Certificate Based Authentication (#133)

* Working CBA changes

* working changes

* Changes for CBA

* remove cert password arg

* refactor to new user args method

* revert changes on create_connection

* Revert pythonPath local change

* Update SettingsFile.md for new setting

* Additional spacing

* tooltip update

* add tests for client_certificate_path

* forgot comma

* escape slashes, forward slash to back slash

* matching urls

* Revisions/refactors

* missing quote, revision

* Option type the value parse

Co-authored-by: landenblackmsft <[email protected]>

Author: landenblackmsft

.vscode/launch.json

@@ -186,7 +186,7 @@
             "name": "Python: All debug Options",
             "type": "python",
             "request": "launch",
-            "pythonPath": "${command:python.interpreterPath}",
+            "python": "${command:python.interpreterPath}",
             "program": "${file}",
             "module": "module.name",
             "env": {

docs/user-guide/SettingsFile.md

@@ -27,6 +27,11 @@ Checkers' Friendly Names:
 * PayloadBody
 * Examples
 
+### client_certificate_path: str (default None)
+Path to your X.509 certificate file in PEM format.
+
+If provided and valid, RESTler will attempt to use it during the SSL handshake.
+
 ### custom_bug_codes: list(str)
 List of status codes that will be flagged as bugs.
 

restler/engine/transport_layer/messaging.py

@@ -53,6 +53,10 @@ def __init__(self, connection_settings):
                     context = ssl._create_unverified_context()
                 else:
                     context = ssl.create_default_context()
+                if Settings().client_certificate_path:
+                    context.load_cert_chain(
+                        certfile=Settings().client_certificate_path
+                    )
                 with socket.create_connection((target_ip, target_port or 443)) as sock:
                     self._sock = context.wrap_socket(sock, server_hostname=host)
             else:

restler/restler.py

@@ -246,6 +246,10 @@ def signal_handler(sig, frame):
                         help='The cmd to execute in order to refresh the authentication token'
                             ' (default: None)',
                        type=str, default=None, required=False)
+    parser.add_argument('--client_certificate_path',
+                        help='Path to your X.509 certificate in PEM format. Provide for Certificate Based Authentication'
+                            ' (default: None)',
+                       type=str, default=None, required=False)
     parser.add_argument('--producer_timing_delay',
                         help='The time interval to wait after a resource-generating '
                              'producer is executed (in seconds)'

restler/restler_settings.py

@@ -362,6 +362,8 @@ def convert_wildcards_to_regex(str_value):
             self._checker_args.val = { checker_name.lower(): arg
                 for checker_name, arg in self._checker_args.val.items() }
 
+        ## Path to Client Cert for Certificate Based Authentication
+        self._client_certificate_path = SettingsArg('client_certificate_path', str, None, user_args)
         ## List of endpoints whose resource is to be created only once - Will be set with other per_resource settings
         self._create_once_endpoints = SettingsListArg('create_once', str, None, val_convert=str_to_hex_def)
         ## List of status codes that will be flagged as bugs
@@ -458,6 +460,10 @@ def __deepcopy__(self, memo):
         """ Don't deepcopy this object, just return its reference """
         return self
 
+    @property
+    def client_certificate_path(self):
+        return self._client_certificate_path.val
+
     @property
     def connection_settings(self):
         return self._connection_settings

restler/unit_tests/restler_user_settings.json

@@ -1,4 +1,5 @@
 {
+    "client_certificate_path": "\\path\\to\\file.pem",
     "max_combinations": 20,
     "max_request_execution_time": 90,
     "global_producer_timing_delay": 2,

restler/unit_tests/test_restler_settings.py

@@ -345,6 +345,7 @@ def test_valid_option_validation(self):
                      'target_ip': '192.168.0.1',
                      'token_refresh_cmd': 'some command',
                      'token_refresh_interval': 30,
+                     'client_certificate_path': '\\path\\to\\file.pem',
                      'fuzzing_mode': 'random-walk',
                      'ignore_decoding_failures': True}
         try:
@@ -468,6 +469,7 @@ def test_settings_file_upload(self):
         self.assertEqual(True, hex_def(request1) in settings.create_once_endpoints)
         self.assertNotEqual(True, hex_def(request2) in settings.create_once_endpoints)
 
+        self.assertEqual("\\path\\to\\file.pem", settings.client_certificate_path)
         self.assertEqual(200, settings.dyn_objects_cache_size)
         self.assertEqual(2, settings.fuzzing_jobs)
         self.assertEqual('directed-smoke-test', settings.fuzzing_mode)

src/driver/Program.fs

@@ -209,6 +209,10 @@ module Fuzz =
             sprintf "--custom_mutations \"%s\"" parameters.mutationsFilePath
             sprintf "--set_version %s" CurrentVersion
 
+            (match parameters.certFilePath with
+             | None -> ""
+             | Some cfPath -> sprintf "--client_certificate_path \"%s\"" cfPath
+            )
             (match parameters.refreshableTokenOptions with
                 | None -> ""
                 | Some options ->
@@ -515,6 +519,11 @@ let rec parseEngineArgs task (args:EngineParameters) = function
         parseEngineArgs task { args with checkerOptions = args.checkerOptions @ [(checkerAction, specifiedCheckers |> String.concat " ")] } rest
     | "--no_results_analyzer"::rest ->
         parseEngineArgs task { args with runResultsAnalyzer = false } rest
+    | "--client_certificate_path"::certFilePath::rest ->
+        if not (File.Exists certFilePath) then
+            Logging.logError <| sprintf "The Client Certificate Path %s does not exist." certFilePath
+            usage()
+        parseEngineArgs task  { args with certFilePath = Some (Path.GetFullPath(certFilePath)) } rest
     | invalidArgument::rest ->
         Logging.logError <| sprintf "Invalid argument: %s" invalidArgument
         usage()

src/driver/Types.fs

@@ -65,6 +65,8 @@ type EngineParameters =
         /// Specifies whether to run results analyzer.
         runResultsAnalyzer : bool
 
+        /// File path to the client certificate.
+        certFilePath : string option
     }
 
 let DefaultEngineParameters =
@@ -83,6 +85,7 @@ let DefaultEngineParameters =
         pathRegex = None
         replayLogFilePath = None
         runResultsAnalyzer = true
+        certFilePath = None
     }
 
 /// Restler tasks that may be specified by the user