chore: Add an error when AuthorizationScopes is not used with Authorizer (#3394)

Author: xazhao

samtranslator/model/eventsources/push.py

@@ -1116,8 +1116,11 @@ def add_auth_to_swagger(  # noqa: PLR0912, PLR0913
                         )
 
         auth_scopes = event_auth.get("AuthorizationScopes")
+
         if auth_scopes:
             sam_expect(auth_scopes, event_id, "Auth.AuthorizationScopes", is_sam_event=True).to_be_a_list()
+            if not method_authorizer:
+                raise InvalidEventException(event_id, "AuthorizationScopes works only when Authorizer is set")
 
         apikey_required_setting = event_auth.get("ApiKeyRequired")
         apikey_required_setting_is_false = apikey_required_setting is not None and not apikey_required_setting

tests/translator/input/error_api_invalid_auth.yaml

@@ -1,4 +1,20 @@
 Resources:
+  InvalidAuthorizationScopes:
+    Type: AWS::Serverless::Function
+    Properties:
+      Runtime: python3
+      Handler: index.handler
+      CodeUri: s3://bucket/key
+      Events:
+        Api:
+          Type: Api
+          Properties:
+            Auth:
+              AuthorizationScopes:
+              - https://foobar.acme.net/full-api
+            Method: POST
+            Path: /hello/world
+
   NoAuthApi:
     Type: AWS::Serverless::Api
     Properties:

tests/translator/output/error_api_invalid_auth.json

@@ -1,7 +1,7 @@
 {
   "_autoGeneratedBreakdownErrorMessage": [
     "Invalid Serverless Application Specification document. ",
-    "Number of errors found: 21. ",
+    "Number of errors found: 22. ",
     "Resource with id [AuthNotDictApi] is invalid. ",
     "Property 'Auth' should be a map. ",
     "Resource with id [AuthWithAdditionalPropertyApi] is invalid. ",
@@ -19,7 +19,9 @@
     "Property 'Auth.Authorizers' should be a map. ",
     "Resource with id [IntrinsicDefaultAuthorizerApi] is invalid. ",
     "Property 'Auth.DefaultAuthorizer' should be a string. ",
-    "Resource with id [InvalidFunctionPayloadTypeApi] is invalid. ",
+    "Resource with id [InvalidAuthorizationScopes] is invalid. ",
+    "Event with id [Api] is invalid. ",
+    "AuthorizationScopes works only when Authorizer is set Resource with id [InvalidFunctionPayloadTypeApi] is invalid. ",
     "MyLambdaAuthorizer Authorizer has invalid 'FunctionPayloadType': INVALID. ",
     "Resource with id [MissingAuthorizerFn] is invalid. ",
     "Event with id [GetRoot] is invalid. ",
@@ -49,5 +51,5 @@
     "Resource with id [NonStringDefaultAuthorizerApi] is invalid. ",
     "Property 'Auth.DefaultAuthorizer' should be a string."
   ],
-  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 21. Resource with id [AuthNotDictApi] is invalid. Property 'Auth' should be a map. Resource with id [AuthWithAdditionalPropertyApi] is invalid. Invalid value for 'Auth' property Resource with id [AuthWithDefinitionUriApi] is invalid. Auth works only with inline Swagger specified in 'DefinitionBody' property. Resource with id [AuthWithInvalidDefinitionBodyApi] is invalid. Unable to add Auth configuration because 'DefinitionBody' does not contain a valid Swagger definition. Resource with id [AuthWithMissingDefaultAuthorizerApi] is invalid. Unable to set DefaultAuthorizer because 'NotThere' was not defined in 'Authorizers'. Resource with id [AuthorizerNotDict] is invalid. Property 'Auth.Authorizers.MyCognitoAuthorizer' should be a map. Resource with id [AuthorizerWithBadDisableFunctionDefaultPermissionsType] is invalid. Property 'Authorizers.MyAuth.DisableFunctionDefaultPermissions' should be a boolean. Resource with id [AuthorizersNotDictApi] is invalid. Property 'Auth.Authorizers' should be a map. Resource with id [IntrinsicDefaultAuthorizerApi] is invalid. Property 'Auth.DefaultAuthorizer' should be a string. Resource with id [InvalidFunctionPayloadTypeApi] is invalid. MyLambdaAuthorizer Authorizer has invalid 'FunctionPayloadType': INVALID. Resource with id [MissingAuthorizerFn] is invalid. Event with id [GetRoot] is invalid. Unable to set Authorizer [UnspecifiedAuthorizer] on API method [get] for path [/] because it wasn't defined in the API's Authorizers. Resource with id [NoApiAuthorizerFn] is invalid. Event with id [GetRoot] is invalid. Unable to set Authorizer [MyAuth] on API method [get] for path [/] because the related API does not define any Authorizers. Resource with id [NoAuthFn] is invalid. Event with id [GetRoot] is invalid. Unable to set Authorizer [MyAuth] on API method [get] for path [/] because the related API does not define any Authorizers. Resource with id [NoAuthorizersFn] is invalid. Event with id [GetRoot] is invalid. Unable to set Authorizer [MyAuth] on API method [get] for path [/] because the related API does not define any Authorizers. Resource with id [NoDefaultAuthorizerWithNoneFn] is invalid. Event with id [GetRoot] is invalid. Unable to set Authorizer on API method [get] for path [/] because 'NONE' is only a valid value when a DefaultAuthorizer on the API is specified. Resource with id [NoIdentityOnRequestAuthorizer] is invalid. MyLambdaRequestAuthorizer Authorizer must specify Identity with at least one of Headers, QueryStrings, StageVariables, or Context. Resource with id [NoIdentitySourceOnRequestAuthorizer] is invalid. MyLambdaRequestAuthorizer Authorizer must specify Identity with at least one of Headers, QueryStrings, StageVariables, or Context. Resource with id [NonDictAuthorizerApi] is invalid. Property 'Auth.Authorizers.MyAuth' should be a map. Resource with id [NonDictAuthorizerRestApi] is invalid. Property 'Auth.Authorizers.MyAuth' should be a map. Resource with id [NonDictExternalApiAuthorizer] is invalid. Property 'Auth.Authorizers' should be a map. Resource with id [NonStringDefaultAuthorizerApi] is invalid. Property 'Auth.DefaultAuthorizer' should be a string."
+  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 22. Resource with id [AuthNotDictApi] is invalid. Property 'Auth' should be a map. Resource with id [AuthWithAdditionalPropertyApi] is invalid. Invalid value for 'Auth' property Resource with id [AuthWithDefinitionUriApi] is invalid. Auth works only with inline Swagger specified in 'DefinitionBody' property. Resource with id [AuthWithInvalidDefinitionBodyApi] is invalid. Unable to add Auth configuration because 'DefinitionBody' does not contain a valid Swagger definition. Resource with id [AuthWithMissingDefaultAuthorizerApi] is invalid. Unable to set DefaultAuthorizer because 'NotThere' was not defined in 'Authorizers'. Resource with id [AuthorizerNotDict] is invalid. Property 'Auth.Authorizers.MyCognitoAuthorizer' should be a map. Resource with id [AuthorizerWithBadDisableFunctionDefaultPermissionsType] is invalid. Property 'Authorizers.MyAuth.DisableFunctionDefaultPermissions' should be a boolean. Resource with id [AuthorizersNotDictApi] is invalid. Property 'Auth.Authorizers' should be a map. Resource with id [IntrinsicDefaultAuthorizerApi] is invalid. Property 'Auth.DefaultAuthorizer' should be a string. Resource with id [InvalidAuthorizationScopes] is invalid. Event with id [Api] is invalid. AuthorizationScopes works only when Authorizer is set Resource with id [InvalidFunctionPayloadTypeApi] is invalid. MyLambdaAuthorizer Authorizer has invalid 'FunctionPayloadType': INVALID. Resource with id [MissingAuthorizerFn] is invalid. Event with id [GetRoot] is invalid. Unable to set Authorizer [UnspecifiedAuthorizer] on API method [get] for path [/] because it wasn't defined in the API's Authorizers. Resource with id [NoApiAuthorizerFn] is invalid. Event with id [GetRoot] is invalid. Unable to set Authorizer [MyAuth] on API method [get] for path [/] because the related API does not define any Authorizers. Resource with id [NoAuthFn] is invalid. Event with id [GetRoot] is invalid. Unable to set Authorizer [MyAuth] on API method [get] for path [/] because the related API does not define any Authorizers. Resource with id [NoAuthorizersFn] is invalid. Event with id [GetRoot] is invalid. Unable to set Authorizer [MyAuth] on API method [get] for path [/] because the related API does not define any Authorizers. Resource with id [NoDefaultAuthorizerWithNoneFn] is invalid. Event with id [GetRoot] is invalid. Unable to set Authorizer on API method [get] for path [/] because 'NONE' is only a valid value when a DefaultAuthorizer on the API is specified. Resource with id [NoIdentityOnRequestAuthorizer] is invalid. MyLambdaRequestAuthorizer Authorizer must specify Identity with at least one of Headers, QueryStrings, StageVariables, or Context. Resource with id [NoIdentitySourceOnRequestAuthorizer] is invalid. MyLambdaRequestAuthorizer Authorizer must specify Identity with at least one of Headers, QueryStrings, StageVariables, or Context. Resource with id [NonDictAuthorizerApi] is invalid. Property 'Auth.Authorizers.MyAuth' should be a map. Resource with id [NonDictAuthorizerRestApi] is invalid. Property 'Auth.Authorizers.MyAuth' should be a map. Resource with id [NonDictExternalApiAuthorizer] is invalid. Property 'Auth.Authorizers' should be a map. Resource with id [NonStringDefaultAuthorizerApi] is invalid. Property 'Auth.DefaultAuthorizer' should be a string."
 }