From c4f613a10d4c107a7cf1eea5d463244907391f17 Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Mon, 6 Jan 2025 11:53:20 +0000
Subject: [PATCH 1/8] Configure Hsts options
---
 .../Program.cs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs b/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
index ac3a30e..5f5741e 100644
--- a/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
+++ b/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
@@ -74,6 +74,15 @@
 options.Scope.Add("User.Read"); });
+// Enforce HTTPS in ASP.NET Core
+// @link https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?
+builder.Services.AddHsts(options =>
+{
+ options.Preload = true;
+ options.IncludeSubDomains = true;
+ options.MaxAge = TimeSpan.FromDays(365);
+});
+
 builder.Services.Configure(CookieAuthenticationDefaults.AuthenticationScheme, options => {
@@ -148,4 +157,4 @@
 app.Run();
-public partial class Program { } // Make the Program class partial for testing
\ No newline at end of file
+public partial class Program { } // Make the Program class partial for testing
From d6ac90eaca92445b7ab742913c2657704bf79097 Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Mon, 6 Jan 2025 11:57:06 +0000
Subject: [PATCH 2/8] Removed unused packages and added HttpOverrides
---
 .../Program.cs | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs b/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
index 5f5741e..6549703 100644
--- a/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
+++ b/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
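Review bot: The `AddHsts` block sets `Preload = true` together with `IncludeSubDomains = true` and a 365-day `MaxAge`, which is exactly the combination the HSTS preload list requires and which is hard to reverse: once the registrable domain is on the list, every subdomain (internal, legacy or not yet created) must serve valid HTTPS or becomes unreachable, so this needs explicit sign-off from whoever owns the parent domain, and if no preload submission is planned the directive does nothing and can stay off. The `@link` line ends in a stray `?`; suggest `// See https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl`. The existing comment above `app.UseHsts()` later in Program.cs, `// The default HSTS value is 30 days...`, is now contradicted by this configuration and should be updated to point at the `AddHsts` options.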
@@ -1,6 +1,4 @@
-
 using Microsoft.AspNetCore.CookiePolicy;
-
 using Dfe.Academisation.CorrelationIdMiddleware; using Dfe.RegionalImprovementForStandardsAndExcellence.Frontend.Models; using Dfe.RegionalImprovementForStandardsAndExcellence.Frontend.Services;
@@ -8,11 +6,10 @@
 using Dfe.RegionalImprovementForStandardsAndExcellence.Frontend.Services.Http; using Microsoft.Identity.Web; using Microsoft.AspNetCore.Authorization;
-using Microsoft.Extensions.Configuration;
 using System.Security.Claims; using Microsoft.AspNetCore.Authentication.OpenIdConnect; using Microsoft.AspNetCore.Authentication.Cookies;
-using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.HttpOverrides;
 var builder = WebApplication.CreateBuilder(args);
From 861ffba947ace41ef50051d2ff971627bb6bcc3e Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Mon, 6 Jan 2025 11:57:16 +0000
Subject: [PATCH 3/8] Ensure X-Forwarded-For headers are passed into the web project
---
 .../Program.cs | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs b/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
index 6549703..ef0ec63 100644
--- a/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
+++ b/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
@@ -124,6 +124,15 @@
 var app = builder.Build();
+var forwardOptions = new ForwardedHeadersOptions
+{
+ ForwardedHeaders = ForwardedHeaders.All,
+ RequireHeaderSymmetry = false
+};
+forwardOptions.KnownNetworks.Clear();
+forwardOptions.KnownProxies.Clear();
+app.UseForwardedHeaders(forwardOptions);
+
 // Configure the HTTP request pipeline. if (!app.Environment.IsDevelopment()) {
From 2e5b874f11daa8fd5dd5206a1bbd1033258720ab Mon Sep 17 00:00:00 2001
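Review bot: `forwardOptions.KnownNetworks.Clear()` and `forwardOptions.KnownProxies.Clear()` combined with `ForwardedHeaders = ForwardedHeaders.All` make the middleware accept `X-Forwarded-For`, `X-Forwarded-Proto` and `X-Forwarded-Host` from any direct client rather than only from the ingress proxy, so the remote IP recorded in logs and used in any IP-based decision, the scheme seen by `UseHttpsRedirection`/`UseHsts`, and the host used for generated URLs and redirects can all be chosen by the caller. If the proxy addresses are known, load them into `KnownProxies`/`KnownNetworks` from configuration instead of clearing the lists; if they genuinely cannot be known, narrow the exposure with `ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto` and, if the forwarded host really is needed, constrain it through `forwardOptions.AllowedHosts`. `RequireHeaderSymmetry = false` silently accepts mismatched header counts; a one-line comment naming the proxy that sends them asymmetrically would explain why that is safe here. The commit title mentions only `X-Forwarded-For`, so it is worth confirming that forwarding `X-Forwarded-Host` is intentional.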
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Mon, 6 Jan 2025 11:58:52 +0000
Subject: [PATCH 4/8] Use developer debug page in development mode
---
 src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs b/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
index ef0ec63..5442009 100644
--- a/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
+++ b/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
@@ -139,6 +139,8 @@
 app.UseExceptionHandler("/Error"); // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts. app.UseHsts();
+} else {
+ app.UseDeveloperExceptionPage();
 } app.UseHttpsRedirection();
From f96dd5e2ada0e69b0b21c40b0e19ee91338536e6 Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Mon, 6 Jan 2025 11:59:39 +0000
Subject: [PATCH 5/8] Registered /health as healthcheck endpoint
---
 .../Program.cs | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs b/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
index 5442009..417d7f8 100644
--- a/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
+++ b/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
@@ -41,6 +41,8 @@
 // options.Cookie.SecurePolicy = CookieSecurePolicy.Always; });
+builder.Services.AddHealthChecks();
+
 builder.Services.AddScoped(sp => sp.GetService()?.HttpContext?.Session); // Add services to the container. builder.Services.AddRazorPages(options =>
@@ -163,6 +165,8 @@
 endpoints.MapControllerRoute("default", "{controller}/{action}/"); });
+app.UseHealthChecks("/health");
+
 app.Run(); public partial class Program { } // Make the Program class partial for testing
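Review bot: `} else {` puts the closing brace, `else` and the opening brace on one line, while the surrounding `if (!app.Environment.IsDevelopment())` block uses Allman style with `{` and `}` on their own lines; match it with `}`, `else`, `{` on three separate lines. The branch is also likely redundant: `WebApplication.CreateBuilder` already adds the developer exception page when the environment is Development, so unless that default has been disabled elsewhere this call changes nothing and can be dropped — worth confirming against the hosting setup. While here, the context comment `// The default HSTS value is 30 days...` above `app.UseHsts()` no longer matches the `AddHsts` configuration introduced earlier in this series and should be reworded, e.g. `// HSTS policy (max-age, subdomains, preload) is configured via AddHsts above.`.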
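Review bot: `app.UseHealthChecks("/health")` is added after the `endpoints.MapControllerRoute` block as path-matching middleware rather than as an endpoint, so it sits outside endpoint routing, cannot take routing conventions, and answers any anonymous caller; with the `AddDbContextCheck` registration later in this series, every such request will cost a database round-trip. Prefer `app.MapHealthChecks("/health")` alongside the other `Map*` calls so the endpoint takes part in routing and can be restricted with `RequireHost`, `RequireAuthorization` or an ingress-level rule if the probe is not meant to be public. The default response body is only the status string, which is fine, but any `ResponseWriter` added later should avoid echoing exception details to unauthenticated clients.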
From ab6b56bb46f8b8714a76fa795fe97e15953e8fb9 Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Mon, 6 Jan 2025 12:00:21 +0000
Subject: [PATCH 6/8] Standardise casing for Cookie prefix
---
 src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs b/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
index 417d7f8..13ec010 100644
--- a/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
+++ b/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
@@ -86,7 +86,7 @@
 options => { options.AccessDeniedPath = "/access-denied";
- options.Cookie.Name = ".Rise.Login";
+ options.Cookie.Name = ".RISE.Login";
 options.Cookie.HttpOnly = true; options.Cookie.IsEssential = true; options.ExpireTimeSpan = _authenticationExpiration;
From 4e0d06f9ffc7515c2a11c86185694115da85458e Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Mon, 6 Jan 2025 12:03:14 +0000
Subject: [PATCH 7/8] Add DbContext Health Check
---
 ...ovementForStandardsAndExcellence.Infrastructure.csproj | 1 +
 .../InfrastructureServiceCollectionExtensions.cs | 8 ++++++++
 .../Program.cs | 2 --
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/Dfe.RegionalImprovementForStandardsAndExcellence.Infrastructure/Dfe.RegionalImprovementForStandardsAndExcellence.Infrastructure.csproj b/src/Dfe.RegionalImprovementForStandardsAndExcellence.Infrastructure/Dfe.RegionalImprovementForStandardsAndExcellence.Infrastructure.csproj
index c4bc26c..0e8b8a7 100644
--- a/src/Dfe.RegionalImprovementForStandardsAndExcellence.Infrastructure/Dfe.RegionalImprovementForStandardsAndExcellence.Infrastructure.csproj
+++ b/src/Dfe.RegionalImprovementForStandardsAndExcellence.Infrastructure/Dfe.RegionalImprovementForStandardsAndExcellence.Infrastructure.csproj
@@ -13,6 +13,7 @@
+
diff --git a/src/Dfe.RegionalImprovementForStandardsAndExcellence.Infrastructure/InfrastructureServiceCollectionExtensions.cs b/src/Dfe.RegionalImprovementForStandardsAndExcellence.Infrastructure/InfrastructureServiceCollectionExtensions.cs
index 3ce0328..7f70d00 100644
--- a/src/Dfe.RegionalImprovementForStandardsAndExcellence.Infrastructure/InfrastructureServiceCollectionExtensions.cs
+++ b/src/Dfe.RegionalImprovementForStandardsAndExcellence.Infrastructure/InfrastructureServiceCollectionExtensions.cs
@@ -31,7 +31,15 @@ public static IServiceCollection AddInfrastructureDependencyGroup(
 // Utils services.AddScoped();
+ // Health check
+ AddInfrastructureHealthCheck(services);
+
 return services; }
+
+ public static void AddInfrastructureHealthCheck(this IServiceCollection services) {
+ services.AddHealthChecks()
+ .AddDbContextCheck("RISE Database");
+ }
 } }
diff --git a/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs b/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
index 13ec010..2d9db5d 100644
--- a/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
+++ b/src/Dfe.RegionalImprovementForStandardsAndExcellence/Program.cs
@@ -41,8 +41,6 @@
 // options.Cookie.SecurePolicy = CookieSecurePolicy.Always; });
-builder.Services.AddHealthChecks();
-
 builder.Services.AddScoped(sp => sp.GetService()?.HttpContext?.Session); // Add services to the container. builder.Services.AddRazorPages(options =>
From 365450573439bd67bf24f0a6c4e92e52ef39456e Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Mon, 6 Jan 2025 12:17:14 +0000
Subject: [PATCH 8/8] Add missing tests project to Docker
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Dockerfile b/Dockerfile
index ef29a45..6f9bada 100644
--- a/Dockerfile
+++ b/Dockerfile
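Review bot: `AddInfrastructureHealthCheck` is declared as a public `this IServiceCollection` extension that returns `void`, yet it is invoked with static syntax `AddInfrastructureHealthCheck(services)` and its sibling `AddInfrastructureDependencyGroup` returns the collection for chaining; either make it `private static void`, or keep it public, return `IServiceCollection` and call it as `services.AddInfrastructureHealthCheck()`. The `{` on the signature line also breaks the Allman layout the rest of the class uses. The generic argument to `AddDbContextCheck` has not survived this rendering, so I cannot see which context is checked; a summary such as `/// Registers a health check named "RISE Database" that verifies the application's DbContext can connect.` would make it explicit. Because Program.cs exposes this at an anonymous `/health`, each probe performs a connection test; consider tagging the check via the `tags` parameter of `AddDbContextCheck` so a liveness probe can exclude it and only a readiness probe touches the database.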
@@ -30,6 +30,7 @@ COPY ./src/${PROJECT_NAME}.Utils/${PROJECT_NAME}.Utils.csproj
 COPY ./src/Tests/${PROJECT_NAME}.Api.Tests.Integration/${PROJECT_NAME}.Api.Tests.Integration.csproj ./src/Tests/${PROJECT_NAME}.Api.Tests.Integration/ COPY ./src/Tests/${PROJECT_NAME}.Application.Tests/${PROJECT_NAME}.Application.Tests.csproj ./src/Tests/${PROJECT_NAME}.Application.Tests/ COPY ./src/Tests/${PROJECT_NAME}.Domain.Tests/${PROJECT_NAME}.Domain.Tests.csproj ./src/Tests/${PROJECT_NAME}.Domain.Tests/
+COPY ./src/Tests/${PROJECT_NAME}.Frontend.Tests/${PROJECT_NAME}.Frontend.Tests.csproj ./src/Tests/${PROJECT_NAME}.Frontend.Tests/
 COPY ./src/Tests/${PROJECT_NAME}.Tests.Common/${PROJECT_NAME}.Tests.Common.csproj ./src/Tests/${PROJECT_NAME}.Tests.Common/ # Mount GitHub Token as a Docker secret so that NuGet Feed can be accessed