Skip to content

Latest commit

 

History

History
164 lines (113 loc) · 6.14 KB

README.md

File metadata and controls

164 lines (113 loc) · 6.14 KB

Blob Router

codecov Codacy Badge

Table of Contents

Purpose

Primary responsibility of this micro service is to retrieve blobs from source blob storage containers and then dispatch them to destination blob storage containers based on source containers. Currently it only routes blobs (zip files) to CFT and Crime blob storage containers. Blobs are uploaded to source storage by the third party scanning supplier. Before dispatching blobs it verifies if the files were uploaded by third party supplier through non repudiation checks. It also provides infrastructure to deploy API management service for retrieving SAS tokens used to upload blobs to source containers.

Building and deploying the application

Building the application

The project uses Gradle as a build tool. It already contains ./gradlew wrapper script, so there's no need to install gradle.

To build the project execute the following command:

  ./gradlew build

Running the application

Create the image of the application by executing the following command:

  ./gradlew assemble

Create docker image:

  docker-compose build

Run the distribution (created in build/install/blob-router-service directory) by executing the following command:

  docker-compose up

This will start the API container exposing the application's port (set to 8584 in this template app).

In order to test if the application is up, you can call its health endpoint:

  curl http://localhost:8584/health

You should get a response similar to this:

  {"status":"UP","diskSpace":{"status":"UP","total":249644974080,"free":137188298752,"threshold":10485760}}

Quick Start

An alternative faster way getting started is by using the automated setup script. This script will help set up all bulk scan/print repos including blob-router-service and its dependencies. See the common-dev-env-bsbp repository for more information. Once set up script has ran successfully you can move the blob-router-service from the newly created common-dev-env-bsbp/apps directory to your desired location.

API gateway

Blob Router uses an (Azure API Management) API to protect its SAS token dispensing endpoint. The API allows only HTTPS requests with approved client certificates and valid subscription keys to reach the service.

Azure API Management is based on public swagger specs. As part of creating API in there documentation had to be published. The full url to documentation can be found here.

If SAS dispensing endpoint has changed in some incompatible way which causes amended specs - the management needs to be notified. This means tiny alteration in terraform file.

In case any new endpoint needs to be included - same treatment must be applied.

Calling the API

In order to talk to the SAS dispensing endpoint through the API, you need to have the following pieces of information:

  • a certificate whose thumbprint is known to the API (has to be added to the list of allowed thumbprints in var.allowed_client_certificate_thumbprints terraform variable)
  • a valid subscription key
  • name of an existing client service (e.g. test)

Preparing client certificate

First, generate client private key, a certificate for that key and import both into a key store:

# generate private key
openssl genrsa 2048 > private.pem

# generate certificate
openssl req -x509 -new -key private.pem -out cert.pem -days 365

# create the key store
# when asked for password, provide one
openssl pkcs12 -export -in cert.pem -inkey private.pem -out cert.pfx -noiter -nomaciter

Next, calculate the thumbprint of your certificate:

openssl x509 -noout -fingerprint -inform pem -in cert.pem | sed -e s/://g

Add this thumbprint to allowed_client_certificate_thumbprints terraform variable for the target environment (e.g. in aat.tfvars file). Your definition may look similar to this:

allowed_client_certificate_thumbprints = ["2FC66765E63BB2436F0F9E4F59E951A6D1D20D43"]

Once you're run the deployment, the API will recognise your certificate.

Retrieving subscription key

You can get the subscription key for the API from the reform-scan-{env} key vault. The available subscription keys in the key vault are:

  • bulk-scan-team-cft-apim-subscription-key
  • exela-cft-apim-subscription-key (supplier key)

Getting the token through the API

You can call the API using the following curl command (assuming your current directory contains the private key and certificate you've created earlier):

curl -v --key private.pem --cert cert.pem https://cft-mtls-api-mgmt-appgw.{env}.platform.hmcts.net/reform-scan/token/{serviceName} -H "Ocp-Apim-Subscription-Key:{subscription key}"

You should get a response with status 200 and a token in the body.

License

This project is licensed under the MIT License - see the LICENSE file for details