Merge pull request #148 from TransactionProcessing/task/httpssecurityservice

Use HTTPS Security Service

Author: StuartFerguson

TransactionProcessor.IntegrationTests/Common/DockerHelper.cs

@@ -307,10 +307,21 @@ await Retry.For(async () =>
 
             // Setup the base address resolvers
             String EstateManagementBaseAddressResolver(String api) => $"http://127.0.0.1:{this.EstateManagementApiPort}";
-            String SecurityServiceBaseAddressResolver(String api) => $"http://127.0.0.1:{this.SecurityServicePort}";
+            String SecurityServiceBaseAddressResolver(String api) => $"https://127.0.0.1:{this.SecurityServicePort}";
             String TransactionProcessorBaseAddressResolver(String api) => $"http://127.0.0.1:{this.TransactionProcessorPort}";
 
-            HttpClient httpClient = new HttpClient();
+            HttpClientHandler clientHandler = new HttpClientHandler
+                                              {
+                                                  ServerCertificateCustomValidationCallback = (message,
+                                                                                               certificate2,
+                                                                                               arg3,
+                                                                                               arg4) =>
+                                                                                              {
+                                                                                                  return true;
+                                                                                              }
+
+                                              };
+            HttpClient httpClient = new HttpClient(clientHandler);
             this.EstateClient = new EstateClient(EstateManagementBaseAddressResolver, httpClient);
             this.SecurityServiceClient = new SecurityServiceClient(SecurityServiceBaseAddressResolver, httpClient);
             this.TransactionProcessorClient = new TransactionProcessorClient(TransactionProcessorBaseAddressResolver, httpClient);

TransactionProcessor.IntegrationTests/TransactionProcessor.IntegrationTests.csproj

@@ -8,7 +8,7 @@
 
   <ItemGroup>
     <PackageReference Include="ClientProxyBase" Version="1.0.5" />
-    <PackageReference Include="Ductus.FluentDocker" Version="2.7.3" />
+    <PackageReference Include="Ductus.FluentDocker" Version="2.10.7" />
     <PackageReference Include="EstateManagement.Client" Version="1.0.10.2" />
     <PackageReference Include="EstateReporting.Database" Version="1.0.13.1" />
 	<PackageReference Include="EventStore.Client.Grpc.PersistentSubscriptions" Version="20.10.0" />
@@ -17,7 +17,7 @@
     <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="5.0.2" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.8.3" />
     <PackageReference Include="SecurityService.Client" Version="1.0.6.2" />
-    <PackageReference Include="Shared.IntegrationTesting" Version="1.0.5" />
+    <PackageReference Include="Shared.IntegrationTesting" Version="1.0.7" />
     <PackageReference Include="Shouldly" Version="4.0.3" />
     <PackageReference Include="SpecFlow" Version="3.5.14" />
     <PackageReference Include="SpecFlow.Tools.MsBuild.Generation" Version="3.5.14" />

TransactionProcessor/Dockerfile

@@ -14,6 +14,11 @@ COPY . .
 WORKDIR "/src/TransactionProcessor"
 RUN dotnet build "TransactionProcessor.csproj" -c Release -o /app/build
 
+# Sort out certificate stuff here
+RUN openssl x509 -inform DER -in /src/TransactionProcessor/aspnetapp-root-cert.cer -out /src/TransactionProcessor/aspnetapp-root-cert.crt
+RUN cp /src/TransactionProcessor/aspnetapp-root-cert.crt /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 FROM build AS publish
 RUN dotnet publish "TransactionProcessor.csproj" -c Release -o /app/publish
 

TransactionProcessor/Startup.cs

@@ -331,13 +331,16 @@ private void ConfigureMiddlewareServices(IServiceCollection services)
                                       })
                    .AddJwtBearer(options =>
                                  {
-                                     //options.SaveToken = true;
+                                     options.BackchannelHttpHandler = new HttpClientHandler
+                                                                      {
+                                                                          ServerCertificateCustomValidationCallback =
+                                                                              (message, certificate, chain, sslPolicyErrors) => true
+                                                                      };
                                      options.Authority = ConfigurationReader.GetValue("SecurityConfiguration", "Authority");
                                      options.Audience = ConfigurationReader.GetValue("SecurityConfiguration", "ApiName");
-                                     options.RequireHttpsMetadata = false;
+
                                      options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
                                                                          {
-                                                                             ValidateIssuer = true,
                                                                              ValidateAudience = false,
                                                                              ValidAudience = ConfigurationReader.GetValue("SecurityConfiguration", "ApiName"),
                                                                              ValidIssuer = ConfigurationReader.GetValue("SecurityConfiguration", "Authority"),

TransactionProcessor/appsettings.json

@@ -24,7 +24,7 @@
     "HandlerEventTypesToSilentlyHandle": {
     },
     "UseConnectionStringConfig": false,
-    "SecurityService": "http://192.168.1.133:5001",
+    "SecurityService": "https://192.168.1.133:5001",
     "EstateManagementApi": "http://192.168.1.133:5000",
     "MessagingServiceApi": "http://192.168.1.133:5006",
     "VoucherManagementApi": "http://192.168.1.133:5007",
@@ -41,7 +41,7 @@
   },
   "SecurityConfiguration": {
     "ApiName": "transactionProcessor",
-    "Authority": "http://192.168.1.133:5001"
+    "Authority": "https://192.168.1.133:5001"
   },
   "AllowedHosts": "*",
   "OperatorConfiguration": {