Merge pull request #1673 from hmcts/PAY-6704-API-Policy-Update-APIM
PAY-6704: Update to API Policy and corrections to subscriptions
davejones74 authored Jul 29, 2024
2 parents 2050387 + 347a8f3 commit 5871c33
Showing 6 changed files with 103 additions and 7 deletions.
2 changes: 1 addition & 1 deletion infrastructure/.terraform-version
@@ -1 +1 @@
1.7.5
1.8.5
2 changes: 1 addition & 1 deletion infrastructure/cft-api-mgmt-subscriptions.tf
Expand Up @@ -10,7 +10,7 @@ resource "azurerm_api_management_subscription" "fee_pay_team_telephony_subscript
provider = azurerm.aks-cftapps
}

resource "azurerm_key_vault_secret" "fee_pay_team_bulk_scan_subscription_key" {
resource "azurerm_key_vault_secret" "fee_pay_team_telephony_subscription_key" {
name = "fee-pay-team-telephony-cft-apim-subscription-key"
value = azurerm_api_management_subscription.fee_pay_team_telephony_subscription.primary_key
key_vault_id = data.azurerm_key_vault.payment_key_vault.id
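Review bot: Renaming the resource block from `azurerm_key_vault_secret.fee_pay_team_bulk_scan_subscription_key` to `azurerm_key_vault_secret.fee_pay_team_telephony_subscription_key` changes its Terraform address, so the next apply will plan to destroy the existing `fee-pay-team-telephony-cft-apim-subscription-key` secret and create a new one rather than keep the current object. A `moved { from = azurerm_key_vault_secret.fee_pay_team_bulk_scan_subscription_key  to = azurerm_key_vault_secret.fee_pay_team_telephony_subscription_key }` block next to the resource preserves the state entry with no replacement. On a vault with soft-delete enabled, a destroy-then-create of a secret with the same name may also fail or race against the soft-deleted version, which is worth confirming before this is applied to a live environment.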
15 changes: 13 additions & 2 deletions infrastructure/cft-api-mgmt.tf
Expand Up @@ -6,6 +6,17 @@ locals {
cft_api_mgmt_rg = join("-", ["cft", var.env, "network-rg"])
}

data "template_file" "cft_policy_template" {
template = file(join("", [path.module, "/template/cft-api-policy.xml"]))

vars = {
allowed_certificate_thumbprints = local.thumbprints_in_quotes_str
s2s_client_id = data.azurerm_key_vault_secret.s2s_client_id.value
s2s_client_secret = data.azurerm_key_vault_secret.s2s_client_secret.value
s2s_base_url = local.s2sUrl
}
}

module "cft_api_mgmt_product" {
source = "git@github.com:hmcts/cnp-module-api-mgmt-product?ref=master"
name = var.product_name
Expand All @@ -27,9 +38,9 @@ module "cft_api_mgmt_api" {
api_mgmt_rg = local.cft_api_mgmt_rg
product_id = module.cft_api_mgmt_product.product_id
path = local.api_base_path
protocols = ["http", "https"]
service_url = "http://payment-api-${var.env}.service.core-compute-${var.env}.internal"
swagger_url = "https://raw.githubusercontent.com/hmcts/cnp-api-docs/master/docs/specs/ccpay-payment-app.telephony.json"
protocols = ["http", "https"]
revision = "1"
providers = {
azurerm = azurerm.aks-cftapps
Expand All @@ -41,7 +52,7 @@ module "cft_api_mgmt_policy" {
api_mgmt_name = local.cft_api_mgmt_name
api_mgmt_rg = local.cft_api_mgmt_rg
api_name = module.cft_api_mgmt_api.name
api_policy_xml_content = data.template_file.policy_template.rendered
api_policy_xml_content = data.template_file.cft_policy_template.rendered
providers = {
azurerm = azurerm.aks-cftapps
}
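Review bot: The new `data "template_file" "cft_policy_template"` block in the first hunk relies on the hashicorp/template provider, which is deprecated and no longer receives builds for newer platforms; the built-in `templatefile()` function takes the same template syntax and the same vars map, so the data source can be dropped and the third hunk's `api_policy_xml_content` argument can call it directly, as in the rewrite below. This also matters for the secret: `rendered` is a data-source output, so the policy body containing `s2s_client_secret` in plaintext is likely to appear unredacted in plan output and state, whereas a `templatefile()` result inherits the sensitive marking of `data.azurerm_key_vault_secret.s2s_client_secret.value` (worth confirming on a plan). Longer term, a Key Vault-backed APIM named value referenced from the policy keeps the secret out of the rendered document altogether.
```hcl
module "cft_api_mgmt_policy" {
  # … unchanged: api_mgmt_name / api_mgmt_rg / api_name …
  api_policy_xml_content = templatefile("${path.module}/template/cft-api-policy.xml", {
    allowed_certificate_thumbprints = local.thumbprints_in_quotes_str
    s2s_client_id                   = data.azurerm_key_vault_secret.s2s_client_id.value
    s2s_client_secret               = data.azurerm_key_vault_secret.s2s_client_secret.value
    s2s_base_url                    = local.s2sUrl
  })
  # … unchanged: providers …
}
```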
9 changes: 8 additions & 1 deletion infrastructure/demo.tfvars
@@ -1,5 +1,12 @@
# API Gateway Thumbprint
# Last three thumbprints are for the new API Gateway
# "7744A2F56BD3B73C0D7FED61309E1C65AF08538C" - Shravan test cert
# "BFE89B4BA1F47E048CFDF125C2E1BB4E2CC26083" - Dave test cert
# "3D4A8AD0F5EF4779347B0E448ABC1ADC4D61BDF9" - Exela Cert (old)
# "792265A947D0C76D4F67A0878B1D06E60976DFDA" - Exela Cert (current)
# "7620DCB455C20A072D8B613434CED819E48BD843" - New Exela Cert (testing app-gateway)
aks_subscription_id = "d025fece-ce99-4df2-b7a9-b649d3ff2060"
telephony_api_gateway_certificate_thumbprints = ["B1BF8007527F85085D7C4A3DC406A9A6D124D721", "68EDF481C5394D65962E9810913455D3EC635FA5", "13D1848E8B050CE55E4D41A35A60FF4A17E686A6", "C46826BF1E82DF37664F7A3678E6498D056DA4A9", "B660C97A7CC2734ABD41FBF9F6ADAA61B0C399D4"]
telephony_api_gateway_certificate_thumbprints = ["B1BF8007527F85085D7C4A3DC406A9A6D124D721", "68EDF481C5394D65962E9810913455D3EC635FA5", "13D1848E8B050CE55E4D41A35A60FF4A17E686A6", "C46826BF1E82DF37664F7A3678E6498D056DA4A9", "B660C97A7CC2734ABD41FBF9F6ADAA61B0C399D4", "BFE89B4BA1F47E048CFDF125C2E1BB4E2CC26083", "7620DCB455C20A072D8B613434CED819E48BD843"]
sku_name = "GP_Gen5_2"
flexible_sku_name = "GP_Standard_D2s_v3"
sku_capacity = "2"
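Review bot: The new comment block does not describe the list it sits above: of the five thumbprints it documents only `BFE89B4BA1F47E048CFDF125C2E1BB4E2CC26083` and `7620DCB455C20A072D8B613434CED819E48BD843` are in `telephony_api_gateway_certificate_thumbprints`, `792265A947D0C76D4F67A0878B1D06E60976DFDA` labelled "Exela Cert (current)" is absent, and the five entries that were already in the list have no label, so a reader cannot tell which entries are live and which are stale. The line `# Last three thumbprints are for the new API Gateway` also appears not to match the labels that follow it, since the last two list entries are described as a personal test cert and a testing cert. An entry in this list is equivalent to a credential for the telephony API, so each test-cert line should name an owner and a removal date, e.g. `# "BFE89B4BA1F47E048CFDF125C2E1BB4E2CC26083" - Dave test cert - remove after <DATE>` (placeholder), and the list itself would be easier to audit as one entry per line with its label beside it.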
4 changes: 2 additions & 2 deletions infrastructure/state.tf
Expand Up @@ -4,11 +4,11 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.40"
version = "~> 3.112.0"
}
azuread = {
source = "hashicorp/azuread"
version = "2.47.0"
version = "2.51.0"
}
}
}
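--- /dev/null
+++ b/infrastructure/template/cft-api-policy.xml
@@ -0,0 +1,78 @@
+<policies>
+<backend>
+<base/>
+</backend>
+<inbound>
+<base/>
+<choose>
+<when condition="@(context.Request.Headers["X-ARR-ClientCertThumbprint"] == null)">
+<return-response>
+<set-status code="401" />
+<set-body>Missing client certificate.</set-body>
+</return-response>
+</when>
+<when condition="@(!(new string[] {${allowed_certificate_thumbprints}}.Contains(context.Request.Headers[&quot;X-ARR-ClientCertThumbprint&quot;].First().ToUpperInvariant())))">
+<return-response>
+<set-status code="401" />
+<set-body>Invalid client certificate.</set-body>
+</return-response>
+</when>
+<!-- <when condition="@(context.Request.Certificate == null || context.Request.Certificate.NotAfter < DateTime.Now || context.Request.Certificate.NotBefore > DateTime.Now || !(new string[] {${allowed_certificate_thumbprints}}.Any(c => c == context.Request.Certificate.Thumbprint)))" >-->
+<!-- <return-response>-->
+<!-- <set-status code="401" />-->
+<!-- <set-body>Invalid client certificate. Please check expiry.</set-body>-->
+<!-- </return-response>-->
+<!-- </when>-->
+</choose>
+<!-- generate totp -->
+<set-variable name="client_id" value="${s2s_client_id}" />
+<set-variable name="client_secret" value="${s2s_client_secret}" />
+<set-variable name="one_time_password" value="@{
+const string Base32AllowedCharacters = &quot;ABCDEFGHIJKLMNOPQRSTUVWXYZ234567&quot;;
+var bits = &quot;${s2s_client_secret}&quot;.ToUpper().ToCharArray().Select(c => Convert.ToString(Base32AllowedCharacters.IndexOf(c), 2).PadLeft(5, '0')).Aggregate((a, b) => a + b);
+var secretKeyBytes = Enumerable.Range(0, bits.Length / 8).Select(i => Convert.ToByte(bits.Substring(i * 8, 8), 2)).ToArray();
+var unixTimestamp = (long) (DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds;
+var timeIndex = unixTimestamp / 30;
+byte[] challenge = BitConverter.GetBytes(timeIndex);
+if (BitConverter.IsLittleEndian) {
+Array.Reverse(challenge);
+}
+HMACSHA1 hmac = new HMACSHA1(secretKeyBytes);
+byte[] hash = hmac.ComputeHash(challenge);
+int offset = hash[19] &amp; 0xf;
+int truncatedHash = hash[offset] &amp; 0x7f;
+for (int i = 1; i &lt; 4; i++)
+{
+truncatedHash &lt;&lt;= 8;
+truncatedHash |= hash[offset + i] &amp; 0xff;
+}
+truncatedHash %= 1000000;
+return truncatedHash.ToString(&quot;D6&quot;);
+}"/>
+<send-request ignore-error="false" timeout="20" response-variable-name="s2sBearerToken" mode="new">
+<set-url>${s2s_base_url}/lease</set-url>
+<set-method>POST</set-method>
+<set-header name="Content-Type" exists-action="override">
+<value>application/json</value>
+</set-header>
+<set-body>@{
+return new JObject(
+new JProperty("microservice", (string)context.Variables["client_id"]),
+new JProperty("oneTimePassword", (string)context.Variables["one_time_password"])
+).ToString();
+}</set-body>
+</send-request>
+
+<set-header name="ServiceAuthorization" exists-action="override">
+<value>@("Bearer " + ((IResponse)context.Variables["s2sBearerToken"]).Body.As&lt;string&gt;())</value>
+</set-header>
+</inbound>
+<outbound>
+<base/>
+</outbound>
+<on-error>
+<base/>
+</on-error>
+</policies>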
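Review bot: The two `<when>` conditions in `<choose>` authenticate the caller from the `X-ARR-ClientCertThumbprint` request header alone, while the check on `context.Request.Certificate` that also validated `NotBefore`/`NotAfter` is left commented out; unless APIM accepts traffic only from the gateway that sets that header, a request that reaches APIM directly can carry an allow-listed thumbprint without the certificate ever being presented, and certificate expiry is no longer checked on any path. If direct access cannot be excluded, keep the certificate-based check (or pin the trusted hop with an `ip-filter` or network restriction) and record in a comment above `<choose>` which hop is trusted to set the header. The `ServiceAuthorization` value is built from the lease response body without looking at its status, so a 4xx/5xx reply from `${s2s_base_url}/lease` is forwarded to the backend as `Bearer <error body>` (`ignore-error="false"` appears to cover only failed requests, not non-2xx responses); the rewrite below checks `StatusCode` before the header is set. The `client_secret` variable set by `<set-variable name="client_secret">` is never read — the TOTP expression re-interpolates `${s2s_client_secret}` directly — and both places embed the secret in plaintext in the policy document; a Key Vault-backed APIM named value referenced as `{{name}}` would keep it out of the rendered policy, and `.ToUpper()` in that expression should be `.ToUpperInvariant()` to match the comparison used on the header.
```xml
<send-request ignore-error="false" timeout="20" response-variable-name="s2sBearerToken" mode="new">
    <!-- … unchanged: set-url / set-method / set-header / set-body … -->
</send-request>
<choose>
    <when condition="@(((IResponse)context.Variables["s2sBearerToken"]).StatusCode != 200)">
        <return-response>
            <set-status code="502" reason="Service authorization failed" />
            <set-body>Unable to obtain service-to-service token.</set-body>
        </return-response>
    </when>
</choose>
<set-header name="ServiceAuthorization" exists-action="override">
    <value>@("Bearer " + ((IResponse)context.Variables["s2sBearerToken"]).Body.As&lt;string&gt;())</value>
</set-header>
```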
