fix: generate OAuth keys from cognito for amplify pull workflow

packages/amplify-category-auth/src/__tests__/provider-utils/awscloudformation/index.test.ts

@@ -1,7 +1,9 @@
 import { $TSContext } from '@aws-amplify/amplify-cli-core';
 import { updateConfigOnEnvInit } from '../../../provider-utils/awscloudformation/index';
+import { getOAuthObjectFromCognito } from '../../../provider-utils/awscloudformation/utils/get-oauth-secrets-from-cognito';
 
 jest.mock('@aws-amplify/amplify-environment-parameters');
+jest.mock('../../../provider-utils/awscloudformation/utils/get-oauth-secrets-from-cognito');
 jest.mock('@aws-amplify/amplify-cli-core', () => ({
   ...(jest.requireActual('@aws-amplify/amplify-cli-core') as {}),
   JSONUtilities: {
@@ -18,12 +20,14 @@ jest.mock('@aws-amplify/amplify-cli-core', () => ({
 const pluginInstanceMock = jest.fn();
 const loadResourceParametersMock = jest.fn().mockReturnValue({
   hostedUIProviderMeta:
-    '[{"ProviderName":"Facebook","authorize_scopes":"email,public_profile","AttributeMapping":{"email":"email","username":"id"}},{"ProviderName":"LoginWithAmazon","authorize_scopes":"profile profile:user_id","AttributeMapping":{"email":"email","username":"user_id"}},{"ProviderName":"Google","authorize_scopes":"openid email profile","AttributeMapping":{"email":"email","username":"sub"}}]',
+    '[{"ProviderName":"Facebook","authorize_scopes":"email,public_profile","AttributeMapping":{"email":"email","username":"id"}},{"ProviderName":"LoginWithAmazon","authorize_scopes":"profile profile:user_id","AttributeMapping":{"email":"email","username":"user_id"}},{"ProviderName":"Google","authorize_scopes":"openid email profile","AttributeMapping":{"email":"email","username":"sub"}},{"ProviderName":"SignInWithApple","authorize_scopes":"openid email profile","AttributeMapping":{"email":"email","username":"sub"}}]',
 });
 const pluginInstance = {
   loadResourceParameters: loadResourceParametersMock,
 };
 
+const getOAuthObjectFromCognitoMock = getOAuthObjectFromCognito as jest.MockedFunction<typeof getOAuthObjectFromCognito>;
+
 // mock context
 let mockContext = {
   amplify: {
@@ -61,8 +65,106 @@ let mockContext = {
   },
 } as unknown as $TSContext;
 
-test('throws amplify error when auth headless params are missing during pull', async () => {
-  expect(() => updateConfigOnEnvInit(mockContext, 'auth', 'Cognito')).rejects.toThrowErrorMatchingInlineSnapshot(
-    `"auth headless is missing the following inputParameters facebookAppIdUserPool, facebookAppSecretUserPool, loginwithamazonAppIdUserPool, loginwithamazonAppSecretUserPool, googleAppIdUserPool, googleAppSecretUserPool"`,
-  );
+describe('import checks', () => {
+  test('throws amplify error when auth headless params are missing during pull', async () => {
+    expect(() => updateConfigOnEnvInit(mockContext, 'auth', 'Cognito')).rejects.toThrowErrorMatchingInlineSnapshot(
+      `"auth headless is missing the following inputParameters facebookAppIdUserPool, facebookAppSecretUserPool, loginwithamazonAppIdUserPool, loginwithamazonAppSecretUserPool, googleAppIdUserPool, googleAppSecretUserPool"`,
+    );
+  });
+});
+
+describe('update config when amplify pull headless command', () => {
+  test('throws amplify error when auth headless params are missing during pull', async () => {
+    mockContext.input.command = 'pull';
+    getOAuthObjectFromCognitoMock.mockResolvedValue(undefined);
+    expect(() => updateConfigOnEnvInit(mockContext, 'auth', 'Cognito')).rejects.toThrowErrorMatchingInlineSnapshot(
+      `"auth headless is missing the following inputParameters facebookAppIdUserPool, facebookAppSecretUserPool, loginwithamazonAppIdUserPool, loginwithamazonAppSecretUserPool, googleAppIdUserPool, googleAppSecretUserPool"`,
+    );
+  });
+
+  test('works when secrets are fetched from userpool', async () => {
+    mockContext.input.command = 'pull';
+    getOAuthObjectFromCognitoMock.mockResolvedValue([
+      {
+        client_id: 'mockClientFacebook',
+        client_secret: 'mockSecretFacebook',
+        ProviderName: 'Facebook',
+      },
+      {
+        client_id: 'mockClientGoogle',
+        client_secret: 'mockSecretGoogle',
+        ProviderName: 'Google',
+      },
+      {
+        client_id: 'mockClientLoginWithAmazon',
+        client_secret: 'mockSecretLoginWithAmazon',
+        ProviderName: 'LoginWithAmazon',
+      },
+      {
+        client_id: 'mockClientSignInWithApple',
+        team_id: 'mockTeamIdSignInWithApple',
+        key_id: 'mockKeyIdSignInWithApple',
+        private_key: 'mockPrivayKeySignInWithApple',
+        ProviderName: 'SignInWithApple',
+      },
+    ]);
+    const params = await updateConfigOnEnvInit(mockContext, 'auth', 'Cognito');
+    expect(params).toMatchInlineSnapshot(`
+      Object {
+        "hostedUIProviderCreds": "[{\\"ProviderName\\":\\"Facebook\\"},{\\"ProviderName\\":\\"LoginWithAmazon\\"},{\\"ProviderName\\":\\"Google\\"},{\\"ProviderName\\":\\"SignInWithApple\\"}]",
+      }
+    `);
+  });
+
+  test('works when secrets are present in deployment params', async () => {
+    mockContext.input.command = 'pull';
+    getOAuthObjectFromCognitoMock.mockResolvedValue(undefined);
+    mockContext.amplify.loadEnvResourceParameters = jest.fn().mockReturnValue({
+      hostedUIProviderCreds:
+        '[{"ProviderName":"Facebook","client_id":"sdcsdc","client_secret":"bfdsvsr"},{"ProviderName":"Google","client_id":"avearver","client_secret":"vcvereger"},{"ProviderName":"LoginWithAmazon","client_id":"vercvdsavcer","client_secret":"revfdsavrtv"},{"ProviderName":"SignInWithApple","client_id":"vfdvergver","team_id":"ervervre","key_id":"vfdavervfer","private_key":"vaveb"}]',
+    });
+    const params = await updateConfigOnEnvInit(mockContext, 'auth', 'Cognito');
+    expect(params).toMatchInlineSnapshot(`
+      Object {
+        "hostedUIProviderCreds": "[{\\"ProviderName\\":\\"Facebook\\"},{\\"ProviderName\\":\\"LoginWithAmazon\\"},{\\"ProviderName\\":\\"Google\\"},{\\"ProviderName\\":\\"SignInWithApple\\"}]",
+      }
+    `);
+  });
+
+  test('test works when secrets are present in context input params', async () => {
+    mockContext.input.command = 'pull';
+    getOAuthObjectFromCognitoMock.mockResolvedValue(undefined);
+    mockContext.amplify.loadEnvResourceParameters = jest.fn().mockReturnValue('[]');
+    mockContext.exeInfo = {
+      inputParams: {
+        yes: true,
+        categories: {
+          auth: {
+            facebookAppIdUserPool: 'mockfacebookAppIdUserPool',
+            facebookAppSecretUserPool: 'facebookAppSecretUserPool',
+            googleAppIdUserPool: 'googleAppIdUserPool',
+            googleAppSecretUserPool: 'googleAppSecretUserPool',
+            loginwithamazonAppIdUserPool: 'loginwithamazonAppIdUserPool',
+            loginwithamazonAppSecretUserPool: 'loginwithamazonAppSecretUserPool',
+            signinwithappleClientIdUserPool: 'signinwithappleClientIdUserPool',
+            signinwithappleTeamIdUserPool: 'signinwithappleTeamIdUserPool',
+            signinwithappleKeyIdUserPool: 'signinwithappleKeyIdUserPool',
+            signinwithapplePrivateKeyUserPool: 'signinwithapplePrivateKeyUserPool',
+          },
+        },
+      },
+      localEnvInfo: {
+        projectPath: 'mockProjectPath',
+        defaultEditor: 'vscode',
+        envName: 'dev',
+        noUpdateBackend: false,
+      },
+    };
+    const params = await updateConfigOnEnvInit(mockContext, 'auth', 'Cognito');
+    expect(params).toMatchInlineSnapshot(`
+      Object {
+        "hostedUIProviderCreds": "[{\\"ProviderName\\":\\"Facebook\\",\\"client_id\\":\\"mockfacebookAppIdUserPool\\",\\"client_secret\\":\\"facebookAppSecretUserPool\\"},{\\"ProviderName\\":\\"LoginWithAmazon\\",\\"client_id\\":\\"loginwithamazonAppIdUserPool\\",\\"client_secret\\":\\"loginwithamazonAppSecretUserPool\\"},{\\"ProviderName\\":\\"Google\\",\\"client_id\\":\\"googleAppIdUserPool\\",\\"client_secret\\":\\"googleAppSecretUserPool\\"},{\\"ProviderName\\":\\"SignInWithApple\\",\\"client_id\\":\\"signinwithappleClientIdUserPool\\",\\"team_id\\":\\"signinwithappleTeamIdUserPool\\",\\"key_id\\":\\"signinwithappleKeyIdUserPool\\",\\"private_key\\":\\"signinwithapplePrivateKeyUserPool\\"}]",
+      }
+    `);
+  });
 });

packages/amplify-category-auth/src/provider-utils/awscloudformation/import/index.ts

@@ -897,7 +897,7 @@ const createEnvSpecificResourceParameters = (
   return envSpecificResourceParameters;
 };
 
-const createOAuthCredentials = (identityProviders: IdentityProviderType[]): string => {
+export const createOAuthCredentials = (identityProviders: IdentityProviderType[]): string => {
   const credentials = identityProviders.map((idp) => {
     if (idp.ProviderName === 'SignInWithApple') {
       return {

packages/amplify-category-auth/src/provider-utils/awscloudformation/index.ts

@@ -10,6 +10,7 @@ import { getAddAuthHandler, getUpdateAuthHandler } from './handlers/resource-han
 import { getSupportedServices } from '../supported-services';
 import { importResource, importedAuthEnvInit } from './import';
 import { AuthContext } from '../../context';
+import { getOAuthObjectFromCognito } from './utils/get-oauth-secrets-from-cognito';
 
 export { importResource } from './import';
 
@@ -133,6 +134,14 @@ export const updateConfigOnEnvInit = async (context: $TSContext, category: any,
 
   if (hostedUIProviderMeta) {
     currentEnvSpecificValues = getOAuthProviderKeys(currentEnvSpecificValues, resourceParams);
+    const authParamsFromCognito = await getOAuthObjectFromCognito(context, resourceParams.userPoolName);
+    // fill in the OAuthProvider Keys from userpool if missing from currentEnvValues
+    if (authParamsFromCognito) {
+      currentEnvSpecificValues = {
+        ...getOAuthProviderKeys({ hostedUIProviderCreds: JSON.stringify(authParamsFromCognito) }, resourceParams),
+        ...currentEnvSpecificValues,
+      };
+    }
   }
 
   // legacy headless mode (only supports init)

packages/amplify-category-auth/src/provider-utils/awscloudformation/utils/get-oauth-secrets-from-cognito.ts

@@ -0,0 +1,50 @@
+import { ICognitoUserPoolService } from '@aws-amplify/amplify-util-import';
+import { $TSContext, stateManager, JSONUtilities } from '@aws-amplify/amplify-cli-core';
+import { IdentityProviderType } from 'aws-sdk/clients/cognitoidentityserviceprovider';
+import { createOAuthCredentials } from '../import';
+
+/**
+ * get oAuth secrets from cognito only for amplify generated userPools
+ */
+export const getOAuthObjectFromCognito = async (
+  context: $TSContext,
+  userPoolName: string,
+): Promise<Array<OAuthProviderDetails> | undefined> => {
+  const { envName } = stateManager.getLocalEnvInfo();
+  const envUserPoolName = `${userPoolName}-${envName}`;
+  const cognito = (await context.amplify.invokePluginMethod(context, 'awscloudformation', undefined, 'createCognitoUserPoolService', [
+    context,
+  ])) as ICognitoUserPoolService;
+  const userPool = (await cognito.listUserPools()).filter((userPoolCognito) => userPoolCognito.Name === envUserPoolName)[0];
+  const userPoolId = userPool?.Id;
+  if (userPoolId) {
+    const identityProviders: IdentityProviderType[] = await cognito.listUserPoolIdentityProviders(userPoolId);
+    if (identityProviders.length > 0) {
+      const providerObj = JSONUtilities.parse<Array<OAuthProviderDetails>>(createOAuthCredentials(identityProviders));
+      return providerObj;
+    }
+  }
+  return undefined;
+};
+
+/**
+ *  type  for "Facebook"|"Google"|"LoginWithAmazon"
+ */
+export type GenericProviderDetails = {
+  ProviderName: string;
+  client_id: string;
+  client_secret: string;
+};
+
+/**
+ * type for SignInWithApple
+ */
+export type AppleProviderDetails = {
+  ProviderName: string;
+  client_id: string;
+  team_id: string;
+  key_id: string;
+  private_key: string;
+};
+
+export type OAuthProviderDetails = GenericProviderDetails | AppleProviderDetails;

packages/amplify-e2e-tests/src/__tests__/auth_2a.test.ts

@@ -1,10 +1,14 @@
 /* eslint-disable spellcheck/spell-checker */
 import {
   addAuthWithDefaultSocial,
+  addFunction,
+  amplifyPull,
   amplifyPushAuth,
   createNewProjectDir,
   deleteProject,
   deleteProjectDir,
+  generateRandomShortId,
+  getAppId,
   getProjectMeta,
   getUserPool,
   getUserPoolClients,
@@ -29,10 +33,11 @@ describe('amplify add auth...', () => {
   });
 
   it('...should init a project and add auth with defaultSocial', async () => {
-    await initJSProjectWithProfile(projRoot, defaultsSettings);
+    await initJSProjectWithProfile(projRoot, { ...defaultsSettings, disableAmplifyAppCreation: false });
     await addAuthWithDefaultSocial(projRoot);
     expect(isDeploymentSecretForEnvExists(projRoot, 'integtest')).toBeTruthy();
     await amplifyPushAuth(projRoot);
+    const appId = getAppId(projRoot);
     const meta = getProjectMeta(projRoot);
     expect(isDeploymentSecretForEnvExists(projRoot, 'integtest')).toBeFalsy();
     const authMeta = Object.keys(meta.auth).map((key) => meta.auth[key])[0];
@@ -47,5 +52,12 @@ describe('amplify add auth...', () => {
     expect(clients[0].UserPoolClient.CallbackURLs[0]).toEqual('https://www.google.com/');
     expect(clients[0].UserPoolClient.LogoutURLs[0]).toEqual('https://www.nytimes.com/');
     expect(clients[0].UserPoolClient.SupportedIdentityProviders).toHaveLength(5);
+
+    // amplify pull should work
+    const functionName = `testcorsfunction${generateRandomShortId()}`;
+    const projRoot2 = await createNewProjectDir('auth2');
+    await addFunction(projRoot, { functionTemplate: 'Hello World', name: functionName }, 'nodejs');
+    await amplifyPull(projRoot2, { emptyDir: true, appId, envName: 'integtest', yesFlag: true });
+    deleteProjectDir(projRoot2);
   });
 });