Support disablement of SSL validation for development purposes #214

Merged
philnach merged 37 commits into AzureCosmosDB:main from philnach:vnextemulator
Jan 7, 2026

Conversation

@philnach
Collaborator

@philnach philnach commented Nov 2, 2025

This pull request introduces two new configuration options to the Cosmos data transfer extension: DisableSslValidation for development scenarios and AllowBulkExecution for performance optimization. The changes include updates to the main settings class, client creation logic, documentation, and comprehensive unit tests to ensure correct behavior and safe usage.

Fixes: #213

New Configuration Options

  • Added DisableSslValidation and AllowBulkExecution properties to CosmosSettingsBase, with detailed XML documentation explaining their purpose, usage, and warnings. (Extensions/Cosmos/Cosmos.DataTransfer.CosmosExtension/CosmosSettingsBase.cs)

Client Creation Logic

  • Updated CosmosExtensionServices.CreateClient to accept an ILogger parameter and log a warning when DisableSslValidation is enabled; sets a custom certificate validation callback for development scenarios. (Extensions/Cosmos/Cosmos.DataTransfer.CosmosExtension/CosmosExtensionServices.cs)
  • Refactored usages of CreateClient in source and sink extensions to pass the logger and support the new signature. (Extensions/Cosmos/Cosmos.DataTransfer.CosmosExtension/CosmosDataSourceExtension.cs, Extensions/Cosmos/Cosmos.DataTransfer.CosmosExtension/CosmosDataSinkExtension.cs)

Documentation Updates

  • Expanded the README to document the new settings, provide configuration examples, and add strong warnings about disabling SSL validation in production. (Extensions/Cosmos/README.md)

Unit Tests

  • Added CertificateConfigurationTests to verify validation and logging behavior for the new DisableSslValidation property, including checks for warning logs and client creation. (Extensions/Cosmos/Cosmos.DataTransfer.CosmosExtension.UnitTests/CertificateConfigurationTests.cs)
  • Added CosmosSettingsBaseTests to confirm correct set/get behavior for the AllowBulkExecution property. (Extensions/Cosmos/Cosmos.DataTransfer.CosmosExtension.UnitTests/CosmosSettingsBaseTests.cs)
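
One way to gate the bypass described in the summary above, as an added example that is not code from this pull request or the project. It uses the Cosmos .NET SDK's `CosmosClientOptions.ServerCertificateCustomValidationCallback` and `AllowBulkExecution`; the class name `DevTlsClientFactory`, the parameter names, and the loopback-only restriction are assumptions introduced here.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Azure.Cosmos;
using Microsoft.Extensions.Logging;

// Hypothetical helper for illustration; not the extension's CosmosExtensionServices.
public static class DevTlsClientFactory
{
    public static CosmosClient CreateClient(
        string endpoint,
        string key,
        bool disableSslValidation,   // mirrors the DisableSslValidation setting
        bool allowBulkExecution,     // mirrors the AllowBulkExecution setting
        ILogger logger)
    {
        var options = new CosmosClientOptions
        {
            AllowBulkExecution = allowBulkExecution,
        };

        if (disableSslValidation)
        {
            var uri = new Uri(endpoint);

            // Assumed policy (not stated on the page): refuse the bypass unless
            // the endpoint is localhost / a loopback address, so a copied config
            // file cannot silently turn off validation against a remote account.
            if (!uri.IsLoopback)
            {
                throw new InvalidOperationException(
                    "DisableSslValidation is only permitted for loopback endpoints.");
            }

            // Make the weakened state visible in every run's log output.
            logger.LogWarning(
                "TLS certificate validation is DISABLED for {Host}. Development use only.",
                uri.Host);

            // Accept whatever certificate the local emulator presents.
            options.ServerCertificateCustomValidationCallback =
                (X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors) => true;
        }

        // With the flag off the callback stays null, so the platform's normal
        // chain and host name validation applies.
        return new CosmosClient(endpoint, key, options);
    }
}
```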

Contributor

Copilot AI left a comment

Pull Request Overview

This PR introduces comprehensive SSL/TLS certificate configuration options for Cosmos DB connections, enabling support for custom certificates, PFX/P12 client authentication, and SSL validation control for development scenarios.

Key Changes:

  • Added three new configuration properties: CertificatePath, CertificatePassword, and DisableSslValidation to support various certificate scenarios
  • Implemented custom certificate validation logic with support for multiple certificate formats (.cer, .crt, .pem, .pfx, .p12)
  • Added comprehensive unit tests and documentation for certificate configuration use cases

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

File: Description

  • Extensions/Cosmos/README.md: Added certificate configuration documentation with examples and security warnings
  • Extensions/Cosmos/Cosmos.DataTransfer.CosmosExtension/CosmosSettingsBase.cs: Added certificate-related properties and validation logic
  • Extensions/Cosmos/Cosmos.DataTransfer.CosmosExtension/CosmosExtensionServices.cs: Implemented custom certificate validation callback with support for multiple certificate types
  • Extensions/Cosmos/Cosmos.DataTransfer.CosmosExtension.UnitTests/CertificateConfigurationTests.cs: Added comprehensive unit tests for certificate configuration validation
  • Extensions/Cosmos/CERTIFICATE_EXAMPLES.md: Created detailed documentation with certificate configuration examples and security guidance

Comments suppressed due to low confidence (3)

Extensions/Cosmos/Cosmos.DataTransfer.CosmosExtension/CosmosExtensionServices.cs:166

  • Disposable 'X509Chain' is created but not disposed.
                                    var certChain = new X509Chain();

Extensions/Cosmos/Cosmos.DataTransfer.CosmosExtension/CosmosExtensionServices.cs:199

  • Generic catch clause.
                    catch (Exception)
                    {
                        // If we can't load the certificate, fail validation
                        return false;
                    }

Extensions/Cosmos/Cosmos.DataTransfer.CosmosExtension/CosmosExtensionServices.cs:182

  • Generic catch clause.
                                catch
                                {
                                    // Fallback to subject and issuer comparison
                                    bool subjectMatch = cert.Subject.Equals(trustedCert.Subject, StringComparison.OrdinalIgnoreCase);
                                    bool issuerMatch = cert.Issuer.Equals(trustedCert.Issuer, StringComparison.OrdinalIgnoreCase);
                                    return subjectMatch && issuerMatch;
                                }

Contributor

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 10 comments.


Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.


@philnach philnach changed the title from "Support custom certificate and disablement of SSL validation for emulator use." to "Support disablement of SSL validation for development purposes" Nov 25, 2025
@philnach philnach requested a review from Copilot November 25, 2025 16:50
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 9 comments.


Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.


@philnach philnach marked this pull request as ready for review November 29, 2025 16:47
@philnach
Collaborator Author

@markjbrown, this is now ready for review. I've simplified the fix to just Disabling SSL when specified and added the AllowBulkExecution setting per the issue.

@philnach
Collaborator Author

@markjbrown / @bowencode, this is ready for review.

@philnach philnach self-assigned this Dec 23, 2025
@philnach
Collaborator Author

@markjbrown, this is ready whenever you get a chance.

Collaborator

@markjbrown markjbrown left a comment

Overall this looks good. With regards to bulk mode here, I can't believe we didn't already have that setting. There is another setting too that can drastically help with performance called EnableContentResponseOnWrite. This gets set on insert/update operations. It essentially bypasses sending the response body back to the client, which can drastically reduce network IO.

I'm not sure if you want to also include that here in this PR as well. It's implemented in a different place. But if you want, go ahead. I'll approve this anyway.

var options = new ItemRequestOptions
{
    EnableContentResponseOnWrite = false
};

@philnach
Collaborator Author

philnach commented Jan 7, 2026

@markjbrown, I opened another issue to add the EnableContentResponseOnWrite setting. This change has gotten large enough and separating it out will make it easier to track changes.

@philnach philnach merged commit b5622d6 into AzureCosmosDB:main Jan 7, 2026
8 checks passed

Development

Successfully merging this pull request may close these issues.

Certificate validation fails with CosmosDb emulator docker image