Use managed ntlm on linux-bionic (#95274)

rzikm · am11 · web-flow · commit c0dfcfd466aa · 2023-11-29T18:12:25.000+01:00
* Use managed ntlm on linux-bionic * Fix failing unit test * Fix compilation * Enable more tests on ubuntu-bionic * Change runtime identifier check to regex * Revert "Change runtime identifier check to regex" This reverts commit 82c1136. * add hyphen to startswith * Update src/libraries/Common/tests/System/Net/Capability.Security.Unix.cs Co-authored-by: Adeel Mujahid <3840695+am11@users.noreply.github.com> --------- Co-authored-by: Adeel Mujahid <3840695+am11@users.noreply.github.com>
diff --git a/src/libraries/Common/src/Interop/Unix/System.Net.Security.Native/Interop.GssApiException.cs b/src/libraries/Common/src/Interop/Unix/System.Net.Security.Native/Interop.GssApiException.cs
@@ -71,13 +71,19 @@ private static string GetGssApiDisplayStatus(Status majorStatus, Status minorSta
 
             private static string? GetGssApiDisplayStatus(Status status, bool isMinor)
             {
+                if (!System.Net.NegotiateAuthenticationPal.HasSystemNetSecurityNative)
+                {
+                    // avoid calling into libSystem.Net.Security.Native.
+                    return null;
+                }
+
                 GssBuffer displayBuffer = default(GssBuffer);
 
                 try
                 {
                     Interop.NetSecurityNative.Status minStat;
                     Interop.NetSecurityNative.Status displayCallStatus = isMinor ?
-                        DisplayMinorStatus(out minStat, status, ref displayBuffer):
+                        DisplayMinorStatus(out minStat, status, ref displayBuffer) :
                         DisplayMajorStatus(out minStat, status, ref displayBuffer);
                     return (Status.GSS_S_COMPLETE != displayCallStatus) ? null : Marshal.PtrToStringUTF8(displayBuffer._data);
                 }
diff --git a/src/libraries/Common/tests/System/Net/Capability.Security.Unix.cs b/src/libraries/Common/tests/System/Net/Capability.Security.Unix.cs
@@ -1,15 +1,20 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Runtime.InteropServices;
+
 namespace System.Net.Test.Common
 {
     public static partial class Capability
     {
         public static bool IsNtlmInstalled()
         {
-            // GSS on Linux does not work with OpenSSL 3.0. Fix was submitted to gss-ntlm but it will take a while to make to
-            // all supported distributions. The second part of the check should be removed when it does.
-            return Interop.NetSecurityNative.IsNtlmInstalled() && (!PlatformDetection.IsOpenSslSupported || PlatformDetection.OpenSslVersion.Major < 3);
+            return
+                // Linux bionic uses managed NTLM implementation
+                (OperatingSystem.IsLinux() && RuntimeInformation.RuntimeIdentifier.StartsWith("linux-bionic-", StringComparison.Ordinal)) ||
+                // GSS on Linux does not work with OpenSSL 3.0. Fix was submitted to gss-ntlm but it will take a while to make to
+                // all supported distributions. The second part of the check should be removed when it does.
+                Interop.NetSecurityNative.IsNtlmInstalled() && (!PlatformDetection.IsOpenSslSupported || PlatformDetection.OpenSslVersion.Major < 3);
         }
     }
 }
diff --git a/src/libraries/System.Net.Security/src/System/Net/NegotiateAuthenticationPal.Unix.cs b/src/libraries/System.Net.Security/src/System/Net/NegotiateAuthenticationPal.Unix.cs
@@ -19,10 +19,13 @@ namespace System.Net
 {
     internal partial class NegotiateAuthenticationPal
     {
+        private static readonly Lazy<bool> _hasSystemNetSecurityNative = new Lazy<bool>(CheckHasSystemNetSecurityNative);
+        internal static bool HasSystemNetSecurityNative => _hasSystemNetSecurityNative.Value;
         private static bool UseManagedNtlm { get; } =
             AppContext.TryGetSwitch("System.Net.Security.UseManagedNtlm", out bool useManagedNtlm) ?
             useManagedNtlm :
-            OperatingSystem.IsMacOS() || OperatingSystem.IsIOS() || OperatingSystem.IsMacCatalyst();
+            OperatingSystem.IsMacOS() || OperatingSystem.IsIOS() || OperatingSystem.IsMacCatalyst() ||
+            (OperatingSystem.IsLinux() && RuntimeInformation.RuntimeIdentifier.StartsWith("linux-bionic-", StringComparison.OrdinalIgnoreCase));
 
         public static NegotiateAuthenticationPal Create(NegotiateAuthenticationClientOptions clientOptions)
         {
@@ -34,7 +37,7 @@ public static NegotiateAuthenticationPal Create(NegotiateAuthenticationClientOpt
                         return ManagedNtlmNegotiateAuthenticationPal.Create(clientOptions);
 
                     case NegotiationInfoClass.Negotiate:
-                        return new ManagedSpnegoNegotiateAuthenticationPal(clientOptions, supportKerberos: true);
+                        return new ManagedSpnegoNegotiateAuthenticationPal(clientOptions, supportKerberos: HasSystemNetSecurityNative);
                 }
             }
 
@@ -559,7 +562,8 @@ private NegotiateAuthenticationStatusCode InitializeSecurityContext(
                 {
                     if (NetEventSource.Log.IsEnabled())
                     {
-                        string protocol = _packageType switch {
+                        string protocol = _packageType switch
+                        {
                             Interop.NetSecurityNative.PackageType.NTLM => "NTLM",
                             Interop.NetSecurityNative.PackageType.Kerberos => "Kerberos",
                             _ => "SPNEGO"
@@ -635,7 +639,8 @@ private NegotiateAuthenticationStatusCode InitializeSecurityContext(
                     {
                         if (NetEventSource.Log.IsEnabled())
                         {
-                            string protocol = _packageType switch {
+                            string protocol = _packageType switch
+                            {
                                 Interop.NetSecurityNative.PackageType.NTLM => "NTLM",
                                 Interop.NetSecurityNative.PackageType.Kerberos => "Kerberos",
                                 _ => isNtlmUsed ? "SPNEGO-NTLM" : "SPNEGO-Kerberos"
@@ -764,5 +769,18 @@ internal static NegotiateAuthenticationStatusCode GetErrorCode(Interop.NetSecuri
                 }
             }
         }
+
+        public static bool CheckHasSystemNetSecurityNative()
+        {
+            try
+            {
+                return Interop.NetSecurityNative.IsNtlmInstalled();
+            }
+            catch (Exception e) when (e is EntryPointNotFoundException || e is DllNotFoundException || e is TypeInitializationException)
+            {
+                // libSystem.Net.Security.Native is not available
+                return false;
+            }
+        }
     }
 }
diff --git a/src/libraries/System.Net.Security/tests/UnitTests/NegotiateAuthenticationTests.cs b/src/libraries/System.Net.Security/tests/UnitTests/NegotiateAuthenticationTests.cs
@@ -32,7 +32,6 @@ public void Constructor_Overloads_Validation()
         }
 
         [Fact]
-        [SkipOnPlatform(TestPlatforms.LinuxBionic, "https://github.com/dotnet/runtime/issues/93104")]
         public void RemoteIdentity_ThrowsOnUnauthenticated()
         {
             NegotiateAuthenticationClientOptions clientOptions = new NegotiateAuthenticationClientOptions { Credential = s_testCredentialRight, TargetName = "HTTP/foo" };
@@ -66,7 +65,6 @@ public void RemoteIdentity_ThrowsOnDisposed()
         }
 
         [Fact]
-        [SkipOnPlatform(TestPlatforms.LinuxBionic, "https://github.com/dotnet/runtime/issues/93104")]
         public void Package_Unsupported()
         {
             NegotiateAuthenticationClientOptions clientOptions = new NegotiateAuthenticationClientOptions { Package = "INVALID", Credential = s_testCredentialRight, TargetName = "HTTP/foo" };
@@ -98,7 +96,6 @@ public void Package_Unsupported_NTLM()
 
         [Fact]
         [SkipOnPlatform(TestPlatforms.Windows, "The test is specific to GSSAPI / Managed implementations of NegotiateAuthentication")]
-        [SkipOnPlatform(TestPlatforms.LinuxBionic, "https://github.com/dotnet/runtime/issues/93104")]
         public void DefaultNetworkCredentials_NTLM_DoesNotThrow()
         {
             NegotiateAuthenticationClientOptions clientOptions = new NegotiateAuthenticationClientOptions { Package = "NTLM", Credential = CredentialCache.DefaultNetworkCredentials, TargetName = "HTTP/foo" };
@@ -169,7 +166,7 @@ public static IEnumerable<object[]> TestCredentials()
             yield return new object[] { new NetworkCredential("rightusername", "rightpassword") };
             yield return new object[] { new NetworkCredential("rightusername", "rightpassword", "rightdomain") };
             yield return new object[] { new NetworkCredential("rightusername@rightdomain.com", "rightpassword") };
-        } 
+        }
 
         [ConditionalTheory(nameof(IsNtlmAvailable))]
         [MemberData(nameof(TestCredentials))]

Original file line number	Diff line number	Diff line change
`@@ -71,13 +71,19 @@ private static string GetGssApiDisplayStatus(Status majorStatus, Status minorSta`
`71`	`71`
`72`	`72`	`private static string? GetGssApiDisplayStatus(Status status, bool isMinor)`
`73`	`73`	`{`
	`74`	`+ if (!System.Net.NegotiateAuthenticationPal.HasSystemNetSecurityNative)`
	`75`	`+ {`
	`76`	`+ // avoid calling into libSystem.Net.Security.Native.`
	`77`	`+ return null;`
	`78`	`+ }`
	`79`	`+`
`74`	`80`	`GssBuffer displayBuffer = default(GssBuffer);`
`75`	`81`
`76`	`82`	`try`
`77`	`83`	`{`
`78`	`84`	`Interop.NetSecurityNative.Status minStat;`
`79`	`85`	`Interop.NetSecurityNative.Status displayCallStatus = isMinor ?`
`80`		`- DisplayMinorStatus(out minStat, status, ref displayBuffer):`
	`86`	`+ DisplayMinorStatus(out minStat, status, ref displayBuffer) :`
`81`	`87`	`DisplayMajorStatus(out minStat, status, ref displayBuffer);`
`82`	`88`	`return (Status.GSS_S_COMPLETE != displayCallStatus) ? null : Marshal.PtrToStringUTF8(displayBuffer._data);`
`83`	`89`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,15 +1,20 @@`
`1`	`1`	`// Licensed to the .NET Foundation under one or more agreements.`
`2`	`2`	`// The .NET Foundation licenses this file to you under the MIT license.`
`3`	`3`
	`4`	`+using System.Runtime.InteropServices;`
	`5`	`+`
`4`	`6`	`namespace System.Net.Test.Common`
`5`	`7`	`{`
`6`	`8`	`public static partial class Capability`
`7`	`9`	`{`
`8`	`10`	`public static bool IsNtlmInstalled()`
`9`	`11`	`{`
`10`		`- // GSS on Linux does not work with OpenSSL 3.0. Fix was submitted to gss-ntlm but it will take a while to make to`
`11`		`- // all supported distributions. The second part of the check should be removed when it does.`
`12`		`- return Interop.NetSecurityNative.IsNtlmInstalled() && (!PlatformDetection.IsOpenSslSupported \|\| PlatformDetection.OpenSslVersion.Major < 3);`
	`12`	`+ return`
	`13`	`+ // Linux bionic uses managed NTLM implementation`
	`14`	`+ (OperatingSystem.IsLinux() && RuntimeInformation.RuntimeIdentifier.StartsWith("linux-bionic-", StringComparison.Ordinal)) \|\|`
	`15`	`+ // GSS on Linux does not work with OpenSSL 3.0. Fix was submitted to gss-ntlm but it will take a while to make to`
	`16`	`+ // all supported distributions. The second part of the check should be removed when it does.`
	`17`	`+ Interop.NetSecurityNative.IsNtlmInstalled() && (!PlatformDetection.IsOpenSslSupported \|\| PlatformDetection.OpenSslVersion.Major < 3);`
`13`	`18`	`}`
`14`	`19`	`}`
`15`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,10 +19,13 @@ namespace System.Net`
`19`	`19`	`{`
`20`	`20`	`internal partial class NegotiateAuthenticationPal`
`21`	`21`	`{`
	`22`	`+ private static readonly Lazy<bool> _hasSystemNetSecurityNative = new Lazy<bool>(CheckHasSystemNetSecurityNative);`
	`23`	`+ internal static bool HasSystemNetSecurityNative => _hasSystemNetSecurityNative.Value;`
`22`	`24`	`private static bool UseManagedNtlm { get; } =`
`23`	`25`	`AppContext.TryGetSwitch("System.Net.Security.UseManagedNtlm", out bool useManagedNtlm) ?`
`24`	`26`	`useManagedNtlm :`
`25`		`- OperatingSystem.IsMacOS() \|\| OperatingSystem.IsIOS() \|\| OperatingSystem.IsMacCatalyst();`
	`27`	`+ OperatingSystem.IsMacOS() \|\| OperatingSystem.IsIOS() \|\| OperatingSystem.IsMacCatalyst() \|\|`
	`28`	`+ (OperatingSystem.IsLinux() && RuntimeInformation.RuntimeIdentifier.StartsWith("linux-bionic-", StringComparison.OrdinalIgnoreCase));`
`26`	`29`
`27`	`30`	`public static NegotiateAuthenticationPal Create(NegotiateAuthenticationClientOptions clientOptions)`
`28`	`31`	`{`
`@@ -34,7 +37,7 @@ public static NegotiateAuthenticationPal Create(NegotiateAuthenticationClientOpt`
`34`	`37`	`return ManagedNtlmNegotiateAuthenticationPal.Create(clientOptions);`
`35`	`38`
`36`	`39`	`case NegotiationInfoClass.Negotiate:`
`37`		`- return new ManagedSpnegoNegotiateAuthenticationPal(clientOptions, supportKerberos: true);`
	`40`	`+ return new ManagedSpnegoNegotiateAuthenticationPal(clientOptions, supportKerberos: HasSystemNetSecurityNative);`
`38`	`41`	`}`
`39`	`42`	`}`
`40`	`43`
`@@ -559,7 +562,8 @@ private NegotiateAuthenticationStatusCode InitializeSecurityContext(`
`559`	`562`	`{`
`560`	`563`	`if (NetEventSource.Log.IsEnabled())`
`561`	`564`	`{`
`562`		`- string protocol = _packageType switch {`
	`565`	`+ string protocol = _packageType switch`
	`566`	`+ {`
`563`	`567`	`Interop.NetSecurityNative.PackageType.NTLM => "NTLM",`
`564`	`568`	`Interop.NetSecurityNative.PackageType.Kerberos => "Kerberos",`
`565`	`569`	`_ => "SPNEGO"`
`@@ -635,7 +639,8 @@ private NegotiateAuthenticationStatusCode InitializeSecurityContext(`
`635`	`639`	`{`
`636`	`640`	`if (NetEventSource.Log.IsEnabled())`
`637`	`641`	`{`
`638`		`- string protocol = _packageType switch {`
	`642`	`+ string protocol = _packageType switch`
	`643`	`+ {`
`639`	`644`	`Interop.NetSecurityNative.PackageType.NTLM => "NTLM",`
`640`	`645`	`Interop.NetSecurityNative.PackageType.Kerberos => "Kerberos",`
`641`	`646`	`_ => isNtlmUsed ? "SPNEGO-NTLM" : "SPNEGO-Kerberos"`
`@@ -764,5 +769,18 @@ internal static NegotiateAuthenticationStatusCode GetErrorCode(Interop.NetSecuri`
`764`	`769`	`}`
`765`	`770`	`}`
`766`	`771`	`}`
	`772`	`+`
	`773`	`+ public static bool CheckHasSystemNetSecurityNative()`
	`774`	`+ {`
	`775`	`+ try`
	`776`	`+ {`
	`777`	`+ return Interop.NetSecurityNative.IsNtlmInstalled();`
	`778`	`+ }`
	`779`	`+ catch (Exception e) when (e is EntryPointNotFoundException \|\| e is DllNotFoundException \|\| e is TypeInitializationException)`
	`780`	`+ {`
	`781`	`+ // libSystem.Net.Security.Native is not available`
	`782`	`+ return false;`
	`783`	`+ }`
	`784`	`+ }`
`767`	`785`	`}`
`768`	`786`	`}`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,6 @@ public void Constructor_Overloads_Validation()`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`[Fact]`
`35`		`- [SkipOnPlatform(TestPlatforms.LinuxBionic, "https://github.com/dotnet/runtime/issues/93104")]`
`36`	`35`	`public void RemoteIdentity_ThrowsOnUnauthenticated()`
`37`	`36`	`{`
`38`	`37`	`NegotiateAuthenticationClientOptions clientOptions = new NegotiateAuthenticationClientOptions { Credential = s_testCredentialRight, TargetName = "HTTP/foo" };`
`@@ -66,7 +65,6 @@ public void RemoteIdentity_ThrowsOnDisposed()`
`66`	`65`	`}`
`67`	`66`
`68`	`67`	`[Fact]`
`69`		`- [SkipOnPlatform(TestPlatforms.LinuxBionic, "https://github.com/dotnet/runtime/issues/93104")]`
`70`	`68`	`public void Package_Unsupported()`
`71`	`69`	`{`
`72`	`70`	`NegotiateAuthenticationClientOptions clientOptions = new NegotiateAuthenticationClientOptions { Package = "INVALID", Credential = s_testCredentialRight, TargetName = "HTTP/foo" };`
`@@ -98,7 +96,6 @@ public void Package_Unsupported_NTLM()`
`98`	`96`
`99`	`97`	`[Fact]`
`100`	`98`	`[SkipOnPlatform(TestPlatforms.Windows, "The test is specific to GSSAPI / Managed implementations of NegotiateAuthentication")]`
`101`		`- [SkipOnPlatform(TestPlatforms.LinuxBionic, "https://github.com/dotnet/runtime/issues/93104")]`
`102`	`99`	`public void DefaultNetworkCredentials_NTLM_DoesNotThrow()`
`103`	`100`	`{`
`104`	`101`	`NegotiateAuthenticationClientOptions clientOptions = new NegotiateAuthenticationClientOptions { Package = "NTLM", Credential = CredentialCache.DefaultNetworkCredentials, TargetName = "HTTP/foo" };`
`@@ -169,7 +166,7 @@ public static IEnumerable<object[]> TestCredentials()`
`169`	`166`	`yield return new object[] { new NetworkCredential("rightusername", "rightpassword") };`
`170`	`167`	`yield return new object[] { new NetworkCredential("rightusername", "rightpassword", "rightdomain") };`
`171`	`168`	`yield return new object[] { new NetworkCredential("[email protected]", "rightpassword") };`
`172`		`- }`
	`169`	`+ }`
`173`	`170`
`174`	`171`	`[ConditionalTheory(nameof(IsNtlmAvailable))]`
`175`	`172`	`[MemberData(nameof(TestCredentials))]`