fix(Core): use groupClaim in @auth rule for oidc (#847)

Author: wooj2

Amplify.xcodeproj/project.pbxproj

@@ -147,6 +147,8 @@
 		6BB7441023A9954900B0EB6C /* DispatchSource+MakeOneOff.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6BB7440F23A9954900B0EB6C /* DispatchSource+MakeOneOff.swift */; };
 		6BBECD7123ADA7E100C8DFBE /* AmplifyAWSServiceConfiguration.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6BBECD7023ADA7E100C8DFBE /* AmplifyAWSServiceConfiguration.swift */; };
 		6BBECD7423ADA9D100C8DFBE /* AmplifyAWSServiceConfigurationTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6BBECD7323ADA9D100C8DFBE /* AmplifyAWSServiceConfigurationTests.swift */; };
+		6BDF15B62541262000B5BE69 /* ModelWithOwnerAuthAndGroupWithGroupClaim.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6BDF15B52541262000B5BE69 /* ModelWithOwnerAuthAndGroupWithGroupClaim.swift */; };
+		6BDF15B825412DE600B5BE69 /* ModelWithOwnerAuthAndMultiGroup.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6BDF15B725412DE600B5BE69 /* ModelWithOwnerAuthAndMultiGroup.swift */; };
 		6BEE0817253114FD00133961 /* AWSAuthServiceTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6BEE0816253114FD00133961 /* AWSAuthServiceTests.swift */; };
 		6BEE08192533CAA600133961 /* GraphQLRequestOwnerAndGroupTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6BEE08182533CAA600133961 /* GraphQLRequestOwnerAndGroupTests.swift */; };
 		6BEE081C2533CCFA00133961 /* OGCScenarioBPost+Schema.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6BEE081A2533CCFA00133961 /* OGCScenarioBPost+Schema.swift */; };
@@ -912,6 +914,8 @@
 		6BB7440F23A9954900B0EB6C /* DispatchSource+MakeOneOff.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = "DispatchSource+MakeOneOff.swift"; sourceTree = "<group>"; };
 		6BBECD7023ADA7E100C8DFBE /* AmplifyAWSServiceConfiguration.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AmplifyAWSServiceConfiguration.swift; sourceTree = "<group>"; };
 		6BBECD7323ADA9D100C8DFBE /* AmplifyAWSServiceConfigurationTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AmplifyAWSServiceConfigurationTests.swift; sourceTree = "<group>"; };
+		6BDF15B52541262000B5BE69 /* ModelWithOwnerAuthAndGroupWithGroupClaim.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ModelWithOwnerAuthAndGroupWithGroupClaim.swift; sourceTree = "<group>"; };
+		6BDF15B725412DE600B5BE69 /* ModelWithOwnerAuthAndMultiGroup.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ModelWithOwnerAuthAndMultiGroup.swift; sourceTree = "<group>"; };
 		6BEE0816253114FD00133961 /* AWSAuthServiceTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AWSAuthServiceTests.swift; sourceTree = "<group>"; };
 		6BEE08182533CAA600133961 /* GraphQLRequestOwnerAndGroupTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = GraphQLRequestOwnerAndGroupTests.swift; sourceTree = "<group>"; };
 		6BEE081A2533CCFA00133961 /* OGCScenarioBPost+Schema.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "OGCScenarioBPost+Schema.swift"; sourceTree = "<group>"; };
@@ -1822,6 +1826,8 @@
 				21A3FDAE24630D7F00E76120 /* ModelWithOwnerFieldAuthRuleTests.swift */,
 				21A3FDB32463C49F00E76120 /* ModelReadUpdateAuthRuleTests.swift */,
 				21A3FDB52464590600E76120 /* ModelMultipleOwnerAuthRuleTests.swift */,
+				6BDF15B52541262000B5BE69 /* ModelWithOwnerAuthAndGroupWithGroupClaim.swift */,
+				6BDF15B725412DE600B5BE69 /* ModelWithOwnerAuthAndMultiGroup.swift */,
 			);
 			path = AuthRuleDecorator;
 			sourceTree = "<group>";
@@ -4325,6 +4331,7 @@
 				2129BE48239489AC006363A1 /* MutationSyncMetadataTests.swift in Sources */,
 				216E45F1248E971E0035E3CE /* GraphQLRequestNonModelTests.swift in Sources */,
 				21A3FDAF24630D7F00E76120 /* ModelWithOwnerFieldAuthRuleTests.swift in Sources */,
+				6BDF15B825412DE600B5BE69 /* ModelWithOwnerAuthAndMultiGroup.swift in Sources */,
 				2183A56823EA4A8E00232880 /* GraphQLDeleteMutationTests.swift in Sources */,
 				21A3FDB42463C49F00E76120 /* ModelReadUpdateAuthRuleTests.swift in Sources */,
 				2183A56323EA4A7800232880 /* GraphQLSubscriptionTests.swift in Sources */,
@@ -4337,6 +4344,7 @@
 				6BBECD7423ADA9D100C8DFBE /* AmplifyAWSServiceConfigurationTests.swift in Sources */,
 				6B9F7C5225267E1500F1F71C /* MockAWSAuthUser.swift in Sources */,
 				21AD425A249C0D910016FE95 /* AnyModelTester.swift in Sources */,
+				6BDF15B62541262000B5BE69 /* ModelWithOwnerAuthAndGroupWithGroupClaim.swift in Sources */,
 				2129BE3C2394828B006363A1 /* GraphQLRequestModelTests.swift in Sources */,
 				2183A56523EA4A8400232880 /* GraphQLListQueryTests.swift in Sources */,
 				6BEE08192533CAA600133961 /* GraphQLRequestOwnerAndGroupTests.swift in Sources */,

AmplifyPlugins/Core/AWSPluginsCore/Model/Decorator/AuthRuleDecorator.swift

@@ -51,7 +51,7 @@ public struct AuthRuleDecorator: ModelBasedGraphQLDocumentDecorator {
             return decorateDocument
         }
 
-        let readRestrictingStaticGroups = authRules.readRestrictingStaticGroups()
+        let readRestrictingStaticGroups = authRules.groupClaimsToReadRestrictingStaticGroups()
         authRules.forEach { authRule in
             decorateDocument = decorateAuthStrategy(document: decorateDocument,
                                                     authRule: authRule,
@@ -62,7 +62,7 @@ public struct AuthRuleDecorator: ModelBasedGraphQLDocumentDecorator {
 
     private func decorateAuthStrategy(document: SingleDirectiveGraphQLDocument,
                                       authRule: AuthRule,
-                                      readRestrictingStaticGroups: Set<String>) -> SingleDirectiveGraphQLDocument {
+                                      readRestrictingStaticGroups: [String: Set<String>]) -> SingleDirectiveGraphQLDocument {
         guard authRule.allow == .owner,
             var selectionSet = document.selectionSet else {
             return document
@@ -71,10 +71,10 @@ public struct AuthRuleDecorator: ModelBasedGraphQLDocumentDecorator {
         let ownerField = authRule.getOwnerFieldOrDefault()
         selectionSet = appendOwnerFieldToSelectionSetIfNeeded(selectionSet: selectionSet, ownerField: ownerField)
 
-       if case let .subscription(_, claims) = input,
+        if case let .subscription(_, claims) = input,
             authRule.isReadRestrictingOwner() &&
-                isNotInReadRestrictingStaticGroup(readRestrictingStaticGroups,
-                                                  cognitoGroupsFrom(claims: claims)) {
+                isNotInReadRestrictingStaticGroup(jwtTokenClaims: claims,
+                                                  readRestrictingStaticGroups: readRestrictingStaticGroups) {
             var inputs = document.inputs
             let identityClaimValue = resolveIdentityClaimValue(identityClaim: authRule.identityClaimOrDefault(),
                                                                claims: claims)
@@ -86,15 +86,25 @@ public struct AuthRuleDecorator: ModelBasedGraphQLDocumentDecorator {
         return document.copy(selectionSet: selectionSet)
     }
 
-    private func isNotInReadRestrictingStaticGroup(_ readRestrictingStaticGroups: Set<String>,
-                                                   _ cognitoGroupsFromClaims: Set<String>) -> Bool {
-        return (readRestrictingStaticGroups.isEmpty ||
-            readRestrictingStaticGroups.isDisjoint(with: cognitoGroupsFromClaims))
+    private func isNotInReadRestrictingStaticGroup(jwtTokenClaims: IdentityClaimsDictionary,
+                                                   readRestrictingStaticGroups: [String: Set<String>]) -> Bool {
+        for (groupClaim, readRestrictingStaticGroupsPerClaim) in readRestrictingStaticGroups {
+            let groupsFromClaim = groupsFrom(jwtTokenClaims: jwtTokenClaims, groupClaim: groupClaim)
+            let doesNotBelongToGroupsFromClaim = readRestrictingStaticGroupsPerClaim.isEmpty ||
+                readRestrictingStaticGroupsPerClaim.isDisjoint(with: groupsFromClaim)
+            if doesNotBelongToGroupsFromClaim {
+                continue
+            } else {
+                return false
+            }
+        }
+        return true
     }
 
-    private func cognitoGroupsFrom(claims: IdentityClaimsDictionary) -> Set<String> {
+    private func groupsFrom(jwtTokenClaims: IdentityClaimsDictionary,
+                            groupClaim: String) -> Set<String> {
         var groupSet = Set<String>()
-        if let groups = (claims["cognito:groups"] as? NSArray) as Array? {
+        if let groups = (jwtTokenClaims[groupClaim] as? NSArray) as Array? {
             for group in groups {
                 if let groupString = group as? String {
                     groupSet.insert(groupString)

AmplifyPlugins/Core/AWSPluginsCore/Model/Support/AuthRule+Extension.swift

@@ -42,15 +42,47 @@ extension AuthRule {
 }
 
 extension Array where Element == AuthRule {
-    func readRestrictingStaticGroups() -> Set<String> {
-        var readRestrictingStaticGroups = Set<String>()
+
+    // This function returns a map of all of the read restricting static groups defined for your app's schema
+    // Example 1: Single group with implicit read restriction
+    // {allow: groups, groups: ["Admins"]}
+    // Returns:
+    // {
+    //     "cognito:groups" : ["Admins"]
+    // }
+    //
+    // Example 2: Multiple groups with only one having read restriction
+    // {allow: groups, groups: ["Admins"], operations: [read, update, delete], groupClaim: "https://app1.com/claims/groups"}
+    // {allow: groups, groups: ["Users"], operations: [create]}
+    // Returns:
+    // {
+    //     "https://app1.com/claims/groups" : ["Admins"]
+    // }
+    //
+    // Example 3: Multiple groups with multiple group claims
+    // {allow: groups, provider: oidc, groups: ["Admins"], groupClaim: "https://app1.com/claims/groups"}
+    // {allow: groups, provider: oidc, groups: ["Moderators", "Editors"], groupClaim: "https://app2.com/claims/groups"}
+    // Returns:
+    // {
+    //     "https://app1.com/claims/groups" : ["Admins"],
+    //     "https://app2.com/claims/groups" : ["Moderators", "Editors"]
+    // }
+    //
+    func groupClaimsToReadRestrictingStaticGroups() -> [String: Set<String>] {
+        var readRestrictingStaticGroupsMap = [String: Set<String>]()
         let readRestrictingGroupRules = filter { $0.isReadRestrictingStaticGroup() }
-        for groupRules in readRestrictingGroupRules {
-            groupRules.groups.forEach { group in
-                readRestrictingStaticGroups.insert(group)
+        for groupRule in readRestrictingGroupRules {
+            let groupClaim = groupRule.groupClaim ?? "cognito:groups"
+            groupRule.groups.forEach { group in
+                if var existingSet = readRestrictingStaticGroupsMap[groupClaim] {
+                    existingSet.insert(group)
+                    readRestrictingStaticGroupsMap[groupClaim] = existingSet
+                } else {
+                    readRestrictingStaticGroupsMap[groupClaim] = [group]
+                }
             }
         }
-        return readRestrictingStaticGroups
+        return readRestrictingStaticGroupsMap
     }
 
     func readRestrictingOwnerRules() -> [AuthRule] {

AmplifyPlugins/Core/AWSPluginsCoreTests/Model/Decorator/AuthRuleDecorator/ModelWithOwnerAuthAndGroupWithGroupClaim.swift

@@ -0,0 +1,186 @@
+//
+// Copyright 2018-2020 Amazon.com,
+// Inc. or its affiliates. All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import XCTest
+
+@testable import Amplify
+@testable import AmplifyTestCommon
+@testable import AWSPluginsCore
+
+/*
+ type OIDCGroupPost
+   @model
+   @auth(
+     rules: [
+       { allow: owner, provider: oidc, identityClaim: "sub"},
+       { allow: groups, provider: oidc, groups: ["Admins"],
+                                    groupClaim: "https://myapp.com/claims/groups"}
+     ]
+   ) {
+   id: ID!
+   title: String!
+   owner: String
+ }
+ */
+
+public struct OIDCGroupPost: Model {
+  public let id: String
+  public var title: String
+  public var owner: String?
+
+  public init(id: String = UUID().uuidString,
+              title: String,
+              owner: String? = nil) {
+      self.id = id
+      self.title = title
+      self.owner = owner
+  }
+
+    // MARK: - CodingKeys
+     public enum CodingKeys: String, ModelKey {
+      case id
+      case title
+      case owner
+    }
+
+    public static let keys = CodingKeys.self
+    public static let schema = defineSchema { model in
+      let oIDCGroupPost = OIDCGroupPost.keys
+
+      model.authRules = [
+        rule(allow: .owner,
+             ownerField: "owner",
+             identityClaim: "sub",
+             operations: [.create, .update, .delete, .read]),
+        rule(allow: .groups,
+             groupClaim: "https://myapp.com/claims/groups",
+             groups: ["Admins"],
+             operations: [.create, .update, .delete, .read])
+      ]
+
+      model.pluralName = "OIDCGroupPosts"
+
+      model.fields(
+        .id(),
+        .field(oIDCGroupPost.title, is: .required, ofType: .string),
+        .field(oIDCGroupPost.owner, is: .optional, ofType: .string)
+      )
+      }
+}
+
+class ModelWithOwnerAuthAndGroupWithGroupClaim: XCTestCase {
+    override func setUp() {
+        ModelRegistry.register(modelType: OIDCGroupPost.self)
+    }
+
+    override func tearDown() {
+        ModelRegistry.reset()
+    }
+
+    func testOnCreateSubscription_NoGroupInfoPassed() {
+        let claims = ["username": "user1",
+                      "sub": "123e4567-dead-beef-a456-426614174000"] as IdentityClaimsDictionary
+        var documentBuilder = ModelBasedGraphQLDocumentBuilder(modelType: OIDCGroupPost.self,
+                                                               operationType: .subscription)
+        documentBuilder.add(decorator: DirectiveNameDecorator(type: .onCreate))
+        documentBuilder.add(decorator: AuthRuleDecorator(.subscription(.onCreate, claims)))
+        let document = documentBuilder.build()
+        let expectedQueryDocument = """
+        subscription OnCreateOIDCGroupPost($owner: String!) {
+          onCreateOIDCGroupPost(owner: $owner) {
+            id
+            owner
+            title
+            __typename
+          }
+        }
+        """
+        XCTAssertEqual(document.name, "onCreateOIDCGroupPost")
+        XCTAssertEqual(document.stringValue, expectedQueryDocument)
+        guard let variables = document.variables else {
+            XCTFail("The document doesn't contain variables")
+            return
+        }
+        XCTAssertEqual(variables["owner"] as? String, "123e4567-dead-beef-a456-426614174000")
+    }
+
+    func testOnCreateSubscription_InAdminsGroup() {
+        let claims = ["username": "user1",
+                      "sub": "123e4567-dead-beef-a456-426614174000",
+                      "https://myapp.com/claims/groups": ["Admins"]] as IdentityClaimsDictionary
+        var documentBuilder = ModelBasedGraphQLDocumentBuilder(modelType: OIDCGroupPost.self,
+                                                               operationType: .subscription)
+        documentBuilder.add(decorator: DirectiveNameDecorator(type: .onCreate))
+        documentBuilder.add(decorator: AuthRuleDecorator(.subscription(.onCreate, claims)))
+        let document = documentBuilder.build()
+        let expectedQueryDocument = """
+        subscription OnCreateOIDCGroupPost {
+          onCreateOIDCGroupPost {
+            id
+            owner
+            title
+            __typename
+          }
+        }
+        """
+        XCTAssertEqual(document.name, "onCreateOIDCGroupPost")
+        XCTAssertEqual(document.stringValue, expectedQueryDocument)
+        XCTAssert(document.variables.isEmpty)
+    }
+
+    func testOnCreateSubscription_InAdminsGroupAndAnother() {
+        let claims = ["username": "user1",
+                      "sub": "123e4567-dead-beef-a456-426614174000",
+                      "https://myapp.com/claims/groups": ["Admins", "Users"]] as IdentityClaimsDictionary
+        var documentBuilder = ModelBasedGraphQLDocumentBuilder(modelType: OIDCGroupPost.self,
+                                                               operationType: .subscription)
+        documentBuilder.add(decorator: DirectiveNameDecorator(type: .onCreate))
+        documentBuilder.add(decorator: AuthRuleDecorator(.subscription(.onCreate, claims)))
+        let document = documentBuilder.build()
+        let expectedQueryDocument = """
+        subscription OnCreateOIDCGroupPost {
+          onCreateOIDCGroupPost {
+            id
+            owner
+            title
+            __typename
+          }
+        }
+        """
+        XCTAssertEqual(document.name, "onCreateOIDCGroupPost")
+        XCTAssertEqual(document.stringValue, expectedQueryDocument)
+        XCTAssert(document.variables.isEmpty)
+    }
+
+    func testOnCreateSubscription_NotInAdminsGroup() {
+        let claims = ["username": "user1",
+                      "sub": "123e4567-dead-beef-a456-426614174000",
+                      "https://myapp.com/claims/groups": ["Users"]] as IdentityClaimsDictionary
+        var documentBuilder = ModelBasedGraphQLDocumentBuilder(modelType: OIDCGroupPost.self,
+                                                               operationType: .subscription)
+        documentBuilder.add(decorator: DirectiveNameDecorator(type: .onCreate))
+        documentBuilder.add(decorator: AuthRuleDecorator(.subscription(.onCreate, claims)))
+        let document = documentBuilder.build()
+        let expectedQueryDocument = """
+        subscription OnCreateOIDCGroupPost($owner: String!) {
+          onCreateOIDCGroupPost(owner: $owner) {
+            id
+            owner
+            title
+            __typename
+          }
+        }
+        """
+        XCTAssertEqual(document.name, "onCreateOIDCGroupPost")
+        XCTAssertEqual(document.stringValue, expectedQueryDocument)
+        guard let variables = document.variables else {
+            XCTFail("The document doesn't contain variables")
+            return
+        }
+        XCTAssertEqual(variables["owner"] as? String, "123e4567-dead-beef-a456-426614174000")
+    }
+}