open-telemetry · alanwest · Oct 17, 2024 · Sep 9, 2024 · Sep 9, 2024 · Sep 12, 2024
@@ -1,3 +1,7 @@
 # Self-signed cert generated by integration test
 otel-collector.crt
 otel-collector.key
+otel-client.crt
+otel-client.key
+otel-untrusted-collector.crt
+otel-untrusted-collector.key
@@ -5,26 +5,20 @@
 version: '3.7'
 
 services:
-  create-cert:
-    image: mcr.microsoft.com/dotnet/sdk:7.0
-    volumes:
-      - ./test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/IntegrationTest:/cfg
-    command: /cfg/create-cert.sh
-
   otel-collector:
     image: otel/opentelemetry-collector
     volumes:
       - ./test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/IntegrationTest:/cfg
+      - ./test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/obj:/obj
     command: --config=/cfg/otel-collector-config.yaml
-    depends_on:
-      - create-cert
 
   tests:
     build:
       context: .
       dockerfile: ./test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/IntegrationTest/Dockerfile
     volumes:
       - ./test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/IntegrationTest:/cfg
+      - ./test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/obj:/obj
     command: /cfg/run-test.sh
     environment:
       - OTEL_COLLECTOR_HOSTNAME=otel-collector

@@ -16,13 +16,39 @@ receivers:
       grpc:
         endpoint: 0.0.0.0:5317
         tls:
-          cert_file: /cfg/otel-collector.crt
-          key_file: /cfg/otel-collector.key
+          cert_file: /obj/Debug/otel-test-server-cert.pem
+          key_file: /obj/Debug/otel-test-server-key.pem
       http:
         endpoint: 0.0.0.0:5318
         tls:
-          cert_file: /cfg/otel-collector.crt
-          key_file: /cfg/otel-collector.key
+          cert_file: /obj/Debug/otel-test-server-cert.pem
+          key_file: /obj/Debug/otel-test-server-key.pem
+  otlp/untrustedtls:
+    protocols:
+      grpc:
+        endpoint: 0.0.0.0:6317
+        tls:
+          cert_file: /obj/Debug/otel-untrusted-collector-cert.pem
+          key_file: /obj/Debug/otel-untrusted-collector-key.pem
+      http:
+        endpoint: 0.0.0.0:6318
+        tls:
+          cert_file: /obj/Debug/otel-untrusted-collector-cert.pem
+          key_file: /obj/Debug/otel-untrusted-collector-key.pem
+  otlp/mtls:
+    protocols:
+      grpc:
+        endpoint: 0.0.0.0:7317
+        tls:
+          cert_file: /obj/Debug/otel-test-server-cert.pem
+          key_file: /obj/Debug/otel-test-server-key.pem
+          client_ca_file: /obj/Debug/otel-test-ca-cert.pem
+      http:
+        endpoint: 0.0.0.0:7318
+        tls:
+          cert_file: /obj/Debug/otel-test-server-cert.pem
+          key_file: /obj/Debug/otel-test-server-key.pem
+          client_ca_file: /obj/Debug/otel-test-ca-cert.pem
 
 exporters:
   debug:
@@ -31,11 +57,11 @@ exporters:
 service:
   pipelines:
     traces:
-      receivers: [otlp, otlp/tls]
+      receivers: [otlp, otlp/tls, otlp/untrustedtls, otlp/mtls]
       exporters: [debug]
     metrics:
-      receivers: [otlp, otlp/tls]
+      receivers: [otlp, otlp/tls, otlp/untrustedtls, otlp/mtls]
       exporters: [debug]
     logs:
-      receivers: [otlp, otlp/tls]
+      receivers: [otlp, otlp/tls, otlp/untrustedtls, otlp/mtls]
       exporters: [debug]
@@ -2,7 +2,7 @@
 set -e
 
 # Trust the self-signed certificated used by the collector
-cp /cfg/otel-collector.crt /usr/local/share/ca-certificates/
+cp /obj/Debug/otel-test-ca-cert.pem /usr/local/share/ca-certificates/
 update-ca-certificates --verbose
 
 dotnet test OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests.dll --TestCaseFilter:CategoryName=CollectorIntegrationTests --logger "console;verbosity=detailed"
@@ -4,6 +4,25 @@
     <TargetFrameworks>$(TargetFrameworksForTests)</TargetFrameworks>
   </PropertyGroup>
 
+  <!-- Add MSBuild Task to Generate Certificates -->
+  <Target Name="GenerateTestCertificates" BeforeTargets="Build">
+    <Exec Condition="$(OS) == 'Unix'"
+      Command="/bin/bash gen_test_cert.sh $(IntermediateOutputPath)"
+      ConsoleToMsBuild="true"
+      WorkingDirectory="$(ProjectDir)" />
+
+    <Exec Condition="$(OS) == 'Windows_NT'"
+      Command="pwsh -NonInteractive -executionpolicy Unrestricted -command &quot;&amp; { ./gen_test_cert.ps1 -OutDir $(IntermediateOutputPath) } &quot;"
+      ConsoleToMsBuild="true"
+      WorkingDirectory="$(ProjectDir)" />
+
+    <ItemGroup>
+      <TestCertificates Include="$(IntermediateOutputPath)*.pem"/>
+    </ItemGroup>
+
+    <Copy SourceFiles="@(TestCertificates)" DestinationFolder="$(OutputPath)\%(RecursiveDir)"/>
+  </Target>
+
   <ItemGroup>
     <PackageReference Include="Grpc.AspNetCore.Server" Condition="'$(TargetFrameworkIdentifier)' == '.NETCoreApp'" />
     <PackageReference Include="Microsoft.AspNetCore.TestHost" Condition="'$(TargetFrameworkIdentifier)' == '.NETCoreApp'" />

@@ -0,0 +1,119 @@
+using namespace System.Security.Cryptography;
+using namespace System.Security.Cryptography.X509Certificates;
+
+param (
+  [string] $OutDir
+)
+
+function Write-Certificate {
+  param (
+    [X509Certificate2] $Cert,
+    [string] $Name,
+    [string] $Dir
+  )
+
+  # write cert content
+  $certPem = $Cert.ExportCertificatePem();
+  $certPemPath = Join-Path $Dir -ChildPath "$Name-cert.pem";
+  [System.IO.File]::WriteAllText($certPemPath, $certPem);
+
+  # write pkey
+  [AsymmetricAlgorithm] $pkey = [RSACertificateExtensions]::GetRSAPrivateKey($Cert);
+  [string] $pkeyPem = $null;
+
+  if ($null -ne $pkey) {
+    $pkeyPem = $pkey.ExportRSAPrivateKeyPem();
+  }
+
+  if ($null -eq $pkey) {
+    $pkey = [ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert);
+    $pkeyPem = $pkey.ExportECPrivateKeyPem();
+  }
+
+  if ($null -eq $pkeyPem) {
+    return;
+  }
+
+
+  $pKeyPath = Join-Path $Dir -ChildPath "$Name-key.pem";
+  [System.IO.File]::WriteAllText($pKeyPath, $pkeyPem);
+}
+
+# Generate CA certificate (Certificate Authority)
+$ca = New-SelfSignedCertificate -CertStoreLocation 'Cert:\CurrentUser\My' `
+  -DnsName "otel-test-ca" `
+  -NotAfter (Get-Date).AddYears(20) `
+  -FriendlyName "otel-test-ca" `
+  -KeyAlgorithm ECDSA_nistP256 `
+  -KeyExportPolicy Exportable `
+  -KeyUsageProperty All -KeyUsage CertSign, CRLSign, DigitalSignature;
+
+
+try {
+  # Write the CA cert
+  Write-Certificate -Cert $ca -Name "otel-test-ca" -Dir $OutDir;
+
+  # Generate server certificate (otel-test-server)
+  $serverCert = New-SelfSignedCertificate -CertStoreLocation 'Cert:\CurrentUser\My' `
+    -DnsName "otel-test-server" `
+    -Signer $ca `
+    -NotAfter (Get-Date).AddYears(20) `
+    -FriendlyName "otel-test-server" `
+    -KeyAlgorithm ECDSA_nistP256 `
+    -KeyUsageProperty All `
+    -KeyExportPolicy Exportable `
+    -KeyUsage CertSign, CRLSign, DigitalSignature `
+    -TextExtension @("2.5.29.19={text}CA=1&pathlength=1", "2.5.29.37={text}1.3.6.1.5.5.7.3.1");
+
+  try {
+    # Write the server cert
+    Write-Certificate -Cert $serverCert -Name "otel-test-server" -Dir $OutDir;
+
+    # Generate client certificate (otel-test-client) for mTLS
+    $clientCert = New-SelfSignedCertificate -CertStoreLocation 'Cert:\CurrentUser\My' `
+      -DnsName "otel-test-client" `
+      -Signer $serverCert `
+      -NotAfter (Get-Date).AddYears(20) `
+      -FriendlyName "otel-test-client" `
+      -KeyAlgorithm ECDSA_nistP256 `
+      -KeyUsageProperty All `
+      -KeyExportPolicy Exportable `
+      -KeyUsage CertSign, CRLSign, DigitalSignature `
+      -TextExtension @("2.5.29.19={text}CA=1&pathlength=1", "2.5.29.37={text}1.3.6.1.5.5.7.3.2");
+
+    try {
+      # Write the client cert
+      Write-Certificate -Cert $clientCert -Name "otel-test-client" -Dir $OutDir;
+    }
+    finally {
+      Get-Item -Path "Cert:\CurrentUser\My\$($clientCert.Thumbprint)" | Remove-Item;
+    }
+
+    # Generate untrusted collector certificate
+    $untrustedCollectorCert = New-SelfSignedCertificate -CertStoreLocation 'Cert:\CurrentUser\My' `
+      -DnsName "otel-untrusted-collector" `
+      -NotAfter (Get-Date).AddYears(1) `
+      -FriendlyName "otel-untrusted-collector" `
+      -KeyAlgorithm ECDSA_nistP256 `
+      -KeyUsageProperty All `
+      -KeyExportPolicy Exportable `
+      -KeyUsage CertSign, CRLSign, DigitalSignature `
+      -TextExtension @("2.5.29.19={text}CA=0", "2.5.29.37={text}1.3.6.1.5.5.7.3.1");
+
+    try {
+      # Write the untrusted collector cert
+      Write-Certificate -Cert $untrustedCollectorCert -Name "otel-untrusted-collector" -Dir $OutDir;
+    }
+    finally {
+      Get-Item -Path "Cert:\CurrentUser\My\$($untrustedCollectorCert.Thumbprint)" | Remove-Item;
+    }
+
+  }
+  finally {
+    Get-Item -Path "Cert:\CurrentUser\My\$($serverCert.Thumbprint)" | Remove-Item;
+  }
+
+}
+finally {
+  Get-Item -Path "Cert:\CurrentUser\My\$($ca.Thumbprint)" | Remove-Item;
+}
@@ -0,0 +1,50 @@
+# ca
+openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
+    -subj "/CN=otel-test-ca" \
+    -keyout $1/otel-test-ca-key.pem  -out $1/otel-test-ca-cert.pem
+
+# server cert
+echo "\
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
+" > $1/server_cert_ext.cnf;
+
+openssl req -new -newkey rsa:2048 -sha256 \
+    -keyout $1/otel-test-server-key.pem -out $1/otel-test-server-csr.pem -nodes \
+    -subj "/CN=otel-test-server"
+
+openssl x509 -req -in $1/otel-test-server-csr.pem \
+    -extfile $1/server_cert_ext.cnf \
+    -CA $1/otel-test-ca-cert.pem -CAkey $1/otel-test-ca-key.pem -CAcreateserial \
+    -out $1/otel-test-server-cert.pem \
+    -days 3650 -sha256
+
+# client cert
+echo "\
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+" > $1/client_cert_ext.cnf;
+
+openssl req -new -newkey rsa:2048 -sha256 \
+    -keyout $1/otel-test-client-key.pem -out $1/otel-test-client-csr.pem -nodes \
+    -subj "/CN=otel-test-client"
+
+openssl x509 -req -in $1/otel-test-client-csr.pem \
+    -extfile $1/client_cert_ext.cnf \
+    -CA $1/otel-test-server-cert.pem -CAkey $1/otel-test-server-key.pem -CAcreateserial \
+    -out $1/otel-test-client-cert.pem \
+    -days 3650 -sha256
+
+openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
+    -subj "/CN=otel-untrusted-collector" \
+    -keyout $1/otel-untrusted-collector-key.pem  -out $1/otel-untrusted-collector-cert.pem