fix(graphql-auth-transformer): fixes @auth directives for Admin UI #7035
Conversation
There was a problem hiding this comment.
Doing this change will add this rule {allow: 'private', provider: 'iam'} into operation rules since the split happens after we do the amplify admin check. When passed into the mutation functions it'll add the directive and the policy into the auth role.
Example if you have the following schema
type Post @model @auth(rules: [
{ allow: private, operations: [read, update], provider: iam }]) {
id: ID!
title: String
description: String
createdAt: AWSDateTime
updatedAt: AWSDateTime
}It will generate a policy to allow private (in this case the auth role) access to create a post.
Can we do the admin check in addDirectivesToOperation and add a unit test to verify the policy generation? This way we don't create unwanted policies.
|
Don’t we need that policy to allow the IAM users of the Admin UI to manage content? |
Won't this add the rule and policy if AdminUI is enabled? I think this is fine. |
yuth
force-pushed
the
graphql-auth-transformer/adminui-auth
branch
from
8881592
to
bb98501
Compare
Codecov Report
@@ Coverage Diff @@
## master #7035 +/- ##
==========================================
+ Coverage 52.27% 52.29% +0.01%
==========================================
Files 491 491
Lines 25248 25259 +11
Branches 4952 4961 +9
==========================================
+ Hits 13199 13208 +9
Misses 11097 11097
- Partials 952 954 +2
Continue to review full report at Codecov.
|
Updated the way IAM auth gets added when AdminUI is enabled by ensuring all the the GraphQL operations for all the type get IAM private authroization added and no IAM policy gets added Auth or UnAuth user roles as AdminUI uses a different role to access the types and fields
yuth
force-pushed
the
graphql-auth-transformer/adminui-auth
branch
from
bcd6253
to
e76be9b
Compare
github-actions
bot
added
the
referenced-in-release
|
👋 Hi, this pull request was referenced in the v4.51.0 release! Check out the release notes here https://github.com/aws-amplify/amplify-cli/releases/tag/v4.51.0. |
…ws-amplify#7035) This fixes a scenario in with the Manage - Content section Admin UI no longer functioned in specific scenarios due to authorization errors from the AppSync API. Issue If a user deployed an API with models that had less than full @auth operations directives (blank or ["create", "read", "update, "delete"]], the generated schema would not include the @aws_iam directive on the mutations as needed by the Manage - Content functionality. For instance, if the schema looked like this: type Post @model @auth(rules: [{allow: public, operations: [read, update]}]) { id: ID! title: String! createdAt: String updatedAt: String } The transformed schema would have an update mutation that looked like this updatePost(input: CreatePostInput!): Post instead of what it needed to look like to authenticate properly updatePost(input: CreatePostInput!): Post @aws_api_key @aws_iam' This would ultimately present itself with the Manage - Content section of the Admin UI failing to initialize DataStore or with failures to delete or update objects on the affected data model. Fix Updated the way IAM auth gets added when AdminUI is enabled by ensuring all the the GraphQL operations for all the type get IAM private authroization added. Update the code to ensure no IAM policy gets added Auth or UnAuth user roles since AdminUI uses a different IAM role to access the types and fields Unit tests were added for the affected scenarios. Use cases were also tested by using the development branch CLI to push schema.graphql changes directly to a previously broken app. The Manage - Content section was verified to work.
Description of changes
This fixes a scenario in with the Manage - Content section Admin UI no longer functioned in specific scenarios due to authorization errors from the AppSync API.
Issue
If a user deployed an API with models that had less than full @auth operations directives (blank or ["create", "read", "update, "delete"]], the generated schema would not include the @aws_iam directive on the mutations as needed by the Manage - Content functionality.
For instance, if the schema looked like this:
The transformed schema would have an update mutation that looked like this
updatePost(input: CreatePostInput!): Postinstead of what it needed to look like to authenticate properly
updatePost(input: CreatePostInput!): Post @aws_api_key @aws_iam'This would ultimately present itself with the Manage - Content section of the Admin UI failing to initialize DataStore or with failures to delete or update objects on the affected data model.
Fix
This changes the order in which the directives are transformed, to add the requisite
iam@auth rules to the underlying schema before the rules are split into operations.Because the operation split had been happening before the
iamrule was added, the mutations were ignored when adding proper directives to the transformed schema.Description of how you validated changes
Unit tests were added for the affected scenarios. Use cases were also tested by using the development branch CLI to push schema.graphql changes directly to a previously broken app. The Manage - Content section was verified to work.
Checklist
yarn testpassesBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.