@aws-amplify/data-schema 0.0.0-20240412222732

package/lib-esm/src/SchemaProcessor.js

@@ -0,0 +1,1106 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.processSchema = void 0;
+const ModelField_1 = require("./ModelField");
+const ModelRelationalField_1 = require("./ModelRelationalField");
+const Authorization_1 = require("./Authorization");
+const CustomOperation_1 = require("./CustomOperation");
+const util_1 = require("./util");
+const Handler_1 = require("./Handler");
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+function isInternalModel(model) {
+    if (model.data &&
+        !isCustomType(model) &&
+        !isCustomOperation(model)) {
+        return true;
+    }
+    return false;
+}
+function isEnumType(data) {
+    if (data?.type === 'enum') {
+        return true;
+    }
+    return false;
+}
+function isCustomType(data) {
+    if (data?.data?.type === 'customType') {
+        return true;
+    }
+    return false;
+}
+function isCustomOperation(type) {
+    if (CustomOperation_1.CustomOperationNames.includes(type?.data?.typeName)) {
+        return true;
+    }
+    return false;
+}
+function isModelFieldDef(data) {
+    return data?.fieldType === 'model';
+}
+function isScalarFieldDef(data) {
+    return data?.fieldType !== 'model';
+}
+function isRefFieldDef(data) {
+    return data?.type === 'ref';
+}
+function isModelField(field) {
+    return isModelFieldDef(field?.data);
+}
+function dataSourceIsRef(dataSource) {
+    return (typeof dataSource !== 'string' &&
+        dataSource?.data &&
+        dataSource.data.type === 'ref');
+}
+function isScalarField(field) {
+    return isScalarFieldDef(field?.data);
+}
+function isRefField(field) {
+    return isRefFieldDef(field?.data);
+}
+function scalarFieldToGql(fieldDef, identifier, secondaryIndexes = []) {
+    const { fieldType, required, array, arrayRequired, default: _default, } = fieldDef;
+    let field = fieldType;
+    if (identifier !== undefined) {
+        field += '!';
+        if (identifier.length > 1) {
+            const [_pk, ...sk] = identifier;
+            field += ` @primaryKey(sortKeyFields: [${sk
+                .map((sk) => `"${sk}"`)
+                .join(', ')}])`;
+        }
+        else {
+            field += ' @primaryKey';
+        }
+        for (const index of secondaryIndexes) {
+            field += ` ${index}`;
+        }
+        return field;
+    }
+    if (required === true) {
+        field += '!';
+    }
+    if (array) {
+        field = `[${field}]`;
+        if (arrayRequired === true) {
+            field += '!';
+        }
+    }
+    if (_default !== undefined) {
+        field += ` @default(value: "${_default?.toString()}")`;
+    }
+    for (const index of secondaryIndexes) {
+        field += ` ${index}`;
+    }
+    return field;
+}
+function modelFieldToGql(fieldDef) {
+    const { type, relatedModel, array, relationName, valueRequired, arrayRequired, references, } = fieldDef;
+    let field = relatedModel;
+    if (valueRequired === true) {
+        field += '!';
+    }
+    if (array) {
+        field = `[${field}]`;
+    }
+    if (arrayRequired === true) {
+        field += '!';
+    }
+    if (references && Array.isArray(references) && references.length > 0) {
+        field += ` @${type}(references: [${references.map((s) => `"${String(s)}"`)}])`;
+    }
+    else {
+        field += ` @${type}`;
+    }
+    // TODO: accept other relationship options e.g. `fields`
+    if (type === 'manyToMany') {
+        field += `(relationName: "${relationName}")`;
+    }
+    return field;
+}
+function refFieldToGql(fieldDef) {
+    const { link, valueRequired, array, arrayRequired } = fieldDef;
+    let field = link;
+    if (valueRequired === true) {
+        field += '!';
+    }
+    if (array === true) {
+        field = `[${field}]`;
+    }
+    if (arrayRequired === true) {
+        field += '!';
+    }
+    return field;
+}
+function transformFunctionHandler(handlers, functionFieldName) {
+    let gqlHandlerContent = '';
+    const lambdaFunctionDefinition = {};
+    handlers.forEach((handler, idx) => {
+        const handlerData = (0, Handler_1.getHandlerData)(handler);
+        if (typeof handlerData === 'string') {
+            gqlHandlerContent += `@function(name: "${handlerData}") `;
+        }
+        else if (typeof handlerData.getInstance === 'function') {
+            const fnName = `Fn${capitalize(functionFieldName)}${idx === 0 ? '' : `${idx + 1}`}`;
+            lambdaFunctionDefinition[fnName] = handlerData;
+            gqlHandlerContent += `@function(name: "${fnName}") `;
+        }
+        else {
+            throw new Error(`Invalid value specified for ${functionFieldName} handler.function(). Expected: defineFunction or string.`);
+        }
+    });
+    return { gqlHandlerContent, lambdaFunctionDefinition };
+}
+function customOperationToGql(typeName, typeDef, authorization, isCustom = false, databaseType, getRefType) {
+    const { arguments: fieldArgs, typeName: opType, returnType, functionRef, handlers, subscriptionSource, } = typeDef.data;
+    let callSignature = typeName;
+    const implicitModels = [];
+    const { authString } = isCustom
+        ? calculateCustomAuth(authorization)
+        : calculateAuth(authorization);
+    /**
+     *
+     * @param returnType The return type from the `data` field of a customer operation.
+     * @param refererTypeName The type the refers {@link returnType} by `a.ref()`.
+     * @param shouldAddCustomTypeToImplicitModels A flag indicates wether it should push
+     * the return type resolved CustomType to the `implicitModels` list.
+     * @returns
+     */
+    const resolveReturnTypeNameFromReturnType = (returnType, { refererTypeName, shouldAddCustomTypeToImplicitModels = true, }) => {
+        if (isRefField(returnType)) {
+            return refFieldToGql(returnType?.data);
+        }
+        else if (isCustomType(returnType)) {
+            const returnTypeName = `${capitalize(refererTypeName)}ReturnType`;
+            if (shouldAddCustomTypeToImplicitModels) {
+                implicitModels.push([returnTypeName, returnType]);
+            }
+            return returnTypeName;
+        }
+        else if (isScalarField(returnType)) {
+            return scalarFieldToGql(returnType?.data);
+        }
+        else {
+            throw new Error(`Unrecognized return type on ${typeName}`);
+        }
+    };
+    let returnTypeName;
+    if (opType === 'Subscription' && returnType === null) {
+        // up to this point, we've validated that each subscription resource resolves
+        // the same return type, so it's safe to use subscriptionSource[0] here.
+        const { type, def } = getRefType(subscriptionSource[0].data.link, typeName);
+        if (type === 'CustomOperation') {
+            returnTypeName = resolveReturnTypeNameFromReturnType(def.data.returnType, {
+                refererTypeName: subscriptionSource[0].data.link,
+                shouldAddCustomTypeToImplicitModels: false,
+            });
+        }
+        else {
+            returnTypeName = refFieldToGql(subscriptionSource[0].data);
+        }
+    }
+    else {
+        returnTypeName = resolveReturnTypeNameFromReturnType(returnType, {
+            refererTypeName: typeName,
+        });
+    }
+    if (Object.keys(fieldArgs).length > 0) {
+        const { gqlFields, models } = processFields(typeName, fieldArgs, {}, {});
+        callSignature += `(${gqlFields.join(', ')})`;
+        implicitModels.push(...models);
+    }
+    const handler = handlers && handlers[0];
+    const brand = handler && (0, util_1.getBrand)(handler);
+    let gqlHandlerContent = '';
+    let lambdaFunctionDefinition = {};
+    let customSqlDataSourceStrategy;
+    if (isFunctionHandler(handlers)) {
+        ({ gqlHandlerContent, lambdaFunctionDefinition } = transformFunctionHandler(handlers, typeName));
+    }
+    else if (functionRef) {
+        gqlHandlerContent = `@function(name: "${functionRef}") `;
+    }
+    else if (databaseType === 'sql' && handler && brand === 'inlineSql') {
+        gqlHandlerContent = `@sql(statement: ${escapeGraphQlString(String((0, Handler_1.getHandlerData)(handler)))}) `;
+        customSqlDataSourceStrategy = {
+            typeName: opType,
+            fieldName: typeName,
+        };
+    }
+    else if (isSqlReferenceHandler(handlers)) {
+        const handlerData = (0, Handler_1.getHandlerData)(handlers[0]);
+        const entry = resolveEntryPath(handlerData, 'Could not determine import path to construct absolute code path for sql reference handler. Consider using an absolute path instead.');
+        const reference = typeof entry === 'string' ? entry : entry.relativePath;
+        customSqlDataSourceStrategy = {
+            typeName: opType,
+            fieldName: typeName,
+            entry,
+        };
+        gqlHandlerContent = `@sql(reference: "${reference}") `;
+    }
+    if (opType === 'Subscription') {
+        const subscriptionSources = subscriptionSource
+            .flatMap((source) => {
+            const refTarget = source.data.link;
+            const { type } = getRefType(refTarget, typeName);
+            if (type === 'CustomOperation') {
+                return refTarget;
+            }
+            if (type === 'Model') {
+                return source.data.mutationOperations.map(
+                // capitalize explicitly in case customer used lowercase model name
+                (op) => `${op}${capitalize(refTarget)}`);
+            }
+        })
+            .join('", "');
+        gqlHandlerContent += `@aws_subscribe(mutations: ["${subscriptionSources}"]) `;
+    }
+    const gqlField = `${callSignature}: ${returnTypeName} ${gqlHandlerContent}${authString}`;
+    return {
+        gqlField,
+        models: implicitModels,
+        lambdaFunctionDefinition,
+        customSqlDataSourceStrategy,
+    };
+}
+/**
+ * Escape a string that will be used inside of a graphql string.
+ * @param str The input string to be escaped
+ * @returns The string with special charactars escaped
+ */
+function escapeGraphQlString(str) {
+    return JSON.stringify(str);
+}
+/**
+ * Tests whether two ModelField definitions are in conflict.
+ *
+ * This is a shallow check intended to catch conflicts between defined fields
+ * and fields implied by authorization rules. Hence, it only compares type
+ * and plurality.
+ *
+ * @param left
+ * @param right
+ * @returns
+ */
+function areConflicting(left, right) {
+    // These are the only props we care about for this comparison, because the others
+    // (required, arrayRequired, etc) are not specified on auth or FK directives.
+    const relevantProps = ['array', 'fieldType'];
+    for (const prop of relevantProps) {
+        if (left.data[prop] !== right.data[prop]) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Merges one field defition object onto an existing one, performing
+ * validation (conflict detection) along the way.
+ *
+ * @param existing An existing field map
+ * @param additions A field map to merge in
+ */
+function addFields(existing, additions) {
+    for (const [k, addition] of Object.entries(additions)) {
+        if (!existing[k]) {
+            existing[k] = addition;
+        }
+        else if (areConflicting(existing[k], addition)) {
+            throw new Error(`Field ${k} defined twice with conflicting definitions.`);
+        }
+        else {
+            // fields are defined on both sides, but match.
+        }
+    }
+}
+/**
+ * Validate that no implicit fields are used by the model definition
+ *
+ * @param existing An existing field map
+ * @param implicitFields A field map inferred from other schema usage
+ *
+ * @throws An error when an undefined field is used or when a field is used in a way that conflicts with its generated definition
+ */
+function validateStaticFields(existing, implicitFields) {
+    if (implicitFields === undefined) {
+        return;
+    }
+    for (const [k, field] of Object.entries(implicitFields)) {
+        if (!existing[k]) {
+            throw new Error(`Field ${k} isn't defined.`);
+        }
+        else if (areConflicting(existing[k], field)) {
+            throw new Error(`Field ${k} defined twice with conflicting definitions.`);
+        }
+    }
+}
+/**
+ * Validate that no implicit fields conflict with explicitly defined fields.
+ *
+ * @param existing An existing field map
+ * @param implicitFields A field map inferred from other schema usage
+ *
+ * @throws An error when an undefined field is used or when a field is used in a way that conflicts with its generated definition
+ */
+function validateImpliedFields(existing, implicitFields) {
+    if (implicitFields === undefined) {
+        return;
+    }
+    for (const [k, field] of Object.entries(implicitFields)) {
+        if (existing[k] && areConflicting(existing[k], field)) {
+            throw new Error(`Implicit field ${k} conflicts with the explicit field definition.`);
+        }
+    }
+}
+/**
+ * Produces a new field definition object from every field definition object
+ * given as an argument. Performs validation (conflict detection) as objects
+ * are merged together.
+ *
+ * @param fieldsObjects A list of field definition objects to merge.
+ * @returns
+ */
+function mergeFieldObjects(...fieldsObjects) {
+    const result = {};
+    for (const fields of fieldsObjects) {
+        if (fields)
+            addFields(result, fields);
+    }
+    return result;
+}
+/**
+ * Throws if resource/lambda auth is configured at the model or field level
+ *
+ * @param authorization A list of authorization rules.
+ */
+function validateAuth(authorization = []) {
+    for (const entry of authorization) {
+        if (ruleIsResourceAuth(entry)) {
+            throw new Error('Lambda resource authorization is only confiugrable at the schema level');
+        }
+    }
+}
+/**
+ * Given a list of authorization rules, produces a set of the implied owner and/or
+ * group fields, along with the associated graphql `@auth` string directive.
+ *
+ * This is intended to be called for each model and field to collect the implied
+ * fields and directives from that individual "item's" auth rules.
+ *
+ * The computed directives are intended to be appended to the graphql field definition.
+ *
+ * The computed fields will be used to confirm no conflicts between explicit field definitions
+ * and implicit auth fields.
+ *
+ * @param authorization A list of authorization rules.
+ * @returns
+ */
+function calculateAuth(authorization) {
+    const authFields = {};
+    const rules = [];
+    for (const entry of authorization) {
+        const rule = (0, Authorization_1.accessData)(entry);
+        const ruleParts = [];
+        if (rule.strategy) {
+            ruleParts.push([`allow: ${rule.strategy}`]);
+        }
+        else {
+            return {
+                authFields,
+                authString: '',
+            };
+        }
+        if (rule.provider) {
+            ruleParts.push(`provider: ${rule.provider}`);
+        }
+        if (rule.operations) {
+            ruleParts.push(`operations: [${rule.operations.join(', ')}]`);
+        }
+        if (rule.groupOrOwnerField) {
+            // directive attribute, depending whether it's owner or group auth
+            if (rule.strategy === 'groups') {
+                // does this need to be escaped?
+                ruleParts.push(`groupsField: "${rule.groupOrOwnerField}"`);
+            }
+            else {
+                // does this need to be escaped?
+                ruleParts.push(`ownerField: "${rule.groupOrOwnerField}"`);
+            }
+            // model field dep, type of which depends on whether multiple owner/group
+            // is required.
+            if (rule.multiOwner) {
+                addFields(authFields, { [rule.groupOrOwnerField]: (0, ModelField_1.string)().array() });
+            }
+            else {
+                addFields(authFields, { [rule.groupOrOwnerField]: (0, ModelField_1.string)() });
+            }
+        }
+        if (rule.groups) {
+            // does `group` need to be escaped?
+            ruleParts.push(`groups: [${rule.groups.map((group) => `"${group}"`).join(', ')}]`);
+        }
+        // identityClaim
+        if (rule.identityClaim) {
+            // does this need to be escaped?
+            ruleParts.push(`identityClaim: "${rule.identityClaim}"`);
+        }
+        // groupClaim
+        if (rule.groupClaim) {
+            // does this need to be escaped?
+            ruleParts.push(`groupClaim: "${rule.groupClaim}"`);
+        }
+        rules.push(`{${ruleParts.join(', ')}}`);
+    }
+    const authString = rules.length > 0 ? `@auth(rules: [${rules.join(',\n  ')}])` : '';
+    return { authString, authFields };
+}
+function validateCustomAuthRule(rule) {
+    if (rule.operations) {
+        throw new Error('.to() modifier is not supported for custom queries/mutations');
+    }
+    if (rule.groupOrOwnerField) {
+        throw new Error('Dynamic auth (owner or dynamic groups) is not supported for custom queries/mutations');
+    }
+    // identityClaim
+    if (rule.identityClaim) {
+        throw new Error('identityClaim attr is not supported with a.handler.custom');
+    }
+    // groupClaim
+    if (rule.groupClaim) {
+        throw new Error('groupClaim attr is not supported with a.handler.custom');
+    }
+    if (rule.groups && rule.provider === 'oidc') {
+        throw new Error('OIDC group auth is not supported with a.handler.custom');
+    }
+}
+function getCustomAuthProvider(rule) {
+    const strategyDict = {
+        public: {
+            default: '@aws_api_key',
+            apiKey: '@aws_api_key',
+            iam: '@aws_iam',
+        },
+        private: {
+            default: '@aws_cognito_user_pools',
+            userPools: '@aws_cognito_user_pools',
+            oidc: '@aws_oidc',
+            iam: '@aws_iam',
+        },
+        groups: {
+            default: '@aws_cognito_user_pools',
+            userPools: '@aws_cognito_user_pools',
+        },
+        custom: {
+            default: '@aws_lambda',
+            function: '@aws_lambda',
+        },
+    };
+    const stratProviders = strategyDict[rule.strategy];
+    if (stratProviders === undefined) {
+        throw new Error(`Unsupported auth strategy for custom handlers: ${rule.strategy}`);
+    }
+    const provider = rule.provider || 'default';
+    const stratProvider = stratProviders[provider];
+    if (stratProvider === undefined) {
+        throw new Error(`Unsupported provider for custom handlers: ${rule.provider}`);
+    }
+    return stratProvider;
+}
+function calculateCustomAuth(authorization) {
+    const rules = [];
+    for (const entry of authorization) {
+        const rule = (0, Authorization_1.accessData)(entry);
+        validateCustomAuthRule(rule);
+        const provider = getCustomAuthProvider(rule);
+        if (rule.groups) {
+            // example: (cognito_groups: ["Bloggers", "Readers"])
+            rules.push(`${provider}(cognito_groups: [${rule.groups
+                .map((group) => `"${group}"`)
+                .join(', ')}])`);
+        }
+        else {
+            rules.push(provider);
+        }
+    }
+    const authString = rules.join(' ');
+    return { authString };
+}
+function capitalize(s) {
+    return `${s[0].toUpperCase()}${s.slice(1)}`;
+}
+function uncapitalize(s) {
+    return `${s[0].toLowerCase()}${s.slice(1)}`;
+}
+function fkName(model, field, identifier) {
+    return `${uncapitalize(model)}${capitalize(field)}${capitalize(identifier)}`;
+}
+/**
+ * Returns all explicitly defined and implied fields from a model.
+ *
+ * @param schema The schema the model is part of. Necessary to derive implied FK's.
+ * @param model The model to extract fields from and derive fields for.
+ * @returns
+ */
+const allImpliedFKs = (schema) => {
+    const fks = {};
+    function addFk({ onModel, asField, fieldDef, }) {
+        fks[onModel] = fks[onModel] || {};
+        fks[onModel][asField] = fieldDef;
+    }
+    // implied FK's
+    for (const [modelName, typeDef] of Object.entries(schema.data.types)) {
+        if (!isInternalModel(typeDef))
+            continue;
+        for (const [fieldName, fieldDef] of Object.entries(typeDef.data.fields)) {
+            if (!isModelField(fieldDef))
+                continue;
+            const relatedModel = schema.data.types[fieldDef.data.relatedModel];
+            switch (fieldDef.data.type) {
+                case ModelRelationalField_1.ModelRelationshipTypes.hasOne:
+                    for (const idField of relatedModel.data.identifier) {
+                        addFk({
+                            onModel: modelName,
+                            asField: fkName(modelName, fieldName, idField),
+                            fieldDef: {
+                                data: {
+                                    ...fieldDef.data,
+                                    fieldType: relatedModel.data.fields[idField]?.data.fieldType ||
+                                        ModelField_1.ModelFieldType.Id,
+                                },
+                            },
+                        });
+                    }
+                    break;
+                case ModelRelationalField_1.ModelRelationshipTypes.hasMany:
+                    {
+                        let authorization = [];
+                        let required = false;
+                        const [_belongsToName, belongsToDef] = Object.entries(relatedModel.data.fields).find(([_name, def]) => {
+                            return (isModelField(def) &&
+                                def.data.type === ModelRelationalField_1.ModelRelationshipTypes.belongsTo &&
+                                def.data.relatedModel === fieldName);
+                        }) || [];
+                        if (belongsToDef && isModelField(belongsToDef)) {
+                            authorization = belongsToDef.data.authorization;
+                            required = belongsToDef.data.valueRequired;
+                        }
+                        for (const idField of typeDef.data.identifier) {
+                            addFk({
+                                onModel: fieldDef.data.relatedModel,
+                                asField: fkName(modelName, fieldName, idField),
+                                fieldDef: {
+                                    data: {
+                                        ...(typeDef.data.fields[idField]?.data ||
+                                            (0, ModelField_1.id)().data),
+                                        authorization,
+                                        required,
+                                    },
+                                },
+                            });
+                        }
+                    }
+                    break;
+                case ModelRelationalField_1.ModelRelationshipTypes.belongsTo:
+                    {
+                        // only create if corresponds to hasOne
+                        const [_hasOneName, hasOneDef] = Object.entries(relatedModel.data.fields).find(([_name, def]) => {
+                            return (isModelField(def) &&
+                                def.data.type === ModelRelationalField_1.ModelRelationshipTypes.hasOne &&
+                                def.data.relatedModel === modelName);
+                        }) || [];
+                        if (hasOneDef && isModelField(hasOneDef)) {
+                            for (const idField of relatedModel.data.identifier) {
+                                addFk({
+                                    onModel: modelName,
+                                    asField: fkName(modelName, fieldName, idField),
+                                    fieldDef: {
+                                        data: {
+                                            ...typeDef.data,
+                                            fieldType: relatedModel.data.fields[idField]?.data.fieldType ||
+                                                ModelField_1.ModelFieldType.Id,
+                                        },
+                                    },
+                                });
+                            }
+                        }
+                    }
+                    break;
+                case ModelRelationalField_1.ModelRelationshipTypes.manyToMany:
+                    // pretty sure there's nothing to do here.
+                    // the implicit join table already has everything, AFAIK.
+                    break;
+                default:
+                // nothing to do.
+            }
+        }
+    }
+    return fks;
+};
+function processFieldLevelAuthRules(fields, authFields) {
+    const fieldLevelAuthRules = {};
+    for (const [fieldName, fieldDef] of Object.entries(fields)) {
+        const fieldAuth = fieldDef?.data?.authorization || [];
+        validateAuth(fieldAuth);
+        const { authString, authFields: fieldAuthField } = calculateAuth(fieldAuth);
+        if (authString)
+            fieldLevelAuthRules[fieldName] = authString;
+        if (fieldAuthField) {
+            addFields(authFields, fieldAuthField);
+        }
+    }
+    return fieldLevelAuthRules;
+}
+function processFields(typeName, fields, impliedFields, fieldLevelAuthRules, identifier, partitionKey, secondaryIndexes = {}) {
+    const gqlFields = [];
+    const models = [];
+    validateImpliedFields(fields, impliedFields);
+    for (const [fieldName, fieldDef] of Object.entries(fields)) {
+        const fieldAuth = fieldLevelAuthRules[fieldName]
+            ? ` ${fieldLevelAuthRules[fieldName]}`
+            : '';
+        if (isModelField(fieldDef)) {
+            gqlFields.push(`${fieldName}: ${modelFieldToGql(fieldDef.data)}${fieldAuth}`);
+        }
+        else if (isScalarField(fieldDef)) {
+            if (fieldName === partitionKey) {
+                gqlFields.push(`${fieldName}: ${scalarFieldToGql(fieldDef.data, identifier, secondaryIndexes[fieldName])}${fieldAuth}`);
+            }
+            else if (isRefField(fieldDef)) {
+                gqlFields.push(`${fieldName}: ${refFieldToGql(fieldDef.data)}${fieldAuth}`);
+            }
+            else if (isEnumType(fieldDef)) {
+                // The inline enum type name should be `<TypeName><FieldName>` to avoid
+                // enum type name conflicts
+                const enumName = `${capitalize(typeName)}${capitalize(fieldName)}`;
+                models.push([enumName, fieldDef]);
+                gqlFields.push(`${fieldName}: ${enumName}`);
+            }
+            else if (isCustomType(fieldDef)) {
+                // The inline CustomType name should be `<TypeName><FieldName>` to avoid
+                // CustomType name conflicts
+                const customTypeName = `${capitalize(typeName)}${capitalize(fieldName)}`;
+                models.push([customTypeName, fieldDef]);
+                gqlFields.push(`${fieldName}: ${customTypeName}`);
+            }
+            else {
+                gqlFields.push(`${fieldName}: ${scalarFieldToGql(fieldDef.data, undefined, secondaryIndexes[fieldName])}${fieldAuth}`);
+            }
+        }
+        else {
+            throw new Error(`Unexpected field definition: ${fieldDef}`);
+        }
+    }
+    return { gqlFields, models };
+}
+/**
+ *
+ * @param pk - partition key field name
+ * @param sk - (optional) array of sort key field names
+ * @returns default query field name
+ */
+const secondaryIndexDefaultQueryField = (pk, sk) => {
+    const skName = sk?.length ? 'And' + sk?.map(capitalize).join('And') : '';
+    const queryField = `listBy${capitalize(pk)}${skName}`;
+    return queryField;
+};
+/**
+ * Given InternalModelIndexType[] returns a map where the key is the model field to be annotated with an @index directive
+ * and the value is an array of transformed Amplify @index directives with all supplied attributes
+ */
+const transformedSecondaryIndexesForModel = (secondaryIndexes) => {
+    const indexDirectiveWithAttributes = (partitionKey, sortKeys, indexName, queryField) => {
+        if (!sortKeys.length && !indexName && !queryField) {
+            return `@index(queryField: "${secondaryIndexDefaultQueryField(partitionKey)}")`;
+        }
+        const attributes = [];
+        if (indexName) {
+            attributes.push(`name: "${indexName}"`);
+        }
+        if (sortKeys.length) {
+            attributes.push(`sortKeyFields: [${sortKeys.map((sk) => `"${sk}"`).join(', ')}]`);
+        }
+        if (queryField) {
+            attributes.push(`queryField: "${queryField}"`);
+        }
+        else {
+            attributes.push(`queryField: "${secondaryIndexDefaultQueryField(partitionKey, sortKeys)}"`);
+        }
+        return `@index(${attributes.join(', ')})`;
+    };
+    return secondaryIndexes.reduce((acc, { data: { partitionKey, sortKeys, indexName, queryField } }) => {
+        acc[partitionKey] = acc[partitionKey] || [];
+        acc[partitionKey].push(indexDirectiveWithAttributes(partitionKey, sortKeys, indexName, queryField));
+        return acc;
+    }, {});
+};
+const ruleIsResourceAuth = (authRule) => {
+    const data = (0, Authorization_1.accessSchemaData)(authRule);
+    return data.strategy === 'resource';
+};
+/**
+ * Separates out lambda resource auth rules from remaining schema rules.
+ *
+ * @param authRules schema auth rules
+ */
+const extractFunctionSchemaAccess = (authRules) => {
+    const schemaAuth = [];
+    const functionSchemaAccess = [];
+    const defaultActions = [
+        'query',
+        'mutate',
+        'listen',
+    ];
+    for (const rule of authRules) {
+        if (ruleIsResourceAuth(rule)) {
+            const ruleData = (0, Authorization_1.accessSchemaData)(rule);
+            const fnAccess = {
+                resourceProvider: ruleData.resource,
+                actions: ruleData.operations || defaultActions,
+            };
+            functionSchemaAccess.push(fnAccess);
+        }
+        else {
+            schemaAuth.push(rule);
+        }
+    }
+    return { schemaAuth, functionSchemaAccess };
+};
+/**
+ * Returns a closure for retrieving reference type and definition from schema
+ */
+const getRefTypeForSchema = (schema) => {
+    const getRefType = (source, target) => {
+        const typeDef = schema.data.types[source];
+        if (typeDef === undefined) {
+            throw new Error(`Invalid ref. ${target} is referencing ${source} which is not defined in the schema`);
+        }
+        if (isInternalModel(typeDef)) {
+            return { type: 'Model', def: typeDef };
+        }
+        if (isCustomOperation(typeDef)) {
+            return { type: 'CustomOperation', def: typeDef };
+        }
+        if (isCustomType(typeDef)) {
+            return { type: 'CustomType', def: typeDef };
+        }
+        if (isEnumType(typeDef)) {
+            return { type: 'Enum', def: typeDef };
+        }
+        throw new Error(`Invalid ref. ${target} is referencing ${source} which is neither a Model, Custom Operation, Custom Type, or Enum`);
+    };
+    return getRefType;
+};
+const schemaPreprocessor = (schema) => {
+    const gqlModels = [];
+    const customQueries = [];
+    const customMutations = [];
+    const customSubscriptions = [];
+    const jsFunctions = [];
+    const lambdaFunctions = {};
+    const customSqlDataSourceStrategies = [];
+    const databaseType = schema.data.configuration.database.engine === 'dynamodb'
+        ? 'dynamodb'
+        : 'sql';
+    const staticSchema = schema.data.configuration.database.engine === 'dynamodb' ? false : true;
+    const fkFields = staticSchema ? {} : allImpliedFKs(schema);
+    const topLevelTypes = Object.entries(schema.data.types);
+    const { schemaAuth, functionSchemaAccess } = extractFunctionSchemaAccess(schema.data.authorization);
+    const getRefType = getRefTypeForSchema(schema);
+    for (const [typeName, typeDef] of topLevelTypes) {
+        validateAuth(typeDef.data?.authorization);
+        const mostRelevantAuthRules = typeDef.data?.authorization?.length > 0
+            ? typeDef.data.authorization
+            : schemaAuth;
+        if (!isInternalModel(typeDef)) {
+            if (isEnumType(typeDef)) {
+                if (typeDef.values.some((value) => /\s/.test(value))) {
+                    throw new Error(`Values of the enum type ${typeName} should not contain any whitespace.`);
+                }
+                const enumType = `enum ${typeName} {\n  ${typeDef.values.join('\n  ')}\n}`;
+                gqlModels.push(enumType);
+            }
+            else if (isCustomType(typeDef)) {
+                const fields = typeDef.data.fields;
+                const fieldAuthApplicableFields = Object.fromEntries(Object.entries(fields).filter((pair) => isModelField(pair[1])));
+                const authString = '';
+                const authFields = {};
+                const fieldLevelAuthRules = processFieldLevelAuthRules(fieldAuthApplicableFields, authFields);
+                const { gqlFields, models } = processFields(typeName, fields, authFields, fieldLevelAuthRules);
+                topLevelTypes.push(...models);
+                const joined = gqlFields.join('\n  ');
+                const model = `type ${typeName} ${authString}\n{\n  ${joined}\n}`;
+                gqlModels.push(model);
+            }
+            else if (isCustomOperation(typeDef)) {
+                const { typeName: opType } = typeDef.data;
+                const { gqlField, models, jsFunctionForField, lambdaFunctionDefinition, customSqlDataSourceStrategy, } = transformCustomOperations(typeDef, typeName, mostRelevantAuthRules, databaseType, getRefType);
+                Object.assign(lambdaFunctions, lambdaFunctionDefinition);
+                topLevelTypes.push(...models);
+                if (jsFunctionForField) {
+                    jsFunctions.push(jsFunctionForField);
+                }
+                if (customSqlDataSourceStrategy) {
+                    customSqlDataSourceStrategies.push(customSqlDataSourceStrategy);
+                }
+                switch (opType) {
+                    case 'Query':
+                        customQueries.push(gqlField);
+                        break;
+                    case 'Mutation':
+                        customMutations.push(gqlField);
+                        break;
+                    case 'Subscription':
+                        customSubscriptions.push(gqlField);
+                        break;
+                    default:
+                        break;
+                }
+            }
+        }
+        else if (staticSchema) {
+            const fields = { ...typeDef.data.fields };
+            const identifier = typeDef.data.identifier;
+            const [partitionKey] = identifier;
+            validateStaticFields(fields, fkFields[typeName]);
+            const { authString, authFields } = calculateAuth(mostRelevantAuthRules);
+            if (authString == '') {
+                throw new Error(`Model \`${typeName}\` is missing authorization rules. Add global rules to the schema or ensure every model has its own rules.`);
+            }
+            const fieldLevelAuthRules = processFieldLevelAuthRules(fields, authFields);
+            validateStaticFields(fields, authFields);
+            const { gqlFields, models } = processFields(typeName, fields, authFields, fieldLevelAuthRules, identifier, partitionKey);
+            topLevelTypes.push(...models);
+            const joined = gqlFields.join('\n  ');
+            const model = `type ${typeName} @model ${authString}\n{\n  ${joined}\n}`;
+            gqlModels.push(model);
+        }
+        else {
+            const fields = mergeFieldObjects(typeDef.data.fields, fkFields[typeName]);
+            const identifier = typeDef.data.identifier;
+            const [partitionKey] = identifier;
+            const transformedSecondaryIndexes = transformedSecondaryIndexesForModel(typeDef.data.secondaryIndexes);
+            const { authString, authFields } = calculateAuth(mostRelevantAuthRules);
+            if (authString == '') {
+                throw new Error(`Model \`${typeName}\` is missing authorization rules. Add global rules to the schema or ensure every model has its own rules.`);
+            }
+            const fieldLevelAuthRules = processFieldLevelAuthRules(fields, authFields);
+            const { gqlFields, models } = processFields(typeName, fields, authFields, fieldLevelAuthRules, identifier, partitionKey, transformedSecondaryIndexes);
+            topLevelTypes.push(...models);
+            const joined = gqlFields.join('\n  ');
+            const model = `type ${typeName} @model ${authString}\n{\n  ${joined}\n}`;
+            gqlModels.push(model);
+        }
+    }
+    const customOperations = {
+        queries: customQueries,
+        mutations: customMutations,
+        subscriptions: customSubscriptions,
+    };
+    gqlModels.push(...generateCustomOperationTypes(customOperations));
+    const processedSchema = gqlModels.join('\n\n');
+    return {
+        schema: processedSchema,
+        jsFunctions,
+        functionSchemaAccess,
+        lambdaFunctions,
+        customSqlDataSourceStrategies,
+    };
+};
+function validateCustomOperations(typeDef, typeName, authRules, getRefType) {
+    const { functionRef, handlers, typeName: opType, subscriptionSource, } = typeDef.data;
+    // TODO: remove `functionRef` after deprecating
+    const handlerConfigured = functionRef !== null || handlers?.length;
+    const authConfigured = authRules.length > 0;
+    if ((authConfigured && !handlerConfigured) ||
+        (handlerConfigured && !authConfigured)) {
+        // Deploying a custom operation with auth and no handler reference OR
+        // with a handler reference but no auth
+        // causes the CFN stack to reach an unrecoverable state. Ideally, this should be fixed
+        // in the CDK construct, but we're catching it early here as a stopgap
+        throw new Error(`Custom operation ${typeName} requires both an authorization rule and a handler reference`);
+    }
+    // Handlers must all be of the same type
+    if (handlers?.length) {
+        const configuredHandlers = new Set();
+        for (const handler of handlers) {
+            configuredHandlers.add((0, util_1.getBrand)(handler));
+        }
+        if (configuredHandlers.size > 1) {
+            const configuredHandlersStr = JSON.stringify(Array.from(configuredHandlers));
+            throw new Error(`Field handlers must be of the same type. ${typeName} has been configured with ${configuredHandlersStr}`);
+        }
+    }
+    if (opType === 'Subscription') {
+        if (subscriptionSource.length < 1) {
+            throw new Error(`${typeName} is missing a mutation source. Custom subscriptions must reference a mutation source via subscription().for(a.ref('ModelOrOperationName')) `);
+        }
+        let expectedReturnType;
+        for (const source of subscriptionSource) {
+            const sourceName = source.data.link;
+            const { type, def } = getRefType(sourceName, typeName);
+            if (type !== 'Model' && source.data.mutationOperations.length > 0) {
+                throw new Error(`Invalid subscription definition. .mutations() modifier can only be used with a Model ref. ${typeName} is referencing ${type}`);
+            }
+            let resolvedReturnType;
+            if (type === 'Model') {
+                if (source.data.mutationOperations.length === 0) {
+                    throw new Error(`Invalid subscription definition. .mutations() modifier must be used with a Model ref subscription source. ${typeName} is referencing ${sourceName} without specifying a mutation`);
+                }
+                else {
+                    resolvedReturnType = def;
+                }
+            }
+            if (type === 'CustomOperation') {
+                if (def.data.typeName !== 'Mutation') {
+                    throw new Error(`Invalid subscription definition. .for() can only reference a mutation. ${typeName} is referencing ${sourceName} which is a ${def.data.typeName}`);
+                }
+                else {
+                    const returnType = def.data.returnType;
+                    if (isRefField(returnType)) {
+                        ({ def: resolvedReturnType } = getRefType(returnType.data.link, typeName));
+                    }
+                    else {
+                        resolvedReturnType = returnType;
+                    }
+                }
+            }
+            expectedReturnType = expectedReturnType ?? resolvedReturnType;
+            // As the return types are resolved from the root `schema` object and they should
+            // not be mutated, we compare by references here.
+            if (expectedReturnType !== resolvedReturnType) {
+                throw new Error(`Invalid subscription definition. .for() can only reference resources that have the same return type. ${typeName} is referencing resources that have different return types.`);
+            }
+        }
+    }
+}
+const isSqlReferenceHandler = (handler) => {
+    return Array.isArray(handler) && (0, util_1.getBrand)(handler[0]) === 'sqlReference';
+};
+const isCustomHandler = (handler) => {
+    return Array.isArray(handler) && (0, util_1.getBrand)(handler[0]) === 'customHandler';
+};
+const isFunctionHandler = (handler) => {
+    return Array.isArray(handler) && (0, util_1.getBrand)(handler[0]) === 'functionHandler';
+};
+const normalizeDataSourceName = (dataSource) => {
+    // default data source
+    const noneDataSourceName = 'NONE_DS';
+    if (dataSource === undefined) {
+        return noneDataSourceName;
+    }
+    if (dataSourceIsRef(dataSource)) {
+        return `${dataSource.data.link}Table`;
+    }
+    return dataSource;
+};
+const sanitizeStackTrace = (stackTrace) => {
+    // normalize EOL to \n so that parsing is consistent across platforms
+    const normalizedStackTrace = stackTrace.replaceAll(os.EOL, '\n');
+    return (normalizedStackTrace
+        .split('\n')
+        .map((line) => line.trim())
+        // filters out noise not relevant to the stack trace. All stack trace lines begin with 'at'
+        .filter((line) => line.startsWith('at')) || []);
+};
+// copied from the defineFunction path resolution impl:
+// https://github.com/aws-amplify/amplify-backend/blob/main/packages/backend-function/src/get_caller_directory.ts
+const resolveEntryPath = (data, errorMessage) => {
+    if (path.isAbsolute(data.entry)) {
+        return data.entry;
+    }
+    if (!data.stack) {
+        throw new Error(errorMessage);
+    }
+    const stackTraceLines = sanitizeStackTrace(data.stack);
+    if (stackTraceLines.length < 2) {
+        throw new Error(errorMessage);
+    }
+    const stackTraceImportLine = stackTraceLines[1]; // the first entry is the file where the error was initialized (our code). The second entry is where the customer called our code which is what we are interested in
+    // if entry is relative, compute with respect to the caller directory
+    return { relativePath: data.entry, importLine: stackTraceImportLine };
+};
+const handleCustom = (handlers, opType, typeName) => {
+    const transformedHandlers = handlers.map((handler) => {
+        const handlerData = (0, Handler_1.getHandlerData)(handler);
+        return {
+            dataSource: normalizeDataSourceName(handlerData.dataSource),
+            entry: resolveEntryPath(handlerData, 'Could not determine import path to construct absolute code path for custom handler. Consider using an absolute path instead.'),
+        };
+    });
+    const jsFn = {
+        typeName: opType,
+        fieldName: typeName,
+        handlers: transformedHandlers,
+    };
+    return jsFn;
+};
+function transformCustomOperations(typeDef, typeName, authRules, databaseType, getRefType) {
+    const { typeName: opType, handlers } = typeDef.data;
+    let jsFunctionForField = undefined;
+    validateCustomOperations(typeDef, typeName, authRules, getRefType);
+    if (isCustomHandler(handlers)) {
+        jsFunctionForField = handleCustom(handlers, opType, typeName);
+    }
+    const isCustom = Boolean(jsFunctionForField);
+    const { gqlField, models, lambdaFunctionDefinition, customSqlDataSourceStrategy, } = customOperationToGql(typeName, typeDef, authRules, isCustom, databaseType, getRefType);
+    return {
+        gqlField,
+        models,
+        jsFunctionForField,
+        lambdaFunctionDefinition,
+        customSqlDataSourceStrategy,
+    };
+}
+function generateCustomOperationTypes({ queries, mutations, subscriptions, }) {
+    const types = [];
+    if (mutations.length > 0) {
+        types.push(`type Mutation {\n  ${mutations.join('\n  ')}\n}`);
+    }
+    if (queries.length > 0) {
+        types.push(`type Query {\n  ${queries.join('\n  ')}\n}`);
+    }
+    if (subscriptions.length > 0) {
+        types.push(`type Subscription {\n  ${subscriptions.join('\n  ')}\n}`);
+    }
+    return types;
+}
+/**
+ * Returns API definition from ModelSchema or string schema
+ * @param arg - { schema }
+ * @returns DerivedApiDefinition that conforms to IAmplifyGraphqlDefinition
+ */
+function processSchema(arg) {
+    const { schema, jsFunctions, functionSchemaAccess, lambdaFunctions, customSqlDataSourceStrategies, } = schemaPreprocessor(arg.schema);
+    return {
+        schema,
+        functionSlots: [],
+        jsFunctions,
+        functionSchemaAccess,
+        lambdaFunctions,
+        customSqlDataSourceStrategies,
+    };
+}
+exports.processSchema = processSchema;