CMS-Enterprise · talentedmrjones · Jun 10, 2024 · Jun 7, 2024 · Jun 7, 2024 · Jun 7, 2024
diff --git a/.github/workflows/orchestration.yml b/.github/workflows/orchestration.yml
@@ -51,7 +51,7 @@ jobs:
     needs: 
       - diff
       - backend
-    if: contains(needs.diff.outputs.infrastructure, 'infrastructure/') || needs.backend.result=='success'
+    if: contains(needs.diff.outputs.infrastructure, 'infrastructure/') && !cancelled()
     uses: ./.github/workflows/infrastructure.yml
     with:
       environment: DEV

diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -8,16 +8,17 @@ RUN update-ca-certificates && openssl req -x509 -newkey rsa:2048 -keyout key.pem
 
 COPY ./go.mod /src/
 COPY ./go.sum /src/
-COPY ./cmd/ /src/cmd/
+COPY ./cmd/api /src/cmd/api
 COPY ./internal/ /src/internal/
 
-RUN go install ./cmd/api/...
+# enable FIPS only crypto
+RUN go build ./cmd/api/...
 
 FROM --platform=linux/amd64 scratch
 
 WORKDIR /src
 
-COPY --from=builder /go/bin/api /usr/local/bin/ztmfapi
+COPY --from=builder /src/api /usr/local/bin/ztmfapi
 COPY --from=builder /src/*.pem /src/
 COPY --from=builder /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
 COPY --from=builder /usr/lib/x86_64-linux-gnu/libc.so.6 /usr/lib/x86_64-linux-gnu/libc.so.6

diff --git a/backend/cmd/api/handler.go b/backend/cmd/api/handler.go
@@ -1,17 +1,37 @@
 package main
 
 import (
+	"log"
+	"net/http"
+
 	"github.com/graph-gophers/graphql-go"
 	"github.com/graph-gophers/graphql-go/relay"
 )
 
 type rootResolver struct{}
 
-func HttpHandler() (*relay.Handler, error) {
+var tlsConstants = map[uint16]string{
+	0x1301: "TLS_AES_128_GCM_SHA256",
+	0x1302: "TLS_AES_256_GCM_SHA384",
+	0x1303: "TLS_CHACHA20_POLY1305_SHA256",
+	0x0301: "VersionTLS10",
+	0x0302: "VersionTLS11",
+	0x0303: "VersionTLS12",
+	0x0304: "VersionTLS13",
+}
+
+func HttpHandler() (http.Handler, error) {
 	schema, err := graphql.ParseSchema(schema, &rootResolver{})
 	if err != nil {
 		return nil, err
 	}
 
-	return &relay.Handler{Schema: schema}, nil
+	return logRequest(&relay.Handler{Schema: schema}), nil
+}
+
+func logRequest(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		log.Printf("%s %s\r", tlsConstants[r.TLS.Version], tlsConstants[r.TLS.CipherSuite])
+		next.ServeHTTP(w, r)
+	})
 }
diff --git a/backend/cmd/api/main.go b/backend/cmd/api/main.go
@@ -1,14 +1,15 @@
 package main
 
 import (
+	"crypto/tls"
 	"log"
 	"net/http"
 
 	"github.com/CMS-Enterprise/ztmf/backend/internal/config"
 )
 
 func main() {
-
+	log.SetFlags(0)
 	cfg := config.GetInstance()
 
 	handler, err := HttpHandler()
@@ -19,8 +20,33 @@ func main() {
 	http.Handle("/graphql", handler)
 
 	log.Printf("%s environment listening on %s\n", cfg.Env, cfg.Port)
+
 	if cfg.CertFile != "" && cfg.KeyFile != "" {
-		log.Fatal("could not listen and serve:", http.ListenAndServeTLS(":"+cfg.Port, cfg.CertFile, cfg.KeyFile, nil))
+		log.Print("Loading TLS configuration")
+		cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		tlsConfig := &tls.Config{
+			Certificates: []tls.Certificate{cert},
+			CipherSuites: []uint16{
+				tls.TLS_AES_128_GCM_SHA256,
+				tls.TLS_AES_256_GCM_SHA384,
+			},
+			MinVersion: tls.VersionTLS13,
+		}
+
+		server := &http.Server{
+			Addr:      ":" + cfg.Port,
+			Handler:   handler,
+			TLSConfig: tlsConfig,
+		}
+		err = server.ListenAndServeTLS("", "")
+		if err != nil {
+			log.Fatalf("Failed to start server: %v", err)
+		}
+
 	} else {
 		log.Fatal("could not listen and serve:", http.ListenAndServe(":"+cfg.Port, nil))
 	}

diff --git a/infrastructure/alb.tf b/infrastructure/alb.tf
@@ -84,7 +84,7 @@ resource "aws_lb_listener" "ztmf_alb_https" {
   load_balancer_arn = aws_lb.ztmf.arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
+  ssl_policy        = "ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04"
   certificate_arn   = data.aws_acm_certificate.ztmf.id
 
   default_action {