Add initial support for custom certificate trust #11889
Conversation
|
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 11889Or
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 11889" |
github-actions
bot
added
the
area-app-model
There was a problem hiding this comment.
Pull Request Overview
This PR implements initial support for custom certificate trust in Aspire, allowing users to configure certificate authorities for resources. The feature includes implicit trust for ASP.NET developer certificates by default, with override capabilities through configuration and explicit resource-level settings.
Key Changes
- Added certificate trust framework with new resource types and annotations for managing certificate authorities
- Integrated developer certificate service for automatic detection and trust of ASP.NET Core development certificates
- Extended DCP executor to handle certificate trust configuration for both executable and container resources
Reviewed Changes
Copilot reviewed 16 out of 17 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| X509Certificate2Extensions.cs | New utility for identifying and validating ASP.NET Core development certificates |
| ResourceBuilderExtensions.cs | Added extension methods for configuring certificate trust on resources |
| IDeveloperCertificateService.cs | Service interface for accessing development certificate information |
| DeveloperCertificateService.cs | Implementation of certificate discovery and validation service |
| DcpOptions.cs | Added configuration option for developer certificate trust |
| DcpExecutor.cs | Core logic for applying certificate trust to executables and containers |
| ContainerResourceBuilderExtensions.cs | Minor refactoring to use consistent annotation behavior |
| Certificate annotation classes | New annotation types for managing certificate trust callbacks and collections |
| CertificateAuthorityCollection classes | Resource type and extensions for managing certificate collections |
| YarpResourceExtensions.cs | Updated to use developer certificate service for conditional configuration |
| Python/NodeJs extensions | Added certificate trust support for respective runtimes |
src/Aspire.Hosting/ApplicationModel/CertificateAuthorityCollectionAnnotation.cs
Outdated
Show resolved
Hide resolved
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
|
Marking this as ready to review; there's likely some tweaks to be made to the APIs and a few additional test cases, but the core functionality is working. There's additional work to be done to implement support for this in individual resources (such as Python projects) and I need to figure out the best way to demonstrate this feature in a playground. |
| /// <param name="certificateAuthorityCollections">Additional certificate authority collections to include.</param> | ||
| /// <param name="trustDeveloperCertificates">A value indicating whether platform developer certificates should be considered trusted.</param> | ||
| /// <param name="scope">The <see cref="CustomCertificateAuthoritiesScope"/> of the custom certificate authorities.</param> | ||
| public sealed class CertificateAuthorityCollectionAnnotation(CertificateAuthorityCollection[]? certificateAuthorityCollections = null, bool? trustDeveloperCertificates = null, CustomCertificateAuthoritiesScope? scope = null) : IResourceAnnotation |
There was a problem hiding this comment.
Change this to use init only properties and get rid of the constructor. This feels like something that will grow over time.
| /// <param name="builder">The <see cref="IResourceBuilder{CertificateAuthorityCollection}"/>.</param> | ||
| /// <param name="filePath">The path to the PEM file.</param> | ||
| /// <returns>The updated <see cref="IResourceBuilder{CertificateAuthorityCollection}"/>.</returns> | ||
| public static IResourceBuilder<CertificateAuthorityCollection> WithCertificatesFromFile(this IResourceBuilder<CertificateAuthorityCollection> builder, string filePath) |
| /// <param name="resourceEnvironment">The existing list of executable environment variables.</param> | ||
| /// <param name="cancellationToken">A <see cref="CancellationToken"/> that can be used to cancel the operation.</param> | ||
| /// <returns>A tuple containing additional command line arguments and environment variables, as well as a boolean indicating whether the operation was successful.</returns> | ||
| private async Task<(List<string>, List<EnvVar>, bool)> BuildExecutableCertificateAuthorityTrustAsync(IResource modelResource, List<string> resourceArguments, List<EnvVar> resourceEnvironment, CancellationToken cancellationToken) |
There was a problem hiding this comment.
Any reason to do this at the DCP level rather than the apphost level? Do we care about users being able to observe manipulate these or observe these as container files/env vars/args?
| /// Whether to attempt to implicitly add trust for developer certificates (currently the ASP.NET developer certificate) | ||
| /// by default. | ||
| /// </summary> | ||
| public bool TrustDeveloperCertificate { get; set; } = true; |
There was a problem hiding this comment.
Should this go to the DistributedApplicationOptions instead?
|
|
||
| public DeveloperCertificateService() | ||
| { | ||
| _certificates = new Lazy<ImmutableList<X509Certificate2>>(() => |
There was a problem hiding this comment.
Make sure this does not throw. Also should this log anything?
| Directory.CreateDirectory(Path.Join(_locations.DcpSessionDir, modelResource.Name)); | ||
| File.WriteAllText(caBundlePath, caBundleBuilder.ToString()); |
There was a problem hiding this comment.
Hmm, unsure if this should be in the dcp session dir. Where do we store other temp files (we really need a single place..._
2 participants
Description
This PR implements custom certificate trust support (including implicit trust for the ASP.NET developer certificate). Users can override the default dev cert trust via configuration (
"DcpPublisher:TrustDeveloperCertificate": false) and explicit trust per-resource can be configured via.WithDeveloperCertificateTrust(true/false).Additionally, users can create custom certificate collections via
.AddCertificateAuthorityCollectionand load their ownX509Certificate2certificates into it via.WithCertificateand.WithCertificates, then assign these CertificateAuthorityCollection resources to Executables and Containers with.WithCertificateAuthorityCollection. Resources will be initialized with the union of all theCertificateAuthorityCollections that were passed to them. Additionally, you can use.WithCustomCertificateAuthoritiesScopeto indicate how you want custom certificates applied to the resource. Setting the scope to the default value ofCustomCertificateAuthoritiesScope.Appendwill indicate that you want to append any custom trusted certificates to the default certificate trust behavior for the resource.CustomCertificateAuthoritiesScope.Overrideindicates you want to only trust the provided certificates.Integrations can configure how certificate trust is applied using
.WithExecutableCertificateTrustCallbackand.WithContainerCertificateTrustCallback, each of which take a callback that receives a context object that can be used to configure the command line arguments and environment variables required to implement trust for the given resource.This PR is a work in progress; core functionality and support for OpenSSL based containerized resources has been implemented, but additional test coverage and support for other app integrations is still in progress.
Fixes #11679
Checklist
<remarks />and<code />elements on your triple slash comments?doc-ideatemplatebreaking-changetemplatediagnostictemplate