Add RESTful API for managing Groups members

aws/iam/main.tf

@@ -37,7 +37,11 @@ resource "aws_iam_policy" "server" {
   name        = local.server_policy_name
   description = local.server_policy_description
 
-  policy = file("${path.module}/policy/${local.server_policy_name}.json")
+  policy = templatefile(
+    "${path.module}/policy/${local.server_policy_name}.tftpl.json", {
+      COGNITO_USER_POOL_ID = var.COGNITO_USER_POOL_ID
+    }
+  )
 }
 
 moved {

aws/iam/policy/NextstrainDotOrgServerInstance-testing.json → aws/iam/policy/NextstrainDotOrgServerInstance-testing.tftpl.json

@@ -43,6 +43,18 @@
         "arn:aws:s3:::nextstrain-groups/test/*",
         "arn:aws:s3:::nextstrain-groups/test-private/*"
       ]
+    },
+    {
+      "Sid": "CognitoUserPoolActions",
+      "Effect": "Allow",
+      "Action": [
+        "cognito-idp:AdminAddUserToGroup",
+        "cognito-idp:AdminRemoveUserFromGroup",
+        "cognito-idp:ListUsersInGroup"
+      ],
+      "Resource": [
+        "arn:aws:cognito-idp:us-east-1:827581582529:userpool/${COGNITO_USER_POOL_ID}"
+      ]
     }
   ]
 }

aws/iam/policy/NextstrainDotOrgServerInstance.json → aws/iam/policy/NextstrainDotOrgServerInstance.tftpl.json

@@ -32,6 +32,18 @@
       "Resource": [
         "arn:aws:s3:::nextstrain-groups/*"
       ]
+    },
+    {
+      "Sid": "CognitoUserPoolActions",
+      "Effect": "Allow",
+      "Action": [
+        "cognito-idp:AdminAddUserToGroup",
+        "cognito-idp:AdminRemoveUserFromGroup",
+        "cognito-idp:ListUsersInGroup"
+      ],
+      "Resource": [
+        "arn:aws:cognito-idp:us-east-1:827581582529:userpool/${COGNITO_USER_POOL_ID}"
+      ]
     }
   ]
 }

aws/iam/variable-COGNITO_USER_POOL_ID.tf

@@ -0,0 +1 @@
+../variable-COGNITO_USER_POOL_ID.tf

aws/variable-COGNITO_USER_POOL_ID.tf

@@ -0,0 +1,4 @@
+variable "COGNITO_USER_POOL_ID" {
+  type        = string
+  description = "Id of the Cognito user pool for this environment"
+}

docs/api-restful.rst

@@ -293,6 +293,16 @@ The following group settings endpoints exist::
 
     {GET, HEAD, PUT, DELETE, OPTIONS} /groups/{name}/settings/overview
 
+The following group membership endpoints exist::
+
+    {GET, HEAD, OPTIONS} /groups/{name}/settings/members
+
+    {GET, HEAD, OPTIONS} /groups/{name}/settings/roles
+
+    {GET, HEAD, OPTIONS} /groups/{name}/settings/roles/{role}/members
+
+    {GET, HEAD, PUT, DELETE, OPTIONS} /groups/{name}/settings/roles/{role}/members/{username}
+
 .. _motivation:
 
 Motivation

env/production/terraform.tf

@@ -52,6 +52,8 @@ module "iam" {
   }
 
   env = "production"
+
+  COGNITO_USER_POOL_ID = module.cognito.COGNITO_USER_POOL_ID
 }
 
 moved {

env/testing/terraform.tf

@@ -46,4 +46,6 @@ module "iam" {
   }
 
   env = "testing"
+
+  COGNITO_USER_POOL_ID = module.cognito.COGNITO_USER_POOL_ID
 }

src/app.js

@@ -348,6 +348,21 @@ app.routeAsync("/groups/:groupName/settings/overview")
   .optionsAsync(optionsGroup)
 ;
 
+app.routeAsync("/groups/:groupName/settings/members")
+  .getAsync(endpoints.groups.listMembers);
+
+app.routeAsync("/groups/:groupName/settings/roles")
+  .getAsync(endpoints.groups.listRoles);
+
+app.routeAsync("/groups/:groupName/settings/roles/:roleName/members")
+  .getAsync(endpoints.groups.listRoleMembers);
+
+app.routeAsync("/groups/:groupName/settings/roles/:roleName/members/:username")
+  .getAsync(endpoints.groups.getRoleMember)
+  .putAsync(endpoints.groups.putRoleMember)
+  .deleteAsync(endpoints.groups.deleteRoleMember)
+;
+
 app.route("/groups/:groupName/settings/*")
   .all(() => { throw new NotFound(); });
 

src/cognito.js

@@ -0,0 +1,85 @@
+/**
+ * Cognito user pool (IdP) management.
+ *
+ * @module cognito
+ */
+/* eslint-disable no-await-in-loop */
+import {
+  CognitoIdentityProviderClient,
+  AdminAddUserToGroupCommand,
+  AdminRemoveUserFromGroupCommand,
+  paginateListUsersInGroup,
+  UserNotFoundException,
+} from "@aws-sdk/client-cognito-identity-provider";
+
+import { COGNITO_USER_POOL_ID } from "./config.js";
+import { NotFound } from "./httpErrors.js";
+
+
+const REGION = COGNITO_USER_POOL_ID.split("_")[0];
+
+const cognito = new CognitoIdentityProviderClient({ region: REGION });
+
+
+/**
+ * Retrieve AWS Cognito users in a Cognito group.
+ *
+ * @param {string} name - Name of the AWS Cognito group
+ * @yields {object} user, see <https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/interfaces/usertype.html>
+ */
+export async function* listUsersInGroup(name) {
+  const paginator = paginateListUsersInGroup({client: cognito}, {
+    UserPoolId: COGNITO_USER_POOL_ID,
+    GroupName: name,
+  });
+
+  for await (const page of paginator) {
+    yield* page.Users;
+  }
+}
+
+
+/**
+ * Add an AWS Cognito user to a Cognito group.
+ *
+ * @param {string} username
+ * @param {string} group - Name of the AWS Cognito group
+ * @throws {NotFound} if username is unknown
+ */
+export async function addUserToGroup(username, group) {
+  try {
+    await cognito.send(new AdminAddUserToGroupCommand({
+      UserPoolId: COGNITO_USER_POOL_ID,
+      Username: username,
+      GroupName: group,
+    }));
+  } catch (err) {
+    if (err instanceof UserNotFoundException) {
+      throw new NotFound(`unknown user: ${username}`);
+    }
+    throw err;
+  }
+}
+
+
+/**
+ * Remove an AWS Cognito user from a Cognito group.
+ *
+ * @param {string} username
+ * @param {string} group - Name of the AWS Cognito group
+ * @throws {NotFound} if username is unknown
+ */
+export async function removeUserFromGroup(username, group) {
+  try {
+    await cognito.send(new AdminRemoveUserFromGroupCommand({
+      UserPoolId: COGNITO_USER_POOL_ID,
+      Username: username,
+      GroupName: group,
+    }));
+  } catch (err) {
+    if (err instanceof UserNotFoundException) {
+      throw new NotFound(`unknown user: ${username}`);
+    }
+    throw err;
+  }
+}

src/endpoints/groups.js

@@ -1,7 +1,9 @@
 import * as authz from "../authz/index.js";
+import { NotFound } from "../httpErrors.js";
 import { Group } from "../groups.js";
 import {contentTypesProvided, contentTypesConsumed} from "../negotiate.js";
 import {deleteByUrls, proxyFromUpstream, proxyToUpstream} from "../upstream.js";
+import { slurp } from "../utils/iterators.js";
 import * as options from "./options.js";
 
 
@@ -152,13 +154,94 @@ async function receiveGroupLogo(req, res) {
 }
 
 
+/* Members and roles
+ */
+const listMembers = async (req, res) => {
+  const group = req.context.group;
+
+  authz.assertAuthorized(req.user, authz.actions.Read, group);
+
+  return res.json(await group.members());
+};
+
+
+const listRoles = (req, res) => {
+  const group = req.context.group;
+
+  authz.assertAuthorized(req.user, authz.actions.Read, group);
+
+  const roles = [...group.membershipRoles.keys()];
+  return res.json(roles.map(name => ({name})));
+};
+
+
+const listRoleMembers = async (req, res) => {
+  const group = req.context.group;
+  const {roleName} = req.params;
+
+  authz.assertAuthorized(req.user, authz.actions.Read, group);
+
+  return res.json(await slurp(group.membersWithRole(roleName)));
+};
+
+
+const getRoleMember = async (req, res) => {
+  const group = req.context.group;
+  const {roleName, username} = req.params;
+
+  authz.assertAuthorized(req.user, authz.actions.Read, group);
+
+  for await (const member of group.membersWithRole(roleName)) {
+    if (member.username === username) {
+      return res.status(204).end();
+    }
+  }
+
+  throw new NotFound(`user ${username} does not have role ${roleName} in group ${group.name}`);
+};
+
+
+const putRoleMember = async (req, res) => {
+  const group = req.context.group;
+  const {roleName, username} = req.params;
+
+  authz.assertAuthorized(req.user, authz.actions.Write, group);
+
+  await group.grantRole(roleName, username);
+
+  return res.status(204).end();
+};
+
+
+const deleteRoleMember = async (req, res) => {
+  const group = req.context.group;
+  const {roleName, username} = req.params;
+
+  authz.assertAuthorized(req.user, authz.actions.Write, group);
+
+  await group.revokeRole(roleName, username);
+
+  return res.status(204).end();
+};
+
+
 export {
   setGroup,
   optionsGroup,
+
   getGroupLogo,
   putGroupLogo,
   deleteGroupLogo,
+
   getGroupOverview,
   putGroupOverview,
   deleteGroupOverview,
+
+  listMembers,
+  listRoles,
+  listRoleMembers,
+
+  getRoleMember,
+  putRoleMember,
+  deleteRoleMember,
 };