From 928c00ef3a63b0ba23b1b3ca2dfe6dea35e6c505 Mon Sep 17 00:00:00 2001
From: Danielle Adams
Date: Mon, 18 Apr 2022 14:10:36 -0400
Subject: [PATCH] fix: match identifier values when populating input
---
 .../amplify-admin-auth.test.ts.snap | 5 ++-
 .../field-auth-argument.test.ts.snap | 36 ++++++++++++++-----
 .../src/__tests__/field-auth-argument.test.ts | 18 +++++++---
 .../src/resolvers/field.ts | 19 ++++++++--
 4 files changed, 63 insertions(+), 15 deletions(-)
diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/amplify-admin-auth.test.ts.snap b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/amplify-admin-auth.test.ts.snap
index 0a4bfeee475..562745c6c9e 100644
--- a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/amplify-admin-auth.test.ts.snap
+++ b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/amplify-admin-auth.test.ts.snap
@@ -18,7 +18,10 @@ $util.unauthorized()
 #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") )
 #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
 #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" )
- #if( $ownerEntity0 == $ownerClaim0 )
+ #set( $ownerClaimsList0 = [] )
+ $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\")))
+ $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\"))))
+ #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
 #set( $isAuthorized = true )
 #end
 #end
diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/field-auth-argument.test.ts.snap b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/field-auth-argument.test.ts.snap index 48ef861dc9d..7fba29f07fb 100644 --- a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/field-auth-argument.test.ts.snap +++ b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/field-auth-argument.test.ts.snap @@ -12,7 +12,10 @@ $util.unauthorized() #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) - #if( $ownerEntity0 == $ownerClaim0 ) + #set( $ownerClaimsList0 = [] ) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\"))) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")))) + #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) ) #set( $isAuthorized = true ) #end #end 
@@ -53,7 +56,10 @@ exports[`generates field resolver for other provider rules even if private remov #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) - #if( $ownerEntity0 == $ownerClaim0 ) + #set( $ownerClaimsList0 = [] ) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\"))) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")))) + #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) ) #set( $isAuthorized = true ) #end #end @@ -146,7 +152,10 @@ exports[`subscription disabled and userPools configured with non-nullable (requi #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) - #if( $ownerEntity0 == $ownerClaim0 ) + #set( $ownerClaimsList0 = [] ) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\"))) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")))) + #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) ) #set( $isAuthorized = true ) #end #end 
@@ -189,7 +198,10 @@ exports[`subscription disabled and userPools configured with nullable fields top #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) - #if( $ownerEntity0 == $ownerClaim0 ) + #set( $ownerClaimsList0 = [] ) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\"))) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")))) + #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) ) #set( $isAuthorized = true ) #end #end @@ -211,7 +223,9 @@ $util.unauthorized() #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $ownerEntity0 == $ownerClaim0 ) + #set( $ownerClaimsList0 = [] ) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")))) + #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) ) #set( $isAuthorized = true ) #end #end 
@@ -250,7 +264,9 @@ exports[`with identity claim feature flag disabled generates field resolver for #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $ownerEntity0 == $ownerClaim0 ) + #set( $ownerClaimsList0 = [] ) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")))) + #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) ) #set( $isAuthorized = true ) #end #end @@ -341,7 +357,9 @@ exports[`with identity claim feature flag disabled subscription disabled and use #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $ownerEntity0 == $ownerClaim0 ) + #set( $ownerClaimsList0 = [] ) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")))) + #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) ) #set( $isAuthorized = true ) #end #end 
@@ -382,7 +400,9 @@ exports[`with identity claim feature flag disabled subscription disabled and use #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $ownerEntity0 == $ownerClaim0 ) + #set( $ownerClaimsList0 = [] ) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")))) + #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) ) #set( $isAuthorized = true ) #end #end diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/field-auth-argument.test.ts b/packages/amplify-graphql-auth-transformer/src/__tests__/field-auth-argument.test.ts index f69078f2d00..6e91d38a903 100644 --- a/packages/amplify-graphql-auth-transformer/src/__tests__/field-auth-argument.test.ts +++ b/packages/amplify-graphql-auth-transformer/src/__tests__/field-auth-argument.test.ts 
@@ -188,7 +188,10 @@ describe('subscription disabled and userPools configured', () => {
 #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get("sub"), "___xamznone____") )
 #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), "___xamznone____")) )
 #set( $ownerClaim0 = "$ownerClaim0:$currentClaim1" )
- #if( $ownerEntity0 == $ownerClaim0 )
+ #set( $ownerClaimsList0 = [] )
+ $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get("sub"), "___xamznone____")))
+ $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), "___xamznone____"))))
+ #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
 #set( $isAuthorized = true )
 #end
 #end
@@ -277,7 +280,10 @@ describe('subscription disabled and userPools configured', () => {
 #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get("sub"), "___xamznone____") )
 #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), "___xamznone____")) )
 #set( $ownerClaim0 = "$ownerClaim0:$currentClaim1" )
- #if( $ownerEntity0 == $ownerClaim0 )
+ #set( $ownerClaimsList0 = [] )
+ $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get("sub"), "___xamznone____")))
+ $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), "___xamznone____"))))
+ #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
 #set( $isAuthorized = true )
 #end
 #end
@@ -529,7 +535,9 @@ describe('with identity claim feature flag disabled', () => {
 #if( !$isAuthorized )
 #set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) )
 #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), "___xamznone____")) )
- #if( $ownerEntity0 == $ownerClaim0 )
+ #set( $ownerClaimsList0 = [] )
+ $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), "___xamznone____"))))
+ #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
 #set( $isAuthorized = true )
 #end
 #end
@@ -622,7 +630,9 @@ describe('with identity claim feature flag disabled', () => {
 #if( !$isAuthorized )
 #set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) )
 #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), "___xamznone____")) )
- #if( $ownerEntity0 == $ownerClaim0 )
+ #set( $ownerClaimsList0 = [] )
+ $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), "___xamznone____"))))
+ #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
 #set( $isAuthorized = true )
 #end
 #end
diff --git a/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts b/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts
index 7013a5a3f5f..b802beb495c 100644
--- a/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts
+++ b/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts
@@ -21,6 +21,7 @@ import {
 notEquals,
 obj,
 list,
+ or,
 } from 'graphql-mapping-template';
 import {
 RoleDefinition,
@@ -40,6 +41,7 @@ import {
 lambdaExpression,
 getIdentityClaimExp,
 generateOwnerClaimExpression,
+ generateOwnerClaimListExpression,
 } from './helpers';
 
 // Field Read VTL Functions
@@ -55,16 +57,29 @@ const generateDynamicAuthReadExpression = (roles: Array, fields:
 compoundExpression([
 set(ref(`ownerEntity${idx}`), methodCall(ref('util.defaultIfNull'), ref(`ctx.source.${role.entity!}`), nul())),
 generateOwnerClaimExpression(role.claim!, `ownerClaim${idx}`),
+ generateOwnerClaimListExpression(role.claim!, idx),
 ...(entityIsList
 ? [
 forEach(ref('allowedOwner'), ref(`ownerEntity${idx}`), [
 iff(
- equals(ref('allowedOwner'), ref(`ownerClaim${idx}`)),
+ or([
+ equals(ref('allowedOwner'), ref(`ownerClaim${idx}`)),
+ methodCall(ref(`ownerClaimsList${idx}.contains`), ref(`ownerEntity${idx}`)),
+ ]),
 compoundExpression([set(ref(IS_AUTHORIZED_FLAG), bool(true)), raw('#break')]),
 ),
 ]),
 ]
- : [iff(equals(ref(`ownerEntity${idx}`), ref(`ownerClaim${idx}`)), set(ref(IS_AUTHORIZED_FLAG), bool(true)))]),
+ : [
+ iff(
+ or([
+ equals(ref(`ownerEntity${idx}`), ref(`ownerClaim${idx}`)),
+ methodCall(ref(`ownerClaimsList${idx}.contains`), ref(`ownerEntity${idx}`)),
+ ]),
+ set(ref(IS_AUTHORIZED_FLAG), bool(true)),
+ ),
+ ]
+ ),
 ]),
 ),
 );
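Review bot: In the `entityIsList` branch the new `methodCall(ref(`ownerClaimsList${idx}.contains`), ref(`ownerEntity${idx}`))` passes the whole owner list rather than the element being iterated, so the generated VTL evaluates `$ownerClaimsListN.contains($ownerEntityN)` inside `#foreach($allowedOwner in $ownerEntityN)` and the new fallback can never match a list-typed owner field; it should be `methodCall(ref(`ownerClaimsList${idx}.contains`), ref('allowedOwner'))`, mirroring the `equals(ref('allowedOwner'), …)` directly above it. The scalar branch below is consistent as written. Since the snapshots show the list is populated with the `sub` claim and the username claim individually, this check now authorizes stored owner values equal to either identifier alone in addition to the combined `sub:username` form, which deserves a comment at the `generateOwnerClaimListExpression(role.claim!, idx)` call, e.g. `// also accept owner values stored as a single identifier (sub or username), not only the combined sub:username form`. generateDynamicAuthReadExpression begins before this hunk.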