Add validation for swagger security when ApiKeyRequired is true (#2456)

hawflau · web-flow · commit 4dfb963317a2 · 2022-07-25T13:03:48.000-07:00
diff --git a/samtranslator/swagger/swagger.py b/samtranslator/swagger/swagger.py
@@ -647,7 +647,10 @@ def set_path_default_authorizer(
             # We want to ensure only a single Authorizer security entry exists while keeping everything else
             for security in existing_security:
                 SwaggerEditor.validate_is_dict(
-                    security, "{} in Security for path {} is not a valid dictionary.".format(security, path)
+                    security,
+                    "{} in Security for path {} method {} is not a valid dictionary.".format(
+                        security, path, method_name
+                    ),
                 )
                 if authorizer_names.isdisjoint(security.keys()):
                     existing_non_authorizer_security.append(security)
@@ -703,7 +706,7 @@ def set_path_default_apikey_required(self, path):
         :param string path: Path name
         """
 
-        for _, method_definition in self.iter_on_all_methods_for_path(path):
+        for method_name, method_definition in self.iter_on_all_methods_for_path(path):
             existing_security = method_definition.get("security", [])
             apikey_security_names = set(["api_key", "api_key_false"])
             existing_non_apikey_security = []
@@ -714,6 +717,12 @@ def set_path_default_apikey_required(self, path):
             # (e.g. sigv4 (AWS_IAM), authorizers, NONE (marker for ignoring default authorizer))
             # We want to ensure only a single ApiKey security entry exists while keeping everything else
             for security in existing_security:
+                SwaggerEditor.validate_is_dict(
+                    security,
+                    "{} in Security for path {} method {} is not a valid dictionary.".format(
+                        security, path, method_name
+                    ),
+                )
                 if apikey_security_names.isdisjoint(security.keys()):
                     existing_non_apikey_security.append(security)
                 else:
diff --git a/tests/translator/input/error_swagger_security_not_dict_with_api_key_required.yaml b/tests/translator/input/error_swagger_security_not_dict_with_api_key_required.yaml
@@ -0,0 +1,45 @@
+transformId: AWS::Serverless-2016-10-31
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+  AuthFunction:
+    Type: AWS::Serverless::Function
+  AccessingPartyAPI:
+    Type: AWS::Serverless::Api
+    Properties:
+      EndpointConfiguration: REGIONAL
+      StageName: demo
+      Auth:
+        ApiKeyRequired: true
+
+      DefinitionBody:
+        paths:
+          "/path":
+            put:
+              responses:
+                '201':
+                  content:
+                    application/json:
+                      schema:
+                        "$ref": "abcd"
+              x-amazon-apigateway-integration:
+                contentHandling: CONVERT_TO_TEXT
+                responses:
+                  default:
+                    statusCode: '200'
+                uri:
+                  Fn::Sub: foobar
+                httpMethod: POST
+                passthroughBehavior: when_no_match
+                type: aws_proxy
+              requestBody:
+                content:
+                  application/json:
+                    schema:
+                      required:
+                      - readoutId
+                      - status
+                      type: object
+              security:
+                - []
+
+        openapi: 3.0.3
diff --git a/tests/translator/output/error_swagger_security_not_dict.json b/tests/translator/output/error_swagger_security_not_dict.json
@@ -1,3 +1,3 @@
 {
-  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Structure of the SAM template is invalid. CustomAuthorizer in Security for path /path is not a valid dictionary."
+  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Structure of the SAM template is invalid. CustomAuthorizer in Security for path /path method put is not a valid dictionary."
 }
diff --git a/tests/translator/output/error_swagger_security_not_dict_with_api_key_required.json b/tests/translator/output/error_swagger_security_not_dict_with_api_key_required.json
@@ -0,0 +1,3 @@
+{
+  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Structure of the SAM template is invalid. [] in Security for path /path method put is not a valid dictionary."
+}

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`{`
`2`		`- "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Structure of the SAM template is invalid. CustomAuthorizer in Security for path /path is not a valid dictionary."`
	`2`	`+ "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Structure of the SAM template is invalid. CustomAuthorizer in Security for path /path method put is not a valid dictionary."`
`3`	`3`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+{`
	`2`	`+ "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Structure of the SAM template is invalid. [] in Security for path /path method put is not a valid dictionary."`
	`3`	`+}`