Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix SendAsync from impersonated context with default credentials #58922

Merged
merged 5 commits into from
Sep 15, 2021

Conversation

wfurt
Copy link
Member

@wfurt wfurt commented Sep 10, 2021

As @geoffkizer suggested, this fails because the connection setting is updated only in constructor. Even if options are passed to HttpHandler constructor, we actually create HttpConnectionSettings first and then we updated it.
I was originally thinking about updating relevant setters in HttpHandler but I end up updating the CloneAndNormalize and that seems sufficient. That has benefit that all the logic is still encapsulated in HttpConnectionSettings.
This is pretty trivial two line change.

Now, the trouble is testing. Some existing NTLM tests use HttpListener and that is problematic because of lack of fine control and general reliance. And we do not have any impersonation tests for HTTP.

To solve the first issue, I used NTLM code from Common and I added (duplicate?) NTLM/Negotiate test using standard Loopback pattern. If that proves to be stable and working we can possibly remove reliance HttpListener and clean up rest of the tests. (and get some more coverage for code Kestrel use via reflection (or make that finally public)).

To solve the second problem, I moved existing WindowsIdentityFixture to TestUtilities. That essentially creates ad hoc account and use that for testing. That seems to require some level of privilege. The existing tests in System.Security did not have any guard and they seems to run fine in CI. We can possibly update CanRunImpersonatedTests if this becomes nuisance. Certainly running tests from elevated shell seems to work fine but I don't know if that is really needed.

With that, I added new test to verify that HttpClient will open new connection for the impersonated context.
And it also verifies that the authenticated identity is different.

Fixes #58033

@wfurt wfurt requested review from stephentoub, geoffkizer and a team September 10, 2021 06:15
@wfurt wfurt self-assigned this Sep 10, 2021
@ghost
Copy link

ghost commented Sep 10, 2021

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

As @geoffkizer suggested, this brown because the connection setting is updated only in constructor. Even if options are passed to HttpHandler constructor, we actually create HttpConnectionSettings first and then we updated it.
I was originally thinking about updating relevant setters in HttpHandler but I end up updating the CloneAndNormalize and that seems sufficient. That has benefit that all the logic is still encapsulated in HttpConnectionSettings.
This is pretty trivial two lone change.

Now, the trouble is testing. Some existing NTLM tests use HttpListener and that is problematic because of lack of fine control and general reliance. And we do not have any inpersonification tests for HTTP.

To solve the first issue I used NTLM code from Common and I added (duplicate?) NTLM/Negotiate test using standard Loopback pattern. If that proves to be stable and working we can possibly remove reliance HttpListener and clean up rest of the tests. (and get some more coverage for code Kestrel use via reflection (or make that finally public))

To solve the second problem I moved existing WindowsIdentityFixture to TestUtilities. That essentially creates ad hoc account and use that for testing. That seems to require some level of privilege. The existing tests in System.Security did not have any guard and they seems to run fine in CI. We can possibly update CanRunInpersonificatedTests if this becomes nuisance. Certainly running tests from elevated shell seems to work fine but I don't know if that is really needed.

With that, I added new test to verify that HttpClient will open new connection for the inpersonioficated context.
And it also verifies that the authenticated identity is different.

fixes #58033

Author: wfurt
Assignees: wfurt
Labels:

area-System.Net.Http

Milestone: -

@wfurt
Copy link
Member Author

wfurt commented Sep 10, 2021

/azp run runtime-libraries-coreclr outerloop

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

Copy link
Contributor

@geoffkizer geoffkizer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple small issues above, generally looks good.

@wfurt
Copy link
Member Author

wfurt commented Sep 13, 2021

Test failures seems unrelated. I did not see any failure related to authentication.

@wfurt
Copy link
Member Author

wfurt commented Sep 13, 2021

/azp run runtime-libraries-coreclr outerloop

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

Copy link
Contributor

@geoffkizer geoffkizer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please find and replace Impersonificated => Impersonated

Other than that, LGTM

@wfurt
Copy link
Member Author

wfurt commented Sep 15, 2021

test failures looks unrelated. Mostly infrastructure & #58927.

@wfurt wfurt merged commit 27536d5 into dotnet:main Sep 15, 2021
@wfurt wfurt deleted the inperson_58033 branch September 15, 2021 03:12
@wfurt wfurt changed the title fix SendAsync from inpersonificated context with default credentials fix SendAsync from impersonificated context with default credentials Sep 15, 2021
@danmoseley
Copy link
Member

Does this need 6.0 port..

@danmoseley
Copy link
Member

/backport to release/6.0

@github-actions
Copy link
Contributor

@karelz karelz added this to the 7.0.0 milestone Sep 16, 2021
@karelz karelz changed the title fix SendAsync from impersonificated context with default credentials Fix SendAsync from impersonated context with default credentials Sep 16, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Nov 3, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

WindowsIdentity.RunImpersonated sending wrong credentials
4 participants