5e01ad9c22
Mirror MxGatewayClient's three-branch handler structure in GalaxyRepositoryClient (CA-pin / lenient accept-all / OS trust) so the Galaxy endpoint works against the gateway's self-signed cert under the default lenient posture. Expose an internal CreateHttpHandlerForTests seam for unit testing. Add RemoteCertificateNameMismatch rejection at the top of both CA-pinned callbacks so a pinned-CA connection truly verifies the host. Strengthen existing lenient test to invoke the callback and assert it returns true; add mirrored Galaxy-client handler tests.
using System.Net.Http;
using System.Net.Security;
using ZB.MOM.WW.MxGateway.Client;
namespace ZB.MOM.WW.MxGateway.Client.Tests;
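/// <summary>
/// Handler-construction tests for the TLS posture of <c>MxGatewayClient</c>: the lenient
/// (accept-all) branch and the OS-trust branch.
/// </summary>
/// <remarks>
/// NOTE(review): the CA-pinned branch, which is the one that rejects
/// <see cref="SslPolicyErrors.RemoteCertificateNameMismatch"/>, has no handler test in this
/// file — TODO add one once a test CA fixture is available, so the host-name rejection is pinned
/// by a test rather than only by the implementation.
/// </remarks>
public sealed class MxGatewayClientTlsHandlerTests
{
    /// <summary>
    /// Verifies that when TLS is used with no pinned CA and RequireCertificateValidation is false (default),
    /// the handler installs an accept-all callback so the gateway's self-signed cert is trusted.
    /// The callback must return true for any <see cref="SslPolicyErrors"/> flags, including
    /// RemoteCertificateNameMismatch — the flag the CA-pinned posture rejects — so that the lenient
    /// posture is observably the only one that waives host verification.
    /// </summary>
    [Fact]
    public void Handler_SkipsVerification_WhenTlsAndNoCaPinned()
    {
        MxGatewayClientOptions options = new()
        {
            Endpoint = new Uri("https://localhost:5120"),
            ApiKey = "k",
            UseTls = true,
        };

        using SocketsHttpHandler handler = MxGatewayClient.CreateHttpHandlerForTests(options);
        RemoteCertificateValidationCallback? callback = handler.SslOptions.RemoteCertificateValidationCallback;

        Assert.NotNull(callback);
        // Null sender/certificate/chain are tolerable here only because the lenient callback ignores
        // its arguments; a pinned-CA callback would need a real chain to inspect.
        Assert.True(callback!(null!, null!, null, SslPolicyErrors.None));
        Assert.True(callback!(null!, null!, null, SslPolicyErrors.RemoteCertificateChainErrors));
        Assert.True(callback!(null!, null!, null,
            SslPolicyErrors.RemoteCertificateChainErrors | SslPolicyErrors.RemoteCertificateNameMismatch));
    }

    /// <summary>
    /// Verifies that when RequireCertificateValidation is true, the callback is left null
    /// so the OS trust store performs validation (chain and host name) with no override.
    /// </summary>
    [Fact]
    public void Handler_KeepsDefaultVerification_WhenRequireCertificateValidation()
    {
        MxGatewayClientOptions options = new()
        {
            Endpoint = new Uri("https://localhost:5120"),
            ApiKey = "k",
            UseTls = true,
            RequireCertificateValidation = true,
        };

        using SocketsHttpHandler handler = MxGatewayClient.CreateHttpHandlerForTests(options);

        // A null callback is the secure default: SocketsHttpHandler then defers to platform validation.
        Assert.Null(handler.SslOptions.RemoteCertificateValidationCallback);
    }
}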
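/// <summary>
/// Handler-construction tests for the TLS posture of <c>GalaxyRepositoryClient</c>, mirroring the
/// MxGatewayClient tests: the lenient (accept-all) branch and the OS-trust branch.
/// </summary>
/// <remarks>
/// NOTE(review): the CA-pinned branch, which is the one that rejects
/// <see cref="SslPolicyErrors.RemoteCertificateNameMismatch"/>, has no handler test in this
/// file — TODO add one once a test CA fixture is available, so the host-name rejection is pinned
/// by a test rather than only by the implementation.
/// </remarks>
public sealed class GalaxyRepositoryClientTlsHandlerTests
{
    /// <summary>
    /// Verifies that when TLS is used with no pinned CA and RequireCertificateValidation is false (default),
    /// the Galaxy client handler installs an accept-all callback so the gateway's self-signed cert is trusted.
    /// The callback must return true for any <see cref="SslPolicyErrors"/> flags, including
    /// RemoteCertificateNameMismatch — the flag the CA-pinned posture rejects — so that the lenient
    /// posture is observably the only one that waives host verification.
    /// </summary>
    [Fact]
    public void Handler_SkipsVerification_WhenTlsAndNoCaPinned()
    {
        MxGatewayClientOptions options = new()
        {
            Endpoint = new Uri("https://localhost:5120"),
            ApiKey = "k",
            UseTls = true,
        };

        using SocketsHttpHandler handler = GalaxyRepositoryClient.CreateHttpHandlerForTests(options);
        RemoteCertificateValidationCallback? callback = handler.SslOptions.RemoteCertificateValidationCallback;

        Assert.NotNull(callback);
        // Null sender/certificate/chain are tolerable here only because the lenient callback ignores
        // its arguments; a pinned-CA callback would need a real chain to inspect.
        Assert.True(callback!(null!, null!, null, SslPolicyErrors.None));
        Assert.True(callback!(null!, null!, null, SslPolicyErrors.RemoteCertificateChainErrors));
        Assert.True(callback!(null!, null!, null,
            SslPolicyErrors.RemoteCertificateChainErrors | SslPolicyErrors.RemoteCertificateNameMismatch));
    }

    /// <summary>
    /// Verifies that when RequireCertificateValidation is true, the Galaxy client callback is left null
    /// so the OS trust store performs validation (chain and host name) with no override.
    /// </summary>
    [Fact]
    public void Handler_KeepsDefaultVerification_WhenRequireCertificateValidation()
    {
        MxGatewayClientOptions options = new()
        {
            Endpoint = new Uri("https://localhost:5120"),
            ApiKey = "k",
            UseTls = true,
            RequireCertificateValidation = true,
        };

        using SocketsHttpHandler handler = GalaxyRepositoryClient.CreateHttpHandlerForTests(options);

        // A null callback is the secure default: SocketsHttpHandler then defers to platform validation.
        Assert.Null(handler.SslOptions.RemoteCertificateValidationCallback);
    }
}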