Support rotating private keys

ks-no · May 31, 2023 · 7c5b304 · jarleborsheim · May 31, 2023 · 7c5b304
1 parent e947208
commit 7c5b304
Show file tree

Hide file tree

Showing 5 changed files with 79 additions and 16 deletions.
diff --git a/KS.Fiks.IO.Client.Tests/Configuration/FiksIOConfigurationBuilderTests.cs b/KS.Fiks.IO.Client.Tests/Configuration/FiksIOConfigurationBuilderTests.cs
@@ -1,4 +1,6 @@
 using System;
+using System.Collections.Generic;
+using System.Linq;
 using System.Security.Cryptography.X509Certificates;
 using FluentAssertions;
 using KS.Fiks.IO.Client.Configuration;
@@ -38,6 +40,36 @@ public void ProdConfigurationWithAllRequiredConfigurations()
             configuration.AmqpConfiguration.Host.Should().Be(AmqpConfiguration.ProdHost);
         }
 
+        [Fact]
+        public void ConfigWithSinglPrivateKey()
+        {
+            var dummyPrivateKey = Guid.NewGuid().ToString();
+            var config = FiksIOConfigurationBuilder
+                .Init()
+                .WithAmqpConfiguration(Guid.NewGuid().ToString(), 10)
+                .WithMaskinportenConfiguration(new X509Certificate2(), Guid.NewGuid().ToString())
+                .WithFiksIntegrasjonConfiguration(Guid.NewGuid(), Guid.NewGuid().ToString())
+                .WithFiksKontoConfiguration(Guid.NewGuid(), dummyPrivateKey)
+                .BuildTestConfiguration();
+
+            config.KontoConfiguration.PrivatNokler.Single().Should().Be(dummyPrivateKey);
+        }
+
+        [Fact]
+        public void ConfigWithMultiplePrivateKeys()
+        {
+            var dummyPrivateKeys = Enumerable.Range(0, 3).Select(_ => Guid.NewGuid().ToString()).ToList();
+            var config = FiksIOConfigurationBuilder
+                .Init()
+                .WithAmqpConfiguration(Guid.NewGuid().ToString(), 10)
+                .WithMaskinportenConfiguration(new X509Certificate2(), Guid.NewGuid().ToString())
+                .WithFiksIntegrasjonConfiguration(Guid.NewGuid(), Guid.NewGuid().ToString())
+                .WithFiksKontoConfiguration(Guid.NewGuid(), dummyPrivateKeys)
+                .BuildTestConfiguration();
+
+            config.KontoConfiguration.PrivatNokler.Should().BeEquivalentTo(dummyPrivateKeys);
+        }
+
         [Fact]
         public void ConfigurationFailsWithoutCertificateInMaskinportenConfiguration()
         {

diff --git a/KS.Fiks.IO.Client/Amqp/AmqpConsumerFactory.cs b/KS.Fiks.IO.Client/Amqp/AmqpConsumerFactory.cs
@@ -11,28 +11,32 @@ namespace KS.Fiks.IO.Client.Amqp
 {
     internal class AmqpConsumerFactory : IAmqpConsumerFactory
     {
-        private readonly IFileWriter fileWriter;
+        private readonly IFileWriter _fileWriter;
 
-        private readonly IAsicDecrypter decrypter;
+        private readonly IAsicDecrypter _decrypter;
 
-        private readonly ISendHandler sendHandler;
+        private readonly ISendHandler _sendHandler;
 
-        private readonly IDokumentlagerHandler dokumentlagerHandler;
+        private readonly IDokumentlagerHandler _dokumentlagerHandler;
 
-        private readonly Guid accountId;
+        private readonly Guid _accountId;
 
-        public AmqpConsumerFactory(ISendHandler sendHandler, IDokumentlagerHandler dokumentlagerHandler, KontoConfiguration kontoConfiguration)
+        public AmqpConsumerFactory(
+            ISendHandler sendHandler,
+            IDokumentlagerHandler dokumentlagerHandler,
+            KontoConfiguration kontoConfiguration)
         {
-            this.dokumentlagerHandler = dokumentlagerHandler;
-            this.fileWriter = new FileWriter();
-            this.decrypter = new AsicDecrypter(DecryptionService.Create(kontoConfiguration.PrivatNokkel));
-            this.sendHandler = sendHandler;
-            this.accountId = kontoConfiguration.KontoId;
+            _dokumentlagerHandler = dokumentlagerHandler;
+            _fileWriter = new FileWriter();
+            _decrypter = new AsicDecrypter(DecryptionService.Create(kontoConfiguration.PrivatNokler));
+
+            _sendHandler = sendHandler;
+            _accountId = kontoConfiguration.KontoId;
         }
 
         public IAmqpReceiveConsumer CreateReceiveConsumer(IModel channel)
         {
-            return new AmqpReceiveConsumer(channel, this.dokumentlagerHandler, this.fileWriter, this.decrypter, this.sendHandler, this.accountId);
+            return new AmqpReceiveConsumer(channel, _dokumentlagerHandler, _fileWriter, _decrypter, _sendHandler, _accountId);
         }
     }
 }
diff --git a/KS.Fiks.IO.Client/Configuration/FiksIOConfigurationBuilder.cs b/KS.Fiks.IO.Client/Configuration/FiksIOConfigurationBuilder.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.Security.Cryptography.X509Certificates;
 
 namespace KS.Fiks.IO.Client.Configuration
@@ -91,6 +92,12 @@ public FiksIOConfigurationBuilder WithFiksKontoConfiguration(Guid fiksKontoId, s
             _kontoConfiguration = new KontoConfiguration(fiksKontoId, fiksPrivateKey);
             return this;
         }
+
+        public FiksIOConfigurationBuilder WithFiksKontoConfiguration(Guid fiksKontoId, IEnumerable<string> fiksPrivateKeys)
+        {
+            _kontoConfiguration = new KontoConfiguration(fiksKontoId, fiksPrivateKeys);
+            return this;
+        }
 
         public FiksIOConfigurationBuilder WithAmqpConfiguration(string applicationName, ushort prefetchCount, bool keepAlive = true, int keepAliveHealthCheckInterval = AmqpConfiguration.DefaultKeepAliveHealthCheckInterval)
         {

diff --git a/KS.Fiks.IO.Client/Configuration/KontoConfiguration.cs b/KS.Fiks.IO.Client/Configuration/KontoConfiguration.cs
@@ -1,4 +1,6 @@
 using System;
+using System.Collections.Generic;
+using System.Linq;
 
 namespace KS.Fiks.IO.Client.Configuration
 {
@@ -7,14 +9,32 @@ public class KontoConfiguration
         public KontoConfiguration(Guid kontoId, string privatNokkel)
         {
             KontoId = kontoId;
-            PrivatNokkel = privatNokkel;
+            PrivatNokler = new List<string> {privatNokkel};
+        }
+
+        public KontoConfiguration(Guid kontoId, IEnumerable<string> privatNokler)
+        {
+            KontoId = kontoId;
+            if (privatNokler == null)
+            {
+                throw new ArgumentNullException(nameof(privatNokler));
+            }
+
+            PrivatNokler = privatNokler.ToList();
+
+            if (!PrivatNokler.Any())
+            {
+                throw new ArgumentNullException(nameof(privatNokler), "Must provide atleast one private key");
+            }
         }
 
         public Guid KontoId { get; }
 
         /**
         * Privat nøkkel som matcher den offentlige nøkkelen som er spesifisert for kontoen i fiks-konfigurasjon. Benyttes for å dekryptere innkommende meldinger.
+        *
+        * For å støtte nøkkelrotasjon er det mulig å legge til flere private nøkler.
         */
-        public string PrivatNokkel { get; }
+        public List<string> PrivatNokler { get; }
     }
 }
diff --git a/KS.Fiks.IO.Client/KS.Fiks.IO.Client.csproj b/KS.Fiks.IO.Client/KS.Fiks.IO.Client.csproj
@@ -13,7 +13,7 @@
 		<RepositoryType>git</RepositoryType>
 		<PackageTags>FIKS</PackageTags>
 		<VersionPrefix>3.0.6</VersionPrefix>
-		<TargetFrameworks>netcoreapp3.1;netstandard2.0</TargetFrameworks>
+		<TargetFrameworks>netstandard2.0;net6.0</TargetFrameworks>
 		<IncludeSymbols>true</IncludeSymbols>
 		<SymbolPackageFormat>snupkg</SymbolPackageFormat>
 		<AssemblyVersion>3.0.0.0</AssemblyVersion>
@@ -43,7 +43,7 @@
 	</ItemGroup>
 	<ItemGroup>
 		<PackageReference Include="KS.Fiks.ASiC-E" Version="1.0.5" />
-		<PackageReference Include="KS.Fiks.Crypto" Version="1.0.5" />
+		<PackageReference Include="KS.Fiks.Crypto" Version="1.0.6" />
 		<PackageReference Include="KS.Fiks.IO.Send.Client" Version="1.0.9" />
 		<PackageReference Include="KS.Fiks.Maskinporten.Client" Version="1.1.5" />
 		<PackageReference Include="Microsoft.Extensions.Logging" Version="6.0.0" />