SAM throws error if DefaultAuthorizer is a dict #1245

jlhood · 2019-11-13T19:07:17Z

Description:

We saw a case where a customer tried to use !Ref in the DefaultAuthorizer field of the Auth object on a AWS::Serverless::Api, rather than just a string. In this case, SAM throws a 5xx error here because dict objects are not hashable. We should add a validation check to ensure the value of the DefaultAuthorizer field is a string so we can throw a useful error message back to the customer.

Steps to reproduce the issue:

Either run sam-translate.py or try to deploy this template:

AWSTemplateFormatVersion: "2010-09-09"
Transform: "AWS::Serverless-2016-10-31"

Resources:
  MyApi:
    Type: "AWS::Serverless::Api"
    Properties:
      StageName: Prod
      Auth:
        DefaultAuthorizer: !Ref MyCognitoAuth
        Authorizers:
          MyCognitoAuth:
            UserPoolArn: arn:aws:1
            Identity:
              Header: MyAuthorizationHeader
              ValidationExpression: myauthvalidationexpression

  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: s3://sam-demo-bucket/thumbnails.zip
      Handler: index.handler
      Runtime: nodejs8.10
      Events:
        Api:
          Type: Api
          Properties:
            RestApiId: !Ref MyApi
            Path: /
            Method: get

Observed result:

sam-translate.py returns this:

Traceback (most recent call last):
  File "bin/sam-translate.py", line 141, in <module>
    transform_template(input_file_path, output_file_path)
  File "bin/sam-translate.py", line 98, in transform_template
    sam_template, {}, ManagedPolicyLoader(iam_client))
  File "/Users/jahood/Documents/workspace/serverless-application-model/bin/../samtranslator/translator/transform.py", line 16, in transform
    return translator.translate(input_fragment, parameter_values=parameter_values)
  File "/Users/jahood/Documents/workspace/serverless-application-model/bin/../samtranslator/translator/translator.py", line 83, in translate
    translated = macro.to_cloudformation(**kwargs)
  File "/Users/jahood/Documents/workspace/serverless-application-model/bin/../samtranslator/model/sam_resources.py", line 535, in to_cloudformation
    rest_api, deployment, stage, permissions, domain, basepath_mapping, route53 = api_generator.to_cloudformation()
  File "/Users/jahood/Documents/workspace/serverless-application-model/bin/../samtranslator/model/api/api_generator.py", line 342, in to_cloudformation
    rest_api = self._construct_rest_api()
  File "/Users/jahood/Documents/workspace/serverless-application-model/bin/../samtranslator/model/api/api_generator.py", line 118, in _construct_rest_api
    self._add_auth()
  File "/Users/jahood/Documents/workspace/serverless-application-model/bin/../samtranslator/model/api/api_generator.py", line 449, in _add_auth
    auth_properties.AddDefaultAuthorizerToCorsPreflight)
  File "/Users/jahood/Documents/workspace/serverless-application-model/bin/../samtranslator/model/api/api_generator.py", line 645, in _set_default_authorizer
    if not authorizers.get(default_authorizer) and default_authorizer != 'AWS_IAM':
TypeError: unhashable type: 'dict'

CloudFormation returns this:

Failed to create the changeset: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state Status: FAILED. Reason: Transform AWS::Serverless-2016-10-31 failed with: Internal transform failure.

Expected result:

SAM returns helpful error message saying DefaultAuthorizer must be a string.

The text was updated successfully, but these errors were encountered:

tbutler4 · 2020-11-29T17:19:32Z

@jlhood @praneetap @Shivakishore14
...
Is this issue still open? I see it has been some time since it was first opened and there has been some work with issue #1286.. I want to try to tackle this for my first open source contribution.

jfuss · 2022-02-05T14:12:12Z

See #1286 (comment) but this was patched in #1774

In issue aws#1245, we had a cases were SAM would fail due to improper validation. In updating aws#1286, I noticed this was patched in aws#1774 but we only added tests for AWS::Serverless::StateMachine. This commit adds an additional test to cover AWS::Serverless::Api.

In issue #1245, we had a cases were SAM would fail due to improper validation. In updating #1286, I noticed this was patched in #1774 but we only added tests for AWS::Serverless::StateMachine. This commit adds an additional test to cover AWS::Serverless::Api. Co-authored-by: Jacob Fuss <jfuss@users.noreply.github.com>

jlhood added contributors/good-first-issue Good first issue for a contributor contributors/welcome Contributors are welcome to work on this type/bug labels Nov 13, 2019

Shivakishore14 mentioned this issue Dec 4, 2019

Throw error if DefaultAuthorizer is not a string #1286

Closed

4 tasks

praneetap added the good first issue label Jan 15, 2020

mgrandis removed the good first issue label Feb 11, 2021

aws-sam-cli-bot added the maintainer/need-response label Nov 23, 2021

jfuss closed this as completed Feb 5, 2022

jfuss mentioned this issue Feb 5, 2022

tests: add test for DefaultAuthorizers not a string in API #2313

Merged

8 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SAM throws error if DefaultAuthorizer is a dict #1245

SAM throws error if DefaultAuthorizer is a dict #1245

jlhood commented Nov 13, 2019

tbutler4 commented Nov 29, 2020 •

edited

Loading

jfuss commented Feb 5, 2022

SAM throws error if DefaultAuthorizer is a dict #1245

SAM throws error if DefaultAuthorizer is a dict #1245

Comments

jlhood commented Nov 13, 2019

tbutler4 commented Nov 29, 2020 • edited Loading

jfuss commented Feb 5, 2022

tbutler4 commented Nov 29, 2020 •

edited

Loading