def reset_password_forced(email, old_password, new_password): """ Change the user's password if user is in forced password change state """ client = get_boto_client('cognito-idp') # try to authenticate and see if cognito responds with new password challenge try: response = client.admin_initiate_auth( UserPoolId=settings.COGNITO_USER_POOL_ID, ClientId=settings.COGNITO_APP_ID, AuthFlow='ADMIN_NO_SRP_AUTH', AuthParameters={ 'USERNAME': email, 'PASSWORD': old_password }) except client.exceptions.NotAuthorizedException: raise exceptions.NotAuthorizedException except client.exceptions.UserNotConfirmedException: raise exceptions.UserNotConfirmedException except client.exceptions.UserNotFoundException: raise exceptions.UserNotFoundException # change password as admin - user has already proven they know old password if response.get('ChallengeName') == 'NEW_PASSWORD_REQUIRED': try: client.admin_set_user_password( UserPoolId=settings.COGNITO_USER_POOL_ID, Username=email, Password=new_password, Permanent=True) except ParamValidationError: raise exceptions.ParamValidationError
def create_sub_user(email): client = get_boto_client('cognito-idp') temp_password = create_temp_password() try: response = client.admin_create_user( UserPoolId=settings.COGNITO_USER_POOL_ID, Username=email, UserAttributes=[{ 'Name': 'email', 'Value': email }], TemporaryPassword=temp_password, DesiredDeliveryMediums=['EMAIL']) except client.exceptions.UsernameExistsException: raise exceptions.UsernameExistsException else: # when ready, use this method below instead #attrs = {a['Name']: a['Value'] for a in response['User']['Attributes']} #return attrs.get('sub') # TODO: clean this up for attr in response['User']['Attributes']: if attr['Name'] == 'sub': return attr['Value']
def create_user(email, password, registration_method="email"): # using this to add superusers as well, with registration "superuser", lambda checks this client = get_boto_client('cognito-idp') try: response = client.sign_up(ClientId=settings.COGNITO_APP_ID, Username=email, Password=password, UserAttributes=[{ 'Name': 'email', 'Value': email }], ValidationData=[ { 'Name': 'registration_method', 'Value': registration_method }, ]) except ParamValidationError: raise exceptions.ParamValidationError except client.exceptions.InvalidParameterException: raise exceptions.InvalidParameterException except client.exceptions.UsernameExistsException: raise exceptions.UsernameExistsException else: return response.get('UserSub')
def sign_in_user(email, password): client = get_boto_client('cognito-idp') try: response = client.admin_initiate_auth( UserPoolId=settings.COGNITO_USER_POOL_ID, ClientId=settings.COGNITO_APP_ID, AuthFlow='ADMIN_NO_SRP_AUTH', # must configure app client AuthParameters={ 'USERNAME': email, 'PASSWORD': password } ) except client.exceptions.NotAuthorizedException: raise exceptions.NotAuthorizedException except client.exceptions.UserNotConfirmedException: raise exceptions.UserNotConfirmedException except client.exceptions.UserNotFoundException: raise exceptions.UserNotFoundException # check if password change required if response.get('ChallengeName') == 'NEW_PASSWORD_REQUIRED': raise exceptions.NewPasswordRequiredError return { 'access_token': response['AuthenticationResult']['AccessToken'], 'refresh_token': response['AuthenticationResult']['RefreshToken'], 'id_token': response['AuthenticationResult']['IdToken'] }
def get_presigned_url(object_key, bucket, expiration_secs): client = get_boto_client('s3') url = client.generate_presigned_url('get_object', Params={'Bucket': bucket, 'Key': object_key}, ExpiresIn=expiration_secs) return url
def put_firehose_record(payload, stream_name): # newline is the record deliminator so remove it from inside the record data = json.dumps(payload).replace('\n', '') client = get_boto_client('firehose') client.put_record(DeliveryStreamName=stream_name, Record={'Data': data + '\n'})
def delete_cloudwatch_rule(rule_name): if rule_name is None: return client = get_boto_client('events') client.remove_targets(Rule=rule_name, Ids=["1"]) client.delete_rule(Name=rule_name)
def get_global_config(): client = get_boto_client('dynamodb') data = client.scan(TableName=settings.DYNAMO_CONFIG_TABLE_NAME, ) items = dynamodb_json_util.loads(data['Items']) config = {item['name']: item['value'] for item in items} return config
def verify_user_attribute(attribute, code, access_token): client = get_boto_client('cognito-idp') try: client.verify_user_attribute(AccessToken=access_token, AttributeName=attribute, Code=code) except client.exceptions.CodeMismatchException: raise exceptions.CodeMismatchException
def update_account(email, attrs): client = get_boto_client('cognito-idp') try: client.admin_update_user_attributes( UserPoolId=settings.COGNITO_USER_POOL_ID, Username=email, UserAttributes=attrs) except client.exceptions.AliasExistsException: raise exceptions.AliasExistsException
def verify_email(email): client = get_boto_client('cognito-idp') client.admin_update_user_attributes( UserPoolId=settings.COGNITO_USER_POOL_ID, Username=email, UserAttributes=[ { 'Name': 'email_verified', 'Value': 'true' }, ])
def get_is_email_verified(email): client = get_boto_client('cognito-idp') cognito_response = client.admin_get_user( UserPoolId=settings.COGNITO_USER_POOL_ID, Username=email) for attr in cognito_response['UserAttributes']: if attr['Name'] == 'email_verified': return attr['Value'] == 'true' return False
def get_dynamodb_credentials(short_name): client = get_boto_client('dynamodb') item = client.get_item(TableName=settings.S3_USER_CREDENTIALS_TABLE, Key={'organization': { 'S': short_name }}) print(short_name) print(item) item = dynamodb_json_util.loads(item)['Item'] return item['credentials']
def change_password(old_password, new_password, access_token): client = get_boto_client('cognito-idp') try: client.change_password(PreviousPassword=old_password, ProposedPassword=new_password, AccessToken=access_token) except client.exceptions.NotAuthorizedException: raise exceptions.NotAuthorizedException except client.exceptions.LimitExceededException: raise exceptions.LimitExceededException except ParamValidationError: raise exceptions.ParamValidationError
def refresh_access_token(refresh_token): client = get_boto_client('cognito-idp') try: response = client.initiate_auth(ClientId=settings.COGNITO_APP_ID, AuthFlow='REFRESH_TOKEN_AUTH', AuthParameters={ 'REFRESH_TOKEN': refresh_token, }) except client.exceptions.NotAuthorizedException: raise exceptions.NotAuthorizedException return response['AuthenticationResult'][ 'AccessToken'] # fixme: is this safe?
def delete_all_users(): assert settings.STAGE != 'production' client = get_boto_client('cognito-idp') response = client.list_users( UserPoolId=settings.COGNITO_USER_POOL_ID, AttributesToGet=[ 'email', ], ) users = response['Users'] print("...removing %d Cognito users" % (len(users))) for user in users: sub = user['Username'] client.admin_delete_user(UserPoolId=settings.COGNITO_USER_POOL_ID, Username=sub)
def get_files(prefix, suffix, bucket_name): s3_client = get_boto_client('s3') response = s3_client.list_objects( Bucket=bucket_name, EncodingType='url', Prefix=prefix ) is_truncated = response['IsTruncated'] next_marker = response.get('NextMarker') # if is_truncated, use next_marker contents = response.get('Contents', None) if contents is not None: objects = [c['Key'] for c in contents if c['Key'].endswith(suffix)] return objects else: return []
def reset_password_start(email): """ Start the password reset flow - sends an email to the user """ client = get_boto_client('cognito-idp') try: client.forgot_password(ClientId=settings.COGNITO_APP_ID, Username=email) except client.exceptions.NotAuthorizedException: raise exceptions.NotAuthorizedException except client.exceptions.InvalidParameterException: raise exceptions.InvalidParameterException except client.exceptions.LimitExceededException: raise exceptions.LimitExceededException except client.exceptions.UserNotFoundException: raise exceptions.UserNotFoundException
def create_dynamodb_credentials(org_short_name, username, password, permissions): assert isinstance(permissions, list) client = get_boto_client('dynamodb') item = { 'organization': org_short_name, 'credentials': [{ 'p': password, 'u': username, 'permissions': permissions }] } dynamodb_json = dynamodb_json_util.dumps(item) dynamodb_json = json.loads(dynamodb_json) client.put_item(TableName=settings.S3_USER_CREDENTIALS_TABLE, Item=dynamodb_json)
def delete_testing_users(): # remove testing users that start with a digit client = get_boto_client('cognito-idp') response = client.list_users( UserPoolId=settings.COGNITO_USER_POOL_ID, AttributesToGet=[ 'email', ], ) users = response['Users'] print("...retrieving %d Cognito users" % (len(users))) for user in users: for attr in user['Attributes']: if attr['Name'] == 'email' and attr['Value'][0].isdigit(): print("...removing %s" % attr['Value']) sub = user['Username'] client.admin_delete_user( UserPoolId=settings.COGNITO_USER_POOL_ID, Username=sub) break
def reset_password_confirm(email, code, password): """ Complete the password reset flow - use code and new password to change """ client = get_boto_client('cognito-idp') try: client.confirm_forgot_password(ClientId=settings.COGNITO_APP_ID, Username=email, ConfirmationCode=code, Password=password) except client.exceptions.CodeMismatchException: raise exceptions.CodeMismatchException except client.exceptions.ExpiredCodeException: raise exceptions.ExpiredCodeException except client.exceptions.UserNotFoundException: raise exceptions.UserNotFoundException except ParamValidationError: raise exceptions.ParamValidationError
def put_s3_item(body, bucket, object_key): client = get_boto_client('s3') client.put_object(Body=body, Bucket=bucket, Key=object_key)
def confirm_account(email): client = get_boto_client('cognito-idp') client.admin_confirm_sign_up(UserPoolId=settings.COGNITO_USER_POOL_ID, Username=email)
def sign_out_user(email): client = get_boto_client('cognito-idp') client.admin_user_global_sign_out(UserPoolId=settings.COGNITO_USER_POOL_ID, Username=email)