Merge branch 'main' into main

Author: bmoffatt

.github/workflows/lint.yml

@@ -3,21 +3,24 @@ on:
   push:
   pull_request:
 
+permissions:
+  # Required: allow read access to the content for analysis.
+  contents: read
+  # Optional: allow read access to pull request. Use with `only-new-issues` option.
+  pull-requests: read
+  # Optional: allow write access to checks to allow the action to annotate code in the PR.
+  checks: write
+
 jobs:
   lint:
     name: run golangci-golint on the project
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
-          go-version: '^1'
-      
-      - run: go version
-
-      - uses: actions/checkout@v3
-
+          go-version: 'stable'
       - name: golangci-golint
-        run: |
-          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.55.2
-          ./bin/golangci-lint run -v ./...
-       
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: v1.64.5

.github/workflows/tests.yml

@@ -11,6 +11,8 @@ jobs:
       fail-fast: false
       matrix:
         go:
+          - "1.24"
+          - "1.23"
           - "1.22"
           - "1.21"
           - "1.20"

.golangci.yml

@@ -11,14 +11,17 @@ linters:
     - unused
     - stylecheck
 
-run:
-  skip-files:
+issues:
+  exclude-dirs:
     # These were code-generated, and cannot be changed without breaking RPC compatibility.
-    - lambda/messages/*.go
+    - lambda/messages
 
 linters-settings:
+  staticcheck:
+    checks:
+      - all
+      - '-SA1029'
   stylecheck:
-    go: "1.20"
     checks:
       - "all"
     initialisms:
@@ -43,6 +46,7 @@ linters-settings:
       - "IP"
       - "JSON"
       - "MQTT"
+      - "OTF"
       - "QPS"
       - "RAM"
       - "RPC"

events/cognito.go

@@ -54,12 +54,23 @@ type CognitoEventUserPoolsPreTokenGen struct {
 
 // CognitoEventUserPoolsPreTokenGenV2 is sent by Amazon Cognito User Pools when a user attempts to retrieve
 // credentials, allowing a Lambda to perform insert, suppress or override claims and scopes
+//
+// Deprecated: Use CognitoEventUserPoolsPreTokenGenV2_0 instead.
+// This struct incorrectly restricts the ClaimsToAddOrOverride values as strings, but Cogntio supports any type.
 type CognitoEventUserPoolsPreTokenGenV2 struct {
 	CognitoEventUserPoolsHeader
 	Request  CognitoEventUserPoolsPreTokenGenV2Request  `json:"request"`
 	Response CognitoEventUserPoolsPreTokenGenV2Response `json:"response"`
 }
 
+// CognitoEventUserPoolsPreTokenGenV2_0 is sent by Amazon Cognito User Pools when a user attempts to retrieve
+// credentials, allowing a Lambda to perform insert, suppress or override claims and scopes
+type CognitoEventUserPoolsPreTokenGenV2_0 struct {
+	CognitoEventUserPoolsHeader
+	Request  CognitoEventUserPoolsPreTokenGenRequestV2_0  `json:"request"`
+	Response CognitoEventUserPoolsPreTokenGenResponseV2_0 `json:"response"`
+}
+
 // CognitoEventUserPoolsPostAuthentication is sent by Amazon Cognito User Pools after a user is authenticated,
 // allowing the Lambda to add custom logic.
 type CognitoEventUserPoolsPostAuthentication struct {
@@ -134,23 +145,40 @@ type CognitoEventUserPoolsPreTokenGenRequest struct {
 }
 
 // CognitoEventUserPoolsPreTokenGenV2Request contains request portion of V2 PreTokenGen event
+//
+// Deprecated: Use CognitoEventUserPoolsPreTokenGenRequestV2_0 instead
 type CognitoEventUserPoolsPreTokenGenV2Request struct {
 	UserAttributes     map[string]string  `json:"userAttributes"`
 	GroupConfiguration GroupConfiguration `json:"groupConfiguration"`
 	ClientMetadata     map[string]string  `json:"clientMetadata,omitempty"`
 	Scopes             []string           `json:"scopes"`
 }
 
+// CognitoEventUserPoolsPreTokenGenRequestV2_0 contains request portion of V2 PreTokenGen event
+type CognitoEventUserPoolsPreTokenGenRequestV2_0 struct {
+	UserAttributes     map[string]string      `json:"userAttributes"`
+	GroupConfiguration GroupConfigurationV2_0 `json:"groupConfiguration"`
+	ClientMetadata     map[string]string      `json:"clientMetadata,omitempty"`
+	Scopes             []string               `json:"scopes"`
+}
+
 // CognitoEventUserPoolsPreTokenGenResponse contains the response portion of a PreTokenGen event
 type CognitoEventUserPoolsPreTokenGenResponse struct {
 	ClaimsOverrideDetails ClaimsOverrideDetails `json:"claimsOverrideDetails"`
 }
 
 // CognitoEventUserPoolsPreTokenGenV2Response contains the response portion of a V2 PreTokenGen event
+//
+// Deprecated: Use CognitoEventUserPoolsPreTokenGenResponseV2_0 instead
 type CognitoEventUserPoolsPreTokenGenV2Response struct {
 	ClaimsAndScopeOverrideDetails ClaimsAndScopeOverrideDetails `json:"claimsAndScopeOverrideDetails"`
 }
 
+// CognitoEventUserPoolsPreTokenGenResponseV2_0 contains the response portion of a V2 PreTokenGen event
+type CognitoEventUserPoolsPreTokenGenResponseV2_0 struct {
+	ClaimsAndScopeOverrideDetails ClaimsAndScopeOverrideDetailsV2_0 `json:"claimsAndScopeOverrideDetails"`
+}
+
 // CognitoEventUserPoolsPostAuthenticationRequest contains the request portion of a PostAuthentication event
 type CognitoEventUserPoolsPostAuthenticationRequest struct {
 	NewDeviceUsed  bool              `json:"newDeviceUsed"`
@@ -179,26 +207,51 @@ type CognitoEventUserPoolsMigrateUserResponse struct {
 }
 
 // ClaimsAndScopeOverrideDetails allows lambda to add, suppress or override V2 claims and scopes in the token
+//
+// Deprecated: Use ClaimsAndScopeOverrideDetailsV2_0 instead
 type ClaimsAndScopeOverrideDetails struct {
 	IDTokenGeneration     IDTokenGeneration     `json:"idTokenGeneration"`
 	AccessTokenGeneration AccessTokenGeneration `json:"accessTokenGeneration"`
 	GroupOverrideDetails  GroupConfiguration    `json:"groupOverrideDetails"`
 }
 
+// ClaimsAndScopeOverrideDetailsV2 allows lambda to add, suppress or override V2 claims and scopes in the token
+type ClaimsAndScopeOverrideDetailsV2_0 struct {
+	IDTokenGeneration     IDTokenGenerationV2_0     `json:"idTokenGeneration"`
+	AccessTokenGeneration AccessTokenGenerationV2_0 `json:"accessTokenGeneration"`
+	GroupOverrideDetails  GroupConfigurationV2_0    `json:"groupOverrideDetails"`
+}
+
 // IDTokenGeneration allows lambda to modify the ID token
 type IDTokenGeneration struct {
 	ClaimsToAddOrOverride map[string]string `json:"claimsToAddOrOverride"`
 	ClaimsToSuppress      []string          `json:"claimsToSuppress"`
 }
 
+// IDTokenGenerationV2_0 allows lambda to modify the ID token
+type IDTokenGenerationV2_0 struct {
+	ClaimsToAddOrOverride map[string]interface{} `json:"claimsToAddOrOverride"`
+	ClaimsToSuppress      []string               `json:"claimsToSuppress"`
+}
+
 // AccessTokenGeneration allows lambda to modify the access token
+//
+// Deprecated: Use AccessTokenGenerationV2_0 instead
 type AccessTokenGeneration struct {
 	ClaimsToAddOrOverride map[string]string `json:"claimsToAddOrOverride"`
 	ClaimsToSuppress      []string          `json:"claimsToSuppress"`
 	ScopesToAdd           []string          `json:"scopesToAdd"`
 	ScopesToSuppress      []string          `json:"scopesToSuppress"`
 }
 
+// AccessTokenGenerationV2_0 allows lambda to modify the access token
+type AccessTokenGenerationV2_0 struct {
+	ClaimsToAddOrOverride map[string]interface{} `json:"claimsToAddOrOverride"`
+	ClaimsToSuppress      []string               `json:"claimsToSuppress"`
+	ScopesToAdd           []string               `json:"scopesToAdd"`
+	ScopesToSuppress      []string               `json:"scopesToSuppress"`
+}
+
 // ClaimsOverrideDetails allows lambda to add, suppress or override claims in the token
 type ClaimsOverrideDetails struct {
 	GroupOverrideDetails  GroupConfiguration `json:"groupOverrideDetails"`
@@ -213,6 +266,13 @@ type GroupConfiguration struct {
 	PreferredRole      *string  `json:"preferredRole"`
 }
 
+// GroupConfigurationV2_0 allows lambda to override groups, roles and set a preferred role
+type GroupConfigurationV2_0 struct {
+	GroupsToOverride   []string `json:"groupsToOverride"`
+	IAMRolesToOverride []string `json:"iamRolesToOverride"`
+	PreferredRole      *string  `json:"preferredRole"`
+}
+
 // CognitoEventUserPoolsChallengeResult represents a challenge that is presented to the user in the authentication
 // process that is underway, along with the corresponding result.
 type CognitoEventUserPoolsChallengeResult struct {

events/cognito_test.go

@@ -162,6 +162,28 @@ func TestCognitoEventUserPoolsPreTokenGenV2Marshaling(t *testing.T) {
 	test.AssertJsonsEqual(t, inputJSON, outputJSON)
 }
 
+func TestCognitoEventUserPoolsPreTokenGenV2_0Marshaling(t *testing.T) {
+	// read json from file
+	inputJSON, err := ioutil.ReadFile("./testdata/cognito-event-userpools-pretokengen-v2_0.json")
+	if err != nil {
+		t.Errorf("could not open test file. details: %v", err)
+	}
+
+	// de-serialize into CognitoEvent
+	var inputEvent CognitoEventUserPoolsPreTokenGenV2_0
+	if err := json.Unmarshal(inputJSON, &inputEvent); err != nil {
+		t.Errorf("could not unmarshal event. details: %v", err)
+	}
+
+	// serialize to json
+	outputJSON, err := json.Marshal(inputEvent)
+	if err != nil {
+		t.Errorf("could not marshal event. details: %v", err)
+	}
+
+	test.AssertJsonsEqual(t, inputJSON, outputJSON)
+}
+
 func TestCognitoEventUserPoolsDefineAuthChallengeMarshaling(t *testing.T) {
 	var inputEvent CognitoEventUserPoolsDefineAuthChallenge
 	test.AssertJsonFile(t, "./testdata/cognito-event-userpools-define-auth-challenge.json", &inputEvent)

events/testdata/cognito-event-userpools-pretokengen-v2_0.json

@@ -0,0 +1,73 @@
+{
+  "version": "2",
+  "triggerSource": "TokenGeneration_Authentication",
+  "region": "us-east-1",
+  "userPoolId": "us-east-1_EXAMPLE",
+  "userName": "testuser",
+  "callerContext": {
+    "awsSdkVersion": "aws-sdk-unknown-unknown",
+    "clientId": "1example23456789"
+  },
+  "request": {
+    "userAttributes": {
+      "sub": "a36036a8-9061-424d-a737-56d57dae7bc6",
+      "cognito:email_alias": "[email protected]",
+      "cognito:user_status": "CONFIRMED",
+      "email_verified": "true",
+      "email": "[email protected]"
+    },
+    "groupConfiguration": {
+      "groupsToOverride": [],
+      "iamRolesToOverride": [],
+      "preferredRole": null
+    },
+    "scopes": [
+      "aws.cognito.signin.user.admin"
+    ]
+  },
+  "response": {
+    "claimsAndScopeOverrideDetails": {
+      "idTokenGeneration": {
+        "claimsToAddOrOverride": {
+          "family_name": "xyz",
+          "favorite_number": 2
+        },
+        "claimsToSuppress": [
+          "email",
+          "birthdate"
+        ]
+      },
+      "accessTokenGeneration": {
+        "claimsToAddOrOverride": {
+          "family_name": "xyz",
+          "favorite_number": 2
+        },
+        "claimsToSuppress": [
+          "email",
+          "birthdate"
+        ],
+        "scopesToAdd": [
+          "scope1",
+          "scope2",
+          "scopeLomond"
+        ],
+        "scopesToSuppress": [
+          "phone_number"
+        ]
+      },
+      "groupOverrideDetails": {
+        "groupsToOverride": [
+          "group-A",
+          "group-B",
+          "group-C"
+        ],
+        "iamRolesToOverride": [
+          "arn:aws:iam::123456789012:role/sns_callerA",
+          "arn:aws:iam::123456789012:role/sns_callerB",
+          "arn:aws:iam::123456789012:role/sns_callerC"
+        ],
+        "preferredRole": "arn:aws:iam::123456789012:role/sns_caller"
+      }
+    }
+  }
+}