+ },
+ "security": [
+ {"NONE": []}
+ ]
}
def _make_cors_allowed_methods_for_path(self, path):
From 9bb37ed9865acd11b79120060942e9b777b9bb5a Mon Sep 17 00:00:00 2001
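Review bot: The `{"NONE": []}` requirement is baked into the OPTIONS method template regardless of whether the API declares a DefaultAuthorizer, so for APIs without one nothing ever consumes the marker and it reaches the emitted definition body as a security requirement naming a scheme that `securityDefinitions` does not declare — the expected outputs added in PATCH 2 show it verbatim in the `api_with_cors*` fixtures, which by their names configure no authorizer. The marker is presumably only meaningful to `set_method_authorizer`, which is reached through `_set_default_authorizer` and therefore only when a default is configured. If this approach were kept, the marker should be applied from `set_path_default_authorizer` at the moment the default is skipped for a method, rather than from `_options_method_response_for_cors`, which begins above this hunk.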
From: Jason Butz <736696+jbutz@users.noreply.github.com> Date: Wed, 27 Feb 2019 09:36:05 -0500 Subject: [PATCH 2/6] Update tests to validate OPTIONS API Gateway paths --- tests/swagger/test_swagger.py | 5 ++++- tests/translator/output/api_with_cors.json | 12 ++++++++++++ .../api_with_cors_and_only_credentials_false.json | 6 ++++++ .../output/api_with_cors_and_only_headers.json | 9 +++++++++ .../output/api_with_cors_and_only_maxage.json | 6 ++++++ .../output/api_with_cors_and_only_methods.json | 3 +++ .../output/api_with_cors_and_only_origins.json | 9 +++++++++ .../output/api_with_cors_no_definitionbody.json | 3 +++ tests/translator/output/aws-cn/api_with_cors.json | 12 ++++++++++++ .../api_with_cors_and_only_credentials_false.json | 6 ++++++ .../aws-cn/api_with_cors_and_only_headers.json | 9 +++++++++ .../output/aws-cn/api_with_cors_and_only_maxage.json | 6 ++++++ .../aws-cn/api_with_cors_and_only_methods.json | 3 +++ .../aws-cn/api_with_cors_and_only_origins.json | 9 +++++++++ .../aws-cn/api_with_cors_no_definitionbody.json | 3 +++ .../translator/output/aws-us-gov/api_with_cors.json | 12 ++++++++++++ .../api_with_cors_and_only_credentials_false.json | 6 ++++++ .../aws-us-gov/api_with_cors_and_only_headers.json | 9 +++++++++ .../aws-us-gov/api_with_cors_and_only_maxage.json | 6 ++++++ .../aws-us-gov/api_with_cors_and_only_methods.json | 3 +++ .../aws-us-gov/api_with_cors_and_only_origins.json | 9 +++++++++ .../aws-us-gov/api_with_cors_no_definitionbody.json | 3 +++ 22 files changed, 148 insertions(+), 1 deletion(-) diff --git a/tests/swagger/test_swagger.py b/tests/swagger/test_swagger.py index 26b4a5cee7..61a25b4d9c 100644 --- a/tests/swagger/test_swagger.py +++ b/tests/swagger/test_swagger.py @@ -479,7 +479,10 @@ def test_correct_value_is_returned(self): } } } - } + }, + "security": [ + {"NONE": []} + ] } actual = SwaggerEditor(SwaggerEditor.gen_skeleton())._options_method_response_for_cors(origins, headers, 
diff --git a/tests/translator/output/api_with_cors.json b/tests/translator/output/api_with_cors.json index 65525b4cae..2141b1b0d8 100644 --- a/tests/translator/output/api_with_cors.json +++ b/tests/translator/output/api_with_cors.json @@ -191,6 +191,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -241,6 +244,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -348,6 +354,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -408,6 +417,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/api_with_cors_and_only_credentials_false.json b/tests/translator/output/api_with_cors_and_only_credentials_false.json index 4e1658dba8..9ce6142f07 100644 --- a/tests/translator/output/api_with_cors_and_only_credentials_false.json +++ b/tests/translator/output/api_with_cors_and_only_credentials_false.json @@ -82,6 +82,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -124,6 +127,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { diff --git a/tests/translator/output/api_with_cors_and_only_headers.json b/tests/translator/output/api_with_cors_and_only_headers.json index 18f5413492..3ecc3dd99c 100644 --- a/tests/translator/output/api_with_cors_and_only_headers.json +++ b/tests/translator/output/api_with_cors_and_only_headers.json @@ -177,6 +177,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -223,6 +226,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -367,6 +373,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { 
diff --git a/tests/translator/output/api_with_cors_and_only_maxage.json b/tests/translator/output/api_with_cors_and_only_maxage.json index 65a15ae908..5f885d4532 100644 --- a/tests/translator/output/api_with_cors_and_only_maxage.json +++ b/tests/translator/output/api_with_cors_and_only_maxage.json @@ -86,6 +86,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -132,6 +135,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { diff --git a/tests/translator/output/api_with_cors_and_only_methods.json b/tests/translator/output/api_with_cors_and_only_methods.json index 8fce751364..658052ff76 100644 --- a/tests/translator/output/api_with_cors_and_only_methods.json +++ b/tests/translator/output/api_with_cors_and_only_methods.json @@ -161,6 +161,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/api_with_cors_and_only_origins.json b/tests/translator/output/api_with_cors_and_only_origins.json index ad38022aee..8ad78f4799 100644 --- a/tests/translator/output/api_with_cors_and_only_origins.json +++ b/tests/translator/output/api_with_cors_and_only_origins.json @@ -193,6 +193,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -235,6 +238,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -355,6 +361,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/api_with_cors_no_definitionbody.json b/tests/translator/output/api_with_cors_no_definitionbody.json index d4c2976cec..25a97ee88f 100644 --- a/tests/translator/output/api_with_cors_no_definitionbody.json +++ b/tests/translator/output/api_with_cors_no_definitionbody.json @@ -188,6 +188,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { 
diff --git a/tests/translator/output/aws-cn/api_with_cors.json b/tests/translator/output/aws-cn/api_with_cors.json index 9bdba92001..0be9b3696a 100644 --- a/tests/translator/output/aws-cn/api_with_cors.json +++ b/tests/translator/output/aws-cn/api_with_cors.json @@ -157,6 +157,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -207,6 +210,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -356,6 +362,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -416,6 +425,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-cn/api_with_cors_and_only_credentials_false.json b/tests/translator/output/aws-cn/api_with_cors_and_only_credentials_false.json index 06e79c17a3..9c66b13a6a 100644 --- a/tests/translator/output/aws-cn/api_with_cors_and_only_credentials_false.json +++ b/tests/translator/output/aws-cn/api_with_cors_and_only_credentials_false.json @@ -82,6 +82,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -124,6 +127,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { diff --git a/tests/translator/output/aws-cn/api_with_cors_and_only_headers.json b/tests/translator/output/aws-cn/api_with_cors_and_only_headers.json index 9b591919ed..951125fe7c 100644 --- a/tests/translator/output/aws-cn/api_with_cors_and_only_headers.json +++ b/tests/translator/output/aws-cn/api_with_cors_and_only_headers.json @@ -175,6 +175,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -221,6 +224,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { 
@@ -375,6 +381,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-cn/api_with_cors_and_only_maxage.json b/tests/translator/output/aws-cn/api_with_cors_and_only_maxage.json index 6b05e51fb6..4ba29153fc 100644 --- a/tests/translator/output/aws-cn/api_with_cors_and_only_maxage.json +++ b/tests/translator/output/aws-cn/api_with_cors_and_only_maxage.json @@ -86,6 +86,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -132,6 +135,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { diff --git a/tests/translator/output/aws-cn/api_with_cors_and_only_methods.json b/tests/translator/output/aws-cn/api_with_cors_and_only_methods.json index d80aee0cb3..64f849fe80 100644 --- a/tests/translator/output/aws-cn/api_with_cors_and_only_methods.json +++ b/tests/translator/output/aws-cn/api_with_cors_and_only_methods.json @@ -161,6 +161,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-cn/api_with_cors_and_only_origins.json b/tests/translator/output/aws-cn/api_with_cors_and_only_origins.json index 6473b25a3a..2d2394fb7f 100644 --- a/tests/translator/output/aws-cn/api_with_cors_and_only_origins.json +++ b/tests/translator/output/aws-cn/api_with_cors_and_only_origins.json @@ -183,6 +183,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -225,6 +228,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -363,6 +369,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-cn/api_with_cors_no_definitionbody.json b/tests/translator/output/aws-cn/api_with_cors_no_definitionbody.json index ff72170ebd..5ec67cdfac 100644 
--- a/tests/translator/output/aws-cn/api_with_cors_no_definitionbody.json +++ b/tests/translator/output/aws-cn/api_with_cors_no_definitionbody.json @@ -188,6 +188,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-us-gov/api_with_cors.json b/tests/translator/output/aws-us-gov/api_with_cors.json index ccc64a1589..322733c955 100644 --- a/tests/translator/output/aws-us-gov/api_with_cors.json +++ b/tests/translator/output/aws-us-gov/api_with_cors.json @@ -167,6 +167,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -217,6 +220,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -356,6 +362,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -416,6 +425,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-us-gov/api_with_cors_and_only_credentials_false.json b/tests/translator/output/aws-us-gov/api_with_cors_and_only_credentials_false.json index 06e79c17a3..9c66b13a6a 100644 --- a/tests/translator/output/aws-us-gov/api_with_cors_and_only_credentials_false.json +++ b/tests/translator/output/aws-us-gov/api_with_cors_and_only_credentials_false.json @@ -82,6 +82,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -124,6 +127,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { diff --git a/tests/translator/output/aws-us-gov/api_with_cors_and_only_headers.json b/tests/translator/output/aws-us-gov/api_with_cors_and_only_headers.json index b8f450bbff..4347e1d1b6 100644 --- a/tests/translator/output/aws-us-gov/api_with_cors_and_only_headers.json +++ b/tests/translator/output/aws-us-gov/api_with_cors_and_only_headers.json 
@@ -187,6 +187,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -233,6 +236,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -375,6 +381,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-us-gov/api_with_cors_and_only_maxage.json b/tests/translator/output/aws-us-gov/api_with_cors_and_only_maxage.json index 6b05e51fb6..4ba29153fc 100644 --- a/tests/translator/output/aws-us-gov/api_with_cors_and_only_maxage.json +++ b/tests/translator/output/aws-us-gov/api_with_cors_and_only_maxage.json @@ -86,6 +86,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -132,6 +135,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { diff --git a/tests/translator/output/aws-us-gov/api_with_cors_and_only_methods.json b/tests/translator/output/aws-us-gov/api_with_cors_and_only_methods.json index d80c580bca..6e95815c8d 100644 --- a/tests/translator/output/aws-us-gov/api_with_cors_and_only_methods.json +++ b/tests/translator/output/aws-us-gov/api_with_cors_and_only_methods.json @@ -151,6 +151,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-us-gov/api_with_cors_and_only_origins.json b/tests/translator/output/aws-us-gov/api_with_cors_and_only_origins.json index 50bdec9beb..bffdd5e9ad 100644 --- a/tests/translator/output/aws-us-gov/api_with_cors_and_only_origins.json +++ b/tests/translator/output/aws-us-gov/api_with_cors_and_only_origins.json @@ -183,6 +183,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] } }, @@ -225,6 +228,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "x-amazon-apigateway-any-method": { 
@@ -363,6 +369,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-us-gov/api_with_cors_no_definitionbody.json b/tests/translator/output/aws-us-gov/api_with_cors_no_definitionbody.json index 070ed12f59..6c66f44ab5 100644 --- a/tests/translator/output/aws-us-gov/api_with_cors_no_definitionbody.json +++ b/tests/translator/output/aws-us-gov/api_with_cors_no_definitionbody.json @@ -188,6 +188,9 @@ }, "produces": [ "application/json" + ], + "security": [ + {"NONE": []} ] }, "get": { From 272fb2d55c58c294084260025d981a6844b93dc0 Mon Sep 17 00:00:00 2001 
From: Jason Butz Date: Fri, 1 Mar 2019 13:43:14 -0500 Subject: [PATCH 3/6] Revert "Update tests to validate OPTIONS API Gateway paths" This reverts commit 9bb37ed9865acd11b79120060942e9b777b9bb5a. --- tests/swagger/test_swagger.py | 5 +---- tests/translator/output/api_with_cors.json | 12 ------------ .../api_with_cors_and_only_credentials_false.json | 6 ------ .../output/api_with_cors_and_only_headers.json | 9 --------- .../output/api_with_cors_and_only_maxage.json | 6 ------ .../output/api_with_cors_and_only_methods.json | 3 --- .../output/api_with_cors_and_only_origins.json | 9 --------- .../output/api_with_cors_no_definitionbody.json | 3 --- tests/translator/output/aws-cn/api_with_cors.json | 12 ------------ .../api_with_cors_and_only_credentials_false.json | 6 ------ .../aws-cn/api_with_cors_and_only_headers.json | 9 --------- .../output/aws-cn/api_with_cors_and_only_maxage.json | 6 ------ .../aws-cn/api_with_cors_and_only_methods.json | 3 --- .../aws-cn/api_with_cors_and_only_origins.json | 9 --------- .../aws-cn/api_with_cors_no_definitionbody.json | 3 --- .../translator/output/aws-us-gov/api_with_cors.json | 12 ------------ .../api_with_cors_and_only_credentials_false.json | 6 ------ .../aws-us-gov/api_with_cors_and_only_headers.json | 9 --------- .../aws-us-gov/api_with_cors_and_only_maxage.json | 6 ------ .../aws-us-gov/api_with_cors_and_only_methods.json | 3 --- .../aws-us-gov/api_with_cors_and_only_origins.json | 9 --------- .../aws-us-gov/api_with_cors_no_definitionbody.json | 3 --- 22 files changed, 1 insertion(+), 148 deletions(-) diff --git a/tests/swagger/test_swagger.py b/tests/swagger/test_swagger.py index 61a25b4d9c..26b4a5cee7 100644 --- a/tests/swagger/test_swagger.py +++ b/tests/swagger/test_swagger.py @@ -479,10 +479,7 @@ def test_correct_value_is_returned(self): } } } - }, - "security": [ - {"NONE": []} - ] + } } actual = SwaggerEditor(SwaggerEditor.gen_skeleton())._options_method_response_for_cors(origins, headers, 
diff --git a/tests/translator/output/api_with_cors.json b/tests/translator/output/api_with_cors.json index 2141b1b0d8..65525b4cae 100644 --- a/tests/translator/output/api_with_cors.json +++ b/tests/translator/output/api_with_cors.json @@ -191,9 +191,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -244,9 +241,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -354,9 +348,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -417,9 +408,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/api_with_cors_and_only_credentials_false.json b/tests/translator/output/api_with_cors_and_only_credentials_false.json index 9ce6142f07..4e1658dba8 100644 --- a/tests/translator/output/api_with_cors_and_only_credentials_false.json +++ b/tests/translator/output/api_with_cors_and_only_credentials_false.json @@ -82,9 +82,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -127,9 +124,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { diff --git a/tests/translator/output/api_with_cors_and_only_headers.json b/tests/translator/output/api_with_cors_and_only_headers.json index 3ecc3dd99c..18f5413492 100644 --- a/tests/translator/output/api_with_cors_and_only_headers.json +++ b/tests/translator/output/api_with_cors_and_only_headers.json @@ -177,9 +177,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -226,9 +223,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -373,9 +367,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "get": { 
diff --git a/tests/translator/output/api_with_cors_and_only_maxage.json b/tests/translator/output/api_with_cors_and_only_maxage.json index 5f885d4532..65a15ae908 100644 --- a/tests/translator/output/api_with_cors_and_only_maxage.json +++ b/tests/translator/output/api_with_cors_and_only_maxage.json @@ -86,9 +86,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -135,9 +132,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { diff --git a/tests/translator/output/api_with_cors_and_only_methods.json b/tests/translator/output/api_with_cors_and_only_methods.json index 658052ff76..8fce751364 100644 --- a/tests/translator/output/api_with_cors_and_only_methods.json +++ b/tests/translator/output/api_with_cors_and_only_methods.json @@ -161,9 +161,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/api_with_cors_and_only_origins.json b/tests/translator/output/api_with_cors_and_only_origins.json index 8ad78f4799..ad38022aee 100644 --- a/tests/translator/output/api_with_cors_and_only_origins.json +++ b/tests/translator/output/api_with_cors_and_only_origins.json @@ -193,9 +193,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -238,9 +235,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -361,9 +355,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/api_with_cors_no_definitionbody.json b/tests/translator/output/api_with_cors_no_definitionbody.json index 25a97ee88f..d4c2976cec 100644 --- a/tests/translator/output/api_with_cors_no_definitionbody.json +++ b/tests/translator/output/api_with_cors_no_definitionbody.json @@ -188,9 +188,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "get": { 
diff --git a/tests/translator/output/aws-cn/api_with_cors.json b/tests/translator/output/aws-cn/api_with_cors.json index 0be9b3696a..9bdba92001 100644 --- a/tests/translator/output/aws-cn/api_with_cors.json +++ b/tests/translator/output/aws-cn/api_with_cors.json @@ -157,9 +157,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -210,9 +207,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -362,9 +356,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -425,9 +416,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-cn/api_with_cors_and_only_credentials_false.json b/tests/translator/output/aws-cn/api_with_cors_and_only_credentials_false.json index 9c66b13a6a..06e79c17a3 100644 --- a/tests/translator/output/aws-cn/api_with_cors_and_only_credentials_false.json +++ b/tests/translator/output/aws-cn/api_with_cors_and_only_credentials_false.json @@ -82,9 +82,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -127,9 +124,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { diff --git a/tests/translator/output/aws-cn/api_with_cors_and_only_headers.json b/tests/translator/output/aws-cn/api_with_cors_and_only_headers.json index 951125fe7c..9b591919ed 100644 --- a/tests/translator/output/aws-cn/api_with_cors_and_only_headers.json +++ b/tests/translator/output/aws-cn/api_with_cors_and_only_headers.json @@ -175,9 +175,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -224,9 +221,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { 
@@ -381,9 +375,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-cn/api_with_cors_and_only_maxage.json b/tests/translator/output/aws-cn/api_with_cors_and_only_maxage.json index 4ba29153fc..6b05e51fb6 100644 --- a/tests/translator/output/aws-cn/api_with_cors_and_only_maxage.json +++ b/tests/translator/output/aws-cn/api_with_cors_and_only_maxage.json @@ -86,9 +86,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -135,9 +132,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { diff --git a/tests/translator/output/aws-cn/api_with_cors_and_only_methods.json b/tests/translator/output/aws-cn/api_with_cors_and_only_methods.json index 64f849fe80..d80aee0cb3 100644 --- a/tests/translator/output/aws-cn/api_with_cors_and_only_methods.json +++ b/tests/translator/output/aws-cn/api_with_cors_and_only_methods.json @@ -161,9 +161,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-cn/api_with_cors_and_only_origins.json b/tests/translator/output/aws-cn/api_with_cors_and_only_origins.json index 2d2394fb7f..6473b25a3a 100644 --- a/tests/translator/output/aws-cn/api_with_cors_and_only_origins.json +++ b/tests/translator/output/aws-cn/api_with_cors_and_only_origins.json @@ -183,9 +183,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -228,9 +225,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -369,9 +363,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-cn/api_with_cors_no_definitionbody.json b/tests/translator/output/aws-cn/api_with_cors_no_definitionbody.json index 5ec67cdfac..ff72170ebd 100644 
--- a/tests/translator/output/aws-cn/api_with_cors_no_definitionbody.json +++ b/tests/translator/output/aws-cn/api_with_cors_no_definitionbody.json @@ -188,9 +188,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-us-gov/api_with_cors.json b/tests/translator/output/aws-us-gov/api_with_cors.json index 322733c955..ccc64a1589 100644 --- a/tests/translator/output/aws-us-gov/api_with_cors.json +++ b/tests/translator/output/aws-us-gov/api_with_cors.json @@ -167,9 +167,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -220,9 +217,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -362,9 +356,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -425,9 +416,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-us-gov/api_with_cors_and_only_credentials_false.json b/tests/translator/output/aws-us-gov/api_with_cors_and_only_credentials_false.json index 9c66b13a6a..06e79c17a3 100644 --- a/tests/translator/output/aws-us-gov/api_with_cors_and_only_credentials_false.json +++ b/tests/translator/output/aws-us-gov/api_with_cors_and_only_credentials_false.json @@ -82,9 +82,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -127,9 +124,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { diff --git a/tests/translator/output/aws-us-gov/api_with_cors_and_only_headers.json b/tests/translator/output/aws-us-gov/api_with_cors_and_only_headers.json index 4347e1d1b6..b8f450bbff 100644 --- a/tests/translator/output/aws-us-gov/api_with_cors_and_only_headers.json +++ b/tests/translator/output/aws-us-gov/api_with_cors_and_only_headers.json 
@@ -187,9 +187,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -236,9 +233,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { @@ -381,9 +375,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-us-gov/api_with_cors_and_only_maxage.json b/tests/translator/output/aws-us-gov/api_with_cors_and_only_maxage.json index 4ba29153fc..6b05e51fb6 100644 --- a/tests/translator/output/aws-us-gov/api_with_cors_and_only_maxage.json +++ b/tests/translator/output/aws-us-gov/api_with_cors_and_only_maxage.json @@ -86,9 +86,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -135,9 +132,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { diff --git a/tests/translator/output/aws-us-gov/api_with_cors_and_only_methods.json b/tests/translator/output/aws-us-gov/api_with_cors_and_only_methods.json index 6e95815c8d..d80c580bca 100644 --- a/tests/translator/output/aws-us-gov/api_with_cors_and_only_methods.json +++ b/tests/translator/output/aws-us-gov/api_with_cors_and_only_methods.json @@ -151,9 +151,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "get": { diff --git a/tests/translator/output/aws-us-gov/api_with_cors_and_only_origins.json b/tests/translator/output/aws-us-gov/api_with_cors_and_only_origins.json index bffdd5e9ad..50bdec9beb 100644 --- a/tests/translator/output/aws-us-gov/api_with_cors_and_only_origins.json +++ b/tests/translator/output/aws-us-gov/api_with_cors_and_only_origins.json @@ -183,9 +183,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] } }, @@ -228,9 +225,6 @@ }, "produces": [ "application/json" - ], - "security": [ - {"NONE": []} ] }, "x-amazon-apigateway-any-method": { 
@@ -369,9 +363,6 @@
},
"produces": [
"application/json"
- ],
- "security": [
- {"NONE": []}
]
},
"get": {
diff --git a/tests/translator/output/aws-us-gov/api_with_cors_no_definitionbody.json b/tests/translator/output/aws-us-gov/api_with_cors_no_definitionbody.json
index 6c66f44ab5..070ed12f59 100644
--- a/tests/translator/output/aws-us-gov/api_with_cors_no_definitionbody.json
+++ b/tests/translator/output/aws-us-gov/api_with_cors_no_definitionbody.json
@@ -188,9 +188,6 @@
},
"produces": [
"application/json"
- ],
- "security": [
- {"NONE": []}
]
},
"get": {
From 0d6034596211ce4b2bb553984d3fed80a6f668bd Mon Sep 17 00:00:00 2001
From: Jason Butz
Date: Fri, 1 Mar 2019 13:43:20 -0500
Subject: [PATCH 4/6] Revert "Ensure no security on OPTIONS API Gateway paths"
This reverts commit 35b1890cd6db4a664e935d010fa065c21be43ff7.
---
samtranslator/swagger/swagger.py | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/samtranslator/swagger/swagger.py b/samtranslator/swagger/swagger.py
index 7c379c32ea..bc7a5e54f4 100644
--- a/samtranslator/swagger/swagger.py
+++ b/samtranslator/swagger/swagger.py
@@ -255,10 +255,7 @@ def _options_method_response_for_cors(self, allowed_origins, allowed_headers=Non
"description": "Default response for CORS method",
"headers": response_headers
}
- },
- "security": [
- {"NONE": []}
- ]
+ }
}
def _make_cors_allowed_methods_for_path(self, path):
From b57ba102b738db0b3c47f00e29cb5f23ca9117fa Mon Sep 17 00:00:00 2001
From: Jason Butz
Date: Fri, 1 Mar 2019 14:52:34 -0500
Subject: [PATCH 5/6] Add AddDefaultAuthorizerToCorsPreflight API Auth Property
---
samtranslator/model/api/api_generator.py | 14 +++++++++-----
samtranslator/swagger/swagger.py | 9 ++++++---
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/samtranslator/model/api/api_generator.py b/samtranslator/model/api/api_generator.py
index 95ee8628d4..deed6b834c 100644
--- a/samtranslator/model/api/api_generator.py
+++ b/samtranslator/model/api/api_generator.py
@@ -18,8 +18,9 @@ # Default the Cors Properties to '*' wildcard and False AllowCredentials. Other properties are actually Optional CorsProperties.__new__.__defaults__ = (None, None, _CORS_WILDCARD, None, False) -AuthProperties = namedtuple("_AuthProperties", ["Authorizers", "DefaultAuthorizer"]) -AuthProperties.__new__.__defaults__ = (None, None) +AuthProperties = namedtuple("_AuthProperties", ["Authorizers", "DefaultAuthorizer", + "AddDefaultAuthorizerToCorsPreflight"]) +AuthProperties.__new__.__defaults__ = (None, None, True) class ApiGenerator(object): @@ -264,7 +265,8 @@ def _add_auth(self): if authorizers: swagger_editor.add_authorizers(authorizers) - self._set_default_authorizer(swagger_editor, authorizers, auth_properties.DefaultAuthorizer) + self._set_default_authorizer(swagger_editor, authorizers, auth_properties.DefaultAuthorizer, + auth_properties.AddDefaultAuthorizerToCorsPreflight) # Assign the Swagger back to template self.definition_body = swagger_editor.swagger @@ -335,7 +337,8 @@ def _construct_authorizer_lambda_permission(self): return permissions - def _set_default_authorizer(self, swagger_editor, authorizers, default_authorizer): + def _set_default_authorizer(self, swagger_editor, authorizers, default_authorizer, + add_default_authorizer_to_cors_preflight): if not default_authorizer: return @@ -344,7 +347,8 @@ def _set_default_authorizer(self, swagger_editor, authorizers, default_authorize default_authorizer + "' was not defined in 'Authorizers'") for path in swagger_editor.iter_on_path(): - swagger_editor.set_path_default_authorizer(path, default_authorizer, authorizers=authorizers) + swagger_editor.set_path_default_authorizer(path, default_authorizer, authorizers=authorizers, + addDefaultAuthorizerToCorsPreflight=add_default_authorizer_to_cors_preflight) def _set_endpoint_configuration(self, rest_api, value): """ diff --git a/samtranslator/swagger/swagger.py b/samtranslator/swagger/swagger.py index bc7a5e54f4..11c955135b 100644 
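Review bot: The keyword used at the call site in `_set_default_authorizer`, `addDefaultAuthorizerToCorsPreflight=add_default_authorizer_to_cors_preflight`, does not match the parameter this same patch adds to `SwaggerEditor.set_path_default_authorizer`, which is spelled `add_default_authorizer_to_cors_preflight`, so any template that sets a DefaultAuthorizer would fail translation with a TypeError for an unexpected keyword argument. The call should read `swagger_editor.set_path_default_authorizer(path, default_authorizer, authorizers=authorizers, add_default_authorizer_to_cors_preflight=add_default_authorizer_to_cors_preflight)`. The new namedtuple default of `True` keeps existing templates applying the authorizer to the preflight method, which is the fail-safe choice, but the value comes straight from the template's `Auth` block and is not validated as a boolean anywhere visible here; a short comment such as `# default True: existing templates keep the DefaultAuthorizer on OPTIONS unless they opt out` would make that intent explicit. `_add_auth` and `_set_default_authorizer` both begin outside these hunks.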
--- a/samtranslator/swagger/swagger.py +++ b/samtranslator/swagger/swagger.py @@ -310,7 +310,8 @@ def add_authorizers(self, authorizers): for authorizerName, authorizer in authorizers.items(): self.security_definitions[authorizerName] = authorizer.generate_swagger() - def set_path_default_authorizer(self, path, default_authorizer, authorizers): + def set_path_default_authorizer(self, path, default_authorizer, authorizers, + add_default_authorizer_to_cors_preflight = True): """ Sets the DefaultAuthorizer for each method on this path. The DefaultAuthorizer won't be set if an Authorizer was defined at the Function/Path/Method level @@ -321,8 +322,10 @@ def set_path_default_authorizer(self, path, default_authorizer, authorizers): :param list authorizers: List of Authorizer configurations defined on the related Api. """ for method_name, method in self.paths[path].items(): - self.set_method_authorizer(path, method_name, default_authorizer, authorizers, - default_authorizer=default_authorizer, is_default=True) + normalized_method_name = self._normalize_method_name(method_name) + if not (add_default_authorizer_to_cors_preflight is False and normalized_method_name == "options"): + self.set_method_authorizer(path, normalized_method_name, default_authorizer, authorizers, + default_authorizer=default_authorizer, is_default=True) def add_auth_to_method(self, path, method_name, auth, api): """ From eefe54c002de2862e207f5c36d0d0f2228d4757e Mon Sep 17 00:00:00 2001 From: Jason Butz Date: Fri, 1 Mar 2019 14:53:25 -0500 Subject: [PATCH 6/6] Add Translator No Preflight Auth Test Input --- ..._with_cors_and_auth_no_preflight_auth.yaml | 41 +++++++++++++++++++ tests/translator/test_translator.py | 1 + 2 files changed, 42 insertions(+) create mode 100644 tests/translator/input/api_with_cors_and_auth_no_preflight_auth.yaml 
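Review bot: The guard `normalized_method_name == "options"` in `set_path_default_authorizer` skips the DefaultAuthorizer for every OPTIONS method on the path when the flag is False, not only for the mock preflight that `_options_method_response_for_cors` generates, so a user-defined OPTIONS method with a real integration would silently be left without default auth; if the editor can tell generated CORS methods apart, gate on that instead, otherwise state the limitation in the docstring. The `is False` comparison is fail-closed, since a non-boolean value such as the string `"false"` coming from the template still leaves the authorizer on the preflight, which is the right direction but deserves a one-line comment saying so. The docstring should document the new parameter, for example `:param bool add_default_authorizer_to_cors_preflight: when False, OPTIONS methods on this path are left without the DefaultAuthorizer (CORS preflight requests carry no credentials)`. Passing `normalized_method_name` rather than the raw key to `set_method_authorizer` is also a behavioural change for paths whose OPTIONS key is not already lower-case; I cannot see `set_method_authorizer` here, so please confirm it looks the method up by the normalized name. Minor style: `add_default_authorizer_to_cors_preflight = True` should be `add_default_authorizer_to_cors_preflight=True` per PEP 8.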
diff --git a/tests/translator/input/api_with_cors_and_auth_no_preflight_auth.yaml b/tests/translator/input/api_with_cors_and_auth_no_preflight_auth.yaml new file mode 100644 index 0000000000..cf6c97ec79 --- /dev/null +++ b/tests/translator/input/api_with_cors_and_auth_no_preflight_auth.yaml @@ -0,0 +1,41 @@ +Globals: + Api: + Cors: "origins" + +Resources: + ApiFunction: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://sam-demo-bucket/member_portal.zip + Handler: index.gethtml + Runtime: nodejs4.3 + Events: + GetHtml: + Type: Api + Properties: + Path: / + Method: get + RestApiId: !Ref ServerlessApi + + PostHtml: + Type: Api + Properties: + Path: / + Method: post + RestApiId: !Ref ServerlessApi + + + ServerlessApi: + Type: AWS::Serverless::Api + Properties: + StageName: Prod + Auth: + AddDefaultAuthorizerToCorsPreflight: False + DefaultAuthorizer: MyLambdaRequestAuth + Authorizers: + MyLambdaRequestAuth: + FunctionPayloadType: REQUEST + FunctionArn: !GetAtt MyAuthFn.Arn + Identity: + Headers: + - Authorization1 \ No newline at end of file diff --git a/tests/translator/test_translator.py b/tests/translator/test_translator.py index 7200f878e8..5729a7ef02 100644 --- a/tests/translator/test_translator.py +++ b/tests/translator/test_translator.py @@ -167,6 +167,7 @@ class TestTranslatorEndToEnd(TestCase): 'api_with_cors_and_only_maxage', 'api_with_cors_and_only_credentials_false', 'api_with_cors_no_definitionbody', + 'api_with_cors_and_auth_no_preflight_auth', 'api_cache', 'api_with_access_log_setting', 'api_with_canary_setting',
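Review bot: The new name `api_with_cors_and_auth_no_preflight_auth` is added to the `TestTranslatorEndToEnd` list, but the diffstat for this patch shows only the YAML input and test_translator.py; the earlier patches in this series paired every CORS input with expected-output JSON under `tests/translator/output/` (plus the aws-cn and aws-us-gov variants), so this test appears likely to fail on a missing expected-output file rather than actually verifying that the generated OPTIONS method carries no `security` entry. The expected outputs should be added, and the assertion that matters is that the OPTIONS method has no `security` block while `get` and `post` still reference `MyLambdaRequestAuth`. The input also references `!GetAtt MyAuthFn.Arn` without defining a `MyAuthFn` resource; that may be fine if the translator does not resolve references, but please confirm it matches the other authorizer fixtures. The file is also missing a trailing newline.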