@aws-amplify/graphql-model-transformer 0.7.1-graphql-vnext-dev-preview.10 → 0.7.1-graphql-vnext-dev-preview.11

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@aws-amplify/graphql-model-transformer",
-    "version": "0.7.1-graphql-vnext-dev-preview.10",
+    "version": "0.7.1-graphql-vnext-dev-preview.11",
     "description": "Amplify graphql @model transformer",
     "repository": {
         "type": "git",
@@ -28,8 +28,8 @@
         "test-watch": "jest --watch"
     },
     "dependencies": {
-        "@aws-amplify/graphql-transformer-core": "0.11.0-graphql-vnext-dev-preview.10",
-        "@aws-amplify/graphql-transformer-interfaces": "1.10.2-graphql-vnext-dev-preview.10",
+        "@aws-amplify/graphql-transformer-core": "0.11.0-graphql-vnext-dev-preview.11",
+        "@aws-amplify/graphql-transformer-interfaces": "1.10.2-graphql-vnext-dev-preview.11",
         "@aws-cdk/assets": "~1.124.0",
         "@aws-cdk/aws-applicationautoscaling": "~1.124.0",
         "@aws-cdk/aws-appsync": "~1.124.0",
@@ -58,7 +58,7 @@
         "constructs": "^3.3.125",
         "graphql": "^14.5.8",
         "graphql-mapping-template": "4.18.4",
-        "graphql-transformer-common": "4.20.0",
+        "graphql-transformer-common": "4.20.1-graphql-vnext-dev-preview.11",
         "lodash": "^4.17.21",
         "md5": "^2.3.0"
     },
@@ -83,5 +83,5 @@
         ],
         "collectCoverage": true
     },
-    "gitHead": "5b1112889d1f79c787c564dc73dc08f4b992d451"
+    "gitHead": "16e9cc68157644de729457cec7dd51a8ce353228"
 }

package/src/__tests__/model-transformer.test.ts

@@ -1215,4 +1215,59 @@ describe('ModelTransformer: ', () => {
     expect(todoStack).toBeDefined();
     expect(todoStack.Parameters).toMatchObject(modelParams);
   });
+
+  it('global auth enabled should add apiKey if not default mode of auth', () => {
+    const validSchema = `
+    type Post @model {
+      id: ID!
+      title: String!
+      tags: [Tag]
+    }
+
+    type Tag {
+      id: ID
+      tags: [Tag]
+    }`;
+    const transformer = new GraphQLTransform({
+      authConfig: {
+        defaultAuthentication: {
+          authenticationType: 'AMAZON_COGNITO_USER_POOLS',
+        },
+        additionalAuthenticationProviders: [
+          {
+            authenticationType: 'API_KEY',
+          },
+        ],
+      },
+      sandboxModeEnabled: true,
+      transformers: [new ModelTransformer()],
+    });
+    const out = transformer.transform(validSchema);
+    expect(out).toBeDefined();
+
+    const schema = parse(out.schema);
+    validateModelSchema(schema);
+
+    const postType = getObjectType(schema, 'Post')!;
+    expect(postType).toBeDefined();
+    expect(postType.directives).toBeDefined();
+    expect(postType.directives!.some(dir => dir.name.value === 'aws_api_key')).toEqual(true);
+
+    const tagType = getObjectType(schema, 'Tag')!;
+    expect(tagType).toBeDefined();
+    expect(tagType.directives).toBeDefined();
+    expect(tagType.directives!.some(dir => dir.name.value === 'aws_api_key')).toEqual(true);
+
+    // check operations
+    const queryType = getObjectType(schema, 'Query')!;
+    expect(queryType).toBeDefined();
+    const mutationType = getObjectType(schema, 'Mutation')!;
+    expect(mutationType).toBeDefined();
+    const subscriptionType = getObjectType(schema, 'Subscription')!;
+    expect(subscriptionType).toBeDefined();
+
+    for (const field of [...queryType.fields!, ...mutationType.fields!, ...subscriptionType.fields!]) {
+      expect(field.directives!.some(dir => dir.name.value === 'aws_api_key')).toEqual(true);
+    }
+  });
 });

package/src/definitions.ts

@@ -14,3 +14,5 @@ export const BOOLEAN_FUNCTIONS = new Set<string>(['attributeExists', 'attributeT
 export const ATTRIBUTE_TYPES = ['binary', 'binarySet', 'bool', 'list', 'map', 'number', 'numberSet', 'string', 'stringSet', '_null'];
 
 export const OPERATION_KEY = '__operation';
+
+export const API_KEY_DIRECTIVE = 'aws_api_key';

package/src/graphql-model-transformer.ts

@@ -53,8 +53,10 @@ import {
   toPascalCase,
 } from 'graphql-transformer-common';
 import {
+  addDirectivesToOperation,
   addModelConditionInputs,
   createEnumModelFilters,
+  extendTypeWithDirectives,
   makeCreateInputField,
   makeDeleteInputField,
   makeListQueryFilterInput,
@@ -62,6 +64,7 @@ import {
   makeModelSortDirectionEnumObject,
   makeMutationConditionInput,
   makeUpdateInputField,
+  propagateApiKeyToNestedTypes,
 } from './graphql-types';
 import {
   generateAuthExpressionForSandboxMode,
@@ -84,6 +87,7 @@ import {
 import { FieldWrapper, InputObjectDefinitionWrapper, ObjectDefinitionWrapper } from './wrappers/object-definition-wrapper';
 import { CfnRole } from '@aws-cdk/aws-iam';
 import md5 from 'md5';
+import { API_KEY_DIRECTIVE } from './definitions';
 
 export type Nullable<T> = T | null;
 export type OptionalAndNullable<T> = Partial<T>;
@@ -260,6 +264,7 @@ export class ModelTransformer extends TransformerModelBase implements Transforme
     this.ensureModelSortDirectionEnum(ctx);
     for (const type of this.typesWithModelDirective) {
       const def = ctx.output.getObject(type)!;
+      const hasAuth = def.directives!.some(dir => dir.name.value === 'auth');
 
       // add Non Model type inputs
       this.createNonModelInputs(ctx, def);
@@ -279,6 +284,24 @@ export class ModelTransformer extends TransformerModelBase implements Transforme
       if (ctx.isProjectUsingDataStore()) {
         this.addModelSyncFields(ctx, type);
       }
+      // global auth check
+      if (!hasAuth && ctx.sandboxModeEnabled && ctx.authConfig.defaultAuthentication.authenticationType !== 'API_KEY') {
+        const apiKeyDirArray = [makeDirective(API_KEY_DIRECTIVE, [])];
+        extendTypeWithDirectives(ctx, def.name.value, apiKeyDirArray);
+        propagateApiKeyToNestedTypes(ctx as TransformerContextProvider, def, new Set<string>());
+        for (let operationField of queryFields) {
+          const operationName = operationField.name.value;
+          addDirectivesToOperation(ctx, ctx.output.getQueryTypeName()!, operationName, apiKeyDirArray);
+        }
+        for (let operationField of mutationFields) {
+          const operationName = operationField.name.value;
+          addDirectivesToOperation(ctx, ctx.output.getMutationTypeName()!, operationName, apiKeyDirArray);
+        }
+        for (let operationField of subscriptionsFields) {
+          const operationName = operationField.name.value;
+          addDirectivesToOperation(ctx, ctx.output.getSubscriptionTypeName()!, operationName, apiKeyDirArray);
+        }
+      }
     }
   };
 
@@ -307,10 +330,12 @@ export class ModelTransformer extends TransformerModelBase implements Transforme
           default:
             throw new Error('Unknown query field type');
         }
+        // TODO: add mechanism to add an auth like rule to all non auth @models
+        // this way we can just depend on auth to add the check
         resolver.addToSlot(
           'postAuth',
           MappingTemplate.s3MappingTemplateFromString(
-            generateAuthExpressionForSandboxMode(context),
+            generateAuthExpressionForSandboxMode(context.sandboxModeEnabled),
             `${query.typeName}.${query.fieldName}.{slotName}.{slotIndex}.req.vtl`,
           ),
         );
@@ -337,7 +362,7 @@ export class ModelTransformer extends TransformerModelBase implements Transforme
         resolver.addToSlot(
           'postAuth',
           MappingTemplate.s3MappingTemplateFromString(
-            generateAuthExpressionForSandboxMode(context),
+            generateAuthExpressionForSandboxMode(context.sandboxModeEnabled),
             `${mutation.typeName}.${mutation.fieldName}.{slotName}.{slotIndex}.req.vtl`,
           ),
         );
@@ -385,7 +410,7 @@ export class ModelTransformer extends TransformerModelBase implements Transforme
           resolver.addToSlot(
             'postAuth',
             MappingTemplate.s3MappingTemplateFromString(
-              generateAuthExpressionForSandboxMode(context),
+              generateAuthExpressionForSandboxMode(context.sandboxModeEnabled),
               `${subscription.typeName}.${subscription.fieldName}.{slotName}.{slotIndex}.req.vtl`,
             ),
           );

package/src/graphql-types/common.ts

@@ -1,14 +1,20 @@
-import { TransformerTransformSchemaStepContextProvider } from '@aws-amplify/graphql-transformer-interfaces';
+import { TransformerContextProvider, TransformerTransformSchemaStepContextProvider } from '@aws-amplify/graphql-transformer-interfaces';
 import {
+  DirectiveNode,
   EnumTypeDefinitionNode,
   FieldDefinitionNode,
   InputObjectTypeDefinitionNode,
   Kind,
+  NamedTypeNode,
   ObjectTypeDefinitionNode,
   TypeDefinitionNode,
 } from 'graphql';
 import {
+  blankObjectExtension,
   DEFAULT_SCALARS,
+  extendFieldWithDirectives,
+  extensionWithDirectives,
+  getBaseType,
   makeArgument,
   makeDirective,
   makeField,
@@ -29,6 +35,7 @@ import {
   SIZE_CONDITIONS,
   STRING_CONDITIONS,
   STRING_FUNCTIONS,
+  API_KEY_DIRECTIVE,
 } from '../definitions';
 import {
   EnumWrapper,
@@ -245,7 +252,96 @@ export function makeEnumFilterInput(fieldWrapper: FieldWrapper): InputObjectType
   return input.serialize();
 }
 
+export const addDirectivesToField = (
+  ctx: TransformerTransformSchemaStepContextProvider,
+  typeName: string,
+  fieldName: string,
+  directives: Array<DirectiveNode>,
+) => {
+  const type = ctx.output.getType(typeName) as ObjectTypeDefinitionNode;
+  if (type) {
+    const field = type.fields?.find(f => f.name.value === fieldName);
+    if (field) {
+      const newFields = [...type.fields!.filter(f => f.name.value !== field.name.value), extendFieldWithDirectives(field, directives)];
+
+      const newType = {
+        ...type,
+        fields: newFields,
+      };
+
+      ctx.output.putType(newType);
+    }
+  }
+};
+
+export const addDirectivesToOperation = (
+  ctx: TransformerTransformSchemaStepContextProvider,
+  typeName: string,
+  operationName: string,
+  directives: Array<DirectiveNode>,
+) => {
+  // add directives to the given operation
+  addDirectivesToField(ctx, typeName, operationName, directives);
+
+  // add the directives to the result type of the operation
+  const type = ctx.output.getType(typeName) as ObjectTypeDefinitionNode;
+  if (type) {
+    const field = type.fields!.find(f => f.name.value === operationName);
+
+    if (field) {
+      const returnFieldType = field.type as NamedTypeNode;
+
+      if (returnFieldType.name) {
+        const returnTypeName = returnFieldType.name.value;
+
+        extendTypeWithDirectives(ctx, returnTypeName, directives);
+      }
+    }
+  }
+};
+
+export const extendTypeWithDirectives = (
+  ctx: TransformerTransformSchemaStepContextProvider,
+  typeName: string,
+  directives: Array<DirectiveNode>,
+): void => {
+  let objectTypeExtension = blankObjectExtension(typeName);
+  objectTypeExtension = extensionWithDirectives(objectTypeExtension, directives);
+  ctx.output.addObjectExtension(objectTypeExtension);
+};
+
 export function makeModelSortDirectionEnumObject(): EnumTypeDefinitionNode {
   const name = 'ModelSortDirection';
   return EnumWrapper.create(name, ['ASC', 'DESC']).serialize();
 }
+// the smaller version of it's @auth equivalent since we only support
+// apikey as the only global auth rule
+export const propagateApiKeyToNestedTypes = (
+  ctx: TransformerContextProvider,
+  def: ObjectTypeDefinitionNode,
+  seenNonModelTypes: Set<string>,
+) => {
+  const nonModelTypePredicate = (fieldType: TypeDefinitionNode): TypeDefinitionNode | undefined => {
+    if (fieldType) {
+      if (fieldType.kind !== 'ObjectTypeDefinition') {
+        return undefined;
+      }
+      const typeModel = fieldType.directives!.find(dir => dir.name.value === 'model');
+      return typeModel !== undefined ? undefined : fieldType;
+    }
+    return fieldType;
+  };
+  const nonModelFieldTypes = def
+    .fields!.map(f => ctx.output.getType(getBaseType(f.type)) as TypeDefinitionNode)
+    .filter(nonModelTypePredicate);
+  for (const nonModelFieldType of nonModelFieldTypes) {
+    const nonModelName = nonModelFieldType.name.value;
+    const hasSeenType = seenNonModelTypes.has(nonModelName);
+    const hasApiKey = nonModelFieldType.directives?.some(dir => dir.name.value === API_KEY_DIRECTIVE) ?? false;
+    if (!hasSeenType && !hasApiKey) {
+      seenNonModelTypes.add(nonModelName);
+      extendTypeWithDirectives(ctx, nonModelName, [makeDirective(API_KEY_DIRECTIVE, [])]);
+      propagateApiKeyToNestedTypes(ctx, nonModelFieldType as ObjectTypeDefinitionNode, seenNonModelTypes);
+    }
+  }
+};

package/src/resolvers/common.ts

@@ -96,10 +96,8 @@ export const generateResolverKey = (typeName: string, fieldName: string): string
 
 /**
  * Util function to generate sandbox mode expression
- * @param ctx context to get sandbox mode
  */
-export const generateAuthExpressionForSandboxMode = (ctx: any): string => {
-  const enabled = ctx.resourceHelper.api.sandboxModeEnabled;
+export const generateAuthExpressionForSandboxMode = (enabled: boolean): string => {
   let exp;
 
   if (enabled) exp = iff(notEquals(methodCall(ref('util.authType')), str(API_KEY)), methodCall(ref('util.unauthorized')));