From 1bbe101e2bef34e683949653388260e35082ca95 Mon Sep 17 00:00:00 2001
From: Sourabh Jain
Date: Tue, 30 Jan 2024 06:50:08 +0530
Subject: [PATCH] CosmosClientOptions: Adds validation to check DisableServerCertificateValidation and ServerCertificateCustomValidationCallback are set together (#4283)
* Added validation to check HttpFactory and ServerCallback are set together
* fix validation
---
 .../src/CosmosClientOptions.cs | 21 ++++++++++++++++++-
 .../CosmosClientOptionsUnitTests.cs | 13 ++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/Microsoft.Azure.Cosmos/src/CosmosClientOptions.cs b/Microsoft.Azure.Cosmos/src/CosmosClientOptions.cs
index 1fd66c3169..8700f2e56e 100644
--- a/Microsoft.Azure.Cosmos/src/CosmosClientOptions.cs
+++ b/Microsoft.Azure.Cosmos/src/CosmosClientOptions.cs
@@ -731,6 +731,11 @@ internal Protocol ConnectionProtocol
 /// Flag that controls whether CPU monitoring thread is created to enrich timeout exceptions with additional diagnostic. Default value is true.
 ///
 internal bool? EnableCpuMonitor { get; set; }
+
+ ///
+ /// Flag indicates the value of DisableServerCertificateValidation flag set at connection string level.Default it is false.
+ ///
+ internal bool DisableServerCertificateValidation { get; set; }
 ///
 /// Gets or sets Client Telemetry Options like feature flags and corresponding options
@@ -758,6 +763,7 @@ internal virtual ConnectionPolicy GetConnectionPolicy(int clientId)
 this.ValidateDirectTCPSettings();
 this.ValidateLimitToEndpointSettings();
 this.ValidatePartitionLevelFailoverSettings();
+ this.ValidateAndSetServerCallbackSettings();
 ConnectionPolicy connectionPolicy = new ConnectionPolicy()
 {
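Review bot: The new summary on DisableServerCertificateValidation in hunk @@ -731 ("Flag indicates the value ... level.Default it is false.") is missing a space after "level." and does not say what the flag does, which is the security-relevant part: when it is true, GetConnectionPolicy installs an accept-all ServerCertificateCustomValidationCallback (hunk @@ -929), so the client stops authenticating the server's TLS certificate. I would replace the summary text with `/// True when the connection string carried DisableServerCertificateValidation=true. When true, <see cref="GetConnectionPolicy"/> installs a callback that accepts every server certificate, i.e. TLS server authentication is disabled for this client. Default is false.` so that a reader of the options class sees the consequence without tracing into the validation method.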
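Review bot: The ValidateAndSetServerCallbackSettings call added to GetConnectionPolicy here is not safe to run twice, because the method it calls (hunk @@ -929) is not idempotent: the first pass assigns the accept-all delegate to ServerCertificateCustomValidationCallback while DisableServerCertificateValidation stays true, so a second GetConnectionPolicy call on the same options instance trips the conflict check with both set and throws the "Only one can be set" ArgumentException. Whether the policy is ever built more than once per options instance is not visible in this patch, but a Validate… method that mutates a public property from a getter is fragile either way. Make the conflict check recognise the delegate this class installs itself, by keeping that delegate in a static readonly field and comparing by reference, as below; the field's type must match the declared type of ServerCertificateCustomValidationCallback, which is outside the hunk. GetConnectionPolicy's body starts and ends outside the hunk.
```csharp
// The one delegate this class installs for DisableServerCertificateValidation; kept in a field so a
// repeated validation pass can tell it apart from a caller-supplied callback.
// NOTE(review): type must match the declared property type, which is not visible in this hunk.
private static readonly Func<X509Certificate2, X509Chain, SslPolicyErrors, bool> s_acceptAllServerCertificates = (_, _, _) => true;

private void ValidateAndSetServerCallbackSettings()
{
    // A conflict is only a caller-supplied callback; the sentinel installed by an earlier pass
    // is not one, so this method can run more than once on the same instance.
    if (this.DisableServerCertificateValidation
        && this.ServerCertificateCustomValidationCallback != null
        && !ReferenceEquals(this.ServerCertificateCustomValidationCallback, s_acceptAllServerCertificates))
    {
        throw new ArgumentException($"Cannot specify {nameof(this.DisableServerCertificateValidation)} flag in Connection String and {nameof(this.ServerCertificateCustomValidationCallback)}. Only one can be set.");
    }

    if (this.DisableServerCertificateValidation)
    {
        this.ServerCertificateCustomValidationCallback = s_acceptAllServerCertificates;
    }
}
```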
@@ -866,7 +872,7 @@ internal static CosmosClientOptions GetCosmosClientOptionsWithCertificateFlag(st
 clientOptions ??= new CosmosClientOptions();
 if (CosmosClientOptions.IsConnectionStringDisableServerCertificateValidationFlag(connectionString))
 {
- clientOptions.ServerCertificateCustomValidationCallback = (_, _, _) => true;
+ clientOptions.DisableServerCertificateValidation = true;
 }
 return clientOptions;
@@ -929,6 +935,19 @@ private void ValidatePartitionLevelFailoverSettings()
 {
 throw new ArgumentException($"{nameof(this.ApplicationPreferredRegions)} is required when {nameof(this.EnablePartitionLevelFailover)} is enabled.");
 }
+ }
+
+ private void ValidateAndSetServerCallbackSettings()
+ {
+ if (this.DisableServerCertificateValidation && this.ServerCertificateCustomValidationCallback != null)
+ {
+ throw new ArgumentException($"Cannot specify {nameof(this.DisableServerCertificateValidation)} flag in Connection String and {nameof(this.ServerCertificateCustomValidationCallback)}. Only one can be set.");
+ }
+
+ if (this.DisableServerCertificateValidation)
+ {
+ this.ServerCertificateCustomValidationCallback = (_, _, _) => true;
+ }
 }
 private void ValidateDirectTCPSettings()
diff --git a/Microsoft.Azure.Cosmos/tests/Microsoft.Azure.Cosmos.Tests/CosmosClientOptionsUnitTests.cs b/Microsoft.Azure.Cosmos/tests/Microsoft.Azure.Cosmos.Tests/CosmosClientOptionsUnitTests.cs
index 51aee132ae..b0b6b8be35 100644
--- a/Microsoft.Azure.Cosmos/tests/Microsoft.Azure.Cosmos.Tests/CosmosClientOptionsUnitTests.cs
+++ b/Microsoft.Azure.Cosmos/tests/Microsoft.Azure.Cosmos.Tests/CosmosClientOptionsUnitTests.cs
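Review bot: After the change in hunk @@ -866, GetCosmosClientOptionsWithCertificateFlag no longer installs the accept-all callback itself; it only raises DisableServerCertificateValidation and leaves ServerCertificateCustomValidationCallback null until GetConnectionPolicy runs ValidateAndSetServerCallbackSettings. Any caller that inspects the callback on the returned options before a policy is built (none is visible in this patch) now observes null where it previously observed the delegate, and the existing DataRow test presumably passes only because the CosmosClient constructor builds the policy before the assertion. That deferral is worth stating at the assignment so nobody re-adds the direct callback assignment: `// Only the flag is recorded here; ValidateAndSetServerCallbackSettings (run from GetConnectionPolicy) installs the callback after checking it does not conflict with a user-supplied one.` GetCosmosClientOptionsWithCertificateFlag's body starts outside the hunk.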
@@ -892,6 +892,7 @@ public void InvalidApplicationNameCatchTest()
 [TestMethod]
 [DataRow(ConnectionString, false)]
 [DataRow(ConnectionString + "DisableServerCertificateValidation=true;", true)]
+ [DataRow(ConnectionString + "DisableServerCertificateValidation=false;", false)]
 public void TestServerCertificatesValidationCallback(string connStr, bool expectedIgnoreCertificateFlag)
 {
 //Arrange
@@ -913,6 +914,18 @@ public void TestServerCertificatesValidationCallback(string connStr, bool expect
 Assert.IsNull(cosmosClient.ClientOptions.ServerCertificateCustomValidationCallback);
 }
 }
+
+ [TestMethod]
+ [DataRow(ConnectionString + "DisableServerCertificateValidation=true;")]
+ [ExpectedException(typeof(ArgumentException))]
+ public void TestServerCertificatesValidationWithDisableSSLFlagTrue(string connStr)
+ {
+ CosmosClientOptions options = new CosmosClientOptions
+ {
+ ServerCertificateCustomValidationCallback = (certificate, chain, sslPolicyErrors) => true
+ };
+ CosmosClient cosmosClient = new CosmosClient(connStr, options);
+ }
 private class TestWebProxy : IWebProxy
 {
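Review bot: `[ExpectedException(typeof(ArgumentException))]` on TestServerCertificatesValidationWithDisableSSLFlagTrue (hunk @@ -913) accepts any ArgumentException raised anywhere inside the CosmosClient constructor, so the test would still pass if, for example, connection-string parsing rejected the input before the new conflict check ever ran; the `cosmosClient` local is also assigned and never used. Pin the throw site and the message instead: drop the attribute and replace the last statement with `ArgumentException ex = Assert.ThrowsException<ArgumentException>(() => new CosmosClient(connStr, options));` followed by `StringAssert.Contains(ex.Message, "DisableServerCertificateValidation");`, which is the name the production message embeds via nameof.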