Lambda: throw error on empty resource policy (#7491)

moto/awslambda/exceptions.py

@@ -64,7 +64,7 @@ class UnknownFunctionException(LambdaClientError):
         super().__init__("ResourceNotFoundException", f"Function not found: {arn}")
 
 
-class FunctionUrlConfigNotFound(LambdaClientError):
+class GenericResourcNotFound(LambdaClientError):
     code = 404
 
     def __init__(self) -> None:

moto/awslambda/models.py

@@ -45,7 +45,7 @@ from moto.utilities.utils import load_resource_as_bytes
 from .exceptions import (
     ConflictException,
     CrossAccountNotAllowed,
-    FunctionUrlConfigNotFound,
+    GenericResourcNotFound,
     InvalidParameterValueException,
     InvalidRoleFormat,
     UnknownAliasException,
@@ -1216,7 +1216,7 @@ class LambdaFunction(CloudFormationModel, DockerModel):
 
     def get_url_config(self) -> "FunctionUrlConfig":
         if not self.url_config:
-            raise FunctionUrlConfigNotFound()
+            raise GenericResourcNotFound()
         return self.url_config
 
     def update_url_config(self, config: Dict[str, Any]) -> "FunctionUrlConfig":

moto/awslambda/policy.py

@@ -2,6 +2,7 @@ import json
 from typing import TYPE_CHECKING, Any, Callable, Dict, List, Optional, TypeVar
 
 from moto.awslambda.exceptions import (
+    GenericResourcNotFound,
     PreconditionFailedException,
     UnknownPolicyException,
 )
@@ -26,6 +27,8 @@ class Policy:
         return json.dumps(p)
 
     def get_policy(self) -> Dict[str, Any]:
+        if not self.statements:
+            raise GenericResourcNotFound()
         return {
             "Policy": {
                 "Version": "2012-10-17",

tests/test_awslambda/test_lambda_policy.py

@@ -230,9 +230,13 @@ def test_remove_function_permission(key):
 
     remove = conn.remove_permission(FunctionName=name_or_arn, StatementId="1")
     assert remove["ResponseMetadata"]["HTTPStatusCode"] == 204
-    policy = conn.get_policy(FunctionName=name_or_arn)["Policy"]
-    policy = json.loads(policy)
-    assert policy["Statement"] == []
+
+    with pytest.raises(ClientError) as exc:
+        conn.get_policy(FunctionName=name_or_arn)["Policy"]
+
+    err = exc.value.response["Error"]
+    assert err["Code"] == "ResourceNotFoundException"
+    assert err["Message"] == "The resource you requested does not exist."
 
 
 @pytest.mark.parametrize("key", ["FunctionName", "FunctionArn"])
@@ -275,9 +279,12 @@ def test_remove_function_permission__with_qualifier(key):
         FunctionName=name_or_arn, StatementId="1", Qualifier="2"
     )
     assert remove["ResponseMetadata"]["HTTPStatusCode"] == 204
-    policy = conn.get_policy(FunctionName=name_or_arn, Qualifier="2")["Policy"]
-    policy = json.loads(policy)
-    assert policy["Statement"] == []
+    with pytest.raises(ClientError) as exc:
+        conn.get_policy(FunctionName=name_or_arn, Qualifier="2")
+
+    err = exc.value.response["Error"]
+    assert err["Code"] == "ResourceNotFoundException"
+    assert err["Message"] == "The resource you requested does not exist."
 
 
 @mock_aws
@@ -292,3 +299,31 @@ def test_get_unknown_policy():
         err["Message"]
         == "Function not found: arn:aws:lambda:us-west-2:123456789012:function:unknown"
     )
+
+
+@mock_aws
+def test_policy_error_if_blank_resource_policy():
+    # Setup
+    conn = boto3.client("lambda", _lambda_region)
+    zip_content = get_test_zip_file1()
+    function_name = str(uuid4())[0:6]
+    conn.create_function(
+        FunctionName=function_name,
+        Runtime=PYTHON_VERSION,
+        Role=(get_role_name()),
+        Handler="lambda_function.handler",
+        Code={"ZipFile": zip_content},
+        Description="test lambda function",
+        Timeout=3,
+        MemorySize=128,
+        Publish=True,
+    )
+
+    # Execute
+    with pytest.raises(ClientError) as exc:
+        conn.get_policy(FunctionName=function_name)
+
+    # Verify
+    err = exc.value.response["Error"]
+    assert err["Code"] == "ResourceNotFoundException"
+    assert err["Message"] == "The resource you requested does not exist."