dohertj2/mxaccessgw
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(gateway): detect Certificate:Thumbprint and cover more KestrelTlsInspector cases

Browse Source
This commit is contained in:
Joseph Doherty
2026-06-01 07:22:24 -04:00
parent ba82afe669
commit 192607ab8c
2 changed files with 36 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/ZB.MOM.WW.MxGateway.Server/Security/Tls/KestrelTlsInspector.cs
+9 -1
View File
@@ -9,6 +9,13 @@ namespace ZB.MOM.WW.MxGateway.Server.Security.Tls;
/// </summary> /// </summary>
public static class KestrelTlsInspector public static class KestrelTlsInspector
{ {
/// <summary>
/// Returns <see langword="true"/> when at least one HTTPS endpoint in
/// <c>Kestrel:Endpoints</c> has no certificate of its own (no
/// <c>Certificate:Path</c>, <c>Certificate:Subject</c>, or
/// <c>Certificate:Thumbprint</c>), meaning the gateway must supply a
/// generated fallback certificate.
/// </summary>
public static bool RequiresGeneratedCertificate(IConfiguration configuration) public static bool RequiresGeneratedCertificate(IConfiguration configuration)
{ {
IConfigurationSection endpoints = configuration.GetSection("Kestrel:Endpoints"); IConfigurationSection endpoints = configuration.GetSection("Kestrel:Endpoints");
@@ -24,7 +31,8 @@ public static class KestrelTlsInspector
IConfigurationSection certificate = endpoint.GetSection("Certificate"); IConfigurationSection certificate = endpoint.GetSection("Certificate");
bool hasOwnCertificate = bool hasOwnCertificate =
!string.IsNullOrWhiteSpace(certificate["Path"]) || !string.IsNullOrWhiteSpace(certificate["Path"]) ||
!string.IsNullOrWhiteSpace(certificate["Subject"]); !string.IsNullOrWhiteSpace(certificate["Subject"]) ||
!string.IsNullOrWhiteSpace(certificate["Thumbprint"]);
if (!hasOwnCertificate) if (!hasOwnCertificate)
{ {
src/ZB.MOM.WW.MxGateway.Tests/Security/Tls/KestrelTlsInspectorTests.cs
+27
View File
@@ -31,4 +31,31 @@ public sealed class KestrelTlsInspectorTests
[Fact] [Fact]
public void RequiresGeneratedCertificate_False_WhenNoEndpointsConfigured() public void RequiresGeneratedCertificate_False_WhenNoEndpointsConfigured()
=> Assert.False(KestrelTlsInspector.RequiresGeneratedCertificate(Config())); => Assert.False(KestrelTlsInspector.RequiresGeneratedCertificate(Config()));
[Fact]
public void RequiresGeneratedCertificate_False_WhenHttpsEndpointHasThumbprintOnly()
=> Assert.False(KestrelTlsInspector.RequiresGeneratedCertificate(
Config(
("Kestrel:Endpoints:Https:Url", "https://0.0.0.0:5120"),
("Kestrel:Endpoints:Https:Certificate:Thumbprint", "AABBCCDDEEFF00112233445566778899AABBCCDD"))));
[Fact]
public void RequiresGeneratedCertificate_False_WhenHttpsEndpointHasSubjectOnly()
=> Assert.False(KestrelTlsInspector.RequiresGeneratedCertificate(
Config(
("Kestrel:Endpoints:Https:Url", "https://0.0.0.0:5120"),
("Kestrel:Endpoints:Https:Certificate:Subject", "CN=myserver"))));
[Fact]
public void RequiresGeneratedCertificate_True_WhenHttpsUrlIsUppercase()
=> Assert.True(KestrelTlsInspector.RequiresGeneratedCertificate(
Config(("Kestrel:Endpoints:Https:Url", "HTTPS://0.0.0.0:5120"))));
[Fact]
public void RequiresGeneratedCertificate_True_WhenMixedEndpointsAndOneHttpsHasNoCert()
=> Assert.True(KestrelTlsInspector.RequiresGeneratedCertificate(
Config(
("Kestrel:Endpoints:Grpc:Url", "https://0.0.0.0:5120"),
("Kestrel:Endpoints:Grpc:Certificate:Thumbprint", "AABBCCDDEEFF00112233445566778899AABBCCDD"),
("Kestrel:Endpoints:Dashboard:Url", "https://0.0.0.0:5130"))));
} }