refactor: improve HttpApi authorizer validation (#3899)

vicheey · web-flow · commit 310934b3b89d · 2026-04-13T09:11:21.000-07:00
diff --git a/samtranslator/model/apigatewayv2.py b/samtranslator/model/apigatewayv2.py
@@ -240,54 +240,48 @@ def _get_auth_type(self) -> str:
             return "JWT"
         return "REQUEST"
 
+    # Maps each authorizer type to the set of properties it accepts
+    ALLOWED_PROPERTIES = {
+        "JWT": {"authorization_scopes", "jwt_configuration", "id_source"},
+        "REQUEST": {
+            "function_arn",
+            "function_invoke_role",
+            "identity",
+            "authorizer_payload_format_version",
+            "enable_simple_responses",
+            "enable_function_default_permissions",
+        },
+        "AWS_IAM": set(),
+    }
+
+    # Maps internal attr name to (display name, error hint)
+    PROPERTY_DISPLAY = {
+        "authorization_scopes": ("AuthorizationScopes", "OAuth2 Authorizer"),
+        "jwt_configuration": ("JwtConfiguration", "OAuth2 Authorizer"),
+        "id_source": (
+            "IdentitySource",
+            "OAuth2 Authorizer. For Lambda Authorizer, use the 'Identity' property instead",
+        ),
+        "function_arn": ("FunctionArn", "Lambda Authorizer"),
+        "function_invoke_role": ("FunctionInvokeRole", "Lambda Authorizer"),
+        "identity": ("Identity", "Lambda Authorizer"),
+        "authorizer_payload_format_version": ("AuthorizerPayloadFormatVersion", "Lambda Authorizer"),
+        "enable_simple_responses": ("EnableSimpleResponses", "Lambda Authorizer"),
+        "enable_function_default_permissions": ("EnableFunctionDefaultPermissions", "Lambda Authorizer"),
+    }
+
     def _validate_input_parameters(self) -> None:
         authorizer_type = self._get_auth_type()
 
         if self.authorization_scopes is not None and not isinstance(self.authorization_scopes, list):
             raise InvalidResourceException(self.api_logical_id, "AuthorizationScopes must be a list.")
 
-        if self.authorization_scopes is not None and not authorizer_type == "JWT":
-            raise InvalidResourceException(
-                self.api_logical_id, "AuthorizationScopes must be defined only for OAuth2 Authorizer."
-            )
-
-        if self.jwt_configuration is not None and not authorizer_type == "JWT":
-            raise InvalidResourceException(
-                self.api_logical_id, "JwtConfiguration must be defined only for OAuth2 Authorizer."
-            )
-
-        if self.id_source is not None and not authorizer_type == "JWT":
-            raise InvalidResourceException(
-                self.api_logical_id, "IdentitySource must be defined only for OAuth2 Authorizer."
-            )
-
-        if self.function_arn is not None and not authorizer_type == "REQUEST":
-            raise InvalidResourceException(
-                self.api_logical_id, "FunctionArn must be defined only for Lambda Authorizer."
-            )
-
-        if self.function_invoke_role is not None and not authorizer_type == "REQUEST":
-            raise InvalidResourceException(
-                self.api_logical_id, "FunctionInvokeRole must be defined only for Lambda Authorizer."
-            )
-
-        if self.identity is not None and not authorizer_type == "REQUEST":
-            raise InvalidResourceException(self.api_logical_id, "Identity must be defined only for Lambda Authorizer.")
-
-        if self.authorizer_payload_format_version is not None and not authorizer_type == "REQUEST":
-            raise InvalidResourceException(
-                self.api_logical_id, "AuthorizerPayloadFormatVersion must be defined only for Lambda Authorizer."
-            )
-
-        if self.enable_simple_responses is not None and not authorizer_type == "REQUEST":
-            raise InvalidResourceException(
-                self.api_logical_id, "EnableSimpleResponses must be defined only for Lambda Authorizer."
-            )
-
-        if self.enable_function_default_permissions is not None and authorizer_type != "REQUEST":
-            raise InvalidResourceException(
-                self.api_logical_id, "EnableFunctionDefaultPermissions must be defined only for Lambda Authorizer."
-            )
+        allowed = self.ALLOWED_PROPERTIES.get(authorizer_type, set())
+        for attr, (display_name, allowed_for) in self.PROPERTY_DISPLAY.items():
+            if getattr(self, attr) is not None and attr not in allowed:
+                raise InvalidResourceException(
+                    self.api_logical_id, f"{display_name} is only supported for {allowed_for}."
+                )
 
     def _validate_jwt_authorizer(self) -> None:
         if not self.jwt_configuration:
diff --git a/tests/model/test_api_v2.py b/tests/model/test_api_v2.py
@@ -64,7 +64,7 @@ def test_create_authorizer_fails_with_authorization_scopes_non_oauth2(self):
         self.assertEqual(
             e.value.message,
             "Resource with id [logicalId] is invalid. "
-            + "AuthorizationScopes must be defined only for OAuth2 Authorizer.",
+            + "AuthorizationScopes is only supported for OAuth2 Authorizer.",
         )
 
     @mock.patch(
@@ -79,8 +79,7 @@ def test_create_authorizer_fails_with_jtw_configuration_non_oauth2(self):
             )
         self.assertEqual(
             e.value.message,
-            "Resource with id [logicalId] is invalid. "
-            + "JwtConfiguration must be defined only for OAuth2 Authorizer.",
+            "Resource with id [logicalId] is invalid. " + "JwtConfiguration is only supported for OAuth2 Authorizer.",
         )
 
     def test_create_authorizer_fails_with_id_source_non_oauth2(self):
@@ -92,7 +91,8 @@ def test_create_authorizer_fails_with_id_source_non_oauth2(self):
             )
         self.assertEqual(
             e.value.message,
-            "Resource with id [logicalId] is invalid. " + "IdentitySource must be defined only for OAuth2 Authorizer.",
+            "Resource with id [logicalId] is invalid. " + "IdentitySource is only supported for OAuth2 Authorizer."
+            " For Lambda Authorizer, use the 'Identity' property instead.",
         )
 
     def test_create_authorizer_fails_with_function_arn_non_lambda(self):
@@ -106,7 +106,7 @@ def test_create_authorizer_fails_with_function_arn_non_lambda(self):
             )
         self.assertEqual(
             e.value.message,
-            "Resource with id [logicalId] is invalid. " + "FunctionArn must be defined only for Lambda Authorizer.",
+            "Resource with id [logicalId] is invalid. " + "FunctionArn is only supported for Lambda Authorizer.",
         )
 
     def test_create_authorizer_fails_with_function_invoke_role_non_lambda(self):
@@ -120,8 +120,7 @@ def test_create_authorizer_fails_with_function_invoke_role_non_lambda(self):
             )
         self.assertEqual(
             e.value.message,
-            "Resource with id [logicalId] is invalid. "
-            + "FunctionInvokeRole must be defined only for Lambda Authorizer.",
+            "Resource with id [logicalId] is invalid. " + "FunctionInvokeRole is only supported for Lambda Authorizer.",
         )
 
     def test_create_authorizer_fails_with_identity_non_lambda(self):
@@ -135,7 +134,7 @@ def test_create_authorizer_fails_with_identity_non_lambda(self):
             )
         self.assertEqual(
             e.value.message,
-            "Resource with id [logicalId] is invalid. " + "Identity must be defined only for Lambda Authorizer.",
+            "Resource with id [logicalId] is invalid. " + "Identity is only supported for Lambda Authorizer.",
         )
 
     def test_create_authorizer_fails_with_authorizer_payload_format_version_non_lambda(self):
@@ -150,7 +149,7 @@ def test_create_authorizer_fails_with_authorizer_payload_format_version_non_lamb
         self.assertEqual(
             e.value.message,
             "Resource with id [logicalId] is invalid. "
-            + "AuthorizerPayloadFormatVersion must be defined only for Lambda Authorizer.",
+            + "AuthorizerPayloadFormatVersion is only supported for Lambda Authorizer.",
         )
 
     def test_create_authorizer_fails_with_enable_simple_responses_non_lambda(self):
@@ -165,7 +164,7 @@ def test_create_authorizer_fails_with_enable_simple_responses_non_lambda(self):
         self.assertEqual(
             e.value.message,
             "Resource with id [logicalId] is invalid. "
-            + "EnableSimpleResponses must be defined only for Lambda Authorizer.",
+            + "EnableSimpleResponses is only supported for Lambda Authorizer.",
         )
 
     def test_create_authorizer_fails_with_enable_function_default_permissions_non_lambda(self):
@@ -180,7 +179,7 @@ def test_create_authorizer_fails_with_enable_function_default_permissions_non_la
         self.assertEqual(
             e.value.message,
             "Resource with id [logicalId] is invalid. "
-            + "EnableFunctionDefaultPermissions must be defined only for Lambda Authorizer.",
+            + "EnableFunctionDefaultPermissions is only supported for Lambda Authorizer.",
         )
 
     @mock.patch(
diff --git a/tests/translator/output/error_http_api_invalid_lambda_auth.json b/tests/translator/output/error_http_api_invalid_lambda_auth.json
@@ -9,7 +9,7 @@
     "Resource with id [MyApi3] is invalid. ",
     "Property 'Authorizers.LambdaAuth.EnableFunctionDefaultPermissions' should be a boolean. ",
     "Resource with id [MyApi4] is invalid. ",
-    "EnableFunctionDefaultPermissions must be defined only for Lambda Authorizer."
+    "EnableFunctionDefaultPermissions is only supported for Lambda Authorizer."
   ],
-  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 4. Resource with id [MyApi1] is invalid. LambdaAuth Lambda Authorizer must define 'AuthorizerPayloadFormatVersion'. Resource with id [MyApi2] is invalid. LambdaAuth Lambda Authorizer must define 'FunctionArn'. Resource with id [MyApi3] is invalid. Property 'Authorizers.LambdaAuth.EnableFunctionDefaultPermissions' should be a boolean. Resource with id [MyApi4] is invalid. EnableFunctionDefaultPermissions must be defined only for Lambda Authorizer."
+  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 4. Resource with id [MyApi1] is invalid. LambdaAuth Lambda Authorizer must define 'AuthorizerPayloadFormatVersion'. Resource with id [MyApi2] is invalid. LambdaAuth Lambda Authorizer must define 'FunctionArn'. Resource with id [MyApi3] is invalid. Property 'Authorizers.LambdaAuth.EnableFunctionDefaultPermissions' should be a boolean. Resource with id [MyApi4] is invalid. EnableFunctionDefaultPermissions is only supported for Lambda Authorizer."
 }

Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@ def test_create_authorizer_fails_with_authorization_scopes_non_oauth2(self):`
`64`	`64`	`self.assertEqual(`
`65`	`65`	`e.value.message,`
`66`	`66`	`"Resource with id [logicalId] is invalid. "`
`67`		`- + "AuthorizationScopes must be defined only for OAuth2 Authorizer.",`
	`67`	`+ + "AuthorizationScopes is only supported for OAuth2 Authorizer.",`
`68`	`68`	`)`
`69`	`69`
`70`	`70`	`@mock.patch(`
`@@ -79,8 +79,7 @@ def test_create_authorizer_fails_with_jtw_configuration_non_oauth2(self):`
`79`	`79`	`)`
`80`	`80`	`self.assertEqual(`
`81`	`81`	`e.value.message,`
`82`		`- "Resource with id [logicalId] is invalid. "`
`83`		`- + "JwtConfiguration must be defined only for OAuth2 Authorizer.",`
	`82`	`+ "Resource with id [logicalId] is invalid. " + "JwtConfiguration is only supported for OAuth2 Authorizer.",`
`84`	`83`	`)`
`85`	`84`
`86`	`85`	`def test_create_authorizer_fails_with_id_source_non_oauth2(self):`
`@@ -92,7 +91,8 @@ def test_create_authorizer_fails_with_id_source_non_oauth2(self):`
`92`	`91`	`)`
`93`	`92`	`self.assertEqual(`
`94`	`93`	`e.value.message,`
`95`		`- "Resource with id [logicalId] is invalid. " + "IdentitySource must be defined only for OAuth2 Authorizer.",`
	`94`	`+ "Resource with id [logicalId] is invalid. " + "IdentitySource is only supported for OAuth2 Authorizer."`
	`95`	`+ " For Lambda Authorizer, use the 'Identity' property instead.",`
`96`	`96`	`)`
`97`	`97`
`98`	`98`	`def test_create_authorizer_fails_with_function_arn_non_lambda(self):`
`@@ -106,7 +106,7 @@ def test_create_authorizer_fails_with_function_arn_non_lambda(self):`
`106`	`106`	`)`
`107`	`107`	`self.assertEqual(`
`108`	`108`	`e.value.message,`
`109`		`- "Resource with id [logicalId] is invalid. " + "FunctionArn must be defined only for Lambda Authorizer.",`
	`109`	`+ "Resource with id [logicalId] is invalid. " + "FunctionArn is only supported for Lambda Authorizer.",`
`110`	`110`	`)`
`111`	`111`
`112`	`112`	`def test_create_authorizer_fails_with_function_invoke_role_non_lambda(self):`
`@@ -120,8 +120,7 @@ def test_create_authorizer_fails_with_function_invoke_role_non_lambda(self):`
`120`	`120`	`)`
`121`	`121`	`self.assertEqual(`
`122`	`122`	`e.value.message,`
`123`		`- "Resource with id [logicalId] is invalid. "`
`124`		`- + "FunctionInvokeRole must be defined only for Lambda Authorizer.",`
	`123`	`+ "Resource with id [logicalId] is invalid. " + "FunctionInvokeRole is only supported for Lambda Authorizer.",`
`125`	`124`	`)`
`126`	`125`
`127`	`126`	`def test_create_authorizer_fails_with_identity_non_lambda(self):`
`@@ -135,7 +134,7 @@ def test_create_authorizer_fails_with_identity_non_lambda(self):`
`135`	`134`	`)`
`136`	`135`	`self.assertEqual(`
`137`	`136`	`e.value.message,`
`138`		`- "Resource with id [logicalId] is invalid. " + "Identity must be defined only for Lambda Authorizer.",`
	`137`	`+ "Resource with id [logicalId] is invalid. " + "Identity is only supported for Lambda Authorizer.",`
`139`	`138`	`)`
`140`	`139`
`141`	`140`	`def test_create_authorizer_fails_with_authorizer_payload_format_version_non_lambda(self):`
`@@ -150,7 +149,7 @@ def test_create_authorizer_fails_with_authorizer_payload_format_version_non_lamb`
`150`	`149`	`self.assertEqual(`
`151`	`150`	`e.value.message,`
`152`	`151`	`"Resource with id [logicalId] is invalid. "`
`153`		`- + "AuthorizerPayloadFormatVersion must be defined only for Lambda Authorizer.",`
	`152`	`+ + "AuthorizerPayloadFormatVersion is only supported for Lambda Authorizer.",`
`154`	`153`	`)`
`155`	`154`
`156`	`155`	`def test_create_authorizer_fails_with_enable_simple_responses_non_lambda(self):`
`@@ -165,7 +164,7 @@ def test_create_authorizer_fails_with_enable_simple_responses_non_lambda(self):`
`165`	`164`	`self.assertEqual(`
`166`	`165`	`e.value.message,`
`167`	`166`	`"Resource with id [logicalId] is invalid. "`
`168`		`- + "EnableSimpleResponses must be defined only for Lambda Authorizer.",`
	`167`	`+ + "EnableSimpleResponses is only supported for Lambda Authorizer.",`
`169`	`168`	`)`
`170`	`169`
`171`	`170`	`def test_create_authorizer_fails_with_enable_function_default_permissions_non_lambda(self):`
`@@ -180,7 +179,7 @@ def test_create_authorizer_fails_with_enable_function_default_permissions_non_la`
`180`	`179`	`self.assertEqual(`
`181`	`180`	`e.value.message,`
`182`	`181`	`"Resource with id [logicalId] is invalid. "`
`183`		`- + "EnableFunctionDefaultPermissions must be defined only for Lambda Authorizer.",`
	`182`	`+ + "EnableFunctionDefaultPermissions is only supported for Lambda Authorizer.",`
`184`	`183`	`)`
`185`	`184`
`186`	`185`	`@mock.patch(`