Update policy generator and return errors on empty policies

asfadmin · Oct 21, 2022 · f4a39ef · f4a39ef
1 parent 85b7e8b
commit f4a39ef
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 2 deletions.
diff --git a/lambda/app.py b/lambda/app.py
@@ -976,6 +976,19 @@ def s3credentials():
     policy = b_map.to_iam_policy(groups)
     log.debug("policy: %s", policy)
 
+    if policy is None:
+        template_vars = {
+            "contentstring": "You do not have permission to access any data.",
+            "title": "Could not access data",
+            "requestid": get_request_id()
+        }
+        return make_html_response(
+            template_vars,
+            authorizer.get_success_response_headers(),
+            403,
+            "error.html"
+        )
+
     app_name = app.current_request.headers.get("app-name", "")
     role_session_name = get_role_session_name(user_profile.user_id, app_name)
 

diff --git a/requirements/requirements.in b/requirements/requirements.in
@@ -2,5 +2,5 @@ cachetools
 cfnresponse
 chalice
 flatdict
-git+https://github.com/asfadmin/rain-api-core.git@6acd2cb943cb552c525bc5320297f62b812a33ba
+git+https://github.com/asfadmin/rain-api-core.git@5acfb6403df35e302ad6d7ccdc050a51e4c827a7
 netaddr
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
@@ -52,7 +52,7 @@ pyyaml==6.0
     # via
     #   chalice
     #   rain-api-core
-rain-api-core @ git+https://github.com/asfadmin/rain-api-core.git@6acd2cb943cb552c525bc5320297f62b812a33ba
+rain-api-core @ git+https://github.com/asfadmin/rain-api-core.git@5acfb6403df35e302ad6d7ccdc050a51e4c827a7
     # via -r requirements/requirements.in
 readchar==4.0.3
     # via inquirer

diff --git a/tests/test_app.py b/tests/test_app.py
@@ -1441,6 +1441,34 @@ def test_s3credentials_unauthenticated(
     assert response.status_code == 301
 
 
+@mock.patch(f"{MODULE}.get_yaml_file", autospec=True)
+@mock.patch(f"{MODULE}.JwtManager.get_profile_from_headers", autospec=True)
+@mock.patch(f"{MODULE}.b_map", None)
+def test_s3credentials_no_permissions(
+    mock_get_profile,
+    mock_get_yaml_file,
+    mock_get_urs_creds,
+    mock_make_html_response,
+    user_profile,
+    client
+):
+    mock_get_yaml_file.return_value = {}
+    mock_get_profile.return_value = user_profile
+
+    client.http.get("/s3credentials")
+
+    mock_make_html_response.assert_called_once_with(
+        {
+            "contentstring": "You do not have permission to access any data.",
+            "title": "Could not access data",
+            "requestid": app.app.lambda_context.aws_request_id
+        },
+        {},
+        403,
+        "error.html"
+    )
+
+
 @mock.patch(f"{MODULE}.boto3")
 def test_get_s3_credentials(mock_boto3, monkeypatch):
     monkeypatch.setenv("EGRESS_APP_DOWNLOAD_ROLE_INREGION_ARN", "aws:role:arn")