chore: add gen2 auth e2e infra (#5179)

* chore(infra): Api migrate to Gen 2 E2E

* fix: git update-index --chmod=+x

* fix: code review

* chore: port auth backend

* chore: port lambda triggers for create user and custom email sender

* chore: move utils to infra-common

* chore: compile infra common to js

* chore: update utils for js restructure, add missing deps

* chore: fix confirmation code infra

* chore: update tests to run for gen2 stacks

* chore: remove alias from custom sender lambda

* chore: fix deliveryMedium in reset password test

* chore: add phone sign in infra

* chore: rename email-sign-in

* chore: add license header

* chore: fix formatting in GH workflow

* chore: update package-lock

* chore: remove deleted file

* chore: fix formatting

* chore: update package lock

* chore: remove dup function

* chore: remove changes from merge conflicts

* chore: fix build script

* chore: fetch auth amplify_outputs

* chore: remove libgit2dart

* chore: add custom sms sender

* chore: add stack name to infra resources

* chore: pull gen2 backend for authenticator

* chore: update package-lock

* chore: move dependencies to dev_dependencies

* chore: update fetch auth session tests

* chore: separate reset pw and confirmation delivery medium

* chore: fix hanging test

* chore: rename test group

* chore: update comments, remove unused type

* chore: update package lock

---------

Co-authored-by: Elijah Quartey <quaelija@amazon.com>

Author: Jordan-Nelson

infra-gen2/backends/auth/email-sign-in/.gitignore

@@ -0,0 +1,5 @@
+# amplify
+node_modules
+.amplify
+amplify_outputs*
+amplifyconfiguration*

infra-gen2/backends/auth/email-sign-in/amplify/auth/resource.ts

@@ -0,0 +1,14 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { defineAuth } from "@aws-amplify/backend";
+
+/**
+ * Define and configure your auth resource
+ * @see https://docs.amplify.aws/gen2/build-a-backend/auth
+ */
+export const auth = defineAuth({
+  loginWith: {
+    email: true,
+  },
+});

infra-gen2/backends/auth/email-sign-in/amplify/backend.ts

@@ -0,0 +1,25 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { defineBackend } from "@aws-amplify/backend";
+import { addAuthUserExtensions } from "infra-common";
+import { auth } from "./auth/resource";
+
+const backend = defineBackend({
+  auth,
+});
+
+const resources = backend.auth.resources;
+const { userPool, cfnResources } = resources;
+const { stack } = userPool;
+const { cfnUserPool } = cfnResources;
+
+// Adds infra for creating/deleting users via App Sync and fetching confirmation
+// and MFA codes from App Sync.
+const customOutputs = addAuthUserExtensions({
+  name: "email-sign-in",
+  stack,
+  userPool,
+  cfnUserPool,
+});
+backend.addOutput(customOutputs);

infra-gen2/backends/auth/email-sign-in/amplify/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

infra-gen2/backends/auth/email-sign-in/amplify/tsconfig.json

@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "es2022",
+    "module": "es2022",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "strict": true,
+    "skipLibCheck": true,
+    "paths": {
+      "$amplify/*": [
+        "../.amplify/generated/*"
+      ]
+    }
+  }
+}

infra-gen2/backends/auth/email-sign-in/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "email-sign-in",
+  "version": "1.0.0",
+  "main": "index.js"
+}

infra-gen2/backends/auth/phone-sign-in/.gitignore

@@ -0,0 +1,5 @@
+# amplify
+node_modules
+.amplify
+amplify_outputs*
+amplifyconfiguration*

infra-gen2/backends/auth/phone-sign-in/amplify/auth/resource.ts

@@ -0,0 +1,14 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { defineAuth } from "@aws-amplify/backend";
+
+/**
+ * Define and configure your auth resource
+ * @see https://docs.amplify.aws/gen2/build-a-backend/auth
+ */
+export const auth = defineAuth({
+  loginWith: {
+    phone: true,
+  },
+});

infra-gen2/backends/auth/phone-sign-in/amplify/backend.ts

@@ -0,0 +1,25 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { defineBackend } from "@aws-amplify/backend";
+import { addAuthUserExtensions } from "infra-common";
+import { auth } from "./auth/resource";
+
+const backend = defineBackend({
+  auth,
+});
+
+const resources = backend.auth.resources;
+const { userPool, cfnResources } = resources;
+const { stack } = userPool;
+const { cfnUserPool } = cfnResources;
+
+// Adds infra for creating/deleting users via App Sync and fetching confirmation
+// and MFA codes from App Sync.
+const customOutputs = addAuthUserExtensions({
+  name: "phone-sign-in",
+  stack,
+  userPool,
+  cfnUserPool,
+});
+backend.addOutput(customOutputs);

infra-gen2/backends/auth/phone-sign-in/amplify/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

infra-gen2/backends/auth/phone-sign-in/amplify/tsconfig.json

@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "es2022",
+    "module": "es2022",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "strict": true,
+    "skipLibCheck": true,
+    "paths": {
+      "$amplify/*": [
+        "../.amplify/generated/*"
+      ]
+    }
+  }
+}

infra-gen2/backends/auth/phone-sign-in/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "phone-sign-in",
+  "version": "1.0.0",
+  "main": "index.js"
+}

infra-gen2/infra-common/package.json

@@ -7,6 +7,7 @@
     ".": "./dist/index.js"
   },
   "scripts": {
-    "build": "tsc"
+    "build": "tsc && npm run copy-graphql",
+    "copy-graphql": "cp -r ./src/schemas ./dist"
   }
 }

infra-gen2/infra-common/src/auth-user-extensions/README.md

@@ -0,0 +1,6 @@
+# auth-user-extensions
+
+This directory contains extensions useful for managing authorized users, including:
+
+- creating & deleting users via App Sync
+- sending confirmation codes to App Sync instead of email/SMS

infra-gen2/infra-common/src/auth-user-extensions/auth-user-extensions.ts

@@ -0,0 +1,35 @@
+import { BackendBase } from "@aws-amplify/backend";
+import { Stack } from "aws-cdk-lib";
+import { CfnUserPool, IUserPool } from "aws-cdk-lib/aws-cognito";
+import { addCreateUserLambda } from "./create-user-lambda";
+import { addCustomSenderLambda } from "./custom-sender-lambda";
+import { addDeleteUserLambda } from "./delete-user-lambda";
+import { addUserGraphql } from "./user-graphql";
+
+type AmplifyOutputs = Parameters<BackendBase["addOutput"]>[0];
+
+export const addAuthUserExtensions = ({
+  name,
+  stack,
+  userPool,
+  cfnUserPool,
+}: {
+  name: string;
+  stack: Stack;
+  userPool: IUserPool;
+  cfnUserPool: CfnUserPool;
+}): AmplifyOutputs => {
+  const graphQL = addUserGraphql(stack);
+  addCustomSenderLambda({ name, stack, cfnUserPool, graphQL });
+  addCreateUserLambda({ name, stack, userPool, graphQL });
+  addDeleteUserLambda({ name, stack, userPool, graphQL });
+  return {
+    data: {
+      aws_region: stack.region,
+      url: graphQL.graphqlUrl,
+      api_key: graphQL.apiKey,
+      default_authorization_type: "API_KEY",
+      authorization_types: [],
+    },
+  };
+};

infra-gen2/infra-common/src/auth-user-extensions/create-user-lambda.ts

@@ -0,0 +1,46 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { Stack } from "aws-cdk-lib";
+import { GraphqlApi, MappingTemplate } from "aws-cdk-lib/aws-appsync";
+import { IUserPool } from "aws-cdk-lib/aws-cognito";
+import { Runtime } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
+import path from "path";
+
+export function addCreateUserLambda({
+  name,
+  stack,
+  graphQL,
+  userPool,
+}: {
+  name: string;
+  stack: Stack;
+  graphQL: GraphqlApi;
+  userPool: IUserPool;
+}) {
+  const createUserLambda = new NodejsFunction(stack, `${name}-createUser`, {
+    entry: path.resolve(__dirname, "..", "lambda-triggers", "create-user.js"),
+    runtime: Runtime.NODEJS_18_X,
+    environment: {
+      USER_POOL_ID: userPool.userPoolId,
+    },
+  });
+  userPool.grant(
+    createUserLambda,
+    "cognito-idp:AdminCreateUser",
+    "cognito-idp:AdminSetUserPassword",
+    "cognito-idp:AdminSetUserMFAPreference",
+    "cognito-idp:AdminUpdateUserAttributes"
+  );
+  const createUserSource = graphQL.addLambdaDataSource(
+    `${name}-GraphQLApiCreateUserLambda`,
+    createUserLambda
+  );
+  createUserSource.createResolver(`${name}-MutationCreateUserResolver`, {
+    typeName: "Mutation",
+    fieldName: "createUser",
+    requestMappingTemplate: MappingTemplate.lambdaRequest(),
+    responseMappingTemplate: MappingTemplate.lambdaResult(),
+  });
+}

infra-gen2/infra-common/src/auth-user-extensions/custom-sender-lambda.ts

@@ -0,0 +1,145 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { RemovalPolicy, Stack } from "aws-cdk-lib";
+import {
+  Assign,
+  GraphqlApi,
+  MappingTemplate,
+  PrimaryKey,
+  Values,
+} from "aws-cdk-lib/aws-appsync";
+import { CfnUserPool } from "aws-cdk-lib/aws-cognito";
+import { AttributeType, BillingMode, Table } from "aws-cdk-lib/aws-dynamodb";
+import { ServicePrincipal } from "aws-cdk-lib/aws-iam";
+import { Key } from "aws-cdk-lib/aws-kms";
+import { Runtime } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
+import path from "path";
+
+export function addCustomSenderLambda({
+  name,
+  stack,
+  graphQL,
+  cfnUserPool,
+}: {
+  name: string;
+  stack: Stack;
+  graphQL: GraphqlApi;
+  cfnUserPool: CfnUserPool;
+}): NodejsFunction {
+  const customSenderKmsKey = new Key(stack, `${name}-CustomSenderKey`, {
+    description: `Key for encrypting/decrypting SMS messages sent from ${stack.stackId}`,
+    removalPolicy: RemovalPolicy.DESTROY,
+  });
+
+  const customEmailSender = new NodejsFunction(
+    stack,
+    `${name}-customEmailSender`,
+    {
+      entry: path.resolve(
+        __dirname,
+        "..",
+        "lambda-triggers",
+        "custom-email-sender.js"
+      ),
+      runtime: Runtime.NODEJS_18_X,
+      bundling: {
+        nodeModules: ["@aws-crypto/client-node"],
+      },
+      environment: {
+        GRAPHQL_API_ENDPOINT: graphQL.graphqlUrl,
+        GRAPHQL_API_KEY: graphQL.apiKey!,
+        KMS_KEY_ARN: customSenderKmsKey.keyArn,
+      },
+    }
+  );
+
+  customEmailSender.addPermission("PermitCognitoInvoke", {
+    principal: new ServicePrincipal("cognito-idp.amazonaws.com"),
+    sourceArn: cfnUserPool.attrArn,
+  });
+
+  const customSmsSender = new NodejsFunction(stack, `${name}-customSmsSender`, {
+    entry: path.resolve(
+      __dirname,
+      "..",
+      "lambda-triggers",
+      "custom-sms-sender.js"
+    ),
+    runtime: Runtime.NODEJS_18_X,
+    bundling: {
+      nodeModules: ["@aws-crypto/client-node"],
+    },
+    environment: {
+      GRAPHQL_API_ENDPOINT: graphQL.graphqlUrl,
+      GRAPHQL_API_KEY: graphQL.apiKey!,
+      KMS_KEY_ARN: customSenderKmsKey.keyArn,
+    },
+  });
+
+  customSmsSender.addPermission("PermitCognitoInvoke", {
+    principal: new ServicePrincipal("cognito-idp.amazonaws.com"),
+    sourceArn: cfnUserPool.attrArn,
+  });
+
+  cfnUserPool.lambdaConfig = {
+    customEmailSender: {
+      lambdaArn: customEmailSender.functionArn,
+      lambdaVersion: "V1_0",
+    },
+    customSmsSender: {
+      lambdaArn: customSmsSender.functionArn,
+      lambdaVersion: "V1_0",
+    },
+    kmsKeyId: customSenderKmsKey.keyArn,
+  };
+
+  graphQL.grantMutation(customEmailSender);
+  customSenderKmsKey.grantDecrypt(customEmailSender);
+
+  graphQL.grantMutation(customSmsSender);
+  customSenderKmsKey.grantDecrypt(customSmsSender);
+
+  const mfaCodesTable = new Table(stack, `${name}-MFACodesTable`, {
+    removalPolicy: RemovalPolicy.DESTROY,
+    billingMode: BillingMode.PAY_PER_REQUEST,
+    partitionKey: {
+      type: AttributeType.STRING,
+      name: "username",
+    },
+    sortKey: {
+      type: AttributeType.STRING,
+      name: "code",
+    },
+  });
+
+  const mfaCodesSource = graphQL.addDynamoDbDataSource(
+    "GraphQLApiMFACodes",
+    mfaCodesTable
+  );
+
+  // Mutation.createMFACode
+  mfaCodesSource.createResolver(`${name}-MutationCreateMFACodeResolver`, {
+    typeName: "Mutation",
+    fieldName: "createMFACode",
+    requestMappingTemplate: MappingTemplate.dynamoDbPutItem(
+      new PrimaryKey(
+        new Assign("username", "$input.username"),
+        new Assign("code", "$input.code")
+      ),
+      Values.projecting("input")
+    ),
+    responseMappingTemplate: MappingTemplate.dynamoDbResultItem(),
+  });
+
+  // Query.listMFACodes
+  mfaCodesSource.createResolver(`${name}-QueryListMFACodesResolver`, {
+    typeName: "Query",
+    fieldName: "listMFACodes",
+    requestMappingTemplate: MappingTemplate.dynamoDbScanTable(),
+    responseMappingTemplate: MappingTemplate.dynamoDbResultItem(),
+  });
+
+  return customEmailSender;
+}