Add web client with support for client cert

Sustainsys.Saml2/CertificateUse.cs

@@ -1,12 +1,16 @@
-namespace Sustainsys.Saml2
+using System;
+
+namespace Sustainsys.Saml2
 {
     /// <summary>
     /// How is the certificate used?
     /// </summary>
+    [Flags]
     public enum CertificateUse
     {
         /// <summary>
-        /// The certificate is used for either signing or encryption, or both
+        /// The certificate is used for either signing or encryption, or both.
+        /// Equivalent to Signing | Encryption.
         /// </summary>
         Both = 0,
 
@@ -18,6 +22,12 @@ public enum CertificateUse
         /// <summary>
         /// The certificate is used for decrypting inbound assertions
         /// </summary>
-        Encryption = 2
+        Encryption = 2,
+
+        /// <summary>
+        /// The certificate is used as a Tls Client certificate for outbound
+        /// tls requests.
+        /// </summary>
+        TlsClient = 4
     }
 }

Sustainsys.Saml2/Configuration/ServiceCertificateCollection.cs

@@ -9,7 +9,8 @@
 namespace Sustainsys.Saml2.Configuration
 {
     /// <summary>
-    /// Certificates used by the service provider for signing or decryption.
+    /// Certificates used by the service provider for signing, decryption and
+    /// TLS client certificates for artifact resolve.
     /// </summary>
     public class ServiceCertificateCollection: Collection<ServiceCertificate>
     {
@@ -21,7 +22,7 @@ public class ServiceCertificateCollection: Collection<ServiceCertificate>
         public void Add(X509Certificate2 certificate)
         {
             if (certificate == null) throw new ArgumentNullException(nameof(certificate));
-            InsertItem(base.Count, new ServiceCertificate
+            InsertItem(Count, new ServiceCertificate
             {
                 Certificate = certificate
             });

Sustainsys.Saml2/Internal/ClientCertificateWebClient.cs

@@ -0,0 +1,43 @@
+using System;
+using System.Collections.Generic;
+using System.Net;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+
+namespace Sustainsys.Saml2.Internal
+{
+    /// <summary>
+    /// A WebClient implementation that will add a list of client 
+    /// certificates to the requests it makes.
+    /// </summary>
+    internal class ClientCertificateWebClient : WebClient
+    {
+        private readonly IEnumerable<X509Certificate2> certificates;
+        /// <summary>
+        /// Register the certificate to be used for this requets.
+        /// </summary>
+        /// <param name="certificates">Certificates to offer to server</param>
+        public ClientCertificateWebClient(IEnumerable<X509Certificate2> certificates)
+        {
+            this.certificates = certificates;
+        }
+        /// <summary>
+        /// Override the base class to add the certificate 
+        /// to the reuqest before returning it.
+        /// </summary>
+        /// <param name="address"></param>
+        /// <returns></returns>
+        protected override WebRequest GetWebRequest(Uri address)
+        {
+            var request = (HttpWebRequest)base.GetWebRequest(address);
+            if (certificates != null)
+            {
+                foreach(var c in certificates)
+                {
+                    request.ClientCertificates.Add(c);
+                }
+            }
+            return request;
+        }
+    }
+}

Tests/Tests.Shared/Internal/ClientCertificateWebclientTests.cs

@@ -0,0 +1,86 @@
+using System;
+using System.Linq;
+using System.Net;
+using System.Security.Cryptography.X509Certificates;
+using FluentAssertions;
+using Sustainsys.Saml2.Configuration;
+using Sustainsys.Saml2.Internal;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+using System.Collections.Generic;
+
+namespace Sustainsys.Saml2.Tests.Internal
+{
+    namespace Sustainsys.Saml2.Tests.Internal
+    {
+        [TestClass]
+        public class ClientCertificateWebClientTests
+        {
+            [TestMethod]
+            public void Create_WithoutCertificate_ShouldAddNothingToRequest()
+            {
+                var client = new TestableClientCertificateWebClient(null);
+                var payload = "Doesn't matter";
+                var destination = new Uri("https://localhost/Endpoint");
+                try
+                {
+                    client.UploadString(destination, payload);
+                }
+                catch (Exception)
+                {
+                    //Destination is not listening, but we should get an exception that shows it
+                    // at least tried to connect there.
+                }
+                client.HasCertificatesInRequest.Should().BeFalse();
+            }
+
+            [TestMethod]
+            public void Create_WithCertificate_ShouldAddCertificateToRequest()
+            {
+                var config = SustainsysSaml2Section.Current;
+                var options = new SPOptions(config);
+
+                var client = new TestableClientCertificateWebClient(
+                    options.ServiceCertificates
+                    .Where(sc => sc.Use.HasFlag(CertificateUse.TlsClient))
+                    .Select(sc => sc.Certificate));
+
+                var payload = "Doesn't matter";
+                var destination = new Uri("https://localhost/Endpoint");
+                try
+                {
+                    client.UploadString(destination, payload);
+                }
+                catch (Exception)
+                {
+                    //Destination is not listening, but we should get an exception that shows it
+                    // at least tried to connect there.
+                }
+                client.HasCertificatesInRequest.Should().BeTrue();
+            }
+
+            private class TestableClientCertificateWebClient : ClientCertificateWebClient
+            {
+                public bool HasCertificatesInRequest;
+                private readonly IList<X509Certificate2> expectedCertificates;
+                public TestableClientCertificateWebClient(IEnumerable<X509Certificate2> certificates) 
+                    : base(certificates)
+                {
+                    expectedCertificates = certificates?.ToList(); // Copy to not rely on shared ref that can be altered.
+                }
+                protected override WebRequest GetWebRequest(Uri address)
+                {
+                    var request = base.GetWebRequest(address);
+                    var httpWebRequest = (HttpWebRequest)request;
+                    if (httpWebRequest != null)
+                    {
+                        HasCertificatesInRequest = 
+                            expectedCertificates != null
+                            && expectedCertificates.Count == httpWebRequest.ClientCertificates.Count
+                            && expectedCertificates.All(ec => httpWebRequest.ClientCertificates.Contains(ec));
+                    }
+                    return request;
+                }
+            }
+        }
+    }
+}

Tests/Tests.Shared/Tests.Shared.projitems

@@ -37,6 +37,7 @@
     <Compile Include="$(MSBuildThisFileDirectory)Helpers\StubServer.cs" />
     <Compile Include="$(MSBuildThisFileDirectory)Helpers\XmlElementExtensions.cs" />
     <Compile Include="$(MSBuildThisFileDirectory)IdentityProviderTests.cs" />
+    <Compile Include="$(MSBuildThisFileDirectory)Internal\ClientCertificateWebclientTests.cs" />
     <Compile Include="$(MSBuildThisFileDirectory)Internal\CryptographyExtensionsTests.cs" />
     <Compile Include="$(MSBuildThisFileDirectory)Internal\DateTimeExtensionsTests.cs" />
     <Compile Include="$(MSBuildThisFileDirectory)Internal\DateTimeHelperTests.cs" />