-
Notifications
You must be signed in to change notification settings - Fork 4k
/
Copy pathidentitypool-role-attachment.ts
203 lines (182 loc) · 5.61 KB
/
identitypool-role-attachment.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
import {
CfnIdentityPoolRoleAttachment,
} from '@aws-cdk/aws-cognito';
import {
IRole,
} from '@aws-cdk/aws-iam';
import {
Resource,
IResource,
} from '@aws-cdk/core';
import {
Construct,
} from 'constructs';
import {
IIdentityPool,
IdentityPoolProviderUrl,
} from './identitypool';
/**
* Represents an Identity Pool Role Attachment
*/
export interface IIdentityPoolRoleAttachment extends IResource {
/**
* Id of the Attachments Underlying Identity Pool
*/
readonly identityPoolId: string;
}
/**
* Props for an Identity Pool Role Attachment
*/
export interface IdentityPoolRoleAttachmentProps {
/**
* Id of the Attachments Underlying Identity Pool
*/
readonly identityPool: IIdentityPool;
/**
* Default Authenticated (User) Role
* @default - No default authenticated role will be added
*/
readonly authenticatedRole?: IRole;
/**
* Default Unauthenticated (Guest) Role
* @default - No default unauthenticated role will be added
*/
readonly unauthenticatedRole?: IRole;
/**
* Rules for mapping roles to users
* @default - no Role Mappings
*/
readonly roleMappings?: IdentityPoolRoleMapping[];
}
/**
* Map roles to users in the identity pool based on claims from the Identity Provider
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
*/
export interface IdentityPoolRoleMapping {
/**
* The url of the provider of for which the role is mapped
*/
readonly providerUrl: IdentityPoolProviderUrl;
/**
* If true then mapped roles must be passed through the cognito:roles or cognito:preferred_role claims from identity provider.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#using-tokens-to-assign-roles-to-users
*
* @default false
*/
readonly useToken?: boolean;
/**
* Allow for role assumption when results of role mapping are ambiguous
* @default false - Ambiguous role resolutions will lead to requester being denied
*/
readonly resolveAmbiguousRoles?: boolean;
/**
* The claim and value that must be matched in order to assume the role. Required if useToken is false
* @default - No Rule Mapping Rule
*/
readonly rules?: RoleMappingRule[];
}
/**
* Types of matches allowed for Role Mapping
*/
export enum RoleMappingMatchType {
/**
* The Claim from the token must equal the given value in order for a match
*/
EQUALS = 'Equals',
/**
* The Claim from the token must contain the given value in order for a match
*/
CONTAINS = 'Contains',
/**
* The Claim from the token must start with the given value in order for a match
*/
STARTS_WITH = 'StartsWith',
/**
* The Claim from the token must not equal the given value in order for a match
*/
NOTEQUAL = 'NotEqual',
}
/**
* Represents an Identity Pool Role Attachment Role Mapping Rule
*/
export interface RoleMappingRule {
/**
* The key sent in the token by the federated identity provider.
*/
readonly claim: string;
/**
* The Role to be assumed when Claim Value is matched.
*/
readonly mappedRole: IRole;
/**
* The value of the claim that must be matched
*/
readonly claimValue: string;
/**
* How to match with the Claim value
* @default RoleMappingMatchType.EQUALS
*/
readonly matchType?: RoleMappingMatchType
}
/**
* Defines an Identity Pool Role Attachment
*
* @resource AWS::Cognito::IdentityPoolRoleAttachment
*/
export class IdentityPoolRoleAttachment extends Resource implements IIdentityPoolRoleAttachment {
/**
* Id of the underlying identity pool
*/
public readonly identityPoolId: string
constructor(scope: Construct, id: string, props: IdentityPoolRoleAttachmentProps) {
super(scope, id);
this.identityPoolId = props.identityPool.identityPoolId;
const mappings = props.roleMappings || [];
let roles: any = undefined, roleMappings: any = undefined;
if (props.authenticatedRole || props.unauthenticatedRole) {
roles = {};
if (props.authenticatedRole) roles.authenticated = props.authenticatedRole.roleArn;
if (props.unauthenticatedRole) roles.unauthenticated = props.unauthenticatedRole.roleArn;
}
if (mappings) {
roleMappings = this.configureRoleMappings(...mappings);
}
new CfnIdentityPoolRoleAttachment(this, 'Resource', {
identityPoolId: this.identityPoolId,
roles,
roleMappings,
});
}
/**
* Configures Role Mappings for Identity Pool Role Attachment
*/
private configureRoleMappings(
...props: IdentityPoolRoleMapping[]
): { [name:string]: CfnIdentityPoolRoleAttachment.RoleMappingProperty } | undefined {
if (!props || !props.length) return undefined;
return props.reduce((acc, prop) => {
let roleMapping: any = {
ambiguousRoleResolution: prop.resolveAmbiguousRoles ? 'AuthenticatedRole' : 'Deny',
type: prop.useToken ? 'Token' : 'Rules',
identityProvider: prop.providerUrl.value,
};
if (roleMapping.type === 'Rules') {
if (!prop.rules) {
throw new Error('IdentityPoolRoleMapping.rules is required when useToken is false');
}
roleMapping.rulesConfiguration = {
rules: prop.rules.map(rule => {
return {
claim: rule.claim,
value: rule.claimValue,
matchType: rule.matchType || RoleMappingMatchType.EQUALS,
roleArn: rule.mappedRole.roleArn,
};
}),
};
};
acc[prop.providerUrl.value] = roleMapping;
return acc;
}, {} as { [name:string]: CfnIdentityPoolRoleAttachment.RoleMappingProperty });
}
}