feat(#370): Added support docker TLS endpoint

testcontainers · Oct 9, 2022 · 9dd775f · 9dd775f
1 parent d57eda3
commit 9dd775f
Show file tree

Hide file tree

Showing 6 changed files with 147 additions and 5 deletions.
diff --git a/src/Testcontainers/Builders/TlsEndpointAuthenticationProvider.cs b/src/Testcontainers/Builders/TlsEndpointAuthenticationProvider.cs
@@ -0,0 +1,86 @@
+namespace DotNet.Testcontainers.Builders
+{
+  using System;
+  using System.IO;
+  using System.Linq;
+  using System.Net.Security;
+  using System.Security.Cryptography.X509Certificates;
+  using DotNet.Testcontainers.Configurations;
+  using DotNet.Testcontainers.Configurations.Credentials;
+
+  /// <inheritdoc cref="IDockerRegistryAuthenticationProvider" />
+  internal sealed class TlsEndpointAuthenticationProvider : DockerEndpointAuthenticationProvider
+  {
+    private const string DefaultUserDockerFolderName = ".docker";
+    private const string DefaultCaCertFileName = "ca.pem";
+    private static readonly Uri DefaultTlsDockerEndpoint = new Uri("tcp://localhost:2376");
+    private static readonly string DefaultCertPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), DefaultUserDockerFolderName);
+
+    private readonly Lazy<X509Certificate2> caCertificate;
+    private readonly Uri dockerEngine;
+    private readonly bool dockerTlsEnabled;
+
+    /// <summary>
+    ///   Initializes a new instance of the <see cref="TlsEndpointAuthenticationProvider" /> class.
+    /// </summary>
+    public TlsEndpointAuthenticationProvider()
+      : this(PropertiesFileConfiguration.Instance, EnvironmentConfiguration.Instance)
+    {
+    }
+
+    /// <summary>
+    ///   Initializes a new instance of the <see cref="TlsEndpointAuthenticationProvider" /> class.
+    /// </summary>
+    /// <param name="customConfigurations">A list of custom configurations.</param>
+    public TlsEndpointAuthenticationProvider(params ICustomConfiguration[] customConfigurations)
+    {
+      var dockerCertPath = customConfigurations
+        .Select(customConfiguration => customConfiguration.GetDockerCertPath())
+        .FirstOrDefault(value => value != null) ?? DefaultCertPath;
+      var dockerCaCertFile = Path.Combine(dockerCertPath, DefaultCaCertFileName);
+
+      this.dockerEngine = customConfigurations
+        .Select(customConfiguration => customConfiguration.GetDockerHost())
+        .FirstOrDefault(value => value != null) ?? DefaultTlsDockerEndpoint;
+      this.dockerTlsEnabled = customConfigurations
+        .Select(customConfiguration => customConfiguration.GetDockerTls())
+        .Aggregate(false, (x, y) => x || y);
+      this.caCertificate = new Lazy<X509Certificate2>(() => new X509Certificate2(dockerCaCertFile));
+    }
+
+    /// <inheritdoc />
+    public override bool IsApplicable()
+    {
+      return this.dockerTlsEnabled;
+    }
+
+    /// <inheritdoc />
+    public override IDockerEndpointAuthenticationConfiguration GetAuthConfig()
+    {
+      return new DockerEndpointAuthenticationConfiguration(this.dockerEngine, new TlsCredentials(this.ServerCertificateValidationCallback));
+    }
+
+    private bool ServerCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
+    {
+      switch (sslPolicyErrors)
+      {
+        case SslPolicyErrors.None:
+          return true;
+        case SslPolicyErrors.RemoteCertificateNotAvailable:
+        case SslPolicyErrors.RemoteCertificateNameMismatch:
+          return false;
+        case SslPolicyErrors.RemoteCertificateChainErrors:
+        default:
+          var validationChain = new X509Chain();
+          validationChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
+          validationChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
+          validationChain.ChainPolicy.ExtraStore.Add(this.caCertificate.Value);
+          validationChain.ChainPolicy.ExtraStore.AddRange(chain.ChainElements.OfType<X509ChainElement>().Select(element => element.Certificate).ToArray());
+          var isVerified = validationChain.Build(certificate as X509Certificate2 ?? new X509Certificate2(certificate));
+          var isSignedByExpectedRoot = validationChain.ChainElements[validationChain.ChainElements.Count - 1].Certificate.RawData.SequenceEqual(this.caCertificate.Value.RawData);
+          var isSuccess = isVerified && isSignedByExpectedRoot;
+          return isSuccess;
+      }
+    }
+  }
+}
diff --git a/src/Testcontainers/Configurations/Credentials/TlsCredentials.cs b/src/Testcontainers/Configurations/Credentials/TlsCredentials.cs
@@ -0,0 +1,31 @@
+namespace DotNet.Testcontainers.Configurations.Credentials
+{
+  using System.Net;
+  using System.Net.Http;
+  using System.Net.Security;
+  using Docker.DotNet;
+  using JetBrains.Annotations;
+  using Microsoft.Net.Http.Client;
+
+  public class TlsCredentials : Credentials
+  {
+    public TlsCredentials([CanBeNull] RemoteCertificateValidationCallback serverCertificateValidationCallback)
+    {
+      this.ServerCertificateValidationCallback = serverCertificateValidationCallback;
+    }
+
+    public RemoteCertificateValidationCallback ServerCertificateValidationCallback { get; set; }
+
+    public override bool IsTlsCredentials()
+    {
+      return true;
+    }
+
+    public override HttpMessageHandler GetHandler(HttpMessageHandler innerHandler)
+    {
+      var handler = (ManagedHandler)innerHandler;
+      handler.ServerCertificateValidationCallback = this.ServerCertificateValidationCallback ?? ServicePointManager.ServerCertificateValidationCallback;
+      return handler;
+    }
+  }
+}
diff --git a/src/Testcontainers/Configurations/DockerEndpointAuthenticationConfiguration.cs b/src/Testcontainers/Configurations/DockerEndpointAuthenticationConfiguration.cs
@@ -12,19 +12,24 @@
     /// Initializes a new instance of the <see cref="DockerEndpointAuthenticationConfiguration" /> struct.
     /// </summary>
     /// <param name="endpoint">The Docker API endpoint.</param>
-    public DockerEndpointAuthenticationConfiguration(Uri endpoint)
+    /// <param name="credentials">The Docker API authentication credentials.</param>
+    public DockerEndpointAuthenticationConfiguration(Uri endpoint, Docker.DotNet.Credentials credentials = null)
     {
+      this.Credentials = credentials;
       this.Endpoint = endpoint;
     }
 
+    /// <inheritdoc />
+    public Docker.DotNet.Credentials Credentials { get; }
+
     /// <inheritdoc />
     public Uri Endpoint { get; }
 
     /// <inheritdoc />
     public DockerClientConfiguration GetDockerClientConfiguration(Guid sessionId = default)
     {
       var defaultHttpRequestHeaders = new ReadOnlyDictionary<string, string>(new Dictionary<string, string> { { "x-tc-sid", sessionId.ToString("D") } });
-      return new DockerClientConfiguration(this.Endpoint, defaultHttpRequestHeaders: defaultHttpRequestHeaders);
+      return new DockerClientConfiguration(this.Endpoint, this.Credentials, defaultHttpRequestHeaders: defaultHttpRequestHeaders);
     }
   }
 }
diff --git a/src/Testcontainers/Configurations/IDockerEndpointAuthenticationConfiguration.cs b/src/Testcontainers/Configurations/IDockerEndpointAuthenticationConfiguration.cs
@@ -15,6 +15,12 @@ public interface IDockerEndpointAuthenticationConfiguration
     [NotNull]
     Uri Endpoint { get; }
 
+    /// <summary>
+    /// Gets the Docker API authentication credentials.
+    /// </summary>
+    [CanBeNull]
+    Docker.DotNet.Credentials Credentials { get; }
+
     /// <summary>
     /// Gets the Docker client configuration.
     /// </summary>

diff --git a/src/Testcontainers/Configurations/TestcontainersSettings.cs b/src/Testcontainers/Configurations/TestcontainersSettings.cs
@@ -21,7 +21,13 @@ public static class TestcontainersSettings
     private static readonly IDockerImage RyukContainerImage = new DockerImage("testcontainers/ryuk:0.3.4");
 
     private static readonly IDockerEndpointAuthenticationConfiguration DockerEndpointAuthConfig =
-      new IDockerEndpointAuthenticationProvider[] { new EnvironmentEndpointAuthenticationProvider(), new NpipeEndpointAuthenticationProvider(), new UnixEndpointAuthenticationProvider() }
+      new IDockerEndpointAuthenticationProvider[]
+        {
+          new TlsEndpointAuthenticationProvider(),
+          new EnvironmentEndpointAuthenticationProvider(),
+          new NpipeEndpointAuthenticationProvider(),
+          new UnixEndpointAuthenticationProvider(),
+        }
         .AsParallel()
         .Where(authProvider => authProvider.IsApplicable())
         .Where(authProvider => authProvider.IsAvailable())

diff --git a/tests/Testcontainers.Tests/Unit/Configurations/DockerEndpointAuthenticationProviderTest.cs b/tests/Testcontainers.Tests/Unit/Configurations/DockerEndpointAuthenticationProviderTest.cs
@@ -10,6 +10,7 @@ namespace DotNet.Testcontainers.Tests.Unit
   public sealed class DockerEndpointAuthenticationProviderTest
   {
     private const string DockerHost = "tcp://127.0.0.1:2375";
+    private const string DockerTlsHost = "tcp://127.0.0.1:2376";
 
     [Theory]
     [ClassData(typeof(AuthProviderTestData))]
@@ -35,7 +36,12 @@ public AuthProviderTestData()
       {
         var isWindows = RuntimeInformation.IsOSPlatform(OSPlatform.Windows);
         var defaultConfiguration = new PropertiesFileConfiguration(Array.Empty<string>());
-        var dockerHostConfiguration = new PropertiesFileConfiguration(new[] { "docker.host=" + DockerHost });
+        var dockerHostConfiguration = new PropertiesFileConfiguration(new[] { $"docker.host={DockerHost}" });
+        var dockerTlsConfiguration = new PropertiesFileConfiguration(new[] { "docker.tls=true" });
+        this.Add(new object[] { new TlsEndpointAuthenticationProvider(defaultConfiguration), false });
+        this.Add(new object[] { new TlsEndpointAuthenticationProvider(dockerTlsConfiguration), true });
+        this.Add(new object[] { new TlsEndpointAuthenticationProvider(Array.Empty<ICustomConfiguration>()), false });
+        this.Add(new object[] { new TlsEndpointAuthenticationProvider(defaultConfiguration, dockerTlsConfiguration), true });
         this.Add(new object[] { new EnvironmentEndpointAuthenticationProvider(defaultConfiguration), false });
         this.Add(new object[] { new EnvironmentEndpointAuthenticationProvider(dockerHostConfiguration), true });
         this.Add(new object[] { new EnvironmentEndpointAuthenticationProvider(Array.Empty<ICustomConfiguration>()), false });
@@ -49,7 +55,9 @@ private sealed class AuthConfigTestData : List<object[]>
     {
       public AuthConfigTestData()
       {
-        var dockerHostConfiguration = new PropertiesFileConfiguration(new[] { "docker.host=" + DockerHost });
+        var dockerHostConfiguration = new PropertiesFileConfiguration(new[] { $"docker.host={DockerHost}" });
+        var dockerTlsHostConfiguration = new PropertiesFileConfiguration(new[] { $"docker.host={DockerTlsHost}" });
+        this.Add(new object[] { new TlsEndpointAuthenticationProvider(dockerTlsHostConfiguration).GetAuthConfig(), new Uri(DockerTlsHost) });
         this.Add(new object[] { new EnvironmentEndpointAuthenticationProvider(dockerHostConfiguration).GetAuthConfig(), new Uri(DockerHost) });
         this.Add(new object[] { new NpipeEndpointAuthenticationProvider().GetAuthConfig(), new Uri("npipe://./pipe/docker_engine") });
         this.Add(new object[] { new UnixEndpointAuthenticationProvider().GetAuthConfig(), new Uri("unix:/var/run/docker.sock") });