import { AuthTransformer, SEARCHABLE_AGGREGATE_TYPES } from '../';
import { ModelTransformer } from '@aws-amplify/graphql-model-transformer';
import { SearchableModelTransformer } from '@aws-amplify/graphql-searchable-transformer';
import { GraphQLTransform } from '@aws-amplify/graphql-transformer-core';
import { AppSyncAuthConfiguration } from '@aws-amplify/graphql-transformer-interfaces';
import { DocumentNode, ObjectTypeDefinitionNode, Kind, FieldDefinitionNode, parse, InputValueDefinitionNode } from 'graphql';
/**
 * Looks up an object type definition by name in a parsed GraphQL document.
 *
 * @param doc - Parsed schema document to search.
 * @param type - Name of the object type to find.
 * @returns The first object type definition whose name equals `type`, or
 *   `undefined` when the document has none. Callers should assert the result
 *   is defined before reading its directives.
 */
const getObjectType = (doc: DocumentNode, type: string): ObjectTypeDefinitionNode | undefined => {
  for (const definition of doc.definitions) {
    // The kind check narrows `definition`, so no type assertion is needed.
    if (definition.kind === Kind.OBJECT_TYPE_DEFINITION && definition.name.value === type) {
      return definition;
    }
  }
  return undefined;
};
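/**
 * Asserts that a type or field definition carries exactly the given directives.
 *
 * The directive names on the node are compared with `directiveNames` as a
 * sorted list, so the check fails on a missing directive and also on an extra
 * one. That matters for auth directives: an unexpected provider directive on a
 * type widens who may query it.
 *
 * The earlier form asserted `directiveNames` against its own length (always
 * true) and only checked count plus containment, which a duplicated expected
 * name could satisfy while a different directive was present.
 *
 * @param fieldOrType - Node to inspect; `undefined` (for example a failed
 *   lookup) fails the assertion instead of raising a TypeError.
 * @param directiveNames - Directive names expected on the node, without the
 *   leading `@`.
 */
const expectMultiple = (
  fieldOrType: ObjectTypeDefinitionNode | FieldDefinitionNode | undefined,
  directiveNames: string[],
) => {
  expect(directiveNames).toBeDefined();
  // Surface a missing node as a readable assertion failure.
  expect(fieldOrType).toBeDefined();
  const actualNames = ((fieldOrType && fieldOrType.directives) || []).map(directive => directive.name.value);
  // Compare copies so neither the node nor the caller's array is reordered.
  expect([...actualNames].sort()).toEqual([...directiveNames].sort());
};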
// Transforms a @searchable model protected by an owner rule and a static
// "writer" group rule, with Cognito user pools as the only configured
// provider, then checks the generated search auth *request* template.
test('auth logic is enabled on owner/static rules in es request', () => {
  const authConfig: AppSyncAuthConfiguration = {
    defaultAuthentication: {
      authenticationType: 'AMAZON_COGNITO_USER_POOLS',
    },
    additionalAuthenticationProviders: [],
  };
  const validSchema = `
type Comment @model
@searchable
@auth(rules: [
{ allow: owner }
{ allow: groups, groups: ["writer"]}
])
{
id: ID!
content: String
}
`;
  const pipeline = [
    new ModelTransformer(),
    new SearchableModelTransformer(),
    new AuthTransformer({
      authConfig,
      addAwsIamAuthInOutputSchema: false,
    }),
  ];
  const out = new GraphQLTransform({ authConfig, transformers: pipeline }).transform(validSchema);
  expect(out).toBeDefined();

  const searchAuthTemplate = 'Query.searchComments.auth.1.req.vtl';

  // Owner rule: the request template must filter on the caller's identity.
  // The expected snippet reads the "username" claim, falls back to
  // "cognito:username", and finally to the literal "___xamznone____"
  // (presumably a sentinel that matches no real owner; confirm in the transformer).
  expect(out.pipelineFunctions[searchAuthTemplate]).toContain(
    '"terms": [$util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), "___xamznone____"))],',
  );

  // Static group rule: the "writer" group must be checked against the
  // "cognito:groups" claim.
  expect(out.pipelineFunctions[searchAuthTemplate]).toContain(
    '#set( $staticGroupRoles = [{"claim":"cognito:groups","entity":"writer"}] )',
  );
});
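// Transforms a @searchable model that allows API key (public) and IAM
// (private) access, with one field restricted to IAM only, then checks:
//   1. every searchable aggregate type in the output schema carries exactly
//      the API key and IAM auth directives, and
//   2. the aggregation allow-list in the search auth request template leaves
//      out the IAM-only `secret` field.
test('auth logic is enabled for iam/apiKey auth rules', () => {
  const expectedDirectives = ['aws_api_key', 'aws_iam'];
  const validSchema = `
type Post @model
@searchable
@auth(rules: [
{ allow: public, provider: apiKey } # api key is allowed
{ allow: private, provider: iam } # auth roles are allowed
]) {
id: ID!
content: String
secret: String @auth(rules: [{ allow: private, provider: iam }]) # only auth role can do crud on this
}
`;
  const authConfig: AppSyncAuthConfiguration = {
    defaultAuthentication: {
      authenticationType: 'AMAZON_COGNITO_USER_POOLS',
    },
    additionalAuthenticationProviders: [
      {
        authenticationType: 'API_KEY',
        apiKeyConfig: {
          description: 'E2E Test API Key',
          apiKeyExpirationDays: 300,
        },
      },
      {
        authenticationType: 'AWS_IAM',
      },
    ],
  };
  const transformer = new GraphQLTransform({
    authConfig,
    transformers: [
      new ModelTransformer(),
      new SearchableModelTransformer(),
      new AuthTransformer({
        authConfig,
        addAwsIamAuthInOutputSchema: false,
      }),
    ],
  });
  const out = transformer.transform(validSchema);
  expect(out).toBeDefined();
  expect(out.schema).toBeDefined();
  const schemaDoc = parse(out.schema);

  // Expect the searchable aggregate types to carry the auth directives of
  // every provider the model's rules allow.
  for (const aggregateType of SEARCHABLE_AGGREGATE_TYPES) {
    const aggregateTypeNode = getObjectType(schemaDoc, aggregateType);
    // A missing aggregate type should fail here as an assertion rather than
    // as a TypeError when its directives are read.
    expect(aggregateTypeNode).toBeDefined();
    expectMultiple(aggregateTypeNode, expectedDirectives);
  }

  // Expect the fields allowed for aggregation to exclude `secret`, which the
  // schema restricts to IAM. Aggregating over a restricted field would expose
  // its values through the aggregate result.
  // NOTE(review): which caller this allow-list applies to is not visible in
  // the asserted string; confirm against the generated template.
  expect(out.pipelineFunctions['Query.searchPosts.auth.1.req.vtl']).toContain(
    `#set( $allowedAggFields = ["createdAt","updatedAt","id","content"] )`,
  );
});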