Merge branch 'python-311-test' of github.com:ministryofjustice/analyt…

…ics-platform-control-panel into python-311-test
ministryofjustice · Feb 14, 2024 · 8ced4cd · 8ced4cd
2 parents db39385 + bb03c5d
commit 8ced4cd
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 15 deletions.
diff --git a/controlpanel/api/cluster.py b/controlpanel/api/cluster.py
@@ -388,6 +388,8 @@ class App(EntityResource):
     AUTH0_CONNECTIONS = "AUTH0_CONNECTIONS"
     AUTHENTICATION_REQUIRED = "AUTHENTICATION_REQUIRED"
     AUTH0_PASSWORDLESS = "AUTH0_PASSWORDLESS"
+    APP_ROLE_ARN = "APP_ROLE_ARN"
+    DATA_ACCOUNT_ID = 'DATA_ACCOUNT_ID'
 
     def __init__(self, app, github_api_token=None, auth0_instance=None):
         super(App, self).__init__()
@@ -411,7 +413,9 @@ def create_or_update_secrets(self, env_name, secret_data):
 
     def _create_secrets(self, env_name, client=None):
         secret_data: dict = {
-            App.IP_RANGES: self.app.env_allowed_ip_ranges(env_name=env_name)
+            App.IP_RANGES: self.app.env_allowed_ip_ranges(env_name=env_name),
+            App.APP_ROLE_ARN: self.app.iam_role_arn,
+            App.DATA_ACCOUNT_ID: settings.AWS_DATA_ACCOUNT_ID
         }
         if client:
             secret_data[App.AUTH0_CLIENT_ID] = client["client_id"]
@@ -651,12 +655,13 @@ def get_env_vars(self, env_name):
         return app_env_vars
 
     def create_auth_settings(
-            self, env_name, disable_authentication=False, connections=None, app_domain=None
+        self, env_name, disable_authentication=False, connections=None, app_domain=None
     ):
         client = None
         group = None
-        connections = connections or \
-                      {auth0.ExtendedAuth0.DEFAULT_CONNECTION_OPTION: {}}
+        if connections is None:
+            connections = {auth0.ExtendedAuth0.DEFAULT_CONNECTION_OPTION: {}}
+
         if not disable_authentication:
             client, group = self._get_auth0_instance().setup_auth0_client(
                 client_name=self.app.auth0_client_name(env_name),
@@ -665,7 +670,8 @@ def create_auth_settings(
                 app_domain=app_domain
             )
             self.app.save_auth_settings(
-                env_name=env_name, client=client, group=group)
+                env_name=env_name, client=client, group=group
+            )
         self._create_secrets(env_name, client=client)
         self._create_env_vars(
             env_name,

diff --git a/controlpanel/api/models/app.py b/controlpanel/api/models/app.py
@@ -79,6 +79,10 @@ def _repo_name(self):
     def release_name(self):
         return webapp_release_name(self._repo_name)
 
+    @property
+    def iam_role_arn(self):
+        return cluster.iam_arn(f"role/{self.iam_role_name}")
+
     def get_group_id(self, env_name):
         return self.get_auth_client(env_name).get("group_id")
 

diff --git a/controlpanel/frontend/views/apps_mng.py b/controlpanel/frontend/views/apps_mng.py
@@ -81,16 +81,6 @@ def _add_ip_allowlists(self, app, envs, ip_allowlists):
         for env in envs:
             AppIPAllowList.objects.update_records(app, env, ip_allowlists)
 
-    def _create_auth_settigs(
-        self, app, envs, github_api_token, disable_authentication, connections
-    ):
-        for env in envs:
-            cluster.App(app, github_api_token).create_auth_settings(
-                env_name=env,
-                disable_authentication=disable_authentication,
-                connections=connections,
-            )
-
     def _create_or_link_datasource(self, app, user, bucket_data):
         if bucket_data.get("new_datasource_name"):
             bucket = S3Bucket.objects.create(

diff --git a/tests/api/cluster/test_app.py b/tests/api/cluster/test_app.py
@@ -4,6 +4,7 @@
 
 # Third-party
 import pytest
+from django.conf import settings
 
 # First-party/Local
 from controlpanel.api import cluster, models
@@ -156,5 +157,22 @@ def test_update_auth_connections(app, ExtendedAuth0):
             existing_conns='github')
 
 
+@patch("controlpanel.api.models.App.env_allowed_ip_ranges", new=MagicMock(return_value="1.2.3"))
+def test_create_secrets(app):
+    app_cluster = cluster.App(app)
+    secrets = {
+        app_cluster.IP_RANGES: "1.2.3",
+        app_cluster.APP_ROLE_ARN: app.iam_role_arn,
+        app_cluster.DATA_ACCOUNT_ID: settings.AWS_DATA_ACCOUNT_ID
+    }
+    with patch.object(app_cluster, "create_or_update_secrets"):
+        app_cluster._create_secrets(env_name="dev", client=None)
+        app_cluster.create_or_update_secrets.assert_called_once_with(
+            env_name="dev",
+            secret_data=secrets
+        )
+
+
+# TODO can this be removed?
 mock_ingress = MagicMock(name="Ingress")
 mock_ingress.spec.rules = [MagicMock(name="Rule", host="test-app.example.com")]
diff --git a/tests/api/models/test_app.py b/tests/api/models/test_app.py
@@ -204,3 +204,8 @@ def test_app_allowed_ip_ranges():
     full_app_ip_ranges = app.app_allowed_ip_ranges
     assert " " not in full_app_ip_ranges
     assert len(full_app_ip_ranges.split(",")) == 4
+
+
+def test_iam_role_arn():
+    app = App(slug="example-app")
+    assert app.iam_role_arn == f"arn:aws:iam::{settings.AWS_DATA_ACCOUNT_ID}:role/test_app_example-app"