feat(): add mtls configurations for certs

Author: sandy2008

src/OpenTelemetry.Exporter.OpenTelemetryProtocol/Implementation/OtlpMtlsCertificateManager.cs

@@ -7,6 +7,7 @@
 using System.Security.AccessControl;
 using System.Security.Cryptography.X509Certificates;
 using System.Security.Principal;
+using Microsoft.Extensions.Configuration;
 
 namespace OpenTelemetry.Exporter.OpenTelemetryProtocol.Implementation;
 
@@ -116,23 +117,44 @@ public static X509Certificate2 LoadClientCertificate(
     }
 
     /// <summary>
-    /// Validates a certificate chain and checks for any errors.
+    /// Validates the certificate chain for a given certificate.
     /// </summary>
     /// <param name="certificate">The certificate to validate.</param>
     /// <param name="certificateType">Type description for logging (e.g., "Client certificate").</param>
     /// <returns>True if the certificate chain is valid; otherwise, false.</returns>
     public static bool ValidateCertificateChain(
         X509Certificate2 certificate,
         string certificateType)
+    {
+        return ValidateCertificateChain(certificate, certificateType, null);
+    }
+
+    /// <summary>
+    /// Validates the certificate chain for a given certificate with optional configuration.
+    /// </summary>
+    /// <param name="certificate">The certificate to validate.</param>
+    /// <param name="certificateType">Type description for logging (e.g., "Client certificate").</param>
+    /// <param name="configuration">Optional configuration to read environment variables from.</param>
+    /// <returns>True if the certificate chain is valid; otherwise, false.</returns>
+    public static bool ValidateCertificateChain(
+        X509Certificate2 certificate,
+        string certificateType,
+        IConfiguration? configuration)
     {
         try
         {
             using var chain = new X509Chain();
 
             // Configure chain policy
             chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
-            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
-            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
+
+            // Configure RevocationMode from environment variable or use default
+            var revocationMode = GetRevocationModeFromConfiguration(configuration);
+            chain.ChainPolicy.RevocationMode = revocationMode;
+
+            // Configure RevocationFlag from environment variable or use default
+            var revocationFlag = GetRevocationFlagFromConfiguration(configuration);
+            chain.ChainPolicy.RevocationFlag = revocationFlag;
 
             bool isValid = chain.Build(certificate);
 
@@ -380,6 +402,60 @@ private static void ValidateUnixFilePermissions(string filePath, string fileType
             filePath,
             "Consider verifying that file permissions are set to 400 (read-only for owner) for enhanced security.");
     }
+
+    /// <summary>
+    /// Gets the X509RevocationMode from configuration or returns the default value.
+    /// </summary>
+    /// <param name="configuration">Configuration to read from.</param>
+    /// <returns>The configured revocation mode or default (Online).</returns>
+    private static X509RevocationMode GetRevocationModeFromConfiguration(IConfiguration? configuration)
+    {
+        if (configuration == null)
+        {
+            return X509RevocationMode.Online;
+        }
+
+        if (configuration.TryGetStringValue(OtlpSpecConfigDefinitions.CertificateRevocationModeEnvVarName, out var modeString))
+        {
+            if (Enum.TryParse<X509RevocationMode>(modeString, true, out var mode))
+            {
+                return mode;
+            }
+
+            ((IConfigurationExtensionsLogger)OpenTelemetryProtocolExporterEventSource.Log).LogInvalidConfigurationValue(
+                OtlpSpecConfigDefinitions.CertificateRevocationModeEnvVarName,
+                modeString);
+        }
+
+        return X509RevocationMode.Online;
+    }
+
+    /// <summary>
+    /// Gets the X509RevocationFlag from configuration or returns the default value.
+    /// </summary>
+    /// <param name="configuration">Configuration to read from.</param>
+    /// <returns>The configured revocation flag or default (ExcludeRoot).</returns>
+    private static X509RevocationFlag GetRevocationFlagFromConfiguration(IConfiguration? configuration)
+    {
+        if (configuration == null)
+        {
+            return X509RevocationFlag.ExcludeRoot;
+        }
+
+        if (configuration.TryGetStringValue(OtlpSpecConfigDefinitions.CertificateRevocationFlagEnvVarName, out var flagString))
+        {
+            if (Enum.TryParse<X509RevocationFlag>(flagString, true, out var flag))
+            {
+                return flag;
+            }
+
+            ((IConfigurationExtensionsLogger)OpenTelemetryProtocolExporterEventSource.Log).LogInvalidConfigurationValue(
+                OtlpSpecConfigDefinitions.CertificateRevocationFlagEnvVarName,
+                flagString);
+        }
+
+        return X509RevocationFlag.ExcludeRoot;
+    }
 }
 
 #endif

src/OpenTelemetry.Exporter.OpenTelemetryProtocol/Implementation/OtlpSpecConfigDefinitions.cs

@@ -36,4 +36,8 @@ internal static class OtlpSpecConfigDefinitions
     public const string CertificateEnvVarName = "OTEL_EXPORTER_OTLP_CERTIFICATE";
     public const string ClientKeyEnvVarName = "OTEL_EXPORTER_OTLP_CLIENT_KEY";
     public const string ClientCertificateEnvVarName = "OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE";
+
+    // Certificate validation environment variables
+    public const string CertificateRevocationModeEnvVarName = "OTEL_EXPORTER_OTLP_CERTIFICATE_REVOCATION_MODE";
+    public const string CertificateRevocationFlagEnvVarName = "OTEL_EXPORTER_OTLP_CERTIFICATE_REVOCATION_FLAG";
 }

src/OpenTelemetry.Exporter.OpenTelemetryProtocol/README.md

@@ -453,11 +453,13 @@ or reader
   The following environment variables can be used to configure mTLS
   (mutual TLS) authentication (.NET 8.0+ only):
 
-  | Environment variable                   | `OtlpMtlsOptions` property    | Description                           |
-  | ---------------------------------------| ------------------------------|---------------------------------------|
-  | `OTEL_EXPORTER_OTLP_CERTIFICATE`      | `CaCertificatePath`           | Path to CA certificate file (PEM)    |
-  | `OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE` | `ClientCertificatePath`      | Path to client certificate file (PEM)|
-  | `OTEL_EXPORTER_OTLP_CLIENT_KEY`       | `ClientKeyPath`               | Path to client private key file (PEM)|
+  | Environment variable                           | `OtlpMtlsOptions` property    | Description                           |
+  | -----------------------------------------------| ------------------------------|---------------------------------------|
+  | `OTEL_EXPORTER_OTLP_CERTIFICATE`              | `CaCertificatePath`           | Path to CA certificate file (PEM)    |
+  | `OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE`       | `ClientCertificatePath`       | Path to client certificate file (PEM)|
+  | `OTEL_EXPORTER_OTLP_CLIENT_KEY`               | `ClientKeyPath`               | Path to client private key file (PEM)|
+  | `OTEL_EXPORTER_OTLP_CERTIFICATE_REVOCATION_MODE` | N/A                        | Certificate revocation mode (`Online`, `Offline`, or `NoCheck`). Default: `Online` |
+  | `OTEL_EXPORTER_OTLP_CERTIFICATE_REVOCATION_FLAG` | N/A                        | Certificate revocation flag (`ExcludeRoot`, `EntireChain`, or `EndCertificateOnly`). Default: `ExcludeRoot` |
 
 * Logs:
 

test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/OtlpMtlsCertificateManagerTests.cs

@@ -3,6 +3,8 @@
 
 #if NET8_0_OR_GREATER
 
+using Microsoft.Extensions.Configuration;
+
 namespace OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests;
 
 public class OtlpMtlsCertificateManagerTests
@@ -157,6 +159,165 @@ public void ValidateCertificateChain_ReturnsResult_WithValidCertificate()
         Xunit.Assert.True(result || !result);
     }
 
+    [Xunit.Fact]
+    public void ValidateCertificateChain_UsesDefaultConfiguration_WhenConfigurationIsNull()
+    {
+        using var cert = CreateSelfSignedCertificate();
+
+        // Both overloads should work
+        var result1 = OpenTelemetryProtocol.Implementation.OtlpMtlsCertificateManager.ValidateCertificateChain(cert, "test certificate");
+        var result2 = OpenTelemetryProtocol.Implementation.OtlpMtlsCertificateManager.ValidateCertificateChain(cert, "test certificate", null);
+
+        // Results should be the same since both use defaults
+        Xunit.Assert.Equal(result1, result2);
+    }
+
+    [Xunit.Fact]
+    public void ValidateCertificateChain_UsesRevocationModeFromConfiguration()
+    {
+        using var cert = CreateSelfSignedCertificate();
+
+        var configuration = new ConfigurationBuilder()
+            .AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string?>(OtlpSpecConfigDefinitions.CertificateRevocationModeEnvVarName, "NoCheck"),
+            })
+            .Build();
+
+        // Should not throw when using NoCheck mode
+        var result = OpenTelemetryProtocol.Implementation.OtlpMtlsCertificateManager.ValidateCertificateChain(cert, "test certificate", configuration);
+
+        // The method should execute without throwing
+        Xunit.Assert.True(result || !result);
+    }
+
+    [Xunit.Fact]
+    public void ValidateCertificateChain_UsesRevocationFlagFromConfiguration()
+    {
+        using var cert = CreateSelfSignedCertificate();
+
+        var configuration = new ConfigurationBuilder()
+            .AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string?>(OtlpSpecConfigDefinitions.CertificateRevocationFlagEnvVarName, "EntireChain"),
+            })
+            .Build();
+
+        // Should not throw when using EntireChain flag
+        var result = OpenTelemetryProtocol.Implementation.OtlpMtlsCertificateManager.ValidateCertificateChain(cert, "test certificate", configuration);
+
+        // The method should execute without throwing
+        Xunit.Assert.True(result || !result);
+    }
+
+    [Xunit.Fact]
+    public void ValidateCertificateChain_UsesBothRevocationConfigurationValues()
+    {
+        using var cert = CreateSelfSignedCertificate();
+
+        var configuration = new ConfigurationBuilder()
+            .AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string?>(OtlpSpecConfigDefinitions.CertificateRevocationModeEnvVarName, "Offline"),
+                new KeyValuePair<string, string?>(OtlpSpecConfigDefinitions.CertificateRevocationFlagEnvVarName, "EndCertificateOnly"),
+            })
+            .Build();
+
+        // Should not throw when using both configuration values
+        var result = OpenTelemetryProtocol.Implementation.OtlpMtlsCertificateManager.ValidateCertificateChain(cert, "test certificate", configuration);
+
+        // The method should execute without throwing
+        Xunit.Assert.True(result || !result);
+    }
+
+    [Xunit.Fact]
+    public void ValidateCertificateChain_UsesDefaultsForInvalidRevocationMode()
+    {
+        using var cert = CreateSelfSignedCertificate();
+
+        var configuration = new ConfigurationBuilder()
+            .AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string?>(OtlpSpecConfigDefinitions.CertificateRevocationModeEnvVarName, "InvalidMode"),
+            })
+            .Build();
+
+        // Should not throw even with invalid configuration value (should use default)
+        var result = OpenTelemetryProtocol.Implementation.OtlpMtlsCertificateManager.ValidateCertificateChain(cert, "test certificate", configuration);
+
+        // The method should execute without throwing and use default Online mode
+        Xunit.Assert.True(result || !result);
+    }
+
+    [Xunit.Fact]
+    public void ValidateCertificateChain_UsesDefaultsForInvalidRevocationFlag()
+    {
+        using var cert = CreateSelfSignedCertificate();
+
+        var configuration = new ConfigurationBuilder()
+            .AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string?>(OtlpSpecConfigDefinitions.CertificateRevocationFlagEnvVarName, "InvalidFlag"),
+            })
+            .Build();
+
+        // Should not throw even with invalid configuration value (should use default)
+        var result = OpenTelemetryProtocol.Implementation.OtlpMtlsCertificateManager.ValidateCertificateChain(cert, "test certificate", configuration);
+
+        // The method should execute without throwing and use default ExcludeRoot flag
+        Xunit.Assert.True(result || !result);
+    }
+
+    [Xunit.Theory]
+    [Xunit.InlineData("Online")]
+    [Xunit.InlineData("Offline")]
+    [Xunit.InlineData("NoCheck")]
+    [Xunit.InlineData("online")]
+    [Xunit.InlineData("OFFLINE")]
+    [Xunit.InlineData("nocheck")]
+    public void ValidateCertificateChain_HandlesCaseInsensitiveRevocationMode(string revocationMode)
+    {
+        using var cert = CreateSelfSignedCertificate();
+
+        var configuration = new ConfigurationBuilder()
+            .AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string?>(OtlpSpecConfigDefinitions.CertificateRevocationModeEnvVarName, revocationMode),
+            })
+            .Build();
+
+        // Should handle case-insensitive enum parsing
+        var result = OpenTelemetryProtocol.Implementation.OtlpMtlsCertificateManager.ValidateCertificateChain(cert, "test certificate", configuration);
+
+        // The method should execute without throwing
+        Xunit.Assert.True(result || !result);
+    }
+
+    [Xunit.Theory]
+    [Xunit.InlineData("ExcludeRoot")]
+    [Xunit.InlineData("EntireChain")]
+    [Xunit.InlineData("EndCertificateOnly")]
+    [Xunit.InlineData("excluderoot")]
+    [Xunit.InlineData("ENTIRECHAIN")]
+    [Xunit.InlineData("endcertificateonly")]
+    public void ValidateCertificateChain_HandlesCaseInsensitiveRevocationFlag(string revocationFlag)
+    {
+        using var cert = CreateSelfSignedCertificate();
+
+        var configuration = new ConfigurationBuilder()
+            .AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string?>(OtlpSpecConfigDefinitions.CertificateRevocationFlagEnvVarName, revocationFlag),
+            })
+            .Build();
+
+        // Should handle case-insensitive enum parsing
+        var result = OpenTelemetryProtocol.Implementation.OtlpMtlsCertificateManager.ValidateCertificateChain(cert, "test certificate", configuration);
+
+        // The method should execute without throwing
+        Xunit.Assert.True(result || !result);
+    }
+
     private static System.Security.Cryptography.X509Certificates.X509Certificate2 CreateSelfSignedCertificate()
     {
         using var rsa = System.Security.Cryptography.RSA.Create(2048);

test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/OtlpSpecConfigDefinitionsTests.cs

@@ -0,0 +1,54 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+#if NET8_0_OR_GREATER
+
+using Xunit;
+
+namespace OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests;
+
+public class OtlpSpecConfigDefinitionsTests
+{
+    [Fact]
+    public void CertificateRevocationModeEnvVarName_HasCorrectValue()
+    {
+        Assert.Equal("OTEL_EXPORTER_OTLP_CERTIFICATE_REVOCATION_MODE", OtlpSpecConfigDefinitions.CertificateRevocationModeEnvVarName);
+    }
+
+    [Fact]
+    public void CertificateRevocationFlagEnvVarName_HasCorrectValue()
+    {
+        Assert.Equal("OTEL_EXPORTER_OTLP_CERTIFICATE_REVOCATION_FLAG", OtlpSpecConfigDefinitions.CertificateRevocationFlagEnvVarName);
+    }
+
+    [Fact]
+    public void AllEnvironmentVariableNames_AreUnique()
+    {
+        var envVars = new[]
+        {
+            OtlpSpecConfigDefinitions.DefaultEndpointEnvVarName,
+            OtlpSpecConfigDefinitions.DefaultHeadersEnvVarName,
+            OtlpSpecConfigDefinitions.DefaultTimeoutEnvVarName,
+            OtlpSpecConfigDefinitions.DefaultProtocolEnvVarName,
+            OtlpSpecConfigDefinitions.CertificateEnvVarName,
+            OtlpSpecConfigDefinitions.ClientKeyEnvVarName,
+            OtlpSpecConfigDefinitions.ClientCertificateEnvVarName,
+            OtlpSpecConfigDefinitions.CertificateRevocationModeEnvVarName,
+            OtlpSpecConfigDefinitions.CertificateRevocationFlagEnvVarName,
+        };
+
+        var uniqueVars = envVars.Distinct().ToArray();
+
+        Assert.Equal(envVars.Length, uniqueVars.Length);
+    }
+
+    [Fact]
+    public void CertificateRevocationEnvironmentVariables_FollowNamingConvention()
+    {
+        // All certificate-related environment variables should follow the OTEL_EXPORTER_OTLP_CERTIFICATE prefix
+        Assert.StartsWith("OTEL_EXPORTER_OTLP_CERTIFICATE", OtlpSpecConfigDefinitions.CertificateRevocationModeEnvVarName, StringComparison.Ordinal);
+        Assert.StartsWith("OTEL_EXPORTER_OTLP_CERTIFICATE", OtlpSpecConfigDefinitions.CertificateRevocationFlagEnvVarName, StringComparison.Ordinal);
+    }
+}
+
+#endif