feat: Implementieren der Verschlüsselungs- und Entschlüsselungsdienste mit AES und Integration in die API

- Hinzufügen der `Encryptor`-Klasse für AES-Verschlüsselung und -Entschlüsselung. - Implementierung des `EncryptionController` zur Bereitstellung von Endpunkten für Verschlüsselung, Entschlüsselung und Generierung von Verschlüsselungsparametern. - Erweiterung der DI-Konfiguration mit `AddEncryptor`-Erweiterungsmethode und Integration in `Program.cs`. - Bedingte Registrierung des `EncryptionController` basierend auf der Konfiguration `UseEncryptor`, um sicherzustellen, dass der Controller nur bei Bedarf verfügbar ist. - Implementierung von Lazy Loading für die Verbindungszeichenfolge in `UserManagerDbContext` zur sicheren Handhabung von verschlüsselten Verbindungszeichenfolgen.
2024-08-29 11:35:47 +02:00
parent c8bcb5a6ac
commit 6e973a494e
8 changed files with 179 additions and 12 deletions
--- a/DigitalData.UserManager.API/Controllers/EncryptionController.cs
+++ b/DigitalData.UserManager.API/Controllers/EncryptionController.cs
@@ -0,0 +1,46 @@
+using DigitalData.UserManager.Application.Services;
+using DigitalData.UserManager.Application.Services.Options;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Options;
+
+namespace DigitalData.UserManager.API.Controllers
+{
+    [Route("api/[controller]")]
+    [ApiController]
+    public class EncryptionController : ControllerBase
+    {
+        private readonly Encryptor _encryptor;
+
+        public EncryptionController(Encryptor encryptor)
+        {
+            _encryptor = encryptor;
+        }
+
+        [HttpPost("encrypt")]
+        public IActionResult Encrypt([FromQuery] string plainText, [FromBody] EncryptionParameters? options = null)
+        {
+            string cipherText = options is null 
+                ? _encryptor.Encrypt(plainText) 
+                : Encryptor.Encrypt(plainText, options.Key, options.IV);
+
+            return Ok(cipherText);
+        }
+
+        [HttpPost("decrypt")]
+        public IActionResult Decrypt([FromQuery] string cipherText, [FromBody] EncryptionParameters? options = null)
+        {
+            var plainText = options is null 
+                ? _encryptor.Decrypt(cipherText)
+                : Encryptor.Decrypt(cipherText, options.Key, options.IV);
+
+            return Ok(plainText);
+        }
+
+        [HttpGet]
+        public IActionResult Generate()
+        {
+            var param = Encryptor.GenerateParameters();
+            return Ok(param);
+        }
+    }
+}
--- a/DigitalData.UserManager.API/Program.cs
+++ b/DigitalData.UserManager.API/Program.cs
@@ -6,12 +6,19 @@ using Microsoft.AspNetCore.Authentication.Cookies;
 using NLog.Web;
 using NLog;
 using DigitalData.Core.API;
+using DigitalData.UserManager.API;
+using DigitalData.UserManager.API.Controllers;
+using DigitalData.UserManager.Application.Services;

 var logger = LogManager.Setup().LoadConfigurationFromAppSettings().GetCurrentClassLogger();
 logger.Debug("init main");

 try {
    var builder = WebApplication.CreateBuilder(args);
+    
+    var config = builder.Configuration;
+
+    builder.Services.AddEncryptor(builder.Configuration.GetSection("EncryptionParameters"));

    if (builder.Configuration.GetValue<bool>("RunAsWindowsService"))
        builder.Host.UseWindowsService();
@@ -27,7 +34,12 @@ try {
        builder.Services.AddSwaggerGen();
    }

-    builder.Services.AddControllers();
+    builder.Services.AddControllers(opt =>
+    {
+        opt.Conventions.Add(new RemoveIfControllerConvention()
+            .AndIf(c => c.ControllerName == nameof(EncryptionController).Replace("Controller", ""))
+            .AndIf(c => !config.GetValue<bool>("UseEncryptor")));
+    });

    builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(options =>
@@ -39,9 +51,10 @@ try {
            options.LogoutPath = "/api/auth/logout";
        });

-    builder.Services.AddDbContext<UserManagerDbContext>(options =>
-        options.UseSqlServer(builder.Configuration.GetConnectionString("DD_ECM_Connection"))
-        .EnableDetailedErrors());
+    // Once the app is built, the password will be decrypted with Encryptor. lazy loading also acts as a call back method.
+    Lazy<string>? cnn_str = null;
+
+    builder.Services.AddDbContext<UserManagerDbContext>(options => options.UseSqlServer(cnn_str!.Value).EnableDetailedErrors());

    var allowedOrigins = builder.Configuration.GetSection("AllowedOrigins").Get<string[]>() ?? throw new InvalidOperationException("In appsettings there is no allowed origin.");

@@ -64,9 +77,17 @@ try {
    builder.Services.AddDirectorySearchService();

    builder.Services.AddCookieBasedLocalizer();
-
+    
    var app = builder.Build();

+    cnn_str = new(() =>
+    {
+        var encryptor = app.Services.GetRequiredService<Encryptor>();
+        var eCnnStr = config.GetConnectionString("DD_ECM_Connection") ?? throw new InvalidOperationException("Connection string 'DD_ECM_Connection' is missing from the configuration.");
+        var cnnStr = encryptor.Decrypt(eCnnStr);
+        return cnnStr;
+    });
+
    app.UseCors("DefaultCorsPolicy");

    if (builder.Configuration.GetValue<bool>("UseSwagger"))
--- a/DigitalData.UserManager.API/appsettings.Development.json
+++ b/DigitalData.UserManager.API/appsettings.Development.json
@@ -5,9 +5,6 @@
      "Microsoft.AspNetCore": "Warning"
    }
  },
-  "ConnectionStrings": {
-    "DD_ECM_Connection": "Server=SDD-VMP04-SQL17\\DD_DEVELOP01;Database=DD_ECM;User Id=sa;Password=dd;Encrypt=false;TrustServerCertificate=True;"
-  },
  "AllowedOrigins": [ "http://localhost:4200" ],
  "Jwt": {
    "Key": "pJBcBWZSjsWlhi1OlCcw6ERTMRNb7qsdvsfvdfbagdfbdfsSDGSDMhsjkfdhsdfbgkHKSDF",
--- a/DigitalData.UserManager.API/appsettings.json
+++ b/DigitalData.UserManager.API/appsettings.json
@@ -6,10 +6,9 @@
    }
  },
  "ConnectionStrings": {
-    "DD_ECM_Connection": "Server=SDD-VMP04-SQL17\\DD_DEVELOP01;Database=DD_ECM;User Id=sa;Password=dd;Encrypt=false;TrustServerCertificate=True;"
+    "DD_ECM_Connection": "cIFSoeMqHel7SDkAj4MWjy1UHrNJgoHrLkBJ/I/1Y95MsV9vFQjJLn6Shm9qtAyymwSNrX9s+78mW2PX4KulSA/KAaRwNQteP6SHrX0nNOJptot8TcohuiT0m9K2M/GsJEnLyJ+3yb0nJHR5yzRaVvjl8ERhgntW47dFMni98YA="
  },
-  "AllowedOrigins": [ "http://172.24.12.39:85", "http://localhost:85", "http://localhost:4200", "http://localhost:5500", "https://localhost:7202" ],
-  "UseSwagger": true,
+  "AllowedOrigins": [ "https://localhost:7103", "http://172.24.12.39:85", "http://localhost:85", "http://localhost:4200", "http://localhost:5500", "https://localhost:7202" ],
  "RunAsWindowsService": false,
  "DirectorySearchOptions": {
    "ServerName": "DD-VMP01-DC01",
@@ -67,5 +66,12 @@
        "writeTo": "criticalLogs"
      }
    ]
-  }
+  },
+  "EncryptionParameters": {
+    "Key": "JGPwHVD0BQmC7upi5OV11PzzIk47ugTJoqBV/et5w40=",
+    "IV": "gMuetIjlPvJnSzu+i7I3xg=="
+  },
+  // Delete below in production
+  "UseEncryptor": true,
+  "UseSwagger": true
 }