From d424d7fe46442d64b508a65b765416433c400743 Mon Sep 17 00:00:00 2001 From: Danielle Adams <6271256+danielleadams@users.noreply.github.com> Date: Thu, 14 Apr 2022 11:13:04 -0400 Subject: [PATCH] Revert "feat: add handling of colon-delimited identity claims to query (#10189)" This reverts commit d7983f411f69e79cbe7508684b31ba9f9f2d9c33. --- .../conflict-resolution.test.ts.snap | 12 +- .../__snapshots__/owner-auth.test.ts.snap | 158 +----------------- .../src/__tests__/owner-auth.test.ts | 30 ---- .../src/graphql-auth-transformer.ts | 55 +----- .../src/resolvers/field.ts | 15 -- .../src/resolvers/index.ts | 6 +- .../src/resolvers/query.ts | 27 +-- ...phql-many-to-many-transformer.test.ts.snap | 12 +- 8 files changed, 27 insertions(+), 288 deletions(-) diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/conflict-resolution.test.ts.snap b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/conflict-resolution.test.ts.snap index 379d0484ec8..93324816890 100644 --- a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/conflict-resolution.test.ts.snap +++ b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/conflict-resolution.test.ts.snap 
@@ -15,9 +15,9 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( $util.authType() == \\"User Pool Authorization\\" ) #if( !$isAuthorized ) #set( $authFilter = [] ) - #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $role0_1 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0_1 }})) + #set( $role0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #if( $role0 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0 }})) #end #if( !$authFilter.isEmpty() ) $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter })) @@ -79,9 +79,9 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( $util.authType() == \\"User Pool Authorization\\" ) #if( !$isAuthorized ) #set( $authFilter = [] ) - #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $role0_1 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0_1 }})) + #set( $role0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #if( $role0 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0 }})) #end #if( !$authFilter.isEmpty() ) $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter })) diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/owner-auth.test.ts.snap b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/owner-auth.test.ts.snap index 5de21ec1e7f..b82a09a28e4 100644 
--- a/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/owner-auth.test.ts.snap +++ b/packages/amplify-graphql-auth-transformer/src/__tests__/__snapshots__/owner-auth.test.ts.snap @@ -89,9 +89,9 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( $util.authType() == \\"User Pool Authorization\\" ) #if( !$isAuthorized ) #set( $authFilter = [] ) - #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $role0_1 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"editors\\": { \\"contains\\": $role0_1 }})) + #set( $role0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #if( $role0 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"editors\\": { \\"contains\\": $role0 }})) #end #if( !$authFilter.isEmpty() ) $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter })) @@ -113,9 +113,9 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( $util.authType() == \\"User Pool Authorization\\" ) #if( !$isAuthorized ) #set( $authFilter = [] ) - #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $role0_1 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"editors\\": { \\"contains\\": $role0_1 }})) + #set( $role0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #if( $role0 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"editors\\": { \\"contains\\": $role0 }})) #end #if( !$authFilter.isEmpty() ) $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter })) 
@@ -196,149 +196,3 @@ $util.unauthorized() $util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}}) ## [End] Authorization Steps. **" `; - -exports[`owner where field is ":" delimited string 1`] = ` -"## [Start] Authorization Steps. ** -$util.qr($ctx.stash.put(\\"hasAuth\\", true)) -#set( $inputFields = $util.parseJson($util.toJson($ctx.args.input.keySet())) ) -#set( $isAuthorized = false ) -#set( $allowedFields = [] ) -#if( $util.authType() == \\"User Pool Authorization\\" ) - #if( !$isAuthorized ) - #set( $ownerEntity0 = $util.defaultIfNull($ctx.args.input.owner, null) ) - #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub:username\\"), \\"___xamznone____\\") ) - #set( $ownerAllowedFields0 = [\\"id\\",\\"title\\",\\"createdAt\\",\\"updatedAt\\"] ) - #set( $isAuthorizedOnAllFields0 = true ) - #if( $ownerClaim0 == $ownerEntity0 ) - #if( $isAuthorizedOnAllFields0 ) - #set( $isAuthorized = true ) - #else - $util.qr($allowedFields.addAll($ownerAllowedFields0)) - #end - #end - #if( $util.isNull($ownerEntity0) && !$ctx.args.input.containsKey(\\"owner\\") ) - $util.qr($ctx.args.input.put(\\"owner\\", $ownerClaim0)) - #if( $isAuthorizedOnAllFields0 ) - #set( $isAuthorized = true ) - #else - $util.qr($allowedFields.addAll($ownerAllowedFields0)) - #end - #end - #end -#end -#if( !$isAuthorized && $allowedFields.isEmpty() ) -$util.unauthorized() -#end -#if( !$isAuthorized ) - #set( $deniedFields = $util.list.copyAndRemoveAll($inputFields, $allowedFields) ) - #if( $deniedFields.size() > 0 ) - $util.error(\\"Unauthorized on \${deniedFields}\\", \\"Unauthorized\\") - #end -#end -$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}}) -## [End] Authorization Steps. **" -`; - -exports[`owner where field is ":" delimited string 2`] = ` -"## [Start] Get Request template. 
** -#set( $GetRequest = { - \\"version\\": \\"2018-05-29\\", - \\"operation\\": \\"GetItem\\" -} ) -#if( $ctx.stash.metadata.modelObjectKey ) - #set( $key = $ctx.stash.metadata.modelObjectKey ) -#else - #set( $key = { - \\"id\\": $util.dynamodb.toDynamoDB($ctx.args.input.id) -} ) -#end -$util.qr($GetRequest.put(\\"key\\", $key)) -$util.toJson($GetRequest) -## [End] Get Request template. **" -`; - -exports[`owner where field is ":" delimited string 3`] = ` -"## [Start] Get Request template. ** -#set( $GetRequest = { - \\"version\\": \\"2018-05-29\\", - \\"operation\\": \\"GetItem\\" -} ) -#if( $ctx.stash.metadata.modelObjectKey ) - #set( $key = $ctx.stash.metadata.modelObjectKey ) -#else - #set( $key = { - \\"id\\": $util.dynamodb.toDynamoDB($ctx.args.input.id) -} ) -#end -$util.qr($GetRequest.put(\\"key\\", $key)) -$util.toJson($GetRequest) -## [End] Get Request template. **" -`; - -exports[`owner where field is ":" delimited string 4`] = ` -"## [Start] Authorization Steps. ** -$util.qr($ctx.stash.put(\\"hasAuth\\", true)) -#set( $isAuthorized = false ) -#set( $primaryFieldMap = {} ) -#if( $util.authType() == \\"User Pool Authorization\\" ) - #if( !$isAuthorized ) - #set( $authFilter = [] ) - #set( $role0_0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $ownerPrefix0_0 = \\"$role0_0:\\" ) - #if( $role0_0 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"owner\\": { \\"beginsWith\\": $ownerPrefix0_0 }})) - #end - #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerPrefix0_1 = \\"$role0_1:\\" ) - #if( $role0_1 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"owner\\": { \\"beginsWith\\": $ownerPrefix0_1 }})) - #end - #set( $role0_2 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub:username\\"), \\"___xamznone____\\") ) - #if( $role0_2 != \\"___xamznone____\\" ) - 
$util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0_2 }})) - #end - #if( !$authFilter.isEmpty() ) - $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter })) - #end - #end -#end -#if( !$isAuthorized && $util.isNull($ctx.stash.authFilter) ) -$util.unauthorized() -#end -$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}}) -## [End] Authorization Steps. **" -`; - -exports[`owner where field is ":" delimited string 5`] = ` -"## [Start] Authorization Steps. ** -$util.qr($ctx.stash.put(\\"hasAuth\\", true)) -#set( $isAuthorized = false ) -#set( $primaryFieldMap = {} ) -#if( $util.authType() == \\"User Pool Authorization\\" ) - #if( !$isAuthorized ) - #set( $authFilter = [] ) - #set( $role0_0 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub\\"), \\"___xamznone____\\") ) - #set( $ownerPrefix0_0 = \\"$role0_0:\\" ) - #if( $role0_0 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"owner\\": { \\"beginsWith\\": $ownerPrefix0_0 }})) - #end - #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #set( $ownerPrefix0_1 = \\"$role0_1:\\" ) - #if( $role0_1 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"owner\\": { \\"beginsWith\\": $ownerPrefix0_1 }})) - #end - #set( $role0_2 = $util.defaultIfNull($ctx.identity.claims.get(\\"sub:username\\"), \\"___xamznone____\\") ) - #if( $role0_2 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0_2 }})) - #end - #if( !$authFilter.isEmpty() ) - $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter })) - #end - #end -#end -#if( !$isAuthorized && $util.isNull($ctx.stash.authFilter) ) -$util.unauthorized() -#end -$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}}) -## [End] Authorization Steps. **" -`; 
diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/owner-auth.test.ts b/packages/amplify-graphql-auth-transformer/src/__tests__/owner-auth.test.ts index a172618b970..600c25a1d6b 100644 --- a/packages/amplify-graphql-auth-transformer/src/__tests__/owner-auth.test.ts +++ b/packages/amplify-graphql-auth-transformer/src/__tests__/owner-auth.test.ts @@ -64,36 +64,6 @@ test('owner field where the field is a list', () => { expect(out.resolvers['Query.listPosts.auth.1.req.vtl']).toMatchSnapshot(); }); -test('owner where field is ":" delimited string', () => { - const authConfig: AppSyncAuthConfiguration = { - defaultAuthentication: { - authenticationType: 'AMAZON_COGNITO_USER_POOLS', - }, - additionalAuthenticationProviders: [], - }; - const validSchema = ` - type Post @model @auth(rules: [{allow: owner, identityClaim: "sub:username" }]) { - id: ID! - title: String! - createdAt: String - updatedAt: String - }`; - const transformer = new GraphQLTransform({ - authConfig, - transformers: [new ModelTransformer(), new AuthTransformer()], - }); - const out = transformer.transform(validSchema); - expect(out).toBeDefined(); - expect(out.rootStack.Resources[ResourceConstants.RESOURCES.GraphQLAPILogicalID].Properties.AuthenticationType).toEqual( - 'AMAZON_COGNITO_USER_POOLS', - ); - expect(out.resolvers['Mutation.createPost.auth.1.req.vtl']).toMatchSnapshot(); - expect(out.resolvers['Mutation.updatePost.auth.1.req.vtl']).toMatchSnapshot(); - expect(out.resolvers['Mutation.deletePost.auth.1.req.vtl']).toMatchSnapshot(); - expect(out.resolvers['Query.getPost.auth.1.req.vtl']).toMatchSnapshot(); - expect(out.resolvers['Query.listPosts.auth.1.req.vtl']).toMatchSnapshot(); -}); - test('owner field with subscriptions', () => { const authConfig: AppSyncAuthConfiguration = { defaultAuthentication: { 
diff --git a/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts b/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts
index 1383286f3d3..c496187fbbc 100644
--- a/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts
+++ b/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts
@@ -58,7 +58,6 @@ import {
   setDeniedFieldFlag,
   generateAuthExpressionForRelationQuery,
   generateSandboxExpressionForField,
-  generateFieldResolverForOwner,
 } from './resolvers';
 import { AccessControlMatrix } from './accesscontrol';
 import {
@@ -305,9 +304,7 @@ export class AuthTransformer extends TransformerAuthBase implements TransformerA
       const def = context.output.getObject(modelName)!;
       const modelNameConfig = this.modelDirectiveConfig.get(modelName);
       const searchableDirective = def.directives.find(dir => dir.name.value === 'searchable');
-      const readRoles = acm.getRolesPerOperation('read');
-      const roleDefinitions = readRoles.map(role => this.roleMap.get(role)!);
-
+      // queries
       const queryFields = getQueryFieldNames(this.modelDirectiveConfig.get(modelName)!);
       queryFields.forEach(query => {
         switch (query.type) {
@@ -340,6 +337,7 @@ export class AuthTransformer extends TransformerAuthBase implements TransformerA
       // get fields specified in the schema
       // if there is a role that does not have read access on the field then we create a field resolver
       // or there is a relational directive on the field then we should protect that as well
+      const readRoles = acm.getRolesPerOperation('read');
       const modelFields = def.fields?.filter(f => acm.hasResource(f.name.value)) ?? [];
       const errorFields = new Array();
       modelFields.forEach(field => {
@@ -381,18 +379,14 @@ export class AuthTransformer extends TransformerAuthBase implements TransformerA }); const subscriptionFieldNames = getSubscriptionFieldNames(this.modelDirectiveConfig.get(modelName)!); - const subscriptionRoles = roleDefinitions + const subscriptionRoles = acm + .getRolesPerOperation('read') + .map(role => this.roleMap.get(role)!) // for subscriptions we only use static rules or owner rule where the field is not a list .filter(roleDef => (roleDef.strategy === 'owner' && !fieldIsList(def.fields ?? [], roleDef.entity!)) || roleDef.static); subscriptionFieldNames.forEach(subscription => { this.protectSubscriptionResolver(context, subscription.typeName, subscription.fieldName, subscriptionRoles); }); - - roleDefinitions.forEach(role => { - if (role.strategy === 'owner') { - this.addFieldResolverForDynamicAuth(context, def, modelName, role.entity); - } - }); }); this.authNonModelConfig.forEach((acm, typeFieldName) => { 
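Review bot: The new `acm.getRolesPerOperation('read').map(role => this.roleMap.get(role)!)` recomputes the read-role list that the `readRoles` constant restored a few lines earlier in the same method (hunk `@@ -340`) already holds, so the two lists can drift if either is later filtered or reordered. If `readRoles` is in scope here — it appears to be declared in the same per-model callback, which starts and ends outside this hunk — `const subscriptionRoles = readRoles.map(role => this.roleMap.get(role)!)` keeps them in sync and avoids the second ACM walk. The non-null assertion on `roleMap.get` means a role that is present in the ACM but missing from `roleMap` surfaces as a TypeError on `roleDef.strategy` inside the `.filter` callback rather than as a clear transform error; dropping `undefined` entries before reading `.strategy`, or throwing an error that names the role, would make that misconfiguration diagnosable.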
@@ -403,45 +397,6 @@ export class AuthTransformer extends TransformerAuthBase implements TransformerA }); }; - addFieldResolverForDynamicAuth = ( - ctx: TransformerContextProvider, - def: ObjectTypeDefinitionNode, - typeName: string, - fieldName: string, - ): void => { - let resolver = ctx.resolvers.getResolver(typeName, fieldName); - - if (resolver) { - resolver.addToSlot( - 'finish', - undefined, - MappingTemplate.s3MappingTemplateFromString( - generateFieldResolverForOwner(fieldName), - `${typeName}.${fieldName}.{slotName}.{slotIndex}.res.vtl`, - ), - ); - } else { - const hasModelDirective = def.directives.some(dir => dir.name.value === 'model'); - const stack = getStackForField(ctx, def, fieldName, hasModelDirective); - - resolver = ctx.resolvers.addResolver( - typeName, - fieldName, - new TransformerResolver( - typeName, - fieldName, - ResolverResourceIDs.ResolverResourceID(typeName, fieldName), - MappingTemplate.s3MappingTemplateFromString('$util.toJson({"version":"2018-05-29","payload":{}})', `${typeName}.${fieldName}.req.vtl`), - MappingTemplate.s3MappingTemplateFromString(generateFieldResolverForOwner(fieldName), `${typeName}.${fieldName}.res.vtl`), - ['init'], - ['finish'], - ), - ); - - resolver.mapToStack(stack); - } - }; - protectSchemaOperations = ( ctx: TransformerTransformSchemaStepContextProvider, def: ObjectTypeDefinitionNode, diff --git a/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts b/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts index 28bfa66db7a..338577dc442 100644 --- a/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts +++ b/packages/amplify-graphql-auth-transformer/src/resolvers/field.ts 
@@ -191,18 +191,3 @@ export const generateSandboxExpressionForField = (sandboxEnabled: boolean): stri
   else exp = methodCall(ref('util.unauthorized'));
   return printBlock(`Sandbox Mode ${sandboxEnabled ? 'Enabled' : 'Disabled'}`)(compoundExpression([exp, toJson(obj({}))]));
 };
-
-/**
- * Creates field resolver for owner
- */
-export const generateFieldResolverForOwner = (entity: string): string => {
-  const expressions: Expression[] = [
-    set(ref('ownerEntities'), ref(`ctx.source.${entity}.split(":")`)),
-    set(ref('ownerEntitiesLastIdx'), raw('$ownerEntities.size() - 1')),
-    set(ref('ownerEntitiesLast'), ref('ownerEntities.get($ownerEntitiesLastIdx)')),
-    qref(methodCall(ref('ctx.source.put'), str(entity), ref('ownerEntitiesLast'))),
-    toJson(ref(`ctx.source.${entity}`)),
-  ];
-
-  return printBlock('Parse owner field auth for Get')(compoundExpression(expressions));
-};
diff --git a/packages/amplify-graphql-auth-transformer/src/resolvers/index.ts b/packages/amplify-graphql-auth-transformer/src/resolvers/index.ts
index 7f820a17f54..ccf1b6ab8e2 100644
--- a/packages/amplify-graphql-auth-transformer/src/resolvers/index.ts
+++ b/packages/amplify-graphql-auth-transformer/src/resolvers/index.ts
@@ -1,7 +1,4 @@
-export {
-  generateAuthExpressionForQueries,
-  generateAuthExpressionForRelationQuery,
-} from './query';
+export { generateAuthExpressionForQueries, generateAuthExpressionForRelationQuery } from './query';
 export { generateAuthExpressionForSearchQueries } from './search';
 export { generateAuthExpressionForCreate } from './mutation.create';
 export { generateAuthExpressionForUpdate } from './mutation.update';
@@ -11,7 +8,6 @@ export {
   generateFieldAuthResponse,
   setDeniedFieldFlag,
   generateSandboxExpressionForField,
-  generateFieldResolverForOwner,
 } from './field';
 export { generateAuthExpressionForSubscriptions } from './subscriptions';
 export { generateAuthRequestExpression } from './helpers';
diff --git a/packages/amplify-graphql-auth-transformer/src/resolvers/query.ts b/packages/amplify-graphql-auth-transformer/src/resolvers/query.ts
index 9c4c9941d09..93bd3f6dd13 100644
--- a/packages/amplify-graphql-auth-transformer/src/resolvers/query.ts
+++ b/packages/amplify-graphql-auth-transformer/src/resolvers/query.ts
@@ -253,8 +253,6 @@ const generateAuthFilter = (roles: Array, fields: ReadonlyArray<
   const groupContainsExpression = new Array();
   if (!(roles.length > 0)) return [];
   /**
-   * if ownerField is a concatenated string (ie. "sub:username")
-   * ownerField: { beginsWith: "sub: "}
    * if ownerField is string
    * ownerField: { eq: "cognito:owner" }
    * if ownerField is a List
@@ -268,32 +266,13 @@ const generateAuthFilter = (roles: Array, fields: ReadonlyArray<
   roles.forEach((role, idx) => {
     const entityIsList = fieldIsList(fields, role.entity);
     if (role.strategy === 'owner') {
-      const claims = role.claim!.split(':');
-      const hasMultiClaims = claims.length > 1 && role.claim !== 'cognito:username';
       const ownerCondition = entityIsList ? 'contains' : 'eq';
-
-      if (hasMultiClaims && !entityIsList) {
-        claims.forEach((claim, secIdx) => {
-          authCollectionExp.push(
-            ...[
-              set(ref(`role${idx}_${secIdx}`), getOwnerClaim(claim)),
-              set(ref(`ownerPrefix${idx}_${secIdx}`), str(`$role${idx}_${secIdx}:`)),
-              iff(
-                notEquals(ref(`role${idx}_${secIdx}`), str(NONE_VALUE)),
-                qref(methodCall(ref('authFilter.add'), raw(`{"${role.entity}": { "beginsWith": $ownerPrefix${idx}_${secIdx} }}`))),
-              ),
-            ],
-          );
-        });
-      }
-      const secIdx = claims.length;
-
       authCollectionExp.push(
         ...[
-          set(ref(`role${idx}_${secIdx}`), getOwnerClaim(role.claim!)),
+          set(ref(`role${idx}`), getOwnerClaim(role.claim!)),
           iff(
-            notEquals(ref(`role${idx}_${secIdx}`), str(NONE_VALUE)),
-            qref(methodCall(ref('authFilter.add'), raw(`{"${role.entity}": { "${ownerCondition}": $role${idx}_${secIdx} }}`))),
+            notEquals(ref(`role${idx}`), str(NONE_VALUE)),
+            qref(methodCall(ref('authFilter.add'), raw(`{"${role.entity}": { "${ownerCondition}": $role${idx} }}`))),
           ),
         ],
       );
diff --git a/packages/amplify-graphql-relational-transformer/src/__tests__/__snapshots__/amplify-graphql-many-to-many-transformer.test.ts.snap b/packages/amplify-graphql-relational-transformer/src/__tests__/__snapshots__/amplify-graphql-many-to-many-transformer.test.ts.snap
index 402be5e60c1..bbdb4ebe478 100644
--- a/packages/amplify-graphql-relational-transformer/src/__tests__/__snapshots__/amplify-graphql-many-to-many-transformer.test.ts.snap
+++ b/packages/amplify-graphql-relational-transformer/src/__tests__/__snapshots__/amplify-graphql-many-to-many-transformer.test.ts.snap
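Review bot: With the `split(':')` handling removed, an `identityClaim` that contains a colon (anything other than the special-cased `cognito:username`) reaches `getOwnerClaim(role.claim!)` whole, so the emitted VTL performs `$ctx.identity.claims.get("sub:username")` — a key that is unlikely to exist in any issued token — leaving `$role0` at the `___xamznone____` sentinel, adding no filter, and letting the template fall through to `$util.unauthorized()` (the check is visible in the removed snapshot: `#if( !$isAuthorized && $util.isNull($ctx.stash.authFilter) )`). That is the fail-closed outcome, and the restored `eq`/`contains` filter is stricter than the reverted `beginsWith` filters, which authorized on a prefix of the stored owner value rather than the whole value; but a schema that still declares `identityClaim: "sub:username"` now fails at runtime with an opaque Unauthorized instead of at transform time. I would either reject composite claims when the rule is parsed or record the limitation beside the `ownerField` comment block in this function, e.g. `// colon-delimited claims (e.g. "sub:username") are not split: the lookup yields the none sentinel and the query is denied`. Note also that `raw()` interpolates `role.entity` into the VTL unescaped, which is acceptable only because it is a schema-declared field name and never request input — a one-line comment saying so would stop a later reader treating it as an injection sink. `generateAuthFilter` starts before this hunk and the `roles.forEach` callback closes after it.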
@@ -2616,9 +2616,9 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( $util.authType() == \\"User Pool Authorization\\" ) #if( !$isAuthorized ) #set( $authFilter = [] ) - #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $role0_1 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0_1 }})) + #set( $role0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #if( $role0 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0 }})) #end #if( !$authFilter.isEmpty() ) $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter })) @@ -2675,9 +2675,9 @@ $util.qr($ctx.stash.put(\\"hasAuth\\", true)) #if( $util.authType() == \\"User Pool Authorization\\" ) #if( !$isAuthorized ) #set( $authFilter = [] ) - #set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) - #if( $role0_1 != \\"___xamznone____\\" ) - $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0_1 }})) + #set( $role0 = $util.defaultIfNull($ctx.identity.claims.get(\\"username\\"), $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:username\\"), \\"___xamznone____\\")) ) + #if( $role0 != \\"___xamznone____\\" ) + $util.qr($authFilter.add({\\"owner\\": { \\"eq\\": $role0 }})) #end #if( !$authFilter.isEmpty() ) $util.qr($ctx.stash.put(\\"authFilter\\", { \\"or\\": $authFilter }))