From 453738d658aff579d9de8927fba02225f251c415 Mon Sep 17 00:00:00 2001
From: Stuart Ferguson
Date: Thu, 17 Jun 2021 12:43:43 +0100
Subject: [PATCH] Use HTTPS Security Service
---
.../Common/DockerHelper.cs | 15 +++++++++++++--
.../TransactionProcessor.IntegrationTests.csproj | 4 ++--
TransactionProcessor/Dockerfile | 5 +++++
TransactionProcessor/Startup.cs | 9 ++++++---
TransactionProcessor/appsettings.json | 4 ++--
TransactionProcessor/aspnetapp-root-cert.cer | Bin 0 -> 820 bytes
6 files changed, 28 insertions(+), 9 deletions(-)
create mode 100644 TransactionProcessor/aspnetapp-root-cert.cer
diff --git a/TransactionProcessor.IntegrationTests/Common/DockerHelper.cs b/TransactionProcessor.IntegrationTests/Common/DockerHelper.cs
index de877170..186c65a9 100644
--- a/TransactionProcessor.IntegrationTests/Common/DockerHelper.cs
+++ b/TransactionProcessor.IntegrationTests/Common/DockerHelper.cs
@@ -307,10 +307,21 @@ await Retry.For(async () =>
 // Setup the base address resolvers
 String EstateManagementBaseAddressResolver(String api) => $"http://127.0.0.1:{this.EstateManagementApiPort}";
- String SecurityServiceBaseAddressResolver(String api) => $"http://127.0.0.1:{this.SecurityServicePort}";
+ String SecurityServiceBaseAddressResolver(String api) => $"https://127.0.0.1:{this.SecurityServicePort}";
 String TransactionProcessorBaseAddressResolver(String api) => $"http://127.0.0.1:{this.TransactionProcessorPort}";
- HttpClient httpClient = new HttpClient();
+ HttpClientHandler clientHandler = new HttpClientHandler
+ {
+ ServerCertificateCustomValidationCallback = (message,
+ certificate2,
+ arg3,
+ arg4) =>
+ {
+ return true;
+ }
+
+ };
+ HttpClient httpClient = new HttpClient(clientHandler);
 this.EstateClient = new EstateClient(EstateManagementBaseAddressResolver, httpClient);
 this.SecurityServiceClient = new SecurityServiceClient(SecurityServiceBaseAddressResolver, httpClient);
 this.TransactionProcessorClient = new TransactionProcessorClient(TransactionProcessorBaseAddressResolver, httpClient);
diff --git a/TransactionProcessor.IntegrationTests/TransactionProcessor.IntegrationTests.csproj b/TransactionProcessor.IntegrationTests/TransactionProcessor.IntegrationTests.csproj
index 0618d973..9e298c5b 100644
--- a/TransactionProcessor.IntegrationTests/TransactionProcessor.IntegrationTests.csproj
+++ b/TransactionProcessor.IntegrationTests/TransactionProcessor.IntegrationTests.csproj
@@ -8,7 +8,7 @@
-
+
@@ -17,7 +17,7 @@
-
+
diff --git a/TransactionProcessor/Dockerfile b/TransactionProcessor/Dockerfile
index d14444fa..ffcf9b8b 100644
--- a/TransactionProcessor/Dockerfile
+++ b/TransactionProcessor/Dockerfile
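Review bot: The `ServerCertificateCustomValidationCallback` on `clientHandler` returns `true` unconditionally, which disables server certificate validation for every HTTPS request made through the shared `httpClient` (all three clients receive it), and the same pattern is added in the Startup.cs hunk where it applies to the production JWT back-channel. Because this commit also ships `aspnetapp-root-cert.cer`, the test can trust that root rather than everything: load it into an `X509Certificate2 trustedRoot` and use `(message, certificate, chain, sslPolicyErrors) => sslPolicyErrors == SslPolicyErrors.None || chain.ChainElements[chain.ChainElements.Count - 1].Certificate.Thumbprint == trustedRoot.Thumbprint` (`SslPolicyErrors` is in `System.Net.Security`), which still accepts the self-issued dev chain but rejects any other issuer. As a matter of style, `certificate2`, `arg3`, `arg4` are IDE placeholder names; `chain` and `sslPolicyErrors`, as used in Startup.cs, say what the parameters are, and the block-bodied `{ return true; }` could be an expression body. The enclosing method continues outside the hunk.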
@@ -14,6 +14,11 @@ COPY . .
 WORKDIR "/src/TransactionProcessor"
 RUN dotnet build "TransactionProcessor.csproj" -c Release -o /app/build
+# Sort out certificate stuff here
+RUN openssl x509 -inform DER -in /src/TransactionProcessor/aspnetapp-root-cert.cer -out /src/TransactionProcessor/aspnetapp-root-cert.crt
+RUN cp /src/TransactionProcessor/aspnetapp-root-cert.crt /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 FROM build AS publish
 RUN dotnet publish "TransactionProcessor.csproj" -c Release -o /app/publish
diff --git a/TransactionProcessor/Startup.cs b/TransactionProcessor/Startup.cs
index 4ca09dba..747e6306 100644
--- a/TransactionProcessor/Startup.cs
+++ b/TransactionProcessor/Startup.cs
@@ -331,13 +331,16 @@ private void ConfigureMiddlewareServices(IServiceCollection services)
 })
 .AddJwtBearer(options =>
 {
- //options.SaveToken = true;
+ options.BackchannelHttpHandler = new HttpClientHandler
+ {
+ ServerCertificateCustomValidationCallback =
+ (message, certificate, chain, sslPolicyErrors) => true
+ };
 options.Authority = ConfigurationReader.GetValue("SecurityConfiguration", "Authority");
 options.Audience = ConfigurationReader.GetValue("SecurityConfiguration", "ApiName");
- options.RequireHttpsMetadata = false;
+
 options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
 {
- ValidateIssuer = true,
 ValidateAudience = false,
 ValidAudience = ConfigurationReader.GetValue("SecurityConfiguration", "ApiName"),
 ValidIssuer = ConfigurationReader.GetValue("SecurityConfiguration", "Authority"),
diff --git a/TransactionProcessor/appsettings.json b/TransactionProcessor/appsettings.json
index 6b7988a6..7162c6ef 100644
--- a/TransactionProcessor/appsettings.json
+++ b/TransactionProcessor/appsettings.json
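Review bot: The three `RUN` lines install the root certificate into the trust store of the `build` stage, but in a multi-stage Dockerfile the runtime image is normally a separate `FROM` stage that only receives the `COPY --from=publish` output, so the `update-ca-certificates` result presumably never reaches the container that actually runs the service (the final stage is outside this hunk; please confirm). If so, the install belongs in the runtime stage, where the conversion and trust-store update can be a single layer: `RUN openssl x509 -inform DER -in aspnetapp-root-cert.cer -out /usr/local/share/ca-certificates/aspnetapp-root-cert.crt && update-ca-certificates`. The comment `# Sort out certificate stuff here` should say what is being trusted and why, e.g. `# Add the dev root CA (aspnetapp-root-cert.cer) to the system trust store so the HTTPS Security Service chain validates`.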
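Review bot: `options.BackchannelHttpHandler` with a callback that always returns `true` makes the discovery/JWKS back-channel accept any server certificate, so the root CA this same commit installs via `update-ca-certificates` is bypassed for precisely the connection that fetches the token-signing keys, and restoring `RequireHttpsMetadata` to its default gains little while this handler is in place. Prefer to rely on the trusted root and drop the handler, or at least assign it only under an explicit development-only configuration value read through the existing `ConfigurationReader.GetValue("SecurityConfiguration", ...)` pattern (key of your choosing), with a comment stating it must never be set in production. Removing `ValidateIssuer = true` is behaviour-neutral because that is the `TokenValidationParameters` default, but the explicit line next to `ValidateAudience = false` documented the intent; consider keeping it. `ConfigureMiddlewareServices` continues outside the hunk.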
@@ -24,7 +24,7 @@
 "HandlerEventTypesToSilentlyHandle": {
 },
 "UseConnectionStringConfig": false,
- "SecurityService": "http://192.168.1.133:5001",
+ "SecurityService": "https://192.168.1.133:5001",
 "EstateManagementApi": "http://192.168.1.133:5000",
 "MessagingServiceApi": "http://192.168.1.133:5006",
 "VoucherManagementApi": "http://192.168.1.133:5007",
@@ -41,7 +41,7 @@
 },
 "SecurityConfiguration": {
 "ApiName": "transactionProcessor",
- "Authority": "http://192.168.1.133:5001"
+ "Authority": "https://192.168.1.133:5001"
 },
 "AllowedHosts": "*",
 "OperatorConfiguration": {
diff --git a/TransactionProcessor/aspnetapp-root-cert.cer b/TransactionProcessor/aspnetapp-root-cert.cer
new file mode 100644
index 0000000000000000000000000000000000000000..c6ac5e9f3677496ffe9fec8bc89ca0d05242761b
GIT binary patch
literal 820 zcmXqLVm2^nVv<-B529l|{`9b;lCC;fuB?fZhyherwW(Jmq zW~N34=21Yd5twUk2;!1vSQDcXvSS!o8JL?G`56qF7`d357#SJPbMn7_psIgsmgCt4 z)>)EyE!Pq*|6aP7r}DTmXTuZg)k>_%oLc{*H_q(eJyEN0I-mQq3I|`YBYg7RC9L^> z?=mv3oTOSN`NE(1td;5C%@6k%N9_1-7|rWaa!s!LT=R<*-fv>>5B={eU%G409p*-1 z|CEQVdY2RCoBzDNe|p8-wRS!gM|V3#UM-ujQFwMxkh8<0aF)5t!kyaFUHQJ>PYlyA znb=*k@zsKJRf>(vT26+BUjJ&ueicJU)zGG-7`8mVR?{aW4FEU z^_U}!tE9?ih2FdqUmf{aU0KKeyy6^FnT>gCH_K_JYTJGY=SpI!nNwzbUwPe?)61{S zPCkEd(G}6!T~F8K z_cN}QH;#U*+Styz@N>MKafg6uq!O$4l)BwnFaFE!+Ob;f(CWrDQ=Dcc-qc^FUwm@Q zw|8R38J@-yqx&Yg*=7AGo3o_gWohWMxFcKte`>$vwUE2OI&HauiNVxMUY>t-S02y3 s#CsyC;o!?%TU^YZNN8Qr=YKWPPI1c#4euZ?=X+5T)cc-3k#9-@0CM
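Review bot: With `Authority` now `https://192.168.1.133:5001`, bearer validation compares each token's `iss` claim against this exact string (Startup.cs feeds `ValidIssuer` from the same key), so the security service must itself advertise an `https://…` issuer or every token will be rejected; worth checking its issuer setting alongside this change. Since the authority is an IP address rather than a host name, the server certificate also needs `192.168.1.133` as an IP SAN for chain validation to succeed once the permissive validation callbacks are removed, which I cannot confirm from the shipped `.cer` here.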