Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
@aws-amplify/graphql-auth-transformer
Advanced tools
@aws-amplify/graphql-auth-transformer - npm Package Compare versions
Comparing version 0.7.8 to 0.7.9-beta.0
@@ -6,2 +6,13 @@ # Change Log | ||
| ## [0.7.9-beta.0](https://github.com/aws-amplify/amplify-cli/compare/@aws-amplify/graphql-auth-transformer@0.7.8...@aws-amplify/graphql-auth-transformer@0.7.9-beta.0) (2022-03-16) | ||
| ### Bug Fixes | ||
| * **amplify-category-auth:** expand [@auth](https://github.com/auth) directive to explicit set of allowed operations ([#9859](https://github.com/aws-amplify/amplify-cli/issues/9859)) ([e44ed18](https://github.com/aws-amplify/amplify-cli/commit/e44ed189b2c94230cbd5674606ffa488cb6c7bfe)) | ||
| ## [0.7.8](https://github.com/aws-amplify/amplify-cli/compare/@aws-amplify/graphql-auth-transformer@0.7.7...@aws-amplify/graphql-auth-transformer@0.7.8) (2022-03-07) | ||
@@ -8,0 +19,0 @@ |
@@ -0,4 +1,5 @@ | ||
| import { ModelOperation } from '../utils'; | ||
| declare type ACMConfig = { | ||
| resources: string[]; | ||
| operations: string[]; | ||
| operations: ModelOperation[]; | ||
| name: string; | ||
@@ -8,3 +9,3 @@ }; | ||
| role: string; | ||
| operations: Array<string>; | ||
| operations: Array<ModelOperation>; | ||
| resource?: string; | ||
@@ -26,5 +27,5 @@ allowRoleOverwrite?: boolean; | ||
| hasResource(resource: string): boolean; | ||
| isAllowed(role: string, resource: string, operation: string): boolean; | ||
| isAllowed(role: string, resource: string, operation: ModelOperation): boolean; | ||
| resetAccessForResource(resource: string): void; | ||
| getRolesPerOperation(operation: string, fullAccess?: boolean): Array<string>; | ||
| getRolesPerOperation(operation: ModelOperation, fullAccess?: boolean): Array<string>; | ||
| getAcmPerRole(): Map<string, Object>; | ||
@@ -31,0 +32,0 @@ private validate; |
@@ -102,3 +102,3 @@ "use strict"; | ||
| if (input.resource && !this.resources.includes(input.resource)) { | ||
| throw new graphql_transformer_core_1.TransformerContractError(`Resource: ${input.resource} is not configued in the ACM`); | ||
| throw new graphql_transformer_core_1.TransformerContractError(`Resource: ${input.resource} is not configured in the ACM`); | ||
| } | ||
@@ -105,0 +105,0 @@ if (input.role && !this.roles.includes(input.role)) { |
@@ -49,3 +49,9 @@ import { TransformerAuthBase } from '@aws-amplify/graphql-transformer-core'; | ||
| private addFieldToResourceReferences; | ||
| addAutoGeneratedFields: (ctx: TransformerContextProvider, def: ObjectTypeDefinitionNode, allowedFields: string[], fields: readonly string[]) => string[]; | ||
| addAutoGeneratedRelationalFields: (ctx: TransformerContextProvider, def: ObjectTypeDefinitionNode, allowedFields: Set<string>, fields: readonly string[]) => void; | ||
| addAutoGeneratedIndexFields: (def: ObjectTypeDefinitionNode, allowedFields: Set<string>) => void; | ||
| addAutoGeneratedHasManyFields: (typeDefs: ObjectTypeDefinitionNode[], def: ObjectTypeDefinitionNode, allowedFields: Set<string>) => void; | ||
| private addAutoGeneratedHasOneFields; | ||
| addAutoGeneratedDataStoreFields: (ctx: TransformerContextProvider, allowedFields: Set<string>) => void; | ||
| } | ||
| //# sourceMappingURL=graphql-auth-transformer.d.ts.map |
@@ -35,2 +35,3 @@ "use strict"; | ||
| const field_1 = require("./resolvers/field"); | ||
| const graphql_relational_transformer_1 = require("@aws-amplify/graphql-relational-transformer"); | ||
| class AuthTransformer extends graphql_transformer_core_1.TransformerAuthBase { | ||
@@ -57,5 +58,3 @@ constructor(config = {}) { | ||
| } | ||
| const authDir = new graphql_transformer_core_1.DirectiveWrapper(directive); | ||
| const rules = authDir.getArguments({ rules: [] }).rules; | ||
| (0, utils_1.ensureAuthRuleDefaults)(rules); | ||
| const rules = (0, utils_1.getAuthDirectiveRules)(new graphql_transformer_core_1.DirectiveWrapper(directive)); | ||
| (0, utils_1.validateRules)(rules, this.configuredAuthProviders, def.name.value); | ||
@@ -90,6 +89,5 @@ const acm = new accesscontrol_1.AccessControlMatrix({ | ||
| const fieldName = field.name.value; | ||
| const authDir = new graphql_transformer_core_1.DirectiveWrapper(directive); | ||
| const rules = authDir.getArguments({ rules: [] }).rules; | ||
| (0, utils_1.ensureAuthRuleDefaults)(rules); | ||
| (0, utils_1.validateFieldRules)(rules, isParentTypeBuiltinType, modelDirective !== undefined, this.configuredAuthProviders, field.name.value); | ||
| const rules = (0, utils_1.getAuthDirectiveRules)(new graphql_transformer_core_1.DirectiveWrapper(directive)); | ||
| (0, utils_1.validateFieldRules)(new graphql_transformer_core_1.DirectiveWrapper(directive), isParentTypeBuiltinType, modelDirective !== undefined, field.name.value); | ||
| (0, utils_1.validateRules)(rules, this.configuredAuthProviders, field.name.value); | ||
| this.setAuthPolicyFlag(rules); | ||
@@ -429,6 +427,6 @@ this.setUnauthPolicyFlag(rules); | ||
| const createRoles = acm.getRolesPerOperation('create').map(role => { | ||
| const dataStoreFields = ctx.isProjectUsingDataStore() ? ['_version', '_deleted', '_lastChangedAt'] : []; | ||
| const roleDefinition = this.roleMap.get(role); | ||
| const allowedFields = fields.filter(resource => acm.isAllowed(role, resource, 'create')); | ||
| const roleDefinition = this.roleMap.get(role); | ||
| roleDefinition.allowedFields = allowedFields.length === fields.length ? [] : [...allowedFields, ...dataStoreFields]; | ||
| roleDefinition.areAllFieldsAllowed = allowedFields.length === fields.length; | ||
| roleDefinition.allowedFields = this.addAutoGeneratedFields(ctx, def, allowedFields, fields); | ||
| return roleDefinition; | ||
@@ -445,10 +443,9 @@ }); | ||
| const totalRoles = updateDeleteRoles.map(role => { | ||
| const dataStoreFields = ctx.isProjectUsingDataStore() ? ['_version', '_deleted', '_lastChangedAt'] : []; | ||
| const allowedFields = fields.filter(resource => acm.isAllowed(role, resource, 'update')); | ||
| const nullAllowedFields = fields.filter(resource => acm.isAllowed(role, resource, 'delete')); | ||
| const roleDefinition = this.roleMap.get(role); | ||
| roleDefinition.allowedFields = allowedFields.length === fields.length ? [] : [...allowedFields, ...dataStoreFields]; | ||
| roleDefinition.nullAllowedFields = nullAllowedFields.length === fields.length ? [] : nullAllowedFields; | ||
| roleDefinition.areAllFieldsAllowed = allowedFields.length === fields.length; | ||
| roleDefinition.areAllFieldsNullAllowed = nullAllowedFields.length === fields.length; | ||
| roleDefinition.allowedFields = this.addAutoGeneratedFields(ctx, def, allowedFields, fields); | ||
| roleDefinition.nullAllowedFields = nullAllowedFields; | ||
| return roleDefinition; | ||
@@ -467,3 +464,3 @@ }); | ||
| const requestExpression = (0, resolvers_1.generateAuthRequestExpression)(); | ||
| const authExpression = (0, resolvers_1.geneateAuthExpressionForDelete)(this.configuredAuthProviders, deleteRoles, (_a = def.fields) !== null && _a !== void 0 ? _a : []); | ||
| const authExpression = (0, resolvers_1.generateAuthExpressionForDelete)(this.configuredAuthProviders, deleteRoles, (_a = def.fields) !== null && _a !== void 0 ? _a : []); | ||
| resolver.addToSlot('auth', graphql_transformer_core_1.MappingTemplate.s3MappingTemplateFromString(requestExpression, `${typeName}.${fieldName}.{slotName}.{slotIndex}.req.vtl`), graphql_transformer_core_1.MappingTemplate.s3MappingTemplateFromString(authExpression, `${typeName}.${fieldName}.{slotName}.{slotIndex}.res.vtl`), datasource); | ||
@@ -476,2 +473,42 @@ }; | ||
| }; | ||
| this.addAutoGeneratedFields = (ctx, def, allowedFields, fields) => { | ||
| const allowedFieldsSet = new Set(allowedFields); | ||
| this.addAutoGeneratedRelationalFields(ctx, def, allowedFieldsSet, fields); | ||
| this.addAutoGeneratedIndexFields(def, allowedFieldsSet); | ||
| this.addAutoGeneratedDataStoreFields(ctx, allowedFieldsSet); | ||
| return Array.from(allowedFieldsSet); | ||
| }; | ||
| this.addAutoGeneratedRelationalFields = (ctx, def, allowedFields, fields) => { | ||
| const typeDefs = ctx.inputDocument.definitions.filter(it => it.kind === 'ObjectTypeDefinition'); | ||
| this.addAutoGeneratedHasManyFields(typeDefs, def, allowedFields); | ||
| this.addAutoGeneratedHasOneFields(typeDefs, fields, def, allowedFields); | ||
| }; | ||
| this.addAutoGeneratedIndexFields = (def, allowedFields) => { | ||
| var _a; | ||
| const sortKeyFieldValues = (_a = def.fields) === null || _a === void 0 ? void 0 : _a.map(it => it.directives).flat().filter(it => it.name.value === 'primaryKey' || it.name.value === 'index').map(it => it.arguments).flat().filter(it => it.name.value === 'sortKeyFields' && it.value.kind === 'ListValue' && it.value.values.length > 1).map(it => it.value).flat(); | ||
| for (const sortKeyFieldValue of sortKeyFieldValues) { | ||
| const accessOnAllKeys = !sortKeyFieldValue.values.some(it => it.kind !== 'StringValue' || !allowedFields.has(it.value)); | ||
| if (accessOnAllKeys) { | ||
| const keyName = sortKeyFieldValue.values | ||
| .map(it => it.value) | ||
| .join(graphql_transformer_common_1.ModelResourceIDs.ModelCompositeKeySeparator()); | ||
| allowedFields.add(keyName); | ||
| } | ||
| } | ||
| }; | ||
| this.addAutoGeneratedHasManyFields = (typeDefs, def, allowedFields) => { | ||
| const hasManyRelatedFields = typeDefs | ||
| .map(it => it.fields.map(field => { | ||
| return { ...field, relatedType: it.name.value }; | ||
| })) | ||
| .flat() | ||
| .filter(it => { var _a; return (0, graphql_transformer_common_1.getBaseType)(it.type) === def.name.value && ((_a = it.directives) === null || _a === void 0 ? void 0 : _a.some(d => d.name.value === 'hasMany')); }); | ||
| for (const relatedField of hasManyRelatedFields) { | ||
| allowedFields.add((0, graphql_relational_transformer_1.getConnectionAttributeName)(relatedField.relatedType, relatedField.name.value)); | ||
| } | ||
| }; | ||
| this.addAutoGeneratedDataStoreFields = (ctx, allowedFields) => { | ||
| const dataStoreFields = ctx.isProjectUsingDataStore() ? ['_version', '_deleted', '_lastChangedAt'] : []; | ||
| dataStoreFields.forEach(item => allowedFields.add(item)); | ||
| }; | ||
| this.config = config; | ||
@@ -486,5 +523,5 @@ this.modelDirectiveConfig = new Map(); | ||
| } | ||
| convertRulesToRoles(acm, authRules, allowRoleOverwrite, field, overideOperations) { | ||
| convertRulesToRoles(acm, authRules, allowRoleOverwrite, field, overrideOperations) { | ||
| for (let rule of authRules) { | ||
| let operations = overideOperations ? overideOperations : rule.operations || utils_1.MODEL_OPERATIONS; | ||
| let operations = overrideOperations ? overrideOperations : rule.operations || utils_1.MODEL_OPERATIONS; | ||
| if (rule.groups && !rule.groupsField) { | ||
@@ -768,4 +805,26 @@ rule.groups.forEach(group => { | ||
| } | ||
| addAutoGeneratedHasOneFields(typeDefs, fields, def, allowedFields) { | ||
| var _a; | ||
| for (const field of fields) { | ||
| const modelField = def.fields.find(it => it.name.value === field); | ||
| const directives = (_a = modelField.directives) === null || _a === void 0 ? void 0 : _a.filter(dir => { var _a; return !((_a = dir.arguments) === null || _a === void 0 ? void 0 : _a.some(it => it.name.value === 'fields')) && (dir.name.value === 'hasOne' || dir.name.value === 'belongsTo'); }); | ||
| for (const dir of directives) { | ||
| if (dir.name.value === 'hasOne') { | ||
| allowedFields.add((0, graphql_relational_transformer_1.getConnectionAttributeName)(def.name.value, field)); | ||
| } | ||
| else if (dir.name.value === 'belongsTo') { | ||
| const relatedType = typeDefs.find(it => { | ||
| var _a; | ||
| return it.name.value === (0, graphql_transformer_common_1.getBaseType)(modelField.type) && | ||
| ((_a = it.fields) === null || _a === void 0 ? void 0 : _a.some(f => { var _a; return (0, graphql_transformer_common_1.getBaseType)(f.type) === def.name.value && ((_a = f.directives) === null || _a === void 0 ? void 0 : _a.some(d => d.name.value === 'hasOne')); })); | ||
| }); | ||
| if (relatedType) { | ||
| allowedFields.add((0, graphql_relational_transformer_1.getConnectionAttributeName)(def.name.value, field)); | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
| exports.AuthTransformer = AuthTransformer; | ||
| //# sourceMappingURL=graphql-auth-transformer.js.map |
@@ -5,2 +5,3 @@ export * from './graphql-auth-transformer'; | ||
| export { AccessControlMatrix } from './accesscontrol'; | ||
| export { getAuthDirectiveRules } from './utils'; | ||
| //# sourceMappingURL=index.d.ts.map |
@@ -13,3 +13,3 @@ "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.AccessControlMatrix = void 0; | ||
| exports.getAuthDirectiveRules = exports.AccessControlMatrix = void 0; | ||
| __exportStar(require("./graphql-auth-transformer"), exports); | ||
@@ -20,2 +20,4 @@ __exportStar(require("./utils/constants"), exports); | ||
| Object.defineProperty(exports, "AccessControlMatrix", { enumerable: true, get: function () { return accesscontrol_1.AccessControlMatrix; } }); | ||
| var utils_1 = require("./utils"); | ||
| Object.defineProperty(exports, "getAuthDirectiveRules", { enumerable: true, get: function () { return utils_1.getAuthDirectiveRules; } }); | ||
| //# sourceMappingURL=index.js.map |
@@ -6,3 +6,2 @@ import { Expression } from 'graphql-mapping-template'; | ||
| export declare const getIdentityClaimExp: (value: Expression, defaultValueExp: Expression) => Expression; | ||
| export declare const addAllowedFieldsIfElse: (fieldKey: string, breakLoop?: boolean) => Expression; | ||
| export declare const iamCheck: (claim: string, exp: Expression, identityPoolId?: string) => import("graphql-mapping-template").IfNode; | ||
@@ -9,0 +8,0 @@ export declare const getOwnerClaim: (ownerClaim: string) => Expression; |
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.emptyPayload = exports.generateAuthRequestExpression = exports.iamAdminRoleCheckExpression = exports.iamExpression = exports.lambdaExpression = exports.apiKeyExpression = exports.generateStaticRoleExpression = exports.responseCheckForErrors = exports.getOwnerClaim = exports.iamCheck = exports.addAllowedFieldsIfElse = exports.getIdentityClaimExp = exports.getInputFields = exports.setHasAuthExpression = void 0; | ||
| exports.emptyPayload = exports.generateAuthRequestExpression = exports.iamAdminRoleCheckExpression = exports.iamExpression = exports.lambdaExpression = exports.apiKeyExpression = exports.generateStaticRoleExpression = exports.responseCheckForErrors = exports.getOwnerClaim = exports.iamCheck = exports.getIdentityClaimExp = exports.getInputFields = exports.setHasAuthExpression = void 0; | ||
| const graphql_mapping_template_1 = require("graphql-mapping-template"); | ||
@@ -16,6 +16,2 @@ const graphql_transformer_common_1 = require("graphql-transformer-common"); | ||
| exports.getIdentityClaimExp = getIdentityClaimExp; | ||
| const addAllowedFieldsIfElse = (fieldKey, breakLoop = false) => { | ||
| return (0, graphql_mapping_template_1.ifElse)((0, graphql_mapping_template_1.not)((0, graphql_mapping_template_1.ref)(`${fieldKey}.isEmpty()`)), (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.ref)(fieldKey))), (0, graphql_mapping_template_1.compoundExpression)([(0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true)), ...(breakLoop ? [(0, graphql_mapping_template_1.raw)('#break')] : [])])); | ||
| }; | ||
| exports.addAllowedFieldsIfElse = addAllowedFieldsIfElse; | ||
| const iamCheck = (claim, exp, identityPoolId) => { | ||
@@ -22,0 +18,0 @@ let iamExp = (0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('ctx.identity.userArn'), (0, graphql_mapping_template_1.ref)(`ctx.stash.${claim}`)); |
@@ -5,3 +5,3 @@ export { generateAuthExpressionForQueries, generateAuthExpressionForRelationQuery } from './query'; | ||
| export { generateAuthExpressionForUpdate } from './mutation.update'; | ||
| export { geneateAuthExpressionForDelete } from './mutation.delete'; | ||
| export { generateAuthExpressionForDelete } from './mutation.delete'; | ||
| export { generateAuthExpressionForField, generateFieldAuthResponse, setDeniedFieldFlag } from './field'; | ||
@@ -8,0 +8,0 @@ export { generateAuthExpressionForSubscriptions } from './subscriptions'; |
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.generateAuthRequestExpression = exports.generateAuthExpressionForSubscriptions = exports.setDeniedFieldFlag = exports.generateFieldAuthResponse = exports.generateAuthExpressionForField = exports.geneateAuthExpressionForDelete = exports.generateAuthExpressionForUpdate = exports.generateAuthExpressionForCreate = exports.generateAuthExpressionForSearchQueries = exports.generateAuthExpressionForRelationQuery = exports.generateAuthExpressionForQueries = void 0; | ||
| exports.generateAuthRequestExpression = exports.generateAuthExpressionForSubscriptions = exports.setDeniedFieldFlag = exports.generateFieldAuthResponse = exports.generateAuthExpressionForField = exports.generateAuthExpressionForDelete = exports.generateAuthExpressionForUpdate = exports.generateAuthExpressionForCreate = exports.generateAuthExpressionForSearchQueries = exports.generateAuthExpressionForRelationQuery = exports.generateAuthExpressionForQueries = void 0; | ||
| var query_1 = require("./query"); | ||
@@ -14,3 +14,3 @@ Object.defineProperty(exports, "generateAuthExpressionForQueries", { enumerable: true, get: function () { return query_1.generateAuthExpressionForQueries; } }); | ||
| var mutation_delete_1 = require("./mutation.delete"); | ||
| Object.defineProperty(exports, "geneateAuthExpressionForDelete", { enumerable: true, get: function () { return mutation_delete_1.geneateAuthExpressionForDelete; } }); | ||
| Object.defineProperty(exports, "generateAuthExpressionForDelete", { enumerable: true, get: function () { return mutation_delete_1.generateAuthExpressionForDelete; } }); | ||
| var field_1 = require("./field"); | ||
@@ -17,0 +17,0 @@ Object.defineProperty(exports, "generateAuthExpressionForField", { enumerable: true, get: function () { return field_1.generateAuthExpressionForField; } }); |
@@ -12,7 +12,7 @@ "use strict"; | ||
| } | ||
| if (roles[0].allowedFields.length > 0) { | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(roles[0].allowedFields)))); | ||
| if (roles[0].areAllFieldsAllowed) { | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true))); | ||
| } | ||
| else { | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true))); | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(roles[0].allowedFields)))); | ||
| } | ||
@@ -28,7 +28,7 @@ return (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.API_KEY_AUTH_TYPE)), (0, graphql_mapping_template_1.compoundExpression)(expression)); | ||
| for (let role of roles) { | ||
| if (role.allowedFields.length > 0) { | ||
| expression.push((0, helpers_1.iamCheck)(role.claim, (0, graphql_mapping_template_1.compoundExpression)([(0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(role.allowedFields)))]))); | ||
| if (role.areAllFieldsAllowed) { | ||
| expression.push((0, helpers_1.iamCheck)(role.claim, (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true)), identityPoolId)); | ||
| } | ||
| else { | ||
| expression.push((0, helpers_1.iamCheck)(role.claim, (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true)), identityPoolId)); | ||
| expression.push((0, helpers_1.iamCheck)(role.claim, (0, graphql_mapping_template_1.compoundExpression)([(0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(role.allowedFields)))]))); | ||
| } | ||
@@ -47,7 +47,7 @@ } | ||
| } | ||
| if (roles[0].allowedFields.length > 0) { | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(roles[0].allowedFields)))); | ||
| if (roles[0].areAllFieldsAllowed) { | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true))); | ||
| } | ||
| else { | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true))); | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(roles[0].allowedFields)))); | ||
| } | ||
@@ -61,7 +61,7 @@ return (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.LAMBDA_AUTH_TYPE)), (0, graphql_mapping_template_1.compoundExpression)(expression)); | ||
| const privateRole = roles[privateRoleIdx]; | ||
| if (privateRole.allowedFields.length > 0) { | ||
| staticRoleExpression.push((0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.raw)(JSON.stringify(privateRole.allowedFields))))); | ||
| if (privateRole.areAllFieldsAllowed) { | ||
| staticRoleExpression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true))); | ||
| } | ||
| else { | ||
| staticRoleExpression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true))); | ||
| staticRoleExpression.push((0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.raw)(JSON.stringify(privateRole.allowedFields))))); | ||
| } | ||
@@ -72,6 +72,14 @@ roles.splice(privateRoleIdx, 1); | ||
| staticRoleExpression.push((0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.not)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG)), (0, graphql_mapping_template_1.compoundExpression)([ | ||
| (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)('staticGroupRoles'), (0, graphql_mapping_template_1.raw)(JSON.stringify(roles.map(r => { var _a; return ({ claim: r.claim, entity: r.entity, allowedFields: (_a = r.allowedFields) !== null && _a !== void 0 ? _a : [] }); })))), | ||
| (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)('staticGroupRoles'), (0, graphql_mapping_template_1.raw)(JSON.stringify(roles.map(r => { | ||
| var _a; | ||
| return ({ | ||
| claim: r.claim, | ||
| entity: r.entity, | ||
| allowedFields: (_a = r.allowedFields) !== null && _a !== void 0 ? _a : [], | ||
| isAuthorizedOnAllFields: r.areAllFieldsAllowed, | ||
| }); | ||
| })))), | ||
| (0, graphql_mapping_template_1.forEach)((0, graphql_mapping_template_1.ref)('groupRole'), (0, graphql_mapping_template_1.ref)('staticGroupRoles'), [ | ||
| (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)('groupsInToken'), (0, helpers_1.getIdentityClaimExp)((0, graphql_mapping_template_1.ref)('groupRole.claim'), (0, graphql_mapping_template_1.list)([]))), | ||
| (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('groupsInToken.contains'), (0, graphql_mapping_template_1.ref)('groupRole.entity')), (0, helpers_1.addAllowedFieldsIfElse)('groupRole.allowedFields', true)), | ||
| (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('groupsInToken.contains'), (0, graphql_mapping_template_1.ref)('groupRole.entity')), addAllowedFieldsIfElse('groupRole.allowedFields', 'groupRole.isAuthorizedOnAllFields', true)), | ||
| ]), | ||
@@ -92,12 +100,15 @@ ]))); | ||
| (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`ownerAllowedFields${idx}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(role.allowedFields))), | ||
| (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`isAuthorizedOnAllFields${idx}`), (0, graphql_mapping_template_1.bool)(role.areAllFieldsAllowed)), | ||
| ...(entityIsList | ||
| ? [ | ||
| (0, graphql_mapping_template_1.forEach)((0, graphql_mapping_template_1.ref)('allowedOwner'), (0, graphql_mapping_template_1.ref)(`ownerEntity${idx}`), [ | ||
| (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('allowedOwner'), (0, graphql_mapping_template_1.ref)(`ownerClaim${idx}`)), (0, helpers_1.addAllowedFieldsIfElse)(`ownerAllowedFields${idx}`, true)), | ||
| (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('allowedOwner'), (0, graphql_mapping_template_1.ref)(`ownerClaim${idx}`)), addAllowedFieldsIfElse(`ownerAllowedFields${idx}`, `isAuthorizedOnAllFields${idx}`, true)), | ||
| ]), | ||
| ] | ||
| : [(0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)(`ownerClaim${idx}`), (0, graphql_mapping_template_1.ref)(`ownerEntity${idx}`)), (0, helpers_1.addAllowedFieldsIfElse)(`ownerAllowedFields${idx}`))]), | ||
| : [ | ||
| (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)(`ownerClaim${idx}`), (0, graphql_mapping_template_1.ref)(`ownerEntity${idx}`)), addAllowedFieldsIfElse(`ownerAllowedFields${idx}`, `isAuthorizedOnAllFields${idx}`)), | ||
| ]), | ||
| (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.and)([(0, graphql_mapping_template_1.ref)(`util.isNull($ownerEntity${idx})`), (0, graphql_mapping_template_1.not)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('ctx.args.input.containsKey'), (0, graphql_mapping_template_1.str)(role.entity)))]), (0, graphql_mapping_template_1.compoundExpression)([ | ||
| (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('ctx.args.input.put'), (0, graphql_mapping_template_1.str)(role.entity), entityIsList ? (0, graphql_mapping_template_1.list)([(0, graphql_mapping_template_1.ref)(`ownerClaim${idx}`)]) : (0, graphql_mapping_template_1.ref)(`ownerClaim${idx}`))), | ||
| (0, helpers_1.addAllowedFieldsIfElse)(`ownerAllowedFields${idx}`), | ||
| addAllowedFieldsIfElse(`ownerAllowedFields${idx}`, `isAuthorizedOnAllFields${idx}`), | ||
| ])), | ||
@@ -112,6 +123,7 @@ ]))); | ||
| (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`groupAllowedFields${idx}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(role.allowedFields))), | ||
| (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`isAuthorizedOnAllFields${idx}`), (0, graphql_mapping_template_1.bool)(role.areAllFieldsAllowed)), | ||
| (0, graphql_mapping_template_1.forEach)((0, graphql_mapping_template_1.ref)('userGroup'), (0, graphql_mapping_template_1.ref)(`groupClaim${idx}`), [ | ||
| (0, graphql_mapping_template_1.iff)(entityIsList | ||
| ? (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`groupEntity${idx}.contains`), (0, graphql_mapping_template_1.ref)('userGroup')) | ||
| : (0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)(`groupEntity${idx}`), (0, graphql_mapping_template_1.ref)('userGroup')), (0, helpers_1.addAllowedFieldsIfElse)(`groupAllowedFields${idx}`, true)), | ||
| : (0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)(`groupEntity${idx}`), (0, graphql_mapping_template_1.ref)('userGroup')), addAllowedFieldsIfElse(`groupAllowedFields${idx}`, `isAuthorizedOnAllFields${idx}`, true)), | ||
| ]), | ||
@@ -153,2 +165,5 @@ ]))); | ||
| exports.generateAuthExpressionForCreate = generateAuthExpressionForCreate; | ||
| const addAllowedFieldsIfElse = (allowedFieldsKey, condition, breakLoop = false) => { | ||
| return (0, graphql_mapping_template_1.ifElse)((0, graphql_mapping_template_1.ref)(condition), (0, graphql_mapping_template_1.compoundExpression)([(0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true)), ...(breakLoop ? [(0, graphql_mapping_template_1.raw)('#break')] : [])]), (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.ref)(allowedFieldsKey)))); | ||
| }; | ||
| //# sourceMappingURL=mutation.create.js.map |
| import { FieldDefinitionNode } from 'graphql'; | ||
| import { ConfiguredAuthProviders, RoleDefinition } from '../utils'; | ||
| export declare const geneateAuthExpressionForDelete: (providers: ConfiguredAuthProviders, roles: Array<RoleDefinition>, fields: ReadonlyArray<FieldDefinitionNode>) => string; | ||
| export declare const generateAuthExpressionForDelete: (providers: ConfiguredAuthProviders, roles: Array<RoleDefinition>, fields: ReadonlyArray<FieldDefinitionNode>) => string; | ||
| //# sourceMappingURL=mutation.delete.d.ts.map |
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.geneateAuthExpressionForDelete = void 0; | ||
| exports.generateAuthExpressionForDelete = void 0; | ||
| const graphql_mapping_template_1 = require("graphql-mapping-template"); | ||
@@ -93,3 +93,3 @@ const helpers_1 = require("./helpers"); | ||
| }; | ||
| const geneateAuthExpressionForDelete = (providers, roles, fields) => { | ||
| const generateAuthExpressionForDelete = (providers, roles, fields) => { | ||
| const { cognitoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, apiKeyRoles, iamRoles, lambdaRoles } = (0, utils_1.splitRoles)(roles); | ||
@@ -118,3 +118,3 @@ const totalAuthExpressions = [helpers_1.setHasAuthExpression, (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(false))]; | ||
| }; | ||
| exports.geneateAuthExpressionForDelete = geneateAuthExpressionForDelete; | ||
| exports.generateAuthExpressionForDelete = generateAuthExpressionForDelete; | ||
| //# sourceMappingURL=mutation.delete.js.map |
@@ -12,7 +12,7 @@ "use strict"; | ||
| } | ||
| if (roles[0].allowedFields.length > 0 || roles[0].nullAllowedFields.length > 0) { | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(roles[0].allowedFields))), (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.NULL_ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(roles[0].nullAllowedFields)))); | ||
| if (roles[0].areAllFieldsAllowed && roles[0].areAllFieldsNullAllowed) { | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true))); | ||
| } | ||
| else { | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true))); | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(roles[0].allowedFields))), (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.NULL_ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(roles[0].nullAllowedFields)))); | ||
| } | ||
@@ -26,7 +26,7 @@ return (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.API_KEY_AUTH_TYPE)), (0, graphql_mapping_template_1.compoundExpression)(expression)); | ||
| } | ||
| if (roles[0].allowedFields.length > 0 || roles[0].nullAllowedFields.length > 0) { | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(roles[0].allowedFields))), (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.NULL_ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(roles[0].nullAllowedFields)))); | ||
| if (roles[0].areAllFieldsAllowed && roles[0].areAllFieldsNullAllowed) { | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true))); | ||
| } | ||
| else { | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true))); | ||
| expression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(roles[0].allowedFields))), (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.NULL_ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(roles[0].nullAllowedFields)))); | ||
| } | ||
@@ -42,3 +42,6 @@ return (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.LAMBDA_AUTH_TYPE)), (0, graphql_mapping_template_1.compoundExpression)(expression)); | ||
| for (let role of roles) { | ||
| if (role.allowedFields.length > 0 || role.nullAllowedFields.length > 0) { | ||
| if (role.areAllFieldsAllowed && role.areAllFieldsNullAllowed) { | ||
| expression.push((0, helpers_1.iamCheck)(role.claim, (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true)), identityPoolId)); | ||
| } | ||
| else { | ||
| expression.push((0, helpers_1.iamCheck)(role.claim, (0, graphql_mapping_template_1.compoundExpression)([ | ||
@@ -49,5 +52,2 @@ (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(role.allowedFields))), | ||
| } | ||
| else { | ||
| expression.push((0, helpers_1.iamCheck)(role.claim, (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true)), identityPoolId)); | ||
| } | ||
| } | ||
@@ -65,7 +65,7 @@ } | ||
| const privateRole = roles[privateRoleIdx]; | ||
| if (privateRole.allowedFields.length > 0 || privateRole.nullAllowedFields.length > 0) { | ||
| staticRoleExpression.push((0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.raw)(JSON.stringify(privateRole.allowedFields)))), (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.NULL_ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.raw)(JSON.stringify(privateRole.nullAllowedFields))))); | ||
| if (privateRole.areAllFieldsAllowed && privateRole.areAllFieldsNullAllowed) { | ||
| staticRoleExpression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true))); | ||
| } | ||
| else { | ||
| staticRoleExpression.push((0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true))); | ||
| staticRoleExpression.push((0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.raw)(JSON.stringify(privateRole.allowedFields)))), (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.NULL_ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.raw)(JSON.stringify(privateRole.nullAllowedFields))))); | ||
| } | ||
@@ -81,13 +81,7 @@ roles.splice(privateRoleIdx, 1); | ||
| nullAllowedFields: r.nullAllowedFields, | ||
| areAllFieldsAllowed: r.areAllFieldsAllowed, | ||
| areAllFieldsNullAllowed: r.areAllFieldsNullAllowed, | ||
| isAuthorizedOnAllFields: r.areAllFieldsAllowed && r.areAllFieldsNullAllowed, | ||
| }))))), | ||
| (0, graphql_mapping_template_1.forEach)((0, graphql_mapping_template_1.ref)('groupRole'), (0, graphql_mapping_template_1.ref)('staticGroupRoles'), [ | ||
| (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)('groupsInToken'), (0, helpers_1.getIdentityClaimExp)((0, graphql_mapping_template_1.ref)('groupRole.claim'), (0, graphql_mapping_template_1.list)([]))), | ||
| (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('groupsInToken.contains'), (0, graphql_mapping_template_1.ref)('groupRole.entity')), (0, graphql_mapping_template_1.compoundExpression)([ | ||
| (0, graphql_mapping_template_1.ifElse)((0, graphql_mapping_template_1.and)([(0, graphql_mapping_template_1.ref)(`groupRole.areAllFieldsAllowed`), (0, graphql_mapping_template_1.ref)('groupRole.areAllFieldsNullAllowed')]), (0, graphql_mapping_template_1.compoundExpression)([(0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true)), (0, graphql_mapping_template_1.raw)('#break')]), (0, graphql_mapping_template_1.compoundExpression)([ | ||
| (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.ref)('groupRole.allowedFields'))), | ||
| (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.NULL_ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.ref)('groupRole.nullAllowedFields'))), | ||
| ])), | ||
| ])), | ||
| (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('groupsInToken.contains'), (0, graphql_mapping_template_1.ref)('groupRole.entity')), addAllowedFieldsIfElse(`groupRole.allowedFields`, `groupRole.nullAllowedFields`, `groupRole.isAuthorizedOnAllFields`, true)), | ||
| ]), | ||
@@ -109,20 +103,11 @@ ]))); | ||
| (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`ownerNullAllowedFields${idx}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(role.nullAllowedFields))), | ||
| (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`isAuthorizedOnAllFields${idx}`), (0, graphql_mapping_template_1.bool)(role.areAllFieldsAllowed && role.areAllFieldsNullAllowed)), | ||
| ...(entityIsList | ||
| ? [ | ||
| (0, graphql_mapping_template_1.forEach)((0, graphql_mapping_template_1.ref)('allowedOwner'), (0, graphql_mapping_template_1.ref)(`ownerEntity${idx}`), [ | ||
| (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('allowedOwner'), (0, graphql_mapping_template_1.ref)(`ownerClaim${idx}`)), role.areAllFieldsAllowed && role.areAllFieldsNullAllowed | ||
| ? (0, graphql_mapping_template_1.compoundExpression)([(0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true)), (0, graphql_mapping_template_1.raw)('#break')]) | ||
| : (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.or)([(0, graphql_mapping_template_1.not)((0, graphql_mapping_template_1.ref)(`ownerAllowedFields${idx}.isEmpty()`)), (0, graphql_mapping_template_1.not)((0, graphql_mapping_template_1.ref)(`ownerNullAllowedFields${idx}.isEmpty()`))]), (0, graphql_mapping_template_1.compoundExpression)([ | ||
| (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.ref)(`ownerAllowedFields${idx}`))), | ||
| (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.NULL_ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.ref)(`ownerNullAllowedFields${idx}`))), | ||
| ]))), | ||
| (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('allowedOwner'), (0, graphql_mapping_template_1.ref)(`ownerClaim${idx}`)), addAllowedFieldsIfElse(`ownerAllowedFields${idx}`, `ownerNullAllowedFields${idx}`, `isAuthorizedOnAllFields${idx}`, true)), | ||
| ]), | ||
| ] | ||
| : [ | ||
| (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)(`ownerEntity${idx}`), (0, graphql_mapping_template_1.ref)(`ownerClaim${idx}`)), role.areAllFieldsAllowed && role.areAllFieldsNullAllowed | ||
| ? (0, graphql_mapping_template_1.compoundExpression)([(0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true))]) | ||
| : (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.or)([(0, graphql_mapping_template_1.not)((0, graphql_mapping_template_1.ref)(`ownerAllowedFields${idx}.isEmpty()`)), (0, graphql_mapping_template_1.not)((0, graphql_mapping_template_1.ref)(`ownerNullAllowedFields${idx}.isEmpty()`))]), (0, graphql_mapping_template_1.compoundExpression)([ | ||
| (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.ref)(`ownerAllowedFields${idx}`))), | ||
| (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.NULL_ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.ref)(`ownerNullAllowedFields${idx}`))), | ||
| ]))), | ||
| (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)(`ownerEntity${idx}`), (0, graphql_mapping_template_1.ref)(`ownerClaim${idx}`)), addAllowedFieldsIfElse(`ownerAllowedFields${idx}`, `ownerNullAllowedFields${idx}`, `isAuthorizedOnAllFields${idx}`)), | ||
| ]), | ||
@@ -137,2 +122,3 @@ ]))); | ||
| (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`groupNullAllowedFields${idx}`), (0, graphql_mapping_template_1.raw)(JSON.stringify(role.nullAllowedFields))), | ||
| (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`isAuthorizedOnAllFields${idx}`), (0, graphql_mapping_template_1.bool)(role.areAllFieldsAllowed && role.areAllFieldsNullAllowed)), | ||
| (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`util.isString`), (0, graphql_mapping_template_1.ref)(`groupClaim${idx}`)), (0, graphql_mapping_template_1.ifElse)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`util.isList`), (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`util.parseJson`), (0, graphql_mapping_template_1.ref)(`groupClaim${idx}`))), (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`groupClaim${idx}`), (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`util.parseJson`), (0, graphql_mapping_template_1.ref)(`groupClaim${idx}`))), (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(`groupClaim${idx}`), (0, graphql_mapping_template_1.list)([(0, graphql_mapping_template_1.ref)(`groupClaim${idx}`)])))), | ||
@@ -142,8 +128,3 @@ (0, graphql_mapping_template_1.forEach)((0, graphql_mapping_template_1.ref)('userGroup'), (0, graphql_mapping_template_1.ref)(`groupClaim${idx}`), [ | ||
| ? (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`groupEntity${idx}.contains`), (0, graphql_mapping_template_1.ref)('userGroup')) | ||
| : (0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)(`groupEntity${idx}`), (0, graphql_mapping_template_1.ref)('userGroup')), role.areAllFieldsAllowed && role.areAllFieldsNullAllowed | ||
| ? (0, graphql_mapping_template_1.compoundExpression)([(0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true)), (0, graphql_mapping_template_1.raw)('#break')]) | ||
| : (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.or)([(0, graphql_mapping_template_1.not)((0, graphql_mapping_template_1.ref)(`groupAllowedFields${idx}.isEmpty()`)), (0, graphql_mapping_template_1.not)((0, graphql_mapping_template_1.ref)(`groupNullAllowedFields${idx}.isEmpty()`))]), (0, graphql_mapping_template_1.compoundExpression)([ | ||
| (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.ref)(`groupAllowedFields${idx}`))), | ||
| (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.NULL_ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.ref)(`groupNullAllowedFields${idx}`))), | ||
| ]))), | ||
| : (0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)(`groupEntity${idx}`), (0, graphql_mapping_template_1.ref)('userGroup')), addAllowedFieldsIfElse(`groupAllowedFields${idx}`, `groupNullAllowedFields${idx}`, `isAuthorizedOnAllFields${idx}`, true)), | ||
| ]), | ||
@@ -195,2 +176,8 @@ ]))); | ||
| exports.generateAuthExpressionForUpdate = generateAuthExpressionForUpdate; | ||
| const addAllowedFieldsIfElse = (allowedFieldsKey, nullAllowedFieldsKey, condition, breakLoop = false) => { | ||
| return (0, graphql_mapping_template_1.ifElse)((0, graphql_mapping_template_1.ref)(condition), (0, graphql_mapping_template_1.compoundExpression)([(0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true)), ...(breakLoop ? [(0, graphql_mapping_template_1.raw)('#break')] : [])]), (0, graphql_mapping_template_1.compoundExpression)([ | ||
| (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.ref)(allowedFieldsKey))), | ||
| (0, graphql_mapping_template_1.qref)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)(`${utils_1.NULL_ALLOWED_FIELDS}.addAll`), (0, graphql_mapping_template_1.ref)(nullAllowedFieldsKey))), | ||
| ])); | ||
| }; | ||
| //# sourceMappingURL=mutation.update.js.map |
@@ -0,1 +1,2 @@ | ||
| import { DirectiveWrapper } from '@aws-amplify/graphql-transformer-core'; | ||
| import { TransformerContextProvider } from '@aws-amplify/graphql-transformer-interfaces'; | ||
@@ -12,6 +13,6 @@ import { Stack } from '@aws-cdk/core'; | ||
| export declare const splitRoles: (roles: Array<RoleDefinition>) => RolesByProvider; | ||
| export declare const ensureAuthRuleDefaults: (rules: AuthRule[]) => void; | ||
| export declare const getStackForField: (ctx: TransformerContextProvider, obj: ObjectTypeDefinitionNode, fieldName: string, hasModelDirective: boolean) => Stack; | ||
| export declare const getConfiguredAuthProviders: (config: AuthTransformerConfig) => ConfiguredAuthProviders; | ||
| export declare const getReadRolesForField: (acm: AccessControlMatrix, readRoles: Array<string>, fieldName: string) => Array<string>; | ||
| export declare const getAuthDirectiveRules: (authDir: DirectiveWrapper) => AuthRule[]; | ||
| //# sourceMappingURL=index.d.ts.map |
@@ -13,3 +13,4 @@ "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.getReadRolesForField = exports.getConfiguredAuthProviders = exports.getStackForField = exports.ensureAuthRuleDefaults = exports.splitRoles = void 0; | ||
| exports.getAuthDirectiveRules = exports.getReadRolesForField = exports.getConfiguredAuthProviders = exports.getStackForField = exports.splitRoles = void 0; | ||
| const __1 = require(".."); | ||
| __exportStar(require("./constants"), exports); | ||
@@ -32,29 +33,2 @@ __exportStar(require("./definitions"), exports); | ||
| exports.splitRoles = splitRoles; | ||
| const ensureAuthRuleDefaults = (rules) => { | ||
| for (const rule of rules) { | ||
| if (!rule.provider) { | ||
| switch (rule.allow) { | ||
| case 'owner': | ||
| case 'groups': | ||
| rule.provider = 'userPools'; | ||
| break; | ||
| case 'private': | ||
| rule.provider = 'userPools'; | ||
| break; | ||
| case 'public': | ||
| rule.provider = 'apiKey'; | ||
| break; | ||
| case 'custom': | ||
| rule.provider = 'function'; | ||
| break; | ||
| default: | ||
| throw new Error(`Need to specify an allow to assigned a provider: ${rule}`); | ||
| } | ||
| } | ||
| if (rule.provider === 'iam' && !rule.generateIAMPolicy) { | ||
| rule.generateIAMPolicy = true; | ||
| } | ||
| } | ||
| }; | ||
| exports.ensureAuthRuleDefaults = ensureAuthRuleDefaults; | ||
| const getStackForField = (ctx, obj, fieldName, hasModelDirective) => { | ||
@@ -126,2 +100,33 @@ const fieldNode = obj.fields.find(f => f.name.value === fieldName); | ||
| exports.getReadRolesForField = getReadRolesForField; | ||
| const getAuthDirectiveRules = (authDir) => { | ||
| var _a; | ||
| const rules = authDir.getArguments({ rules: [] }).rules; | ||
| for (const rule of rules) { | ||
| rule.operations = (_a = rule.operations) !== null && _a !== void 0 ? _a : __1.MODEL_OPERATIONS; | ||
| if (!rule.provider) { | ||
| switch (rule.allow) { | ||
| case 'owner': | ||
| case 'groups': | ||
| rule.provider = 'userPools'; | ||
| break; | ||
| case 'private': | ||
| rule.provider = 'userPools'; | ||
| break; | ||
| case 'public': | ||
| rule.provider = 'apiKey'; | ||
| break; | ||
| case 'custom': | ||
| rule.provider = 'function'; | ||
| break; | ||
| default: | ||
| throw new Error(`Need to specify an allow to assigned a provider: ${rule}`); | ||
| } | ||
| } | ||
| if (rule.provider === 'iam') { | ||
| rule.generateIAMPolicy = true; | ||
| } | ||
| } | ||
| return rules; | ||
| }; | ||
| exports.getAuthDirectiveRules = getAuthDirectiveRules; | ||
| //# sourceMappingURL=index.js.map |
@@ -0,6 +1,7 @@ | ||
| import { DirectiveWrapper } from '@aws-amplify/graphql-transformer-core'; | ||
| import { AuthRule, ConfiguredAuthProviders } from './definitions'; | ||
| export declare const validateRuleAuthStrategy: (rule: AuthRule, configuredAuthProviders: ConfiguredAuthProviders) => void; | ||
| export declare const validateRules: (rules: AuthRule[], configuredAuthProviders: ConfiguredAuthProviders, typeName: string) => void; | ||
| export declare const validateFieldRules: (rules: AuthRule[], isParentTypeBuiltinType: boolean, parentHasModelDirective: boolean, authProviderConfig: ConfiguredAuthProviders, fieldName: string) => void; | ||
| export declare const validateFieldRules: (authDir: DirectiveWrapper, isParentTypeBuiltinType: boolean, parentHasModelDirective: boolean, fieldName: string) => void; | ||
| export declare const commonRuleValidation: (rule: AuthRule) => void; | ||
| //# sourceMappingURL=validations.d.ts.map |
@@ -13,3 +13,3 @@ "use strict"; | ||
| if (rule.allow === 'owner') { | ||
| if (rule.provider !== null && rule.provider !== 'userPools' && rule.provider !== 'oidc') { | ||
| if (rule.provider && rule.provider !== 'userPools' && rule.provider !== 'oidc') { | ||
| throw new graphql_transformer_core_1.InvalidDirectiveError(`@auth directive with 'owner' strategy only supports 'userPools' (default) and 'oidc' providers, but \ | ||
@@ -20,3 +20,3 @@ found '${rule.provider}' assigned.`); | ||
| if (rule.allow === 'public') { | ||
| if (rule.provider !== null && rule.provider !== 'apiKey' && rule.provider !== 'iam') { | ||
| if (rule.provider && rule.provider !== 'apiKey' && rule.provider !== 'iam') { | ||
| throw new graphql_transformer_core_1.InvalidDirectiveError(`@auth directive with 'public' strategy only supports 'apiKey' (default) and 'iam' providers, but \ | ||
@@ -27,3 +27,3 @@ found '${rule.provider}' assigned.`); | ||
| if (rule.allow === 'private') { | ||
| if (rule.provider !== null && rule.provider !== 'userPools' && rule.provider !== 'iam' && rule.provider !== 'oidc') { | ||
| if (rule.provider && rule.provider !== 'userPools' && rule.provider !== 'iam' && rule.provider !== 'oidc') { | ||
| throw new graphql_transformer_core_1.InvalidDirectiveError(`@auth directive with 'private' strategy only supports 'userPools' (default) and 'iam' providers, but \ | ||
@@ -34,3 +34,3 @@ found '${rule.provider}' assigned.`); | ||
| if (rule.allow === 'custom') { | ||
| if (rule.provider !== null && rule.provider !== 'function') { | ||
| if (rule.provider && rule.provider !== 'function') { | ||
| throw new graphql_transformer_core_1.InvalidDirectiveError(`@auth directive with 'custom' strategy only supports 'function' (default) provider, but \ | ||
@@ -67,3 +67,4 @@ found '${rule.provider}' assigned.`); | ||
| exports.validateRules = validateRules; | ||
| const validateFieldRules = (rules, isParentTypeBuiltinType, parentHasModelDirective, authProviderConfig, fieldName) => { | ||
| const validateFieldRules = (authDir, isParentTypeBuiltinType, parentHasModelDirective, fieldName) => { | ||
| const rules = authDir.getArguments({ rules: [] }).rules; | ||
| if (rules.length === 0) { | ||
@@ -73,3 +74,2 @@ throw new graphql_transformer_core_1.InvalidDirectiveError(`@auth on ${fieldName} does not have any auth rules.`); | ||
| for (const rule of rules) { | ||
| (0, exports.validateRuleAuthStrategy)(rule, authProviderConfig); | ||
| if (isParentTypeBuiltinType && rule.operations && rule.operations.length > 0) { | ||
@@ -83,3 +83,2 @@ throw new graphql_transformer_core_1.InvalidDirectiveError(`@auth rules on fields within Query, Mutation, Subscription cannot specify 'operations' argument as these rules \ | ||
| } | ||
| (0, exports.commonRuleValidation)(rule); | ||
| } | ||
@@ -86,0 +85,0 @@ }; |
| { | ||
| "name": "@aws-amplify/graphql-auth-transformer", | ||
| "version": "0.7.8", | ||
| "version": "0.7.9-beta.0", | ||
| "description": "Amplify GraphQL @auth Transformer", | ||
@@ -31,2 +31,3 @@ "repository": { | ||
| "@aws-amplify/graphql-model-transformer": "0.13.2", | ||
| "@aws-amplify/graphql-relational-transformer": "0.7.9-beta.0", | ||
| "@aws-amplify/graphql-transformer-core": "0.16.2", | ||
@@ -66,3 +67,3 @@ "@aws-amplify/graphql-transformer-interfaces": "1.13.0", | ||
| }, | ||
| "gitHead": "f0ddd2f73ac3eec6d7fc916d64c471ecf2d18b43" | ||
| "gitHead": "a3ba5c289c91cbf60fb93cca7b442184fe311f7e" | ||
| } |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by1.52%
423361
- Lines of code
- increased by2.44%
3154
Worsened metrics
- Dependency count
- increased by7.69%
14
Dependency changes
+ Added@aws-amplify/graphql-relational-transformer@0.7.9-beta.0
+ Added@aws-amplify/graphql-index-transformer@0.11.2(transitive)
+ Added@aws-amplify/graphql-relational-transformer@0.7.9-beta.0(transitive)