feat(graphql-auth-transformer): add compound auth rules #3123
Conversation
Codecov Report
@@ Coverage Diff @@
## master aws-amplify/amplify-cli#3123 +/- ##
==========================================
+ Coverage 60.49% 60.64% +0.14%
==========================================
Files 254 254
Lines 12619 12676 +57
Branches 2646 2504 -142
==========================================
+ Hits 7634 7687 +53
- Misses 4646 4666 +20
+ Partials 339 323 -16
Continue to review full report at Codecov.
|
RossWilliams
force-pushed
the
feat/compound-auth-rules
branch
from
ae9b4c5
to
1e99640
Compare
adds 'and' property on auth rules to force each auth rule with the same 'and' property to all match before allowing operations.
RossWilliams
force-pushed
the
feat/compound-auth-rules
branch
from
1e99640
to
589d5d5
Compare
|
This is a simple and elegant solution to a sorely missing feature in Amplify. What is the likelihood that this PR gets merged? @RossWilliams My only note is |
|
@davekiss that is an easy find/replace change once a good name is found. "And" was chosen to match aws-amplify/amplify-category-api#433 Proposal 5 naming, and it reads well when it is the last parameter, but I can see it being problematic otherwise. 'ruleGroup' itself does not feel like the final solution, as the word 'group' would be an overload for the group authorisation parameters. 'ruleSet' may be more descriptive. In terms of timeline, I'm not aware of the process, but #2463 appears to be consuming most of the review energy right now, might need to wait for that to be completed first. |
|
@RossWilliams thanks for this contribution. We cannot merge it as-is at this point, as it deviates the expression based syntax in the proposal, which is kind of a shared syntax when building expressions with the CLI’s directives, and the unknown performance implications what is also called out by you in the code. In addition, we’re experimenting with some auth logic change for VTL to simplify customers’ use cases and that work affects AND, OR rules as well. |
Do you mind sharing the auth logic changes you are playing with? I'm more than happy to help move it along and stop having to rebase these changes for another 9 months. |
|
@RossWilliams nothing concrete to share at this point, but sure, I agree, no need to rebase this PR until we've anything. |
|
@attilah @RossWilliams wondering what the status is here. Ross, are you still using your custom fork for this? |
|
Im still using a variant of this code with additional customisations and performance improvements. I would not use this PR as-is, as there have been subsequent security issues found and fixed in the auth module. |
|
@attilah as you close this PR... are you still working on a solution? @RossWilliams would you be kind enough to share your updated code with additional customisations and performance improvements? |
|
This pull request has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs. Looking for a help forum? We recommend joining the Amplify Community Discord server |
adds 'and' property on auth rules to force each auth rule with the same 'and' property to all match before allowing operations. Allows combining owner, group, and dynamic group authentication rules. Works on objects and fields for user pools.
Issue #, if available: aws-amplify/amplify-category-api#433 aws-amplify/amplify-category-api#449 aws-amplify/amplify-category-api#452
Description of changes:
The RFC for @auth directive improvements describes in option 5 the ability to join auth rules together using 'AND' and 'OR', with an arbitrary level of nesting. This PR takes a slightly different approach in only implementing AND, and not allowing nesting. This feels reasonable as @auth rules are OR'd by default and any nesting can be decomposed into a flat structure.
To implement this a new property on an auth rule is created, "and". And is assigned a string, and all rules with the same assigned and string are considered part of a group whose rules must all pass to allow the operation.
Compound rules are tracked by counting how many of the rules have passed, rejecting the operation if no compound rule sets have all their rules pass.
List operations require a deep clone of the object holding the counts via json stringify and json parse operations so that their count tracking is independent of each other.
Update and Delete operations are somewhat more challenging as their dynamic group and owner rules are evaluated on the server, while the static auth is evaluated on the client. This requires nesting condition expressions, and only executing DynamoDB calls if the static group rules have been satisfied.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.