switch to tlsma

NHSDigital · May 10, 2024 · 0d4c5fb · 0d4c5fb
1 parent 0654a58
commit 0d4c5fb
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 1 deletion.
diff --git a/proxies/live/apiproxy/proxies/default.xml b/proxies/live/apiproxy/proxies/default.xml
@@ -67,7 +67,7 @@
     <Condition>(proxy.pathsuffix MatchesPath "/_status") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
   </RouteRule>
   <RouteRule name="nhse-tsas-solarch-mhdspoc-api-target">
-    <TargetEndpoint>tsas-solarch-mhdpoc-api-target</TargetEndpoint>
+    <TargetEndpoint>tsas-solarch-mhdpoc-api-tlsma-target</TargetEndpoint>
     <Condition>(proxy.pathsuffix MatchesPath "/mhdspoc/**") and ((request.verb = "GET") or (request.verb = "HEAD") or (request.verb = "POST") or (request.verb = "PUT"))</Condition>
   </RouteRule>
   <RouteRule name="nhse-tsas-solarch-demo-api-target">

diff --git a/proxies/live/apiproxy/targets/targetmhdspoctlsma.xml b/proxies/live/apiproxy/targets/targetmhdspoctlsma.xml
@@ -0,0 +1,53 @@
+<TargetEndpoint name="tsas-solarch-mhdpoc-api-tlsma-target">
+  <PreFlow>
+    <Request>
+      <Step>
+        <Name>VerifyApiKey.FromHeader</Name>
+        <Condition>request.header.Authorization Is null</Condition>
+      </Step>
+      <Step>
+        <Name>OauthV2.VerifyAccessTokenAppAllLevels</Name>
+        <Condition>request.header.apikey Is null</Condition>
+      </Step>
+      <Step>
+        <Name>FlowCallout.ApplyRateLimiting</Name>
+      </Step>
+    </Request>
+  </PreFlow>
+  <FaultRules>
+    <FaultRule name="access_token_expired">
+      <Step>
+        <Name>ExtractVariables.OAuthErrorFaultString</Name>
+      </Step>
+      <Step>
+        <Name>AssignMessage.OAuthPolicyErrorResponse</Name>
+      </Step>
+      <Condition>oauthV2.OauthV2.VerifyAccessToken.failed</Condition>
+    </FaultRule>
+  </FaultRules>
+  <!--
+    To point to a named target server as this is how it SHOULD be implemented:
+    For example:
+    <HTTPTargetConnection>
+      <SSLInfo>
+        <Enabled>true</Enabled>
+      </SSLInfo>
+      <LoadBalancer>
+        <Server name="nhse-tsas-solarch-demo-api" />
+      </LoadBalancer>
+    </HTTPTargetConnection>
+  -->
+  <HTTPTargetConnection>
+    <Properties>
+      <Property name="supports.http10">true</Property>
+      <Property name="request.retain.headers">User-Agent,Referer,Accept-Language</Property>
+      <Property name="retain.queryparams">apikey</Property>
+    </Properties>
+    <SSLInfo>
+      <Enabled>false</Enabled>
+    </SSLInfo>
+    <LoadBalancer>
+      <Server name="tsas-solarch-mhdpoc-api-tlsma" />
+    </LoadBalancer>
+  </HTTPTargetConnection>
+</TargetEndpoint>