@aws-amplify/data-schema 1.1.1 → 1.1.2

package/dist/esm/SchemaProcessor.mjs

@@ -157,29 +157,48 @@ function transformFunctionHandler(handlers, functionFieldName) {
 function customOperationToGql(typeName, typeDef, authorization, isCustom = false, databaseType, getRefType) {
     const { arguments: fieldArgs, typeName: opType, returnType, handlers, subscriptionSource, } = typeDef.data;
     let callSignature = typeName;
-    const implicitModels = [];
+    const implicitTypes = [];
+    // When Custom Operations are defined with a Custom Type return type,
+    // the Custom Type inherits the operation's auth rules
+    let customTypeAuthRules = undefined;
     const { authString } = isCustom
-        ? calculateCustomAuth(authorization)
+        ? mapToNativeAppSyncAuthDirectives(authorization, true)
         : calculateAuth(authorization);
     /**
      *
      * @param returnType The return type from the `data` field of a customer operation.
      * @param refererTypeName The type the refers {@link returnType} by `a.ref()`.
-     * @param shouldAddCustomTypeToImplicitModels A flag indicates wether it should push
-     * the return type resolved CustomType to the `implicitModels` list.
+     * @param shouldAddCustomTypeToImplicitTypes A flag indicates wether it should push
+     * the return type resolved CustomType to the `implicitTypes` list.
      * @returns
      */
-    const resolveReturnTypeNameFromReturnType = (returnType, { refererTypeName, shouldAddCustomTypeToImplicitModels = true, }) => {
+    const resolveReturnTypeNameFromReturnType = (returnType, { refererTypeName, shouldAddCustomTypeToImplicitTypes = true, }) => {
         if (isRefField(returnType)) {
+            const { type } = getRefType(returnType.data.link, typeName);
+            if (type === 'CustomType') {
+                customTypeAuthRules = {
+                    typeName: returnType.data.link,
+                    authRules: authorization,
+                };
+            }
             return refFieldToGql(returnType?.data);
         }
         else if (isCustomType(returnType)) {
             const returnTypeName = `${capitalize(refererTypeName)}ReturnType`;
-            if (shouldAddCustomTypeToImplicitModels) {
-                implicitModels.push([returnTypeName, returnType]);
+            if (shouldAddCustomTypeToImplicitTypes) {
+                customTypeAuthRules = {
+                    typeName: returnTypeName,
+                    authRules: authorization,
+                };
+                implicitTypes.push([returnTypeName, returnType]);
             }
             return returnTypeName;
         }
+        else if (isEnumType(returnType)) {
+            const returnTypeName = `${capitalize(refererTypeName)}ReturnType`;
+            implicitTypes.push([returnTypeName, returnType]);
+            return returnTypeName;
+        }
         else if (isScalarField(returnType)) {
             return scalarFieldToGql(returnType?.data);
         }
@@ -195,7 +214,7 @@ function customOperationToGql(typeName, typeDef, authorization, isCustom = false
         if (type === 'CustomOperation') {
             returnTypeName = resolveReturnTypeNameFromReturnType(def.data.returnType, {
                 refererTypeName: subscriptionSource[0].data.link,
-                shouldAddCustomTypeToImplicitModels: false,
+                shouldAddCustomTypeToImplicitTypes: false,
             });
         }
         else {
@@ -208,9 +227,9 @@ function customOperationToGql(typeName, typeDef, authorization, isCustom = false
         });
     }
     if (Object.keys(fieldArgs).length > 0) {
-        const { gqlFields, models } = processFields(typeName, fieldArgs, {}, {});
+        const { gqlFields, implicitTypes } = processFields(typeName, fieldArgs, {}, {});
         callSignature += `(${gqlFields.join(', ')})`;
-        implicitModels.push(...models);
+        implicitTypes.push(...implicitTypes);
     }
     const handler = handlers && handlers[0];
     const brand = handler && getBrand(handler);
@@ -258,7 +277,8 @@ function customOperationToGql(typeName, typeDef, authorization, isCustom = false
     const gqlField = `${callSignature}: ${returnTypeName} ${gqlHandlerContent}${authString}`;
     return {
         gqlField,
-        models: implicitModels,
+        implicitTypes: implicitTypes,
+        customTypeAuthRules,
         lambdaFunctionDefinition,
         customSqlDataSourceStrategy,
     };
@@ -439,23 +459,29 @@ function calculateAuth(authorization) {
     const authString = rules.length > 0 ? `@auth(rules: [${rules.join(',\n  ')}])` : '';
     return { authString, authFields };
 }
-function validateCustomAuthRule(rule) {
+function validateCustomHandlerAuthRule(rule) {
     if (rule.groups && rule.provider === 'oidc') {
         throw new Error('OIDC group auth is not supported with a.handler.custom');
     }
+    // not currently supported with handler.custom (JS Resolvers), but will be in the future
+    if (rule.provider === 'identityPool' || rule.provider === 'iam') {
+        throw new Error("identityPool-based auth (allow.guest() and allow.authenticated('identityPool')) is not supported with a.handler.custom");
+    }
 }
-function getCustomAuthProvider(rule) {
+function getAppSyncAuthDirectiveFromRule(rule) {
     const strategyDict = {
         public: {
             default: '@aws_api_key',
             apiKey: '@aws_api_key',
             iam: '@aws_iam',
+            identityPool: '@aws_iam',
         },
         private: {
             default: '@aws_cognito_user_pools',
             userPools: '@aws_cognito_user_pools',
             oidc: '@aws_oidc',
             iam: '@aws_iam',
+            identityPool: '@aws_iam',
         },
         groups: {
             default: '@aws_cognito_user_pools',
@@ -477,23 +503,23 @@ function getCustomAuthProvider(rule) {
     }
     return stratProvider;
 }
-function calculateCustomAuth(authorization) {
-    const rules = [];
+function mapToNativeAppSyncAuthDirectives(authorization, isCustomHandler) {
+    const rules = new Set();
     for (const entry of authorization) {
         const rule = accessData(entry);
-        validateCustomAuthRule(rule);
-        const provider = getCustomAuthProvider(rule);
+        isCustomHandler && validateCustomHandlerAuthRule(rule);
+        const provider = getAppSyncAuthDirectiveFromRule(rule);
         if (rule.groups) {
             // example: (cognito_groups: ["Bloggers", "Readers"])
-            rules.push(`${provider}(cognito_groups: [${rule.groups
+            rules.add(`${provider}(cognito_groups: [${rule.groups
                 .map((group) => `"${group}"`)
                 .join(', ')}])`);
         }
         else {
-            rules.push(provider);
+            rules.add(provider);
         }
     }
-    const authString = rules.join(' ');
+    const authString = [...rules].join(' ');
     return { authString };
 }
 function capitalize(s) {
@@ -514,7 +540,9 @@ function processFieldLevelAuthRules(fields, authFields) {
 }
 function processFields(typeName, fields, impliedFields, fieldLevelAuthRules, identifier, partitionKey, secondaryIndexes = {}) {
     const gqlFields = [];
-    const models = [];
+    // stores nested, field-level type definitions (custom types and enums)
+    // the need to be hoisted to top-level schema types and processed accordingly
+    const implicitTypes = [];
     validateImpliedFields(fields, impliedFields);
     for (const [fieldName, fieldDef] of Object.entries(fields)) {
         const fieldAuth = fieldLevelAuthRules[fieldName]
@@ -534,14 +562,14 @@ function processFields(typeName, fields, impliedFields, fieldLevelAuthRules, ide
                 // The inline enum type name should be `<TypeName><FieldName>` to avoid
                 // enum type name conflicts
                 const enumName = `${capitalize(typeName)}${capitalize(fieldName)}`;
-                models.push([enumName, fieldDef]);
+                implicitTypes.push([enumName, fieldDef]);
                 gqlFields.push(`${fieldName}: ${enumFieldToGql(enumName, secondaryIndexes[fieldName])}`);
             }
             else if (isCustomType(fieldDef)) {
                 // The inline CustomType name should be `<TypeName><FieldName>` to avoid
                 // CustomType name conflicts
                 const customTypeName = `${capitalize(typeName)}${capitalize(fieldName)}`;
-                models.push([customTypeName, fieldDef]);
+                implicitTypes.push([customTypeName, fieldDef]);
                 gqlFields.push(`${fieldName}: ${customTypeName}`);
             }
             else {
@@ -552,7 +580,7 @@ function processFields(typeName, fields, impliedFields, fieldLevelAuthRules, ide
             throw new Error(`Unexpected field definition: ${fieldDef}`);
         }
     }
-    return { gqlFields, models };
+    return { gqlFields, implicitTypes };
 }
 /**
  *
@@ -661,11 +689,47 @@ const getRefTypeForSchema = (schema) => {
     };
     return getRefType;
 };
+/**
+ * Sorts top-level schema types to where Custom Types are processed last
+ * This allows us to accrue and then apply inherited auth rules for custom types from custom operations
+ * that reference them in their return values
+ */
+const sortTopLevelTypes = (topLevelTypes) => {
+    return topLevelTypes.sort(([_typeNameA, typeDefA], [_typeNameB, typeDefB]) => {
+        if ((isCustomType(typeDefA) && isCustomType(typeDefB)) ||
+            (!isCustomType(typeDefA) && !isCustomType(typeDefB))) {
+            return 0;
+        }
+        else if (isCustomType(typeDefA) && !isCustomType(typeDefB)) {
+            return 1;
+        }
+        else {
+            return -1;
+        }
+    });
+};
+/**
+ * Builds up dictionary of Custom Type name - array of inherited auth rules
+ */
+const mergeCustomTypeAuthRules = (existing, added) => {
+    if (!added)
+        return;
+    const { typeName, authRules } = added;
+    if (typeName in existing) {
+        existing[typeName] = [...existing[typeName], ...authRules];
+    }
+    else {
+        existing[typeName] = authRules;
+    }
+};
 const schemaPreprocessor = (schema) => {
     const gqlModels = [];
     const customQueries = [];
     const customMutations = [];
     const customSubscriptions = [];
+    // Dict of auth rules to be applied to custom types
+    // Inherited from the auth configured on the custom operations that return these custom types
+    const customTypeInheritedAuthRules = {};
     const jsFunctions = [];
     const lambdaFunctions = {};
     const customSqlDataSourceStrategies = [];
@@ -673,7 +737,7 @@ const schemaPreprocessor = (schema) => {
         ? 'dynamodb'
         : 'sql';
     const staticSchema = schema.data.configuration.database.engine === 'dynamodb' ? false : true;
-    const topLevelTypes = Object.entries(schema.data.types);
+    const topLevelTypes = sortTopLevelTypes(Object.entries(schema.data.types));
     const { schemaAuth, functionSchemaAccess } = extractFunctionSchemaAccess(schema.data.authorization);
     const getRefType = getRefTypeForSchema(schema);
     for (const [typeName, typeDef] of topLevelTypes) {
@@ -692,20 +756,25 @@ const schemaPreprocessor = (schema) => {
                 const fields = typeDef.data.fields;
                 validateRefUseCases(typeName, 'customType', fields, getRefType);
                 const fieldAuthApplicableFields = Object.fromEntries(Object.entries(fields).filter((pair) => isModelField(pair[1])));
-                const authString = '';
+                let customAuth = '';
+                if (typeName in customTypeInheritedAuthRules) {
+                    const { authString } = mapToNativeAppSyncAuthDirectives(customTypeInheritedAuthRules[typeName], false);
+                    customAuth = authString;
+                }
                 const authFields = {};
                 const fieldLevelAuthRules = processFieldLevelAuthRules(fieldAuthApplicableFields, authFields);
-                const { gqlFields, models } = processFields(typeName, fields, authFields, fieldLevelAuthRules);
-                topLevelTypes.push(...models);
+                const { gqlFields, implicitTypes } = processFields(typeName, fields, authFields, fieldLevelAuthRules);
+                topLevelTypes.push(...implicitTypes);
                 const joined = gqlFields.join('\n  ');
-                const model = `type ${typeName} ${authString}\n{\n  ${joined}\n}`;
+                const model = `type ${typeName} ${customAuth}\n{\n  ${joined}\n}`;
                 gqlModels.push(model);
             }
             else if (isCustomOperation(typeDef)) {
                 const { typeName: opType } = typeDef.data;
-                const { gqlField, models, jsFunctionForField, lambdaFunctionDefinition, customSqlDataSourceStrategy, } = transformCustomOperations(typeDef, typeName, mostRelevantAuthRules, databaseType, getRefType);
+                const { gqlField, implicitTypes, customTypeAuthRules, jsFunctionForField, lambdaFunctionDefinition, customSqlDataSourceStrategy, } = transformCustomOperations(typeDef, typeName, mostRelevantAuthRules, databaseType, getRefType);
+                mergeCustomTypeAuthRules(customTypeInheritedAuthRules, customTypeAuthRules);
                 Object.assign(lambdaFunctions, lambdaFunctionDefinition);
-                topLevelTypes.push(...models);
+                topLevelTypes.push(...implicitTypes);
                 if (jsFunctionForField) {
                     jsFunctions.push(jsFunctionForField);
                 }
@@ -736,8 +805,8 @@ const schemaPreprocessor = (schema) => {
             }
             const fieldLevelAuthRules = processFieldLevelAuthRules(fields, authFields);
             validateStaticFields(fields, authFields);
-            const { gqlFields, models } = processFields(typeName, fields, authFields, fieldLevelAuthRules, identifier, partitionKey);
-            topLevelTypes.push(...models);
+            const { gqlFields, implicitTypes } = processFields(typeName, fields, authFields, fieldLevelAuthRules, identifier, partitionKey);
+            topLevelTypes.push(...implicitTypes);
             const joined = gqlFields.join('\n  ');
             // TODO: update @model(timestamps: null) once a longer term solution gets
             // determined.
@@ -759,8 +828,8 @@ const schemaPreprocessor = (schema) => {
                 throw new Error(`Model \`${typeName}\` is missing authorization rules. Add global rules to the schema or ensure every model has its own rules.`);
             }
             const fieldLevelAuthRules = processFieldLevelAuthRules(fields, authFields);
-            const { gqlFields, models } = processFields(typeName, fields, authFields, fieldLevelAuthRules, identifier, partitionKey, transformedSecondaryIndexes);
-            topLevelTypes.push(...models);
+            const { gqlFields, implicitTypes } = processFields(typeName, fields, authFields, fieldLevelAuthRules, identifier, partitionKey, transformedSecondaryIndexes);
+            topLevelTypes.push(...implicitTypes);
             const joined = gqlFields.join('\n  ');
             const model = `type ${typeName} @model ${authString}\n{\n  ${joined}\n}`;
             gqlModels.push(model);
@@ -919,10 +988,11 @@ function transformCustomOperations(typeDef, typeName, authRules, databaseType, g
         jsFunctionForField = handleCustom(handlers, opType, typeName);
     }
     const isCustom = Boolean(jsFunctionForField);
-    const { gqlField, models, lambdaFunctionDefinition, customSqlDataSourceStrategy, } = customOperationToGql(typeName, typeDef, authRules, isCustom, databaseType, getRefType);
+    const { gqlField, implicitTypes, customTypeAuthRules, lambdaFunctionDefinition, customSqlDataSourceStrategy, } = customOperationToGql(typeName, typeDef, authRules, isCustom, databaseType, getRefType);
     return {
         gqlField,
-        models,
+        implicitTypes,
+        customTypeAuthRules,
         jsFunctionForField,
         lambdaFunctionDefinition,
         customSqlDataSourceStrategy,