## [Start] Determine request authentication mode ** #if( $util.isNullOrEmpty($authMode) && !$util.isNull($ctx.identity) && !$util.isNull($ctx.identity.sub) && !$util.isNull($ctx.identity.issuer) && !$util.isNull($ctx.identity.username) && !$util.isNull($ctx.identity.claims) && !$util.isNull($ctx.identity.sourceIp) && !$util.isNull($ctx.identity.defaultAuthStrategy) ) #set( $authMode = "userPools" ) #end ## [End] Determine request authentication mode ** ## [Start] Check authMode and execute owner/group checks ** #if( $authMode == "userPools" ) ## [Start] Static Group Authorization Checks ** #set($isStaticGroupAuthorized = $util.defaultIfNull( $isStaticGroupAuthorized, false)) ## Authorization rule: { allow: groups, groups: ["AdminGroup"], groupClaim: "cognito:groups" } ** #set( $userGroups = $util.defaultIfNull($ctx.identity.claims.get("cognito:groups"), []) ) #set( $allowedGroups = ["AdminGroup"] ) #foreach( $userGroup in $userGroups ) #if( $allowedGroups.contains($userGroup) ) #set( $isStaticGroupAuthorized = true ) #break #end #end ## Authorization rule: { allow: groups, groups: ["ManagerGroup"], groupClaim: "cognito:groups" } ** #set( $userGroups = $util.defaultIfNull($ctx.identity.claims.get("cognito:groups"), []) ) #set( $allowedGroups = ["ManagerGroup"] ) #foreach( $userGroup in $userGroups ) #if( $allowedGroups.contains($userGroup) ) #set( $isStaticGroupAuthorized = true ) #break #end #end ## Authorization rule: { allow: groups, groups: ["AssociateGroup"], groupClaim: "cognito:groups" } ** #set( $userGroups = $util.defaultIfNull($ctx.identity.claims.get("cognito:groups"), []) ) #set( $allowedGroups = ["AssociateGroup"] ) #foreach( $userGroup in $userGroups ) #if( $allowedGroups.contains($userGroup) ) #set( $isStaticGroupAuthorized = true ) #break #end #end ## Authorization rule: { allow: groups, groups: ["EngineerGroup"], groupClaim: "cognito:groups" } ** #set( $userGroups = $util.defaultIfNull($ctx.identity.claims.get("cognito:groups"), []) ) #set( $allowedGroups = ["EngineerGroup"] ) #foreach( $userGroup in $userGroups ) #if( $allowedGroups.contains($userGroup) ) #set( $isStaticGroupAuthorized = true ) #break #end #end ## [End] Static Group Authorization Checks ** #if( ! $isStaticGroupAuthorized ) ## No dynamic group authorization rules ** ## No owner authorization rules ** ## [Start] Collect Auth Condition ** #set( $authCondition = $util.defaultIfNull($authCondition, { "expression": "", "expressionNames": {}, "expressionValues": {} }) ) #set( $totalAuthExpression = "" ) ## Add dynamic group auth conditions if they exist ** #if( $groupAuthExpressions ) #foreach( $authExpr in $groupAuthExpressions ) #set( $totalAuthExpression = "$totalAuthExpression $authExpr" ) #if( $foreach.hasNext ) #set( $totalAuthExpression = "$totalAuthExpression OR" ) #end #end #end #if( $groupAuthExpressionNames ) $util.qr($authCondition.expressionNames.putAll($groupAuthExpressionNames)) #end #if( $groupAuthExpressionValues ) $util.qr($authCondition.expressionValues.putAll($groupAuthExpressionValues)) #end ## Add owner auth conditions if they exist ** #if( $totalAuthExpression != "" && $ownerAuthExpressions && $ownerAuthExpressions.size() > 0 ) #set( $totalAuthExpression = "$totalAuthExpression OR" ) #end #if( $ownerAuthExpressions ) #foreach( $authExpr in $ownerAuthExpressions ) #set( $totalAuthExpression = "$totalAuthExpression $authExpr" ) #if( $foreach.hasNext ) #set( $totalAuthExpression = "$totalAuthExpression OR" ) #end #end #end #if( $ownerAuthExpressionNames ) $util.qr($authCondition.expressionNames.putAll($ownerAuthExpressionNames)) #end #if( $ownerAuthExpressionValues ) $util.qr($authCondition.expressionValues.putAll($ownerAuthExpressionValues)) #end ## Set final expression if it has changed. ** #if( $totalAuthExpression != "" ) #if( $util.isNullOrEmpty($authCondition.expression) ) #set( $authCondition.expression = "($totalAuthExpression)" ) #else #set( $authCondition.expression = "$authCondition.expression AND ($totalAuthExpression)" ) #end #end ## [End] Collect Auth Condition ** #end ## [Start] Throw if unauthorized ** #if( !($isStaticGroupAuthorized == true || ($totalAuthExpression != "")) ) $util.unauthorized() #end ## [End] Throw if unauthorized ** #end ## [End] Check authMode and execute owner/group checks ** ## [Start] Validate update mutation for @key 'ByDevice'. ** #set( $hasSeenSomeKeyArg = false ) #set( $keyFieldNames = ["areaName", "status", "processName", "stationName", "deviceName", "created"] ) #foreach( $keyFieldName in $keyFieldNames ) #if( $ctx.args.input.containsKey("$keyFieldName") ) #set( $hasSeenSomeKeyArg = true ) #end #end #foreach( $keyFieldName in $keyFieldNames ) #if( $hasSeenSomeKeyArg && !$ctx.args.input.containsKey("$keyFieldName") ) $util.error("When updating any part of the composite sort key for @key 'ByDevice', you must provide all fields for the key. Missing key: '$keyFieldName'.") #end #end ## [End] Validate update mutation for @key 'ByDevice'. ** #if( $util.isNull($dynamodbNameOverrideMap) ) #set( $dynamodbNameOverrideMap = { "areaName#status#processName#stationName#deviceName#created": "areaNameStatusProcessNameStationNameDeviceNameCreated" } ) #else $util.qr($dynamodbNameOverrideMap.put("areaName#status#processName#stationName#deviceName#created", "areaNameStatusProcessNameStationNameDeviceNameCreated")) #end $util.qr($ctx.args.input.put("areaName#status#processName#stationName#deviceName#created","${ctx.args.input.areaName}#${ctx.args.input.status}#${ctx.args.input.processName}#${ctx.args.input.stationName}#${ctx.args.input.deviceName}#${ctx.args.input.created}")) ## [Start] Validate update mutation for @key 'BySiteAreaStatus'. ** #set( $hasSeenSomeKeyArg = false ) #set( $keyFieldNames = ["areaName", "status", "processName", "eventDescription", "stationName", "deviceName", "created"] ) #foreach( $keyFieldName in $keyFieldNames ) #if( $ctx.args.input.containsKey("$keyFieldName") ) #set( $hasSeenSomeKeyArg = true ) #end #end #foreach( $keyFieldName in $keyFieldNames ) #if( $hasSeenSomeKeyArg && !$ctx.args.input.containsKey("$keyFieldName") ) $util.error("When updating any part of the composite sort key for @key 'BySiteAreaStatus', you must provide all fields for the key. Missing key: '$keyFieldName'.") #end #end ## [End] Validate update mutation for @key 'BySiteAreaStatus'. ** #if( $util.isNull($dynamodbNameOverrideMap) ) #set( $dynamodbNameOverrideMap = { "areaName#status#processName#eventDescription#stationName#deviceName#created": "areaNameStatusProcessNameEventDescriptionStationNameDeviceNameCreated" } ) #else $util.qr($dynamodbNameOverrideMap.put("areaName#status#processName#eventDescription#stationName#deviceName#created", "areaNameStatusProcessNameEventDescriptionStationNameDeviceNameCreated")) #end $util.qr($ctx.args.input.put("areaName#status#processName#eventDescription#stationName#deviceName#created","${ctx.args.input.areaName}#${ctx.args.input.status}#${ctx.args.input.processName}#${ctx.args.input.eventDescription}#${ctx.args.input.stationName}#${ctx.args.input.deviceName}#${ctx.args.input.created}")) ## [Start] Set the primary @key. ** #set( $modelObjectKey = { "id": $util.dynamodb.toDynamoDB($ctx.args.input.id) } ) ## [End] Set the primary @key. ** ## [Start] Inject @versioned condition.. ** #set( $versionedCondition = { "expression": "#version = :expectedVersion", "expressionValues": { ":expectedVersion": $util.dynamodb.toDynamoDB($ctx.args.input.expectedVersion) }, "expressionNames": { "#version": "version" } } ) #set( $newVersion = $ctx.args.input.expectedVersion + 1 ) $util.qr($ctx.args.input.put("version", $newVersion)) $util.qr($ctx.args.input.remove("expectedVersion")) ## [End] Inject @versioned condition.. ** #if( $authCondition && $authCondition.expression != "" ) #set( $condition = $authCondition ) #if( $modelObjectKey ) #foreach( $entry in $modelObjectKey.entrySet() ) $util.qr($condition.put("expression", "$condition.expression AND attribute_exists(#keyCondition$velocityCount)")) $util.qr($condition.expressionNames.put("#keyCondition$velocityCount", "$entry.key")) #end #else $util.qr($condition.put("expression", "$condition.expression AND attribute_exists(#id)")) $util.qr($condition.expressionNames.put("#id", "id")) #end #else #if( $modelObjectKey ) #set( $condition = { "expression": "", "expressionNames": {}, "expressionValues": {} } ) #foreach( $entry in $modelObjectKey.entrySet() ) #if( $velocityCount == 1 ) $util.qr($condition.put("expression", "attribute_exists(#keyCondition$velocityCount)")) #else $util.qr($condition.put("expression", "$condition.expression AND attribute_exists(#keyCondition$velocityCount)")) #end $util.qr($condition.expressionNames.put("#keyCondition$velocityCount", "$entry.key")) #end #else #set( $condition = { "expression": "attribute_exists(#id)", "expressionNames": { "#id": "id" }, "expressionValues": {} } ) #end #end ## Automatically set the updatedAt timestamp. ** $util.qr($context.args.input.put("updatedAt", $util.defaultIfNull($ctx.args.input.updatedAt, $util.time.nowISO8601()))) ## Update condition if type is @versioned ** #if( $versionedCondition ) $util.qr($condition.put("expression", "($condition.expression) AND $versionedCondition.expression")) $util.qr($condition.expressionNames.putAll($versionedCondition.expressionNames)) $util.qr($condition.expressionValues.putAll($versionedCondition.expressionValues)) #end #if( $context.args.condition ) #set( $conditionFilterExpressions = $util.parseJson($util.transform.toDynamoDBConditionExpression($context.args.condition)) ) $util.qr($condition.put("expression", "($condition.expression) AND $conditionFilterExpressions.expression")) $util.qr($condition.expressionNames.putAll($conditionFilterExpressions.expressionNames)) $util.qr($condition.expressionValues.putAll($conditionFilterExpressions.expressionValues)) #end #if( $condition.expressionValues && $condition.expressionValues.size() == 0 ) #set( $condition = { "expression": $condition.expression, "expressionNames": $condition.expressionNames } ) #end #set( $expNames = {} ) #set( $expValues = {} ) #set( $expSet = {} ) #set( $expAdd = {} ) #set( $expRemove = [] ) #if( $modelObjectKey ) #set( $keyFields = [] ) #foreach( $entry in $modelObjectKey.entrySet() ) $util.qr($keyFields.add("$entry.key")) #end #else #set( $keyFields = ["id"] ) #end #foreach( $entry in $util.map.copyAndRemoveAllKeys($context.args.input, $keyFields).entrySet() ) #if( !$util.isNull($dynamodbNameOverrideMap) && $dynamodbNameOverrideMap.containsKey("$entry.key") ) #set( $entryKeyAttributeName = $dynamodbNameOverrideMap.get("$entry.key") ) #else #set( $entryKeyAttributeName = $entry.key ) #end #if( $util.isNull($entry.value) ) #set( $discard = $expRemove.add("#$entryKeyAttributeName") ) $util.qr($expNames.put("#$entryKeyAttributeName", "$entry.key")) #else $util.qr($expSet.put("#$entryKeyAttributeName", ":$entryKeyAttributeName")) $util.qr($expNames.put("#$entryKeyAttributeName", "$entry.key")) $util.qr($expValues.put(":$entryKeyAttributeName", $util.dynamodb.toDynamoDB($entry.value))) #end #end #set( $expression = "" ) #if( !$expSet.isEmpty() ) #set( $expression = "SET" ) #foreach( $entry in $expSet.entrySet() ) #set( $expression = "$expression $entry.key = $entry.value" ) #if( $foreach.hasNext() ) #set( $expression = "$expression," ) #end #end #end #if( !$expAdd.isEmpty() ) #set( $expression = "$expression ADD" ) #foreach( $entry in $expAdd.entrySet() ) #set( $expression = "$expression $entry.key $entry.value" ) #if( $foreach.hasNext() ) #set( $expression = "$expression," ) #end #end #end #if( !$expRemove.isEmpty() ) #set( $expression = "$expression REMOVE" ) #foreach( $entry in $expRemove ) #set( $expression = "$expression $entry" ) #if( $foreach.hasNext() ) #set( $expression = "$expression," ) #end #end #end #set( $update = {} ) $util.qr($update.put("expression", "$expression")) #if( !$expNames.isEmpty() ) $util.qr($update.put("expressionNames", $expNames)) #end #if( !$expValues.isEmpty() ) $util.qr($update.put("expressionValues", $expValues)) #end { "version": "2017-02-28", "operation": "UpdateItem", "key": #if( $modelObjectKey ) $util.toJson($modelObjectKey) #else { "id": { "S": "$context.args.input.id" } } #end, "update": $util.toJson($update), "condition": $util.toJson($condition) }