Add error handling for OverrideApiAuth property without an authorizer (#3350)

Author: paulhcsun

samtranslator/model/eventsources/push.py

@@ -755,7 +755,11 @@ def to_cloudformation(self, **kwargs):  # type: ignore[no-untyped-def]
         # We make the call to add_auth_to_swagger() in two separate places because _add_swagger_integration() deals
         # specifically with cases where DefinitionBody is not defined, and below for when DefinitionBody is defined.
         if swagger_body and self.Auth and self.Auth.get("OverrideApiAuth"):
-            # TODO: refactor to remove this cast
+            if not (self.Auth.get("Authorizer") or self.Auth.get("ApiKeyRequired") or self.Auth.get("ResourcePolicy")):
+                raise InvalidEventException(
+                    self.relative_id,
+                    "Must define one of: Authorizer, ApiKeyRequired or ResourcePolicy when using the OverrideApiAuth property.",
+                )
             stage = cast(str, self.Stage)
             editor = SwaggerEditor(swagger_body)
             self.add_auth_to_swagger(

tests/translator/input/error_api_override_api_auth_without_authorizer.yaml

@@ -0,0 +1,67 @@
+Resources:
+  MyApiWithLambdaRequestAuth:
+    Type: AWS::Serverless::Api
+    Properties:
+      StageName: Prod
+      DefinitionBody:
+        swagger: 2.0
+        info:
+          version: '1.0'
+          title: !Ref AWS::StackName
+        schemes:
+        - https
+        paths:
+          /lambda-request:
+            get:
+              x-amazon-apigateway-integration:
+                httpMethod: POST
+                type: aws_proxy
+                uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations
+                passthroughBehavior: when_no_match
+              responses: {}
+      Auth:
+        Authorizers:
+          MyLambdaRequestAuth:
+            FunctionPayloadType: REQUEST
+            FunctionArn: !GetAtt MyAuthFn.Arn
+            Identity:
+              Headers:
+              - Authorization1
+        DefaultAuthorizer: MyLambdaRequestAuth
+
+  MyAuthFn:
+    Type: AWS::Serverless::Function
+    Properties:
+      InlineCode: |
+        exports.handler = async (event) => {
+          return {
+          statusCode: 200,
+          body: JSON.stringify(event),
+          headers: {}
+          }
+        }
+      Handler: index.handler
+      Runtime: nodejs8.10
+
+  MyFn:
+    Type: AWS::Serverless::Function
+    Properties:
+      InlineCode: |
+        exports.handler = async (event) => {
+          return {
+          statusCode: 200,
+          body: JSON.stringify(event),
+          headers: {}
+          }
+        }
+      Handler: index.handler
+      Runtime: nodejs8.10
+      Events:
+        LambdaRequest:
+          Type: Api
+          Properties:
+            RestApiId: !Ref MyApiWithLambdaRequestAuth
+            Auth:
+              OverrideApiAuth: true
+            Method: get
+            Path: /lambda-request

tests/translator/output/error_api_override_api_auth_without_authorizer.json

@@ -0,0 +1,15 @@
+{
+  "_autoGeneratedBreakdownErrorMessage": [
+    "Invalid Serverless Application Specification document. ",
+    "Number of errors found: 1. ",
+    "Resource with id [MyFn] is invalid. ",
+    "Event with id [LambdaRequest] is invalid. ",
+    "Must define one of: Authorizer, ApiKeyRequired or ResourcePolicy when using the OverrideApiAuth property."
+  ],
+  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [MyFn] is invalid. Event with id [LambdaRequest] is invalid. Must define one of: Authorizer, ApiKeyRequired or ResourcePolicy when using the OverrideApiAuth property.",
+  "errors": [
+    {
+      "errorMessage": "Resource with id [MyFn] is invalid. Event with id [LambdaRequest] is invalid. Must define one of: Authorizer, ApiKeyRequired or ResourcePolicy when using the OverrideApiAuth property."
+    }
+  ]
+}