CCM-11171 Implement mTLS on proxy

* CCM-11171 Implement mTLS on proxy

* Remove getting certs

* CCM-11171: simplify the authorizer lambda

* CCM-11171: auth lambda to use supplier-id header

---------

Co-authored-by: mark.slowey1 <[email protected]>

Author: nhsd-david-wass

.github/actions/build-proxies/action.yml

@@ -19,6 +19,7 @@ runs:
       run: npm ci
       shell: bash
 
+
     - name: Setup Proxy Name and target
       shell: bash
       run: |
@@ -28,10 +29,13 @@ runs:
           echo "INSTANCE=$PROXYGEN_API_NAME" >> $GITHUB_ENV
           echo "TARGET=https://suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
           echo "SANDBOX_TAG=latest" >> $GITHUB_ENV
+          echo "MTLS_NAME=notify-supplier-mtls" >> $GITHUB_ENV
         else
           echo "TARGET=https://pr$PR_NUMBER.suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
           echo "INSTANCE=$PROXYGEN_API_NAME-PR-$PR_NUMBER" >> $GITHUB_ENV
           echo "SANDBOX_TAG=pr$PR_NUMBER" >> $GITHUB_ENV
+          echo "MTLS_NAME=notify-supplier-mtls-pr$PR_NUMBER" >> $GITHUB_ENV
+
         fi
 
 
@@ -50,22 +54,23 @@ runs:
         envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml
         envsubst < ./.github/proxygen-settings.yaml | cat
 
+
     - name: Build internal dev oas
       working-directory: .
       shell: bash
       run: |
         if [ -z $PR_NUMBER ]
         then
-          make build-json-oas-spec APIM_ENV=dev
+          make build-json-oas-spec APIM_ENV=internal-dev
         else
-          make build-json-oas-spec APIM_ENV=dev-pr
+          make build-json-oas-spec APIM_ENV=internal-dev-pr
         fi
 
-    - name: Set target
+    - name: Set target and cert
       shell: bash
       run: |
         jq --arg newurl "$TARGET" '.["x-nhsd-apim"].target.url = $newurl' build/notify-supplier.json > build/notify-supplier_target.json && mv build/notify-supplier_target.json build/notify-supplier.json
-
+        jq --arg newmtls "$MTLS_NAME" '.["x-nhsd-apim"].target.security.secret = $newmtls' build/notify-supplier.json > build/notify-supplier_target.json && mv build/notify-supplier_target.json build/notify-supplier.json
 
     - name: Deploy to Internal Dev
       shell: bash

.github/workflows/stage-3-build.yaml

@@ -36,6 +36,9 @@ on:
         required: false
         type: string
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
 jobs:
   artefact-jekyll-docs:
     name: "Build Docs"

.gitignore

@@ -25,6 +25,3 @@ dist
 .reports
 /sandbox/*.log
 /sandbox-staging
-/specification/components/x-nhsd-apim/access.yml
-/specification/components/x-nhsd-apim/target.yml
-/specification/components/security/security.yml

infrastructure/terraform/components/api/resources/spec.tmpl.json

@@ -3,13 +3,13 @@
     "securitySchemes": {
       "LambdaAuthorizer": {
         "in": "header",
-        "name": "Authorization",
+        "name": "NHSD-Supplier-ID",
         "type": "apiKey",
         "x-amazon-apigateway-authorizer": {
           "authorizerCredentials": "${APIG_EXECUTION_ROLE_ARN}",
           "authorizerResultTtlInSeconds": 0,
           "authorizerUri": "arn:aws:apigateway:${AWS_REGION}:lambda:path/2015-03-31/functions/${AUTHORIZER_LAMBDA_ARN}/invocations",
-          "identitySource": "method.request.header.Authorization",
+          "identitySource": "method.request.header.NHSD-Supplier-ID",
           "type": "request"
         },
         "x-amazon-apigateway-authtype": "custom"

lambdas/authorizer/src/__tests__/index.test.ts

@@ -1,5 +1,5 @@
+import { APIGatewayRequestAuthorizerEvent, Callback, Context } from 'aws-lambda';
 import { handler } from '../index';
-import { APIGatewayRequestAuthorizerEvent, Context, Callback } from 'aws-lambda';
 
 describe('Authorizer Lambda Function', () => {
   let mockEvent: APIGatewayRequestAuthorizerEvent;
@@ -81,4 +81,24 @@ describe('Authorizer Lambda Function', () => {
       }),
     }));
   });
+
+  it('Should handle additional headers correctly', () => {
+    mockEvent.headers = {
+      headerauth1: 'headervalue1' ,
+      otherheader1: 'headervalue2',
+      otherheader2: 'headervalue3'
+    };
+
+    handler(mockEvent, mockContext, mockCallback);
+
+    expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
+      policyDocument: expect.objectContaining({
+        Statement: expect.arrayContaining([
+          expect.objectContaining({
+            Effect: 'Allow',
+          }),
+        ]),
+      }),
+    }));
+  });
 });

lambdas/authorizer/src/index.ts

@@ -11,36 +11,28 @@
 
 // See https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html for the original JS documentation
 
-import { APIGatewayRequestAuthorizerEvent, Context, Callback, APIGatewayAuthorizerResult } from 'aws-lambda';
+import { APIGatewayAuthorizerResult, APIGatewayRequestAuthorizerEvent, Callback, Context } from 'aws-lambda';
+import pino from 'pino';
 
 export const handler = (
   event: APIGatewayRequestAuthorizerEvent,
   context: Context,
-  callback: Callback<APIGatewayAuthorizerResult>
+  callback: Callback<APIGatewayAuthorizerResult>,
+  log = pino()
 ): void => {
-  console.log('Received event:', JSON.stringify(event, null, 2));
+  log.info(event, 'Received event');
 
   const headers = event.headers || {};
-  const tmp = event.methodArn.split(':');
-  const apiGatewayArnTmp = tmp[5].split('/');
-  const awsAccountId = tmp[4];
-  const region = tmp[3];
-  const restApiId = apiGatewayArnTmp[0];
-  const stage = apiGatewayArnTmp[1];
-  const method = apiGatewayArnTmp[2];
-  let resource = '/'; // root resource
-
-  if (apiGatewayArnTmp[3]) {
-    resource += apiGatewayArnTmp[3];
-  }
 
   // Perform authorization to return the Allow policy for correct parameters and
   // the 'Unauthorized' error, otherwise.
   if (
     headers['headerauth1'] === 'headervalue1'
   ) {
+    log.info('Allow event');
     callback(null, generateAllow('me', event.methodArn));
   } else {
+    log.info('Deny event');
     callback(null, generateDeny('me', event.methodArn));
   }
 };

…/components/security/security-dev-pr.yml …ts/security/security-internal-dev-pr.ymlspecification/api/components/security/security-dev-pr.yml renamed to specification/api/components/security/security-internal-dev-pr.yml specification/api/components/security/security-dev-pr.yml renamed to specification/api/components/security/security-internal-dev-pr.yml

@@ -1 +1 @@
-$ref: security-dev-pr.yml
+$ref: security-sandbox.yml