Validate SSL options earlier; simplify SSLError handler

aws · Nov 28, 2023 · 788fcea · 788fcea
1 parent be55d7c
commit 788fcea
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 8 deletions.
diff --git a/samcli/commands/local/cli_common/options.py b/samcli/commands/local/cli_common/options.py
@@ -87,6 +87,19 @@ def local_common_options(f):
 
     return f
 
+def validate_ssl_params(ctx, param, value):
+    if value and not Path(value).is_file():
+        raise click.UsageError(f"{param.name}: {value} does not exist.")
+
+    if param.name == 'ssl_key_file':
+        return value
+
+    if ctx.params['ssl_key_file'] and value:
+        return value
+    elif ctx.params['ssl_key_file'] or value:
+        raise click.UsageError("If either --ssl-cert-file or --ssl-key-file is specified, both must be specified")
+    else:
+        return value
 
 def service_common_options(port):
     """
@@ -121,8 +134,9 @@ def construct_options(f):
             click.option(
                 "--port", "-p", default=port, help="Local port number to listen on (default: '{}')".format(str(port))
             ),
-            click.option("--ssl-cert-file", default=None, help="Path to SSL certificate file (default: None)"),
-            click.option("--ssl-key-file", default=None, help="Path to SSL key file (default: None)"),
+            click.option("--ssl-cert-file", default=None, callback=validate_ssl_params, help="Path to SSL certificate file (default: None)"),
+            # Mark --ssl-key-file as eager, so by the time the --ssl-cert-file validator is invoked, we know if it's missing
+            click.option("--ssl-key-file", default=None, callback=validate_ssl_params, is_eager=True, help="Path to SSL key file (default: None)"),
         ]
 
         # Reverse the list to maintain ordering of options in help text printed with --help

diff --git a/samcli/commands/local/lib/local_lambda_service.py b/samcli/commands/local/lib/local_lambda_service.py
@@ -22,6 +22,8 @@ def __init__(self, lambda_invoke_context, port, host, ssl_context):
             that can help with Lambda invocation
         :param int port: Port to listen on
         :param string host: Local hostname or IP address to bind to
+        :param tuple(string, string) ssl_context: Optional, path to ssl certificate and key files to start service
+            in https
         """
 
         self.port = port

diff --git a/samcli/commands/local/start_api/cli.py b/samcli/commands/local/start_api/cli.py
@@ -253,12 +253,7 @@ def do_cli(  # pylint: disable=R0914
                 )
                 click.secho(command_suggestions, fg="yellow")
     except SSLError as ex:
-        error_message = (
-            "SSL key file must be present if certificate is present"
-            if ssl_key_file is None
-            else "Invalid certificate and/or key file"
-        )
-        raise UserException(f"SSL Error: {error_message}", wrapped_from=ex.__class__.__name__) from ex
+        raise UserException(f"SSL Error: {ex.strerror}", wrapped_from=ex.__class__.__name__) from ex
     except NoApisDefined as ex:
         raise UserException(
             "Template does not have any APIs connected to Lambda functions", wrapped_from=ex.__class__.__name__

diff --git a/samcli/local/lambda_service/local_lambda_invoke_service.py b/samcli/local/lambda_service/local_lambda_invoke_service.py
@@ -42,6 +42,9 @@ def __init__(self, lambda_runner, port, host, stderr=None, ssl_context=None):
             Optional. port for the service to start listening on
         host str
             Optional. host to start the service on
+        ssl_context : (str, str)
+            Optional. tuple(str, str) indicating the cert and key files to use to start in https mode
+            Defaults to None
         stderr io.BaseIO
             Optional stream where the stderr from Docker container should be written to
         """