Fspes 105

[MatteoDelOmbra]

Review Checklist

• Task version updated (x.x.0)
• CHANGELOG.md updated
• Solution builds
• Warnings resolved (if possible)
• Typos resolved
• Tests cover new code
• Description how to run tests locally added to README.md (if needed)
• All tests pass locally

---

Summary by CodeRabbit

Release Notes

• New Features

  • Added client certificate authentication support. Users can now specify a certificate file path and optional password in connection settings to authenticate GraphQL queries using client certificates.

• Tests

  • Added integration tests validating client certificate authentication scenarios, including valid certificates, password-protected certificates, and error handling for missing or invalid certificates.

[coderabbitai]

Warning

Rate limit exceeded

@MatteoDelOmbra has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 22 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 12 minutes and 22 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 09e65e90-a6ca-47a2-a38b-80c925a595b6

📥 Commits

Reviewing files that changed from the base of the PR and between bdd0622 and c4a53d7.

⛔ Files ignored due to path filters (4)

• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.Tests/docker/certs/client-cert.pem is excluded by !**/*.pem
• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.Tests/docker/certs/client-key.pem is excluded by !**/*.pem
• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.Tests/docker/certs/server-cert.pem is excluded by !**/*.pem
• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.Tests/docker/certs/server-key.pem is excluded by !**/*.pem

📒 Files selected for processing (10)

• .gitignore
• Frends.GraphQl.ExecuteQuery/CHANGELOG.md
• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.Tests/Frends.GraphQl.ExecuteQuery.Tests.csproj
• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.Tests/IntegrationTests.cs
• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.Tests/TestData.cs
• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.Tests/docker/Dockerfile
• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.Tests/docker/certs/client-cert.pfx
• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.Tests/docker/index.js
• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery/Definitions/Options.cs
• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.csproj

Walkthrough

Added client certificate authentication support to GraphQL ExecuteQuery task. Introduced Authentication.ClientCertificate enum value, CertificatePath and CertificatePassword properties to Connection, implemented certificate loading in HTTP client setup, and added integration tests validating successful execution with valid and password-protected certificates, plus failure scenarios.

Changes

Cohort / File(s)	Summary
Authentication & Connection Definitions Definitions/Authentication.cs, Definitions/Connection.cs	Added ClientCertificate enum member to Authentication with XML doc. Added nullable CertificatePath and CertificatePassword properties to Connection annotated with UIHint for client certificate authentication context.
Certificate Handling Implementation Frends.GraphQl.ExecuteQuery.cs	Implemented certificate loading logic in CreateHttpClient to load X509 certificate from file path (with optional password) and add to HttpClientHandler.ClientCertificates. Added validation throwing ArgumentNullException when CertificatePath is empty for ClientCertificate auth. Updated header creation logic to treat ClientCertificate as headerless authentication.
Integration Tests IntegrationTests.cs	Added comprehensive integration tests for Authentication.ClientCertificate covering: valid certificate execution, password-protected certificate execution, empty certificate path failure, invalid certificate path failure, and incorrect certificate password failure. Includes private helper CreateTemporarySelfSignedCertificate that generates temporary PFX certificates with RSA keypairs and handles cleanup.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A cert came hopping down the wire,
Its PFX keys lighting graphql fire,
From rabbit to server, the trust was sealed,
With handlers and passwords, security revealed!
Client certificates now dance and play,
In GraphQL queries, hip-hip-hooray! 🎉

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Fspes 105' is a vague ticket reference that does not clearly describe the main change—adding ClientCertificate authentication support.	Revise the title to clearly summarize the primary change, such as 'Add ClientCertificate authentication method' or 'Implement X509 client certificate authentication for GraphQL queries'.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fspes-105

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.Tests/IntegrationTests.cs`:
- Around line 355-404: The tests currently use Assert.ThrowsAsync<Exception>
which is too broad; update each test to assert the specific exception expected
when loading the certificate: in
ClientCertificateAuthenticationThrowsWhenCertificatePathIsEmpty replace
Assert.ThrowsAsync<Exception>(Action) with
Assert.ThrowsAsync<ArgumentNullException>(Action) (the empty path should throw
ArgumentNullException), in
ClientCertificateAuthenticationThrowsWhenCertificatePathIsInvalid replace it
with Assert.ThrowsAsync<FileNotFoundException>(Action) (nonexistent path should
surface a FileNotFoundException), and in
ClientCertificateAuthenticationThrowsWhenInvalidPasswordProvided replace it with
Assert.ThrowsAsync<CryptographicException>(Action) (wrong PFX password surfaces
a cryptographic error); keep the Action local function and calls to
GraphQl.ExecuteQuery as-is.
- Around line 311-348: The tests
ClientCertificateAuthenticationWorksWithValidCertificate and
ClientCertificateAuthenticationWorksWithPasswordProtectedCertificate only
exercise PFX loading and not mutual-TLS; either update the test harness to
exercise mTLS end-to-end or rename the tests to reflect they only verify
certificate loading. To exercise mTLS: modify the test server (index.js) to
serve HTTPS and require client certificates, install a test CA and server cert,
change TestData.InitialConnection() to use https://localhost:4000 and trust the
CA, and ensure the call path into GraphQl.ExecuteQuery uses the
CertificatePath/CertificatePassword when creating the client handler so the
client presents the cert. Alternatively, rename the two test methods and their
asserts to CertificateLoading... and add a new integration test that runs the
HTTPS mutual-TLS server to truly validate Authentication.ClientCertificate.

In
`@Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.cs`:
- Around line 72-80: The client-certificate branch (checking
connection.Authentication == Authentication.ClientCertificate) currently loads a
PFX even for non-TLS endpoints; add a fail-fast check that the target endpoint
uses TLS before loading the certificate: parse the request URI (the property
holding the endpoint on your Connection object) and if the scheme is not "https"
throw an ArgumentException (or similar) with a clear message; keep the existing
checks for connection.CertificatePath/connection.CertificatePassword and only
call handler.ClientCertificates.Add(certificate) after the HTTPS check passes so
client certificates are only used for TLS endpoints.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 85716895-02e4-4675-9131-12469e833ca3

📥 Commits

Reviewing files that changed from the base of the PR and between 17bee1f and bdd0622.

📒 Files selected for processing (4)

• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.Tests/IntegrationTests.cs
• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery/Definitions/Authentication.cs
• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery/Definitions/Connection.cs
• Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.cs

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Require HTTPS for client-certificate auth.

Client certificates are only sent during the TLS handshake. With an http:// endpoint this branch still loads the PFX, but no certificate is ever presented to the server, so the selected auth mode silently does nothing.

Suggested fail-fast check

         if (connection.Authentication == Authentication.ClientCertificate)
         {
+            if (!Uri.TryCreate(connection.EndpointUrl, UriKind.Absolute, out var endpointUri) ||
+                endpointUri.Scheme != Uri.UriSchemeHttps)
+                throw new ArgumentException("Client certificate authentication requires an HTTPS endpoint.", nameof(connection.EndpointUrl));
+
             if (string.IsNullOrEmpty(connection.CertificatePath))
                 throw new ArgumentNullException(nameof(connection.CertificatePath), "Certificate path cannot be empty when using ClientCertificate authentication.");
             var certificate = string.IsNullOrEmpty(connection.CertificatePassword)
                 ? new X509Certificate2(connection.CertificatePath)
                 : new X509Certificate2(connection.CertificatePath, connection.CertificatePassword);
             handler.ClientCertificates.Add(certificate);
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery/Frends.GraphQl.ExecuteQuery.cs`
around lines 72 - 80, The client-certificate branch (checking
connection.Authentication == Authentication.ClientCertificate) currently loads a
PFX even for non-TLS endpoints; add a fail-fast check that the target endpoint
uses TLS before loading the certificate: parse the request URI (the property
holding the endpoint on your Connection object) and if the scheme is not "https"
throw an ArgumentException (or similar) with a clear message; keep the existing
checks for connection.CertificatePath/connection.CertificatePassword and only
call handler.ClientCertificates.Add(certificate) after the HTTPS check passes so
client certificates are only used for TLS endpoints.

[MichalFrends1]

@MatteoDelOmbra Check code rabbit comments about client-certificate authentication