.NET 9

swiss-ssi-group · Dec 15, 2024 · 9b02591 · 9b02591
1 parent f530f20
commit 9b02591
Show file tree

Hide file tree

Showing 8 changed files with 164 additions and 218 deletions.
diff --git a/IssuerDrivingLicense/IssuerDrivingLicense.csproj b/IssuerDrivingLicense/IssuerDrivingLicense.csproj
@@ -21,8 +21,8 @@
 
     <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="9.0.0" />
     <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="9.0.0" />
-    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.24.0" />
-    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="0.24.0" />
+    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="1.0.0-preview.2" />
+    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="1.0.0-preview.2" />
   </ItemGroup>
 
 </Project>
diff --git a/IssuerDrivingLicense/Program.cs b/IssuerDrivingLicense/Program.cs
@@ -1,18 +1,78 @@
-namespace IssuerDrivingLicense;
+using System.Configuration;
+using IssuerDrivingLicense;
+using IssuerDrivingLicense.Persistence;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Server.Kestrel.Core;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Identity.Web.UI;
+using Microsoft.Identity.Web;
 
-public class Program
+var builder = WebApplication.CreateBuilder(args);
+
+builder.WebHost.ConfigureKestrel(serverOptions =>
+{
+    serverOptions.AddServerHeader = false;
+});
+
+var services = builder.Services;
+var configuration = builder.Configuration;
+
+services.Configure<KestrelServerOptions>(options =>
+{
+    options.AllowSynchronousIO = true;
+});
+
+services.AddSecurityHeaderPolicies()
+    .SetPolicySelector(ctx => SecurityHeadersDefinitions
+        .GetHeaderPolicyCollection(builder.Environment.IsDevelopment()));
+
+services.Configure<CredentialSettings>(configuration.GetSection("CredentialSettings"));
+services.AddScoped<DriverLicenseService>();
+services.AddScoped<IssuerService>();
+
+services.AddDatabaseDeveloperPageExceptionFilter();
+services.AddDbContext<DrivingLicenseDbContext>(options =>
+    options.UseSqlServer(
+        configuration.GetConnectionString("DefaultConnection")));
+
+services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
+    .AddMicrosoftIdentityWebApp(configuration.GetSection("AzureAd"));
+
+services.AddAuthorization(options =>
+{
+    options.FallbackPolicy = options.DefaultPolicy;
+});
+
+services.AddDistributedMemoryCache();
+
+services.AddRazorPages()
+    .AddMvcOptions(options => { })
+    .AddMicrosoftIdentityUI();
+
+services.AddRazorPages();
+
+var app = builder.Build();
+
+app.UseSecurityHeaders();
+
+if (app.Environment.IsDevelopment())
+{
+    app.UseDeveloperExceptionPage();
+}
+else
 {
-    public static void Main(string[] args)
-    {
-        CreateHostBuilder(args).Build().Run();
-    }
-
-    public static IHostBuilder CreateHostBuilder(string[] args) =>
-    Host.CreateDefaultBuilder(args)
-        .ConfigureWebHostDefaults(webBuilder =>
-        {
-            webBuilder
-                .ConfigureKestrel(options => options.AddServerHeader = false)
-                .UseStartup<Startup>();
-        });
+    app.UseExceptionHandler("/Error");
 }
+
+app.UseHttpsRedirection();
+app.UseStaticFiles();
+
+app.UseRouting();
+
+app.UseAuthentication();
+app.UseAuthorization();
+
+app.MapRazorPages();
+app.MapControllers();
+
+app.Run();
diff --git a/IssuerDrivingLicense/SecurityHeadersDefinitions.cs b/IssuerDrivingLicense/SecurityHeadersDefinitions.cs
@@ -2,13 +2,22 @@ namespace IssuerDrivingLicense;
 
 public static class SecurityHeadersDefinitions
 {
+    private static HeaderPolicyCollection? policy;
+
     public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
     {
-        var policy = new HeaderPolicyCollection()
+        // Avoid building a new HeaderPolicyCollection on every request for performance reasons.
+        // Where possible, cache and reuse HeaderPolicyCollection instances.
+        if (policy != null)
+        {
+            return policy;
+        }
+
+        policy = new HeaderPolicyCollection()
             .AddFrameOptionsDeny()
-            .AddXssProtectionBlock()
             .AddContentTypeOptionsNoSniff()
             .AddReferrerPolicyStrictOriginWhenCrossOrigin()
+            .RemoveServerHeader()
             .AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
             .AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp())
             .AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
@@ -17,41 +26,21 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
                 builder.AddObjectSrc().None();
                 builder.AddBlockAllMixedContent();
                 builder.AddImgSrc().Self().From("data:");
-                builder.AddFormAction().Self();
                 builder.AddFontSrc().Self();
+                builder.AddFormAction().Self();
                 builder.AddStyleSrc().Self().UnsafeInline();
                 builder.AddBaseUri().Self();
-                builder.AddScriptSrc().Self().UnsafeInline().WithNonce();
+                builder.AddScriptSrc().UnsafeInline().WithNonce();
                 builder.AddFrameAncestors().None();
-                //builder.AddCustomDirective("require-trusted-types-for", "'script'");
             })
-            .RemoveServerHeader()
-            .AddPermissionsPolicy(builder =>
-            {
-                builder.AddAccelerometer().None();
-                builder.AddAutoplay().None();
-                builder.AddCamera().None();
-                builder.AddEncryptedMedia().None();
-                builder.AddFullscreen().All();
-                builder.AddGeolocation().None();
-                builder.AddGyroscope().None();
-                builder.AddMagnetometer().None();
-                builder.AddMicrophone().None();
-                builder.AddMidi().None();
-                builder.AddPayment().None();
-                builder.AddPictureInPicture().None();
-                builder.AddSyncXHR().None();
-                builder.AddUsb().None();
-            });
+            .AddPermissionsPolicyWithDefaultSecureDirectives();
 
         if (!isDev)
         {
             // maxage = one year in seconds
             policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
         }
 
-        policy.ApplyDocumentHeadersToAllResponses();
-
         return policy;
     }
 }
diff --git a/IssuerDrivingLicense/Startup.cs b/IssuerDrivingLicense/Startup.cs
diff --git a/VerifierInsuranceCompany/Program.cs b/VerifierInsuranceCompany/Program.cs
@@ -1,16 +1,59 @@
-namespace VerifierInsuranceCompany;
+using System.Configuration;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Server.Kestrel.Core;
+using VerifierInsuranceCompany;
 
-public class Program
+var builder = WebApplication.CreateBuilder(args);
+
+builder.WebHost.ConfigureKestrel(serverOptions =>
+{
+    serverOptions.AddServerHeader = false;
+});
+
+var services = builder.Services;
+var configuration = builder.Configuration;
+
+services.Configure<KestrelServerOptions>(options =>
+{
+    options.AllowSynchronousIO = true;
+});
+
+services.AddSecurityHeaderPolicies()
+    .SetPolicySelector(ctx => SecurityHeadersDefinitions
+        .GetHeaderPolicyCollection(builder.Environment.IsDevelopment()));
+
+services.AddScoped<VerifierService>();
+services.Configure<KestrelServerOptions>(options =>
+{
+    options.AllowSynchronousIO = true;
+});
+
+services.Configure<CredentialSettings>(configuration.GetSection("CredentialSettings"));
+services.AddHttpClient();
+services.AddDistributedMemoryCache();
+
+services.AddRazorPages();
+
+var app = builder.Build();
+
+app.UseSecurityHeaders();
+
+if (app.Environment.IsDevelopment())
 {
-    public static void Main(string[] args)
-    {
-        CreateHostBuilder(args).Build().Run();
-    }
-
-    public static IHostBuilder CreateHostBuilder(string[] args) =>
-        Host.CreateDefaultBuilder(args)
-            .ConfigureWebHostDefaults(webBuilder =>
-            {
-                webBuilder.UseStartup<Startup>();
-            });
+    app.UseDeveloperExceptionPage();
 }
+else
+{
+    app.UseExceptionHandler("/Error");
+    app.UseHsts();
+}
+
+app.UseHttpsRedirection();
+app.UseStaticFiles();
+app.UseRouting();
+
+app.MapControllers();
+app.MapRazorPages();
+
+app.Run();
diff --git a/VerifierInsuranceCompany/SecurityHeadersDefinitions.cs b/VerifierInsuranceCompany/SecurityHeadersDefinitions.cs
@@ -1,14 +1,23 @@
-namespace IssuerDrivingLicense;
+namespace VerifierInsuranceCompany;
 
 public static class SecurityHeadersDefinitions
 {
+    private static HeaderPolicyCollection? policy;
+
     public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
     {
-        var policy = new HeaderPolicyCollection()
+        // Avoid building a new HeaderPolicyCollection on every request for performance reasons.
+        // Where possible, cache and reuse HeaderPolicyCollection instances.
+        if (policy != null)
+        {
+            return policy;
+        }
+
+        policy = new HeaderPolicyCollection()
             .AddFrameOptionsDeny()
-            .AddXssProtectionBlock()
             .AddContentTypeOptionsNoSniff()
             .AddReferrerPolicyStrictOriginWhenCrossOrigin()
+            .RemoveServerHeader()
             .AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
             .AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp())
             .AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
@@ -17,41 +26,20 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
                 builder.AddObjectSrc().None();
                 builder.AddBlockAllMixedContent();
                 builder.AddImgSrc().Self().From("data:");
-                builder.AddFormAction().Self();
                 builder.AddFontSrc().Self();
-                builder.AddBaseUri().Self();
                 builder.AddStyleSrc().Self().UnsafeInline();
-                builder.AddScriptSrc().Self().UnsafeInline().WithNonce();
+                builder.AddBaseUri().Self();
+                builder.AddScriptSrc().UnsafeInline().WithNonce();
                 builder.AddFrameAncestors().None();
-                //builder.AddCustomDirective("require-trusted-types-for", "'script'");
             })
-            .RemoveServerHeader()
-            .AddPermissionsPolicy(builder =>
-            {
-                builder.AddAccelerometer().None();
-                builder.AddAutoplay().None();
-                builder.AddCamera().None();
-                builder.AddEncryptedMedia().None();
-                builder.AddFullscreen().All();
-                builder.AddGeolocation().None();
-                builder.AddGyroscope().None();
-                builder.AddMagnetometer().None();
-                builder.AddMicrophone().None();
-                builder.AddMidi().None();
-                builder.AddPayment().None();
-                builder.AddPictureInPicture().None();
-                builder.AddSyncXHR().None();
-                builder.AddUsb().None();
-            });
+            .AddPermissionsPolicyWithDefaultSecureDirectives();
 
         if (!isDev)
         {
             // maxage = one year in seconds
             policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
         }
 
-        policy.ApplyDocumentHeadersToAllResponses();
-
         return policy;
     }
 }