@digitraffic/common 2022.10.25-1 → 2022.10.31-1

package/src/aws/infra/canaries/url-canary.ts

@@ -0,0 +1,74 @@
+import { Construct } from "constructs";
+import { CanaryParameters } from "./canary-parameters";
+import { Role } from "aws-cdk-lib/aws-iam";
+import { DigitrafficCanary } from "./canary";
+import { ISecret } from "aws-cdk-lib/aws-secretsmanager";
+import { DigitrafficStack } from "../stack/stack";
+import { LambdaEnvironment } from "../stack/lambda-configs";
+import { DigitrafficRestApi } from "../stack/rest_apis";
+import { ENV_API_KEY, ENV_HOSTNAME, ENV_SECRET } from "./canary-keys";
+
+export interface UrlCanaryParameters extends CanaryParameters {
+    readonly hostname: string;
+    readonly apiKeyId?: string;
+}
+
+export class UrlCanary extends DigitrafficCanary {
+    constructor(
+        stack: Construct,
+        role: Role,
+        params: UrlCanaryParameters,
+        secret?: ISecret
+    ) {
+        const canaryName = `${params.name}-url`;
+        const environmentVariables: LambdaEnvironment = {};
+        environmentVariables[ENV_HOSTNAME] = params.hostname;
+
+        if (params.secret) {
+            environmentVariables[ENV_SECRET] = params.secret;
+        }
+
+        if (params.apiKeyId) {
+            environmentVariables[ENV_API_KEY] = params.apiKeyId;
+        }
+
+        if (secret) {
+            secret.grantRead(role);
+        }
+
+        // the handler code is defined at the actual project using this
+        super(stack, canaryName, role, params, environmentVariables);
+    }
+
+    static create(
+        stack: DigitrafficStack,
+        role: Role,
+        publicApi: DigitrafficRestApi,
+        params: Partial<UrlCanaryParameters>
+    ): UrlCanary {
+        return new UrlCanary(stack, role, {
+            ...{
+                handler: `${params.name}.handler`,
+                hostname: publicApi.hostname(),
+                apiKeyId: this.getApiKey(publicApi),
+            },
+            ...params,
+        } as UrlCanaryParameters);
+    }
+
+    static getApiKey(publicApi: DigitrafficRestApi): string | undefined {
+        const apiKeys = publicApi.apiKeyIds;
+
+        if (apiKeys.length > 1) {
+            console.info("rest api has more than one api key");
+        }
+
+        if (apiKeys.length === 0) {
+            console.info("rest api has no api keys");
+            return undefined;
+        }
+
+        // always use first api key
+        return publicApi.apiKeyIds[0];
+    }
+}

package/src/aws/infra/canaries/url-checker.ts

@@ -0,0 +1,366 @@
+import { IncomingMessage, RequestOptions } from "http";
+import { Asserter } from "../../../test/asserter";
+
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const synthetics = require("Synthetics");
+import zlib = require("zlib");
+import { MediaType } from "../../types/mediatypes";
+import { getApiKeyFromAPIGateway } from "../../runtime/apikey";
+import { FeatureCollection } from "geojson";
+import { isValidGeoJson } from "../../../utils/geometry";
+import { getEnvVariable } from "../../../utils/utils";
+import { ENV_API_KEY, ENV_HOSTNAME } from "./canary-keys";
+
+export const API_KEY_HEADER = "x-api-key";
+
+const baseHeaders = {
+    "Digitraffic-User": "internal-digitraffic-canary",
+    "Accept-Encoding": "gzip",
+    Accept: "*/*",
+} as Record<string, string>;
+
+type CheckerFunction = (Res: IncomingMessage) => void;
+type JsonCheckerFunction<T> = (
+    json: T,
+    body: string,
+    message: IncomingMessage
+) => void;
+
+export class UrlChecker {
+    private readonly requestOptions: RequestOptions;
+
+    constructor(hostname: string, apiKey?: string) {
+        const headers = { ...baseHeaders };
+
+        if (apiKey) {
+            headers[API_KEY_HEADER] = apiKey;
+        }
+
+        this.requestOptions = {
+            hostname,
+            method: "GET",
+            protocol: "https:",
+            headers,
+        };
+
+        synthetics.getConfiguration().disableRequestMetrics();
+
+        synthetics
+            .getConfiguration()
+            .withIncludeRequestBody(false)
+            .withIncludeRequestHeaders(false)
+            .withIncludeResponseBody(false)
+            .withIncludeResponseHeaders(false)
+            .withFailedCanaryMetric(true);
+    }
+
+    static create(hostname: string, apiKeyId: string): Promise<UrlChecker> {
+        return getApiKeyFromAPIGateway(apiKeyId).then((apiKey) => {
+            return new UrlChecker(hostname, apiKey.value);
+        });
+    }
+
+    static createV2(): Promise<UrlChecker> {
+        return this.create(
+            getEnvVariable(ENV_HOSTNAME),
+            getEnvVariable(ENV_API_KEY)
+        );
+    }
+
+    expectStatus<T>(
+        statusCode: number,
+        url: string,
+        callback: JsonCheckerFunction<T>
+    ): Promise<void> {
+        const requestOptions = {
+            ...this.requestOptions,
+            ...{
+                path: url,
+            },
+        };
+
+        return synthetics.executeHttpStep(
+            `Verify ${statusCode} for ${url.replace(/auth=.*/, "")}`,
+            requestOptions,
+            callback
+        );
+    }
+
+    expect200<T>(
+        url: string,
+        ...callbacks: JsonCheckerFunction<T>[]
+    ): Promise<void> {
+        const callback = async (
+            json: T,
+            body: string,
+            res: IncomingMessage
+        ) => {
+            await Promise.allSettled(callbacks.map((c) => c(json, body, res)));
+        };
+
+        return this.expectStatus(200, url, callback);
+    }
+
+    expect404(url: string): Promise<void> {
+        const requestOptions = {
+            ...this.requestOptions,
+            ...{
+                path: url,
+            },
+        };
+
+        return synthetics.executeHttpStep(
+            `Verify 404 for ${url}`,
+            requestOptions,
+            validateStatusCodeAndContentType(404, MediaType.TEXT_PLAIN)
+        );
+    }
+
+    expect400(url: string): Promise<void> {
+        const requestOptions = {
+            ...this.requestOptions,
+            ...{
+                path: url,
+            },
+        };
+
+        return synthetics.executeHttpStep(
+            `Verify 400 for ${url}`,
+            requestOptions,
+            validateStatusCodeAndContentType(400, MediaType.TEXT_PLAIN)
+        );
+    }
+
+    expect403WithoutApiKey(url: string, mediaType?: MediaType): Promise<void> {
+        if (
+            !this.requestOptions.headers ||
+            !this.requestOptions.headers[API_KEY_HEADER]
+        ) {
+            console.error("No api key defined");
+        }
+
+        const requestOptions = {
+            ...this.requestOptions,
+            ...{
+                path: url,
+                headers: baseHeaders,
+            },
+        };
+
+        return synthetics.executeHttpStep(
+            `Verify 403 for ${url}`,
+            requestOptions,
+            validateStatusCodeAndContentType(
+                403,
+                mediaType || MediaType.APPLICATION_JSON
+            )
+        );
+    }
+
+    done(): string {
+        return "Canary successful";
+    }
+}
+
+async function getResponseBody(response: IncomingMessage): Promise<string> {
+    const body = await getBodyFromResponse(response);
+
+    if (response.headers["content-encoding"] === "gzip") {
+        try {
+            return zlib.gunzipSync(body).toString();
+        } catch (e) {
+            console.info("error " + JSON.stringify(e));
+        }
+    }
+
+    return body.toString();
+}
+
+function getBodyFromResponse(response: IncomingMessage): Promise<string> {
+    return new Promise((resolve: (value: string) => void) => {
+        const buffers: Buffer[] = [];
+
+        response.on("data", (data: Buffer) => {
+            buffers.push(data);
+        });
+
+        response.on("end", () => {
+            resolve(Buffer.concat(buffers).toString());
+        });
+    });
+}
+
+/**
+ * Returns function, that validates that the status code and content-type from response are the given values
+ * @param statusCode
+ * @param contentType
+ */
+function validateStatusCodeAndContentType(
+    statusCode: number,
+    contentType: MediaType
+): (Res: IncomingMessage) => Promise<void> {
+    return (res: IncomingMessage) => {
+        return new Promise((resolve) => {
+            if (res.statusCode !== statusCode) {
+                throw new Error(`${res.statusCode} ${res.statusMessage}`);
+            }
+
+            if (res.headers["content-type"] !== contentType) {
+                throw new Error(
+                    "Wrong content-type " + res.headers["content-type"]
+                );
+            }
+
+            resolve();
+        });
+    };
+}
+
+// DEPRECATED
+export class ResponseChecker {
+    private readonly contentType;
+    private checkCors = true;
+
+    constructor(contentType: string) {
+        this.contentType = contentType;
+    }
+
+    static forJson(): ResponseChecker {
+        return new ResponseChecker(MediaType.APPLICATION_JSON);
+    }
+
+    static forCSV(): ResponseChecker {
+        return new ResponseChecker(MediaType.TEXT_CSV);
+    }
+
+    static forGeojson(): ResponseChecker {
+        return new ResponseChecker(MediaType.APPLICATION_GEOJSON);
+    }
+
+    static forJpeg(): ResponseChecker {
+        return new ResponseChecker(MediaType.IMAGE_JPEG);
+    }
+
+    check(): CheckerFunction {
+        return this.responseChecker(() => {
+            // no need to do anything
+        });
+    }
+
+    checkJson<T>(
+        fn: (json: T, body: string, res: IncomingMessage) => void
+    ): CheckerFunction {
+        return this.responseChecker((body: string, res: IncomingMessage) => {
+            fn(JSON.parse(body), body, res);
+        });
+    }
+
+    responseChecker(
+        fn: (body: string, res: IncomingMessage) => void
+    ): CheckerFunction {
+        return async (res: IncomingMessage): Promise<void> => {
+            if (!res.statusCode) {
+                throw new Error("statusCode missing");
+            }
+
+            if (res.statusCode < 200 || res.statusCode > 299) {
+                throw new Error(`${res.statusCode} ${res.statusMessage}`);
+            }
+
+            if (this.checkCors && !res.headers["access-control-allow-origin"]) {
+                throw new Error("CORS missing");
+            }
+
+            if (res.headers["content-type"] !== this.contentType) {
+                throw new Error(
+                    "Wrong content-type " + res.headers["content-type"]
+                );
+            }
+
+            const body = await getResponseBody(res);
+
+            fn(body, res);
+        };
+    }
+}
+
+export class ContentChecker {
+    static checkJson<T>(
+        fn: (json: T, body: string, res: IncomingMessage) => void
+    ): CheckerFunction {
+        return async (res: IncomingMessage): Promise<void> => {
+            const body = await getResponseBody(res);
+
+            fn(JSON.parse(body), body, res);
+        };
+    }
+
+    static checkResponse(
+        fn: (body: string, res: IncomingMessage) => void
+    ): CheckerFunction {
+        return async (res: IncomingMessage): Promise<void> => {
+            const body = await getResponseBody(res);
+
+            fn(body, res);
+        };
+    }
+}
+
+export class ContentTypeChecker {
+    static checkContentType(contentType: MediaType) {
+        return (res: IncomingMessage) => {
+            if (!res.statusCode) {
+                throw new Error("statusCode missing");
+            }
+
+            if (res.statusCode < 200 || res.statusCode > 299) {
+                throw new Error(`${res.statusCode} ${res.statusMessage}`);
+            }
+
+            if (!res.headers["access-control-allow-origin"]) {
+                throw new Error("CORS missing");
+            }
+
+            if (res.headers["content-type"] !== contentType) {
+                throw new Error(
+                    "Wrong content-type " + res.headers["content-type"]
+                );
+            }
+        };
+    }
+}
+
+export class GeoJsonChecker {
+    static validFeatureCollection(
+        fn?: (json: FeatureCollection) => void
+    ): CheckerFunction {
+        return ResponseChecker.forGeojson().checkJson(
+            (json: FeatureCollection) => {
+                Asserter.assertEquals(json.type, "FeatureCollection");
+                Asserter.assertTrue(isValidGeoJson(json));
+
+                if (fn) {
+                    fn(json);
+                }
+            }
+        );
+    }
+}
+
+export class HeaderChecker {
+    static checkHeaderExists(headerName: string): CheckerFunction {
+        return (res: IncomingMessage) => {
+            if (!res.headers[headerName]) {
+                throw new Error("Missing header: " + headerName);
+            }
+        };
+    }
+
+    static checkHeaderMissing(headerName: string): CheckerFunction {
+        return (res: IncomingMessage) => {
+            if (res.headers[headerName]) {
+                throw new Error("Header should not exist: " + headerName);
+            }
+        };
+    }
+}

package/src/aws/infra/documentation.ts

@@ -0,0 +1,124 @@
+import {Construct} from "constructs";
+import {CfnDocumentationPart, Resource} from "aws-cdk-lib/aws-apigateway";
+
+// Documentation parts are objects that describe an API Gateway API or parts of an API
+// https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-documenting-api.html
+
+/**
+ * Add description to a query parameter
+ * @param name query parameter name
+ * @param description query parameter description
+ * @param resource REST API resource
+ * @param stack CloudFormation stack
+ *
+ * @deprecated Use DigitrafficRestApi.documentResource
+ */
+export function addQueryParameterDescription(name: string,
+    description: string,
+    resource: Resource,
+    stack: Construct) {
+    new CfnDocumentationPart(stack, `${name}Documentation`, {
+        restApiId: resource.api.restApiId,
+        location: {
+            type: 'QUERY_PARAMETER',
+            name,
+            path: resource.path,
+        },
+        properties: JSON.stringify({description}),
+    });
+}
+
+/**
+ * Add a documentation part to a method
+ * @param methodDescription
+ * @param documentationProperties
+ * @param resource REST API resource
+ * @param stack CloudFormation stack
+ */
+export function addDocumentation(methodDescription: string,
+    documentationProperties: object,
+    resource: Resource,
+    stack: Construct) {
+    new CfnDocumentationPart(stack, `${methodDescription}Documentation`, {
+        restApiId: resource.api.restApiId,
+        location: {
+            type: 'METHOD',
+            path: resource.path,
+        },
+        properties: JSON.stringify(documentationProperties),
+    });
+}
+
+/**
+ * Adds OpenAPI tags to an API method
+ * @param methodDescription Description of API method
+ * @param tags OpenAPI tags
+ * @param resource REST API resource
+ * @param stack CloudFormation stack
+ */
+export function addTags(methodDescription: string,
+    tags: string[],
+    resource: Resource,
+    stack: Construct) {
+    addDocumentation(methodDescription, {tags}, resource, stack);
+}
+
+/**
+ * Adds OpenAPI tags and a method summary to an API method
+ *
+ * @deprecated Use DigitrafficRestApi.documentResource
+ *
+ * @param methodDescription Description of API method
+ * @param tags OpenAPI tags
+ * @param summary OpenAPI summary
+ * @param resource REST API resource
+ * @param stack CloudFormation stack
+ */
+export function addTagsAndSummary(
+    methodDescription: string,
+    tags: string[],
+    summary: string,
+    resource: Resource,
+    stack: Construct,
+) {
+    addDocumentation(methodDescription, {tags, summary}, resource, stack);
+}
+
+export interface DocumentationProperties {
+    description?: string
+    tags?: string[]
+    summary?: string
+    deprecated?: boolean
+}
+
+export class DocumentationPart {
+    readonly parameterName: string;
+    readonly type: string;
+    readonly documentationProperties: DocumentationProperties;
+
+    private constructor(parameterName: string, documentationProperties: DocumentationProperties, type: string) {
+        this.parameterName = parameterName;
+        this.documentationProperties = documentationProperties;
+        this.type = type;
+    }
+
+    deprecated(note: string): DocumentationPart {
+        // deprecated is not supported ATM: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-known-issues.html
+        this.documentationProperties.deprecated = true;
+        this.documentationProperties.summary+= '. ' + note;
+
+        return this;
+    }
+
+    static queryParameter(parameterName: string, description: string) {
+        return new DocumentationPart(parameterName, {description}, "QUERY_PARAMETER");
+    }
+
+    static pathParameter(parameterName: string, description: string) {
+        return new DocumentationPart(parameterName, {description}, "PATH_PARAMETER");
+    }
+
+    static method(tags: string[], name: string, summary: string) {
+        return new DocumentationPart(name, {tags, summary}, "METHOD");
+    }
+}

package/src/aws/infra/scheduler.ts

@@ -0,0 +1,59 @@
+import { Rule, Schedule } from "aws-cdk-lib/aws-events";
+import { Duration } from "aws-cdk-lib";
+import { LambdaFunction } from "aws-cdk-lib/aws-events-targets";
+import { Function as AWSFunction } from "aws-cdk-lib/aws-lambda";
+import { Construct } from "constructs";
+
+export class Scheduler extends Rule {
+    constructor(
+        stack: Construct,
+        ruleName: string,
+        schedule: Schedule,
+        lambda?: AWSFunction
+    ) {
+        super(stack, ruleName, { ruleName, schedule });
+
+        if (lambda) {
+            this.addTarget(new LambdaFunction(lambda));
+        }
+    }
+
+    static everyMinute(
+        stack: Construct,
+        ruleName: string,
+        lambda?: AWSFunction
+    ) {
+        return Scheduler.every(stack, ruleName, Duration.minutes(1), lambda);
+    }
+
+    static everyMinutes(
+        stack: Construct,
+        ruleName: string,
+        minutes: number,
+        lambda?: AWSFunction
+    ) {
+        return Scheduler.every(
+            stack,
+            ruleName,
+            Duration.minutes(minutes),
+            lambda
+        );
+    }
+
+    static everyHour(stack: Construct, ruleName: string, lambda?: AWSFunction) {
+        return Scheduler.every(stack, ruleName, Duration.hours(1), lambda);
+    }
+
+    static everyDay(stack: Construct, ruleName: string, lambda?: AWSFunction) {
+        return Scheduler.every(stack, ruleName, Duration.days(1), lambda);
+    }
+
+    static every(
+        stack: Construct,
+        ruleName: string,
+        duration: Duration,
+        lambda?: AWSFunction
+    ) {
+        return new Scheduler(stack, ruleName, Schedule.rate(duration), lambda);
+    }
+}

package/src/aws/infra/security-rule.ts

@@ -0,0 +1,38 @@
+import {Construct} from "constructs";
+import {Rule} from "aws-cdk-lib/aws-events";
+import {ITopic} from "aws-cdk-lib/aws-sns";
+import {SnsTopic} from "aws-cdk-lib/aws-events-targets";
+
+/**
+ * Automatic rule for Security Hub.  Send notification to given topic if the following conditions apply:
+ * * There is a finding with a status of NEW
+ * * It has severity of HIGH or CRITICAL
+ * * It is in a FAILED state
+ */
+export class DigitrafficSecurityRule extends Rule {
+    constructor(scope: Construct, topic: ITopic) {
+        const ruleName = 'SecurityHubRule';
+        super(scope, ruleName, {
+            ruleName,
+            eventPattern: {
+                source: ['aws.securityhub'],
+                detailType: ["Security Hub Findings - Imported"],
+                detail: {
+                    findings: {
+                        "Compliance": {
+                            "Status": ["FAILED"],
+                        },
+                        "Workflow": {
+                            "Status": ["NEW"],
+                        },
+                        "Severity": {
+                            "Label": ["HIGH", "CRITICAL"],
+                        },
+                    },
+                },
+            },
+        });
+
+        this.addTarget(new SnsTopic(topic));
+    }
+}