pagopa · pasqualedevita · May 12, 2021 · May 7, 2021 · May 12, 2021 · May 12, 2021
@@ -130,7 +130,8 @@ module "spid_login" {
 
     # SPID
     ORG_ISSUER       = "https://spid.agid.gov.it/cd"
-    ORG_URL          = format("https://%s/spid/v1", var.app_gateway_host_name)
+    ORG_URL          = "https://pagopa.gov.it"
+    ACS_BASE_URL     = format("https://%s/spid/v1", var.app_gateway_host_name)
     ORG_DISPLAY_NAME = "Organization display name"
     ORG_NAME         = "Organization name"
 
@@ -153,17 +154,18 @@ module "spid_login" {
     ENABLE_JWT                         = "true"
     INCLUDE_SPID_USER_ON_INTROSPECTION = "true"
 
-    DEFAULT_TOKEN_EXPIRATION = "3600"
-    JWT_TOKEN_EXPIRATION     = "3600" # TODO remove when new version released
-    JWT_TOKEN_ISSUER         = "SPID"
-    JWT_TOKEN_PRIVATE_KEY    = tls_private_key.jwt.private_key_pem
+    TOKEN_EXPIRATION      = "3600"
+    JWT_TOKEN_EXPIRATION  = "3600" # TODO remove when new version released
+    JWT_TOKEN_ISSUER      = "SPID"
+    JWT_TOKEN_PRIVATE_KEY = tls_private_key.jwt.private_key_pem
 
     # ADE
-    ENABLE_ADE_AA       = "true"
-    ADE_AA_API_ENDPOINT = format("https://%s/adeaa/v1", var.app_gateway_host_name)
-    ENDPOINT_L1_SUCCESS = format("https://%s/", module.cdn_portal_frontend.hostname)
-    L1_TOKEN_EXPIRATION = 60
-    L2_TOKEN_EXPIRATION = 3600
+    ENABLE_ADE_AA        = "true"
+    ADE_AA_API_ENDPOINT  = format("https://%s/adeaa/v1", var.app_gateway_host_name)
+    ENDPOINT_L1_SUCCESS  = format("https://%s/", module.cdn_portal_frontend.hostname)
+    L1_TOKEN_EXPIRATION  = 120
+    L1_TOKEN_HEADER_NAME = "x-cgn-token"
+    L2_TOKEN_EXPIRATION  = 3600
 
     # application insights key
     APPINSIGHTS_INSTRUMENTATIONKEY = azurerm_application_insights.application_insights.instrumentation_key
@@ -406,7 +408,10 @@ module "apim_backoffice_api" {
 
   content_value = file("./backoffice_api/swagger.json")
 
-  xml_content = file("./backoffice_api/policy.xml")
+  xml_content = templatefile("./backoffice_api/policy.xml.tpl", {
+    openid_config_url = var.adb2c_openid_config_url
+    audience          = var.adb2c_audience
+  })
 }
 
 module "apim_spid_login_api" {

@@ -17,6 +17,7 @@
         <header>Content-Type</header>
         <header>Authorization</header>
         <header>Accept</header>
+        <header>x-cgn-token</header>
       </allowed-headers>
       <expose-headers>
         <header>*</header>

@@ -0,0 +1,17 @@
+<policies>
+  <inbound>
+    <base />
+    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true" >
+      <openid-config url="${openid_config_url}" />
+      <audiences>
+        <audience>${audience}</audience>
+      </audiences>
+    </validate-jwt>
+    <set-header name="X-CGN-USER-ROLE" exists-action="override">
+      <value>ROLE_ADMIN</value>
+    </set-header>
+  </inbound>
+  <outbound>
+    <base />
+  </outbound>
+</policies>
@@ -8,13 +8,21 @@ resource "azurerm_dns_zone" "public" {
   tags = var.tags
 }
 
+resource "azurerm_dns_zone" "public_uat" {
+  count               = (var.dns_zone_prefix_uat == null || var.external_domain == null) ? 0 : 1
+  name                = join(".", [var.dns_zone_prefix_uat, var.external_domain])
+  resource_group_name = azurerm_resource_group.rg_public.name
+
+  tags = var.tags
+}
+
 resource "azurerm_dns_a_record" "api" {
   count               = var.enable_custom_dns ? 1 : 0
   name                = "api"
   records             = [azurerm_public_ip.apigateway_public_ip.ip_address]
   resource_group_name = azurerm_resource_group.rg_public.name
   ttl                 = 300
-  zone_name           = azurerm_dns_zone.public[0].name
+  zone_name           = var.dns_zone_prefix != null ? azurerm_dns_zone.public[0].name : azurerm_dns_zone.public_uat[0].name
 
   tags = var.tags
 }
@@ -25,7 +33,7 @@ resource "azurerm_dns_cname_record" "frontend" {
   record              = module.cdn_portal_frontend.hostname
   resource_group_name = azurerm_resource_group.rg_public.name
   ttl                 = 300
-  zone_name           = azurerm_dns_zone.public[0].name
+  zone_name           = var.dns_zone_prefix != null ? azurerm_dns_zone.public[0].name : azurerm_dns_zone.public_uat[0].name
 
   tags = var.tags
 }
@@ -43,6 +43,8 @@ resource "azurerm_function_app" "this" {
   app_service_plan_id        = azurerm_app_service_plan.this.id
   storage_account_name       = azurerm_storage_account.this.name
   storage_account_access_key = azurerm_storage_account.this.primary_access_key
+  #tfsec:ignore:AZU028
+  https_only = false
 
   site_config {
     min_tls_version           = "1.2"

@@ -1,6 +1,18 @@
 <policies>
   <inbound>
     <base />
+    <choose>
+      <when condition="@(context.Request.Url.Path == "/upgradeToken" )">
+        <validate-jwt header-name="x-cgn-token" failed-validation-httpcode="401" require-expiration-time="true" require-signed-tokens="true">
+          <issuer-signing-keys>
+            <key certificate-id="jwt-spid-crt" />
+          </issuer-signing-keys>
+          <issuers>
+            <issuer>SPID</issuer>
+          </issuers>
+        </validate-jwt>
+      </when>
+    </choose>
   </inbound>
   <outbound>
     <base />

@@ -124,6 +124,13 @@ variable "dns_zone_prefix" {
   default = null
 }
 
+# TODO
+# these _uat are a temponary resources
+variable "dns_zone_prefix_uat" {
+  type    = string
+  default = null
+}
+
 ## Azure container registry
 variable "sku_container_registry" {
   type    = string
@@ -316,3 +323,14 @@ variable "enable_ade_aa_mock" {
   type    = bool
   default = false
 }
+
+## AD B2C
+variable "adb2c_openid_config_url" {
+  type        = string
+  description = "Azure AD B2C OpenID Connect metadata document"
+}
+
+variable "adb2c_audience" {
+  type        = string
+  description = "recipients that the JWT is intended for"
+}
@@ -238,3 +238,19 @@ resource "tfe_variable" "dev_enable_ade_aa_mock" {
 }
 
 
+
+resource "tfe_variable" "dev_adb2c_openid_config_url" {
+  key          = "adb2c_openid_config_url"
+  value        = "https://testcgnportalbitrock.b2clogin.com/testcgnportalbitrock.onmicrosoft.com/B2C_1_LOGIN/v2.0/.well-known/openid-configuration"
+  category     = "terraform"
+  sensitive    = true
+  workspace_id = data.tfe_workspace.dev.id
+}
+
+resource "tfe_variable" "dev_adb2c_audience" {
+  key          = "adb2c_audience"
+  value        = "5f75f12e-b5a0-4656-b0ff-334bb9d4222f"
+  category     = "terraform"
+  sensitive    = true
+  workspace_id = data.tfe_workspace.dev.id
+}
@@ -111,7 +111,7 @@ resource "tfe_variable" "uat_enable_custom_dns" {
 
 resource "tfe_variable" "uat_app_gateway_host_name" {
   key          = "app_gateway_host_name"
-  value        = "uat.cgnonboardingportal.pagopa.it"
+  value        = "api.cgnonboardingportal-uat.pagopa.it"
   category     = "terraform"
   workspace_id = data.tfe_workspace.uat.id
   description  = "Application gateway host name. CreatedBy Terraform"
@@ -239,3 +239,19 @@ resource "tfe_variable" "uat_enable_ade_aa_mock" {
   category     = "terraform"
   workspace_id = data.tfe_workspace.uat.id
 }
+
+resource "tfe_variable" "uat_adb2c_openid_config_url" {
+  key          = "adb2c_openid_config_url"
+  value        = "https://cgnonboardingportaluat.b2clogin.com/cgnonboardingportaluat.onmicrosoft.com/B2C_1_login/v2.0/.well-known/openid-configuration"
+  category     = "terraform"
+  sensitive    = true
+  workspace_id = data.tfe_workspace.uat.id
+}
+
+resource "tfe_variable" "uat_adb2c_audience" {
+  key          = "adb2c_audience"
+  value        = "2416d411-9cbb-4d4c-a902-2570f031b9f0"
+  category     = "terraform"
+  sensitive    = true
+  workspace_id = data.tfe_workspace.uat.id
+}