Add certificate expiry check

stevebux · stevebux · commit 00ea22755704 · 2025-11-04T13:41:03.000Z
diff --git a/infrastructure/terraform/components/api/module_authorizer_lambda.tf b/infrastructure/terraform/components/api/module_authorizer_lambda.tf
@@ -30,4 +30,24 @@ module "authorizer_lambda" {
   send_to_firehose          = true
   log_destination_arn       = local.destination_arn
   log_subscription_role_arn = local.acct.log_subscription_role_arn
+
+  lambda_env_vars = {
+    CLOUDWATCH_NAMESPACE                     = "/aws/api-gateway/supplier/alarms"
+    CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS = 14
+  }
+}
+
+data "aws_iam_policy_document" "authorizer_lambda" {
+  statement {
+    sid    = "AllowPutMetricData"
+    effect = "Allow"
+
+    actions = [
+      "cloudwatch:PutMetricData"
+    ]
+
+    resources = [
+      "*"
+    ]
+  }
 }
diff --git a/lambdas/authorizer/package.json b/lambdas/authorizer/package.json
@@ -1,6 +1,9 @@
 {
   "dependencies": {
-    "esbuild": "^0.25.11"
+    "@aws-sdk/client-cloudwatch": "^3.922.0",
+    "esbuild": "^0.25.11",
+    "pino": "^10.1.0",
+    "zod": "^4.1.12"
   },
   "devDependencies": {
     "@tsconfig/node22": "^22.0.2",
diff --git a/lambdas/authorizer/src/__tests__/index.test.ts b/lambdas/authorizer/src/__tests__/index.test.ts
@@ -1,5 +1,20 @@
-import { APIGatewayRequestAuthorizerEvent, Callback, Context } from 'aws-lambda';
-import { handler } from '../index';
+import { APIGatewayEventClientCertificate, APIGatewayRequestAuthorizerEvent, Callback, Context } from 'aws-lambda';
+import { Deps } from '../deps';
+import pino from 'pino';
+import { EnvVars } from '../env';
+import { createAuthorizerHandler } from '../authorizer';
+
+const mockedDeps: jest.Mocked<Deps> = {
+    logger: { info: jest.fn(), error: jest.fn() } as unknown as pino.Logger,
+    env: {
+      CLOUDWATCH_NAMESPACE: 'cloudwatch-namespace',
+      CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS: 14
+    } as unknown as EnvVars,
+    cloudWatchClient: {
+      send: jest.fn().mockResolvedValue({}),
+    } as any,
+  } as Deps;
+
 
 describe('Authorizer Lambda Function', () => {
   let mockEvent: APIGatewayRequestAuthorizerEvent;
@@ -11,17 +26,20 @@ describe('Authorizer Lambda Function', () => {
       type: 'REQUEST',
       methodArn: 'arn:aws:execute-api:region:account-id:api-id/stage/GET/resource',
       headers: {},
-      pathParameters: {}
+      pathParameters: {},
+      requestContext: {identity: {clientCert: null}},
     } as APIGatewayRequestAuthorizerEvent;
 
     mockContext = {} as Context;
     mockCallback = jest.fn();
   });
 
-  it('Should allow access when headers match', () => {
+  it('Should allow access when headers match', async() => {
     mockEvent.headers = { headerauth1: 'headervalue1' };
 
+    const handler = createAuthorizerHandler(mockedDeps);
     handler(mockEvent, mockContext, mockCallback);
+    await new Promise(process.nextTick);
 
     expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
       policyDocument: expect.objectContaining({
@@ -34,10 +52,12 @@ describe('Authorizer Lambda Function', () => {
     }));
   });
 
-  it('Should deny access when headers do not match', () => {
+  it('Should deny access when headers do not match', async() => {
     mockEvent.headers = { headerauth1: 'wrongValue' };
 
+    const handler = createAuthorizerHandler(mockedDeps);
     handler(mockEvent, mockContext, mockCallback);
+    await new Promise(process.nextTick);
 
     expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
       policyDocument: expect.objectContaining({
@@ -50,10 +70,12 @@ describe('Authorizer Lambda Function', () => {
     }));
   });
 
-  it('Should handle null headers gracefully', () => {
+  it('Should handle null headers gracefully', async() => {
     mockEvent.headers = null;
 
+    const handler = createAuthorizerHandler(mockedDeps);
     handler(mockEvent, mockContext, mockCallback);
+    await new Promise(process.nextTick);
 
     expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
       policyDocument: expect.objectContaining({
@@ -66,10 +88,12 @@ describe('Authorizer Lambda Function', () => {
     }));
   });
 
-  it('Should handle defined headers correctly', () => {
+  it('Should handle defined headers correctly', async() => {
     mockEvent.headers = { headerauth1: 'headervalue1' };
 
+    const handler = createAuthorizerHandler(mockedDeps);
     handler(mockEvent, mockContext, mockCallback);
+    await new Promise(process.nextTick);
 
     expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
       policyDocument: expect.objectContaining({
@@ -82,14 +106,16 @@ describe('Authorizer Lambda Function', () => {
     }));
   });
 
-  it('Should handle additional headers correctly', () => {
+  it('Should handle additional headers correctly', async() => {
     mockEvent.headers = {
       headerauth1: 'headervalue1' ,
       otherheader1: 'headervalue2',
       otherheader2: 'headervalue3'
     };
 
+    const handler = createAuthorizerHandler(mockedDeps);
     handler(mockEvent, mockContext, mockCallback);
+    await new Promise(process.nextTick);
 
     expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
       policyDocument: expect.objectContaining({
@@ -101,4 +127,74 @@ describe('Authorizer Lambda Function', () => {
       }),
     }));
   });
+
+  describe('Certificate expiry check', () => {
+
+    beforeEach(() => {
+      jest.useFakeTimers({ doNotFake: ['nextTick'] })
+        .setSystemTime(new Date('2025-11-03T14:19:00Z'));
+    });
+
+    afterEach(() => {
+      jest.useRealTimers();
+    })
+
+    it('Should not send CloudWatch metric when certificate is null', async () => {
+      mockEvent.headers = { headerauth1: 'headervalue1' };
+      mockEvent.requestContext.identity.clientCert = null;
+
+      const handler = createAuthorizerHandler(mockedDeps);
+      handler(mockEvent, mockContext, mockCallback);
+      await new Promise(process.nextTick);
+
+      expect(mockedDeps.cloudWatchClient.send).not.toHaveBeenCalled();
+    });
+
+    it('Should send CloudWatch metric when the certificate expiry threshold is reached', async () => {
+      mockEvent.headers = { headerauth1: 'headervalue1' };
+      mockEvent.requestContext.identity.clientCert = buildCertWithExpiry('2025-11-17T14:19:00Z');
+
+      const handler = createAuthorizerHandler(mockedDeps);
+      handler(mockEvent, mockContext, mockCallback);
+      await new Promise(process.nextTick);
+
+      expect(mockedDeps.cloudWatchClient.send).toHaveBeenCalledWith(
+        expect.objectContaining({
+          input: {
+            Namespace: 'cloudwatch-namespace',
+            MetricData: [
+              {
+                MetricName: 'apim-client-certificate-near-expiry',
+                Dimensions: [
+                  { Name: 'SUBJECT_DN', Value: 'CN=test-subject' },
+                  { Name: 'NOT_AFTER', Value: '2025-11-17T14:19:00Z' },
+                ],
+              },
+            ],
+          },
+        })
+      );
+    });
+
+    it('Should not send CloudWatch metric when the certificate expiry threshold is not yet reached', async () => {
+      mockEvent.headers = { headerauth1: 'headervalue1' };
+      mockEvent.requestContext.identity.clientCert = buildCertWithExpiry('2025-11-18T14:19:00Z');
+
+      const handler = createAuthorizerHandler(mockedDeps);
+      handler(mockEvent, mockContext, mockCallback);
+      await new Promise(process.nextTick);
+
+      expect(mockedDeps.cloudWatchClient.send).not.toHaveBeenCalled();
+    });
+  });
+
+  function buildCertWithExpiry(expiry: string): APIGatewayEventClientCertificate {
+
+    return {
+      subjectDN: 'CN=test-subject',
+      validity: {
+        notAfter: expiry,
+      } as APIGatewayEventClientCertificate['validity'],
+    } as APIGatewayEventClientCertificate;
+  }
 });
diff --git a/lambdas/authorizer/src/authorizer.ts b/lambdas/authorizer/src/authorizer.ts
@@ -0,0 +1,127 @@
+// A simple request-based authorizer example to demonstrate how to use request
+// parameters to allow or deny a request. In this example, a request is
+// authorized if the client-supplied HeaderAuth1 header and stage variable of StageVar1
+// both match specified values of 'headerValue1' and 'stageValue1', respectively.
+//
+// Example curl request (replace <api-url> and <stage> as appropriate):
+//
+//   curl -H "HeaderAuth1: headerValue1" \
+//        "<api-url>/<stage>/your-resource"
+//
+
+// See https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html for the original JS documentation
+
+import {APIGatewayAuthorizerResult, APIGatewayEventClientCertificate, APIGatewayRequestAuthorizerEvent, APIGatewayRequestAuthorizerHandler,
+  Callback, Context } from 'aws-lambda';
+import { Deps } from './deps';
+import { PutMetricDataCommand } from '@aws-sdk/client-cloudwatch';
+
+export function createAuthorizerHandler(deps: Deps): APIGatewayRequestAuthorizerHandler {
+
+    return  (
+    event: APIGatewayRequestAuthorizerEvent,
+    context: Context,
+    callback: Callback<APIGatewayAuthorizerResult>
+  ): void => {
+    deps.logger.info(event, 'Received event');
+
+    const headers = event.headers || {};
+
+    checkCertificateExpiry(event.requestContext.identity.clientCert, deps).then(() => {
+      // Perform authorization to return the Allow policy for correct parameters and
+      // the 'Unauthorized' error, otherwise.
+      if (
+        headers['headerauth1'] === 'headervalue1'
+      ) {
+        deps.logger.info('Allow event');
+        callback(null, generateAllow('me', event.methodArn));
+      } else {
+        deps.logger.info('Deny event');
+        callback(null, generateDeny('me', event.methodArn));
+      }
+    });
+  };
+}
+
+
+  // Helper function to generate an IAM policy
+  function generatePolicy(
+    principalId: string,
+    effect: 'Allow' | 'Deny',
+    resource: string
+  ): APIGatewayAuthorizerResult {
+    // Required output:
+    const authResponse: APIGatewayAuthorizerResult = {
+      principalId,
+      policyDocument: {
+        Version: '2012-10-17',
+        Statement: [
+          {
+            Action: 'execute-api:Invoke',
+            Effect: effect,
+            Resource: resource,
+          },
+        ],
+      },
+      context: {
+        stringKey: 'stringval',
+        numberKey: 123,
+        booleanKey: true,
+      },
+    };
+    return authResponse;
+  }
+
+function generateAllow(principalId: string, resource: string): APIGatewayAuthorizerResult {
+  return generatePolicy(principalId, 'Allow', resource);
+}
+
+function generateDeny(principalId: string, resource: string): APIGatewayAuthorizerResult {
+  return generatePolicy(principalId, 'Deny', resource);
+}
+
+function getCertificateExpiryInDays(certificate: APIGatewayEventClientCertificate): number {
+  const now = new Date().getTime();
+  const expiry = new Date(certificate.validity.notAfter).getTime();
+  return (expiry - now)  / (1000 * 60 * 60 * 24);
+}
+
+async function checkCertificateExpiry(certificate: APIGatewayEventClientCertificate | null, deps: Deps): Promise<void> {
+  deps.logger.info({
+    description: 'Client certificate details',
+    issuerDN: certificate?.issuerDN,
+    subjectDN: certificate?.subjectDN,
+    validity: certificate?.validity,
+  });
+
+  if (!certificate) {
+    // In a real production environment, we won't have got this far if there wasn't a cert
+    return;
+  }
+
+  const expiry = getCertificateExpiryInDays(certificate);
+
+  if (expiry <= deps.env.CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS) {
+    const { subjectDN, validity } = certificate;
+
+    deps.logger.info({
+      description: 'Client certificate near expiry',
+      certificateExpiry: validity.notAfter,
+      subjectDN,
+    });
+    await deps.cloudWatchClient.send(buildCloudWatchCommand(deps.env.CLOUDWATCH_NAMESPACE, certificate));
+  }
+
+  function buildCloudWatchCommand(namespace: string, certificate: APIGatewayEventClientCertificate): PutMetricDataCommand {
+    return new PutMetricDataCommand({
+      MetricData: [{
+        MetricName: 'apim-client-certificate-near-expiry',
+        Dimensions: [
+          {Name: 'SUBJECT_DN', Value: certificate.subjectDN},
+          {Name: 'NOT_AFTER', Value: certificate.validity.notAfter}
+        ]
+      }],
+      Namespace: namespace
+    });
+  }
+};
diff --git a/lambdas/authorizer/src/deps.ts b/lambdas/authorizer/src/deps.ts
@@ -0,0 +1,19 @@
+import { CloudWatchClient } from "@aws-sdk/client-cloudwatch";
+import pino from 'pino';
+import { envVars, EnvVars } from "./env";
+
+export type Deps = {
+  cloudWatchClient: CloudWatchClient;
+  logger: pino.Logger;
+  env: EnvVars;
+};
+
+export function createDependenciesContainer(): Deps {
+  const log = pino();
+
+  return {
+    cloudWatchClient: new CloudWatchClient({}),
+    logger: log,
+    env: envVars
+  };
+}
diff --git a/lambdas/authorizer/src/env.ts b/lambdas/authorizer/src/env.ts
@@ -0,0 +1,10 @@
+import {z} from 'zod';
+
+const EnvVarsSchema = z.object({
+  CLOUDWATCH_NAMESPACE: z.string(),
+  CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS: z.coerce.number().int()
+});
+
+export type EnvVars = z.infer<typeof EnvVarsSchema>;
+
+export const envVars = EnvVarsSchema.parse(process.env);
diff --git a/lambdas/authorizer/src/index.ts b/lambdas/authorizer/src/index.ts
diff --git a/package-lock.json b/package-lock.json
