Issue 1508 remove check requiring identity to be required if ReauthorizeEvery equals zero (aws#1577)

daftster · moelasmar · qingchm · commit dc7413d23a93 · 2021-05-13T15:21:54.000-07:00
* remove check requiring identity to be required Check removed to avoid must specify Identity with at least one of Headers, QueryStrings, StageVariables, or Context. error. This is allowed to be removed from aws console. * set identity to empty dictionary Revert back removal of code section and set identity to empty dictionary instead when function_payload_type is "REQUEST" and no identity defined. * use the correct identity variable fix issue catched by unit test. * Update apigateway.py just set the identity to None * undo change. * remove extra spaces * remove some more spaces * Update test_translator.py remove from test case error_api_invalid_auth as this should be valid. * make the Lambda Authorizer is optional if the authorization caching is not enabled (reference https://docs.aws.amazon.com/apigateway/api-reference/resource/authorizer/#identitySource) * add unit testing to cover the InvalidResourceException in case if the identity values are not exist, and not cached * black reformat Co-authored-by: Mohamed Elasmar <melasmar@amazon.com>
diff --git a/samtranslator/model/apigateway.py b/samtranslator/model/apigateway.py
@@ -267,8 +267,9 @@ def _is_missing_identity_source(self, identity):
         query_strings = identity.get("QueryStrings")
         stage_variables = identity.get("StageVariables")
         context = identity.get("Context")
+        ttl = identity.get("ReauthorizeEvery")
 
-        if not headers and not query_strings and not stage_variables and not context:
+        if (ttl is None or int(ttl) > 0) and not headers and not query_strings and not stage_variables and not context:
             return True
 
         return False
@@ -311,7 +312,9 @@ def generate_swagger(self):
                 swagger[APIGATEWAY_AUTHORIZER_KEY]["authorizerCredentials"] = function_invoke_role
 
             if self._get_function_payload_type() == "REQUEST":
-                swagger[APIGATEWAY_AUTHORIZER_KEY]["identitySource"] = self._get_identity_source()
+                identity_source = self._get_identity_source()
+                if identity_source:
+                    swagger[APIGATEWAY_AUTHORIZER_KEY]["identitySource"] = self._get_identity_source()
 
         # Authorizer Validation Expression is only allowed on COGNITO_USER_POOLS and LAMBDA_TOKEN
         is_lambda_token_authorizer = authorizer_type == "LAMBDA" and self._get_function_payload_type() == "TOKEN"
diff --git a/tests/model/test_api.py b/tests/model/test_api.py
@@ -17,3 +17,18 @@ def test_create_authorizer_fails_with_string_authorization_scopes(self):
             auth = ApiGatewayAuthorizer(
                 api_logical_id="logicalId", name="authName", authorization_scopes="invalid_scope"
             )
+
+    def test_create_authorizer_fails_with_missing_identity_values_and_not_cached(self):
+        with pytest.raises(InvalidResourceException):
+            auth = ApiGatewayAuthorizer(
+                api_logical_id="logicalId",
+                name="authName",
+                identity={"ReauthorizeEvery": 10},
+                function_payload_type="REQUEST",
+            )
+
+    def test_create_authorizer_fails_with_empty_identity(self):
+        with pytest.raises(InvalidResourceException):
+            auth = ApiGatewayAuthorizer(
+                api_logical_id="logicalId", name="authName", identity={}, function_payload_type="REQUEST"
+            )
diff --git a/tests/translator/input/api_with_auth_all_minimum.yaml b/tests/translator/input/api_with_auth_all_minimum.yaml
@@ -32,6 +32,20 @@ Resources:
             Identity:
               Headers:
                 - Authorization1
+
+  MyApiWithNotCachedLambdaRequestAuth:
+    Type: "AWS::Serverless::Api"
+    Properties:
+      StageName: Prod
+      Auth:
+        DefaultAuthorizer: MyLambdaRequestAuth
+        Authorizers:
+          MyLambdaRequestAuth:
+            FunctionPayloadType: REQUEST
+            FunctionArn: !GetAtt MyAuthFn.Arn
+            Identity:
+              ReauthorizeEvery: 0
+
   MyAuthFn:
     Type: AWS::Serverless::Function
     Properties:
@@ -63,6 +77,12 @@ Resources:
             RestApiId: !Ref MyApiWithLambdaRequestAuth
             Method: get
             Path: /lambda-request
+        LambdaNotCachedRequest:
+          Type: Api
+          Properties:
+            RestApiId: !Ref MyApiWithNotCachedLambdaRequestAuth
+            Method: get
+            Path: /not-cached-lambda-request
   MyUserPool:
     Type: AWS::Cognito::UserPool
     Properties:
diff --git a/tests/translator/output/api_with_auth_all_minimum.json b/tests/translator/output/api_with_auth_all_minimum.json
@@ -63,7 +63,19 @@
         }, 
         "StageName": "Prod"
       }
-    }, 
+    },
+    "MyApiWithNotCachedLambdaRequestAuthProdStage": {
+      "Type": "AWS::ApiGateway::Stage",
+      "Properties": {
+        "DeploymentId": {
+          "Ref": "MyApiWithNotCachedLambdaRequestAuthDeployment444f67cd7c"
+        },
+        "RestApiId": {
+          "Ref": "MyApiWithNotCachedLambdaRequestAuth"
+        },
+        "StageName": "Prod"
+      }
+    },
     "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": {
       "Type": "AWS::Lambda::Permission", 
       "Properties": {
@@ -205,7 +217,30 @@
           ]
         }
       }
-    }, 
+    },
+    "MyApiWithNotCachedLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": {
+      "Type": "AWS::Lambda::Permission",
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "Principal": "apigateway.amazonaws.com",
+        "FunctionName": {
+          "Fn::GetAtt": [
+            "MyAuthFn",
+            "Arn"
+          ]
+        },
+        "SourceArn": {
+          "Fn::Sub": [
+            "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*",
+            {
+              "__ApiId__": {
+                "Ref": "MyApiWithNotCachedLambdaRequestAuth"
+              }
+            }
+          ]
+        }
+      }
+    },
     "MyFnLambdaTokenPermissionProd": {
       "Type": "AWS::Lambda::Permission", 
       "Properties": {
@@ -236,7 +271,17 @@
         "Description": "RestApi deployment id: 6e52add211cda52ae10a7cc0e0afcf4afc682f9f", 
         "StageName": "Stage"
       }
-    }, 
+    },
+    "MyApiWithNotCachedLambdaRequestAuthDeployment444f67cd7c": {
+      "Type": "AWS::ApiGateway::Deployment",
+      "Properties": {
+        "RestApiId": {
+          "Ref": "MyApiWithNotCachedLambdaRequestAuth"
+        },
+        "Description": "RestApi deployment id: 444f67cd7c6475a698a0101480ba99b498325e90",
+        "StageName": "Stage"
+      }
+    },
     "MyFnLambdaRequestPermissionProd": {
       "Type": "AWS::Lambda::Permission", 
       "Properties": {
@@ -257,7 +302,28 @@
           ]
         }
       }
-    }, 
+    },
+    "MyFnLambdaNotCachedRequestPermissionProd": {
+      "Type": "AWS::Lambda::Permission",
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "Principal": "apigateway.amazonaws.com",
+        "FunctionName": {
+          "Ref": "MyFn"
+        },
+        "SourceArn": {
+          "Fn::Sub": [
+            "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/not-cached-lambda-request",
+            {
+              "__Stage__": "*",
+              "__ApiId__": {
+                "Ref": "MyApiWithNotCachedLambdaRequestAuth"
+              }
+            }
+          ]
+        }
+      }
+    },
     "MyApiWithLambdaTokenAuth": {
       "Type": "AWS::ApiGateway::RestApi", 
       "Properties": {
@@ -468,6 +534,64 @@
           }
         }
       }
+    },
+    "MyApiWithNotCachedLambdaRequestAuth": {
+      "Type": "AWS::ApiGateway::RestApi",
+      "Properties": {
+        "Body": {
+          "info": {
+            "version": "1.0",
+            "title": {
+              "Ref": "AWS::StackName"
+            }
+          },
+          "paths": {
+            "/not-cached-lambda-request": {
+              "get": {
+                "x-amazon-apigateway-integration": {
+                  "httpMethod": "POST",
+                  "type": "aws_proxy",
+                  "uri": {
+                    "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations"
+                  }
+                },
+                "security": [
+                  {
+                    "MyLambdaRequestAuth": []
+                  }
+                ],
+                "responses": {}
+              }
+            }
+          },
+          "swagger": "2.0",
+          "securityDefinitions": {
+            "MyLambdaRequestAuth": {
+              "in": "header",
+              "type": "apiKey",
+              "name": "Unused",
+              "x-amazon-apigateway-authorizer": {
+                "type": "request",
+                "authorizerUri": {
+                  "Fn::Sub": [
+                    "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations",
+                    {
+                      "__FunctionArn__": {
+                        "Fn::GetAtt": [
+                          "MyAuthFn",
+                          "Arn"
+                        ]
+                      }
+                    }
+                  ]
+                },
+                "authorizerResultTtlInSeconds": 0
+              },
+              "x-amazon-apigateway-authtype": "custom"
+            }
+          }
+        }
+      }
     }
   }
 }
diff --git a/tests/translator/output/aws-cn/api_with_auth_all_minimum.json b/tests/translator/output/aws-cn/api_with_auth_all_minimum.json
diff --git a/tests/translator/output/aws-us-gov/api_with_auth_all_minimum.json b/tests/translator/output/aws-us-gov/api_with_auth_all_minimum.json
