feat: attach policy & ssm params to access userpool from auth resource (#1090)

* feat: attach policy & ssm params to acces userpool from auth resource

* remove action scope, introduce meta actions and granular iam action

* update type naming to match other access pattern

* Update packages/backend-auth/src/access_builder.ts

Co-authored-by: Amplifiyer <[email protected]>

* fix comments

* fix name

* update jsdoc

* rename to manageUsers

* addressing nit

* update permission mapping

* update API.md

* removed type enforcement between meta & iam actions, updated list

* use flatmap

---------

Co-authored-by: Amplifiyer <[email protected]>

Author: bombguy

.changeset/good-wasps-sin.md

@@ -0,0 +1,5 @@
+---
+'@aws-amplify/backend-auth': minor
+---
+
+attach policy & ssm params to acces userpool from auth resource

packages/backend-auth/API.md

@@ -11,15 +11,23 @@ import { AuthResources } from '@aws-amplify/plugin-types';
 import { AuthRoleName } from '@aws-amplify/plugin-types';
 import { BackendSecret } from '@aws-amplify/plugin-types';
 import { ConstructFactory } from '@aws-amplify/plugin-types';
+import { ConstructFactoryGetInstanceProps } from '@aws-amplify/plugin-types';
 import { ExternalProviderOptions } from '@aws-amplify/auth-construct-alpha';
 import { FacebookProviderProps } from '@aws-amplify/auth-construct-alpha';
 import { FunctionResources } from '@aws-amplify/plugin-types';
 import { GoogleProviderProps } from '@aws-amplify/auth-construct-alpha';
 import { OidcProviderProps } from '@aws-amplify/auth-construct-alpha';
+import { ResourceAccessAcceptor } from '@aws-amplify/plugin-types';
 import { ResourceAccessAcceptorFactory } from '@aws-amplify/plugin-types';
 import { ResourceProvider } from '@aws-amplify/plugin-types';
 import { TriggerEvent } from '@aws-amplify/auth-construct-alpha';
 
+// @public
+export type ActionIam = 'addUserToGroup' | 'createUser' | 'deleteUser' | 'deleteUserAttributes' | 'disableUser' | 'enableUser' | 'forgetDevice' | 'getDevice' | 'getUser' | 'listDevices' | 'listGroupsForUser' | 'removeUserFromGroup' | 'resetUserPassword' | 'setUserMfaPreference' | 'setUserPassword' | 'setUserSettings' | 'updateDeviceStatus' | 'updateUserAttributes';
+
+// @public
+export type ActionMeta = 'manageUsers' | 'manageGroupMembership' | 'manageUserDevices' | 'managePasswordRecovery';
+
 // @public
 export type AmazonProviderFactoryProps = Omit<AmazonProviderProps, 'clientId' | 'clientSecret'> & {
     clientId: BackendSecret;
@@ -30,6 +38,7 @@ export type AmazonProviderFactoryProps = Omit<AmazonProviderProps, 'clientId' |
 export type AmplifyAuthProps = Expand<Omit<AuthProps, 'outputStorageStrategy' | 'loginWith'> & {
     loginWith: Expand<AuthLoginWithFactoryProps>;
     triggers?: Partial<Record<TriggerEvent, ConstructFactory<ResourceProvider<FunctionResources>>>>;
+    access?: AuthAccessGenerator;
 }>;
 
 // @public
@@ -40,6 +49,28 @@ export type AppleProviderFactoryProps = Omit<AppleProviderProps, 'clientId' | 't
     privateKey: BackendSecret;
 };
 
+// @public (undocumented)
+export type AuthAccessBuilder = {
+    resource: (other: ConstructFactory<ResourceProvider & ResourceAccessAcceptorFactory>) => AuthActionBuilder;
+};
+
+// @public (undocumented)
+export type AuthAccessDefinition = {
+    getResourceAccessAcceptor: (getInstanceProps: ConstructFactoryGetInstanceProps) => ResourceAccessAcceptor;
+    actions: AuthAction[];
+};
+
+// @public (undocumented)
+export type AuthAccessGenerator = (allow: AuthAccessBuilder) => AuthAccessDefinition[];
+
+// @public (undocumented)
+export type AuthAction = ActionIam | ActionMeta;
+
+// @public (undocumented)
+export type AuthActionBuilder = {
+    to: (actions: AuthAction[]) => AuthAccessDefinition;
+};
+
 // @public
 export type AuthLoginWithFactoryProps = Omit<AuthProps['loginWith'], 'externalProviders'> & {
     externalProviders?: ExternalProviderSpecificFactoryProps;

packages/backend-auth/src/access_builder.test.ts

@@ -0,0 +1,57 @@
+import { describe, it, mock } from 'node:test';
+import { authAccessBuilder } from './access_builder.js';
+import {
+  ConstructContainer,
+  ConstructFactoryGetInstanceProps,
+  ResourceAccessAcceptorFactory,
+  ResourceProvider,
+} from '@aws-amplify/plugin-types';
+import assert from 'node:assert';
+
+void describe('allowAccessBuilder', () => {
+  const resourceAccessAcceptorMock = mock.fn();
+
+  const getResourceAccessAcceptorMock = mock.fn(
+    // allows us to get proper typing on the mock args
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    (_: string) => resourceAccessAcceptorMock
+  );
+
+  const getConstructFactoryMock = mock.fn(
+    // this lets us get proper typing on the mock args
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    <T extends ResourceProvider>(_: string) => ({
+      getInstance: () =>
+        ({
+          getResourceAccessAcceptor: getResourceAccessAcceptorMock,
+        } as unknown as T),
+    })
+  );
+
+  const stubGetInstanceProps = {
+    constructContainer: {
+      getConstructFactory: getConstructFactoryMock,
+    } as unknown as ConstructContainer,
+  } as unknown as ConstructFactoryGetInstanceProps;
+
+  void it('builds access definition for resource', () => {
+    const accessDefinition = authAccessBuilder
+      .resource({
+        getInstance: () =>
+          ({
+            getResourceAccessAcceptor: getResourceAccessAcceptorMock,
+          } as unknown as ResourceProvider & ResourceAccessAcceptorFactory),
+      })
+      .to(['createUser', 'deleteUser', 'setUserPassword']);
+
+    assert.deepStrictEqual(accessDefinition.actions, [
+      'createUser',
+      'deleteUser',
+      'setUserPassword',
+    ]);
+    assert.equal(
+      accessDefinition.getResourceAccessAcceptor(stubGetInstanceProps),
+      resourceAccessAcceptorMock
+    );
+  });
+});

packages/backend-auth/src/access_builder.ts

@@ -0,0 +1,11 @@
+import { AuthAccessBuilder } from './types.js';
+
+export const authAccessBuilder: AuthAccessBuilder = {
+  resource: (grantee) => ({
+    to: (actions) => ({
+      getResourceAccessAcceptor: (getInstanceProps) =>
+        grantee.getInstance(getInstanceProps).getResourceAccessAcceptor(),
+      actions,
+    }),
+  }),
+};

packages/backend-auth/src/auth_access_policy_arbiter.test.ts

@@ -0,0 +1,132 @@
+import { beforeEach, describe, it, mock } from 'node:test';
+import { App, Stack } from 'aws-cdk-lib';
+import {
+  BackendOutputEntry,
+  BackendOutputStorageStrategy,
+  ConstructContainer,
+  ConstructFactoryGetInstanceProps,
+  ImportPathVerifier,
+} from '@aws-amplify/plugin-types';
+import {
+  ConstructContainerStub,
+  ImportPathVerifierStub,
+  StackResolverStub,
+} from '@aws-amplify/backend-platform-test-stubs';
+import { StackMetadataBackendOutputStorageStrategy } from '@aws-amplify/backend-output-storage';
+import { UserPool } from 'aws-cdk-lib/aws-cognito';
+import { AuthAccessPolicyArbiter } from './auth_access_policy_arbiter.js';
+import assert from 'node:assert';
+import { UserPoolAccessPolicyFactory } from './userpool_access_policy_factory.js';
+
+void describe('AuthAccessPolicyArbiter', () => {
+  void describe('arbitratePolicies', () => {
+    let stack: Stack;
+    let constructContainer: ConstructContainer;
+    let outputStorageStrategy: BackendOutputStorageStrategy<BackendOutputEntry>;
+    let importPathVerifier: ImportPathVerifier;
+    let getInstanceProps: ConstructFactoryGetInstanceProps;
+
+    beforeEach(() => {
+      stack = createStackAndSetContext();
+
+      constructContainer = new ConstructContainerStub(
+        new StackResolverStub(stack)
+      );
+
+      outputStorageStrategy = new StackMetadataBackendOutputStorageStrategy(
+        stack
+      );
+
+      importPathVerifier = new ImportPathVerifierStub();
+
+      getInstanceProps = {
+        constructContainer,
+        outputStorageStrategy,
+        importPathVerifier,
+      };
+    });
+
+    void it('passes expected policy and ssm context to resource access acceptor', () => {
+      const userpool = new UserPool(stack, 'testUserPool');
+      const acceptResourceAccessMock = mock.fn();
+      const authAccessPolicyArbiter = new AuthAccessPolicyArbiter(
+        [
+          {
+            actions: ['manageUsers'],
+            getResourceAccessAcceptor: () => ({
+              identifier: 'testResourceAccessAcceptor',
+              acceptResourceAccess: acceptResourceAccessMock,
+            }),
+          },
+          {
+            actions: ['deleteUser', 'disableUser', 'deleteUserAttributes'],
+            getResourceAccessAcceptor: () => ({
+              identifier: 'testResourceAccessAcceptor',
+              acceptResourceAccess: acceptResourceAccessMock,
+            }),
+          },
+        ],
+        getInstanceProps,
+        [{ name: 'TEST_USERPOOL_ID', path: 'test/ssm/path/to/userpool/id' }],
+        new UserPoolAccessPolicyFactory(userpool)
+      );
+
+      authAccessPolicyArbiter.arbitratePolicies();
+      assert.equal(acceptResourceAccessMock.mock.callCount(), 2);
+      assert.deepStrictEqual(
+        acceptResourceAccessMock.mock.calls[0].arguments[0].document.toJSON(),
+        {
+          Statement: [
+            {
+              Action: [
+                'cognito-idp:AdminConfirmSignUp',
+                'cognito-idp:AdminCreateUser',
+                'cognito-idp:AdminDeleteUser',
+                'cognito-idp:AdminDeleteUserAttributes',
+                'cognito-idp:AdminDisableUser',
+                'cognito-idp:AdminEnableUser',
+                'cognito-idp:AdminGetUser',
+                'cognito-idp:AdminListGroupsForUser',
+                'cognito-idp:AdminRespondToAuthChallenge',
+                'cognito-idp:AdminSetUserMFAPreference',
+                'cognito-idp:AdminSetUserSettings',
+                'cognito-idp:AdminUpdateUserAttributes',
+                'cognito-idp:AdminUserGlobalSignOut',
+              ],
+              Effect: 'Allow',
+              Resource: `${userpool.userPoolArn}`,
+            },
+          ],
+          Version: '2012-10-17',
+        }
+      );
+      assert.deepStrictEqual(
+        acceptResourceAccessMock.mock.calls[1].arguments[0].document.toJSON(),
+        {
+          Statement: [
+            {
+              Action: [
+                'cognito-idp:AdminDeleteUser',
+                'cognito-idp:AdminDisableUser',
+                'cognito-idp:AdminDeleteUserAttributes',
+              ],
+              Effect: 'Allow',
+              Resource: `${userpool.userPoolArn}`,
+            },
+          ],
+          Version: '2012-10-17',
+        }
+      );
+      assert.deepStrictEqual(
+        acceptResourceAccessMock.mock.calls[0].arguments[1],
+        [{ name: 'TEST_USERPOOL_ID', path: 'test/ssm/path/to/userpool/id' }]
+      );
+    });
+  });
+});
+
+const createStackAndSetContext = (): Stack => {
+  const app = new App();
+  const stack = new Stack(app);
+  return stack;
+};

packages/backend-auth/src/auth_access_policy_arbiter.ts

@@ -0,0 +1,58 @@
+import {
+  ConstructFactoryGetInstanceProps,
+  SsmEnvironmentEntry,
+} from '@aws-amplify/plugin-types';
+import { AuthAccessDefinition } from './types.js';
+import { UserPoolAccessPolicyFactory } from './userpool_access_policy_factory.js';
+
+/**
+ * Middleman between creating bucket policies and attaching those policies to corresponding roles
+ */
+export class AuthAccessPolicyArbiter {
+  /**
+   * Instantiate with context from the auth factory
+   */
+  constructor(
+    private readonly accessDefinition: AuthAccessDefinition[],
+    private readonly getInstanceProps: ConstructFactoryGetInstanceProps,
+    private readonly ssmEnvironmentEntries: SsmEnvironmentEntry[],
+    private readonly userPoolAccessPolicyFactory: UserPoolAccessPolicyFactory
+  ) {}
+
+  /**
+   * Responsible for creating policies corresponding to the definition,
+   * then invoking the corresponding ResourceAccessAcceptor to accept the policies
+   */
+  arbitratePolicies = () => {
+    this.accessDefinition.forEach(this.acceptResourceAccess);
+  };
+
+  acceptResourceAccess = (accessDefinition: AuthAccessDefinition) => {
+    const accessAcceptor = accessDefinition.getResourceAccessAcceptor(
+      this.getInstanceProps
+    );
+    const policy = this.userPoolAccessPolicyFactory.createPolicy(
+      accessDefinition.actions
+    );
+
+    accessAcceptor.acceptResourceAccess(policy, this.ssmEnvironmentEntries);
+  };
+}
+
+/**
+ *
+ */
+export class AuthAccessPolicyArbiterFactory {
+  getInstance = (
+    accessDefinition: AuthAccessDefinition[],
+    getInstanceProps: ConstructFactoryGetInstanceProps,
+    ssmEnvironmentEntries: SsmEnvironmentEntry[],
+    userpoolAccessPolicyFactory: UserPoolAccessPolicyFactory
+  ) =>
+    new AuthAccessPolicyArbiter(
+      accessDefinition,
+      getInstanceProps,
+      ssmEnvironmentEntries,
+      userpoolAccessPolicyFactory
+    );
+}