import { AppSyncAuthConfiguration } from '@aws-amplify/graphql-transformer-interfaces';
/**
 * Who an `@auth` rule admits: the record's owner, members of a group, any
 * signed-in caller (`private`), callers that need not be signed in at all
 * (`public`), or a caller vetted by a custom authorizer (`custom`).
 * `public` is the widest grant in this set — review every occurrence of it.
 */
export type AuthStrategy = 'owner' | 'groups' | 'public' | 'private' | 'custom';
/**
 * The AppSync authorization mode a rule is evaluated under.
 * NOTE(review): `apiKey` is presumably a shared-secret mode with no per-caller
 * identity, so `owner`/`groups` rules only make sense with a token-bearing
 * provider — confirm that the transformer rejects that combination elsewhere.
 */
export type AuthProvider = 'apiKey' | 'iam' | 'oidc' | 'userPools' | 'function';
/** Read-side model resolver kinds. */
export type ModelQuery = 'get' | 'list';
/** Write-side model resolver kinds. */
export type ModelMutation = 'create' | 'update' | 'delete';
/**
 * Operations an `@auth` rule can be narrowed to. The write operations are
 * exactly the mutations; `read` presumably spans both model queries.
 */
export type ModelOperation = ModelMutation | 'read';
/**
 * Mapping used for relational authorization: each entry pairs a token claim
 * with the model field its value is compared against.
 * NOTE(review): the meaning of the map key is inferred from the shape only —
 * verify against the resolver code that consumes this map.
 */
export type RelationalPrimaryMapConfig = Map<string, { claim: string; field: string }>;
/**
 * Names of the resolvers generated for `@searchable` models, so that auth
 * rules can be applied to the search query as well as the model queries.
 */
export interface SearchableConfig {
queries: {
/** Name of the generated search query field. */
search: string;
};
}
/**
 * Options handed to the auth transformer at construction time.
 */
export interface AuthTransformerConfig {
/**
 * API auth configuration forwarded from the transformer core to the
 * directive, mainly during the `before` step.
 */
authConfig?: AppSyncAuthConfiguration;
/**
 * IAM roles that the generated resolver checks let straight through the
 * access-control matrix. For these principals every `@auth` rule is
 * skipped, so treat this as an administrative allow list: keep it to the
 * few deployment/admin roles that genuinely need it and review additions.
 */
adminRoles?: string[];
/**
 * Cognito identity pool consulted by `private`/`public` rules to distinguish
 * authenticated from unauthenticated IAM callers.
 */
identityPoolId?: string;
}
/**
 * Role definitions bucketed by the provider that authenticates them.
 * The static/dynamic split mirrors `RoleDefinition.static`.
 * NOTE(review): "static" presumably means the role is fixed at transform
 * time (e.g. a listed group) and "dynamic" that it is resolved per record
 * from a field — confirm against the role-building code before relying on it.
 */
export interface RolesByProvider {
cognitoStaticRoles: RoleDefinition[];
cognitoDynamicRoles: RoleDefinition[];
oidcStaticRoles: RoleDefinition[];
oidcDynamicRoles: RoleDefinition[];
iamRoles: RoleDefinition[];
apiKeyRoles: RoleDefinition[];
lambdaRoles: RoleDefinition[];
}
/**
 * One parsed `rules` entry of an `@auth` directive (see the SDL in
 * `authDirectiveDefinition`; `generateIAMPolicy` is internal and not part of it).
 */
export interface AuthRule {
/** Strategy deciding who is admitted. */
allow: AuthStrategy;
/** Auth mode the rule runs under; optional, so a default is applied elsewhere. */
provider?: AuthProvider;
/** Model field holding the owner identity for `owner` rules. */
ownerField?: string;
/**
 * Token claim compared against `ownerField` for `owner` rules.
 * NOTE(review): the claim value is trusted as-is from the caller's token —
 * pick a claim the identity provider guarantees to be unique and immutable;
 * a user-editable claim would let one caller pose as another owner.
 */
identityClaim?: string;
/** Model field holding the group names that may access the record (dynamic groups). */
groupsField?: string;
/**
 * Token claim carrying the caller's group memberships.
 * NOTE(review): same caution as `identityClaim` — it must be a claim the
 * identity provider sets, not one the caller can influence.
 */
groupClaim?: string;
/** Group names allowed by a static `groups` rule. */
groups?: string[];
/** Operations the rule is limited to; absent means the rule applies to all of them. */
operations?: ModelOperation[];
// Used only for the IAM provider to decide whether an IAM policy must be generated.
// IAM auth with AdminUI does not need IAM policies.
generateIAMPolicy?: boolean;
}
/**
 * A concrete role derived from an `@auth` rule, as consumed by the resolver
 * generators.
 */
export interface RoleDefinition {
/** Auth mode that authenticates this role. */
provider: AuthProvider;
/** Strategy the role was derived from. */
strategy: AuthStrategy;
/** Whether the role is fixed at transform time rather than resolved per record. */
static: boolean;
/** Token claim the role reads (owner identity or group membership), when applicable. */
claim?: string;
/** Field or group name the claim is matched against, when applicable. */
entity?: string;
// The two lists below apply to mutations only.
/** Fields this role may write; absent presumably means no field-level restriction. */
allowedFields?: string[];
/** Fields this role may set to null even though it may not otherwise write them. */
nullAllowedFields?: string[];
}
/** Parsed form of an `@auth(rules: [...])` directive instance. */
export interface AuthDirective {
/** Rules in declaration order; any one of them granting access is enough for that operation. */
rules: AuthRule[];
}
/**
 * Summary of the auth modes available to a transform run, derived from the
 * API's auth configuration. The `has*` flags presumably let rule handling
 * reject a rule whose `provider` is not configured on the API.
 */
export interface ConfiguredAuthProviders {
/** Provider presumably applied when a rule omits `provider`. */
default: AuthProvider;
/** True when `default` is the only configured provider. */
onlyDefaultAuthProviderConfigured: boolean;
hasApiKey: boolean;
hasUserPools: boolean;
hasOIDC: boolean;
hasIAM: boolean;
hasLambda: boolean;
/** True when admin roles are in effect — those IAM roles bypass the per-rule checks. */
hasAdminRolesEnabled: boolean;
/**
 * IAM roles exempted from the access-control matrix (see
 * `AuthTransformerConfig.adminRoles`). Keep this list minimal.
 */
adminRoles: string[];
/** Identity pool used to tell authenticated from unauthenticated IAM callers. */
identityPoolId?: string;
}
/**
 * GraphQL SDL registered for the `@auth` directive.
 *
 * The `AuthStrategy`, `AuthProvider` and `ModelOperation` enums must stay in
 * sync with the TypeScript unions of the same names above; a member added to
 * one but not the other is silently unusable or unvalidated.
 *
 * Note that `groups: [String]` and `operations: [ModelOperation]` declare
 * nullable list elements, so the schema itself does not reject `null`
 * entries — whatever consumes `AuthRule.groups`/`operations` must handle or
 * reject them. `generateIAMPolicy` is deliberately absent here: it is an
 * internal flag, not something a schema author can set.
 */
export const authDirectiveDefinition = `
directive @auth(rules: [AuthRule!]!) on OBJECT | FIELD_DEFINITION
input AuthRule {
allow: AuthStrategy!
provider: AuthProvider
identityClaim: String
groupClaim: String
ownerField: String
groupsField: String
groups: [String]
operations: [ModelOperation]
}
enum AuthStrategy {
owner
groups
private
public
custom
}
enum AuthProvider {
apiKey
iam
oidc
userPools
function
}
enum ModelOperation {
create
update
delete
read
}
`;