CosmosClientOptions: Adds validation to check DisableServerCertificat…

…eValidation and ServerCertificateCustomValidationCallback are set together (#4283) * Added validation to check HttpFactory and ServerCallback are set together * fix validation
Azure · Jan 30, 2024 · 1bbe101 · 1bbe101
1 parent 0633389
commit 1bbe101
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/Microsoft.Azure.Cosmos/src/CosmosClientOptions.cs b/Microsoft.Azure.Cosmos/src/CosmosClientOptions.cs
@@ -731,6 +731,11 @@ internal Protocol ConnectionProtocol
         /// Flag that controls whether CPU monitoring thread is created to enrich timeout exceptions with additional diagnostic. Default value is true.
         /// </summary>
         internal bool? EnableCpuMonitor { get; set; }
+
+        /// <summary>
+        /// Flag indicates the value of DisableServerCertificateValidation flag set at connection string level.Default it is false.
+        /// </summary>
+        internal bool DisableServerCertificateValidation { get; set; }
 
         /// <summary>
         /// Gets or sets Client Telemetry Options like feature flags and corresponding options
@@ -758,6 +763,7 @@ internal virtual ConnectionPolicy GetConnectionPolicy(int clientId)
             this.ValidateDirectTCPSettings();
             this.ValidateLimitToEndpointSettings();
             this.ValidatePartitionLevelFailoverSettings();
+            this.ValidateAndSetServerCallbackSettings();
 
             ConnectionPolicy connectionPolicy = new ConnectionPolicy()
             {
@@ -866,7 +872,7 @@ internal static CosmosClientOptions GetCosmosClientOptionsWithCertificateFlag(st
             clientOptions ??= new CosmosClientOptions();
             if (CosmosClientOptions.IsConnectionStringDisableServerCertificateValidationFlag(connectionString))
             {
-                clientOptions.ServerCertificateCustomValidationCallback = (_, _, _) => true;
+                clientOptions.DisableServerCertificateValidation = true;
             }
 
             return clientOptions;
@@ -929,6 +935,19 @@ private void ValidatePartitionLevelFailoverSettings()
             {
                 throw new ArgumentException($"{nameof(this.ApplicationPreferredRegions)} is required when {nameof(this.EnablePartitionLevelFailover)} is enabled.");
             }
+        }
+
+        private void ValidateAndSetServerCallbackSettings()
+        {
+            if (this.DisableServerCertificateValidation && this.ServerCertificateCustomValidationCallback != null)
+            {
+                throw new ArgumentException($"Cannot specify {nameof(this.DisableServerCertificateValidation)} flag in Connection String and {nameof(this.ServerCertificateCustomValidationCallback)}. Only one can be set.");
+            }
+
+            if (this.DisableServerCertificateValidation)
+            {
+                this.ServerCertificateCustomValidationCallback = (_, _, _) => true;
+            }
         }
 
         private void ValidateDirectTCPSettings()

diff --git a/Microsoft.Azure.Cosmos/tests/Microsoft.Azure.Cosmos.Tests/CosmosClientOptionsUnitTests.cs b/Microsoft.Azure.Cosmos/tests/Microsoft.Azure.Cosmos.Tests/CosmosClientOptionsUnitTests.cs
@@ -892,6 +892,7 @@ public void InvalidApplicationNameCatchTest()
         [TestMethod]
         [DataRow(ConnectionString, false)]
         [DataRow(ConnectionString + "DisableServerCertificateValidation=true;", true)]
+        [DataRow(ConnectionString + "DisableServerCertificateValidation=false;", false)]
         public void TestServerCertificatesValidationCallback(string connStr, bool expectedIgnoreCertificateFlag)
         {
             //Arrange
@@ -913,6 +914,18 @@ public void TestServerCertificatesValidationCallback(string connStr, bool expect
                 Assert.IsNull(cosmosClient.ClientOptions.ServerCertificateCustomValidationCallback);
             }
         }
+
+        [TestMethod]
+        [DataRow(ConnectionString + "DisableServerCertificateValidation=true;")]
+        [ExpectedException(typeof(ArgumentException))]
+        public void TestServerCertificatesValidationWithDisableSSLFlagTrue(string connStr)
+        {
+            CosmosClientOptions options = new CosmosClientOptions
+            {
+               ServerCertificateCustomValidationCallback = (certificate, chain, sslPolicyErrors) => true
+            };
+            CosmosClient cosmosClient = new CosmosClient(connStr, options);
+        }
 
         private class TestWebProxy : IWebProxy
         {