chore(deps): bump the python-dependencies group across 1 directory with 39 updates

.amazon/updatabot-config.ion

@@ -0,0 +1,13 @@
+/* This is a config file for Updatabot */
+
+// Updatabot works to keep your third-party dependencies up-to-date automatically
+// by sending weekly code reviews with any updates to package lock files
+
+// Lock files will be generated automatically for packages without them on first build
+// Python packages currently have support for Poetry only.
+
+// An empty updatabot-config.ion allows Ubot to discover package configuration automatically
+// learn more in the Updatabot docs: https://builderhub.corp.amazon.com/docs/brazil/peru-user-guide/updatabot.html
+{
+   autoPushChanges: true
+}

.crux_dry_run_build

@@ -0,0 +1,2 @@
+AUTOBUILD
+AimlAdcLisa/development-peru

.gitignore

@@ -5,6 +5,7 @@
 !esbuild.js
 !eslint.config.js
 *.d.ts
+.npmrc
 node_modules/
 /build
 /dist
@@ -32,6 +33,8 @@ lib/rag/ingestion/ingestion-image/build
 *.code-workspace
 .cursor
 memory-bank/
+.sync_state
+.direnv
 
 # Coverage Statistic Folders
 coverage
@@ -46,3 +49,6 @@ config-custom.yaml
 # Test Artifacts
 /cypress/videos
 /cypress/screenshots
+
+# Ignore PeruHatch local cache directory
+/.hatch

COMMIT_ID

@@ -0,0 +1 @@
+a29ea945055029192e1acc2140a9d3490a48e0f6

bin/build-assets

@@ -1,7 +0,0 @@
-#!/bin/bash
-set -e
-
-ROOT=$(pwd)
-
-./bin/build-lambdas
-./bin/build-images --export

bin/package-lambda

@@ -0,0 +1,144 @@
+#!/bin/bash
+set -e
+
+SRC=src
+OUTPUT=Lambda.zip
+EXCLUDE_PACKAGES=""
+BUILD_DIR=$PWD/build
+IS_LAYER=0
+TMP_DIR=$BUILD_DIR/tmp/
+PYPI_URL=
+
+# Parse named parameters
+while [ $# -gt 0 ]; do
+    if [[ $1 == *"="* ]]; then
+        # Handle --param=value style
+        param="${1%%=*}"
+        value="${1#*=}"
+
+        case "$param" in
+            --src)
+                SRC="$value"
+                ;;
+            --output)
+                OUTPUT="$value"
+                ;;
+            --build)
+                BUILD_DIR="$value"
+                ;;
+            --exclude)
+                EXCLUDE_PACKAGES="$value"
+                ;;
+            --pypi)
+                PYPI_URL="$value"
+                ;;
+            --layer)
+                IS_LAYER=1
+                ;;
+            *)
+                echo "Unknown parameter: $param"
+                echo "Usage: $0 --src <source_dir> --output <output_file> --exclude <packages> --layer"
+                exit 1
+                ;;
+        esac
+    else
+        # Handle --param value style
+        case "$1" in
+            --src)
+                shift
+                SRC="$1"
+                ;;
+            --output)
+                shift
+                OUTPUT="$1"
+                ;;
+            --build)
+                shift
+                BUILD_DIR="$1"
+                TMP_DIR=$BUILD_DIR/tmp/python/
+                ;;
+            --exclude)
+                shift
+                EXCLUDE_PACKAGES="$1"
+                ;;
+            --pypi)
+                shift
+                PYPI_URL="$1"
+                ;;
+            --layer)
+                IS_LAYER=1
+                ;;
+            *)
+                echo "Unknown parameter: $1"
+                echo "Usage: $0 --src <source_dir> --output <output_file> --exclude <packages>"
+                exit 1
+                ;;
+        esac
+    fi
+    shift
+done
+
+echo "Starting"
+if [ $IS_LAYER -eq 1 ]; then
+    TMP_DIR=$BUILD_DIR/tmp/python/
+fi
+
+if [ -z "$PYPI_URL" ]; then
+    echo "Must supply PYPI_URL via --pypi"
+    exit 1
+fi
+
+# Extract IP from PYPI_URL for trusted host
+TRUSTED_HOST=$(echo $PYPI_URL | sed 's|http://||' | sed 's|/.*||')
+
+# Print parameters for debugging
+echo "Source directory: $SRC"
+echo "Output file: $OUTPUT"
+echo "Build directory: $BUILD_DIR"
+echo "Temp directory: $TMP_DIR"
+
+
+install_requirements() {
+    echo "Installing requirements"
+    rm -rf "$TMP_DIR"
+    mkdir -p "$TMP_DIR"
+    if [ -f "$SRC/requirements.txt" ]; then
+        echo "Installing requirements from $SRC/requirements.txt"
+        echo "Using python version $(python3 --version)"
+        python3 -m pip install -r "$SRC/requirements.txt" --force-reinstall --no-cache-dir --target "$TMP_DIR" --index-url $PYPI_URL --trusted-host $TRUSTED_HOST
+    else
+        echo "No requirements.txt found in $SRC"
+    fi
+}
+
+
+build_package() {
+    echo "Building package"
+    if [ -d "$SRC" ]; then
+        find "$SRC" -type f -not -path "*/build/*" -not -path "*/.hatch/*" -not -path "*/.venv/*" -exec cp --parents {} "$TMP_DIR" \;
+    fi
+}
+
+package_artifacts() {
+    echo "Packaging"
+    if [ -n "$EXCLUDE_PACKAGES" ]; then
+        echo "Removing excluded packages: $EXCLUDE_PACKAGES"
+        for pkg in ${EXCLUDE_PACKAGES//,/ }; do
+            echo "Removing $pkg"
+            rm -rf ${TMP_DIR}/${pkg}
+            rm -rf ${TMP_DIR}/${pkg}-*
+            # Also remove egg-info directories
+            find "$TMP_DIR" -type d -name "${pkg}*egg-info" -exec rm -rf {} +
+        done
+    fi
+
+    # AWS Lambda recommends to exclude __pycache__: https://docs.aws.amazon.com/lambda/latest/dg/python-package.html#python-package-pycache
+    find "${TMP_DIR}" -depth -name __pycache__ -exec rm -rf {} \;
+    cd "${BUILD_DIR}/tmp/"
+    zip -r "${BUILD_DIR}/${OUTPUT}" .
+    rm -rf "${BUILD_DIR}/tmp"
+}
+
+install_requirements
+build_package
+package_artifacts

brazil.ion

@@ -0,0 +1,33 @@
+'[email protected]'
+
+common::{
+  name : "LISA-ADC",
+  major_version : "1.0",
+
+  dependencies : {
+    default_closure : run,
+    closures : {
+      run: public::{
+        include: [self],
+        build_requires: [
+          "BrassServicePythonClient"
+        ],
+      },
+    },
+  },
+
+  build : {
+    command : "run-npm",
+    env: {
+      PATH: [
+        (farm "PeruNPM" "bin"),
+        (farm "PeruHatch" "bin"),
+        (env PATH),
+        "bin"
+      ]
+    },
+    outputs : {
+      public_dir : "dist"
+    }
+  },
+}

crossover.config.toml

@@ -0,0 +1,8 @@
+# Used for dependencies which are still in Brazil (i.e. live) and not in Peru
+# Refer to https://docs.hub.amazon.dev/brazil/peru-user-guide/python-peru/#using-crossover-for-python-packages
+version_set = "live"
+
+# Because this is a PeruPython app, we specify `pypi` as the repository here.
+[pypi]
+# This is a list of Package-MajorVersion's to crossover,
+packages = ["BrassServicePythonClient-1.0"]

crossover.lockfile

@@ -0,0 +1,29 @@
+# This is a generated file. It should be
+# checked into source control. Do not edit
+# this file by hand.
+#
+# You can safely update this lock by deleting this file and re-building.
+#
+# (Generated by styx)
+versionSet=live
+eventId=6351914535
+platforms.AL2023_aarch64=AL2023_aarch64
+platforms.AL2023_x86_64=AL2023_x86_64
+platforms.AL2_aarch64=AL2_aarch64
+platforms.AL2_x86_64=AL2_x86_64
+
+BrassServicePythonClient-1.0
+CoralAvailabilityPythonTypes-1.0
+CoralAwsAuthenticationPythonTypes-1.0
+CoralOrchestratorPythonTypes-1.0
+CoralPythonClient-2.2
+CoralPythonClientDependencies-2.2
+CoralPythonConstraints-1.0
+CoralPythonTypesBase-1.0
+CoralServicePythonTypes-1.0
+CoralTransmutePythonTypes-1.0
+CoralValidateModelPython-1.0
+OdinLocalPythonInterface-1.2
+PyAmazonCACerts-1.0
+PythonCoralConfig-1.0
+RequestsBetterSSL-1.0

flake.nix

@@ -31,9 +31,11 @@
           packages = with pkgs; [
             awscli2     # AWS command-line interface for deployment and management
             jq          # JSON processor for parsing AWS responses and configuration
+            pnpm        # Fast, disk space efficient package manager for JavaScript
             pre-commit  # Git hook framework for code quality checks
             python3     # Python runtime for LISA backend services
             nodejs      # Node.js runtime for CDK infrastructure and frontend tooling
+            nodePackages.aws-cdk # AWS CDK CLI, the command line tool for CDK apps
             uv          # Fast Python package installer and virtual environment manager
             yq          # YAML processor for configuration management
           ];
@@ -89,7 +91,7 @@
 
             # Install Node.js dependencies
             echo "Installing Node.js dependencies..."
-            npm install
+            pnpm install
 
             # Configure git hooks for pre-commit
             # Unset any existing hooks path to ensure pre-commit can manage hooks

lambda/authorizer/lambda_functions.py

@@ -25,6 +25,7 @@
 import jwt
 import requests
 from botocore.exceptions import ClientError
+from utilities.brass_client import BrassClient
 from cachetools import cached, TTLCache
 from utilities.common_functions import authorization_wrapper, get_id_token, get_property_path, retry_config
 
@@ -60,28 +61,19 @@ def lambda_handler(event: Dict[str, Any], context) -> Dict[str, Any]:  # type: i
 
     deny_policy = generate_policy(effect="Deny", resource=event["methodArn"])
     groups: str
-    if id_token in get_management_tokens():
-        username = "lisa-management-token"
-        # Add management token to Admin groups
-        groups = json.dumps([admin_group])
-        allow_policy = generate_policy(effect="Allow", resource=event["methodArn"], username=username)
-        allow_policy["context"] = {"username": username, "groups": groups}
-        logger.debug(f"Generated policy: {allow_policy}")
-        return allow_policy
-
-    if os.environ.get("TOKEN_TABLE_NAME", None) and is_valid_api_token(id_token):
-        username = "api-token"
-        groups = json.dumps([])
-        allow_policy = generate_policy(effect="Allow", resource=event["methodArn"], username=username)
-        allow_policy["context"] = {"username": username, "groups": groups}
-        logger.debug(f"Generated policy: {allow_policy}")
-        return allow_policy
 
     if jwt_data := id_token_is_valid(id_token=id_token, client_id=client_id, authority=authority):
-        is_admin_user = is_admin(jwt_data, admin_group, jwt_groups_property)
-        is_in_user_group = is_user(jwt_data, user_group, jwt_groups_property) if user_group != "" else True
-        groups = json.dumps(get_property_path(jwt_data, jwt_groups_property) or [])
         username = find_jwt_username(jwt_data)
+        is_admin_user = is_admin(username)
+
+        # Check app bindle access for all users (including admins for UI access)
+        has_app_access = check_app_bindle_access(username)
+
+        if not is_admin_user and not has_app_access:
+            logger.info(f"User {username} denied access - no app bindle lock permission")
+            return deny_policy
+
+        groups = json.dumps(get_property_path(jwt_data, jwt_groups_property) or [])
         allow_policy = generate_policy(effect="Allow", resource=event["methodArn"], username=username)
         allow_policy["context"] = {"username": username, "groups": groups}
 
@@ -178,13 +170,22 @@ def id_token_is_valid(*, id_token: str, client_id: str, authority: str) -> Dict[
         return None
 
 
-def is_admin(jwt_data: dict[str, Any], admin_group: str, jwt_groups_property: str) -> bool:
-    """Check if the user is an admin."""
-    return admin_group in (get_property_path(jwt_data, jwt_groups_property) or [])
+def is_admin(username: str) -> bool:
+    """Check if the user is an admin using BRASS bindle lock authorization."""
+    brass_client = BrassClient()
+    return brass_client.check_admin_access(username)
+
+
+def check_app_bindle_access(username: str) -> bool:
+    """Check if user has general app access via app bindle lock."""
+    brass_client = BrassClient()
+    return brass_client.check_app_access(username)
 
 
-def is_user(jwt_data: dict[str, Any], user_group: str, jwt_groups_property: str) -> bool:
-    return user_group in (get_property_path(jwt_data, jwt_groups_property) or [])
+def check_app_bindle_access(username: str) -> bool:
+    """Check if user has general app access via app bindle lock."""
+    brass_client = BrassClient()
+    return brass_client.check_app_access(username)
 
 
 def find_jwt_username(jwt_data: dict[str, str]) -> str:

lambda/brass/__init__.py

@@ -0,0 +1,15 @@
+#   Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License").
+#   You may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+
+"""BRASS authorization Lambda functions."""