diff --git a/src/Testcontainers/Builders/TlsEndpointAuthenticationProvider.cs b/src/Testcontainers/Builders/TlsEndpointAuthenticationProvider.cs new file mode 100644 index 000000000..e8f5c9a80 --- /dev/null +++ b/src/Testcontainers/Builders/TlsEndpointAuthenticationProvider.cs @@ -0,0 +1,86 @@ +namespace DotNet.Testcontainers.Builders +{ + using System; + using System.IO; + using System.Linq; + using System.Net.Security; + using System.Security.Cryptography.X509Certificates; + using DotNet.Testcontainers.Configurations; + using DotNet.Testcontainers.Configurations.Credentials; + + /// + internal sealed class TlsEndpointAuthenticationProvider : DockerEndpointAuthenticationProvider + { + private const string DefaultUserDockerFolderName = ".docker"; + private const string DefaultCaCertFileName = "ca.pem"; + private static readonly Uri DefaultTlsDockerEndpoint = new Uri("tcp://localhost:2376"); + private static readonly string DefaultCertPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), DefaultUserDockerFolderName); + + private readonly Lazy caCertificate; + private readonly Uri dockerEngine; + private readonly bool dockerTlsEnabled; + + /// + /// Initializes a new instance of the class. + /// + public TlsEndpointAuthenticationProvider() + : this(PropertiesFileConfiguration.Instance, EnvironmentConfiguration.Instance) + { + } + + /// + /// Initializes a new instance of the class. + /// + /// A list of custom configurations. + public TlsEndpointAuthenticationProvider(params ICustomConfiguration[] customConfigurations) + { + var dockerCertPath = customConfigurations + .Select(customConfiguration => customConfiguration.GetDockerCertPath()) + .FirstOrDefault(value => value != null) ?? DefaultCertPath; + var dockerCaCertFile = Path.Combine(dockerCertPath, DefaultCaCertFileName); + + this.dockerEngine = customConfigurations + .Select(customConfiguration => customConfiguration.GetDockerHost()) + .FirstOrDefault(value => value != null) ?? DefaultTlsDockerEndpoint; + this.dockerTlsEnabled = customConfigurations + .Select(customConfiguration => customConfiguration.GetDockerTls()) + .Aggregate(false, (x, y) => x || y); + this.caCertificate = new Lazy(() => new X509Certificate2(dockerCaCertFile)); + } + + /// + public override bool IsApplicable() + { + return this.dockerTlsEnabled; + } + + /// + public override IDockerEndpointAuthenticationConfiguration GetAuthConfig() + { + return new DockerEndpointAuthenticationConfiguration(this.dockerEngine, new TlsCredentials(this.ServerCertificateValidationCallback)); + } + + private bool ServerCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) + { + switch (sslPolicyErrors) + { + case SslPolicyErrors.None: + return true; + case SslPolicyErrors.RemoteCertificateNotAvailable: + case SslPolicyErrors.RemoteCertificateNameMismatch: + return false; + case SslPolicyErrors.RemoteCertificateChainErrors: + default: + var validationChain = new X509Chain(); + validationChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; + validationChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; + validationChain.ChainPolicy.ExtraStore.Add(this.caCertificate.Value); + validationChain.ChainPolicy.ExtraStore.AddRange(chain.ChainElements.OfType().Select(element => element.Certificate).ToArray()); + var isVerified = validationChain.Build(certificate as X509Certificate2 ?? new X509Certificate2(certificate)); + var isSignedByExpectedRoot = validationChain.ChainElements[validationChain.ChainElements.Count - 1].Certificate.RawData.SequenceEqual(this.caCertificate.Value.RawData); + var isSuccess = isVerified && isSignedByExpectedRoot; + return isSuccess; + } + } + } +} diff --git a/src/Testcontainers/Configurations/Credentials/TlsCredentials.cs b/src/Testcontainers/Configurations/Credentials/TlsCredentials.cs new file mode 100644 index 000000000..cb8d90d7c --- /dev/null +++ b/src/Testcontainers/Configurations/Credentials/TlsCredentials.cs @@ -0,0 +1,31 @@ +namespace DotNet.Testcontainers.Configurations.Credentials +{ + using System.Net; + using System.Net.Http; + using System.Net.Security; + using Docker.DotNet; + using JetBrains.Annotations; + using Microsoft.Net.Http.Client; + + public class TlsCredentials : Credentials + { + public TlsCredentials([CanBeNull] RemoteCertificateValidationCallback serverCertificateValidationCallback) + { + this.ServerCertificateValidationCallback = serverCertificateValidationCallback; + } + + public RemoteCertificateValidationCallback ServerCertificateValidationCallback { get; set; } + + public override bool IsTlsCredentials() + { + return true; + } + + public override HttpMessageHandler GetHandler(HttpMessageHandler innerHandler) + { + var handler = (ManagedHandler)innerHandler; + handler.ServerCertificateValidationCallback = this.ServerCertificateValidationCallback ?? ServicePointManager.ServerCertificateValidationCallback; + return handler; + } + } +} diff --git a/src/Testcontainers/Configurations/DockerEndpointAuthenticationConfiguration.cs b/src/Testcontainers/Configurations/DockerEndpointAuthenticationConfiguration.cs index 10c63b35b..67767e6bb 100644 --- a/src/Testcontainers/Configurations/DockerEndpointAuthenticationConfiguration.cs +++ b/src/Testcontainers/Configurations/DockerEndpointAuthenticationConfiguration.cs @@ -12,11 +12,16 @@ /// Initializes a new instance of the struct. /// /// The Docker API endpoint. - public DockerEndpointAuthenticationConfiguration(Uri endpoint) + /// The Docker API authentication credentials. + public DockerEndpointAuthenticationConfiguration(Uri endpoint, Docker.DotNet.Credentials credentials = null) { + this.Credentials = credentials; this.Endpoint = endpoint; } + /// + public Docker.DotNet.Credentials Credentials { get; } + /// public Uri Endpoint { get; } @@ -24,7 +29,7 @@ public DockerEndpointAuthenticationConfiguration(Uri endpoint) public DockerClientConfiguration GetDockerClientConfiguration(Guid sessionId = default) { var defaultHttpRequestHeaders = new ReadOnlyDictionary(new Dictionary { { "x-tc-sid", sessionId.ToString("D") } }); - return new DockerClientConfiguration(this.Endpoint, defaultHttpRequestHeaders: defaultHttpRequestHeaders); + return new DockerClientConfiguration(this.Endpoint, this.Credentials, defaultHttpRequestHeaders: defaultHttpRequestHeaders); } } } diff --git a/src/Testcontainers/Configurations/IDockerEndpointAuthenticationConfiguration.cs b/src/Testcontainers/Configurations/IDockerEndpointAuthenticationConfiguration.cs index 3a8a48508..9f0b63f13 100644 --- a/src/Testcontainers/Configurations/IDockerEndpointAuthenticationConfiguration.cs +++ b/src/Testcontainers/Configurations/IDockerEndpointAuthenticationConfiguration.cs @@ -15,6 +15,12 @@ public interface IDockerEndpointAuthenticationConfiguration [NotNull] Uri Endpoint { get; } + /// + /// Gets the Docker API authentication credentials. + /// + [CanBeNull] + Docker.DotNet.Credentials Credentials { get; } + /// /// Gets the Docker client configuration. /// diff --git a/src/Testcontainers/Configurations/TestcontainersSettings.cs b/src/Testcontainers/Configurations/TestcontainersSettings.cs index 2a959bd7f..1f963fff5 100644 --- a/src/Testcontainers/Configurations/TestcontainersSettings.cs +++ b/src/Testcontainers/Configurations/TestcontainersSettings.cs @@ -21,7 +21,13 @@ public static class TestcontainersSettings private static readonly IDockerImage RyukContainerImage = new DockerImage("testcontainers/ryuk:0.3.4"); private static readonly IDockerEndpointAuthenticationConfiguration DockerEndpointAuthConfig = - new IDockerEndpointAuthenticationProvider[] { new EnvironmentEndpointAuthenticationProvider(), new NpipeEndpointAuthenticationProvider(), new UnixEndpointAuthenticationProvider() } + new IDockerEndpointAuthenticationProvider[] + { + new TlsEndpointAuthenticationProvider(), + new EnvironmentEndpointAuthenticationProvider(), + new NpipeEndpointAuthenticationProvider(), + new UnixEndpointAuthenticationProvider(), + } .AsParallel() .Where(authProvider => authProvider.IsApplicable()) .Where(authProvider => authProvider.IsAvailable()) diff --git a/tests/Testcontainers.Tests/Unit/Configurations/DockerEndpointAuthenticationProviderTest.cs b/tests/Testcontainers.Tests/Unit/Configurations/DockerEndpointAuthenticationProviderTest.cs index eeec3102d..ca0a3649a 100644 --- a/tests/Testcontainers.Tests/Unit/Configurations/DockerEndpointAuthenticationProviderTest.cs +++ b/tests/Testcontainers.Tests/Unit/Configurations/DockerEndpointAuthenticationProviderTest.cs @@ -10,6 +10,7 @@ namespace DotNet.Testcontainers.Tests.Unit public sealed class DockerEndpointAuthenticationProviderTest { private const string DockerHost = "tcp://127.0.0.1:2375"; + private const string DockerTlsHost = "tcp://127.0.0.1:2376"; [Theory] [ClassData(typeof(AuthProviderTestData))] @@ -35,7 +36,12 @@ public AuthProviderTestData() { var isWindows = RuntimeInformation.IsOSPlatform(OSPlatform.Windows); var defaultConfiguration = new PropertiesFileConfiguration(Array.Empty()); - var dockerHostConfiguration = new PropertiesFileConfiguration(new[] { "docker.host=" + DockerHost }); + var dockerHostConfiguration = new PropertiesFileConfiguration(new[] { $"docker.host={DockerHost}" }); + var dockerTlsConfiguration = new PropertiesFileConfiguration(new[] { "docker.tls=true" }); + this.Add(new object[] { new TlsEndpointAuthenticationProvider(defaultConfiguration), false }); + this.Add(new object[] { new TlsEndpointAuthenticationProvider(dockerTlsConfiguration), true }); + this.Add(new object[] { new TlsEndpointAuthenticationProvider(Array.Empty()), false }); + this.Add(new object[] { new TlsEndpointAuthenticationProvider(defaultConfiguration, dockerTlsConfiguration), true }); this.Add(new object[] { new EnvironmentEndpointAuthenticationProvider(defaultConfiguration), false }); this.Add(new object[] { new EnvironmentEndpointAuthenticationProvider(dockerHostConfiguration), true }); this.Add(new object[] { new EnvironmentEndpointAuthenticationProvider(Array.Empty()), false }); @@ -49,7 +55,9 @@ private sealed class AuthConfigTestData : List { public AuthConfigTestData() { - var dockerHostConfiguration = new PropertiesFileConfiguration(new[] { "docker.host=" + DockerHost }); + var dockerHostConfiguration = new PropertiesFileConfiguration(new[] { $"docker.host={DockerHost}" }); + var dockerTlsHostConfiguration = new PropertiesFileConfiguration(new[] { $"docker.host={DockerTlsHost}" }); + this.Add(new object[] { new TlsEndpointAuthenticationProvider(dockerTlsHostConfiguration).GetAuthConfig(), new Uri(DockerTlsHost) }); this.Add(new object[] { new EnvironmentEndpointAuthenticationProvider(dockerHostConfiguration).GetAuthConfig(), new Uri(DockerHost) }); this.Add(new object[] { new NpipeEndpointAuthenticationProvider().GetAuthConfig(), new Uri("npipe://./pipe/docker_engine") }); this.Add(new object[] { new UnixEndpointAuthenticationProvider().GetAuthConfig(), new Uri("unix:/var/run/docker.sock") });