Verify certificate format and add more tests

EventStore · Feb 6, 2024 · 7f3a7f2 · 7f3a7f2
1 parent 620f0cf
commit 7f3a7f2
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 14 deletions.
diff --git a/.github/workflows/base.yml b/.github/workflows/base.yml
@@ -45,7 +45,7 @@ jobs:
         env:
           ES_DOCKER_TAG: ${{ inputs.docker-tag }}
         run: |
-          ./gencert.sh
+          sudo ./gencert.sh
           dotnet test --configuration ${{ matrix.configuration }} --blame \
             --logger:"GitHubActions;report-warnings=false" --logger:"console;verbosity=normal" \
             --framework ${{ matrix.framework }} \

diff --git a/src/EventStore.Client/EventStoreClientSettings.ConnectionString.cs b/src/EventStore.Client/EventStoreClientSettings.ConnectionString.cs
@@ -5,6 +5,7 @@
 using System.Net.Http;
 using System.Net.Security;
 using System.Security.Authentication;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using Timeout_ = System.Threading.Timeout;
 
@@ -220,12 +221,17 @@ private static EventStoreClientSettings CreateSettings(
 				}
 
 				if (typedOptions.TryGetValue(TlsCaFile, out var tlsCaFile)) {
-					var tlsCaFilePath = (string)tlsCaFile;
+					var tlsCaFilePath = Path.GetFullPath((string)tlsCaFile);
 					if (!string.IsNullOrEmpty(tlsCaFilePath) && !File.Exists(tlsCaFilePath)) {
-						throw new FileNotFoundException($"Failed to load certificate. File was not found");
+						throw new FileNotFoundException($"Failed to load certificate. File was not found.");
 					}
 
-					settings.ConnectivitySettings.TlsCaFile = (string)tlsCaFile;
+					try {
+						using var x509Certificate2 = new X509Certificate2(tlsCaFilePath);
+						settings.ConnectivitySettings.TlsCaFile = tlsCaFilePath;
+					} catch (CryptographicException) {
+						throw new Exception("Failed to load certificate. Invalid file format.");
+					}
 				}
 
 				settings.CreateHttpMessageHandler = CreateDefaultHandler;
@@ -351,4 +357,4 @@ private static (string, string) ParseKeyValuePair(string s) {
 			}
 		}
 	}
-}
+}
diff --git a/test/EventStore.Client.Streams.Tests/Append/append_to_stream_with_tls_ca_file.cs b/test/EventStore.Client.Streams.Tests/Append/append_to_stream_with_tls_ca_file.cs
@@ -2,24 +2,36 @@ namespace EventStore.Client.Streams.Tests.Append;
 
 [Trait("Category", "Target:Stream")]
 [Trait("Category", "Operation:Append")]
-public class append_to_stream_with_tls_ca_file(ITestOutputHelper output, EventStoreFixture fixture) : EventStoreTests<EventStoreFixture>(output, fixture) {
-	[Fact]
-	public async Task tls_ca_file_exists_and_append_succeeds() {
-		var certificateFilePath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "certs", "ca", "ca.crt");
-
+public class append_to_stream_with_tls_ca_file(ITestOutputHelper output, EventStoreFixture fixture)
+	: EventStoreTests<EventStoreFixture>(output, fixture) {
+	public static IEnumerable<object[]> CertPaths =>
+		new List<object[]> {
+			new object[] { Path.Combine("certs", "ca", "ca.crt") },
+			new object[] { Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "certs", "ca", "ca.crt") },
+		};
+
+	[Theory]
+	[MemberData(nameof(CertPaths))]
+	private async Task TestAppendWithCaFile(string certificateFilePath) {
 		Fixture.Log.Information($"Using certificate: {certificateFilePath}");
 
-		Assert.True(File.Exists(certificateFilePath), $"Certificate file not found at: {certificateFilePath}");
+		Assert.True(File.Exists(certificateFilePath));
 
-		var connectionString = $"esdb://admin:changeit@localhost:2113/?tls=true&tlsVerifyCert=true&tlsCAFile={certificateFilePath}";
+		var connectionString =
+			$"esdb://admin:changeit@localhost:2113/?tls=true&tlsVerifyCert=true&tlsCAFile={certificateFilePath}";
 
 		var settings = EventStoreClientSettings.Create(connectionString);
 
 		var client = new EventStoreClient(settings);
 
-		var appendResult = await client.AppendToStreamAsync("some-stream", StreamState.Any, new[] { new EventData(Uuid.NewUuid(), "some-event", default) });
+		var appendResult = await client.AppendToStreamAsync(
+			"some-stream",
+			StreamState.Any,
+			new[] { new EventData(Uuid.NewUuid(), "some-event", default) }
+		);
+
 		appendResult.ShouldNotBeNull();
 
 		await client.DisposeAsync();
 	}
-}
+}
diff --git a/test/EventStore.Client.Tests/ConnectionStringTests.cs b/test/EventStore.Client.Tests/ConnectionStringTests.cs
@@ -158,6 +158,27 @@ public void should_throw_error_when_tls_ca_file_does_not_exists() {
 		);
 
 		Assert.NotNull(exception);
+		Assert.Equal("Failed to load certificate. File was not found.", exception.Result.Message);
+	}
+
+	[Fact]
+	public void should_throw_exception_when_wrong_format_is_used_for_certificate_file_in_connection_string() {
+		var certificateFilePath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "unknownCertificate");
+
+		// Create a file with invalid certificate format
+		using var stream = File.Create(certificateFilePath);
+		var connectionString =
+			$"esdb://admin:changeit@localhost:2113/?tls=true&tlsVerifyCert=true&tlsCAFile={certificateFilePath}";
+
+		var exception = Assert.ThrowsAsync<Exception>(
+			() => {
+				EventStoreClientSettings.Create(connectionString);
+				return Task.CompletedTask;
+			}
+		);
+
+		Assert.NotNull(exception);
+		Assert.Equal("Failed to load certificate. Invalid file format.", exception.Result.Message);
 	}
 
 	[Fact]