feat: add custom SSL root certificate support (#153)

* feat: add custom SSL root certificate support

* fix: lint errors

* fix: tests

* test: add temporary debug info

* feat: add DisableCertificateRevocationListCheck

* feat: add DisableCertificateRevocationListCheck

* fix: disable revocation errors if disabled

* test: more debug info

* test: more debug info

* test: remove debug info

* test: add more tests

* test: add more tests

* doc: update CHANGELOG.md

* fix: warnings

* docs: format doc-comments to render options as list in ClientConfig.cs

---------

Co-authored-by: karel rehor <[email protected]>

Author: jansimonb

CHANGELOG.md

@@ -1,5 +1,16 @@
 ## 1.1.0 [unreleased]
 
+### Features
+
+1. [#153](https://github.com/InfluxCommunity/influxdb3-csharp/pull/153): Add custom SSL root certificate support.
+   - New configuration items:
+      - `SslRootsFilePath`
+      - `DisableCertificateRevocationListCheck`
+   - **Disclaimer:** Using custom SSL root certificate configurations is recommended for development and testing
+     purposes
+     only. For production deployments, ensure custom certificates are added to the operating system's trusted
+     certificate store.
+
 ## 1.0.0 [2025-01-22]
 
 ### Features

Client.Test/Client.Test.csproj

@@ -28,4 +28,25 @@
       <ProjectReference Include="..\Client\Client.csproj" />
     </ItemGroup>
 
+    <ItemGroup>
+        <None Update="TestData\ServerCert\server.p12">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
+        <None Update="TestData\ServerCert\server.pem">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
+        <None Update="TestData\ServerCert\rootCA.pem">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
+        <None Update="TestData\OtherCerts\otherCA.pem">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
+        <None Update="TestData\OtherCerts\empty.pem">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
+        <None Update="TestData\OtherCerts\invalid.pem">
+          <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
+    </ItemGroup>
+
 </Project>

Client.Test/InfluxDBClientHttpsTest.cs

@@ -0,0 +1,256 @@
+using System;
+using System.Linq;
+using System.Net.Http;
+using System.Threading.Tasks;
+using Grpc.Core;
+using InfluxDB3.Client.Config;
+using WireMock.RequestBuilders;
+using WireMock.ResponseBuilders;
+
+namespace InfluxDB3.Client.Test;
+
+public class InfluxDBClientHttpsTest : MockHttpsServerTest
+{
+    private InfluxDBClient _client;
+
+    [TearDown]
+    public new void TearDown()
+    {
+        _client?.Dispose();
+    }
+
+    [Test]
+    public Task NonExistingCertificateFile()
+    {
+        var ae = Assert.ThrowsAsync<ArgumentException>(() =>
+        {
+            _client = new InfluxDBClient(new ClientConfig
+            {
+                Host = MockHttpsServerUrl,
+                Token = "my-token",
+                Organization = "my-org",
+                Database = "my-database",
+                DisableServerCertificateValidation = false,
+                DisableCertificateRevocationListCheck = true,
+                SslRootsFilePath = "./not-existing.pem"
+            });
+            return null;
+        });
+
+        Assert.That(ae, Is.Not.Null);
+        Assert.That(ae.Message, Does.Match("Certificate file '.*' not found"));
+        return Task.CompletedTask;
+    }
+
+    [Test]
+    public Task EmptyCertificateFile()
+    {
+        var ae = Assert.ThrowsAsync<ArgumentException>(() =>
+        {
+            _client = new InfluxDBClient(new ClientConfig
+            {
+                Host = MockHttpsServerUrl,
+                Token = "my-token",
+                Organization = "my-org",
+                Database = "my-database",
+                DisableServerCertificateValidation = false,
+                DisableCertificateRevocationListCheck = true,
+                SslRootsFilePath = "./TestData/OtherCerts/empty.pem"
+            });
+            return null;
+        });
+
+        Assert.That(ae, Is.Not.Null);
+        Assert.That(ae.Message, Does.Match("Certificate file '.*' is empty"));
+        return Task.CompletedTask;
+    }
+
+    [Test]
+    public Task InvalidCertificateFile()
+    {
+        try
+        {
+            _client = new InfluxDBClient(new ClientConfig
+            {
+                Host = MockHttpsServerUrl,
+                Token = "my-token",
+                Organization = "my-org",
+                Database = "my-database",
+                DisableServerCertificateValidation = false,
+                DisableCertificateRevocationListCheck = true,
+                SslRootsFilePath = "./TestData/OtherCerts/invalid.pem"
+            });
+        }
+        catch (Exception e)
+        {
+            Assert.That(e, Is.Not.Null);
+            Assert.That(e.Message, Does.Match("Failed to import custom certificates"));
+        }
+
+        return Task.CompletedTask;
+    }
+
+    [Test]
+    public async Task WriteWithValidSslRootCertificate()
+    {
+        _client = new InfluxDBClient(new ClientConfig
+        {
+            Host = MockHttpsServerUrl,
+            Token = "my-token",
+            Organization = "my-org",
+            Database = "my-database",
+            DisableServerCertificateValidation = false,
+            DisableCertificateRevocationListCheck = true,
+            SslRootsFilePath = "./TestData/ServerCert/rootCA.pem"
+        });
+
+        await WriteData();
+
+        var requests = MockHttpsServer.LogEntries.ToList();
+        Assert.That(requests[0].RequestMessage.BodyData?.BodyAsString, Is.EqualTo("mem,tag=a field=1"));
+    }
+
+    [Test]
+    public async Task WriteWithDisabledCertificates()
+    {
+        _client = new InfluxDBClient(new ClientConfig
+        {
+            Host = MockHttpsServerUrl,
+            Token = "my-token",
+            Organization = "my-org",
+            Database = "my-database",
+            DisableServerCertificateValidation = true,
+        });
+
+        await WriteData();
+
+        var requests = MockHttpsServer.LogEntries.ToList();
+        Assert.That(requests[0].RequestMessage.BodyData?.BodyAsString, Is.EqualTo("mem,tag=a field=1"));
+    }
+
+    [Test]
+    public Task WriteWithOtherSslRootCertificate()
+    {
+        _client = new InfluxDBClient(new ClientConfig
+        {
+            Host = MockHttpsServerUrl,
+            Token = "my-token",
+            Organization = "my-org",
+            Database = "my-database",
+            DisableServerCertificateValidation = false,
+            DisableCertificateRevocationListCheck = true,
+            SslRootsFilePath = "./TestData/OtherCerts/otherCA.pem"
+        });
+
+        var ae = Assert.ThrowsAsync<HttpRequestException>(async () =>
+        {
+            await _client.WriteRecordAsync("mem,tag=a field=1");
+        });
+
+        Assert.That(ae, Is.Not.Null);
+        Assert.That(ae.Message, Does.Contain("The SSL connection could not be established"));
+        Assert.That(ae.InnerException?.Message,
+            Does.Contain("The remote certificate was rejected by the provided RemoteCertificateValidationCallback"));
+        return Task.CompletedTask;
+    }
+
+    [Test]
+    public Task QueryWithValidSslRootCertificate()
+    {
+        _client = new InfluxDBClient(new ClientConfig
+        {
+            Host = MockHttpsServerUrl,
+            Token = "my-token",
+            Organization = "my-org",
+            Database = "my-database",
+            DisableServerCertificateValidation = false,
+            DisableCertificateRevocationListCheck = true,
+            SslRootsFilePath = "./TestData/ServerCert/rootCA.pem"
+        });
+
+        var ae = Assert.ThrowsAsync<RpcException>(async () => { await QueryData(); });
+
+        // Verify: server successfully sent back the configured 404 status 
+        Assert.That(ae, Is.Not.Null);
+        Assert.That(ae.Message, Does.Contain("Bad gRPC response. HTTP status code: 404"));
+
+        // Verify: the request reached the server
+        var requests = MockHttpsServer.LogEntries.ToList();
+        Assert.That(requests[0].RequestMessage.BodyData?.BodyAsString, Does.Contain("SELECT 1"));
+        return Task.CompletedTask;
+    }
+
+    [Test]
+    public Task QueryWithDisabledCertificates()
+    {
+        _client = new InfluxDBClient(new ClientConfig
+        {
+            Host = MockHttpsServerUrl,
+            Token = "my-token",
+            Organization = "my-org",
+            Database = "my-database",
+            DisableServerCertificateValidation = true,
+        });
+
+        var ae = Assert.ThrowsAsync<RpcException>(async () => { await QueryData(); });
+
+        // Verify: server successfully sent back the configured 404 status 
+        Assert.That(ae, Is.Not.Null);
+        Assert.That(ae.Message, Does.Contain("Bad gRPC response. HTTP status code: 404"));
+
+        // Verify: the request reached the server
+        var requests = MockHttpsServer.LogEntries.ToList();
+        Assert.That(requests[0].RequestMessage.BodyData?.BodyAsString, Does.Contain("SELECT 1"));
+        return Task.CompletedTask;
+    }
+
+    [Test]
+    public Task QueryWithOtherSslRootCertificate()
+    {
+        _client = new InfluxDBClient(new ClientConfig
+        {
+            Host = MockHttpsServerUrl,
+            Token = "my-token",
+            Organization = "my-org",
+            Database = "my-database",
+            DisableServerCertificateValidation = false,
+            DisableCertificateRevocationListCheck = true,
+            SslRootsFilePath = "./TestData/OtherCerts/otherCA.pem"
+        });
+
+        var ae = Assert.ThrowsAsync<RpcException>(async () => { await QueryData(); });
+
+        // Verify: the SSL connection was not established 
+        Assert.That(ae, Is.Not.Null);
+        Assert.That(ae.Message, Does.Contain("The SSL connection could not be established"));
+
+        // Verify: the request did not reach the server
+        var requests = MockHttpsServer.LogEntries.ToList();
+        Assert.That(requests, Is.Empty);
+        return Task.CompletedTask;
+    }
+
+    private async Task WriteData()
+    {
+        MockHttpsServer
+            .Given(Request.Create().WithPath("/api/v2/write").UsingPost())
+            .RespondWith(Response.Create().WithStatusCode(204));
+
+        await _client.WriteRecordAsync("mem,tag=a field=1");
+    }
+
+
+    private async Task QueryData()
+    {
+        // Setup mock server: return 404 for simplicity, so we don't have to implement a valid response.
+        MockHttpsServer
+            .Given(Request.Create().WithPath("/arrow.flight.protocol.FlightService/DoGet").UsingPost())
+            .RespondWith(Response.Create()
+                .WithStatusCode(404)
+            );
+
+        // Query data.
+        var query = "SELECT 1";
+        await _client.Query(query).ToListAsync();
+    }
+}