fix(datastore): fix owner based subscriptions queries w/ multiauth (#1553)

* fix(datastore): fix owner based subscriptions queries w/ multiauth

* chore(datastore): update tests with comments

* chore(datastore): add OIDC test

Author: diegocstn

AmplifyPlugins/Core/AWSPluginsCore/Model/Decorator/AuthRuleDecorator.swift

@@ -30,9 +30,18 @@ public enum AuthRuleDecoratorInput {
 public struct AuthRuleDecorator: ModelBasedGraphQLDocumentDecorator {
 
     private let input: AuthRuleDecoratorInput
+    private let authType: AWSAuthorizationType?
 
-    public init(_ authRuleDecoratorInput: AuthRuleDecoratorInput) {
+
+    /// Initializes a new AuthRuleDecorator
+    /// - Parameters:
+    ///   - authRuleDecoratorInput: decorator input
+    ///   - authType: authentication type, if provided will be used to filter the auth rules based on the provider field.
+    ///               Only use when multi-auth is enabled.
+    public init(_ authRuleDecoratorInput: AuthRuleDecoratorInput,
+                authType: AWSAuthorizationType? = nil) {
         self.input = authRuleDecoratorInput
+        self.authType = authType
     }
 
     public func decorate(_ document: SingleDirectiveGraphQLDocument,
@@ -42,7 +51,7 @@ public struct AuthRuleDecorator: ModelBasedGraphQLDocumentDecorator {
 
     public func decorate(_ document: SingleDirectiveGraphQLDocument,
                          modelSchema: ModelSchema) -> SingleDirectiveGraphQLDocument {
-        let authRules = modelSchema.authRules
+        let authRules = modelSchema.authRules.filterBy(authType: authType)
         guard !authRules.isEmpty else {
             return document
         }
@@ -171,4 +180,22 @@ public struct AuthRuleDecorator: ModelBasedGraphQLDocumentDecorator {
     }
 }
 
+private extension AuthRules {
+    func filterBy(authType: AWSAuthorizationType?) -> AuthRules {
+        guard let authType = authType else {
+            return self
+        }
+
+        return filter {
+            guard let provider = $0.provider else {
+                // if an authType is available but not a provider
+                // means DataStore is using multi-auth with an outdated
+                // version of models (prior to codegen v2.26.0).
+                return true
+            }
+            return authType == provider.toAWSAuthorizationType()
+        }
+    }
+}
+
 extension AuthRuleDecorator: DefaultLogger { }

AmplifyPlugins/Core/AWSPluginsCore/Model/GraphQLRequest/GraphQLRequest+AnyModelWithSync.swift

@@ -65,7 +65,7 @@ extension GraphQLRequest: ModelSyncGraphQLRequestFactory {
         documentBuilder.add(decorator: DirectiveNameDecorator(type: .get))
         documentBuilder.add(decorator: ModelIdDecorator(id: id))
         documentBuilder.add(decorator: ConflictResolutionDecorator())
-        documentBuilder.add(decorator: AuthRuleDecorator(.query))
+        documentBuilder.add(decorator: AuthRuleDecorator(.query, authType: authType))
         let document = documentBuilder.build()
 
         let awsPluginOptions = AWSPluginOptions(authType: authType)
@@ -150,7 +150,7 @@ extension GraphQLRequest: ModelSyncGraphQLRequestFactory {
             documentBuilder.add(decorator: FilterDecorator(filter: filter))
         }
         documentBuilder.add(decorator: ConflictResolutionDecorator(version: version))
-        documentBuilder.add(decorator: AuthRuleDecorator(.mutation))
+        documentBuilder.add(decorator: AuthRuleDecorator(.mutation, authType: authType))
         let document = documentBuilder.build()
 
         let awsPluginOptions = AWSPluginOptions(authType: authType)
@@ -171,7 +171,7 @@ extension GraphQLRequest: ModelSyncGraphQLRequestFactory {
                                                                operationType: .subscription)
         documentBuilder.add(decorator: DirectiveNameDecorator(type: subscriptionType))
         documentBuilder.add(decorator: ConflictResolutionDecorator())
-        documentBuilder.add(decorator: AuthRuleDecorator(.subscription(subscriptionType, nil)))
+        documentBuilder.add(decorator: AuthRuleDecorator(.subscription(subscriptionType, nil), authType: authType))
         let document = documentBuilder.build()
 
         let awsPluginOptions = AWSPluginOptions(authType: authType)
@@ -193,7 +193,7 @@ extension GraphQLRequest: ModelSyncGraphQLRequestFactory {
                                                                operationType: .subscription)
         documentBuilder.add(decorator: DirectiveNameDecorator(type: subscriptionType))
         documentBuilder.add(decorator: ConflictResolutionDecorator())
-        documentBuilder.add(decorator: AuthRuleDecorator(.subscription(subscriptionType, claims)))
+        documentBuilder.add(decorator: AuthRuleDecorator(.subscription(subscriptionType, claims), authType: authType))
         let document = documentBuilder.build()
 
         let awsPluginOptions = AWSPluginOptions(authType: authType)
@@ -220,7 +220,7 @@ extension GraphQLRequest: ModelSyncGraphQLRequestFactory {
         }
         documentBuilder.add(decorator: PaginationDecorator(limit: limit, nextToken: nextToken))
         documentBuilder.add(decorator: ConflictResolutionDecorator(lastSync: lastSync))
-        documentBuilder.add(decorator: AuthRuleDecorator(.query))
+        documentBuilder.add(decorator: AuthRuleDecorator(.query, authType: authType))
         let document = documentBuilder.build()
 
         let awsPluginOptions = AWSPluginOptions(authType: authType)
@@ -249,7 +249,7 @@ extension GraphQLRequest: ModelSyncGraphQLRequestFactory {
             documentBuilder.add(decorator: FilterDecorator(filter: filter))
         }
         documentBuilder.add(decorator: ConflictResolutionDecorator(version: version))
-        documentBuilder.add(decorator: AuthRuleDecorator(.mutation))
+        documentBuilder.add(decorator: AuthRuleDecorator(.mutation, authType: authType))
         let document = documentBuilder.build()
 
         let awsPluginOptions = AWSPluginOptions(authType: authType)

AmplifyPlugins/Core/AWSPluginsCoreTests/Model/Decorator/AuthRuleDecorator/ModelWithOwnerFieldAuthRuleTests.swift

@@ -11,46 +11,7 @@ import XCTest
 @testable import AmplifyTestCommon
 @testable import AWSPluginsCore
 
-/*
- type ModelWithOwnerField
-   @model
-   @auth(rules: [ { allow: owner, ownerField: "author" } ])
- {
-   id: ID!
-   content: String!
-   author: String
- }
-*/
-public struct ModelWithOwnerField: Model {
-    public let id: String
-    public var content: String
-    public var author: String?
-    public init(id: String = UUID().uuidString,
-                content: String,
-                author: String?) {
-        self.id = id
-        self.content = content
-        self.author = author
-    }
-    public enum CodingKeys: String, ModelKey {
-        case id
-        case content
-        case author
-    }
-    public static let keys = CodingKeys.self
-
-    public static let schema = defineSchema { model in
-        let modelWithOwnerField = ModelWithOwnerField.keys
-        model.authRules = [
-            rule(allow: .owner, ownerField: "author")
-        ]
-        model.fields(
-            .id(),
-            .field(modelWithOwnerField.content, is: .required, ofType: .string),
-            .field(modelWithOwnerField.author, is: .optional, ofType: .string))
-    }
-}
-
+// swiftlint:disable type_body_length
 class ModelWithOwnerFieldAuthRuleTests: XCTestCase {
 
     override func setUp() {
@@ -286,4 +247,194 @@ class ModelWithOwnerFieldAuthRuleTests: XCTestCase {
         }
         XCTAssertEqual(variables["author"] as? String, "user1")
     }
+
+    func testModelWithMultipleAuthRules_Subscription() {
+        var documentBuilder = ModelBasedGraphQLDocumentBuilder(modelSchema: ModelWithMultipleAuthRules.schema,
+                                                               operationType: .subscription)
+        documentBuilder.add(decorator: DirectiveNameDecorator(type: .onCreate))
+        documentBuilder.add(decorator: AuthRuleDecorator(.subscription(.onCreate, nil)))
+        let document = documentBuilder.build()
+        let expectedQueryDocument = """
+        subscription OnCreateModelWithMultipleAuthRules($author: String!) {
+          onCreateModelWithMultipleAuthRules(author: $author) {
+            id
+            author
+            content
+            __typename
+          }
+        }
+        """
+        XCTAssertEqual(document.name, "onCreateModelWithMultipleAuthRules")
+        XCTAssertEqual(document.stringValue, expectedQueryDocument)
+    }
+
+    func testModelWithMultipleAuthRulesAPIKey_Subscription() {
+        var documentBuilder = ModelBasedGraphQLDocumentBuilder(modelSchema: ModelWithMultipleAuthRules.schema,
+                                                               operationType: .subscription)
+        documentBuilder.add(decorator: DirectiveNameDecorator(type: .onCreate))
+        documentBuilder.add(decorator: AuthRuleDecorator(.subscription(.onCreate, nil),
+                                                         authType: .apiKey))
+        let document = documentBuilder.build()
+        let expectedQueryDocument = """
+        subscription OnCreateModelWithMultipleAuthRules {
+          onCreateModelWithMultipleAuthRules {
+            id
+            author
+            content
+            __typename
+          }
+        }
+        """
+        XCTAssertEqual(document.name, "onCreateModelWithMultipleAuthRules")
+        XCTAssertEqual(document.stringValue, expectedQueryDocument)
+    }
+
+    func testModelWithOIDCOwner_Subscription() {
+        var documentBuilder = ModelBasedGraphQLDocumentBuilder(modelSchema: ModelWithOIDCOwnerField.schema,
+                                                               operationType: .subscription)
+        documentBuilder.add(decorator: DirectiveNameDecorator(type: .onCreate))
+        documentBuilder.add(decorator: AuthRuleDecorator(.subscription(.onCreate, nil)))
+        let document = documentBuilder.build()
+        let expectedQueryDocument = """
+        subscription OnCreateModelWithOIDCOwnerField($author: String!) {
+          onCreateModelWithOIDCOwnerField(author: $author) {
+            id
+            author
+            content
+            __typename
+          }
+        }
+        """
+        XCTAssertEqual(document.name, "onCreateModelWithOIDCOwnerField")
+        XCTAssertEqual(document.stringValue, expectedQueryDocument)
+    }
+}
+
+// MARK: Test schemas
+
+/*
+ type ModelWithOwnerField
+   @model
+   @auth(rules: [ { allow: owner, ownerField: "author" } ])
+ {
+   id: ID!
+   content: String!
+   author: String
+ }
+*/
+public struct ModelWithOwnerField: Model {
+    public let id: String
+    public var content: String
+    public var author: String?
+    public init(id: String = UUID().uuidString,
+                content: String,
+                author: String?) {
+        self.id = id
+        self.content = content
+        self.author = author
+    }
+    public enum CodingKeys: String, ModelKey {
+        case id
+        case content
+        case author
+    }
+    public static let keys = CodingKeys.self
+
+    public static let schema = defineSchema { model in
+        let modelWithOwnerField = ModelWithOwnerField.keys
+        model.authRules = [
+            rule(allow: .owner, ownerField: "author")
+        ]
+        model.fields(
+            .id(),
+            .field(modelWithOwnerField.content, is: .required, ofType: .string),
+            .field(modelWithOwnerField.author, is: .optional, ofType: .string))
+    }
+}
+
+/*
+ type ModelWithOIDCOwnerField
+   @model
+   @auth(rules: [ { allow: owner, ownerField: "author" } ])
+ {
+   id: ID!
+   content: String!
+   author: String
+ }
+*/
+public struct ModelWithOIDCOwnerField: Model {
+    public let id: String
+    public var content: String
+    public var author: String?
+    public init(id: String = UUID().uuidString,
+                content: String,
+                author: String?) {
+        self.id = id
+        self.content = content
+        self.author = author
+    }
+    public enum CodingKeys: String, ModelKey {
+        case id
+        case content
+        case author
+    }
+    public static let keys = CodingKeys.self
+
+    public static let schema = defineSchema { model in
+        let modelWithOwnerField = ModelWithOwnerField.keys
+        model.authRules = [
+            rule(allow: .owner, ownerField: "author", provider: .oidc)
+        ]
+        model.fields(
+            .id(),
+            .field(modelWithOwnerField.content, is: .required, ofType: .string),
+            .field(modelWithOwnerField.author, is: .optional, ofType: .string))
+    }
+}
+
+/*
+ Example of model with multiple authorization rules,
+ and one of them doesn't require an `owner`.
+
+ type ModelWithOwnerField
+   @model
+   @auth(rules: [
+        { allow: owner, ownerField: "author" },
+        { allow: public, provider: "apiKey" }
+    ])
+ {
+   id: ID!
+   content: String!
+   author: String
+ }
+*/
+public struct ModelWithMultipleAuthRules: Model {
+    public let id: String
+    public var content: String
+    public var author: String?
+    public init(id: String = UUID().uuidString,
+                content: String,
+                author: String?) {
+        self.id = id
+        self.content = content
+        self.author = author
+    }
+    public enum CodingKeys: String, ModelKey {
+        case id
+        case content
+        case author
+    }
+    public static let keys = CodingKeys.self
+
+    public static let schema = defineSchema { model in
+        let modelWithMultipleAuthRules = ModelWithMultipleAuthRules.keys
+        model.authRules = [
+            rule(allow: .owner, ownerField: "author", provider: .userPools),
+            rule(allow: .public, provider: .apiKey)
+        ]
+        model.fields(
+            .id(),
+            .field(modelWithMultipleAuthRules.content, is: .required, ofType: .string),
+            .field(modelWithMultipleAuthRules.author, is: .optional, ofType: .string))
+    }
 }