amplify-category-api
Owner- and group-rules failing in V2 search resolvers
Before opening, please confirm:
- [X] I have installed the latest version of the Amplify CLI (see above), and confirmed that the issue still persists.
- [X] I have searched for duplicate or closed issues.
- [X] I have read the guide for submitting bug reports.
- [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
- [X] I have removed any sensitive information from my code snippets and submission.
How did you install the Amplify CLI?
npm
If applicable, what version of Node.js are you using?
14
Amplify CLI Version
7.6.26
What operating system are you using?
Mac
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.
Custom Cognito attributes
Amplify Categories
api
Amplify Commands
Not applicable
Describe the bug
When making a search query against a model with owner or group auth rules, the query fails and returns no results.
For the ForeignNational model below, a user with a custom:person_id claim should be able to read any ForeignNational whose relatives field includes that claim.
But here is a user with person_id of 9af7... searching for his relatives and it’s empty. In the same query, I'm doing a get query for a known relative Zdf... to show that the user does indeed have rights to their record.
Here is the identical query made as a member of the Admins group, showing the expected response:

In the Query.searchForeignNationals.req.vtl resolver that the CLI generates, I can tell that it is making the following query to OpenSearch:
{
  "bool": {
    "must": [
      {
        "bool": {
          "should": [
            {
              "terms_set": {
                "companyID.keyword": {
                  "terms": ["___xamznone____"],
                  "minimum_should_match_script": { "source": "1" }
                }
              }
            },
            {
              "terms_set": {
                "id.keyword": {
                  "terms": ["9af7e450-a8c2-4808-bfef-dfb878ba628d"],
                  "minimum_should_match_script": { "source": "1" }
                }
              }
            },
            {
              "terms_set": {
                "relatives": {
                  "terms": ["9af7e450-a8c2-4808-bfef-dfb878ba628d"],
                  "minimum_should_match_script": { "source": "1" }
                }
              }
            },
            {
              "terms_set": {
                "relativeAdmins": {
                  "terms": ["9af7e450-a8c2-4808-bfef-dfb878ba628d"],
                  "minimum_should_match_script": { "source": "1" }
                }
              }
            }
          ]
        }
      },
      { "match": { "relatives": "9af7e450-a8c2-4808-bfef-dfb878ba628d" } }
    ]
  }
}
Perhaps this filter is malformed? I don't know enough about Query DSL to diagnose.
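Added example, not code from the Amplify project or from the issue: a small Python evaluator that rebuilds the generated filter quoted above and checks which documents its Boolean structure admits (terms_set with minimum_should_match_script "1" meaning "at least one listed term present", a should that needs one hit, and the caller's own match on relatives). It treats every value as an exact keyword, so it says nothing about how OpenSearch maps or analyzes `relatives` compared with `id.keyword`; the `___xamznone____` sentinel standing in for a missing company claim, and the sample documents, are assumptions.

```python
# Added example (not Amplify's code): local evaluator for the auth filter that the
# generated Query.searchForeignNationals.req.vtl builds, as quoted in the issue.
# Only Boolean logic is modelled; every value is treated as an exact keyword.

CLAIM = "9af7e450-a8c2-4808-bfef-dfb878ba628d"  # custom:person_id from the issue
NONE_SENTINEL = "___xamznone____"                 # value seen for companyID.keyword

def terms_set(field, terms):
    # One terms_set clause exactly as it appears in the generated query.
    return {"terms_set": {field: {"terms": terms,
                                  "minimum_should_match_script": {"source": "1"}}}}

def search_filter(person_id, company_access=None):
    """Rebuild the issue's query: any-of the four auth clauses AND the caller's own
    predicate on `relatives`. Assumption: a missing company claim yields the sentinel."""
    company = company_access or [NONE_SENTINEL]
    return {"bool": {"must": [
        {"bool": {"should": [terms_set("companyID.keyword", company),
                             terms_set("id.keyword", [person_id]),
                             terms_set("relatives", [person_id]),
                             terms_set("relativeAdmins", [person_id])]}},
        {"match": {"relatives": person_id}}]}}

def _values(doc, field):
    # Values of a field as a list; "x.keyword" is read as the keyword sub-field of "x".
    v = doc.get(field.split(".")[0])
    return [] if v is None else (v if isinstance(v, list) else [v])

def matches(query, doc):
    """Evaluate one clause against a document using the keyword-only model above."""
    (kind, body), = query.items()
    if kind == "bool":
        musts, shoulds = body.get("must", []), body.get("should", [])
        if not all(matches(q, doc) for q in musts):
            return False
        # OpenSearch default: `should` is only required when no `must` is present.
        return not shoulds or bool(musts) or any(matches(q, doc) for q in shoulds)
    if kind == "terms_set":
        (field, spec), = body.items()
        need = int(spec["minimum_should_match_script"]["source"])
        return sum(t in _values(doc, field) for t in spec["terms"]) >= need
    if kind == "match":
        (field, value), = body.items()
        return value in _values(doc, field)
    raise ValueError(f"unsupported clause: {kind}")

# Constructed sample documents (not data from the issue).
RELATIVE = {"id": "relative-1", "companyID": "acme", "relatives": [CLAIM]}
SELF = {"id": CLAIM, "companyID": "acme", "relatives": ["relative-1"]}
STRANGER = {"id": "other", "companyID": "acme", "relatives": ["someone-else"]}
```

Run `matches(search_filter(CLAIM), doc)` over the three documents: the relative's record is admitted, the caller's own record is excluded by the caller's own relatives predicate rather than by the auth clauses, and the stranger's record is rejected.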
Expected behavior
Search queries should correctly respect the owner and group rules in models.
Reproduction steps
- Create model with owner and group auth rules
- Search for records employing those rules
GraphQL schema(s)
type ForeignNational implements Person
  @model(
    queries: { get: "getForeignNational", list: null }
    subscriptions: null
  )
  @searchable
  @auth(
    rules: [
      {
        allow: groups
        groups: ["Admins", "Team", "Employers"] # TODO: Remove employer
      }
      {
        allow: groups
        groupsField: "companyID"
        groupClaim: "custom:company_access"
        operations: [read, update, delete]
      }
      {
        allow: owner
        ownerField: "id"
        identityClaim: "custom:person_id"
        operations: [read, update, delete]
      }
      {
        allow: owner
        ownerField: "relatives"
        identityClaim: "custom:person_id"
        operations: [read]
      }
      {
        allow: owner
        ownerField: "relativeAdmins"
        identityClaim: "custom:person_id"
        operations: [read, update, delete]
      }
    ]
  ) {
  id: ID!
  firstname: String
  relatives: [String!]
  relativeAdmins: [String!]
  ...
}
Log output
Additional information
No response