First working iteration

Author: rimutaka

.gitignore

@@ -0,0 +1,3 @@
+/target
+Cargo.lock
+*.zip

Cargo.toml

@@ -0,0 +1,28 @@
+[package]
+name = "stm_inbox"
+version = "0.1.1"
+authors = ["rimutaka <[email protected]>"]
+edition = "2018"
+homepage = "https://stackmuncher.com"
+repository = "https://github.com/stackmuncher/stm_inbox"
+license = "AGPL-3.0-or-later"
+description = "An AWS Lambda function for storing StackMuncher reports in AWS S3. The reports are sent by StackMuncher client app (https://github.com/stackmuncher/stm)."
+
+[dependencies]
+serde_json = "1.0.64"
+serde = { version = "1.0.126", features = ["derive"] }
+tokio = { version = "1.6", features = ["full"] }
+tracing = { version = "0.1.26", features = ["log"] }
+tracing-subscriber = "0.2.18"
+log = "0.4.14"
+lambda_runtime = { git = "https://github.com/awslabs/aws-lambda-rust-runtime.git" }
+hyper = { version = "0.14.7", features = ["http2"] }
+hyper-rustls = "0.22.1"
+rusoto_signature = "0.46.0"
+rusoto_sqs = { version = "0.46.0", features = ["rustls"], default-features = false }
+rusoto_core = { version = "0.46.0", features = ["rustls"], default-features = false }
+rusoto_s3 = { version = "0.46.0", features = ["rustls"], default-features = false }
+base64 = "0.13.0"
+bs58 = "0.4.0"
+ring = "0.16.20"
+chrono = { version = "0.4.19" }

README.md

@@ -0,0 +1,57 @@
+# StackMuncher Inbox for Report Submissions
+
+This app is used as a Lambda function for receiving user report submissions.
+
+The client app signs and submits one or more reports at the end of its stack analysis. The submissions contain the report in the body of HTTP POST message and several meta-headers:
+
+* **StackMuncher_Key**: the public key of the user (required)
+* **StackMuncher_Sig**: the signature generated by the client app (required)
+
+The sole purpose of this app is to save validated stack report submissions from devs and return a response as soon as possible.
+The validation is limited to checking the signature using the public key included in the submission.
+Validated reports are saved as-is with the key and timestamp of the submission.
+E.g. `s3://stm-reports-dev/queue/1621680890_7prBWD7pzYk2czeXZeXzjxjDQbnuka2RLShdW5AxWuk7.json`, where:
+* queue: prefix for new, unprocessed reports
+* 1621680890: an epoch timestamp of the submission
+* 7prBWD7pzYk2czeXZeXzjxjDQbnuka2RLShdW5AxWuk7: dev's public key in base58 format
+
+## Deployment
+
+The deployment should be automated. This section is a quick memo for manual deployment.
+
+#### Lambda deployment
+
+Create function called `stm_inbox` with `stm_inbox` role, a custom runtime and customize these settings:
+* env vars: see [config.rs](./src/config.rs) for the full list
+* timeout: 30s
+* reserved concurrency: 25
+* async invocation: ... TBC
+
+```
+cargo build --release --target x86_64-unknown-linux-gnu
+cp ./target/x86_64-unknown-linux-gnu/release/stm_inbox ./bootstrap && zip proxy.zip bootstrap && rm bootstrap
+aws lambda update-function-code --region us-east-1 --function-name stm_inbox --zip-file fileb://proxy.zip
+```
+
+#### API Gateway
+
+* HTTP API with Lambda
+* ANY /{proxy+}
+* `stm_inbox` Lambda
+* `$default` stage
+
+## Debugging
+
+This app relies on https://github.com/rimutaka/lambda-debug-proxy to run a local copy on your dev machine connected to the GatewayAPI via SQS.
+This is a bit of a hack. Watch https://github.com/awslabs/aws-lambda-rust-runtime/issues/260 for possible standardization of this feature.
+
+1. Deploy https://github.com/rimutaka/lambda-debug-proxy in place of *stm_inbox*
+2. Configure the request and response SQS queues
+3. Add `STM_INBOX_LAMBDA_PROXY_REQ` and `STM_INBOX_LAMBDA_PROXY_RESP` with the queue URLs to your *.bashrc*
+4. Use `cargo run` to launch *stm_inbox* app locally
+5. Send a request to the GWAPI endpoint to invoke *stm_inbox* 
+
+The above steps should trigger a chain of requests and responses: 
+> APIGW -> Lambda *stm_inbox* proxy -> SQS Request Queue -> the locally run *stm_inbox* app -> SQS Response Queue -> Lambda *stm_inbox* proxy -> APIGW
+
+[main.rs](./src/main.rs) has sections of code annotated with `#[cfg(debug_assertions)]` to use *lambda-debug-proxy* feature in DEBUG mode or exclude it when built with `--release`.

api-req-sample.json

@@ -0,0 +1,39 @@
+{
+  "body": "eyJ0ZWNoIjpbeyJsYW5ndWFnZSI6IlJ1c3QiLCJtdW5jaGVyX25hbWUiOiJydXN0LnJzIiwibXVuY2hlcl9oYXNoIjoyNzQ2ODk1MjU1NjI1ODQ0OTYsImZpbGVzIjozLCJ0b3RhbF9saW5lcyI6MTM1OSwiYmxhbmtfbGluZXMiOjE0NywiYnJhY2tldF9vbmx5X2xpbmVzIjoxNTUsImNvZGVfbGluZXMiOjg1NSwiaW5saW5lX2NvbW1lbnRzIjowLCJsaW5lX2NvbW1lbnRzIjoxMzEsImJsb2NrX2NvbW1lbnRzIjowLCJkb2NzX2NvbW1lbnRzIjo3MSwia2V5d29yZHMiOlt7ImsiOiJjcmF0ZSIsImMiOjZ9LHsiayI6InB1YiIsImMiOjUxfSx7ImsiOiJmbiIsImMiOjI2fSx7ImsiOiJtb2QiLCJjIjoxMn0seyJrIjoiYnJlYWsiLCJjIjoxfSx7ImsiOiJmYWxzZSIsImMiOjh9LHsiayI6ImZvciIsImMiOjMzfSx7ImsiOiJ0cnVlIiwiYyI6NX0seyJrIjoidXNlIiwiYyI6Mjd9LHsiayI6Im11dCIsImMiOjQwfSx7ImsiOiJzZWxmIiwiYyI6NDR9LHsiayI6ImltcGwiLCJjIjozfSx7ImsiOiJlbHNlIiwiYyI6MjJ9LHsiayI6ImFzeW5jIiwiYyI6Nn0seyJrIjoiaW4iLCJjIjo0Mn0seyJrIjoiYXMiLCJjIjoyfSx7ImsiOiJjb25zdCIsImMiOjN9LHsiayI6InJldHVybiIsImMiOjE1fSx7ImsiOiJzdGF0aWMiLCJjIjozfSx7ImsiOiJTZWxmIiwiYyI6MTB9LHsiayI6InN1cGVyIiwiYyI6NH0seyJrIjoiY29udGludWUiLCJjIjo1fSx7ImsiOiJzdHJ1Y3QiLCJjIjoxfSx7ImsiOiJpZiIsImMiOjY5fSx7ImsiOiJsb29wIiwiYyI6MX0seyJrIjoibWF0Y2giLCJjIjoxMH0seyJrIjoibGV0IiwiYyI6MTEyfSx7ImsiOiJhd2FpdCIsImMiOjEyfV19XSwicGVyX2ZpbGVfdGVjaCI6W3siZmlsZV9uYW1lIjoic3RhY2ttdW5jaGVyL3NyYy9saWIucnMiLCJsYW5ndWFnZSI6IlJ1c3QiLCJtdW5jaGVyX25hbWUiOiJydXN0LnJzIiwibXVuY2hlcl9oYXNoIjoyNzQ2ODk1MjU1NjI1ODQ0OTYsImNvbW1pdF9zaGExIjoiZDMzZmIzNmE3ZTk4YmQ5OWZhOTg4NWM1OWRkYTg5NjVmM2UxOTBhNiIsImNvbW1pdF9kYXRlX2Vwb2NoIjoxNjExMDI0MjY0LCJjb21taXRfZGF0ZV9pc28iOiIyMDIxLTAxLTE5VDAyOjQ0OjI0KzAwOjAwIiwiZmlsZXMiOjEsInRvdGFsX2xpbmVzIjo0NjIsImJsYW5rX2xpbmVzIjo0OSwiYnJhY2tldF9vbmx5X2xpbmVzIjo0MywiY29kZV9saW5lcyI6Mjk1LCJpbmxpbmVfY29tbWVudHMiOjAsImxpbmVfY29tbWVudHMiOjU0LCJibG9ja19jb21tZW50cyI6MCwiZG9jc19jb21tZW50cyI6MjEsImtleXdvcmRzIjpbeyJrIjoiY3JhdGUiLCJjIjoyfSx7ImsiOiJwdWIiLCJjIjoxNX0seyJrIjoiZm4iLCJjIjo2fSx7ImsiOiJtb2QiLCJjIjoxMX0seyJrIjoiZmFsc2UiLCJjIjozfSx7ImsiOiJmb3IiLCJjIjoxM30seyJrIjoidHJ1ZSIsImMiOjV9LHsiayI6InVzZSIsImMiOjd9LHsiayI6Im11dCIsImMiOjE0fSx7ImsiOiJzZWxmIiwiYyI6MTF9LHsiayI6ImltcGwiLCJjIjoxfSx7ImsiOiJlbHNlIiwiYyI6Nn0seyJrIjoiYXN5bmMiLCJjIjozfSx7ImsiOiJpbiIsImMiOjEwfSx7ImsiOiJhcyIsImMiOjF9LHsiayI6InJldHVybiIsImMiOjZ9LHsiayI6IlNlbGYiLCJjIjoyfSx7ImsiOiJjb250aW51ZSIsImMiOjJ9LHsiayI6ImlmIiwiYyI6MjV9LHsiayI6ImxldCIsImMiOjQ1fSx7ImsiOiJhd2FpdCIsImMiOjh9XX0seyJmaWxlX25hbWUiOiJzdGFja211bmNoZXIvc3JjL3JlcG9ydC5ycyIsImxhbmd1YWdlIjoiUnVzdCIsIm11bmNoZXJfbmFtZSI6InJ1c3QucnMiLCJtdW5jaGVyX2hhc2giOjI3NDY4OTUyNTU2MjU4NDQ5NiwiY29tbWl0X3NoYTEiOiJkMzNmYjM2YTdlOThiZDk5ZmE5ODg1YzU5ZGRhODk2NWYzZTE5MGE2IiwiY29tbWl0X2RhdGVfZXBvY2giOjE2MTEwMjQyNjQsImNvbW1pdF9kYXRlX2lzbyI6IjIwMjEtMDEtMTlUMDI6NDQ6MjQrMDA6MDAiLCJmaWxlcyI6MSwidG90YWxfbGluZXMiOjY3NiwiYmxhbmtfbGluZXMiOjcwLCJicmFja2V0X29ubHlfbGluZXMiOjg2LCJjb2RlX2xpbmVzIjo0MTQsImlubGluZV9jb21tZW50cyI6MCwibGluZV9jb21tZW50cyI6NTgsImJsb2NrX2NvbW1lbnRzIjowLCJkb2NzX2NvbW1lbnRzIjo0OCwia2V5d29yZHMiOlt7ImsiOiJjcmF0ZSIsImMiOjR9LHsiayI6InB1YiIsImMiOjM1fSx7ImsiOiJpbiIsImMiOjI3fSx7ImsiOiJpbXBsIiwiYyI6Mn0seyJrIjoiZm4iLCJjIjoxN30seyJrIjoidXNlIiwiYyI6MTZ9LHsiayI6IlNlbGYiLCJjIjo4fSx7ImsiOiJlbHNlIiwiYyI6MTR9LHsiayI6Im1vZCIsImMiOjF9LHsiayI6Im11dCIsImMiOjIxfSx7ImsiOiJhcyIsImMiOjF9LHsiayI6ImxldCIsImMiOjQ5fSx7ImsiOiJmYWxzZSIsImMiOjR9LHsiayI6InNlbGYiLCJjIjozM30seyJrIjoibWF0Y2giLCJjIjo3fSx7ImsiOiJyZXR1cm4iLCJjIjo3fSx7ImsiOiJjb25zdCIsImMiOjF9LHsiayI6ImF3YWl0IiwiYyI6MX0seyJrIjoiaWYiLCJjIjozNX0seyJrIjoiZm9yIiwiYyI6MTd9LHsiayI6InN0YXRpYyIsImMiOjF9LHsiayI6InN1cGVyIiwiYyI6NH0seyJrIjoiY29udGludWUiLCJjIjoxfSx7ImsiOiJhc3luYyIsImMiOjJ9LHsiayI6InN0cnVjdCIsImMiOjF9XX0seyJmaWxlX25hbWUiOiJzdG1hcHAvc3JjL21haW4ucnMiLCJsYW5ndWFnZSI6IlJ1c3QiLCJtdW5jaGVyX25hbWUiOiJydXN0LnJzIiwibXVuY2hlcl9oYXNoIjoyNzQ2ODk1MjU1NjI1ODQ0OTYsImNvbW1pdF9zaGExIjoiNmYzNGY4ODA4OTM4NGE3YzgwYmFkNGU0YmVmMjUyMTA1NGRhYjk4NCIsImNvbW1pdF9kYXRlX2Vwb2NoIjoxNjEwOTM0MjY3LCJjb21taXRfZGF0ZV9pc28iOiIyMDIxLTAxLTE4VDAxOjQ0OjI3KzAwOjAwIiwiZmlsZXMiOjEsInRvdGFsX2xpbmVzIjoyMjEsImJsYW5rX2xpbmVzIjoyOCwiYnJhY2tldF9vbmx5X2xpbmVzIjoyNiwiY29kZV9saW5lcyI6MTQ2LCJpbmxpbmVfY29tbWVudHMiOjAsImxpbmVfY29tbWVudHMiOjE5LCJibG9ja19jb21tZW50cyI6MCwiZG9jc19jb21tZW50cyI6Miwia2V5d29yZHMiOlt7ImsiOiJhc3luYyIsImMiOjF9LHsiayI6ImlmIiwiYyI6OX0seyJrIjoibGV0IiwiYyI6MTh9LHsiayI6Im11dCIsImMiOjV9LHsiayI6ImZuIiwiYyI6M30seyJrIjoiZm9yIiwiYyI6M30seyJrIjoidXNlIiwiYyI6NH0seyJrIjoicHViIiwiYyI6MX0seyJrIjoiaW4iLCJjIjo1fSx7ImsiOiJlbHNlIiwiYyI6Mn0seyJrIjoicmV0dXJuIiwiYyI6Mn0seyJrIjoibWF0Y2giLCJjIjozfSx7ImsiOiJjb25zdCIsImMiOjJ9LHsiayI6Imxvb3AiLCJjIjoxfSx7ImsiOiJmYWxzZSIsImMiOjF9LHsiayI6ImF3YWl0IiwiYyI6M30seyJrIjoiY29udGludWUiLCJjIjoyfSx7ImsiOiJicmVhayIsImMiOjF9LHsiayI6InN0YXRpYyIsImMiOjJ9XX1dLCJ0aW1lc3RhbXAiOiIyMDIxLTA1LTIxVDAxOjM2OjA5LjA5MDI0MzkzNSswMDowMCIsInJlbW90ZV91cmxfaGFzaGVzIjpbImIwYzMxN2I3YThiZmFiZjk1MTU0YmIyN2I3MDE5NzU2MWUzMjE4MTMiLCIyOWYwOGQ4ZDdiZGQxZDg5NWYxNTIwOGMwY2VjNmJiMTJjNzFiMmE2Il0sInJlcG9ydF9pZCI6ImRkZTEzYjAzLTliMmQtNGFhNS1iNWQxLTU5MzYyZGMxZTgxYyIsInJlcG9ydF9jb21taXRfc2hhMSI6IjBmZGRjZGE1YmEwMTBkNWMzMmE0ZTk4NDkzNjEwODU2NGVmODZmMDgiLCJsb2dfaGFzaCI6ImM1N2Y0NWE5N2FiMjg1N2Q4OTcxZDEwZGFiNGZhMzY4ODUyMTdiMjgiLCJnaXRfaWRzX2luY2x1ZGVkIjpbInVidW50dUBpcC0xNzItMzEtNDctMjguYXAtc291dGhlYXN0LTIuY29tcHV0ZS5pbnRlcm5hbCJdLCJpc19zaW5nbGVfY29tbWl0Ijp0cnVlLCJsYXN0X2NvbW1pdF9hdXRob3IiOiJtYXhAb25lYnJvLm1lIn0=",
+  "headers": {
+    "content-length": "3839",
+    "host": "emvuertw1ec.execute-api.us-east-1.amazonaws.com",
+    "stackmuncher_key": "EFY9NXEytYgBgGsyAeGfXzkBEBQzC9NXFyj47EPdmVLB",
+    "stackmuncher_sig": "3phLLQyiquyX4xge3CXYGCfb1KdrXQ8cTgBbvE8obwCkcm7vPdLsKT6JtNCdF9qeyjcgF2b4kTRXEsoMTHcQr43n",
+    "x-amzn-trace-id": "Root=1-60a70e8a-7a28629c2fce00f17f26aa16",
+    "x-forwarded-for": "13.54.209.171",
+    "x-forwarded-port": "443",
+    "x-forwarded-proto": "https"
+  },
+  "isBase64Encoded": true,
+  "pathParameters": {
+    "proxy": ""
+  },
+  "rawPath": "/",
+  "rawQueryString": "",
+  "requestContext": {
+    "accountId": "11111111111",
+    "apiId": "emvuertw1ec",
+    "domainName": "emvuertw1ec.execute-api.us-east-1.amazonaws.com",
+    "domainPrefix": "emvuertw1ec",
+    "http": {
+      "method": "POST",
+      "path": "/",
+      "protocol": "HTTP/1.1",
+      "sourceIp": "13.54.209.171",
+      "userAgent": ""
+    },
+    "requestId": "fp81nhsBoAMESKw=",
+    "routeKey": "POST /{proxy+}",
+    "stage": "$default",
+    "time": "21/May/2021:01:36:10 +0000",
+    "timeEpoch": 1621560970266
+  },
+  "routeKey": "POST /{proxy+}",
+  "version": "2.0"
+}

src/config.rs

@@ -0,0 +1,84 @@
+use hyper_rustls::HttpsConnector;
+use rusoto_core::credential::DefaultCredentialsProvider;
+use rusoto_core::HttpClient;
+use rusoto_core::Region;
+use rusoto_s3::S3Client;
+use std::str::FromStr;
+use std::time::Duration;
+
+/// Name of a required env variable (STM_INBOX_S3_REGION)
+/// E.g. `us-east-1`
+pub const S3_REGION_ENV: &str = "STM_INBOX_S3_REGION";
+/// Name of a required env variable (STM_INBOX_S3_BUCKET)
+/// E.g. `stm-reports-prod`
+pub const S3_BUCKET_ENV: &str = "STM_INBOX_S3_BUCKET";
+/// Name of a required env variable (STM_INBOX_S3_BUCKET)
+/// The storage tree with any additional folders is placed under this prefix.
+/// E.g. `queue`, leading/trailing `/` are removed
+pub const S3_PREFIX_ENV: &str = "STM_INBOX_S3_PREFIX";
+
+/// A struct with all the config info passed around as a single param
+pub struct Config {
+    /// The name of the bucket for storing contributor reports.
+    /// E.g. `stm-subs-j5awwhv9pb9np7d`
+    pub s3_bucket: String,
+    /// The base prefix within the bucket to the root of the report storage.
+    /// The storage tree with any additional folders is placed under this prefix.
+    /// E.g. `queue`, leading/trailing `/` are removed
+    pub s3_prefix: String,
+    /// Contains an initialized S3 Client for reuse. Doesn't need to be public.
+    pub s3_client: S3Client,
+}
+
+impl Config {
+    /// Initializes a new Config struct from the environment. Panics on invalid config values.
+    pub fn new() -> Self {
+        let s3_region = std::env::var(S3_REGION_ENV)
+            .expect(&format!(
+                "Missing {} env var with S3 region name, e.g. us-east-1",
+                S3_REGION_ENV
+            ))
+            .trim()
+            .to_string();
+
+        let s3_region = Region::from_str(&s3_region)
+            .expect("Invalid S3 Region value. Must look like `us-east-1`.");
+
+        Config {
+            s3_bucket: std::env::var(S3_BUCKET_ENV)
+                .expect(&format!(
+                    "Missing {} env var with S3 bucket name, e.g. stm-subs-j5awwhv9pb9np7d",
+                    S3_BUCKET_ENV
+                ))
+                .trim()
+                .trim_end_matches("/")
+                .to_string(),
+            s3_prefix: std::env::var(S3_PREFIX_ENV)
+                .expect(&format!(
+                    "Missing {} env var with S3 prefix, e.g. `queue`",
+                    S3_PREFIX_ENV
+                ))
+                .trim()
+                .trim_end_matches("/")
+                .to_string(),
+            s3_client: generate_s3_client(s3_region),
+        }
+    }
+}
+
+/// Generates an S3Client with custom settings to match AWS server defaults.
+fn generate_s3_client(s3_region: Region) -> S3Client {
+    let https_connector = HttpsConnector::with_native_roots();
+
+    let cred_prov =
+        DefaultCredentialsProvider::new().expect("Cannot unwrap DefaultCredentialsProvider");
+
+    let mut builder = hyper::Client::builder();
+    builder.pool_idle_timeout(Duration::from_secs(15));
+    builder.http2_keep_alive_interval(Duration::from_secs(5));
+    builder.http2_keep_alive_timeout(Duration::from_secs(3));
+
+    let http_client = HttpClient::from_builder(builder, https_connector);
+
+    S3Client::new_with(http_client, cred_prov, s3_region)
+}

src/handler.rs

@@ -0,0 +1,179 @@
+use crate::s3;
+use crate::{config::Config, Error};
+use base64::decode;
+use lambda_runtime::Context;
+use ring::signature;
+use serde::{Deserialize, Serialize};
+use serde_json::Value;
+use std::collections::HashMap;
+use tracing::{debug, error, info};
+
+#[derive(Serialize, Debug)]
+#[serde(rename_all = "camelCase")]
+struct ApiGatewayResponse {
+    is_base64_encoded: bool,
+    status_code: u32,
+    headers: HashMap<String, String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    body: Option<String>,
+}
+
+#[derive(Deserialize, Debug)]
+struct ApiGatewayRequestHeaders {
+    /// The user public key, which may or may not be known to us at the time of submission.
+    /// A base58 encoded string, e.g. "EFY9NXEytYgBgGsyAeGfXzkBEBQzC9NXFyj47EPdmVLB"
+    stackmuncher_key: Option<String>,
+    /// The signature for the content sent in the body, base58 encoded, e.g.
+    /// "3phLLQyiquyX4xge3CXYGCfb1KdrXQ8cTgBbvE8obwCkcm7vPdLsKT6JtNCdF9qeyjcgF2b4kTRXEsoMTHcQr43n"
+    stackmuncher_sig: Option<String>,
+    /// The IP address of the user. Apparently it is preferred over sourceIp field.
+    /// See https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html
+    #[serde(rename = "x-forwarded-for")]
+    x_forwarded_for: Option<String>,
+}
+
+#[derive(Deserialize, Debug)]
+#[serde(rename_all = "camelCase")]
+struct ApiGatewayRequest {
+    headers: ApiGatewayRequestHeaders,
+    is_base64_encoded: bool,
+    body: Option<String>,
+}
+
+/// A generic error message sent to the user when the request cannot be processed for a reason the user can't do much about.
+const ERROR_500_MSG: &str = "stackmuncher.com failed to process the report. If the error persists, can you log an issue at https://github.com/stackmuncher/stm_inbox/issues?";
+
+pub(crate) async fn my_handler(event: Value, ctx: Context) -> Result<Value, Error> {
+    // these 2 lines are for debugging only to see the raw APIGW request
+    debug!("Event: {}", event);
+    debug!("Context: {:?}", ctx);
+
+    // parse the request
+    let api_request = match serde_json::from_value::<ApiGatewayRequest>(event.clone()) {
+        Err(e) => {
+            error!(
+                "Failed to deser APIGW request due to {}. Request: {}",
+                e, event
+            );
+            return gw_response(Some(ERROR_500_MSG.to_owned()), 500);
+        }
+        Ok(v) => v,
+    };
+
+    info!("Report from IP: {:?}", api_request.headers.x_forwarded_for);
+
+    // these 2 headers are required no matter what
+    if api_request.headers.stackmuncher_key.is_none()
+        || api_request.headers.stackmuncher_sig.is_none()
+    {
+        error!(
+            "Missing a header. Key: {:?}, Sig: {:?}",
+            api_request.headers.stackmuncher_key, api_request.headers.stackmuncher_sig
+        );
+        return gw_response(
+            Some("stackmuncher.com failed to process the report: missing required HTTP headers. If you have not modified the source code it's a bug at stackmuncher.com end.".to_owned()),
+            500,
+        );
+    }
+
+    // get the body contents and decode it if needed
+    let body = match api_request.body {
+        Some(v) => v,
+        None => {
+            error!("Empty body");
+            return gw_response(
+            Some("stackmuncher.com: no report found in the request. It's a bug in the app. Can you log an issue at https://github.com/stackmuncher/stm_inbox/issues?".to_owned()),
+            500,
+        );
+        }
+    };
+    let body = if api_request.is_base64_encoded {
+        match decode(body) {
+            Ok(v) => v,
+            Err(e) => {
+                error!("Failed to decode the body due to: {}", e);
+                return gw_response(Some(ERROR_500_MSG.to_owned()), 500);
+            }
+        }
+    } else {
+        body.as_bytes().into()
+    };
+
+    info!("Body len: {}", body.len());
+    debug!("Body: {}", String::from_utf8_lossy(&body));
+
+    // convert the public key from base58 into bytes
+    let pub_key_bs58 = api_request
+        .headers
+        .stackmuncher_key
+        .expect("Cannot unwrap stackmuncher_key. It's a bug.");
+
+    info!("Report for pub key: {}", pub_key_bs58);
+
+    let pub_key = match bs58::decode(pub_key_bs58.clone()).into_vec() {
+        Ok(v) => v,
+        Err(e) => {
+            error!(
+                "Failed to decode the stackmuncher_key from based58 due to: {}",
+                e
+            );
+            return gw_response(Some(ERROR_500_MSG.to_owned()), 500);
+        }
+    };
+
+    // convert the signature from base58 into bytes
+    let signature = match bs58::decode(
+        api_request
+            .headers
+            .stackmuncher_sig
+            .expect("Cannot unwrap stackmuncher_sig. It's a bug."),
+    )
+    .into_vec()
+    {
+        Ok(v) => v,
+        Err(e) => {
+            error!(
+                "Failed to decode the stackmuncher_key from based58 due to: {}",
+                e
+            );
+            return gw_response(Some(ERROR_500_MSG.to_owned()), 500);
+        }
+    };
+
+    // validate the signature
+    let pub_key = signature::UnparsedPublicKey::new(&signature::ED25519, pub_key);
+    match pub_key.verify(&body, &signature) {
+        Ok(_) => {
+            info!("Signature OK");
+        }
+        Err(e) => {
+            error!("Invalid signature: {}", e);
+            return gw_response(Some("Invalid StackMuncher signature. If the error persists, can you log an issue at https://github.com/stackmuncher/stm_inbox/issues?".to_owned()), 500);
+        }
+    };
+
+    let config = Config::new();
+    s3::upload_to_s3(&config, body, pub_key_bs58).await;
+
+    // render the prepared data as HTML
+    info!("Report stored");
+
+    // Submission accepted - return 200 with no body
+    gw_response(None, 200)
+}
+
+/// Prepares the response with the status and text or json body. May fail and return an error.
+fn gw_response(body: Option<String>, status_code: u32) -> Result<Value, Error> {
+    let mut headers: HashMap<String, String> = HashMap::new();
+    headers.insert("Content-Type".to_owned(), "text/text".to_owned());
+    headers.insert("Cache-Control".to_owned(), "no-store".to_owned());
+
+    let resp = ApiGatewayResponse {
+        is_base64_encoded: false,
+        status_code,
+        headers,
+        body,
+    };
+
+    Ok(serde_json::to_value(resp).expect("Failed to serialize response"))
+}