aws-sdk-verifiedpermissions 1.18.0 → 1.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b2e2e4bc3c9002c9339678fb29f3c6ce9c8ad6c017b6c3e16528f4dd22c5ab32
-  data.tar.gz: 32987a27b39ea1e5ee5dac39c0bb0e339faea04b805c9d0cb7270168685efcdc
+  metadata.gz: 41ef019fc552dd6626faca87c604b2cd2cd0b13692e009f58e9de726acef3ef3
+  data.tar.gz: 76e66a78cfd4c1b5b5b74a38bddbaa1e2a189135e8f1946d903b3667fcb8fdf5
 SHA512:
-  metadata.gz: 224a6f6b501cec475a0a375b1f4df6a1adc5973a7d6696e59eade5c53493f0b1d3329458a6db844f74be81caed71a8436342312fb0902192fc13e8df587657d4
-  data.tar.gz: 17cb9addf43c47fab588adcbb689dcf88256ebd5927e274c8092395703d38d57bdfbba8cfc9cf6b4f6761c44799636569aff4eca1c88f52e32ae32894d1e7870
+  metadata.gz: acaaa4a7d0b3f7e070f2c4698ca8a01d05eed0e24895a31986988b91e774c92dee3699be18d1b05715c57e9ccc5ae61c26affe541dc511885116b714105cfae7
+  data.tar.gz: 45e7982d0a52044b48edfd68082997fab982e3b5a236ac9aed1aaf4e0b84c86935fc32e5cf809ebec0403e4c0e559a59cb06eaba5919a6c0571cc4fa80b5f300

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.19.0 (2024-04-05)
+------------------
+
+* Feature - Adding BatchIsAuthorizedWithToken API which supports multiple authorization requests against a PolicyStore given a bearer token.
+
 1.18.0 (2024-04-04)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.18.0
+1.19.0

data/lib/aws-sdk-verifiedpermissions/client.rb

@@ -518,6 +518,152 @@ module Aws::VerifiedPermissions
       req.send_request(options)
     end
 
+    # Makes a series of decisions about multiple authorization requests for
+    # one token. The principal in this request comes from an external
+    # identity source in the form of an identity or access token, formatted
+    # as a [JSON web token (JWT)][1]. The information in the parameters can
+    # also define additional context that Verified Permissions can include
+    # in the evaluations.
+    #
+    # The request is evaluated against all policies in the specified policy
+    # store that match the entities that you provide in the entities
+    # declaration and in the token. The result of the decisions is a series
+    # of `Allow` or `Deny` responses, along with the IDs of the policies
+    # that produced each decision.
+    #
+    # The `entities` of a `BatchIsAuthorizedWithToken` API request can
+    # contain up to 100 resources and up to 99 user groups. The `requests`
+    # of a `BatchIsAuthorizedWithToken` API request can contain up to 30
+    # requests.
+    #
+    # <note markdown="1"> The `BatchIsAuthorizedWithToken` operation doesn't have its own IAM
+    # permission. To authorize this operation for Amazon Web Services
+    # principals, include the permission
+    # `verifiedpermissions:IsAuthorizedWithToken` in their IAM policies.
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://wikipedia.org/wiki/JSON_Web_Token
+    #
+    # @option params [required, String] :policy_store_id
+    #   Specifies the ID of the policy store. Policies in this policy store
+    #   will be used to make an authorization decision for the input.
+    #
+    # @option params [String] :identity_token
+    #   Specifies an identity (ID) token for the principal that you want to
+    #   authorize in each request. This token is provided to you by the
+    #   identity provider (IdP) associated with the specified identity source.
+    #   You must specify either an `accessToken`, an `identityToken`, or both.
+    #
+    #   Must be an ID token. Verified Permissions returns an error if the
+    #   `token_use` claim in the submitted token isn't `id`.
+    #
+    # @option params [String] :access_token
+    #   Specifies an access token for the principal that you want to authorize
+    #   in each request. This token is provided to you by the identity
+    #   provider (IdP) associated with the specified identity source. You must
+    #   specify either an `accessToken`, an `identityToken`, or both.
+    #
+    #   Must be an access token. Verified Permissions returns an error if the
+    #   `token_use` claim in the submitted token isn't `access`.
+    #
+    # @option params [Types::EntitiesDefinition] :entities
+    #   Specifies the list of resources and their associated attributes that
+    #   Verified Permissions can examine when evaluating the policies.
+    #
+    #   You can't include principals in this parameter, only resource and
+    #   action entities. This parameter can't include any entities of a type
+    #   that matches the user or group entity types that you defined in your
+    #   identity source.
+    #
+    #    * The `BatchIsAuthorizedWithToken` operation takes principal
+    #     attributes from <b> <i>only</i> </b> the `identityToken` or
+    #     `accessToken` passed to the operation.
+    #
+    #   * For action entities, you can include only their `Identifier` and
+    #     `EntityType`.
+    #
+    # @option params [required, Array<Types::BatchIsAuthorizedWithTokenInputItem>] :requests
+    #   An array of up to 30 requests that you want Verified Permissions to
+    #   evaluate.
+    #
+    # @return [Types::BatchIsAuthorizedWithTokenOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::BatchIsAuthorizedWithTokenOutput#principal #principal} => Types::EntityIdentifier
+    #   * {Types::BatchIsAuthorizedWithTokenOutput#results #results} => Array&lt;Types::BatchIsAuthorizedWithTokenOutputItem&gt;
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.batch_is_authorized_with_token({
+    #     policy_store_id: "PolicyStoreId", # required
+    #     identity_token: "Token",
+    #     access_token: "Token",
+    #     entities: {
+    #       entity_list: [
+    #         {
+    #           identifier: { # required
+    #             entity_type: "EntityType", # required
+    #             entity_id: "EntityId", # required
+    #           },
+    #           attributes: {
+    #             "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
+    #           },
+    #           parents: [
+    #             {
+    #               entity_type: "EntityType", # required
+    #               entity_id: "EntityId", # required
+    #             },
+    #           ],
+    #         },
+    #       ],
+    #     },
+    #     requests: [ # required
+    #       {
+    #         action: {
+    #           action_type: "ActionType", # required
+    #           action_id: "ActionId", # required
+    #         },
+    #         resource: {
+    #           entity_type: "EntityType", # required
+    #           entity_id: "EntityId", # required
+    #         },
+    #         context: {
+    #           context_map: {
+    #             "String" => "value", # value <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
+    #           },
+    #         },
+    #       },
+    #     ],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.principal.entity_type #=> String
+    #   resp.principal.entity_id #=> String
+    #   resp.results #=> Array
+    #   resp.results[0].request.action.action_type #=> String
+    #   resp.results[0].request.action.action_id #=> String
+    #   resp.results[0].request.resource.entity_type #=> String
+    #   resp.results[0].request.resource.entity_id #=> String
+    #   resp.results[0].request.context.context_map #=> Hash
+    #   resp.results[0].request.context.context_map["String"] #=> <Hash,Array,String,Numeric,Boolean,IO,Set,nil>
+    #   resp.results[0].decision #=> String, one of "ALLOW", "DENY"
+    #   resp.results[0].determining_policies #=> Array
+    #   resp.results[0].determining_policies[0].policy_id #=> String
+    #   resp.results[0].errors #=> Array
+    #   resp.results[0].errors[0].error_description #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/BatchIsAuthorizedWithToken AWS API Documentation
+    #
+    # @overload batch_is_authorized_with_token(params = {})
+    # @param [Hash] params ({})
+    def batch_is_authorized_with_token(params = {}, options = {})
+      req = build_request(:batch_is_authorized_with_token, params)
+      req.send_request(options)
+    end
+
     # Creates a reference to an Amazon Cognito user pool as an external
     # identity provider (IdP).
     #
@@ -1421,14 +1567,6 @@ module Aws::VerifiedPermissions
     # `Allow` or `Deny`, along with a list of the policies that resulted in
     # the decision.
     #
-    # If you specify the `identityToken` parameter, then this operation
-    # derives the principal from that token. You must not also include that
-    # principal in the `entities` parameter or the operation fails and
-    # reports a conflict between the two entity sources.
-    #
-    #  If you provide only an `accessToken`, then you can include the entity
-    # as part of the `entities` parameter to provide additional attributes.
-    #
     # At this time, Verified Permissions accepts tokens from only Amazon
     # Cognito.
     #
@@ -1482,8 +1620,10 @@ module Aws::VerifiedPermissions
     #   Specifies the list of resources and their associated attributes that
     #   Verified Permissions can examine when evaluating the policies.
     #
-    #   <note markdown="1"> You can include only resource and action entities in this parameter;
-    #   you can't include principals.
+    #   You can't include principals in this parameter, only resource and
+    #   action entities. This parameter can't include any entities of a type
+    #   that matches the user or group entity types that you defined in your
+    #   identity source.
     #
     #    * The `IsAuthorizedWithToken` operation takes principal attributes
     #     from <b> <i>only</i> </b> the `identityToken` or `accessToken`
@@ -1492,8 +1632,6 @@ module Aws::VerifiedPermissions
     #   * For action entities, you can include only their `Identifier` and
     #     `EntityType`.
     #
-    #    </note>
-    #
     # @return [Types::IsAuthorizedWithTokenOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::IsAuthorizedWithTokenOutput#decision #decision} => String
@@ -2256,7 +2394,7 @@ module Aws::VerifiedPermissions
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-verifiedpermissions'
-      context[:gem_version] = '1.18.0'
+      context[:gem_version] = '1.19.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-verifiedpermissions/client_api.rb

@@ -24,6 +24,12 @@ module Aws::VerifiedPermissions
     BatchIsAuthorizedOutput = Shapes::StructureShape.new(name: 'BatchIsAuthorizedOutput')
     BatchIsAuthorizedOutputItem = Shapes::StructureShape.new(name: 'BatchIsAuthorizedOutputItem')
     BatchIsAuthorizedOutputList = Shapes::ListShape.new(name: 'BatchIsAuthorizedOutputList')
+    BatchIsAuthorizedWithTokenInput = Shapes::StructureShape.new(name: 'BatchIsAuthorizedWithTokenInput')
+    BatchIsAuthorizedWithTokenInputItem = Shapes::StructureShape.new(name: 'BatchIsAuthorizedWithTokenInputItem')
+    BatchIsAuthorizedWithTokenInputList = Shapes::ListShape.new(name: 'BatchIsAuthorizedWithTokenInputList')
+    BatchIsAuthorizedWithTokenOutput = Shapes::StructureShape.new(name: 'BatchIsAuthorizedWithTokenOutput')
+    BatchIsAuthorizedWithTokenOutputItem = Shapes::StructureShape.new(name: 'BatchIsAuthorizedWithTokenOutputItem')
+    BatchIsAuthorizedWithTokenOutputList = Shapes::ListShape.new(name: 'BatchIsAuthorizedWithTokenOutputList')
     Boolean = Shapes::BooleanShape.new(name: 'Boolean')
     BooleanAttribute = Shapes::BooleanShape.new(name: 'BooleanAttribute')
     ClientId = Shapes::StringShape.new(name: 'ClientId')
@@ -220,6 +226,32 @@ module Aws::VerifiedPermissions
 
     BatchIsAuthorizedOutputList.member = Shapes::ShapeRef.new(shape: BatchIsAuthorizedOutputItem)
 
+    BatchIsAuthorizedWithTokenInput.add_member(:policy_store_id, Shapes::ShapeRef.new(shape: PolicyStoreId, required: true, location_name: "policyStoreId"))
+    BatchIsAuthorizedWithTokenInput.add_member(:identity_token, Shapes::ShapeRef.new(shape: Token, location_name: "identityToken"))
+    BatchIsAuthorizedWithTokenInput.add_member(:access_token, Shapes::ShapeRef.new(shape: Token, location_name: "accessToken"))
+    BatchIsAuthorizedWithTokenInput.add_member(:entities, Shapes::ShapeRef.new(shape: EntitiesDefinition, location_name: "entities"))
+    BatchIsAuthorizedWithTokenInput.add_member(:requests, Shapes::ShapeRef.new(shape: BatchIsAuthorizedWithTokenInputList, required: true, location_name: "requests"))
+    BatchIsAuthorizedWithTokenInput.struct_class = Types::BatchIsAuthorizedWithTokenInput
+
+    BatchIsAuthorizedWithTokenInputItem.add_member(:action, Shapes::ShapeRef.new(shape: ActionIdentifier, location_name: "action"))
+    BatchIsAuthorizedWithTokenInputItem.add_member(:resource, Shapes::ShapeRef.new(shape: EntityIdentifier, location_name: "resource"))
+    BatchIsAuthorizedWithTokenInputItem.add_member(:context, Shapes::ShapeRef.new(shape: ContextDefinition, location_name: "context"))
+    BatchIsAuthorizedWithTokenInputItem.struct_class = Types::BatchIsAuthorizedWithTokenInputItem
+
+    BatchIsAuthorizedWithTokenInputList.member = Shapes::ShapeRef.new(shape: BatchIsAuthorizedWithTokenInputItem)
+
+    BatchIsAuthorizedWithTokenOutput.add_member(:principal, Shapes::ShapeRef.new(shape: EntityIdentifier, location_name: "principal"))
+    BatchIsAuthorizedWithTokenOutput.add_member(:results, Shapes::ShapeRef.new(shape: BatchIsAuthorizedWithTokenOutputList, required: true, location_name: "results"))
+    BatchIsAuthorizedWithTokenOutput.struct_class = Types::BatchIsAuthorizedWithTokenOutput
+
+    BatchIsAuthorizedWithTokenOutputItem.add_member(:request, Shapes::ShapeRef.new(shape: BatchIsAuthorizedWithTokenInputItem, required: true, location_name: "request"))
+    BatchIsAuthorizedWithTokenOutputItem.add_member(:decision, Shapes::ShapeRef.new(shape: Decision, required: true, location_name: "decision"))
+    BatchIsAuthorizedWithTokenOutputItem.add_member(:determining_policies, Shapes::ShapeRef.new(shape: DeterminingPolicyList, required: true, location_name: "determiningPolicies"))
+    BatchIsAuthorizedWithTokenOutputItem.add_member(:errors, Shapes::ShapeRef.new(shape: EvaluationErrorList, required: true, location_name: "errors"))
+    BatchIsAuthorizedWithTokenOutputItem.struct_class = Types::BatchIsAuthorizedWithTokenOutputItem
+
+    BatchIsAuthorizedWithTokenOutputList.member = Shapes::ShapeRef.new(shape: BatchIsAuthorizedWithTokenOutputItem)
+
     ClientIds.member = Shapes::ShapeRef.new(shape: ClientId)
 
     CognitoGroupConfiguration.add_member(:group_entity_type, Shapes::ShapeRef.new(shape: GroupEntityType, required: true, location_name: "groupEntityType"))
@@ -797,6 +829,19 @@ module Aws::VerifiedPermissions
         o.errors << Shapes::ShapeRef.new(shape: InternalServerException)
       end)
 
+      api.add_operation(:batch_is_authorized_with_token, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "BatchIsAuthorizedWithToken"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: BatchIsAuthorizedWithTokenInput)
+        o.output = Shapes::ShapeRef.new(shape: BatchIsAuthorizedWithTokenOutput)
+        o.errors << Shapes::ShapeRef.new(shape: ValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerException)
+      end)
+
       api.add_operation(:create_identity_source, Seahorse::Model::Operation.new.tap do |o|
         o.name = "CreateIdentitySource"
         o.http_method = "POST"

data/lib/aws-sdk-verifiedpermissions/endpoints.rb

@@ -26,6 +26,20 @@ module Aws::VerifiedPermissions
       end
     end
 
+    class BatchIsAuthorizedWithToken
+      def self.build(context)
+        unless context.config.regional_endpoint
+          endpoint = context.config.endpoint.to_s
+        end
+        Aws::VerifiedPermissions::EndpointParameters.new(
+          region: context.config.region,
+          use_dual_stack: context.config.use_dualstack_endpoint,
+          use_fips: context.config.use_fips_endpoint,
+          endpoint: endpoint,
+        )
+      end
+    end
+
     class CreateIdentitySource
       def self.build(context)
         unless context.config.regional_endpoint

data/lib/aws-sdk-verifiedpermissions/plugins/endpoints.rb

@@ -60,6 +60,8 @@ module Aws::VerifiedPermissions
           case context.operation_name
           when :batch_is_authorized
             Aws::VerifiedPermissions::Endpoints::BatchIsAuthorized.build(context)
+          when :batch_is_authorized_with_token
+            Aws::VerifiedPermissions::Endpoints::BatchIsAuthorizedWithToken.build(context)
           when :create_identity_source
             Aws::VerifiedPermissions::Endpoints::CreateIdentitySource.build(context)
           when :create_policy

data/lib/aws-sdk-verifiedpermissions/types.rb

@@ -278,8 +278,154 @@ module Aws::VerifiedPermissions
       include Aws::Structure
     end
 
-    # The type of entity that a policy store maps to groups from an Amazon
-    # Cognito user pool identity source.
+    # @!attribute [rw] policy_store_id
+    #   Specifies the ID of the policy store. Policies in this policy store
+    #   will be used to make an authorization decision for the input.
+    #   @return [String]
+    #
+    # @!attribute [rw] identity_token
+    #   Specifies an identity (ID) token for the principal that you want to
+    #   authorize in each request. This token is provided to you by the
+    #   identity provider (IdP) associated with the specified identity
+    #   source. You must specify either an `accessToken`, an
+    #   `identityToken`, or both.
+    #
+    #   Must be an ID token. Verified Permissions returns an error if the
+    #   `token_use` claim in the submitted token isn't `id`.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_token
+    #   Specifies an access token for the principal that you want to
+    #   authorize in each request. This token is provided to you by the
+    #   identity provider (IdP) associated with the specified identity
+    #   source. You must specify either an `accessToken`, an
+    #   `identityToken`, or both.
+    #
+    #   Must be an access token. Verified Permissions returns an error if
+    #   the `token_use` claim in the submitted token isn't `access`.
+    #   @return [String]
+    #
+    # @!attribute [rw] entities
+    #   Specifies the list of resources and their associated attributes that
+    #   Verified Permissions can examine when evaluating the policies.
+    #
+    #   You can't include principals in this parameter, only resource and
+    #   action entities. This parameter can't include any entities of a
+    #   type that matches the user or group entity types that you defined in
+    #   your identity source.
+    #
+    #    * The `BatchIsAuthorizedWithToken` operation takes principal
+    #     attributes from <b> <i>only</i> </b> the `identityToken` or
+    #     `accessToken` passed to the operation.
+    #
+    #   * For action entities, you can include only their `Identifier` and
+    #     `EntityType`.
+    #   @return [Types::EntitiesDefinition]
+    #
+    # @!attribute [rw] requests
+    #   An array of up to 30 requests that you want Verified Permissions to
+    #   evaluate.
+    #   @return [Array<Types::BatchIsAuthorizedWithTokenInputItem>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/BatchIsAuthorizedWithTokenInput AWS API Documentation
+    #
+    class BatchIsAuthorizedWithTokenInput < Struct.new(
+      :policy_store_id,
+      :identity_token,
+      :access_token,
+      :entities,
+      :requests)
+      SENSITIVE = [:identity_token, :access_token]
+      include Aws::Structure
+    end
+
+    # An authorization request that you include in a
+    # `BatchIsAuthorizedWithToken` API request.
+    #
+    # @!attribute [rw] action
+    #   Specifies the requested action to be authorized. For example,
+    #   `PhotoFlash::ReadPhoto`.
+    #   @return [Types::ActionIdentifier]
+    #
+    # @!attribute [rw] resource
+    #   Specifies the resource that you want an authorization decision for.
+    #   For example, `PhotoFlash::Photo`.
+    #   @return [Types::EntityIdentifier]
+    #
+    # @!attribute [rw] context
+    #   Specifies additional context that can be used to make more granular
+    #   authorization decisions.
+    #   @return [Types::ContextDefinition]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/BatchIsAuthorizedWithTokenInputItem AWS API Documentation
+    #
+    class BatchIsAuthorizedWithTokenInputItem < Struct.new(
+      :action,
+      :resource,
+      :context)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] principal
+    #   The identifier of the principal in the ID or access token.
+    #   @return [Types::EntityIdentifier]
+    #
+    # @!attribute [rw] results
+    #   A series of `Allow` or `Deny` decisions for each request, and the
+    #   policies that produced them.
+    #   @return [Array<Types::BatchIsAuthorizedWithTokenOutputItem>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/BatchIsAuthorizedWithTokenOutput AWS API Documentation
+    #
+    class BatchIsAuthorizedWithTokenOutput < Struct.new(
+      :principal,
+      :results)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The decision, based on policy evaluation, from an individual
+    # authorization request in a `BatchIsAuthorizedWithToken` API request.
+    #
+    # @!attribute [rw] request
+    #   The authorization request that initiated the decision.
+    #   @return [Types::BatchIsAuthorizedWithTokenInputItem]
+    #
+    # @!attribute [rw] decision
+    #   An authorization decision that indicates if the authorization
+    #   request should be allowed or denied.
+    #   @return [String]
+    #
+    # @!attribute [rw] determining_policies
+    #   The list of determining policies used to make the authorization
+    #   decision. For example, if there are two matching policies, where one
+    #   is a forbid and the other is a permit, then the forbid policy will
+    #   be the determining policy. In the case of multiple matching permit
+    #   policies then there would be multiple determining policies. In the
+    #   case that no policies match, and hence the response is DENY, there
+    #   would be no determining policies.
+    #   @return [Array<Types::DeterminingPolicyItem>]
+    #
+    # @!attribute [rw] errors
+    #   Errors that occurred while making an authorization decision. For
+    #   example, a policy might reference an entity or attribute that
+    #   doesn't exist in the request.
+    #   @return [Array<Types::EvaluationErrorItem>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/BatchIsAuthorizedWithTokenOutputItem AWS API Documentation
+    #
+    class BatchIsAuthorizedWithTokenOutputItem < Struct.new(
+      :request,
+      :decision,
+      :determining_policies,
+      :errors)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A list of user groups and entities from an Amazon Cognito user pool
+    # identity source.
     #
     # This data type is part of a [CognitoUserPoolConfiguration][1]
     # structure and is a request parameter in [CreateIdentitySource][2].
@@ -302,8 +448,8 @@ module Aws::VerifiedPermissions
       include Aws::Structure
     end
 
-    # The type of entity that a policy store maps to groups from an Amazon
-    # Cognito user pool identity source.
+    # A list of user groups and entities from an Amazon Cognito user pool
+    # identity source.
     #
     # This data type is part of an [CognitoUserPoolConfigurationDetail][1]
     # structure and is a response parameter to [GetIdentitySource][2].
@@ -326,8 +472,8 @@ module Aws::VerifiedPermissions
       include Aws::Structure
     end
 
-    # The type of entity that a policy store maps to groups from an Amazon
-    # Cognito user pool identity source.
+    # A list of user groups and entities from an Amazon Cognito user pool
+    # identity source.
     #
     # This data type is part of an [CognitoUserPoolConfigurationItem][1]
     # structure and is a response parameter to [ListIdentitySources][2].
@@ -359,8 +505,7 @@ module Aws::VerifiedPermissions
     # [CreateIdentitySource][2].
     #
     # Example:`"CognitoUserPoolConfiguration":\{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds":
-    # ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration":
-    # \{"groupEntityType": "MyCorp::Group"\}\}`
+    # ["a1b2c3d4e5f6g7h8i9j0kalbmc"]\}`
     #
     #
     #
@@ -387,8 +532,8 @@ module Aws::VerifiedPermissions
     #   @return [Array<String>]
     #
     # @!attribute [rw] group_configuration
-    #   The type of entity that a policy store maps to groups from an Amazon
-    #   Cognito user pool identity source.
+    #   The configuration of the user groups from an Amazon Cognito user
+    #   pool identity source.
     #   @return [Types::CognitoGroupConfiguration]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/CognitoUserPoolConfiguration AWS API Documentation
@@ -410,8 +555,7 @@ module Aws::VerifiedPermissions
     # [GetIdentitySource][2].
     #
     # Example:`"CognitoUserPoolConfiguration":\{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds":
-    # ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration":
-    # \{"groupEntityType": "MyCorp::Group"\}\}`
+    # ["a1b2c3d4e5f6g7h8i9j0kalbmc"]\}`
     #
     #
     #
@@ -446,8 +590,8 @@ module Aws::VerifiedPermissions
     #   @return [String]
     #
     # @!attribute [rw] group_configuration
-    #   The type of entity that a policy store maps to groups from an Amazon
-    #   Cognito user pool identity source.
+    #   The configuration of the user groups from an Amazon Cognito user
+    #   pool identity source.
     #   @return [Types::CognitoGroupConfigurationDetail]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/CognitoUserPoolConfigurationDetail AWS API Documentation
@@ -470,8 +614,7 @@ module Aws::VerifiedPermissions
     # [ListIdentitySources][2].
     #
     # Example:`"CognitoUserPoolConfiguration":\{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds":
-    # ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration":
-    # \{"groupEntityType": "MyCorp::Group"\}\}`
+    # ["a1b2c3d4e5f6g7h8i9j0kalbmc"]\}`
     #
     #
     #
@@ -506,8 +649,8 @@ module Aws::VerifiedPermissions
     #   @return [String]
     #
     # @!attribute [rw] group_configuration
-    #   The type of entity that a policy store maps to groups from an Amazon
-    #   Cognito user pool identity source.
+    #   The configuration of the user groups from an Amazon Cognito user
+    #   pool identity source.
     #   @return [Types::CognitoGroupConfigurationItem]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/CognitoUserPoolConfigurationItem AWS API Documentation
@@ -527,7 +670,7 @@ module Aws::VerifiedPermissions
     # <note markdown="1"> At this time, the only valid member of this structure is a Amazon
     # Cognito user pool configuration.
     #
-    #  Specifies a `userPoolArn`, a `groupConfiguration`, and a `ClientId`.
+    #  You must specify a `userPoolArn`, and optionally, a `ClientId`.
     #
     #  </note>
     #
@@ -584,8 +727,7 @@ module Aws::VerifiedPermissions
     #   Contains configuration details of a Amazon Cognito user pool that
     #   Verified Permissions can use as a source of authenticated identities
     #   as entities. It specifies the [Amazon Resource Name (ARN)][1] of a
-    #   Amazon Cognito user pool, the policy store entity that you want to
-    #   assign to user groups, and one or more application client IDs.
+    #   Amazon Cognito user pool and one or more application client IDs.
     #
     #   Example:
     #   `"configuration":\{"cognitoUserPoolConfiguration":\{"userPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","clientIds":
@@ -625,8 +767,7 @@ module Aws::VerifiedPermissions
     #   Contains configuration details of a Amazon Cognito user pool that
     #   Verified Permissions can use as a source of authenticated identities
     #   as entities. It specifies the [Amazon Resource Name (ARN)][1] of a
-    #   Amazon Cognito user pool, the policy store entity that you want to
-    #   assign to user groups, and one or more application client IDs.
+    #   Amazon Cognito user pool and one or more application client IDs.
     #
     #   Example:
     #   `"configuration":\{"cognitoUserPoolConfiguration":\{"userPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","clientIds":
@@ -1950,8 +2091,10 @@ module Aws::VerifiedPermissions
     #   Specifies the list of resources and their associated attributes that
     #   Verified Permissions can examine when evaluating the policies.
     #
-    #   <note markdown="1"> You can include only resource and action entities in this parameter;
-    #   you can't include principals.
+    #   You can't include principals in this parameter, only resource and
+    #   action entities. This parameter can't include any entities of a
+    #   type that matches the user or group entity types that you defined in
+    #   your identity source.
     #
     #    * The `IsAuthorizedWithToken` operation takes principal attributes
     #     from <b> <i>only</i> </b> the `identityToken` or `accessToken`
@@ -1959,8 +2102,6 @@ module Aws::VerifiedPermissions
     #
     #   * For action entities, you can include only their `Identifier` and
     #     `EntityType`.
-    #
-    #    </note>
     #   @return [Types::EntitiesDefinition]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/IsAuthorizedWithTokenInput AWS API Documentation
@@ -2926,8 +3067,8 @@ module Aws::VerifiedPermissions
       include Aws::Structure
     end
 
-    # The user group entities from an Amazon Cognito user pool identity
-    # source.
+    # A list of user groups and entities from an Amazon Cognito user pool
+    # identity source.
     #
     # @!attribute [rw] group_entity_type
     #   The name of the schema entity type that's mapped to the user pool

data/lib/aws-sdk-verifiedpermissions.rb

@@ -53,6 +53,6 @@ require_relative 'aws-sdk-verifiedpermissions/customizations'
 # @!group service
 module Aws::VerifiedPermissions
 
-  GEM_VERSION = '1.18.0'
+  GEM_VERSION = '1.19.0'
 
 end

data/sig/client.rbs

@@ -119,6 +119,51 @@ module Aws
                                ) -> _BatchIsAuthorizedResponseSuccess
                              | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _BatchIsAuthorizedResponseSuccess
 
+      interface _BatchIsAuthorizedWithTokenResponseSuccess
+        include ::Seahorse::Client::_ResponseSuccess[Types::BatchIsAuthorizedWithTokenOutput]
+        def principal: () -> Types::EntityIdentifier
+        def results: () -> ::Array[Types::BatchIsAuthorizedWithTokenOutputItem]
+      end
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/VerifiedPermissions/Client.html#batch_is_authorized_with_token-instance_method
+      def batch_is_authorized_with_token: (
+                                            policy_store_id: ::String,
+                                            ?identity_token: ::String,
+                                            ?access_token: ::String,
+                                            ?entities: {
+                                              entity_list: Array[
+                                                {
+                                                  identifier: {
+                                                    entity_type: ::String,
+                                                    entity_id: ::String
+                                                  },
+                                                  attributes: Hash[::String, untyped]?,
+                                                  parents: Array[
+                                                    {
+                                                      entity_type: ::String,
+                                                      entity_id: ::String
+                                                    },
+                                                  ]?
+                                                },
+                                              ]?
+                                            },
+                                            requests: Array[
+                                              {
+                                                action: {
+                                                  action_type: ::String,
+                                                  action_id: ::String
+                                                }?,
+                                                resource: {
+                                                  entity_type: ::String,
+                                                  entity_id: ::String
+                                                }?,
+                                                context: {
+                                                  context_map: Hash[::String, untyped]?
+                                                }?
+                                              },
+                                            ]
+                                          ) -> _BatchIsAuthorizedWithTokenResponseSuccess
+                                        | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _BatchIsAuthorizedWithTokenResponseSuccess
+
       interface _CreateIdentitySourceResponseSuccess
         include ::Seahorse::Client::_ResponseSuccess[Types::CreateIdentitySourceOutput]
         def created_date: () -> ::Time

data/sig/types.rbs

@@ -73,6 +73,36 @@ module Aws::VerifiedPermissions
       SENSITIVE: []
     end
 
+    class BatchIsAuthorizedWithTokenInput
+      attr_accessor policy_store_id: ::String
+      attr_accessor identity_token: ::String
+      attr_accessor access_token: ::String
+      attr_accessor entities: Types::EntitiesDefinition
+      attr_accessor requests: ::Array[Types::BatchIsAuthorizedWithTokenInputItem]
+      SENSITIVE: [:identity_token, :access_token]
+    end
+
+    class BatchIsAuthorizedWithTokenInputItem
+      attr_accessor action: Types::ActionIdentifier
+      attr_accessor resource: Types::EntityIdentifier
+      attr_accessor context: Types::ContextDefinition
+      SENSITIVE: []
+    end
+
+    class BatchIsAuthorizedWithTokenOutput
+      attr_accessor principal: Types::EntityIdentifier
+      attr_accessor results: ::Array[Types::BatchIsAuthorizedWithTokenOutputItem]
+      SENSITIVE: []
+    end
+
+    class BatchIsAuthorizedWithTokenOutputItem
+      attr_accessor request: Types::BatchIsAuthorizedWithTokenInputItem
+      attr_accessor decision: ("ALLOW" | "DENY")
+      attr_accessor determining_policies: ::Array[Types::DeterminingPolicyItem]
+      attr_accessor errors: ::Array[Types::EvaluationErrorItem]
+      SENSITIVE: []
+    end
+
     class CognitoGroupConfiguration
       attr_accessor group_entity_type: ::String
       SENSITIVE: [:group_entity_type]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-verifiedpermissions
 version: !ruby/object:Gem::Version
-  version: 1.18.0
+  version: 1.19.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-04-04 00:00:00.000000000 Z
+date: 2024-04-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core