Introduce KestrelServerOptions.HasDefaultOrDevelopmentCertificate

amcasey · amcasey · commit 9eff630a1a1f · 2023-05-03T17:14:23.000-07:00
...as a way to determine whether a certificate is available before invoking `KestrelServerOptions.Listen` and possibly failing in `ListenOptions.UseHttps`. Fixes dotnet#28120
diff --git a/src/Servers/Kestrel/Core/src/CoreStrings.resx b/src/Servers/Kestrel/Core/src/CoreStrings.resx
@@ -734,4 +734,7 @@ For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?l
   <data name="NeedHttpsConfigurationToBindHttpsAddresses" xml:space="preserve">
     <value>Call UseKestrelHttpsConfiguration() on IWebHostBuilder to automatically enable HTTPS when an https:// address is used.</value>
   </data>
+  <data name="NeedConfigurationToRetrieveServerCertificate" xml:space="preserve">
+    <value>Call KestrelConfigurationLoader.Load() before retrieving the server certificate.</value>
+  </data>
 </root>
diff --git a/src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs b/src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs
@@ -18,7 +18,7 @@ public class KestrelConfigurationLoader
 {
     private readonly IHttpsConfigurationService _httpsConfigurationService;
 
-    private bool _loaded;
+    internal bool IsLoaded { get; private set; }
 
     internal KestrelConfigurationLoader(
         KestrelServerOptions options,
@@ -234,12 +234,12 @@ internal void ApplyHttpsDefaults(HttpsConnectionAdapterOptions httpsOptions)
     /// </summary>
     public void Load()
     {
-        if (_loaded)
+        if (IsLoaded)
         {
             // The loader has already been run.
             return;
         }
-        _loaded = true;
+        IsLoaded = true;
 
         Reload();
 
diff --git a/src/Servers/Kestrel/Core/src/KestrelServerOptions.cs b/src/Servers/Kestrel/Core/src/KestrelServerOptions.cs
@@ -585,4 +585,30 @@ public void ListenNamedPipe(string pipeName, Action<ListenOptions> configure)
         configure(listenOptions);
         CodeBackedListenOptions.Add(listenOptions);
     }
+
+    /// <summary>
+    /// Return true if there is a default or development server certificate.
+    /// Should not be called before the configuration is loaded, if there is one.
+    /// </summary>
+    /// <returns>True if there is a default or development server certificate, false otherwise.</returns>
+    /// <exception cref="InvalidOperationException">If there is a configuration and it has not been loaded.</exception>
+    public bool HasDefaultOrDevelopmentCertificate
+    {
+        get
+        {
+            if (ConfigurationLoader is { IsLoaded: false })
+            {
+                throw new InvalidOperationException(CoreStrings.NeedConfigurationToRetrieveServerCertificate);
+            }
+
+            // We consider calls to `GetServerCertificate` to be a clear expression of user intent to pull in HTTPS configuration support
+            EnableHttpsConfiguration();
+
+            var httpsOptions = new HttpsConnectionAdapterOptions();
+            ApplyHttpsDefaults(httpsOptions);
+            ApplyDefaultCertificate(httpsOptions);
+
+            return httpsOptions.ServerCertificate is not null;
+        }
+    }
 }
diff --git a/src/Servers/Kestrel/Core/src/PublicAPI.Unshipped.txt b/src/Servers/Kestrel/Core/src/PublicAPI.Unshipped.txt
@@ -1,6 +1,7 @@
 #nullable enable
 Microsoft.AspNetCore.Server.Kestrel.Core.Features.ISslStreamFeature
 Microsoft.AspNetCore.Server.Kestrel.Core.Features.ISslStreamFeature.SslStream.get -> System.Net.Security.SslStream!
+Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerOptions.HasDefaultOrDevelopmentCertificate.get -> bool
 Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerOptions.ListenNamedPipe(string! pipeName) -> void
 Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerOptions.ListenNamedPipe(string! pipeName, System.Action<Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions!>! configure) -> void
-Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.PipeName.get -> string?
+Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.PipeName.get -> string?
diff --git a/src/Servers/Kestrel/Kestrel/test/HttpsConfigurationTests.cs b/src/Servers/Kestrel/Kestrel/test/HttpsConfigurationTests.cs
@@ -183,6 +183,29 @@ public async Task LoadEndpointCertificate(string address, bool useKestrelHttpsCo
         }
     }
 
+    [Fact]
+    public async Task HasDefaultOrDevelopmentCertificateJustWorks()
+    {
+        var hostBuilder = new WebHostBuilder()
+            .UseKestrelCore()
+            .ConfigureKestrel(serverOptions =>
+            {
+                var testCertificate = new X509Certificate2(Path.Combine("shared", "TestCertificates", "aspnetdevcert.pfx"), "testPassword");
+                serverOptions.TestOverrideDefaultCertificate = testCertificate;
+
+                Assert.True(serverOptions.HasDefaultOrDevelopmentCertificate);
+            })
+            .Configure(app => { });
+
+        var host = hostBuilder.Build();
+
+        // Binding succeeds
+        await host.StartAsync();
+        await host.StopAsync();
+
+        Assert.True(host.Services.GetRequiredService<IHttpsConfigurationService>().IsInitialized);
+    }
+
     [Fact]
     public async Task UseHttpsJustWorks()
     {
diff --git a/src/Servers/Kestrel/Kestrel/test/KestrelConfigurationLoaderTests.cs b/src/Servers/Kestrel/Kestrel/test/KestrelConfigurationLoaderTests.cs
@@ -384,6 +384,56 @@ void CheckListenOptions(X509Certificate2 expectedCert)
         }
     }
 
+    [Fact]
+    public void HasDefaultOrDevelopmentCertificate_DevelopmentCertificate()
+    {
+        try
+        {
+            var serverOptions = CreateServerOptions();
+            var certificate = new X509Certificate2(TestResources.GetCertPath("aspnetdevcert.pfx"), "testPassword", X509KeyStorageFlags.Exportable);
+            var bytes = certificate.Export(X509ContentType.Pkcs12, "1234");
+            var path = GetCertificatePath();
+            Directory.CreateDirectory(Path.GetDirectoryName(path));
+            File.WriteAllBytes(path, bytes);
+
+            var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string>("Certificates:Development:Password", "1234"),
+            }).Build();
+
+            serverOptions.Configure(config);
+            serverOptions.ConfigurationLoader.Load();
+
+            Assert.True(serverOptions.HasDefaultOrDevelopmentCertificate);
+        }
+        finally
+        {
+            if (File.Exists(GetCertificatePath()))
+            {
+                File.Delete(GetCertificatePath());
+            }
+        }
+    }
+
+    [Fact]
+    public void HasDefaultOrDevelopmentCertificate_DefaultCertificate()
+    {
+        var certificate = new X509Certificate2(TestResources.TestCertificatePath, "testPassword", X509KeyStorageFlags.Exportable);
+
+        var serverOptions = CreateServerOptions();
+
+        var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+        {
+            new KeyValuePair<string, string>("Certificates:Default:Path", TestResources.TestCertificatePath),
+            new KeyValuePair<string, string>("Certificates:Default:Password", "testPassword")
+        }).Build();
+
+        serverOptions.Configure(config);
+        serverOptions.ConfigurationLoader.Load();
+
+        Assert.True(serverOptions.HasDefaultOrDevelopmentCertificate);
+    }
+
     [Fact]
     public void ConfigureEndpoint_ThrowsWhen_The_PasswordIsMissing()
     {
diff --git a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs
@@ -775,6 +775,59 @@ await sslStream.AuthenticateAsClientAsync("127.0.0.1", clientCertificates: null,
         Assert.True(onAuthenticateCalled, "onAuthenticateCalled");
     }
 
+    [Fact]
+    public void HasDefaultOrDevelopmentCertificate_ConfigurationNotLoaded()
+    {
+        var serverOptions = CreateServerOptions();
+        serverOptions.TestOverrideDefaultCertificate = _x509Certificate2;
+
+        serverOptions.Configure();
+
+        Assert.Throws<InvalidOperationException>(() => serverOptions.HasDefaultOrDevelopmentCertificate);
+    }
+
+    [Fact]
+    public void HasDefaultOrDevelopmentCertificate_ConfigurationLoaded()
+    {
+        var serverOptions = CreateServerOptions();
+        serverOptions.TestOverrideDefaultCertificate = _x509Certificate2;
+
+        serverOptions.Configure();
+        serverOptions.ConfigurationLoader.Load();
+
+        Assert.True(serverOptions.HasDefaultOrDevelopmentCertificate);
+    }
+
+    [Fact]
+    public void HasDefaultOrDevelopmentCertificate_NoConfiguration()
+    {
+        var serverOptions = CreateServerOptions();
+        serverOptions.TestOverrideDefaultCertificate = _x509Certificate2;
+
+        Assert.True(serverOptions.HasDefaultOrDevelopmentCertificate);
+    }
+
+    [Fact]
+    public void HasDefaultOrDevelopmentCertificate_NoCertificate()
+    {
+        var serverOptions = CreateServerOptions();
+        serverOptions.IsDevelopmentCertificateLoaded = true; // Prevent the system default from being loaded
+
+        Assert.False(serverOptions.HasDefaultOrDevelopmentCertificate);
+    }
+
+    [Fact]
+    public void HasDefaultOrDevelopmentCertificate_FromHttpsDefaults()
+    {
+        var serverOptions = CreateServerOptions();
+        serverOptions.ConfigureHttpsDefaults(httpsOptions =>
+        {
+            httpsOptions.ServerCertificate = _x509Certificate2;
+        });
+
+        Assert.True(serverOptions.HasDefaultOrDevelopmentCertificate);
+    }
+
     private class HandshakeErrorLoggerProvider : ILoggerProvider
     {
         public HttpsConnectionFilterLogger FilterLogger { get; set; } = new HttpsConnectionFilterLogger();

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ public class KestrelConfigurationLoader`
`18`	`18`	`{`
`19`	`19`	`private readonly IHttpsConfigurationService _httpsConfigurationService;`
`20`	`20`
`21`		`- private bool _loaded;`
	`21`	`+ internal bool IsLoaded { get; private set; }`
`22`	`22`
`23`	`23`	`internal KestrelConfigurationLoader(`
`24`	`24`	`KestrelServerOptions options,`
`@@ -234,12 +234,12 @@ internal void ApplyHttpsDefaults(HttpsConnectionAdapterOptions httpsOptions)`
`234`	`234`	`/// </summary>`
`235`	`235`	`public void Load()`
`236`	`236`	`{`
`237`		`- if (_loaded)`
	`237`	`+ if (IsLoaded)`
`238`	`238`	`{`
`239`	`239`	`// The loader has already been run.`
`240`	`240`	`return;`
`241`	`241`	`}`
`242`		`- _loaded = true;`
	`242`	`+ IsLoaded = true;`
`243`	`243`
`244`	`244`	`Reload();`
`245`	`245`