Improve Integration Test by Generating TLS/mTLS Certificates via MSBuild

test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/IntegrationTest/.gitignore

@@ -1,3 +1,7 @@
 # Self-signed cert generated by integration test
 otel-collector.crt
 otel-collector.key
+otel-client.crt
+otel-client.key
+otel-untrusted-collector.crt
+otel-untrusted-collector.key

test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/IntegrationTest/create-cert.sh

@@ -12,6 +12,38 @@ cp /otel-collector.crt /otel-collector.key /cfg
 
 chmod 644 /cfg/otel-collector.key
 
+# Generate client certificate for mTLS
+echo "\
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+" > /client_ext.cnf
+
+openssl req -new -newkey rsa:2048 -days 365 -nodes \
+    -subj "/CN=otel-client" \
+    -keyout /otel-client.key  -out /otel-client.csr
+
+openssl x509 -req -in /otel-client.csr \
+    -CA /otel-collector.crt -CAkey /otel-collector.key \
+    -out /otel-client.crt -CAcreateserial -days 365 -sha256 \
+    -extfile ./client_ext.cnf
+
+cp /otel-client.crt /otel-client.key /cfg
+chmod 644 /cfg/otel-client.key
+
+# Generate a self-signed certificate that is NOT included in the test runner's trust store
+# Generate self-signed certificate for the Collector
+openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
+    -subj "/CN=otel-collector" \
+    -keyout /otel-untrusted-collector.key  -out /otel-untrusted-collector.crt
+
+cp /otel-untrusted-collector.crt /otel-untrusted-collector.key /cfg
+chmod 644 /cfg/otel-untrusted-collector.key
+
 # The integration test is run via docker-compose with the --exit-code-from
 # option. The --exit-code-from option implies --abort-on-container-exit
 # which means when any container exits then all containers are stopped.

test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/IntegrationTest/otel-collector-config.yaml

@@ -23,6 +23,32 @@ receivers:
         tls:
           cert_file: /cfg/otel-collector.crt
           key_file: /cfg/otel-collector.key
+  otlp/untrustedtls:
+    protocols:
+      grpc:
+        endpoint: 0.0.0.0:6317
+        tls:
+          cert_file: /cfg/otel-untrusted-collector.crt
+          key_file: /cfg/otel-untrusted-collector.key
+      http:
+        endpoint: 0.0.0.0:6318
+        tls:
+          cert_file: /cfg/otel-untrusted-collector.crt
+          key_file: /cfg/otel-untrusted-collector.key
+  otlp/mtls:
+    protocols:
+      grpc:
+        endpoint: 0.0.0.0:7317
+        tls:
+          cert_file: /cfg/otel-collector.crt
+          key_file: /cfg/otel-collector.key
+          client_ca_file: /cfg/otel-collector.crt
+      http:
+        endpoint: 0.0.0.0:7318
+        tls:
+          cert_file: /cfg/otel-collector.crt
+          key_file: /cfg/otel-collector.key
+          client_ca_file: /cfg/otel-collector.crt
 
 exporters:
   debug:
@@ -31,11 +57,11 @@ exporters:
 service:
   pipelines:
     traces:
-      receivers: [otlp, otlp/tls]
+      receivers: [otlp, otlp/tls, otlp/untrustedtls, otlp/mtls]
       exporters: [debug]
     metrics:
-      receivers: [otlp, otlp/tls]
+      receivers: [otlp, otlp/tls, otlp/untrustedtls, otlp/mtls]
       exporters: [debug]
     logs:
-      receivers: [otlp, otlp/tls]
-      exporters: [debug]
+      receivers: [otlp, otlp/tls, otlp/untrustedtls, otlp/mtls]
+      exporters: [debug]

test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests.csproj

@@ -4,6 +4,25 @@
     <TargetFrameworks>$(TargetFrameworksForTests)</TargetFrameworks>
   </PropertyGroup>
 
+  <!-- Add MSBuild Task to Generate Certificates -->
+  <Target Name="GenerateTestCertificates" BeforeTargets="Build">
+    <Exec Condition="$(OS) == 'Unix'"
+      Command="/bin/bash gen_test_cert.sh $(IntermediateOutputPath)"
+      ConsoleToMsBuild="true"
+      WorkingDirectory="$(ProjectDir)" />
+
+    <Exec Condition="$(OS) == 'Windows_NT'"
+      Command="pwsh -NonInteractive -executionpolicy Unrestricted -command &quot;&amp; { ./gen_test_cert.ps1 -OutDir $(IntermediateOutputPath) } &quot;"
+      ConsoleToMsBuild="true"
+      WorkingDirectory="$(ProjectDir)" />
+
+    <ItemGroup>
+      <TestCertificates Include="$(IntermediateOutputPath)*.pem"/>
+    </ItemGroup>
+
+    <Copy SourceFiles="@(TestCertificates)" DestinationFolder="$(OutputPath)\%(RecursiveDir)"/>
+  </Target>
+
   <ItemGroup>
     <PackageReference Include="Grpc.AspNetCore.Server" Condition="'$(TargetFrameworkIdentifier)' == '.NETCoreApp'" />
     <PackageReference Include="Microsoft.AspNetCore.TestHost" Condition="'$(TargetFrameworkIdentifier)' == '.NETCoreApp'" />

test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/gen_test_cert.ps1

@@ -0,0 +1,90 @@
+using namespace System.Security.Cryptography;
+using namespace System.Security.Cryptography.X509Certificates;
+
+param (
+  [string] $OutDir
+)
+
+function Write-Certificate {
+  param (
+    [X509Certificate2] $Cert,
+    [string] $Name,
+    [string] $Dir
+  )
+
+  # write cert content
+  $certPem = $Cert.ExportCertificatePem();
+  $certPemPath = Join-Path $Dir -ChildPath "$Name-cert.pem";
+  [System.IO.File]::WriteAllText($certPemPath, $certPem);
+
+  # write pkey
+  [AsymmetricAlgorithm] $pkey = [RSACertificateExtensions]::GetRSAPrivateKey($Cert);
+  [string] $pkeyPem = $null;
+
+  if ($null -ne $pkey) {
+    $pkeyPem = $pkey.ExportRSAPrivateKeyPem();
+  }
+
+  if ($null -eq $pkey) {
+    $pkey = [ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert);
+    $pkeyPem = $pkey.ExportECPrivateKeyPem();
+  }
+
+  if ($null -eq $pkeyPem) {
+    return;
+  }
+
+
+  $pKeyPath = Join-Path $Dir -ChildPath "$Name-key.pem";
+  [System.IO.File]::WriteAllText($pKeyPath, $pkeyPem);
+}
+
+$ca = New-SelfSignedCertificate -CertStoreLocation 'Cert:\CurrentUser\My' `
+  -DnsName "otel-test-ca" `
+  -NotAfter (Get-Date).AddYears(20) `
+  -FriendlyName "otel-test-ca" `
+  -KeyAlgorithm ECDSA_nistP256 `
+  -KeyExportPolicy Exportable `
+  -KeyUsageProperty All -KeyUsage CertSign, CRLSign, DigitalSignature;
+
+
+try {
+  Write-Certificate -Cert $ca  -Name "otel-test-ca" -Dir $OutDir;
+  $serverCert = New-SelfSignedCertificate -CertStoreLocation 'Cert:\CurrentUser\My' `
+    -DnsName "otel-test-server" `
+    -Signer $ca `
+    -NotAfter (Get-Date).AddYears(20) `
+    -FriendlyName "otel-test-server" `
+    -KeyAlgorithm ECDSA_nistP256 `
+    -KeyUsageProperty All `
+    -KeyExportPolicy Exportable `
+    -KeyUsage CertSign, CRLSign, DigitalSignature `
+    -TextExtension @("2.5.29.19={text}CA=1&pathlength=1", "2.5.29.37={text}1.3.6.1.5.5.7.3.1");
+
+  try {
+    Write-Certificate -Cert $serverCert  -Name "otel-test-server" -Dir $OutDir;
+
+    $clientCert = New-SelfSignedCertificate -CertStoreLocation 'Cert:\CurrentUser\My' `
+      -DnsName "otel-test-client" `
+      -Signer $ca `
+      -NotAfter (Get-Date).AddYears(20) `
+      -FriendlyName "otel-test-client" `
+      -KeyAlgorithm ECDSA_nistP256 `
+      -KeyUsageProperty All `
+      -KeyExportPolicy Exportable `
+      -KeyUsage CertSign, CRLSign, DigitalSignature `
+      -TextExtension @("2.5.29.19={text}CA=1&pathlength=1", "2.5.29.37={text}1.3.6.1.5.5.7.3.2");
+    try {
+      Write-Certificate -Cert $clientCert  -Name "otel-test-client" -Dir $OutDir;
+    }
+    finally {
+      Get-Item -Path "Cert:\CurrentUser\My\$($clientCert.Thumbprint)" | Remove-Item;
+    }
+  }
+  finally {
+    Get-Item -Path "Cert:\CurrentUser\My\$($serverCert.Thumbprint)" | Remove-Item;
+  }
+}
+finally {
+  Get-Item -Path "Cert:\CurrentUser\My\$($ca.Thumbprint)" | Remove-Item;
+}

test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/gen_test_cert.sh

@@ -0,0 +1,46 @@
+# ca
+openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
+    -subj "/CN=otel-test-ca" \
+    -keyout $1/otel-test-ca-key.pem  -out $1/otel-test-ca-cert.pem
+
+# server cert
+echo "\
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
+" > $1/server_cert_ext.cnf;
+
+openssl req -new -newkey rsa:2048 -sha256 \
+    -keyout $1/otel-test-server-key.pem -out $1/otel-test-server-csr.pem -nodes \
+    -subj "/CN=otel-test-server"
+
+openssl x509 -req -in $1/otel-test-server-csr.pem \
+    -extfile $1/server_cert_ext.cnf \
+    -CA $1/otel-test-ca-cert.pem -CAkey $1/otel-test-ca-key.pem -CAcreateserial \
+    -out $1/otel-test-server-cert.pem \
+    -days 3650 -sha256
+
+# client cert
+echo "\
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+" > $1/client_cert_ext.cnf;
+
+openssl req -new -newkey rsa:2048 -sha256 \
+    -keyout $1/otel-test-client-key.pem -out $1/otel-test-client-csr.pem -nodes \
+    -subj "/CN=otel-test-client"
+
+openssl x509 -req -in $1/otel-test-client-csr.pem \
+    -extfile $1/client_cert_ext.cnf \
+    -CA $1/otel-test-server-cert.pem -CAkey $1/otel-test-server-key.pem -CAcreateserial \
+    -out $1/otel-test-client-cert.pem \
+    -days 3650 -sha256