Merge pull request aws-amplify#2180 from RossWilliams/master

Allow more than one groupClaim in an auth ruleset.

packages/graphql-auth-transformer/src/__tests__/__snapshots__/OperationsArgument.test.ts.snap

@@ -13,16 +13,15 @@ exports[`Test "create", "update", "delete" auth operations 3`] = `
 ## [Start] Check authMode and execute owner/group checks **
 #if( $authMode == \\"userPools\\" )
   ## [Start] Static Group Authorization Checks **
-  ## Authorization rule: { allow: groups, groups: \\"[\\"Admin\\",\\"Dev\\"]\\" } **
+  #set($isStaticGroupAuthorized = $util.defaultIfNull(
+            $isStaticGroupAuthorized, false))
+  ## Authorization rule: { allow: groups, groups: [\\"Admin\\",\\"Dev\\"], groupClaim: \\"cognito:groups\\" } **
   #set( $userGroups = $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:groups\\"), []) )
   #set( $allowedGroups = [\\"Admin\\", \\"Dev\\"] )
-  #set($isStaticGroupAuthorized = $util.defaultIfNull(
-                $isStaticGroupAuthorized, false))
   #foreach( $userGroup in $userGroups )
-    #foreach( $allowedGroup in $allowedGroups )
-      #if( $allowedGroup == $userGroup )
-        #set( $isStaticGroupAuthorized = true )
-      #end
+    #if( $allowedGroups.contains($userGroup) )
+      #set( $isStaticGroupAuthorized = true )
+      #break
     #end
   #end
   ## [End] Static Group Authorization Checks **
@@ -72,16 +71,15 @@ exports[`Test "create", "update", "delete" auth operations 4`] = `
 ## [Start] Check authMode and execute owner/group checks **
 #if( $authMode == \\"userPools\\" )
   ## [Start] Static Group Authorization Checks **
-  ## Authorization rule: { allow: groups, groups: \\"[\\"Admin\\",\\"Dev\\"]\\" } **
+  #set($isStaticGroupAuthorized = $util.defaultIfNull(
+            $isStaticGroupAuthorized, false))
+  ## Authorization rule: { allow: groups, groups: [\\"Admin\\",\\"Dev\\"], groupClaim: \\"cognito:groups\\" } **
   #set( $userGroups = $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:groups\\"), []) )
   #set( $allowedGroups = [\\"Admin\\", \\"Dev\\"] )
-  #set($isStaticGroupAuthorized = $util.defaultIfNull(
-                $isStaticGroupAuthorized, false))
   #foreach( $userGroup in $userGroups )
-    #foreach( $allowedGroup in $allowedGroups )
-      #if( $allowedGroup == $userGroup )
-        #set( $isStaticGroupAuthorized = true )
-      #end
+    #if( $allowedGroups.contains($userGroup) )
+      #set( $isStaticGroupAuthorized = true )
+      #break
     #end
   #end
   ## [End] Static Group Authorization Checks **
@@ -285,16 +283,15 @@ exports[`Test "create", "update", "delete" auth operations 5`] = `
 ## [Start] Check authMode and execute owner/group checks **
 #if( $authMode == \\"userPools\\" )
   ## [Start] Static Group Authorization Checks **
-  ## Authorization rule: { allow: groups, groups: \\"[\\"Admin\\",\\"Dev\\"]\\" } **
+  #set($isStaticGroupAuthorized = $util.defaultIfNull(
+            $isStaticGroupAuthorized, false))
+  ## Authorization rule: { allow: groups, groups: [\\"Admin\\",\\"Dev\\"], groupClaim: \\"cognito:groups\\" } **
   #set( $userGroups = $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:groups\\"), []) )
   #set( $allowedGroups = [\\"Admin\\", \\"Dev\\"] )
-  #set($isStaticGroupAuthorized = $util.defaultIfNull(
-                $isStaticGroupAuthorized, false))
   #foreach( $userGroup in $userGroups )
-    #foreach( $allowedGroup in $allowedGroups )
-      #if( $allowedGroup == $userGroup )
-        #set( $isStaticGroupAuthorized = true )
-      #end
+    #if( $allowedGroups.contains($userGroup) )
+      #set( $isStaticGroupAuthorized = true )
+      #break
     #end
   #end
   ## [End] Static Group Authorization Checks **
@@ -433,16 +430,15 @@ exports[`Test that checks subscription resolvers are generated with auth logic 1
 ## [Start] Check authMode and execute owner/group checks **
 #if( $authMode == \\"userPools\\" )
   ## [Start] Static Group Authorization Checks **
-  ## Authorization rule: { allow: groups, groups: \\"[\\"Admin\\"]\\" } **
+  #set($isStaticGroupAuthorized = $util.defaultIfNull(
+            $isStaticGroupAuthorized, false))
+  ## Authorization rule: { allow: groups, groups: [\\"Admin\\"], groupClaim: \\"cognito:groups\\" } **
   #set( $userGroups = $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:groups\\"), []) )
   #set( $allowedGroups = [\\"Admin\\"] )
-  #set($isStaticGroupAuthorized = $util.defaultIfNull(
-                $isStaticGroupAuthorized, false))
   #foreach( $userGroup in $userGroups )
-    #foreach( $allowedGroup in $allowedGroups )
-      #if( $allowedGroup == $userGroup )
-        #set( $isStaticGroupAuthorized = true )
-      #end
+    #if( $allowedGroups.contains($userGroup) )
+      #set( $isStaticGroupAuthorized = true )
+      #break
     #end
   #end
   ## [End] Static Group Authorization Checks **
@@ -489,16 +485,15 @@ exports[`Test that checks subscription resolvers are generated with auth logic 2
 ## [Start] Check authMode and execute owner/group checks **
 #if( $authMode == \\"userPools\\" )
   ## [Start] Static Group Authorization Checks **
-  ## Authorization rule: { allow: groups, groups: \\"[\\"Admin\\"]\\" } **
+  #set($isStaticGroupAuthorized = $util.defaultIfNull(
+            $isStaticGroupAuthorized, false))
+  ## Authorization rule: { allow: groups, groups: [\\"Admin\\"], groupClaim: \\"cognito:groups\\" } **
   #set( $userGroups = $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:groups\\"), []) )
   #set( $allowedGroups = [\\"Admin\\"] )
-  #set($isStaticGroupAuthorized = $util.defaultIfNull(
-                $isStaticGroupAuthorized, false))
   #foreach( $userGroup in $userGroups )
-    #foreach( $allowedGroup in $allowedGroups )
-      #if( $allowedGroup == $userGroup )
-        #set( $isStaticGroupAuthorized = true )
-      #end
+    #if( $allowedGroups.contains($userGroup) )
+      #set( $isStaticGroupAuthorized = true )
+      #break
     #end
   #end
   ## [End] Static Group Authorization Checks **
@@ -545,16 +540,15 @@ exports[`Test that checks subscription resolvers are generated with auth logic 3
 ## [Start] Check authMode and execute owner/group checks **
 #if( $authMode == \\"userPools\\" )
   ## [Start] Static Group Authorization Checks **
-  ## Authorization rule: { allow: groups, groups: \\"[\\"Admin\\"]\\" } **
+  #set($isStaticGroupAuthorized = $util.defaultIfNull(
+            $isStaticGroupAuthorized, false))
+  ## Authorization rule: { allow: groups, groups: [\\"Admin\\"], groupClaim: \\"cognito:groups\\" } **
   #set( $userGroups = $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:groups\\"), []) )
   #set( $allowedGroups = [\\"Admin\\"] )
-  #set($isStaticGroupAuthorized = $util.defaultIfNull(
-                $isStaticGroupAuthorized, false))
   #foreach( $userGroup in $userGroups )
-    #foreach( $allowedGroup in $allowedGroups )
-      #if( $allowedGroup == $userGroup )
-        #set( $isStaticGroupAuthorized = true )
-      #end
+    #if( $allowedGroups.contains($userGroup) )
+      #set( $isStaticGroupAuthorized = true )
+      #break
     #end
   #end
   ## [End] Static Group Authorization Checks **
@@ -605,16 +599,15 @@ exports[`Test that operation overwrites queries in auth operations 3`] = `
 ## [Start] Check authMode and execute owner/group checks **
 #if( $authMode == \\"userPools\\" )
   ## [Start] Static Group Authorization Checks **
-  ## Authorization rule: { allow: groups, groups: \\"[\\"Admin\\",\\"Dev\\"]\\" } **
+  #set($isStaticGroupAuthorized = $util.defaultIfNull(
+            $isStaticGroupAuthorized, false))
+  ## Authorization rule: { allow: groups, groups: [\\"Admin\\",\\"Dev\\"], groupClaim: \\"cognito:groups\\" } **
   #set( $userGroups = $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:groups\\"), []) )
   #set( $allowedGroups = [\\"Admin\\", \\"Dev\\"] )
-  #set($isStaticGroupAuthorized = $util.defaultIfNull(
-                $isStaticGroupAuthorized, false))
   #foreach( $userGroup in $userGroups )
-    #foreach( $allowedGroup in $allowedGroups )
-      #if( $allowedGroup == $userGroup )
-        #set( $isStaticGroupAuthorized = true )
-      #end
+    #if( $allowedGroups.contains($userGroup) )
+      #set( $isStaticGroupAuthorized = true )
+      #break
     #end
   #end
   ## [End] Static Group Authorization Checks **
@@ -664,16 +657,15 @@ exports[`Test that operation overwrites queries in auth operations 4`] = `
 ## [Start] Check authMode and execute owner/group checks **
 #if( $authMode == \\"userPools\\" )
   ## [Start] Static Group Authorization Checks **
-  ## Authorization rule: { allow: groups, groups: \\"[\\"Admin\\",\\"Dev\\"]\\" } **
+  #set($isStaticGroupAuthorized = $util.defaultIfNull(
+            $isStaticGroupAuthorized, false))
+  ## Authorization rule: { allow: groups, groups: [\\"Admin\\",\\"Dev\\"], groupClaim: \\"cognito:groups\\" } **
   #set( $userGroups = $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:groups\\"), []) )
   #set( $allowedGroups = [\\"Admin\\", \\"Dev\\"] )
-  #set($isStaticGroupAuthorized = $util.defaultIfNull(
-                $isStaticGroupAuthorized, false))
   #foreach( $userGroup in $userGroups )
-    #foreach( $allowedGroup in $allowedGroups )
-      #if( $allowedGroup == $userGroup )
-        #set( $isStaticGroupAuthorized = true )
-      #end
+    #if( $allowedGroups.contains($userGroup) )
+      #set( $isStaticGroupAuthorized = true )
+      #break
     #end
   #end
   ## [End] Static Group Authorization Checks **
@@ -877,16 +869,15 @@ exports[`Test that operation overwrites queries in auth operations 5`] = `
 ## [Start] Check authMode and execute owner/group checks **
 #if( $authMode == \\"userPools\\" )
   ## [Start] Static Group Authorization Checks **
-  ## Authorization rule: { allow: groups, groups: \\"[\\"Admin\\",\\"Dev\\"]\\" } **
+  #set($isStaticGroupAuthorized = $util.defaultIfNull(
+            $isStaticGroupAuthorized, false))
+  ## Authorization rule: { allow: groups, groups: [\\"Admin\\",\\"Dev\\"], groupClaim: \\"cognito:groups\\" } **
   #set( $userGroups = $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:groups\\"), []) )
   #set( $allowedGroups = [\\"Admin\\", \\"Dev\\"] )
-  #set($isStaticGroupAuthorized = $util.defaultIfNull(
-                $isStaticGroupAuthorized, false))
   #foreach( $userGroup in $userGroups )
-    #foreach( $allowedGroup in $allowedGroups )
-      #if( $allowedGroup == $userGroup )
-        #set( $isStaticGroupAuthorized = true )
-      #end
+    #if( $allowedGroups.contains($userGroup) )
+      #set( $isStaticGroupAuthorized = true )
+      #break
     #end
   #end
   ## [End] Static Group Authorization Checks **
@@ -1019,16 +1010,15 @@ exports[`Test that subscriptions are only generated if the respective mutation o
 ## [Start] Check authMode and execute owner/group checks **
 #if( $authMode == \\"userPools\\" )
   ## [Start] Static Group Authorization Checks **
-  ## Authorization rule: { allow: groups, groups: \\"[\\"Moderator\\"]\\" } **
+  #set($isStaticGroupAuthorized = $util.defaultIfNull(
+            $isStaticGroupAuthorized, false))
+  ## Authorization rule: { allow: groups, groups: [\\"Moderator\\"], groupClaim: \\"cognito:groups\\" } **
   #set( $userGroups = $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:groups\\"), []) )
   #set( $allowedGroups = [\\"Moderator\\"] )
-  #set($isStaticGroupAuthorized = $util.defaultIfNull(
-                $isStaticGroupAuthorized, false))
   #foreach( $userGroup in $userGroups )
-    #foreach( $allowedGroup in $allowedGroups )
-      #if( $allowedGroup == $userGroup )
-        #set( $isStaticGroupAuthorized = true )
-      #end
+    #if( $allowedGroups.contains($userGroup) )
+      #set( $isStaticGroupAuthorized = true )
+      #break
     #end
   #end
   ## [End] Static Group Authorization Checks **

packages/graphql-auth-transformer/src/constants.ts

@@ -3,6 +3,7 @@ export const DEFAULT_OWNER_FIELD = "owner"
 export const DEFAULT_IDENTITY_FIELD = "username"
 export const GROUPS_AUTH_STRATEGY = "groups"
 export const DEFAULT_GROUPS_FIELD = "groups"
+export const DEFAULT_GROUP_CLAIM = "cognito:groups"
 export const ON_CREATE_FIELD = "onCreate"
 export const ON_UPDATE_FIELD = "onUpdate"
-export const ON_DELETE_FIELD = "onDelete"
+export const ON_DELETE_FIELD = "onDelete"