Add tests.

Author: tmds

src/Containers/Microsoft.NET.Build.Containers/FallbackToHttpMessageHandler.cs

@@ -30,7 +30,7 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
         }
 
         bool canFallback = request.RequestUri.Host == _host && request.RequestUri.Port == _port && request.RequestUri.Scheme == "https";
-        bool canRetry = true;
+        bool canRetry = canFallback;
         do
         {
             try
@@ -45,7 +45,7 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
 
                 return await base.SendAsync(request, cancellationToken).ConfigureAwait(false);
             }
-            catch (HttpRequestException re) when (canFallback && canRetry && re.HttpRequestError == HttpRequestError.SecureConnectionError)
+            catch (HttpRequestException re) when (canRetry && re.HttpRequestError == HttpRequestError.SecureConnectionError)
             {
                 _fallbackToHttp = true;
             }

src/Containers/Microsoft.NET.Build.Containers/Registry/Registry.cs

@@ -86,9 +86,8 @@ internal Registry(Uri baseUri, ILogger logger, IRegistryAPI? registryAPI = null,
         BaseUri = baseUri;
 
         _logger = logger;
-        _settings = settings ?? new RegistrySettings();
-        bool isInsecureRegistry = IsInsecureRegistry(RegistryName);
-        _registryAPI = registryAPI ?? new DefaultRegistryAPI(RegistryName, BaseUri, isInsecureRegistry, logger);
+        _settings = settings ?? new RegistrySettings(RegistryName);
+        _registryAPI = registryAPI ?? new DefaultRegistryAPI(RegistryName, BaseUri, _settings.IsInsecure, logger);
     }
 
     private static string DeriveRegistryName(Uri baseUri)
@@ -106,29 +105,6 @@ private static string DeriveRegistryName(Uri baseUri)
         }
     }
 
-    private static bool IsInsecureRegistry(string registryName)
-    {
-        // Allow insecure access to 'localhost'.
-        if (registryName.StartsWith("localhost:", StringComparison.OrdinalIgnoreCase) ||
-            registryName.Equals("localhost:", StringComparison.OrdinalIgnoreCase))
-        {
-            return true;
-        }
-
-        // SDK_CONTAINER_INSECURE_REGISTRIES is a semicolon separated list of insecure registry names.
-        string? insecureRegistriesEnv = Environment.GetEnvironmentVariable("SDK_CONTAINER_INSECURE_REGISTRIES");
-        if (insecureRegistriesEnv is not null)
-        {
-            string[] insecureRegistries = insecureRegistriesEnv.Split(';', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
-            if (Array.Exists(insecureRegistries, registry => registryName.Equals(registry, StringComparison.OrdinalIgnoreCase)))
-            {
-                return true;
-            }
-        }
-
-        return DockerCli.IsInsecureRegistry(registryName);
-    }
-
     public Uri BaseUri { get; }
 
     /// <summary>

src/Containers/Microsoft.NET.Build.Containers/Registry/RegistrySettings.cs

@@ -8,6 +8,20 @@ namespace Microsoft.NET.Build.Containers;
 
 internal class RegistrySettings
 {
+    public RegistrySettings(string? registryName = null, IEnvironmentProvider? environment = null)
+    {
+        environment ??= new EnvironmentProvider();
+
+        ChunkedUploadSizeBytes = environment.GetEnvironmentVariableAsNullableInt(EnvVariables.ChunkedUploadSizeBytes);
+        ForceChunkedUpload = environment.GetEnvironmentVariableAsBool(EnvVariables.ForceChunkedUpload, defaultValue: false);
+        ParallelUploadEnabled = environment.GetEnvironmentVariableAsBool(EnvVariables.ParallelUploadEnabled, defaultValue: true);
+
+        if (registryName is not null)
+        {
+            IsInsecure = IsInsecureRegistry(environment, registryName);
+        }
+    }
+
     private const int DefaultChunkSizeBytes = 1024 * 64;
     private const int FiveMegs = 5_242_880;
 
@@ -17,26 +31,56 @@ internal class RegistrySettings
     /// <remarks>
     /// Our default of 64KB is very conservative, so raising this to 1MB or more can speed up layer uploads reasonably well.
     /// </remarks>
-    internal int? ChunkedUploadSizeBytes { get; init; } = Env.GetEnvironmentVariableAsNullableInt(EnvVariables.ChunkedUploadSizeBytes);
+    internal int? ChunkedUploadSizeBytes { get; init; }
 
     /// <summary>
     /// Allows to force chunked upload for debugging purposes.
     /// </summary>
-    internal bool ForceChunkedUpload { get; init; } = Env.GetEnvironmentVariableAsBool(EnvVariables.ForceChunkedUpload, defaultValue: false);
+    internal bool ForceChunkedUpload { get; init; }
 
     /// <summary>
     /// Whether we should upload blobs in parallel (enabled by default, but disabled for certain registries in conjunction with the explicit support check below).
     /// </summary>
     /// <remarks>
     /// Enabling this can swamp some registries, so this is an escape hatch.
     /// </remarks>
-    internal bool ParallelUploadEnabled { get; init; } = Env.GetEnvironmentVariableAsBool(EnvVariables.ParallelUploadEnabled, defaultValue: true);
+    internal bool ParallelUploadEnabled { get; init; }
+
+    /// <summary>
+    /// Allows ignoring https certificate errors and changing to http when the endpoint is not an https endpoint.
+    /// </summary>
+    internal bool IsInsecure { get; init; }
 
     internal struct EnvVariables
     {
         internal const string ChunkedUploadSizeBytes = "SDK_CONTAINER_REGISTRY_CHUNKED_UPLOAD_SIZE_BYTES";
 
         internal const string ForceChunkedUpload = "SDK_CONTAINER_DEBUG_REGISTRY_FORCE_CHUNKED_UPLOAD";
         internal const string ParallelUploadEnabled = "SDK_CONTAINER_REGISTRY_PARALLEL_UPLOAD";
+
+        internal const string InsecureRegistries = "SDK_CONTAINER_INSECURE_REGISTRIES";
+    }
+
+    private static bool IsInsecureRegistry(IEnvironmentProvider environment, string registryName)
+    {
+        // Always allow insecure access to 'localhost'.
+        if (registryName.StartsWith("localhost:", StringComparison.OrdinalIgnoreCase) ||
+            registryName.Equals("localhost", StringComparison.OrdinalIgnoreCase))
+        {
+            return true;
+        }
+
+        // SDK_CONTAINER_INSECURE_REGISTRIES is a semicolon separated list of insecure registry names.
+        string? insecureRegistriesEnv = environment.GetEnvironmentVariable(EnvVariables.InsecureRegistries);
+        if (insecureRegistriesEnv is not null)
+        {
+            string[] insecureRegistries = insecureRegistriesEnv.Split(';', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
+            if (Array.Exists(insecureRegistries, registry => registryName.Equals(registry, StringComparison.OrdinalIgnoreCase)))
+            {
+                return true;
+            }
+        }
+
+        return DockerCli.IsInsecureRegistry(registryName);
     }
 }

test/Microsoft.NET.Build.Containers.UnitTests/RegistryTests.cs

@@ -2,8 +2,13 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Net;
+using System.Net.Security;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.DotNet.Cli.Utils;
 using Microsoft.Extensions.Logging;
 using Microsoft.NET.Build.Containers.Resources;
+using System.Net.Sockets;
 using Moq;
 
 namespace Microsoft.NET.Build.Containers.UnitTests;
@@ -390,11 +395,166 @@ public async Task UploadBlobChunkedAsync_Failure()
         api.Verify(api => api.Blob.Upload.UploadChunkAsync(It.IsIn(absoluteUploadUri, uploadPath), It.IsAny<HttpContent>(), It.IsAny<CancellationToken>()), Times.Exactly(1));
     }
 
+    [InlineData(true, true)]
+    [InlineData(true, false)]
+    [InlineData(false, true)]
+    [InlineData(false, false)]
+    [Theory]
+    public async Task InsecureRegistry(bool serverIsHttps, bool isInsecureRegistry)
+    {
+        ILogger logger = _loggerFactory.CreateLogger(nameof(InsecureRegistry));
+
+        // Start a dummy HTTP server that response with 200 OK.
+        using TcpListener listener = new TcpListener(IPAddress.Loopback, 0);
+        listener.Start();
+        IPEndPoint endpoint = (listener.LocalEndpoint as IPEndPoint)!;
+        Uri registryUri = new Uri($"https://{endpoint.Address}:{endpoint.Port}");
+        SslServerAuthenticationOptions? sslOptions = null!;
+        if (serverIsHttps)
+        {
+            var key = RSA.Create(2048);
+            var request = new CertificateRequest("CN=localhost", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+            X509Certificate2 serverCertificate = request.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(1));
+            sslOptions = new SslServerAuthenticationOptions()
+            {
+                ServerCertificate = serverCertificate,
+                ClientCertificateRequired = false
+            };
+        }
+        _ = Task.Run(async () =>
+        {
+            while (true)
+            {
+                using TcpClient client = await listener.AcceptTcpClientAsync();
+                try
+                {
+                    using Stream stream = serverIsHttps ? new SslStream(client.GetStream(), leaveInnerStreamOpen: false) : client.GetStream();
+                    if (stream is SslStream sslStream)
+                    {
+                        await sslStream.AuthenticateAsServerAsync(sslOptions!, default(CancellationToken));
+                    }
+                    await stream.WriteAsync("HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n"u8.ToArray());
+                }
+                catch
+                { }
+            }
+        });
+
+        RegistrySettings settings = new()
+        {
+            IsInsecure = isInsecureRegistry
+        };
+        Registry registry = new(registryUri, logger, settings: settings);
+
+        // Make a request.
+        Task getManifest = registry.GetImageManifestAsync(repositoryName: "dotnet/runtime", reference: "latest", runtimeIdentifier: "linux-x64", manifestPicker: null!, cancellationToken: default!);
+
+        if (isInsecureRegistry)
+        {
+            // Falls back to http (when serverIsHttps is false) or ignores https certificate errors (when serverIsHttps is true).
+            // Results in throwing: CONTAINER2003: The manifest for dotnet/runtime:latest from registry hwas an unknown type.
+            await Assert.ThrowsAsync<NotImplementedException>(() => getManifest);
+        }
+        else
+        {
+            // Does not fall back and throws HttpRequestException.
+            var requestException = await Assert.ThrowsAsync<HttpRequestException>(() => getManifest);
+            Assert.Equal(HttpRequestError.SecureConnectionError, requestException.HttpRequestError);
+        }
+    }
+
+    [InlineData("localhost", null, true)]
+    [InlineData("localhost:5000", null, true)]
+    [InlineData("public.ecr.aws", null, false)]
+    [InlineData("public.ecr.aws", "public.ecr.aws", true)]
+    [InlineData("public.ecr.aws", "Public.ecr.aws", true)] // ignore case
+    [InlineData("public.ecr.aws", "public.ecr.aws;docker.io", true)] // multiple registries
+    [InlineData("public.ecr.aws", ";public.ecr.aws ;  docker.io ", true)] // ignore whitespace
+    [InlineData("public.ecr.aws", "public.ecr.aws2;docker.io ", false)] // full name match
+    [Theory]
+    public void IsRegistryInsecure(string registryName, string? insecureRegistriesEnvvar, bool expectedInsecure)
+    {
+        var environment = new Dictionary<string, string>();
+        if (insecureRegistriesEnvvar is not null)
+        {
+            environment["SDK_CONTAINER_INSECURE_REGISTRIES"] = insecureRegistriesEnvvar;
+        }
 
+        var registrySettings = new RegistrySettings(registryName, new MockEnvironmentProvider(environment));
+
+        Assert.Equal(expectedInsecure, registrySettings.IsInsecure);
+    }
 
     private static NextChunkUploadInformation ChunkUploadSuccessful(Uri requestUri, Uri uploadUrl, int? contentLength, HttpStatusCode code = HttpStatusCode.Accepted)
     {
         return new(uploadUrl);
     }
 
+    private class MockEnvironmentProvider : IEnvironmentProvider
+    {
+        private readonly IDictionary<string, string> _environmentVariables;
+
+        public MockEnvironmentProvider(IDictionary<string, string> environmentVariables)
+        {
+            _environmentVariables = environmentVariables;
+        }
+
+        public bool GetEnvironmentVariableAsBool(string name, bool defaultValue)
+        {
+            var str = Environment.GetEnvironmentVariable(name);
+            if (string.IsNullOrEmpty(str))
+            {
+                return defaultValue;
+            }
+
+            switch (str.ToLowerInvariant())
+            {
+                case "true":
+                case "1":
+                case "yes":
+                    return true;
+                case "false":
+                case "0":
+                case "no":
+                    return false;
+                default:
+                    return defaultValue;
+            }
+        }
+
+        public string? GetEnvironmentVariable(string name)
+        {
+            string? value;
+            _environmentVariables.TryGetValue(name, out value);
+            return value;
+        }
+
+        public string? GetEnvironmentVariable(string variable, EnvironmentVariableTarget target)
+            => GetEnvironmentVariable(variable);
+
+        public int? GetEnvironmentVariableAsNullableInt(string variable)
+        {
+            if (GetEnvironmentVariable(variable) is string strValue && int.TryParse(strValue, out int intValue))
+            {
+                return intValue;
+            }
+
+            return null;
+        }
+
+        public void SetEnvironmentVariable(string variable, string value, EnvironmentVariableTarget target)
+            => throw new NotImplementedException();
+
+        public IEnumerable<string> ExecutableExtensions
+            => throw new NotImplementedException();
+
+        public string GetCommandPath(string commandName, params string[] extensions)
+            => throw new NotImplementedException();
+
+        public string GetCommandPathFromRootPath(string rootPath, string commandName, params string[] extensions)
+            => throw new NotImplementedException();
+
+        public string GetCommandPathFromRootPath(string rootPath, string commandName, IEnumerable<string> extensions)
+            => throw new NotImplementedException();
+    }
 }