Merge pull request #58 from TransactionProcessing/task/httpssecurity

Use HTTPS Security Service

Author: StuartFerguson

.gitignore

@@ -228,7 +228,7 @@ ClientBin/
 *.dbmdl
 *.dbproj.schemaview
 *.jfm
-*.pfx
+#*.pfx
 *.publishsettings
 orleans.codegen.cs
 

MessagingService.IntegrationTests/Common/DockerHelper.cs

@@ -171,10 +171,21 @@ public override async Task StartContainersForScenarioRun(String scenarioName)
             this.MessagingServicePort = messagingServiceContainer.ToHostExposedEndpoint("5006/tcp").Port;
 
             // Setup the base address resolvers
-            String SecurityServiceBaseAddressResolver(String api) => $"http://127.0.0.1:{this.SecurityServicePort}";
+            String SecurityServiceBaseAddressResolver(String api) => $"https://127.0.0.1:{this.SecurityServicePort}";
             String MessagingServiceBaseAddressResolver(String api) => $"http://127.0.0.1:{this.MessagingServicePort}";
 
-            HttpClient httpClient = new HttpClient();
+            HttpClientHandler clientHandler = new HttpClientHandler
+                                              {
+                                                  ServerCertificateCustomValidationCallback = (message,
+                                                                                               certificate2,
+                                                                                               arg3,
+                                                                                               arg4) =>
+                                                                                              {
+                                                                                                  return true;
+                                                                                              }
+
+                                              };
+            HttpClient httpClient = new HttpClient(clientHandler);
             this.SecurityServiceClient = new SecurityServiceClient(SecurityServiceBaseAddressResolver, httpClient);
             this.MessagingServiceClient = new MessagingServiceClient(MessagingServiceBaseAddressResolver, httpClient);
         }

MessagingService.IntegrationTests/MessagingService.IntegrationTests.csproj

@@ -8,10 +8,10 @@
 
   <ItemGroup>
     <PackageReference Include="ClientProxyBase" Version="1.0.5" />
-    <PackageReference Include="Ductus.FluentDocker" Version="2.7.3" />
+    <PackageReference Include="Ductus.FluentDocker" Version="2.10.7" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.8.3" />
     <PackageReference Include="SecurityService.Client" Version="1.0.5" />
-    <PackageReference Include="Shared.IntegrationTesting" Version="1.0.5" />
+    <PackageReference Include="Shared.IntegrationTesting" Version="1.0.7" />
     <PackageReference Include="Shouldly" Version="4.0.3" />
     <PackageReference Include="SpecFlow.Tools.MsBuild.Generation" Version="3.5.14" />
     <PackageReference Include="SpecFlow.xUnit" Version="3.5.14" />

MessagingService/Dockerfile

@@ -16,6 +16,11 @@ COPY . .
 WORKDIR "/src/MessagingService"
 RUN dotnet build "MessagingService.csproj" -c Release -o /app/build
 
+# Sort out certificate stuff here
+RUN openssl x509 -inform DER -in /src/MessagingService/aspnetapp-root-cert.cer -out /src/MessagingService/aspnetapp-root-cert.crt
+RUN cp /src/MessagingService/aspnetapp-root-cert.crt /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 FROM build AS publish
 RUN dotnet publish "MessagingService.csproj" -c Release -o /app/publish
 

MessagingService/Startup.cs

@@ -282,17 +282,20 @@ private void ConfigureMiddlewareServices(IServiceCollection services)
             })
                 .AddJwtBearer(options =>
                 {
-                    //options.SaveToken = true;
+                    options.BackchannelHttpHandler = new HttpClientHandler
+                                                     {
+                                                         ServerCertificateCustomValidationCallback =
+                                                             (message, certificate, chain, sslPolicyErrors) => true
+                                                     };
                     options.Authority = ConfigurationReader.GetValue("SecurityConfiguration", "Authority");
                     options.Audience = ConfigurationReader.GetValue("SecurityConfiguration", "ApiName");
-                    options.RequireHttpsMetadata = false;
+
                     options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
-                    {
-                        ValidateIssuer = true,
-                        ValidateAudience = false,
-                        ValidAudience = ConfigurationReader.GetValue("SecurityConfiguration", "ApiName"),
-                        ValidIssuer = ConfigurationReader.GetValue("SecurityConfiguration", "Authority"),
-                    };
+                                                        {
+                                                            ValidateAudience = false,
+                                                            ValidAudience = ConfigurationReader.GetValue("SecurityConfiguration", "ApiName"),
+                                                            ValidIssuer = ConfigurationReader.GetValue("SecurityConfiguration", "Authority"),
+                                                        };
                     options.IncludeErrorDetails = true;
                 });
 

MessagingService/appsettings.json

@@ -24,7 +24,7 @@
     "ApiVersion":  "1.0.9",
     "SubscriptionFilter": "Messaging",
     "UseConnectionStringConfig": false,
-    "SecurityService": "http://192.168.1.133:5001",
+    "SecurityService": "https://192.168.1.133:5001",
     "EmailProxy": "Smtp2Go",
     "SMSProxy": "TheSMSWorks",
     "SMTP2GoBaseAddress": "https://api.smtp2go.com/v3/",
@@ -44,7 +44,7 @@
   },
     "SecurityConfiguration": {
       "ApiName": "messagingService",
-      "Authority": "http://192.168.1.133:5001"
+      "Authority": "https://192.168.1.133:5001"
     },
     "AllowedHosts": "*"
   }