From 62bdd91cf3095b1cb170cdd1007e1aa3d3145127 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Fri, 4 Apr 2025 15:02:21 -0400
Subject: [PATCH] Add HTTP Tests

---
 ...izationServiceCollectionExtensionsTests.cs | 104 +++++++++++++++++-
 1 file changed, 103 insertions(+), 1 deletion(-)

diff --git a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
index 703a37cc30..06ce513b51 100644
--- a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
+++ b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
@@ -1,7 +1,11 @@
-using System.Security.Cryptography;
+using System.Security.Authentication;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using Bit.Core.Platform.X509ChainCustomization;
 using Bit.Core.Settings;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Server.Kestrel.Https;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
@@ -182,6 +186,104 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
         );
     }
 
+    [Fact]
+    public async Task CallHttpWithSelfSignedCert_SelfSignedCertificateConfigured_Works()
+    {
+        var selfSignedCertificate = CreateSelfSignedCert("localhost");
+        await using var app = await CreateServerAsync(55555, options =>
+        {
+            options.ServerCertificate = selfSignedCertificate;
+        });
+
+        var services = CreateServices((gs, environment, config) => {}, services =>
+        {
+            services.Configure<X509ChainOptions>(options =>
+            {
+                options.AdditionalCustomTrustCertificates = [selfSignedCertificate];
+            });
+        });
+
+        var httpClient = services.GetRequiredService<IHttpClientFactory>().CreateClient();
+
+        var response = await httpClient.GetStringAsync("https://localhost:55555");
+        Assert.Equal("Hi", response);
+    }
+
+    [Fact]
+    public async Task CallHttpWithSelfSignedCert_SelfSignedCertificateNotConfigured_Throws()
+    {
+        var selfSignedCertificate = CreateSelfSignedCert("localhost");
+        await using var app = await CreateServerAsync(55556, options =>
+        {
+            options.ServerCertificate = selfSignedCertificate;
+        });
+
+        var services = CreateServices((gs, environment, config) => {}, services =>
+        {
+            services.Configure<X509ChainOptions>(options =>
+            {
+                options.AdditionalCustomTrustCertificates = [CreateSelfSignedCert("example.com")];
+            });
+        });
+
+        var httpClient = services.GetRequiredService<IHttpClientFactory>().CreateClient();
+
+        var requestException = await Assert.ThrowsAsync<HttpRequestException>(async () => await httpClient.GetStringAsync("https://localhost:55556"));
+        Assert.NotNull(requestException.InnerException);
+        var authenticationException = Assert.IsAssignableFrom<AuthenticationException>(requestException.InnerException);
+        Assert.Equal("The remote certificate was rejected by the provided RemoteCertificateValidationCallback.", authenticationException.Message);
+    }
+
+    [Fact]
+    public async Task CallHttpWithSelfSignedCert_SelfSignedCertificateConfigured_WithExtraCert_Works()
+    {
+        var selfSignedCertificate = CreateSelfSignedCert("localhost");
+        await using var app = await CreateServerAsync(55557, options =>
+        {
+            options.ServerCertificate = selfSignedCertificate;
+        });
+
+        var services = CreateServices((gs, environment, config) => {}, services =>
+        {
+            services.Configure<X509ChainOptions>(options =>
+            {
+                options.AdditionalCustomTrustCertificates = [selfSignedCertificate, CreateSelfSignedCert("example.com")];
+            });
+        });
+
+        var httpClient = services.GetRequiredService<IHttpClientFactory>().CreateClient();
+
+        var response = await httpClient.GetStringAsync("https://localhost:55557");
+        Assert.Equal("Hi", response);
+    }
+
+    private static async Task<IAsyncDisposable> CreateServerAsync(int port, Action<HttpsConnectionAdapterOptions> configure)
+    {
+        // Start HTTP Server with self signed cert
+        var builder = WebApplication.CreateSlimBuilder();
+        builder.Logging.AddFakeLogging();
+        builder.Services.AddRoutingCore();
+        builder.WebHost.UseKestrelCore()
+            .ConfigureKestrel(options =>
+            {
+                options.ListenLocalhost(port, listenOptions =>
+                {
+                    listenOptions.UseHttps(httpsOptions =>
+                    {
+                        configure(httpsOptions);
+                    });
+                });
+            });
+
+        var app = builder.Build();
+
+        app.MapGet("/", () => "Hi");
+
+        await app.StartAsync();
+
+        return app;
+    }
+
     private static X509ChainOptions CreateOptions(Action<GlobalSettings, IHostEnvironment, Dictionary<string, string>> configure, Action<IServiceCollection>? after = null)
     {
         var services = CreateServices(configure, after);