@ttoss/cloud-auth 0.6.4 → 0.7.0

package/dist/index.js

@@ -33,10 +33,16 @@ var PASSWORD_MINIMUM_LENGTH = 8;
 var CognitoUserPoolLogicalId = "CognitoUserPool";
 var CognitoUserPoolClientLogicalId = "CognitoUserPoolClient";
 var CognitoIdentityPoolLogicalId = "CognitoIdentityPool";
+var IdentityPoolAuthenticatedIAMRoleLogicalId = "IdentityPoolAuthenticatedIAMRole";
+var IdentityPoolUnauthenticatedIAMRoleLogicalId = "IdentityPoolUnauthenticatedIAMRole";
+var DenyStatement = {
+  Effect: "Deny",
+  Action: ["*"],
+  Resource: ["*"]
+};
 var createAuthTemplate = ({
   autoVerifiedAttributes = ["email"],
-  identityPool = true,
-  roles,
+  identityPool,
   schema,
   usernameAttributes = ["email"]
 } = {}) => {
@@ -58,7 +64,6 @@ var createAuthTemplate = ({
               TemporaryPasswordValidityDays: 30
             }
           },
-          Schema: schema,
           UsernameAttributes: usernameAttributes,
           UsernameConfiguration: {
             CaseSensitive: false
@@ -114,7 +119,35 @@ var createAuthTemplate = ({
       }
     }
   };
-  if (identityPool) {
+  if (schema) {
+    const Schema = schema.map((attribute) => {
+      let NumberAttributeConstraints = void 0;
+      if (attribute.numberAttributeConstraints) {
+        NumberAttributeConstraints = {
+          MaxValue: attribute.numberAttributeConstraints?.maxValue,
+          MinValue: attribute.numberAttributeConstraints?.minValue
+        };
+      }
+      let StringAttributeConstraints = void 0;
+      if (attribute.stringAttributeConstraints) {
+        StringAttributeConstraints = {
+          MaxLength: attribute.stringAttributeConstraints?.maxLength,
+          MinLength: attribute.stringAttributeConstraints?.minLength
+        };
+      }
+      return {
+        AttributeDataType: attribute.attributeDataType,
+        DeveloperOnlyAttribute: attribute.developerOnlyAttribute,
+        Mutable: attribute.mutable,
+        Name: attribute.name,
+        NumberAttributeConstraints,
+        Required: attribute.required,
+        StringAttributeConstraints
+      };
+    });
+    template.Resources[CognitoUserPoolLogicalId].Properties.Schema = Schema;
+  }
+  if (identityPool?.enabled) {
     template.Resources[CognitoIdentityPoolLogicalId] = {
       Type: "AWS::Cognito::IdentityPool",
       Properties: {
@@ -131,17 +164,94 @@ var createAuthTemplate = ({
         ]
       }
     };
-    if (roles) {
-      template.Resources.CognitoIdentityPoolRoleAttachment = {
-        Type: "AWS::Cognito::IdentityPoolRoleAttachment",
-        Properties: {
-          IdentityPoolId: {
-            Ref: CognitoIdentityPoolLogicalId
+    template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
+      Type: "AWS::IAM::Role",
+      Properties: {
+        AssumeRolePolicyDocument: {
+          Version: "2012-10-17",
+          Statement: [
+            {
+              Effect: "Allow",
+              Principal: {
+                Federated: "cognito-identity.amazonaws.com"
+              },
+              Action: ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
+              Condition: {
+                StringEquals: {
+                  "cognito-identity.amazonaws.com:aud": {
+                    Ref: CognitoIdentityPoolLogicalId
+                  }
+                },
+                "ForAnyValue:StringLike": {
+                  "cognito-identity.amazonaws.com:amr": "authenticated"
+                }
+              }
+            }
+          ]
+        },
+        Policies: identityPool.authenticatedPolicies || [
+          {
+            PolicyName: "IdentityPoolAuthenticatedIAMRolePolicyName",
+            PolicyDocument: {
+              Version: "2012-10-17",
+              Statement: [DenyStatement]
+            }
+          }
+        ]
+      }
+    };
+    template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
+      Type: "AWS::IAM::Role",
+      Properties: {
+        AssumeRolePolicyDocument: {
+          Version: "2012-10-17",
+          Statement: [
+            {
+              Effect: "Allow",
+              Principal: {
+                Federated: "cognito-identity.amazonaws.com"
+              },
+              Action: "sts:AssumeRoleWithWebIdentity",
+              Condition: {
+                StringEquals: {
+                  "cognito-identity.amazonaws.com:aud": {
+                    Ref: CognitoIdentityPoolLogicalId
+                  }
+                },
+                "ForAnyValue:StringLike": {
+                  "cognito-identity.amazonaws.com:amr": "unauthenticated"
+                }
+              }
+            }
+          ]
+        },
+        Policies: identityPool.authenticatedPolicies || [
+          {
+            PolicyName: "IdentityPoolUnauthenticatedIAMRolePolicyName",
+            PolicyDocument: {
+              Version: "2012-10-17",
+              Statement: [DenyStatement]
+            }
+          }
+        ]
+      }
+    };
+    template.Resources.CognitoIdentityPoolRoleAttachment = {
+      Type: "AWS::Cognito::IdentityPoolRoleAttachment",
+      Properties: {
+        IdentityPoolId: {
+          Ref: CognitoIdentityPoolLogicalId
+        },
+        Roles: {
+          authenticated: {
+            "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
           },
-          Roles: roles
+          unauthenticated: {
+            "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
+          }
         }
-      };
-    }
+      }
+    };
     if (!template.Outputs) {
       template.Outputs = {};
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ttoss/cloud-auth",
-  "version": "0.6.4",
+  "version": "0.7.0",
   "main": "./dist/index.js",
   "module": "./dist/esm/index.js",
   "scripts": {
@@ -9,7 +9,7 @@
   },
   "typings": "./dist/index.d.ts",
   "dependencies": {
-    "@ttoss/cloudformation": "^0.5.4"
+    "@ttoss/cloudformation": "^0.6.0"
   },
   "devDependencies": {
     "@ttoss/config": "^1.28.2",
@@ -20,5 +20,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "7ce61c5deab1deb32f9f2b573fe2ae6cebb778cd"
+  "gitHead": "ff8bed71bb39e2e7d7385f8bb4a1bfda3553cb5c"
 }

package/src/template.ts

@@ -1,5 +1,5 @@
-import { CloudFormationTemplate } from '@ttoss/cloudformation';
 import { PASSWORD_MINIMUM_LENGTH } from './config';
+import type { CloudFormationTemplate, Policy } from '@ttoss/cloudformation';
 
 const CognitoUserPoolLogicalId = 'CognitoUserPool';
 
@@ -7,41 +7,46 @@ const CognitoUserPoolClientLogicalId = 'CognitoUserPoolClient';
 
 const CognitoIdentityPoolLogicalId = 'CognitoIdentityPool';
 
-type Role =
-  | string
-  | {
-      'Fn::ImportValue': string;
-    };
+const IdentityPoolAuthenticatedIAMRoleLogicalId =
+  'IdentityPoolAuthenticatedIAMRole';
+
+const IdentityPoolUnauthenticatedIAMRoleLogicalId =
+  'IdentityPoolUnauthenticatedIAMRole';
+
+export const DenyStatement = {
+  Effect: 'Deny' as const,
+  Action: ['*'],
+  Resource: ['*'],
+};
 
 export const createAuthTemplate = ({
   autoVerifiedAttributes = ['email'],
-  identityPool = true,
-  roles,
+  identityPool,
   schema,
   usernameAttributes = ['email'],
 }: {
   autoVerifiedAttributes?: Array<'email' | 'phone_number'> | null | false;
-  identityPool?: boolean;
-  roles?: {
-    authenticated?: Role;
-    unauthenticated?: Role;
+  identityPool?: {
+    enabled?: boolean;
+    authenticatedPolicies?: Policy[];
+    unauthenticatedPolicies?: Policy[];
   };
   /**
    * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html
    */
   schema?: {
-    AttributeDataType?: 'Boolean' | 'DateTime' | 'Number' | 'String';
-    DeveloperOnlyAttribute?: boolean;
-    Mutable?: boolean;
-    Name?: string;
-    NumberAttributeConstraints?: {
-      MaxValue?: string;
-      MinValue?: string;
+    attributeDataType?: 'Boolean' | 'DateTime' | 'Number' | 'String';
+    developerOnlyAttribute?: boolean;
+    mutable?: boolean;
+    name?: string;
+    numberAttributeConstraints?: {
+      maxValue?: string;
+      minValue?: string;
     };
-    Required?: boolean;
-    StringAttributeConstraints?: {
-      MaxLength: string;
-      MinLength: string;
+    required?: boolean;
+    stringAttributeConstraints?: {
+      maxLength: string;
+      minLength: string;
     };
   }[];
   usernameAttributes?: Array<'email' | 'phone_number'> | null;
@@ -68,7 +73,6 @@ export const createAuthTemplate = ({
               TemporaryPasswordValidityDays: 30,
             },
           },
-          Schema: schema,
           UsernameAttributes: usernameAttributes,
           UsernameConfiguration: {
             CaseSensitive: false,
@@ -126,7 +130,41 @@ export const createAuthTemplate = ({
     },
   };
 
-  if (identityPool) {
+  if (schema) {
+    const Schema = schema.map((attribute) => {
+      let NumberAttributeConstraints = undefined;
+
+      if (attribute.numberAttributeConstraints) {
+        NumberAttributeConstraints = {
+          MaxValue: attribute.numberAttributeConstraints?.maxValue,
+          MinValue: attribute.numberAttributeConstraints?.minValue,
+        };
+      }
+
+      let StringAttributeConstraints = undefined;
+
+      if (attribute.stringAttributeConstraints) {
+        StringAttributeConstraints = {
+          MaxLength: attribute.stringAttributeConstraints?.maxLength,
+          MinLength: attribute.stringAttributeConstraints?.minLength,
+        };
+      }
+
+      return {
+        AttributeDataType: attribute.attributeDataType,
+        DeveloperOnlyAttribute: attribute.developerOnlyAttribute,
+        Mutable: attribute.mutable,
+        Name: attribute.name,
+        NumberAttributeConstraints,
+        Required: attribute.required,
+        StringAttributeConstraints,
+      };
+    });
+
+    template.Resources[CognitoUserPoolLogicalId].Properties.Schema = Schema;
+  }
+
+  if (identityPool?.enabled) {
     /**
      * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
      */
@@ -147,20 +185,99 @@ export const createAuthTemplate = ({
       },
     };
 
-    if (roles) {
-      /**
-       * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
-       */
-      template.Resources.CognitoIdentityPoolRoleAttachment = {
-        Type: 'AWS::Cognito::IdentityPoolRoleAttachment',
-        Properties: {
-          IdentityPoolId: {
-            Ref: CognitoIdentityPoolLogicalId,
+    template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
+      Type: 'AWS::IAM::Role',
+      Properties: {
+        AssumeRolePolicyDocument: {
+          Version: '2012-10-17' as const,
+          Statement: [
+            {
+              Effect: 'Allow' as const,
+              Principal: {
+                Federated: 'cognito-identity.amazonaws.com',
+              },
+              Action: ['sts:AssumeRoleWithWebIdentity', 'sts:TagSession'],
+              Condition: {
+                StringEquals: {
+                  'cognito-identity.amazonaws.com:aud': {
+                    Ref: CognitoIdentityPoolLogicalId,
+                  },
+                },
+                'ForAnyValue:StringLike': {
+                  'cognito-identity.amazonaws.com:amr': 'authenticated',
+                },
+              },
+            },
+          ],
+        },
+        Policies: identityPool.authenticatedPolicies || [
+          {
+            PolicyName: 'IdentityPoolAuthenticatedIAMRolePolicyName',
+            PolicyDocument: {
+              Version: '2012-10-17' as const,
+              Statement: [DenyStatement],
+            },
+          },
+        ],
+      },
+    };
+
+    template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
+      Type: 'AWS::IAM::Role',
+      Properties: {
+        AssumeRolePolicyDocument: {
+          Version: '2012-10-17' as const,
+          Statement: [
+            {
+              Effect: 'Allow' as const,
+              Principal: {
+                Federated: 'cognito-identity.amazonaws.com',
+              },
+              Action: 'sts:AssumeRoleWithWebIdentity',
+              Condition: {
+                StringEquals: {
+                  'cognito-identity.amazonaws.com:aud': {
+                    Ref: CognitoIdentityPoolLogicalId,
+                  },
+                },
+                'ForAnyValue:StringLike': {
+                  'cognito-identity.amazonaws.com:amr': 'unauthenticated',
+                },
+              },
+            },
+          ],
+        },
+        Policies: identityPool.authenticatedPolicies || [
+          {
+            PolicyName: 'IdentityPoolUnauthenticatedIAMRolePolicyName',
+            PolicyDocument: {
+              Version: '2012-10-17' as const,
+              Statement: [DenyStatement],
+            },
+          },
+        ],
+      },
+    };
+
+    /**
+     * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
+     */
+    template.Resources.CognitoIdentityPoolRoleAttachment = {
+      Type: 'AWS::Cognito::IdentityPoolRoleAttachment',
+      Properties: {
+        IdentityPoolId: {
+          Ref: CognitoIdentityPoolLogicalId,
+        },
+        Roles: {
+          authenticated: {
+            'Fn::GetAtt': [IdentityPoolAuthenticatedIAMRoleLogicalId, 'Arn'],
+          },
+          unauthenticated: {
+            'Fn::GetAtt': [IdentityPoolUnauthenticatedIAMRoleLogicalId, 'Arn'],
           },
-          Roles: roles,
         },
-      };
-    }
+      },
+    };
 
     if (!template.Outputs) {
       template.Outputs = {};

package/tests/unit/template.test.ts

@@ -8,7 +8,22 @@ test('do not add schema if not provided', () => {
 test('add schema if provided', () => {
   const schema = [
     {
-      AttributeDataType: 'String' as const,
+      attributeDataType: 'String' as const,
+      developerOnlyAttribute: false,
+      mutable: true,
+      name: 'email',
+      required: true,
+      stringAttributeConstraints: {
+        maxLength: '2048',
+        minLength: '0',
+      },
+    },
+  ];
+
+  const template = createAuthTemplate({ schema });
+  expect(template.Resources.CognitoUserPool.Properties.Schema).toEqual([
+    {
+      AttributeDataType: 'String',
       DeveloperOnlyAttribute: false,
       Mutable: true,
       Name: 'email',
@@ -18,10 +33,7 @@ test('add schema if provided', () => {
         MinLength: '0',
       },
     },
-  ];
-
-  const template = createAuthTemplate({ schema });
-  expect(template.Resources.CognitoUserPool.Properties.Schema).toEqual(schema);
+  ]);
 });
 
 test('should have autoVerifiedAttributes equal email by default', () => {
@@ -31,6 +43,13 @@ test('should have autoVerifiedAttributes equal email by default', () => {
   ).toEqual(['email']);
 });
 
+test('default usernameAttributes should be email', () => {
+  const template = createAuthTemplate();
+  expect(
+    template.Resources.CognitoUserPool.Properties.UsernameAttributes
+  ).toEqual(['email']);
+});
+
 test.each([[], null, false])(
   'should have autoVerifiedAttributes undefined: %p',
   (autoVerifiedAttributes: any) => {
@@ -41,40 +60,32 @@ test.each([[], null, false])(
   }
 );
 
-test.each([true, undefined])(
-  'should have identity pool by default or true: %p',
-  (identityPool) => {
-    const template = createAuthTemplate({ identityPool });
+describe('identity pool', () => {
+  test.each([false, undefined])(
+    'should not have identity pool by default or false: %p',
+    (enabled) => {
+      const template = createAuthTemplate({ identityPool: { enabled } });
+      expect(template.Resources.CognitoIdentityPool).not.toBeDefined();
+      expect(template.Outputs?.IdentityPoolId).not.toBeDefined();
+    }
+  );
+
+  test('should have identity pool if false', () => {
+    const template = createAuthTemplate({
+      identityPool: {
+        enabled: true,
+      },
+    });
     expect(template.Resources.CognitoIdentityPool).toBeDefined();
     expect(template.Outputs?.IdentityPoolId).toBeDefined();
-  }
-);
-
-test('should not have identity pool if false', () => {
-  const template = createAuthTemplate({ identityPool: false });
-  expect(template.Resources.CognitoIdentityPool).toBeUndefined();
-  expect(template.Outputs?.IdentityPoolId).toBeUndefined();
-});
+  });
 
-test('should have identity pool role attachment with roles', () => {
-  const roles = {
-    authenticated: 'arn:aws:iam::123456789012:role/authenticated',
-    unauthenticated: 'arn:aws:iam::123456789012:role/unauthenticated',
-  };
-  const template = createAuthTemplate({ roles });
-  expect(
-    template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles
-  ).toEqual(roles);
-});
-
-test('should not have identity pool role attachment without roles', () => {
-  const template = createAuthTemplate();
-  expect(template.Resources.CognitoIdentityPoolRoleAttachment).toBeUndefined();
-});
-
-test('default usernameAttributes should be email', () => {
-  const template = createAuthTemplate();
-  expect(
-    template.Resources.CognitoUserPool.Properties.UsernameAttributes
-  ).toEqual(['email']);
+  test('should have identity pool role attachment', () => {
+    const template = createAuthTemplate({
+      identityPool: {
+        enabled: true,
+      },
+    });
+    expect(template.Resources.CognitoIdentityPoolRoleAttachment).toBeDefined();
+  });
 });