Fix code and add Unit Tests for CertificateCache

Author: arontsang

Directory.Build.props

@@ -7,7 +7,7 @@
     <Copyright>© Microsoft Corporation. All rights reserved.</Copyright>
     <PackageIcon></PackageIcon>
     <PackageIconFullPath></PackageIconFullPath>
-    <LangVersion>12.0</LangVersion>
+    <LangVersion>13.0</LangVersion>
     <PackageLicenseExpression>MIT</PackageLicenseExpression>
     <StrongNameKeyId>Microsoft</StrongNameKeyId>
     <EmbedUntrackedSources>true</EmbedUntrackedSources>

src/Kubernetes.Controller/Certificates/ImmutableCertificateCache.cs

@@ -34,27 +34,9 @@ public ImmutableCertificateCache(IEnumerable<TCert> certificates, Func<TCert, IE
         _wildCardDomains.Sort(DomainNameComparer.Instance);
     }
 
-    public bool TryGetCertificateExact(string domain, [NotNullWhen(true)] out TCert? certificate) =>
-        _certificates.TryGetValue(domain, out certificate);
-
-    public bool TryGetWildcardCertificate(string domain, [NotNullWhen(true)] out TCert? certificate)
-    {
-        if (_wildCardDomains.BinarySearch(new WildCardDomain(domain, null!), DomainNameComparer.Instance) is { } index and < -1)
-        {
-            var candidate = _wildCardDomains[~index];
-            if (domain.EndsWith(candidate.Domain, true, CultureInfo.InvariantCulture))
-            {
-                certificate = candidate.Certificate;
-                return true;
-            }
-        }
 
-        certificate = null;
-        return false;
-    }
 
-    public TCert? GetDefaultCertificate() => _wildCardDomains.FirstOrDefault()?.Certificate
-                                                        ?? _certificates.Values.FirstOrDefault();
+    protected abstract TCert? GetDefaultCertificate();
 
     public TCert? GetCertificate(string domain)
     {
@@ -70,7 +52,35 @@ public bool TryGetWildcardCertificate(string domain, [NotNullWhen(true)] out TCe
         return GetDefaultCertificate();
     }
 
-    private record WildCardDomain(string Domain, TCert Certificate);
+    protected IReadOnlyList<WildCardDomain> WildcardCertificates => _wildCardDomains;
+
+    protected IReadOnlyDictionary<string, TCert> Certificates => _certificates;
+
+    protected record WildCardDomain(string Domain, TCert? Certificate);
+
+    private bool TryGetCertificateExact(string domain, [NotNullWhen(true)] out TCert? certificate) =>
+        _certificates.TryGetValue(domain, out certificate);
+
+    private bool TryGetWildcardCertificate(string domain, [NotNullWhen(true)] out TCert? certificate)
+    {
+        if (_wildCardDomains.BinarySearch(new WildCardDomain(domain, null!), DomainNameComparer.Instance) is { } index)
+        {
+            if (index > -1)
+            {
+                certificate = _wildCardDomains[index].Certificate!;
+                return true;
+            }
+            // var candidate = _wildCardDomains[~index];
+            // if (domain.EndsWith(candidate.Domain, true, CultureInfo.InvariantCulture))
+            // {
+            //     certificate = candidate.Certificate!;
+            //     return true;
+            // }
+        }
+
+        certificate = null;
+        return false;
+    }
 
     /// <summary>
     /// Sorts domain names right to left.
@@ -83,7 +93,21 @@ private class DomainNameComparer : IComparer<WildCardDomain>
 
         public int Compare(WildCardDomain? x, WildCardDomain? y)
         {
-            return Compare(x!.Domain.AsSpan(), y!.Domain.AsSpan());
+            var ret = Compare(x!.Domain.AsSpan(), y!.Domain.AsSpan());
+            if (ret != 0)
+            {
+                return ret;
+            }
+
+            switch (x!.Certificate, y!.Certificate)
+            {
+                case (null, {}) when x.Domain.Length > y.Domain.Length:
+                    return 0;
+                case ({}, null) when x.Domain.Length < y.Domain.Length:
+                    return 0;
+                default:
+                    return x.Domain.Length - y.Domain.Length;
+            }
         }
 
         private static int Compare(ReadOnlySpan<char> x, ReadOnlySpan<char> y)
@@ -93,8 +117,8 @@ private static int Compare(ReadOnlySpan<char> x, ReadOnlySpan<char> y)
 
             for (var i = 1; i <= length; i++)
             {
-                var charA = x[^i] & 0x3F;
-                var charB = y[^i] & 0x3F;
+                var charA = x[^i] & 0x5F;
+                var charB = y[^i] & 0x5F;
 
                 if (charA == charB)
                 {
@@ -104,7 +128,8 @@ private static int Compare(ReadOnlySpan<char> x, ReadOnlySpan<char> y)
                 return charB - charA;
             }
 
-            return x.Length - y.Length;
+            //return x.Length - y.Length;
+            return 0;
         }
     }
 }

src/Kubernetes.Controller/Certificates/ServerCertificateSelector.CertificateCache.cs

@@ -3,14 +3,25 @@
 #nullable enable
 using System.Collections.Generic;
 using System.Formats.Asn1;
+using System.Linq;
 using System.Security.Cryptography.X509Certificates;
 
 namespace Yarp.Kubernetes.Controller.Certificates;
 
 internal partial class ServerCertificateSelector
 {
     private class ImmutableX509CertificateCache(IEnumerable<X509Certificate2> certificates)
-        : ImmutableCertificateCache<X509Certificate2>(certificates, GetDomains);
+        : ImmutableCertificateCache<X509Certificate2>(certificates, GetDomains)
+    {
+        protected override X509Certificate2? GetDefaultCertificate()
+        {
+            if (WildcardCertificates.Count != 0)
+            {
+                return WildcardCertificates[0].Certificate;
+            }
+            return Certificates.Values.FirstOrDefault();
+        }
+    }
 
     private static IEnumerable<string> GetDomains(X509Certificate2 certificate)
     {

test/Kubernetes.Tests/Certificates/CertificateCacheTests.cs

@@ -1,9 +1,56 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Collections.Generic;
+using Xunit;
+#nullable enable
 namespace Yarp.Kubernetes.Controller.Certificates.Tests;
 
 public class CertificateCacheTests
 {
-    
+
+    private static readonly FakeCertificateCache Cache = new(
+        new FakeCertificate("Acme", "mail.acme.com", "www.acme.com"),
+        new FakeCertificate("Initech", "*.initech.com", "initech.com"),
+        new FakeCertificate("Northwind", "*.northwind.com")
+    );
+
+    [Theory]
+    [InlineData("www.acme.com", "Acme")]
+    [InlineData("www.ACME.com", "Acme")]
+    [InlineData("mail.acme.com", "Acme")]
+    [InlineData("acme.com", null)]
+    [InlineData("store.acme.com", null)]
+    [InlineData("www.northwind.com", "Northwind")]
+    [InlineData("mail.northwind.com", "Northwind")]
+    [InlineData("northwind.com", null)]
+    [InlineData("initech.com", "Initech")]
+    [InlineData("www.initech.com", "Initech")]
+    [InlineData("www.IniTech.coM", "Initech")]
+    public void CertificateConversionFromPem(string requestedDomain, string? expectedCompanyName)
+    {
+        var certificate = Cache.GetCertificate(requestedDomain);
+        if (expectedCompanyName != null)
+        {
+            Assert.Equal(expectedCompanyName, certificate?.Name);
+        }
+        else
+        {
+            Assert.Null(certificate?.Name);
+        }
+    }
+
+    private record FakeCertificate(string Name, params string[] Domains);
+
+    private class FakeCertificateCache(params IEnumerable<FakeCertificate> certificates)
+        : ImmutableCertificateCache<FakeCertificate>(certificates, static cert => cert.Domains)
+    {
+        protected override FakeCertificate? GetDefaultCertificate()
+        {
+            return null;
+        }
+    }
 }
+
+
+