use of com.amplifyframework.core.model.AuthRule in project amplify-android by aws-amplify.
Class MultiAuthorizationTypeIteratorTest, method testMultiOwnerRules.
/**
 * Owner rules that share a provider must collapse into one auth type: two userPools-backed
 * owner rules (one relying on provider defaults) plus one OIDC-backed owner rule should
 * produce exactly two entries, AMAZON_COGNITO_USER_POOLS and OPENID_CONNECT, each flagged
 * as an owner rule.
 */
@Test
public void testMultiOwnerRules() {
    List<ModelOperation> oidcOperations = Arrays.asList(ModelOperation.CREATE, ModelOperation.DELETE);
    List<ModelOperation> userPoolsOperations = Arrays.asList(ModelOperation.CREATE, ModelOperation.DELETE);

    AuthRule oidcOwnerRule = buildOwnerRule(AuthStrategy.Provider.OIDC, "differentOwner", "myClaim", oidcOperations);
    // All-null arguments exercise whatever defaults the builder applies for provider, field and claim.
    AuthRule defaultOwnerRule = buildOwnerRule(null, null, null, null);
    AuthRule userPoolsOwnerRule =
        buildOwnerRule(AuthStrategy.Provider.USER_POOLS, "differentOwnerField", null, userPoolsOperations);

    MultiAuthorizationTypeIterator iterator =
        new MultiAuthorizationTypeIterator(Arrays.asList(oidcOwnerRule, defaultOwnerRule, userPoolsOwnerRule));

    Iterator<AuthorizationType> expectedTypes =
        Arrays.asList(AuthorizationType.AMAZON_COGNITO_USER_POOLS, AuthorizationType.OPENID_CONNECT).iterator();
    Iterator<Boolean> expectedOwnerFlags = Arrays.asList(true, true).iterator();
    assertIteratorState(expectedTypes, expectedOwnerFlags, iterator);
}
use of com.amplifyframework.core.model.AuthRule in project amplify-android by aws-amplify.
Class AuthRuleRequestDecorator, method decorate.
/**
 * Adds the owner-authorization variable an AppSync request needs and returns the resulting
 * request.
 *
 * Only {@link AppSyncGraphQLRequest} instances are inspected; any other request is returned
 * untouched. The model's auth rules are scanned for a single owner rule that restricts READ
 * and for static group rules that restrict READ. When an owner rule exists and the caller is
 * not a member of any read-restricting group, the owner field is bound as a {@code String!}
 * variable whose value is resolved from the caller's identity claim for the given auth type.
 * @param request an instance of {@link GraphQLRequest}.
 * @param authType the mode of authorization being used to authorize the request
 * @param <R> The type of data contained in the GraphQLResponse expected from this request.
 * @return the input request, or a copy of it with the owner variable added when the model's
 * rules require an owner filter
 * @throws ApiException If an error is encountered while processing the auth rules associated
 * with the request or if the authorization fails
 */
public <R> GraphQLRequest<R> decorate(@NonNull GraphQLRequest<R> request, @NonNull AuthorizationType authType) throws ApiException {
    if (!(request instanceof AppSyncGraphQLRequest)) {
        // Only AppSync requests carry a model schema with auth rules to inspect.
        return request;
    }
    AppSyncGraphQLRequest<R> appSyncRequest = (AppSyncGraphQLRequest<R>) request;

    // At most one owner rule restricting READ is supported; a second one is rejected below.
    AuthRule readRestrictingOwnerRule = null;
    // Groups allowed to read, collected per group-claim name so rules using the same claim merge.
    Map<String, Set<String>> readAuthorizedGroupsByClaim = new HashMap<>();
    for (AuthRule rule : appSyncRequest.getModelSchema().getAuthRules()) {
        if (isReadRestrictingOwner(rule)) {
            if (readRestrictingOwnerRule != null) {
                throw new ApiAuthException(
                    "Detected multiple owner type auth rules with a READ operation",
                    "We currently do not support this use case. Please limit your type to just one owner auth rule with a READ operation restriction.");
            }
            readRestrictingOwnerRule = rule;
        } else if (isReadRestrictingStaticGroup(rule)) {
            String claimName = rule.getGroupClaimOrDefault();
            List<String> ruleGroups = rule.getGroups();
            Set<String> groupsForClaim = readAuthorizedGroupsByClaim.get(claimName);
            if (groupsForClaim == null) {
                groupsForClaim = new HashSet<>();
                readAuthorizedGroupsByClaim.put(claimName, groupsForClaim);
            }
            groupsForClaim.addAll(ruleGroups);
        }
    }

    // Group membership is checked only when an owner rule exists (&& short-circuits otherwise).
    boolean ownerFilterRequired = readRestrictingOwnerRule != null
        && userNotInReadRestrictingGroups(readAuthorizedGroupsByClaim, authType);
    if (!ownerFilterRequired) {
        return request;
    }

    String identityClaim = readRestrictingOwnerRule.getIdentityClaimOrDefault();
    String ownerField = readRestrictingOwnerRule.getOwnerFieldOrDefault();
    // The owner value is resolved from the identity claim for this auth type; it is not read
    // from the request itself, so the filter reflects the authenticated caller.
    String ownerValue = getIdentityValue(identityClaim, authType);
    try {
        return appSyncRequest.newBuilder().variable(ownerField, "String!", ownerValue).build();
    } catch (AmplifyException error) {
        // Rebuilding a request that was already valid is not expected to fail.
        throw new ApiAuthException("Failed to set owner field on AppSyncGraphQLRequest.", error, AmplifyException.REPORT_BUG_TO_AWS_SUGGESTION);
    }
}