@ttoss/cloud-auth 0.6.4 → 0.7.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ttoss/cloud-auth",
-  "version": "0.6.4",
+  "version": "0.7.1",
   "main": "./dist/index.js",
   "module": "./dist/esm/index.js",
   "scripts": {
@@ -9,16 +9,16 @@
   },
   "typings": "./dist/index.d.ts",
   "dependencies": {
-    "@ttoss/cloudformation": "^0.5.4"
+    "@ttoss/cloudformation": "^0.6.1"
   },
   "devDependencies": {
-    "@ttoss/config": "^1.28.2",
+    "@ttoss/config": "^1.28.3",
     "@types/jest": "^29.4.0",
-    "jest": "^29.4.3",
+    "jest": "^29.5.0",
     "typescript": "^4.9.5"
   },
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "7ce61c5deab1deb32f9f2b573fe2ae6cebb778cd"
+  "gitHead": "56e8cfde36a962deaa5514453618280699824b4f"
 }

package/src/template.ts

@@ -1,5 +1,5 @@
-import { CloudFormationTemplate } from '@ttoss/cloudformation';
 import { PASSWORD_MINIMUM_LENGTH } from './config';
+import type { CloudFormationTemplate, Policy } from '@ttoss/cloudformation';
 
 const CognitoUserPoolLogicalId = 'CognitoUserPool';
 
@@ -7,41 +7,46 @@ const CognitoUserPoolClientLogicalId = 'CognitoUserPoolClient';
 
 const CognitoIdentityPoolLogicalId = 'CognitoIdentityPool';
 
-type Role =
-  | string
-  | {
-      'Fn::ImportValue': string;
-    };
+const IdentityPoolAuthenticatedIAMRoleLogicalId =
+  'IdentityPoolAuthenticatedIAMRole';
+
+const IdentityPoolUnauthenticatedIAMRoleLogicalId =
+  'IdentityPoolUnauthenticatedIAMRole';
+
+export const DenyStatement = {
+  Effect: 'Deny' as const,
+  Action: ['*'],
+  Resource: ['*'],
+};
 
 export const createAuthTemplate = ({
   autoVerifiedAttributes = ['email'],
-  identityPool = true,
-  roles,
+  identityPool,
   schema,
   usernameAttributes = ['email'],
 }: {
   autoVerifiedAttributes?: Array<'email' | 'phone_number'> | null | false;
-  identityPool?: boolean;
-  roles?: {
-    authenticated?: Role;
-    unauthenticated?: Role;
+  identityPool?: {
+    enabled?: boolean;
+    authenticatedPolicies?: Policy[];
+    unauthenticatedPolicies?: Policy[];
   };
   /**
    * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html
    */
   schema?: {
-    AttributeDataType?: 'Boolean' | 'DateTime' | 'Number' | 'String';
-    DeveloperOnlyAttribute?: boolean;
-    Mutable?: boolean;
-    Name?: string;
-    NumberAttributeConstraints?: {
-      MaxValue?: string;
-      MinValue?: string;
+    attributeDataType?: 'Boolean' | 'DateTime' | 'Number' | 'String';
+    developerOnlyAttribute?: boolean;
+    mutable?: boolean;
+    name?: string;
+    numberAttributeConstraints?: {
+      maxValue?: string;
+      minValue?: string;
     };
-    Required?: boolean;
-    StringAttributeConstraints?: {
-      MaxLength: string;
-      MinLength: string;
+    required?: boolean;
+    stringAttributeConstraints?: {
+      maxLength: string;
+      minLength: string;
     };
   }[];
   usernameAttributes?: Array<'email' | 'phone_number'> | null;
@@ -56,6 +61,7 @@ export const createAuthTemplate = ({
     Resources: {
       [CognitoUserPoolLogicalId]: {
         Type: 'AWS::Cognito::UserPool',
+        DeletionPolicy: 'Retain',
         Properties: {
           AutoVerifiedAttributes,
           Policies: {
@@ -68,7 +74,6 @@ export const createAuthTemplate = ({
               TemporaryPasswordValidityDays: 30,
             },
           },
-          Schema: schema,
           UsernameAttributes: usernameAttributes,
           UsernameConfiguration: {
             CaseSensitive: false,
@@ -126,7 +131,41 @@ export const createAuthTemplate = ({
     },
   };
 
-  if (identityPool) {
+  if (schema) {
+    const Schema = schema.map((attribute) => {
+      let NumberAttributeConstraints = undefined;
+
+      if (attribute.numberAttributeConstraints) {
+        NumberAttributeConstraints = {
+          MaxValue: attribute.numberAttributeConstraints?.maxValue,
+          MinValue: attribute.numberAttributeConstraints?.minValue,
+        };
+      }
+
+      let StringAttributeConstraints = undefined;
+
+      if (attribute.stringAttributeConstraints) {
+        StringAttributeConstraints = {
+          MaxLength: attribute.stringAttributeConstraints?.maxLength,
+          MinLength: attribute.stringAttributeConstraints?.minLength,
+        };
+      }
+
+      return {
+        AttributeDataType: attribute.attributeDataType,
+        DeveloperOnlyAttribute: attribute.developerOnlyAttribute,
+        Mutable: attribute.mutable,
+        Name: attribute.name,
+        NumberAttributeConstraints,
+        Required: attribute.required,
+        StringAttributeConstraints,
+      };
+    });
+
+    template.Resources[CognitoUserPoolLogicalId].Properties.Schema = Schema;
+  }
+
+  if (identityPool?.enabled) {
     /**
      * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
      */
@@ -147,20 +186,99 @@ export const createAuthTemplate = ({
       },
     };
 
-    if (roles) {
-      /**
-       * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
-       */
-      template.Resources.CognitoIdentityPoolRoleAttachment = {
-        Type: 'AWS::Cognito::IdentityPoolRoleAttachment',
-        Properties: {
-          IdentityPoolId: {
-            Ref: CognitoIdentityPoolLogicalId,
+    template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
+      Type: 'AWS::IAM::Role',
+      Properties: {
+        AssumeRolePolicyDocument: {
+          Version: '2012-10-17' as const,
+          Statement: [
+            {
+              Effect: 'Allow' as const,
+              Principal: {
+                Federated: 'cognito-identity.amazonaws.com',
+              },
+              Action: ['sts:AssumeRoleWithWebIdentity', 'sts:TagSession'],
+              Condition: {
+                StringEquals: {
+                  'cognito-identity.amazonaws.com:aud': {
+                    Ref: CognitoIdentityPoolLogicalId,
+                  },
+                },
+                'ForAnyValue:StringLike': {
+                  'cognito-identity.amazonaws.com:amr': 'authenticated',
+                },
+              },
+            },
+          ],
+        },
+        Policies: identityPool.authenticatedPolicies || [
+          {
+            PolicyName: 'IdentityPoolAuthenticatedIAMRolePolicyName',
+            PolicyDocument: {
+              Version: '2012-10-17' as const,
+              Statement: [DenyStatement],
+            },
+          },
+        ],
+      },
+    };
+
+    template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
+      Type: 'AWS::IAM::Role',
+      Properties: {
+        AssumeRolePolicyDocument: {
+          Version: '2012-10-17' as const,
+          Statement: [
+            {
+              Effect: 'Allow' as const,
+              Principal: {
+                Federated: 'cognito-identity.amazonaws.com',
+              },
+              Action: 'sts:AssumeRoleWithWebIdentity',
+              Condition: {
+                StringEquals: {
+                  'cognito-identity.amazonaws.com:aud': {
+                    Ref: CognitoIdentityPoolLogicalId,
+                  },
+                },
+                'ForAnyValue:StringLike': {
+                  'cognito-identity.amazonaws.com:amr': 'unauthenticated',
+                },
+              },
+            },
+          ],
+        },
+        Policies: identityPool.authenticatedPolicies || [
+          {
+            PolicyName: 'IdentityPoolUnauthenticatedIAMRolePolicyName',
+            PolicyDocument: {
+              Version: '2012-10-17' as const,
+              Statement: [DenyStatement],
+            },
+          },
+        ],
+      },
+    };
+
+    /**
+     * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
+     */
+    template.Resources.CognitoIdentityPoolRoleAttachment = {
+      Type: 'AWS::Cognito::IdentityPoolRoleAttachment',
+      Properties: {
+        IdentityPoolId: {
+          Ref: CognitoIdentityPoolLogicalId,
+        },
+        Roles: {
+          authenticated: {
+            'Fn::GetAtt': [IdentityPoolAuthenticatedIAMRoleLogicalId, 'Arn'],
+          },
+          unauthenticated: {
+            'Fn::GetAtt': [IdentityPoolUnauthenticatedIAMRoleLogicalId, 'Arn'],
           },
-          Roles: roles,
         },
-      };
-    }
+      },
+    };
 
     if (!template.Outputs) {
       template.Outputs = {};

package/tests/unit/template.test.ts

@@ -1,80 +1,100 @@
 import { createAuthTemplate } from '../../src';
 
-test('do not add schema if not provided', () => {
-  const template = createAuthTemplate();
-  expect(template.Resources.CognitoUserPool.Properties.Schema).toBeUndefined();
-});
+describe('user pool', () => {
+  test('do not add schema if not provided', () => {
+    const template = createAuthTemplate();
+    expect(
+      template.Resources.CognitoUserPool.Properties.Schema
+    ).toBeUndefined();
+  });
 
-test('add schema if provided', () => {
-  const schema = [
-    {
-      AttributeDataType: 'String' as const,
-      DeveloperOnlyAttribute: false,
-      Mutable: true,
-      Name: 'email',
-      Required: true,
-      StringAttributeConstraints: {
-        MaxLength: '2048',
-        MinLength: '0',
+  test('add schema if provided', () => {
+    const schema = [
+      {
+        attributeDataType: 'String' as const,
+        developerOnlyAttribute: false,
+        mutable: true,
+        name: 'email',
+        required: true,
+        stringAttributeConstraints: {
+          maxLength: '2048',
+          minLength: '0',
+        },
       },
-    },
-  ];
-
-  const template = createAuthTemplate({ schema });
-  expect(template.Resources.CognitoUserPool.Properties.Schema).toEqual(schema);
-});
+    ];
 
-test('should have autoVerifiedAttributes equal email by default', () => {
-  const template = createAuthTemplate();
-  expect(
-    template.Resources.CognitoUserPool.Properties.AutoVerifiedAttributes
-  ).toEqual(['email']);
-});
+    const template = createAuthTemplate({ schema });
+    expect(template.Resources.CognitoUserPool.Properties.Schema).toEqual([
+      {
+        AttributeDataType: 'String',
+        DeveloperOnlyAttribute: false,
+        Mutable: true,
+        Name: 'email',
+        Required: true,
+        StringAttributeConstraints: {
+          MaxLength: '2048',
+          MinLength: '0',
+        },
+      },
+    ]);
+  });
 
-test.each([[], null, false])(
-  'should have autoVerifiedAttributes undefined: %p',
-  (autoVerifiedAttributes: any) => {
-    const template = createAuthTemplate({ autoVerifiedAttributes });
+  test('should have autoVerifiedAttributes equal email by default', () => {
+    const template = createAuthTemplate();
     expect(
       template.Resources.CognitoUserPool.Properties.AutoVerifiedAttributes
-    ).toEqual([]);
-  }
-);
+    ).toEqual(['email']);
+  });
 
-test.each([true, undefined])(
-  'should have identity pool by default or true: %p',
-  (identityPool) => {
-    const template = createAuthTemplate({ identityPool });
-    expect(template.Resources.CognitoIdentityPool).toBeDefined();
-    expect(template.Outputs?.IdentityPoolId).toBeDefined();
-  }
-);
+  test('default usernameAttributes should be email', () => {
+    const template = createAuthTemplate();
+    expect(
+      template.Resources.CognitoUserPool.Properties.UsernameAttributes
+    ).toEqual(['email']);
+  });
 
-test('should not have identity pool if false', () => {
-  const template = createAuthTemplate({ identityPool: false });
-  expect(template.Resources.CognitoIdentityPool).toBeUndefined();
-  expect(template.Outputs?.IdentityPoolId).toBeUndefined();
-});
+  test.each([[], null, false])(
+    'should have autoVerifiedAttributes undefined: %p',
+    (autoVerifiedAttributes: any) => {
+      const template = createAuthTemplate({ autoVerifiedAttributes });
+      expect(
+        template.Resources.CognitoUserPool.Properties.AutoVerifiedAttributes
+      ).toEqual([]);
+    }
+  );
 
-test('should have identity pool role attachment with roles', () => {
-  const roles = {
-    authenticated: 'arn:aws:iam::123456789012:role/authenticated',
-    unauthenticated: 'arn:aws:iam::123456789012:role/unauthenticated',
-  };
-  const template = createAuthTemplate({ roles });
-  expect(
-    template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles
-  ).toEqual(roles);
+  test('should retain user pool', () => {
+    const template = createAuthTemplate();
+    expect(template.Resources.CognitoUserPool.DeletionPolicy).toEqual('Retain');
+  });
 });
 
-test('should not have identity pool role attachment without roles', () => {
-  const template = createAuthTemplate();
-  expect(template.Resources.CognitoIdentityPoolRoleAttachment).toBeUndefined();
-});
+describe('identity pool', () => {
+  test.each([false, undefined])(
+    'should not have identity pool by default or false: %p',
+    (enabled) => {
+      const template = createAuthTemplate({ identityPool: { enabled } });
+      expect(template.Resources.CognitoIdentityPool).not.toBeDefined();
+      expect(template.Outputs?.IdentityPoolId).not.toBeDefined();
+    }
+  );
+
+  test('should have identity pool if false', () => {
+    const template = createAuthTemplate({
+      identityPool: {
+        enabled: true,
+      },
+    });
+    expect(template.Resources.CognitoIdentityPool).toBeDefined();
+    expect(template.Outputs?.IdentityPoolId).toBeDefined();
+  });
 
-test('default usernameAttributes should be email', () => {
-  const template = createAuthTemplate();
-  expect(
-    template.Resources.CognitoUserPool.Properties.UsernameAttributes
-  ).toEqual(['email']);
+  test('should have identity pool role attachment', () => {
+    const template = createAuthTemplate({
+      identityPool: {
+        enabled: true,
+      },
+    });
+    expect(template.Resources.CognitoIdentityPoolRoleAttachment).toBeDefined();
+  });
 });