Custom validation of server certificate for WebSockets (#103)

* Improve SSL customisation for WebSockets

#102

* First test for exec-in-pod over WebSockets.

Also, implement basic mock server for testing WebSockets.

#102

* Attempt to handle raciness of Watcher tests.

#102

* Attempt to handle raciness of ByteBuffer test.

#102

Author: tintoy

.travis.yml

@@ -1,10 +1,19 @@
 language: csharp
-sudo: false 
+sudo: false
 matrix:
   include:
-    - dotnet: 2.0.0
-      mono: none
+    - mono: none
       dist: trusty
+      # We need the .NET Core 2.1 (preview 1) SDK to build. Travis doesn't know how to install this yet.
+      before_install:
+      - echo 'Installing .NET Core...'
+      - export DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1
+      - export DOTNET_CLI_TELEMETRY_OPTOUT=1
+      - curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
+      - sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/microsoft.gpg
+      - sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu-trusty-prod trusty main" > /etc/apt/sources.list.d/dotnetdev.list'
+      - sudo apt-get -qq update
+      - sudo apt-get install -y dotnet-sdk-2.1.300-preview1-008174
 
 script:
   - ./ci.sh

ci.sh

@@ -4,9 +4,12 @@
 set -e
 
 # Ensure no compile errors in all projects
-find . -name *.csproj -exec dotnet build {} \;
+dotnet restore
+dotnet build --no-restore
 
 # Execute Unit tests
 cd tests
-dotnet restore
-dotnet test
+dotnet test --no-restore --no-build
+if [[ $? != 0 ]]; then
+    exit 1
+fi

kubernetes-client.sln

@@ -1,4 +1,3 @@
-
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio 15
 VisualStudioVersion = 15.0.26430.16
@@ -25,4 +24,7 @@ Global
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
 	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {049A763A-C891-4E8D-80CF-89DD3E22ADC7}
+	EndGlobalSection
 EndGlobal

src/CoreFX.cs

@@ -0,0 +1,46 @@
+namespace k8s
+{
+    /// <summary>
+    ///     Well-known WebSocket sub-protocols used by the Kubernetes API.
+    /// </summary>
+    public static class K8sProtocol
+    {
+        /// <summary>
+        ///     Version 1 of the Kubernetes channel WebSocket protocol.
+        /// </summary>
+        /// <remarks>
+        ///     This protocol prepends each binary message with a byte indicating the channel number (zero indexed) that the message was sent on.
+        ///     Messages in both directions should prefix their messages with this channel byte.
+        ///
+        ///     When used for remote execution, the channel numbers are by convention defined to match the POSIX file-descriptors assigned to STDIN, STDOUT, and STDERR (0, 1, and 2).
+        ///     No other conversion is performed on the raw subprotocol - writes are sent as they are received by the server.
+        ///
+        ///     Example client session:
+        ///
+        ///        CONNECT http://server.com with subprotocol "channel.k8s.io"
+        ///        WRITE []byte{0, 102, 111, 111, 10} # send "foo\n" on channel 0 (STDIN)
+        ///        READ  []byte{1, 10}                # receive "\n" on channel 1 (STDOUT)
+        ///        CLOSE
+        /// </remarks>
+        public static readonly string ChannelV1 = "channel.k8s.io";
+
+        /// <summary>
+        ///     Version 1 of the Kubernetes Base64-encoded channel WebSocket protocol.
+        /// </summary>
+        /// <remarks>
+        ///     This protocol base64 encodes each message with a character representing the channel number (zero indexed) the message was sent on (if the channel number is 1, then the character is '1', i.e. a byte value of 49).
+        ///     Messages in both directions should prefix their messages with this character.
+        ///
+        ///     When used for remote execution, the channel numbers are by convention defined to match the POSIX file-descriptors assigned to STDIN, STDOUT, and STDERR ('0', '1', and '2').
+        ///     The data received on the server is base64 decoded (and must be be valid) and data written by the server to the client is base64 encoded.
+        ///
+        ///     Example client session:
+        ///
+        ///        CONNECT http://server.com with subprotocol "base64.channel.k8s.io"
+        ///        WRITE []byte{48, 90, 109, 57, 118, 67, 103, 111, 61} # send "foo\n" (base64: "Zm9vCgo=") on channel '0' (STDIN)
+        ///        READ  []byte{49, 67, 103, 61, 61} # receive "\n" (base64: "Cg==") on channel '1' (STDOUT)
+        ///        CLOSE
+        /// </remarks>
+        public static readonly string ChannelBase64V1 = "base64.channel.k8s.io";
+    }
+}

src/K8sProtocol.cs

@@ -2,8 +2,10 @@
 using Microsoft.Rest;
 using System;
 using System.Collections.Generic;
+using System.Linq;
 using System.Net.Http;
 using System.Net.WebSockets;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
 
@@ -204,11 +206,11 @@ public partial class Kubernetes
                 }
             }
 
-                // Set Credentials
+            // Set Credentials
 #if NET452
-            foreach (var cert in ((WebRequestHandler)this.HttpClientHandler).ClientCertificates)
+            foreach (var cert in ((WebRequestHandler)this.HttpClientHandler).ClientCertificates.OfType<X509Certificate2>())
 #else
-            foreach (var cert in this.HttpClientHandler.ClientCertificates)
+            foreach (var cert in this.HttpClientHandler.ClientCertificates.OfType<X509Certificate2>())
 #endif
             {
                 webSocketBuilder.AddClientCertificate(cert);
@@ -222,6 +224,15 @@ public partial class Kubernetes
                 webSocketBuilder.SetRequestHeader(_header.Key, string.Join(" ", _header.Value));
             }
 
+#if NETCOREAPP2_1
+            if (this.CaCert != null)
+                webSocketBuilder.ExpectServerCertificate(this.CaCert);
+            else
+                webSocketBuilder.SkipServerCertificateValidation();
+
+            webSocketBuilder.Options.RequestedSubProtocols.Add(K8sProtocol.ChannelV1);
+#endif // NETCOREAPP2_1
+
             // Send Request
             cancellationToken.ThrowIfCancellationRequested();
 

src/Kubernetes.WebSocket.cs

@@ -9,8 +9,8 @@
     <PackageProjectUrl>https://github.com/kubernetes-client/csharp</PackageProjectUrl>
     <PackageTags>kubernetes;docker;containers;</PackageTags>
 
-    <TargetFrameworks>netstandard1.4;net452</TargetFrameworks>
-    <TargetFrameworks Condition="'$(OS)' != 'Windows_NT'">netstandard1.4</TargetFrameworks>
+    <TargetFrameworks>netstandard1.4;net452;netcoreapp2.1</TargetFrameworks>
+    <TargetFrameworks Condition="'$(OS)' != 'Windows_NT'">netstandard1.4;netcoreapp2.1</TargetFrameworks>
     <RootNamespace>k8s</RootNamespace>
   </PropertyGroup>
 

src/KubernetesClient.csproj

@@ -0,0 +1,143 @@
+#if NETCOREAPP2_1
+
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Net.Security;
+using System.Net.WebSockets;
+using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace k8s
+{
+    /// <summary>
+    /// The <see cref="WebSocketBuilder"/> creates a new <see cref="WebSocket"/> object which connects to a remote WebSocket.
+    /// </summary>
+    public sealed class WebSocketBuilder
+    {
+        public KubernetesWebSocketOptions Options { get; } = new KubernetesWebSocketOptions();
+
+        public WebSocketBuilder()
+        {
+        }
+
+        public WebSocketBuilder SetRequestHeader(string headerName, string headerValue)
+        {
+            Options.RequestHeaders[headerName] = headerValue;
+
+            return this;
+        }
+
+        public WebSocketBuilder AddClientCertificate(X509Certificate2 certificate)
+        {
+            Options.ClientCertificates.Add(certificate);
+
+            return this;
+        }
+
+        public WebSocketBuilder ExpectServerCertificate(X509Certificate2 serverCertificate)
+        {
+            Options.ServerCertificateCustomValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
+            {
+                if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
+                    return false;
+
+                try
+                {
+                    using (X509Chain certificateChain = new X509Chain())
+                    {
+                        certificateChain.ChainPolicy.ExtraStore.Add(serverCertificate);
+                        certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
+                        certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
+
+                        return certificateChain.Build(
+                            (X509Certificate2)certificate
+                        );
+                    }
+                }
+                catch (Exception chainException)
+                {
+                    Debug.WriteLine(chainException);
+
+                    return false;
+                }
+            };
+
+            return this;
+        }
+
+        public WebSocketBuilder SkipServerCertificateValidation()
+        {
+            Options.ServerCertificateCustomValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
+
+            return this;
+        }
+
+        public async Task<WebSocket> BuildAndConnectAsync(Uri uri, CancellationToken cancellationToken)
+        {
+            return await CoreFX.K8sWebSocket.ConnectAsync(uri, Options, cancellationToken).ConfigureAwait(false);
+        }
+    }
+
+    /// <summary>
+    ///     Options for connecting to Kubernetes web sockets.
+    /// </summary>
+    public class KubernetesWebSocketOptions
+    {
+        /// <summary>
+        ///     The default size (in bytes) for WebSocket send / receive buffers.
+        /// </summary>
+        public static readonly int DefaultBufferSize = 2048;
+
+        /// <summary>
+        ///     Create new <see cref="KubernetesWebSocketOptions"/>.
+        /// </summary>
+        public KubernetesWebSocketOptions()
+        {
+        }
+
+        /// <summary>
+        ///     The requested size (in bytes) of the WebSocket send buffer.
+        /// </summary>
+        public int SendBufferSize { get; set; } = 2048;
+
+        /// <summary>
+        ///     The requested size (in bytes) of the WebSocket receive buffer.
+        /// </summary>
+        public int ReceiveBufferSize { get; set; } = 2048;
+
+        /// <summary>
+        ///     Custom request headers (if any).
+        /// </summary>
+        public Dictionary<string, string> RequestHeaders { get; } = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
+
+        /// <summary>
+        ///     Requested sub-protocols (if any).
+        /// </summary>
+        public List<string> RequestedSubProtocols { get; } = new List<string>();
+
+        /// <summary>
+        ///     Client certificates (if any) to use for authentication.
+        /// </summary>
+        public List<X509Certificate2> ClientCertificates = new List<X509Certificate2>();
+
+        /// <summary>
+        ///     An optional delegate to use for authenticating the remote server certificate.
+        /// </summary>
+        public RemoteCertificateValidationCallback ServerCertificateCustomValidationCallback { get; set; }
+
+        /// <summary>
+        ///     An <see cref="SslProtocols"/> value representing the SSL protocols that the client supports.
+        /// </summary>
+        public SslProtocols EnabledSslProtocols { get; set; } = SslProtocols.Tls;
+
+        /// <summary>
+        ///     The WebSocket keep-alive interval.
+        /// </summary>
+        public TimeSpan KeepAliveInterval { get; set; } = TimeSpan.FromSeconds(5);
+    }
+}
+
+#endif // NETCOREAPP2_1

src/WebSocketBuilder.NetCoreApp2.1.cs

@@ -1,3 +1,5 @@
+#if !NETCOREAPP2_1
+
 using System;
 using System.Net.WebSockets;
 using System.Security.Cryptography.X509Certificates;
@@ -19,7 +21,6 @@ public class WebSocketBuilder
 
         public WebSocketBuilder()
         {
-            this.WebSocket = new ClientWebSocket();
         }
 
         public virtual WebSocketBuilder SetRequestHeader(string headerName, string headerValue)
@@ -28,7 +29,7 @@ public virtual WebSocketBuilder SetRequestHeader(string headerName, string heade
             return this;
         }
 
-        public virtual WebSocketBuilder AddClientCertificate(X509Certificate certificate)
+        public virtual WebSocketBuilder AddClientCertificate(X509Certificate2 certificate)
         {
             this.WebSocket.Options.ClientCertificates.Add(certificate);
             return this;
@@ -41,3 +42,5 @@ public virtual async Task<WebSocket> BuildAndConnectAsync(Uri uri, CancellationT
         }
     }
 }
+
+#endif // !NETCOREAPP2_1

src/WebSocketBuilder.cs

@@ -12,11 +12,17 @@
 using Microsoft.AspNetCore.Server.Kestrel.Https;
 using Microsoft.Rest;
 using Xunit;
+using Xunit.Abstractions;
 
 namespace k8s.Tests
 {
-    public class AuthTests
-    {
+    public class AuthTests
+        : TestBase
+    {
+        public AuthTests(ITestOutputHelper testOutput) : base(testOutput)
+        {
+        }
+
         private static HttpOperationResponse<V1PodList> ExecuteListPods(IKubernetes client)
         {
             return client.ListNamespacedPodWithHttpMessagesAsync("default").Result;
@@ -25,7 +31,7 @@ private static HttpOperationResponse<V1PodList> ExecuteListPods(IKubernetes clie
         [Fact]
         public void Anonymous()
         {
-            using (var server = new MockKubeApiServer())
+            using (var server = new MockKubeApiServer(TestOutput))
             {
                 var client = new Kubernetes(new KubernetesClientConfiguration
                 {
@@ -38,7 +44,7 @@ public void Anonymous()
                 Assert.Equal(1, listTask.Body.Items.Count);
             }
 
-            using (var server = new MockKubeApiServer(cxt =>
+            using (var server = new MockKubeApiServer(TestOutput, cxt =>
             {
                 cxt.Response.StatusCode = (int) HttpStatusCode.Unauthorized;
                 return Task.FromResult(false);
@@ -61,7 +67,7 @@ public void BasicAuth()
             const string testName = "test_name";
             const string testPassword = "test_password";
 
-            using (var server = new MockKubeApiServer(cxt =>
+            using (var server = new MockKubeApiServer(TestOutput, cxt =>
             {
                 var header = cxt.Request.Headers["Authorization"].FirstOrDefault();
 
@@ -167,7 +173,7 @@ public void Cert()
 
             var clientCertificateValidationCalled = false;
 
-            using (var server = new MockKubeApiServer(listenConfigure: options =>
+            using (var server = new MockKubeApiServer(TestOutput, listenConfigure: options =>
             {
                 options.UseHttps(new HttpsConnectionAdapterOptions
                 {
@@ -249,7 +255,7 @@ public void Token()
         {
             const string token = "testingtoken";
 
-            using (var server = new MockKubeApiServer(cxt =>
+            using (var server = new MockKubeApiServer(TestOutput, cxt =>
             {
                 var header = cxt.Request.Headers["Authorization"].FirstOrDefault();