From 8f5691c86bf2fe266df08268be71919b605bd464 Mon Sep 17 00:00:00 2001 From: awstools Date: Fri, 5 Apr 2024 18:12:08 +0000 Subject: [PATCH] feat(client-verifiedpermissions): Adding BatchIsAuthorizedWithToken API which supports multiple authorization requests against a PolicyStore given a bearer token. --- clients/client-verifiedpermissions/README.md | 8 + .../src/VerifiedPermissions.ts | 23 ++ .../src/VerifiedPermissionsClient.ts | 6 + .../BatchIsAuthorizedWithTokenCommand.ts | 316 ++++++++++++++++++ .../commands/IsAuthorizedWithTokenCommand.ts | 9 - .../src/commands/index.ts | 1 + .../src/models/models_0.ts | 245 ++++++++++++-- .../src/protocols/Aws_json1_0.ts | 139 ++++++++ .../aws-models/verifiedpermissions.json | 195 ++++++++++- 9 files changed, 893 insertions(+), 49 deletions(-) create mode 100644 clients/client-verifiedpermissions/src/commands/BatchIsAuthorizedWithTokenCommand.ts diff --git a/clients/client-verifiedpermissions/README.md b/clients/client-verifiedpermissions/README.md index 78555cd01e8e1..c2b3745203fcb 100644 --- a/clients/client-verifiedpermissions/README.md +++ b/clients/client-verifiedpermissions/README.md @@ -274,6 +274,14 @@ BatchIsAuthorized [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/verifiedpermissions/command/BatchIsAuthorizedCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-verifiedpermissions/Interface/BatchIsAuthorizedCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-verifiedpermissions/Interface/BatchIsAuthorizedCommandOutput/) + +
+ +BatchIsAuthorizedWithToken + + +[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/verifiedpermissions/command/BatchIsAuthorizedWithTokenCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-verifiedpermissions/Interface/BatchIsAuthorizedWithTokenCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-verifiedpermissions/Interface/BatchIsAuthorizedWithTokenCommandOutput/) +
diff --git a/clients/client-verifiedpermissions/src/VerifiedPermissions.ts b/clients/client-verifiedpermissions/src/VerifiedPermissions.ts index f52de02d64624..5d2a9cf881a59 100644 --- a/clients/client-verifiedpermissions/src/VerifiedPermissions.ts +++ b/clients/client-verifiedpermissions/src/VerifiedPermissions.ts @@ -7,6 +7,11 @@ import { BatchIsAuthorizedCommandInput, BatchIsAuthorizedCommandOutput, } from "./commands/BatchIsAuthorizedCommand"; +import { + BatchIsAuthorizedWithTokenCommand, + BatchIsAuthorizedWithTokenCommandInput, + BatchIsAuthorizedWithTokenCommandOutput, +} from "./commands/BatchIsAuthorizedWithTokenCommand"; import { CreateIdentitySourceCommand, CreateIdentitySourceCommandInput, @@ -119,6 +124,7 @@ import { VerifiedPermissionsClient, VerifiedPermissionsClientConfig } from "./Ve const commands = { BatchIsAuthorizedCommand, + BatchIsAuthorizedWithTokenCommand, CreateIdentitySourceCommand, CreatePolicyCommand, CreatePolicyStoreCommand, @@ -163,6 +169,23 @@ export interface VerifiedPermissions { cb: (err: any, data?: BatchIsAuthorizedCommandOutput) => void ): void; + /** + * @see {@link BatchIsAuthorizedWithTokenCommand} + */ + batchIsAuthorizedWithToken( + args: BatchIsAuthorizedWithTokenCommandInput, + options?: __HttpHandlerOptions + ): Promise; + batchIsAuthorizedWithToken( + args: BatchIsAuthorizedWithTokenCommandInput, + cb: (err: any, data?: BatchIsAuthorizedWithTokenCommandOutput) => void + ): void; + batchIsAuthorizedWithToken( + args: BatchIsAuthorizedWithTokenCommandInput, + options: __HttpHandlerOptions, + cb: (err: any, data?: BatchIsAuthorizedWithTokenCommandOutput) => void + ): void; + /** * @see {@link CreateIdentitySourceCommand} */ diff --git a/clients/client-verifiedpermissions/src/VerifiedPermissionsClient.ts b/clients/client-verifiedpermissions/src/VerifiedPermissionsClient.ts index 4aa6c3fe794ab..826a3b3048126 100644 --- a/clients/client-verifiedpermissions/src/VerifiedPermissionsClient.ts 
+++ b/clients/client-verifiedpermissions/src/VerifiedPermissionsClient.ts @@ -54,6 +54,10 @@ import { resolveHttpAuthSchemeConfig, } from "./auth/httpAuthSchemeProvider"; import { BatchIsAuthorizedCommandInput, BatchIsAuthorizedCommandOutput } from "./commands/BatchIsAuthorizedCommand"; +import { + BatchIsAuthorizedWithTokenCommandInput, + BatchIsAuthorizedWithTokenCommandOutput, +} from "./commands/BatchIsAuthorizedWithTokenCommand"; import { CreateIdentitySourceCommandInput, CreateIdentitySourceCommandOutput, @@ -121,6 +125,7 @@ export { __Client }; */ export type ServiceInputTypes = | BatchIsAuthorizedCommandInput + | BatchIsAuthorizedWithTokenCommandInput | CreateIdentitySourceCommandInput | CreatePolicyCommandInput | CreatePolicyStoreCommandInput @@ -151,6 +156,7 @@ export type ServiceInputTypes = */ export type ServiceOutputTypes = | BatchIsAuthorizedCommandOutput + | BatchIsAuthorizedWithTokenCommandOutput | CreateIdentitySourceCommandOutput | CreatePolicyCommandOutput | CreatePolicyStoreCommandOutput diff --git a/clients/client-verifiedpermissions/src/commands/BatchIsAuthorizedWithTokenCommand.ts b/clients/client-verifiedpermissions/src/commands/BatchIsAuthorizedWithTokenCommand.ts new file mode 100644 index 0000000000000..da9adbc88a551 --- /dev/null +++ b/clients/client-verifiedpermissions/src/commands/BatchIsAuthorizedWithTokenCommand.ts 
@@ -0,0 +1,316 @@ +// smithy-typescript generated code +import { getEndpointPlugin } from "@smithy/middleware-endpoint"; +import { getSerdePlugin } from "@smithy/middleware-serde"; +import { Command as $Command } from "@smithy/smithy-client"; +import { MetadataBearer as __MetadataBearer } from "@smithy/types"; + +import { commonParams } from "../endpoint/EndpointParameters"; +import { + BatchIsAuthorizedWithTokenInput, + BatchIsAuthorizedWithTokenInputFilterSensitiveLog, + BatchIsAuthorizedWithTokenOutput, + BatchIsAuthorizedWithTokenOutputFilterSensitiveLog, +} from "../models/models_0"; +import { de_BatchIsAuthorizedWithTokenCommand, se_BatchIsAuthorizedWithTokenCommand } from "../protocols/Aws_json1_0"; +import { + ServiceInputTypes, + ServiceOutputTypes, + VerifiedPermissionsClientResolvedConfig, +} from "../VerifiedPermissionsClient"; + +/** + * @public + */ +export { __MetadataBearer, $Command }; +/** + * @public + * + * The input for {@link BatchIsAuthorizedWithTokenCommand}. + */ +export interface BatchIsAuthorizedWithTokenCommandInput extends BatchIsAuthorizedWithTokenInput {} +/** + * @public + * + * The output of {@link BatchIsAuthorizedWithTokenCommand}. + */ +export interface BatchIsAuthorizedWithTokenCommandOutput extends BatchIsAuthorizedWithTokenOutput, __MetadataBearer {} + +/** + *

Makes a series of decisions about multiple authorization requests for one token. The + * principal in this request comes from an external identity source in the form of an identity or + * access token, formatted as a JSON + * web token (JWT). The information in the parameters can also define + * additional context that Verified Permissions can include in the evaluations.

+ *

The request is evaluated against all policies in the specified policy store that match the + * entities that you provide in the entities declaration and in the token. The result of + * the decisions is a series of Allow or Deny responses, along + * with the IDs of the policies that produced each decision.

+ *

The entities of a BatchIsAuthorizedWithToken API request can + * contain up to 100 resources and up to 99 user groups. The requests of a + * BatchIsAuthorizedWithToken API request can contain up to 30 + * requests.

+ * + *

The BatchIsAuthorizedWithToken operation doesn't have its own + * IAM permission. To authorize this operation for Amazon Web Services principals, include the + * permission verifiedpermissions:IsAuthorizedWithToken in their IAM + * policies.

+ *
+ * @example + * Use a bare-bones client and the command you need to make an API call. + * ```javascript + * import { VerifiedPermissionsClient, BatchIsAuthorizedWithTokenCommand } from "@aws-sdk/client-verifiedpermissions"; // ES Modules import + * // const { VerifiedPermissionsClient, BatchIsAuthorizedWithTokenCommand } = require("@aws-sdk/client-verifiedpermissions"); // CommonJS import + * const client = new VerifiedPermissionsClient(config); + * const input = { // BatchIsAuthorizedWithTokenInput + * policyStoreId: "STRING_VALUE", // required + * identityToken: "STRING_VALUE", + * accessToken: "STRING_VALUE", + * entities: { // EntitiesDefinition Union: only one key present + * entityList: [ // EntityList + * { // EntityItem + * identifier: { // EntityIdentifier + * entityType: "STRING_VALUE", // required + * entityId: "STRING_VALUE", // required + * }, + * attributes: { // EntityAttributes + * "": { // AttributeValue Union: only one key present + * boolean: true || false, + * entityIdentifier: { + * entityType: "STRING_VALUE", // required + * entityId: "STRING_VALUE", // required + * }, + * long: Number("long"), + * string: "STRING_VALUE", + * set: [ // SetAttribute + * {// Union: only one key present + * boolean: true || false, + * entityIdentifier: "", + * long: Number("long"), + * string: "STRING_VALUE", + * set: [ + * "", + * ], + * record: { // RecordAttribute + * "": "", + * }, + * }, + * ], + * record: { + * "": "", + * }, + * }, + * }, + * parents: [ // ParentList + * "", + * ], + * }, + * ], + * }, + * requests: [ // BatchIsAuthorizedWithTokenInputList // required + * { // BatchIsAuthorizedWithTokenInputItem + * action: { // ActionIdentifier + * actionType: "STRING_VALUE", // required + * actionId: "STRING_VALUE", // required + * }, + * resource: "", + * context: { // ContextDefinition Union: only one key present + * contextMap: { // ContextMap + * "": "", + * }, + * }, + * }, + * ], + * }; + * const command = new 
BatchIsAuthorizedWithTokenCommand(input); + * const response = await client.send(command); + * // { // BatchIsAuthorizedWithTokenOutput + * // principal: { // EntityIdentifier + * // entityType: "STRING_VALUE", // required + * // entityId: "STRING_VALUE", // required + * // }, + * // results: [ // BatchIsAuthorizedWithTokenOutputList // required + * // { // BatchIsAuthorizedWithTokenOutputItem + * // request: { // BatchIsAuthorizedWithTokenInputItem + * // action: { // ActionIdentifier + * // actionType: "STRING_VALUE", // required + * // actionId: "STRING_VALUE", // required + * // }, + * // resource: { + * // entityType: "STRING_VALUE", // required + * // entityId: "STRING_VALUE", // required + * // }, + * // context: { // ContextDefinition Union: only one key present + * // contextMap: { // ContextMap + * // "": { // AttributeValue Union: only one key present + * // boolean: true || false, + * // entityIdentifier: "", + * // long: Number("long"), + * // string: "STRING_VALUE", + * // set: [ // SetAttribute + * // {// Union: only one key present + * // boolean: true || false, + * // entityIdentifier: "", + * // long: Number("long"), + * // string: "STRING_VALUE", + * // set: [ + * // "", + * // ], + * // record: { // RecordAttribute + * // "": "", + * // }, + * // }, + * // ], + * // record: { + * // "": "", + * // }, + * // }, + * // }, + * // }, + * // }, + * // decision: "ALLOW" || "DENY", // required + * // determiningPolicies: [ // DeterminingPolicyList // required + * // { // DeterminingPolicyItem + * // policyId: "STRING_VALUE", // required + * // }, + * // ], + * // errors: [ // EvaluationErrorList // required + * // { // EvaluationErrorItem + * // errorDescription: "STRING_VALUE", // required + * // }, + * // ], + * // }, + * // ], + * // }; + * + * ``` + * + * @param BatchIsAuthorizedWithTokenCommandInput - {@link BatchIsAuthorizedWithTokenCommandInput} + * @returns {@link BatchIsAuthorizedWithTokenCommandOutput} + * @see {@link 
BatchIsAuthorizedWithTokenCommandInput} for command's `input` shape. + * @see {@link BatchIsAuthorizedWithTokenCommandOutput} for command's `response` shape. + * @see {@link VerifiedPermissionsClientResolvedConfig | config} for VerifiedPermissionsClient's `config` shape. + * + * @throws {@link ResourceNotFoundException} (client fault) + *

The request failed because it references a resource that doesn't exist.

+ * + * @throws {@link AccessDeniedException} (client fault) + *

You don't have sufficient access to perform this action.

+ * + * @throws {@link InternalServerException} (server fault) + *

The request failed because of an internal error. Try your request again later

+ * + * @throws {@link ThrottlingException} (client fault) + *

The request failed because it exceeded a throttling quota.

+ * + * @throws {@link ValidationException} (client fault) + *

The request failed because one or more input parameters don't satisfy their constraint + * requirements. The output is provided as a list of fields and a reason for each field that + * isn't valid.

+ *

The possible reasons include the following:

+ *
    + *
  • + *

    + * UnrecognizedEntityType + *

    + *

    The policy includes an entity type that isn't found in the schema.

    + *
  • + *
  • + *

    + * UnrecognizedActionId + *

    + *

    The policy includes an action id that isn't found in the schema.

    + *
  • + *
  • + *

    + * InvalidActionApplication + *

    + *

    The policy includes an action that, according to the schema, doesn't support + * the specified principal and resource.

    + *
  • + *
  • + *

    + * UnexpectedType + *

    + *

    The policy included an operand that isn't a valid type for the specified + * operation.

    + *
  • + *
  • + *

    + * IncompatibleTypes + *

    + *

    The types of elements included in a set, or the types of + * expressions used in an if...then...else clause aren't compatible in + * this context.

    + *
  • + *
  • + *

    + * MissingAttribute + *

    + *

    The policy attempts to access a record or entity attribute that isn't + * specified in the schema. Test for the existence of the attribute first before + * attempting to access its value. For more information, see the has (presence of attribute test) operator in the + * Cedar Policy Language Guide.

    + *
  • + *
  • + *

    + * UnsafeOptionalAttributeAccess + *

    + *

    The policy attempts to access a record or entity attribute that is optional + * and isn't guaranteed to be present. Test for the existence of the attribute + * first before attempting to access its value. For more information, see the + * has (presence of attribute test) operator in the + * Cedar Policy Language Guide.

    + *
  • + *
  • + *

    + * ImpossiblePolicy + *

    + *

    Cedar has determined that a policy condition always evaluates to false. If + * the policy is always false, it can never apply to any query, and so it can never + * affect an authorization decision.

    + *
  • + *
  • + *

    + * WrongNumberArguments + *

    + *

    The policy references an extension type with the wrong number of + * arguments.

    + *
  • + *
  • + *

    + * FunctionArgumentValidationError + *

    + *

    Cedar couldn't parse the argument passed to an extension type. For example, + * a string that is to be parsed as an IPv4 address can contain only digits and the + * period character.

    + *
  • + *
+ * + * @throws {@link VerifiedPermissionsServiceException} + *

Base exception class for all service exceptions from VerifiedPermissions service.

+ * + * @public + */ +export class BatchIsAuthorizedWithTokenCommand extends $Command + .classBuilder< + BatchIsAuthorizedWithTokenCommandInput, + BatchIsAuthorizedWithTokenCommandOutput, + VerifiedPermissionsClientResolvedConfig, + ServiceInputTypes, + ServiceOutputTypes + >() + .ep({ + ...commonParams, + }) + .m(function (this: any, Command: any, cs: any, config: VerifiedPermissionsClientResolvedConfig, o: any) { + return [ + getSerdePlugin(config, this.serialize, this.deserialize), + getEndpointPlugin(config, Command.getEndpointParameterInstructions()), + ]; + }) + .s("VerifiedPermissions", "BatchIsAuthorizedWithToken", {}) + .n("VerifiedPermissionsClient", "BatchIsAuthorizedWithTokenCommand") + .f(BatchIsAuthorizedWithTokenInputFilterSensitiveLog, BatchIsAuthorizedWithTokenOutputFilterSensitiveLog) + .ser(se_BatchIsAuthorizedWithTokenCommand) + .de(de_BatchIsAuthorizedWithTokenCommand) + .build() {} diff --git a/clients/client-verifiedpermissions/src/commands/IsAuthorizedWithTokenCommand.ts b/clients/client-verifiedpermissions/src/commands/IsAuthorizedWithTokenCommand.ts index 6792e3c12e058..4bdbec5383f95 100644 --- a/clients/client-verifiedpermissions/src/commands/IsAuthorizedWithTokenCommand.ts +++ b/clients/client-verifiedpermissions/src/commands/IsAuthorizedWithTokenCommand.ts @@ -44,15 +44,6 @@ export interface IsAuthorizedWithTokenCommandOutput extends IsAuthorizedWithToke * matching policies in the specified policy store. The result of the decision is either * Allow or Deny, along with a list of the policies that * resulted in the decision.

- * - *

If you specify the identityToken parameter, then this operation - * derives the principal from that token. You must not also include that principal in - * the entities parameter or the operation fails and reports a conflict - * between the two entity sources.

- *

If you provide only an accessToken, then you can include the entity - * as part of the entities parameter to provide additional - * attributes.

- *
*

At this time, Verified Permissions accepts tokens from only Amazon Cognito.

*

Verified Permissions validates each token that is specified in a request by checking its expiration * date and its signature.

diff --git a/clients/client-verifiedpermissions/src/commands/index.ts b/clients/client-verifiedpermissions/src/commands/index.ts index 00b932898432f..2014a892d3abb 100644 --- a/clients/client-verifiedpermissions/src/commands/index.ts +++ b/clients/client-verifiedpermissions/src/commands/index.ts @@ -1,5 +1,6 @@ // smithy-typescript generated code export * from "./BatchIsAuthorizedCommand"; +export * from "./BatchIsAuthorizedWithTokenCommand"; export * from "./CreateIdentitySourceCommand"; export * from "./CreatePolicyCommand"; export * from "./CreatePolicyStoreCommand"; diff --git a/clients/client-verifiedpermissions/src/models/models_0.ts b/clients/client-verifiedpermissions/src/models/models_0.ts index 5028281cf8343..1ea04d63c695b 100644 --- a/clients/client-verifiedpermissions/src/models/models_0.ts +++ b/clients/client-verifiedpermissions/src/models/models_0.ts @@ -358,8 +358,8 @@ export class ValidationException extends __BaseException { } /** - *

The type of entity that a policy store maps to groups from an Amazon Cognito user - * pool identity source.

+ *

A list of user groups and entities from an Amazon Cognito user pool identity + * source.

*

This data type is part of a CognitoUserPoolConfiguration structure and is a request parameter in CreateIdentitySource.

* @public */ @@ -373,8 +373,8 @@ export interface CognitoGroupConfiguration { } /** - *

The type of entity that a policy store maps to groups from an Amazon Cognito user - * pool identity source.

+ *

A list of user groups and entities from an Amazon Cognito user pool identity + * source.

*

This data type is part of an CognitoUserPoolConfigurationDetail structure and is a response parameter to * GetIdentitySource.

* @public @@ -389,8 +389,8 @@ export interface CognitoGroupConfigurationDetail { } /** - *

The type of entity that a policy store maps to groups from an Amazon Cognito user - * pool identity source.

+ *

A list of user groups and entities from an Amazon Cognito user pool identity + * source.

*

This data type is part of an CognitoUserPoolConfigurationItem structure and is a response parameter to * ListIdentitySources.

* @public @@ -410,7 +410,7 @@ export interface CognitoGroupConfigurationItem { *

This data type is used as a field that is part of an Configuration structure that is * used as a parameter to CreateIdentitySource.

*

Example:"CognitoUserPoolConfiguration":\{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds": - * ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": \{"groupEntityType": "MyCorp::Group"\}\} + * ["a1b2c3d4e5f6g7h8i9j0kalbmc"]\} *

* @public */ @@ -435,8 +435,8 @@ export interface CognitoUserPoolConfiguration { clientIds?: string[]; /** - *

The type of entity that a policy store maps to groups from an Amazon Cognito user - * pool identity source.

+ *

The configuration of the user groups from an Amazon Cognito user pool identity + * source.

* @public */ groupConfiguration?: CognitoGroupConfiguration; @@ -448,7 +448,7 @@ export interface CognitoUserPoolConfiguration { *

This data type is used as a field that is part of an ConfigurationDetail structure that is * part of the response to GetIdentitySource.

*

Example:"CognitoUserPoolConfiguration":\{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds": - * ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": \{"groupEntityType": "MyCorp::Group"\}\} + * ["a1b2c3d4e5f6g7h8i9j0kalbmc"]\} *

* @public */ @@ -483,8 +483,8 @@ export interface CognitoUserPoolConfigurationDetail { issuer: string | undefined; /** - *

The type of entity that a policy store maps to groups from an Amazon Cognito user - * pool identity source.

+ *

The configuration of the user groups from an Amazon Cognito user pool identity + * source.

* @public */ groupConfiguration?: CognitoGroupConfigurationDetail; @@ -496,7 +496,7 @@ export interface CognitoUserPoolConfigurationDetail { *

This data type is used as a field that is part of the ConfigurationItem structure that is * part of the response to ListIdentitySources.

*

Example:"CognitoUserPoolConfiguration":\{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds": - * ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": \{"groupEntityType": "MyCorp::Group"\}\} + * ["a1b2c3d4e5f6g7h8i9j0kalbmc"]\} *

* @public */ @@ -531,8 +531,8 @@ export interface CognitoUserPoolConfigurationItem { issuer: string | undefined; /** - *

The type of entity that a policy store maps to groups from an Amazon Cognito user - * pool identity source.

+ *

The configuration of the user groups from an Amazon Cognito user pool identity + * source.

* @public */ groupConfiguration?: CognitoGroupConfigurationItem; @@ -543,7 +543,7 @@ export interface CognitoUserPoolConfigurationItem { * *

At this time, the only valid member of this structure is a Amazon Cognito user pool * configuration.

- *

Specifies a userPoolArn, a groupConfiguration, and a + *

You must specify a userPoolArn, and optionally, a * ClientId.

*
*

This data type is used as a request parameter for the CreateIdentitySource @@ -607,8 +607,7 @@ export type ConfigurationDetail = export namespace ConfigurationDetail { /** *

Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of - * authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool, - * the policy store entity that you want to assign to user groups, + * authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool * and one or more application client IDs.

*

Example: * "configuration":\{"cognitoUserPoolConfiguration":\{"userPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","clientIds": @@ -655,8 +654,7 @@ export type ConfigurationItem = ConfigurationItem.CognitoUserPoolConfigurationMe export namespace ConfigurationItem { /** *

Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of - * authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool, - * the policy store entity that you want to assign to user groups, + * authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool * and one or more application client IDs.

*

Example: * "configuration":\{"cognitoUserPoolConfiguration":\{"userPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","clientIds": @@ -2068,7 +2066,7 @@ export interface ListIdentitySourcesOutput { } /** - *

The user group entities from an Amazon Cognito user pool identity + *

A list of user groups and entities from an Amazon Cognito user pool identity * source.

* @public */ @@ -3423,6 +3421,34 @@ export interface BatchIsAuthorizedInputItem { context?: ContextDefinition; } +/** + *

An authorization request that you include in a BatchIsAuthorizedWithToken + * API request.

+ * @public + */ +export interface BatchIsAuthorizedWithTokenInputItem { + /** + *

Specifies the requested action to be authorized. For example, + * PhotoFlash::ReadPhoto.

+ * @public + */ + action?: ActionIdentifier; + + /** + *

Specifies the resource that you want an authorization decision for. For example, + * PhotoFlash::Photo.

+ * @public + */ + resource?: EntityIdentifier; + + /** + *

Specifies additional context that can be used to make more granular authorization + * decisions.

+ * @public + */ + context?: ContextDefinition; +} + /** *

The decision, based on policy evaluation, from an individual authorization request in * a BatchIsAuthorized API request.

@@ -3461,6 +3487,43 @@ export interface BatchIsAuthorizedOutputItem { errors: EvaluationErrorItem[] | undefined; } +/** + *

The decision, based on policy evaluation, from an individual authorization request in a + * BatchIsAuthorizedWithToken API request.

+ * @public + */ +export interface BatchIsAuthorizedWithTokenOutputItem { + /** + *

The authorization request that initiated the decision.

+ * @public + */ + request: BatchIsAuthorizedWithTokenInputItem | undefined; + + /** + *

An authorization decision that indicates if the authorization request should be allowed + * or denied.

+ * @public + */ + decision: Decision | undefined; + + /** + *

The list of determining policies used to make the authorization decision. For example, + * if there are two matching policies, where one is a forbid and the other is a permit, then + * the forbid policy will be the determining policy. In the case of multiple matching permit + * policies then there would be multiple determining policies. In the case that no policies + * match, and hence the response is DENY, there would be no determining policies.

+ * @public + */ + determiningPolicies: DeterminingPolicyItem[] | undefined; + + /** + *

Errors that occurred while making an authorization decision. For example, a policy might + * reference an entity or attribute that doesn't exist in the request.

+ * @public + */ + errors: EvaluationErrorItem[] | undefined; +} + /** *

Contains the list of entities to be considered during an authorization request. This * includes all principals, resources, and actions required to successfully evaluate the @@ -3517,6 +3580,24 @@ export interface BatchIsAuthorizedOutput { results: BatchIsAuthorizedOutputItem[] | undefined; } +/** + * @public + */ +export interface BatchIsAuthorizedWithTokenOutput { + /** + *

The identifier of the principal in the ID or access token.

+ * @public + */ + principal?: EntityIdentifier; + + /** + *

A series of Allow or Deny decisions for each request, and + * the policies that produced them.

+ * @public + */ + results: BatchIsAuthorizedWithTokenOutputItem[] | undefined; +} + /** * @public */ @@ -3623,9 +3704,10 @@ export interface IsAuthorizedWithTokenInput { /** *

Specifies the list of resources and their associated attributes that Verified Permissions can examine * when evaluating the policies.

- * - *

You can include only resource and action entities in this parameter; you can't - * include principals.

+ * + *

You can't include principals in this parameter, only resource and action entities. + * This parameter can't include any entities of a type that matches the user or group + * entity types that you defined in your identity source.

*
    *
  • *

    The IsAuthorizedWithToken operation takes principal @@ -3640,7 +3722,7 @@ export interface IsAuthorizedWithTokenInput { * and EntityType.

    *
  • *
- *
+ * * @public */ entities?: EntitiesDefinition; @@ -3675,6 +3757,72 @@ export interface BatchIsAuthorizedInput { requests: BatchIsAuthorizedInputItem[] | undefined; } +/** + * @public + */ +export interface BatchIsAuthorizedWithTokenInput { + /** + *

Specifies the ID of the policy store. Policies in this policy store will be used to make an + * authorization decision for the input.

+ * @public + */ + policyStoreId: string | undefined; + + /** + *

Specifies an identity (ID) token for the principal that you want to authorize in each + * request. This token is provided to you by the identity provider (IdP) associated with + * the specified identity source. You must specify either an accessToken, an + * identityToken, or both.

+ *

Must be an ID token. Verified Permissions returns an error if the token_use claim in the + * submitted token isn't id.

+ * @public + */ + identityToken?: string; + + /** + *

Specifies an access token for the principal that you want to authorize in each + * request. This token is provided to you by the identity provider (IdP) associated with + * the specified identity source. You must specify either an accessToken, an + * identityToken, or both.

+ *

Must be an access token. Verified Permissions returns an error if the token_use claim in + * the submitted token isn't access.

+ * @public + */ + accessToken?: string; + + /** + *

Specifies the list of resources and their associated attributes that Verified Permissions can examine + * when evaluating the policies.

+ * + *

You can't include principals in this parameter, only resource and action entities. + * This parameter can't include any entities of a type that matches the user or group + * entity types that you defined in your identity source.

+ *
    + *
  • + *

    The BatchIsAuthorizedWithToken operation takes principal + * attributes from + * only + * + * the identityToken or accessToken passed to the + * operation.

    + *
  • + *
  • + *

    For action entities, you can include only their Identifier + * and EntityType.

    + *
  • + *
+ *
+ * @public + */ + entities?: EntitiesDefinition; + + /** + *

An array of up to 30 requests that you want Verified Permissions to evaluate.

+ * @public + */ + requests: BatchIsAuthorizedWithTokenInputItem[] | undefined; +} + /** * @internal */ @@ -4297,6 +4445,18 @@ export const BatchIsAuthorizedInputItemFilterSensitiveLog = (obj: BatchIsAuthori ...(obj.context && { context: ContextDefinitionFilterSensitiveLog(obj.context) }), }); +/** + * @internal + */ +export const BatchIsAuthorizedWithTokenInputItemFilterSensitiveLog = ( + obj: BatchIsAuthorizedWithTokenInputItem +): any => ({ + ...obj, + ...(obj.action && { action: ActionIdentifierFilterSensitiveLog(obj.action) }), + ...(obj.resource && { resource: EntityIdentifierFilterSensitiveLog(obj.resource) }), + ...(obj.context && { context: ContextDefinitionFilterSensitiveLog(obj.context) }), +}); + /** * @internal */ @@ -4306,6 +4466,17 @@ export const BatchIsAuthorizedOutputItemFilterSensitiveLog = (obj: BatchIsAuthor ...(obj.errors && { errors: SENSITIVE_STRING }), }); +/** + * @internal + */ +export const BatchIsAuthorizedWithTokenOutputItemFilterSensitiveLog = ( + obj: BatchIsAuthorizedWithTokenOutputItem +): any => ({ + ...obj, + ...(obj.request && { request: BatchIsAuthorizedWithTokenInputItemFilterSensitiveLog(obj.request) }), + ...(obj.errors && { errors: SENSITIVE_STRING }), +}); + /** * @internal */ @@ -4323,6 +4494,17 @@ export const BatchIsAuthorizedOutputFilterSensitiveLog = (obj: BatchIsAuthorized ...(obj.results && { results: obj.results.map((item) => BatchIsAuthorizedOutputItemFilterSensitiveLog(item)) }), }); +/** + * @internal + */ +export const BatchIsAuthorizedWithTokenOutputFilterSensitiveLog = (obj: BatchIsAuthorizedWithTokenOutput): any => ({ + ...obj, + ...(obj.principal && { principal: EntityIdentifierFilterSensitiveLog(obj.principal) }), + ...(obj.results && { + results: obj.results.map((item) => BatchIsAuthorizedWithTokenOutputItemFilterSensitiveLog(item)), + }), +}); + /** * @internal */ 
@@ -4356,3 +4538,16 @@ export const BatchIsAuthorizedInputFilterSensitiveLog = (obj: BatchIsAuthorizedI ...(obj.entities && { entities: EntitiesDefinitionFilterSensitiveLog(obj.entities) }), ...(obj.requests && { requests: obj.requests.map((item) => BatchIsAuthorizedInputItemFilterSensitiveLog(item)) }), }); + +/** + * @internal + */ +export const BatchIsAuthorizedWithTokenInputFilterSensitiveLog = (obj: BatchIsAuthorizedWithTokenInput): any => ({ + ...obj, + ...(obj.identityToken && { identityToken: SENSITIVE_STRING }), + ...(obj.accessToken && { accessToken: SENSITIVE_STRING }), + ...(obj.entities && { entities: EntitiesDefinitionFilterSensitiveLog(obj.entities) }), + ...(obj.requests && { + requests: obj.requests.map((item) => BatchIsAuthorizedWithTokenInputItemFilterSensitiveLog(item)), + }), +}); diff --git a/clients/client-verifiedpermissions/src/protocols/Aws_json1_0.ts b/clients/client-verifiedpermissions/src/protocols/Aws_json1_0.ts index 0014cc868ad88..93234c625cc5b 100644 --- a/clients/client-verifiedpermissions/src/protocols/Aws_json1_0.ts +++ b/clients/client-verifiedpermissions/src/protocols/Aws_json1_0.ts @@ -27,6 +27,10 @@ import { import { v4 as generateIdempotencyToken } from "uuid"; import { BatchIsAuthorizedCommandInput, BatchIsAuthorizedCommandOutput } from "../commands/BatchIsAuthorizedCommand"; +import { + BatchIsAuthorizedWithTokenCommandInput, + BatchIsAuthorizedWithTokenCommandOutput, +} from "../commands/BatchIsAuthorizedWithTokenCommand"; import { CreateIdentitySourceCommandInput, CreateIdentitySourceCommandOutput, @@ -86,6 +90,10 @@ import { BatchIsAuthorizedInputItem, BatchIsAuthorizedOutput, BatchIsAuthorizedOutputItem, + BatchIsAuthorizedWithTokenInput, + BatchIsAuthorizedWithTokenInputItem, + BatchIsAuthorizedWithTokenOutput, + BatchIsAuthorizedWithTokenOutputItem, CognitoGroupConfiguration, CognitoUserPoolConfiguration, Configuration, 
@@ -174,6 +182,19 @@ export const se_BatchIsAuthorizedCommand = async ( return buildHttpRpcRequest(context, headers, "/", undefined, body); }; +/** + * serializeAws_json1_0BatchIsAuthorizedWithTokenCommand + */ +export const se_BatchIsAuthorizedWithTokenCommand = async ( + input: BatchIsAuthorizedWithTokenCommandInput, + context: __SerdeContext +): Promise<__HttpRequest> => { + const headers: __HeaderBag = sharedHeaders("BatchIsAuthorizedWithToken"); + let body: any; + body = JSON.stringify(se_BatchIsAuthorizedWithTokenInput(input, context)); + return buildHttpRpcRequest(context, headers, "/", undefined, body); +}; + /** * serializeAws_json1_0CreateIdentitySourceCommand */ @@ -506,6 +527,26 @@ export const de_BatchIsAuthorizedCommand = async ( return response; }; +/** + * deserializeAws_json1_0BatchIsAuthorizedWithTokenCommand + */ +export const de_BatchIsAuthorizedWithTokenCommand = async ( + output: __HttpResponse, + context: __SerdeContext +): Promise => { + if (output.statusCode >= 300) { + return de_CommandError(output, context); + } + const data: any = await parseBody(output.body, context); + let contents: any = {}; + contents = de_BatchIsAuthorizedWithTokenOutput(data, context); + const response: BatchIsAuthorizedWithTokenCommandOutput = { + $metadata: deserializeMetadata(output), + ...contents, + }; + return response; +}; + /** * deserializeAws_json1_0CreateIdentitySourceCommand */ 
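Review bot: The return type of `de_BatchIsAuthorizedWithTokenCommand` in the second hunk (`@@ -506,6 +527,26 @@`) reads as a bare `): Promise => {`, whereas the sibling serializer in the first hunk declares `): Promise<__HttpRequest> => {`. `Promise` requires a type argument, so if this is not merely the page stripping an angle-bracketed token, the line should be `): Promise<BatchIsAuthorizedWithTokenCommandOutput> => {`, matching the `BatchIsAuthorizedWithTokenCommandOutput` import added to this file and the `response` annotation a few lines below. Worth confirming against the generated file rather than this rendering.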
@@ -1181,6 +1222,47 @@ const se_BatchIsAuthorizedInputList = (input: BatchIsAuthorizedInputItem[], cont }); }; +/** + * serializeAws_json1_0BatchIsAuthorizedWithTokenInput + */ +const se_BatchIsAuthorizedWithTokenInput = (input: BatchIsAuthorizedWithTokenInput, context: __SerdeContext): any => { + return take(input, { + accessToken: [], + entities: (_) => se_EntitiesDefinition(_, context), + identityToken: [], + policyStoreId: [], + requests: (_) => se_BatchIsAuthorizedWithTokenInputList(_, context), + }); +}; + +/** + * serializeAws_json1_0BatchIsAuthorizedWithTokenInputItem + */ +const se_BatchIsAuthorizedWithTokenInputItem = ( + input: BatchIsAuthorizedWithTokenInputItem, + context: __SerdeContext +): any => { + return take(input, { + action: _json, + context: (_) => se_ContextDefinition(_, context), + resource: _json, + }); +}; + +/** + * serializeAws_json1_0BatchIsAuthorizedWithTokenInputList + */ +const se_BatchIsAuthorizedWithTokenInputList = ( + input: BatchIsAuthorizedWithTokenInputItem[], + context: __SerdeContext +): any => { + return input + .filter((e: any) => e != null) + .map((entry) => { + return se_BatchIsAuthorizedWithTokenInputItem(entry, context); + }); +}; + // se_ClientIds omitted. // se_CognitoGroupConfiguration omitted. 
@@ -1504,6 +1586,63 @@ const de_BatchIsAuthorizedOutputList = (output: any, context: __SerdeContext): B return retVal; }; +/** + * deserializeAws_json1_0BatchIsAuthorizedWithTokenInputItem + */ +const de_BatchIsAuthorizedWithTokenInputItem = ( + output: any, + context: __SerdeContext +): BatchIsAuthorizedWithTokenInputItem => { + return take(output, { + action: _json, + context: (_: any) => de_ContextDefinition(__expectUnion(_), context), + resource: _json, + }) as any; +}; + +/** + * deserializeAws_json1_0BatchIsAuthorizedWithTokenOutput + */ +const de_BatchIsAuthorizedWithTokenOutput = ( + output: any, + context: __SerdeContext +): BatchIsAuthorizedWithTokenOutput => { + return take(output, { + principal: _json, + results: (_: any) => de_BatchIsAuthorizedWithTokenOutputList(_, context), + }) as any; +}; + +/** + * deserializeAws_json1_0BatchIsAuthorizedWithTokenOutputItem + */ +const de_BatchIsAuthorizedWithTokenOutputItem = ( + output: any, + context: __SerdeContext +): BatchIsAuthorizedWithTokenOutputItem => { + return take(output, { + decision: __expectString, + determiningPolicies: _json, + errors: _json, + request: (_: any) => de_BatchIsAuthorizedWithTokenInputItem(_, context), + }) as any; +}; + +/** + * deserializeAws_json1_0BatchIsAuthorizedWithTokenOutputList + */ +const de_BatchIsAuthorizedWithTokenOutputList = ( + output: any, + context: __SerdeContext +): BatchIsAuthorizedWithTokenOutputItem[] => { + const retVal = (output || []) + .filter((e: any) => e != null) + .map((entry: any) => { + return de_BatchIsAuthorizedWithTokenOutputItem(entry, context); + }); + return retVal; +}; + // de_ClientIds omitted. // de_CognitoGroupConfigurationDetail omitted. diff --git a/codegen/sdk-codegen/aws-models/verifiedpermissions.json b/codegen/sdk-codegen/aws-models/verifiedpermissions.json index 7c2132e220ba5..40db9e7394388 100644 --- a/codegen/sdk-codegen/aws-models/verifiedpermissions.json +++ b/codegen/sdk-codegen/aws-models/verifiedpermissions.json 
@@ -255,6 +255,168 @@ "target": "com.amazonaws.verifiedpermissions#BatchIsAuthorizedOutputItem" } }, + "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithToken": { + "type": "operation", + "input": { + "target": "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithTokenInput" + }, + "output": { + "target": "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithTokenOutput" + }, + "errors": [ + { + "target": "com.amazonaws.verifiedpermissions#ResourceNotFoundException" + } + ], + "traits": { + "aws.iam#iamAction": { + "documentation": "Grants permission to make a batch authorization decision about a service request described in the parameters. The principal in this request comes from an external identity source", + "name": "IsAuthorizedWithToken" + }, + "smithy.api#documentation": "

Makes a series of decisions about multiple authorization requests for one token. The\n principal in this request comes from an external identity source in the form of an identity or\n access token, formatted as a JSON\n web token (JWT). The information in the parameters can also define\n additional context that Verified Permissions can include in the evaluations.

\n

The request is evaluated against all policies in the specified policy store that match the\n entities that you provide in the entities declaration and in the token. The result of\n the decisions is a series of Allow or Deny responses, along\n with the IDs of the policies that produced each decision.

\n

The entities of a BatchIsAuthorizedWithToken API request can\n contain up to 100 resources and up to 99 user groups. The requests of a\n BatchIsAuthorizedWithToken API request can contain up to 30\n requests.

\n \n

The BatchIsAuthorizedWithToken operation doesn't have its own\n IAM permission. To authorize this operation for Amazon Web Services principals, include the\n permission verifiedpermissions:IsAuthorizedWithToken in their IAM\n policies.

\n
", + "smithy.api#readonly": {} + } + }, + "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithTokenInput": { + "type": "structure", + "members": { + "policyStoreId": { + "target": "com.amazonaws.verifiedpermissions#PolicyStoreId", + "traits": { + "smithy.api#documentation": "

Specifies the ID of the policy store. Policies in this policy store will be used to make an\n authorization decision for the input.

", + "smithy.api#required": {} + } + }, + "identityToken": { + "target": "com.amazonaws.verifiedpermissions#Token", + "traits": { + "smithy.api#documentation": "

Specifies an identity (ID) token for the principal that you want to authorize in each\n request. This token is provided to you by the identity provider (IdP) associated with\n the specified identity source. You must specify either an accessToken, an\n identityToken, or both.

\n

Must be an ID token. Verified Permissions returns an error if the token_use claim in the\n submitted token isn't id.

" + } + }, + "accessToken": { + "target": "com.amazonaws.verifiedpermissions#Token", + "traits": { + "smithy.api#documentation": "

Specifies an access token for the principal that you want to authorize in each\n request. This token is provided to you by the identity provider (IdP) associated with\n the specified identity source. You must specify either an accessToken, an\n identityToken, or both.

\n

Must be an access token. Verified Permissions returns an error if the token_use claim in\n the submitted token isn't access.

" + } + }, + "entities": { + "target": "com.amazonaws.verifiedpermissions#EntitiesDefinition", + "traits": { + "smithy.api#documentation": "

Specifies the list of resources and their associated attributes that Verified Permissions can examine\n when evaluating the policies.

\n \n

You can't include principals in this parameter, only resource and action entities.\n This parameter can't include any entities of a type that matches the user or group\n entity types that you defined in your identity source.

\n
    \n
  • \n

    The BatchIsAuthorizedWithToken operation takes principal\n attributes from \n only\n \n the identityToken or accessToken passed to the\n operation.

    \n
  • \n
  • \n

    For action entities, you can include only their Identifier\n and EntityType.

    \n
  • \n
\n
" + } + }, + "requests": { + "target": "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithTokenInputList", + "traits": { + "smithy.api#documentation": "

An array of up to 30 requests that you want Verified Permissions to evaluate.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#input": {} + } + }, + "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithTokenInputItem": { + "type": "structure", + "members": { + "action": { + "target": "com.amazonaws.verifiedpermissions#ActionIdentifier", + "traits": { + "smithy.api#documentation": "

Specifies the requested action to be authorized. For example,\n PhotoFlash::ReadPhoto.

" + } + }, + "resource": { + "target": "com.amazonaws.verifiedpermissions#EntityIdentifier", + "traits": { + "smithy.api#documentation": "

Specifies the resource that you want an authorization decision for. For example,\n PhotoFlash::Photo.

" + } + }, + "context": { + "target": "com.amazonaws.verifiedpermissions#ContextDefinition", + "traits": { + "smithy.api#documentation": "

Specifies additional context that can be used to make more granular authorization\n decisions.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

An authorization request that you include in a BatchIsAuthorizedWithToken\n API request.

" + } + }, + "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithTokenInputList": { + "type": "list", + "member": { + "target": "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithTokenInputItem" + }, + "traits": { + "smithy.api#length": { + "min": 1 + } + } + }, + "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithTokenOutput": { + "type": "structure", + "members": { + "principal": { + "target": "com.amazonaws.verifiedpermissions#EntityIdentifier", + "traits": { + "smithy.api#documentation": "

The identifier of the principal in the ID or access token.

" + } + }, + "results": { + "target": "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithTokenOutputList", + "traits": { + "smithy.api#documentation": "

A series of Allow or Deny decisions for each request, and\n the policies that produced them.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#output": {} + } + }, + "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithTokenOutputItem": { + "type": "structure", + "members": { + "request": { + "target": "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithTokenInputItem", + "traits": { + "smithy.api#documentation": "

The authorization request that initiated the decision.

", + "smithy.api#required": {} + } + }, + "decision": { + "target": "com.amazonaws.verifiedpermissions#Decision", + "traits": { + "smithy.api#documentation": "

An authorization decision that indicates if the authorization request should be allowed\n or denied.

", + "smithy.api#required": {} + } + }, + "determiningPolicies": { + "target": "com.amazonaws.verifiedpermissions#DeterminingPolicyList", + "traits": { + "smithy.api#documentation": "

The list of determining policies used to make the authorization decision. For example,\n if there are two matching policies, where one is a forbid and the other is a permit, then\n the forbid policy will be the determining policy. In the case of multiple matching permit\n policies then there would be multiple determining policies. In the case that no policies\n match, and hence the response is DENY, there would be no determining policies.

", + "smithy.api#required": {} + } + }, + "errors": { + "target": "com.amazonaws.verifiedpermissions#EvaluationErrorList", + "traits": { + "smithy.api#documentation": "

Errors that occurred while making an authorization decision. For example, a policy might\n reference an entity or attribute that doesn't exist in the request.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

The decision, based on policy evaluation, from an individual authorization request in a\n BatchIsAuthorizedWithToken API request.

" + } + }, + "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithTokenOutputList": { + "type": "list", + "member": { + "target": "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithTokenOutputItem" + } + }, "com.amazonaws.verifiedpermissions#BooleanAttribute": { "type": "boolean", "traits": { @@ -296,7 +458,7 @@ } }, "traits": { - "smithy.api#documentation": "

The type of entity that a policy store maps to groups from an Amazon Cognito user \n pool identity source.

\n

This data type is part of a CognitoUserPoolConfiguration structure and is a request parameter in CreateIdentitySource.

" + "smithy.api#documentation": "

A list of user groups and entities from an Amazon Cognito user pool identity\n source.

\n

This data type is part of a CognitoUserPoolConfiguration structure and is a request parameter in CreateIdentitySource.

" } }, "com.amazonaws.verifiedpermissions#CognitoGroupConfigurationDetail": { @@ -310,7 +472,7 @@ } }, "traits": { - "smithy.api#documentation": "

The type of entity that a policy store maps to groups from an Amazon Cognito user \n pool identity source.

\n

This data type is part of an CognitoUserPoolConfigurationDetail structure and is a response parameter to\n GetIdentitySource.

" + "smithy.api#documentation": "

A list of user groups and entities from an Amazon Cognito user pool identity\n source.

\n

This data type is part of an CognitoUserPoolConfigurationDetail structure and is a response parameter to\n GetIdentitySource.

" } }, "com.amazonaws.verifiedpermissions#CognitoGroupConfigurationItem": { @@ -324,7 +486,7 @@ } }, "traits": { - "smithy.api#documentation": "

The type of entity that a policy store maps to groups from an Amazon Cognito user \n pool identity source.

\n

This data type is part of an CognitoUserPoolConfigurationItem structure and is a response parameter to\n ListIdentitySources.

" + "smithy.api#documentation": "

A list of user groups and entities from an Amazon Cognito user pool identity\n source.

\n

This data type is part of an CognitoUserPoolConfigurationItem structure and is a response parameter to\n ListIdentitySources.

" } }, "com.amazonaws.verifiedpermissions#CognitoUserPoolConfiguration": { @@ -346,12 +508,12 @@ "groupConfiguration": { "target": "com.amazonaws.verifiedpermissions#CognitoGroupConfiguration", "traits": { - "smithy.api#documentation": "

The type of entity that a policy store maps to groups from an Amazon Cognito user \n pool identity source.

" + "smithy.api#documentation": "

The configuration of the user groups from an Amazon Cognito user pool identity\n source.

" } } }, "traits": { - "smithy.api#documentation": "

The configuration for an identity source that represents a connection to an Amazon Cognito user pool used\n as an identity provider for Verified Permissions.

\n

This data type is used as a field that is part of an Configuration structure that is\n used as a parameter to CreateIdentitySource.

\n

Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\":\n [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}\n

" + "smithy.api#documentation": "

The configuration for an identity source that represents a connection to an Amazon Cognito user pool used\n as an identity provider for Verified Permissions.

\n

This data type is used as a field that is part of an Configuration structure that is\n used as a parameter to CreateIdentitySource.

\n

Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\":\n [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"]}\n

" } }, "com.amazonaws.verifiedpermissions#CognitoUserPoolConfigurationDetail": { @@ -381,12 +543,12 @@ "groupConfiguration": { "target": "com.amazonaws.verifiedpermissions#CognitoGroupConfigurationDetail", "traits": { - "smithy.api#documentation": "

The type of entity that a policy store maps to groups from an Amazon Cognito user \n pool identity source.

" + "smithy.api#documentation": "

The configuration of the user groups from an Amazon Cognito user pool identity\n source.

" } } }, "traits": { - "smithy.api#documentation": "

The configuration for an identity source that represents a connection to an Amazon Cognito user pool used\n as an identity provider for Verified Permissions.

\n

This data type is used as a field that is part of an ConfigurationDetail structure that is\n part of the response to GetIdentitySource.

\n

Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\":\n [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}\n

" + "smithy.api#documentation": "

The configuration for an identity source that represents a connection to an Amazon Cognito user pool used\n as an identity provider for Verified Permissions.

\n

This data type is used as a field that is part of an ConfigurationDetail structure that is\n part of the response to GetIdentitySource.

\n

Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\":\n [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"]}\n

" } }, "com.amazonaws.verifiedpermissions#CognitoUserPoolConfigurationItem": { @@ -416,12 +578,12 @@ "groupConfiguration": { "target": "com.amazonaws.verifiedpermissions#CognitoGroupConfigurationItem", "traits": { - "smithy.api#documentation": "

The type of entity that a policy store maps to groups from an Amazon Cognito user \n pool identity source.

" + "smithy.api#documentation": "

The configuration of the user groups from an Amazon Cognito user pool identity\n source.

" } } }, "traits": { - "smithy.api#documentation": "

The configuration for an identity source that represents a connection to an Amazon Cognito user pool used\n as an identity provider for Verified Permissions.

\n

This data type is used as a field that is part of the ConfigurationItem structure that is\n part of the response to ListIdentitySources.

\n

Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\":\n [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}\n

" + "smithy.api#documentation": "

The configuration for an identity source that represents a connection to an Amazon Cognito user pool used\n as an identity provider for Verified Permissions.

\n

This data type is used as a field that is part of the ConfigurationItem structure that is\n part of the response to ListIdentitySources.

\n

Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\":\n [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"]}\n

" } }, "com.amazonaws.verifiedpermissions#Configuration": { @@ -435,7 +597,7 @@ } }, "traits": { - "smithy.api#documentation": "

Contains configuration information used when creating a new identity source.

\n \n

At this time, the only valid member of this structure is a Amazon Cognito user pool\n configuration.

\n

Specifies a userPoolArn, a groupConfiguration, and a\n ClientId.

\n
\n

This data type is used as a request parameter for the CreateIdentitySource\n operation.

" + "smithy.api#documentation": "

Contains configuration information used when creating a new identity source.

\n \n

At this time, the only valid member of this structure is a Amazon Cognito user pool\n configuration.

\n

You must specify a userPoolArn, and optionally, a\n ClientId.

\n
\n

This data type is used as a request parameter for the CreateIdentitySource\n operation.

" } }, "com.amazonaws.verifiedpermissions#ConfigurationDetail": { @@ -444,7 +606,7 @@ "cognitoUserPoolConfiguration": { "target": "com.amazonaws.verifiedpermissions#CognitoUserPoolConfigurationDetail", "traits": { - "smithy.api#documentation": "

Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of\n authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool,\n the policy store entity that you want to assign to user groups,\n and one or more application client IDs.

\n

Example:\n \"configuration\":{\"cognitoUserPoolConfiguration\":{\"userPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"clientIds\":\n [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}}\n

" + "smithy.api#documentation": "

Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of\n authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool\n and one or more application client IDs.

\n

Example:\n \"configuration\":{\"cognitoUserPoolConfiguration\":{\"userPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"clientIds\":\n [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}}\n

" } } }, @@ -458,7 +620,7 @@ "cognitoUserPoolConfiguration": { "target": "com.amazonaws.verifiedpermissions#CognitoUserPoolConfigurationItem", "traits": { - "smithy.api#documentation": "

Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of\n authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool,\n the policy store entity that you want to assign to user groups,\n and one or more application client IDs.

\n

Example:\n \"configuration\":{\"cognitoUserPoolConfiguration\":{\"userPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"clientIds\":\n [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}}\n

" + "smithy.api#documentation": "

Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of\n authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool\n and one or more application client IDs.

\n

Example:\n \"configuration\":{\"cognitoUserPoolConfiguration\":{\"userPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"clientIds\":\n [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}}\n

" } } }, @@ -2147,7 +2309,7 @@ "aws.iam#iamAction": { "documentation": "Grants permission to make an authorization decision about a service request described in the parameters. The principal in this request comes from an external identity source" }, - "smithy.api#documentation": "

Makes an authorization decision about a service request described in the parameters.\n The principal in this request comes from an external identity source in the form of an identity\n token formatted as a JSON web\n token (JWT). The information in the parameters can also define additional\n context that Verified Permissions can include in the evaluation. The request is evaluated against all\n matching policies in the specified policy store. The result of the decision is either\n Allow or Deny, along with a list of the policies that\n resulted in the decision.

\n \n

If you specify the identityToken parameter, then this operation\n derives the principal from that token. You must not also include that principal in\n the entities parameter or the operation fails and reports a conflict\n between the two entity sources.

\n

If you provide only an accessToken, then you can include the entity\n as part of the entities parameter to provide additional\n attributes.

\n
\n

At this time, Verified Permissions accepts tokens from only Amazon Cognito.

\n

Verified Permissions validates each token that is specified in a request by checking its expiration\n date and its signature.

\n \n

If you delete a Amazon Cognito user pool or user, tokens from that deleted pool or that deleted user continue to be usable until they expire.

\n
", + "smithy.api#documentation": "

Makes an authorization decision about a service request described in the parameters.\n The principal in this request comes from an external identity source in the form of an identity\n token formatted as a JSON web\n token (JWT). The information in the parameters can also define additional\n context that Verified Permissions can include in the evaluation. The request is evaluated against all\n matching policies in the specified policy store. The result of the decision is either\n Allow or Deny, along with a list of the policies that\n resulted in the decision.

\n

At this time, Verified Permissions accepts tokens from only Amazon Cognito.

\n

Verified Permissions validates each token that is specified in a request by checking its expiration\n date and its signature.

\n \n

If you delete a Amazon Cognito user pool or user, tokens from that deleted pool or that deleted user continue to be usable until they expire.

\n
", "smithy.api#readonly": {} } }, @@ -2194,7 +2356,7 @@ "entities": { "target": "com.amazonaws.verifiedpermissions#EntitiesDefinition", "traits": { - "smithy.api#documentation": "

Specifies the list of resources and their associated attributes that Verified Permissions can examine\n when evaluating the policies.

\n \n

You can include only resource and action entities in this parameter; you can't\n include principals.

\n
    \n
  • \n

    The IsAuthorizedWithToken operation takes principal\n attributes from \n only\n \n the identityToken or accessToken passed to the\n operation.

    \n
  • \n
  • \n

    For action entities, you can include only their Identifier\n and EntityType.

    \n
  • \n
\n
" + "smithy.api#documentation": "

Specifies the list of resources and their associated attributes that Verified Permissions can examine\n when evaluating the policies.

\n \n

You can't include principals in this parameter, only resource and action entities.\n This parameter can't include any entities of a type that matches the user or group\n entity types that you defined in your identity source.

\n
    \n
  • \n

    The IsAuthorizedWithToken operation takes principal\n attributes from \n only\n \n the identityToken or accessToken passed to the\n operation.

    \n
  • \n
  • \n

    For action entities, you can include only their Identifier\n and EntityType.

    \n
  • \n
\n
" } } }, @@ -2855,6 +3017,9 @@ { "target": "com.amazonaws.verifiedpermissions#BatchIsAuthorized" }, + { + "target": "com.amazonaws.verifiedpermissions#BatchIsAuthorizedWithToken" + }, { "target": "com.amazonaws.verifiedpermissions#GetSchema" }, @@ -3566,7 +3731,7 @@ } }, "traits": { - "smithy.api#documentation": "

The user group entities from an Amazon Cognito user pool identity\n source.

" + "smithy.api#documentation": "

A list of user groups and entities from an Amazon Cognito user pool identity\n source.

" } }, "com.amazonaws.verifiedpermissions#UpdateCognitoUserPoolConfiguration": {