refactor: Combine function/sfn Api event logics about adding Auth (#2755)

Author: aahung

samtranslator/model/api/api_generator.py

@@ -753,7 +753,7 @@ def _add_auth(self) -> None:
                 auth_properties.ResourcePolicy, "ResourcePolicy must be a map (ResourcePolicyStatement)."
             )
             for path in swagger_editor.iter_on_path():
-                swagger_editor.add_resource_policy(auth_properties.ResourcePolicy, path, self.stage_name)  # type: ignore[no-untyped-call]
+                swagger_editor.add_resource_policy(auth_properties.ResourcePolicy, path, self.stage_name)
             if auth_properties.ResourcePolicy.get("CustomStatements"):
                 swagger_editor.add_custom_statements(auth_properties.ResourcePolicy.get("CustomStatements"))  # type: ignore[no-untyped-call]
 
@@ -1120,14 +1120,10 @@ def _get_authorizers(self, authorizers_config, default_authorizer=None):  # type
                 return authorizers
             return None
 
-        if not isinstance(authorizers_config, dict):
-            raise InvalidResourceException(self.logical_id, "Authorizers must be a dictionary.")
+        sam_expect(authorizers_config, self.logical_id, "Auth.Authorizers").to_be_a_map()
 
         for authorizer_name, authorizer in authorizers_config.items():
-            if not isinstance(authorizer, dict):
-                raise InvalidResourceException(
-                    self.logical_id, "Authorizer %s must be a dictionary." % (authorizer_name)
-                )
+            sam_expect(authorizer, self.logical_id, f"Auth.Authorizers.{authorizer_name}").to_be_a_map()
 
             authorizers[authorizer_name] = ApiGatewayAuthorizer(  # type: ignore[no-untyped-call]
                 api_logical_id=self.logical_id,

samtranslator/model/api/http_api_generator.py

@@ -563,14 +563,10 @@ def _get_authorizers(
         if not authorizers_config:
             return authorizers
 
-        if not isinstance(authorizers_config, dict):
-            raise InvalidResourceException(self.logical_id, "Authorizers must be a dictionary.")
+        sam_expect(authorizers_config, self.logical_id, "Auth.Authorizers").to_be_a_map()
 
         for authorizer_name, authorizer in authorizers_config.items():
-            if not isinstance(authorizer, dict):
-                raise InvalidResourceException(
-                    self.logical_id, "Authorizer %s must be a dictionary." % (authorizer_name)
-                )
+            sam_expect(authorizer, self.logical_id, f"Auth.Authorizers.{authorizer_name}").to_be_a_map()
 
             if "OpenIdConnectUrl" in authorizer:
                 raise InvalidResourceException(

samtranslator/model/eventsources/push.py

@@ -1,5 +1,5 @@
 import json
-from typing import Any, Dict, Optional
+from typing import Any, Dict, Optional, cast
 
 from samtranslator.metrics.method_decorator import cw_timer
 from samtranslator.model import Property, PropertyType, ResourceMacro, Resource
@@ -27,6 +27,7 @@ class EventSource(ResourceMacro):
     # line to avoid any potential behavior change.
     # TODO: Make `EventSource` an abstract class and not giving `principal` initial value.
     principal: str = None  # type: ignore
+    relative_id: str  # overriding the Optional[str]: for event, relative id is not None
 
     Target: Optional[Dict[str, str]]
 
@@ -272,6 +273,11 @@ class Api(EventSource):
         "UnescapeMappingTemplate": Property(False, is_type(bool)),
     }
 
+    Path: str
+    Method: str
+    RestApiId: str
+    Stage: Optional[str]
+    Auth: Optional[Dict[str, Any]]
     UnescapeMappingTemplate: Optional[bool]
 
     def resources_to_link(self, resources):  # type: ignore[no-untyped-def]
@@ -289,7 +295,7 @@ def resources_to_link(self, resources):  # type: ignore[no-untyped-def]
         permitted_stage = "*"
         stage_suffix = "AllStages"
         explicit_api = None
-        rest_api_id = PushApi.get_rest_api_id_string(self.RestApiId)  # type: ignore[attr-defined]
+        rest_api_id = PushApi.get_rest_api_id_string(self.RestApiId)
         if isinstance(rest_api_id, str):
 
             if (
@@ -314,7 +320,7 @@ def resources_to_link(self, resources):  # type: ignore[no-untyped-def]
                     "RestApiId property of Api event must reference a valid resource in the same template.",
                 )
 
-        return {"explicit_api": explicit_api, "explicit_api_stage": {"suffix": stage_suffix}}
+        return {"explicit_api": explicit_api, "api_id": rest_api_id, "explicit_api_stage": {"suffix": stage_suffix}}
 
     @cw_timer(prefix=SFN_EVETSOURCE_METRIC_PREFIX)
     def to_cloudformation(self, resource, **kwargs):  # type: ignore[no-untyped-def]
@@ -336,20 +342,21 @@ def to_cloudformation(self, resource, **kwargs):  # type: ignore[no-untyped-def]
         intrinsics_resolver = kwargs.get("intrinsics_resolver")
         permissions_boundary = kwargs.get("permissions_boundary")
 
-        if self.Method is not None:  # type: ignore[has-type]
+        if self.Method is not None:
             # Convert to lower case so that user can specify either GET or get
-            self.Method = self.Method.lower()  # type: ignore[has-type]
+            self.Method = self.Method.lower()
 
         role = self._construct_role(resource, permissions_boundary)  # type: ignore[no-untyped-call]
         resources.append(role)
 
         explicit_api = kwargs["explicit_api"]
+        api_id = kwargs["api_id"]
         if explicit_api.get("__MANAGE_SWAGGER"):
-            self._add_swagger_integration(explicit_api, resource, role, intrinsics_resolver)  # type: ignore[no-untyped-call]
+            self._add_swagger_integration(explicit_api, api_id, resource, role, intrinsics_resolver)  # type: ignore[no-untyped-call]
 
         return resources
 
-    def _add_swagger_integration(self, api, resource, role, intrinsics_resolver):  # type: ignore[no-untyped-def]
+    def _add_swagger_integration(self, api, api_id, resource, role, intrinsics_resolver):  # type: ignore[no-untyped-def]
         """Adds the path and method for this Api event source to the Swagger body for the provided RestApi.
 
         :param model.apigateway.ApiGatewayRestApi rest_api: the RestApi to which the path and method should be added.
@@ -362,12 +369,12 @@ def _add_swagger_integration(self, api, resource, role, intrinsics_resolver):  #
 
         editor = SwaggerEditor(swagger_body)
 
-        if editor.has_integration(self.Path, self.Method):  # type: ignore[attr-defined]
+        if editor.has_integration(self.Path, self.Method):
             # Cannot add the integration, if it is already present
             raise InvalidEventException(
                 self.relative_id,
                 'API method "{method}" defined multiple times for path "{path}".'.format(
-                    method=self.Method, path=self.Path  # type: ignore[attr-defined]
+                    method=self.Method, path=self.Path
                 ),
             )
 
@@ -382,78 +389,23 @@ def _add_swagger_integration(self, api, resource, role, intrinsics_resolver):  #
         )
 
         editor.add_state_machine_integration(  # type: ignore[no-untyped-call]
-            self.Path,  # type: ignore[attr-defined]
+            self.Path,
             self.Method,
             integration_uri,
             role.get_runtime_attr("arn"),
             request_template,
             condition=condition,
         )
 
-        # Note: Refactor and combine the section below with the Api eventsource for functions
-        if self.Auth:  # type: ignore[attr-defined]
-            method_authorizer = self.Auth.get("Authorizer")  # type: ignore[attr-defined]
-            api_auth = api.get("Auth")
-            api_auth = intrinsics_resolver.resolve_parameter_refs(api_auth)
-
-            if method_authorizer:
-                api_authorizers = api_auth and api_auth.get("Authorizers")
-
-                if method_authorizer != "AWS_IAM":
-                    if method_authorizer != "NONE" and not api_authorizers:
-                        raise InvalidEventException(
-                            self.relative_id,
-                            "Unable to set Authorizer [{authorizer}] on API method [{method}] for path [{path}] "
-                            "because the related API does not define any Authorizers.".format(
-                                authorizer=method_authorizer, method=self.Method, path=self.Path  # type: ignore[attr-defined]
-                            ),
-                        )
-
-                    if method_authorizer != "NONE" and not api_authorizers.get(method_authorizer):
-                        raise InvalidEventException(
-                            self.relative_id,
-                            "Unable to set Authorizer [{authorizer}] on API method [{method}] for path [{path}] "
-                            "because it wasn't defined in the API's Authorizers.".format(
-                                authorizer=method_authorizer, method=self.Method, path=self.Path  # type: ignore[attr-defined]
-                            ),
-                        )
-
-                    if method_authorizer == "NONE":
-                        if not api_auth or not api_auth.get("DefaultAuthorizer"):
-                            raise InvalidEventException(
-                                self.relative_id,
-                                "Unable to set Authorizer on API method [{method}] for path [{path}] because 'NONE' "
-                                "is only a valid value when a DefaultAuthorizer on the API is specified.".format(
-                                    method=self.Method, path=self.Path  # type: ignore[attr-defined]
-                                ),
-                            )
-
-            if self.Auth.get("AuthorizationScopes") and not isinstance(self.Auth.get("AuthorizationScopes"), list):  # type: ignore[attr-defined]
-                raise InvalidEventException(
-                    self.relative_id,
-                    "Unable to set Authorizer on API method [{method}] for path [{path}] because "
-                    "'AuthorizationScopes' must be a list of strings.".format(method=self.Method, path=self.Path),  # type: ignore[attr-defined]
-                )
+        # self.Stage is not None as it is set in _get_permissions()
+        # before calling this method.
+        # TODO: refactor to remove this cast
+        stage = cast(str, self.Stage)
 
-            apikey_required_setting = self.Auth.get("ApiKeyRequired")  # type: ignore[attr-defined]
-            apikey_required_setting_is_false = apikey_required_setting is not None and not apikey_required_setting
-            if apikey_required_setting_is_false and (not api_auth or not api_auth.get("ApiKeyRequired")):
-                raise InvalidEventException(
-                    self.relative_id,
-                    "Unable to set ApiKeyRequired [False] on API method [{method}] for path [{path}] "
-                    "because the related API does not specify any ApiKeyRequired.".format(
-                        method=self.Method, path=self.Path  # type: ignore[attr-defined]
-                    ),
-                )
-
-            if method_authorizer or apikey_required_setting is not None:
-                editor.add_auth_to_method(api=api, path=self.Path, method_name=self.Method, auth=self.Auth)  # type: ignore[attr-defined, attr-defined, no-untyped-call]
-
-            if self.Auth.get("ResourcePolicy"):  # type: ignore[attr-defined]
-                resource_policy = self.Auth.get("ResourcePolicy")  # type: ignore[attr-defined]
-                editor.add_resource_policy(resource_policy=resource_policy, path=self.Path, stage=self.Stage)  # type: ignore[attr-defined, attr-defined, no-untyped-call]
-                if resource_policy.get("CustomStatements"):
-                    editor.add_custom_statements(resource_policy.get("CustomStatements"))  # type: ignore[no-untyped-call]
+        if self.Auth:
+            PushApi.add_auth_to_swagger(
+                self.Auth, api, api_id, self.relative_id, self.Method, self.Path, stage, editor, intrinsics_resolver
+            )
 
         api["DefinitionBody"] = editor.swagger
 

samtranslator/model/stepfunctions/events.py

@@ -666,7 +666,7 @@ def set_path_default_apikey_required(self, path: str) -> None:
             if security != existing_security:
                 method_definition["security"] = security
 
-    def add_auth_to_method(self, path, method_name, auth, api):  # type: ignore[no-untyped-def]
+    def add_auth_to_method(self, path: str, method_name: str, auth: Dict[str, Any], api: Dict[str, Any]) -> None:
         """
         Adds auth settings for this path/method. Auth settings currently consist of Authorizers and ApiKeyRequired
         but this method will eventually include setting other auth settings such as Resource Policy, etc.
@@ -872,7 +872,7 @@ def add_models(self, models):  # type: ignore[no-untyped-def]
 
             self.definitions[model_name.lower()] = schema
 
-    def add_resource_policy(self, resource_policy, path, stage):  # type: ignore[no-untyped-def]
+    def add_resource_policy(self, resource_policy: Optional[Dict[str, Any]], path: str, stage: PassThrough) -> None:
         """
         Add resource policy definition to Swagger.
 

samtranslator/swagger/swagger.py

@@ -1,5 +1,5 @@
 """A plug-able validator to help raise exception when some value is unexpected."""
-from typing import Generic, Optional, TypeVar
+from typing import Any, Dict, Generic, Optional, TypeVar, cast
 
 from samtranslator.model.exceptions import (
     ExpectedType,
@@ -72,8 +72,8 @@ def to_not_be_none(self, message: Optional[str] = "") -> T:
     #
     # alias methods:
     #
-    def to_be_a_map(self, message: Optional[str] = "") -> T:
-        return self.to_be_a(ExpectedType.MAP, message)
+    def to_be_a_map(self, message: Optional[str] = "") -> Dict[str, Any]:
+        return cast(Dict[str, Any], self.to_be_a(ExpectedType.MAP, message))
 
     def to_be_a_list(self, message: Optional[str] = "") -> T:
         return self.to_be_a(ExpectedType.LIST, message)

samtranslator/validator/value_validator.py

@@ -22,7 +22,9 @@ def setUp(self):
         self.state_machine.get_passthrough_resource_attributes.return_value = {}
 
     def test_to_cloudformation_returns_role_resource(self):
-        resources = self.api_event_source.to_cloudformation(resource=self.state_machine, explicit_api={})
+        resources = self.api_event_source.to_cloudformation(
+            resource=self.state_machine, explicit_api={}, api_id="MyRestApi"
+        )
         self.assertEqual(len(resources), 1)
         self.assertEqual(resources[0].resource_type, "AWS::IAM::Role")
 
@@ -63,7 +65,12 @@ def test_resources_to_link_with_explicit_api(self):
         self.api_event_source.RestApiId = {"Ref": "MyExplicitApi"}
         resources_to_link = self.api_event_source.resources_to_link(resources)
         self.assertEqual(
-            resources_to_link, {"explicit_api": {"StageName": "Prod"}, "explicit_api_stage": {"suffix": "Prod"}}
+            resources_to_link,
+            {
+                "explicit_api": {"StageName": "Prod"},
+                "api_id": "MyExplicitApi",
+                "explicit_api_stage": {"suffix": "Prod"},
+            },
         )
 
     def test_resources_to_link_with_undefined_explicit_api(self):
@@ -75,7 +82,9 @@ def test_resources_to_link_with_undefined_explicit_api(self):
     def test_resources_to_link_without_explicit_api(self):
         resources = {}
         resources_to_link = self.api_event_source.resources_to_link(resources)
-        self.assertEqual(resources_to_link, {"explicit_api": None, "explicit_api_stage": {"suffix": "AllStages"}})
+        self.assertEqual(
+            resources_to_link, {"explicit_api": None, "api_id": None, "explicit_api_stage": {"suffix": "AllStages"}}
+        )
 
     def test_to_cloudformation_throws_when_no_resource(self):
         self.assertRaises(TypeError, self.api_event_source.to_cloudformation)