Improve Common.Certificates internals and tests

src/Common/src/Certificates/CertificateConfigurationExtensions.cs

@@ -10,49 +10,6 @@ public static class CertificateConfigurationExtensions
 {
     internal const string AppInstanceIdentityCertificateName = "AppInstanceIdentity";
 
-    /// <summary>
-    /// Adds file path information for a certificate and (optional) private key to configuration, for use with <see cref="CertificateOptions" />.
-    /// </summary>
-    /// <param name="builder">
-    /// The <see cref="IConfigurationBuilder" /> to add configuration to.
-    /// </param>
-    /// <param name="certificateName">
-    /// Name of the certificate, or <see cref="string.Empty" /> for an unnamed certificate.
-    /// </param>
-    /// <param name="certificateFilePath">
-    /// The path on disk to locate a valid certificate file.
-    /// </param>
-    /// <param name="privateKeyFilePath">
-    /// The path on disk to locate a valid PEM-encoded RSA key file.
-    /// </param>
-    /// <returns>
-    /// The incoming <paramref name="builder" /> so that additional calls can be chained.
-    /// </returns>
-    internal static IConfigurationBuilder AddCertificate(this IConfigurationBuilder builder, string certificateName, string certificateFilePath,
-        string? privateKeyFilePath = null)
-    {
-        ArgumentNullException.ThrowIfNull(builder);
-        ArgumentNullException.ThrowIfNull(certificateName);
-        ArgumentException.ThrowIfNullOrEmpty(certificateFilePath);
-
-        string keyPrefix = certificateName.Length == 0
-            ? $"{CertificateOptions.ConfigurationKeyPrefix}{ConfigurationPath.KeyDelimiter}"
-            : $"{CertificateOptions.ConfigurationKeyPrefix}{ConfigurationPath.KeyDelimiter}{certificateName}{ConfigurationPath.KeyDelimiter}";
-
-        var keys = new Dictionary<string, string?>
-        {
-            [$"{keyPrefix}CertificateFilePath"] = certificateFilePath
-        };
-
-        if (!string.IsNullOrEmpty(privateKeyFilePath))
-        {
-            keys[$"{keyPrefix}PrivateKeyFilePath"] = privateKeyFilePath;
-        }
-
-        builder.AddInMemoryCollection(keys);
-        return builder;
-    }
-
     /// <summary>
     /// Adds PEM certificate files representing application identity to the application configuration. When running outside of Cloud Foundry-based platforms,
     /// this method will create certificates resembling those found on the platform.
@@ -152,7 +109,15 @@ public static IConfigurationBuilder AddAppInstanceIdentityCertificate(this IConf
 
         if (certificateFile != null && keyFile != null)
         {
-            builder.AddCertificate(AppInstanceIdentityCertificateName, certificateFile, keyFile);
+            const string keyPrefix = $"{CertificateOptions.ConfigurationKeyPrefix}:{AppInstanceIdentityCertificateName}:";
+
+            var keys = new Dictionary<string, string?>
+            {
+                [$"{keyPrefix}CertificateFilePath"] = certificateFile,
+                [$"{keyPrefix}PrivateKeyFilePath"] = keyFile
+            };
+
+            builder.AddInMemoryCollection(keys);
         }
 
         return builder;

src/Common/src/Certificates/CertificateServiceCollectionExtensions.cs

@@ -32,9 +32,9 @@ public static IServiceCollection ConfigureCertificateOptions(this IServiceCollec
             ? CertificateOptions.ConfigurationKeyPrefix
             : ConfigurationPath.Combine(CertificateOptions.ConfigurationKeyPrefix, certificateName);
 
-        services.AddOptions<CertificateOptions>().BindConfiguration(configurationKey);
-        services.WatchFilePathInOptions<CertificateOptions>(configurationKey, certificateName, "CertificateFileName");
-        services.WatchFilePathInOptions<CertificateOptions>(configurationKey, certificateName, "PrivateKeyFileName");
+        services.AddOptions<CertificateOptions>(certificateName).BindConfiguration(configurationKey);
+        services.WatchFilePathInOptions<CertificateOptions>(CertificateOptions.ConfigurationKeyPrefix, certificateName, "CertificateFilePath");
+        services.WatchFilePathInOptions<CertificateOptions>(CertificateOptions.ConfigurationKeyPrefix, certificateName, "PrivateKeyFilePath");
 
         services.TryAddEnumerable(ServiceDescriptor.Singleton<IConfigureOptions<CertificateOptions>, ConfigureCertificateOptions>());
         return services;

src/Common/src/Certificates/ConfigureCertificateOptions.cs

@@ -2,10 +2,13 @@
 // The .NET Foundation licenses this file to you under the Apache 2.0 License.
 // See the LICENSE file in the project root for more information.
 
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Text.RegularExpressions;
 using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
 
 namespace Steeltoe.Common.Certificates;
@@ -16,12 +19,14 @@ internal sealed class ConfigureCertificateOptions : IConfigureNamedOptions<Certi
         TimeSpan.FromSeconds(1));
 
     private readonly IConfiguration _configuration;
+    private readonly ILogger<ConfigureCertificateOptions> _logger;
 
-    public ConfigureCertificateOptions(IConfiguration configuration)
+    public ConfigureCertificateOptions(IConfiguration configuration, ILogger<ConfigureCertificateOptions>? logger = null)
     {
         ArgumentNullException.ThrowIfNull(configuration);
 
         _configuration = configuration;
+        _logger = logger ?? NullLogger<ConfigureCertificateOptions>.Instance;
     }
 
     public void Configure(CertificateOptions options)
@@ -42,16 +47,29 @@ public void Configure(string? name, CertificateOptions options)
 
         string? privateKeyFilePath = _configuration.GetValue<string>(GetConfigurationKey(name, "PrivateKeyFilePath"));
 
-        options.Certificate = privateKeyFilePath != null && File.Exists(privateKeyFilePath)
-            ? X509Certificate2.CreateFromPemFile(certificateFilePath, privateKeyFilePath)
-            : new X509Certificate2(certificateFilePath);
+        try
+        {
+            options.Certificate = privateKeyFilePath != null && File.Exists(privateKeyFilePath)
+                ? X509Certificate2.CreateFromPemFile(certificateFilePath, privateKeyFilePath)
+                : new X509Certificate2(certificateFilePath);
 
-        X509Certificate2[] certificateChain = CertificateRegex.Matches(File.ReadAllText(certificateFilePath))
-            .Select(x => new X509Certificate2(Encoding.ASCII.GetBytes(x.Value))).ToArray();
+            X509Certificate2[] certificateChain = CertificateRegex.Matches(File.ReadAllText(certificateFilePath))
+                .Select(x => new X509Certificate2(Encoding.ASCII.GetBytes(x.Value))).ToArray();
 
-        foreach (X509Certificate2 issuer in certificateChain.Skip(1))
+            foreach (X509Certificate2 issuer in certificateChain.Skip(1))
+            {
+                options.IssuerChain.Add(issuer);
+            }
+        }
+        catch (IOException ex)
+        {
+            _logger.LogDebug(ex, "IOException while loading certificate for '{CertificateName}' from '{Path}'. Will retry on next reload.", name,
+                certificateFilePath);
+        }
+        catch (CryptographicException ex)
         {
-            options.IssuerChain.Add(issuer);
+            _logger.LogDebug(ex, "CryptographicException while parsing certificate for '{CertificateName}' from '{Path}'. Will retry on next reload.", name,
+                certificateFilePath);
         }
     }
 

src/Common/test/Certificates.Test/CertificateConfigurationExtensionsTest.cs

@@ -3,18 +3,32 @@
 // See the LICENSE file in the project root for more information.
 
 using Microsoft.Extensions.Configuration;
+using Steeltoe.Common.TestResources;
 
 namespace Steeltoe.Common.Certificates.Test;
 
 public sealed class CertificateConfigurationExtensionsTest
 {
-    private const string CertificateName = "test";
+    [Fact]
+    public void AddAppInstanceIdentityCertificate_SetsPaths_RunningLocal()
+    {
+        IConfiguration configuration = new ConfigurationBuilder().AddAppInstanceIdentityCertificate().Build();
+
+        configuration[$"Certificates:{CertificateConfigurationExtensions.AppInstanceIdentityCertificateName}:certificateFilePath"].Should()
+            .EndWith($"{LocalCertificateWriter.CertificateFilenamePrefix}Cert.pem");
+
+        configuration[$"Certificates:{CertificateConfigurationExtensions.AppInstanceIdentityCertificateName}:privateKeyFilePath"].Should()
+            .EndWith($"{LocalCertificateWriter.CertificateFilenamePrefix}Key.pem");
+    }
 
     [Fact]
-    public void AddCertificate_SetsPaths()
+    public void AddAppInstanceIdentityCertificate_SetsPaths_RunningOnCloudFoundry()
     {
-        IConfigurationRoot configurationRoot = new ConfigurationBuilder().AddCertificate(CertificateName, "instance.crt", "instance.key").Build();
-        configurationRoot[$"Certificates:{CertificateName}:certificateFilePath"].Should().Be("instance.crt");
-        configurationRoot[$"Certificates:{CertificateName}:privateKeyFilePath"].Should().Be("instance.key");
+        using var vcapScope = new EnvironmentVariableScope("VCAP_APPLICATION", "{}");
+        using var certificateScope = new EnvironmentVariableScope("CF_INSTANCE_CERT", "instance.crt");
+        using var privateKeyScope = new EnvironmentVariableScope("CF_INSTANCE_KEY", "instance.key");
+        IConfiguration configuration = new ConfigurationBuilder().AddAppInstanceIdentityCertificate().Build();
+        configuration[$"Certificates:{CertificateConfigurationExtensions.AppInstanceIdentityCertificateName}:certificateFilePath"].Should().Be("instance.crt");
+        configuration[$"Certificates:{CertificateConfigurationExtensions.AppInstanceIdentityCertificateName}:privateKeyFilePath"].Should().Be("instance.key");
     }
 }