Bugfix: CORS Security

samtranslator/model/api/api_generator.py

@@ -18,8 +18,9 @@
 # Default the Cors Properties to '*' wildcard and False AllowCredentials. Other properties are actually Optional
 CorsProperties.__new__.__defaults__ = (None, None, _CORS_WILDCARD, None, False)
 
-AuthProperties = namedtuple("_AuthProperties", ["Authorizers", "DefaultAuthorizer"])
-AuthProperties.__new__.__defaults__ = (None, None)
+AuthProperties = namedtuple("_AuthProperties", ["Authorizers", "DefaultAuthorizer",
+                                                "AddDefaultAuthorizerToCorsPreflight"])
+AuthProperties.__new__.__defaults__ = (None, None, True)
 
 
 class ApiGenerator(object):
@@ -264,7 +265,8 @@ def _add_auth(self):
 
         if authorizers:
             swagger_editor.add_authorizers(authorizers)
-            self._set_default_authorizer(swagger_editor, authorizers, auth_properties.DefaultAuthorizer)
+            self._set_default_authorizer(swagger_editor, authorizers, auth_properties.DefaultAuthorizer,
+                 auth_properties.AddDefaultAuthorizerToCorsPreflight)
 
         # Assign the Swagger back to template
         self.definition_body = swagger_editor.swagger
@@ -335,7 +337,8 @@ def _construct_authorizer_lambda_permission(self):
 
         return permissions
 
-    def _set_default_authorizer(self, swagger_editor, authorizers, default_authorizer):
+    def _set_default_authorizer(self, swagger_editor, authorizers, default_authorizer,
+                                add_default_authorizer_to_cors_preflight):
         if not default_authorizer:
             return
 
@@ -344,7 +347,8 @@ def _set_default_authorizer(self, swagger_editor, authorizers, default_authorize
                                            default_authorizer + "' was not defined in 'Authorizers'")
 
         for path in swagger_editor.iter_on_path():
-            swagger_editor.set_path_default_authorizer(path, default_authorizer, authorizers=authorizers)
+            swagger_editor.set_path_default_authorizer(path, default_authorizer, authorizers=authorizers,
+                           addDefaultAuthorizerToCorsPreflight=add_default_authorizer_to_cors_preflight)
 
     def _set_endpoint_configuration(self, rest_api, value):
         """

samtranslator/swagger/swagger.py

@@ -310,7 +310,8 @@ def add_authorizers(self, authorizers):
         for authorizerName, authorizer in authorizers.items():
             self.security_definitions[authorizerName] = authorizer.generate_swagger()
 
-    def set_path_default_authorizer(self, path, default_authorizer, authorizers):
+    def set_path_default_authorizer(self, path, default_authorizer, authorizers,
+                                    add_default_authorizer_to_cors_preflight = True):
         """
         Sets the DefaultAuthorizer for each method on this path. The DefaultAuthorizer won't be set if an Authorizer
         was defined at the Function/Path/Method level
@@ -321,8 +322,10 @@ def set_path_default_authorizer(self, path, default_authorizer, authorizers):
         :param list authorizers: List of Authorizer configurations defined on the related Api.
         """
         for method_name, method in self.paths[path].items():
-            self.set_method_authorizer(path, method_name, default_authorizer, authorizers,
-                                       default_authorizer=default_authorizer, is_default=True)
+            normalized_method_name = self._normalize_method_name(method_name)
+            if not (add_default_authorizer_to_cors_preflight is False and normalized_method_name == "options"):
+                self.set_method_authorizer(path, normalized_method_name, default_authorizer, authorizers,
+                                        default_authorizer=default_authorizer, is_default=True)
 
     def add_auth_to_method(self, path, method_name, auth, api):
         """

tests/translator/input/api_with_cors_and_auth_no_preflight_auth.yaml

@@ -0,0 +1,41 @@
+Globals:
+  Api:
+    Cors: "origins"
+
+Resources:
+  ApiFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://sam-demo-bucket/member_portal.zip
+      Handler: index.gethtml
+      Runtime: nodejs4.3
+      Events:
+        GetHtml:
+          Type: Api
+          Properties:
+            Path: /
+            Method: get
+            RestApiId: !Ref ServerlessApi
+
+        PostHtml:
+          Type: Api
+          Properties:
+            Path: /
+            Method: post
+            RestApiId: !Ref ServerlessApi
+
+
+  ServerlessApi:
+    Type: AWS::Serverless::Api
+    Properties:
+      StageName: Prod
+      Auth:
+        AddDefaultAuthorizerToCorsPreflight: False
+        DefaultAuthorizer: MyLambdaRequestAuth
+        Authorizers:
+          MyLambdaRequestAuth:
+            FunctionPayloadType: REQUEST
+            FunctionArn: !GetAtt MyAuthFn.Arn
+            Identity:
+              Headers:
+                - Authorization1

tests/translator/test_translator.py

@@ -167,6 +167,7 @@ class TestTranslatorEndToEnd(TestCase):
         'api_with_cors_and_only_maxage',
         'api_with_cors_and_only_credentials_false',
         'api_with_cors_no_definitionbody',
+        'api_with_cors_and_auth_no_preflight_auth',
         'api_cache',
         'api_with_access_log_setting',
         'api_with_canary_setting',