Refactoring GitSslSettings to be GitSsl and handle all the certificate loading. Extracting interaction with GitSsl from HttpRequestor to GitAuthentication

Author: Tomas Urbonaitis

GVFS/GVFS.Common/Git/GitAuthentication.cs

@@ -1,7 +1,10 @@
 using GVFS.Common.Http;
 using GVFS.Common.Tracing;
 using System;
+using System.Collections.Generic;
 using System.Net;
+using System.Net.Http;
+using System.Security.Cryptography.X509Certificates;
 using System.Text;
 
 namespace GVFS.Common.Git
@@ -26,18 +29,16 @@ public GitAuthentication(GitProcess git, string repoUrl)
             this.git = git;
             this.repoUrl = repoUrl;
 
-            if (git.TryGetConfigUrlMatch("http", this.repoUrl, out var configSettings))
+            if (git.TryGetConfigUrlMatch("http", this.repoUrl, out Dictionary<string, GitConfigSetting> configSettings))
             {
-                this.GitSslSettings = new GitSslSettings(configSettings);
+                this.GitSsl = new GitSsl(configSettings);
             }
             else
             {
-                this.GitSslSettings = new GitSslSettings();
+                this.GitSsl = new GitSsl();
             }
         }
 
-        public GitSslSettings GitSslSettings { get; }
-
         public bool IsBackingOff
         {
             get
@@ -48,6 +49,8 @@ public bool IsBackingOff
 
         public bool IsAnonymous { get; private set; } = true;
 
+        private GitSsl GitSsl { get; }
+
         public void ConfirmCredentialsWorked(string usedCredential)
         {
             lock (this.gitAuthLock)
@@ -163,6 +166,44 @@ public bool TryInitializeAndRequireAuth(ITracer tracer, out string errorMessage)
             return false;
         }
 
+        public void SetupSslIfNeeded(ITracer tracer, HttpClientHandler httpClientHandler, GitProcess gitProcess)
+        {
+            if (!string.IsNullOrEmpty(this.GitSsl.SslCertificate))
+            {
+                string certificatePassword = null;
+                if (this.GitSsl.SslCertPasswordProtected)
+                {
+                    certificatePassword = this.GitSsl.GetCertificatePassword(tracer, gitProcess);
+
+                    if (string.IsNullOrEmpty(certificatePassword))
+                    {
+                        tracer.RelatedWarning(
+                            new EventMetadata
+                            {
+                                { "SslCertificate", this.GitSsl.SslCertificate }
+                            },
+                            "Git config indicates, that certificate is password protected, but retrieved password was null or empty!");
+                    }
+                }
+
+                X509Certificate2 cert = this.GitSsl.LoadCertificate(tracer, certificatePassword, this.GitSsl.SslVerify);
+                if (cert != null)
+                {
+                    if (!this.GitSsl.SslVerify)
+                    {
+                        httpClientHandler.ServerCertificateCustomValidationCallback =
+                            (httpRequestMessage, c, cetChain, policyErrors) =>
+                            {
+                                return true;
+                            };
+                    }
+
+                    httpClientHandler.ClientCertificateOptions = ClientCertificateOption.Manual;
+                    httpClientHandler.ClientCertificates.Add(cert);
+                }
+            }
+        }
+
         private bool TryAnonymousQuery(ITracer tracer, Enlistment enlistment, out bool isAnonymous)
         {
             bool querySucceeded;

GVFS/GVFS.Common/Git/GitSsl.cs

@@ -0,0 +1,119 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using GVFS.Common.Tracing;
+
+namespace GVFS.Common.Git
+{
+    public class GitSsl : IDisposable
+    {
+        public readonly string SslCertificate;
+        public readonly bool SslCertPasswordProtected;
+        public readonly bool SslVerify;
+
+        private readonly Lazy<X509Store> store = new Lazy<X509Store>(() =>
+        {
+            X509Store s = new X509Store();
+            s.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);
+            return s;
+        });
+
+        public GitSsl()
+        {
+            this.SslCertificate = null;
+            this.SslCertPasswordProtected = false;
+            this.SslVerify = true;
+        }
+
+        public GitSsl(IDictionary<string, GitConfigSetting> configSettings) : this()
+        {
+            if (configSettings != null)
+            {
+                if (configSettings.TryGetValue(GitConfigSetting.HttpSslCert, out GitConfigSetting sslCerts))
+                {
+                    this.SslCertificate = sslCerts.Values.Single();
+                }
+
+                if (configSettings.TryGetValue(GitConfigSetting.HttpSslCertPasswordProtected, out GitConfigSetting isSslCertPasswordProtected))
+                {
+                    this.SslCertPasswordProtected = isSslCertPasswordProtected.Values.Select(bool.Parse).Single();
+                }
+
+                if (configSettings.TryGetValue(GitConfigSetting.HttpSslVerify, out GitConfigSetting sslVerify))
+                {
+                    this.SslVerify = sslVerify.Values.Select(bool.Parse).Single();
+                }
+            }
+        }
+
+        public string LoadCertificatePassword(ITracer tracer, GitProcess git)
+        {
+            if (git.TryGetCertificatePassword(tracer, this.SslCertificate, out string password, out string error))
+            {
+                return password;
+            }
+
+            return null;
+        }
+
+        public X509Certificate2 LoadCertificate(ITracer tracer, string certificatePassword, bool onlyLoadValidCertificateFromStore)
+        {
+            EventMetadata metadata = new EventMetadata
+            {
+                { "certId", this.SslCertificate },
+                { "isPasswordSpecified", string.IsNullOrEmpty(certificatePassword) },
+                { "shouldVerify", onlyLoadValidCertificateFromStore }
+            };
+
+            if (File.Exists(this.SslCertificate))
+            {
+                try
+                {
+                    X509Certificate2 cert = new X509Certificate2(this.SslCertificate, certificatePassword);
+                    if (onlyLoadValidCertificateFromStore && cert != null && !cert.Verify())
+                    {
+                        tracer.RelatedWarning(metadata, "Certficate was found, but is invalid.");
+                        return null;
+                    }
+
+                    return cert;
+                }
+                catch (CryptographicException cryptEx)
+                {
+                    metadata.Add("Exception", cryptEx);
+                    tracer.RelatedError(metadata, "Error, while loading certificate from disk");
+                    return null;
+                }
+            }
+
+            try
+            {
+                X509Certificate2Collection findResults = this.store.Value.Certificates.Find(X509FindType.FindBySubjectName, this.SslCertificate, onlyLoadValidCertificateFromStore);
+                if (findResults?.Count > 0)
+                {
+                    return findResults[0];
+                }
+            }
+            catch (CryptographicException cryptEx)
+            {
+                metadata.Add("Exception", cryptEx);
+                tracer.RelatedError(metadata, "Error, while searching for certificate in store");
+                return null;
+            }
+
+            tracer.RelatedError("Certificate {0} not found", this.SslCertificate);
+            return null;
+        }
+
+        public void Dispose()
+        {
+            if (this.store.IsValueCreated)
+            {
+                this.store.Value.Dispose();
+            }
+        }
+    }
+}

GVFS/GVFS.Common/Git/GitSslSettings.cs

@@ -8,9 +8,6 @@
 using System.Net;
 using System.Net.Http;
 using System.Net.Http.Headers;
-using System.Security;
-using System.Security.Cryptography;
-using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
@@ -26,13 +23,6 @@ public abstract class HttpRequestor : IDisposable
 
         private readonly GitAuthentication authentication;
 
-        private readonly Lazy<X509Store> store = new Lazy<X509Store>(() =>
-        {
-            X509Store s = new X509Store();
-            s.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);
-            return s;
-        });
-
         private HttpClient client;
 
         static HttpRequestor()
@@ -50,42 +40,9 @@ protected HttpRequestor(ITracer tracer, RetryConfig retryConfig, Enlistment enli
 
             this.Tracer = tracer;
 
-            var httpClientHandler = new HttpClientHandler() { UseDefaultCredentials = true };
-
-            if (!this.authentication.GitSslSettings.SslVerify)
-            {
-                httpClientHandler.ServerCertificateCustomValidationCallback =
-                    (httpRequestMessage, cert, cetChain, policyErrors) =>
-                    {
-                        return true;
-                    };
-            }
-
-            if (!string.IsNullOrEmpty(this.authentication.GitSslSettings.SslCertificate))
-            {
-                string certificatePassword = null;
-                if (this.authentication.GitSslSettings.SslCertPasswordProtected)
-                {
-                    certificatePassword = this.LoadCertificatePassword(this.authentication.GitSslSettings.SslCertificate, enlistment.CreateGitProcess());
-
-                    if (string.IsNullOrEmpty(certificatePassword))
-                    {
-                        this.Tracer.RelatedWarning(
-                            new EventMetadata
-                            {
-                                { "SslCertificate", this.authentication.GitSslSettings.SslCertificate }
-                            },
-                            "Git config indicates, that certificate is password protected, but retrieved password was null or empty!");
-                    }
-                }
+            HttpClientHandler httpClientHandler = new HttpClientHandler() { UseDefaultCredentials = true };
 
-                var cert = this.LoadCertificate(this.authentication.GitSslSettings.SslCertificate, certificatePassword, this.authentication.GitSslSettings.SslVerify);
-                if (cert != null)
-                {
-                    httpClientHandler.ClientCertificateOptions = ClientCertificateOption.Manual;
-                    httpClientHandler.ClientCertificates.Add(cert);
-                }
-            }
+            this.authentication.SetupSslIfNeeded(this.Tracer, httpClientHandler, enlistment.CreateGitProcess());
 
             this.client = new HttpClient(httpClientHandler)
             {
@@ -111,11 +68,6 @@ public void Dispose()
                 this.client.Dispose();
                 this.client = null;
             }
-
-            if (this.store.IsValueCreated)
-            {
-                this.store.Value.Close();
-            }
         }
 
         protected GitEndPointResponseData SendRequest(
@@ -321,64 +273,5 @@ private static string GetSingleHeaderOrEmpty(HttpHeaders headers, string headerN
 
             return string.Empty;
         }
-
-        private string LoadCertificatePassword(string certId, GitProcess git)
-        {
-            if (git.TryGetCertificatePassword(this.Tracer, certId, out var password, out var error))
-            {
-                return password;
-            }
-
-            return null;
-        }
-
-        private X509Certificate2 LoadCertificate(string certId, string certificatePassword, bool onlyLoadValidCertificateFromStore)
-        {
-            EventMetadata metadata = new EventMetadata
-            {
-                { "certId", certId },
-                { "isPasswordSpecified", string.IsNullOrEmpty(certificatePassword) },
-                { "shouldVerify", onlyLoadValidCertificateFromStore }
-            };
-
-            if (File.Exists(certId))
-            {
-                try
-                {
-                    var cert = new X509Certificate2(certId, certificatePassword);
-                    if (onlyLoadValidCertificateFromStore && cert != null && !cert.Verify())
-                    {
-                        this.Tracer.RelatedWarning(metadata, "Certficate was found, but is invalid.");
-                        return null;
-                    }
-
-                    return cert;
-                }
-                catch (CryptographicException cryptEx)
-                {
-                    metadata.Add("Exception", cryptEx);
-                    this.Tracer.RelatedError(metadata, "Error, while loading certificate from disk");
-                    return null;
-                }
-            }
-
-            try
-            {
-                var findResults = this.store.Value.Certificates.Find(X509FindType.FindBySubjectName, certId, onlyLoadValidCertificateFromStore);
-                if (findResults?.Count > 0)
-                {
-                    return findResults[0];
-                }
-            }
-            catch (CryptographicException cryptEx)
-            {
-                metadata.Add("Exception", cryptEx);
-                this.Tracer.RelatedError(metadata, "Error, while searching for certificate in store");
-                return null;
-            }
-
-            this.Tracer.RelatedError("Certificate {0} not found", certId);
-            return null;
-        }
     }
 }