Embedding QS into Control Panel (#1350)

* Inital commit

* Added code from UI to control panel

* Code added to enable embedding of quicksight

* Removed call to check group as not required

* Bumped dependencies. Added new env vars to test settings

* Added page name to template

* made QS superuser only for now

* Removed bucket message on quicksight page. Added tests

controlpanel/api/aws.py

@@ -1140,11 +1140,41 @@ def delete_messages(self, queue, messages):
 
 class AWSQuicksight(AWSService):
 
+    service_name = "quicksight"
+
     def __init__(self, assume_role_name=None, profile_name=None, region_name=None):
         super().__init__(assume_role_name, profile_name, region_name or "eu-west-1")
 
         self.client = self.boto3_session.client("quicksight")
 
+    def get_embed_url(self, user):
+
+        if not user.justice_email:
+            return None
+
+        user_arn = arn(
+            service=self.service_name,
+            resource=f"user/default/{user.justice_email}",
+            region=settings.QUICKSIGHT_ACCOUNT_REGION,
+            account=settings.QUICKSIGHT_ACCOUNT_ID,
+        )
+
+        response = self.client.generate_embed_url_for_registered_user(
+            AwsAccountId=settings.QUICKSIGHT_ACCOUNT_ID,
+            UserArn=user_arn,
+            ExperienceConfiguration={
+                "QuickSightConsole": {
+                    "InitialPath": "/start",
+                    "FeatureConfigurations": {"StatePersistence": {"Enabled": True}},
+                },
+            },
+            AllowedDomains=settings.QUICKSIGHT_DOMAINS,
+        )
+        if response:
+            return response["EmbedUrl"]
+
+        return response
+
 
 class AWSLakeFormation(AWSService):
 

controlpanel/api/rules.py

@@ -60,6 +60,7 @@ def is_app_admin(user, obj):
 add_perm("api.remove_app_bucket", is_authenticated & is_superuser)  # TODO change to is_app_admin
 add_perm("api.view_app_logs", is_authenticated & is_app_admin)
 add_perm("api.manage_groups", is_authenticated & is_superuser)
+add_perm("api.quicksight_embed_access", is_authenticated & is_superuser)
 add_perm("api.create_policys3bucket", is_authenticated & is_superuser)
 add_perm("api.update_app_settings", is_authenticated & is_app_admin)
 add_perm("api.update_app_ip_allowlists", is_authenticated & is_app_admin)

controlpanel/frontend/jinja2/base.html

@@ -122,6 +122,12 @@
         "href": url("list-parameters"),
         "active": page_name == "parameters",
       },
+      {
+        "hide": not request.user.is_superuser,
+        "text": "QuickSight",
+        "href": url("quicksight"),
+        "active": page_name == "quicksight",
+      },
       {
         "hide": not request.user.is_superuser,
         "text": "Groups",

controlpanel/frontend/jinja2/govuk-frontend.html

@@ -53,7 +53,7 @@
 
   {% block main %}
     {% block beforeContent %}{% endblock %}
-    <div class="govuk-width-container">
+    <div class="{% block container_class_names %}govuk-width-container{% endblock container_class_names %}">
       <main class="govuk-main-wrapper {{ mainClasses or "" }}" id="main-content" role="main">
         {% block content %}{% endblock %}
       </main>

controlpanel/frontend/jinja2/quicksight.html

@@ -0,0 +1,67 @@
+{% extends "base.html" %}
+
+{% set page_name = "quicksight" %}
+{% set page_title = "Quicksight" %}
+
+{% block container_class_names %}govuk-grid-column-full{% endblock container_class_names %}
+
+{% block content %}
+    {% if embed_url %}
+        <body onload="embedConsole()">
+            <div id="experience-container"></div>
+        </body>
+    {% else %}
+    <div class="govuk-width-container">
+        <h2 class="govuk-heading-m">Something went wrong, try refreshing the page</h2>
+        <p class="govuk-body">If the problem persists, please contact the AP support team.</p>
+    </div>
+    {% endif %}
+{% endblock content %}
+
+{% block body_end %}
+    <script src="https://unpkg.com/[email protected]/dist/quicksight-embedding-js-sdk.min.js"></script>
+    <script type="text/javascript">
+        const embedConsole = async() => {
+            const {
+                createEmbeddingContext,
+            } = QuickSightEmbedding;
+
+            const embeddingContext = await createEmbeddingContext({
+                onChange: (changeEvent, metadata) => {
+                    console.log('Context received a change', changeEvent, metadata);
+                },
+            });
+
+            const frameOptions = {
+                url: "{{ embed_url|safe }}", // replace this value with the url generated via embedding API
+                container: '#experience-container',
+                height: "700px",
+                width: "100%",
+                onChange: (changeEvent, metadata) => {
+                    switch (changeEvent.eventName) {
+                        case 'FRAME_MOUNTED': {
+                            console.log("Do something when the experience frame is mounted.");
+                            break;
+                        }
+                        case 'FRAME_LOADED': {
+                            console.log("Do something when the experience frame is loaded.");
+                            break;
+                        }
+                    }
+                },
+            };
+
+            const contentOptions = {
+                onMessage: async (messageEvent, experienceMetadata) => {
+                    switch (messageEvent.eventName) {
+                        case 'ERROR_OCCURRED': {
+                            console.log("Do something when the embedded experience fails loading.");
+                            break;
+                        }
+                    }
+                }
+            };
+            const embeddedConsoleExperience = await embeddingContext.embedConsole(frameOptions, contentOptions);
+        };
+    </script>
+{% endblock body_end %}

controlpanel/frontend/urls.py

@@ -260,4 +260,5 @@
         name="create-parameter",
     ),
     path("parameters/<int:pk>/delete/", views.ParameterDelete.as_view(), name="delete-parameter"),
+    path("quicksight/", views.QuicksightView.as_view(), name="quicksight"),
 ]

controlpanel/frontend/views/__init__.py

@@ -80,6 +80,7 @@
     IAMManagedPolicyList,
     IAMManagedPolicyRemoveUser,
 )
+from controlpanel.frontend.views.quicksight import QuicksightView
 from controlpanel.frontend.views.release import (
     ReleaseCreate,
     ReleaseDelete,

controlpanel/frontend/views/quicksight.py

@@ -0,0 +1,27 @@
+# Standard library
+from typing import Any
+
+# Third-party
+from django.conf import settings
+from django.views.generic import TemplateView
+from rules.contrib.views import PermissionRequiredMixin
+
+# First-party/Local
+from controlpanel.api.aws import AWSQuicksight
+from controlpanel.oidc import OIDCLoginRequiredMixin
+
+
+class QuicksightView(OIDCLoginRequiredMixin, PermissionRequiredMixin, TemplateView):
+    template_name = "quicksight.html"
+    permission_required = "api.quicksight_embed_access"
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        context = super().get_context_data(**kwargs)
+        profile_name = f"quicksight_user_{self.request.user.justice_email}"
+        context["broadcast_messages"] = None
+        context["embed_url"] = AWSQuicksight(
+            assume_role_name=settings.QUICKSIGHT_ASSUMED_ROLE,
+            profile_name=profile_name,
+            region_name=settings.QUICKSIGHT_ACCOUNT_REGION,
+        ).get_embed_url(user=self.request.user)
+        return context

controlpanel/settings/common.py

@@ -2,6 +2,7 @@
 import os
 import sys
 from os.path import abspath, dirname, join
+from socket import gaierror, gethostbyname, gethostname
 
 # Third-party
 import structlog
@@ -248,6 +249,19 @@
 # Whitelist values for the HTTP Host header, to prevent certain attacks
 ALLOWED_HOSTS = [host for host in os.environ.get("ALLOWED_HOSTS", "").split() if host]
 
+
+# set this before adding the IP address below
+# TODO We may be able to set this in terraform instead, we should check this
+QUICKSIGHT_DOMAINS = []
+for host in ALLOWED_HOSTS:
+    prefix = "*" if host.startswith(".") else ""
+    QUICKSIGHT_DOMAINS.append(f"https://{prefix}{host}")
+
+try:
+    ALLOWED_HOSTS.append(gethostbyname(gethostname()))
+except gaierror:
+    pass
+
 # Sets the X-XSS-Protection: 1; mode=block header
 SECURE_BROWSER_XSS_FILTER = True
 
@@ -486,6 +500,10 @@
 
 # -- AWS
 AWS_DATA_ACCOUNT_ID = os.environ.get("AWS_DATA_ACCOUNT_ID")
+QUICKSIGHT_ACCOUNT_ID = os.environ.get("QUICKSIGHT_ACCOUNT_ID")
+QUICKSIGHT_ACCOUNT_REGION = os.environ.get("QUICKSIGHT_ACCOUNT_REGION")
+QUICKSIGHT_DOMAINS = os.environ.get("QUICKSIGHT_DOMAINS")
+QUICKSIGHT_ASSUMED_ROLE = os.environ.get("QUICKSIGHT_ASSUMED_ROLE")
 
 # The EKS OIDC provider, referenced in user policies to allow service accounts
 # to grant AWS permissions.

controlpanel/settings/development.py

@@ -9,6 +9,7 @@
 
 # Allow all hostnames to access the server
 ALLOWED_HOSTS = ["localhost", "127.0.0.1", "0.0.0.0"]
+QUICKSIGHT_DOMAINS = ["http://localhost:8000"]
 
 # Enable Django debug toolbar
 if os.environ.get("ENABLE_DJANGO_DEBUG_TOOLBAR"):

controlpanel/settings/test.py

@@ -35,3 +35,8 @@
 DPR_DATABASE_NAME = "test_database"
 SQS_REGION = "eu-west-1"
 USE_LOCAL_MESSAGE_BROKER = False
+
+QUICKSIGHT_ACCOUNT_ID = "123456789012"
+QUICKSIGHT_ACCOUNT_REGION = "eu-west-2"
+QUICKSIGHT_DOMAINS = "http://localhost:8000"
+QUICKSIGHT_ASSUMED_ROLE = "arn:aws:iam::123456789012:role/quicksight_test"

requirements.txt

@@ -2,12 +2,12 @@ asgiref==3.8.1
 auth0-python==4.7.1
 authlib==1.3.1
 beautifulsoup4==4.12.3
-boto3==1.35.24
+boto3==1.35.39
 celery[sqs]==5.3.6
 channels==4.0.0
 channels-redis==4.2.0
 daphne==4.1.2
-Django==5.0.4
+Django==5.1.2
 django-crequest==2018.5.11
 django-extensions==3.2.3
 django-filter==24.1

tests/api/test_aws.py

@@ -2,7 +2,7 @@
 import hashlib
 import json
 import uuid
-from unittest.mock import MagicMock, call, patch
+from unittest.mock import MagicMock, Mock, call, patch
 
 # Third-party
 import pytest
@@ -1134,3 +1134,24 @@ def test_list_attached_policies_returns_list_of_policies(iam, roles, test_policy
 
     assert len(policies) == 1
     assert policies[0].arn == test_policy["Arn"]
+
+
+@pytest.fixture
+def quicksight_service():
+    yield aws.AWSQuicksight()
+
+
+def test_get_embed_url(quicksight_service):
+    """
+    Patching client as no way to get url from moto.
+    Should return some URL anyway
+    """
+
+    embedded_url = "https://embedded-url.com"
+    client = Mock()
+    client.generate_embed_url_for_registered_user.return_value = {"EmbedUrl": embedded_url}
+
+    with patch.object(quicksight_service, "client", client):
+        mock_user = Mock(email="[email protected]")
+        url = quicksight_service.get_embed_url(mock_user)
+        assert url == embedded_url

tests/frontend/views/test_quicksight.py

@@ -0,0 +1,32 @@
+# Standard library
+from unittest.mock import patch
+
+# Third-party
+import botocore
+import pytest
+from django.conf import settings
+from django.urls import reverse
+from rest_framework import status
+
+# Original botocore _make_api_call function
+orig = botocore.client.BaseClient._make_api_call
+
+
+def quicksight(client):
+    return client.get(reverse("quicksight"))
+
+
+@pytest.mark.parametrize(
+    "view,user,expected_status",
+    [
+        (quicksight, "superuser", status.HTTP_200_OK),
+        (quicksight, "database_user", status.HTTP_403_FORBIDDEN),
+        (quicksight, "normal_user", status.HTTP_403_FORBIDDEN),
+    ],
+)
+def test_permission(client, users, view, user, expected_status):
+    for key, val in users.items():
+        client.force_login(val)
+    client.force_login(users[user])
+    response = view(client)
+    assert response.status_code == expected_status