Allow Virtual Client to use a certificate to authenticate to the proxy API (#554)

Add certificate issuer and subject parameters to proxy API URI for authentication
---------

Co-authored-by: CJ Hillbrand <[email protected]>
Co-authored-by: Krystal Culp <[email protected]>

Author: 3 people

VERSION

@@ -1 +1 @@
-2.1.9
+2.1.10

src/VirtualClient/VirtualClient.Common/Rest/IRestClientBuilder.cs

@@ -4,6 +4,7 @@
 namespace VirtualClient.Common.Rest
 {
     using System;
+    using System.Security.Cryptography.X509Certificates;
 
     /// <summary>
     /// Interface for generic rest client builder.
@@ -30,9 +31,15 @@ public interface IRestClientBuilder : IDisposable
         /// <returns>The builder itself</returns>
         IRestClientBuilder AddAcceptedMediaType(MediaType mediaType);
 
+        /// <summary>
+        /// Add client certificate.
+        /// </summary>
+        /// <param name="certificate">The certificate to add.</param>
+        /// <returns>Builder itself.</returns>
+        IRestClientBuilder AddCertificate(X509Certificate2 certificate);
+
         /// <summary>
         /// Always trust the server certificate.
-        /// Note that this method override the underlying httpclient and previous builder methods, so this builder methods should be used first.
         /// </summary>
         /// <returns>Builder itself.</returns>
         IRestClientBuilder AlwaysTrustServerCertificate();

src/VirtualClient/VirtualClient.Common/Rest/RestClientBuilder.cs

@@ -7,53 +7,65 @@ namespace VirtualClient.Common.Rest
     using System.Collections.Generic;
     using System.Net.Http;
     using System.Net.Http.Headers;
+    using System.Security.Cryptography.X509Certificates;
     using VirtualClient.Common.Extensions;
 
     /// <summary>
     /// Builder for generic rest client
     /// </summary>
     public class RestClientBuilder : IRestClientBuilder
     {
-        private RestClient restClient;
         private TimeSpan? httpTimeout;
         private bool disposed = false;
 
+        private List<MediaTypeWithQualityHeaderValue> acceptedMediaTypes;
+        private AuthenticationHeaderValue authenticationHeader;
+
+#pragma warning disable CA2213 // We will reuse these single objects for the lifetime of virtual client execution
+        private HttpClientHandler handler;
+#pragma warning restore CA2213 // Disposable fields should be disposed
+
         /// <summary>
         /// Constructor for the rest client builder
         /// </summary>
         /// <param name="timeout">The HTTP timeout to apply.</param>
         public RestClientBuilder(TimeSpan? timeout = null)
         {
-            this.restClient = new RestClient();
             this.httpTimeout = timeout;
+            this.handler = new HttpClientHandler();
+            this.acceptedMediaTypes = new List<MediaTypeWithQualityHeaderValue>();
         }
 
         /// <inheritdoc/>
         public IRestClientBuilder AddAuthorizationHeader(string authToken, string headerName = "Bearer")
         {
-            this.restClient.SetAuthorizationHeader(new AuthenticationHeaderValue(headerName, authToken));
+            this.authenticationHeader = new AuthenticationHeaderValue(authToken, headerName);
             return this;
         }
 
         /// <inheritdoc/>
         public IRestClientBuilder AddAcceptedMediaType(MediaType mediaType)
         {
             mediaType.ThrowIfNull(nameof(mediaType));
-            this.restClient.AddAcceptedMediaTypeHeader(new MediaTypeWithQualityHeaderValue(mediaType.FieldName));
+            this.acceptedMediaTypes.Add(new MediaTypeWithQualityHeaderValue(mediaType.FieldName));
             return this;
         }
 
         /// <inheritdoc/>
         public IRestClientBuilder AlwaysTrustServerCertificate()
         {
-            HttpClientHandler handler = new HttpClientHandler();
-            handler.ServerCertificateCustomValidationCallback = (httpRequestMessage, cert, cetChain, policyErrors) =>
+            this.handler.ServerCertificateCustomValidationCallback = (httpRequestMessage, cert, cetChain, policyErrors) =>
             {
                 return true;
             };
 
-            HttpClient client = new HttpClient(handler);
-            this.restClient = new RestClient(client);
+            return this;
+        }
+
+        /// <inheritdoc/>
+        public IRestClientBuilder AddCertificate(X509Certificate2 certificate)
+        {
+            this.handler.ClientCertificates.Add(certificate);
             return this;
         }
 
@@ -63,15 +75,28 @@ public IRestClientBuilder AlwaysTrustServerCertificate()
         /// <returns>The built rest client.</returns>
         public IRestClient Build()
         {
-            RestClient output = this.restClient;
-            this.restClient = new RestClient();
+            HttpClient client = new HttpClient(this.handler);
+            RestClient restClient = new RestClient(client);
+
+            if (this.authenticationHeader != null)
+            {
+                restClient.SetAuthorizationHeader(this.authenticationHeader);
+            }
+
+            if (this.acceptedMediaTypes.Count > 0)
+            {
+                foreach (var mediaType in this.acceptedMediaTypes)
+                {
+                    restClient.AddAcceptedMediaTypeHeader(mediaType);
+                }
+            }
 
             if (this.httpTimeout != null)
             {
-                output.Client.Timeout = this.httpTimeout.Value;
+                restClient.Client.Timeout = this.httpTimeout.Value;
             }
 
-            return output;
+            return restClient;
         }
 
         /// <inheritdoc/>
@@ -88,7 +113,6 @@ protected virtual void Dispose(bool disposing)
             {
                 if (disposing)
                 {
-                    this.restClient.Dispose();
                 }
 
                 this.disposed = true;

src/VirtualClient/VirtualClient.Contracts/Proxy/VirtualClientProxyApiClient.cs

@@ -10,6 +10,7 @@ namespace VirtualClient.Contracts.Proxy
     using System.Net;
     using System.Net.Http;
     using System.Net.Http.Headers;
+    using System.Security.Cryptography.X509Certificates;
     using System.Text;
     using System.Text.RegularExpressions;
     using System.Threading;

src/VirtualClient/VirtualClient.Core/ApiClientManager.cs

@@ -7,6 +7,7 @@ namespace VirtualClient
     using System.Collections.Generic;
     using System.Linq;
     using System.Net;
+    using System.Security.Cryptography.X509Certificates;
     using VirtualClient.Common.Extensions;
     using VirtualClient.Contracts;
     using VirtualClient.Contracts.Proxy;
@@ -244,11 +245,12 @@ public IApiClient GetOrCreateApiClient(string id, Uri uri)
         /// </summary>
         /// <param name="id">The ID of the proxy API client to use for lookups.</param>
         /// <param name="uri">The URI of the target Virtual Client API service including the port (e.g. http://any.server.uri:4500).</param>
+        /// <param name="certificate">The certificate to authenticate to the proxy API</param>
         /// <returns>
         /// An <see cref="IProxyApiClient"/> that can be used to interface with a target
         /// Virtual Client API service.
         /// </returns>
-        public IProxyApiClient GetOrCreateProxyApiClient(string id, Uri uri)
+        public IProxyApiClient GetOrCreateProxyApiClient(string id, Uri uri, X509Certificate2 certificate = null)
         {
             IProxyApiClient apiClient = null;
 
@@ -257,7 +259,7 @@ public IProxyApiClient GetOrCreateProxyApiClient(string id, Uri uri)
                 apiClient = this.GetProxyApiClient(id);
                 if (apiClient == null)
                 {
-                    apiClient = DependencyFactory.CreateVirtualClientProxyApiClient(uri);
+                    apiClient = DependencyFactory.CreateVirtualClientProxyApiClient(uri, certificate: certificate);
                     this.proxyApiClients[id] = apiClient;
                 }
             }

src/VirtualClient/VirtualClient.Core/DependencyFactory.cs

@@ -9,6 +9,7 @@ namespace VirtualClient
     using System.IO.Abstractions;
     using System.Linq;
     using System.Net;
+    using System.Security.Cryptography.X509Certificates;
     using System.Threading.Tasks;
     using Azure.Core;
     using Azure.Messaging.EventHubs.Producer;
@@ -412,11 +413,12 @@ public static IFirewallManager CreateFirewallManager(PlatformID platform, Proces
         /// <param name="storeDescription">Describes the type of blob store (e.g. Content, Packages).</param>
         /// <param name="source">An explicit source to use for blob uploads/downloads through the proxy API.</param>
         /// <param name="logger">A logger to use for capturing information related to blob upload/download operations.</param>
-        public static IBlobManager CreateProxyBlobManager(DependencyProxyStore storeDescription, string source = null, Microsoft.Extensions.Logging.ILogger logger = null)
+        /// <param name="certificate">The certificate to authenticate to the proxy API</param>
+        public static IBlobManager CreateProxyBlobManager(DependencyProxyStore storeDescription, string source = null, Microsoft.Extensions.Logging.ILogger logger = null, X509Certificate2 certificate = null)
         {
             storeDescription.ThrowIfNull(nameof(storeDescription));
 
-            VirtualClientProxyApiClient proxyApiClient = DependencyFactory.CreateVirtualClientProxyApiClient(storeDescription.ProxyApiUri, TimeSpan.FromHours(6));
+            VirtualClientProxyApiClient proxyApiClient = DependencyFactory.CreateVirtualClientProxyApiClient(storeDescription.ProxyApiUri, TimeSpan.FromHours(6), certificate);
             ProxyBlobManager blobManager = new ProxyBlobManager(storeDescription, proxyApiClient, source);
 
             if (logger != null)
@@ -675,16 +677,29 @@ public static VirtualClientApiClient CreateVirtualClientApiClient(IPAddress ipAd
         /// </summary>
         /// <param name="proxyApiUri">The URI for the proxy API/service including its port (e.g. http://any.uri:5000).</param>
         /// <param name="timeout">A timeout to use for the underlying HTTP client.</param>
-        public static VirtualClientProxyApiClient CreateVirtualClientProxyApiClient(Uri proxyApiUri, TimeSpan? timeout = null)
+        /// <param name="certificate">The certificate to authenticate to the proxy API</param>
+        public static VirtualClientProxyApiClient CreateVirtualClientProxyApiClient(Uri proxyApiUri, TimeSpan? timeout = null, X509Certificate2 certificate = null)
         {
             proxyApiUri.ThrowIfNull(nameof(proxyApiUri));
 
-            IRestClient restClient = new RestClientBuilder(timeout)
+            if (!string.IsNullOrWhiteSpace(proxyApiUri.Query))
+            {
+                // e.g.
+                // https://any.service.azure.com/?miid=307591a4-abb2-4559-af59-b47177d140cf -> https://any.service.azure.com/
+
+                proxyApiUri = new Uri(proxyApiUri.OriginalString.Substring(0, proxyApiUri.OriginalString.IndexOf("?")));
+            }
+
+            IRestClientBuilder builder = new RestClientBuilder(timeout)
                 .AlwaysTrustServerCertificate()
-                .AddAcceptedMediaType(MediaType.Json)
-                .Build();
+                .AddAcceptedMediaType(MediaType.Json);
 
-            return new VirtualClientProxyApiClient(restClient, proxyApiUri);
+            if (certificate != null)
+            {
+                builder.AddCertificate(certificate);
+            }
+
+            return new VirtualClientProxyApiClient(builder.Build(), proxyApiUri);
         }
 
         /// <summary>
@@ -696,7 +711,7 @@ public static VirtualClientProxyApiClient CreateVirtualClientProxyApiClient(Uri
         public static void FlushTelemetry(TimeSpan? timeout = null)
         {
             Parallel.ForEach(DependencyFactory.telemetryChannels, channel => channel.Flush(timeout));
-         }
+        }
 
         /// <summary>
         /// Applies a filter to the logger generated by the provider that will handle the logging

src/VirtualClient/VirtualClient.Core/EndpointUtility.cs

@@ -377,6 +377,27 @@ public static bool IsPackageUri(Uri endpointUri, string storeName)
             return storeName == DependencyStore.Packages && packageUri;
         }
 
+        /// <summary>
+        /// Parses the subject name and issuer from the provided uri. If the uri does not contain the correctly formatted certificate subject name
+        /// and issuer information the method will return false, and keep the two out parameters as null.
+        /// Ex. https://vegaprod01proxyapi.azurewebsites.net?crti=issuerName&amp;crts=certSubject
+        /// </summary>
+        /// <param name="uri">The uri to attempt to parse the values from.</param>
+        /// <param name="issuer">The issuer of the certificate.</param>
+        /// <param name="subject">The subject of the certificate.</param>
+        /// <returns>True/False if the method was able to successfully parse both the subject name and the issuer of the certificate.</returns>
+        public static bool TryParseCertificateReference(Uri uri, out string issuer, out string subject)
+        {
+            string queryString = Uri.UnescapeDataString(uri.Query).Trim('?').Replace("&", ",,,");
+
+            IDictionary<string, string> queryParameters = TextParsingExtensions.ParseDelimitedValues(queryString)?.ToDictionary(
+                entry => entry.Key,
+                entry => entry.Value?.ToString(),
+                StringComparer.OrdinalIgnoreCase);
+
+            return TryGetCertificateReferenceForUri(queryParameters, out issuer, out subject);
+        }
+
         /// <summary>
         /// Returns the endpoint by verifying package uri checks.
         /// if the endpoint is a package uri without http or https protocols then append the protocol else return the endpoint value.
@@ -430,7 +451,7 @@ private static DependencyBlobStore CreateBlobStoreReference(string storeName, Ur
                 // Basic URI without any query parameters
                 // 1) If the given endpoint uri is a package uri (e.g. https://packages.virtualclient.microsoft.com ) then the package is retrieved from storage via CDN
                 // 2) If the given endpoint uri is a blob storage (e.g https://any.blob.core.windows.net) then the packages is retrieved from blob storage 
-                store = IsPackageUri(endpointUri, storeName) 
+                store = IsPackageUri(endpointUri, storeName)
                     ? new DependencyBlobStore(storeName, endpointUri, DependencyStore.StoreTypeAzureCDN)
                     : new DependencyBlobStore(storeName, endpointUri);
             }
@@ -947,9 +968,9 @@ private static async Task<TokenCredential> CreateIdentityTokenCredentialAsync(IC
             else
             {
                 certificate = await certificateManager.GetCertificateFromStoreAsync(
-                    certificateIssuer, 
-                    certificateSubject, 
-                    storeLocations, 
+                    certificateIssuer,
+                    certificateSubject,
+                    storeLocations,
                     storeName);
             }
 

src/VirtualClient/VirtualClient.Core/IApiClientManager.cs

@@ -6,7 +6,7 @@ namespace VirtualClient
     using System;
     using System.Collections.Generic;
     using System.Net;
-    using System.Threading.Tasks;
+    using System.Security.Cryptography.X509Certificates;
     using VirtualClient.Contracts;
     using VirtualClient.Contracts.Proxy;
 
@@ -104,11 +104,12 @@ public interface IApiClientManager
         /// </summary>
         /// <param name="id">The ID of the proxy API client to use for lookups.</param>
         /// <param name="uri">The URI of the target Virtual Client API service including the port (e.g. http://any.server.uri:4500).</param>
+        /// <param name="certificate">The certificate to authenticate to the proxy API</param>
         /// <returns>
         /// An <see cref="IProxyApiClient"/> that can be used to interface with a target
         /// Virtual Client proxy API service.
         /// </returns>
-        IProxyApiClient GetOrCreateProxyApiClient(string id, Uri uri);
+        IProxyApiClient GetOrCreateProxyApiClient(string id, Uri uri, X509Certificate2 certificate);
 
         /// <summary>
         /// Creates new API clients from the ones that are already cached.