Listen on https by default if the cert is present

Tratcher · Tratcher · commit 37b20c2dca81 · 2017-11-30T16:25:23.000-08:00
diff --git a/src/Kestrel.Core/CoreStrings.resx b/src/Kestrel.Core/CoreStrings.resx
@@ -465,4 +465,7 @@
   <data name="UnableToConfigureHttpsBindings" xml:space="preserve">
     <value>Unable to configure default https bindings because no IDefaultHttpsProvider service was provided.</value>
   </data>
+  <data name="BindingToDefaultAddresses" xml:space="preserve">
+    <value>No listening endpoints were configured. Binding to {address0} and {address1} by default.</value>
+  </data>
 </root>
diff --git a/src/Kestrel.Core/Internal/AddressBinder.cs b/src/Kestrel.Core/Internal/AddressBinder.cs
@@ -6,6 +6,7 @@
 using System.IO;
 using System.Linq;
 using System.Net;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting.Server.Features;
@@ -163,12 +164,33 @@ private class DefaultAddressStrategy : IStrategy
         {
             public async Task BindAsync(AddressBindContext context)
             {
-                context.Logger.LogDebug(CoreStrings.BindingToDefaultAddress, Constants.DefaultServerAddress);
-
                 var options = ParseAddress(Constants.DefaultServerAddress, out var https);
                 options.KestrelServerOptions = context.ServerOptions;
                 context.ServerOptions.EndpointDefaults(options);
                 await options.BindAsync(context).ConfigureAwait(false);
+
+                // Conditional https default, only if a cert is available
+                options = ParseAddress(Constants.DefaultServerHttpsAddress, out https);
+                options.KestrelServerOptions = context.ServerOptions;
+                context.ServerOptions.EndpointDefaults(options);
+
+                if (!options.ConnectionAdapters.Any(f => f.IsHttps))
+                {
+                    try
+                    {
+                        context.DefaultHttpsProvider.ConfigureHttps(options);
+                    }
+                    catch (Exception)
+                    {
+                        // No default cert is available
+                        context.Logger.LogDebug(CoreStrings.BindingToDefaultAddress, Constants.DefaultServerAddress);
+                        return;
+                    }
+                }
+
+                context.Logger.LogDebug(CoreStrings.BindingToDefaultAddresses,
+                    Constants.DefaultServerAddress, Constants.DefaultServerHttpsAddress);
+                await options.BindAsync(context).ConfigureAwait(false);
             }
         }
 
@@ -260,6 +282,8 @@ private UnconfiguredDefaultHttpsProvider()
             {
             }
 
+            public X509Certificate2 Certificate => null;
+
             public void ConfigureHttps(ListenOptions listenOptions)
             {
                 // We have to throw here. If this is called, it's because the user asked for "https" binding but for some
diff --git a/src/Kestrel.Core/Internal/IDefaultHttpsProvider.cs b/src/Kestrel.Core/Internal/IDefaultHttpsProvider.cs
@@ -1,10 +1,21 @@
 ﻿// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System.Security.Cryptography.X509Certificates;
+
 namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal
 {
     public interface IDefaultHttpsProvider
     {
+        /// <summary>
+        /// Returns the default certificate, if available, otherwise null.
+        /// </summary>
+        X509Certificate2 Certificate { get; }
+
+        /// <summary>
+        /// Adds the https connection adapter using the default certificate. This throws if the certificate is not available.
+        /// </summary>
+        /// <param name="listenOptions"></param>
         void ConfigureHttps(ListenOptions listenOptions);
     }
 }
diff --git a/src/Kestrel.Core/Internal/Infrastructure/Constants.cs b/src/Kestrel.Core/Internal/Infrastructure/Constants.cs
@@ -13,6 +13,7 @@ internal static class Constants
         /// The IPEndPoint Kestrel will bind to if nothing else is specified.
         /// </summary>
         public static readonly string DefaultServerAddress = "http://localhost:5000";
+        public static readonly string DefaultServerHttpsAddress = "https://localhost:5001";
 
         /// <summary>
         /// Prefix of host name used to specify Unix sockets in the configuration.
diff --git a/src/Kestrel.Core/Properties/CoreStrings.Designer.cs b/src/Kestrel.Core/Properties/CoreStrings.Designer.cs
diff --git a/src/Kestrel/Internal/DefaultHttpsProvider.cs b/src/Kestrel/Internal/DefaultHttpsProvider.cs
@@ -23,25 +23,37 @@ public DefaultHttpsProvider(ILogger<DefaultHttpsProvider> logger)
             _logger = logger;
         }
 
+        public X509Certificate2 Certificate => GetDefaultCert();
+
         public void ConfigureHttps(ListenOptions listenOptions)
         {
-            var certificate = GetDefaultCert();
+            listenOptions.UseHttps(options =>
+            {
+                // ConfigureHttpsDefaults may have set the default cert.
+                if (options.ServerCertificate == null)
+                {
+                    options.ServerCertificate = GetDefaultCert();
+                    if (options.ServerCertificate == null)
+                    {
+                        throw new InvalidOperationException(KestrelStrings.HttpsUrlProvidedButNoDevelopmentCertificateFound);
+                    }
+                }
+            });
+        }
+
+        private X509Certificate2 GetDefaultCert()
+        {
+            var certificate = _certificateManager.ListCertificates(CertificatePurpose.HTTPS, StoreName.My, StoreLocation.CurrentUser, isValid: true)
+                .FirstOrDefault();
             if (certificate != null)
             {
                 _logger.LocatedDevelopmentCertificate(certificate);
-                listenOptions.UseHttps(certificate);
             }
             else
             {
                 _logger.UnableToLocateDevelopmentCertificate();
-                throw new InvalidOperationException(KestrelStrings.HttpsUrlProvidedButNoDevelopmentCertificateFound);
             }
-        }
-
-        internal static X509Certificate2 GetDefaultCert()
-        {
-            return _certificateManager.ListCertificates(CertificatePurpose.HTTPS, StoreName.My, StoreLocation.CurrentUser, isValid: true)
-                .FirstOrDefault();
+            return certificate;
         }
     }
 }
diff --git a/src/Kestrel/KestrelConfigBuilder.cs b/src/Kestrel/KestrelConfigBuilder.cs
@@ -79,11 +79,13 @@ public void Build()
                     }
                     else if (certInfo.IsStoreCert)
                     {
+                        // TODO: Throw if the cert cannot be loaded, FileCert does.
                         httpsOptions.ServerCertificate = LoadFromStoreCert(certInfo);
                     }
                     else if (httpsOptions.ServerCertificate == null)
                     {
-                        httpsOptions.ServerCertificate = DefaultHttpsProvider.GetDefaultCert();
+                        var provider = Options.ApplicationServices.GetRequiredService<IDefaultHttpsProvider>();
+                        httpsOptions.ServerCertificate = provider.Certificate; // May be null
                     }
                 }
 

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,21 @@`
`1`	`1`	`// Copyright (c) .NET Foundation. All rights reserved.`
`2`	`2`	`// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.`
`3`	`3`
	`4`	`+using System.Security.Cryptography.X509Certificates;`
	`5`	`+`
`4`	`6`	`namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal`
`5`	`7`	`{`
`6`	`8`	`public interface IDefaultHttpsProvider`
`7`	`9`	`{`
	`10`	`+ /// <summary>`
	`11`	`+ /// Returns the default certificate, if available, otherwise null.`
	`12`	`+ /// </summary>`
	`13`	`+ X509Certificate2 Certificate { get; }`
	`14`	`+`
	`15`	`+ /// <summary>`
	`16`	`+ /// Adds the https connection adapter using the default certificate. This throws if the certificate is not available.`
	`17`	`+ /// </summary>`
	`18`	`+ /// <param name="listenOptions"></param>`
`8`	`19`	`void ConfigureHttps(ListenOptions listenOptions);`
`9`	`20`	`}`
`10`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,25 +23,37 @@ public DefaultHttpsProvider(ILogger<DefaultHttpsProvider> logger)`
`23`	`23`	`_logger = logger;`
`24`	`24`	`}`
`25`	`25`
	`26`	`+ public X509Certificate2 Certificate => GetDefaultCert();`
	`27`	`+`
`26`	`28`	`public void ConfigureHttps(ListenOptions listenOptions)`
`27`	`29`	`{`
`28`		`- var certificate = GetDefaultCert();`
	`30`	`+ listenOptions.UseHttps(options =>`
	`31`	`+ {`
	`32`	`+ // ConfigureHttpsDefaults may have set the default cert.`
	`33`	`+ if (options.ServerCertificate == null)`
	`34`	`+ {`
	`35`	`+ options.ServerCertificate = GetDefaultCert();`
	`36`	`+ if (options.ServerCertificate == null)`
	`37`	`+ {`
	`38`	`+ throw new InvalidOperationException(KestrelStrings.HttpsUrlProvidedButNoDevelopmentCertificateFound);`
	`39`	`+ }`
	`40`	`+ }`
	`41`	`+ });`
	`42`	`+ }`
	`43`	`+`
	`44`	`+ private X509Certificate2 GetDefaultCert()`
	`45`	`+ {`
	`46`	`+ var certificate = _certificateManager.ListCertificates(CertificatePurpose.HTTPS, StoreName.My, StoreLocation.CurrentUser, isValid: true)`
	`47`	`+ .FirstOrDefault();`
`29`	`48`	`if (certificate != null)`
`30`	`49`	`{`
`31`	`50`	`_logger.LocatedDevelopmentCertificate(certificate);`
`32`		`- listenOptions.UseHttps(certificate);`
`33`	`51`	`}`
`34`	`52`	`else`
`35`	`53`	`{`
`36`	`54`	`_logger.UnableToLocateDevelopmentCertificate();`
`37`		`- throw new InvalidOperationException(KestrelStrings.HttpsUrlProvidedButNoDevelopmentCertificateFound);`
`38`	`55`	`}`
`39`		`- }`
`40`		`-`
`41`		`- internal static X509Certificate2 GetDefaultCert()`
`42`		`- {`
`43`		`- return _certificateManager.ListCertificates(CertificatePurpose.HTTPS, StoreName.My, StoreLocation.CurrentUser, isValid: true)`
`44`		`- .FirstOrDefault();`
	`56`	`+ return certificate;`
`45`	`57`	`}`
`46`	`58`	`}`
`47`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -79,11 +79,13 @@ public void Build()`
`79`	`79`	`}`
`80`	`80`	`else if (certInfo.IsStoreCert)`
`81`	`81`	`{`
	`82`	`+ // TODO: Throw if the cert cannot be loaded, FileCert does.`
`82`	`83`	`httpsOptions.ServerCertificate = LoadFromStoreCert(certInfo);`
`83`	`84`	`}`
`84`	`85`	`else if (httpsOptions.ServerCertificate == null)`
`85`	`86`	`{`
`86`		`- httpsOptions.ServerCertificate = DefaultHttpsProvider.GetDefaultCert();`
	`87`	`+ var provider = Options.ApplicationServices.GetRequiredService<IDefaultHttpsProvider>();`
	`88`	`+ httpsOptions.ServerCertificate = provider.Certificate; // May be null`
`87`	`89`	`}`
`88`	`90`	`}`
`89`	`91`