Skip to content

Commit

Permalink
fix(cognito-identitypool-alpha): cannot configure roleMappings with i…
Browse files Browse the repository at this point in the history 
…mported userPool and client (#30421)

### Issue # (if applicable)

Closes #30304

### Reason for this change
Currently, we cannot use imported user pools and clients for role mapping in an identity pool.
This is because the `IdentityPoolProviderUrl.userPool` method takes an L2 construct as its argument type instead of Interface (`IUserPool`, `IUserPoolClient`).

```ts
    const userPool = cognito.UserPool.fromUserPoolArn(this, 'CognitoUserPool', 'arn');
    const userPoolClient = cognito.UserPoolClient.fromUserPoolClientId(this, 'UserPoolClientId', 'client-id');
    const identityPool = new cognitoidp.IdentityPool(this, 'IdentityPool', {
      // ~
      roleMappings: [
        {
          mappingKey: 'cognito', 
          providerUrl: cognitoidp.IdentityPoolProviderUrl.userPool(userPool, userPoolClient), // ! type error here !
          useToken: true
        }
      ],
      allowUnauthenticatedIdentities: false
    });
```

### Description of changes
The argument types of the `IdentityPoolProviderUrl.userPool` method are changed to `IUserPool` and `IUserPoolClient`.
This method requires the `userPoolProviderName` of the userPool, but since it does not exist for `IUserPool`, a property was added.
Since this property is required in the `UserPool` construct, it is also required in `IUserPool`.
https://github.com/aws/aws-cdk/blob/c3003ab41f0efc763f39eb2cab490c8a005e146b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts#L902

I add a required attribute to the Interface of the aws-cognito module(stable), but I do not think this to be a breaking change.
Please let me know if it is not.



### Description of how you validated changes
Unit tests and integ tests are added to verify that the imported userPool and clinet can be used.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
@sakurai-ryo
sakurai-ryo authored Sep 18, 2024
1 parent 1581190 commit 0fdd6a9
Show file tree
Hide file tree
Showing 11 changed files with 583 additions and 99 deletions.
6 changes: 3 additions & 3 deletions packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
import {
CfnIdentityPool,
UserPool,
UserPoolClient,
IUserPool,
IUserPoolClient,
} from 'aws-cdk-lib/aws-cognito';
import {
IOpenIdConnectProvider,
Expand Down Expand Up @@ -158,7 +158,7 @@ export class IdentityPoolProviderUrl {
}

/** User Pool Provider Url */
public static userPool(userPool: UserPool, userPoolClient: UserPoolClient): IdentityPoolProviderUrl {
public static userPool(userPool: IUserPool, userPoolClient: IUserPoolClient): IdentityPoolProviderUrl {
const url = `${userPool.userPoolProviderName}:${userPoolClient.userPoolClientId}`;
return new IdentityPoolProviderUrl(IdentityPoolProviderType.USER_POOL, url);
}
Expand Down
36 changes: 36 additions & 0 deletions packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ import {
} from 'aws-cdk-lib/assertions';
import {
UserPool,
UserPoolClient,
UserPoolIdentityProvider,
} from 'aws-cdk-lib/aws-cognito';
import {
Expand Down Expand Up @@ -728,4 +729,39 @@ describe('role mappings', () => {
},
});
});

test('role mapping with an imported user pool and client', () => {
const stack = new Stack();
const importedPool = UserPool.fromUserPoolArn(stack, 'ImportedPool', 'arn:aws:cognito-idp:us-east-1:0123456789012:userpool/test-user-pool');
const importedClient = UserPoolClient.fromUserPoolClientId(stack, 'ImportedPoolClient', 'client-id');
new IdentityPool(stack, 'TestIdentityPoolRoleMappingRules', {
roleMappings: [{
mappingKey: 'cognito',
providerUrl: IdentityPoolProviderUrl.userPool(importedPool, importedClient),
useToken: true,
}],
});
const temp = Template.fromStack(stack);
temp.resourceCountIs('AWS::Cognito::IdentityPoolRoleAttachment', 1);
temp.hasResourceProperties('AWS::Cognito::IdentityPoolRoleAttachment', {
IdentityPoolId: {
Ref: 'TestIdentityPoolRoleMappingRulesC8C07BC3',
},
RoleMappings: {
cognito: {
IdentityProvider: {
'Fn::Join': [
'',
[
'cognito-idp.us-east-1.',
{ Ref: 'AWS::URLSuffix' },
'/test-user-pool:client-id',
],
],
},
Type: 'Token',
},
},
});
});
});
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/cdk.out
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 3 additions & 3 deletions ...ito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.assets.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

206 changes: 187 additions & 19 deletions ...o-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,6 @@
"PooltestClientFE8D4935": {
"Type": "AWS::Cognito::UserPoolClient",
"Properties": {
"UserPoolId": {
"Ref": "PoolD3F588B8"
},
"AllowedOAuthFlows": [
"implicit",
"code"
Expand All @@ -57,17 +54,15 @@
"Ref": "PoolProviderGoogle76A1E8D0"
},
"COGNITO"
]
],
"UserPoolId": {
"Ref": "PoolD3F588B8"
}
}
},
"PoolProviderGoogle76A1E8D0": {
"Type": "AWS::Cognito::UserPoolIdentityProvider",
"Properties": {
"ProviderName": "Google",
"ProviderType": "Google",
"UserPoolId": {
"Ref": "PoolD3F588B8"
},
"AttributeMapping": {
"given_name": "given_name",
"family_name": "family_name",
Expand All @@ -79,6 +74,11 @@
"client_id": "google-client-id",
"client_secret": "google-client-secret",
"authorize_scopes": "profile"
},
"ProviderName": "Google",
"ProviderType": "Google",
"UserPoolId": {
"Ref": "PoolD3F588B8"
}
}
},
Expand Down Expand Up @@ -116,9 +116,6 @@
"OtherPoolUserPoolAuthenticationProviderClient08F670F8": {
"Type": "AWS::Cognito::UserPoolClient",
"Properties": {
"UserPoolId": {
"Ref": "OtherPool7DA7F2F7"
},
"AllowedOAuthFlows": [
"implicit",
"code"
Expand All @@ -139,17 +136,15 @@
"Ref": "OtherPoolProviderAmazon4EB0592F"
},
"COGNITO"
]
],
"UserPoolId": {
"Ref": "OtherPool7DA7F2F7"
}
}
},
"OtherPoolProviderAmazon4EB0592F": {
"Type": "AWS::Cognito::UserPoolIdentityProvider",
"Properties": {
"ProviderName": "LoginWithAmazon",
"ProviderType": "LoginWithAmazon",
"UserPoolId": {
"Ref": "OtherPool7DA7F2F7"
},
"AttributeMapping": {
"given_name": "name",
"email": "email",
Expand All @@ -159,14 +154,76 @@
"client_id": "amzn-client-id",
"client_secret": "amzn-client-secret",
"authorize_scopes": "profile"
},
"ProviderName": "LoginWithAmazon",
"ProviderType": "LoginWithAmazon",
"UserPoolId": {
"Ref": "OtherPool7DA7F2F7"
}
}
},
"UserPoolToImport1A7C21D3": {
"Type": "AWS::Cognito::UserPool",
"Properties": {
"AccountRecoverySetting": {
"RecoveryMechanisms": [
{
"Name": "verified_phone_number",
"Priority": 1
},
{
"Name": "verified_email",
"Priority": 2
}
]
},
"AdminCreateUserConfig": {
"AllowAdminCreateUserOnly": true
},
"EmailVerificationMessage": "The verification code to your new account is {####}",
"EmailVerificationSubject": "Verify your new account",
"SmsVerificationMessage": "The verification code to your new account is {####}",
"VerificationMessageTemplate": {
"DefaultEmailOption": "CONFIRM_WITH_CODE",
"EmailMessage": "The verification code to your new account is {####}",
"EmailSubject": "Verify your new account",
"SmsMessage": "The verification code to your new account is {####}"
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain"
},
"UserPoolToImportclientToImport6885CDF7": {
"Type": "AWS::Cognito::UserPoolClient",
"Properties": {
"AllowedOAuthFlows": [
"implicit",
"code"
],
"AllowedOAuthFlowsUserPoolClient": true,
"AllowedOAuthScopes": [
"profile",
"phone",
"email",
"openid",
"aws.cognito.signin.user.admin"
],
"CallbackURLs": [
"https://example.com"
],
"SupportedIdentityProviders": [
"COGNITO"
],
"UserPoolId": {
"Ref": "UserPoolToImport1A7C21D3"
}
}
},
"identitypoolE2A6D099": {
"Type": "AWS::Cognito::IdentityPool",
"Properties": {
"AllowUnauthenticatedIdentities": false,
"AllowClassicFlow": true,
"AllowUnauthenticatedIdentities": false,
"CognitoIdentityProviders": [
{
"ClientId": {
Expand All @@ -193,6 +250,54 @@
},
"ServerSideTokenCheck": true
},
{
"ClientId": {
"Ref": "UserPoolToImportclientToImport6885CDF7"
},
"ProviderName": {
"Fn::Join": [
"",
[
"cognito-idp.",
{
"Ref": "AWS::Region"
},
".",
{
"Ref": "AWS::URLSuffix"
},
"/",
{
"Fn::Select": [
1,
{
"Fn::Split": [
"/",
{
"Fn::Select": [
5,
{
"Fn::Split": [
":",
{
"Fn::GetAtt": [
"UserPoolToImport1A7C21D3",
"Arn"
]
}
]
}
]
}
]
}
]
}
]
]
},
"ServerSideTokenCheck": true
},
{
"ClientId": {
"Ref": "OtherPoolUserPoolAuthenticationProviderClient08F670F8"
Expand Down Expand Up @@ -407,6 +512,69 @@
]
},
"Type": "Token"
},
"importedUserPool": {
"AmbiguousRoleResolution": "Deny",
"IdentityProvider": {
"Fn::Join": [
"",
[
"cognito-idp.",
{
"Fn::Select": [
3,
{
"Fn::Split": [
":",
{
"Fn::GetAtt": [
"UserPoolToImport1A7C21D3",
"Arn"
]
}
]
}
]
},
".",
{
"Ref": "AWS::URLSuffix"
},
"/",
{
"Fn::Select": [
1,
{
"Fn::Split": [
"/",
{
"Fn::Select": [
5,
{
"Fn::Split": [
":",
{
"Fn::GetAtt": [
"UserPoolToImport1A7C21D3",
"Arn"
]
}
]
}
]
}
]
}
]
},
":",
{
"Ref": "UserPoolToImportclientToImport6885CDF7"
}
]
]
},
"Type": "Token"
}
},
"Roles": {
Expand Down
2 changes: 1 addition & 1 deletion ...es/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit 0fdd6a9

Please sign in to comment.