Add test for mutual TLS authentication

Author: justcoding121

src/Titanium.Web.Proxy/CertificateHandler.cs

@@ -56,13 +56,6 @@ internal bool ValidateServerCertificate(object sender, SessionEventArgsBase sess
         {
             X509Certificate? clientCertificate = null;
 
-            //TODO: Can we use client certificate from client socket's Sslstream.RemoteCertificate?
-            //Because only the client can provide the correct certificate.
-            //Proxy has no idea about client certificate when its running on a remote machine.
-            //That would mean we need to delay AuthenticateAsServer call with client until we reach this method
-            //and decide right here if we should set SslServerAuthenticationOptions.ClientCertificateRequired = true for clientStream.AuthenticateAsServer call.
-            //Sounds like a very complicated change, but technically possible.
-
             //fallback to the first client certificate from proxy machine certificate store
             if (acceptableIssuers != null && acceptableIssuers.Length > 0 && localCertificates != null &&
                 localCertificates.Count > 0)
@@ -92,7 +85,7 @@ internal bool ValidateServerCertificate(object sender, SessionEventArgsBase sess
                     ClientCertificate = clientCertificate
                 };
 
-                // why is the sender null?
+               
                 ClientCertificateSelectionCallback.InvokeAsync(this, args, ExceptionFunc).Wait();
                 return args.ClientCertificate;
             }

tests/Titanium.Web.Proxy.IntegrationTests/HttpsTests.cs

@@ -1,6 +1,8 @@
 using System;
+using System.IO;
 using System.Net;
 using System.Net.Http;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.VisualStudio.TestTools.UnitTesting;
@@ -62,5 +64,36 @@ public async Task Can_Handle_Https_Fake_Tunnel_Request()
             Assert.AreEqual("I am server. I received your greetings.", body);
         }
 
+        [TestMethod]
+        public async Task Can_Handle_Https_Mutual_Tls_Request()
+        {
+            var testSuite = new TestSuite(true);
+
+            var server = testSuite.GetServer();
+            server.HandleRequest((context) =>
+            {
+                return context.Response.WriteAsync("I am server. I received your greetings.");
+            });
+
+            var proxy = testSuite.GetProxy();
+            var clientCert = proxy.CertificateManager.CreateCertificate("client.com", false);
+       
+            proxy.ClientCertificateSelectionCallback += async (sender, e) =>
+            {        
+                e.ClientCertificate = clientCert;
+                await Task.CompletedTask;
+            };
+
+            var client = testSuite.GetClient(proxy);
+
+            var response = await client.PostAsync(new Uri(server.ListeningHttpsUrl),
+                                        new StringContent("hello server. I am a client."));
+
+            Assert.AreEqual(HttpStatusCode.OK, response.StatusCode);
+            var body = await response.Content.ReadAsStringAsync();
+
+            Assert.AreEqual("I am server. I received your greetings.", body);
+        }
+
     }
 }

tests/Titanium.Web.Proxy.IntegrationTests/Setup/TestServer.cs

@@ -4,12 +4,18 @@
 using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore;
+using Microsoft.AspNetCore.Authentication.Certificate;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Connections;
 using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Hosting.Server;
 using Microsoft.AspNetCore.Hosting.Server.Features;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Features;
+using Microsoft.AspNetCore.Server.Kestrel.Https;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
 
 namespace Titanium.Web.Proxy.IntegrationTests.Setup
 {
@@ -24,42 +30,57 @@ public class TestServer : IDisposable
         public int HttpsListeningPort { get; private set; }
         public int TcpListeningPort { get; private set; }
 
-        private IWebHost host;
-        public TestServer(X509Certificate2 serverCertificate)
+        private readonly IHost host;
+        public TestServer(X509Certificate2 serverCertificate, bool requireMutualTls)
         {
-            var startUp = new Startup(() => requestHandler);
-
-            host = WebHost.CreateDefaultBuilder()
-                         .ConfigureServices(s =>
+            host = Host.CreateDefaultBuilder()
+                         .ConfigureLogging(logging =>
+                         {
+                             logging.ClearProviders();
+                             logging.AddDebug();
+                             logging.SetMinimumLevel(LogLevel.Trace);
+                         })
+                         .ConfigureWebHostDefaults(webBuilder =>
                          {
-                             s.AddSingleton<IStartup>(startUp);
+                             webBuilder.UseStartup(x => new Startup(() => requestHandler));
+                             webBuilder.ConfigureKestrel(options =>
+                             {
+                                 options.Listen(IPAddress.Loopback, 0);
+                                 if (requireMutualTls)
+                                 {
+                                     options.ConfigureHttpsDefaults(options =>
+                                     {
+                                         options.ClientCertificateValidation = (certificate, chain, errors) =>
+                                         {
+                                             return true;
+                                         };
+                                         options.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
+                                     });
+                                 }
+                                 options.Listen(IPAddress.Loopback, 0, listenOptions =>
+                                 {
+                                     listenOptions.UseHttps(serverCertificate);
+                                 });
+                                 options.Listen(IPAddress.Loopback, 0, listenOptions =>
+                                 {
+                                     listenOptions.Run(context =>
+                                     {
+                                         if (tcpRequestHandler == null)
+                                         {
+                                             throw new Exception("Test server not configured to handle tcp request.");
+                                         }
+
+                                         return tcpRequestHandler(context);
+                                     });
+                                 });
+                             });
                          })
-                          .UseKestrel(options =>
-                          {
-                              options.Listen(IPAddress.Loopback, 0);
-                              options.Listen(IPAddress.Loopback, 0, listenOptions =>
-                              {
-                                  listenOptions.UseHttps(serverCertificate);
-                              });
-                              options.Listen(IPAddress.Loopback, 0, listenOptions =>
-                              {
-                                  listenOptions.Run(context =>
-                                  {
-                                      if (tcpRequestHandler == null)
-                                      {
-                                          throw new Exception("Test server not configured to handle tcp request.");
-                                      }
-
-                                      return tcpRequestHandler(context);
-                                  });
-                              });
-                          })
                         .Build();
 
             host.Start();
 
-            var addresses = host.ServerFeatures
-                        .Get<IServerAddressesFeature>()
+            var addresses = host.Services.GetRequiredService<IServer>()
+                         .Features.Get<IServerAddressesFeature>()
                         .Addresses.ToArray();
 
             HttpListeningPort = new Uri(addresses[0]).Port;
@@ -86,7 +107,7 @@ public void Dispose()
             host.Dispose();
         }
 
-        private class Startup : IStartup
+        private class Startup
         {
             Func<Func<HttpContext, Task>> requestHandler;
             public Startup(Func<Func<HttpContext, Task>> requestHandler)
@@ -108,9 +129,9 @@ public void Configure(IApplicationBuilder app)
 
             }
 
-            public IServiceProvider ConfigureServices(IServiceCollection services)
+            public void ConfigureServices(IServiceCollection services)
             {
-                return services.BuildServiceProvider();
+
             }
         }
     }

tests/Titanium.Web.Proxy.IntegrationTests/Setup/TestSuite.cs

@@ -8,11 +8,11 @@ public class TestSuite
     {
         private TestServer server;
 
-        public TestSuite()
+        public TestSuite(bool requireMutualTls = false)
         {
             var dummyProxy = new ProxyServer();
             var serverCertificate = dummyProxy.CertificateManager.CreateServerCertificate("localhost").Result;
-            server = new TestServer(serverCertificate);
+            server = new TestServer(serverCertificate, requireMutualTls);
         }
 
         public TestServer GetServer()

tests/Titanium.Web.Proxy.IntegrationTests/Titanium.Web.Proxy.IntegrationTests.csproj

@@ -14,6 +14,7 @@
 
   <ItemGroup>
     <FrameworkReference Include="Microsoft.AspNetCore.App" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.Certificate" Version="5.0.7" />
     <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="5.0.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.8.0" />
     <PackageReference Include="MSTest.TestAdapter" Version="2.1.2" />