From a633ee646aa8817540bccc8f8b3ca19df913370f Mon Sep 17 00:00:00 2001 
From: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com> Date: Thu, 26 Sep 2024 10:45:57 -0700 Subject: [PATCH] chore(cognito-identitypool): refactor and remove Digits authentication provider (#31482) ### Issue # (if applicable) N/A ### Reason for this change The authentication providers and their logic in this module have bad code smells, and thus, we have refactored them to bring the module more in line with CDK standards and best practices. In addition, the Digits authentication provider has been deprecated since September 2017, so it has been removed. ### Description of changes * Any modules relating to the Digits auth have been removed, as the service itself is deprecated. * The `IdentityPoolProviders` and `IdentityPoolAuthenticationProviders` interfaces have been merged, as there did not seem to be a reason to keep them separate, aside from differentiating third-party and internal providers. * Some grammar, punctuation, formatting, and capitalization changes ### Description of how you validated changes Unit tests and integration tests have been tweaked only as necessary to confirm these changes. Since they all still pass or show no need to be updated, we can confirm that this refactor does not affect them. The integration test has also been updated to reflect that the previous Google prop for `clientSecret` is deprecated, and use `clientSecretValue` instead. **BREAKING CHANGE**: The `IdentityPoolProviderType.DIGITS` and `IdentityPoolProviderUrl.DIGITS` enum values, and `IdentityPoolDigitsLoginProvider` interface have been removed, as well as the `digits` attribute of the `IdentityPoolAuthenticationProviders` interface. 
### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cognito-identitypool-alpha/README.md | 9 +- .../lib/identitypool-role-attachment.ts | 75 +++--- .../lib/identitypool.ts | 215 +++++++----------- .../test/identitypool.test.ts | 38 +--- .../integ-identitypool.assets.json | 4 +- .../integ-identitypool.template.json | 2 +- .../manifest.json | 2 +- .../integ.identitypool.js.snapshot/tree.json | 2 +- .../test/integ.identitypool.ts | 29 +-- 9 files changed, 139 insertions(+), 237 deletions(-) diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/README.md b/packages/@aws-cdk/aws-cognito-identitypool-alpha/README.md index 85ddb602cd9c1..1b465e96d1276 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/README.md +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/README.md 
@@ -23,8 +23,8 @@ [Amazon Cognito Identity Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html) enable you to grant your users access to other AWS services. Identity Pools are one of the two main components of [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html), which provides authentication, authorization, and -user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through -a third party such as Facebook, Amazon, Google or Apple. +user management for your web and mobile apps. Your users can sign in through a a trusted identity provider, like a user +pool or a SAML 2.0 service, as well as with third party providers such as Facebook, Amazon, Google or Apple. The other main component in Amazon Cognito is [user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html). User Pools are user directories that provide sign-up and sign-in options for your app users. @@ -53,8 +53,9 @@ import { IdentityPool, UserPoolAuthenticationProvider } from '@aws-cdk/aws-cogni ## Identity Pools -Identity pools provide temporary AWS credentials for users who are guests (unauthenticated) and for users who have been -authenticated and received a token. An identity pool is a store of user identity data specific to an account. +Identity pools provide temporary AWS credentials for users who are guests (unauthenticated) and for users who have +authenticated by presenting a token from another identity provider. An identity pool is a store of user identity data +specific to an account. Identity pools can be used in conjunction with Cognito User Pools or by accessing external federated identity providers directly. Learn more at [Amazon Cognito Identity Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html). 
diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool-role-attachment.ts b/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool-role-attachment.ts index 673c1ddf85d97..a61ff5da2b35d 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool-role-attachment.ts +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool-role-attachment.ts @@ -1,28 +1,15 @@ -import { - CfnIdentityPoolRoleAttachment, -} from 'aws-cdk-lib/aws-cognito'; -import { - IRole, -} from 'aws-cdk-lib/aws-iam'; -import { - Resource, - IResource, - Token, -} from 'aws-cdk-lib/core'; -import { - Construct, -} from 'constructs'; -import { - IIdentityPool, - IdentityPoolProviderUrl, -} from './identitypool'; +import { CfnIdentityPoolRoleAttachment } from 'aws-cdk-lib/aws-cognito'; +import { IRole } from 'aws-cdk-lib/aws-iam'; +import { Resource, IResource, Token } from 'aws-cdk-lib/core'; +import { Construct } from 'constructs'; +import { IIdentityPool, IdentityPoolProviderUrl } from './identitypool'; /** * Represents an Identity Pool Role Attachment */ export interface IIdentityPoolRoleAttachment extends IResource { /** - * Id of the Attachments Underlying Identity Pool + * ID of the Attachment's underlying Identity Pool */ readonly identityPoolId: string; } 
@@ -33,47 +20,47 @@ export interface IIdentityPoolRoleAttachment extends IResource { export interface IdentityPoolRoleAttachmentProps { /** - * Id of the Attachments Underlying Identity Pool + * ID of the Attachment's underlying Identity Pool */ readonly identityPool: IIdentityPool; /** - * Default Authenticated (User) Role - * @default - No default authenticated role will be added + * Default authenticated (User) Role + * @default - No default authenticated Role will be added */ readonly authenticatedRole?: IRole; /** - * Default Unauthenticated (Guest) Role - * @default - No default unauthenticated role will be added - */ + * Default unauthenticated (Guest) Role + * @default - No default unauthenticated Role will be added + */ readonly unauthenticatedRole?: IRole; /** * Rules for mapping roles to users - * @default - no Role Mappings + * @default - No role mappings */ readonly roleMappings?: IdentityPoolRoleMapping[]; } /** - * Map roles to users in the identity pool based on claims from the Identity Provider - * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html + * Map roles to users in the Identity Pool based on claims from the Identity Provider + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html */ export interface IdentityPoolRoleMapping { /** - * The url of the provider of for which the role is mapped + * The url of the Provider for which the role is mapped */ readonly providerUrl: IdentityPoolProviderUrl; /** * The key used for the role mapping in the role mapping hash. Required if the providerUrl is a token. - * @default - the provided providerUrl + * @default - The provided providerUrl */ readonly mappingKey?: string; /** - * If true then mapped roles must be passed through the cognito:roles or cognito:preferred_role claims from identity provider. 
+ * If true then mapped roles must be passed through the cognito:roles or cognito:preferred_role claims from Identity Provider. * @see https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#using-tokens-to-assign-roles-to-users * * @default false @@ -88,47 +75,47 @@ export interface IdentityPoolRoleMapping { /** * The claim and value that must be matched in order to assume the role. Required if useToken is false - * @default - No Rule Mapping Rule + * @default - No role mapping rule */ readonly rules?: RoleMappingRule[]; } /** - * Types of matches allowed for Role Mapping + * Types of matches allowed for role mapping */ export enum RoleMappingMatchType { /** - * The Claim from the token must equal the given value in order for a match + * The claim from the token must equal the given value in order for a match */ EQUALS = 'Equals', /** - * The Claim from the token must contain the given value in order for a match + * The claim from the token must contain the given value in order for a match */ CONTAINS = 'Contains', /** - * The Claim from the token must start with the given value in order for a match + * The claim from the token must start with the given value in order for a match */ STARTS_WITH = 'StartsWith', /** - * The Claim from the token must not equal the given value in order for a match + * The claim from the token must not equal the given value in order for a match */ NOTEQUAL = 'NotEqual', } /** - * Represents an Identity Pool Role Attachment Role Mapping Rule + * Represents an Identity Pool Role Attachment role mapping rule */ export interface RoleMappingRule { /** - * The key sent in the token by the federated identity provider. + * The key sent in the token by the federated Identity Provider */ readonly claim: string; /** - * The Role to be assumed when Claim Value is matched. + * The role to be assumed when the claim value is matched */ readonly mappedRole: IRole; 
@@ -138,9 +125,9 @@ export interface RoleMappingRule { readonly claimValue: string; /** - * How to match with the Claim value + * How to match with the claim value * @default RoleMappingMatchType.EQUALS - */ + */ readonly matchType?: RoleMappingMatchType; } @@ -151,7 +138,7 @@ export interface RoleMappingRule { */ export class IdentityPoolRoleAttachment extends Resource implements IIdentityPoolRoleAttachment { /** - * Id of the underlying identity pool + * ID of the underlying Identity Pool */ public readonly identityPoolId: string @@ -176,7 +163,7 @@ export class IdentityPoolRoleAttachment extends Resource implements IIdentityPoo } /** - * Configures Role Mappings for Identity Pool Role Attachment + * Configures role mappings for the Identity Pool Role Attachment */ private configureRoleMappings( ...props: IdentityPoolRoleMapping[] diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts b/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts index c738279822b0a..24a922f3decca 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts 
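Review bot: The context line `public readonly identityPoolId: string` in the `@@ -151,7 +138,7 @@` hunk of identitypool-role-attachment.ts has no terminating semicolon, unlike every other class field visible in this diff, and only ASI makes it parse; since this commit is already a formatting pass over the file, `public readonly identityPoolId: string;` belongs in it. The rest of the `IdentityPoolRoleAttachment` class lies outside the hunk.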
@@ -1,40 +1,16 @@ -import { - CfnIdentityPool, - IUserPool, - IUserPoolClient, -} from 'aws-cdk-lib/aws-cognito'; -import { - IOpenIdConnectProvider, - ISamlProvider, - Role, - FederatedPrincipal, - IRole, -} from 'aws-cdk-lib/aws-iam'; -import { - Resource, - IResource, - Stack, - ArnFormat, - Lazy, - Token, -} from 'aws-cdk-lib/core'; -import { - Construct, -} from 'constructs'; -import { - IdentityPoolRoleAttachment, - IdentityPoolRoleMapping, -} from './identitypool-role-attachment'; -import { - IUserPoolAuthenticationProvider, -} from './identitypool-user-pool-authentication-provider'; +import { CfnIdentityPool, IUserPool, IUserPoolClient } from 'aws-cdk-lib/aws-cognito'; +import { IOpenIdConnectProvider, ISamlProvider, Role, FederatedPrincipal, IRole } from 'aws-cdk-lib/aws-iam'; +import { Resource, IResource, Stack, ArnFormat, Lazy, Token } from 'aws-cdk-lib/core'; +import { Construct } from 'constructs'; +import { IdentityPoolRoleAttachment, IdentityPoolRoleMapping } from './identitypool-role-attachment'; +import { IUserPoolAuthenticationProvider } from './identitypool-user-pool-authentication-provider'; /** - * Represents a Cognito IdentityPool + * Represents a Cognito Identity Pool */ export interface IIdentityPool extends IResource { /** - * The id of the Identity Pool in the format REGION:GUID + * The ID of the Identity Pool in the format REGION:GUID * @attribute */ readonly identityPoolId: string; 
@@ -53,36 +29,36 @@ export interface IIdentityPool extends IResource { } /** - * Props for the IdentityPool construct + * Props for the Identity Pool construct */ export interface IdentityPoolProps { /** * The name of the Identity Pool - * @default - automatically generated name by CloudFormation at deploy time + * @default - Automatically generated name by CloudFormation at deploy time */ readonly identityPoolName?: string; /** - * The Default Role to be assumed by Authenticated Users - * @default - A Default Authenticated Role will be added + * The default Role to be assumed by authenticated users + * @default - A default authenticated Role will be added */ readonly authenticatedRole?: IRole; /** - * The Default Role to be assumed by Unauthenticated Users - * @default - A Default Unauthenticated Role will be added + * The default Role to be assumed by unauthenticated users + * @default - A default unauthenticated Role will be added */ readonly unauthenticatedRole?: IRole; /** - * Wwhether the identity pool supports unauthenticated logins + * Whether the Identity Pool supports unauthenticated logins * @default - false */ readonly allowUnauthenticatedIdentities?: boolean; /** * Rules for mapping roles to users - * @default - no Role Mappings + * @default - no role mappings */ readonly roleMappings?: IdentityPoolRoleMapping[]; @@ -93,7 +69,7 @@ export interface IdentityPoolProps { readonly allowClassicFlow?: boolean; /** - * Authentication providers for using in identity pool. + * Authentication Providers for using in Identity Pool * @default - No Authentication Providers passed directly to Identity Pool */ readonly authenticationProviders?: IdentityPoolAuthenticationProviders; 
@@ -103,56 +79,51 @@ export interface IdentityPoolProps { * Types of Identity Pool Login Providers */ export enum IdentityPoolProviderType { - /** Facebook Provider type */ + /** Facebook provider type */ FACEBOOK = 'Facebook', - /** Google Provider Type */ + /** Google provider type */ GOOGLE = 'Google', - /** Amazon Provider Type */ + /** Amazon provider type */ AMAZON = 'Amazon', - /** Apple Provider Type */ + /** Apple provider type */ APPLE = 'Apple', - /** Twitter Provider Type */ + /** Twitter provider type */ TWITTER = 'Twitter', - /** Digits Provider Type */ - DIGITS = 'Digits', - /** Open Id Provider Type */ + /** Open Id provider type */ OPEN_ID = 'OpenId', - /** Saml Provider Type */ + /** Saml provider type */ SAML = 'Saml', - /** User Pool Provider Type */ + /** User Pool provider type */ USER_POOL = 'UserPool', - /** Custom Provider Type */ + /** Custom provider type */ CUSTOM = 'Custom', } /** - * Keys for Login Providers - correspond to client id's of respective federation identity providers + * Keys for Login Providers - each correspond to the client IDs of their respective federation Identity Providers */ export class IdentityPoolProviderUrl { - /** Facebook Provider Url */ + /** Facebook Provider url */ public static readonly FACEBOOK = new IdentityPoolProviderUrl(IdentityPoolProviderType.FACEBOOK, 'graph.facebook.com'); - /** Google Provider Url */ + /** Google Provider url */ public static readonly GOOGLE = new IdentityPoolProviderUrl(IdentityPoolProviderType.GOOGLE, 'accounts.google.com'); - /** Amazon Provider Url */ + /** Amazon Provider url */ public static readonly AMAZON = new IdentityPoolProviderUrl(IdentityPoolProviderType.AMAZON, 'www.amazon.com'); - /** Apple Provider Url */ + /** Apple Provider url */ public static readonly APPLE = new IdentityPoolProviderUrl(IdentityPoolProviderType.APPLE, 'appleid.apple.com'); - /** Twitter Provider Url */ + /** Twitter Provider url */ public static readonly TWITTER = new 
IdentityPoolProviderUrl(IdentityPoolProviderType.TWITTER, 'api.twitter.com'); - /** Digits Provider Url */ - public static readonly DIGITS = new IdentityPoolProviderUrl(IdentityPoolProviderType.DIGITS, 'www.digits.com'); - - /** OpenId Provider Url */ + /** OpenId Provider url */ public static openId(url: string): IdentityPoolProviderUrl { return new IdentityPoolProviderUrl(IdentityPoolProviderType.OPEN_ID, url); } - /** Saml Provider Url */ + /** Saml Provider url */ public static saml(url: string): IdentityPoolProviderUrl { return new IdentityPoolProviderUrl(IdentityPoolProviderType.SAML, url); } 
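Review bot: The retouched doc comments in this hunk lowercase the acronyms in `/** Saml provider type */`, `/** Open Id provider type */`, `/** Saml Provider url */` and `/** OpenId Provider url */`, which works against the commit's stated goal of consistent capitalization. These are acronyms rather than product names, so `/** SAML provider type */`, `/** OpenID provider type */`, `/** SAML Provider URL */` and `/** OpenID Provider URL */` read correctly and match how the README hunk in this same commit already spells "SAML 2.0". The `userPool` and `custom` factory comments that continue into the next hunk would want the same `URL` spelling.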
@@ -163,152 +134,147 @@ export class IdentityPoolProviderUrl { return new IdentityPoolProviderUrl(IdentityPoolProviderType.USER_POOL, url); } - /** Custom Provider Url */ + /** Custom Provider url */ public static custom(url: string): IdentityPoolProviderUrl { return new IdentityPoolProviderUrl(IdentityPoolProviderType.CUSTOM, url); } constructor( - /** type of Provider Url */ + /** + * The type of Identity Pool Provider + */ public readonly type: IdentityPoolProviderType, - /** value of Provider Url */ + + /** + * The value of the Identity Pool Provider + */ public readonly value: string, ) {} } /** - * Login Provider for Identity Federation using Amazon Credentials + * Login Provider for identity federation using Amazon credentials */ export interface IdentityPoolAmazonLoginProvider { /** - * App Id for Amazon Identity Federation + * App ID for Amazon identity federation */ readonly appId: string; } /** - * Login Provider for Identity Federation using Facebook Credentials + * Login Provider for identity federation using Facebook credentials */ export interface IdentityPoolFacebookLoginProvider { /** - * App Id for Facebook Identity Federation + * App ID for Facebook identity federation */ readonly appId: string; } /** - * Login Provider for Identity Federation using Apple Credentials + * Login Provider for identity federation using Apple credentials */ export interface IdentityPoolAppleLoginProvider { /** - * App Id for Apple Identity Federation - */ + * Services ID for Apple identity federation + */ readonly servicesId: string; } /** - * Login Provider for Identity Federation using Google Credentials + * Login Provider for identity federation using Google credentials */ export interface IdentityPoolGoogleLoginProvider { /** - * App Id for Google Identity Federation + * Client ID for Google identity federation */ readonly clientId: string; } /** - * Login Provider for Identity Federation using Twitter Credentials + * Login Provider for identity federation using 
Twitter credentials */ export interface IdentityPoolTwitterLoginProvider { /** - * App Id for Twitter Identity Federation + * Consumer key for Twitter identity federation */ readonly consumerKey: string; /** - * App Secret for Twitter Identity Federation + * Consumer secret for identity federation */ readonly consumerSecret: string; } /** - * Login Provider for Identity Federation using Digits Credentials - */ -export interface IdentityPoolDigitsLoginProvider extends IdentityPoolTwitterLoginProvider {} - -/** - * External Identity Providers To Connect to User Pools and Identity Pools + * External Authentication Providers for usage in Identity Pool. + * @see https://docs.aws.amazon.com/cognito/latest/developerguide/external-identity-providers.html */ -export interface IdentityPoolProviders { - /** App Id for Facebook Identity Federation +export interface IdentityPoolAuthenticationProviders { + /** + * The Facebook Authentication Provider associated with this Identity Pool * @default - No Facebook Authentication Provider used without OpenIdConnect or a User Pool */ readonly facebook?: IdentityPoolFacebookLoginProvider; - /** Client Id for Google Identity Federation + /** + * The Google Authentication Provider associated with this Identity Pool * @default - No Google Authentication Provider used without OpenIdConnect or a User Pool */ readonly google?: IdentityPoolGoogleLoginProvider; - /** App Id for Amazon Identity Federation + /** + * The Amazon Authentication Provider associated with this Identity Pool * @default - No Amazon Authentication Provider used without OpenIdConnect or a User Pool */ readonly amazon?: IdentityPoolAmazonLoginProvider; - /** Services Id for Apple Identity Federation + /** + * The Apple Authentication Provider associated with this Identity Pool * @default - No Apple Authentication Provider used without OpenIdConnect or a User Pool */ readonly apple?: IdentityPoolAppleLoginProvider; - /** Consumer Key and Secret for Twitter Identity 
Federation + /** + * The Twitter Authentication Provider associated with this Identity Pool * @default - No Twitter Authentication Provider used without OpenIdConnect or a User Pool */ readonly twitter?: IdentityPoolTwitterLoginProvider; - /** Consumer Key and Secret for Digits Identity Federation - * @default - No Digits Authentication Provider used without OpenIdConnect or a User Pool - */ - readonly digits?: IdentityPoolDigitsLoginProvider; -} - -/** -* Authentication providers for using in identity pool. -* @see https://docs.aws.amazon.com/cognito/latest/developerguide/external-identity-providers.html -*/ -export interface IdentityPoolAuthenticationProviders extends IdentityPoolProviders { /** * The User Pool Authentication Providers associated with this Identity Pool - * @default - no User Pools Associated + * @default - no User Pools associated */ readonly userPools?: IUserPoolAuthenticationProvider[]; /** * The OpenIdConnect Provider associated with this Identity Pool * @default - no OpenIdConnectProvider - */ + */ readonly openIdConnectProviders?: IOpenIdConnectProvider[]; /** - * The Security Assertion Markup Language Provider associated with this Identity Pool + * The Security Assertion Markup Language provider associated with this Identity Pool * @default - no SamlProvider - */ + */ readonly samlProviders?: ISamlProvider[]; /** - * The Developer Provider Name to associate with this Identity Pool - * @default - no Custom Provider - */ + * The developer provider name to associate with this Identity Pool + * @default - no custom provider + */ readonly customProvider?: string; } /** * Define a Cognito Identity Pool * - * @resource AWS::Cognito::IdentityPool + * @resource AWS::Cognito::IdentityPool */ export class IdentityPool extends Resource implements IIdentityPool { /** - * Import an existing Identity Pool from its id + * Import an existing Identity Pool from its ID */ public static fromIdentityPoolId(scope: Construct, id: string, identityPoolId: string): 
IIdentityPool { const identityPoolArn = Stack.of(scope).formatArn({ @@ -322,7 +288,7 @@ export class IdentityPool extends Resource implements IIdentityPool { } /** - * Import an existing Identity Pool from its Arn + * Import an existing Identity Pool from its ARN */ public static fromIdentityPoolArn(scope: Construct, id: string, identityPoolArn: string): IIdentityPool { const pool = Stack.of(scope).splitArn(identityPoolArn, ArnFormat.SLASH_RESOURCE_NAME); @@ -355,7 +321,7 @@ export class IdentityPool extends Resource implements IIdentityPool { } /** - * The id of the Identity Pool in the format REGION:GUID + * The ID of the Identity Pool in the format REGION:GUID * @attribute */ public readonly identityPoolId: string; @@ -373,13 +339,13 @@ export class IdentityPool extends Resource implements IIdentityPool { public readonly identityPoolName: string; /** - * Default role for authenticated users + * Default Role for authenticated users */ public readonly authenticatedRole: IRole; /** - * Default role for unauthenticated users - */ + * Default Role for unauthenticated users + */ public readonly unauthenticatedRole: IRole; /** @@ -388,7 +354,7 @@ export class IdentityPool extends Resource implements IIdentityPool { private cognitoIdentityProviders: CfnIdentityPool.CognitoIdentityProviderProperty[] = []; /** - * Running count of added role attachments + * Running count of added Role Attachments */ private roleAttachmentCount: number = 0; 
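Review bot: The new doc comment on `IdentityPoolTwitterLoginProvider.consumerSecret` reads `Consumer secret for identity federation`, dropping the provider name that every sibling field in this hunk keeps (`Consumer key for Twitter identity federation`, `Client ID for Google identity federation`); it should be `* Consumer secret for Twitter identity federation`. This is also the only field in these interfaces that carries a secret while being typed `string`, and a later hunk in this file interpolates it into `supportedLoginProviders`, which (as far as the diff shows) feeds `CfnIdentityPool`; a line such as `* Embedded as a literal in the synthesized template` would let callers decide whether a plain value is acceptable. The merged `IdentityPoolAuthenticationProviders` keeps the `@default - No Facebook Authentication Provider used without OpenIdConnect or a User Pool` wording on each provider, which is hard to parse; `@default - No Facebook Authentication Provider` states the actual default.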
@@ -414,7 +380,6 @@ export class IdentityPool extends Resource implements IIdentityPool { if (authProviders.google) supportedLoginProviders[IdentityPoolProviderUrl.GOOGLE.value] = authProviders.google.clientId; if (authProviders.apple) supportedLoginProviders[IdentityPoolProviderUrl.APPLE.value] = authProviders.apple.servicesId; if (authProviders.twitter) supportedLoginProviders[IdentityPoolProviderUrl.TWITTER.value] = `${authProviders.twitter.consumerKey};${authProviders.twitter.consumerSecret}`; - if (authProviders.digits) supportedLoginProviders[IdentityPoolProviderUrl.DIGITS.value] = `${authProviders.digits.consumerKey};${authProviders.digits.consumerSecret}`; if (!Object.keys(supportedLoginProviders).length) supportedLoginProviders = undefined; const cfnIdentityPool = new CfnIdentityPool(this, 'Resource', { @@ -444,15 +409,11 @@ export class IdentityPool extends Resource implements IIdentityPool { roleMappings: props.roleMappings, }); - // This added by the original author, but it's causing cyclic dependencies. - // Don't know why this was added in the first place, but I'm disabling it for now and if - // no complaints come from this, we're probably safe to remove it altogether. - // attachment.node.addDependency(this); Array.isArray(attachment); } /** - * Add a User Pool to the IdentityPool and configure User Pool Client to handle identities + * Add a User Pool to the Identity Pool and configure the User Pool client to handle identities */ public addUserPoolAuthentication(userPool: IUserPoolAuthenticationProvider): void { const providers = userPool.bind(this, this); @@ -460,8 +421,8 @@ export class IdentityPool extends Resource implements IIdentityPool { } /** - * Adds Role Mappings to Identity Pool - */ + * Add Role Mappings to the Identity Pool + */ public addRoleMappings(...roleMappings: IdentityPoolRoleMapping[]): void { if (!roleMappings || !roleMappings.length) return; this.roleAttachmentCount++; 
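Review bot: The `if (authProviders.twitter)` line kept above the removed Digits line interpolates `authProviders.twitter.consumerSecret`, a plain `string`, into `supportedLoginProviders`, so the Twitter consumer secret is written into the synthesized template in clear text rather than handled as a secret. This same commit moves the integ test from `clientSecret` to `clientSecretValue: SecretValue`, and the library could follow that pattern: a backward-compatible `consumerSecretValue?: SecretValue` on `IdentityPoolTwitterLoginProvider` (touched in the earlier hunk of this file), rendered here via `.unsafeUnwrap()`, would let callers pass a Secrets Manager or SSM reference that resolves at deploy time instead of a literal; `SecretValue` is exported from `aws-cdk-lib/core`, which this file already imports from. If that is out of scope for a refactor, a `// NOTE: consumerSecret is embedded as a literal in the template` comment on this line would at least make the current behaviour visible. The enclosing method (presumably the constructor) starts and ends outside this hunk.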
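Review bot: Removing the commented-out `attachment.node.addDependency(this)` in the `@@ -444,15 +409,11 @@` hunk leaves `Array.isArray(attachment);` behind as a bare no-op whose only apparent purpose was to keep the otherwise-unused `attachment` binding from tripping lint while that dependency was disabled; with the explanatory comment gone it now reads as dead code. Either drop the binding (the `const attachment =` line starts outside this hunk, so the call becomes a bare `new IdentityPoolRoleAttachment(this, ..., { ... });`) or keep a one-line `// Intentionally no addDependency(this): it produced cyclic dependencies` so the reason is not lost. The `@@ -473,15 +434,11 @@` hunk in `addRoleMappings` has the identical leftover and should get the same treatment. The enclosing method starts outside this hunk.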
@@ -473,15 +434,11 @@ export class IdentityPool extends Resource implements IIdentityPool { roleMappings, }); - // This added by the original author, but it's causing cyclic dependencies. - // Don't know why this was added in the first place, but I'm disabling it for now and if - // no complaints come from this, we're probably safe to remove it altogether. - // attachment.node.addDependency(this); Array.isArray(attachment); } /** - * Configure Default Roles For Identity Pool + * Configure default Roles for Identity Pool */ private configureDefaultRole(type: string): IRole { const assumedBy = this.configureDefaultGrantPrincipal(type.toLowerCase()); diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts index d7864e97cfb3f..b44782677274c 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts 
@@ -1,35 +1,9 @@ -import { - Template, -} from 'aws-cdk-lib/assertions'; -import { - UserPool, - UserPoolClient, - UserPoolIdentityProvider, -} from 'aws-cdk-lib/aws-cognito'; -import { - Role, - ServicePrincipal, - ArnPrincipal, - AnyPrincipal, - OpenIdConnectProvider, - SamlProvider, - SamlMetadataDocument, - PolicyStatement, - Effect, - PolicyDocument, -} from 'aws-cdk-lib/aws-iam'; -import { - Fn, - Lazy, - Stack, -} from 'aws-cdk-lib'; -import { - IdentityPool, - IdentityPoolProviderUrl, -} from '../lib/identitypool'; -import { - RoleMappingMatchType, -} from '../lib/identitypool-role-attachment'; +import { Template } from 'aws-cdk-lib/assertions'; +import { UserPool, UserPoolClient, UserPoolIdentityProvider } from 'aws-cdk-lib/aws-cognito'; +import { Role, ServicePrincipal, ArnPrincipal, AnyPrincipal, OpenIdConnectProvider, SamlProvider, SamlMetadataDocument, PolicyStatement, Effect, PolicyDocument } from 'aws-cdk-lib/aws-iam'; +import { Fn, Lazy, Stack } from 'aws-cdk-lib'; +import { IdentityPool, IdentityPoolProviderUrl } from '../lib/identitypool'; +import { RoleMappingMatchType } from '../lib/identitypool-role-attachment'; import { UserPoolAuthenticationProvider } from '../lib/identitypool-user-pool-authentication-provider'; describe('identity pool', () => { diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.assets.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.assets.json index c1102a1836ed7..dc5f0fd790977 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.assets.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.assets.json 
@@ -1,7 +1,7 @@ { "version": "36.0.24", "files": { - "95c3270b9957ed0d53e5665bfe7322f80c61e9fecf25b42cd297caf6bee04ddf": { + "9878ed708b3905cec265bc8f85c35d4d18478d2827955e7de76503c82cf85eda": { "source": { "path": "integ-identitypool.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "95c3270b9957ed0d53e5665bfe7322f80c61e9fecf25b42cd297caf6bee04ddf.json", + "objectKey": "9878ed708b3905cec265bc8f85c35d4d18478d2827955e7de76503c82cf85eda.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.template.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.template.json index a9e51577a8bd5..15a1eceebfaec 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.template.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.template.json @@ -72,7 +72,7 @@ }, "ProviderDetails": { "client_id": "google-client-id", - "client_secret": "google-client-secret", + "client_secret": "google-client-secret-value", "authorize_scopes": "profile" }, "ProviderName": "Google", diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/manifest.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/manifest.json index 143493c68d4b7..8b725a88381ab 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/manifest.json 
@@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/95c3270b9957ed0d53e5665bfe7322f80c61e9fecf25b42cd297caf6bee04ddf.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9878ed708b3905cec265bc8f85c35d4d18478d2827955e7de76503c82cf85eda.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/tree.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/tree.json index 4f98d36a67bea..1ee17be9c7401 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/tree.json @@ -121,7 +121,7 @@ }, "providerDetails": { "client_id": "google-client-id", - "client_secret": "google-client-secret", + "client_secret": "google-client-secret-value", "authorize_scopes": "profile" }, "providerName": "Google", diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.ts b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.ts index 02e2aaa8069ec..26466161d77b8 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.ts +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.ts 
@@ -1,25 +1,8 @@ -import { - UserPool, - UserPoolIdentityProviderGoogle, - UserPoolIdentityProviderAmazon, - ProviderAttribute, - UserPoolClient, -} from 'aws-cdk-lib/aws-cognito'; -import { - Effect, - PolicyStatement, -} from 'aws-cdk-lib/aws-iam'; -import { - App, - Stack, -} from 'aws-cdk-lib'; -import { - IdentityPool, - IdentityPoolProviderUrl, -} from '../lib/identitypool'; -import { - UserPoolAuthenticationProvider, -} from '../lib/identitypool-user-pool-authentication-provider'; +import { UserPool, UserPoolIdentityProviderGoogle, UserPoolIdentityProviderAmazon, ProviderAttribute, UserPoolClient } from 'aws-cdk-lib/aws-cognito'; +import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam'; +import { App, SecretValue, Stack } from 'aws-cdk-lib'; +import { IdentityPool, IdentityPoolProviderUrl } from '../lib/identitypool'; +import { UserPoolAuthenticationProvider } from '../lib/identitypool-user-pool-authentication-provider'; const app = new App(); const stack = new Stack(app, 'integ-identitypool'); @@ -28,7 +11,7 @@ const userPool = new UserPool(stack, 'Pool'); new UserPoolIdentityProviderGoogle(stack, 'PoolProviderGoogle', { userPool, clientId: 'google-client-id', - clientSecret: 'google-client-secret', + clientSecretValue: new SecretValue('google-client-secret-value'), attributeMapping: { givenName: ProviderAttribute.GOOGLE_GIVEN_NAME, familyName: ProviderAttribute.GOOGLE_FAMILY_NAME,
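Review bot: `clientSecretValue: new SecretValue('google-client-secret-value')` builds the secret through the class constructor, whereas `clientSecretValue: SecretValue.unsafePlainText('google-client-secret-value')` is the factory CDK provides for wrapping a literal and makes it explicit at the call site that the value is plaintext; the synthesized snapshot is the same either way, so this is a readability point only. Using the named factory also matches the intent of the `clientSecret` deprecation this hunk is responding to.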