entry_checker: add sender validation lambda

.github/workflows/tests.yml → .github/workflows/tests-go.yml

@@ -1,5 +1,5 @@
 ---
-name: Run tests
+name: Run tests (Go)
 
 on:
   push:

.github/workflows/tests-python.yml

@@ -0,0 +1,32 @@
+---
+name: Run tests (Python)
+on:
+  push:
+  workflow_dispatch:
+  pull_request:
+jobs:
+  pytest:
+    strategy:
+      fail-fast: false
+      matrix:
+        cfg:
+          - component: "lambda/entry_checker"
+    runs-on: ubuntu-latest
+    env:
+      python_version: "1.12"
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install poetry
+        run: pipx install poetry
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.python_version }}
+          cache: "poetry"
+          cache-dependency-path: |
+            ${{ matrix.cfg.component }}/pyproject.toml
+            ${{ matrix.cfg.component }}/poetry.lock
+      - name: Run pytest
+        run: |
+          cd ${{ matrix.cfg.component }}
+          poetry run pytest

README.md

@@ -44,7 +44,7 @@ This repository consists of two parts:
 
 Terraform module is provided in `terraform` directory.
 It can be used to create necessary components on AWS's end.
-It's required to set up [SES email receiving](https://docs.aws.amazon.com/ses/latest/dg/receiving-email-setting-up.html) first and
+It's required to set up [SES email receiving](https://docs.aws.amazon.com/ses/latest/dg/receiving-email-setting-up.html) first,
 configuring this part is outside the scope of this project.
 
 The minimum to get started is:
@@ -55,6 +55,14 @@ The minimum to get started is:
 recipients = ["[email protected]", "[email protected]"]
 ```
 
+It's also recommended (but optional) to set a regex describing allowed senders.
+Emails sent from different addresses will simply be ignored.
+It can be set as below:
+
+```
+senders = ".*@example.com"
+```
+
 2. run `terraform init`
 3. run `terraform apply`
 4. plug in the values obtained via `terraform output` as env variables in the following section

lambda/entry_checker/.gitignore

@@ -0,0 +1,5 @@
+venv
+.venv
+_pycache_
+
+payload

lambda/entry_checker/entry_checker/main.py

@@ -0,0 +1,45 @@
+import logging
+import os
+from entry_checker.validate import validate_sender
+
+logger = logging.getLogger(__name__)
+logger.setLevel(logging.DEBUG)
+
+
+def main(event, context):
+    allowed_senders_regex = os.environ["ALLOWED_SENDERS_REGEX"]
+
+    ses_notification = event["Records"].pop()["ses"]
+    receipt = ses_notification["receipt"]
+
+    logger.debug(receipt)
+
+    stop_email = False
+
+    if receipt["spfVerdict"]["status"] == "FAIL":
+        logger.debug("SPF FAIL detected, cutting off")
+        stop_email = True
+
+    elif receipt["dkimVerdict"]["status"] == "FAIL":
+        logger.debug("DKIM FAIL detected, cutting off")
+        stop_email = True
+
+    elif receipt["spamVerdict"]["status"] == "FAIL":
+        logger.debug("SPAM FAIL detected, cutting off")
+        stop_email = True
+
+    elif receipt["virusVerdict"]["status"] == "FAIL":
+        logger.debug("VIRUS FAIL detected, cutting off")
+        stop_email = True
+
+    else:
+        # Such validation is not perfect, but paired with the above conditions
+        # that rely on Amazon checks, it's definitely better than nothing.
+        sender = ses_notification["mail"]["commonHeaders"]["from"].pop()
+
+        if not validate_sender(allowed_senders_regex, sender):
+            logger.debug("sender validation FAIL detected, cutting off")
+            stop_email = True
+
+    if stop_email:
+        return {"disposition": "STOP_RULE_SET"}

lambda/entry_checker/entry_checker/validate.py

@@ -0,0 +1,11 @@
+import re
+
+
+def validate_sender(allowed_senders_regex: str, sender: str):
+    # Get rid of the "quotation marks"
+    sender = sender.replace("<", "").replace(">", "")
+
+    if re.search(allowed_senders_regex, sender):
+        return True
+
+    return False

lambda/entry_checker/pyproject.toml

@@ -0,0 +1,16 @@
+[tool.poetry]
+name = "entry-checker"
+version = "0.1.0"
+description = ""
+authors = ["dezeroku <[email protected]>"]
+readme = "README.md"
+
+[tool.poetry.dependencies]
+python = "^3.12"
+
+[tool.poetry.group.dev.dependencies]
+pytest = "^8.3.4"
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"

lambda/entry_checker/tests/validate_test.py

@@ -0,0 +1,17 @@
+from entry_checker.validate import validate_sender
+
+import pytest
+
+allowed_senders_regex = ".*@example.com"
+
+
+@pytest.mark.parametrize("sender", ["[email protected]", "<[email protected]>"])
+def test_validate_sender_success(sender):
+    assert validate_sender(allowed_senders_regex, sender)
+
+
+@pytest.mark.parametrize(
+    "sender", ["[email protected]", "<[email protected]>"]
+)
+def test_validate_sender_fail(sender):
+    assert not validate_sender(allowed_senders_regex, sender)

terraform/.gitignore

@@ -1,3 +1,4 @@
 .terraform*
 terraform*
 !.terraform.lock.hcl
+!terraform.tfvars.development

terraform/bucket.tf

@@ -10,10 +10,10 @@ resource "aws_s3_bucket" "bucket" {
 
 resource "aws_s3_bucket_policy" "allow_ses_access" {
   bucket = aws_s3_bucket.bucket.id
-  policy = data.aws_iam_policy_document.allow_ses_access.json
+  policy = data.aws_iam_policy_document.bucket_allow_ses_access.json
 }
 
-data "aws_iam_policy_document" "allow_ses_access" {
+data "aws_iam_policy_document" "bucket_allow_ses_access" {
   statement {
     principals {
       type        = "Service"