Fix issue binding config involving certificates

Author: smbecker

src/DotPulsar.Extensions.DependencyInjection/Internal/PulsarClientCertificate.cs

@@ -0,0 +1,115 @@
+using System.Globalization;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+
+// ReSharper disable UnusedAutoPropertyAccessor.Global
+
+namespace DotPulsar.Internal;
+
+// Inspired from https://github.com/dotnet/aspnetcore/blob/449abac6f1ca12fa0ad557a872c219fcdfae09f3/src/Servers/Kestrel/Core/src/Internal/Certificates/CertificateConfigLoader.cs#L13
+
+/// <summary>
+/// Represents a client certificate.
+/// </summary>
+public sealed class PulsarClientCertificate
+{
+	/// <summary>
+	/// The path to the certificate file.
+	/// </summary>
+	public string? Path {
+		get;
+		set;
+	}
+
+	/// <summary>
+	/// The path to the certificate key file.
+	/// </summary>
+	public string? KeyPath {
+		get;
+		set;
+	}
+
+	/// <summary>
+	/// The password for the certificate key file.
+	/// </summary>
+	public string? Password {
+		get;
+		init;
+	}
+
+	public X509Certificate2? Load() {
+		if (!string.IsNullOrEmpty(Path)) {
+			var fullChain = new X509Certificate2Collection();
+			fullChain.ImportFromPemFile(Path);
+
+			if (KeyPath != null) {
+#pragma warning disable CA2000
+				var certificate = new X509Certificate2(Path);
+#pragma warning restore CA2000
+				try {
+					certificate = LoadCertificateKey(certificate, KeyPath, Password);
+				} catch {
+					certificate.Dispose();
+					throw;
+				}
+
+				if (OperatingSystem.IsWindows()) {
+					try {
+						certificate = PersistKey(certificate);
+					} catch {
+						certificate.Dispose();
+						throw;
+					}
+				}
+
+				return certificate;
+			}
+
+			return new X509Certificate2(Path, Password);
+		}
+
+		return null;
+
+		static X509Certificate2 LoadCertificateKey(X509Certificate2 certificate, string keyPath, string? password) {
+			const string RSAOid = "1.2.840.113549.1.1.1";
+			const string DSAOid = "1.2.840.10040.4.1";
+			const string ECDsaOid = "1.2.840.10045.2.1";
+
+			var keyText = File.ReadAllText(keyPath);
+			switch (certificate.PublicKey.Oid.Value) {
+				case RSAOid: {
+					using var rsa = RSA.Create();
+					ImportKeyFromFile(rsa, keyText, password);
+					return certificate.CopyWithPrivateKey(rsa);
+				}
+				case ECDsaOid: {
+					using var ecdsa = ECDsa.Create();
+					ImportKeyFromFile(ecdsa, keyText, password);
+					return certificate.CopyWithPrivateKey(ecdsa);
+				}
+				case DSAOid: {
+					using var dsa = DSA.Create();
+					ImportKeyFromFile(dsa, keyText, password);
+					return certificate.CopyWithPrivateKey(dsa);
+				}
+				default:
+					throw new InvalidOperationException(string.Format(CultureInfo.InvariantCulture, "Unknown algorithm for certificate with public key type '{0}'", certificate.PublicKey.Oid.Value));
+			}
+		}
+
+		static void ImportKeyFromFile(AsymmetricAlgorithm asymmetricAlgorithm, string keyText, string? password) {
+			if (password == null) {
+				asymmetricAlgorithm.ImportFromPem(keyText);
+			} else {
+				asymmetricAlgorithm.ImportFromEncryptedPem(keyText, password);
+			}
+		}
+
+		static X509Certificate2 PersistKey(X509Certificate2 fullCertificate) {
+			// We need to force the key to be persisted.
+			// See https://github.com/dotnet/runtime/issues/23749
+			var certificateBytes = fullCertificate.Export(X509ContentType.Pkcs12, "");
+			return new X509Certificate2(certificateBytes, "", X509KeyStorageFlags.DefaultKeySet);
+		}
+	}
+}

src/DotPulsar.Extensions.DependencyInjection/PulsarClientOptions.cs

@@ -1,11 +1,14 @@
-using System.Security.Cryptography.X509Certificates;
 using DotPulsar.Abstractions;
+using DotPulsar.Internal;
+
 // ReSharper disable UnusedAutoPropertyAccessor.Global
 
 namespace DotPulsar;
 
 public class PulsarClientOptions
 {
+	internal const string SectionName = "Pulsar";
+
 	/// <summary>
 	/// The service URL for the Pulsar cluster. The default is "pulsar://localhost:6650".
 	/// </summary>
@@ -17,7 +20,7 @@ public Uri? ServiceUrl {
 	/// <summary>
 	/// Authenticate using a client certificate. This is optional.
 	/// </summary>
-	public X509Certificate2? AuthenticateUsingClientCertificate {
+	public PulsarClientCertificate? AuthenticateUsingClientCertificate {
 		get;
 		set;
 	}
@@ -73,7 +76,7 @@ public TimeSpan? RetryInterval {
 	/// <summary>
 	/// Add a trusted certificate authority. This is optional.
 	/// </summary>
-	public X509Certificate2? TrustedCertificateAuthority {
+	public PulsarClientCertificate? TrustedCertificateAuthority {
 		get;
 		set;
 	}
@@ -109,8 +112,11 @@ public void Apply(IPulsarClientBuilder builder) {
 			builder.ServiceUrl(ServiceUrl);
 		}
 
-		if (AuthenticateUsingClientCertificate != null) {
-			builder.AuthenticateUsingClientCertificate(AuthenticateUsingClientCertificate);
+#pragma warning disable CA2000
+		var authenticateUsingClientCertificate = AuthenticateUsingClientCertificate?.Load();
+#pragma warning restore CA2000
+		if (authenticateUsingClientCertificate != null) {
+			builder.AuthenticateUsingClientCertificate(authenticateUsingClientCertificate);
 			builder.ConnectionSecurity(EncryptionPolicy.PreferEncrypted);
 		}
 
@@ -139,8 +145,11 @@ public void Apply(IPulsarClientBuilder builder) {
 			builder.RetryInterval(RetryInterval.Value);
 		}
 
-		if (TrustedCertificateAuthority != null) {
-			builder.TrustedCertificateAuthority(TrustedCertificateAuthority);
+#pragma warning disable CA2000
+		var trustedCertificateAuthority = TrustedCertificateAuthority?.Load();
+#pragma warning restore CA2000
+		if (trustedCertificateAuthority != null) {
+			builder.TrustedCertificateAuthority(trustedCertificateAuthority);
 		}
 
 		if (VerifyCertificateAuthority != null) {

src/DotPulsar.Extensions.DependencyInjection/PulsarServiceCollectionExtensions.cs

@@ -1,6 +1,3 @@
-using System.Globalization;
-using System.Security.Cryptography;
-using System.Security.Cryptography.X509Certificates;
 using DotPulsar;
 using DotPulsar.Abstractions;
 using Microsoft.Extensions.Configuration;
@@ -12,6 +9,16 @@ namespace Microsoft.Extensions.DependencyInjection;
 
 public static class PulsarServiceCollectionExtensions
 {
+	public static IServiceCollection AddPulsarOptions(this IServiceCollection services, string sectionName = PulsarClientOptions.SectionName) {
+		services.AddOptions<PulsarClientOptions>().BindConfiguration(sectionName);
+		return services;
+	}
+
+	public static IServiceCollection AddPulsarOptions(this IServiceCollection services, IConfigurationSection pulsarSection) {
+		services.AddOptions<PulsarClientOptions>().Bind(pulsarSection);
+		return services;
+	}
+
 	public static IServiceCollection AddPulsarClient(this IServiceCollection services, IPulsarClient pulsarClient) {
 		services.TryAddSingleton(pulsarClient);
 		return services;
@@ -22,29 +29,18 @@ public static IServiceCollection AddPulsarClient(this IServiceCollection service
 		return services;
 	}
 
-	public static IServiceCollection AddPulsarClient(this IServiceCollection services, IPulsarClientBuilder pulsarClientBuilder) {
-		ArgumentNullException.ThrowIfNull(pulsarClientBuilder);
-		return AddPulsarClient(services, pulsarClientBuilder.Build());
-	}
-
-	public static IServiceCollection AddPulsarClient(this IServiceCollection services) {
-		services.AddOptions<PulsarClientOptions>().Configure<IConfiguration>(static (opts, config) => BindOptions(opts, config.GetSection("Pulsar")));
-		return AddPulsarClient(services, static (sp, builder) => {
-			var options = sp.GetRequiredService<IOptions<PulsarClientOptions>>().Value;
-			options.Apply(builder);
+	public static IServiceCollection AddPulsarClient(this IServiceCollection services, PulsarClientOptions? options = null) {
+		return AddPulsarClient(services, (sp, builder) => {
+			if (options == null) {
+				options = sp.GetService<IOptions<PulsarClientOptions>>()?.Value;
+			}
+			builder.Configure(options);
 		});
 	}
 
-	public static IServiceCollection AddPulsarClient(this IServiceCollection services, IConfigurationSection pulsarSection) {
-		return AddPulsarClient(services, opts => BindOptions(opts, pulsarSection));
-	}
-
 	public static IServiceCollection AddPulsarClient(this IServiceCollection services, Action<PulsarClientOptions> configure) {
 		services.AddOptions<PulsarClientOptions>().Configure(configure);
-		return AddPulsarClient(services, static (sp, builder) => {
-			var options = sp.GetRequiredService<IOptions<PulsarClientOptions>>().Value;
-			options.Apply(builder);
-		});
+		return AddPulsarClient(services);
 	}
 
 	public static IServiceCollection AddPulsarClient(this IServiceCollection services, Action<IPulsarClientBuilder> configure) {
@@ -60,112 +56,9 @@ public static IServiceCollection AddPulsarClient(this IServiceCollection service
 		});
 	}
 
-	private static void BindOptions(this PulsarClientOptions options, IConfiguration configuration) {
-		configuration.Bind(options);
-
-		options.AuthenticateUsingClientCertificate = BindCertificate(configuration.GetSection(nameof(PulsarClientOptions.AuthenticateUsingClientCertificate)));
-		options.TrustedCertificateAuthority = BindCertificate(configuration.GetSection(nameof(PulsarClientOptions.TrustedCertificateAuthority)));
-
-		static X509Certificate2? BindCertificate(IConfigurationSection configSection) => new CertificateConfig(configSection).LoadCertificate();
-	}
-
-	// Inspired from https://github.com/dotnet/aspnetcore/blob/449abac6f1ca12fa0ad557a872c219fcdfae09f3/src/Servers/Kestrel/Core/src/Internal/Certificates/CertificateConfigLoader.cs#L13
-	private sealed class CertificateConfig
-	{
-		public CertificateConfig(IConfiguration configSection) {
-			Path = configSection[nameof(Path)];
-			KeyPath = configSection[nameof(KeyPath)];
-			Password = configSection[nameof(Password)];
-		}
-
-		public string? Path {
-			get;
-			init;
-		}
-
-		public string? KeyPath {
-			get;
-			init;
-		}
-
-		public string? Password {
-			get;
-			init;
-		}
-
-		public X509Certificate2? LoadCertificate() {
-			if (!string.IsNullOrEmpty(Path)) {
-				var fullChain = new X509Certificate2Collection();
-				fullChain.ImportFromPemFile(Path);
-
-				if (KeyPath != null) {
-#pragma warning disable CA2000
-					var certificate = new X509Certificate2(Path);
-#pragma warning restore CA2000
-					try {
-						certificate = LoadCertificateKey(certificate, KeyPath, Password);
-					} catch {
-						certificate.Dispose();
-						throw;
-					}
-
-					if (OperatingSystem.IsWindows()) {
-						try {
-							certificate = PersistKey(certificate);
-						} catch {
-							certificate.Dispose();
-							throw;
-						}
-					}
-					return certificate;
-				}
-
-				return new X509Certificate2(Path, Password);
-			}
-
-			return null;
-
-			static X509Certificate2 LoadCertificateKey(X509Certificate2 certificate, string keyPath, string? password) {
-				const string RSAOid = "1.2.840.113549.1.1.1";
-				const string DSAOid = "1.2.840.10040.4.1";
-				const string ECDsaOid = "1.2.840.10045.2.1";
-
-				var keyText = File.ReadAllText(keyPath);
-				switch (certificate.PublicKey.Oid.Value) {
-					case RSAOid: {
-						using var rsa = RSA.Create();
-						ImportKeyFromFile(rsa, keyText, password);
-						return certificate.CopyWithPrivateKey(rsa);
-					}
-					case ECDsaOid: {
-						using var ecdsa = ECDsa.Create();
-						ImportKeyFromFile(ecdsa, keyText, password);
-						return certificate.CopyWithPrivateKey(ecdsa);
-					}
-					case DSAOid: {
-						using var dsa = DSA.Create();
-						ImportKeyFromFile(dsa, keyText, password);
-						return certificate.CopyWithPrivateKey(dsa);
-					}
-					default:
-						throw new InvalidOperationException(string.Format(CultureInfo.InvariantCulture, "Unknown algorithm for certificate with public key type '{0}'", certificate.PublicKey.Oid.Value));
-				}
-			}
-
-			static void ImportKeyFromFile(AsymmetricAlgorithm asymmetricAlgorithm, string keyText, string? password) {
-				if (password == null) {
-					asymmetricAlgorithm.ImportFromPem(keyText);
-				} else {
-					asymmetricAlgorithm.ImportFromEncryptedPem(keyText, password);
-				}
-			}
-
-			static X509Certificate2 PersistKey(X509Certificate2 fullCertificate) {
-				// We need to force the key to be persisted.
-				// See https://github.com/dotnet/runtime/issues/23749
-				var certificateBytes = fullCertificate.Export(X509ContentType.Pkcs12, "");
-				return new X509Certificate2(certificateBytes, "", X509KeyStorageFlags.DefaultKeySet);
-			}
-		}
+	public static IPulsarClientBuilder Configure(this IPulsarClientBuilder pulsarClientBuilder, PulsarClientOptions? options) {
+		ArgumentNullException.ThrowIfNull(pulsarClientBuilder);
+		options?.Apply(pulsarClientBuilder);
+		return pulsarClientBuilder;
 	}
 }

src/DotPulsar.Extensions.DependencyInjection/README.md

@@ -14,7 +14,7 @@ dotnet add package DotPulsar.Extensions.DependencyInjection
 ## Usage
 
 ```c#
-services.AddPulsarClient();
+services.AddPulsarOptions().AddPulsarClient();
 ```
 
 This will register the `IPulsarClient` as a singleton in the service collection with the default settings. The settings can be configured using the standard `appSettings.json` file with the following configuration keys supported.

test/DotPulsar.Extensions.DependencyInjection.Tests/PulsarServiceCollectionExtensionsTests.cs

@@ -1,5 +1,3 @@
-using System.ComponentModel;
-using System.Security.Cryptography.X509Certificates;
 using DotPulsar.Abstractions;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
@@ -16,6 +14,7 @@ public async Task can_configure_pulsar_client() {
 				.AddInMemoryCollection(new[] {
 					new KeyValuePair<string, string?>("Pulsar:ServiceUrl", serviceUrl.ToString())
 				}).Build())
+			.AddPulsarOptions()
 			.AddPulsarClient()
 			.BuildServiceProvider();
 		var client = services.GetRequiredService<IPulsarClient>();