CCM-11600: header references, format, name consistency

Author: masl2

infrastructure/terraform/components/api/module_authorizer_lambda.tf

@@ -38,7 +38,7 @@ module "authorizer_lambda" {
   lambda_env_vars = {
     CLOUDWATCH_NAMESPACE                     = "/aws/api-gateway/supplier/alarms",
     CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS = 14,
-    APIM_APPLICATION_ID_HEADER               = "NHSD-Supplier-ID",
+    APIM_SUPPLIER_ID_HEADER               = "NHSD-Supplier-ID",
     SUPPLIERS_TABLE_NAME                     = aws_dynamodb_table.suppliers.name
   }
 }

infrastructure/terraform/components/api/resources/spec.tmpl.json

@@ -3,7 +3,7 @@
     "securitySchemes": {
       "LambdaAuthorizer": {
         "in": "header",
-        "name": "apim-application-id",
+        "name": "NHSD-Supplier-ID",
         "type": "apiKey",
         "x-amazon-apigateway-authorizer": {
           "authorizerCredentials": "${APIG_EXECUTION_ROLE_ARN}",

lambdas/authorizer/src/__tests__/index.test.ts

@@ -9,7 +9,7 @@ const mockedDeps: jest.Mocked<Deps> = {
     env: {
       CLOUDWATCH_NAMESPACE: 'cloudwatch-namespace',
       CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS: 14,
-      APIM_APPLICATION_ID_HEADER: 'apim-application-id'
+      APIM_SUPPLIER_ID_HEADER: 'NHSD-Supplier-ID'
     } as unknown as EnvVars,
     supplierRepo: {
       getSupplierByApimId: jest.fn(),
@@ -121,7 +121,7 @@ describe('Authorizer Lambda Function', () => {
       }));
     });
 
-    it('Should deny the request when the APIM application ID header is absent', async () => {
+    it('Should deny the request when the Supplier ID header is absent', async () => {
       mockEvent.headers = {'x-apim-correlation-id': 'correlation-id'};
 
       const handler = createAuthorizerHandler(mockedDeps);
@@ -140,7 +140,7 @@ describe('Authorizer Lambda Function', () => {
     });
 
     it('Should deny the request when no supplier ID is found', async () => {
-      mockEvent.headers = { 'apim-application-id': 'unknown-apim-id' };
+      mockEvent.headers = { 'NHSD-Supplier-ID': 'unknown-apim-id' };
       (mockedDeps.supplierRepo.getSupplierByApimId as jest.Mock).mockRejectedValue(new Error('Supplier not found'));
 
       const handler = createAuthorizerHandler(mockedDeps);
@@ -159,7 +159,7 @@ describe('Authorizer Lambda Function', () => {
     });
 
     it('Should allow the request when the supplier ID is found', async () => {
-      mockEvent.headers = { 'apim-application-id': 'valid-apim-id' };
+      mockEvent.headers = { 'NHSD-Supplier-ID': 'valid-apim-id' };
       (mockedDeps.supplierRepo.getSupplierByApimId as jest.Mock).mockResolvedValue({
         id: 'supplier-123',
         apimApplicationId: 'valid-apim-id',
@@ -184,7 +184,7 @@ describe('Authorizer Lambda Function', () => {
     });
 
     it('Should allow the request when the supplier ID case mismatches', async () => {
-      mockEvent.headers = { 'apim-application-id': 'Valid-Apim-Id' };
+      mockEvent.headers = { 'NHSD-Supplier-ID': 'Valid-Apim-Id' };
       (mockedDeps.supplierRepo.getSupplierByApimId as jest.Mock).mockResolvedValue({
         id: 'supplier-123',
         apimApplicationId: 'valid-apim-id',
@@ -211,7 +211,7 @@ describe('Authorizer Lambda Function', () => {
   });
 
   it('Should deny the request the supplier is disabled', async () => {
-    mockEvent.headers = { 'apim-application-id': 'unknown-apim-id' };
+    mockEvent.headers = { 'NHSD-Supplier-ID': 'unknown-apim-id' };
       (mockedDeps.supplierRepo.getSupplierByApimId as jest.Mock).mockResolvedValue({
         id: 'supplier-123',
         apimApplicationId: 'valid-apim-id',

lambdas/authorizer/src/authorizer.ts

@@ -1,11 +1,13 @@
-import {APIGatewayAuthorizerResult, APIGatewayEventClientCertificate, APIGatewayRequestAuthorizerEvent, APIGatewayRequestAuthorizerEventHeaders, APIGatewayRequestAuthorizerHandler,
-  Callback, Context } from 'aws-lambda';
+import {
+  APIGatewayAuthorizerResult, APIGatewayEventClientCertificate, APIGatewayRequestAuthorizerEvent, APIGatewayRequestAuthorizerEventHeaders, APIGatewayRequestAuthorizerHandler,
+  Callback, Context
+} from 'aws-lambda';
 import { Deps } from './deps';
 import { Supplier } from '@internal/datastore';
 
 export function createAuthorizerHandler(deps: Deps): APIGatewayRequestAuthorizerHandler {
 
-    return  (
+  return (
     event: APIGatewayRequestAuthorizerEvent,
     context: Context,
     callback: Callback<APIGatewayAuthorizerResult>
@@ -29,41 +31,41 @@ export function createAuthorizerHandler(deps: Deps): APIGatewayRequestAuthorizer
 
 async function getSupplier(headers: APIGatewayRequestAuthorizerEventHeaders | null, deps: Deps): Promise<Supplier> {
   const apimId = Object.entries(headers || {})
-    .find(([headerName, _]) => headerName.toLowerCase() === deps.env.APIM_APPLICATION_ID_HEADER.toLowerCase())?.[1] as string;
+    .find(([headerName, _]) => headerName.toLowerCase() === deps.env.APIM_SUPPLIER_ID_HEADER.toLowerCase())?.[1] as string;
 
-  if(!apimId) {
+  if (!apimId) {
     throw new Error('No APIM application ID found in header');
   }
   const supplier = await deps.supplierRepo.getSupplierByApimId(apimId);
   if (supplier.status === 'DISABLED') {
-      throw new Error(`Supplier ${supplier.id} is disabled`);
+    throw new Error(`Supplier ${supplier.id} is disabled`);
   }
   return supplier;
 }
 
 
-  // Helper function to generate an IAM policy
-  function generatePolicy(
-    principalId: string,
-    effect: 'Allow' | 'Deny',
-    resource: string
-  ): APIGatewayAuthorizerResult {
-    // Required output:
-    const authResponse: APIGatewayAuthorizerResult = {
-      principalId,
-      policyDocument: {
-        Version: '2012-10-17',
-        Statement: [
-          {
-            Action: 'execute-api:Invoke',
-            Effect: effect,
-            Resource: resource,
-          },
-        ],
-      },
-    };
-    return authResponse;
-  }
+// Helper function to generate an IAM policy
+function generatePolicy(
+  principalId: string,
+  effect: 'Allow' | 'Deny',
+  resource: string
+): APIGatewayAuthorizerResult {
+  // Required output:
+  const authResponse: APIGatewayAuthorizerResult = {
+    principalId,
+    policyDocument: {
+      Version: '2012-10-17',
+      Statement: [
+        {
+          Action: 'execute-api:Invoke',
+          Effect: effect,
+          Resource: resource,
+        },
+      ],
+    },
+  };
+  return authResponse;
+}
 
 function generateAllow(resource: string, supplierId: string): APIGatewayAuthorizerResult {
   return generatePolicy(supplierId, 'Allow', resource);
@@ -76,7 +78,7 @@ function generateDeny(resource: string): APIGatewayAuthorizerResult {
 function getCertificateExpiryInDays(certificate: APIGatewayEventClientCertificate): number {
   const now = new Date().getTime();
   const expiry = new Date(certificate.validity.notAfter).getTime();
-  return (expiry - now)  / (1000 * 60 * 60 * 24);
+  return (expiry - now) / (1000 * 60 * 60 * 24);
 }
 
 async function checkCertificateExpiry(certificate: APIGatewayEventClientCertificate | null, deps: Deps): Promise<void> {
@@ -117,7 +119,7 @@ async function checkCertificateExpiry(certificate: APIGatewayEventClientCertific
         ],
       },
       'SUBJECT_DN': certificate.subjectDN,
-      'NOT_AFTER':  certificate.validity.notAfter,
+      'NOT_AFTER': certificate.validity.notAfter,
       'apim-client-certificate-near-expiry': 1,
     };
   }

lambdas/authorizer/src/env.ts

@@ -3,7 +3,7 @@ import {z} from 'zod';
 const EnvVarsSchema = z.object({
   SUPPLIERS_TABLE_NAME: z.string(),
   CLOUDWATCH_NAMESPACE: z.string(),
-  APIM_APPLICATION_ID_HEADER: z.string(),
+  APIM_SUPPLIER_ID_HEADER: z.string(),
   CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS: z.coerce.number().int()
 });