Improve function invocation error (#377)

* Fix a var name collision * Use new convention for session * Add actuall error to log * Revert "Add actuall error to log" This reverts commit 2910178. * Add a case handling for UnrecognizedClientException * check for all error that are releated to permissions * fix session init
serverless · Feb 27, 2018 · 5b51ea0 · 5b51ea0
1 parent 0127212
commit 5b51ea0
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 2 deletions.
diff --git a/function/errors.go b/function/errors.go
@@ -40,6 +40,15 @@ func (e ErrFunctionCallFailed) Error() string {
 	return fmt.Sprintf("Function call failed. Error: %q", e.Original)
 }
 
+// ErrFunctionAccessDenied occurs when Event Gateway don't have access to call a function.
+type ErrFunctionAccessDenied struct {
+	Original error
+}
+
+func (e ErrFunctionAccessDenied) Error() string {
+	return fmt.Sprintf("Function access denied. Error: %q", e.Original)
+}
+
 // ErrFunctionProviderError occurs when function call failed because of provider error.
 type ErrFunctionProviderError struct {
 	Original error

diff --git a/function/function.go b/function/function.go
@@ -122,13 +122,18 @@ func (w WeightedFunctions) Choose() (ID, error) {
 	return chosenFunction, nil
 }
 
+// nolint: gocyclo
 func (f *Function) callAWSLambda(payload []byte) ([]byte, error) {
 	config := aws.NewConfig().WithRegion(f.Provider.Region)
 	if f.Provider.AWSAccessKeyID != "" && f.Provider.AWSSecretAccessKey != "" {
 		config = config.WithCredentials(credentials.NewStaticCredentials(f.Provider.AWSAccessKeyID, f.Provider.AWSSecretAccessKey, f.Provider.AWSSessionToken))
 	}
 
-	awslambda := lambda.New(session.New(config))
+	awsSession, err := session.NewSession(config)
+	if err != nil {
+		return nil, &ErrFunctionProviderError{err}
+	}
+	awslambda := lambda.New(awsSession)
 
 	invokeOutput, err := awslambda.Invoke(&lambda.InvokeInput{
 		FunctionName: &f.Provider.ARN,
@@ -137,6 +142,10 @@ func (f *Function) callAWSLambda(payload []byte) ([]byte, error) {
 	if err != nil {
 		if awserr, ok := err.(awserr.Error); ok {
 			switch awserr.Code() {
+			case "AccessDeniedException":
+			case "InvalidSignatureException":
+			case "UnrecognizedClientException":
+				return nil, &ErrFunctionAccessDenied{awserr}
 			case lambda.ErrCodeServiceException:
 				return nil, &ErrFunctionProviderError{awserr}
 			default:

diff --git a/router/router.go b/router/router.go
@@ -226,9 +226,14 @@ func (router *Router) handleHTTPEvent(event *eventpkg.Event, w http.ResponseWrit
 		event.Data = httpdata
 		resp, err := router.callFunction(space, *backingFunction, *event)
 		if err != nil {
+			message := "function call failed"
+			if _, ok := err.(*function.ErrFunctionAccessDenied); ok {
+				message = "function access denied"
+			}
+
 			w.WriteHeader(http.StatusInternalServerError)
 			w.Header().Set("Content-Type", "application/json")
-			encoder.Encode(&httpapi.Response{Errors: []httpapi.Error{{Message: "function call failed"}}})
+			encoder.Encode(&httpapi.Response{Errors: []httpapi.Error{{Message: message}}})
 			return
 		}