Support for adding client-cert via environment variable

01b1ba66 · Marc Gravell · c80675a8 · 01b1ba66 · 01b1ba66
Commit 01b1ba66 authored Jun 18, 2014 by Marc Gravell
Show whitespace changes
Inline Side-by-side

Showing with 89 additions and 7 deletions

SSL.cs StackExchange.Redis.Tests/SSL.cs +72 -6

PhysicalConnection.cs ...kExchange.Redis/StackExchange/Redis/PhysicalConnection.cs +17 -1

No files found.
--- a/StackExchange.Redis.Tests/SSL.cs
+++ b/StackExchange.Redis.Tests/SSL.cs
@@ -159,14 +159,15 @@ private static void TestConcurrent(IDatabase db, RedisKey key, int SyncLoop, int
        }


+
+        const string RedisLabsSslHostFile = @"d:\RedisLabsSslHost.txt";
+        const string RedisLabsPfxPath = @"d:\RedisLabsUser.pfx";
+
        [Test]
        public void RedisLabsSSL()
        {
-            const string path = @"d:\RedisLabsSslHost.txt";
-            const string pfxPath = @"d:\RedisLabsUser.pfx";
-
-            if (!File.Exists(path)) Assert.Inconclusive();
-            string hostAndPort = File.ReadAllText(path);
+            if (!File.Exists(RedisLabsSslHostFile)) Assert.Inconclusive();
+            string hostAndPort = File.ReadAllText(RedisLabsSslHostFile);
            int timeout = 5000;
            if (Debugger.IsAttached) timeout *= 100;
            var options = new ConfigurationOptions
@@ -184,7 +185,7 @@ public void RedisLabsSSL()
 #endif
            options.Ssl = true;
            options.CertificateSelection += delegate {
-                return new X509Certificate2(pfxPath, "");
+                return new X509Certificate2(RedisLabsPfxPath, "");
            };
            RedisKey key = Me();
            using(var conn = ConnectionMultiplexer.Connect(options))
@@ -207,5 +208,70 @@ public void RedisLabsSSL()
            }
        }

+        [Test]
+        [TestCase(false)]
+        [TestCase(true)]
+        public void RedisLabsEnvironmentVariableClientCertificate(bool setEnv)
+        {
+            try
+            {
+                if (setEnv)
+                {
+                    Environment.SetEnvironmentVariable("SERedis_ClientCertPfxPath", RedisLabsPfxPath);
+                }
+                if (!File.Exists(RedisLabsSslHostFile)) Assert.Inconclusive();
+                string hostAndPort = File.ReadAllText(RedisLabsSslHostFile);
+                int timeout = 5000;
+                if (Debugger.IsAttached) timeout *= 100;
+                var options = new ConfigurationOptions
+                {
+                    EndPoints = { hostAndPort },
+                    ConnectTimeout = timeout,
+                    AllowAdmin = true,
+                    CommandMap = CommandMap.Create(new HashSet<string> {
+                    "subscribe", "unsubscribe", "cluster"
+                }, false)
+                };
+                if (!Directory.Exists(Me())) Directory.CreateDirectory(Me());
+#if LOGOUTPUT
+            ConnectionMultiplexer.EchoPath = Me();
+#endif
+                options.Ssl = true;
+                RedisKey key = Me();
+                using (var conn = ConnectionMultiplexer.Connect(options))
+                {
+                    if (!setEnv) Assert.Fail();
+
+                    var db = conn.GetDatabase();
+                    db.KeyDelete(key);
+                    string s = db.StringGet(key);
+                    Assert.IsNull(s);
+                    db.StringSet(key, "abc");
+                    s = db.StringGet(key);
+                    Assert.AreEqual("abc", s);
+
+                    var latency = db.Ping();
+                    Console.WriteLine("RedisLabs latency: {0:###,##0.##}ms", latency.TotalMilliseconds);
+
+                    using (var file = File.Create("RedisLabs.zip"))
+                    {
+                        conn.ExportConfiguration(file);
+                    }
+                }
+            }
+            catch(RedisConnectionException ex)
+            {
+                if(setEnv || ex.FailureType != ConnectionFailureType.UnableToConnect)
+                {
+                    throw;
+                }
+            }
+            finally
+            {
+                Environment.SetEnvironmentVariable("SERedis_ClientCertPfxPath", null);
+            }
+
+        }
+
    }
 }
--- a/StackExchange.Redis/StackExchange/Redis/PhysicalConnection.cs
+++ b/StackExchange.Redis/StackExchange/Redis/PhysicalConnection.cs
@@ -7,6 +7,7 @@
 using System.Net.Sockets;
 using System.Runtime.CompilerServices;
 using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Threading;

@@ -543,6 +544,20 @@ internal int GetAvailableInboundBytes(out int activeReaders)
            return this.socketToken.Available;
        }

+        static LocalCertificateSelectionCallback GetAmbientCertificateCallback()
+        {
+            try
+            {
+                var pfxPath = Environment.GetEnvironmentVariable("SERedis_ClientCertPfxPath");
+                var pfxPassword = Environment.GetEnvironmentVariable("SERedis_ClientCertPassword");
+                if (!string.IsNullOrEmpty(pfxPath) && File.Exists(pfxPath))
+                {
+                    return delegate { return new X509Certificate2(pfxPath, pfxPassword ?? ""); };
+                }                
+            } catch
+            { }
+            return null;
+        }
        SocketMode ISocketCallback.Connected(Stream stream)
        {
            try
@@ -561,7 +576,8 @@ SocketMode ISocketCallback.Connected(Stream stream)
                    var host = config.SslHost;
                    if (string.IsNullOrWhiteSpace(host)) host = Format.ToStringHostOnly(bridge.ServerEndPoint.EndPoint);

-                    var ssl = new SslStream(stream, false, config.CertificateValidationCallback, config.CertificateSelectionCallback
+                    var ssl = new SslStream(stream, false, config.CertificateValidationCallback,
+                        config.CertificateSelectionCallback ?? GetAmbientCertificateCallback()
 #if !__MonoCS__
                        , EncryptionPolicy.RequireEncryption
 #endif