Add cognitoidp.admin_respond_to_auth_challenge (#7136)

This commit is contained in:
Matus Faro 2023-12-19 09:27:30 -05:00 committed by GitHub
parent 5473117e36
commit 34a0c20d03
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 60 additions and 7 deletions

View File

@ -1180,7 +1180,7 @@
## cognito-idp ## cognito-idp
<details> <details>
<summary>59% implemented</summary> <summary>60% implemented</summary>
- [X] add_custom_attributes - [X] add_custom_attributes
- [X] admin_add_user_to_group - [X] admin_add_user_to_group
@ -1201,7 +1201,7 @@
- [ ] admin_list_user_auth_events - [ ] admin_list_user_auth_events
- [X] admin_remove_user_from_group - [X] admin_remove_user_from_group
- [X] admin_reset_user_password - [X] admin_reset_user_password
- [ ] admin_respond_to_auth_challenge - [X] admin_respond_to_auth_challenge
- [X] admin_set_user_mfa_preference - [X] admin_set_user_mfa_preference
- [X] admin_set_user_password - [X] admin_set_user_password
- [ ] admin_set_user_settings - [ ] admin_set_user_settings

View File

@ -46,7 +46,7 @@ cognito-idp
- [ ] admin_list_user_auth_events - [ ] admin_list_user_auth_events
- [X] admin_remove_user_from_group - [X] admin_remove_user_from_group
- [X] admin_reset_user_password - [X] admin_reset_user_password
- [ ] admin_respond_to_auth_challenge - [X] admin_respond_to_auth_challenge
- [X] admin_set_user_mfa_preference - [X] admin_set_user_mfa_preference
- [X] admin_set_user_password - [X] admin_set_user_password
- [ ] admin_set_user_settings - [ ] admin_set_user_settings

View File

@ -1483,6 +1483,27 @@ class CognitoIdpBackend(BaseBackend):
# We shouldn't get here due to enum validation of auth_flow # We shouldn't get here due to enum validation of auth_flow
return None # type: ignore[return-value] return None # type: ignore[return-value]
def admin_respond_to_auth_challenge(
self,
session: str,
client_id: str,
challenge_name: str,
challenge_responses: Dict[str, str],
) -> Dict[str, Any]:
"""
Responds to an authentication challenge, as an administrator.
The only differences between this admin endpoint and public endpoint are not relevant and so we can safely call
the public endpoint to do the work:
- The admin endpoint requires a user pool id along with a session; the public endpoint searches across all pools
- ContextData is passed in; we don't use it
ref: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html
"""
return self.respond_to_auth_challenge(
session, client_id, challenge_name, challenge_responses
)
def respond_to_auth_challenge( def respond_to_auth_challenge(
self, self,
session: str, session: str,
@ -1490,6 +1511,11 @@ class CognitoIdpBackend(BaseBackend):
challenge_name: str, challenge_name: str,
challenge_responses: Dict[str, str], challenge_responses: Dict[str, str],
) -> Dict[str, Any]: ) -> Dict[str, Any]:
"""
Responds to an authentication challenge, from public client.
ref: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html
"""
if challenge_name == "PASSWORD_VERIFIER": if challenge_name == "PASSWORD_VERIFIER":
session = challenge_responses.get("PASSWORD_CLAIM_SECRET_BLOCK") # type: ignore[assignment] session = challenge_responses.get("PASSWORD_CLAIM_SECRET_BLOCK") # type: ignore[assignment]
@ -2180,6 +2206,18 @@ class RegionAgnosticBackend:
backend = self._find_backend_by_access_token(access_token) backend = self._find_backend_by_access_token(access_token)
return backend.get_user(access_token) return backend.get_user(access_token)
def admin_respond_to_auth_challenge(
self,
session: str,
client_id: str,
challenge_name: str,
challenge_responses: Dict[str, str],
) -> Dict[str, Any]:
backend = self._find_backend_for_clientid(client_id)
return backend.admin_respond_to_auth_challenge(
session, client_id, challenge_name, challenge_responses
)
def respond_to_auth_challenge( def respond_to_auth_challenge(
self, self,
session: str, session: str,

View File

@ -449,6 +449,17 @@ class CognitoIdpResponse(BaseResponse):
return json.dumps(auth_result) return json.dumps(auth_result)
def admin_respond_to_auth_challenge(self) -> str:
session = self._get_param("Session")
client_id = self._get_param("ClientId")
challenge_name = self._get_param("ChallengeName")
challenge_responses = self._get_param("ChallengeResponses")
auth_result = region_agnostic_backend.admin_respond_to_auth_challenge(
session, client_id, challenge_name, challenge_responses
)
return json.dumps(auth_result)
def respond_to_auth_challenge(self) -> str: def respond_to_auth_challenge(self) -> str:
session = self._get_param("Session") session = self._get_param("Session")
client_id = self._get_param("ClientId") client_id = self._get_param("ClientId")

View File

@ -1532,7 +1532,8 @@ def test_group_in_access_token():
# This sets a new password and logs the user in (creates tokens) # This sets a new password and logs the user in (creates tokens)
new_password = "P2$Sword" new_password = "P2$Sword"
result = conn.respond_to_auth_challenge( result = conn.admin_respond_to_auth_challenge(
UserPoolId=user_pool_id,
Session=result["Session"], Session=result["Session"],
ClientId=client_id, ClientId=client_id,
ChallengeName="NEW_PASSWORD_REQUIRED", ChallengeName="NEW_PASSWORD_REQUIRED",
@ -1585,7 +1586,8 @@ def test_group_in_id_token():
# This sets a new password and logs the user in (creates tokens) # This sets a new password and logs the user in (creates tokens)
new_password = "P2$Sword" new_password = "P2$Sword"
result = conn.respond_to_auth_challenge( result = conn.admin_respond_to_auth_challenge(
UserPoolId=user_pool_id,
Session=result["Session"], Session=result["Session"],
ClientId=client_id, ClientId=client_id,
ChallengeName="NEW_PASSWORD_REQUIRED", ChallengeName="NEW_PASSWORD_REQUIRED",
@ -2749,7 +2751,8 @@ def authentication_flow(conn, auth_flow):
# This sets a new password and logs the user in (creates tokens) # This sets a new password and logs the user in (creates tokens)
new_password = "P2$Sword" new_password = "P2$Sword"
result = conn.respond_to_auth_challenge( result = conn.admin_respond_to_auth_challenge(
UserPoolId=user_pool_id,
Session=result["Session"], Session=result["Session"],
ClientId=client_id, ClientId=client_id,
ChallengeName="NEW_PASSWORD_REQUIRED", ChallengeName="NEW_PASSWORD_REQUIRED",
@ -4388,7 +4391,8 @@ def test_admin_initiate_auth_when_token_totp_enabled():
assert result["Session"] != "" assert result["Session"] != ""
# Respond to challenge with TOTP # Respond to challenge with TOTP
result = conn.respond_to_auth_challenge( result = conn.admin_respond_to_auth_challenge(
UserPoolId=user_pool_id,
ClientId=client_id, ClientId=client_id,
ChallengeName="SOFTWARE_TOKEN_MFA", ChallengeName="SOFTWARE_TOKEN_MFA",
Session=result["Session"], Session=result["Session"],