#179 - Create a Cognito group that allows authentication but no FormK…

…iQ authorization
formkiq · Nov 25, 2023 · a5c88b0 · a5c88b0
1 parent 8d1ffde
commit a5c88b0
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 3 deletions.
diff --git a/console/src/main/resources/cloudformation/template-users.yaml b/console/src/main/resources/cloudformation/template-users.yaml
@@ -129,6 +129,15 @@ Resources:
         - Arn
       UserPoolId: 
         Ref: CognitoUserPool
+
+  AuthenticationOnlyGroup:
+    Type: "AWS::Cognito::UserPoolGroup"    
+    Properties:
+      Precedence: 0
+      GroupName: "authentication_only"
+      Description: "Authentication only group access"
+      UserPoolId: 
+        Ref: CognitoUserPool
 
   AdminGroupParameter:
     Type: AWS::SSM::Parameter

diff --git a/fkq-lambda-core/src/main/java/com/formkiq/aws/services/lambda/ApiAuthorizationBuilder.java b/fkq-lambda-core/src/main/java/com/formkiq/aws/services/lambda/ApiAuthorizationBuilder.java
@@ -334,6 +334,8 @@ private Collection<String> loadJwtGroups(final ApiGatewayRequestEvent event) {
         groups.add(DEFAULT_SITE_ID);
       }
     }
+
+    groups.remove("authentication_only");
     return groups;
   }
 }
diff --git a/...ambda-core/src/test/java/com/formkiq/aws/services/lambda/ApiAuthorizationBuilderTest.java b/...ambda-core/src/test/java/com/formkiq/aws/services/lambda/ApiAuthorizationBuilderTest.java
@@ -326,7 +326,7 @@ void testApiAuthorizer08() throws Exception {
   @Test
   void testApiAuthorizer09() throws Exception {
     // given
-    String s = "[formkiq_finance other]";
+    String s = "[finance other]";
 
     ApiGatewayRequestEvent event = getJwtEvent(s);
     event.setQueryStringParameters(Map.of("siteId", "finance"));
@@ -336,10 +336,11 @@ void testApiAuthorizer09() throws Exception {
 
     // then
     assertEquals("finance", api0.siteId());
-    assertEquals("finance", String.join(",", api0.siteIds()));
+    assertEquals("finance,other", String.join(",", api0.siteIds()));
     assertEquals("DELETE,READ,WRITE",
         api0.permissions().stream().map(p -> p.name()).sorted().collect(Collectors.joining(",")));
-    assertEquals("groups: finance (DELETE,READ,WRITE)", api0.accessSummary());
+    assertEquals("groups: finance (DELETE,READ,WRITE), other (DELETE,READ,WRITE)",
+        api0.accessSummary());
   }
 
   /**
@@ -398,4 +399,24 @@ void testApiAuthorizer11() throws Exception {
         api1.permissions().stream().map(p -> p.name()).collect(Collectors.joining(",")));
     assertEquals("groups: finance (READ,WRITE)", api1.accessSummary());
   }
+
+  /**
+   * Basic 'authentication_only' access.
+   */
+  @Test
+  void testApiAuthorizer12() throws Exception {
+    // given
+    String s0 = "[authentication_only]";
+    ApiGatewayRequestEvent event0 = getJwtEvent(s0);
+
+    // when
+    ApiAuthorization api0 = new ApiAuthorizationBuilder().build(event0);
+
+    // then
+    assertNull(api0.siteId());
+    assertEquals("", String.join(",", api0.siteIds()));
+    assertEquals("",
+        api0.permissions().stream().map(p -> p.name()).collect(Collectors.joining(",")));
+    assertEquals("no groups", api0.accessSummary());
+  }
 }