diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/amplify-admin-auth.test.ts.snap b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/amplify-admin-auth.test.ts.snap index ce8bd11aa4f..0a4bfeee475 100644 --- a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/amplify-admin-auth.test.ts.snap +++ b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/amplify-admin-auth.test.ts.snap @@ -16,8 +16,8 @@ $util.unauthorized() #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) #if( $ownerEntity0 == $ownerClaim0 ) #set( $isAuthorized = true ) #end 
@@ -63,11 +63,14 @@ $util.unauthorized() #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.args.input.owner, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) + #set( $ownerClaimsList0 = [] ) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\"))) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")))) #set( $ownerAllowedFields0 = [\\"id\\",\\"name\\",\\"description\\",\\"secretValue\\"] ) #set( $isAuthorizedOnAllFields0 = true ) - #if( $ownerClaim0 == $ownerEntity0 ) + #if( $ownerClaim0 == $ownerEntity0 || $ownerClaimsList0.contains($ownerEntity0) ) #if( $isAuthorizedOnAllFields0 ) #set( $isAuthorized = true ) #else diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/field-auth-argument.test.ts.snap b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/field-auth-argument.test.ts.snap index 72be71e0a80..48ef861dc9d 100644 --- a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/field-auth-argument.test.ts.snap +++ b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/field-auth-argument.test.ts.snap 
@@ -10,8 +10,8 @@ $util.unauthorized() #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) #if( $ownerEntity0 == $ownerClaim0 ) #set( $isAuthorized = true ) #end @@ -51,8 +51,8 @@ exports[`generates field resolver for other provider rules even if private remov #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) #if( $ownerEntity0 == $ownerClaim0 ) #set( $isAuthorized = true ) #end 
@@ -144,8 +144,8 @@ exports[`subscription disabled and userPools configured with non-nullable (requi #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) #if( $ownerEntity0 == $ownerClaim0 ) #set( $isAuthorized = true ) #end @@ -187,8 +187,8 @@ exports[`subscription disabled and userPools configured with nullable fields top #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) #if( $ownerEntity0 == $ownerClaim0 ) #set( $isAuthorized = true ) #end diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/owner-auth.test.ts.snap b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/owner-auth.test.ts.snap index 44af795657d..b4dca71ce25 100644 
--- a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/owner-auth.test.ts.snap +++ b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/owner-auth.test.ts.snap @@ -10,12 +10,15 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.args.input.editors, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) + #set( $ownerClaimsList0 = [] ) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\"))) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")))) #set( $ownerAllowedFields0 = [\\"id\\",\\"title\\",\\"editors\\",\\"createdAt\\",\\"updatedAt\\"] ) #set( $isAuthorizedOnAllFields0 = true ) #foreach( $allowedOwner in $ownerEntity0 ) - #if( $allowedOwner == $ownerClaim0 ) + #if( $allowedOwner == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) ) #if( $isAuthorizedOnAllFields0 ) #set( $isAuthorized = true ) #break 
@@ -92,8 +95,8 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( !$isAuthorized ) #set( $authFilter = [] ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) #if( $role0 != \\"___xamznone____\\" ) $util.qr($authFilter.add({\\"editors\\": { \\"contains\\": $ownerClaim0 }})) #end @@ -126,8 +129,8 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( !$isAuthorized ) #set( $authFilter = [] ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) #if( $role0 != \\"___xamznone____\\" ) $util.qr($authFilter.add({\\"editors\\": { \\"contains\\": $ownerClaim0 }})) #end 
@@ -157,8 +160,8 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #set( $isAuthorized = false ) #set( $primaryFieldMap = {} ) #if( $util.authType() == \\"User Pool Authorization\\" ) + #set( $parentClaim = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) #if( !$util.isNull($ctx.args.parent) ) - #set( $parentClaim = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) #if( $util.isString($ctx.args.parent) ) #set( $parentCondition = ($parentClaim == $ctx.args.parent) ) #else @@ -169,10 +172,10 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) $util.qr($ctx.stash.put(\\"authFilter\\", null)) #end #else - $util.qr($primaryFieldMap.put(\\"parent\\", $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\"))) + $util.qr($primaryFieldMap.put(\\"parent\\", $parentClaim)) #end + #set( $childClaim = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) #if( !$util.isNull($ctx.args.child) ) - #set( $childClaim = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) #if( $util.isString($ctx.args.child) ) #set( $childCondition = ($childClaim == $ctx.args.child) ) #else @@ -183,7 +186,7 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) $util.qr($ctx.stash.put(\\"authFilter\\", null)) #end #else - $util.qr($primaryFieldMap.put(\\"child\\", $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\"))) + $util.qr($primaryFieldMap.put(\\"child\\", $childClaim)) #end #if( !$isAuthorized && !$primaryFieldMap.isEmpty() ) #if( $util.isNull($ctx.args.parent) ) 
@@ -229,11 +232,14 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.args.input.owner, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) + #set( $ownerClaimsList0 = [] ) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\"))) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")))) #set( $ownerAllowedFields0 = [\\"id\\",\\"title\\",\\"createdAt\\",\\"updatedAt\\"] ) #set( $isAuthorizedOnAllFields0 = true ) - #if( $ownerClaim0 == $ownerEntity0 ) + #if( $ownerClaim0 == $ownerEntity0 || $ownerClaimsList0.contains($ownerEntity0) ) #if( $isAuthorizedOnAllFields0 ) #set( $isAuthorized = true ) #else 
@@ -308,8 +314,8 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( !$isAuthorized ) #set( $authFilter = [] ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) #if( $role0 != \\"___xamznone____\\" ) $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $ownerClaim0 }})) #end @@ -342,8 +348,8 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( !$isAuthorized ) #set( $authFilter = [] ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) #if( $role0 != \\"___xamznone____\\" ) $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $ownerClaim0 }})) #end 
@@ -377,10 +383,12 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.args.input.editors, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaimsList0 = [] ) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")))) #set( $ownerAllowedFields0 = [\\"id\\",\\"title\\",\\"editors\\",\\"createdAt\\",\\"updatedAt\\"] ) #set( $isAuthorizedOnAllFields0 = true ) #foreach( $allowedOwner in $ownerEntity0 ) - #if( $allowedOwner == $ownerClaim0 ) + #if( $allowedOwner == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) ) #if( $isAuthorizedOnAllFields0 ) #set( $isAuthorized = true ) #break @@ -502,8 +510,8 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #set( $isAuthorized = false ) #set( $primaryFieldMap = {} ) #if( $util.authType() == \\"User Pool Authorization\\" ) + #set( $parentClaim = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) #if( !$util.isNull($ctx.args.parent) ) - #set( $parentClaim = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) #if( $util.isString($ctx.args.parent) ) #set( $parentCondition = ($parentClaim == $ctx.args.parent) ) #else 
@@ -514,10 +522,10 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) $util.qr($ctx.stash.put(\\"authFilter\\", null)) #end #else - $util.qr($primaryFieldMap.put(\\"parent\\", $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\"))) + $util.qr($primaryFieldMap.put(\\"parent\\", $parentClaim)) #end + #set( $childClaim = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) #if( !$util.isNull($ctx.args.child) ) - #set( $childClaim = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) #if( $util.isString($ctx.args.child) ) #set( $childCondition = ($childClaim == $ctx.args.child) ) #else @@ -528,7 +536,7 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) $util.qr($ctx.stash.put(\\"authFilter\\", null)) #end #else - $util.qr($primaryFieldMap.put(\\"child\\", $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\"))) + $util.qr($primaryFieldMap.put(\\"child\\", $childClaim)) #end #if( !$isAuthorized && !$primaryFieldMap.isEmpty() ) #if( $util.isNull($ctx.args.parent) ) 
@@ -574,11 +582,14 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.args.input.owner, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) + #set( $ownerClaimsList0 = [] ) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\"))) + $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")))) #set( $ownerAllowedFields0 = [\\"id\\",\\"title\\",\\"createdAt\\",\\"updatedAt\\"] ) #set( $isAuthorizedOnAllFields0 = true ) - #if( $ownerClaim0 == $ownerEntity0 ) + #if( $ownerClaim0 == $ownerEntity0 || $ownerClaimsList0.contains($ownerEntity0) ) #if( $isAuthorizedOnAllFields0 ) #set( $isAuthorized = true ) #else 
@@ -653,8 +664,8 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( !$isAuthorized ) #set( $authFilter = [] ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) #if( $role0 != \\"___xamznone____\\" ) $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $ownerClaim0 }})) #end @@ -687,8 +698,8 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( !$isAuthorized ) #set( $authFilter = [] ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" ) #if( $role0 != \\"___xamznone____\\" ) $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $ownerClaim0 }})) #end diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/field-auth-argument.test.ts b/packages/amplify-graphql-auth-transformer/src/__tests__/field-auth-argument.test.ts index 54f42b6ec37..f69078f2d00 100644 --- a/packages/amplify-graphql-auth-transformer/src/__tests__/field-auth-argument.test.ts 
+++ b/packages/amplify-graphql-auth-transformer/src/__tests__/field-auth-argument.test.ts @@ -186,8 +186,8 @@ describe('subscription disabled and userPools configured', () => { #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get("sub"), "___xamznone____") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), "___xamznone____")) ) - #set( $ownerClaim0 = "$ownerClaim0:$currentClaim0" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), "___xamznone____")) ) + #set( $ownerClaim0 = "$ownerClaim0:$currentClaim1" ) #if( $ownerEntity0 == $ownerClaim0 ) #set( $isAuthorized = true ) #end @@ -275,8 +275,8 @@ describe('subscription disabled and userPools configured', () => { #if( !$isAuthorized ) #set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) ) #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get("sub"), "___xamznone____") ) - #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), "___xamznone____")) ) - #set( $ownerClaim0 = "$ownerClaim0:$currentClaim0" ) + #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), "___xamznone____")) ) + #set( $ownerClaim0 = "$ownerClaim0:$currentClaim1" ) #if( $ownerEntity0 == $ownerClaim0 ) #set( $isAuthorized = true ) #end diff --git a/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts b/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts index b4b00c069ef..7013a5a3f5f 100644 --- a/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts 
+++ b/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts @@ -54,7 +54,7 @@ const generateDynamicAuthReadExpression = (roles: Array, fields: not(ref(IS_AUTHORIZED_FLAG)), compoundExpression([ set(ref(`ownerEntity${idx}`), methodCall(ref('util.defaultIfNull'), ref(`ctx.source.${role.entity!}`), nul())), - generateOwnerClaimExpression(role.claim!, idx), + generateOwnerClaimExpression(role.claim!, `ownerClaim${idx}`), ...(entityIsList ? [ forEach(ref('allowedOwner'), ref(`ownerEntity${idx}`), [ @@ -197,10 +197,25 @@ export const generateSandboxExpressionForField = (sandboxEnabled: boolean): stri */ export const generateFieldResolverForOwner = (entity: string): string => { const expressions: Expression[] = [ - set(ref('ownerEntities'), ref(`ctx.source.${entity}.split(":")`)), - set(ref('ownerEntitiesLastIdx'), raw('$ownerEntities.size() - 1')), - set(ref('ownerEntitiesLast'), ref('ownerEntities.get($ownerEntitiesLastIdx)')), - qref(methodCall(ref('ctx.source.put'), str(entity), ref('ownerEntitiesLast'))), + ifElse( + methodCall(ref('util.isString'), ref(`ctx.source.${entity}`)), + compoundExpression([ + set(ref('ownerEntities'), ref(`ctx.source.${entity}.split(":")`)), + set(ref('ownerEntitiesLastIdx'), raw('$ownerEntities.size() - 1')), + set(ref('ownerEntitiesLast'), ref('ownerEntities.get($ownerEntitiesLastIdx)')), + qref(methodCall(ref('ctx.source.put'), str(entity), ref('ownerEntitiesLast'))), + ]), + compoundExpression([ + set(ref('ownerEntitiesList'), list([])), + forEach(ref('ownerEntities'), ref(`ctx.source.${entity}`), [ + set(ref('ownerEntities'), ref('ownerEntities.split(":")')), + set(ref('ownerEntitiesLastIdx'), raw('$ownerEntities.size() - 1')), + set(ref('ownerEntitiesLast'), ref('ownerEntities.get($ownerEntitiesLastIdx)')), + qref(methodCall(ref('ownerEntitiesList.add'), ref('ownerEntitiesLast'))), + ]), + qref(methodCall(ref(`ctx.source.${entity}.put`), ref('ownerEntitiesList'))), + ]), + ), toJson(ref(`ctx.source.${entity}`)), ]; 
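Review bot: The list branch of `generateFieldResolverForOwner` writes the normalised value back with a one-argument `put` on the list itself (`ctx.source.${entity}.put`), while the string branch writes through `ctx.source.put(entity, value)`; as written the normalised list is most likely never stored and the closing `toJson(ref(ctx.source.${entity}))` returns the raw value. Change the last statement of that branch to `qref(methodCall(ref('ctx.source.put'), str(entity), ref('ownerEntitiesList'))),`. The loop also binds its iteration variable as `ownerEntities` and then reassigns that same name to the split result on the first body line, which VTL tolerates but reads as a mistake; naming the loop variable `ownerEntity` would make the intent clear. A null `ctx.source.${entity}` also falls into the list branch, which is presumably harmless (empty iteration) but deserves a comment.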
diff --git a/packages/amplify-graphql-auth-transformer/src/resolvers/helpers.ts b/packages/amplify-graphql-auth-transformer/src/resolvers/helpers.ts index 25374f939ce..89f843b11ad 100644 --- a/packages/amplify-graphql-auth-transformer/src/resolvers/helpers.ts +++ b/packages/amplify-graphql-auth-transformer/src/resolvers/helpers.ts @@ -89,26 +89,26 @@ export const getOwnerClaim = (ownerClaim: string): Expression => { /** * Creates generate owner claim expression owner */ -export const generateOwnerClaimExpression = (ownerClaim: string, idx: number): CompoundExpressionNode => { +export const generateOwnerClaimExpression = (ownerClaim: string, refName: string): CompoundExpressionNode => { const expressions: Expression[] = []; const identityClaims = ownerClaim.split(':'); const hasMultiIdentityClaims = identityClaims.length > 1 && ownerClaim !== 'cognito:username'; if (hasMultiIdentityClaims) { - identityClaims.forEach((claim, secIdx) => { + identityClaims.forEach((claim, idx) => { expressions.push(); - if (secIdx === 0) { - expressions.push(set(ref(`ownerClaim${idx}`), getOwnerClaim(claim))); + if (idx === 0) { + expressions.push(set(ref(refName), getOwnerClaim(claim))); } else { expressions.push( set(ref(`currentClaim${idx}`), getOwnerClaim(claim)), - set(ref(`ownerClaim${idx}`), raw(`"$ownerClaim${idx}:$currentClaim${idx}"`)), + set(ref(refName), raw(`"$${refName}:$currentClaim${idx}"`)), ); } }); } else { expressions.push( - set(ref(`ownerClaim${idx}`), getOwnerClaim(ownerClaim)), + set(ref(refName), getOwnerClaim(ownerClaim)), ); } 
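Review bot: The signature now takes `refName` instead of `idx`, but the JSDoc above it still reads `Creates generate owner claim expression owner` and documents neither parameter. Replace it with a comment stating that the function emits VTL assigning the resolved owner claim to the variable named `refName`, that `ownerClaim` may be several claims joined with `:` (except the literal `cognito:username`) in which case they are concatenated as `"$a:$b"`, and that `currentClaim${idx}` is now numbered by the claim's position rather than by role, so two multi-claim roles in one resolver both emit `currentClaim1` (safe only because each value is consumed by the very next `set`). The empty `expressions.push();` on the context line is a no-op and could be removed in the same pass.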
@@ -228,4 +228,18 @@ export const generateAuthRequestExpression = (): string => { return printBlock('Get Request template')(compoundExpression(statements)); }; +/** + * Generates a list of claims to be iterated over for authorization + */ +export const generateOwnerClaimListExpression = (claim: string, idx: number): Expression => { + const claims = claim.split(':'); + + return compoundExpression([ + set(ref(`ownerClaimsList${idx}`), list([])), + compoundExpression( + claims.map(c => qref(methodCall(ref(`ownerClaimsList${idx}.add`), getOwnerClaim(c)))), + ), + ]); +}; + export const emptyPayload = toJson(raw(JSON.stringify({ version: '2018-05-29', payload: {} }))); diff --git a/packages/amplify-graphql-auth-transformer/src/resolvers/mutation.create.ts b/packages/amplify-graphql-auth-transformer/src/resolvers/mutation.create.ts index f8ccbf3de19..b5f4c0585e8 100644 --- a/packages/amplify-graphql-auth-transformer/src/resolvers/mutation.create.ts +++ b/packages/amplify-graphql-auth-transformer/src/resolvers/mutation.create.ts @@ -18,6 +18,7 @@ import { str, printBlock, ifElse, + or, } from 'graphql-mapping-template'; import { getIdentityClaimExp, @@ -27,6 +28,7 @@ import { iamCheck, iamAdminRoleCheckExpression, generateOwnerClaimExpression, + generateOwnerClaimListExpression, } from './helpers'; import { API_KEY_AUTH_TYPE, 
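Review bot: `generateOwnerClaimListExpression` splits `claim` on `:` unconditionally, whereas `generateOwnerClaimExpression` in the hunk above treats the literal `cognito:username` as a single claim, so a role configured with that claim would get list entries for claims named `cognito` and `username`. Each entry comes from `getOwnerClaim`, which per the snapshots falls back to `___xamznone____` when the claim is absent; any missing claim therefore places the sentinel in `ownerClaimsList${idx}`, and the `contains` checks added in mutation.create/delete/update compare a client- or record-supplied owner value against it without the `!= "___xamznone____"` guard that the query auth filter applies. Use `const claims = claim === 'cognito:username' ? [claim] : claim.split(':');` and either omit entries that resolve to NONE_VALUE or guard the `contains` calls with the same inequality. The JSDoc should also name the VTL variable the expression defines (`ownerClaimsList${idx}`) and note that it must be emitted before any `contains` on it.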
@@ -161,21 +163,28 @@ const dynamicRoleExpression = (roles: Array, fields: ReadonlyArr not(ref(IS_AUTHORIZED_FLAG)), compoundExpression([ set(ref(`ownerEntity${idx}`), methodCall(ref('util.defaultIfNull'), ref(`ctx.args.input.${role.entity!}`), nul())), - generateOwnerClaimExpression(role.claim!, idx), + generateOwnerClaimExpression(role.claim!, `ownerClaim${idx}`), + generateOwnerClaimListExpression(role.claim!, idx), set(ref(`ownerAllowedFields${idx}`), raw(JSON.stringify(role.allowedFields))), set(ref(`isAuthorizedOnAllFields${idx}`), bool(role.areAllFieldsAllowed)), ...(entityIsList ? [ forEach(ref('allowedOwner'), ref(`ownerEntity${idx}`), [ iff( - equals(ref('allowedOwner'), ref(`ownerClaim${idx}`)), + or([ + equals(ref('allowedOwner'), ref(`ownerClaim${idx}`)), + methodCall(ref(`ownerClaimsList${idx}.contains`), ref(`ownerEntity${idx}`)), + ]), addAllowedFieldsIfElse(`ownerAllowedFields${idx}`, `isAuthorizedOnAllFields${idx}`, true), ), ]), ] : [ iff( - equals(ref(`ownerClaim${idx}`), ref(`ownerEntity${idx}`)), + or([ + equals(ref(`ownerClaim${idx}`), ref(`ownerEntity${idx}`)), + methodCall(ref(`ownerClaimsList${idx}.contains`), ref(`ownerEntity${idx}`)), + ]), addAllowedFieldsIfElse(`ownerAllowedFields${idx}`, `isAuthorizedOnAllFields${idx}`), ), ]), diff --git a/packages/amplify-graphql-auth-transformer/src/resolvers/mutation.delete.ts b/packages/amplify-graphql-auth-transformer/src/resolvers/mutation.delete.ts index 0c0bb1bfe8f..f152c7c75a1 100644 --- a/packages/amplify-graphql-auth-transformer/src/resolvers/mutation.delete.ts +++ b/packages/amplify-graphql-auth-transformer/src/resolvers/mutation.delete.ts 
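Review bot: In the `entityIsList` branch the new `or` tests membership of `ownerEntity${idx}` in `ownerClaimsList${idx}`, but `ownerEntity${idx}` is the whole list being iterated, not the current `allowedOwner`; the snapshot `#if( $allowedOwner == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )` under `#foreach( $allowedOwner in $ownerEntity0 )` shows the generated VTL. A list is never an element of a list of strings, so that operand never matches and the compatibility path for list-typed owner fields is dead code. Change the `ref` argument of that `methodCall` from the `ownerEntity${idx}` template to `'allowedOwner'`; the same operand appears in the list branches of mutation.delete.ts and mutation.update.ts. `dynamicRoleExpression` starts before the hunk.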
@@ -16,9 +16,16 @@ import { not, nul, ifElse, + or, } from 'graphql-mapping-template'; import { - emptyPayload, getIdentityClaimExp, iamAdminRoleCheckExpression, iamCheck, setHasAuthExpression, generateOwnerClaimExpression, + emptyPayload, + getIdentityClaimExp, + iamAdminRoleCheckExpression, + iamCheck, + setHasAuthExpression, + generateOwnerClaimExpression, + generateOwnerClaimListExpression, } from './helpers'; import { API_KEY_AUTH_TYPE, @@ -122,15 +129,32 @@ const dynamicGroupRoleExpression = ( not(ref(IS_AUTHORIZED_FLAG)), compoundExpression([ set(ref(`ownerEntity${idx}`), methodCall(ref('util.defaultIfNull'), ref(`ctx.result.${role.entity!}`), nul())), - generateOwnerClaimExpression(role.claim!, idx), + generateOwnerClaimExpression(role.claim!, `ownerClaim${idx}`), + generateOwnerClaimListExpression(role.claim!, idx), ...(entityIsList ? [ forEach(ref('allowedOwner'), ref(`ownerEntity${idx}`), [ - iff(equals(ref('allowedOwner'), ref(`ownerClaim${idx}`)), set(ref(IS_AUTHORIZED_FLAG), bool(true))), + iff( + or([ + equals(ref('allowedOwner'), ref(`ownerClaim${idx}`)), + methodCall(ref(`ownerClaimsList${idx}.contains`), ref(`ownerEntity${idx}`)), + ]), + set(ref(IS_AUTHORIZED_FLAG), bool(true)), + ), ]), ] - : [iff(equals(ref(`ownerEntity${idx}`), ref(`ownerClaim${idx}`)), set(ref(IS_AUTHORIZED_FLAG), bool(true)))]), + : [ + iff( + or([ + equals(ref(`ownerEntity${idx}`), ref(`ownerClaim${idx}`)), + methodCall(ref(`ownerClaimsList${idx}.contains`), ref(`ownerEntity${idx}`)), + ]), + set(ref(IS_AUTHORIZED_FLAG), bool(true)), + ), + ] + ), ]), + // if authorized result != owner claim or result not in owner claim list, update owner to identity claim ), ); } diff --git a/packages/amplify-graphql-auth-transformer/src/resolvers/mutation.update.ts b/packages/amplify-graphql-auth-transformer/src/resolvers/mutation.update.ts index 81a33d9b899..5eda41bc15b 100644 --- a/packages/amplify-graphql-auth-transformer/src/resolvers/mutation.update.ts 
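Review bot: The comment `// if authorized result != owner claim or result not in owner claim list, update owner to identity claim` is added after the `]),` that closes the `compoundExpression`, where nothing in the hunk updates the owner; the delete path only sets `IS_AUTHORIZED_FLAG`. If the write-back exists elsewhere, move the comment next to it; otherwise drop it, since a reader would look for a mutation of the owner field that this resolver does not perform. `dynamicGroupRoleExpression` begins before the hunk.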
+++ b/packages/amplify-graphql-auth-transformer/src/resolvers/mutation.update.ts @@ -20,6 +20,7 @@ import { printBlock, ifElse, nul, + or, } from 'graphql-mapping-template'; import { API_KEY_AUTH_TYPE, @@ -44,6 +45,7 @@ import { iamCheck, iamAdminRoleCheckExpression, generateOwnerClaimExpression, + generateOwnerClaimListExpression, } from './helpers'; /** @@ -180,7 +182,8 @@ const dynamicGroupRoleExpression = (roles: Array, fields: Readon ref(`ownerEntity${idx}`), methodCall(ref('util.defaultIfNull'), ref(`ctx.result.${role.entity!}`), entityIsList ? list([]) : nul()), ), - generateOwnerClaimExpression(role.claim!, idx), + generateOwnerClaimExpression(role.claim!, `ownerClaim${idx}`), + generateOwnerClaimListExpression(role.claim!, idx), set(ref(`ownerAllowedFields${idx}`), raw(JSON.stringify(role.allowedFields))), set(ref(`ownerNullAllowedFields${idx}`), raw(JSON.stringify(role.nullAllowedFields))), set(ref(`isAuthorizedOnAllFields${idx}`), bool(role.areAllFieldsAllowed && role.areAllFieldsNullAllowed)), @@ -188,7 +191,10 @@ const dynamicGroupRoleExpression = (roles: Array, fields: Readon ? [ forEach(ref('allowedOwner'), ref(`ownerEntity${idx}`), [ iff( - equals(ref('allowedOwner'), ref(`ownerClaim${idx}`)), + or([ + equals(ref('allowedOwner'), ref(`ownerClaim${idx}`)), + methodCall(ref(`ownerClaimsList${idx}.contains`), ref(`ownerEntity${idx}`)), + ]), addAllowedFieldsIfElse( `ownerAllowedFields${idx}`, `ownerNullAllowedFields${idx}`, @@ -200,7 +206,10 @@ const dynamicGroupRoleExpression = (roles: Array, fields: Readon ] : [ iff( - equals(ref(`ownerEntity${idx}`), ref(`ownerClaim${idx}`)), + or([ + equals(ref(`ownerEntity${idx}`), ref(`ownerClaim${idx}`)), + methodCall(ref(`ownerClaimsList${idx}.contains`), ref(`ownerEntity${idx}`)), + ]), addAllowedFieldsIfElse(`ownerAllowedFields${idx}`, `ownerNullAllowedFields${idx}`, `isAuthorizedOnAllFields${idx}`), ), ]), 
diff --git a/packages/amplify-graphql-auth-transformer/src/resolvers/query.ts b/packages/amplify-graphql-auth-transformer/src/resolvers/query.ts index bcdec54b4c4..d136c4e95f9 100644 --- a/packages/amplify-graphql-auth-transformer/src/resolvers/query.ts +++ b/packages/amplify-graphql-auth-transformer/src/resolvers/query.ts @@ -21,6 +21,7 @@ import { nul, notEquals, parens, + or, } from 'graphql-mapping-template'; import { NONE_VALUE } from 'graphql-transformer-common'; import { @@ -32,6 +33,7 @@ import { emptyPayload, setHasAuthExpression, generateOwnerClaimExpression, + generateOwnerClaimListExpression, } from './helpers'; import { COGNITO_AUTH_TYPE, @@ -81,14 +83,17 @@ const generateAuthOnRelationalModelQueryExpression = ( primaryRoles.forEach((role, idx) => { const { claim, field } = primaryFieldMap.get(role.entity); modelQueryExpression.push( - set( - ref(`primaryRole${idx}`), - role.strategy === 'owner' ? getOwnerClaim(role.claim!) : getIdentityClaimExp(str(role.claim!), str(NONE_VALUE)), - ), + generateOwnerClaimExpression(role.claim!, `primaryRole${idx}`), + generateOwnerClaimListExpression(role.claim!, idx), ifElse( and([ parens(not(ref(`util.isNull($ctx.${claim}.${field})`))), - parens(equals(ref(`ctx.${claim}.${field}`), ref(`primaryRole${idx}`))), + parens( + or([ + parens(equals(ref(`ctx.${claim}.${field}`), ref(`primaryRole${idx}`))), + methodCall(ref(`ownerClaimsList${idx}.contains`), ref(`ctx.${claim}.${field}`)), + ]), + ), ]), compoundExpression([set(ref(IS_AUTHORIZED_FLAG), bool(true)), qref(methodCall(ref('ctx.stash.put'), str('authFilter'), nul()))]), iff( 
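Review bot: The removed `set` chose between `getOwnerClaim` and `getIdentityClaimExp` by `role.strategy`, while the replacement `generateOwnerClaimExpression(role.claim!, primaryRole${idx})` always resolves the claim through `getOwnerClaim`; if `primaryRoles` can contain non-owner roles (the dropped branch suggests it can), their claim resolution changed silently. Either keep the strategy check around the new call or add a comment on the `push` stating why the owner form is correct for every primary role. `generateAuthOnRelationalModelQueryExpression` begins before the hunk.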
@@ -122,22 +127,23 @@ const generateAuthOnModelQueryExpression = (
 if (primaryRoles.length > 0) {
 if (isIndexQuery) {
 primaryRoles.forEach(role => {
- const claimExpression = role.strategy === 'owner' ? getOwnerClaim(role.claim!) : getIdentityClaimExp(str(role.claim!), str(NONE_VALUE));
 modelQueryExpression.push(
+ generateOwnerClaimExpression(role.claim!, `${role.entity}Claim`),
 ifElse(
 not(ref(`util.isNull($ctx.args.${role.entity})`)),
 compoundExpression([
- set(ref(`${role.entity}Claim`), claimExpression),
 ifElse(
 ref(`util.isString($ctx.args.${role.entity})`),
 set(ref(`${role.entity}Condition`), parens(equals(ref(`${role.entity}Claim`), ref(`ctx.args.${role.entity}`)))),
 set(
 ref(`${role.entity}Condition`),
 parens(
- equals(
- ref(`${role.entity}Claim`),
- methodCall(ref('util.defaultIfNull'), raw(`$ctx.args.${role.entity}.get("eq")`), str(NONE_VALUE)),
- ),
+ or([
+ equals(
+ ref(`${role.entity}Claim`),
+ methodCall(ref('util.defaultIfNull'), raw(`$ctx.args.${role.entity}.get("eq")`), str(NONE_VALUE)),
+ ),
+ ]),
 ),
 ),
 ),
@@ -149,7 +155,9 @@ const generateAuthOnModelQueryExpression = (
 ]),
 ),
 ]),
- qref(methodCall(ref('primaryFieldMap.put'), str(role.entity), claimExpression)),
+ qref(
+ methodCall(ref('primaryFieldMap.put'), str(role.entity), ref(`${role.entity}Claim`)),
+ ),
 ),
 );
 });
@@ -170,12 +178,11 @@ const generateAuthOnModelQueryExpression = (
 );
 } else {
 primaryRoles.forEach(role => {
- const claimExpression = role.strategy === 'owner' ? getOwnerClaim(role.claim!) : getIdentityClaimExp(str(role.claim!), str(NONE_VALUE));
 modelQueryExpression.push(
+ generateOwnerClaimExpression(role.claim!, `${role.entity}Claim`),
 ifElse(
 not(ref(`util.isNull($ctx.args.${role.entity})`)),
 compoundExpression([
- set(ref(`${role.entity}Claim`), claimExpression),
 ifElse(
 ref(`util.isString($ctx.args.${role.entity})`),
 set(ref(`${role.entity}Condition`), parens(equals(ref(`${role.entity}Claim`), ref(`ctx.args.${role.entity}`)))),
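Review bot: The `or([ equals(…) ])` introduced in the `@@ -122,22 +127,23 @@` hunk has a single operand, so it is either a no-op wrapper or a fallback whose second operand was never added; the relational path in this same file pairs the identical `equals` with a ``methodCall(ref(`ownerClaimsList${idx}.contains`), …)`` check, which suggests the latter. Either drop the `or([...])` and keep the bare `equals(…)`, or push `generateOwnerClaimListExpression(role.claim!, idx)` alongside the claim expression and add the `contains` operand so index queries accept the same single-claim owners that the update and relational paths now do. Note also that `generateOwnerClaimExpression(…)` is now pushed before the `util.isNull($ctx.args.${role.entity})` test, so the claim is always computed even when the argument is absent; that is harmless but worth a one-line comment such as `// claim is resolved unconditionally; it is also recorded in primaryFieldMap below`. `generateAuthOnModelQueryExpression` begins and ends outside these hunks.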
@@ -199,7 +206,7 @@ const generateAuthOnModelQueryExpression = (
 ]),
 ),
 ]),
- qref(methodCall(ref('primaryFieldMap.put'), str(role.entity), claimExpression)),
+ qref(methodCall(ref('primaryFieldMap.put'), str(role.entity), ref(`${role.entity}Claim`))),
 ),
 );
 });
@@ -276,7 +283,7 @@ const generateAuthFilter = (roles: Array, fields: ReadonlyArray<
 if (hasMultiClaims) {
 authCollectionExp.push(
 ...[
- generateOwnerClaimExpression(role.claim!, idx),
+ generateOwnerClaimExpression(role.claim!, `ownerClaim${idx}`),
 iff(
 notEquals(ref(`role${idx}`), str(NONE_VALUE)),
 qref(methodCall(ref('authFilter.add'), raw(`{"${role.entity}": { "${ownerCondition}": $ownerClaim${idx} }}`))),
diff --git a/packages/amplify-graphql-relational-transformer/src/__tests__/__snapshots__/amplify-graphql-many-to-many-transformer.test.ts.snap b/packages/amplify-graphql-relational-transformer/src/__tests__/__snapshots__/amplify-graphql-many-to-many-transformer.test.ts.snap
index c0b393b2699..a3b7f999468 100644
--- a/packages/amplify-graphql-relational-transformer/src/__tests__/__snapshots__/amplify-graphql-many-to-many-transformer.test.ts.snap
+++ b/packages/amplify-graphql-relational-transformer/src/__tests__/__snapshots__/amplify-graphql-many-to-many-transformer.test.ts.snap
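Review bot: After this commit the list-path filter emitted in the `@@ -276,7 +283,7 @@` hunk still matches on ``"${ownerCondition}": $ownerClaim${idx}`` alone, i.e. the combined multi-claim string, while the update and relational-query paths in the same commit additionally accept any single entry of ``ownerClaimsList${idx}``; unless `generateAuthFilter` adds those entries elsewhere in the function, a record stored under a single claim is readable via `get` but excluded from filtered `list` results, and two authorization paths apply different owner predicates. If the `authFilter` entries are OR-combined downstream, emitting one entry per claim from ``ownerClaimsList${idx}`` would align the paths; otherwise the asymmetry should be stated in a comment above the `hasMultiClaims` branch, e.g. `// list filters match only the combined "<sub>:<username>" claim; single-claim fallback applies to get/update paths only`. `generateAuthFilter` begins and ends outside this hunk.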
@@ -2616,9 +2616,9 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true))
 #if( $util.authType() == \\"User Pool Authorization\\" )
 #if( !$isAuthorized )
 #set( $authFilter = [] )
- #set( $ownerClaim0 = $ctx.identity.claims.get(\\"sub\\") )
- #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
- #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" )
+ #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") )
+ #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
+ #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" )
 #if( $role0 != \\"___xamznone____\\" )
 $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $ownerClaim0 }}))
 #end
@@ -2685,9 +2685,9 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true))
 #if( $util.authType() == \\"User Pool Authorization\\" )
 #if( !$isAuthorized )
 #set( $authFilter = [] )
- #set( $ownerClaim0 = $ctx.identity.claims.get(\\"sub\\") )
- #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
- #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" )
+ #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") )
+ #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
+ #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" )
 #if( $role0 != \\"___xamznone____\\" )
 $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $ownerClaim0 }}))
 #end
@@ -2737,12 +2737,15 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true))
 #if( $util.authType() == \\"User Pool Authorization\\" )
 #if( !$isAuthorized )
 #set( $ownerEntity0 = $util.defaultIfNull($ctx.args.input.owner, null) )
- #set( $ownerClaim0 = $ctx.identity.claims.get(\\"sub\\") )
- #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
- #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" )
+ #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") )
+ #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
+ #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" )
+ #set( $ownerClaimsList0 = [] )
+ $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\")))
+ $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\"))))
 #set( $ownerAllowedFields0 = [\\"id\\",\\"fooID\\",\\"barID\\",\\"foo\\",\\"bar\\"] )
 #set( $isAuthorizedOnAllFields0 = true )
- #if( $ownerClaim0 == $ownerEntity0 )
+ #if( $ownerClaim0 == $ownerEntity0 || $ownerClaimsList0.contains($ownerEntity0) )
 #if( $isAuthorizedOnAllFields0 )
 #set( $isAuthorized = true )
 #else
@@ -2823,10 +2826,13 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true))
 #if( $util.authType() == \\"User Pool Authorization\\" )
 #if( !$isAuthorized )
 #set( $ownerEntity0 = $util.defaultIfNull($ctx.result.owner, null) )
- #set( $ownerClaim0 = $ctx.identity.claims.get(\\"sub\\") )
- #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
- #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" )
- #if( $ownerEntity0 == $ownerClaim0 )
+ #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") )
+ #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
+ #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" )
+ #set( $ownerClaimsList0 = [] )
+ $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\")))
+ $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\"))))
+ #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
 #set( $isAuthorized = true )
 #end
 #end
@@ -2959,13 +2965,16 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true))
 #if( $util.authType() == \\"User Pool Authorization\\" )
 #if( !$isAuthorized )
 #set( $ownerEntity0 = $util.defaultIfNull($ctx.result.owner, null) )
- #set( $ownerClaim0 = $ctx.identity.claims.get(\\"sub\\") )
- #set( $currentClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
- #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim0\\" )
+ #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") )
+ #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
+ #set( $ownerClaim0 = \\"$ownerClaim0:$currentClaim1\\" )
+ #set( $ownerClaimsList0 = [] )
+ $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\")))
+ $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\"))))
 #set( $ownerAllowedFields0 = [\\"id\\",\\"fooID\\",\\"barID\\",\\"foo\\",\\"bar\\"] )
 #set( $ownerNullAllowedFields0 = [\\"id\\",\\"fooID\\",\\"barID\\",\\"foo\\",\\"bar\\"] )
 #set( $isAuthorizedOnAllFields0 = true )
- #if( $ownerEntity0 == $ownerClaim0 )
+ #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
 #if( $isAuthorizedOnAllFields0 )
 #set( $isAuthorized = true )
 #else