Adding Auth on Subscriptions (#2068)

* feat(graphql-auth-transformer): protecting subscriptions

adding protection on subscriptions

BREAKING CHANGE: If an owner is used in the auth directive it will either be a requirement if it's
the only rule or an optional input if used with other rules

re #1766 #1043

* feat(graphql-auth-transformer): pr changes

added changes based on review

BREAKING CHANGE: If an owner is included in the auth directive it will either be a requirement if
it's the only rule or an optional input if used with other rules

re #1766 #1043

* feat(graphql-auth-transformer): protect mutations

protecting mutations as the same response is used in subscriptions - protected fields should still
be accessible through query operations

BREAKING CHANGE: the subscription operations will require an argument if owner is the only auth rule

re #1766 #1043

* feat(graphql-dynamodb-transformer): auth check

adding a check on auth in model

re #1766 #1043

* feat(graphql-transformer-core): added getfieldarguments

added function to get field arguments from type

re #1766 #1043

* Added changes to check for prev version of auth

* add checks for prev version of auth and added warning when adding a @model w/o @auth

* Changes to check if parent type has @model

* Updated ModelSubscriptionMap with status enum

* Updated Auth snapshots

* Updated Tests to account for new changes in auth

* Added learn more links

* Added identifyClaim

* changed status to level to match storage naming convention

* added version number in transformer config

* updated e2e tests based on auth changes

* Added change to read from cloud backend dir

* changes to modelsubscriptionmap

* Change to ModelSubsriptionMap

* Updated yarn.lock

* feat: pr review changes

add changes based pr comments and added a per field auth e2e test

BREAKING CHANGE: Subscriptions will require an argument if an owner is only rule set - If owner &
group rules are owner will be an optional arg

re pr #2068

* Added comment change

* refactor: additional pr review changes

Edited version check, for subscriptions added check for nonnull field auth, updated ddb transformer
to account for public flag

re pr #2068

* refactor(graphql-auth-transformer): changed subscription resolver

changed the subscription resolver response template

re pr #2068

* feat: subscription feedback changes

per field auth now protects mutations where it sets the operation label in mutation operations

re pr #2068

* chore(yarn.lock): update yarn.lock

* refactor(graphql-auth-transformer): per field auth error message edit

re pr #2068

* Updating based on new PR comments re pr #2068

* Change transformerConfig Ver

* DynamoDB Transformer check for public

* Added info on subscription levels in ddb transformer

* Changed typo here

* feat(graphql-auth-transformer): subscription resolver logic change

changed resolver logic to also get created when subscription level is PUBLIC also added snapshot
tests

* feat(graphql-auth-transformer): change add owner logic

changes based on pr review changing add owner logic which looks at list of rules and change of
remove command on package.json

re pr #2068

* updated yarn lock

* feat(graphql-auth-transformer): subscriptions obj logic change

changed logic to subscriptions object and added rimraf as devdependency

re pr #2068

* moved add owner argument logic in else flow for adding logic

* Added padding to prompts

Author: Josue Ruiz

packages/amplify-cli/src/commands/push.js

@@ -5,7 +5,9 @@ module.exports = {
       context.amplify.constructExeInfo(context);
       await context.amplify.pushResources(context);
     } catch (e) {
-      context.print.error(`An error occured during the push operation: ${e.message}`);
+      if (e.name !== 'InvalidDirectiveError') {
+        context.print.error(`An error occured during the push operation: ${e.message}`);
+      }
       process.exit(1);
     }
   },

packages/amplify-provider-awscloudformation/lib/transform-graphql-schema.js

@@ -13,7 +13,11 @@ const KeyTransformer = require('graphql-key-transformer').default;
 const providerName = require('./constants').ProviderName;
 const TransformPackage = require('graphql-transformer-core');
 
-const { collectDirectiveNames } = TransformPackage;
+const {
+  collectDirectivesByTypeNames,
+  readTransformerConfiguration,
+  writeTransformerConfiguration,
+} = TransformPackage;
 
 const category = 'api';
 const parametersFileName = 'parameters.json';
@@ -22,11 +26,61 @@ const schemaDirName = 'schema';
 
 function failOnInvalidAuthType(usedDirectives, opts) {
   if (usedDirectives.includes('auth') && !opts.isUserPoolEnabled) {
-    throw new Error(`You are trying to use the @auth directive without enabling Amazon Cognito user pools for your API.
-Run \`amplify update api\` and choose "Amazon Cognito User Pool" as the authorization type for the API.`);
+    throw new Error(`You are trying to
+use the @auth directive without enabling Amazon Cognito user pools for your API.
+Run \`amplify update api\` and choose
+"Amazon Cognito User Pool" as the authorization type for the API.`);
   }
 }
 
+function warnOnAuth(context, map) {
+  const unAuthModelTypes = Object.keys(map).filter(type => (!map[type].includes('auth') && map[type].includes('model')));
+  if (unAuthModelTypes.length) {
+    context.print.warning('\nThe following types do not have \'@auth\' enabled. Consider using @auth with @model');
+    context.print.warning(unAuthModelTypes.map(type => `\t - ${type}`).join('\n'));
+    context.print.info('Learn more about @auth here: https://aws-amplify.github.io/docs/cli-toolchain/graphql#auth \n');
+  }
+}
+
+/**
+ * @TODO Include a map of versions to keep track
+ */
+async function transformerVersionCheck(
+  context, resourceDir, cloudBackendDirectory,
+  updatedResources, usedDirectives,
+) {
+  const versionChangeMessage = 'The default behaviour for @auth has changed in the latest version of Amplify\nRead here for details: https://aws-amplify.github.io/docs/cli-toolchain/graphql#authorizing-subscriptions';
+  let transformerConfig;
+  // this is where we check if there is a prev version of the transformer being used
+  // by using the transformer.conf.json file
+  try {
+    transformerConfig = await readTransformerConfiguration(cloudBackendDirectory);
+  } catch (err) {
+    // check local resource if the question has been answered before
+    transformerConfig = await readTransformerConfiguration(resourceDir);
+  }
+  const resources = updatedResources.filter(resource => resource.service === 'AppSync');
+  if (!transformerConfig.Version && usedDirectives.includes('auth')
+  && resources.length > 0) {
+    if (context.exeInfo &&
+      context.exeInfo.inputParams && context.exeInfo.inputParams.yes) {
+      context.print.warning(`\n${versionChangeMessage}\n`);
+    } else {
+      const response = await inquirer.prompt({
+        name: 'transformerConfig',
+        type: 'confirm',
+        message: `\n${versionChangeMessage} \n Do you wish to continue?`,
+        default: false,
+      });
+      if (!response.transformerConfig) {
+        process.exit(0);
+      }
+    }
+  }
+  transformerConfig.Version = 4.0;
+  await writeTransformerConfiguration(resourceDir, transformerConfig);
+}
+
 function apiProjectIsFromOldVersion(pathToProject, resourcesToBeCreated) {
   const resources = resourcesToBeCreated.filter(resource => resource.service === 'AppSync');
   if (!pathToProject || resources.length > 0) {
@@ -202,11 +256,23 @@ async function transformGraphQLSchema(context, options) {
   const project = await TransformPackage.readProjectConfiguration(resourceDir);
 
   // Check for common errors
-  const usedDirectives = collectDirectiveNames(project.schema);
+  const directiveMap = collectDirectivesByTypeNames(project.schema);
   failOnInvalidAuthType(
-    usedDirectives,
+    directiveMap.directives,
     { isUserPoolEnabled: Boolean(parameters.AuthCognitoUserPoolId) },
   );
+  warnOnAuth(
+    context,
+    directiveMap.types,
+  );
+
+  await transformerVersionCheck(
+    context,
+    resourceDir,
+    previouslyDeployedBackendDir,
+    resourcesToBeUpdated,
+    directiveMap.directives,
+  );
 
   const authMode = parameters.AuthCognitoUserPoolId ? 'AMAZON_COGNITO_USER_POOLS' : 'API_KEY';
   const transformerList = [
@@ -222,7 +288,7 @@ async function transformGraphQLSchema(context, options) {
     new ModelAuthTransformer({ authMode }),
   ];
 
-  if (usedDirectives.includes('searchable')) {
+  if (directiveMap.directives.includes('searchable')) {
     transformerList.push(new SearchableModelTransformer());
   }
 

packages/amplify-util-mock/src/api/api.ts

@@ -114,6 +114,8 @@ export class APITest {
   }
 
   private async reload(context, filePath, action) {
+    const apiDir = await this.getAPIBackendDirectory(context)
+    const inputSchemaPath = path.join(apiDir, 'schema');
     try {
       let shouldReload;
       if (this.resolverOverrideManager.isTemplateFile(filePath)) {
@@ -139,7 +141,7 @@ export class APITest {
             mappingTemplates,
           });
         }
-      } else {
+      } else if(filePath.includes(inputSchemaPath)) {
         context.print.info('GraphQL Schema change detected. Reloading...');
         const config = await this.runTransformer(context);
         await this.appSyncSimulator.reload(config);

packages/graphql-auth-transformer/package.json

@@ -7,7 +7,8 @@
     "test": "jest",
     "test-ci": "jest --ci -i",
     "build": "tsc",
-    "clean": "rm -rf ./lib"
+    "clean": "rimraf ./lib",
+    "watch": "tsc -w"
   },
   "keywords": [
     "graphql",
@@ -30,6 +31,7 @@
     "cloudform-types": "^3.7.0",
     "graphql-dynamodb-transformer": "3.12.0",
     "jest": "^23.1.0",
+    "rimraf": "^3.0.0",
     "ts-jest": "^22.4.6",
     "tslint": "^5.18.0",
     "typescript": "^3.5.3"

packages/graphql-auth-transformer/src/AuthRule.ts

@@ -5,9 +5,11 @@ export interface AuthRule {
     allow: 'owner' | 'groups';
     ownerField?: string;
     identityField?: string;
+    identityClaim?: string;
     groupsField?: string;
+    groupClaim?: string;
     groups?: string[];
-    operations?: ModelOperation[]
-    queries?: ModelQuery[]
-    mutations?: ModelMutation[]
+    operations?: ModelOperation[];
+    queries?: ModelQuery[];
+    mutations?: ModelMutation[];
 }