feat: use sub:username identity claim by default when persisting behind a feature flag #10196

Merged
merged 8 commits into from
Apr 28, 2022
1 change: 1 addition & 0 deletions .eslint-dictionary.json
Expand Up @@ -6,6 +6,7 @@
"argv",
"arn",
"arns",
"authorizer",
"awscloudformation",
"axios",
"backend",
1 change: 1 addition & 0 deletions packages/amplify-graphql-auth-transformer/package.json
Expand Up @@ -35,6 +35,7 @@
"@aws-cdk/aws-dynamodb": "~1.124.0",
"@aws-cdk/aws-iam": "~1.124.0",
"@aws-cdk/core": "~1.124.0",
"amplify-prompts": "^2.0.0",
"constructs": "^3.3.125",
"graphql": "^14.5.8",
"graphql-mapping-template": "4.20.3",
Expand Up @@ -15,8 +15,13 @@ $util.unauthorized()
#if( $util.authType() == \\"User Pool Authorization\\" )
#if( !$isAuthorized )
#set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#if( $ownerEntity0 == $ownerClaim0 )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") )
#set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#set( $ownerClaim0 = \\"$ownerClaim0::$currentClaim1\\" )
#set( $ownerClaimsList0 = [] )
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\")))
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\"))))
#if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
#set( $isAuthorized = true )
#end
#end
Expand Down Expand Up @@ -60,10 +65,15 @@ $util.unauthorized()
#end
#if( !$isAuthorized )
#set( $ownerEntity0 = $util.defaultIfNull($ctx.args.input.owner, null) )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") )
#set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#set( $ownerClaim0 = \\"$ownerClaim0::$currentClaim1\\" )
#set( $ownerClaimsList0 = [] )
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\")))
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\"))))
#set( $ownerAllowedFields0 = [\\"id\\",\\"name\\",\\"description\\",\\"secretValue\\"] )
#set( $isAuthorizedOnAllFields0 = true )
#if( $ownerClaim0 == $ownerEntity0 )
#if( $ownerClaim0 == $ownerEntity0 || $ownerClaimsList0.contains($ownerEntity0) )
#if( $isAuthorizedOnAllFields0 )
#set( $isAuthorized = true )
#else
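Review bot: On the create path (second hunk, where `#set( $ownerEntity0 = $util.defaultIfNull($ctx.args.input.owner, null) )` reads the client-supplied owner), the new `|| $ownerClaimsList0.contains($ownerEntity0)` branch accepts a bare `sub` or a bare `username` value as well as the canonical `"$ownerClaim0::$currentClaim1"` string, so the format persisted in the owner field is chosen by the caller rather than normalized by the resolver, and one user can end up with records in three different owner formats that every later read-side check must keep matching. If mixed formats are deliberate for backward compatibility, the transformer that emits this snapshot (outside this diff) should say so in a comment on the generated `#if`; otherwise rewriting the input owner to `$ownerClaim0` once the check passes would keep stored values canonical. Separately, both `$util.qr($ownerClaimsList0.add(...))` lines push the `___xamznone____` sentinel into the list whenever the `sub` or username claims are absent, so a stored owner equal to that literal would satisfy `contains`; the sentinel comparison existed before for `$ownerClaim0` alone, but the list form also reaches it when only one of the two claims is missing, and removing the sentinel from the list before the `contains` check (`$util.qr($ownerClaimsList0.remove(\\"___xamznone____\\"))`) would close that path. The same pattern appears in the read-path hunk above and in every hunk of the second snapshot file, and all of these VTL blocks sit inside snapshot template strings whose start and end are outside the hunk.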
Expand Up @@ -9,8 +9,13 @@ $util.unauthorized()
#if( $util.authType() == \\"User Pool Authorization\\" )
#if( !$isAuthorized )
#set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#if( $ownerEntity0 == $ownerClaim0 )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") )
#set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#set( $ownerClaim0 = \\"$ownerClaim0::$currentClaim1\\" )
#set( $ownerClaimsList0 = [] )
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\")))
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\"))))
#if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
#set( $isAuthorized = true )
#end
#end
Expand Down Expand Up @@ -48,8 +53,13 @@ exports[`generates field resolver for other provider rules even if private remov
#if( $util.authType() == \\"User Pool Authorization\\" )
#if( !$isAuthorized )
#set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#if( $ownerEntity0 == $ownerClaim0 )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") )
#set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#set( $ownerClaim0 = \\"$ownerClaim0::$currentClaim1\\" )
#set( $ownerClaimsList0 = [] )
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\")))
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\"))))
#if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
#set( $isAuthorized = true )
#end
#end
Expand Down Expand Up @@ -139,8 +149,13 @@ exports[`subscription disabled and userPools configured with non-nullable (requi
#if( $util.authType() == \\"User Pool Authorization\\" )
#if( !$isAuthorized )
#set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#if( $ownerEntity0 == $ownerClaim0 )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") )
#set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#set( $ownerClaim0 = \\"$ownerClaim0::$currentClaim1\\" )
#set( $ownerClaimsList0 = [] )
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\")))
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\"))))
#if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
#set( $isAuthorized = true )
#end
#end
Expand Down Expand Up @@ -177,11 +192,213 @@ $util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}})
exports[`subscription disabled and userPools configured with nullable fields top level private and field level owner auth generates field resolver for field with expected owner claim 1`] = `
"## [Start] Field Authorization Steps. **
#set( $isAuthorized = false )
#if( $util.authType() == \\"User Pool Authorization\\" )
#if( !$isAuthorized )
#set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") )
#set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#set( $ownerClaim0 = \\"$ownerClaim0::$currentClaim1\\" )
#set( $ownerClaimsList0 = [] )
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\")))
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\"))))
#if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
#set( $isAuthorized = true )
#end
#end
#end
#if( !$isAuthorized )
$util.unauthorized()
#end
$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}})
## [End] Field Authorization Steps. **"
`;

exports[`with identity claim feature flag disabled does not generate field resolvers when private rule takes precedence over provider-related rules 1`] = `
"## [Start] Field Authorization Steps. **
#set( $isAuthorized = false )
#if( $util.authType() == \\"IAM Authorization\\" )
$util.unauthorized()
#end
#if( $util.authType() == \\"User Pool Authorization\\" )
#if( !$isAuthorized )
#set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#set( $ownerClaimsList0 = [] )
#if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
#set( $isAuthorized = true )
#end
#end
#end
#if( !$isAuthorized )
$util.unauthorized()
#end
$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}})
## [End] Field Authorization Steps. **"
`;

exports[`with identity claim feature flag disabled does not generate field resolvers when private rule takes precedence over provider-related rules 2`] = `
"## [Start] Checking for allowed operations which can return this field. **
#set( $operation = $util.defaultIfNull($ctx.source.get(\\"__operation\\"), null) )
#if( $operation == \\"Mutation\\" )
$util.toJson(null)
#else
$util.toJson($context.source.ssn)
#end
## [End] Checking for allowed operations which can return this field. **"
`;

exports[`with identity claim feature flag disabled error on non null fields which need resolvers 1`] = `"Because \\"Post\\" has a field-level authorization rule and subscriptions are enabled, you need to either apply field-level authorization rules to all required fields where all rules have read access [\\"id\\",\\"name\\",\\"ssn\\"], make those fields nullable, or disable subscriptions for \\"Post\\" (setting level to off or public)."`;

exports[`with identity claim feature flag disabled generates field resolver for other provider rules even if private removes all provided-related rules 1`] = `
"## [Start] Field Authorization Steps. **
#set( $isAuthorized = false )
#if( $util.authType() == \\"IAM Authorization\\" )
#if( !$isAuthorized )
#if( $ctx.identity.userArn == $ctx.stash.authRole )
#set( $isAuthorized = true )
#end
#end
#end
#if( $util.authType() == \\"User Pool Authorization\\" )
#if( !$isAuthorized )
#set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#set( $ownerClaimsList0 = [] )
#if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
#set( $isAuthorized = true )
#end
#end
#end
#if( !$isAuthorized )
$util.unauthorized()
#end
$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}})
## [End] Field Authorization Steps. **"
`;

exports[`with identity claim feature flag disabled generates field resolver for other provider rules even if private removes all provided-related rules 2`] = `
"## [Start] Checking for allowed operations which can return this field. **
#set( $operation = $util.defaultIfNull($ctx.source.get(\\"__operation\\"), null) )
#if( $operation == \\"Mutation\\" )
$util.toJson(null)
#else
$util.toJson($context.source.ssn)
#end
## [End] Checking for allowed operations which can return this field. **"
`;

exports[`with identity claim feature flag disabled per-field @auth without @model 1`] = `
Object {
"Properties": Object {
"Description": "",
"Path": "/",
"PolicyDocument": Object {
"Statement": Array [
Object {
"Action": "appsync:GraphQL",
"Effect": "Allow",
"Resource": Object {
"Fn::Sub": Array [
"arn:aws:appsync:\${AWS::Region}:\${AWS::AccountId}:apis/\${apiId}/types/\${typeName}/fields/\${fieldName}",
Object {
"apiId": Object {
"Fn::GetAtt": Array [
"GraphQLAPI",
"ApiId",
],
},
"fieldName": "listContext",
"typeName": "Query",
},
],
},
},
],
"Version": "2012-10-17",
},
"Roles": Array [
Object {
"Ref": "authRoleName",
},
],
},
"Type": "AWS::IAM::ManagedPolicy",
}
`;

exports[`with identity claim feature flag disabled subscription disabled and userPools configured with non-nullable (required) fields top level private and field level group auth generates field resolver for required field with expected group role 1`] = `
"## [Start] Field Authorization Steps. **
#set( $isAuthorized = false )
#if( $util.authType() == \\"User Pool Authorization\\" )
#if( !$isAuthorized )
#set( $staticGroupRoles = [{\\"claim\\":\\"cognito:groups\\",\\"entity\\":\\"admin\\"}] )
#foreach( $groupRole in $staticGroupRoles )
#set( $groupsInToken = $util.defaultIfNull($ctx.identity.claims.get($groupRole.claim), []) )
#if( $groupsInToken.contains($groupRole.entity) )
#set( $isAuthorized = true )
#break
#end
#end
#end
#end
#if( !$isAuthorized )
$util.unauthorized()
#end
$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}})
## [End] Field Authorization Steps. **"
`;

exports[`with identity claim feature flag disabled subscription disabled and userPools configured with non-nullable (required) fields top level private and field level owner auth generates field resolver for required field with expected owner claim 1`] = `
"## [Start] Field Authorization Steps. **
#set( $isAuthorized = false )
#if( $util.authType() == \\"User Pool Authorization\\" )
#if( !$isAuthorized )
#set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#set( $ownerClaimsList0 = [] )
#if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
#set( $isAuthorized = true )
#end
#end
#end
#if( !$isAuthorized )
$util.unauthorized()
#end
$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}})
## [End] Field Authorization Steps. **"
`;

exports[`with identity claim feature flag disabled subscription disabled and userPools configured with nullable fields top level private and field level group auth generates field resolver for field with expected group roles 1`] = `
"## [Start] Field Authorization Steps. **
#set( $isAuthorized = false )
#if( $util.authType() == \\"User Pool Authorization\\" )
#if( !$isAuthorized )
#set( $staticGroupRoles = [{\\"claim\\":\\"cognito:groups\\",\\"entity\\":\\"admin\\"}] )
#foreach( $groupRole in $staticGroupRoles )
#set( $groupsInToken = $util.defaultIfNull($ctx.identity.claims.get($groupRole.claim), []) )
#if( $groupsInToken.contains($groupRole.entity) )
#set( $isAuthorized = true )
#break
#end
#end
#end
#end
#if( !$isAuthorized )
$util.unauthorized()
#end
$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}})
## [End] Field Authorization Steps. **"
`;

exports[`with identity claim feature flag disabled subscription disabled and userPools configured with nullable fields top level private and field level owner auth generates field resolver for field with expected owner claim 1`] = `
"## [Start] Field Authorization Steps. **
#set( $isAuthorized = false )
#if( $util.authType() == \\"User Pool Authorization\\" )
#if( !$isAuthorized )
#set( $ownerEntity0 = $util.defaultIfNull($ctx.source.owner, null) )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) )
#if( $ownerEntity0 == $ownerClaim0 )
#set( $ownerClaimsList0 = [] )
#if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
#set( $isAuthorized = true )
#end
#end