Skip to content

Add CertificateAuthentication#9756

Merged
HaoK merged 54 commits into
masterfrom
security-cert
Jun 1, 2019
Merged

Add CertificateAuthentication#9756
HaoK merged 54 commits into
masterfrom
security-cert

Conversation

@HaoK

@HaoK HaoK commented Apr 25, 2019

Copy link
Copy Markdown
Member

Initial port of the code with all unit tests passing and some stuff commented out so we can track diffs in git.

Take a look at the commented out changes i needed to make for tests @blowdart

Next steps will be to remove all the commented out code and move the headerforwarding into the existing middleware

Comment thread src/Security/Authentication/Certificate/src/README.md Outdated
Comment thread src/Security/Authentication/test/CertificateTests.cs Outdated
@blowdart

Copy link
Copy Markdown
Contributor

Couple of things to be deleted, but yea, fair enough

@HaoK

HaoK commented Apr 25, 2019

Copy link
Copy Markdown
Member Author

Ok I'll delete all the commented out stuff next so its easy for you to see what got removed in the next commit

Comment thread src/Security/Authentication/Certificate/src/X509CertificateExtensions.cs Outdated
@Eilon Eilon added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Apr 25, 2019
@Eilon

Eilon commented Apr 25, 2019

Copy link
Copy Markdown
Contributor

When this is non-draft, please tag @aspnet/build to review the package addition and other infra changes.

Comment thread src/Security/Authentication/Certificate/src/CertificateForwarderMiddleware.cs Outdated
Comment thread src/Security/Authentication/Certificate/src/CertificateValidator.cs Outdated
Comment thread src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs Outdated
Comment thread src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs Outdated
@HaoK HaoK force-pushed the security-cert branch from 36925f2 to 7ebf3fd Compare May 17, 2019 21:29
@HaoK HaoK marked this pull request as ready for review May 17, 2019 21:41
@HaoK HaoK requested review from a team and analogrelay as code owners May 17, 2019 21:41

@Tratcher Tratcher left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PM code 😢

Also get rid of the MessagePack submodule change.

Comment thread eng/SharedFramework.Local.props Outdated
Comment thread src/Middleware/HttpOverrides/src/CertificateForwarderExtensions.cs Outdated
Comment thread src/Middleware/HttpOverrides/src/CertificateForwarderExtensions.cs Outdated
Comment thread src/Middleware/HttpOverrides/src/CertificateForwarderMiddleware.cs Outdated
Comment thread src/Middleware/HttpOverrides/src/CertificateForwarderMiddleware.cs Outdated

protected override Task HandleChallengeAsync(AuthenticationProperties properties)
{
// Certificate authentication takes place at the connection level. We can't prompt once we're in

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's put an event here for the Identity auth selection case. For HttpSys a dev could call AuthenticateAsync (in the selection case it would not have been called) and it would trigger a browser prompt on the same request. If that failed then a 403 is warranted. If it succeeded they could redirect to the next stage of sign-in and the cert would be preserved in the server for the next request.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we file a separate issue/ask to add support for this later? This doesn't sound like something that needs to be in the initial chcekpoint, @blowdart thoughts?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But only http.sys. While that'd be nice, we can't make kestrel do it, so yes, nice to have only

Comment thread src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs Outdated
@@ -0,0 +1,239 @@
# Microsoft.AspNetCore.Authentication.Certificate

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Move to a doc PR/bug?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah docs with this will come later, readme seems ok to leave in the meantime

Comment thread src/Security/Authentication/test/CertificateTests.cs Outdated
Comment thread src/Middleware/HttpOverrides/src/CertificateForwarderExtensions.cs Outdated
Comment thread src/Middleware/HttpOverrides/src/CertificateForwarderMiddleware.cs Outdated
Comment thread src/Middleware/HttpOverrides/src/CertificateForwarderOptions.cs Outdated
Comment thread src/Security/Authentication/Certificate/samples/Certificate.Sample/Startup.cs Outdated
Comment thread src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs Outdated
Comment thread src/Security/Authentication/Certificate/src/CertificateTypes.cs Outdated
Comment thread src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs Outdated
@HaoK HaoK mentioned this pull request May 22, 2019
@HaoK HaoK force-pushed the security-cert branch from 43033f5 to efa5ee6 Compare May 22, 2019 20:00
Comment thread src/Middleware/HttpOverrides/src/CertificateForwarderMiddleware.cs Outdated
@HaoK HaoK changed the title [WIP] Initial snapshot of CertAuth (tests pass) Add CertificateAuthentication May 30, 2019
@HaoK

HaoK commented May 30, 2019

Copy link
Copy Markdown
Member Author

@blowdart @Tratcher thinks the behavior for the certificate forwarder should pickup the header and use that as an override for any existing cert, which is the opposite of the behavior you had before (which would fallback to the header). For now I went with the override behavior, but you guys can discuss what's the ideal behavior

Comment thread src/Middleware/HttpOverrides/src/CertificateForwarderExtensions.cs Outdated
Comment thread src/Middleware/HttpOverrides/src/CertificateForwarderExtensions.cs Outdated
Comment thread src/Middleware/HttpOverrides/src/CertificateForwarderExtensions.cs Outdated
Comment thread src/Security/Authentication/Certificate/src/CertificateAuthenticationDefaults.cs Outdated
Comment thread src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs Outdated
Items =
{
{
CertificateAuthenticationDefaults.CertificateItemsKey, certificate.GetRawCertDataString()

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed?

HaoK and others added 2 commits May 30, 2019 20:53
…icationHandler.cs

Co-Authored-By: Chris Ross <Tratcher@Outlook.com>
@HaoK

HaoK commented May 31, 2019

Copy link
Copy Markdown
Member Author

@aspnet/build any ideas why I'm getting this error on ci builds only for this PR?

/.azure/pipelines/helix-test.yml: Could not find /.azure/pipelines/jobs/default-build.yml in repository self hosted on https://api.github.com using commit 5ff3b2aeadbc1775f718f2938171f96f5a9b3f84. GitHub reported the error, "Not Found"

@dougbu

dougbu commented May 31, 2019

Copy link
Copy Markdown
Contributor

any ideas why I'm getting this error on ci builds only for this PR?

It's not only your PR and it's not only this repo e.g. https://github.com/aspnet/EntityFrameworkCore/pull/15878/checks?check_run_id=139437341. It appears to be GitHub flakiness but I'm not sure.

@natemcmaster

Copy link
Copy Markdown
Contributor

@HaoK just sent mail about this problem, which is affecting everyone, not just this PR. AzDO + GitHub are investigating.

@natemcmaster

Copy link
Copy Markdown
Contributor

/azp run AspNetCore-ci

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines successfully started running 1 pipeline(s).

@HaoK

HaoK commented Jun 1, 2019

Copy link
Copy Markdown
Member Author

/azp run AspNetCore-ci

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines successfully started running 1 pipeline(s).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer

Projects

None yet

Development

Successfully merging this pull request may close these issues.

9 participants