Merge pull request #591 from hmcts/PAY-6706-New-APIM-Migration

PAY-6706: New CFT APIM Migration
hmcts · Jul 29, 2024 · b9195c7 · b9195c7
2 parents a5d8c83 + e49a269
commit b9195c7
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 20 deletions.
diff --git a/infrastructure/cft-api-mgmt.tf b/infrastructure/cft-api-mgmt.tf
@@ -39,6 +39,7 @@ module "cft_api_mgmt_api" {
   path          = local.cft_api_base_path
   service_url   = local.feeregister_api_url
   swagger_url   = "https://raw.githubusercontent.com/hmcts/cnp-api-docs/master/docs/specs/ccpay-payment-app.freg_api1.json"
+  protocols     = ["http", "https"]
   revision      = "1"
   providers = {
     azurerm = azurerm.aks-cftapps

diff --git a/infrastructure/demo.tfvars b/infrastructure/demo.tfvars
@@ -1,10 +1,11 @@
 # Test Certificate refunds_api_gateway_certificate_thumbprints
 # "7744A2F56BD3B73C0D7FED61309E1C65AF08538C" - Shravan test cert
 # "BFE89B4BA1F47E048CFDF125C2E1BB4E2CC26083" - Dave test cert
+# "7620DCB455C20A072D8B613434CED819E48BD843" - Exela App-Gateway cert
 sku_name                                        = "GP_Gen5_2"
 flexible_sku_name                               = "GP_Standard_D2s_v3"
 sku_capacity                                    = "2"
-feeregister_api_gateway_certificate_thumbprints = ["B1BF8007527F85085D7C4A3DC406A9A6D124D721", "E5F54E7BA2B780E2B1B1FFAC68F801251935BE80", "B9D9E70AC23EAF8EA094F6B59EF77FF77D977CBE", "D36AC5686200258AE7C03CCCA70E14B69C17F94B", "7744A2F56BD3B73C0D7FED61309E1C65AF08538C", "BFE89B4BA1F47E048CFDF125C2E1BB4E2CC26083"]
+feeregister_api_gateway_certificate_thumbprints = ["B1BF8007527F85085D7C4A3DC406A9A6D124D721", "E5F54E7BA2B780E2B1B1FFAC68F801251935BE80", "B9D9E70AC23EAF8EA094F6B59EF77FF77D977CBE", "D36AC5686200258AE7C03CCCA70E14B69C17F94B", "7744A2F56BD3B73C0D7FED61309E1C65AF08538C", "BFE89B4BA1F47E048CFDF125C2E1BB4E2CC26083", "7620DCB455C20A072D8B613434CED819E48BD843"]
 aks_subscription_id                             = "d025fece-ce99-4df2-b7a9-b649d3ff2060"
 additional_databases = [
   "postgresql-db2"

diff --git a/infrastructure/perftest.tfvars b/infrastructure/perftest.tfvars
@@ -3,4 +3,4 @@ flexible_sku_name                               = "GP_Standard_D4s_v3"
 sku_capacity                                    = "4"
 aks_subscription_id                             = "8a07fdcd-6abd-48b3-ad88-ff737a4b9e3c"
 apim_suffix                                     = "test"
-feeregister_api_gateway_certificate_thumbprints = ["B1BF8007527F85085D7C4A3DC406A9A6D124D721", "E5F54E7BA2B780E2B1B1FFAC68F801251935BE80", "B9D9E70AC23EAF8EA094F6B59EF77FF77D977CBE"]
+feeregister_api_gateway_certificate_thumbprints = ["B1BF8007527F85085D7C4A3DC406A9A6D124D721", "E5F54E7BA2B780E2B1B1FFAC68F801251935BE80", "B9D9E70AC23EAF8EA094F6B59EF77FF77D977CBE", "7744A2F56BD3B73C0D7FED61309E1C65AF08538C", "BFE89B4BA1F47E048CFDF125C2E1BB4E2CC26083", "7620DCB455C20A072D8B613434CED819E48BD843"]
diff --git a/infrastructure/state.tf b/infrastructure/state.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 3.107.0"
+      version = "~> 3.105.0"
     }
     azuread = {
       source  = "hashicorp/azuread"

diff --git a/infrastructure/template/cft-api-policy.xml b/infrastructure/template/cft-api-policy.xml
@@ -6,23 +6,24 @@
     <base/>
     <choose>
       <when condition="@(context.Request.Headers["X-ARR-ClientCertThumbprint"] == null)">
-      <return-response>
-        <set-status code="401" />
-        <set-body>Missing client certificate</set-body>
-      </return-response>
-    </when>
-    <when condition="@(!(new string[] {${allowed_certificate_thumbprints}}.Any(c => context.Request.Headers.ContainsKey(&quot;X-ARR-ClientCertThumbprint&quot;) && context.Request.Headers[&quot;X-ARR-ClientCertThumbprint&quot;].Contains(c))))">
-      <return-response>
-        <set-status code="401" />
-        <set-body>Invalid client certificate</set-body>
-      </return-response>
-    </when>
-    <when condition="@(context.Request.Certificate == null || context.Request.Certificate.NotAfter < DateTime.Now || context.Request.Certificate.NotBefore > DateTime.Now || !(new string[] {${allowed_certificate_thumbprints}}.Any(c => c == context.Request.Certificate.Thumbprint)))" >
-      <return-response>
-        <set-status code="401" reason="Invalid client certificate. Please check expiry."/>
-      </return-response>
-    </when>
-  </choose>
+        <return-response>
+          <set-status code="401" />
+          <set-body>Missing client certificate.</set-body>
+        </return-response>
+      </when>
+      <when condition="@(!(new string[] {${allowed_certificate_thumbprints}}.Contains(context.Request.Headers[&quot;X-ARR-ClientCertThumbprint&quot;].First().ToUpperInvariant())))">
+        <return-response>
+          <set-status code="401" />
+          <set-body>Invalid client certificate.</set-body>
+        </return-response>
+      </when>
+<!--      <when condition="@(context.Request.Certificate == null || context.Request.Certificate.NotAfter < DateTime.Now || context.Request.Certificate.NotBefore > DateTime.Now || !(new string[] {${allowed_certificate_thumbprints}}.Any(c => c == context.Request.Certificate.Thumbprint)))" >-->
+<!--        <return-response>-->
+<!--          <set-status code="401" />-->
+<!--          <set-body>Invalid client certificate. Please check expiry.</set-body>-->
+<!--        </return-response>-->
+<!--      </when>-->
+    </choose>
   </inbound>
   <outbound>
     <base/>