async def get(self):
    """
    Provide information about site configuration for the frontend.

    Assembles the profile document the frontend loads once per session:
    branding/support links, the caller's identity and contractor flag,
    coarse authorization bits, per-page enablement flags and the
    account-id -> name map. The result is written as a JSON body.

    :return: None; the profile is written to the response.
    """
    contractor = config.config_plugin().is_contractor(self.user)

    branding = {
        "consoleme_logo": await get_random_security_logo(),
        "google_tracking_uri": config.get("google_analytics.tracking_url"),
        "documentation_url": config.get("documentation_page"),
        "support_contact": config.get("support_contact"),
        "support_chat_url": config.get("support_chat_url"),
        "security_logo": config.get("security_logo.image"),
        "security_url": config.get("security_logo.url"),
    }

    # Coarse authorization flags the UI uses to show/hide controls. They are
    # advisory only; each API endpoint re-checks authorization on its own.
    authorization = {
        "can_edit_policies": can_admin_policies(self.user, self.groups),
        "can_create_roles": can_create_roles(self.user, self.groups),
        "can_delete_roles": can_delete_roles(self.user, self.groups),
    }

    group_access_enabled = config.get("headers.group_access.enabled", False)
    pages = {
        "header": {
            "custom_header_message_title": config.get(
                "headers.custom_header_message.title", ""
            ),
            "custom_header_message_text": config.get(
                "headers.custom_header_message.text", ""
            ),
        },
        # "users" and "groups" are gated by the same config key.
        "groups": {"enabled": group_access_enabled},
        "users": {"enabled": group_access_enabled},
        # Contractors never see policy editing or self-service, regardless
        # of the config default.
        "policies": {
            "enabled": config.get("headers.policies.enabled", True)
            and not contractor
        },
        "self_service": {
            "enabled": config.get("enable_self_service", True) and not contractor
        },
        "api_health": {
            "enabled": is_in_group(
                self.user,
                self.groups,
                config.get("groups.can_edit_health_alert", []),
            )
        },
        "audit": {
            "enabled": is_in_group(
                self.user, self.groups, config.get("groups.can_audit", [])
            )
        },
        "config": {"enabled": can_edit_dynamic_config(self.user, self.groups)},
    }

    user_profile = {
        "site_config": branding,
        "user": self.user,
        "can_logout": config.get("auth.set_auth_cookie"),
        "is_contractor": contractor,
        "employee_photo_url": config.config_plugin().get_employee_photo_url(
            self.user
        ),
        "employee_info_url": config.config_plugin().get_employee_info_url(
            self.user
        ),
        "authorization": authorization,
        "pages": pages,
        "accounts": await get_account_id_to_name_mapping(),
    }

    self.set_header("Content-Type", "application/json")
    self.write(user_profile)
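async def delete(self, account_id, role_name):
    """
    DELETE /api/v2/roles/{account_id}/{role_name}

    Deletes an IAM role after confirming the caller is allowed to delete
    roles, then forces a refresh of the cached copy of the role so the UI
    stops serving stale data.

    :param account_id: AWS account id taken from the URL path.
    :param role_name: Name of the role to delete, taken from the URL path.
    :return: None; a JSON status document or an error is written to the
        response.
    """
    if not self.user:
        self.write_error(403, message="No user detected")
        return

    log_data = {
        "user": self.user,
        "function": f"{__name__}.{self.__class__.__name__}.{sys._getframe().f_code.co_name}",
        "user-agent": self.request.headers.get("User-Agent"),
        "request_id": self.request_uuid,
        "ip": self.ip,
        "account": account_id,
        "role": role_name,
    }

    can_delete_role = can_delete_roles(self.user, self.groups)
    # One tag set for both the unauthorized and exception metrics so the
    # two series can be pivoted on identical dimensions.
    metric_tags = {
        "user": self.user,
        "account": account_id,
        "role": role_name,
        "authorized": can_delete_role,
        "ip": self.ip,
    }

    if not can_delete_role:
        stats.count(f"{log_data['function']}.unauthorized", tags=metric_tags)
        log_data["message"] = "User is unauthorized to delete a role"
        log.error(log_data)
        self.write_error(403, message="User is unauthorized to delete a role")
        return

    try:
        await delete_iam_role(account_id, role_name, self.user)
    except Exception as e:
        log_data["message"] = "Exception deleting role"
        log.error(log_data, exc_info=True)
        stats.count(f"{log_data['function']}.exception", tags=metric_tags)
        # NOTE(review): str(e) forwards the raw backend error text (which may
        # carry ARNs, account ids or permission details) to the client; the
        # full detail is already in the log line above, so a generic message
        # here would be enough for the UI. Left unchanged to keep the
        # frontend contract intact.
        self.write_error(500, message="Error occurred deleting role: " + str(e))
        return

    # If here, the role has been deleted. Refresh the cached copy so stale
    # data is not served. A failed refresh must not turn a successful
    # deletion into a 500 for the caller, so it is logged and ignored.
    arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    try:
        await aws.fetch_iam_role(account_id, arn, force_refresh=True)
    except Exception:
        log_data["message"] = "Role deleted but cache refresh failed"
        log.error(log_data, exc_info=True)

    response_json = {
        "status": "success",
        "message": "Successfully deleted role from account",
        "role": role_name,
        "account": account_id,
    }
    self.write(response_json)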