Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
@aws-amplify/graphql-auth-transformer
Advanced tools
@aws-amplify/graphql-auth-transformer - npm Package Compare versions
Comparing version 0.2.1-beta.0 to 0.3.0-beta.0
@@ -6,2 +6,23 @@ # Change Log | ||
| # [0.3.0-beta.0](https://github.com/aws-amplify/amplify-cli/compare/@aws-amplify/graphql-auth-transformer@0.2.1-beta.0...@aws-amplify/graphql-auth-transformer@0.3.0-beta.0) (2021-11-06) | ||
| ### Bug Fixes | ||
| * allow duplicate auth rules when creating the join type ([#8680](https://github.com/aws-amplify/amplify-cli/issues/8680)) ([1a0636d](https://github.com/aws-amplify/amplify-cli/commit/1a0636d72d010b9d0ed18d511f853bcbffa9d421)) | ||
| * fix null check for implied owner check ([#8586](https://github.com/aws-amplify/amplify-cli/issues/8586)) ([4a0fda8](https://github.com/aws-amplify/amplify-cli/commit/4a0fda81472ec82d6731502bbe83a9ffd0b27198)) | ||
| * **graphql-model-transformer:** override resource logical id to fix v1 to v2 transformer migration ([#8597](https://github.com/aws-amplify/amplify-cli/issues/8597)) ([e3a2afb](https://github.com/aws-amplify/amplify-cli/commit/e3a2afbbed6e97f143fc7c83064e2193f4c91bdd)) | ||
| * searchable fix and migration e2e tests ([#8666](https://github.com/aws-amplify/amplify-cli/issues/8666)) ([d5f9397](https://github.com/aws-amplify/amplify-cli/commit/d5f9397fa860f32e748f6f880929b1e5856a68e2)) | ||
| * update auth vnext validation to use private for oidc ([#8606](https://github.com/aws-amplify/amplify-cli/issues/8606)) ([8e659a1](https://github.com/aws-amplify/amplify-cli/commit/8e659a1357df63d5cae92b67f719ffeea9acacf0)) | ||
| ### Features | ||
| * add admin roles which have admin control over a graphql api ([#8601](https://github.com/aws-amplify/amplify-cli/issues/8601)) ([4d50df0](https://github.com/aws-amplify/amplify-cli/commit/4d50df000c6e11165d2da766c0eaa0097d88a0c2)) | ||
| * allow optional idp arg into auth to allow provided auth role or authenticated identity ([#8609](https://github.com/aws-amplify/amplify-cli/issues/8609)) ([bf843b9](https://github.com/aws-amplify/amplify-cli/commit/bf843b90330d8ceb2ea90bc2761edd57e5d5123b)) | ||
| ## 0.2.1-beta.0 (2021-10-29) | ||
@@ -8,0 +29,0 @@ |
@@ -10,2 +10,3 @@ declare type ACMConfig = { | ||
| resource?: string; | ||
| allowRoleOverwrite?: boolean; | ||
| }; | ||
@@ -21,2 +22,3 @@ export declare class AccessControlMatrix { | ||
| hasRole(role: string): boolean; | ||
| getName(): string; | ||
| getRoles(): Array<string>; | ||
@@ -23,0 +25,0 @@ getResources(): Readonly<Array<string>>; |
@@ -18,3 +18,3 @@ "use strict"; | ||
| setRole(input) { | ||
| const { role, resource, operations } = input; | ||
| const { role, resource, operations, allowRoleOverwrite = false } = input; | ||
| this.validate({ resource, operations }); | ||
@@ -28,3 +28,3 @@ let allowedVector; | ||
| } | ||
| else if (this.roles.includes(role) && resource) { | ||
| else if (this.roles.includes(role) && (resource || allowRoleOverwrite)) { | ||
| allowedVector = this.getResourceOperationMatrix({ operations, resource, role }); | ||
@@ -41,2 +41,5 @@ const roleIndex = this.roles.indexOf(role); | ||
| } | ||
| getName() { | ||
| return this.name; | ||
| } | ||
| getRoles() { | ||
@@ -43,0 +46,0 @@ return this.roles; |
@@ -36,3 +36,3 @@ "use strict"; | ||
| class AuthTransformer extends graphql_transformer_core_1.TransformerAuthBase { | ||
| constructor(config = { addAwsIamAuthInOutputSchema: false }) { | ||
| constructor(config = {}) { | ||
| super('amplify-auth-transformer', utils_1.authDirectiveDefinition); | ||
@@ -42,3 +42,4 @@ this.authPolicyResources = new Set(); | ||
| this.before = (context) => { | ||
| this.config.authConfig = this.config.authConfig || context.authConfig; | ||
| var _a; | ||
| this.config.authConfig = (_a = this.config.authConfig) !== null && _a !== void 0 ? _a : context.authConfig; | ||
| this.configuredAuthProviders = utils_1.getConfiguredAuthProviders(this.config); | ||
@@ -53,2 +54,6 @@ }; | ||
| const typeName = def.name.value; | ||
| let isJoinType = false; | ||
| if (context.metadata.has('joinTypeList')) { | ||
| isJoinType = context.metadata.get('joinTypeList').includes(typeName); | ||
| } | ||
| const authDir = new graphql_transformer_core_1.DirectiveWrapper(directive); | ||
@@ -66,3 +71,3 @@ const rules = authDir.getArguments({ rules: [] }).rules; | ||
| this.addTypeToResourceReferences(def.name.value, rules); | ||
| this.convertRulesToRoles(acm, rules); | ||
| this.convertRulesToRoles(acm, rules, isJoinType); | ||
| this.modelDirectiveConfig.set(typeName, utils_1.getModelConfig(modelDirective, typeName, context.isProjectUsingDataStore())); | ||
@@ -108,3 +113,3 @@ this.authModelConfig.set(typeName, acm); | ||
| } | ||
| this.convertRulesToRoles(acm, rules, fieldName); | ||
| this.convertRulesToRoles(acm, rules, false, fieldName); | ||
| this.authModelConfig.set(typeName, acm); | ||
@@ -120,3 +125,3 @@ } | ||
| }); | ||
| this.convertRulesToRoles(acm, staticRules, typeFieldName, ['read']); | ||
| this.convertRulesToRoles(acm, staticRules, false, typeFieldName, ['read']); | ||
| this.authNonModelConfig.set(typeFieldName, acm); | ||
@@ -373,5 +378,6 @@ } | ||
| const modelFields = (_a = def.fields) !== null && _a !== void 0 ? _a : []; | ||
| const name = acm.getName(); | ||
| const allowedAggFields = modelFields.map(f => f.name.value).filter(f => !acmFields.includes(f)); | ||
| let leastAllowedFields = acmFields; | ||
| const resolver = ctx.resolvers.getResolver(typeName, fieldName); | ||
| const resolver = ctx.resolvers.getResolver('Search', graphql_transformer_common_2.toUpper(name)); | ||
| const readRoleDefinitions = acm.getRolesPerOperation('read').map(role => { | ||
@@ -411,3 +417,3 @@ const allowedFields = acmFields.filter(resource => acm.isAllowed(role, resource, 'read')); | ||
| const fieldResponse = resolvers_1.generateFieldAuthResponse('Mutation', fieldName, subsEnabled); | ||
| const resolver = ctx.resolvers.addResolver(typeName, fieldName, new graphql_transformer_core_1.TransformerResolver(typeName, fieldName, graphql_transformer_core_1.MappingTemplate.s3MappingTemplateFromString(fieldAuthExpression, `${typeName}.${fieldName}.req.vtl`), graphql_transformer_core_1.MappingTemplate.s3MappingTemplateFromString(fieldResponse, `${typeName}.${fieldName}.res.vtl`), ['init'], ['finish'])); | ||
| const resolver = ctx.resolvers.addResolver(typeName, fieldName, new graphql_transformer_core_1.TransformerResolver(typeName, fieldName, graphql_transformer_common_1.ResolverResourceIDs.ResolverResourceID(typeName, fieldName), graphql_transformer_core_1.MappingTemplate.s3MappingTemplateFromString(fieldAuthExpression, `${typeName}.${fieldName}.req.vtl`), graphql_transformer_core_1.MappingTemplate.s3MappingTemplateFromString(fieldResponse, `${typeName}.${fieldName}.res.vtl`), ['init'], ['finish'])); | ||
| resolver.mapToStack(stack); | ||
@@ -470,3 +476,3 @@ } | ||
| } | ||
| convertRulesToRoles(acm, authRules, field, overideOperations) { | ||
| convertRulesToRoles(acm, authRules, allowRoleOverwrite, field, overideOperations) { | ||
| for (let rule of authRules) { | ||
@@ -487,3 +493,3 @@ let operations = overideOperations ? overideOperations : rule.operations || utils_1.MODEL_OPERATIONS; | ||
| } | ||
| acm.setRole({ role: roleName, resource: field, operations }); | ||
| acm.setRole({ role: roleName, resource: field, operations, allowRoleOverwrite }); | ||
| }); | ||
@@ -556,3 +562,3 @@ } | ||
| } | ||
| acm.setRole({ role: roleName, resource: field, operations }); | ||
| acm.setRole({ role: roleName, resource: field, operations, allowRoleOverwrite }); | ||
| } | ||
@@ -573,3 +579,3 @@ } | ||
| } | ||
| if (this.configuredAuthProviders.hasAdminUIEnabled) { | ||
| if (this.configuredAuthProviders.hasAdminRolesEnabled) { | ||
| providers.add('iam'); | ||
@@ -658,3 +664,3 @@ } | ||
| shouldAddDefaultServiceDirective() { | ||
| return this.configuredAuthProviders.hasAdminUIEnabled && this.config.authConfig.defaultAuthentication.authenticationType !== 'AWS_IAM'; | ||
| return (this.configuredAuthProviders.hasAdminRolesEnabled && this.config.authConfig.defaultAuthentication.authenticationType !== 'AWS_IAM'); | ||
| } | ||
@@ -664,3 +670,3 @@ generateIAMPolicies(ctx) { | ||
| if (this.authPolicyResources.size === 0) { | ||
| if (!this.configuredAuthProviders.hasAdminUIEnabled) { | ||
| if (!this.configuredAuthProviders.hasAdminRolesEnabled) { | ||
| throw new graphql_transformer_core_1.TransformerContractError('AuthRole policies should be generated, but no resources were added.'); | ||
@@ -667,0 +673,0 @@ } |
| import { FieldDefinitionNode } from 'graphql'; | ||
| import { RoleDefinition, ConfiguredAuthProviders } from '../utils'; | ||
| export declare const generateAuthExpressionForField: (provider: ConfiguredAuthProviders, roles: Array<RoleDefinition>, fields: ReadonlyArray<FieldDefinitionNode>) => string; | ||
| export declare const generateAuthExpressionForField: (providers: ConfiguredAuthProviders, roles: Array<RoleDefinition>, fields: ReadonlyArray<FieldDefinitionNode>) => string; | ||
| export declare const generateFieldAuthResponse: (operation: string, fieldName: string, subscriptionsEnabled: boolean) => string; | ||
@@ -5,0 +5,0 @@ export declare const setDeniedFieldFlag: (operation: string, subscriptionsEnabled: boolean) => string; |
@@ -40,21 +40,21 @@ "use strict"; | ||
| }; | ||
| const generateAuthExpressionForField = (provider, roles, fields) => { | ||
| const { cogntoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, iamRoles, apiKeyRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const generateAuthExpressionForField = (providers, roles, fields) => { | ||
| const { cognitoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, iamRoles, apiKeyRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const totalAuthExpressions = [graphql_mapping_template_1.set(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG), graphql_mapping_template_1.bool(false))]; | ||
| if (provider.hasApiKey) { | ||
| if (providers.hasApiKey) { | ||
| totalAuthExpressions.push(helpers_1.apiKeyExpression(apiKeyRoles)); | ||
| } | ||
| if (provider.hasLambda) { | ||
| if (providers.hasLambda) { | ||
| totalAuthExpressions.push(helpers_1.lambdaExpression(lambdaRoles)); | ||
| } | ||
| if (provider.hasIAM) { | ||
| totalAuthExpressions.push(helpers_1.iamExpression(iamRoles, provider.hasAdminUIEnabled, provider.adminUserPoolID)); | ||
| if (providers.hasIAM) { | ||
| totalAuthExpressions.push(helpers_1.iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.adminRoles, providers.identityPoolId)); | ||
| } | ||
| if (provider.hasUserPools) { | ||
| if (providers.hasUserPools) { | ||
| totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.COGNITO_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression([ | ||
| ...helpers_1.generateStaticRoleExpression(cogntoStaticRoles), | ||
| ...helpers_1.generateStaticRoleExpression(cognitoStaticRoles), | ||
| ...generateDynamicAuthReadExpression(cognitoDynamicRoles, fields), | ||
| ]))); | ||
| } | ||
| if (provider.hasOIDC) { | ||
| if (providers.hasOIDC) { | ||
| totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.OIDC_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression([ | ||
@@ -61,0 +61,0 @@ ...helpers_1.generateStaticRoleExpression(oidcStaticRoles), |
@@ -7,3 +7,3 @@ import { Expression } from 'graphql-mapping-template'; | ||
| export declare const addAllowedFieldsIfElse: (fieldKey: string, breakLoop?: boolean) => Expression; | ||
| export declare const iamCheck: (claim: string, exp: Expression) => import("graphql-mapping-template").IfNode; | ||
| export declare const iamCheck: (claim: string, exp: Expression, identityPoolId?: string) => import("graphql-mapping-template").IfNode; | ||
| export declare const getOwnerClaim: (ownerClaim: string) => Expression; | ||
@@ -14,5 +14,6 @@ export declare const responseCheckForErrors: () => import("graphql-mapping-template").IfNode; | ||
| export declare const lambdaExpression: (roles: Array<RoleDefinition>) => import("graphql-mapping-template").IfNode; | ||
| export declare const iamExpression: (roles: Array<RoleDefinition>, adminuiEnabled?: boolean, adminUserPoolID?: string) => import("graphql-mapping-template").IfNode; | ||
| export declare const iamExpression: (roles: Array<RoleDefinition>, adminRolesEnabled: boolean, adminRoles?: Array<string>, identityPoolId?: string) => import("graphql-mapping-template").IfNode; | ||
| export declare const iamAdminRoleCheckExpression: (adminRoles: Array<string>) => Expression; | ||
| export declare const generateAuthRequestExpression: () => string; | ||
| export declare const emptyPayload: import("graphql-mapping-template").ToJsonNode; | ||
| //# sourceMappingURL=helpers.d.ts.map |
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.emptyPayload = exports.generateAuthRequestExpression = exports.iamExpression = exports.lambdaExpression = exports.apiKeyExpression = exports.generateStaticRoleExpression = exports.responseCheckForErrors = exports.getOwnerClaim = exports.iamCheck = exports.addAllowedFieldsIfElse = exports.getIdentityClaimExp = exports.getInputFields = exports.setHasAuthExpression = void 0; | ||
| exports.emptyPayload = exports.generateAuthRequestExpression = exports.iamAdminRoleCheckExpression = exports.iamExpression = exports.lambdaExpression = exports.apiKeyExpression = exports.generateStaticRoleExpression = exports.responseCheckForErrors = exports.getOwnerClaim = exports.iamCheck = exports.addAllowedFieldsIfElse = exports.getIdentityClaimExp = exports.getInputFields = exports.setHasAuthExpression = void 0; | ||
| const graphql_mapping_template_1 = require("graphql-mapping-template"); | ||
@@ -20,3 +20,15 @@ const graphql_transformer_common_1 = require("graphql-transformer-common"); | ||
| exports.addAllowedFieldsIfElse = addAllowedFieldsIfElse; | ||
| const iamCheck = (claim, exp) => graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('ctx.identity.userArn'), graphql_mapping_template_1.ref(`ctx.stash.${claim}`)), exp); | ||
| const iamCheck = (claim, exp, identityPoolId) => { | ||
| let iamExp = graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('ctx.identity.userArn'), graphql_mapping_template_1.ref(`ctx.stash.${claim}`)); | ||
| if (identityPoolId && claim === 'authRole') { | ||
| iamExp = graphql_mapping_template_1.or([ | ||
| graphql_mapping_template_1.parens(iamExp), | ||
| graphql_mapping_template_1.parens(graphql_mapping_template_1.and([ | ||
| graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('ctx.identity.cognitoIdentityPoolId'), graphql_mapping_template_1.str(identityPoolId)), | ||
| graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('ctx.identity.cognitoIdentityAuthType'), graphql_mapping_template_1.str('authenticated')), | ||
| ])), | ||
| ]); | ||
| } | ||
| return graphql_mapping_template_1.iff(iamExp, exp); | ||
| }; | ||
| exports.iamCheck = iamCheck; | ||
@@ -59,18 +71,27 @@ const getOwnerClaim = (ownerClaim) => { | ||
| exports.lambdaExpression = lambdaExpression; | ||
| const iamExpression = (roles, adminuiEnabled = false, adminUserPoolID) => { | ||
| const iamExpression = (roles, adminRolesEnabled, adminRoles = [], identityPoolId) => { | ||
| const expression = new Array(); | ||
| if (adminuiEnabled) { | ||
| expression.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.or([ | ||
| graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('ctx.identity.userArn.contains'), graphql_mapping_template_1.str(`${adminUserPoolID}${utils_1.ADMIN_ROLE}`)), | ||
| graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('ctx.identity.userArn.contains'), graphql_mapping_template_1.str(`${adminUserPoolID}${utils_1.MANAGE_ROLE}`)), | ||
| ]), graphql_mapping_template_1.raw('#return($util.toJson({})'))); | ||
| if (adminRolesEnabled) { | ||
| expression.push(exports.iamAdminRoleCheckExpression(adminRoles)); | ||
| } | ||
| if (roles.length > 0) { | ||
| for (let role of roles) { | ||
| expression.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.not(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG)), exports.iamCheck(role.claim, graphql_mapping_template_1.set(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG), graphql_mapping_template_1.bool(true))))); | ||
| expression.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.not(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG)), exports.iamCheck(role.claim, graphql_mapping_template_1.set(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG), graphql_mapping_template_1.bool(true)), identityPoolId))); | ||
| } | ||
| } | ||
| else { | ||
| expression.push(graphql_mapping_template_1.ref('util.unauthorized()')); | ||
| } | ||
| return graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.IAM_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression(expression)); | ||
| }; | ||
| exports.iamExpression = iamExpression; | ||
| const iamAdminRoleCheckExpression = (adminRoles) => { | ||
| return graphql_mapping_template_1.compoundExpression([ | ||
| graphql_mapping_template_1.set(graphql_mapping_template_1.ref('adminRoles'), graphql_mapping_template_1.raw(JSON.stringify(adminRoles))), | ||
| graphql_mapping_template_1.forEach(graphql_mapping_template_1.ref('adminRole'), graphql_mapping_template_1.ref('adminRoles'), [ | ||
| graphql_mapping_template_1.iff(graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('ctx.identity.userArn.contains'), graphql_mapping_template_1.ref('adminRole')), graphql_mapping_template_1.raw('#return($util.toJson({}))')), | ||
| ]), | ||
| ]); | ||
| }; | ||
| exports.iamAdminRoleCheckExpression = iamAdminRoleCheckExpression; | ||
| const generateAuthRequestExpression = () => { | ||
@@ -77,0 +98,0 @@ const statements = [ |
@@ -20,9 +20,6 @@ "use strict"; | ||
| }; | ||
| const iamExpression = (roles, hasAdminUIEnabled = false, adminUserPoolID) => { | ||
| const iamExpression = (roles, hasAdminRolesEnabled = false, adminRoles = [], identityPoolId) => { | ||
| const expression = new Array(); | ||
| if (hasAdminUIEnabled) { | ||
| expression.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.or([ | ||
| graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('ctx.identity.userArn.contains'), graphql_mapping_template_1.str(`${adminUserPoolID}${utils_1.ADMIN_ROLE}`)), | ||
| graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('ctx.identity.userArn.contains'), graphql_mapping_template_1.str(`${adminUserPoolID}${utils_1.MANAGE_ROLE}`)), | ||
| ]), graphql_mapping_template_1.raw('#return($util.toJson({})'))); | ||
| if (hasAdminRolesEnabled) { | ||
| expression.push(helpers_1.iamAdminRoleCheckExpression(adminRoles)); | ||
| } | ||
@@ -35,3 +32,3 @@ if (roles.length > 0) { | ||
| else { | ||
| expression.push(helpers_1.iamCheck(role.claim, graphql_mapping_template_1.set(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG), graphql_mapping_template_1.bool(true)))); | ||
| expression.push(helpers_1.iamCheck(role.claim, graphql_mapping_template_1.set(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG), graphql_mapping_template_1.bool(true)), identityPoolId)); | ||
| } | ||
@@ -82,3 +79,3 @@ } | ||
| }; | ||
| const dynamicGroupRoleExpression = (roles, fields) => { | ||
| const dynamicRoleExpression = (roles, fields) => { | ||
| const ownerExpression = new Array(); | ||
@@ -90,3 +87,3 @@ const dynamicGroupExpression = new Array(); | ||
| ownerExpression.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.not(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG)), graphql_mapping_template_1.compoundExpression([ | ||
| graphql_mapping_template_1.set(graphql_mapping_template_1.ref(`ownerEntity${idx}`), graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('util.defaultIfNull'), graphql_mapping_template_1.ref(`ctx.args.input.${role.entity}`), entityIsList ? graphql_mapping_template_1.list([]) : graphql_mapping_template_1.nul())), | ||
| graphql_mapping_template_1.set(graphql_mapping_template_1.ref(`ownerEntity${idx}`), graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('util.defaultIfNull'), graphql_mapping_template_1.ref(`ctx.args.input.${role.entity}`), graphql_mapping_template_1.nul())), | ||
| graphql_mapping_template_1.set(graphql_mapping_template_1.ref(`ownerClaim${idx}`), helpers_1.getOwnerClaim(role.claim)), | ||
@@ -101,3 +98,3 @@ graphql_mapping_template_1.set(graphql_mapping_template_1.ref(`ownerAllowedFields${idx}`), graphql_mapping_template_1.raw(JSON.stringify(role.allowedFields))), | ||
| : [graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref(`ownerClaim${idx}`), graphql_mapping_template_1.ref(`ownerEntity${idx}`)), helpers_1.addAllowedFieldsIfElse(`ownerAllowedFields${idx}`))]), | ||
| graphql_mapping_template_1.iff(graphql_mapping_template_1.and([graphql_mapping_template_1.isNullOrEmpty(graphql_mapping_template_1.ref(`ownerEntity${idx}`)), graphql_mapping_template_1.not(graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('ctx.args.input.containsKey'), graphql_mapping_template_1.str(role.entity)))]), graphql_mapping_template_1.compoundExpression([ | ||
| graphql_mapping_template_1.iff(graphql_mapping_template_1.and([graphql_mapping_template_1.ref(`util.isNull($ownerEntity${idx})`), graphql_mapping_template_1.not(graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('ctx.args.input.containsKey'), graphql_mapping_template_1.str(role.entity)))]), graphql_mapping_template_1.compoundExpression([ | ||
| graphql_mapping_template_1.qref(graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('ctx.args.input.put'), graphql_mapping_template_1.str(role.entity), entityIsList ? graphql_mapping_template_1.list([graphql_mapping_template_1.ref(`ownerClaim${idx}`)]) : graphql_mapping_template_1.ref(`ownerClaim${idx}`))), | ||
@@ -124,3 +121,3 @@ helpers_1.addAllowedFieldsIfElse(`ownerAllowedFields${idx}`), | ||
| const generateAuthExpressionForCreate = (providers, roles, fields) => { | ||
| const { cogntoStaticRoles: cognitoStaticGroupRoles, cognitoDynamicRoles, oidcStaticRoles: oidcStaticGroupRoles, oidcDynamicRoles, apiKeyRoles, iamRoles, lambdaRoles, } = utils_1.splitRoles(roles); | ||
| const { cognitoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, apiKeyRoles, iamRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const totalAuthExpressions = [ | ||
@@ -136,3 +133,3 @@ helpers_1.setHasAuthExpression, | ||
| if (providers.hasIAM) { | ||
| totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminUIEnabled, providers.adminUserPoolID)); | ||
| totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.adminRoles, providers.identityPoolId)); | ||
| } | ||
@@ -143,12 +140,6 @@ if (providers.hasLambda) { | ||
| if (providers.hasUserPools) { | ||
| totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.COGNITO_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression([ | ||
| ...generateStaticRoleExpression(cognitoStaticGroupRoles), | ||
| ...dynamicGroupRoleExpression(cognitoDynamicRoles, fields), | ||
| ]))); | ||
| totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.COGNITO_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression([...generateStaticRoleExpression(cognitoStaticRoles), ...dynamicRoleExpression(cognitoDynamicRoles, fields)]))); | ||
| } | ||
| if (providers.hasOIDC) { | ||
| totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.OIDC_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression([ | ||
| ...generateStaticRoleExpression(oidcStaticGroupRoles), | ||
| ...dynamicGroupRoleExpression(oidcDynamicRoles, fields), | ||
| ]))); | ||
| totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.OIDC_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression([...generateStaticRoleExpression(oidcStaticRoles), ...dynamicRoleExpression(oidcDynamicRoles, fields)]))); | ||
| } | ||
@@ -155,0 +146,0 @@ totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.and([graphql_mapping_template_1.not(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG)), graphql_mapping_template_1.ref(`${utils_1.ALLOWED_FIELDS}.isEmpty()`)]), graphql_mapping_template_1.ref('util.unauthorized()')), graphql_mapping_template_1.iff(graphql_mapping_template_1.not(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG)), graphql_mapping_template_1.compoundExpression([ |
@@ -17,13 +17,10 @@ "use strict"; | ||
| }; | ||
| const iamExpression = (roles, hasAdminUIEnabled = false, adminUserPoolID) => { | ||
| const iamExpression = (roles, hasAdminRolesEnabled = false, adminRoles = [], identityPoolId) => { | ||
| const expression = new Array(); | ||
| if (hasAdminUIEnabled) { | ||
| expression.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.or([ | ||
| graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('ctx.identity.userArn.contains'), graphql_mapping_template_1.str(`${adminUserPoolID}${utils_1.ADMIN_ROLE}`)), | ||
| graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('ctx.identity.userArn.contains'), graphql_mapping_template_1.str(`${adminUserPoolID}${utils_1.MANAGE_ROLE}`)), | ||
| ]), graphql_mapping_template_1.raw('#return($util.toJson({})'))); | ||
| if (hasAdminRolesEnabled) { | ||
| expression.push(helpers_1.iamAdminRoleCheckExpression(adminRoles)); | ||
| } | ||
| if (roles.length > 0) { | ||
| for (let role of roles) { | ||
| expression.push(helpers_1.iamCheck(role.claim, graphql_mapping_template_1.set(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG), graphql_mapping_template_1.bool(true)))); | ||
| expression.push(helpers_1.iamCheck(role.claim, graphql_mapping_template_1.set(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG), graphql_mapping_template_1.bool(true)), identityPoolId)); | ||
| } | ||
@@ -97,3 +94,3 @@ } | ||
| const geneateAuthExpressionForDelete = (providers, roles, fields) => { | ||
| const { cogntoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, apiKeyRoles, iamRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const { cognitoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, apiKeyRoles, iamRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const totalAuthExpressions = [helpers_1.setHasAuthExpression, graphql_mapping_template_1.set(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG), graphql_mapping_template_1.bool(false))]; | ||
@@ -104,3 +101,3 @@ if (providers.hasApiKey) { | ||
| if (providers.hasIAM) { | ||
| totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminUIEnabled, providers.adminUserPoolID)); | ||
| totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.adminRoles, providers.identityPoolId)); | ||
| } | ||
@@ -112,3 +109,3 @@ if (providers.hasLambda) { | ||
| totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.COGNITO_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression([ | ||
| ...generateStaticRoleExpression(cogntoStaticRoles), | ||
| ...generateStaticRoleExpression(cognitoStaticRoles), | ||
| ...dynamicGroupRoleExpression(cognitoDynamicRoles, fields), | ||
@@ -115,0 +112,0 @@ ]))); |
@@ -33,9 +33,6 @@ "use strict"; | ||
| }; | ||
| const iamExpression = (roles, hasAdminUIEnabled = false, adminUserPoolID) => { | ||
| const iamExpression = (roles, hasAdminRolesEnabled = false, adminRoles = [], identityPoolId) => { | ||
| const expression = new Array(); | ||
| if (hasAdminUIEnabled) { | ||
| expression.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.or([ | ||
| graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('ctx.identity.userArn.contains'), graphql_mapping_template_1.str(`${adminUserPoolID}${utils_1.ADMIN_ROLE}`)), | ||
| graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('ctx.identity.userArn.contains'), graphql_mapping_template_1.str(`${adminUserPoolID}${utils_1.MANAGE_ROLE}`)), | ||
| ]), graphql_mapping_template_1.raw('#return($util.toJson({})'))); | ||
| if (hasAdminRolesEnabled) { | ||
| expression.push(helpers_1.iamAdminRoleCheckExpression(adminRoles)); | ||
| } | ||
@@ -48,3 +45,3 @@ if (roles.length > 0) { | ||
| graphql_mapping_template_1.set(graphql_mapping_template_1.ref(`${utils_1.NULL_ALLOWED_FIELDS}`), graphql_mapping_template_1.raw(JSON.stringify(role.nullAllowedFields))), | ||
| ]))); | ||
| ]), identityPoolId)); | ||
| } | ||
@@ -143,3 +140,3 @@ else { | ||
| const generateAuthExpressionForUpdate = (providers, roles, fields) => { | ||
| const { cogntoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, apiKeyRoles, iamRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const { cognitoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, apiKeyRoles, iamRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const totalAuthExpressions = [ | ||
@@ -161,7 +158,7 @@ helpers_1.setHasAuthExpression, | ||
| if (providers.hasIAM) { | ||
| totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminUIEnabled, providers.adminUserPoolID)); | ||
| totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.adminRoles, providers.identityPoolId)); | ||
| } | ||
| if (providers.hasUserPools) { | ||
| totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.COGNITO_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression([ | ||
| ...generateStaticRoleExpression(cogntoStaticRoles), | ||
| ...generateStaticRoleExpression(cognitoStaticRoles), | ||
| ...dynamicGroupRoleExpression(cognitoDynamicRoles, fields), | ||
@@ -168,0 +165,0 @@ ]))); |
@@ -131,3 +131,3 @@ "use strict"; | ||
| const generateAuthExpressionForQueries = (providers, roles, fields, primaryFields, isIndexQuery = false) => { | ||
| const { cogntoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, apiKeyRoles, iamRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const { cognitoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, apiKeyRoles, iamRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const getNonPrimaryFieldRoles = (roles) => roles.filter(roles => !primaryFields.includes(roles.entity)); | ||
@@ -146,7 +146,7 @@ const totalAuthExpressions = [ | ||
| if (providers.hasIAM) { | ||
| totalAuthExpressions.push(helpers_1.iamExpression(iamRoles, providers.hasAdminUIEnabled, providers.adminUserPoolID)); | ||
| totalAuthExpressions.push(helpers_1.iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.adminRoles, providers.identityPoolId)); | ||
| } | ||
| if (providers.hasUserPools) { | ||
| totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.COGNITO_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression([ | ||
| ...generateStaticRoleExpression(cogntoStaticRoles), | ||
| ...generateStaticRoleExpression(cognitoStaticRoles), | ||
| ...generateAuthFilter(getNonPrimaryFieldRoles(cognitoDynamicRoles), fields), | ||
@@ -168,3 +168,3 @@ ...generateAuthOnModelQueryExpression(cognitoDynamicRoles, primaryFields, isIndexQuery), | ||
| const generateAuthExpressionForRelationQuery = (providers, roles, fields, primaryFieldMap) => { | ||
| const { cogntoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, apiKeyRoles, iamRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const { cognitoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, apiKeyRoles, iamRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const getNonPrimaryFieldRoles = (roles) => roles.filter(roles => !primaryFieldMap.has(roles.entity)); | ||
@@ -183,7 +183,7 @@ const totalAuthExpressions = [ | ||
| if (providers.hasIAM) { | ||
| totalAuthExpressions.push(helpers_1.iamExpression(iamRoles, providers.hasAdminUIEnabled, providers.adminUserPoolID)); | ||
| totalAuthExpressions.push(helpers_1.iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.adminRoles, providers.identityPoolId)); | ||
| } | ||
| if (providers.hasUserPools) { | ||
| totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.COGNITO_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression([ | ||
| ...generateStaticRoleExpression(cogntoStaticRoles), | ||
| ...generateStaticRoleExpression(cognitoStaticRoles), | ||
| ...generateAuthFilter(getNonPrimaryFieldRoles(cognitoDynamicRoles), fields), | ||
@@ -190,0 +190,0 @@ ...generateAuthOnRelationalModelQueryExpression(cognitoDynamicRoles, primaryFieldMap), |
@@ -37,9 +37,6 @@ "use strict"; | ||
| }; | ||
| const iamExpression = (roles, adminuiEnabled = false, adminUserPoolID) => { | ||
| const iamExpression = (roles, hasAdminRolesEnabled = false, adminRoles = [], identityPoolId) => { | ||
| const expression = new Array(); | ||
| if (adminuiEnabled) { | ||
| expression.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.or([ | ||
| graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('ctx.identity.userArn.contains'), graphql_mapping_template_1.str(`${adminUserPoolID}${utils_1.ADMIN_ROLE}`)), | ||
| graphql_mapping_template_1.methodCall(graphql_mapping_template_1.ref('ctx.identity.userArn.contains'), graphql_mapping_template_1.str(`${adminUserPoolID}${utils_1.MANAGE_ROLE}`)), | ||
| ]), graphql_mapping_template_1.raw('#return($util.toJson({})'))); | ||
| if (hasAdminRolesEnabled) { | ||
| expression.push(helpers_1.iamAdminRoleCheckExpression(adminRoles)); | ||
| } | ||
@@ -58,3 +55,3 @@ if (roles.length === 0) { | ||
| } | ||
| expression.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.not(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG)), helpers_1.iamCheck(role.claim, graphql_mapping_template_1.compoundExpression(exp)))); | ||
| expression.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.not(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG)), helpers_1.iamCheck(role.claim, graphql_mapping_template_1.compoundExpression(exp), identityPoolId))); | ||
| } | ||
@@ -146,3 +143,3 @@ } | ||
| const generateAuthExpressionForSearchQueries = (providers, roles, fields, allowedAggFields) => { | ||
| const { cogntoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, apiKeyRoles, iamRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const { cognitoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, apiKeyRoles, iamRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const totalAuthExpressions = [ | ||
@@ -161,7 +158,7 @@ helpers_1.setHasAuthExpression, | ||
| if (providers.hasIAM) { | ||
| totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminUIEnabled, providers.adminUserPoolID)); | ||
| totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.adminRoles, providers.identityPoolId)); | ||
| } | ||
| if (providers.hasUserPools) { | ||
| totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.COGNITO_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression([ | ||
| ...generateStaticRoleExpression(cogntoStaticRoles), | ||
| ...generateStaticRoleExpression(cognitoStaticRoles), | ||
| ...generateAuthFilter(cognitoDynamicRoles, fields, allowedAggFields), | ||
@@ -168,0 +165,0 @@ ]))); |
@@ -21,3 +21,3 @@ "use strict"; | ||
| const generateAuthExpressionForSubscriptions = (providers, roles) => { | ||
| const { cogntoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, iamRoles, apiKeyRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const { cognitoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, iamRoles, apiKeyRoles, lambdaRoles } = utils_1.splitRoles(roles); | ||
| const totalAuthExpressions = [helpers_1.setHasAuthExpression, graphql_mapping_template_1.set(graphql_mapping_template_1.ref(utils_1.IS_AUTHORIZED_FLAG), graphql_mapping_template_1.bool(false))]; | ||
@@ -31,6 +31,6 @@ if (providers.hasApiKey) { | ||
| if (providers.hasIAM) { | ||
| totalAuthExpressions.push(helpers_1.iamExpression(iamRoles, providers.hasAdminUIEnabled, providers.adminUserPoolID)); | ||
| totalAuthExpressions.push(helpers_1.iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.adminRoles, providers.identityPoolId)); | ||
| } | ||
| if (providers.hasUserPools) | ||
| totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.COGNITO_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression([...helpers_1.generateStaticRoleExpression(cogntoStaticRoles), ...dynamicRoleExpression(cognitoDynamicRoles)]))); | ||
| totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.COGNITO_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression([...helpers_1.generateStaticRoleExpression(cognitoStaticRoles), ...dynamicRoleExpression(cognitoDynamicRoles)]))); | ||
| if (providers.hasOIDC) | ||
@@ -37,0 +37,0 @@ totalAuthExpressions.push(graphql_mapping_template_1.iff(graphql_mapping_template_1.equals(graphql_mapping_template_1.ref('util.authType()'), graphql_mapping_template_1.str(utils_1.OIDC_AUTH_TYPE)), graphql_mapping_template_1.compoundExpression([...helpers_1.generateStaticRoleExpression(oidcStaticRoles), ...dynamicRoleExpression(oidcDynamicRoles)]))); |
@@ -22,4 +22,2 @@ import { AuthProvider, ModelOperation } from './definitions'; | ||
| export declare const DENIED_FIELDS = "deniedFields"; | ||
| export declare const ADMIN_ROLE = "_Full-access/CognitoIdentityCredentials"; | ||
| export declare const MANAGE_ROLE = "_Manage-only/CognitoIdentityCredentials"; | ||
| export declare const NONE_DS = "NONE_DS"; | ||
@@ -26,0 +24,0 @@ export declare const RELATIONAL_DIRECTIVES: string[]; |
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.SEARCHABLE_AGGREGATE_TYPES = exports.RELATIONAL_DIRECTIVES = exports.NONE_DS = exports.MANAGE_ROLE = exports.ADMIN_ROLE = exports.DENIED_FIELDS = exports.NULL_ALLOWED_FIELDS = exports.ALLOWED_FIELDS = exports.IS_AUTHORIZED_FLAG = exports.API_KEY_AUTH_TYPE = exports.LAMBDA_AUTH_TYPE = exports.IAM_AUTH_TYPE = exports.OIDC_AUTH_TYPE = exports.COGNITO_AUTH_TYPE = exports.AUTH_PROVIDER_DIRECTIVE_MAP = exports.MODEL_OPERATIONS = exports.AUTH_NON_MODEL_TYPES = exports.ON_DELETE_FIELD = exports.ON_UPDATE_FIELD = exports.ON_CREATE_FIELD = exports.DEFAULT_GROUP_CLAIM = exports.DEFAULT_COGNITO_IDENTITY_CLAIM = exports.DEFAULT_IDENTITY_CLAIM = exports.DEFAULT_GROUPS_FIELD = exports.DEFAULT_OWNER_FIELD = void 0; | ||
| exports.SEARCHABLE_AGGREGATE_TYPES = exports.RELATIONAL_DIRECTIVES = exports.NONE_DS = exports.DENIED_FIELDS = exports.NULL_ALLOWED_FIELDS = exports.ALLOWED_FIELDS = exports.IS_AUTHORIZED_FLAG = exports.API_KEY_AUTH_TYPE = exports.LAMBDA_AUTH_TYPE = exports.IAM_AUTH_TYPE = exports.OIDC_AUTH_TYPE = exports.COGNITO_AUTH_TYPE = exports.AUTH_PROVIDER_DIRECTIVE_MAP = exports.MODEL_OPERATIONS = exports.AUTH_NON_MODEL_TYPES = exports.ON_DELETE_FIELD = exports.ON_UPDATE_FIELD = exports.ON_CREATE_FIELD = exports.DEFAULT_GROUP_CLAIM = exports.DEFAULT_COGNITO_IDENTITY_CLAIM = exports.DEFAULT_IDENTITY_CLAIM = exports.DEFAULT_GROUPS_FIELD = exports.DEFAULT_OWNER_FIELD = void 0; | ||
| exports.DEFAULT_OWNER_FIELD = 'owner'; | ||
@@ -30,4 +30,2 @@ exports.DEFAULT_GROUPS_FIELD = 'groups'; | ||
| exports.DENIED_FIELDS = 'deniedFields'; | ||
| exports.ADMIN_ROLE = '_Full-access/CognitoIdentityCredentials'; | ||
| exports.MANAGE_ROLE = '_Manage-only/CognitoIdentityCredentials'; | ||
| exports.NONE_DS = 'NONE_DS'; | ||
@@ -34,0 +32,0 @@ exports.RELATIONAL_DIRECTIVES = ['hasOne', 'belongsTo', 'hasMany', 'manyToMany']; |
@@ -16,4 +16,9 @@ import { AppSyncAuthConfiguration } from '@aws-amplify/graphql-transformer-interfaces'; | ||
| } | ||
| export interface AuthTransformerConfig { | ||
| authConfig?: AppSyncAuthConfiguration; | ||
| adminRoles?: Array<string>; | ||
| identityPoolId?: string; | ||
| } | ||
| export interface RolesByProvider { | ||
| cogntoStaticRoles: Array<RoleDefinition>; | ||
| cognitoStaticRoles: Array<RoleDefinition>; | ||
| cognitoDynamicRoles: Array<RoleDefinition>; | ||
@@ -57,11 +62,7 @@ oidcStaticRoles: Array<RoleDefinition>; | ||
| hasLambda: boolean; | ||
| hasAdminUIEnabled: boolean; | ||
| adminUserPoolID?: string; | ||
| hasAdminRolesEnabled: boolean; | ||
| adminRoles: Array<string>; | ||
| identityPoolId?: string; | ||
| } | ||
| export interface AuthTransformerConfig { | ||
| addAwsIamAuthInOutputSchema: boolean; | ||
| authConfig?: AppSyncAuthConfiguration; | ||
| adminUserPoolID?: string; | ||
| } | ||
| export declare const authDirectiveDefinition = "\n directive @auth(rules: [AuthRule!]!) on OBJECT | FIELD_DEFINITION\n input AuthRule {\n allow: AuthStrategy!\n provider: AuthProvider\n identityClaim: String\n groupClaim: String\n ownerField: String\n groupsField: String\n groups: [String]\n operations: [ModelOperation]\n }\n enum AuthStrategy {\n owner\n groups\n private\n public\n custom\n }\n enum AuthProvider {\n apiKey\n iam\n oidc\n userPools\n function\n }\n enum ModelOperation {\n create\n update\n delete\n read\n }\n"; | ||
| //# sourceMappingURL=definitions.d.ts.map |
@@ -21,3 +21,3 @@ "use strict"; | ||
| return { | ||
| cogntoStaticRoles: roles.filter(r => r.static && r.provider === 'userPools'), | ||
| cognitoStaticRoles: roles.filter(r => r.static && r.provider === 'userPools'), | ||
| cognitoDynamicRoles: roles.filter(r => !r.static && r.provider === 'userPools'), | ||
@@ -77,2 +77,3 @@ oidcStaticRoles: roles.filter(r => r.static && r.provider === 'oidc'), | ||
| const getConfiguredAuthProviders = (config) => { | ||
| var _a; | ||
| const providers = [ | ||
@@ -100,4 +101,5 @@ config.authConfig.defaultAuthentication.authenticationType, | ||
| onlyDefaultAuthProviderConfigured: config.authConfig.additionalAuthenticationProviders.length === 0, | ||
| hasAdminUIEnabled: hasIAM && config.addAwsIamAuthInOutputSchema, | ||
| adminUserPoolID: config.adminUserPoolID, | ||
| hasAdminRolesEnabled: hasIAM && ((_a = config.adminRoles) === null || _a === void 0 ? void 0 : _a.length) > 0, | ||
| adminRoles: config.adminRoles, | ||
| identityPoolId: config.identityPoolId, | ||
| hasApiKey: providers.some(p => p === 'API_KEY'), | ||
@@ -104,0 +106,0 @@ hasUserPools: providers.some(p => p === 'AMAZON_COGNITO_USER_POOLS'), |
| "use strict"; | ||
| var __importDefault = (this && this.__importDefault) || function (mod) { | ||
| return (mod && mod.__esModule) ? mod : { "default": mod }; | ||
| }; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
@@ -9,2 +12,3 @@ exports.getSubscriptionFieldNames = exports.getMutationFieldNames = exports.getQueryFieldNames = exports.addDirectivesToOperation = exports.addSubscriptionArguments = exports.addDirectivesToField = exports.extendTypeWithDirectives = exports.getTable = exports.hasRelationalDirective = exports.getRelationalPrimaryMap = exports.getSearchableConfig = exports.getModelConfig = exports.fieldIsList = exports.collectFieldNames = void 0; | ||
| const constants_1 = require("./constants"); | ||
| const md5_1 = __importDefault(require("md5")); | ||
| const collectFieldNames = (object) => { | ||
@@ -33,5 +37,5 @@ return object.fields.map((field) => field.name.value); | ||
| level: graphql_model_transformer_1.SubscriptionLevel.on, | ||
| onCreate: [graphql_transformer_common_1.toCamelCase(['onCreate', typeName])], | ||
| onDelete: [graphql_transformer_common_1.toCamelCase(['onDelete', typeName])], | ||
| onUpdate: [graphql_transformer_common_1.toCamelCase(['onUpdate', typeName])], | ||
| onCreate: [ensureValidSubscriptionName(graphql_transformer_common_1.toCamelCase(['onCreate', typeName]))], | ||
| onDelete: [ensureValidSubscriptionName(graphql_transformer_common_1.toCamelCase(['onDelete', typeName]))], | ||
| onUpdate: [ensureValidSubscriptionName(graphql_transformer_common_1.toCamelCase(['onUpdate', typeName]))], | ||
| }, | ||
@@ -253,2 +257,7 @@ timestamps: { | ||
| exports.getSubscriptionFieldNames = getSubscriptionFieldNames; | ||
| const ensureValidSubscriptionName = (name) => { | ||
| if (name.length <= 50) | ||
| return name; | ||
| return name.slice(0, 45) + md5_1.default(name).slice(0, 5); | ||
| }; | ||
| //# sourceMappingURL=schema.js.map |
@@ -25,3 +25,3 @@ "use strict"; | ||
| if (rule.allow === 'private') { | ||
| if (rule.provider !== null && rule.provider !== 'userPools' && rule.provider !== 'iam') { | ||
| if (rule.provider !== null && rule.provider !== 'userPools' && rule.provider !== 'iam' && rule.provider !== 'oidc') { | ||
| throw new graphql_transformer_core_1.InvalidDirectiveError(`@auth directive with 'private' strategy only supports 'userPools' (default) and 'iam' providers, but \ | ||
@@ -28,0 +28,0 @@ found '${rule.provider}' assigned.`); |
| { | ||
| "name": "@aws-amplify/graphql-auth-transformer", | ||
| "version": "0.2.1-beta.0", | ||
| "version": "0.3.0-beta.0", | ||
| "description": "Amplify GraphQL @auth Transformer", | ||
@@ -30,5 +30,5 @@ "repository": { | ||
| "dependencies": { | ||
| "@aws-amplify/graphql-model-transformer": "0.8.0-beta.0", | ||
| "@aws-amplify/graphql-transformer-core": "0.10.1-beta.0", | ||
| "@aws-amplify/graphql-transformer-interfaces": "1.11.1-beta.0", | ||
| "@aws-amplify/graphql-model-transformer": "0.8.0-beta.1", | ||
| "@aws-amplify/graphql-transformer-core": "0.11.0-beta.0", | ||
| "@aws-amplify/graphql-transformer-interfaces": "1.11.1-beta.1", | ||
| "@aws-cdk/aws-appsync": "~1.124.0", | ||
@@ -45,4 +45,4 @@ "@aws-cdk/aws-dynamodb": "~1.124.0", | ||
| "devDependencies": { | ||
| "@aws-amplify/graphql-index-transformer": "0.6.0-beta.0", | ||
| "@aws-amplify/graphql-searchable-transformer": "0.8.0-beta.0", | ||
| "@aws-amplify/graphql-index-transformer": "0.6.0-beta.1", | ||
| "@aws-amplify/graphql-searchable-transformer": "0.8.0-beta.1", | ||
| "@aws-cdk/assert": "~1.124.0", | ||
@@ -68,3 +68,3 @@ "@types/fs-extra": "^8.0.1", | ||
| }, | ||
| "gitHead": "27ff7fde85e2d0214c421b8173f351dd66a74f00" | ||
| "gitHead": "a035b6d07ee15dff6dc4ea641ccd59a2eb0caf0d" | ||
| } |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by0.85%
366706
- Lines of code
- increased by0.85%
2962
Dependency changes
+ Added@aws-amplify/graphql-model-transformer@0.8.0-beta.1(transitive)
+ Added@aws-amplify/graphql-transformer-core@0.11.0-beta.0(transitive)
+ Added@aws-amplify/graphql-transformer-interfaces@1.11.1-beta.1(transitive)
- Removed@aws-amplify/graphql-model-transformer@0.8.0-beta.0(transitive)
- Removed@aws-amplify/graphql-transformer-core@0.10.1-beta.0(transitive)
- Removed@aws-amplify/graphql-transformer-interfaces@1.11.1-beta.0(transitive)
Updated@aws-amplify/graphql-transformer-interfaces@1.11.1-beta.1