@aws-amplify/data-schema 0.13.10 → 0.13.12

package/lib-esm/src/Authorization.d.ts

@@ -1,4 +1,4 @@
-import type { UnionToIntersection } from '@aws-amplify/data-schema-types';
+import type { UnionToIntersection, FunctionSchemaAccess } from '@aws-amplify/data-schema-types';
 declare const __data: unique symbol;
 /**
  * All possible providers.
@@ -41,6 +41,24 @@ export type Strategy = (typeof Strategies)[number];
  */
 export declare const Operations: readonly ["create", "update", "delete", "read", "get", "list", "sync", "listen", "search"];
 export type Operation = (typeof Operations)[number];
+/**
+ * The operations that can be performed against an API by a Lambda function.
+ */
+export declare const ResourceOperations: readonly ["query", "mutate", "listen"];
+export type ResourceOperation = (typeof ResourceOperations)[number];
+/**
+ * Super-set of regular auth type; includes schema-level resource access configuration
+ */
+export type SchemaAuthorization<AuthStrategy extends Strategy, AuthField extends string | undefined, AuthFieldPlurality extends boolean> = Authorization<AuthStrategy, AuthField, AuthFieldPlurality> | ResourceAuthorization;
+export type ResourceAuthorization = {
+    [__data]: ResourceAuthorizationData;
+};
+type DefineFunction = FunctionSchemaAccess['resourceProvider'];
+export type ResourceAuthorizationData = {
+    strategy: 'resource';
+    resource: DefineFunction;
+    operations?: ResourceOperation[];
+};
 export type Authorization<AuthStrategy extends Strategy, AuthField extends string | undefined, AuthFieldPlurality extends boolean> = {
     [__data]: {
         strategy?: AuthStrategy;
@@ -200,7 +218,11 @@ export declare const allow: {
     readonly custom: (provider?: CustomProvider) => Authorization<"custom", undefined, false> & {
         to: typeof to;
     };
+    readonly resource: (fn: DefineFunction) => ResourceAuthorization & {
+        to: typeof resourceTo;
+    };
 };
+declare function resourceTo<SELF extends ResourceAuthorization>(this: SELF, operations: ResourceOperation[]): Omit<SELF, "to">;
 /**
  * Turns the type from a list of `Authorization` rules like this:
  *
@@ -261,4 +283,5 @@ export declare const accessData: <T extends Authorization<any, any, any>>(author
     identityClaim?: string | undefined;
     groupClaim?: string | undefined;
 };
+export declare const accessSchemaData: <T extends SchemaAuthorization<any, any, any>>(authorization: T) => T[typeof __data];
 export {};

package/lib-esm/src/Authorization.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.accessData = exports.allow = exports.Operations = exports.Strategies = exports.CustomProviders = exports.GroupProviders = exports.OwnerProviders = exports.PrivateProviders = exports.PublicProviders = exports.Providers = void 0;
+exports.accessSchemaData = exports.accessData = exports.allow = exports.ResourceOperations = exports.Operations = exports.Strategies = exports.CustomProviders = exports.GroupProviders = exports.OwnerProviders = exports.PrivateProviders = exports.PublicProviders = exports.Providers = void 0;
 const __data = Symbol('data');
 /**
  * All possible providers.
@@ -57,6 +57,10 @@ exports.Operations = [
     'listen',
     'search',
 ];
+/**
+ * The operations that can be performed against an API by a Lambda function.
+ */
+exports.ResourceOperations = ['query', 'mutate', 'listen'];
 /**
  * Creates a shallow copy of an object with an individual field pruned away.
  *
@@ -302,6 +306,27 @@ exports.allow = {
             to,
         });
     },
+    resource(fn) {
+        return resourceAuthData(fn, {
+            to: resourceTo,
+        });
+    },
 };
+function resourceTo(operations) {
+    this[__data].operations = operations;
+    return omit(this, 'to');
+}
+function resourceAuthData(resource, builderMethods) {
+    return {
+        [__data]: {
+            strategy: 'resource',
+            resource,
+        },
+        ...builderMethods,
+    };
+}
 const accessData = (authorization) => authorization[__data];
 exports.accessData = accessData;
+// TODO: delete when we make resource auth available at each level in the schema (model, field)
+const accessSchemaData = (authorization) => authorization[__data];
+exports.accessSchemaData = accessSchemaData;

package/lib-esm/src/CustomOperation.d.ts

@@ -5,7 +5,7 @@ import { Authorization } from './Authorization';
 import { RefType, InternalRef } from './RefType';
 import { EnumType, EnumTypeParamShape } from './EnumType';
 import { CustomType } from './CustomType';
-import type { HandlerType as Handler } from './Handler';
+import type { CustomHandler, FunctionHandler, HandlerType as Handler } from './Handler';
 declare const queryBrand = "queryCustomOperation";
 declare const mutationBrand = "mutationCustomOperation";
 declare const subscriptionBrand = "subscriptionCustomOperation";
@@ -15,7 +15,7 @@ type CustomReturnType = RefType<any> | CustomType<any>;
 type CustomFunctionRefType = string;
 type InternalCustomArguments = Record<string, InternalField>;
 type InternalCustomReturnType = InternalRef;
-type HandlerInputType = Handler | Handler[number];
+type HandlerInputType = FunctionHandler[] | CustomHandler[] | Handler;
 export declare const CustomOperationNames: readonly ["Query", "Mutation", "Subscription"];
 type CustomOperationName = (typeof CustomOperationNames)[number];
 type CustomData = {
@@ -24,7 +24,7 @@ type CustomData = {
     functionRef: string | null;
     authorization: Authorization<any, any, any>[];
     typeName: CustomOperationName;
-    handlers: Handler | null;
+    handlers: Handler[] | null;
 };
 type InternalCustomData = CustomData & {
     arguments: InternalCustomArguments;

package/lib-esm/src/Handler.d.ts

@@ -1,6 +1,6 @@
 import { Brand } from './util';
 import { RefType } from './RefType';
-export type HandlerType = InlineSqlHandler[] | SqlReferenceHandler[] | CustomHandler[] | FunctionHandler[];
+export type HandlerType = InlineSqlHandler | SqlReferenceHandler | CustomHandler | FunctionHandler;
 declare const dataSymbol: unique symbol;
 type AllHandlers = InlineSqlHandler | SqlReferenceHandler | CustomHandler | FunctionHandler;
 export declare function getHandlerData<H extends AllHandlers>(handler: H): H[typeof dataSymbol];

package/lib-esm/src/ModelSchema.d.ts

@@ -3,7 +3,7 @@ import { type ModelType, type ModelTypeParamShape, type InternalModel, SchemaMod
 import type { EnumType, EnumTypeParamShape } from './EnumType';
 import type { CustomType, CustomTypeParamShape } from './CustomType';
 import type { CustomOperation, CustomOperationParamShape, InternalCustom, MutationCustomOperation, QueryCustomOperation, SubscriptionCustomOperation } from './CustomOperation';
-import { Authorization } from './Authorization';
+import { SchemaAuthorization } from './Authorization';
 type SchemaContent = ModelType<ModelTypeParamShape, any> | CustomType<CustomTypeParamShape> | EnumType<EnumTypeParamShape> | CustomOperation<CustomOperationParamShape, any>;
 type ModelSchemaContents = Record<string, SchemaContent>;
 type InternalSchemaModels = Record<string, InternalModel | EnumType<any> | CustomType<any> | InternalCustom>;
@@ -35,7 +35,7 @@ export type SchemaConfig<DE extends DatasourceEngine, DC extends DatasourceConfi
 };
 export type ModelSchemaParamShape = {
     types: ModelSchemaContents;
-    authorization: Authorization<any, any, any>[];
+    authorization: SchemaAuthorization<any, any, any>[];
     configuration: SchemaConfig<any, any>;
 };
 export type SQLModelSchemaParamShape = ModelSchemaParamShape & {
@@ -44,11 +44,12 @@ export type SQLModelSchemaParamShape = ModelSchemaParamShape & {
 export type InternalSchema = {
     data: {
         types: InternalSchemaModels;
-        authorization: Authorization<any, any, any>[];
+        authorization: SchemaAuthorization<any, any, any>[];
+        configuration: SchemaConfig<any, any>;
     };
 };
 export type ModelSchema<T extends ModelSchemaParamShape, UsedMethods extends 'authorization' = never> = Omit<{
-    authorization: <AuthRules extends Authorization<any, any, any>>(auth: AuthRules[]) => ModelSchema<SetTypeSubArg<T, 'authorization', AuthRules[]>, UsedMethods | 'authorization'>;
+    authorization: <AuthRules extends SchemaAuthorization<any, any, any>>(auth: AuthRules[]) => ModelSchema<SetTypeSubArg<T, 'authorization', AuthRules[]>, UsedMethods | 'authorization'>;
 }, UsedMethods> & {
     data: T;
     models: {

package/lib-esm/src/SchemaProcessor.js

@@ -155,8 +155,8 @@ function refFieldToGql(fieldDef) {
     }
     return field;
 }
-function customOperationToGql(typeName, typeDef, authorization, isCustom = false) {
-    const { arguments: fieldArgs, returnType, functionRef } = typeDef.data;
+function customOperationToGql(typeName, typeDef, authorization, isCustom = false, databaseType) {
+    const { arguments: fieldArgs, returnType, functionRef, handlers, } = typeDef.data;
     let callSignature = typeName;
     const implicitModels = [];
     const { authString } = isCustom
@@ -181,10 +181,29 @@ function customOperationToGql(typeName, typeDef, authorization, isCustom = false
         callSignature += `(${gqlFields.join(', ')})`;
         implicitModels.push(...models);
     }
-    const fnString = functionRef ? `@function(name: "${functionRef}") ` : '';
-    const gqlField = `${callSignature}: ${returnTypeName} ${fnString}${authString}`;
+    const handler = handlers && handlers[0];
+    const brand = handler && (0, util_1.getBrand)(handler);
+    let gqlHandlerContent = '';
+    if (functionRef) {
+        gqlHandlerContent = `@function(name: "${functionRef}") `;
+    }
+    else if (databaseType === 'sql' && handler && brand === 'inlineSql') {
+        gqlHandlerContent = `@sql(statement: ${escapeGraphQlString(String((0, Handler_1.getHandlerData)(handler)))}) `;
+    }
+    else if (databaseType === 'sql' && handler && brand === 'sqlReference') {
+        gqlHandlerContent = `@sql(reference: "${(0, Handler_1.getHandlerData)(handler)}") `;
+    }
+    const gqlField = `${callSignature}: ${returnTypeName} ${gqlHandlerContent}${authString}`;
     return { gqlField, models: implicitModels };
 }
+/**
+ * Escape a string that will be used inside of a graphql string.
+ * @param str The input string to be escaped
+ * @returns The string with special charactars escaped
+ */
+function escapeGraphQlString(str) {
+    return JSON.stringify(str);
+}
 /**
  * Tests whether two ModelField definitions are in conflict.
  *
@@ -243,6 +262,18 @@ function mergeFieldObjects(...fieldsObjects) {
     }
     return result;
 }
+/**
+ * Throws if resource/lambda auth is configured at the model or field level
+ *
+ * @param authorization A list of authorization rules.
+ */
+function validateAuth(authorization = []) {
+    for (const entry of authorization) {
+        if (ruleIsResourceAuth(entry)) {
+            throw new Error('Lambda resource authorization is only confiugrable at the schema level');
+        }
+    }
+}
 /**
  * Given a list of authorization rules, produces a set of the implied owner and/or
  * group fields, along with the associated graphql `@auth` string directive.
@@ -530,7 +561,9 @@ const idFields = (model) => {
 function processFieldLevelAuthRules(fields, authFields) {
     const fieldLevelAuthRules = {};
     for (const [fieldName, fieldDef] of Object.entries(fields)) {
-        const { authString, authFields: fieldAuthField } = calculateAuth(fieldDef?.data?.authorization || []);
+        const fieldAuth = fieldDef?.data?.authorization || [];
+        validateAuth(fieldAuth);
+        const { authString, authFields: fieldAuthField } = calculateAuth(fieldAuth);
         if (authString)
             fieldLevelAuthRules[fieldName] = authString;
         if (fieldAuthField) {
@@ -621,18 +654,55 @@ const transformedSecondaryIndexesForModel = (secondaryIndexes) => {
         return acc;
     }, {});
 };
+const ruleIsResourceAuth = (authRule) => {
+    const data = (0, Authorization_1.accessSchemaData)(authRule);
+    return data.strategy === 'resource';
+};
+/**
+ * Separates out lambda resource auth rules from remaining schema rules.
+ *
+ * @param authRules schema auth rules
+ */
+const extractFunctionSchemaAccess = (authRules) => {
+    const schemaAuth = [];
+    const functionSchemaAccess = [];
+    const defaultActions = [
+        'query',
+        'mutate',
+        'listen',
+    ];
+    for (const rule of authRules) {
+        if (ruleIsResourceAuth(rule)) {
+            const ruleData = (0, Authorization_1.accessSchemaData)(rule);
+            const fnAccess = {
+                resourceProvider: ruleData.resource,
+                actions: ruleData.operations || defaultActions,
+            };
+            functionSchemaAccess.push(fnAccess);
+        }
+        else {
+            schemaAuth.push(rule);
+        }
+    }
+    return { schemaAuth, functionSchemaAccess };
+};
 const schemaPreprocessor = (schema) => {
     const gqlModels = [];
     const customQueries = [];
     const customMutations = [];
     const customSubscriptions = [];
     const jsFunctions = [];
+    const databaseType = schema.data.configuration.database.engine === 'dynamodb'
+        ? 'dynamodb'
+        : 'sql';
     const fkFields = allImpliedFKs(schema);
     const topLevelTypes = Object.entries(schema.data.types);
+    const { schemaAuth, functionSchemaAccess } = extractFunctionSchemaAccess(schema.data.authorization);
     for (const [typeName, typeDef] of topLevelTypes) {
+        validateAuth(typeDef.data?.authorization);
         const mostRelevantAuthRules = typeDef.data?.authorization?.length > 0
             ? typeDef.data.authorization
-            : schema.data.authorization;
+            : schemaAuth;
         if (!isInternalModel(typeDef)) {
             if (isEnumType(typeDef)) {
                 if (typeDef.values.some((value) => /\s/.test(value))) {
@@ -655,7 +725,7 @@ const schemaPreprocessor = (schema) => {
             }
             else if (isCustomOperation(typeDef)) {
                 const { typeName: opType } = typeDef.data;
-                const { gqlField, models, jsFunctionForField } = transformCustomOperations(typeDef, typeName, mostRelevantAuthRules);
+                const { gqlField, models, jsFunctionForField } = transformCustomOperations(typeDef, typeName, mostRelevantAuthRules, databaseType);
                 topLevelTypes.push(...models);
                 if (jsFunctionForField) {
                     jsFunctions.push(jsFunctionForField);
@@ -706,7 +776,7 @@ const schemaPreprocessor = (schema) => {
     };
     gqlModels.push(...generateCustomOperationTypes(customOperations));
     const processedSchema = gqlModels.join('\n\n');
-    return { schema: processedSchema, jsFunctions };
+    return { schema: processedSchema, jsFunctions, functionSchemaAccess };
 };
 function validateCustomOperations(typeDef, typeName, authRules) {
     const { functionRef, handlers } = typeDef.data;
@@ -789,7 +859,7 @@ const handleCustom = (handlers, opType, typeName) => {
     };
     return jsFn;
 };
-function transformCustomOperations(typeDef, typeName, authRules) {
+function transformCustomOperations(typeDef, typeName, authRules, databaseType) {
     const { typeName: opType, handlers } = typeDef.data;
     let jsFunctionForField = undefined;
     validateCustomOperations(typeDef, typeName, authRules);
@@ -797,7 +867,7 @@ function transformCustomOperations(typeDef, typeName, authRules) {
         jsFunctionForField = handleCustom(handlers, opType, typeName);
     }
     const isCustom = Boolean(jsFunctionForField);
-    const { gqlField, models } = customOperationToGql(typeName, typeDef, authRules, isCustom);
+    const { gqlField, models } = customOperationToGql(typeName, typeDef, authRules, isCustom, databaseType);
     return { gqlField, models, jsFunctionForField };
 }
 function generateCustomOperationTypes({ queries, mutations, subscriptions, }) {
@@ -819,7 +889,7 @@ function generateCustomOperationTypes({ queries, mutations, subscriptions, }) {
  * @returns DerivedApiDefinition that conforms to IAmplifyGraphqlDefinition
  */
 function processSchema(arg) {
-    const { schema, jsFunctions } = schemaPreprocessor(arg.schema);
-    return { schema, functionSlots: [], jsFunctions };
+    const { schema, jsFunctions, functionSchemaAccess } = schemaPreprocessor(arg.schema);
+    return { schema, functionSlots: [], jsFunctions, functionSchemaAccess };
 }
 exports.processSchema = processSchema;