def test_get_group_by_name(standard_download, standard_upload):
group = get_group_by_name("standard-download")
assert group == standard_download
group = get_group_by_name("standard-upload")
assert group == standard_upload
def delegate_auth_to_aws(session):
"""
When running the admin interface locally delegate the
authentication step to get the user credentials and
role from the assumed IAM role
"""
client = boto3.client("sts")
caller = client.get_caller_identity()
role_arn = caller.get("Arn", "")
matched = re.search("assumed-role/([^/]+)/", role_arn)
# role_name should look like `first.last-role_type`
role_name = matched.group(1)
role_name_components = role_name.split("-")
user_name = role_name_components[0]
role_type = role_name_components[1]
if role_type in ["admin", "cognito"]:
user_group = get_group_by_name("admin-full")
user_email = f"{user_name}@aws"
session["attributes"] = {
"custom:is_la": "0",
"custom:paths": "",
"email": user_email,
}
session["user"] = user_email
session["email"] = user_email
session["details"] = "yes"
session["group"] = user_group
def group(username):
response = cognito.list_groups_for_user(username)
groups = []
if "Groups" in response:
for group in response["Groups"]:
if "GroupName" in group:
groups.append(group["GroupName"])
# Currently you can attach a list of users in cognito
# but we're currently only interested in the first group
group_name = None if len(groups) == 0 else groups[0]
LOG.debug("User group returns: %s", group_name)
return get_group_by_name(group_name)
def parse_edit_form_fields(post_fields: dict, admin_user_object: dict,
app: Flask):
sanitised_fields = {
"custom_paths": [
sanitise_string(input_path).replace("&", "&")
for input_path in post_fields.getlist("custom_paths")
]
}
for field in post_fields:
if field != "custom_paths":
sanitised_fields[field] = sanitise_input(post_fields, field)
admin_user_object["name"] = sanitised_fields["full-name"]
admin_user_object["phone_number"] = sanitised_fields["telephone-number"]
is_local_authority = sanitised_fields["is-la-radio"] == "yes"
user_group = get_group_by_name(sanitised_fields["account"])
admin_user_object["custom:is_la"] = "1" if is_local_authority else "0"
admin_user_object["group"] = user_group
custom_path_multiple = []
for requested_path in sanitised_fields["custom_paths"]:
if requested_path_matches_user_type(is_local_authority,
requested_path):
custom_path_multiple.append(requested_path)
else:
app.logger.error({
"error": "User denied access to requested path",
"user": admin_user_object["email"],
"path": requested_path,
})
admin_user_object["custom:paths"] = str.join(";", custom_path_multiple)
return admin_user_object