Further development

Author: stevebux

infrastructure/terraform/components/api/module_authorizer_lambda.tf

@@ -11,6 +11,10 @@ module "authorizer_lambda" {
   log_retention_in_days = var.log_retention_in_days
   kms_key_arn           = module.kms.key_arn
 
+  iam_policy_document = {
+    body = data.aws_iam_policy_document.authorizer_lambda.json
+  }
+
   function_name = "authorizer"
   description   = "Authorizer for Suppliers API"
 
@@ -52,4 +56,18 @@ data "aws_iam_policy_document" "authorizer_lambda" {
       "*"
     ]
   }
+
+  statement {
+    sid    = "AllowDynamoDBAccess"
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:Query"
+    ]
+
+    resources = [
+      aws_dynamodb_table.suppliers.arn,
+      "${aws_dynamodb_table.suppliers.arn}/index/supplier-apim-index"
+    ]
+  }
 }

lambdas/api-handler/src/handlers/__tests__/utils/test-utils.ts

@@ -18,7 +18,7 @@ export function makeApiGwEvent(
     requestContext: {
       accountId: '123456789012',
       apiId: 'api-id',
-      authorizer: {},
+      authorizer: null,
       protocol: 'HTTP/1.1',
       httpMethod: 'GET',
       identity: {} as any,

lambdas/api-handler/src/handlers/get-letter-data.ts

@@ -1,5 +1,6 @@
 import { APIGatewayProxyHandler } from "aws-lambda";
-import { assertNotEmpty, validateCommonHeaders } from "../utils/validation";
+import { assertNotEmpty } from "../utils/validation";
+import { extractCommonIds } from '../utils/commonIds';
 import { ApiErrorDetail } from '../contracts/errors';
 import { mapErrorToResponse } from "../mappers/error-mapper";
 import { ValidationError } from "../errors";
@@ -11,10 +12,10 @@ export function createGetLetterDataHandler(deps: Deps): APIGatewayProxyHandler {
 
   return async (event) => {
 
-    const commonHeadersResult = validateCommonHeaders(event.headers, deps);
+    const commonIds = extractCommonIds(event.headers, event.requestContext, deps);
 
-    if (!commonHeadersResult.ok) {
-      return mapErrorToResponse(commonHeadersResult.error, commonHeadersResult.correlationId, deps.logger);
+    if (!commonIds.ok) {
+      return mapErrorToResponse(commonIds.error, commonIds.correlationId, deps.logger);
     }
 
     try {
@@ -24,13 +25,13 @@ export function createGetLetterDataHandler(deps: Deps): APIGatewayProxyHandler {
       return {
         statusCode: 303,
         headers: {
-          'Location': await getLetterDataUrl(commonHeadersResult.value.supplierId, letterId, deps)
+          'Location': await getLetterDataUrl(commonIds.value.supplierId, letterId, deps)
         },
         body: ''
       };
     }
     catch (error) {
-      return mapErrorToResponse(error, commonHeadersResult.value.correlationId, deps.logger);
+      return mapErrorToResponse(error, commonIds.value.correlationId, deps.logger);
     }
   }
 };

lambdas/api-handler/src/handlers/get-letter.ts

@@ -1,5 +1,6 @@
 import { APIGatewayProxyHandler } from "aws-lambda";
-import { assertNotEmpty, validateCommonHeaders } from "../utils/validation";
+import { assertNotEmpty } from "../utils/validation";
+import { extractCommonIds } from '../utils/commonIds';
 import { ValidationError } from "../errors";
 import { ApiErrorDetail } from "../contracts/errors";
 import { getLetterById } from "../services/letter-operations";
@@ -12,22 +13,22 @@ export function createGetLetterHandler(deps: Deps): APIGatewayProxyHandler {
 
   return async (event) => {
 
-    const commonHeadersResult = validateCommonHeaders(event.headers, deps);
+    const commonIds = extractCommonIds(event.headers, event.requestContext, deps);
 
-    if (!commonHeadersResult.ok) {
-      return mapErrorToResponse(commonHeadersResult.error, commonHeadersResult.correlationId, deps.logger);
+    if (!commonIds.ok) {
+      return mapErrorToResponse(commonIds.error, commonIds.correlationId, deps.logger);
     }
 
     try {
       const letterId = assertNotEmpty(event.pathParameters?.id, new ValidationError(ApiErrorDetail.InvalidRequestMissingLetterIdPathParameter));
 
-      const letter = await getLetterById(commonHeadersResult.value.supplierId, letterId, deps.letterRepo);
+      const letter = await getLetterById(commonIds.value.supplierId, letterId, deps.letterRepo);
 
       const response = mapToGetLetterResponse(letter);
 
       deps.logger.info({
         description: 'Letter successfully fetched by id',
-        supplierId: commonHeadersResult.value.supplierId,
+        supplierId: commonIds.value.supplierId,
         letterId
       });
 
@@ -37,7 +38,7 @@ export function createGetLetterHandler(deps: Deps): APIGatewayProxyHandler {
       };
     } catch (error)
     {
-      return mapErrorToResponse(error, commonHeadersResult.value.correlationId, deps.logger);
+      return mapErrorToResponse(error, commonIds.value.correlationId, deps.logger);
     }
   }
 }

lambdas/api-handler/src/handlers/get-letters.ts

@@ -1,6 +1,6 @@
 import { APIGatewayProxyEventQueryStringParameters, APIGatewayProxyHandler } from 'aws-lambda';
 import { getLettersForSupplier } from '../services/letter-operations';
-import { validateCommonHeaders } from '../utils/validation';
+import { extractCommonIds } from '../utils/commonIds';
 import { ApiErrorDetail } from '../contracts/errors';
 import { mapErrorToResponse } from '../mappers/error-mapper';
 import { ValidationError } from '../errors';
@@ -16,10 +16,10 @@ export function createGetLettersHandler(deps: Deps): APIGatewayProxyHandler {
 
   return async (event) => {
 
-    const commonHeadersResult = validateCommonHeaders(event.headers, deps);
+    const commonIds = extractCommonIds(event.headers, event.requestContext, deps);
 
-    if (!commonHeadersResult.ok) {
-      return mapErrorToResponse(commonHeadersResult.error, commonHeadersResult.correlationId, deps.logger);
+    if (!commonIds.ok) {
+      return mapErrorToResponse(commonIds.error, commonIds.correlationId, deps.logger);
     }
 
     try {
@@ -28,7 +28,7 @@ export function createGetLettersHandler(deps: Deps): APIGatewayProxyHandler {
       const limitNumber = getLimitOrDefault(event.queryStringParameters, maxLimit, deps.logger);
 
       const letters = await getLettersForSupplier(
-        commonHeadersResult.value.supplierId,
+        commonIds.value.supplierId,
         status,
         limitNumber,
         deps.letterRepo,
@@ -38,7 +38,7 @@ export function createGetLettersHandler(deps: Deps): APIGatewayProxyHandler {
 
       deps.logger.info({
         description: 'Pending letters successfully fetched',
-        supplierId: commonHeadersResult.value.supplierId,
+        supplierId: commonIds.value.supplierId,
         limitNumber,
         status,
         lettersCount: letters.length
@@ -50,7 +50,7 @@ export function createGetLettersHandler(deps: Deps): APIGatewayProxyHandler {
       };
     }
     catch (error) {
-      return mapErrorToResponse(error, commonHeadersResult.value.correlationId, deps.logger);
+      return mapErrorToResponse(error, commonIds.value.correlationId, deps.logger);
     }
   }
 };

lambdas/api-handler/src/handlers/patch-letter.ts

@@ -4,7 +4,8 @@ import { PatchLetterRequest, PatchLetterRequestSchema } from '../contracts/lette
 import { ApiErrorDetail } from '../contracts/errors';
 import { ValidationError } from '../errors';
 import { mapErrorToResponse } from '../mappers/error-mapper';
-import { assertNotEmpty, validateCommonHeaders } from '../utils/validation';
+import { assertNotEmpty } from '../utils/validation';
+import { extractCommonIds } from '../utils/commonIds';
 import { mapToLetterDto } from '../mappers/letter-mapper';
 import type { Deps } from "../config/deps";
 
@@ -13,10 +14,10 @@ export function createPatchLetterHandler(deps: Deps): APIGatewayProxyHandler {
 
   return async (event) => {
 
-    const commonHeadersResult = validateCommonHeaders(event.headers, deps);
+    const commonIds = extractCommonIds(event.headers, event.requestContext, deps);
 
-    if (!commonHeadersResult.ok) {
-      return mapErrorToResponse(commonHeadersResult.error, commonHeadersResult.correlationId, deps.logger);
+    if (!commonIds.ok) {
+      return mapErrorToResponse(commonIds.error, commonIds.correlationId, deps.logger);
     }
 
     try {
@@ -35,15 +36,15 @@ export function createPatchLetterHandler(deps: Deps): APIGatewayProxyHandler {
         else throw error;
       }
 
-      const updatedLetter = await patchLetterStatus(mapToLetterDto(patchLetterRequest, commonHeadersResult.value.supplierId), letterId, deps.letterRepo);
+      const updatedLetter = await patchLetterStatus(mapToLetterDto(patchLetterRequest, commonIds.value.supplierId), letterId, deps.letterRepo);
 
       return {
         statusCode: 200,
         body: JSON.stringify(updatedLetter, null, 2)
       };
 
     } catch (error) {
-      return mapErrorToResponse(error, commonHeadersResult.value.correlationId, deps.logger);
+      return mapErrorToResponse(error, commonIds.value.correlationId, deps.logger);
     }
   };
 };

lambdas/api-handler/src/handlers/post-mi.ts

@@ -3,7 +3,8 @@ import { postMI as postMIOperation } from '../services/mi-operations';
 import { ApiErrorDetail } from "../contracts/errors";
 import { ValidationError } from "../errors";
 import { mapErrorToResponse } from "../mappers/error-mapper";
-import { assertNotEmpty, validateCommonHeaders, validateIso8601Timestamp } from "../utils/validation";
+import { assertNotEmpty, validateIso8601Timestamp } from "../utils/validation";
+import { extractCommonIds } from '../utils/commonIds';
 import { PostMIRequest, PostMIRequestSchema } from "../contracts/mi";
 import { mapToMI } from "../mappers/mi-mapper";
 import { Deps } from "../config/deps";
@@ -12,10 +13,10 @@ export function createPostMIHandler(deps: Deps): APIGatewayProxyHandler {
 
   return async (event) => {
 
-    const commonHeadersResult = validateCommonHeaders(event.headers, deps);
+    const commonIds = extractCommonIds(event.headers, event.requestContext, deps);
 
-    if (!commonHeadersResult.ok) {
-      return mapErrorToResponse(commonHeadersResult.error, commonHeadersResult.correlationId, deps.logger);
+    if (!commonIds.ok) {
+      return mapErrorToResponse(commonIds.error, commonIds.correlationId, deps.logger);
     }
 
     try {
@@ -33,15 +34,15 @@ export function createPostMIHandler(deps: Deps): APIGatewayProxyHandler {
       }
       validateIso8601Timestamp(postMIRequest.data.attributes.timestamp);
 
-      const result = await postMIOperation(mapToMI(postMIRequest, commonHeadersResult.value.supplierId), deps.miRepo);
+      const result = await postMIOperation(mapToMI(postMIRequest, commonIds.value.supplierId), deps.miRepo);
 
       return {
         statusCode: 201,
         body: JSON.stringify(result, null, 2)
       };
 
     } catch (error) {
-      return mapErrorToResponse(error, commonHeadersResult.value.correlationId, deps.logger);
+      return mapErrorToResponse(error, commonIds.value.correlationId, deps.logger);
     }
   }
 };

lambdas/api-handler/src/utils/__tests__/commonIds.test.ts

@@ -0,0 +1,98 @@
+import { APIGatewayProxyEvent } from 'aws-lambda';
+import { extractCommonIds } from '../commonIds';
+
+const mockDeps = {
+  env: {
+    APIM_CORRELATION_HEADER: 'x-correlation-id',
+    SUPPLIER_ID_HEADER: 'x-supplier-id',
+  }
+} as any;
+
+const mockContext =  {} as APIGatewayProxyEvent['requestContext'];
+
+describe('extractCommonIds', () => {
+  it('returns error if headers are missing', () => {
+    expect(extractCommonIds({}, mockContext, mockDeps)).toEqual({
+      ok: false,
+      error: expect.any(Error)
+    });
+  });
+
+  it('returns error if correlation id is missing', () => {
+    const headers = { 'x-supplier-id': 'SUP123', 'x-request-id': 'REQ123' };
+    expect(extractCommonIds(headers, mockContext, mockDeps)).toEqual({
+      ok: false,
+      error: expect.any(Error)
+    });
+  });
+
+  it('returns error if request id is missing', () => {
+    const headers = { 'x-correlation-id': 'CORR123', 'x-supplier-id': 'SUP123' };
+    expect(extractCommonIds(headers, mockContext, mockDeps)).toEqual({
+      ok: false,
+      error: expect.any(Error),
+      correlationId: 'CORR123'
+    });
+  });
+
+  it('returns error if supplier id is missing', () => {
+    const headers = { 'x-correlation-id': 'CORR123', 'x-request-id': 'REQ123' };
+    expect(extractCommonIds(headers, mockContext, mockDeps)).toEqual({
+      ok: false,
+      error: expect.any(Error),
+      correlationId: 'CORR123'
+    });
+  });
+
+  it('returns ok and ids if all present', () => {
+    const headers = {
+      'x-correlation-id': 'CORR123',
+      'x-request-id': 'REQ123',
+      'x-supplier-id': 'SUP123'
+    };
+    expect(extractCommonIds(headers, mockContext, mockDeps)).toEqual({
+      ok: true,
+      value: {
+        correlationId: 'CORR123',
+        supplierId: 'SUP123'
+      }
+    });
+  });
+
+  it('handles mixed case header names', () => {
+    const headers = {
+      'X-Correlation-Id': 'CORR123',
+      'X-Request-Id': 'REQ123',
+      'X-Supplier-Id': 'SUP123'
+    };
+    expect(extractCommonIds(headers, mockContext, mockDeps)).toEqual({
+      ok: true,
+      value: {
+        correlationId: 'CORR123',
+        supplierId: 'SUP123'
+      }
+    });
+  });
+
+  it('uses the supplier id from the authorizer if present', () => {
+    const headers = { 'x-correlation-id': 'CORR123', 'x-supplier-id': 'SUP123', 'x-request-id': 'REQ123' };
+    const context = { 'authorizer': {'principalId': 'SUP456'}} as unknown as APIGatewayProxyEvent['requestContext'];
+    expect(extractCommonIds(headers, context, mockDeps)).toEqual({
+      ok: true,
+      value: {
+        correlationId: 'CORR123',
+        supplierId: 'SUP456'
+      }
+    });
+  });
+
+  it('refuses to use the supplier id from the header if authorizer is present', () => {
+    const headers = { 'x-correlation-id': 'CORR123', 'x-supplier-id': 'SUP123', 'x-request-id': 'REQ123' };
+    const context = { 'authorizer': {}} as unknown as APIGatewayProxyEvent['requestContext'];
+    expect(extractCommonIds(headers, context, mockDeps)).toEqual({
+      ok: false,
+      error: expect.any(Error),
+      correlationId: 'CORR123'
+    });
+  });
+});

lambdas/api-handler/src/utils/commonIds.ts

@@ -0,0 +1,45 @@
+import { APIGatewayProxyEvent, APIGatewayProxyEventHeaders } from 'aws-lambda';
+import { Deps } from '../config/deps';
+import { lowerCaseKeys } from './validation';
+
+
+export function extractCommonIds(headers: APIGatewayProxyEventHeaders, context: APIGatewayProxyEvent['requestContext'], deps: Deps
+): { ok: true; value: { correlationId: string; supplierId: string; }; } | { ok: false; error: Error; correlationId?: string; } {
+
+  if (!headers || Object.keys(headers).length === 0) {
+    return { ok: false, error: new Error('The request headers are empty') };
+  }
+
+  const lowerCasedHeaders = lowerCaseKeys(headers);
+
+  const correlationId = lowerCasedHeaders[deps.env.APIM_CORRELATION_HEADER];
+  if (!correlationId) {
+    return { ok: false, error: new Error("The request headers don't contain the APIM correlation id") };
+  }
+
+  const requestId = lowerCasedHeaders['x-request-id'];
+  if (!requestId) {
+    return {
+      ok: false,
+      error: new Error("The request headers don't contain the x-request-id"),
+      correlationId
+    };
+  }
+
+  // In normal API usage, we expect the authorizer to provide the supplier ID. When the lambda is invoked directly, for instance
+  // in the AWS console, then fall back to using the header.
+
+  const supplierId = context.authorizer?
+    context.authorizer.principalId:
+    lowerCasedHeaders[deps.env.SUPPLIER_ID_HEADER];
+
+  if (!supplierId) {
+    return {
+      ok: false,
+      error: new Error('The supplier ID is missing from the request'),
+      correlationId
+    };
+  }
+
+  return { ok: true, value: { correlationId, supplierId } };
+}