fix(security): implement fine-grained authorization for request appro…

…val workflow - Add field-level authorization rules in GraphQL schema - Restrict approver field modifications to prevent injection - Enforce proper authorization for status updates - Implement strict access control for approval-related fields
aws-samples · Nov 7, 2024 · 085f765 · 085f765
1 parent 08a33ab
commit 085f765
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 6 deletions.
diff --git a/amplify/backend/api/team/resolvers/Mutation.createRequests.init.1.req.vtl b/amplify/backend/api/team/resolvers/Mutation.createRequests.init.1.req.vtl
@@ -23,10 +23,6 @@ $util.qr($ctx.stash.defaultValues.put("status", "pending"))
     	$util.error('Invalid input')
 #end
 
-#if ($ctx.args.input.email || $ctx.args.input.status || $ctx.args.input.username || $ctx.args.input.approvers || $ctx.args.input.approver_ids)
-    $util.error('Invalid input')
-#end
-
 $util.qr($ctx.args.input.put("username", $ctx.identity.username))
 $util.toJson({
   "version": "2018-05-29",

diff --git a/amplify/backend/api/team/schema.graphql b/amplify/backend/api/team/schema.graphql
@@ -3,8 +3,8 @@ type requests
   @auth(
     rules: [
       { allow: groups, groups: ["Auditors"], operations: [read] }
-      { allow: owner }
-      { allow: owner, ownerField: "approver_ids", operations: [update, read] }
+      { allow: owner, operations: [create, read] }
+      { allow: owner, ownerField: "approver_ids", operations: [read] }
       { allow: private, provider: iam, operations: [read, update] }
     ]
   ) {
@@ -15,6 +15,14 @@ type requests
       sortKeyFields: ["status"]
       queryField: "requestByEmailAndStatus"
     )
+  @auth(
+    rules: [
+      { allow: groups, groups: ["Auditors"], operations: [read] }
+      { allow: owner, operations: [read]}
+      { allow: owner, ownerField: "approver_ids", operations: [read] }
+      { allow: private, provider: iam, operations: [read, update] }
+    ]
+  )
   accountId: String!
   accountName: String!
   role: String!
@@ -23,22 +31,86 @@ type requests
   duration: String!
   justification: String
   status: String
+  @auth(
+    rules: [
+      { allow: groups, groups: ["Auditors"], operations: [read] }
+      { allow: owner, operations: [create, read, update] }
+      { allow: owner, ownerField: "approver_ids", operations: [update, read] }
+      { allow: private, provider: iam, operations: [read, update] }
+    ]
+  )
   comment: String
+  @auth(
+    rules: [
+      { allow: groups, groups: ["Auditors"], operations: [read] }
+      { allow: owner, operations: [read] }
+      { allow: owner, ownerField: "approver_ids", operations: [update, read] }
+      { allow: private, provider: iam, operations: [read, update] }
+    ]
+  )
   username: String
   approver: String
+  @auth(
+    rules: [
+      { allow: groups, groups: ["Auditors"], operations: [read] }
+      { allow: owner, operations: [read]}
+      { allow: owner, ownerField: "approver_ids", operations: [read] }
+      { allow: private, provider: iam, operations: [read, update] }
+    ]
+  )
   approverId: String
     @index(
       name: "byApproverAndStatus"
       sortKeyFields: ["status"]
       queryField: "requestByApproverAndStatus"
     )
+  @auth(
+    rules: [
+      { allow: groups, groups: ["Auditors"], operations: [read] }
+      { allow: owner, operations: [read]}
+      { allow: owner, ownerField: "approver_ids", operations: [update,read] }
+      { allow: private, provider: iam, operations: [read, update] }
+    ]
+  )
   approvers: [String]
+  @auth(
+    rules: [
+      { allow: groups, groups: ["Auditors"], operations: [read] }
+      { allow: owner, operations: [read]}
+      { allow: owner, ownerField: "approver_ids", operations: [read] }
+      { allow: private, provider: iam, operations: [read, update] }
+    ]
+  )
   approver_ids: [String]
+  @auth(
+    rules: [
+      { allow: groups, groups: ["Auditors"], operations: [read] }
+      { allow: owner, operations: [read]}
+      { allow: owner, ownerField: "approver_ids", operations: [read] }
+      { allow: private, provider: iam, operations: [read, update] }
+    ]
+  )
   revoker: String
   revokerId: String
+  @auth(
+    rules: [
+      { allow: groups, groups: ["Auditors"], operations: [read] }
+      { allow: owner, operations: [read]}
+      { allow: owner, ownerField: "approver_ids", operations: [update,read] }
+      { allow: private, provider: iam, operations: [read, update] }
+    ]
+  )
   endTime: AWSDateTime
   ticketNo: String
   revokeComment: String
+  @auth(
+    rules: [
+      { allow: groups, groups: ["Auditors"], operations: [read] }
+      { allow: owner, operations: [update,read]}
+      { allow: owner, ownerField: "approver_ids", operations: [update,read] }
+      { allow: private, provider: iam, operations: [read,update] }
+    ]
+  )
   session_duration: String
 }
 type sessions