fix: Multiple custom operation group auth definition of custom type (#572)

Author: stocaaro

.changeset/six-cats-make.md

@@ -0,0 +1,5 @@
+---
+'@aws-amplify/data-schema': patch
+---
+
+Fix custom type authorization rule bug

packages/data-schema/__tests__/ModelType.test.ts

@@ -198,6 +198,39 @@ describe('model auth rules', () => {
     expect(graphql).toMatchSnapshot();
   });
 
+  it(`can merge group authorization to allow groups to be defined by multiple custom operations`, () => {
+    const schema = a.schema({
+      CustomType: a.customType({
+        id: a.string().required(),
+        name: a.string().required(),
+      }),
+      exampleAdminAndUserQuery: a
+        .query()
+        .arguments({
+          arg1: a.string().required(),
+        })
+        .returns(a.ref("CustomType").required().array().required())
+        .handler(a.handler.function('exampleFunc'))
+        .authorization((allow) => [allow.groups(["Admin", "User"])]),
+      exampleAdminOnlyQuery: a
+        .query()
+        .arguments({
+          arg1: a.string().required(),
+        })
+        .returns(a.ref("CustomType").required().array().required())
+        .handler(a.handler.function('exampleFunc'))
+        .authorization((allow) => [allow.groups(["Admin"])]),
+      ExampleModel: a.model({
+        name: a.ref("CustomType").required().array().required().authorization((allow) => [allow.groups(["Admin3", "User3"])]),
+        description: a.string().authorization((allow) => [allow.groups(["Admin3"])]),
+      })
+      .authorization((allow) => [allow.groups(["Admin2", "User2"])])
+    });
+
+    const graphql = schema.transform().schema;
+    expect(graphql).toMatchSnapshot();
+  });
+
   it(`can create a "multiple owners" rule on an implied (auto-created) field`, () => {
     const schema = a.schema({
       widget: a

packages/data-schema/__tests__/__snapshots__/ModelType.test.ts.snap

@@ -516,6 +516,25 @@ exports[`model auth rules can define public auth with no provider 1`] = `
 }"
 `;
 
+exports[`model auth rules can merge group authorization to allow groups to be defined by multiple custom operations 1`] = `
+"type ExampleModel @model @auth(rules: [{allow: groups, groups: ["Admin2", "User2"]}])
+{
+  name: [CustomType!]! @auth(rules: [{allow: groups, groups: ["Admin3", "User3"]}])
+  description: String @auth(rules: [{allow: groups, groups: ["Admin3"]}])
+}
+
+type CustomType @aws_cognito_user_pools(cognito_groups: ["Admin", "User"])
+{
+  id: String!
+  name: String!
+}
+
+type Query {
+  exampleAdminAndUserQuery(arg1: String!): [CustomType!]! @function(name: "exampleFunc") @auth(rules: [{allow: groups, groups: ["Admin", "User"]}])
+  exampleAdminOnlyQuery(arg1: String!): [CustomType!]! @function(name: "exampleFunc") @auth(rules: [{allow: groups, groups: ["Admin"]}])
+}"
+`;
+
 exports[`model auth rules can specify an owner identityClaim 1`] = `
 "type widget @model @auth(rules: [{allow: owner, ownerField: "owner", identityClaim: "user_id"}])
 {

packages/data-schema/src/SchemaProcessor.ts

@@ -896,6 +896,8 @@ function mapToNativeAppSyncAuthDirectives(
 ) {
   const rules = new Set<string>();
 
+  const groupProvider: Map<string, Set<string>> = new Map();
+
   for (const entry of authorization) {
     const rule = accessData(entry);
 
@@ -904,17 +906,25 @@ function mapToNativeAppSyncAuthDirectives(
     const provider = getAppSyncAuthDirectiveFromRule(rule);
 
     if (rule.groups) {
-      // example: (cognito_groups: ["Bloggers", "Readers"])
+      if(!groupProvider.has(provider)) {
+        groupProvider.set(provider, new Set());
+      };
+      rule.groups.forEach((group) => groupProvider.get(provider)?.add(group));
+    } else {
+      rules.add(provider);
+    }
+
+    groupProvider.forEach((groups, provider) => {
       rules.add(
-        `${provider}(cognito_groups: [${rule.groups
+        `${provider}(cognito_groups: [${Array.from(groups)
           .map((group) => `"${group}"`)
           .join(', ')}])`,
       );
-    } else {
-      rules.add(provider);
-    }
+      // example: (cognito_groups: ["Bloggers", "Readers"])
+    })
   }
 
+
   const authString = [...rules].join(' ');
 
   return { authString };