@cxbuilder/flow-config 1.0.1 → 1.1.0

package/.jsii

@@ -20,7 +20,6 @@
     "yaml": "^2.8.0"
   },
   "dependencies": {
-    "@aws-solutions-constructs/aws-openapigateway-lambda": "^2.85.2",
     "aws-cdk-lib": "2.194.0",
     "constructs": "^10.0.0"
   },
@@ -107,78 +106,6 @@
         }
       }
     },
-    "@aws-solutions-constructs/aws-openapigateway-lambda": {
-      "targets": {
-        "dotnet": {
-          "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png",
-          "namespace": "Amazon.SolutionsConstructs.AWS.OpenApiGatewayLambda",
-          "packageId": "Amazon.SolutionsConstructs.AWS.OpenApiGatewayLambda",
-          "signAssembly": true
-        },
-        "java": {
-          "maven": {
-            "artifactId": "openapigatewaylambda",
-            "groupId": "software.amazon.awsconstructs"
-          },
-          "package": "software.amazon.awsconstructs.services.openapigatewaylambda"
-        },
-        "js": {
-          "npm": "@aws-solutions-constructs/aws-openapigateway-lambda"
-        },
-        "python": {
-          "distName": "aws-solutions-constructs.aws-openapigateway-lambda",
-          "module": "aws_solutions_constructs.aws_openapigateway_lambda"
-        }
-      }
-    },
-    "@aws-solutions-constructs/core": {
-      "targets": {
-        "dotnet": {
-          "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png",
-          "namespace": "Amazon.SolutionsConstructs.AWS.Core",
-          "packageId": "Amazon.SolutionsConstructs.AWS.Core",
-          "signAssembly": true
-        },
-        "java": {
-          "maven": {
-            "artifactId": "core",
-            "groupId": "software.amazon.awsconstructs"
-          },
-          "package": "software.amazon.awsconstructs.services.core"
-        },
-        "js": {
-          "npm": "@aws-solutions-constructs/core"
-        },
-        "python": {
-          "distName": "aws-solutions-constructs.core",
-          "module": "aws_solutions_constructs.core"
-        }
-      }
-    },
-    "@aws-solutions-constructs/resources": {
-      "targets": {
-        "dotnet": {
-          "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png",
-          "namespace": "Amazon.SolutionsConstructs.AWS.Resources",
-          "packageId": "Amazon.SolutionsConstructs.AWS.Resources",
-          "signAssembly": true
-        },
-        "java": {
-          "maven": {
-            "artifactId": "resources",
-            "groupId": "software.amazon.awsconstructs"
-          },
-          "package": "software.amazon.awsconstructs.services.resources"
-        },
-        "js": {
-          "npm": "@aws-solutions-constructs/resources"
-        },
-        "python": {
-          "distName": "aws-solutions-constructs.resources",
-          "module": "aws_solutions_constructs.resources"
-        }
-      }
-    },
     "aws-cdk-lib": {
       "submodules": {
         "aws-cdk-lib.alexa_ask": {
@@ -4089,7 +4016,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "infrastructure/FlowConfigStack.ts",
-        "line": 23
+        "line": 24
       },
       "name": "CognitoConfig",
       "properties": [
@@ -4102,7 +4029,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 29
+            "line": 30
           },
           "name": "domain",
           "type": {
@@ -4117,7 +4044,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 24
+            "line": 25
           },
           "name": "userPoolId",
           "type": {
@@ -4134,7 +4061,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 34
+            "line": 35
           },
           "name": "ssoProviderName",
           "optional": true,
@@ -4158,7 +4085,7 @@
         },
         "locationInModule": {
           "filename": "infrastructure/FlowConfigStack.ts",
-          "line": 142
+          "line": 143
         },
         "parameters": [
           {
@@ -4184,7 +4111,7 @@
       "kind": "class",
       "locationInModule": {
         "filename": "infrastructure/FlowConfigStack.ts",
-        "line": 117
+        "line": 118
       },
       "methods": [
         {
@@ -4194,7 +4121,7 @@
           },
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 233
+            "line": 267
           },
           "name": "associate3pApp"
         },
@@ -4204,7 +4131,7 @@
           },
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 205
+            "line": 207
           },
           "name": "createUserPoolClient",
           "returns": {
@@ -4212,6 +4139,17 @@
               "fqn": "aws-cdk-lib.aws_cognito.UserPoolClient"
             }
           }
+        },
+        {
+          "docs": {
+            "stability": "stable",
+            "summary": "Create Cognito User Groups for role-based access control."
+          },
+          "locationInModule": {
+            "filename": "infrastructure/FlowConfigStack.ts",
+            "line": 235
+          },
+          "name": "createUserPoolGroups"
         }
       ],
       "name": "FlowConfigStack",
@@ -4223,7 +4161,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 137
+            "line": 138
           },
           "name": "appUrl",
           "type": {
@@ -4236,7 +4174,7 @@
           },
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 121
+            "line": 122
           },
           "name": "alertTopic",
           "type": {
@@ -4249,7 +4187,7 @@
           },
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 145
+            "line": 146
           },
           "name": "props",
           "type": {
@@ -4262,7 +4200,7 @@
           },
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 122
+            "line": 123
           },
           "name": "table",
           "type": {
@@ -4275,7 +4213,7 @@
           },
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 118
+            "line": 119
           },
           "name": "userPool",
           "type": {
@@ -4288,7 +4226,7 @@
           },
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 120
+            "line": 121
           },
           "name": "userPoolClient",
           "type": {
@@ -4311,7 +4249,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "infrastructure/FlowConfigStack.ts",
-        "line": 88
+        "line": 89
       },
       "name": "FlowConfigStackProps",
       "properties": [
@@ -4324,7 +4262,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 99
+            "line": 100
           },
           "name": "alertEmails",
           "type": {
@@ -4344,7 +4282,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 93
+            "line": 94
           },
           "name": "cognito",
           "type": {
@@ -4359,7 +4297,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 94
+            "line": 95
           },
           "name": "connectInstanceArn",
           "type": {
@@ -4375,7 +4313,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 92
+            "line": 93
           },
           "name": "prefix",
           "type": {
@@ -4392,7 +4330,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 114
+            "line": 115
           },
           "name": "globalTable",
           "optional": true,
@@ -4408,7 +4346,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 100
+            "line": 101
           },
           "name": "prod",
           "optional": true,
@@ -4426,7 +4364,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 107
+            "line": 108
           },
           "name": "vpc",
           "optional": true,
@@ -4448,7 +4386,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "infrastructure/FlowConfigStack.ts",
-        "line": 65
+        "line": 66
       },
       "name": "GlobalTableConfig",
       "properties": [
@@ -4461,7 +4399,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 69
+            "line": 70
           },
           "name": "isPrimaryRegion",
           "type": {
@@ -4477,7 +4415,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 75
+            "line": 76
           },
           "name": "replicaRegions",
           "optional": true,
@@ -4504,7 +4442,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "infrastructure/FlowConfigStack.ts",
-        "line": 40
+        "line": 41
       },
       "name": "VpcConfig",
       "properties": [
@@ -4517,7 +4455,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 49
+            "line": 50
           },
           "name": "lambdaSecurityGroupIds",
           "type": {
@@ -4538,7 +4476,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 54
+            "line": 55
           },
           "name": "privateSubnetIds",
           "type": {
@@ -4559,7 +4497,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 59
+            "line": 60
           },
           "name": "vpcEndpointSecurityGroupIds",
           "type": {
@@ -4580,7 +4518,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "infrastructure/FlowConfigStack.ts",
-            "line": 44
+            "line": 45
           },
           "name": "vpcId",
           "type": {
@@ -4591,6 +4529,6 @@
       "symbolId": "infrastructure/FlowConfigStack:VpcConfig"
     }
   },
-  "version": "1.0.1",
-  "fingerprint": "V7ICP5NiiXfM53BnBQnXOFRX/nYJTyaFcStmhn/v5jo="
+  "version": "1.1.0",
+  "fingerprint": "HFZB1viUfyeGHk8/FgKUYwz6TaxogYZ+PsdAxRdPVdA="
 }

package/CHANGELOG.md

@@ -5,6 +5,28 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.0] - 2025-06-23
+
+### Added
+
+- Role-based access control (RBAC) using Amazon Cognito User Groups
+- Three permission levels: FlowConfigAdmin, FlowConfigEdit, and FlowConfigRead
+- Backend permission validation for all API endpoints
+- Frontend UI adapts based on user permissions
+- Read-only mode for users without edit access
+- Access denied screen for users without any FlowConfig permissions
+
+### Changed
+
+- Replaced placeholder permission system with full Cognito Groups implementation
+- FlowConfigEdit users can add languages to prompts but cannot remove existing ones
+- FlowConfigEdit users can add/remove channels but cannot modify structure
+- Preview functionality remains available to all permission levels
+
+## [1.0.2] - 2025-06-20
+
+- Converted to `SpecRestApi` because `@aws-solutions-constructs/aws-openapigateway-lambda` is not compatible with `Role.customizeRoles`
+
 ## [1.0.0] - 2025-06-18
 
 ### Added

package/dist/backend/FlowConfig/index.js

@@ -151,6 +151,78 @@ function stripSSML(text) {
 }
 __name(stripSSML, "stripSSML");
 
+// backend/shared/permissions.ts
+var COGNITO_GROUPS = {
+  ADMIN: "FlowConfigAdmin",
+  EDIT: "FlowConfigEdit",
+  READ: "FlowConfigRead"
+};
+function extractCognitoGroups(claims) {
+  const groupsClaim = claims["cognito:groups"];
+  if (!groupsClaim) {
+    return [];
+  }
+  if (typeof groupsClaim === "string") {
+    return groupsClaim.split(",").map((group) => group.trim());
+  }
+  if (Array.isArray(groupsClaim)) {
+    return groupsClaim;
+  }
+  return [];
+}
+__name(extractCognitoGroups, "extractCognitoGroups");
+function hasFlowConfigAccess(claims) {
+  const userGroups = extractCognitoGroups(claims);
+  const flowConfigGroups = Object.values(COGNITO_GROUPS);
+  return userGroups.some((group) => flowConfigGroups.includes(group));
+}
+__name(hasFlowConfigAccess, "hasFlowConfigAccess");
+function getAccessLevel(claims) {
+  const userGroups = extractCognitoGroups(claims);
+  if (userGroups.includes(COGNITO_GROUPS.ADMIN)) {
+    return "Full";
+  }
+  if (userGroups.includes(COGNITO_GROUPS.EDIT)) {
+    return "Edit";
+  }
+  if (userGroups.includes(COGNITO_GROUPS.READ)) {
+    return "Read";
+  }
+  return null;
+}
+__name(getAccessLevel, "getAccessLevel");
+function checkActionPermission(claims, action) {
+  const accessLevel = getAccessLevel(claims);
+  if (!accessLevel) {
+    return null;
+  }
+  switch (action) {
+    case "Read":
+      return accessLevel;
+    case "Edit":
+      if (accessLevel === "Edit" || accessLevel === "Full") {
+        return accessLevel;
+      }
+      return null;
+    case "Create":
+    case "Delete":
+      if (accessLevel === "Full") {
+        return accessLevel;
+      }
+      return null;
+    default:
+      return null;
+  }
+}
+__name(checkActionPermission, "checkActionPermission");
+function validateFlowConfigPermission(claims, _flowConfigId, action) {
+  if (!hasFlowConfigAccess(claims)) {
+    return null;
+  }
+  return checkActionPermission(claims, action);
+}
+__name(validateFlowConfigPermission, "validateFlowConfigPermission");
+
 // backend/FlowConfig.ts
 var env = process.env;
 var client2 = new import_client_dynamodb.DynamoDBClient();
@@ -198,7 +270,7 @@ async function listFlowConfigs(event, claims) {
     }
     const resultItems = [];
     for (const config of filteredConfigs) {
-      const accessLevel = await checkPermissions(claims, config.id, "Read");
+      const accessLevel = validateFlowConfigPermission(claims, config.id, "Read");
       if (accessLevel) {
         resultItems.push({
           id: config.id,
@@ -216,7 +288,7 @@ async function listFlowConfigs(event, claims) {
 __name(listFlowConfigs, "listFlowConfigs");
 async function getFlowConfig(flowConfigId, claims) {
   try {
-    const accessLevel = await checkPermissions(claims, flowConfigId, "Read");
+    const accessLevel = validateFlowConfigPermission(claims, flowConfigId, "Read");
     if (!accessLevel) {
       return respondMessage(403, "Access denied");
     }
@@ -278,10 +350,16 @@ async function saveFlowConfig(flowConfigId, event, claims) {
     const response = await docClient.send(getCommand);
     const existingConfig = response.Item;
     const action = existingConfig ? "Edit" : "Create";
-    const accessLevel = await checkPermissions(claims, flowConfigId, action);
+    const accessLevel = validateFlowConfigPermission(claims, flowConfigId, action);
     if (!accessLevel) {
       return respondMessage(403, "Access denied");
     }
+    if (accessLevel === "Edit" && existingConfig) {
+      const structuralChangeError = validateEditOnlyChanges(existingConfig, body);
+      if (structuralChangeError) {
+        return respondMessage(403, `FlowConfigEdit users cannot make structural changes: ${structuralChangeError}`);
+      }
+    }
     const putCommand = new import_lib_dynamodb.PutCommand({
       TableName: env.FLOW_CONFIGS_TABLE_NAME,
       Item: body
@@ -296,7 +374,7 @@ async function saveFlowConfig(flowConfigId, event, claims) {
 __name(saveFlowConfig, "saveFlowConfig");
 async function deleteFlowConfig(flowConfigId, claims) {
   try {
-    const accessLevel = await checkPermissions(claims, flowConfigId, "Delete");
+    const accessLevel = validateFlowConfigPermission(claims, flowConfigId, "Delete");
     if (!accessLevel) {
       return respondMessage(403, "Access denied");
     }
@@ -355,7 +433,7 @@ async function previewFlowConfig(event, claims) {
         "FlowConfig must have id, description, variables, and prompts"
       );
     }
-    const accessLevel = await checkPermissions(claims, flowConfig.id, "Read");
+    const accessLevel = validateFlowConfigPermission(claims, flowConfig.id, "Read");
     if (!accessLevel) {
       return respondMessage(403, "Access denied");
     }
@@ -369,18 +447,34 @@ async function previewFlowConfig(event, claims) {
   }
 }
 __name(previewFlowConfig, "previewFlowConfig");
-async function checkPermissions(_claims, flowConfigId, action) {
-  try {
-    return Promise.resolve("Full");
-  } catch (error) {
-    console.error(
-      `Error checking permissions for ${flowConfigId}, action ${action}:`,
-      error
-    );
-    return null;
+function validateEditOnlyChanges(existingConfig, newConfig) {
+  if (existingConfig.description !== newConfig.description) {
+    return "Cannot modify description";
+  }
+  const existingVarKeys = Object.keys(existingConfig.variables || {}).sort();
+  const newVarKeys = Object.keys(newConfig.variables || {}).sort();
+  if (existingVarKeys.length !== newVarKeys.length || !existingVarKeys.every((key, index) => key === newVarKeys[index])) {
+    return "Cannot add or remove variables";
+  }
+  const existingPromptKeys = Object.keys(existingConfig.prompts || {}).sort();
+  const newPromptKeys = Object.keys(newConfig.prompts || {}).sort();
+  if (existingPromptKeys.length !== newPromptKeys.length || !existingPromptKeys.every((key, index) => key === newPromptKeys[index])) {
+    return "Cannot add or remove prompts";
+  }
+  for (const promptName of existingPromptKeys) {
+    const existingPrompt = existingConfig.prompts[promptName];
+    const newPrompt = newConfig.prompts[promptName];
+    const existingLangs = Object.keys(existingPrompt || {});
+    const newLangs = Object.keys(newPrompt || {});
+    for (const existingLang of existingLangs) {
+      if (!newLangs.includes(existingLang)) {
+        return `Cannot remove language ${existingLang} from prompt ${promptName}`;
+      }
+    }
   }
+  return null;
 }
-__name(checkPermissions, "checkPermissions");
+__name(validateEditOnlyChanges, "validateEditOnlyChanges");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   handler