CCM-8861: Add SFTP poll

Author: chris-elliott-nhsd

infrastructure/terraform/modules/backend-api/README.md

@@ -44,6 +44,7 @@ No requirements.
 | <a name="module_lambda_enrich_guardduty_scan_result"></a> [lambda\_enrich\_guardduty\_scan\_result](#module\_lambda\_enrich\_guardduty\_scan\_result) | ../lambda-function | n/a |
 | <a name="module_lambda_send_letter_proof"></a> [lambda\_send\_letter\_proof](#module\_lambda\_send\_letter\_proof) | ../lambda-function | n/a |
 | <a name="module_lambda_set_file_virus_scan_status"></a> [lambda\_set\_file\_virus\_scan\_status](#module\_lambda\_set\_file\_virus\_scan\_status) | ../lambda-function | n/a |
+| <a name="module_lambda_sftp_poll"></a> [lambda\_sftp\_poll](#module\_lambda\_sftp\_poll) | ../lambda-function | n/a |
 | <a name="module_list_template_lambda"></a> [list\_template\_lambda](#module\_list\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_s3bucket_internal"></a> [s3bucket\_internal](#module\_s3bucket\_internal) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_s3bucket_quarantine"></a> [s3bucket\_quarantine](#module\_s3bucket\_quarantine) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |

infrastructure/terraform/modules/backend-api/api_gateway_rest_api_main.tf

@@ -4,5 +4,5 @@ resource "aws_api_gateway_rest_api" "main" {
   description                  = "Templates API"
   disable_execute_api_endpoint = false
 
-  binary_media_types = [ "multipart/form-data" ]
+  binary_media_types = ["multipart/form-data"]
 }

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_sftp_poll.tf

@@ -0,0 +1,17 @@
+resource "aws_cloudwatch_event_rule" "sftp_poll" {
+  name                = "${local.csi}-sftp-poll"
+  schedule_expression = "rate(1 hour)" # Runs at the top of every hour
+}
+
+resource "aws_cloudwatch_event_target" "sftp_poll" {
+  rule = aws_cloudwatch_event_rule.sftp_poll.name
+  arn  = module.lambda_sftp_poll.function_arn
+}
+
+resource "aws_lambda_permission" "allow_cloudwatch" {
+  statement_id  = "AllowExecutionFromCloudWatch"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_sftp_poll.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.sftp_poll.arn
+}

infrastructure/terraform/modules/backend-api/guardduty_malware_protection_plan_quarantine.tf

@@ -4,7 +4,7 @@ resource "aws_guardduty_malware_protection_plan" "quarantine" {
   protected_resource {
     s3_bucket {
       bucket_name     = module.s3bucket_quarantine.id
-      object_prefixes = ["pdf-template/", "test-data/"]
+      object_prefixes = ["pdf-template/", "test-data/", "proofs/"]
     }
   }
 

infrastructure/terraform/modules/backend-api/module_build_sftp_letters_lambdas.tf

@@ -5,5 +5,6 @@ module "build_sftp_letters_lambdas" {
 
   entrypoints = [
     "src/send-proof.ts",
+    "src/sftp-poll.ts",
   ]
 }

infrastructure/terraform/modules/backend-api/module_lambda_send_letter_proof.tf

@@ -18,6 +18,7 @@ module "lambda_send_letter_proof" {
     CREDENTIALS_TTL_SECONDS = 900
     CSI                     = local.csi
     ENVIRONMENT             = var.environment
+    QUARANTINE_BUCKET_NAME  = module.s3bucket_quarantine.id
     INTERNAL_BUCKET_NAME    = module.s3bucket_internal.id
     NODE_OPTIONS            = "--enable-source-maps",
     REGION                  = var.region

infrastructure/terraform/modules/backend-api/module_lambda_sftp_poll.tf

@@ -0,0 +1,86 @@
+module "lambda_sftp_poll" {
+  source      = "../lambda-function"
+  description = "Lambda to poll the SFTP suppliers and "
+
+  function_name    = "${local.csi}-sftp-poll"
+  filename         = module.build_sftp_letters_lambdas.zips["src/sftp-poll.ts"].path
+  source_code_hash = module.build_sftp_letters_lambdas.zips["src/sftp-poll.ts"].base64sha256
+  handler          = "sftp-poll.handler"
+
+  log_retention_in_days = var.log_retention_in_days
+
+  execution_role_policy_document = data.aws_iam_policy_document.sftp_poll.json
+
+  environment_variables = {
+    CREDENTIALS_TTL_MS      = 900 * 1000
+    CSI                     = local.csi
+    DEFAULT_LETTER_SUPPLIER = local.default_letter_supplier.name
+    ENVIRONMENT             = var.environment
+    QUARANTINE_BUCKET_NAME  = module.s3bucket_quarantine.id
+    INTERNAL_BUCKET_NAME    = module.s3bucket_internal.id
+    NODE_OPTIONS            = "--enable-source-maps",
+    REGION                  = var.region
+    SEND_LOCK_TTL_MS        = 50 * 1000 // visibility timeout 60s
+    SFTP_ENVIRONMENT        = local.sftp_environment
+    TEMPLATES_TABLE_NAME    = aws_dynamodb_table.templates.name
+  }
+
+  timeout = 20
+}
+
+data "aws_iam_policy_document" "sftp_poll" {
+  statement {
+    sid    = "AllowDynamoAccess"
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:UpdateItem",
+    ]
+
+    resources = [
+      aws_dynamodb_table.templates.arn,
+    ]
+  }
+
+  statement {
+    sid    = "AllowS3"
+    effect = "Allow"
+
+    actions = [
+      "s3:PutObject",
+      "s3:ListBucket",
+    ]
+
+    resources = [module.s3bucket_quarantine.arn, "${module.s3bucket_quarantine.arn}/*"]
+  }
+
+  statement {
+    sid    = "AllowSSMParameterRead"
+    effect = "Allow"
+    actions = [
+      "ssm:GetParameter",
+      "ssm:GetParametersByPath",
+    ]
+    resources = [
+      "arn:aws:ssm:${var.region}:${var.aws_account_id}:parameter/${local.csi}/sftp-config/*",
+      "arn:aws:ssm:${var.region}:${var.aws_account_id}:parameter/${local.csi}/sftp-config",
+    ]
+  }
+
+  statement {
+    sid    = "AllowKMSDynamoAccess"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:DescribeKey",
+      "kms:Encrypt",
+      "kms:GenerateDataKey*",
+      "kms:ReEncrypt*",
+    ]
+
+    resources = [
+      var.kms_key_arn
+    ]
+  }
+}

infrastructure/terraform/modules/lambda-function/README.md

@@ -31,6 +31,7 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_function_arn"></a> [function\_arn](#output\_function\_arn) | n/a |
+| <a name="output_function_name"></a> [function\_name](#output\_function\_name) | n/a |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->

infrastructure/terraform/modules/lambda-function/outputs.tf

@@ -1,3 +1,6 @@
 output "function_arn" {
   value = aws_lambda_function.main.arn
 }
+output "function_name" {
+  value = aws_lambda_function.main.function_name
+}

lambdas/sftp-letters/src/__tests__/app/poll.test.ts

@@ -0,0 +1,145 @@
+import type { FileInfo } from 'ssh2-sftp-client';
+import { mockDeep } from 'jest-mock-extended';
+import { App } from '../../app/poll';
+import { SftpSupplierClientRepository } from '../../infra/sftp-supplier-client-repository';
+import { SftpClient } from '../../infra/sftp-client';
+import { Logger } from 'nhs-notify-web-template-management-utils/logger';
+import { S3Repository } from 'nhs-notify-web-template-management-utils';
+
+const mockPdfBuffer = Buffer.from([0x25, 0x50, 0x44, 0x46]);
+const mockMalformedPdfBuffer = Buffer.from([]);
+const downloadError = new Error('Download error');
+
+const directoryType: FileInfo['type'] = 'd';
+const fileType: FileInfo['type'] = '-';
+
+test('polls SFTP clients', async () => {
+  const sftpClient = mockDeep<SftpClient>({
+    exists: async (path: string) => {
+      const existsMappings: Record<string, FileInfo['type']> = {
+        'download-dir/sftp-environment/proofs': directoryType,
+        'download-dir/sftp-environment/proofs/template-1-folder': directoryType,
+      };
+
+      return existsMappings[path] ?? false;
+    },
+    get: async (path: string) => {
+      if (
+        path ===
+        'download-dir/sftp-environment/proofs/template-1-folder/download-error.pdf'
+      ) {
+        throw downloadError;
+      }
+
+      const buffer = {
+        'download-dir/sftp-environment/proofs/template-3.pdf': mockPdfBuffer,
+        'download-dir/sftp-environment/proofs/template-1-folder/template-1.pdf':
+          mockPdfBuffer,
+        'download-dir/sftp-environment/proofs/template-1-folder/template-2.pdf':
+          mockPdfBuffer,
+        'download-dir/sftp-environment/proofs/template-1-folder/invalid-file.pdf':
+          mockMalformedPdfBuffer,
+      }[path];
+
+      if (!buffer) {
+        throw new Error('File not found');
+      }
+
+      return buffer;
+    },
+    list: async (path: string) =>
+      ({
+        'download-dir/sftp-environment/proofs': [
+          {
+            name: 'template-1-folder',
+            type: directoryType,
+            modifyTime: Date.now(),
+          },
+          {
+            name: 'template-3.pdf',
+            type: fileType,
+            modifyTime: Date.now(),
+          },
+          {
+            name: 'folder-does-not-exist',
+            type: directoryType,
+            modifyTime: Date.now(),
+          },
+        ],
+        'download-dir/sftp-environment/proofs/template-1-folder': [
+          {
+            name: 'template-1.pdf',
+            type: fileType,
+            modifyTime: Date.now(),
+          },
+          {
+            name: 'template-2.pdf',
+            type: fileType,
+            modifyTime: Date.now(),
+          },
+          {
+            name: 'invalid-file.pdf',
+            type: fileType,
+            modifyTime: Date.now(),
+          },
+          {
+            name: 'download-error.pdf',
+            type: fileType,
+            modifyTime: Date.now(),
+          },
+        ],
+      })[path] ?? [],
+  });
+
+  const sftpSupplierClientRepository = mockDeep<SftpSupplierClientRepository>({
+    listClients: async () => [
+      {
+        sftpClient,
+        baseUploadDir: 'upload-dir',
+        baseDownloadDir: 'download-dir',
+        name: 'supplier',
+      },
+    ],
+  });
+
+  const mockLogger = mockDeep<Logger>();
+  const s3Repository = mockDeep<S3Repository>();
+
+  const app = new App(
+    sftpSupplierClientRepository,
+    mockLogger,
+    s3Repository,
+    'sftp-environment'
+  );
+
+  await app.poll();
+
+  expect(s3Repository.putRawData).toHaveBeenCalledTimes(3);
+  expect(s3Repository.putRawData).toHaveBeenCalledWith(
+    mockPdfBuffer,
+    'proofs/template-1-folder/template-1.pdf'
+  );
+  expect(s3Repository.putRawData).toHaveBeenCalledWith(
+    mockPdfBuffer,
+    'proofs/template-1-folder/template-2.pdf'
+  );
+  expect(s3Repository.putRawData).toHaveBeenCalledWith(
+    mockPdfBuffer,
+    'proofs/template-3.pdf'
+  );
+
+  expect(mockLogger.error).toHaveBeenCalledWith('PDF file failed validation', {
+    copyPath:
+      'download-dir/sftp-environment/proofs/template-1-folder/invalid-file.pdf',
+    pastePath: 'proofs/template-1-folder/invalid-file.pdf',
+  });
+  expect(mockLogger.error).toHaveBeenCalledWith('Failed to copy file', {
+    copyPath:
+      'download-dir/sftp-environment/proofs/template-1-folder/download-error.pdf',
+    pastePath: 'proofs/template-1-folder/download-error.pdf',
+    error: downloadError,
+  });
+
+  expect(sftpClient.connect).toHaveBeenCalledTimes(1);
+  expect(sftpClient.end).toHaveBeenCalledTimes(1);
+});