
Example 6 with AuthRule

Use of com.amplifyframework.core.model.AuthRule in the amplify-android project by aws-amplify.

From the class MultiAuthorizationTypeIteratorTest, method testMultiOwnerRules.

/**
 * Three owner rules are supplied: one backed by OIDC, one with every argument left null
 * (which, per the original intent of this test, should behave as a userPools owner rule),
 * and one backed by user pools explicitly. Rules sharing a provider collapse into a single
 * auth type, so the iterator is expected to yield exactly two entries, both flagged as
 * owner-based: user pools first, then OIDC.
 */
@Test
public void testMultiOwnerRules() {
    AuthRule oidcOwner = buildOwnerRule(
        AuthStrategy.Provider.OIDC,
        "differentOwner",
        "myClaim",
        Arrays.asList(ModelOperation.CREATE, ModelOperation.DELETE));
    AuthRule defaultOwner = buildOwnerRule(null, null, null, null);
    AuthRule userPoolsOwner = buildOwnerRule(
        AuthStrategy.Provider.USER_POOLS,
        "differentOwnerField",
        null,
        Arrays.asList(ModelOperation.CREATE, ModelOperation.DELETE));
    List<AuthRule> authRules = Arrays.asList(oidcOwner, defaultOwner, userPoolsOwner);

    // Expected output, in iteration order, alongside the is-owner flag for each entry.
    List<AuthorizationType> expectedAuthTypes =
        Arrays.asList(AuthorizationType.AMAZON_COGNITO_USER_POOLS, AuthorizationType.OPENID_CONNECT);
    List<Boolean> expectedIsOwnerFlags = Arrays.asList(true, true);

    MultiAuthorizationTypeIterator actualAuthTypeIterator = new MultiAuthorizationTypeIterator(authRules);
    assertIteratorState(expectedAuthTypes.iterator(), expectedIsOwnerFlags.iterator(), actualAuthTypeIterator);
}

Example 7 with AuthRule

Use of com.amplifyframework.core.model.AuthRule in the amplify-android project by aws-amplify.

From the class AuthRuleRequestDecorator, method decorate.

/**
 * Adds the authorization-related variables that AppSync expects to an outgoing GraphQL request.
 *
 * Only {@link AppSyncGraphQLRequest} instances are inspected; any other request is returned
 * untouched. The model's auth rules are scanned once: at most one owner rule restricting READ
 * is tolerated (a second one results in an {@link ApiAuthException}), and the groups of every
 * read-restricting static group rule are collected, keyed by their group claim. When a
 * read-restricting owner rule exists and {@code userNotInReadRestrictingGroups} reports that the
 * caller is not covered by any collected group, the request is rebuilt with a {@code String!}
 * variable named after the rule's owner field, holding the identity value derived from the
 * rule's identity claim and the current authorization type.
 *
 * This will only work if the request is compliant with the AppSync specifications.
 * @param request an instance of {@link GraphQLRequest}.
 * @param authType the mode of authorization being used to authorize the request
 * @param <R> The type of data contained in the GraphQLResponse expected from this request.
 * @return the input request, possibly rebuilt with an additional owner variable
 * @throws ApiException if more than one owner rule restricts READ, or if rebuilding the request
 *          with the owner variable fails
 */
public <R> GraphQLRequest<R> decorate(@NonNull GraphQLRequest<R> request, @NonNull AuthorizationType authType) throws ApiException {
    if (!(request instanceof AppSyncGraphQLRequest)) {
        // Only AppSyncGraphQLRequest exposes the model schema whose auth rules are read below.
        return request;
    }
    AppSyncGraphQLRequest<R> appSyncRequest = (AppSyncGraphQLRequest<R>) request;

    // Groups of every read-restricting static group rule, keyed by the claim they are read from.
    Map<String, Set<String>> readAuthorizedGroupsMap = new HashMap<>();
    AuthRule readRestrictingOwnerRule = null;
    for (AuthRule rule : appSyncRequest.getModelSchema().getAuthRules()) {
        if (isReadRestrictingOwner(rule)) {
            // A second read-restricting owner rule cannot be expressed as a single owner variable.
            if (readRestrictingOwnerRule != null) {
                throw new ApiAuthException("Detected multiple owner type auth rules with a READ operation", "We currently do not support this use case. Please limit your type to just one owner " + "auth rule with a READ operation restriction.");
            }
            readRestrictingOwnerRule = rule;
            continue;
        }
        if (isReadRestrictingStaticGroup(rule)) {
            readAuthorizedGroupsMap
                .computeIfAbsent(rule.getGroupClaimOrDefault(), claim -> new HashSet<>())
                .addAll(rule.getGroups());
        }
    }

    if (readRestrictingOwnerRule == null) {
        return request;
    }
    if (!userNotInReadRestrictingGroups(readAuthorizedGroupsMap, authType)) {
        // The caller is already covered by a read-authorized group; no owner variable is added.
        return request;
    }

    String ownerField = readRestrictingOwnerRule.getOwnerFieldOrDefault();
    String identityClaim = readRestrictingOwnerRule.getIdentityClaimOrDefault();
    String ownerValue = getIdentityValue(identityClaim, authType);
    try {
        return appSyncRequest.newBuilder().variable(ownerField, "String!", ownerValue).build();
    } catch (AmplifyException error) {
        // Rebuilding an already valid request is not expected to fail.
        throw new ApiAuthException("Failed to set owner field on AppSyncGraphQLRequest.", error, AmplifyException.REPORT_BUG_TO_AWS_SUGGESTION);
    }
}
