feat(auth): add certificate provider for dev environments

- Add new ICertificateProvider implementation for development environments
- Update dependency injection to use the new provider in dev environments
- Add logging for existing DopplerCertificateProvider.

Author: PabloStarOk

src/Openlysis.Authentication.API/Infrastructure/DependencyInjection.cs

@@ -34,13 +34,15 @@ internal static class DependencyInjection
     /// </summary>
     /// <param name="services">The service collection to add services to.</param>
     /// <param name="configuration">The application configuration instance.</param>
+    /// <param name="environment">The host environment instance.</param>
     public static void AddInfrastructure(
         this IServiceCollection services,
-        IConfiguration configuration)
+        IConfiguration configuration,
+        IHostEnvironment environment)
     {
         AddRepositories(services, configuration);
         AddPasswordHasher(services, configuration);
-        AddCertificateProvider(services, configuration);
+        AddCertificateProvider(services, configuration, environment);
         AddSigningCertificateManager(services);
         AddTokenGenerator(services, configuration);
         AddTokenHasher(services);
@@ -101,8 +103,17 @@ private static void AddPasswordHasher(
 
     private static void AddCertificateProvider(
         IServiceCollection services,
-        IConfiguration configuration)
+        IConfiguration configuration,
+        IHostEnvironment environment)
     {
+        if (environment.IsDevelopment())
+        {
+            services.AddSingleton<DevelopmentCertificateProvider>();
+            services.AddHostedService(sp => sp.GetRequiredService<DevelopmentCertificateProvider>());
+            services.AddSingleton<ICertificateProvider>(sp => sp.GetRequiredService<DevelopmentCertificateProvider>());
+            return;
+        }
+
         var certificateOptionsSection = configuration
             .GetRequiredSection(DopplerCertificateOptions.SectionName);
 

src/Openlysis.Authentication.API/Infrastructure/Services/DevelopmentCertificateProvider.cs

@@ -0,0 +1,89 @@
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Openlysis.Authentication.API.Infrastructure.Services;
+
+/// <summary>
+/// Provides a X509 certificate for authentication purposes in development environments.
+/// </summary>
+internal sealed class DevelopmentCertificateProvider : ICertificateProvider, IHostedService, IDisposable
+{
+    private const string EcCurveFriendlyName = "nistP256";
+    private const string X500DistinguishedName = "CN=OpenlysisAuth";
+    private const int CertificateYearsValidity = 1;
+    private const string CertFileName = "dev_x509_certificate.pem";
+    private const string PrivateKeyFileName = "dev_ecdsa_key.pem";
+
+    /// <inheritdoc/>
+    public X509Certificate2 Certificate
+    {
+        get
+        {
+            return _selfSignedCertificate ?? throw new InvalidOperationException("Certificate has not been set.");
+        }
+    }
+
+    private readonly ILogger<DevelopmentCertificateProvider> _logger;
+    private X509Certificate2? _selfSignedCertificate;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="DevelopmentCertificateProvider"/> class.
+    /// </summary>
+    /// <param name="logger">The logger instance for logging certificate provider events.</param>
+    public DevelopmentCertificateProvider(ILogger<DevelopmentCertificateProvider> logger)
+    {
+        _logger = logger;
+    }
+
+    /// <inheritdoc/>
+    public void Dispose()
+    {
+        _selfSignedCertificate?.Dispose();
+    }
+
+    /// <inheritdoc/>
+    public async Task StartAsync(CancellationToken cancellationToken)
+    {
+        string certFilePath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, CertFileName);
+        string privateKeyFilePath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, PrivateKeyFileName);
+
+        if (File.Exists(certFilePath) && File.Exists(privateKeyFilePath))
+        {
+            _selfSignedCertificate = X509Certificate2.CreateFromPemFile(certFilePath, privateKeyFilePath);
+            if (_selfSignedCertificate.NotAfter.ToUniversalTime() > DateTime.UtcNow)
+            {
+                _logger.LogInformation("X509 certificate for development has been loaded successfully from existing certificate.");
+                return;
+            }
+        }
+
+        using var ecDsaKeys = ECDsa.Create(ECCurve.CreateFromFriendlyName(EcCurveFriendlyName));
+        _selfSignedCertificate = CreateCertificate(ecDsaKeys);
+
+        string certPem = _selfSignedCertificate.ExportCertificatePem();
+        string privateKeyPem = ecDsaKeys.ExportECPrivateKeyPem();
+
+        await File.WriteAllTextAsync(certFilePath, certPem, cancellationToken);
+        await File.WriteAllTextAsync(privateKeyFilePath, privateKeyPem, cancellationToken);
+
+        _logger.LogInformation("X509 certificate for development has been created and loaded successfully.");
+    }
+
+    /// <inheritdoc/>
+    public Task StopAsync(CancellationToken cancellationToken)
+    {
+        return Task.CompletedTask;
+    }
+
+    private static X509Certificate2 CreateCertificate(ECDsa ecDsaKeys)
+    {
+        var subjectName = new X500DistinguishedName(X500DistinguishedName);
+        var request = new CertificateRequest(subjectName, ecDsaKeys, HashAlgorithmName.SHA256);
+
+        request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
+
+        DateTimeOffset notBefore = DateTimeOffset.UtcNow;
+        DateTimeOffset notAfter = notBefore.AddYears(CertificateYearsValidity);
+        return request.CreateSelfSigned(notBefore, notAfter);
+    }
+}

src/Openlysis.Authentication.API/Infrastructure/Services/DopplerCertificateProvider.cs

@@ -15,6 +15,7 @@ namespace Openlysis.Authentication.API.Infrastructure.Services;
 /// </summary>
 internal sealed class DopplerCertificateProvider : ICertificateProvider, IHostedService, IDisposable
 {
+    private readonly ILogger<DopplerCertificateProvider> _logger;
     private readonly IOptions<DopplerCertificateOptions> _certificateOptions;
     private readonly IDopplerClient _dopplerClient;
     private X509Certificate2? _certificate;
@@ -36,12 +37,15 @@ public X509Certificate2 Certificate
     /// <summary>
     /// Initializes a new instance of the <see cref="DopplerCertificateProvider"/> class.
     /// </summary>
+    /// <param name="logger">The logger instance for logging operations.</param>
     /// <param name="certificateOptions">The options containing Doppler certificate configuration.</param>
     /// <param name="dopplerClient">The Doppler client used to fetch secrets.</param>
     public DopplerCertificateProvider(
+        ILogger<DopplerCertificateProvider> logger,
         IOptions<DopplerCertificateOptions> certificateOptions,
         IDopplerClient dopplerClient)
     {
+        _logger = logger;
         _certificateOptions = certificateOptions;
         _dopplerClient = dopplerClient;
     }
@@ -69,6 +73,7 @@ public async Task StartAsync(CancellationToken cancellationToken)
         }
 
         _certificate = CreateCertificate(certSecret, passwdSecret);
+        _logger.LogInformation("X509 certificate from Doppler has been loaded successfully.");
     }
 
     /// <inheritdoc/>

src/Openlysis.Authentication.API/Program.cs

@@ -3,7 +3,7 @@
 using Openlysis.Authentication.API.Infrastructure;
 
 var builder = WebApplication.CreateSlimBuilder(args);
-builder.Services.AddInfrastructure(builder.Configuration);
+builder.Services.AddInfrastructure(builder.Configuration, builder.Environment);
 builder.Services.AddApplication();
 builder.Services.AddApi(builder.Configuration);
 var app = builder.Build();