Pass ILoggerFactory to Unobtanium ProxyServer for internal logging (#1448)

* Initial plan

* Pass ILoggerFactory to Unobtanium ProxyServer for logging integration

Co-authored-by: waldekmastykarz <11164679+waldekmastykarz@users.noreply.github.com>

* Refactor certificate management for macOS: implement MacCertificateHelper and remove shell scripts

* Update DevProxy/Proxy/ProxyEngine.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update DevProxy/Proxy/MacCertificateHelper.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: waldekmastykarz <11164679+waldekmastykarz@users.noreply.github.com>
Co-authored-by: waldekmastykarz <waldek@mastykarz.nl>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

DevProxy/ApiControllers/ProxyController.cs

@@ -14,11 +14,12 @@ namespace DevProxy.ApiControllers;
 [ApiController]
 [Route("[controller]")]
 #pragma warning disable CA1515 // required for the API controller
-public sealed class ProxyController(IProxyStateController proxyStateController, IProxyConfiguration proxyConfiguration) : ControllerBase
+public sealed class ProxyController(IProxyStateController proxyStateController, IProxyConfiguration proxyConfiguration, ILoggerFactory loggerFactory) : ControllerBase
 #pragma warning restore CA1515
 {
     private readonly IProxyStateController _proxyStateController = proxyStateController;
     private readonly IProxyConfiguration _proxyConfiguration = proxyConfiguration;
+    private readonly ILoggerFactory _loggerFactory = loggerFactory;
 
     [HttpGet]
     public ProxyInfo Get() => ProxyInfo.From(_proxyStateController.ProxyState, _proxyConfiguration);
@@ -114,6 +115,9 @@ public IActionResult GetRootCertificate([FromQuery][Required] string format)
             return ValidationProblem(ModelState);
         }
 
+        // Ensure ProxyServer is initialized with LoggerFactory for Unobtanium logging
+        ProxyEngine.EnsureProxyServerInitialized(_loggerFactory);
+
         var certificate = ProxyEngine.ProxyServer.CertificateManager.RootCertificate;
         if (certificate == null)
         {

DevProxy/Commands/CertCommand.cs

@@ -2,27 +2,27 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information.
 
-using DevProxy.Abstractions.Utils;
 using DevProxy.Proxy;
 using System.CommandLine;
 using System.CommandLine.Parsing;
-using System.Diagnostics;
 using Titanium.Web.Proxy.Helpers;
 
 namespace DevProxy.Commands;
 
 sealed class CertCommand : Command
 {
     private readonly ILogger _logger;
+    private readonly ILoggerFactory _loggerFactory;
     private readonly Option<bool> _forceOption = new("--force", "-f")
     {
         Description = "Don't prompt for confirmation when removing the certificate"
     };
 
-    public CertCommand(ILogger<CertCommand> logger) :
+    public CertCommand(ILogger<CertCommand> logger, ILoggerFactory loggerFactory) :
         base("cert", "Manage the Dev Proxy certificate")
     {
         _logger = logger;
+        _loggerFactory = loggerFactory;
 
         ConfigureCommand();
     }
@@ -49,8 +49,21 @@ private async Task EnsureCertAsync()
 
         try
         {
+            // Ensure ProxyServer is initialized with LoggerFactory for Unobtanium logging
+            ProxyEngine.EnsureProxyServerInitialized(_loggerFactory);
+
             _logger.LogInformation("Ensuring certificate exists and is trusted...");
             await ProxyEngine.ProxyServer.CertificateManager.EnsureRootCertificateAsync();
+
+            if (RunTime.IsMac)
+            {
+                var certificate = ProxyEngine.ProxyServer.CertificateManager.RootCertificate;
+                if (certificate is not null)
+                {
+                    MacCertificateHelper.TrustCertificate(certificate, _logger);
+                }
+            }
+
             _logger.LogInformation("DONE");
         }
         catch (Exception ex)
@@ -79,8 +92,23 @@ public void RemoveCert(ParseResult parseResult)
 
             _logger.LogInformation("Uninstalling the root certificate...");
 
-            RemoveTrustedCertificateOnMac();
-            ProxyEngine.ProxyServer.CertificateManager.RemoveTrustedRootCertificate(machineTrusted: false);
+            // Ensure ProxyServer is initialized with LoggerFactory for Unobtanium logging
+            ProxyEngine.EnsureProxyServerInitialized(_loggerFactory);
+
+            if (RunTime.IsMac)
+            {
+                var certificate = ProxyEngine.ProxyServer.CertificateManager.RootCertificate;
+                if (certificate is not null)
+                {
+                    MacCertificateHelper.RemoveTrustedCertificate(certificate, _logger);
+                }
+
+                HasRunFlag.Remove();
+            }
+            else
+            {
+                ProxyEngine.ProxyServer.CertificateManager.RemoveTrustedRootCertificate(machineTrusted: false);
+            }
 
             _logger.LogInformation("DONE");
         }
@@ -115,27 +143,4 @@ private static bool PromptConfirmation(string message, bool acceptByDefault)
             }
         }
     }
-
-    private static void RemoveTrustedCertificateOnMac()
-    {
-        if (!RunTime.IsMac)
-        {
-            return;
-        }
-
-        var bashScriptPath = Path.Join(ProxyUtils.AppFolder, "remove-cert.sh");
-        var startInfo = new ProcessStartInfo()
-        {
-            FileName = "/bin/bash",
-            Arguments = bashScriptPath,
-            UseShellExecute = false,
-            CreateNoWindow = true,
-        };
-
-        using var process = new Process() { StartInfo = startInfo };
-        _ = process.Start();
-        process.WaitForExit();
-
-        HasRunFlag.Remove();
-    }
 }

DevProxy/DevProxy.csproj

@@ -60,15 +60,9 @@
     <None Update="devproxy-errors.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
-    <None Update="remove-cert.sh">
-      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-    </None>
     <None Update="toggle-proxy.sh">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
-    <None Update="trust-cert.sh">
-      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-    </None>
     <None Update="config\m365.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>

DevProxy/Proxy/MacCertificateHelper.cs

@@ -0,0 +1,117 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System.Diagnostics;
+using System.Security.Cryptography.X509Certificates;
+
+namespace DevProxy.Proxy;
+
+internal static class MacCertificateHelper
+{
+    internal static void TrustCertificate(X509Certificate2 certificate, ILogger logger)
+    {
+        var pemFilePath = ExportCertificateToPem(certificate, logger);
+        if (pemFilePath is null)
+        {
+            return;
+        }
+
+        try
+        {
+            var keychainPath = Path.Combine(
+                Environment.GetFolderPath(Environment.SpecialFolder.UserProfile),
+                "Library", "Keychains", "login.keychain-db");
+            RunSecurityCommand(
+                $"add-trusted-cert -r trustRoot -k \"{keychainPath}\" \"{pemFilePath}\"",
+                "trust",
+                logger);
+        }
+        finally
+        {
+            CleanupFile(pemFilePath);
+        }
+    }
+
+    internal static void RemoveTrustedCertificate(X509Certificate2 certificate, ILogger logger)
+    {
+        var pemFilePath = ExportCertificateToPem(certificate, logger);
+        if (pemFilePath is null)
+        {
+            return;
+        }
+
+        try
+        {
+            RunSecurityCommand(
+                $"remove-trusted-cert \"{pemFilePath}\"",
+                "remove trust for",
+                logger);
+        }
+        finally
+        {
+            CleanupFile(pemFilePath);
+        }
+    }
+
+    private static string? ExportCertificateToPem(X509Certificate2 certificate, ILogger logger)
+    {
+        try
+        {
+            var certBytes = certificate.Export(X509ContentType.Cert);
+            var base64Cert = Convert.ToBase64String(certBytes, Base64FormattingOptions.InsertLineBreaks);
+            var pem = $"-----BEGIN CERTIFICATE-----\n{base64Cert}\n-----END CERTIFICATE-----";
+
+            var configDir = Path.Combine(
+                Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
+                "dev-proxy");
+            _ = Directory.CreateDirectory(configDir);
+            var pemFilePath = Path.Combine(configDir, "dev-proxy-ca.pem");
+            File.WriteAllText(pemFilePath, pem);
+            return pemFilePath;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to export certificate to PEM");
+            return null;
+        }
+    }
+
+    private static void RunSecurityCommand(string arguments, string action, ILogger logger)
+    {
+        var startInfo = new ProcessStartInfo
+        {
+            FileName = "/usr/bin/security",
+            Arguments = arguments,
+            UseShellExecute = false,
+            CreateNoWindow = true,
+            RedirectStandardError = true,
+        };
+
+        using var process = new Process { StartInfo = startInfo };
+        _ = process.Start();
+        var stderr = process.StandardError.ReadToEnd();
+        process.WaitForExit();
+
+        if (process.ExitCode != 0)
+        {
+            logger.LogError("Failed to {Action} certificate: {Error}", action, stderr);
+        }
+        else
+        {
+            logger.LogInformation("Successfully completed {Action} certificate operation.", action);
+        }
+    }
+
+    private static void CleanupFile(string filePath)
+    {
+        try
+        {
+            File.Delete(filePath);
+        }
+        catch
+        {
+            // ignore cleanup failures
+        }
+    }
+}

DevProxy/Proxy/ProxyEngine.cs

@@ -30,13 +30,16 @@ sealed class ProxyEngine(
     IProxyConfiguration proxyConfiguration,
     ISet<UrlToWatch> urlsToWatch,
     IProxyStateController proxyController,
-    ILogger<ProxyEngine> logger) : BackgroundService, IDisposable
+    ILogger<ProxyEngine> logger,
+    ILoggerFactory loggerFactory) : BackgroundService, IDisposable
 {
     private readonly IEnumerable<IPlugin> _plugins = plugins;
     private readonly ILogger _logger = logger;
     private readonly IProxyConfiguration _config = proxyConfiguration;
 
-    internal static ProxyServer ProxyServer { get; private set; }
+    internal static ProxyServer ProxyServer { get; private set; } = null!;
+    private static bool _isProxyServerInitialized;
+    private static readonly object _initLock = new();
     private ExplicitProxyEndPoint? _explicitEndPoint;
     // lists of URLs to watch, used for intercepting requests
     private readonly ISet<UrlToWatch> _urlsToWatch = urlsToWatch;
@@ -56,23 +59,53 @@ sealed class ProxyEngine(
 
     static ProxyEngine()
     {
-        ProxyServer = new();
-        ProxyServer.CertificateManager.PfxFilePath = Environment.GetEnvironmentVariable("DEV_PROXY_CERT_PATH") ?? string.Empty;
-        ProxyServer.CertificateManager.RootCertificateName = "Dev Proxy CA";
-        ProxyServer.CertificateManager.CertificateStorage = new CertificateDiskCache();
-        // we need to change this to a value lower than 397
-        // to avoid the ERR_CERT_VALIDITY_TOO_LONG error in Edge
-        ProxyServer.CertificateManager.CertificateValidDays = 365;
-
-        using var joinableTaskContext = new JoinableTaskContext();
-        var joinableTaskFactory = new JoinableTaskFactory(joinableTaskContext);
-        _ = joinableTaskFactory.Run(async () => await ProxyServer.CertificateManager.LoadOrCreateRootCertificateAsync());
+        // ProxyServer initialization moved to EnsureProxyServerInitialized
+        // to enable passing ILoggerFactory for Unobtanium logging
+    }
+
+    // Ensure ProxyServer is initialized with the given ILoggerFactory
+    // This method can be called from multiple places (ProxyEngine, CertCommand, etc.)
+    internal static void EnsureProxyServerInitialized(ILoggerFactory? loggerFactory = null)
+    {
+        if (_isProxyServerInitialized)
+        {
+            return;
+        }
+
+        lock (_initLock)
+        {
+            if (_isProxyServerInitialized)
+            {
+                return;
+            }
+
+            // On macOS/Linux, don't let Unobtanium try to install the cert
+            // in the Root store via .NET's X509Store API — it requires admin
+            // privileges and fails with "Access is denied".
+            // On macOS, Dev Proxy handles trust via MacCertificateHelper instead.
+            ProxyServer = new(userTrustRootCertificate: RunTime.IsWindows, loggerFactory: loggerFactory);
+            ProxyServer.CertificateManager.PfxFilePath = Environment.GetEnvironmentVariable("DEV_PROXY_CERT_PATH") ?? string.Empty;
+            ProxyServer.CertificateManager.RootCertificateName = "Dev Proxy CA";
+            ProxyServer.CertificateManager.CertificateStorage = new CertificateDiskCache();
+            // we need to change this to a value lower than 397
+            // to avoid the ERR_CERT_VALIDITY_TOO_LONG error in Edge
+            ProxyServer.CertificateManager.CertificateValidDays = 365;
+
+            using var joinableTaskContext = new JoinableTaskContext();
+            var joinableTaskFactory = new JoinableTaskFactory(joinableTaskContext);
+            _ = joinableTaskFactory.Run(async () => await ProxyServer.CertificateManager.LoadOrCreateRootCertificateAsync());
+
+            _isProxyServerInitialized = true;
+        }
     }
 
     protected override async Task ExecuteAsync(CancellationToken stoppingToken)
     {
         _cancellationToken = stoppingToken;
 
+        // Initialize ProxyServer with LoggerFactory for Unobtanium logging
+        EnsureProxyServerInitialized(loggerFactory);
+
         Debug.Assert(ProxyServer is not null, "Proxy server is not initialized");
 
         if (!_urlsToWatch.Any())
@@ -188,18 +221,26 @@ private void FirstRunSetup()
             return;
         }
 
-        var bashScriptPath = Path.Join(ProxyUtils.AppFolder, "trust-cert.sh");
-        ProcessStartInfo startInfo = new()
+        Console.WriteLine();
+        Console.WriteLine("Dev Proxy uses a self-signed certificate to intercept and inspect HTTPS traffic.");
+        Console.Write("Update the certificate in your Keychain so that it's trusted by your browser? (Y/n): ");
+        var answer = Console.ReadLine()?.Trim();
+
+        if (string.Equals(answer, "n", StringComparison.OrdinalIgnoreCase))
         {
-            FileName = "/bin/bash",
-            Arguments = bashScriptPath,
-            UseShellExecute = true,
-            CreateNoWindow = false
-        };
+            _logger.LogWarning("Trust the certificate in your Keychain manually to avoid errors.");
+            return;
+        }
 
-        using var process = new Process() { StartInfo = startInfo };
-        _ = process.Start();
-        process.WaitForExit();
+        var certificate = ProxyServer.CertificateManager.RootCertificate;
+        if (certificate is null)
+        {
+            _logger.LogError("Root certificate not found. Cannot trust certificate.");
+            return;
+        }
+
+        MacCertificateHelper.TrustCertificate(certificate, _logger);
+        _logger.LogInformation("Certificate trusted successfully.");
     }
 
     private async Task ReadKeysAsync(CancellationToken cancellationToken)