From 37e2b61d3ffc0ab4696262c49a64cacf9fabf879 Mon Sep 17 00:00:00 2001 From: Danielle Adams <6271256+danielleadams@users.noreply.github.com> Date: Fri, 15 Apr 2022 11:11:57 -0400 Subject: [PATCH] Revert "Revert "feat: add handling of colon-delimited identity claims to query (#10189)" (#10213)" This reverts commit 9f13064d592937c82e534c32469053d7e96a169b. --- .../conflict-resolution.test.ts.snap | 12 +- .../__snapshots__/owner-auth.test.ts.snap | 158 +++++++++++++++++- .../src/__tests__/owner-auth.test.ts | 30 ++++ .../src/graphql-auth-transformer.ts | 55 +++++- .../src/resolvers/field.ts | 15 ++ .../src/resolvers/index.ts | 6 +- .../src/resolvers/query.ts | 27 ++- ...phql-many-to-many-transformer.test.ts.snap | 12 +- 8 files changed, 288 insertions(+), 27 deletions(-) diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/conflict-resolution.test.ts.snap b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/conflict-resolution.test.ts.snap index 93324816890..379d0484ec8 100644 --- a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/conflict-resolution.test.ts.snap +++ b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/conflict-resolution.test.ts.snap 
@@ -15,9 +15,9 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( $util.authType() == \\"User Pool Authorization\\" ) #if( !$isAuthorized ) #set( $authFilter = [] ) - #set( $role0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $role0 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0 }})) + #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #if( $role0_1 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0_1 }})) #end #if( !$authFilter.isEmpty() ) $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter })) @@ -79,9 +79,9 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( $util.authType() == \\"User Pool Authorization\\" ) #if( !$isAuthorized ) #set( $authFilter = [] ) - #set( $role0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $role0 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0 }})) + #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #if( $role0_1 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0_1 }})) #end #if( !$authFilter.isEmpty() ) $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter })) diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/owner-auth.test.ts.snap b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/owner-auth.test.ts.snap index b82a09a28e4..5de21ec1e7f 100644 
--- a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/owner-auth.test.ts.snap +++ b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/owner-auth.test.ts.snap @@ -89,9 +89,9 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( $util.authType() == \\"User Pool Authorization\\" ) #if( !$isAuthorized ) #set( $authFilter = [] ) - #set( $role0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $role0 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"editors\\": { \\"contains\\": $role0 }})) + #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #if( $role0_1 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"editors\\": { \\"contains\\": $role0_1 }})) #end #if( !$authFilter.isEmpty() ) $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter })) @@ -113,9 +113,9 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( $util.authType() == \\"User Pool Authorization\\" ) #if( !$isAuthorized ) #set( $authFilter = [] ) - #set( $role0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $role0 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"editors\\": { \\"contains\\": $role0 }})) + #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #if( $role0_1 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"editors\\": { \\"contains\\": $role0_1 }})) #end #if( !$authFilter.isEmpty() ) $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter })) 
@@ -196,3 +196,149 @@ $util.unauthorized() $util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}}) ## [End] Authorization Steps. **" `; + +exports[`owner where field is ":" delimited string 1`] = ` +"## [Start] Authorization Steps. ** +$util.qr($ctx.stash.put(\\"hasAuth\\", true)) +#set( $inputFields = $util.parseJson($util.toJson($ctx.args.input.keySet())) ) +#set( $isAuthorized = false ) +#set( $allowedFields = [] ) +#if( $util.authType() == \\"User Pool Authorization\\" ) + #if( !$isAuthorized ) + #set( $ownerEntity0 = $util.defaultIfNull($ctx.args.input.owner, null) ) + #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub:username\\"), \\"___xamznone____\\") ) + #set( $ownerAllowedFields0 = [\\"id\\",\\"title\\",\\"createdAt\\",\\"updatedAt\\"] ) + #set( $isAuthorizedOnAllFields0 = true ) + #if( $ownerClaim0 == $ownerEntity0 ) + #if( $isAuthorizedOnAllFields0 ) + #set( $isAuthorized = true ) + #else + $util.qr($allowedFields.addAll($ownerAllowedFields0)) + #end + #end + #if( $util.isNull($ownerEntity0) && !$ctx.args.input.containsKey(\\"owner\\") ) + $util.qr($ctx.args.input.put(\\"owner\\", $ownerClaim0)) + #if( $isAuthorizedOnAllFields0 ) + #set( $isAuthorized = true ) + #else + $util.qr($allowedFields.addAll($ownerAllowedFields0)) + #end + #end + #end +#end +#if( !$isAuthorized && $allowedFields.isEmpty() ) +$util.unauthorized() +#end +#if( !$isAuthorized ) + #set( $deniedFields = $util.list.copyAndRemoveAll($inputFields, $allowedFields) ) + #if( $deniedFields.size() > 0 ) + $util.error(\\"Unauthorized on \${deniedFields}\\", \\"Unauthorized\\") + #end +#end +$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}}) +## [End] Authorization Steps. **" +`; + +exports[`owner where field is ":" delimited string 2`] = ` +"## [Start] Get Request template. 
** +#set( $GetRequest = { + \\"version\\": \\"2018-05-29\\", + \\"operation\\": \\"GetItem\\" +} ) +#if( $ctx.stash.metadata.modelObjectKey ) + #set( $key = $ctx.stash.metadata.modelObjectKey ) +#else + #set( $key = { + \\"id\\": $util.dynamodb.toDynamoDB($ctx.args.input.id) +} ) +#end +$util.qr($GetRequest.put(\\"key\\", $key)) +$util.toJson($GetRequest) +## [End] Get Request template. **" +`; + +exports[`owner where field is ":" delimited string 3`] = ` +"## [Start] Get Request template. ** +#set( $GetRequest = { + \\"version\\": \\"2018-05-29\\", + \\"operation\\": \\"GetItem\\" +} ) +#if( $ctx.stash.metadata.modelObjectKey ) + #set( $key = $ctx.stash.metadata.modelObjectKey ) +#else + #set( $key = { + \\"id\\": $util.dynamodb.toDynamoDB($ctx.args.input.id) +} ) +#end +$util.qr($GetRequest.put(\\"key\\", $key)) +$util.toJson($GetRequest) +## [End] Get Request template. **" +`; + +exports[`owner where field is ":" delimited string 4`] = ` +"## [Start] Authorization Steps. ** +$util.qr($ctx.stash.put(\\"hasAuth\\", true)) +#set( $isAuthorized = false ) +#set( $primaryFieldMap = {} ) +#if( $util.authType() == \\"User Pool Authorization\\" ) + #if( !$isAuthorized ) + #set( $authFilter = [] ) + #set( $role0_0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) + #set( $ownerPrefix0_0 = \\"$role0_0:\\" ) + #if( $role0_0 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"owner\\": { \\"beginsWith\\": $ownerPrefix0_0 }})) + #end + #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerPrefix0_1 = \\"$role0_1:\\" ) + #if( $role0_1 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"owner\\": { \\"beginsWith\\": $ownerPrefix0_1 }})) + #end + #set( $role0_2 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub:username\\"), \\"___xamznone____\\") ) + #if( $role0_2 != \\"___xamznone____\\" ) + 
$util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0_2 }})) + #end + #if( !$authFilter.isEmpty() ) + $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter })) + #end + #end +#end +#if( !$isAuthorized && $util.isNull($ctx.stash.authFilter) ) +$util.unauthorized() +#end +$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}}) +## [End] Authorization Steps. **" +`; + +exports[`owner where field is ":" delimited string 5`] = ` +"## [Start] Authorization Steps. ** +$util.qr($ctx.stash.put(\\"hasAuth\\", true)) +#set( $isAuthorized = false ) +#set( $primaryFieldMap = {} ) +#if( $util.authType() == \\"User Pool Authorization\\" ) + #if( !$isAuthorized ) + #set( $authFilter = [] ) + #set( $role0_0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) + #set( $ownerPrefix0_0 = \\"$role0_0:\\" ) + #if( $role0_0 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"owner\\": { \\"beginsWith\\": $ownerPrefix0_0 }})) + #end + #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerPrefix0_1 = \\"$role0_1:\\" ) + #if( $role0_1 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"owner\\": { \\"beginsWith\\": $ownerPrefix0_1 }})) + #end + #set( $role0_2 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub:username\\"), \\"___xamznone____\\") ) + #if( $role0_2 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0_2 }})) + #end + #if( !$authFilter.isEmpty() ) + $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter })) + #end + #end +#end +#if( !$isAuthorized && $util.isNull($ctx.stash.authFilter) ) +$util.unauthorized() +#end +$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}}) +## [End] Authorization Steps. **" +`; 
diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/owner-auth.test.ts b/packages/amplify-graphql-auth-transformer/src/__tests__/owner-auth.test.ts
index 75b3578a52e..25c4206ccfd 100644
--- a/packages/amplify-graphql-auth-transformer/src/__tests__/owner-auth.test.ts
+++ b/packages/amplify-graphql-auth-transformer/src/__tests__/owner-auth.test.ts
@@ -64,6 +64,36 @@ test('owner field where the field is a list', () => {
 expect(out.resolvers['Query.listPosts.auth.1.req.vtl']).toMatchSnapshot();
 });
+test('owner where field is ":" delimited string', () => {
+ const authConfig: AppSyncAuthConfiguration = {
+ defaultAuthentication: {
+ authenticationType: 'AMAZON_COGNITO_USER_POOLS',
+ },
+ additionalAuthenticationProviders: [],
+ };
+ const validSchema = `
+ type Post @model @auth(rules: [{allow: owner, identityClaim: "sub:username" }]) {
+ id: ID!
+ title: String!
+ createdAt: String
+ updatedAt: String
+ }`;
+ const transformer = new GraphQLTransform({
+ authConfig,
+ transformers: [new ModelTransformer(), new AuthTransformer()],
+ });
+ const out = transformer.transform(validSchema);
+ expect(out).toBeDefined();
+ expect(out.rootStack.Resources[ResourceConstants.RESOURCES.GraphQLAPILogicalID].Properties.AuthenticationType).toEqual(
+ 'AMAZON_COGNITO_USER_POOLS',
+ );
+ expect(out.resolvers['Mutation.createPost.auth.1.req.vtl']).toMatchSnapshot();
+ expect(out.resolvers['Mutation.updatePost.auth.1.req.vtl']).toMatchSnapshot();
+ expect(out.resolvers['Mutation.deletePost.auth.1.req.vtl']).toMatchSnapshot();
+ expect(out.resolvers['Query.getPost.auth.1.req.vtl']).toMatchSnapshot();
+ expect(out.resolvers['Query.listPosts.auth.1.req.vtl']).toMatchSnapshot();
+});
+
 test('owner field with subscriptions', () => {
 const authConfig: AppSyncAuthConfiguration = {
 defaultAuthentication: {
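Review bot: The new test snapshots only the five `auth.1.req.vtl` request templates, so the response template this feature attaches to the `owner` field (built by `generateFieldResolverForOwner` and named `${typeName}.${fieldName}.res.vtl` in graphql-auth-transformer.ts) is never captured, and a regression in the colon-splitting logic would not fail any test. Add `expect(out.resolvers['Post.owner.res.vtl']).toMatchSnapshot();` alongside the existing expectations; the exact key is inferred from the template name in the transformer hunk, so confirm it against `Object.keys(out.resolvers)`. It would also be worth a sibling test with a list-typed owner field and a delimited claim, since the transformer attaches the field resolver for every owner role.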
diff --git a/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts b/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts
index c496187fbbc..1383286f3d3 100644
--- a/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts
+++ b/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts
@@ -58,6 +58,7 @@ import {
 setDeniedFieldFlag,
 generateAuthExpressionForRelationQuery,
 generateSandboxExpressionForField,
+ generateFieldResolverForOwner,
 } from './resolvers';
 import { AccessControlMatrix } from './accesscontrol';
 import {
@@ -304,7 +305,9 @@ export class AuthTransformer extends TransformerAuthBase implements TransformerA
 const def = context.output.getObject(modelName)!;
 const modelNameConfig = this.modelDirectiveConfig.get(modelName);
 const searchableDirective = def.directives.find(dir => dir.name.value === 'searchable');
- // queries
+ const readRoles = acm.getRolesPerOperation('read');
+ const roleDefinitions = readRoles.map(role => this.roleMap.get(role)!);
+
 const queryFields = getQueryFieldNames(this.modelDirectiveConfig.get(modelName)!);
 queryFields.forEach(query => {
 switch (query.type) {
@@ -337,7 +340,6 @@ export class AuthTransformer extends TransformerAuthBase implements TransformerA
 // get fields specified in the schema
 // if there is a role that does not have read access on the field then we create a field resolver
 // or there is a relational directive on the field then we should protect that as well
- const readRoles = acm.getRolesPerOperation('read');
 const modelFields = def.fields?.filter(f => acm.hasResource(f.name.value)) ?? [];
 const errorFields = new Array();
 modelFields.forEach(field => {
@@ -379,14 +381,18 @@ export class AuthTransformer extends TransformerAuthBase implements TransformerA
 });
 const subscriptionFieldNames = getSubscriptionFieldNames(this.modelDirectiveConfig.get(modelName)!);
- const subscriptionRoles = acm
- .getRolesPerOperation('read')
- .map(role => this.roleMap.get(role)!)
+ const subscriptionRoles = roleDefinitions
 // for subscriptions we only use static rules or owner rule where the field is not a list
 .filter(roleDef => (roleDef.strategy === 'owner' && !fieldIsList(def.fields ?? [], roleDef.entity!)) || roleDef.static);
 subscriptionFieldNames.forEach(subscription => {
 this.protectSubscriptionResolver(context, subscription.typeName, subscription.fieldName, subscriptionRoles);
 });
+
+ roleDefinitions.forEach(role => {
+ if (role.strategy === 'owner') {
+ this.addFieldResolverForDynamicAuth(context, def, modelName, role.entity);
+ }
+ });
 });
 this.authNonModelConfig.forEach((acm, typeFieldName) => {
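Review bot: The added `roleDefinitions.forEach` attaches the owner field resolver for every owner role, with no check that the owner field is a scalar or that the role's claim is actually colon-delimited, so a list-typed owner field (the `editors` case covered by the existing tests) gets a response template that calls `.split(":")` on a list value, and plain `username`/`sub` owners get their stored value rewritten for no reason. The subscription filter a few lines up already has the right predicate; reuse it and add the claim condition: `if (role.strategy === 'owner' && !fieldIsList(def.fields ?? [], role.entity!) && role.claim?.includes(':')) {`. The call also passes `role.entity` into a `fieldName: string` parameter while the same hunk spells it `roleDef.entity!`, which suggests the field is optional on the role type; if so, this should not compile under strict null checks, so confirm the role definition type. The enclosing `forEach` callback starts and ends outside the hunk.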
@@ -397,6 +403,45 @@ export class AuthTransformer extends TransformerAuthBase implements TransformerA
 });
 };
+ addFieldResolverForDynamicAuth = (
+ ctx: TransformerContextProvider,
+ def: ObjectTypeDefinitionNode,
+ typeName: string,
+ fieldName: string,
+ ): void => {
+ let resolver = ctx.resolvers.getResolver(typeName, fieldName);
+
+ if (resolver) {
+ resolver.addToSlot(
+ 'finish',
+ undefined,
+ MappingTemplate.s3MappingTemplateFromString(
+ generateFieldResolverForOwner(fieldName),
+ `${typeName}.${fieldName}.{slotName}.{slotIndex}.res.vtl`,
+ ),
+ );
+ } else {
+ const hasModelDirective = def.directives.some(dir => dir.name.value === 'model');
+ const stack = getStackForField(ctx, def, fieldName, hasModelDirective);
+
+ resolver = ctx.resolvers.addResolver(
+ typeName,
+ fieldName,
+ new TransformerResolver(
+ typeName,
+ fieldName,
+ ResolverResourceIDs.ResolverResourceID(typeName, fieldName),
+ MappingTemplate.s3MappingTemplateFromString('$util.toJson({"version":"2018-05-29","payload":{}})', `${typeName}.${fieldName}.req.vtl`),
+ MappingTemplate.s3MappingTemplateFromString(generateFieldResolverForOwner(fieldName), `${typeName}.${fieldName}.res.vtl`),
+ ['init'],
+ ['finish'],
+ ),
+ );
+
+ resolver.mapToStack(stack);
+ }
+ };
+
 protectSchemaOperations = (
 ctx: TransformerTransformSchemaStepContextProvider,
 def: ObjectTypeDefinitionNode,
diff --git a/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts b/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts
index 338577dc442..28bfa66db7a 100644
--- a/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts
+++ b/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts
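Review bot: `addFieldResolverForDynamicAuth` is a new public member with no doc comment, and its name and the generic `fieldName` parameter do not say that it only makes sense for an owner field whose stored value is colon-delimited, or that it changes what clients see for that field. Add a JSDoc block above it stating that it attaches a response template to `typeName.fieldName` which rewrites the field's value to its last `:`-delimited segment before it is returned, appending to the `finish` slot when the field already has a resolver and otherwise creating a pipeline resolver with a pass-through request template and mapping it to the field's stack. The two `generateFieldResolverForOwner(fieldName)` calls could be hoisted into one `const responseTemplate = generateFieldResolverForOwner(fieldName);` so both branches are visibly emitting the same VTL. The class body continues outside the hunk.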
@@ -191,3 +191,18 @@ export const generateSandboxExpressionForField = (sandboxEnabled: boolean): stri
 else exp = methodCall(ref('util.unauthorized'));
 return printBlock(`Sandbox Mode ${sandboxEnabled ? 'Enabled' : 'Disabled'}`)(compoundExpression([exp, toJson(obj({}))]));
 };
+
+/**
+ * Creates field resolver for owner
+ */
+export const generateFieldResolverForOwner = (entity: string): string => {
+ const expressions: Expression[] = [
+ set(ref('ownerEntities'), ref(`ctx.source.${entity}.split(":")`)),
+ set(ref('ownerEntitiesLastIdx'), raw('$ownerEntities.size() - 1')),
+ set(ref('ownerEntitiesLast'), ref('ownerEntities.get($ownerEntitiesLastIdx)')),
+ qref(methodCall(ref('ctx.source.put'), str(entity), ref('ownerEntitiesLast'))),
+ toJson(ref(`ctx.source.${entity}`)),
+ ];
+
+ return printBlock('Parse owner field auth for Get')(compoundExpression(expressions));
+};
diff --git a/packages/amplify-graphql-auth-transformer/src/resolvers/index.ts b/packages/amplify-graphql-auth-transformer/src/resolvers/index.ts
index ccf1b6ab8e2..7f820a17f54 100644
--- a/packages/amplify-graphql-auth-transformer/src/resolvers/index.ts
+++ b/packages/amplify-graphql-auth-transformer/src/resolvers/index.ts
@@ -1,4 +1,7 @@
-export { generateAuthExpressionForQueries, generateAuthExpressionForRelationQuery } from './query';
+export {
+ generateAuthExpressionForQueries,
+ generateAuthExpressionForRelationQuery,
+} from './query';
 export { generateAuthExpressionForSearchQueries } from './search';
 export { generateAuthExpressionForCreate } from './mutation.create';
 export { generateAuthExpressionForUpdate } from './mutation.update';
@@ -8,6 +11,7 @@ export {
 generateFieldAuthResponse,
 setDeniedFieldFlag,
 generateSandboxExpressionForField,
+ generateFieldResolverForOwner,
 } from './field';
 export { generateAuthExpressionForSubscriptions } from './subscriptions';
 export { generateAuthRequestExpression } from './helpers';
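Review bot: The generated template dereferences `$ctx.source.<entity>` unconditionally, so a record whose owner field is absent, null, or not a string (a list-typed owner, or an item created before this rule was added) makes `.split(":")` and then `$ownerEntities.size() - 1` operate on null, and the `ctx.source.put` then writes whatever that yields back into the source; wrap the whole sequence in an `#if( !$util.isNull($ctx.source.<entity>) )` guard (e.g. with `iff(...)` around the first four expressions) so such records are returned unchanged. The template also silently strips every segment except the last, so a stored `sub:username` owner is surfaced to clients as just the username, which is a data-shaping decision the doc comment should state rather than "Creates field resolver for owner"; suggested text: "Builds the response template for an owner field whose stored value is `:`-delimited (e.g. `sub:username`): splits the stored value, keeps only the last segment, writes it back to `$ctx.source` and returns it, so the client never sees the leading identity components." The `printBlock('Parse owner field auth for Get')` label is misleading since the template is attached to the field resolver on every read, not only Get. Index.ts re-exports are fine.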
diff --git a/packages/amplify-graphql-auth-transformer/src/resolvers/query.ts b/packages/amplify-graphql-auth-transformer/src/resolvers/query.ts
index 93bd3f6dd13..9c4c9941d09 100644
--- a/packages/amplify-graphql-auth-transformer/src/resolvers/query.ts
+++ b/packages/amplify-graphql-auth-transformer/src/resolvers/query.ts
@@ -253,6 +253,8 @@ const generateAuthFilter = (roles: Array, fields: ReadonlyArray<
 const groupContainsExpression = new Array();
 if (!(roles.length > 0)) return [];
 /**
+ * if ownerField is a concatenated string (ie. "sub:username")
+ * ownerField: { beginsWith: "sub: "}
 * if ownerField is string
 * ownerField: { eq: "cognito:owner" }
 * if ownerField is a List
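Review bot: The added comment example `ownerField: { beginsWith: "sub: "}` has a stray space inside the literal, whereas the code below builds the prefix as `"$role:"` with no trailing space, so the comment documents a value that is never generated. It also reads as if a single `beginsWith` clause is emitted, while the implementation emits one prefix clause per `:`-separated component plus a trailing `eq` on the full claim. Suggested wording: `* if ownerField is a concatenated string (i.e. "sub:username"), one clause per component:` / `* ownerField: { beginsWith: "<sub>:" } OR ownerField: { beginsWith: "<username>:" } OR ownerField: { eq: <full claim> }`. generateAuthFilter continues outside the hunk.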
@@ -266,13 +268,32 @@ const generateAuthFilter = (roles: Array, fields: ReadonlyArray<
 roles.forEach((role, idx) => {
 const entityIsList = fieldIsList(fields, role.entity);
 if (role.strategy === 'owner') {
+ const claims = role.claim!.split(':');
+ const hasMultiClaims = claims.length > 1 && role.claim !== 'cognito:username';
 const ownerCondition = entityIsList ? 'contains' : 'eq';
+
+ if (hasMultiClaims && !entityIsList) {
+ claims.forEach((claim, secIdx) => {
+ authCollectionExp.push(
+ ...[
+ set(ref(`role${idx}_${secIdx}`), getOwnerClaim(claim)),
+ set(ref(`ownerPrefix${idx}_${secIdx}`), str(`$role${idx}_${secIdx}:`)),
+ iff(
+ notEquals(ref(`role${idx}_${secIdx}`), str(NONE_VALUE)),
+ qref(methodCall(ref('authFilter.add'), raw(`{"${role.entity}": { "beginsWith": $ownerPrefix${idx}_${secIdx} }}`))),
+ ),
+ ],
+ );
+ });
+ }
+ const secIdx = claims.length;
+
 authCollectionExp.push(
 ...[
- set(ref(`role${idx}`), getOwnerClaim(role.claim!)),
+ set(ref(`role${idx}_${secIdx}`), getOwnerClaim(role.claim!)),
 iff(
- notEquals(ref(`role${idx}`), str(NONE_VALUE)),
- qref(methodCall(ref('authFilter.add'), raw(`{"${role.entity}": { "${ownerCondition}": $role${idx} }}`))),
+ notEquals(ref(`role${idx}_${secIdx}`), str(NONE_VALUE)),
+ qref(methodCall(ref('authFilter.add'), raw(`{"${role.entity}": { "${ownerCondition}": $role${idx}_${secIdx} }}`))),
 ),
 ],
 );
diff --git a/packages/amplify-graphql-relational-transformer/src/__tests__/__snapshots__/amplify-graphql-many-to-many-transformer.test.ts.snap b/packages/amplify-graphql-relational-transformer/src/__tests__/__snapshots__/amplify-graphql-many-to-many-transformer.test.ts.snap
index bbdb4ebe478..402be5e60c1 100644
--- a/packages/amplify-graphql-relational-transformer/src/__tests__/__snapshots__/amplify-graphql-many-to-many-transformer.test.ts.snap
+++ b/packages/amplify-graphql-relational-transformer/src/__tests__/__snapshots__/amplify-graphql-many-to-many-transformer.test.ts.snap
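Review bot: The per-component clauses pushed in the `hasMultiClaims` branch are OR'ed into `authFilter` (the snapshot above shows `{ "or": $authFilter }`), so a record is readable when `owner` begins with the caller's `sub` OR begins with the caller's `username` on its own, which is weaker than the concatenated `sub:username` identity the rule names: a stored owner whose first segment happens to equal the caller's username is admitted by the second clause alone. The trailing `eq` term resolves a claim literally named `sub:username` (`$role0_2` in the snapshot, and the create template in the same snapshot reads the same literal), which a standard token will not carry unless something upstream adds it, so in practice only the prefix clauses filter and the value written on create and the values queried here are not derived the same way. Consider composing the already-resolved components and comparing the whole value instead, e.g. `set(ref(\`ownerComposite${idx}\`), str(claims.map((_, i) => \`$role${idx}_${i}\`).join(':')))` followed by a single `{"${role.entity}": { "eq": $ownerComposite${idx} }}` guarded on every component being non-`NONE_VALUE`. The `role.claim !== 'cognito:username'` exclusion also means any other colon-bearing claim name, such as a `custom:` attribute, gets split into components; I cannot see how `identityClaim` is validated upstream, so that may already be rejected. generateAuthFilter continues outside the hunk.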
@@ -2616,9 +2616,9 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( $util.authType() == \\"User Pool Authorization\\" ) #if( !$isAuthorized ) #set( $authFilter = [] ) - #set( $role0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $role0 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0 }})) + #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #if( $role0_1 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0_1 }})) #end #if( !$authFilter.isEmpty() ) $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter })) @@ -2675,9 +2675,9 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( $util.authType() == \\"User Pool Authorization\\" ) #if( !$isAuthorized ) #set( $authFilter = [] ) - #set( $role0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $role0 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0 }})) + #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #if( $role0_1 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0_1 }})) #end #if( !$authFilter.isEmpty() ) $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter }))