Merge pull request #3067 from warlof/disclose-sslissue

fix: enhance ps7 compatibility with ssl selfsigned
microsoft · May 27, 2023 · 2d16653 · 2d16653
2 parents 411b165 + 89f7648
commit 2d16653
Show file tree

Hide file tree

Showing 5 changed files with 1,197 additions and 1,204 deletions.
diff --git a/AppHandling/Compile-AppInNavContainer.ps1 b/AppHandling/Compile-AppInNavContainer.ps1
@@ -391,25 +391,8 @@ try {
             $devServerUrl = "$($protocol)$($containerName):$($customConfig.DeveloperServicesPort)/$ServerInstance"
         }
 
-        $sslVerificationDisabled = ($protocol -eq "https://")
-        if ($sslVerificationDisabled) {
-            if (-not ([System.Management.Automation.PSTypeName]"SslVerification").Type)
-            {
-                Add-Type -TypeDefinition "
-                    using System.Net.Security;
-                    using System.Security.Cryptography.X509Certificates;
-                    public static class SslVerification
-                    {
-                        private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return true; }
-                        public static void Disable() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
-                        public static void Enable()  { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
-                    }"
-            }
-            Write-Host "Disabling SSL Verification"
-            [SslVerification]::Disable()
-        }
-
         $timeout = 300000
+        $sslVerificationDisabled = ($protocol -eq "https://")    
         if ($customConfig.ClientServicesCredentialType -eq "Windows") {
             $useDefaultCredentials = $true
         }
@@ -467,7 +450,7 @@ try {
                 }
                 Write-Host "Url : $Url"
                 try {
-                    DownloadFileLow -sourceUrl $url -destinationFile $symbolsFile -timeout $timeout -useDefaultCredentials:$useDefaultCredentials -Headers $headers
+                    DownloadFileLow -sourceUrl $url -destinationFile $symbolsFile -timeout $timeout -useDefaultCredentials:$useDefaultCredentials -Headers $headers -skipCertificateCheck:$sslVerificationDisabled
                 }
                 catch {
                     $throw = $true
@@ -560,11 +543,6 @@ try {
         }
         $depidx++
     }
-
-    if ($sslverificationdisabled) {
-        Write-Host "Re-enabling SSL Verification"
-        [SslVerification]::Enable()
-    }
 
     $result = Invoke-ScriptInBcContainer -containerName $containerName -ScriptBlock { Param($appProjectFolder, $appSymbolsFolder, $appOutputFile, $EnableCodeCop, $EnableAppSourceCop, $EnablePerTenantExtensionCop, $EnableUICop, $CustomCodeCops, $rulesetFile, $assemblyProbingPaths, $nowarn, $GenerateCrossReferences, $ReportSuppressedDiagnostics, $generateReportLayoutParam, $features, $preProcessorSymbols, $platformversion, $updateDependencies )
 

diff --git a/AppHandling/Get-NavContainerApp.ps1 b/AppHandling/Get-NavContainerApp.ps1
@@ -64,23 +64,6 @@ try {
     }
 
     $sslVerificationDisabled = ($protocol -eq "https://")
-    if ($sslVerificationDisabled) {
-        if (-not ([System.Management.Automation.PSTypeName]"SslVerification").Type)
-        {
-            Add-Type -TypeDefinition "
-                using System.Net.Security;
-                using System.Security.Cryptography.X509Certificates;
-                public static class SslVerification
-                {
-                    private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return true; }
-                    public static void Disable() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
-                    public static void Enable()  { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
-                }"
-        }
-        Write-Host "Disabling SSL Verification"
-        [SslVerification]::Disable()
-    }
-
     $timeout = 300000
     $useDefaultCredentials = $false
     $headers = @{}
@@ -104,18 +87,13 @@ try {
     $url = "$devServerUrl/dev/packages?publisher=$([uri]::EscapeDataString($publisher))&appName=$([uri]::EscapeDataString($appName))&versionText=$($appVersion)&tenant=$tenant"
     Write-Host "Url : $Url"
     try {
-        DownloadFileLow -sourceUrl $url -destinationFile $appFile -timeout $timeout -useDefaultCredentials:$useDefaultCredentials -Headers $headers
+        DownloadFileLow -sourceUrl $url -destinationFile $appFile -timeout $timeout -useDefaultCredentials:$useDefaultCredentials -Headers $headers -skipCertificateCheck:$sslVerificationDisabled
     }
     catch [System.Net.WebException] {
         Write-Host "ERROR $($_.Exception.Message)"
         throw (GetExtendedErrorMessage $_)
     }
 
-    if ($sslverificationdisabled) {
-        Write-Host "Re-enabling SSL Verification"
-        [SslVerification]::Enable()
-    }
-
     $appFile
 }
 catch {

diff --git a/AppHandling/PsTestFunctions.ps1 b/AppHandling/PsTestFunctions.ps1
@@ -1243,16 +1243,18 @@ function Disable-SslVerification
 {
     if (-not ([System.Management.Automation.PSTypeName]"SslVerification").Type)
     {
-        Add-Type -TypeDefinition  @"
-using System.Net.Security;
-using System.Security.Cryptography.X509Certificates;
-public static class SslVerification
-{
-    private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return true; }
-    public static void Disable() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
-    public static void Enable()  { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
-}
+$sslCallbackCode = @"
+    using System.Net.Security;
+    using System.Security.Cryptography.X509Certificates;
+
+    public static class SslVerification
+    {
+        public static bool DisabledServerCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return true; }
+        public static void Disable() { System.Net.ServicePointManager.ServerCertificateValidationCallback = DisabledServerCertificateValidationCallback; }
+        public static void Enable()  { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
+    }
 "@
+        Add-Type -TypeDefinition $sslCallbackCode
     }
     [SslVerification]::Disable()
 }

diff --git a/AppHandling/Publish-NavContainerApp.ps1 b/AppHandling/Publish-NavContainerApp.ps1
@@ -189,6 +189,17 @@ try {
                 }
                 else {
                     $handler = New-Object System.Net.Http.HttpClientHandler
+                    if ($customConfig.DeveloperServicesSSLEnabled -eq "true") {
+                        $protocol = "https://"
+                    }
+                    else {
+                        $protocol = "http://"
+                    }
+                    $sslVerificationDisabled = ($protocol -eq "https://")
+                    if ($sslVerificationDisabled) {
+                        Write-Host "Disabling SSL Verification"
+                        $handler.ServerCertificateCustomValidationCallback = [SslVerification]::DisabledServerCertificateValidationCallback
+                    }
                     if ($customConfig.ClientServicesCredentialType -eq "Windows") {
                         $handler.UseDefaultCredentials = $true
                     }
@@ -204,13 +215,6 @@ try {
                     }
                     $HttpClient.Timeout = [System.Threading.Timeout]::InfiniteTimeSpan
                     $HttpClient.DefaultRequestHeaders.ExpectContinue = $false
-
-                    if ($customConfig.DeveloperServicesSSLEnabled -eq "true") {
-                        $protocol = "https://"
-                    }
-                    else {
-                        $protocol = "http://"
-                    }
 
                     $ip = Get-BcContainerIpAddress -containerName $containerName
                     if ($ip) {
@@ -219,24 +223,6 @@ try {
                     else {
                         $devServerUrl = "$($protocol)$($containerName):$($customConfig.DeveloperServicesPort)/$($customConfig.ServerInstance)"
                     }
-
-                    $sslVerificationDisabled = ($protocol -eq "https://")
-                    if ($sslVerificationDisabled) {
-                        if (-not ([System.Management.Automation.PSTypeName]"SslVerification").Type)
-                        {
-                            Add-Type -TypeDefinition "
-                                using System.Net.Security;
-                                using System.Security.Cryptography.X509Certificates;
-                                public static class SslVerification
-                                {
-                                    private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return true; }
-                                    public static void Disable() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
-                                    public static void Enable()  { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
-                                }"
-                        }
-                        Write-Host "Disabling SSL Verification"
-                        [SslVerification]::Disable()
-                    }
                 }
 
                 $schemaUpdateMode = "synchronize"
@@ -289,8 +275,7 @@ try {
                 }
 
                 if ($sslverificationdisabled) {
-                    Write-Host "Re-enablssing SSL Verification"
-                    [SslVerification]::Enable()
+                    Write-Host "Restoring SSL Verification" # no action required - only to enforce blocks consistency
                 }
                 if ($bcContainerHelperConfig.NoOfSecondsToSleepAfterPublishBcContainerApp -gt 0) {
                     # Avoid race condition