@aws-amplify/graphql-auth-transformer - npm Package Compare versions

Comparing version 3.4.1 to 3.4.2-iam-auth.0

API.md

@@ -168,2 +168,4 @@ ## API Report File for "@aws-amplify/graphql-auth-transformer"
     // (undocumented)
+    genericIamAccessEnabled: boolean;
+    // (undocumented)
     hasAdminRolesEnabled: boolean;
@@ -170,0 +172,0 @@ // (undocumented)

CHANGELOG.md

@@ -6,2 +6,6 @@ # Change Log
 
+## [3.4.2-iam-auth.0](https://github.com/aws-amplify/amplify-category-api/compare/@aws-amplify/graphql-auth-transformer@3.4.1...@aws-amplify/graphql-auth-transformer@3.4.2-iam-auth.0) (2024-03-15)
+
+**Note:** Version bump only for package @aws-amplify/graphql-auth-transformer
+
 ## [3.4.1](https://github.com/aws-amplify/amplify-category-api/compare/@aws-amplify/graphql-auth-transformer@3.4.0...@aws-amplify/graphql-auth-transformer@3.4.1) (2024-03-13)
@@ -8,0 +12,0 @@

lib/utils/definitions.d.ts

@@ -65,4 +65,5 @@ import { GetArgumentsOptions } from '@aws-amplify/graphql-transformer-core';
     shouldAddDefaultServiceDirective: boolean;
+    genericIamAccessEnabled: boolean;
 }
 export declare const authDirectiveDefinition = "\n  directive @auth(rules: [AuthRule!]!) on OBJECT | FIELD_DEFINITION\n  input AuthRule {\n    allow: AuthStrategy!\n    provider: AuthProvider\n    identityClaim: String\n    groupClaim: String\n    ownerField: String\n    groupsField: String\n    groups: [String]\n    operations: [ModelOperation]\n  }\n  enum AuthStrategy {\n    owner\n    groups\n    private\n    public\n    custom\n  }\n  enum AuthProvider {\n    apiKey\n    iam\n    oidc\n    userPools\n    function\n  }\n  enum ModelOperation {\n    create\n    update\n    delete\n    read\n    list\n    get\n    sync\n    listen\n    search\n  }\n";
 //# sourceMappingURL=definitions.d.ts.map

lib/utils/index.js

@@ -139,3 +139,3 @@ "use strict";
     const hasAdminRolesEnabled = hasIAM && (adminRoles === null || adminRoles === void 0 ? void 0 : adminRoles.length) > 0;
-    const shouldAddDefaultServiceDirective = hasAdminRolesEnabled && authConfig.defaultAuthentication.authenticationType !== 'AWS_IAM';
+    const shouldAddDefaultServiceDirective = (hasAdminRolesEnabled || context.synthParameters.enableIamAccess) && authConfig.defaultAuthentication.authenticationType !== 'AWS_IAM';
     const configuredProviders = {
@@ -152,2 +152,3 @@ default: getAuthProvider(authConfig.defaultAuthentication.authenticationType),
         shouldAddDefaultServiceDirective,
+        genericIamAccessEnabled: synthParameters.enableIamAccess,
     };
@@ -154,0 +155,0 @@ return configuredProviders;

lib/vtl-generator/ddb/ddb-vtl-generator.d.ts

@@ -18,4 +18,4 @@ import { TransformerContextProvider } from '@aws-amplify/graphql-transformer-interfaces';
     generateFieldResolverForOwner: (entity: string) => string;
-    generateSandboxExpressionForField: (sandboxEnabled: boolean) => string;
+    generateSandboxExpressionForField: (sandboxEnabled: boolean, genericIamAccessEnabled: boolean) => string;
 }
 //# sourceMappingURL=ddb-vtl-generator.d.ts.map

lib/vtl-generator/ddb/ddb-vtl-generator.js

@@ -20,3 +20,3 @@ "use strict";
         this.generateFieldResolverForOwner = (entity) => (0, resolvers_1.generateFieldResolverForOwner)(entity);
-        this.generateSandboxExpressionForField = (sandboxEnabled) => (0, field_1.generateSandboxExpressionForField)(sandboxEnabled);
+        this.generateSandboxExpressionForField = (sandboxEnabled, genericIamAccessEnabled) => (0, field_1.generateSandboxExpressionForField)(sandboxEnabled, genericIamAccessEnabled);
     }
@@ -23,0 +23,0 @@ }

lib/vtl-generator/ddb/resolvers/field.d.ts

@@ -6,3 +6,3 @@ import { FieldDefinitionNode } from 'graphql';
 export declare const setDeniedFieldFlag: (operation: string, subscriptionsEnabled: boolean) => string;
-export declare const generateSandboxExpressionForField: (sandboxEnabled: boolean) => string;
+export declare const generateSandboxExpressionForField: (sandboxEnabled: boolean, genericIamAccessEnabled: boolean) => string;
 //# sourceMappingURL=field.d.ts.map

lib/vtl-generator/ddb/resolvers/field.js

@@ -63,3 +63,3 @@ "use strict";
     if (providers.hasIAM) {
-        totalAuthExpressions.push((0, helpers_1.iamExpression)(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId, fieldName));
+        totalAuthExpressions.push((0, helpers_1.iamExpression)(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId, providers.genericIamAccessEnabled, fieldName));
     }
@@ -101,8 +101,15 @@ if (providers.hasUserPools) {
 exports.setDeniedFieldFlag = setDeniedFieldFlag;
-const generateSandboxExpressionForField = (sandboxEnabled) => {
-    let exp;
-    if (sandboxEnabled)
-        exp = (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.notEquals)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.authType')), (0, graphql_mapping_template_1.str)(utils_1.API_KEY_AUTH_TYPE)), (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.unauthorized')));
-    else
-        exp = (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.unauthorized'));
+const generateSandboxExpressionForField = (sandboxEnabled, genericIamAccessEnabled) => {
+    let exp = (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.unauthorized'));
+    if (sandboxEnabled) {
+        exp = (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.notEquals)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.authType')), (0, graphql_mapping_template_1.str)(utils_1.API_KEY_AUTH_TYPE)), exp);
+    }
+    if (genericIamAccessEnabled) {
+        const isNonCognitoIAMPrincipal = (0, graphql_mapping_template_1.and)([
+            (0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.IAM_AUTH_TYPE)),
+            (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.isNull'), (0, graphql_mapping_template_1.ref)('ctx.identity.cognitoIdentityPoolId')),
+            (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.isNull'), (0, graphql_mapping_template_1.ref)('ctx.identity.cognitoIdentityId')),
+        ]);
+        exp = (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.not)((0, graphql_mapping_template_1.parens)(isNonCognitoIAMPrincipal)), exp);
+    }
     return (0, graphql_mapping_template_1.printBlock)(`Sandbox Mode ${sandboxEnabled ? 'Enabled' : 'Disabled'}`)((0, graphql_mapping_template_1.compoundExpression)([exp, (0, graphql_mapping_template_1.toJson)((0, graphql_mapping_template_1.obj)({}))]));
@@ -109,0 +116,0 @@ };

lib/vtl-generator/ddb/resolvers/helpers.d.ts

@@ -12,3 +12,4 @@ import { Expression } from 'graphql-mapping-template';
 export declare const lambdaExpression: (roles: Array<RoleDefinition>) => Expression;
-export declare const iamExpression: (roles: Array<RoleDefinition>, adminRolesEnabled: boolean, hasIdentityPoolId: boolean, fieldName?: string) => Expression;
+export declare const iamExpression: (roles: Array<RoleDefinition>, adminRolesEnabled: boolean, hasIdentityPoolId: boolean, genericIamAccessEnabled: boolean, fieldName?: string) => Expression;
+export declare const generateIAMAccessCheck: (enableIamAccess: boolean, expression: Expression) => Expression;
 export declare const iamAdminRoleCheckExpression: (fieldName?: string, adminCheckExpression?: Expression) => Expression;
@@ -15,0 +16,0 @@ export declare const generateAuthRequestExpression: () => string;

lib/vtl-generator/ddb/resolvers/helpers.js

 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateFieldResolverForOwner = exports.getOwnerClaimReference = exports.addAllowedFieldsIfElse = exports.generatePopulateOwnerField = exports.generateInvalidClaimsCondition = exports.generateOwnerMultiClaimExpression = exports.generateOwnerClaimExpression = exports.generateOwnerClaimListExpression = exports.emptyPayload = exports.generateAuthRequestExpression = exports.iamAdminRoleCheckExpression = exports.iamExpression = exports.lambdaExpression = exports.apiKeyExpression = exports.generateStaticRoleExpression = exports.responseCheckForErrors = exports.getOwnerClaim = exports.iamCheck = exports.getIdentityClaimExp = exports.getInputFields = exports.setHasAuthExpression = void 0;
+exports.generateFieldResolverForOwner = exports.getOwnerClaimReference = exports.addAllowedFieldsIfElse = exports.generatePopulateOwnerField = exports.generateInvalidClaimsCondition = exports.generateOwnerMultiClaimExpression = exports.generateOwnerClaimExpression = exports.generateOwnerClaimListExpression = exports.emptyPayload = exports.generateAuthRequestExpression = exports.iamAdminRoleCheckExpression = exports.generateIAMAccessCheck = exports.iamExpression = exports.lambdaExpression = exports.apiKeyExpression = exports.generateStaticRoleExpression = exports.responseCheckForErrors = exports.getOwnerClaim = exports.iamCheck = exports.getIdentityClaimExp = exports.getInputFields = exports.setHasAuthExpression = void 0;
 const graphql_mapping_template_1 = require("graphql-mapping-template");
@@ -57,3 +57,3 @@ const utils_1 = require("../../../utils");
 exports.lambdaExpression = lambdaExpression;
-const iamExpression = (roles, adminRolesEnabled, hasIdentityPoolId, fieldName = undefined) => {
+const iamExpression = (roles, adminRolesEnabled, hasIdentityPoolId, genericIamAccessEnabled, fieldName = undefined) => {
     const expression = new Array();
@@ -71,5 +71,16 @@ if (adminRolesEnabled) {
     }
-    return (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.IAM_AUTH_TYPE)), (0, graphql_mapping_template_1.compoundExpression)(expression));
+    return (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.IAM_AUTH_TYPE)), (0, exports.generateIAMAccessCheck)(genericIamAccessEnabled, (0, graphql_mapping_template_1.compoundExpression)(expression)));
 };
 exports.iamExpression = iamExpression;
+const generateIAMAccessCheck = (enableIamAccess, expression) => {
+    if (!enableIamAccess) {
+        return expression;
+    }
+    const isGenericIamAccess = (0, graphql_mapping_template_1.and)([
+        (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.isNull'), (0, graphql_mapping_template_1.ref)('ctx.identity.cognitoIdentityPoolId')),
+        (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.isNull'), (0, graphql_mapping_template_1.ref)('ctx.identity.cognitoIdentityId')),
+    ]);
+    return (0, graphql_mapping_template_1.ifElse)(isGenericIamAccess, (0, graphql_mapping_template_1.compoundExpression)([exports.setHasAuthExpression, (0, graphql_mapping_template_1.set)((0, graphql_mapping_template_1.ref)(utils_1.IS_AUTHORIZED_FLAG), (0, graphql_mapping_template_1.bool)(true))]), expression);
+};
+exports.generateIAMAccessCheck = generateIAMAccessCheck;
 const iamAdminRoleCheckExpression = (fieldName, adminCheckExpression) => {
@@ -76,0 +87,0 @@ const returnStatement = fieldName ? (0, graphql_mapping_template_1.raw)(`#return($context.source.${fieldName})`) : (0, graphql_mapping_template_1.raw)('#return($util.toJson({}))');

lib/vtl-generator/ddb/resolvers/mutation.create.js

@@ -20,3 +20,3 @@ "use strict";
 };
-const iamExpression = (roles, hasAdminRolesEnabled = false, hasIdentityPoolId) => {
+const iamExpression = (roles, hasAdminRolesEnabled = false, hasIdentityPoolId, genericIamAccessEnabled) => {
     const expression = new Array();
@@ -39,3 +39,3 @@ if (hasAdminRolesEnabled) {
     }
-    return (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.IAM_AUTH_TYPE)), (0, graphql_mapping_template_1.compoundExpression)(expression));
+    return (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.IAM_AUTH_TYPE)), (0, helpers_1.generateIAMAccessCheck)(genericIamAccessEnabled, (0, graphql_mapping_template_1.compoundExpression)(expression)));
 };
@@ -153,3 +153,3 @@ const lambdaExpression = (roles) => {
     if (providers.hasIAM) {
-        totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId));
+        totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId, providers.genericIamAccessEnabled));
     }
@@ -156,0 +156,0 @@ if (providers.hasLambda) {

lib/vtl-generator/ddb/resolvers/mutation.delete.js

@@ -15,3 +15,3 @@ "use strict";
 };
-const iamExpression = (roles, hasAdminRolesEnabled = false, hasIdentityPoolId) => {
+const iamExpression = (roles, hasAdminRolesEnabled = false, hasIdentityPoolId, genericIamAccessEnabled) => {
     const expression = new Array();
@@ -29,3 +29,3 @@ if (hasAdminRolesEnabled) {
     }
-    return (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.IAM_AUTH_TYPE)), (0, graphql_mapping_template_1.compoundExpression)(expression));
+    return (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.IAM_AUTH_TYPE)), (0, helpers_1.generateIAMAccessCheck)(genericIamAccessEnabled, (0, graphql_mapping_template_1.compoundExpression)(expression)));
 };
@@ -110,3 +110,3 @@ const lambdaExpression = (roles) => {
     if (providers.hasIAM) {
-        totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId));
+        totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId, providers.genericIamAccessEnabled));
     }
@@ -113,0 +113,0 @@ if (providers.hasLambda) {

lib/vtl-generator/ddb/resolvers/mutation.update.js

@@ -33,3 +33,3 @@ "use strict";
 };
-const iamExpression = (roles, hasAdminRolesEnabled = false, hasIdentityPoolId) => {
+const iamExpression = (roles, hasAdminRolesEnabled = false, hasIdentityPoolId, genericIamAccessEnabled) => {
     const expression = new Array();
@@ -55,3 +55,3 @@ if (hasAdminRolesEnabled) {
     }
-    return (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.IAM_AUTH_TYPE)), (0, graphql_mapping_template_1.compoundExpression)(expression));
+    return (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.IAM_AUTH_TYPE)), (0, helpers_1.generateIAMAccessCheck)(genericIamAccessEnabled, (0, graphql_mapping_template_1.compoundExpression)(expression)));
 };
@@ -157,3 +157,3 @@ const generateStaticRoleExpression = (roles) => {
     if (providers.hasIAM) {
-        totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId));
+        totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId, providers.genericIamAccessEnabled));
     }
@@ -160,0 +160,0 @@ if (providers.hasUserPools) {

lib/vtl-generator/ddb/resolvers/query.js

@@ -254,3 +254,3 @@ "use strict";
     if (providers.hasIAM) {
-        totalAuthExpressions.push((0, helpers_1.iamExpression)(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId));
+        totalAuthExpressions.push((0, helpers_1.iamExpression)(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId, providers.genericIamAccessEnabled));
     }
@@ -308,3 +308,3 @@ if (providers.hasUserPools) {
     if (providers.hasIAM) {
-        totalAuthExpressions.push((0, helpers_1.iamExpression)(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId));
+        totalAuthExpressions.push((0, helpers_1.iamExpression)(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId, providers.genericIamAccessEnabled));
     }
@@ -311,0 +311,0 @@ if (providers.hasUserPools) {

lib/vtl-generator/ddb/resolvers/search.js

@@ -36,3 +36,3 @@ "use strict";
 };
-const iamExpression = (roles, hasAdminRolesEnabled = false, hasIdentityPoolId) => {
+const iamExpression = (roles, hasAdminRolesEnabled = false, hasIdentityPoolId, genericIamAccessEnabled) => {
     const expression = new Array();
@@ -61,3 +61,3 @@ if (hasAdminRolesEnabled) {
     }
-    return (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.IAM_AUTH_TYPE)), (0, graphql_mapping_template_1.compoundExpression)(expression));
+    return (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.IAM_AUTH_TYPE)), (0, helpers_1.generateIAMAccessCheck)(genericIamAccessEnabled, (0, graphql_mapping_template_1.compoundExpression)(expression)));
 };
@@ -168,3 +168,3 @@ const generateStaticRoleExpression = (roles) => {
     if (providers.hasIAM) {
-        totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId));
+        totalAuthExpressions.push(iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId, providers.genericIamAccessEnabled));
     }
@@ -171,0 +171,0 @@ if (providers.hasUserPools) {

lib/vtl-generator/ddb/resolvers/subscriptions.js

@@ -71,3 +71,3 @@ "use strict";
     if (providers.hasIAM) {
-        totalAuthExpressions.push((0, helpers_1.iamExpression)(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId));
+        totalAuthExpressions.push((0, helpers_1.iamExpression)(iamRoles, providers.hasAdminRolesEnabled, providers.hasIdentityPoolId, providers.genericIamAccessEnabled));
     }
@@ -74,0 +74,0 @@ if (providers.hasUserPools) {

lib/vtl-generator/rds/rds-vtl-generator.d.ts

@@ -18,4 +18,4 @@ import { TransformerContextProvider } from '@aws-amplify/graphql-transformer-interfaces';
     generateFieldResolverForOwner: (entity: string) => string;
-    generateSandboxExpressionForField: (sandboxEnabled: boolean) => string;
+    generateSandboxExpressionForField: (sandboxEnabled: boolean, genericIamAccessEnabled: boolean) => string;
 }
 //# sourceMappingURL=rds-vtl-generator.d.ts.map

lib/vtl-generator/rds/rds-vtl-generator.js

@@ -15,3 +15,3 @@ "use strict";
         this.generateAuthExpressionForQueries = (ctx, providers, roles, fields, def, indexName) => (0, resolvers_1.generateAuthExpressionForQueries)(ctx, providers, roles, fields, def, indexName);
-        this.generateAuthExpressionForSearchQueries = (providers, roles, fields, allowedAggFields) => (0, resolvers_1.generateDefaultRDSExpression)();
+        this.generateAuthExpressionForSearchQueries = (providers, roles, fields, allowedAggFields) => (0, resolvers_1.generateDefaultRDSExpression)(providers.genericIamAccessEnabled);
         this.generateAuthExpressionForSubscriptions = (providers, roles) => (0, subscription_1.generateAuthExpressionForSubscriptions)(providers, roles);
@@ -21,3 +21,3 @@ this.setDeniedFieldFlag = (operation, subscriptionsEnabled) => (0, resolvers_1.setDeniedFieldFlag)(operation, subscriptionsEnabled);
         this.generateFieldResolverForOwner = (entity) => (0, resolvers_1.generateFieldResolverForOwner)(entity);
-        this.generateSandboxExpressionForField = (sandboxEnabled) => (0, resolvers_1.generateSandboxExpressionForField)(sandboxEnabled);
+        this.generateSandboxExpressionForField = (sandboxEnabled, genericIamAccessEnabled) => (0, resolvers_1.generateSandboxExpressionForField)(sandboxEnabled, genericIamAccessEnabled);
     }
@@ -24,0 +24,0 @@ }

lib/vtl-generator/rds/resolvers/common.d.ts

 import { Expression } from 'graphql-mapping-template';
 import { FieldDefinitionNode } from 'graphql';
 import { RoleDefinition } from '../../../utils';
-export declare const generateDefaultRDSExpression: () => string;
+export declare const generateDefaultRDSExpression: (iamAccessEnabled: boolean) => string;
 export declare const generateAuthRulesFromRoles: (roles: Array<RoleDefinition>, fields: Readonly<FieldDefinitionNode[]>, hasIdentityPoolId: boolean, hideAllowedFields?: boolean) => Expression[];
@@ -9,6 +9,7 @@ export declare const validateAuthResult: () => Expression;
 export declare const constructAuthorizedInputStatement: (keyName: string) => Expression;
-export declare const generateSandboxExpressionForField: (sandboxEnabled: boolean) => string;
+export declare const generateSandboxExpressionForField: (sandboxEnabled: boolean, genericIamAccessEnabled: boolean) => string;
 export declare const emptyPayload: import("graphql-mapping-template").ToJsonNode;
 export declare const setDeniedFieldFlag: (operation: string, subscriptionsEnabled: boolean) => string;
 export declare const generateFieldResolverForOwner: (entity: string) => string;
+export declare const generateIAMAccessCheck: (enableIamAccess: boolean, expression: Expression) => Expression;
 //# sourceMappingURL=common.d.ts.map

lib/vtl-generator/rds/resolvers/common.js

 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateFieldResolverForOwner = exports.setDeniedFieldFlag = exports.emptyPayload = exports.generateSandboxExpressionForField = exports.constructAuthorizedInputStatement = exports.constructAuthFilter = exports.validateAuthResult = exports.generateAuthRulesFromRoles = exports.generateDefaultRDSExpression = void 0;
+exports.generateIAMAccessCheck = exports.generateFieldResolverForOwner = exports.setDeniedFieldFlag = exports.emptyPayload = exports.generateSandboxExpressionForField = exports.constructAuthorizedInputStatement = exports.constructAuthFilter = exports.validateAuthResult = exports.generateAuthRulesFromRoles = exports.generateDefaultRDSExpression = void 0;
 const graphql_mapping_template_1 = require("graphql-mapping-template");
 const graphql_model_transformer_1 = require("@aws-amplify/graphql-model-transformer");
 const utils_1 = require("../../../utils");
-const generateDefaultRDSExpression = () => {
+const helpers_1 = require("../../ddb/resolvers/helpers");
+const generateDefaultRDSExpression = (iamAccessEnabled) => {
     const exp = (0, graphql_mapping_template_1.ref)('util.unauthorized()');
-    return (0, graphql_mapping_template_1.printBlock)('Default RDS Auth Resolver')((0, graphql_mapping_template_1.compoundExpression)([exp, (0, graphql_mapping_template_1.toJson)((0, graphql_mapping_template_1.obj)({}))]));
+    return (0, graphql_mapping_template_1.printBlock)('Default RDS Auth Resolver')((0, exports.generateIAMAccessCheck)(iamAccessEnabled, (0, graphql_mapping_template_1.compoundExpression)([exp, (0, graphql_mapping_template_1.toJson)((0, graphql_mapping_template_1.obj)({}))])));
 };
@@ -114,8 +115,15 @@ exports.generateDefaultRDSExpression = generateDefaultRDSExpression;
 exports.constructAuthorizedInputStatement = constructAuthorizedInputStatement;
-const generateSandboxExpressionForField = (sandboxEnabled) => {
-    let exp;
-    if (sandboxEnabled)
-        exp = (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.notEquals)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.authType')), (0, graphql_mapping_template_1.str)(utils_1.API_KEY_AUTH_TYPE)), (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.unauthorized')));
-    else
-        exp = (0, graphql_mapping_template_1.ref)('util.unauthorized()');
+const generateSandboxExpressionForField = (sandboxEnabled, genericIamAccessEnabled) => {
+    let exp = (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.unauthorized'));
+    if (sandboxEnabled) {
+        exp = (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.notEquals)((0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.authType')), (0, graphql_mapping_template_1.str)(utils_1.API_KEY_AUTH_TYPE)), exp);
+    }
+    if (genericIamAccessEnabled) {
+        const isNonCognitoIAMPrincipal = (0, graphql_mapping_template_1.and)([
+            (0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.IAM_AUTH_TYPE)),
+            (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.isNull'), (0, graphql_mapping_template_1.ref)('ctx.identity.cognitoIdentityPoolId')),
+            (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.isNull'), (0, graphql_mapping_template_1.ref)('ctx.identity.cognitoIdentityId')),
+        ]);
+        exp = (0, graphql_mapping_template_1.iff)((0, graphql_mapping_template_1.not)((0, graphql_mapping_template_1.parens)(isNonCognitoIAMPrincipal)), exp);
+    }
     return (0, graphql_mapping_template_1.printBlock)(`Sandbox Mode ${sandboxEnabled ? 'Enabled' : 'Disabled'}`)((0, graphql_mapping_template_1.compoundExpression)([exp, (0, graphql_mapping_template_1.toJson)((0, graphql_mapping_template_1.obj)({}))]));
@@ -158,2 +166,14 @@ };
 exports.generateFieldResolverForOwner = generateFieldResolverForOwner;
+const generateIAMAccessCheck = (enableIamAccess, expression) => {
+    if (!enableIamAccess) {
+        return expression;
+    }
+    const isNonCognitoIAMPrincipal = (0, graphql_mapping_template_1.and)([
+        (0, graphql_mapping_template_1.equals)((0, graphql_mapping_template_1.ref)('util.authType()'), (0, graphql_mapping_template_1.str)(utils_1.IAM_AUTH_TYPE)),
+        (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.isNull'), (0, graphql_mapping_template_1.ref)('ctx.identity.cognitoIdentityPoolId')),
+        (0, graphql_mapping_template_1.methodCall)((0, graphql_mapping_template_1.ref)('util.isNull'), (0, graphql_mapping_template_1.ref)('ctx.identity.cognitoIdentityId')),
+    ]);
+    return (0, graphql_mapping_template_1.ifElse)(isNonCognitoIAMPrincipal, (0, graphql_mapping_template_1.compoundExpression)([helpers_1.setHasAuthExpression, exports.emptyPayload]), expression);
+};
+exports.generateIAMAccessCheck = generateIAMAccessCheck;
 //# sourceMappingURL=common.js.map

lib/vtl-generator/rds/resolvers/mutation.js

@@ -7,14 +7,14 @@ "use strict";
 const generateAuthExpressionForCreate = (ctx, providers, roles, fields) => {
-    return generateMutationExpression(roles, fields, 'create', providers.hasIdentityPoolId, false);
+    return generateMutationExpression(roles, fields, 'create', providers.hasIdentityPoolId, providers.genericIamAccessEnabled, false);
 };
 exports.generateAuthExpressionForCreate = generateAuthExpressionForCreate;
 const generateAuthExpressionForUpdate = (providers, roles, fields) => {
-    return generateMutationExpression(roles, fields, 'update', providers.hasIdentityPoolId, true);
+    return generateMutationExpression(roles, fields, 'update', providers.hasIdentityPoolId, providers.genericIamAccessEnabled, true);
 };
 exports.generateAuthExpressionForUpdate = generateAuthExpressionForUpdate;
 const generateAuthExpressionForDelete = (providers, roles, fields) => {
-    return generateMutationExpression(roles, fields, 'delete', providers.hasIdentityPoolId, true);
+    return generateMutationExpression(roles, fields, 'delete', providers.hasIdentityPoolId, providers.genericIamAccessEnabled, true);
 };
 exports.generateAuthExpressionForDelete = generateAuthExpressionForDelete;
-const generateMutationExpression = (roles, fields, operation, hasIdentityPoolId, includeExistingRecord = false) => {
+const generateMutationExpression = (roles, fields, operation, hasIdentityPoolId, enableIamAccess, includeExistingRecord = false) => {
     const expressions = [];
@@ -26,3 +26,3 @@ expressions.push((0, graphql_mapping_template_1.compoundExpression)((0, common_1.generateAuthRulesFromRoles)(roles, fields, hasIdentityPoolId, false)));
     expressions.push((0, common_1.validateAuthResult)(), (0, common_1.constructAuthorizedInputStatement)('ctx.args.input'), common_1.emptyPayload);
-    return (0, graphql_mapping_template_1.printBlock)('Authorization rules')((0, graphql_mapping_template_1.compoundExpression)(expressions));
+    return (0, graphql_mapping_template_1.printBlock)('Authorization rules')((0, common_1.generateIAMAccessCheck)(enableIamAccess, (0, graphql_mapping_template_1.compoundExpression)(expressions)));
 };
@@ -29,0 +29,0 @@ const generateAuthRequestExpression = (ctx, def) => {

lib/vtl-generator/rds/resolvers/query.js

@@ -12,3 +12,3 @@ "use strict";
     expressions.push((0, common_1.validateAuthResult)(), (0, common_1.constructAuthFilter)(), common_1.emptyPayload);
-    return (0, graphql_mapping_template_1.printBlock)('Authorization rules')((0, graphql_mapping_template_1.compoundExpression)(expressions));
+    return (0, graphql_mapping_template_1.printBlock)('Authorization rules')((0, common_1.generateIAMAccessCheck)(providers.genericIamAccessEnabled, (0, graphql_mapping_template_1.compoundExpression)(expressions)));
 };
@@ -22,3 +22,3 @@ exports.generateAuthExpressionForQueries = generateAuthExpressionForQueries;
     expressions.push(common_1.emptyPayload);
-    return (0, graphql_mapping_template_1.printBlock)('Authorization rules')((0, graphql_mapping_template_1.compoundExpression)(expressions));
+    return (0, graphql_mapping_template_1.printBlock)('Authorization rules')((0, common_1.generateIAMAccessCheck)(providers.genericIamAccessEnabled, (0, graphql_mapping_template_1.compoundExpression)(expressions)));
 };
@@ -41,5 +41,5 @@ exports.generateAuthExpressionForField = generateAuthExpressionForField;
     expressions.push((0, common_1.validateAuthResult)(), (0, common_1.constructAuthFilter)(), common_1.emptyPayload);
-    return (0, graphql_mapping_template_1.printBlock)('Authorization rules')((0, graphql_mapping_template_1.compoundExpression)(expressions));
+    return (0, graphql_mapping_template_1.printBlock)('Authorization rules')((0, common_1.generateIAMAccessCheck)(providers.genericIamAccessEnabled, (0, graphql_mapping_template_1.compoundExpression)(expressions)));
 };
 exports.generateAuthExpressionForRelationQuery = generateAuthExpressionForRelationQuery;
 //# sourceMappingURL=query.js.map

lib/vtl-generator/rds/resolvers/subscription.js

@@ -15,5 +15,5 @@ "use strict";
     expressions.push(common_1.emptyPayload);
-    return (0, graphql_mapping_template_1.printBlock)('Authorization rules')((0, graphql_mapping_template_1.compoundExpression)(expressions));
+    return (0, graphql_mapping_template_1.printBlock)('Authorization rules')((0, common_1.generateIAMAccessCheck)(providers.genericIamAccessEnabled, (0, graphql_mapping_template_1.compoundExpression)(expressions)));
 };
 exports.generateAuthExpressionForSubscriptions = generateAuthExpressionForSubscriptions;
 //# sourceMappingURL=subscription.js.map

lib/vtl-generator/vtl-generator.d.ts

@@ -17,4 +17,4 @@ import { TransformerContextProvider } from '@aws-amplify/graphql-transformer-interfaces';
     generateFieldResolverForOwner: (entity: string) => string;
-    generateSandboxExpressionForField: (sandboxEnabled: boolean) => string;
+    generateSandboxExpressionForField: (sandboxEnabled: boolean, genericIamAccessEnabled: boolean) => string;
 }
 //# sourceMappingURL=vtl-generator.d.ts.map

package.json

 {
   "name": "@aws-amplify/graphql-auth-transformer",
-  "version": "3.4.1",
+  "version": "3.4.2-iam-auth.0",
   "description": "Amplify GraphQL @auth transformer",
@@ -32,9 +32,9 @@ "repository": {
   "dependencies": {
-    "@aws-amplify/graphql-model-transformer": "2.6.0",
-    "@aws-amplify/graphql-relational-transformer": "2.4.1",
-    "@aws-amplify/graphql-transformer-core": "2.5.0",
-    "@aws-amplify/graphql-transformer-interfaces": "3.4.0",
+    "@aws-amplify/graphql-model-transformer": "2.6.1-iam-auth.0",
+    "@aws-amplify/graphql-relational-transformer": "2.4.2-iam-auth.0",
+    "@aws-amplify/graphql-transformer-core": "2.5.1-iam-auth.0",
+    "@aws-amplify/graphql-transformer-interfaces": "3.4.1-iam-auth.0",
     "graphql": "^15.5.0",
-    "graphql-mapping-template": "4.20.15",
-    "graphql-transformer-common": "4.28.1",
+    "graphql-mapping-template": "4.20.16-iam-auth.0",
+    "graphql-transformer-common": "4.28.2-iam-auth.0",
     "lodash": "^4.17.21",
@@ -44,7 +44,7 @@ "md5": "^2.3.0"
   "devDependencies": {
-    "@aws-amplify/graphql-function-transformer": "2.1.18",
-    "@aws-amplify/graphql-index-transformer": "2.3.7",
-    "@aws-amplify/graphql-searchable-transformer": "2.6.1",
-    "@aws-amplify/graphql-sql-transformer": "0.2.7",
-    "@aws-amplify/graphql-transformer-test-utils": "0.4.6",
+    "@aws-amplify/graphql-function-transformer": "2.1.19-iam-auth.0",
+    "@aws-amplify/graphql-index-transformer": "2.3.8-iam-auth.0",
+    "@aws-amplify/graphql-searchable-transformer": "2.6.2-iam-auth.0",
+    "@aws-amplify/graphql-sql-transformer": "0.2.8-iam-auth.0",
+    "@aws-amplify/graphql-transformer-test-utils": "0.4.7-iam-auth.0",
     "@types/node": "^12.12.6"
@@ -91,3 +91,3 @@ },
   },
-  "gitHead": "9a0fb53d5df94e76811cbbdc4f3fc98fc6278c41"
+  "gitHead": "cb69f1ad3fae324674f3cc6db63495b4344c3fb5"
 }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

No v1

Quality

Package is not semver >=1. This means it is not stable and does not support ^ ranges.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

657177

increased by1.43%

Lines of code

4257

increased by1.12%

Worsened metrics

Number of low quality alerts

2

increased by100%

Dependency changes

• + Added@aws-amplify/graphql-index-transformer@2.3.8-iam-auth.0(transitive)

• + Added@aws-amplify/graphql-model-transformer@2.6.1-iam-auth.0(transitive)

• + Added@aws-amplify/graphql-relational-transformer@2.4.2-iam-auth.0(transitive)

• + Added@aws-amplify/graphql-transformer-core@2.5.1-iam-auth.0(transitive)

• + Added@aws-amplify/graphql-transformer-interfaces@3.4.1-iam-auth.0(transitive)

• + Addedgraphql-mapping-template@4.20.16-iam-auth.0(transitive)

• + Addedgraphql-transformer-common@4.28.2-iam-auth.0(transitive)

• - Removed@aws-amplify/graphql-index-transformer@2.3.7(transitive)

• - Removed@aws-amplify/graphql-model-transformer@2.6.0(transitive)

• - Removed@aws-amplify/graphql-relational-transformer@2.4.1(transitive)

• - Removed@aws-amplify/graphql-transformer-core@2.5.0(transitive)

• - Removed@aws-amplify/graphql-transformer-interfaces@3.4.0(transitive)

• - Removedgraphql-mapping-template@4.20.15(transitive)

• - Removedgraphql-transformer-common@4.28.1(transitive)

• Updated@aws-amplify/graphql-model-transformer@2.6.1-iam-auth.0

• Updated@aws-amplify/graphql-relational-transformer@2.4.2-iam-auth.0

• Updated@aws-amplify/graphql-transformer-core@2.5.1-iam-auth.0

• Updated@aws-amplify/graphql-transformer-interfaces@3.4.1-iam-auth.0

• Updatedgraphql-mapping-template@4.20.16-iam-auth.0

• Updatedgraphql-transformer-common@4.28.2-iam-auth.0