Laitettu Lampi-lambdan autentikaatio päälle

cdk/lambda/lampi/LampiFileChangedReceiver.ts

@@ -1,20 +1,51 @@
+/* eslint @typescript-eslint/no-var-requires: "off" */
 import { SendMessageCommand, SQSClient } from '@aws-sdk/client-sqs';
 import { APIGatewayProxyEventV2 } from 'aws-lambda';
 import { Context } from 'aws-lambda/handler';
 
 import { LampiEvent, LampiS3Event, lampiKeyExists } from './common';
 
+const { SSMClient, GetParameterCommand } = require('@aws-sdk/client-ssm');
+
 exports.handler = async (event: APIGatewayProxyEventV2, context: Context) => {
+  const awsRegion = process.env.AWS_REGION;
+  console.log(`AWS Region: ${awsRegion}`);
+
+  const lampiAuthTokenSecretName = process.env.lampiAuthTokenSecretName;
+  console.log(`lampiAuthTokenSecretName: ${lampiAuthTokenSecretName}`);
+
+  const parameterCommand = new GetParameterCommand({
+    Name: lampiAuthTokenSecretName,
+    WithDecryption: true,
+  });
+
+  const ssmClient = new SSMClient({ region: awsRegion });
+  const ssmResponse = await ssmClient.send(parameterCommand);
+
+  const lampiAuthToken = ssmResponse.Parameter.Value;
+  console.log(`lampiAuthToken: ${lampiAuthToken}`);
+
   console.log(JSON.stringify(event, null, 4));
+
   if (!event?.body) {
     console.error('Viestissä ei ollut bodya tai viesti oli tyhjä');
     return {
       statusCode: 500,
     };
   }
+
   const lampiEvent: LampiEvent = JSON.parse(event.body);
+
+  if (lampiEvent.token !== lampiAuthToken) {
+    console.error('Autentikaatio epäonnistui!');
+    return {
+      statusCode: 401,
+    };
+  }
+
   const lampiS3Event: LampiS3Event = lampiEvent.s3;
   const lampiKey = lampiS3Event.object.key;
+
   if (lampiKeyExists(lampiKey)) {
     console.log(
       `Uusi tunnistettu tiedosto saapunut Lampeen (${lampiKey}). Lähetetään tiedosto ladattavaksi.`
@@ -31,6 +62,7 @@ exports.handler = async (event: APIGatewayProxyEventV2, context: Context) => {
   } else {
     console.log(`Tuntematon tiedosto: ${lampiKey}`);
   }
+
   return {
     statusCode: 200,
   };

cdk/lib/lambda-stack.ts

@@ -434,6 +434,8 @@ export class LambdaStack extends cdk.Stack {
       }
     );
 
+    const lampiAuthTokenSecretName = `/${config.environment}/lambda/lampi-auth-token`;
+
     const lampiTiedostoMuuttunutLambda = new lambdaNodejs.NodejsFunction(
       this,
       lampiTiedostoMuuttunutLambdaName,
@@ -451,6 +453,7 @@ export class LambdaStack extends cdk.Stack {
         environment: {
           environment: config.environment,
           lampiSiirtotiedostoQueueUrl: lampiSiirtotiedostoQueue.queueUrl,
+          lampiAuthTokenSecretName: lampiAuthTokenSecretName,
         },
         bundling: {
           commandHooks: {
@@ -470,6 +473,23 @@ export class LambdaStack extends cdk.Stack {
       })
     );
 
+    /*
+    const lampiAuthTokenParam = ssm.StringParameter.fromStringParameterName(
+      this,
+      'LampiAuthTokenParam',
+      lampiAuthTokenSecretName,
+    );
+    */
+
+    const lampiAuthTokenParam = ssm.StringParameter.fromSecureStringParameterAttributes(
+      this,
+      'LampiAuthTokenParam',
+      {
+        parameterName: lampiAuthTokenSecretName,
+      }
+    );
+    lampiAuthTokenParam.grantRead(lampiTiedostoMuuttunutLambda);
+
     const lampiTiedostoMuuttunutLambdaUrl = lampiTiedostoMuuttunutLambda.addFunctionUrl({
       authType: lambda.FunctionUrlAuthType.NONE,
     });