fix: update iam auth to include roles in before template (aws-amplify…

…#8259)
SwaySway · Sep 24, 2021 · 492e3b5 · 492e3b5
1 parent addc28c
commit 492e3b5
Show file tree

Hide file tree

Showing 28 changed files with 344 additions and 237 deletions.
diff --git a/packages/amplify-cli/src/extensions/amplify-helpers/get-api-key-config.ts b/packages/amplify-cli/src/extensions/amplify-helpers/get-api-key-config.ts
@@ -1,5 +1,5 @@
 import { stateManager } from 'amplify-cli-core';
-import { ApiKeyConfig } from '@aws-amplify/graphql-transformer-core';
+import { ApiKeyConfig } from '@aws-amplify/graphql-transformer-interfaces';
 
 export function getAppSyncApiConfig(): any {
   const apiConfig = stateManager.getMeta()?.api;

diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/amplify-admin-auth.test.ts b/packages/amplify-graphql-auth-transformer/src/__tests__/amplify-admin-auth.test.ts
@@ -12,19 +12,19 @@ test('test simple model with public auth rule and amplify admin app is present',
     updatedAt: String
   }`;
   const transformer = new GraphQLTransform({
+    authConfig: {
+      defaultAuthentication: {
+        authenticationType: 'API_KEY',
+      },
+      additionalAuthenticationProviders: [
+        {
+          authenticationType: 'AWS_IAM',
+        },
+      ],
+    },
     transformers: [
       new ModelTransformer(),
       new AuthTransformer({
-        authConfig: {
-          defaultAuthentication: {
-            authenticationType: 'API_KEY',
-          },
-          additionalAuthenticationProviders: [
-            {
-              authenticationType: 'AWS_IAM',
-            },
-          ],
-        },
         addAwsIamAuthInOutputSchema: true,
         adminUserPoolID: 'us-fake-1_uuid',
       }),
@@ -45,15 +45,15 @@ test('Test simple model with public auth rule and amplify admin app is not enabl
       }
       `;
   const transformer = new GraphQLTransform({
+    authConfig: {
+      defaultAuthentication: {
+        authenticationType: 'API_KEY',
+      },
+      additionalAuthenticationProviders: [],
+    },
     transformers: [
       new ModelTransformer(),
       new AuthTransformer({
-        authConfig: {
-          defaultAuthentication: {
-            authenticationType: 'API_KEY',
-          },
-          additionalAuthenticationProviders: [],
-        },
         addAwsIamAuthInOutputSchema: false,
       }),
     ],
@@ -73,19 +73,19 @@ test('Test model with public auth rule without all operations and amplify admin
       }
       `;
   const transformer = new GraphQLTransform({
+    authConfig: {
+      defaultAuthentication: {
+        authenticationType: 'API_KEY',
+      },
+      additionalAuthenticationProviders: [
+        {
+          authenticationType: 'AWS_IAM',
+        },
+      ],
+    },
     transformers: [
       new ModelTransformer(),
       new AuthTransformer({
-        authConfig: {
-          defaultAuthentication: {
-            authenticationType: 'API_KEY',
-          },
-          additionalAuthenticationProviders: [
-            {
-              authenticationType: 'AWS_IAM',
-            },
-          ],
-        },
         addAwsIamAuthInOutputSchema: true,
         adminUserPoolID: 'us-fake-1_uuid',
       }),
@@ -99,10 +99,6 @@ test('Test model with public auth rule without all operations and amplify admin
   expect(out.schema).toContain('updatePost(input: UpdatePostInput!, condition: ModelPostConditionInput): Post @aws_api_key @aws_iam');
   expect(out.schema).toContain('deletePost(input: DeletePostInput!, condition: ModelPostConditionInput): Post @aws_api_key @aws_iam');
 
-  // No parameter for Auth and UnAuth policy
-  expect(out.rootStack.Parameters!.authRoleName).toBeUndefined();
-  expect(out.rootStack.Parameters!.unauthRoleName).toBeUndefined();
-
   // No Resource extending Auth and UnAuth role
   const policyResources = Object.values(out.rootStack.Resources!).filter(r => r.Type === 'AWS::IAM::ManagedPolicy');
   expect(policyResources).toHaveLength(0);
@@ -118,19 +114,19 @@ test('Test simple model with private auth rule and amplify admin app is present'
       }
       `;
   const transformer = new GraphQLTransform({
+    authConfig: {
+      defaultAuthentication: {
+        authenticationType: 'AMAZON_COGNITO_USER_POOLS',
+      },
+      additionalAuthenticationProviders: [
+        {
+          authenticationType: 'AWS_IAM',
+        },
+      ],
+    },
     transformers: [
       new ModelTransformer(),
       new AuthTransformer({
-        authConfig: {
-          defaultAuthentication: {
-            authenticationType: 'AMAZON_COGNITO_USER_POOLS',
-          },
-          additionalAuthenticationProviders: [
-            {
-              authenticationType: 'AWS_IAM',
-            },
-          ],
-        },
         addAwsIamAuthInOutputSchema: true,
         adminUserPoolID: 'us-fake-1_uuid',
       }),
@@ -151,19 +147,19 @@ test('Test simple model with private auth rule and amplify admin app not enabled
       }
       `;
   const transformer = new GraphQLTransform({
+    authConfig: {
+      defaultAuthentication: {
+        authenticationType: 'AMAZON_COGNITO_USER_POOLS',
+      },
+      additionalAuthenticationProviders: [
+        {
+          authenticationType: 'AWS_IAM',
+        },
+      ],
+    },
     transformers: [
       new ModelTransformer(),
       new AuthTransformer({
-        authConfig: {
-          defaultAuthentication: {
-            authenticationType: 'AMAZON_COGNITO_USER_POOLS',
-          },
-          additionalAuthenticationProviders: [
-            {
-              authenticationType: 'AWS_IAM',
-            },
-          ],
-        },
         addAwsIamAuthInOutputSchema: false,
       }),
     ],
@@ -183,6 +179,16 @@ test('Test simple model with private auth rule, few operations, and amplify admi
       }
       `;
   const transformer = new GraphQLTransform({
+    authConfig: {
+      defaultAuthentication: {
+        authenticationType: 'AMAZON_COGNITO_USER_POOLS',
+      },
+      additionalAuthenticationProviders: [
+        {
+          authenticationType: 'AWS_IAM',
+        },
+      ],
+    },
     transformers: [
       new ModelTransformer(),
       new AuthTransformer({
@@ -214,10 +220,6 @@ test('Test simple model with private auth rule, few operations, and amplify admi
     'deletePost(input: DeletePostInput!, condition: ModelPostConditionInput): Post @aws_iam @aws_cognito_user_pools',
   );
 
-  // No parameter for Auth and UnAuth policy
-  expect(out.rootStack.Parameters!.authRoleName).toBeUndefined();
-  expect(out.rootStack.Parameters!.unauthRoleName).toBeUndefined();
-
   // No Resource extending Auth and UnAuth role
   const policyResources = Object.values(out.rootStack.Resources!).filter(r => r.Type === 'AWS::IAM::ManagedPolicy');
   expect(policyResources).toHaveLength(0);
@@ -233,19 +235,19 @@ test('Test simple model with private IAM auth rule, few operations, and amplify
       }
       `;
   const transformer = new GraphQLTransform({
+    authConfig: {
+      defaultAuthentication: {
+        authenticationType: 'AMAZON_COGNITO_USER_POOLS',
+      },
+      additionalAuthenticationProviders: [
+        {
+          authenticationType: 'AWS_IAM',
+        },
+      ],
+    },
     transformers: [
       new ModelTransformer(),
       new AuthTransformer({
-        authConfig: {
-          defaultAuthentication: {
-            authenticationType: 'AMAZON_COGNITO_USER_POOLS',
-          },
-          additionalAuthenticationProviders: [
-            {
-              authenticationType: 'AWS_IAM',
-            },
-          ],
-        },
         addAwsIamAuthInOutputSchema: false,
       }),
     ],
@@ -273,19 +275,19 @@ test('Test simple model with AdminUI enabled should add IAM policy only for fiel
       }
       `;
   const transformer = new GraphQLTransform({
+    authConfig: {
+      defaultAuthentication: {
+        authenticationType: 'AMAZON_COGNITO_USER_POOLS',
+      },
+      additionalAuthenticationProviders: [
+        {
+          authenticationType: 'AWS_IAM',
+        },
+      ],
+    },
     transformers: [
       new ModelTransformer(),
       new AuthTransformer({
-        authConfig: {
-          defaultAuthentication: {
-            authenticationType: 'AMAZON_COGNITO_USER_POOLS',
-          },
-          additionalAuthenticationProviders: [
-            {
-              authenticationType: 'AWS_IAM',
-            },
-          ],
-        },
         addAwsIamAuthInOutputSchema: true,
         adminUserPoolID: 'us-fake-1_uuid',
       }),

diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/field-auth-argument.test.ts b/packages/amplify-graphql-auth-transformer/src/__tests__/field-auth-argument.test.ts
@@ -1,8 +1,9 @@
 import { AuthTransformer } from '@aws-amplify/graphql-auth-transformer';
 import { ModelTransformer } from '@aws-amplify/graphql-model-transformer';
 import { HasManyTransformer } from '@aws-amplify/graphql-relational-transformer';
-import { GraphQLTransform, AppSyncAuthConfiguration } from '@aws-amplify/graphql-transformer-core';
+import { GraphQLTransform } from '@aws-amplify/graphql-transformer-core';
 import { ResourceConstants } from 'graphql-transformer-common';
+import { AppSyncAuthConfiguration } from '@aws-amplify/graphql-transformer-interfaces';
 
 test('subscriptions are only generated if the respective mutation operation exists', () => {
   const validSchema = `
@@ -40,7 +41,7 @@ test('subscriptions are only generated if the respective mutation operation exis
   expect(out.rootStack.Resources[ResourceConstants.RESOURCES.GraphQLAPILogicalID].Properties.AuthenticationType).toEqual(
     'AMAZON_COGNITO_USER_POOLS',
   );
-  expect(out.resolvers['Salary.secret.res.vtl']).toContain('#if( $operation == "Mutation" )');
+  expect(out.pipelineFunctions['Salary.secret.res.vtl']).toContain('#if( $operation == "Mutation" )');
 
   expect(out.pipelineFunctions['Mutation.createSalary.res.vtl']).toContain('$util.qr($ctx.result.put("__operation", "Mutation"))');
   expect(out.pipelineFunctions['Mutation.updateSalary.res.vtl']).toContain('$util.qr($ctx.result.put("__operation", "Mutation"))');
@@ -111,7 +112,7 @@ test('per-field @auth without @model', () => {
   const resources = out.rootStack.Resources;
   const authPolicyIdx = Object.keys(out.rootStack.Resources).find(r => r.includes('AuthRolePolicy'));
   expect(resources[authPolicyIdx]).toMatchSnapshot();
-  expect(out.resolvers['Query.listContext.req.vtl']).toContain(
+  expect(out.pipelineFunctions['Query.listContext.req.vtl']).toContain(
     '#set( $staticGroupRoles = [{"claim":"cognito:groups","entity":"Allowed"}] )',
   );
 });
diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/group-auth.test.ts b/packages/amplify-graphql-auth-transformer/src/__tests__/group-auth.test.ts
@@ -1,7 +1,8 @@
 import { AuthTransformer } from '@aws-amplify/graphql-auth-transformer';
 import { ModelTransformer } from '@aws-amplify/graphql-model-transformer';
-import { AppSyncAuthConfiguration, GraphQLTransform } from '@aws-amplify/graphql-transformer-core';
+import { GraphQLTransform } from '@aws-amplify/graphql-transformer-core';
 import { ResourceConstants } from 'graphql-transformer-common';
+import { AppSyncAuthConfiguration } from '@aws-amplify/graphql-transformer-interfaces';
 
 test('happy case with static groups', () => {
   const authConfig: AppSyncAuthConfiguration = {

diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/multi-auth.test.ts b/packages/amplify-graphql-auth-transformer/src/__tests__/multi-auth.test.ts
@@ -2,12 +2,8 @@ import { AuthTransformer } from '@aws-amplify/graphql-auth-transformer';
 import { ModelTransformer } from '@aws-amplify/graphql-model-transformer';
 import { IndexTransformer } from '@aws-amplify/graphql-index-transformer';
 import { HasManyTransformer, HasOneTransformer, BelongsToTransformer } from '@aws-amplify/graphql-relational-transformer';
-import {
-  AppSyncAuthConfiguration,
-  AppSyncAuthConfigurationOIDCEntry,
-  AppSyncAuthMode,
-  GraphQLTransform,
-} from '@aws-amplify/graphql-transformer-core';
+import { GraphQLTransform } from '@aws-amplify/graphql-transformer-core';
+import { AppSyncAuthConfiguration, AppSyncAuthConfigurationOIDCEntry, AppSyncAuthMode } from '@aws-amplify/graphql-transformer-interfaces';
 import { DocumentNode, ObjectTypeDefinitionNode, Kind, FieldDefinitionNode, parse, InputValueDefinitionNode } from 'graphql';
 
 const userPoolsDefaultConfig: AppSyncAuthConfiguration = {
@@ -435,10 +431,10 @@ describe('schema generation directive tests', () => {
     // Check that resolvers containing the authMode check block
     const authModeCheckSnippet = '## [Start] Field Authorization Steps. **';
     // resolvers to check is all other resolvers other than protected
-    expect(out.resolvers['Post.id.req.vtl']).toContain(authModeCheckSnippet);
-    expect(out.resolvers['Post.title.req.vtl']).toContain(authModeCheckSnippet);
-    expect(out.resolvers['Post.createdAt.req.vtl']).toContain(authModeCheckSnippet);
-    expect(out.resolvers['Post.updatedAt.req.vtl']).toContain(authModeCheckSnippet);
+    expect(out.pipelineFunctions['Post.id.req.vtl']).toContain(authModeCheckSnippet);
+    expect(out.pipelineFunctions['Post.title.req.vtl']).toContain(authModeCheckSnippet);
+    expect(out.pipelineFunctions['Post.createdAt.req.vtl']).toContain(authModeCheckSnippet);
+    expect(out.pipelineFunctions['Post.updatedAt.req.vtl']).toContain(authModeCheckSnippet);
   });
 
   test(`'groups' @auth at field level is propagated to type and the type related operations`, () => {
@@ -462,10 +458,10 @@ describe('schema generation directive tests', () => {
     const authModeCheckSnippet = '## [Start] Field Authorization Steps. **';
 
     // resolvers to check is all other resolvers other than protected
-    expect(out.resolvers['Post.id.req.vtl']).toContain(authModeCheckSnippet);
-    expect(out.resolvers['Post.title.req.vtl']).toContain(authModeCheckSnippet);
-    expect(out.resolvers['Post.createdAt.req.vtl']).toContain(authModeCheckSnippet);
-    expect(out.resolvers['Post.updatedAt.req.vtl']).toContain(authModeCheckSnippet);
+    expect(out.pipelineFunctions['Post.id.req.vtl']).toContain(authModeCheckSnippet);
+    expect(out.pipelineFunctions['Post.title.req.vtl']).toContain(authModeCheckSnippet);
+    expect(out.pipelineFunctions['Post.createdAt.req.vtl']).toContain(authModeCheckSnippet);
+    expect(out.pipelineFunctions['Post.updatedAt.req.vtl']).toContain(authModeCheckSnippet);
   });
 
   test(`'groups' @auth at field level is propagated to type and the type related operations, also default provider for read`, () => {
@@ -488,10 +484,10 @@ describe('schema generation directive tests', () => {
     const groupCheckSnippet = '#set( $staticGroupRoles = [{"claim":"cognito:groups","entity":"admin"}] )';
 
     // resolvers to check is all other resolvers other than protected by the group rule
-    expect(out.resolvers['Post.id.req.vtl']).toContain(groupCheckSnippet);
-    expect(out.resolvers['Post.title.req.vtl']).toContain(groupCheckSnippet);
-    expect(out.resolvers['Post.createdAt.req.vtl']).toContain(groupCheckSnippet);
-    expect(out.resolvers['Post.updatedAt.req.vtl']).toContain(groupCheckSnippet);
+    expect(out.pipelineFunctions['Post.id.req.vtl']).toContain(groupCheckSnippet);
+    expect(out.pipelineFunctions['Post.title.req.vtl']).toContain(groupCheckSnippet);
+    expect(out.pipelineFunctions['Post.createdAt.req.vtl']).toContain(groupCheckSnippet);
+    expect(out.pipelineFunctions['Post.updatedAt.req.vtl']).toContain(groupCheckSnippet);
   });
 
   test(`Nested types without @model not getting directives applied for iam, and no policy is generated`, () => {

diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/owner-auth.test.ts b/packages/amplify-graphql-auth-transformer/src/__tests__/owner-auth.test.ts
@@ -1,9 +1,10 @@
 import { parse } from 'graphql';
 import { AuthTransformer } from '@aws-amplify/graphql-auth-transformer';
 import { ModelTransformer } from '@aws-amplify/graphql-model-transformer';
-import { AppSyncAuthConfiguration, GraphQLTransform } from '@aws-amplify/graphql-transformer-core';
+import { GraphQLTransform } from '@aws-amplify/graphql-transformer-core';
 import { ResourceConstants } from 'graphql-transformer-common';
 import { getField, getObjectType } from './test-helpers';
+import { AppSyncAuthConfiguration } from '@aws-amplify/graphql-transformer-interfaces';
 
 test('auth transformer validation happy case', () => {
   const authConfig: AppSyncAuthConfiguration = {

diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/searchable-auth.test.ts b/packages/amplify-graphql-auth-transformer/src/__tests__/searchable-auth.test.ts
@@ -1,7 +1,8 @@
 import { AuthTransformer } from '@aws-amplify/graphql-auth-transformer';
 import { ModelTransformer } from '@aws-amplify/graphql-model-transformer';
 import { SearchableModelTransformer } from '@aws-amplify/graphql-searchable-transformer';
-import { AppSyncAuthConfiguration, GraphQLTransform } from '@aws-amplify/graphql-transformer-core';
+import { GraphQLTransform } from '@aws-amplify/graphql-transformer-core';
+import { AppSyncAuthConfiguration } from '@aws-amplify/graphql-transformer-interfaces';
 
 test('auth logic is enabled on owner/static rules in es request', () => {
   const validSchema = `