import {
bool,
compoundExpression,
equals,
Expression,
iff,
methodCall,
not,
ref,
set,
str,
nul,
printBlock,
} from 'graphql-mapping-template';
import { COGNITO_AUTH_TYPE, ConfiguredAuthProviders, IS_AUTHORIZED_FLAG, OIDC_AUTH_TYPE, RoleDefinition, splitRoles } from '../utils';
import {
generateStaticRoleExpression,
getOwnerClaim,
apiKeyExpression,
iamExpression,
lambdaExpression,
emptyPayload,
setHasAuthExpression,
} from './helpers';
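/**
 * Builds the owner-rule checks evaluated when a subscription is authorized
 * through a Cognito User Pools or OIDC identity.
 *
 * Only roles with `strategy === 'owner'` contribute; any other role in
 * `roles` is skipped here. For each owner role the generated VTL, guarded by
 * `!$isAuthorized` so that an earlier match short-circuits later checks:
 *   1. reads the owner value the subscriber passed as a resolver argument
 *      (`$ctx.args.<entity>`, defaulting to null when the argument is absent),
 *   2. reads the caller's owner claim via `getOwnerClaim(role.claim)`,
 *   3. sets `$isAuthorized = true` only when the two values are equal.
 *
 * @param roles - The dynamic (owner) roles for one auth provider.
 * @returns One `iff` expression per owner role, in input order; empty when
 *   there are no owner roles. The numeric suffix of the generated
 *   `ownerEntityN` / `ownerClaimN` variables is the role's index in `roles`,
 *   so suffixes need not be contiguous.
 */
const dynamicRoleExpression = (roles: Array<RoleDefinition>): Array<Expression> => {
  const ownerChecks: Array<Expression> = [];
  // We only check against owner rules which are not list fields.
  roles.forEach((role, idx) => {
    if (role.strategy !== 'owner') {
      return;
    }
    // Owner rules are assumed to carry both `entity` and `claim` (the
    // non-null assertions rely on the transformer populating them) — TODO
    // confirm; a missing entity would make the template read
    // `ctx.args.undefined` for the owner value.
    ownerChecks.push(
      iff(
        not(ref(IS_AUTHORIZED_FLAG)),
        compoundExpression([
          set(ref(`ownerEntity${idx}`), methodCall(ref('util.defaultIfNull'), ref(`ctx.args.${role.entity!}`), nul())),
          set(ref(`ownerClaim${idx}`), getOwnerClaim(role.claim!)),
          // NOTE(review): when the subscriber omits the argument, ownerEntityN
          // is null. Whether an absent claim could also resolve to null (and
          // the two then compare equal in VTL) depends on getOwnerClaim's
          // null handling, which is not visible here — confirm it never
          // yields null.
          iff(equals(ref(`ownerEntity${idx}`), ref(`ownerClaim${idx}`)), set(ref(IS_AUTHORIZED_FLAG), bool(true))),
        ]),
      ),
    );
  });
  // The previous `[...(len > 0 ? arr : [])]` was a no-op copy; the array is
  // already empty when no owner roles exist.
  return ownerChecks;
};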
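/**
 * Generates the VTL "Authorization Steps" block for a subscription resolver.
 *
 * The block is written to fail closed: `$isAuthorized` starts as `false`,
 * the final step calls `util.unauthorized()` whenever it is still `false`,
 * and the only assignment visible in this file sets it to `true` after a
 * matching owner rule. The provider helpers (`apiKeyExpression`,
 * `lambdaExpression`, `iamExpression`, `generateStaticRoleExpression`) are
 * assumed to follow the same convention — confirm in `./helpers`.
 *
 * The User Pools and OIDC branches are each gated on `util.authType()`, so at
 * most one of them runs for a given request; the other branches are emitted
 * unconditionally whenever the provider is configured.
 *
 * @param providers - Which auth providers the API is configured with, plus
 *   the admin-role and identity-pool settings forwarded to `iamExpression`.
 * @param roles - All auth roles on the subscription field; `splitRoles`
 *   partitions them so each branch only sees the roles for its provider.
 * @returns The printed VTL block, terminated by `emptyPayload`.
 */
export const generateAuthExpressionForSubscriptions = (providers: ConfiguredAuthProviders, roles: Array<RoleDefinition>): string => {
  const { cognitoStaticRoles, cognitoDynamicRoles, oidcStaticRoles, oidcDynamicRoles, iamRoles, apiKeyRoles, lambdaRoles } =
    splitRoles(roles);
  // Start from "not authorized"; only a matching rule below may flip the flag.
  const steps: Array<Expression> = [setHasAuthExpression, set(ref(IS_AUTHORIZED_FLAG), bool(false))];
  if (providers.hasApiKey) {
    steps.push(apiKeyExpression(apiKeyRoles));
  }
  if (providers.hasLambda) {
    steps.push(lambdaExpression(lambdaRoles));
  }
  if (providers.hasIAM) {
    steps.push(iamExpression(iamRoles, providers.hasAdminRolesEnabled, providers.adminRoles, providers.identityPoolId));
  }
  if (providers.hasUserPools) {
    steps.push(
      iff(
        equals(ref('util.authType()'), str(COGNITO_AUTH_TYPE)),
        compoundExpression([...generateStaticRoleExpression(cognitoStaticRoles), ...dynamicRoleExpression(cognitoDynamicRoles)]),
      ),
    );
  }
  if (providers.hasOIDC) {
    steps.push(
      iff(
        equals(ref('util.authType()'), str(OIDC_AUTH_TYPE)),
        compoundExpression([...generateStaticRoleExpression(oidcStaticRoles), ...dynamicRoleExpression(oidcDynamicRoles)]),
      ),
    );
  }
  // Deny unless one of the branches above authorized the request.
  steps.push(iff(not(ref(IS_AUTHORIZED_FLAG)), ref('util.unauthorized()')));
  return printBlock('Authorization Steps')(compoundExpression([...steps, emptyPayload]));
};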