CCM-10922 Adding sample authorizer

Author: aidenvaines-cgi

.tool-versions

@@ -2,7 +2,6 @@ act 0.2.64
 gitleaks 8.24.0
 jq 1.6
 nodejs 22.11.0
-pnpm 10.4.1
 pre-commit 3.6.0
 python 3.13.2
 terraform 1.9.2

infrastructure/terraform/components/api/iam_role_api_gateway_execution_role.tf

@@ -48,7 +48,7 @@ data "aws_iam_policy_document" "api_gateway_execution_policy" {
     ]
 
     resources = [
-      # module.authorizer_lambda.function_arn,
+      module.authorizer_lambda.function_arn,
       module.hello_world.function_arn,
     ]
   }

infrastructure/terraform/components/api/locals.tf

@@ -4,7 +4,7 @@ locals {
     openapi_spec = templatefile("${path.module}/resources/spec.tmpl.json", {
         APIG_EXECUTION_ROLE_ARN  = aws_iam_role.api_gateway_execution_role.arn
         AWS_REGION               = var.region
-        # AUTHORIZER_LAMBDA_ARN    = module.authorizer_lambda.function_arn
+        AUTHORIZER_LAMBDA_ARN    = module.authorizer_lambda.function_arn
         HELLO_WORLD_LAMBDA_ARN    = module.hello_world.function_arn
     })
 }

infrastructure/terraform/components/api/module_authorizer_lambda.tf

@@ -1,29 +1,29 @@
-# module "authorizer_lambda" {
-#   source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda?ref=v2.0.4"
+module "authorizer_lambda" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda?ref=v2.0.4"
 
-#   aws_account_id = var.aws_account_id
-#   component      = var.component
-#   environment    = var.environment
-#   project        = var.project
-#   region         = var.region
-#   group          = var.group
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+  group          = var.group
 
-#   log_retention_in_days = var.log_retention_in_days
-#   kms_key_arn = var.kms_key_arn
+  log_retention_in_days = var.log_retention_in_days
+  kms_key_arn           = module.kms.key_arn
 
-#   function_name = "authorizer"
-#   description   = "Authorizer for Suppliers API"
+  function_name = "authorizer"
+  description   = "Authorizer for Suppliers API"
 
-#   memory  = 512
-#   timeout = 20
-#   runtime = "nodejs22.x"
+  memory  = 512
+  timeout = 20
+  runtime = "nodejs22.x"
 
-#   function_s3_bucket      = local.acct.s3_buckets["lambda_function_artefacts"]["id"]
-#   function_code_base_path = local.aws_lambda_functions_dir_path
-#   function_code_dir       = "authorizer/dist"
-#   function_module_name  = "index"
-#   handler_function_name = "handler"
+  function_s3_bucket      = local.acct.s3_buckets["lambda_function_artefacts"]["id"]
+  function_code_base_path = local.aws_lambda_functions_dir_path
+  function_code_dir       = "authorizer/dist"
+  function_module_name    = "index"
+  handler_function_name   = "handler"
 
-#   enable_lambda_insights   = false
-#   force_lambda_code_deploy = var.force_lambda_code_deploy
-# }
+  enable_lambda_insights   = false
+  force_lambda_code_deploy = var.force_lambda_code_deploy
+}

infrastructure/terraform/components/api/outputs.tf

@@ -1 +1,3 @@
-# Define the outputs for the component. The outputs may well be referenced by other component in the same or different environments using terraform_remote_state data sources...
+output "api_urll" {
+  value = aws_api_gateway_stage.main.invoke_url
+}

infrastructure/terraform/components/api/resources/spec.tmpl.json

@@ -1,6 +1,19 @@
 {
   "components": {
     "securitySchemes": {
+      "LambdaAuthorizer": {
+        "type": "apiKey",
+        "name": "Authorization",
+        "in": "header",
+        "x-amazon-apigateway-authtype": "custom",
+        "x-amazon-apigateway-authorizer": {
+          "type": "request",
+          "authorizerUri": "arn:aws:apigateway:${AWS_REGION}:lambda:path/2015-03-31/functions/${AUTHORIZER_LAMBDA_ARN}/invocations",
+          "authorizerCredentials": "${APIG_EXECUTION_ROLE_ARN}",
+          "identitySource": "method.request.header.HeaderAuth1",
+          "authorizerResultTtlInSeconds": 300
+        }
+      }
     }
   },
   "info": {
@@ -32,7 +45,12 @@
           "timeoutInMillis": 29000,
           "type": "AWS_PROXY",
           "uri": "arn:aws:apigateway:${AWS_REGION}:lambda:path/2015-03-31/functions/${HELLO_WORLD_LAMBDA_ARN}/invocations"
-        }
+        },
+        "security": [
+          {
+            "LambdaAuthorizer": []
+          }
+        ]
       }
     }
   }

infrastructure/terraform/components/api/variables.tf

@@ -63,6 +63,12 @@ variable "log_retention_in_days" {
   default     = 0
 }
 
+variable "log_level" {
+  type        = string
+  description = "The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels"
+  default     = "INFO"
+}
+
 variable "force_lambda_code_deploy" {
   type        = bool
   description = "If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development"

lambdas/authorizer/jest.config.ts

@@ -1,9 +1,60 @@
 import type { Config } from 'jest';
-import { baseJestConfig } from 'nhs-notify-web-template-management-utils';
 
-const config: Config = {
+export const baseJestConfig: Config = {
+  preset: 'ts-jest',
+
+  // Automatically clear mock calls, instances, contexts and results before every test
+  clearMocks: true,
+
+  // Indicates whether the coverage information should be collected while executing the test
+  collectCoverage: true,
+
+  // The directory where Jest should output its coverage files
+  coverageDirectory: './.reports/unit/coverage',
+
+  // Indicates which provider should be used to instrument code for coverage
+  coverageProvider: 'babel',
+
+  coverageThreshold: {
+    global: {
+      branches: 100,
+      functions: 100,
+      lines: 100,
+      statements: -10,
+    },
+  },
+
+  coveragePathIgnorePatterns: ['/__tests__/'],
+  transform: { '^.+\\.ts$': 'ts-jest' },
+  testPathIgnorePatterns: ['.build'],
+  testMatch: ['**/?(*.)+(spec|test).[jt]s?(x)'],
+
+  // Use this configuration option to add custom reporters to Jest
+  reporters: [
+    'default',
+    [
+      'jest-html-reporter',
+      {
+        pageTitle: 'Test Report',
+        outputPath: './.reports/unit/test-report.html',
+        includeFailureMsg: true,
+      },
+    ],
+  ],
+
+  // The test environment that will be used for testing
+  testEnvironment: 'jsdom',
+};
+
+const utilsJestConfig = {
   ...baseJestConfig,
+
   testEnvironment: 'node',
+
+  coveragePathIgnorePatterns: [
+    ...(baseJestConfig.coveragePathIgnorePatterns ?? []),
+    'zod-validators.ts',
+  ],
 };
 
-export default config;
+export default utilsJestConfig;

lambdas/authorizer/src/__tests__/index.test.ts

@@ -0,0 +1,84 @@
+import { handler } from '../index';
+import { APIGatewayRequestAuthorizerEvent, Context, Callback } from 'aws-lambda';
+
+describe('Authorizer Lambda Function', () => {
+  let mockEvent: APIGatewayRequestAuthorizerEvent;
+  let mockContext: Context;
+  let mockCallback: jest.MockedFunction<Callback<any>>;
+
+  beforeEach(() => {
+    mockEvent = {
+      type: 'REQUEST',
+      methodArn: 'arn:aws:execute-api:region:account-id:api-id/stage/GET/resource',
+      headers: {},
+      pathParameters: {}
+    } as APIGatewayRequestAuthorizerEvent;
+
+    mockContext = {} as Context;
+    mockCallback = jest.fn();
+  });
+
+  it('Should allow access when headers match', () => {
+    mockEvent.headers = { HeaderAuth1: 'headerValue1' };
+
+    handler(mockEvent, mockContext, mockCallback);
+
+    expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
+      policyDocument: expect.objectContaining({
+        Statement: expect.arrayContaining([
+          expect.objectContaining({
+            Effect: 'Allow',
+          }),
+        ]),
+      }),
+    }));
+  });
+
+  it('Should deny access when headers do not match', () => {
+    mockEvent.headers = { HeaderAuth1: 'wrongValue' };
+
+    handler(mockEvent, mockContext, mockCallback);
+
+    expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
+      policyDocument: expect.objectContaining({
+        Statement: expect.arrayContaining([
+          expect.objectContaining({
+            Effect: 'Deny',
+          }),
+        ]),
+      }),
+    }));
+  });
+
+  it('Should handle null headers gracefully', () => {
+    mockEvent.headers = null;
+
+    handler(mockEvent, mockContext, mockCallback);
+
+    expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
+      policyDocument: expect.objectContaining({
+        Statement: expect.arrayContaining([
+          expect.objectContaining({
+            Effect: 'Deny',
+          }),
+        ]),
+      }),
+    }));
+  });
+
+  it('Should handle defined headers correctly', () => {
+    mockEvent.headers = { HeaderAuth1: 'headerValue1' };
+
+    handler(mockEvent, mockContext, mockCallback);
+
+    expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
+      policyDocument: expect.objectContaining({
+        Statement: expect.arrayContaining([
+          expect.objectContaining({
+            Effect: 'Allow',
+          }),
+        ]),
+      }),
+    }));
+  });
+});

lambdas/authorizer/src/index.ts

@@ -20,12 +20,7 @@ export const handler = (
 ): void => {
   console.log('Received event:', JSON.stringify(event, null, 2));
 
-  // Retrieve request parameters from the Lambda function input:
   const headers = event.headers || {};
-  const pathParameters = event.pathParameters || {};
-  const stageVariables = event.stageVariables || {};
-
-  // Parse the input for the parameter values
   const tmp = event.methodArn.split(':');
   const apiGatewayArnTmp = tmp[5].split('/');
   const awsAccountId = tmp[4];
@@ -34,15 +29,15 @@ export const handler = (
   const stage = apiGatewayArnTmp[1];
   const method = apiGatewayArnTmp[2];
   let resource = '/'; // root resource
+
   if (apiGatewayArnTmp[3]) {
     resource += apiGatewayArnTmp[3];
   }
 
   // Perform authorization to return the Allow policy for correct parameters and
   // the 'Unauthorized' error, otherwise.
   if (
-    headers['HeaderAuth1'] === 'headerValue1' &&
-    stageVariables['StageVar1'] === 'stageValue1'
+    headers['HeaderAuth1'] === 'headerValue1'
   ) {
     callback(null, generateAllow('me', event.methodArn));
   } else {