You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
121 lines
7.8 KiB
Python
121 lines
7.8 KiB
Python
"""
|
|
Copyright (c) Contributors to the Open 3D Engine Project.
|
|
For complete copyright and license terms please see the LICENSE at the root of this distribution.
|
|
|
|
SPDX-License-Identifier: Apache-2.0 OR MIT
|
|
"""
|
|
|
|
from aws_cdk import (core,
|
|
aws_cognito as cognito,
|
|
aws_iam as iam)
|
|
from utils import name_utils
|
|
from auth.cognito_user_pool_sms_role import CognitoUserPoolSMSRole
|
|
|
|
|
|
class CognitoUserPool:
|
|
"""
|
|
Creates User pool. Sets up MFA with text. Allows enabling MFA. Allows signing up by email and phone.
|
|
"""
|
|
|
|
def __init__(self, scope: core.Construct, feature_name: str, project_name: str, env: core.Environment,
|
|
sms_role: CognitoUserPoolSMSRole) -> None:
|
|
"""
|
|
:param scope: Construct role scope will be attached to.
|
|
:param feature_name: Name of the feature for resource.
|
|
:param project_name: Name of the project for resource.
|
|
:param env: Environment set up by App.
|
|
:param sms_role: SMS IAM role created using
|
|
"""
|
|
self._user_pool = cognito.CfnUserPool(scope, name_utils.format_aws_resource_id(feature_name, project_name, env,
|
|
cognito.CfnUserPool.__name__),
|
|
user_pool_name=name_utils.format_aws_resource_name(feature_name,
|
|
project_name, env,
|
|
cognito.CfnUserPool.__name__),
|
|
admin_create_user_config=cognito.CfnUserPool.AdminCreateUserConfigProperty(
|
|
allow_admin_create_user_only=False),
|
|
account_recovery_setting=cognito.CfnUserPool.AccountRecoverySettingProperty(
|
|
recovery_mechanisms=[cognito.CfnUserPool.RecoveryOptionProperty(
|
|
name='verified_email', priority=1),
|
|
cognito.CfnUserPool.RecoveryOptionProperty(
|
|
name='verified_phone_number', priority=2)]),
|
|
auto_verified_attributes=['email', 'phone_number'],
|
|
enabled_mfas=['SMS_MFA'],
|
|
mfa_configuration='OPTIONAL',
|
|
sms_configuration=cognito.CfnUserPool.SmsConfigurationProperty(
|
|
external_id=name_utils.format_aws_resource_name(feature_name,
|
|
project_name, env,
|
|
cognito.CfnUserPool.__name__) + '-external',
|
|
sns_caller_arn=sms_role.get_role().role_arn))
|
|
|
|
self._user_pool.node.add_dependency(sms_role.get_role())
|
|
self._user_pool_client = cognito.CfnUserPoolClient(scope,
|
|
name_utils.format_aws_resource_id(feature_name, project_name,
|
|
env,
|
|
cognito.CfnUserPoolClient.__name__),
|
|
client_name=name_utils.format_aws_resource_name(feature_name,
|
|
project_name,
|
|
env,
|
|
cognito.CfnUserPoolClient.__name__),
|
|
user_pool_id=self._user_pool.ref,
|
|
explicit_auth_flows=['ALLOW_ADMIN_USER_PASSWORD_AUTH',
|
|
'ALLOW_CUSTOM_AUTH',
|
|
'ALLOW_USER_PASSWORD_AUTH',
|
|
'ALLOW_USER_SRP_AUTH',
|
|
'ALLOW_REFRESH_TOKEN_AUTH'],
|
|
# access_token_validity=5, # Does not work
|
|
# id_token_validity=5, # Does not work
|
|
# refresh_token_validity=30, # Does not work
|
|
)
|
|
self._user_pool_client.add_depends_on(self._user_pool)
|
|
|
|
core.CfnOutput(
|
|
scope,
|
|
'CognitoUserPoolId',
|
|
description="Cognito User pool id",
|
|
value=self._user_pool.ref)
|
|
|
|
core.CfnOutput(
|
|
scope,
|
|
'CognitoUserPoolAppClientId',
|
|
description="Cognito User pool App client id",
|
|
value=self._user_pool_client.ref)
|
|
|
|
def get_user_pool(self) -> cognito.CfnUserPool:
|
|
"""
|
|
:return: Cognito user pool
|
|
"""
|
|
return self._user_pool
|
|
|
|
def get_user_pool_client(self) -> cognito.CfnUserPoolClient:
|
|
"""
|
|
:return: Cognito user pool client.
|
|
"""
|
|
return self._user_pool_client
|
|
|
|
def create_using_higher_construct(self):
|
|
raise NotImplemented('Add implementation')
|
|
# # Below does not work as Creating App client without refresh tokens auth flow param is not accepted by CF.
|
|
# # Create Cognito user pool
|
|
# user_pool = cognito.UserPool(scope,
|
|
# id=name_utils.format_aws_resource_id(stack_feature_name, project_name, env,
|
|
# cognito.UserPool.__name__),
|
|
# user_pool_name=name_utils.format_aws_resource_name(stack_feature_name,
|
|
# project_name, env,
|
|
# cognito.UserPool.__name__),
|
|
# mfa=cognito.Mfa.OPTIONAL,
|
|
# mfa_second_factor=cognito.MfaSecondFactor(otp=False, sms=True),
|
|
# enable_sms_role=True,
|
|
# sms_role=sms_role.get_role(),
|
|
# sms_role_external_id='c87467be-4f34-11ea-b77f-2e728ce88125',
|
|
# self_sign_up_enabled=True)
|
|
#
|
|
# user_pool_client = user_pool.add_client(
|
|
# name_utils.format_aws_resource_id(stack_feature_name, project_name, env,
|
|
# cognito.UserPoolClient.__name__),
|
|
# # access_token_validity=core.Duration.minutes(6),
|
|
# auth_flows=cognito.AuthFlow(admin_user_password=True),
|
|
# # id_token_validity=core.Duration.minutes(6),
|
|
# user_pool_client_name=name_utils.format_aws_resource_name(stack_feature_name, project_name, env,
|
|
# cognito.UserPoolClient.__name__),
|
|
# disable_o_auth=True)
|