send emails on sensitive actions

devksingh4 · devksingh4 · commit 16f16779ee57 · 2025-06-23T21:17:15.000-04:00
diff --git a/src/api/functions/entraId.ts b/src/api/functions/entraId.ts
@@ -21,6 +21,7 @@ import { ConfidentialClientApplication } from "@azure/msal-node";
 import { getItemFromCache, insertItemIntoCache } from "./cache.js";
 import {
   EntraGroupActions,
+  EntraGroupMetadata,
   EntraInvitationResponse,
   ProfilePatchRequest,
 } from "../../common/types/iam.js";
@@ -553,3 +554,54 @@ export async function listGroupIDsByEmail(
     });
   }
 }
+
+/**
+ * Retrieves metadata for a specific Entra ID group.
+ * @param token - Entra ID token authorized to take this action.
+ * @param groupId - The group ID to fetch metadata for.
+ * @throws {EntraGroupError} If fetching the group metadata fails.
+ * @returns {Promise<EntraGroupMetadata>} The group's metadata.
+ */
+export async function getGroupMetadata(
+  token: string,
+  groupId: string,
+): Promise<EntraGroupMetadata> {
+  if (!validateGroupId(groupId)) {
+    throw new EntraGroupError({
+      message: "Invalid group ID format",
+      group: groupId,
+    });
+  }
+  try {
+    const url = `https://graph.microsoft.com/v1.0/groups/${groupId}?$select=id,displayName,mail,description`;
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+      },
+    });
+
+    if (!response.ok) {
+      const errorData = (await response.json()) as {
+        error?: { message?: string };
+      };
+      throw new EntraGroupError({
+        message: errorData?.error?.message ?? response.statusText,
+        group: groupId,
+      });
+    }
+
+    const data = (await response.json()) as EntraGroupMetadata;
+    return data;
+  } catch (error) {
+    if (error instanceof EntraGroupError) {
+      throw error;
+    }
+
+    throw new EntraGroupError({
+      message: error instanceof Error ? error.message : String(error),
+      group: groupId,
+    });
+  }
+}
diff --git a/src/api/routes/apiKey.ts b/src/api/routes/apiKey.ts
@@ -22,6 +22,8 @@ import {
   ValidationError,
 } from "common/errors/index.js";
 import { z } from "zod";
+import { AvailableSQSFunctions, SQSPayload } from "common/types/sqsMessage.js";
+import { SendMessageCommand, SQSClient } from "@aws-sdk/client-sqs";
 
 const apiKeyRoute: FastifyPluginAsync = async (fastify, _options) => {
   await fastify.register(rateLimiter, {
@@ -86,6 +88,47 @@ const apiKeyRoute: FastifyPluginAsync = async (fastify, _options) => {
           message: "Could not create API key.",
         });
       }
+      request.log.debug("Constructing SQS payload to send email notification.");
+      const sqsPayload: SQSPayload<AvailableSQSFunctions.EmailNotifications> = {
+        function: AvailableSQSFunctions.EmailNotifications,
+        metadata: {
+          initiator: request.username!,
+          reqId: request.id,
+        },
+        payload: {
+          to: [request.username!],
+          subject: "Important: ACM @ UIUC API Key Created",
+          content: `
+This email confirms that an API key for the ACM @ UIUC API has been generated from your account.
+
+Key ID: acmuiuc_${keyId}
+
+IP address: ${request.ip}.
+
+Roles: ${roles.join(", ")}.
+
+If you did not create this API key, please secure your account and notify the ACM Infrastructure team.
+          `,
+          callToActionButton: {
+            name: "View API Keys",
+            url: `${fastify.environmentConfig.UserFacingUrl}/apiKeys`,
+          },
+        },
+      };
+      if (!fastify.sqsClient) {
+        fastify.sqsClient = new SQSClient({
+          region: genericConfig.AwsRegion,
+        });
+      }
+      const result = await fastify.sqsClient.send(
+        new SendMessageCommand({
+          QueueUrl: fastify.environmentConfig.SqsQueueUrl,
+          MessageBody: JSON.stringify(sqsPayload),
+        }),
+      );
+      if (result.MessageId) {
+        request.log.info(`Queued notification with ID ${result.MessageId}.`);
+      }
       return reply.status(201).send({
         apiKey,
         expiresAt,
@@ -149,6 +192,45 @@ const apiKeyRoute: FastifyPluginAsync = async (fastify, _options) => {
           message: "Could not delete API key.",
         });
       }
+      request.log.debug("Constructing SQS payload to send email notification.");
+      const sqsPayload: SQSPayload<AvailableSQSFunctions.EmailNotifications> = {
+        function: AvailableSQSFunctions.EmailNotifications,
+        metadata: {
+          initiator: request.username!,
+          reqId: request.id,
+        },
+        payload: {
+          to: [request.username!],
+          subject: "Important: ACM @ UIUC API Key Deleted",
+          content: `
+This email confirms that an API key for the ACM @ UIUC API has been deleted from your account.
+
+Key ID: acmuiuc_${keyId}
+
+IP address: ${request.ip}.
+
+If you did not delete this API key, please secure your account and notify the ACM Infrastructure team.
+          `,
+          callToActionButton: {
+            name: "View API Keys",
+            url: `${fastify.environmentConfig.UserFacingUrl}/apiKeys`,
+          },
+        },
+      };
+      if (!fastify.sqsClient) {
+        fastify.sqsClient = new SQSClient({
+          region: genericConfig.AwsRegion,
+        });
+      }
+      const result = await fastify.sqsClient.send(
+        new SendMessageCommand({
+          QueueUrl: fastify.environmentConfig.SqsQueueUrl,
+          MessageBody: JSON.stringify(sqsPayload),
+        }),
+      );
+      if (result.MessageId) {
+        request.log.info(`Queued notification with ID ${result.MessageId}.`);
+      }
       return reply.status(204).send();
     },
   );
diff --git a/src/api/routes/iam.ts b/src/api/routes/iam.ts
@@ -3,6 +3,7 @@ import { AppRoles } from "../../common/roles.js";
 import {
   addToTenant,
   getEntraIdToken,
+  getGroupMetadata,
   listGroupMembers,
   modifyGroup,
   patchUserProfile,
@@ -39,6 +40,9 @@ import { Modules } from "common/modules.js";
 import { groupId, withRoles, withTags } from "api/components/index.js";
 import { FastifyZodOpenApiTypeProvider } from "fastify-zod-openapi";
 import { z } from "zod";
+import { AvailableSQSFunctions, SQSPayload } from "common/types/sqsMessage.js";
+import { SendMessageBatchCommand, SQSClient } from "@aws-sdk/client-sqs";
+import { v4 as uuidv4 } from "uuid";
 
 const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
   const getAuthorizedClients = async () => {
@@ -305,6 +309,7 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
         await getAuthorizedClients(),
         fastify.environmentConfig.AadValidClientId,
       );
+      const groupMetadataPromise = getGroupMetadata(entraIdToken, groupId);
       const addResults = await Promise.allSettled(
         request.body.add.map((email) =>
           modifyGroup(
@@ -327,15 +332,19 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
           ),
         ),
       );
+      const groupMetadata = await groupMetadataPromise;
       const response: Record<string, Record<string, string>[]> = {
         success: [],
         failure: [],
       };
       const logPromises = [];
+      const addedEmails = [];
+      const removedEmails = [];
       for (let i = 0; i < addResults.length; i++) {
         const result = addResults[i];
         if (result.status === "fulfilled") {
           response.success.push({ email: request.body.add[i] });
+          addedEmails.push(request.body.add[i]);
           logPromises.push(
             createAuditLogEntry({
               dynamoClient: fastify.dynamoClient,
@@ -378,6 +387,7 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
         const result = removeResults[i];
         if (result.status === "fulfilled") {
           response.success.push({ email: request.body.remove[i] });
+          removedEmails.push(request.body.remove[i]);
           logPromises.push(
             createAuditLogEntry({
               dynamoClient: fastify.dynamoClient,
@@ -416,6 +426,81 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
           }
         }
       }
+      const sqsAddedPayloads = addedEmails.map((x) => {
+        return {
+          function: AvailableSQSFunctions.EmailNotifications,
+          metadata: {
+            initiator: request.username!,
+            reqId: request.id,
+          },
+          payload: {
+            to: [x],
+            subject: "You have been added to an access group",
+            content: `
+Hello,
+
+We're letting you know that you have been added to the "${groupMetadata.displayName}" access group by ${request.username}. Changes may take up to 2 hours to reflect in all systems.
+
+No action is required from you at this time.
+          `,
+          },
+        };
+      });
+      const sqsRemovedPayloads = removedEmails.map((x) => {
+        return {
+          function: AvailableSQSFunctions.EmailNotifications,
+          metadata: {
+            initiator: request.username!,
+            reqId: request.id,
+          },
+          payload: {
+            to: [x],
+            subject: "You have been removed from an access group",
+            content: `
+Hello,
+
+We're letting you know that you have been removed from the "${groupMetadata.displayName}" access group by ${request.username}.
+
+No action is required from you at this time.
+          `,
+          },
+        };
+      });
+      if (!fastify.sqsClient) {
+        fastify.sqsClient = new SQSClient({
+          region: genericConfig.AwsRegion,
+        });
+      }
+      if (sqsAddedPayloads.length > 0) {
+        request.log.debug("Sending added emails");
+        const addedQueued = await fastify.sqsClient.send(
+          new SendMessageBatchCommand({
+            QueueUrl: fastify.environmentConfig.SqsQueueUrl,
+            Entries: sqsAddedPayloads.map((x) => ({
+              Id: uuidv4(),
+              MessageBody: JSON.stringify(x),
+            })),
+          }),
+        );
+        request.log.info(
+          `Sent added emails, queue ID ${addedQueued.$metadata.requestId}`,
+        );
+      }
+      if (sqsRemovedPayloads.length > 0) {
+        request.log.debug("Sending removed emails");
+        const removedQueued = await fastify.sqsClient.send(
+          new SendMessageBatchCommand({
+            QueueUrl: fastify.environmentConfig.SqsQueueUrl,
+            Entries: sqsRemovedPayloads.map((x) => ({
+              Id: uuidv4(),
+              MessageBody: JSON.stringify(x),
+            })),
+          }),
+        );
+        request.log.info(
+          `Sent removed emails, queue ID ${removedQueued.$metadata.requestId}`,
+        );
+      }
       await Promise.allSettled(logPromises);
       reply.status(202).send(response);
     },
diff --git a/src/common/types/iam.ts b/src/common/types/iam.ts
@@ -6,6 +6,13 @@ export enum EntraGroupActions {
   REMOVE,
 }
 
+export interface EntraGroupMetadata {
+  id: string;
+  displayName: string;
+  mail: string | null;
+  description: string | null;
+}
+
 export interface EntraInvitationResponse {
   status: number;
   data?: Record<string, string>;
