Primary responsibility of this micro service is to retrieve blobs from source blob storage containers and then dispatch them to destination blob storage containers based on source containers. Currently it only routes blobs (zip files) to CFT and Crime blob storage containers. Blobs are uploaded to source storage by the third party scanning supplier. Before dispatching blobs it verifies if the files were uploaded by third party supplier through non repudiation checks. It also provides infrastructure to deploy API management service for retrieving SAS tokens used to upload blobs to source containers.
The project uses Gradle as a build tool. It already contains
./gradlew wrapper script, so there's no need to install gradle.
To build the project execute the following command:
./gradlew buildCreate the image of the application by executing the following command:
./gradlew assembleCreate docker image:
docker-compose buildRun the distribution (created in build/install/blob-router-service directory)
by executing the following command:
docker-compose upThis will start the API container exposing the application's port
(set to 8584 in this template app).
In order to test if the application is up, you can call its health endpoint:
curl http://localhost:8584/healthYou should get a response similar to this:
{"status":"UP","diskSpace":{"status":"UP","total":249644974080,"free":137188298752,"threshold":10485760}}
Blob Router uses an (Azure API Management) API to protect its SAS token dispensing endpoint. The API allows only HTTPS requests with approved client certificates and valid subscription keys to reach the service.
Azure API Management is based on public swagger specs. As part of creating API in there documentation had to be published. The full url to documentation can be found here.
If SAS dispensing endpoint has changed in some incompatible way which causes amended specs - the management needs to be notified. This means tiny alteration in terraform file.
In case any new endpoint needs to be included - same treatment must be applied.
In order to talk to the SAS dispensing endpoint through the API, you need to have the following pieces of information:
- a certificate whose thumbprint is known to the API (has to be added to the list of allowed thumbprints in
var.allowed_client_certificate_thumbprintsterraform variable) - a valid subscription key
- name of an existing client service (e.g.
test)
First, generate client private key, a certificate for that key and import both into a key store:
# generate private key
openssl genrsa 2048 > private.pem
# generate certificate
openssl req -x509 -new -key private.pem -out cert.pem -days 365
# create the key store
# when asked for password, provide one
openssl pkcs12 -export -in cert.pem -inkey private.pem -out cert.pfx -noiter -nomaciter
Next, calculate the thumbprint of your certificate:
openssl x509 -noout -fingerprint -inform pem -in cert.pem | sed -e s/://g
Finally, add this thumbprint to allowed_client_certificate_thumbprints terraform variable for the target environment (e.g. in aat.tfvars file). Your definition may look similar to this:
allowed_client_certificate_thumbprints = ["2FC66765E63BB2436F0F9E4F59E951A6D1D20D43"]
Once you're run the deployment, the API will recognise your certificate.
You can get the subscription key for the API from the reform-scan-{env} key vault. The available subscription keys in the key vault are:
- bulk-scan-team-cft-apim-subscription-key
- exela-cft-apim-subscription-key (supplier key)
- iron-mountain-cft-apim-subscription-key (supplier key)
You can call the API using the following curl command (assuming your current directory contains the private key and certificate you've created earlier):
curl -v --key private.pem --cert cert.pem https://cft-api-mgmt.{env}.platform.hmcts.net/reform-scan/token/{serviceName} -H "Ocp-Apim-Subscription-Key:{subscription key}"
You should get a response with status 200 and a token in the body.
This project is licensed under the MIT License - see the LICENSE file for details