add unit test

sundersc · Apr 3, 2024 · 2e530a3 · 2e530a3
1 parent 7c2b1c4
commit 2e530a3
Show file tree

Hide file tree

Showing 3 changed files with 290 additions and 2 deletions.
diff --git a/.../amplify-graphql-auth-transformer/src/__tests__/__snapshots__/rds-field-auth.test.ts.snap b/.../amplify-graphql-auth-transformer/src/__tests__/__snapshots__/rds-field-auth.test.ts.snap
@@ -1,5 +1,208 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
+exports[`Verify RDS Model level Auth rules on queries: related models with same groups auth field name but different type should transform correctly 1`] = `
+"## [Start] Authorization rules. **
+$util.qr($ctx.stash.put(\\"hasAuth\\", true))
+#set( $authRules = [] )
+#if( $ctx.stash.adminRoles && $ctx.stash.adminRoles.size() > 0 )
+ $util.qr($authRules.add({
+ \\"provider\\": \\"iam\\",
+ \\"type\\": \\"admin\\",
+ \\"strict\\": false,
+ \\"roles\\": $ctx.stash.adminRoles
+}))
+#end
+$util.qr($authRules.add({
+ \\"type\\": \\"groups\\",
+ \\"provider\\": \\"userPools\\",
+ \\"allowedGroups\\": [\\"Admin\\"],
+ \\"groupClaim\\": \\"cognito:groups\\",
+ \\"allowedFields\\": [\\"id\\", \\"name\\", \\"groupsField\\", \\"profile\\"]
+}))
+$util.qr($authRules.add({
+ \\"type\\": \\"groups\\",
+ \\"provider\\": \\"userPools\\",
+ \\"groupsFieldName\\": \\"groupsField\\",
+ \\"groupsFieldType\\": \\"string\\",
+ \\"groupClaim\\": \\"cognito:groups\\",
+ \\"allowedFields\\": [\\"id\\", \\"name\\", \\"groupsField\\", \\"profile\\"]
+}))
+#set( $authResult = $util.authRules.mutationAuth($authRules, \\"update\\", $ctx.args.input, $ctx.result) )
+#if( !$authResult || ($authResult && !$authResult.authorized) )
+ $util.unauthorized()
+#end
+#if( $authResult && !$util.isNullOrEmpty($authResult.authorizedInput) )
+ #set( $ctx.args.input = $authResult.authorizedInput )
+#end
+$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}})
+## [End] Authorization rules. **"
+`;
+
+exports[`Verify RDS Model level Auth rules on queries: related models with same groups auth field name but different type should transform correctly 2`] = `
+"## [Start] Authorization rules. **
+$util.qr($ctx.stash.put(\\"hasAuth\\", true))
+#set( $authRules = [] )
+#if( $ctx.stash.adminRoles && $ctx.stash.adminRoles.size() > 0 )
+ $util.qr($authRules.add({
+ \\"provider\\": \\"iam\\",
+ \\"type\\": \\"admin\\",
+ \\"strict\\": false,
+ \\"roles\\": $ctx.stash.adminRoles
+}))
+#end
+$util.qr($authRules.add({
+ \\"type\\": \\"groups\\",
+ \\"provider\\": \\"userPools\\",
+ \\"allowedGroups\\": [\\"Admin\\"],
+ \\"groupClaim\\": \\"cognito:groups\\",
+ \\"allowedFields\\": [\\"id\\", \\"name\\", \\"groupsField\\", \\"profile\\"]
+}))
+$util.qr($authRules.add({
+ \\"type\\": \\"groups\\",
+ \\"provider\\": \\"userPools\\",
+ \\"groupsFieldName\\": \\"groupsField\\",
+ \\"groupsFieldType\\": \\"string\\",
+ \\"groupClaim\\": \\"cognito:groups\\",
+ \\"allowedFields\\": [\\"id\\", \\"name\\", \\"groupsField\\", \\"profile\\"]
+}))
+#set( $authResult = $util.authRules.mutationAuth($authRules, \\"delete\\", $ctx.args.input, $ctx.result) )
+#if( !$authResult || ($authResult && !$authResult.authorized) )
+ $util.unauthorized()
+#end
+#if( $authResult && !$util.isNullOrEmpty($authResult.authorizedInput) )
+ #set( $ctx.args.input = $authResult.authorizedInput )
+#end
+$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}})
+## [End] Authorization rules. **"
+`;
+
+exports[`Verify RDS Model level Auth rules on queries: related models with same groups auth field name but different type should transform correctly 3`] = `
+"## [Start] Authorization rules. **
+$util.qr($ctx.stash.put(\\"hasAuth\\", true))
+#set( $authRules = [] )
+#if( $ctx.stash.adminRoles && $ctx.stash.adminRoles.size() > 0 )
+ $util.qr($authRules.add({
+ \\"provider\\": \\"iam\\",
+ \\"type\\": \\"admin\\",
+ \\"strict\\": false,
+ \\"roles\\": $ctx.stash.adminRoles
+}))
+#end
+$util.qr($authRules.add({
+ \\"type\\": \\"groups\\",
+ \\"provider\\": \\"userPools\\",
+ \\"allowedGroups\\": [\\"Admin\\"],
+ \\"groupClaim\\": \\"cognito:groups\\",
+ \\"allowedFields\\": [\\"id\\", \\"details\\", \\"groupsField\\", \\"userId\\", \\"user\\"]
+}))
+$util.qr($authRules.add({
+ \\"type\\": \\"groups\\",
+ \\"provider\\": \\"userPools\\",
+ \\"allowedGroups\\": [\\"Dev\\"],
+ \\"groupClaim\\": \\"cognito:groups\\",
+ \\"allowedFields\\": [\\"id\\", \\"details\\", \\"groupsField\\", \\"userId\\", \\"user\\"]
+}))
+$util.qr($authRules.add({
+ \\"type\\": \\"groups\\",
+ \\"provider\\": \\"userPools\\",
+ \\"groupsFieldName\\": \\"groupsField\\",
+ \\"groupsFieldType\\": \\"string[]\\",
+ \\"groupClaim\\": \\"cognito:groups\\",
+ \\"allowedFields\\": [\\"id\\", \\"details\\", \\"groupsField\\", \\"userId\\", \\"user\\"]
+}))
+#set( $authResult = $util.authRules.mutationAuth($authRules, \\"create\\", $ctx.args.input, null) )
+#if( !$authResult || ($authResult && !$authResult.authorized) )
+ $util.unauthorized()
+#end
+#if( $authResult && !$util.isNullOrEmpty($authResult.authorizedInput) )
+ #set( $ctx.args.input = $authResult.authorizedInput )
+#end
+$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}})
+## [End] Authorization rules. **"
+`;
+
+exports[`Verify RDS Model level Auth rules on queries: related models with same groups auth field name but different type should transform correctly 4`] = `
+"## [Start] Authorization rules. **
+$util.qr($ctx.stash.put(\\"hasAuth\\", true))
+#set( $authRules = [] )
+#if( $ctx.stash.adminRoles && $ctx.stash.adminRoles.size() > 0 )
+ $util.qr($authRules.add({
+ \\"provider\\": \\"iam\\",
+ \\"type\\": \\"admin\\",
+ \\"strict\\": false,
+ \\"roles\\": $ctx.stash.adminRoles
+}))
+#end
+$util.qr($authRules.add({
+ \\"type\\": \\"groups\\",
+ \\"provider\\": \\"userPools\\",
+ \\"allowedGroups\\": [\\"Admin\\"],
+ \\"groupClaim\\": \\"cognito:groups\\"
+}))
+$util.qr($authRules.add({
+ \\"type\\": \\"public\\",
+ \\"provider\\": \\"apiKey\\"
+}))
+$util.qr($authRules.add({
+ \\"type\\": \\"groups\\",
+ \\"provider\\": \\"userPools\\",
+ \\"groupsFieldName\\": \\"groupsField\\",
+ \\"groupsFieldType\\": \\"string[]\\",
+ \\"groupClaim\\": \\"cognito:groups\\"
+}))
+#set( $authResult = $util.authRules.queryAuth($authRules) )
+#if( !$authResult || ($authResult && !$authResult.authorized) )
+ $util.unauthorized()
+#end
+#if( $authResult && !$util.isNullOrEmpty($authResult.authFilter) )
+ #set( $ctx.stash.authFilter = $authResult.authFilter )
+#end
+$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}})
+## [End] Authorization rules. **"
+`;
+
+exports[`Verify RDS Model level Auth rules on queries: related models with same groups auth field name but different type should transform correctly 5`] = `
+"## [Start] Authorization rules. **
+$util.qr($ctx.stash.put(\\"hasAuth\\", true))
+#set( $authRules = [] )
+#if( $ctx.stash.adminRoles && $ctx.stash.adminRoles.size() > 0 )
+ $util.qr($authRules.add({
+ \\"provider\\": \\"iam\\",
+ \\"type\\": \\"admin\\",
+ \\"strict\\": false,
+ \\"roles\\": $ctx.stash.adminRoles
+}))
+#end
+$util.qr($authRules.add({
+ \\"type\\": \\"groups\\",
+ \\"provider\\": \\"userPools\\",
+ \\"allowedGroups\\": [\\"Admin\\"],
+ \\"groupClaim\\": \\"cognito:groups\\"
+}))
+$util.qr($authRules.add({
+ \\"type\\": \\"groups\\",
+ \\"provider\\": \\"userPools\\",
+ \\"allowedGroups\\": [\\"Dev\\"],
+ \\"groupClaim\\": \\"cognito:groups\\"
+}))
+$util.qr($authRules.add({
+ \\"type\\": \\"groups\\",
+ \\"provider\\": \\"userPools\\",
+ \\"groupsFieldName\\": \\"groupsField\\",
+ \\"groupsFieldType\\": \\"string[]\\",
+ \\"groupClaim\\": \\"cognito:groups\\"
+}))
+#set( $authResult = $util.authRules.queryAuth($authRules) )
+#if( !$authResult || ($authResult && !$authResult.authorized) )
+ $util.unauthorized()
+#end
+#if( $authResult && !$util.isNullOrEmpty($authResult.authFilter) )
+ #set( $ctx.stash.authFilter = $authResult.authFilter )
+#end
+$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}})
+## [End] Authorization rules. **"
+`;
+
 exports[`Verify RDS Model level Auth rules on queries: should successfully transform different field auth rules 1`] = `
 "## [Start] Authorization rules. **
 $util.qr($ctx.stash.put(\\"hasAuth\\", true))

diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/rds-field-auth.test.ts b/packages/amplify-graphql-auth-transformer/src/__tests__/rds-field-auth.test.ts
@@ -4,6 +4,7 @@ import { mockSqlDataSourceStrategy, testTransform } from '@aws-amplify/graphql-t
 import { parse } from 'graphql';
 import { AppSyncAuthConfiguration } from '@aws-amplify/graphql-transformer-interfaces';
 import { PrimaryKeyTransformer } from '@aws-amplify/graphql-index-transformer';
+import { BelongsToTransformer, HasOneTransformer } from '@aws-amplify/graphql-relational-transformer';
 import { AuthTransformer } from '../graphql-auth-transformer';
 
 describe('Verify RDS Model level Auth rules on queries:', () => {
@@ -69,4 +70,89 @@ describe('Verify RDS Model level Auth rules on queries:', () => {
  expect(out.resolvers['Post.publicContent.req.vtl']).toMatchSnapshot();
  expect(out.resolvers['Post.publicContent.res.vtl']).toMatchSnapshot();
  });
+
+ it('related models with same groups auth field name but different type should transform correctly', async () => {
+ const validSchema = `
+ type User 
+ @model 
+ @auth(rules: [
+ { allow: groups, groups: ["Admin"] },
+ { allow: public, operations: [get] },
+ { allow: groups, groups: ["Dev"], operations: [read] }
+ { allow: groups, groupsField: "groupsField", operations: [update, delete] }
+ ])
+ {
+ id: String! @primaryKey
+ name: String
+ groupsField: String
+ profile: Profile @hasOne(references: ["userId"])
+ }
+ type Profile 
+ @model 
+ @auth(rules: [
+ { allow: groups, groups: ["Admin"] },
+ { allow: public, operations: [list] },
+ { allow: groups, groups: ["Dev"], operations: [get, create, update, delete] }, 
+ { allow: groups, groupsField: "groupsField", operations: [read, create] }
+ ])
+ {
+ id: String! @primaryKey
+ details: String
+ groupsField: [String]
+ userId: String!
+ user: User @belongsTo(references: ["userId"])
+ }
+ `;
+
+ const authConfig: AppSyncAuthConfiguration = {
+ defaultAuthentication: {
+ authenticationType: 'AMAZON_COGNITO_USER_POOLS',
+ userPoolConfig: {
+ userPoolId: 'TEST_USER_POOL_ID',
+ },
+ },
+ additionalAuthenticationProviders: [
+ {
+ authenticationType: 'API_KEY',
+ },
+ ],
+ };
+
+ const out = testTransform({
+ schema: validSchema,
+ transformers: [
+ new ModelTransformer(),
+ new AuthTransformer(),
+ new PrimaryKeyTransformer(),
+ new HasOneTransformer(),
+ new BelongsToTransformer(),
+ ],
+ dataSourceStrategies: constructDataSourceStrategies(validSchema, mysqlStrategy),
+ authConfig,
+ synthParameters: {
+ identityPoolId: 'TEST_IDENTITY_POOL_ID',
+ },
+ });
+ expect(out).toBeDefined();
+
+ validateModelSchema(parse(out.schema));
+ parse(out.schema);
+
+ // groups field must be of type `string` in the generated `User` resolvers
+ expect(out.resolvers['Mutation.updateUser.auth.1.res.vtl']).toMatchSnapshot();
+ expect(out.resolvers['Mutation.updateUser.auth.1.res.vtl']).toEqual(expect.stringContaining('"groupsFieldType": "string"'));
+
+ expect(out.resolvers['Mutation.deleteUser.auth.1.res.vtl']).toMatchSnapshot();
+ expect(out.resolvers['Mutation.deleteUser.auth.1.res.vtl']).toEqual(expect.stringContaining('"groupsFieldType": "string"'));
+
+ // groups field must be of type `string[]` in the generated `Profile` resolvers
+ expect(out.resolvers['Mutation.createProfile.auth.1.req.vtl']).toMatchSnapshot();
+ expect(out.resolvers['Mutation.createProfile.auth.1.req.vtl']).toEqual(expect.stringContaining('"groupsFieldType": "string[]"'));
+
+ expect(out.resolvers['Query.listProfiles.auth.1.req.vtl']).toMatchSnapshot();
+ expect(out.resolvers['Query.listProfiles.auth.1.req.vtl']).toEqual(expect.stringContaining('"groupsFieldType": "string[]"'));
+
+ expect(out.resolvers['Query.getProfile.auth.1.req.vtl']).toMatchSnapshot();
+ expect(out.resolvers['Query.getProfile.auth.1.req.vtl']).toEqual(expect.stringContaining('"groupsFieldType": "string[]"'));
+ });
 });
diff --git a/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts b/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts
@@ -1148,8 +1148,7 @@ export class AuthTransformer extends TransformerAuthBase implements TransformerA
  default:
  throw new TransformerContractError(`Could not create a role from ${JSON.stringify(rule)}`);
  }
- if (!this.roleMap.has(roleName))
- {
+ if (!this.roleMap.has(roleName)) {
  this.roleMap.set(roleName, roleDefinition);
  }
  acm.setRole({