Added supplier ID lookup

Author: stevebux

infrastructure/terraform/components/api/module_authorizer_lambda.tf

@@ -32,8 +32,10 @@ module "authorizer_lambda" {
   log_subscription_role_arn = local.acct.log_subscription_role_arn
 
   lambda_env_vars = {
-    CLOUDWATCH_NAMESPACE                     = "/aws/api-gateway/supplier/alarms"
-    CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS = 14
+    CLOUDWATCH_NAMESPACE                     = "/aws/api-gateway/supplier/alarms",
+    CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS = 14,
+    APIM_APPLICATION_ID_HEADER               = "apim-application-id",
+    SUPPLIERS_TABLE_NAME                     = aws_dynamodb_table.suppliers.name
   }
 }
 

infrastructure/terraform/components/api/resources/spec.tmpl.json

@@ -3,13 +3,13 @@
     "securitySchemes": {
       "LambdaAuthorizer": {
         "in": "header",
-        "name": "NHSD-Supplier-ID",
+        "name": "apim-application-id",
         "type": "apiKey",
         "x-amazon-apigateway-authorizer": {
           "authorizerCredentials": "${APIG_EXECUTION_ROLE_ARN}",
           "authorizerResultTtlInSeconds": 0,
           "authorizerUri": "arn:aws:apigateway:${AWS_REGION}:lambda:path/2015-03-31/functions/${AUTHORIZER_LAMBDA_ARN}/invocations",
-          "identitySource": "method.request.header.NHSD-Supplier-ID",
+          "identitySource": "method.request.header.apim-application-id",
           "type": "request"
         },
         "x-amazon-apigateway-authtype": "custom"

lambdas/api-handler/src/config/deps.ts

@@ -19,25 +19,21 @@ function createDocumentClient(): DynamoDBDocumentClient {
 }
 
 function createLetterRepository(documentClient: DynamoDBDocumentClient, log: pino.Logger, envVars: EnvVars): LetterRepository {
-  const ddbClient = new DynamoDBClient({});
-  const docClient = DynamoDBDocumentClient.from(ddbClient);
   const config = {
     lettersTableName: envVars.LETTERS_TABLE_NAME,
     lettersTtlHours: envVars.LETTER_TTL_HOURS
   };
 
-  return new LetterRepository(docClient, log, config);
+  return new LetterRepository(documentClient, log, config);
 }
 
 function createMIRepository(documentClient: DynamoDBDocumentClient, log: pino.Logger, envVars: EnvVars): MIRepository {
-  const ddbClient = new DynamoDBClient({});
-  const docClient = DynamoDBDocumentClient.from(ddbClient);
   const config = {
     miTableName: envVars.MI_TABLE_NAME,
     miTtlHours: envVars.MI_TTL_HOURS
   };
 
-  return new MIRepository(docClient, log, config);
+  return new MIRepository(documentClient, log, config);
 }
 
 export function createDependenciesContainer(): Deps {

lambdas/authorizer/src/__tests__/index.test.ts

@@ -8,11 +8,15 @@ const mockedDeps: jest.Mocked<Deps> = {
     logger: { info: jest.fn(), error: jest.fn() } as unknown as pino.Logger,
     env: {
       CLOUDWATCH_NAMESPACE: 'cloudwatch-namespace',
-      CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS: 14
+      CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS: 14,
+      APIM_APPLICATION_ID_HEADER: 'apim-application-id'
     } as unknown as EnvVars,
     cloudWatchClient: {
       send: jest.fn().mockResolvedValue({}),
     } as any,
+    supplierRepo: {
+      getSupplierByApimId: jest.fn(),
+    } as any,
   } as Deps;
 
 
@@ -34,100 +38,6 @@ describe('Authorizer Lambda Function', () => {
     mockCallback = jest.fn();
   });
 
-  it('Should allow access when headers match', async() => {
-    mockEvent.headers = { headerauth1: 'headervalue1' };
-
-    const handler = createAuthorizerHandler(mockedDeps);
-    handler(mockEvent, mockContext, mockCallback);
-    await new Promise(process.nextTick);
-
-    expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
-      policyDocument: expect.objectContaining({
-        Statement: expect.arrayContaining([
-          expect.objectContaining({
-            Effect: 'Allow',
-          }),
-        ]),
-      }),
-    }));
-  });
-
-  it('Should deny access when headers do not match', async() => {
-    mockEvent.headers = { headerauth1: 'wrongValue' };
-
-    const handler = createAuthorizerHandler(mockedDeps);
-    handler(mockEvent, mockContext, mockCallback);
-    await new Promise(process.nextTick);
-
-    expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
-      policyDocument: expect.objectContaining({
-        Statement: expect.arrayContaining([
-          expect.objectContaining({
-            Effect: 'Deny',
-          }),
-        ]),
-      }),
-    }));
-  });
-
-  it('Should handle null headers gracefully', async() => {
-    mockEvent.headers = null;
-
-    const handler = createAuthorizerHandler(mockedDeps);
-    handler(mockEvent, mockContext, mockCallback);
-    await new Promise(process.nextTick);
-
-    expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
-      policyDocument: expect.objectContaining({
-        Statement: expect.arrayContaining([
-          expect.objectContaining({
-            Effect: 'Deny',
-          }),
-        ]),
-      }),
-    }));
-  });
-
-  it('Should handle defined headers correctly', async() => {
-    mockEvent.headers = { headerauth1: 'headervalue1' };
-
-    const handler = createAuthorizerHandler(mockedDeps);
-    handler(mockEvent, mockContext, mockCallback);
-    await new Promise(process.nextTick);
-
-    expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
-      policyDocument: expect.objectContaining({
-        Statement: expect.arrayContaining([
-          expect.objectContaining({
-            Effect: 'Allow',
-          }),
-        ]),
-      }),
-    }));
-  });
-
-  it('Should handle additional headers correctly', async() => {
-    mockEvent.headers = {
-      headerauth1: 'headervalue1' ,
-      otherheader1: 'headervalue2',
-      otherheader2: 'headervalue3'
-    };
-
-    const handler = createAuthorizerHandler(mockedDeps);
-    handler(mockEvent, mockContext, mockCallback);
-    await new Promise(process.nextTick);
-
-    expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
-      policyDocument: expect.objectContaining({
-        Statement: expect.arrayContaining([
-          expect.objectContaining({
-            Effect: 'Allow',
-          }),
-        ]),
-      }),
-    }));
-  });
-
   describe('Certificate expiry check', () => {
 
     beforeEach(() => {
@@ -140,7 +50,6 @@ describe('Authorizer Lambda Function', () => {
     })
 
     it('Should not send CloudWatch metric when certificate is null', async () => {
-      mockEvent.headers = { headerauth1: 'headervalue1' };
       mockEvent.requestContext.identity.clientCert = null;
 
       const handler = createAuthorizerHandler(mockedDeps);
@@ -151,7 +60,6 @@ describe('Authorizer Lambda Function', () => {
     });
 
     it('Should send CloudWatch metric when the certificate expiry threshold is reached', async () => {
-      mockEvent.headers = { headerauth1: 'headervalue1' };
       mockEvent.requestContext.identity.clientCert = buildCertWithExpiry('2025-11-17T14:19:00Z');
 
       const handler = createAuthorizerHandler(mockedDeps);
@@ -177,7 +85,6 @@ describe('Authorizer Lambda Function', () => {
     });
 
     it('Should not send CloudWatch metric when the certificate expiry threshold is not yet reached', async () => {
-      mockEvent.headers = { headerauth1: 'headervalue1' };
       mockEvent.requestContext.identity.clientCert = buildCertWithExpiry('2025-11-18T14:19:00Z');
 
       const handler = createAuthorizerHandler(mockedDeps);
@@ -197,4 +104,88 @@ describe('Authorizer Lambda Function', () => {
       } as APIGatewayEventClientCertificate['validity'],
     } as APIGatewayEventClientCertificate;
   }
+
+    describe('Supplier ID lookup', () => {
+
+      it('Should deny the request when no headers are present', async () => {
+        mockEvent.headers = null;
+
+        const handler = createAuthorizerHandler(mockedDeps);
+        handler(mockEvent, mockContext, mockCallback);
+        await new Promise(process.nextTick);
+
+        expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
+          policyDocument: expect.objectContaining({
+            Statement: [
+              expect.objectContaining({
+                Effect: 'Deny',
+              }),
+            ],
+          }),
+        }));
+      });
+
+      it('Should deny the request when the APIM application ID header is absent', async () => {
+        mockEvent.headers = {'x-apim-correlation-id': 'correlation-id'};
+
+        const handler = createAuthorizerHandler(mockedDeps);
+        handler(mockEvent, mockContext, mockCallback);
+        await new Promise(process.nextTick);
+
+        expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
+          policyDocument: expect.objectContaining({
+            Statement: [
+              expect.objectContaining({
+                Effect: 'Deny',
+              }),
+            ],
+          }),
+        }));
+      });
+
+      it('Should deny the request when no supplier ID is found', async () => {
+        mockEvent.headers = { 'apim-application-id': 'unknown-apim-id' };
+        (mockedDeps.supplierRepo.getSupplierByApimId as jest.Mock).mockRejectedValue(new Error('Supplier not found'));
+
+        const handler = createAuthorizerHandler(mockedDeps);
+        handler(mockEvent, mockContext, mockCallback);
+        await new Promise(process.nextTick);
+
+        expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
+          policyDocument: expect.objectContaining({
+            Statement: [
+              expect.objectContaining({
+                Effect: 'Deny',
+              }),
+            ],
+          }),
+        }));
+      });
+
+      it('Should allow the request when the supplier ID is found', async () => {
+        mockEvent.headers = { 'apim-application-id': 'valid-apim-id' };
+        (mockedDeps.supplierRepo.getSupplierByApimId as jest.Mock).mockResolvedValue({
+          id: 'supplier-123',
+          apimApplicationId: 'valid-apim-id',
+          name: 'Test Supplier',
+        });
+
+        const handler = createAuthorizerHandler(mockedDeps);
+        handler(mockEvent, mockContext, mockCallback);
+        await new Promise(process.nextTick);
+
+        expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
+          policyDocument: expect.objectContaining({
+            Statement: [
+              expect.objectContaining({
+                Effect: 'Allow',
+              }),
+            ],
+          }),
+          context: {
+            supplierId: 'supplier-123',
+          },
+        }));
+      });
+    });
 });

lambdas/authorizer/src/authorizer.ts

@@ -11,10 +11,11 @@
 
 // See https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html for the original JS documentation
 
-import {APIGatewayAuthorizerResult, APIGatewayEventClientCertificate, APIGatewayRequestAuthorizerEvent, APIGatewayRequestAuthorizerHandler,
+import {APIGatewayAuthorizerResult, APIGatewayAuthorizerResultContext, APIGatewayEventClientCertificate, APIGatewayRequestAuthorizerEvent, APIGatewayRequestAuthorizerEventHeaders, APIGatewayRequestAuthorizerHandler,
   Callback, Context } from 'aws-lambda';
 import { Deps } from './deps';
 import { PutMetricDataCommand } from '@aws-sdk/client-cloudwatch';
+import { Supplier } from '@internal/datastore';
 
 export function createAuthorizerHandler(deps: Deps): APIGatewayRequestAuthorizerHandler {
 
@@ -25,30 +26,38 @@ export function createAuthorizerHandler(deps: Deps): APIGatewayRequestAuthorizer
   ): void => {
     deps.logger.info(event, 'Received event');
 
-    const headers = event.headers || {};
 
-    checkCertificateExpiry(event.requestContext.identity.clientCert, deps).then(() => {
-      // Perform authorization to return the Allow policy for correct parameters and
-      // the 'Unauthorized' error, otherwise.
-      if (
-        headers['headerauth1'] === 'headervalue1'
-      ) {
+    checkCertificateExpiry(event.requestContext.identity.clientCert, deps)
+      .then(() => deps.supplierRepo.getSupplierByApimId(extractApimId(event.headers, deps)))
+      .then((supplier: Supplier) => {
         deps.logger.info('Allow event');
-        callback(null, generateAllow('me', event.methodArn));
-      } else {
-        deps.logger.info('Deny event');
+        callback(null, generateAllow('me', event.methodArn, supplier.id));
+      })
+      .catch((error) => {
+        deps.logger.info('Deny event', {error});
         callback(null, generateDeny('me', event.methodArn));
-      }
-    });
+      });
   };
 }
 
 
+function extractApimId(headers: APIGatewayRequestAuthorizerEventHeaders | null, deps: Deps): string {
+  const apimId = Object.entries(headers || {})
+    .find(([headerName, _]) => headerName.toLowerCase() === deps.env.APIM_APPLICATION_ID_HEADER)?.[1];
+
+    if(!apimId) {
+      throw new Error("No APIM application ID found in header");
+    }
+    return apimId;
+}
+
+
   // Helper function to generate an IAM policy
   function generatePolicy(
     principalId: string,
     effect: 'Allow' | 'Deny',
-    resource: string
+    resource: string,
+    context: APIGatewayAuthorizerResultContext
   ): APIGatewayAuthorizerResult {
     // Required output:
     const authResponse: APIGatewayAuthorizerResult = {
@@ -63,21 +72,17 @@ export function createAuthorizerHandler(deps: Deps): APIGatewayRequestAuthorizer
           },
         ],
       },
-      context: {
-        stringKey: 'stringval',
-        numberKey: 123,
-        booleanKey: true,
-      },
+      context: context,
     };
     return authResponse;
   }
 
-function generateAllow(principalId: string, resource: string): APIGatewayAuthorizerResult {
-  return generatePolicy(principalId, 'Allow', resource);
+function generateAllow(principalId: string, resource: string, supplierId: string): APIGatewayAuthorizerResult {
+  return generatePolicy(principalId, 'Allow', resource, {supplierId: supplierId});
 }
 
 function generateDeny(principalId: string, resource: string): APIGatewayAuthorizerResult {
-  return generatePolicy(principalId, 'Deny', resource);
+  return generatePolicy(principalId, 'Deny', resource, {});
 }
 
 function getCertificateExpiryInDays(certificate: APIGatewayEventClientCertificate): number {