def test_get_group_by_name(standard_download, standard_upload):
    """Check that each known group name resolves to its fixture group."""
    # Each pair is (name passed to the lookup, fixture it must equal).
    expectations = (
        ("standard-download", standard_download),
        ("standard-upload", standard_upload),
    )

    for group_name, expected_group in expectations:
        assert get_group_by_name(group_name) == expected_group
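def delegate_auth_to_aws(session):
    """
    Populate the session from the caller's assumed IAM role.

    When running the admin interface locally, delegate the
    authentication step to AWS: the STS caller identity supplies the
    user name and role type, both read from the assumed role's name.

    Only the role types "admin" and "cognito" receive a session, and
    they are given the "admin-full" group. Every other identity leaves
    the session untouched: an ARN that is not an assumed role, a role
    name with no "-" separated role type, or any other role type.

    Args:
        session: Mutable mapping that receives the "attributes", "user",
            "email", "details" and "group" keys on success.

    NOTE(review): full admin rights are derived solely from the name of
    the IAM role behind the ambient AWS credentials. Confirm that callers
    only reach this function in a local/development configuration.
    """

    client = boto3.client("sts")
    caller = client.get_caller_identity()
    role_arn = caller.get("Arn", "")
    matched = re.search(r"assumed-role/([^/]+)/", role_arn)
    if matched is None:
        # Not an assumed-role ARN (e.g. an IAM user or a missing Arn):
        # fail closed instead of raising AttributeError on None.
        return

    # role_name should look like `first.last-role_type`
    role_name_components = matched.group(1).split("-")
    if len(role_name_components) < 2:
        # No role type in the role name: fail closed instead of raising
        # IndexError below.
        return

    # The role type is taken positionally (second component), so extra
    # hyphens in the role name shift what is read as the role type.
    user_name = role_name_components[0]
    role_type = role_name_components[1]

    if role_type in ["admin", "cognito"]:
        user_group = get_group_by_name("admin-full")
        user_email = f"{user_name}@aws"

        session["attributes"] = {
            "custom:is_la": "0",
            "custom:paths": "",
            "email": user_email,
        }
        session["user"] = user_email
        session["email"] = user_email
        session["details"] = "yes"
        session["group"] = user_group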
    def group(username):
        """Return the group for the first group name listed for *username*.

        The lookup response is read for a "Groups" list; entries without a
        "GroupName" key are ignored. If no name is found, ``None`` is
        passed to ``get_group_by_name``.
        """
        response = cognito.list_groups_for_user(username)

        memberships = response["Groups"] if "Groups" in response else []
        names = [
            entry["GroupName"] for entry in memberships if "GroupName" in entry
        ]

        # A user may be listed in several groups; only the first one is used.
        # NOTE(review): with multiple memberships the resulting access level
        # depends on the order the response lists them in. Confirm that order
        # is stable, or that users are limited to a single group.
        first_name = names[0] if names else None

        LOG.debug("User group returns: %s", first_name)
        return get_group_by_name(first_name)
def parse_edit_form_fields(post_fields: dict, admin_user_object: dict,
                           app: Flask):
    """Apply the sanitised edit-form fields to *admin_user_object*.

    Sets "name", "phone_number", "custom:is_la", "group" and
    "custom:paths" on the user object and returns that same object.
    Requested paths that fail ``requested_path_matches_user_type`` are
    dropped and reported through ``app.logger.error``.

    Args:
        post_fields: Submitted form data. It must provide ``getlist()``;
            the annotation says ``dict``, but this is presumably a
            multi-value form mapping (confirm against the caller).
        admin_user_object: User record, mutated in place. Its "email"
            key is read when a path is rejected.
        app: Application whose logger records rejected paths.

    Raises:
        KeyError: If "full-name", "telephone-number", "is-la-radio" or
            "account" is absent from the submitted fields.
    """
    # NOTE(review): as written, .replace("&", "&") is a no-op. It was
    # presumably meant to undo an HTML-escaped ampersand; confirm against
    # the original file.
    cleaned_paths = [
        sanitise_string(input_path).replace("&", "&")
        for input_path in post_fields.getlist("custom_paths")
    ]
    sanitised_fields = {"custom_paths": cleaned_paths}
    sanitised_fields.update({
        field_name: sanitise_input(post_fields, field_name)
        for field_name in post_fields
        if field_name != "custom_paths"
    })

    admin_user_object["name"] = sanitised_fields["full-name"]
    admin_user_object["phone_number"] = sanitised_fields["telephone-number"]

    is_local_authority = sanitised_fields["is-la-radio"] == "yes"
    # NOTE(review): the group comes straight from the submitted "account"
    # field. Confirm the caller restricts which groups the acting admin is
    # allowed to assign.
    user_group = get_group_by_name(sanitised_fields["account"])

    if is_local_authority:
        admin_user_object["custom:is_la"] = "1"
    else:
        admin_user_object["custom:is_la"] = "0"
    admin_user_object["group"] = user_group

    permitted_paths = []
    for candidate_path in sanitised_fields["custom_paths"]:
        if not requested_path_matches_user_type(is_local_authority,
                                                candidate_path):
            # Rejected paths are never stored; the denial is logged only.
            app.logger.error({
                "error": "User denied access to requested path",
                "user": admin_user_object["email"],
                "path": candidate_path,
            })
            continue
        permitted_paths.append(candidate_path)

    # NOTE(review): paths are stored ";"-joined. Confirm the sanitiser or
    # the path check rejects ";" inside a single path, so that one submitted
    # value cannot be read back as several stored paths.
    admin_user_object["custom:paths"] = ";".join(permitted_paths)
    return admin_user_object