Skip to content

Commit

Permalink
chore(cognito-identitypool): refactor and remove Digits authenticatio…
Browse files Browse the repository at this point in the history
…n provider (#31482)

### Issue # (if applicable)

N/A

### Reason for this change

The authentication providers and their logic in this module have bad code smells, and thus, we have refactored them to bring the module more in line with CDK standards and best practices. In addition, the Digits authentication provider has been deprecated since September 2017, so it has been removed.

### Description of changes

* Any modules relating to the Digits auth have been removed, as the service itself is deprecated.
* The `IdentityPoolProviders` and `IdentityPoolAuthenticationProviders` interfaces have been merged, as there did not seem to be a reason to keep them separate, aside from differentiating third-party and internal providers.
* Some grammar, punctuation, formatting, and capitalization changes

### Description of how you validated changes

Unit tests and integration tests have been tweaked only as necessary to confirm these changes. Since they all still pass or show no need to be updated, we can confirm that this refactor does not affect them. The integration test has also been updated to reflect that the previous Google prop for `clientSecret` is deprecated, and use `clientSecretValue` instead.

**BREAKING CHANGE**: The `IdentityPoolProviderType.DIGITS` and `IdentityPoolProviderUrl.DIGITS` enum values, and `IdentityPoolDigitsLoginProvider` interface have been removed, as well as the `digits` attribute of the `IdentityPoolAuthenticationProviders` interface.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
Leo10Gama authored Sep 26, 2024
1 parent 4ddc702 commit a633ee6
Show file tree
Hide file tree
Showing 9 changed files with 139 additions and 237 deletions.
9 changes: 5 additions & 4 deletions packages/@aws-cdk/aws-cognito-identitypool-alpha/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,8 @@
[Amazon Cognito Identity Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html) enable you to grant your users access to other AWS services.

Identity Pools are one of the two main components of [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html), which provides authentication, authorization, and
user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through
a third party such as Facebook, Amazon, Google or Apple.
user management for your web and mobile apps. Your users can sign in through a a trusted identity provider, like a user
pool or a SAML 2.0 service, as well as with third party providers such as Facebook, Amazon, Google or Apple.

The other main component in Amazon Cognito is [user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html). User Pools are user directories that provide sign-up and
sign-in options for your app users.
Expand Down Expand Up @@ -53,8 +53,9 @@ import { IdentityPool, UserPoolAuthenticationProvider } from '@aws-cdk/aws-cogni

## Identity Pools

Identity pools provide temporary AWS credentials for users who are guests (unauthenticated) and for users who have been
authenticated and received a token. An identity pool is a store of user identity data specific to an account.
Identity pools provide temporary AWS credentials for users who are guests (unauthenticated) and for users who have
authenticated by presenting a token from another identity provider. An identity pool is a store of user identity data
specific to an account.

Identity pools can be used in conjunction with Cognito User Pools or by accessing external federated identity providers
directly. Learn more at [Amazon Cognito Identity Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html).
Expand Down
Original file line number Diff line number Diff line change
@@ -1,28 +1,15 @@
import {
CfnIdentityPoolRoleAttachment,
} from 'aws-cdk-lib/aws-cognito';
import {
IRole,
} from 'aws-cdk-lib/aws-iam';
import {
Resource,
IResource,
Token,
} from 'aws-cdk-lib/core';
import {
Construct,
} from 'constructs';
import {
IIdentityPool,
IdentityPoolProviderUrl,
} from './identitypool';
import { CfnIdentityPoolRoleAttachment } from 'aws-cdk-lib/aws-cognito';
import { IRole } from 'aws-cdk-lib/aws-iam';
import { Resource, IResource, Token } from 'aws-cdk-lib/core';
import { Construct } from 'constructs';
import { IIdentityPool, IdentityPoolProviderUrl } from './identitypool';

/**
* Represents an Identity Pool Role Attachment
*/
export interface IIdentityPoolRoleAttachment extends IResource {
/**
* Id of the Attachments Underlying Identity Pool
* ID of the Attachment's underlying Identity Pool
*/
readonly identityPoolId: string;
}
Expand All @@ -33,47 +20,47 @@ export interface IIdentityPoolRoleAttachment extends IResource {
export interface IdentityPoolRoleAttachmentProps {

/**
* Id of the Attachments Underlying Identity Pool
* ID of the Attachment's underlying Identity Pool
*/
readonly identityPool: IIdentityPool;

/**
* Default Authenticated (User) Role
* @default - No default authenticated role will be added
* Default authenticated (User) Role
* @default - No default authenticated Role will be added
*/
readonly authenticatedRole?: IRole;

/**
* Default Unauthenticated (Guest) Role
* @default - No default unauthenticated role will be added
*/
* Default unauthenticated (Guest) Role
* @default - No default unauthenticated Role will be added
*/
readonly unauthenticatedRole?: IRole;

/**
* Rules for mapping roles to users
* @default - no Role Mappings
* @default - No role mappings
*/
readonly roleMappings?: IdentityPoolRoleMapping[];
}

/**
* Map roles to users in the identity pool based on claims from the Identity Provider
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
* Map roles to users in the Identity Pool based on claims from the Identity Provider
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
*/
export interface IdentityPoolRoleMapping {
/**
* The url of the provider of for which the role is mapped
* The url of the Provider for which the role is mapped
*/
readonly providerUrl: IdentityPoolProviderUrl;

/**
* The key used for the role mapping in the role mapping hash. Required if the providerUrl is a token.
* @default - the provided providerUrl
* @default - The provided providerUrl
*/
readonly mappingKey?: string;

/**
* If true then mapped roles must be passed through the cognito:roles or cognito:preferred_role claims from identity provider.
* If true then mapped roles must be passed through the cognito:roles or cognito:preferred_role claims from Identity Provider.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#using-tokens-to-assign-roles-to-users
*
* @default false
Expand All @@ -88,47 +75,47 @@ export interface IdentityPoolRoleMapping {

/**
* The claim and value that must be matched in order to assume the role. Required if useToken is false
* @default - No Rule Mapping Rule
* @default - No role mapping rule
*/
readonly rules?: RoleMappingRule[];
}

/**
* Types of matches allowed for Role Mapping
* Types of matches allowed for role mapping
*/
export enum RoleMappingMatchType {
/**
* The Claim from the token must equal the given value in order for a match
* The claim from the token must equal the given value in order for a match
*/
EQUALS = 'Equals',

/**
* The Claim from the token must contain the given value in order for a match
* The claim from the token must contain the given value in order for a match
*/
CONTAINS = 'Contains',

/**
* The Claim from the token must start with the given value in order for a match
* The claim from the token must start with the given value in order for a match
*/
STARTS_WITH = 'StartsWith',

/**
* The Claim from the token must not equal the given value in order for a match
* The claim from the token must not equal the given value in order for a match
*/
NOTEQUAL = 'NotEqual',
}

/**
* Represents an Identity Pool Role Attachment Role Mapping Rule
* Represents an Identity Pool Role Attachment role mapping rule
*/
export interface RoleMappingRule {
/**
* The key sent in the token by the federated identity provider.
* The key sent in the token by the federated Identity Provider
*/
readonly claim: string;

/**
* The Role to be assumed when Claim Value is matched.
* The role to be assumed when the claim value is matched
*/
readonly mappedRole: IRole;

Expand All @@ -138,9 +125,9 @@ export interface RoleMappingRule {
readonly claimValue: string;

/**
* How to match with the Claim value
* How to match with the claim value
* @default RoleMappingMatchType.EQUALS
*/
*/
readonly matchType?: RoleMappingMatchType;
}

Expand All @@ -151,7 +138,7 @@ export interface RoleMappingRule {
*/
export class IdentityPoolRoleAttachment extends Resource implements IIdentityPoolRoleAttachment {
/**
* Id of the underlying identity pool
* ID of the underlying Identity Pool
*/
public readonly identityPoolId: string

Expand All @@ -176,7 +163,7 @@ export class IdentityPoolRoleAttachment extends Resource implements IIdentityPoo
}

/**
* Configures Role Mappings for Identity Pool Role Attachment
* Configures role mappings for the Identity Pool Role Attachment
*/
private configureRoleMappings(
...props: IdentityPoolRoleMapping[]
Expand Down
Loading

0 comments on commit a633ee6

Please sign in to comment.