fix: Ensure AutoPublishCodeSha256 resolves to a string (#2173)

* Ensure AutoPublishCodeSha256 resolves to a string

* Add unit test for AutoPublishCodeSha256 checking

Author: marekaiv

samtranslator/model/sam_resources.py

@@ -157,6 +157,11 @@ def to_cloudformation(self, **kwargs):
             code_sha256 = None
             if self.AutoPublishCodeSha256:
                 code_sha256 = intrinsics_resolver.resolve_parameter_refs(self.AutoPublishCodeSha256)
+                if not isinstance(code_sha256, string_types):
+                    raise InvalidResourceException(
+                        self.logical_id,
+                        "AutoPublishCodeSha256 must be a string",
+                    )
             lambda_version = self._construct_version(
                 lambda_function, intrinsics_resolver=intrinsics_resolver, code_sha256=code_sha256
             )

samtranslator/translator/logical_id_generator.py

@@ -16,6 +16,7 @@ def __init__(self, prefix, data_obj=None, data_hash=None):
 
         :param prefix: Prefix for the logicalId
         :param data_obj: Data object to trigger new changes on. If set to None, this is ignored
+        :param data_hash: Pre-computed hash, must be a string
         """
 
         data_str = ""

tests/model/test_sam_resources.py

@@ -235,6 +235,34 @@ def test_with_version_description(self):
         generateFunctionVersion = [x for x in cfnResources if isinstance(x, LambdaVersion)]
         self.assertEqual(generateFunctionVersion[0].Description, test_description)
 
+    @patch("boto3.session.Session.region_name", "ap-southeast-1")
+    def test_with_autopublish_bad_hash(self):
+        function = SamFunction("foo")
+        test_description = "foobar"
+
+        function.Runtime = "foo"
+        function.Handler = "bar"
+        function.CodeUri = "s3://foobar/foo.zip"
+        function.AutoPublishAlias = "live"
+        function.AutoPublishCodeSha256 = {"Fn::Sub": "${parameter1}"}
+
+        with pytest.raises(InvalidResourceException):
+            function.to_cloudformation(**self.kwargs)
+
+    @patch("boto3.session.Session.region_name", "ap-southeast-1")
+    def test_with_autopublish_good_hash(self):
+        function = SamFunction("foo")
+        test_description = "foobar"
+
+        function.Runtime = "foo"
+        function.Handler = "bar"
+        function.CodeUri = "s3://foobar/foo.zip"
+        function.AutoPublishAlias = "live"
+        function.AutoPublishCodeSha256 = "08240bdc52933ca4f88d5f75fc88cd3228a48feffa9920c735602433b94767ad"
+
+        # confirm no exception thrown
+        function.to_cloudformation(**self.kwargs)
+
 
 class TestOpenApi(TestCase):
     kwargs = {

tests/translator/input/error_function_fnsub_in_auto_publish_hash.yaml

@@ -0,0 +1,24 @@
+Description: Dip Investigation
+Parameters:
+  GitCommitInfo: 
+    Type: String
+    Default: hashhash
+  GitDirtInfo: 
+    Type: String
+    Default: dirtyyy
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+  Function:
+    Type: AWS::Serverless::Function
+    Properties:
+      VersionDescription:
+        Fn::Sub: ${GitCommitInfo}-${GitDirtyInfo}
+      MemorySize: 128
+      Handler: loader
+      Role:
+        Ref: IamRole
+      CodeUri: s3://some-bucket/somekey
+      AutoPublishCodeSha256:
+        Fn::Sub: ${GitCommitInfo}-${GitDirtInfo}-1
+      Runtime: go1.x
+      AutoPublishAlias: Alias1

tests/translator/output/error_function_fnsub_in_auto_publish_hash.json

@@ -0,0 +1,8 @@
+{
+  "errors": [
+    {
+      "errorMessage": "[Function] is invalid. AutoPublishCodeSha256 must be a string"
+    }
+  ], 
+  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [Function] is invalid. AutoPublishCodeSha256 must be a string"
+}