From 9108321b5cab3a7ce596406cc6a1871d45ae462e Mon Sep 17 00:00:00 2001
From: Stuart Ferguson
Date: Thu, 17 Jun 2021 18:46:33 +0100
Subject: [PATCH] Use HTTPS Security Service
---
 .../Common/DockerHelper.cs | 15 ++++++--
 ...actionProcessorACL.IntegrationTests.csproj | 4 +--
 TransactionProcessorACL/Dockerfile | 5 +++
 TransactionProcessorACL/Startup.cs | 34 ++++++++++++------
 TransactionProcessorACL/appsettings.json | 4 +--
 .../aspnetapp-root-cert.cer | Bin 0 -> 820 bytes
 6 files changed, 46 insertions(+), 16 deletions(-)
 create mode 100644 TransactionProcessorACL/aspnetapp-root-cert.cer
diff --git a/TransactionProcessorACL.IntegrationTests/Common/DockerHelper.cs b/TransactionProcessorACL.IntegrationTests/Common/DockerHelper.cs
index f61b827..b674c33 100644
--- a/TransactionProcessorACL.IntegrationTests/Common/DockerHelper.cs
+++ b/TransactionProcessorACL.IntegrationTests/Common/DockerHelper.cs
@@ -300,11 +300,22 @@ await Retry.For(async () =>
             // Setup the base address resolvers
             String EstateManagementBaseAddressResolver(String api) => $"http://127.0.0.1:{this.EstateManagementApiPort}";
-            String SecurityServiceBaseAddressResolver(String api) => $"http://127.0.0.1:{this.SecurityServicePort}";
+            String SecurityServiceBaseAddressResolver(String api) => $"https://127.0.0.1:{this.SecurityServicePort}";
             String TransactionProcessorBaseAddressResolver(String api) => $"http://127.0.0.1:{this.TransactionProcessorPort}";
             String TransactionProcessorAclBaseAddressResolver(String api) => $"http://127.0.0.1:{this.TransactionProcessorACLPort}";
-            HttpClient httpClient = new HttpClient();
+            HttpClientHandler clientHandler = new HttpClientHandler
+            {
+                ServerCertificateCustomValidationCallback = (message,
+                                                             certificate2,
+                                                             arg3,
+                                                             arg4) =>
+                {
+                    return true;
+                }
+
+            };
+            HttpClient httpClient = new HttpClient(clientHandler);
             this.EstateClient = new EstateClient(EstateManagementBaseAddressResolver, httpClient);
             this.SecurityServiceClient = new SecurityServiceClient(SecurityServiceBaseAddressResolver, httpClient);
             this.TransactionProcessorClient = new TransactionProcessorClient(TransactionProcessorBaseAddressResolver, httpClient);
diff --git a/TransactionProcessorACL.IntegrationTests/TransactionProcessorACL.IntegrationTests.csproj b/TransactionProcessorACL.IntegrationTests/TransactionProcessorACL.IntegrationTests.csproj
index 3696605..0210cab 100644
--- a/TransactionProcessorACL.IntegrationTests/TransactionProcessorACL.IntegrationTests.csproj
+++ b/TransactionProcessorACL.IntegrationTests/TransactionProcessorACL.IntegrationTests.csproj
@@ -8,7 +8,7 @@
-
+
@@ -17,7 +17,7 @@
-
+
diff --git a/TransactionProcessorACL/Dockerfile b/TransactionProcessorACL/Dockerfile
index 90730c5..6a0d2ab 100644
--- a/TransactionProcessorACL/Dockerfile
+++ b/TransactionProcessorACL/Dockerfile
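Review bot: `ServerCertificateCustomValidationCallback = (message, certificate2, arg3, arg4) => { return true; }` accepts any server certificate for every client built on this handler, not only the Security Service one, and the identical callback is copied verbatim into Startup.cs in both the `ConfigureServices` and the `AddJwtBearer` hunks of this commit, where it runs in the deployed service rather than in a test harness. In this integration-test helper the bypass is tolerable, but the Dockerfile in the same commit installs aspnetapp-root-cert.cer into the system trust store precisely so that ordinary chain validation can succeed, and an unconditional accept-all callback makes that install irrelevant. Proposed for the two Startup.cs copies: drop the callback and rely on the installed root CA, or, if a bypass is still wanted for local runs, gate it on the hosting environment, e.g. `ServerCertificateCustomValidationCallback = env.IsDevelopment() ? HttpClientHandler.DangerousAcceptAnyServerCertificateValidator : null` (this presumes an IWebHostEnvironment is reachable from Startup, which is not visible here); the framework-provided validator at least names what it does. The enclosing method starts and ends outside this hunk.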
@@ -13,6 +13,11 @@ COPY . .
 WORKDIR "/src/TransactionProcessorACL"
 RUN dotnet build "TransactionProcessorACL.csproj" -c Release -o /app/build
+# Sort out certificate stuff here
+RUN openssl x509 -inform DER -in /src/TransactionProcessorACL/aspnetapp-root-cert.cer -out /src/TransactionProcessorACL/aspnetapp-root-cert.crt
+RUN cp /src/TransactionProcessorACL/aspnetapp-root-cert.crt /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 FROM build AS publish
 RUN dotnet publish "TransactionProcessorACL.csproj" -c Release -o /app/publish
diff --git a/TransactionProcessorACL/Startup.cs b/TransactionProcessorACL/Startup.cs
index 146c59c..f4500a5 100644
--- a/TransactionProcessorACL/Startup.cs
+++ b/TransactionProcessorACL/Startup.cs
@@ -89,7 +89,18 @@ public void ConfigureServices(IServiceCollection services)
                                                         {
                                                             return ConfigurationReader.GetBaseServerUri(serviceName).OriginalString;
                                                         });
-            services.AddSingleton();
+            HttpClientHandler httpClientHandler = new HttpClientHandler
+            {
+                ServerCertificateCustomValidationCallback = (message,
+                                                             certificate2,
+                                                             arg3,
+                                                             arg4) =>
+                {
+                    return true;
+                }
+            };
+            HttpClient httpClient = new HttpClient(httpClientHandler);
+            services.AddSingleton(httpClient);
         }
         private void ConfigureMiddlewareServices(IServiceCollection services)
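Review bot: The three new `RUN` lines that convert aspnetapp-root-cert.cer and call `update-ca-certificates` execute in the `build` stage, and the hunk then continues into `FROM build AS publish`; if the runtime image is produced by a later stage based on a different image (the usual `FROM base AS final` layout, which is outside this hunk), the trusted CA lives only in the build layers and the running service will still not trust the certificate presented by the Security Service. Either repeat the install in the final stage, or COPY the generated .crt into it and run `update-ca-certificates` there, and it is worth checking by running the container rather than by the build succeeding. The `# Sort out certificate stuff here` comment should also say what the file is and why the conversion is needed, e.g. `# Trust the root CA (presumably the one the Security Service's TLS certificate chains to): convert DER .cer to PEM .crt, which update-ca-certificates expects`.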
@@ -154,17 +165,20 @@ private void ConfigureMiddlewareServices(IServiceCollection services)
                     })
                     .AddJwtBearer(options =>
                     {
-                        //options.SaveToken = true;
-                        options.Authority = ConfigurationReader.GetValue("SecurityConfiguration", "Authority");
+                        options.BackchannelHttpHandler = new HttpClientHandler
+                        {
+                            ServerCertificateCustomValidationCallback =
+                                (message, certificate, chain, sslPolicyErrors) => true
+                        };
+                        options.Authority = ConfigurationReader.GetValue("SecurityConfiguration", "Authority");
                         options.Audience = ConfigurationReader.GetValue("SecurityConfiguration", "ApiName");
-                        options.RequireHttpsMetadata = false;
+
                         options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
-                        {
-                            ValidateIssuer = true,
-                            ValidateAudience = false,
-                            ValidAudience = ConfigurationReader.GetValue("SecurityConfiguration", "ApiName"),
-                            ValidIssuer = ConfigurationReader.GetValue("SecurityConfiguration", "Authority"),
-                        };
+                        {
+                            ValidateAudience = false,
+                            ValidAudience = ConfigurationReader.GetValue("SecurityConfiguration", "ApiName"),
+                            ValidIssuer = ConfigurationReader.GetValue("SecurityConfiguration", "Authority"),
+                        };
                         options.IncludeErrorDetails = true;
                     });
diff --git a/TransactionProcessorACL/appsettings.json b/TransactionProcessorACL/appsettings.json
index 0c7e520..5f98c58 100644
--- a/TransactionProcessorACL/appsettings.json
+++ b/TransactionProcessorACL/appsettings.json
@@ -7,7 +7,7 @@
     }
   },
   "AppSettings": {
-    "SecurityService": "http://192.168.1.133:5001",
+    "SecurityService": "https://192.168.1.133:5001",
     "ClientId": "serviceClient",
     "ClientSecret": "d192cbc46d834d0da90e8a9d50ded543",
     "TransactionProcessorApi": "http://192.168.1.133:5002",
@@ -15,7 +15,7 @@
   },
   "SecurityConfiguration": {
     "ApiName": "transactionProcessorACL",
-    "Authority": "http://192.168.1.133:5001"
+    "Authority": "https://192.168.1.133:5001"
   },
   "AllowedHosts": "*"
 }
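Review bot: `options.BackchannelHttpHandler` with `(message, certificate, chain, sslPolicyErrors) => true` turns off certificate validation on the channel the bearer handler uses to fetch the authority's discovery document and signing keys, so the keys every incoming token is checked against arrive from a peer that is never authenticated; that undermines token validation itself and is a more serious case than the same callback on the outbound API clients. Since this commit also adds the root CA to the image trust store (Dockerfile hunk), the handler should be removable outright, and if it has to stay for local runs it should be conditional on the hosting environment rather than unconditional. Dropping `options.RequireHttpsMetadata = false;` is the right direction and should be kept. Removing `ValidateIssuer = true` is behaviour-neutral because TokenValidationParameters defaults it to true, but the explicit line documented the intent next to `ValidIssuer`; a comment such as `// Issuer validation is on by default; ValidIssuer pins it to the configured authority` would preserve that. ConfigureMiddlewareServices continues outside this hunk on both sides.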
diff --git a/TransactionProcessorACL/aspnetapp-root-cert.cer b/TransactionProcessorACL/aspnetapp-root-cert.cer new file mode 100644 index 0000000000000000000000000000000000000000..c6ac5e9f3677496ffe9fec8bc89ca0d05242761b GIT binary patch literal 820 zcmXqLVm2^nVv<-B529l|{`9b;lCC;fuB?fZhyherwW(Jmq zW~N34=21Yd5twUk2;!1vSQDcXvSS!o8JL?G`56qF7`d357#SJPbMn7_psIgsmgCt4 z)>)EyE!Pq*|6aP7r}DTmXTuZg)k>_%oLc{*H_q(eJyEN0I-mQq3I|`YBYg7RC9L^> z?=mv3oTOSN`NE(1td;5C%@6k%N9_1-7|rWaa!s!LT=R<*-fv>>5B={eU%G409p*-1 z|CEQVdY2RCoBzDNe|p8-wRS!gM|V3#UM-ujQFwMxkh8<0aF)5t!kyaFUHQJ>PYlyA znb=*k@zsKJRf>(vT26+BUjJ&ueicJU)zGG-7`8mVR?{aW4FEU z^_U}!tE9?ih2FdqUmf{aU0KKeyy6^FnT>gCH_K_JYTJGY=SpI!nNwzbUwPe?)61{S zPCkEd(G}6!T~F8K z_cN}QH;#U*+Styz@N>MKafg6uq!O$4l)BwnFaFE!+Ob;f(CWrDQ=Dcc-qc^FUwm@Q zw|8R38J@-yqx&Yg*=7AGo3o_gWohWMxFcKte`>$vwUE2OI&HauiNVxMUY>t-S02y3 s#CsyC;o!?%TU^YZNN8Qr=YKWPPI1c#4euZ?=X+5T)cc-3k#9-@0CM