Add RBAC and call deletion functions to the web UI#347
Open
meduncan wants to merge 3 commits intoaws-samples:developfrom
Conversation
…ced roles and permissions to provide control over who can perform read, upload, delete and permission administration. Also added logging to the API Gateway, added new Anthropic models, and set file name regex parsing to be case insensitive.
…d also built a CloudFormation template which creates example CloudWatch dashboards and notifications.
…unctionality they have always had with PCA (read calls and upload calls). Also added a parameter to the CFN to trigger web UI updates when a template is upgraded. The default value in the template should match that of PCA being deployed. Later perhaps consider making this a map value instead of parameter.
There is also a parameter added to the CloudFormation template to fix an issue with upgrades. The pca-main-nokendra.template and the pca-main.template have a "Version" parameter where the default value should be updated to match the version that will be compiled. In the version I was working on I assumed that due to the introduction of RBAC and call deletion this would be 0.8.0 so that is how I set the value.
Issue #346, #338
Description of changes:
Roles have been introduced to PCA along with the ability to define roles and permissions. This is in support of enabling the ability to delete calls from the web UI. To create roles and manage permissions in the UI a user must have the manage_roles permission. Role definitions are stored in a DynamoDB table and the role is attached to the user as an attribute on the user in Cognito. The attribute is called custom:pca_role and contains the role name assigned to the user. This attribute is added to a user's access token by Cognito's Pre token generation Lambda trigger when they sign in to the PCA web UI so if permissions are changed for a user they will need to log off and log back in to receive the new entitlements.
When the PCA solution is launched the admin user is granted the admin role which has full access to the web UI. Additional roles may be created using the new Admin widget in the top right of the web UI. Note that if a role is defined with the manage_roles permission the role cannot be deleted. This is a safety measure to avoid accidental deletion of role management. When a user with manage_roles creates, deletes, or changes anything in the Role Management page that action will be logged in a CloudWatch log group called /pca/audit. These roles only affect the web UI. Authentication and authorization to access the QuickSuite dashboard, if enabled, use a different mechanism.
The permissions available are:
Notes on Upgrading from prior versions of PCA
Before performing an upgrade to an existing version of PCA you will need to update the Cognito User Pool to the Plus Feature plan. This will enable support for identity and access token enrichment.
If you perform an upgrade from a prior version of PCA your users will start with no role assigned until they log in for the first time after the upgrade. At that point they will be automatically assigned the call-readwrite role which provides them the ability to read all calls and upload calls (identical to the functionality they had in the prior version). Initially the only user with rights to assign roles and create new roles will be the admin user. If you need to elevate privileges for a user because the admin user has been deleted you can go into Cognito, go into the details of a user, and change the value of the custom:pca_role attribute to admin.
Other enhancements
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
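The mechanism the description lays out (role name in the custom:pca_role Cognito attribute, copied into the token by a Pre token generation trigger at sign-in, resolved against a roles table, with manage_roles gating role administration and protecting roles that grant it) is shown below as an added example. It is not code from the PCA project or from this PR. The names custom:pca_role, call-readwrite, manage_roles and the admin role come from the description; the permission strings read/upload/delete, the in-memory ROLE_TABLE standing in for the DynamoDB table, the pca_permissions claim name and the audit record layout are assumptions made for illustration.

```python
"""Cognito Pre token generation trigger and role-management checks.

Added example for this PR page, not code from the PCA project. Names marked
"assumed" are invented for illustration; custom:pca_role, call-readwrite,
manage_roles and the admin role come from the PR description.
"""
import json
import time
from typing import Dict, List, Optional

ROLE_ATTRIBUTE = "custom:pca_role"   # Cognito user attribute named in the PR
DEFAULT_ROLE = "call-readwrite"      # role auto-assigned on first login after upgrade
MANAGE_ROLES = "manage_roles"        # permission required to administer roles
PERMISSIONS_CLAIM = "pca_permissions"  # assumed name of the added token claim

# Constructed stand-in for the DynamoDB roles table (role name -> permissions).
# Only "admin" and "call-readwrite" are named by the PR; the permission
# strings themselves are assumed.
ROLE_TABLE: Dict[str, List[str]] = {
    "admin": ["read", "upload", "delete", MANAGE_ROLES],
    "call-readwrite": ["read", "upload"],
}


def resolve_role(user_attributes: Dict[str, str]) -> str:
    """Role from the Cognito attribute; an absent or empty attribute gets the default.

    An unknown role name is kept as-is rather than mapped to the default, so a
    deleted role fails closed (no permissions) instead of silently becoming
    call-readwrite.
    """
    return user_attributes.get(ROLE_ATTRIBUTE, "").strip() or DEFAULT_ROLE


def pre_token_generation(event: dict, roles: Optional[Dict[str, List[str]]] = None) -> dict:
    """Handler body for the Pre token generation trigger, event version 2.

    Version 2 of the trigger event is the one that can add claims to the access
    token (the reason the PR needs a user-pool feature plan that supports it);
    version 1 only reaches the ID token, so an API that authorizes on the
    access token would never see the role.
    """
    roles = ROLE_TABLE if roles is None else roles
    if str(event.get("version")) != "2":
        raise ValueError("access token enrichment requires trigger event version 2")
    role = resolve_role(event["request"]["userAttributes"])
    claims = {
        ROLE_ATTRIBUTE: role,
        PERMISSIONS_CLAIM: ",".join(roles.get(role, [])),  # claim values must be strings
    }
    # Claims are fixed at sign-in, which is why a role change only takes effect
    # after the user signs out and back in.
    event["response"] = {
        "claimsAndScopeOverrideDetails": {
            "idTokenGeneration": {"claimsToAddOrOverride": dict(claims)},
            "accessTokenGeneration": {"claimsToAddOrOverride": dict(claims)},
        }
    }
    return event


def permissions_from_claims(claims: Dict[str, str]) -> List[str]:
    """Permissions as the API would read them back out of a verified token."""
    return [p for p in claims.get(PERMISSIONS_CLAIM, "").split(",") if p]


def audit(log: List[dict], actor_claims: Dict[str, str], action: str, target: str, outcome: str) -> dict:
    """Append one audit record; in Lambda the print lands in CloudWatch Logs (the PR routes to /pca/audit)."""
    entry = {
        "ts": int(time.time()),
        "actor": actor_claims.get("username") or actor_claims.get("sub", "unknown"),
        "action": action,
        "target": target,
        "outcome": outcome,
    }
    log.append(entry)
    print(json.dumps(entry))
    return entry


def delete_role(actor_claims: Dict[str, str], role_name: str,
                roles: Dict[str, List[str]], log: List[dict]) -> bool:
    """Delete a role definition under the two rules the PR states.

    The caller must hold manage_roles, and a role that itself grants
    manage_roles is never deletable, so role administration cannot be
    removed by accident. Every attempt, allowed or denied, is audited.
    """
    if MANAGE_ROLES not in permissions_from_claims(actor_claims):
        audit(log, actor_claims, "delete_role", role_name, "denied: caller lacks manage_roles")
        return False
    if MANAGE_ROLES in roles.get(role_name, []):
        audit(log, actor_claims, "delete_role", role_name, "denied: role grants manage_roles")
        return False
    if role_name not in roles:
        audit(log, actor_claims, "delete_role", role_name, "denied: no such role")
        return False
    del roles[role_name]
    audit(log, actor_claims, "delete_role", role_name, "ok")
    return True
```

Two points worth checking when wiring something like this into a real user pool: the API must authorize on the enriched access token rather than trusting a role name the browser sends, and a user whose attribute names a role that no longer exists should end up with an empty permission list, not the default role, which is what resolve_role and the roles.get(...) lookup above do.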