feat: no longer bypassing server certs (#794)

SamRobinson75684 · web-flow · commit 591b3300dfc9 · 2025-03-19T10:29:43.000Z
diff --git a/.gitignore b/.gitignore
@@ -84,3 +84,4 @@ application/CohortManager/.vscode/
 # Ignore generated feature bindings
 *.feature.cs
 tests/smoke-tests/dtos-cohort-manager-smoke-tests/Config/appsettings-local.json
+*.crt
diff --git a/application/CohortManager/src/Functions/CaasIntegration/RetrieveMeshFile/Program.cs b/application/CohortManager/src/Functions/CaasIntegration/RetrieveMeshFile/Program.cs
@@ -9,7 +9,6 @@
 using Microsoft.Extensions.Logging;
 using NHS.Screening.RetrieveMeshFile;
 using HealthChecks.Extensions;
-using Microsoft.Extensions.HealthChecks;
 
 
 var loggerFactory = LoggerFactory.Create(builder => builder.AddConsole());
@@ -20,13 +19,16 @@
     var host = new HostBuilder();
 
     X509Certificate2 cert = null;
+    X509Certificate2Collection caCerts = new X509Certificate2Collection();
+
+    var KeyVaultConnectionString = Environment.GetEnvironmentVariable("KeyVaultConnectionString");
 
     host.AddConfiguration<RetrieveMeshFileConfig>(out RetrieveMeshFileConfig config);
 
-    if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("KeyVaultConnectionString")))
+    if (!string.IsNullOrEmpty(KeyVaultConnectionString))
     {
         logger.LogInformation("Pulling Mesh Certificate from KeyVault");
-        var client = new CertificateClient(vaultUri: new Uri(Environment.GetEnvironmentVariable("KeyVaultConnectionString")), credential: new DefaultAzureCredential());
+        var client = new CertificateClient(vaultUri: new Uri(KeyVaultConnectionString), credential: new DefaultAzureCredential());
         var certificate = await client.DownloadCertificateAsync(config.MeshKeyName);
         cert = certificate.Value;
     }
@@ -36,6 +38,36 @@
         cert = new X509Certificate2(config.MeshKeyName, config.MeshKeyPassphrase);
     }
 
+    if (!string.IsNullOrEmpty(KeyVaultConnectionString))
+    {
+        var client = new CertificateClient(new Uri(KeyVaultConnectionString), new DefaultAzureCredential());
+        var allCertificates = client.GetPropertiesOfCertificates();
+
+        foreach (var certificateProperties in allCertificates)
+        {
+            if (certificateProperties.Name.StartsWith("CaCert"))
+            {
+                var certificateWithPolicy = await client.DownloadCertificateAsync(certificateProperties.Name);
+                caCerts.Add(certificateWithPolicy.Value);
+            }
+        }
+    }
+    else if (!string.IsNullOrEmpty(config.ServerSideCerts))
+    {
+        var pemCerts = File.ReadAllText(config.ServerSideCerts)
+            .Split(new string[] { "-----END CERTIFICATE-----" }, StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
+            .Select(pem => pem + "\n-----END CERTIFICATE-----")
+            .Select(pem => new X509Certificate2(Convert.FromBase64String(
+            pem.Replace("-----BEGIN CERTIFICATE-----", "")
+                .Replace("-----END CERTIFICATE-----", "")
+                .Replace("\n", "")
+        )))
+        .ToArray();
+
+        caCerts.AddRange(pemCerts);
+    }
+
+
     host.ConfigureFunctionsWebApplication();
     host.ConfigureServices(services =>
     {
@@ -47,7 +79,8 @@
             {
                 Password = config.MeshPassword,
                 SharedKey = config.MeshSharedKey,
-                Cert = cert
+                Cert = cert,
+                serverSideCertCollection = caCerts
             })
             .Build();
         services.AddSingleton<IBlobStorageHelper, BlobStorageHelper>();
diff --git a/application/CohortManager/src/Functions/CaasIntegration/RetrieveMeshFile/RetrieveMeshFile.csproj b/application/CohortManager/src/Functions/CaasIntegration/RetrieveMeshFile/RetrieveMeshFile.csproj
@@ -23,6 +23,9 @@
         <None Update="meshpfx.pfx">
             <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
         </None>
+        <None Update="meshServerSideCerts.crt">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
         <None Update="local.settings.json">
             <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
             <CopyToPublishDirectory>Never</CopyToPublishDirectory>
diff --git a/application/CohortManager/src/Functions/CaasIntegration/RetrieveMeshFile/RetrieveMeshFileConfig.cs b/application/CohortManager/src/Functions/CaasIntegration/RetrieveMeshFile/RetrieveMeshFileConfig.cs
@@ -4,14 +4,16 @@ namespace NHS.Screening.RetrieveMeshFile;
 
 public class RetrieveMeshFileConfig
 {
-    public string MeshApiBaseUrl {get; set;}
+    public string MeshApiBaseUrl { get; set; }
     [Required]
-    public string BSSMailBox {get; set;}
+    public string BSSMailBox { get; set; }
     [Required]
-    public string MeshPassword {get; set;}
+    public string MeshPassword { get; set; }
     [Required]
-    public string MeshSharedKey {get; set;}
-    public string MeshKeyPassphrase {get; set;}
-    public string MeshKeyName {get; set;}
+    public string MeshSharedKey { get; set; }
+    public string MeshKeyPassphrase { get; set; }
+    public string MeshKeyName { get; set; }
+
+    public string ServerSideCerts { get; set; }
 
 }
diff --git a/application/CohortManager/src/Functions/Shared/dotnet-mesh-client b/application/CohortManager/src/Functions/Shared/dotnet-mesh-client
@@ -1 +1 @@
-Subproject commit d69dde8f75d4090fae5f03d2002c21acca3791e7
+Subproject commit 72734dab815bce94977a1e3dd3ee7b7b24e625ee
