# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
import json
import utils
# These are the roles being supported in this reference architecture
class UserRoles:
SYSTEM_ADMIN = "SystemAdmin"
CUSTOMER_SUPPORT = "CustomerSupport"
TENANT_ADMIN = "TenantAdmin"
TENANT_USER = "TenantUser"
def isTenantAdmin(user_role):
if (user_role == UserRoles.TENANT_ADMIN):
return True
else:
return False
def isSystemAdmin(user_role):
if (user_role == UserRoles.SYSTEM_ADMIN):
return True
else:
return False
def isSaaSProvider(user_role):
if (user_role == UserRoles.SYSTEM_ADMIN or user_role == UserRoles.CUSTOMER_SUPPORT):
return True
else:
return False
def isTenantUser(user_role):
if (user_role == UserRoles.TENANT_USER):
return True
else:
return False
def getPolicyForUser(user_role, service_identifier, tenant_id, region, aws_account_id):
""" This method is being used by Authorizer to get appropriate policy by user role
Args:
user_role (string): UserRoles enum
tenant_id (string):
region (string):
aws_account_id (string):
Returns:
string: policy that tenant needs to assume
"""
iam_policy = ""
if (isSystemAdmin(user_role)):
iam_policy = __getPolicyForSystemAdmin(region, aws_account_id)
elif (isTenantAdmin(user_role)):
iam_policy = __getPolicyForTenantAdmin(tenant_id, service_identifier, region, aws_account_id)
elif (isTenantUser(user_role)):
iam_policy = __getPolicyForTenantUser(tenant_id, region, aws_account_id)
return iam_policy
def __getPolicyForSystemAdmin(region, aws_account_id):
policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:UpdateItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem",
"dynamodb:Query",
"dynamodb:Scan"
],
"Resource": [
"arn:aws:dynamodb:{0}:{1}:table/*".format(region, aws_account_id),
]
}
]
}
return json.dumps(policy)
def __getPolicyForTenantAdmin(tenant_id, sevice_identifier, region, aws_account_id):
if (sevice_identifier == utils.Service_Identifier.SHARED_SERVICES.value):
policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:UpdateItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query"
],
"Resource": [
"arn:aws:dynamodb:{0}:{1}:table/ServerlessSaaS-TenantUserMapping".format(region, aws_account_id),
"arn:aws:dynamodb:{0}:{1}:table/ServerlessSaaS-TenantDetails".format(region, aws_account_id)
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"{0}".format(tenant_id)
]
}
}
},
{
"Effect": "Allow",
"Action": [
"dynamodb:UpdateItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem",
"dynamodb:Query"
],
"Resource": [
"arn:aws:dynamodb:{0}:{1}:table/ServerlessSaaS-TenantStackMapping".format(region, aws_account_id),
"arn:aws:dynamodb:{0}:{1}:table/ServerlessSaaS-Settings".format(region, aws_account_id)
]
}
]
}
else:
policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:UpdateItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem",
"dynamodb:Query"
],
"Resource": [
"arn:aws:dynamodb:{0}:{1}:table/Product-*".format(region, aws_account_id),
],
"Condition": {
"ForAllValues:StringLike": {
"dynamodb:LeadingKeys": [
"{0}-*".format(tenant_id)
]
}
}
},
{
"Effect": "Allow",
"Action": [
"dynamodb:UpdateItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem",
"dynamodb:Query"
],
"Resource": [
"arn:aws:dynamodb:{0}:{1}:table/Order-*".format(region, aws_account_id),
],
"Condition": {
"ForAllValues:StringLike": {
"dynamodb:LeadingKeys": [
"{0}-*".format(tenant_id)
]
}
}
}
]
}
return json.dumps(policy)
def __getPolicyForTenantUser(tenant_id, region, aws_account_id):
policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:UpdateItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem",
"dynamodb:Query"
],
"Resource": [
"arn:aws:dynamodb:{0}:{1}:table/Product-*".format(region, aws_account_id),
],
"Condition": {
"ForAllValues:StringLike": {
"dynamodb:LeadingKeys": [
"{0}-*".format(tenant_id)
]
}
}
},
{
"Effect": "Allow",
"Action": [
"dynamodb:UpdateItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem",
"dynamodb:Query"
],
"Resource": [
"arn:aws:dynamodb:{0}:{1}:table/Order-*".format(region, aws_account_id),
],
"Condition": {
"ForAllValues:StringLike": {
"dynamodb:LeadingKeys": [
"{0}-*".format(tenant_id)
]
}
}
}
]
}
return json.dumps(policy)