From 26b936afd17600563e7abf207264062a14edd428 Mon Sep 17 00:00:00 2001
From: MURAKAMI Masahiko
Date: Tue, 5 Dec 2023 08:54:53 +0900
Subject: [PATCH 1/2] fix: authRole,unauthRole define resources according to @auth directive operations

---
 .../src/graphql-auth-transformer.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts b/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts
index 0f2b84f23c..bc2ce990e3 100644
--- a/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts
+++ b/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts
@@ -552,12 +552,13 @@ export class AuthTransformer extends TransformerAuthBase implements TransformerA
     const addServiceDirective = (typeName: string, operation: ModelOperation, operationName: string | null = null): void => {
       if (operationName) {
         const includeDefault = this.doesTypeHaveRulesForOperation(acm, operation);
-        const providers = this.getAuthProviders(acm.getRolesPerOperation(operation, operation === 'delete'));
+        const rolesPerOperation = acm.getRolesPerOperation(operation, operation === 'delete');
+        const providers = this.getAuthProviders(rolesPerOperation);
         const operationDirectives = this.getServiceDirectives(providers, includeDefault);
         if (operationDirectives.length > 0) {
           addDirectivesToOperation(ctx, typeName, operationName, operationDirectives);
         }
-        this.addOperationToResourceReferences(typeName, operationName, acm.getRoles());
+        this.addOperationToResourceReferences(typeName, operationName, rolesPerOperation);
       }
     };
     // default model operations

From 812295a7ec193c98746f12aa5001520233698122 Mon Sep 17 00:00:00 2001
From: MURAKAMI Masahiko
Date: Tue, 5 Dec 2023 12:42:49 +0900
Subject: [PATCH 2/2] test: update expected values

---
 .../src/__tests__/amplify-admin-auth.test.ts | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
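Review bot: The switch from `acm.getRoles()` to `rolesPerOperation` in the `addOperationToResourceReferences` call is the least-privilege fix this patch is about, but nothing in the hunk says why the narrower list is the right one, so a later reader comparing it with the directive branch could "restore" the wider list; add `// Scope authRole/unauthRole policy resources to the roles that actually hold this operation, not every role on the type, so the IAM managed policies only grant what the @auth rules allow.` above that call. Note also that this call runs unconditionally while `addDirectivesToOperation` is guarded by `operationDirectives.length > 0`, so when `rolesPerOperation` is empty or contains no IAM-backed role the helper is presumably expected to add nothing — worth confirming, or mirroring the guard (e.g. `if (rolesPerOperation.length > 0)` if it is an array) so an empty role set can never produce a policy resource. The second argument, `operation === 'delete'`, is carried over from the removed line and now also shapes the IAM resource list; its meaning is not visible here, so a named boolean or a one-line comment would help. `addServiceDirective` is nested in a method that starts before the hunk, and the `else` path for a null `operationName` lies outside it.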
diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/amplify-admin-auth.test.ts b/packages/amplify-graphql-auth-transformer/src/__tests__/amplify-admin-auth.test.ts
index 6f76cf381d..d3f6566b85 100644
--- a/packages/amplify-graphql-auth-transformer/src/__tests__/amplify-admin-auth.test.ts
+++ b/packages/amplify-graphql-auth-transformer/src/__tests__/amplify-admin-auth.test.ts
@@ -249,7 +249,19 @@ test('simple model with private IAM auth rule, few operations, and amplify admin
   expect(out.schema).toContain('getPost(id: ID!): Post @aws_iam');
   expect(out.schema).toContain('listPosts(filter: ModelPostFilterInput, limit: Int, nextToken: String): ModelPostConnection @aws_iam');
-
+  const policyResources = _.filter(out.rootStack.Resources, (r) => r.Type === 'AWS::IAM::ManagedPolicy');
+  expect(policyResources).toHaveLength(1);
+  const resources = _.get(policyResources, '[0].Properties.PolicyDocument.Statement[0].Resource');
+  const typeFieldList = _.map(resources, (r) => _.get(r, 'Fn::Sub[1]')).map((r) => `${_.get(r, 'typeName')}.${_.get(r, 'fieldName', '*')}`);
+  expect(typeFieldList).toEqual([
+    'Post.*',
+    'Query.getPost',
+    'Query.listPosts',
+    'Mutation.updatePost',
+    'Subscription.onCreatePost',
+    'Subscription.onUpdatePost',
+    'Subscription.onDeletePost',
+  ]);
   expect(out.resolvers['Mutation.updatePost.auth.1.res.vtl']).toMatchSnapshot();
   expect(out.resolvers['Mutation.updatePost.auth.1.res.vtl']).toContain(
     '#if( ($ctx.identity.userArn == $ctx.stash.authRole) || ($ctx.identity.cognitoIdentityPoolId == $ctx.stash.identityPoolId && $ctx.identity.cognitoIdentityAuthType == "authenticated") )',
@@ -308,9 +320,6 @@ test('simple model with AdminUI enabled should add IAM policy only for fields th
     'Post.*',
     'Query.getPost',
     'Query.listPosts',
-    'Mutation.createPost',
-    'Mutation.updatePost',
-    'Mutation.deletePost',
     'Subscription.onCreatePost',
     'Subscription.onUpdatePost',
     'Subscription.onDeletePost',