fix: add threat scanning of uploaded assets using aws guard duty (#4530)

Author: Pavel910

Diff for: apps/api/webiny.application.ts

@@ -1,4 +1,4 @@
-import { createApiApp } from "@webiny/serverless-cms-aws";
+import { createApiApp } from "@webiny/serverless-cms-aws/enterprise";
 
 export default createApiApp({
     pulumiResourceNamePrefix: "wby-"

Diff for: apps/core/webiny.application.ts

@@ -1,4 +1,4 @@
-import { createCoreApp } from "@webiny/serverless-cms-aws";
+import { createCoreApp } from "@webiny/serverless-cms-aws/enterprise";
 
 export default createCoreApp({
     pulumiResourceNamePrefix: "wby-"

Diff for: docs/DEPLOY_WEBINY_PROJECT_CF_TEMPLATE.yaml

@@ -516,6 +516,26 @@ Resources:
                   - logs:Unmask
                   - logs:GetLogEvents
 
+              # Malware Protection Plan (File Manager Threat Detection)
+              - Effect: Allow
+                Resource: "arn:aws:guardduty:*:*:malware-protection-plan/*"
+                Action:
+                  - guardduty:CreateMalwareProtectionPlan
+                  - guardduty:GetMalwareProtectionPlan
+                  - guardduty:DeleteMalwareProtectionPlan
+                  - guardduty:UpdateMalwareProtectionPlan
+
+              # IoT
+              - Effect: Allow
+                Resource: "arn:aws:iot:*:*:authorizer/*"
+                Action:
+                  - iot:CreateAuthorizer
+                  - iot:DescribeAuthorizer
+                  - iot:DescribeDefaultAuthorizer
+                  - iot:UpdateAuthorizer
+                  - iot:DeleteAuthorizer
+                  - iot:ListTagsForResource
+
   UserToDeployWebinyProjectGroup1:
     Type: AWS::IAM::UserToGroupAddition
     Properties:

Diff for: packages/api-audit-logs/__tests__/helpers/handlerCore.ts

@@ -27,6 +27,7 @@ import { ImportExportTaskStorageOperations } from "@webiny/api-page-builder-impo
 import { AdminUsersStorageOperations } from "@webiny/api-admin-users/types";
 import createAdminUsersApp from "@webiny/api-admin-users";
 import { createMailerContext } from "@webiny/api-mailer";
+import { NullLicense } from "@webiny/wcp";
 import { createAcoAuditLogsContext } from "~/app";
 
 export interface CreateHandlerCoreParams {
@@ -65,6 +66,11 @@ export const createHandlerCore = (params?: CreateHandlerCoreParams) => {
 
     const enableContextPlugin = createContextPlugin<AuditLogsContext>(async context => {
         context.wcp = {
+            getProject: () => null,
+            getRawLicense: () => null,
+            canUseRecordLocking: () => true,
+            canUseAuditLogs: () => true,
+            canUseFileManagerThreatDetection: () => false,
             ensureCanUseFeature: () => void 0,
             canUseFolderLevelPermissions: () => true,
             canUseAacl: () => true,
@@ -75,7 +81,7 @@ export const createHandlerCore = (params?: CreateHandlerCoreParams) => {
             decrementTenants: async () => void 0,
             incrementTenants: async () => void 0,
             getProjectEnvironment: () => null,
-            getProjectLicense: () => null,
+            getProjectLicense: () => new NullLicense(),
             canUseFeature: () => true
         };
     });

Diff for: packages/api-audit-logs/package.json

@@ -45,6 +45,7 @@
     "@webiny/api-page-builder-import-export": "0.0.0",
     "@webiny/error": "0.0.0",
     "@webiny/handler": "0.0.0",
-    "@webiny/utils": "0.0.0"
+    "@webiny/utils": "0.0.0",
+    "@webiny/wcp": "0.0.0"
   }
 }

Diff for: packages/api-audit-logs/tsconfig.build.json

@@ -12,6 +12,7 @@
     { "path": "../error/tsconfig.build.json" },
     { "path": "../handler/tsconfig.build.json" },
     { "path": "../utils/tsconfig.build.json" },
+    { "path": "../wcp/tsconfig.build.json" },
     { "path": "../api-admin-users/tsconfig.build.json" },
     { "path": "../api-file-manager/tsconfig.build.json" },
     { "path": "../api-headless-cms/tsconfig.build.json" },

Diff for: packages/api-audit-logs/tsconfig.json

@@ -12,6 +12,7 @@
     { "path": "../error" },
     { "path": "../handler" },
     { "path": "../utils" },
+    { "path": "../wcp" },
     { "path": "../api-admin-users" },
     { "path": "../api-file-manager" },
     { "path": "../api-headless-cms" },
@@ -50,6 +51,8 @@
       "@webiny/handler": ["../handler/src"],
       "@webiny/utils/*": ["../utils/src/*"],
       "@webiny/utils": ["../utils/src"],
+      "@webiny/wcp/*": ["../wcp/src/*"],
+      "@webiny/wcp": ["../wcp/src"],
       "@webiny/api-admin-users/*": ["../api-admin-users/src/*"],
       "@webiny/api-admin-users": ["../api-admin-users/src"],
       "@webiny/api-file-manager/*": ["../api-file-manager/src/*"],

Diff for: packages/api-file-manager-s3/package.json

@@ -13,9 +13,12 @@
     "@webiny/api": "0.0.0",
     "@webiny/api-file-manager": "0.0.0",
     "@webiny/api-security": "0.0.0",
+    "@webiny/api-wcp": "0.0.0",
+    "@webiny/api-websockets": "0.0.0",
     "@webiny/aws-sdk": "0.0.0",
     "@webiny/error": "0.0.0",
     "@webiny/handler": "0.0.0",
+    "@webiny/handler-aws": "0.0.0",
     "@webiny/handler-graphql": "0.0.0",
     "@webiny/plugins": "0.0.0",
     "@webiny/tasks": "0.0.0",

Diff for: packages/api-file-manager-s3/src/assetDelivery/assetDeliveryConfig.ts

@@ -6,17 +6,7 @@ import { S3 } from "@webiny/aws-sdk/client-s3";
 import { S3AssetResolver } from "~/assetDelivery/s3/S3AssetResolver";
 import { S3OutputStrategy } from "~/assetDelivery/s3/S3OutputStrategy";
 import { SharpTransform } from "~/assetDelivery/s3/SharpTransform";
-
-export type AssetDeliveryParams = Parameters<typeof createBaseAssetDelivery>[0] & {
-    imageResizeWidths?: number[];
-    /**
-     * BE CAREFUL!
-     * Setting this to more than 1 hour may cause your URLs to still expire before the desired expiration time.
-     * @see https://repost.aws/knowledge-center/presigned-url-s3-bucket-expiration
-     */
-    presignedUrlTtl?: number;
-    assetStreamingMaxSize?: number;
-};
+import type { AssetDeliveryParams } from "~/assetDelivery/types";
 
 export const assetDeliveryConfig = (params: AssetDeliveryParams) => {
     const bucket = process.env.S3_BUCKET as string;

Diff for: packages/api-file-manager-s3/src/assetDelivery/createAssetDelivery.ts

@@ -1,14 +1,25 @@
 import { createAssetDeliveryPluginLoader } from "@webiny/api-file-manager";
 import { PluginFactory } from "@webiny/plugins/types";
-import type { AssetDeliveryParams } from "./assetDeliveryConfig";
+import { createThreatDetectionPluginLoader } from "~/assetDelivery/threatDetection";
+import type { AssetDeliveryParams } from "~/assetDelivery/types";
 
-export const createAssetDelivery = (params: AssetDeliveryParams): PluginFactory => {
-    /**
-     * We only want to load this plugin in the context of the Asset Delivery Lambda function.
-     */
-    return createAssetDeliveryPluginLoader(() => {
-        return import(/* webpackChunkName: "s3AssetDelivery" */ "./assetDeliveryConfig").then(
-            ({ assetDeliveryConfig }) => assetDeliveryConfig(params)
-        );
-    });
+export const createAssetDelivery = (params: AssetDeliveryParams): PluginFactory[] => {
+    return [
+        /**
+         * We only want to load this plugin in the context of the Asset Delivery Lambda function.
+         */
+        createAssetDeliveryPluginLoader(() => {
+            return import(/* webpackChunkName: "s3AssetDelivery" */ "./assetDeliveryConfig").then(
+                ({ assetDeliveryConfig }) => assetDeliveryConfig(params)
+            );
+        }),
+        /**
+         * We only want to load this plugin in the context of the Threat Detection Lambda function.
+         */
+        createThreatDetectionPluginLoader(() => {
+            return import(
+                /* webpackChunkName: "threatDetectionEventHandler" */ "./threatDetection/createThreatDetectionEventHandler"
+            ).then(({ createThreatDetectionEventHandler }) => createThreatDetectionEventHandler());
+        })
+    ];
 };

Diff for: packages/api-file-manager-s3/src/assetDelivery/threatDetection/createThreatDetectionEventHandler.ts

@@ -0,0 +1,63 @@
+import { S3 } from "@webiny/aws-sdk/client-s3";
+import { createEventBridgeEventHandler } from "@webiny/handler-aws";
+import { createHandlerOnRequest } from "@webiny/handler";
+import { GuardDutyEvent, ThreatDetectionContext } from "./types";
+import { processThreatScanResult } from "./processThreatScanResult";
+import { S3AssetMetadataReader } from "~/assetDelivery/s3/S3AssetMetadataReader";
+import { EventBridgeEvent } from "@webiny/aws-sdk/types";
+
+const detailType = "GuardDuty Malware Protection Object Scan Result";
+
+const bucket = process.env.S3_BUCKET as string;
+const region = process.env.AWS_REGION as string;
+
+export const createThreatDetectionEventHandler = () => {
+    const s3 = new S3({ region });
+
+    const handlerOnRequest = createHandlerOnRequest(async request => {
+        const payload = request.body as EventBridgeEvent<string, GuardDutyEvent>;
+
+        if (payload["detail-type"] !== detailType) {
+            return;
+        }
+
+        const objectKey = payload.detail.s3ObjectDetails.objectKey;
+        if (objectKey.endsWith(".metadata")) {
+            return;
+        }
+
+        try {
+            const s3Metadata = new S3AssetMetadataReader(s3, bucket);
+            const metadata = await s3Metadata.getMetadata(payload.detail.s3ObjectDetails.objectKey);
+
+            request.headers = {
+                ...request.headers,
+                "x-tenant": metadata.tenant,
+                "x-i18n-locale": `default:${metadata.locale};content:${metadata.locale};`
+            };
+        } catch {
+            // If metadata can't be loaded, we ignore the file.
+            // Most likely it's because the file is a rendition of the original file,
+            // so we don't need to do anything with it.
+        }
+    });
+    // Guard Duty event handler.
+    const threatScanEventHandler = createEventBridgeEventHandler<typeof detailType, GuardDutyEvent>(
+        async ({ payload, next, ...rest }) => {
+            const context = rest.context as ThreatDetectionContext;
+
+            const threatDetectionEnabled = context.wcp.canUseFileManagerThreatDetection();
+
+            if (!threatDetectionEnabled || payload["detail-type"] !== detailType) {
+                return next();
+            }
+
+            await processThreatScanResult(context, payload.detail);
+        }
+    );
+
+    // Assign a human-readable name for easier debugging.
+    threatScanEventHandler.name = threatScanEventHandler.type + ".threatDetectionEventHandler";
+
+    return [handlerOnRequest, threatScanEventHandler];
+};

Diff for: packages/api-file-manager-s3/src/assetDelivery/threatDetection/createThreatDetectionPluginLoader.ts

@@ -0,0 +1,9 @@
+import { PluginFactory } from "@webiny/plugins/types";
+import { createConditionalPluginFactory } from "@webiny/api";
+
+export const createThreatDetectionPluginLoader = (cb: PluginFactory) => {
+    return createConditionalPluginFactory(
+        () => process.env.WEBINY_FUNCTION_TYPE === "threat-detection-event-handler",
+        cb
+    );
+};

Diff for: packages/api-file-manager-s3/src/assetDelivery/threatDetection/index.ts

@@ -0,0 +1,2 @@
+export * from "./createThreatDetectionEventHandler";
+export * from "./createThreatDetectionPluginLoader";

Diff for: packages/api-file-manager-s3/src/assetDelivery/threatDetection/processThreatScanResult.ts

@@ -0,0 +1,72 @@
+import { GuardDutyEvent, ThreatDetectionContext } from "./types";
+
+export const processThreatScanResult = async (
+    context: ThreatDetectionContext,
+    eventDetail: GuardDutyEvent
+) => {
+    await context.security.withoutAuthorization(async () => {
+        try {
+            const scanStatus = eventDetail.scanResultDetails.scanResultStatus;
+            const s3Object = eventDetail.s3ObjectDetails;
+
+            const [[file]] = await context.fileManager.listFiles({
+                limit: 1,
+                where: {
+                    key: s3Object.objectKey
+                }
+            });
+
+            if (!file) {
+                return;
+            }
+
+            const allConnections = await context.websockets.listConnections();
+
+            if (scanStatus === "NO_THREATS_FOUND") {
+                const newTags = file.tags.filter(tag => tag !== "threatScanInProgress");
+                await context.fileManager.updateFile(file.id, {
+                    tags: newTags,
+                    savedBy: file.savedBy
+                });
+
+                await context.websockets.sendToConnections(allConnections, {
+                    action: "fm.threatScan.noThreatFound",
+                    data: {
+                        id: file.id,
+                        tags: newTags
+                    }
+                });
+
+                return;
+            }
+
+            if (scanStatus === "THREATS_FOUND") {
+                // Delete infected file.
+                await context.fileManager.deleteFile(file.id);
+
+                await context.websockets.sendToConnections(allConnections, {
+                    action: "fm.threatScan.threatDetected",
+                    data: {
+                        id: file.id,
+                        name: file.name
+                    }
+                });
+
+                return;
+            }
+
+            // For all other outcomes, we delete the file, until better logic is implemented.
+            await context.fileManager.deleteFile(file.id);
+
+            await context.websockets.sendToConnections(allConnections, {
+                action: "fm.threatScan.unsupported",
+                data: {
+                    id: file.id,
+                    name: file.name
+                }
+            });
+        } catch (e) {
+            console.log(e.message);
+        }
+    });
+};

Diff for: packages/api-file-manager-s3/src/assetDelivery/threatDetection/types.ts

@@ -0,0 +1,20 @@
+import type { Context as IWebsocketsContext } from "@webiny/api-websockets";
+import type { WcpContext } from "@webiny/api-wcp/types";
+import type { FileManagerContext } from "@webiny/api-file-manager/types";
+
+export type ThreatDetectionContext = FileManagerContext & IWebsocketsContext & WcpContext;
+
+export type GuardDutyEvent = {
+    scanResultDetails: {
+        scanResultStatus:
+            | "UNSUPPORTED"
+            | "FAILED"
+            | "ACCESS_DENIED"
+            | "THREATS_FOUND"
+            | "NO_THREATS_FOUND";
+    };
+    s3ObjectDetails: {
+        bucketName: string;
+        objectKey: string;
+    };
+};

Diff for: packages/api-file-manager-s3/src/assetDelivery/types.ts

@@ -0,0 +1,12 @@
+import { createAssetDelivery as createBaseAssetDelivery } from "@webiny/api-file-manager";
+
+export type AssetDeliveryParams = Parameters<typeof createBaseAssetDelivery>[0] & {
+    imageResizeWidths?: number[];
+    /**
+     * BE CAREFUL!
+     * Setting this to more than 1 hour may cause your URLs to still expire before the desired expiration time.
+     * @see https://repost.aws/knowledge-center/presigned-url-s3-bucket-expiration
+     */
+    presignedUrlTtl?: number;
+    assetStreamingMaxSize?: number;
+};

Diff for: packages/api-file-manager-s3/tsconfig.build.json

@@ -5,9 +5,12 @@
     { "path": "../api/tsconfig.build.json" },
     { "path": "../api-file-manager/tsconfig.build.json" },
     { "path": "../api-security/tsconfig.build.json" },
+    { "path": "../api-wcp/tsconfig.build.json" },
+    { "path": "../api-websockets/tsconfig.build.json" },
     { "path": "../aws-sdk/tsconfig.build.json" },
     { "path": "../error/tsconfig.build.json" },
     { "path": "../handler/tsconfig.build.json" },
+    { "path": "../handler-aws/tsconfig.build.json" },
     { "path": "../handler-graphql/tsconfig.build.json" },
     { "path": "../plugins/tsconfig.build.json" },
     { "path": "../tasks/tsconfig.build.json" },

Diff for: packages/api-file-manager-s3/tsconfig.json

@@ -5,9 +5,12 @@
     { "path": "../api" },
     { "path": "../api-file-manager" },
     { "path": "../api-security" },
+    { "path": "../api-wcp" },
+    { "path": "../api-websockets" },
     { "path": "../aws-sdk" },
     { "path": "../error" },
     { "path": "../handler" },
+    { "path": "../handler-aws" },
     { "path": "../handler-graphql" },
     { "path": "../plugins" },
     { "path": "../tasks" },
@@ -27,12 +30,18 @@
       "@webiny/api-file-manager": ["../api-file-manager/src"],
       "@webiny/api-security/*": ["../api-security/src/*"],
       "@webiny/api-security": ["../api-security/src"],
+      "@webiny/api-wcp/*": ["../api-wcp/src/*"],
+      "@webiny/api-wcp": ["../api-wcp/src"],
+      "@webiny/api-websockets/*": ["../api-websockets/src/*"],
+      "@webiny/api-websockets": ["../api-websockets/src"],
       "@webiny/aws-sdk/*": ["../aws-sdk/src/*"],
       "@webiny/aws-sdk": ["../aws-sdk/src"],
       "@webiny/error/*": ["../error/src/*"],
       "@webiny/error": ["../error/src"],
       "@webiny/handler/*": ["../handler/src/*"],
       "@webiny/handler": ["../handler/src"],
+      "@webiny/handler-aws/*": ["../handler-aws/src/*"],
+      "@webiny/handler-aws": ["../handler-aws/src"],
       "@webiny/handler-graphql/*": ["../handler-graphql/src/*"],
       "@webiny/handler-graphql": ["../handler-graphql/src"],
       "@webiny/plugins/*": ["../plugins/src/*"],