Press n or j to go to the next uncovered block, b, p or k for the previous block.
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 | 1x 11x 1x 10x 1x 9x 9x 1x 8x 8x 1x 1x 7x 7x 7x 7x 7x 6x 6x 2x 4x 1x 3x 2x 1x 1x 5x 5x 5x 5x 1x 5x 1x 1x 1x | import { APIGatewayEvent } from "aws-lambda";
import { getAuthDetails, lookupUserAttributes } from "libs/api/auth/user";
import { produceMessage } from "libs/api/kafka";
import { response } from "libs/handler-lib";
import { RoleRequest } from "react-app/src/api";
import { canRequestAccess, canSelfRevokeAccess, canUpdateAccess } from "shared-utils";
import { submitGroupDivision } from "./submitGroupDivision";
import { getLatestActiveRoleByEmail, getUserByEmail } from "./userManagementService";
type RoleStatus = "active" | "denied" | "pending" | "revoked";
export const submitRoleRequests = async (event: APIGatewayEvent) => {
if (!event?.body) {
return response({
statusCode: 400,
body: { message: "Event body required" },
});
}
if (!event?.requestContext) {
return response({
statusCode: 400,
body: { message: "Request context required" },
});
}
const topicName = process.env.topicName as string;
if (!topicName) {
throw new Error("Topic name is not defined");
}
let authDetails;
try {
authDetails = getAuthDetails(event);
} catch (err) {
console.error(err);
return response({
statusCode: 401,
body: { message: "User not authenticated" },
});
}
try {
const { userId, poolId } = authDetails;
const userAttributes = await lookupUserAttributes(userId, poolId);
const userInfo = await getUserByEmail(userAttributes?.email);
const latestActiveRole =
(await getLatestActiveRoleByEmail(userAttributes.email))?.role ?? "norole";
// if (!latestActiveRoleObj) {
// return response({
// statusCode: 403,
// body: { message: "No active role found for user" },
// });
// }
const {
email,
state,
role: roleToUpdate,
eventType,
grantAccess = "pending",
requestRoleChange,
group = null,
division = null,
} = JSON.parse(event.body) as RoleRequest;
let status: RoleStatus;
// Determine the status based on the user's role and action
// Not a role request change; user is updating another role access request
if (!requestRoleChange && canUpdateAccess(latestActiveRole, roleToUpdate)) {
status = grantAccess;
} else if (
!requestRoleChange &&
grantAccess === "revoked" &&
canSelfRevokeAccess(latestActiveRole, userInfo.email, email)
) {
// Not a role request change; user is revoking their own access
status = "revoked";
} else if (requestRoleChange && canRequestAccess(latestActiveRole)) {
// User is permitted to request a role change
status = "pending";
} else {
console.warn(`Unauthorized action attempt by ${userInfo.email}`);
return response({
statusCode: 403,
body: { message: "You are not authorized to perform this action." },
});
}
const id = `${email}_${state}_${roleToUpdate}`;
const date = Date.now(); // correct time format?
await produceMessage(
topicName,
id,
JSON.stringify({
eventType,
email,
status,
territory: state,
role: roleToUpdate, // role for this state or newly requested role
doneByEmail: userInfo.email,
doneByName: userInfo.fullName, // full name of current user. Cognito (userAttributes) may have a different full name
date,
group,
division,
}),
);
// Update group and division info for new cmsroleapprovers
if (
canUpdateAccess(latestActiveRole, roleToUpdate) &&
grantAccess === "active" &&
group &&
division
) {
await submitGroupDivision({ userEmail: email, group, division });
}
return response({
statusCode: 200,
body: {
message: `Request to access ${state} has been submitted.`,
eventType,
email,
status,
territory: state,
role: roleToUpdate, // role for this state
doneByEmail: userAttributes.email,
doneByName: userInfo.fullName, // full name of current user. Cognito (userAttributes) may have a different full name
date,
},
});
} catch (err: unknown) {
console.log("An error occurred: ", err);
return response({
statusCode: 500,
body: { message: "Internal server error" },
});
}
};
export const handler = submitRoleRequests;
|