Address PR feedback

Author: halter73

src/Servers/Kestrel/Core/src/CoreStrings.resx

@@ -621,9 +621,12 @@ For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?l
     <value>Unknown algorithm for certificate with public key type '{0}'.</value>
   </data>
   <data name="SniNotConfiguredForServerName" xml:space="preserve">
-    <value>Connection refused because no SNI configuration was found for '{serverName}' in '{endpointName}'. To allow all connections, add a wildcard ('*') SNI section.</value>
+    <value>Connection refused because no SNI configuration section was found for '{serverName}' in '{endpointName}'. To allow all connections, add a wildcard ('*') SNI section.</value>
   </data>
   <data name="SniNotConfiguredToAllowNoServerName" xml:space="preserve">
-    <value>Connection refused because the client did not specify a server name, and no wildcard ('*') SNI configuration was found in '{endpointName}'.</value>
+    <value>Connection refused because the client did not specify a server name, and no wildcard ('*') SNI configuration section was found in '{endpointName}'.</value>
   </data>
-</root>
+  <data name="SniNameCannotBeEmpty" xml:space="preserve">
+    <value>The endpoint {endpointName} is invalid because an SNI configuration section has an empty string as its key. Use a wildcard ('*') SNI section to match all server names.</value>
+  </data>
+</root>

src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs

@@ -99,7 +99,7 @@ private IEnumerable<EndpointConfig> ReadEndpoints()
                     Certificate = new CertificateConfig(endpointConfig.GetSection(CertificateKey)),
                     SslProtocols = ParseSslProcotols(endpointConfig.GetSection(SslProtocolsKey)),
                     ClientCertificateMode = ParseClientCertificateMode(endpointConfig[ClientCertificateModeKey]),
-                    Sni = ReadSni(endpointConfig.GetSection(SniKey)),
+                    Sni = ReadSni(endpointConfig.GetSection(SniKey), endpointConfig.Key),
                 };
 
                 endpoints.Add(endpoint);
@@ -108,7 +108,7 @@ private IEnumerable<EndpointConfig> ReadEndpoints()
             return endpoints;
         }
 
-        private Dictionary<string, SniConfig> ReadSni(IConfigurationSection sniConfig)
+        private Dictionary<string, SniConfig> ReadSni(IConfigurationSection sniConfig, string endpointName)
         {
             var sniDictionary = new Dictionary<string, SniConfig>(0, StringComparer.OrdinalIgnoreCase);
 
@@ -132,6 +132,11 @@ private Dictionary<string, SniConfig> ReadSni(IConfigurationSection sniConfig)
                 //     }
                 // }
 
+                if (string.IsNullOrEmpty(sniChild.Key))
+                {
+                    throw new InvalidOperationException(CoreStrings.FormatSniNameCannotBeEmpty(endpointName));
+                }
+
                 var sni = new SniConfig
                 {
                     Protocols = ParseProtocols(sniChild[ProtocolsKey]),
@@ -140,7 +145,7 @@ private Dictionary<string, SniConfig> ReadSni(IConfigurationSection sniConfig)
                     ClientCertificateMode = ParseClientCertificateMode(sniChild[ClientCertificateModeKey])
                 };
 
-                sniDictionary[sniChild.Key] = sni;
+                sniDictionary.Add(sniChild.Key, sni);
             }
 
             return sniDictionary;

src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs

@@ -18,17 +18,17 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal
 {
     internal class SniOptionsSelector
     {
-        private const string wildcardHost = "*";
-        private const string wildcardPrefix = "*.";
+        private const string WildcardHost = "*";
+        private const string WildcardPrefix = "*.";
 
         private readonly string _endpointName;
 
         private readonly Func<ConnectionContext, string, X509Certificate2> _fallbackServerCertificateSelector;
         private readonly Action<ConnectionContext, SslServerAuthenticationOptions> _onAuthenticateCallback;
 
-        private readonly Dictionary<string, SniOptions> _fullNameOptions = new Dictionary<string, SniOptions>(StringComparer.OrdinalIgnoreCase);
+        private readonly Dictionary<string, SniOptions> _exactNameOptions = new Dictionary<string, SniOptions>(StringComparer.OrdinalIgnoreCase);
         private readonly SortedList<string, SniOptions> _wildcardPrefixOptions = new SortedList<string, SniOptions>(LongestStringFirstComparer.Instance);
-        private readonly SniOptions _wildcardHostOptions = null;
+        private readonly SniOptions _wildcardOptions = null;
 
         public SniOptionsSelector(
             ICertificateConfigLoader certifcateConfigLoader,
@@ -85,17 +85,18 @@ public SniOptionsSelector(
                     HttpProtocols = httpProtocols,
                 };
 
-                if (name.Equals(wildcardHost, StringComparison.Ordinal))
+                if (name.Equals(WildcardHost, StringComparison.Ordinal))
                 {
-                    _wildcardHostOptions = sniOptions;
+                    _wildcardOptions = sniOptions;
                 }
-                else if (name.StartsWith(wildcardPrefix, StringComparison.Ordinal))
+                else if (name.StartsWith(WildcardPrefix, StringComparison.Ordinal))
                 {
-                    _wildcardPrefixOptions.Add(name, sniOptions);
+                    // Only slice off 1 character, the `*`. We want to match the leading `.` also.
+                    _wildcardPrefixOptions.Add(name.Substring(1), sniOptions);
                 }
                 else
                 {
-                    _fullNameOptions[name] = sniOptions;
+                    _exactNameOptions.Add(name, sniOptions);
                 }
             }
         }
@@ -104,13 +105,20 @@ public SslServerAuthenticationOptions GetOptions(ConnectionContext connection, s
         {
             SniOptions sniOptions = null;
 
-            if (!string.IsNullOrEmpty(serverName) && !_fullNameOptions.TryGetValue(serverName, out sniOptions))
+            if (!string.IsNullOrEmpty(serverName) && !_exactNameOptions.TryGetValue(serverName, out sniOptions))
             {
-                TryGetWildcardPrefixedOptions(serverName, out sniOptions);
+                foreach (var (suffix, options) in _wildcardPrefixOptions)
+                {
+                    if (serverName.EndsWith(suffix, StringComparison.OrdinalIgnoreCase))
+                    {
+                        sniOptions = options;
+                        break;
+                    }
+                }
             }
 
             // Fully wildcarded ("*") options can be used even when given an empty server name.
-            sniOptions ??= _wildcardHostOptions;
+            sniOptions ??= _wildcardOptions;
 
             if (sniOptions is null)
             {
@@ -149,27 +157,6 @@ public SslServerAuthenticationOptions GetOptions(ConnectionContext connection, s
             return sslOptions;
         }
 
-        private bool TryGetWildcardPrefixedOptions(string serverName, out SniOptions sniOptions)
-        {
-            sniOptions = null;
-
-            ReadOnlySpan<char> serverNameSpan = serverName;
-
-            foreach (var (nameCandidate, optionsCandidate) in _wildcardPrefixOptions)
-            {
-                ReadOnlySpan<char> nameCandidateSpan = nameCandidate;
-
-                // Only slice off 1 character, the `*`. We want to match the leading `.` also.
-                if (serverNameSpan.EndsWith(nameCandidateSpan.Slice(1), StringComparison.OrdinalIgnoreCase))
-                {
-                    sniOptions = optionsCandidate;
-                    return true;
-                }
-            }
-
-            return false;
-        }
-
         // TODO: Reflection based test to ensure we clone everything!
         // This won't catch issues related to mutable subproperties, but the existing subproperties look like they're mostly immutable.
         // The exception are the ApplicationProtocols list which we clone and the ServerCertificate because of methods like Import() and Reset() :(

src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs

@@ -30,7 +30,7 @@ internal class HttpsConnectionMiddleware
     {
         private const string EnableWindows81Http2 = "Microsoft.AspNetCore.Server.Kestrel.EnableWindows81Http2";
 
-        private static readonly bool _isWindowsVersionIncompatible = IsWindowsVersionIncompatible();
+        private static readonly bool _isWindowsVersionIncompatibleWithHttp2 = IsWindowsVersionIncompatibleWithHttp2();
 
         private readonly ConnectionDelegate _next;
         private readonly TimeSpan _handshakeTimeout;
@@ -369,12 +369,12 @@ internal static HttpProtocols ValidateAndNormalizeHttpProtocols(HttpProtocols ht
                 {
                     throw new NotSupportedException(CoreStrings.Http2NoTlsOsx);
                 }
-                else if (_isWindowsVersionIncompatible)
+                else if (_isWindowsVersionIncompatibleWithHttp2)
                 {
                     throw new NotSupportedException(CoreStrings.Http2NoTlsWin81);
                 }
             }
-            else if (httpProtocols == HttpProtocols.Http1AndHttp2 && _isWindowsVersionIncompatible)
+            else if (httpProtocols == HttpProtocols.Http1AndHttp2 && _isWindowsVersionIncompatibleWithHttp2)
             {
                 logger.Http2DefaultCiphersInsufficient();
                 return HttpProtocols.Http1;
@@ -383,7 +383,7 @@ internal static HttpProtocols ValidateAndNormalizeHttpProtocols(HttpProtocols ht
             return httpProtocols;
         }
 
-        private static bool IsWindowsVersionIncompatible()
+        private static bool IsWindowsVersionIncompatibleWithHttp2()
         {
             if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
             {

src/Servers/Kestrel/Core/test/KestrelServerTests.cs

@@ -16,6 +16,7 @@
 using Microsoft.AspNetCore.Testing;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
@@ -495,6 +496,7 @@ public async Task ReloadsOnConfigurationChangeWhenOptedIn()
             var serviceCollection = new ServiceCollection();
             serviceCollection.AddSingleton(mockLoggerFactory.Object);
             serviceCollection.AddSingleton(Mock.Of<ILogger<KestrelServer>>());
+            serviceCollection.AddSingleton(Mock.Of<IHostEnvironment>());
 
             var options = new KestrelServerOptions
             {
@@ -631,6 +633,7 @@ public async Task DoesNotReloadOnConfigurationChangeByDefault()
             var serviceCollection = new ServiceCollection();
             serviceCollection.AddSingleton(mockLoggerFactory.Object);
             serviceCollection.AddSingleton(Mock.Of<ILogger<KestrelServer>>());
+            serviceCollection.AddSingleton(Mock.Of<IHostEnvironment>());
 
             var options = new KestrelServerOptions
             {

src/Servers/Kestrel/Kestrel/test/ConfigurationReaderTests.cs

@@ -288,6 +288,21 @@ public void ReadEndpointWithoutSniConfigured_ReturnsEmptyCollection()
             Assert.False(endpoint.Sni.Any());
         }
 
+        [Fact]
+        public void ReadEndpointWithEmptySniKey_Throws()
+        {
+            var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string>("Endpoints:End1:Url", "http://*:5001"),
+                new KeyValuePair<string, string>("Endpoints:End1:Sni::Protocols", "Http1"),
+            }).Build();
+
+            var reader = new ConfigurationReader(config);
+            var ex = Assert.Throws<InvalidOperationException>(() => reader.Endpoints);
+
+            Assert.Equal(CoreStrings.FormatSniNameCannotBeEmpty("End1"), ex.Message);
+        }
+
         [Fact]
         public void ReadEndpointWithSniConfigured_ReturnsCorrectValue()
         {