Add CertificateAuthentication

eng/ProjectReferences.props

@@ -57,6 +57,7 @@
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions" ProjectPath="$(RepoRoot)src\Servers\Kestrel\Transport.Abstractions\src\Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.csproj" RefProjectPath="$(RepoRoot)src\Servers\Kestrel\Transport.Abstractions\ref\Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv" ProjectPath="$(RepoRoot)src\Servers\Kestrel\Transport.Libuv\src\Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv.csproj" RefProjectPath="$(RepoRoot)src\Servers\Kestrel\Transport.Libuv\ref\Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets" ProjectPath="$(RepoRoot)src\Servers\Kestrel\Transport.Sockets\src\Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.csproj" RefProjectPath="$(RepoRoot)src\Servers\Kestrel\Transport.Sockets\ref\Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.csproj" />
+    <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authentication.Certificate" ProjectPath="$(RepoRoot)src\Security\Authentication\Certificate\src\Microsoft.AspNetCore.Authentication.Certificate.csproj" RefProjectPath="$(RepoRoot)src\Security\Authentication\Certificate\ref\Microsoft.AspNetCore.Authentication.Certificate.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authentication.Cookies" ProjectPath="$(RepoRoot)src\Security\Authentication\Cookies\src\Microsoft.AspNetCore.Authentication.Cookies.csproj" RefProjectPath="$(RepoRoot)src\Security\Authentication\Cookies\ref\Microsoft.AspNetCore.Authentication.Cookies.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authentication" ProjectPath="$(RepoRoot)src\Security\Authentication\Core\src\Microsoft.AspNetCore.Authentication.csproj" RefProjectPath="$(RepoRoot)src\Security\Authentication\Core\ref\Microsoft.AspNetCore.Authentication.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authentication.Facebook" ProjectPath="$(RepoRoot)src\Security\Authentication\Facebook\src\Microsoft.AspNetCore.Authentication.Facebook.csproj" RefProjectPath="$(RepoRoot)src\Security\Authentication\Facebook\ref\Microsoft.AspNetCore.Authentication.Facebook.csproj" />

src/Middleware/HttpOverrides/ref/Microsoft.AspNetCore.HttpOverrides.netcoreapp3.0.cs

@@ -3,6 +3,10 @@
 
 namespace Microsoft.AspNetCore.Builder
 {
+    public static partial class CertificateForwardingBuilderExtensions
+    {
+        public static Microsoft.AspNetCore.Builder.IApplicationBuilder UseCertificateForwarding(this Microsoft.AspNetCore.Builder.IApplicationBuilder app) { throw null; }
+    }
     public static partial class ForwardedHeadersExtensions
     {
         public static Microsoft.AspNetCore.Builder.IApplicationBuilder UseForwardedHeaders(this Microsoft.AspNetCore.Builder.IApplicationBuilder builder) { throw null; }
@@ -37,6 +41,17 @@ public HttpMethodOverrideOptions() { }
 }
 namespace Microsoft.AspNetCore.HttpOverrides
 {
+    public partial class CertificateForwardingMiddleware
+    {
+        public CertificateForwardingMiddleware(Microsoft.AspNetCore.Http.RequestDelegate next, Microsoft.Extensions.Logging.ILoggerFactory loggerFactory, Microsoft.Extensions.Options.IOptions<Microsoft.AspNetCore.HttpOverrides.CertificateForwardingOptions> options) { }
+        public System.Threading.Tasks.Task Invoke(Microsoft.AspNetCore.Http.HttpContext httpContext) { throw null; }
+    }
+    public partial class CertificateForwardingOptions
+    {
+        public System.Func<string, System.Security.Cryptography.X509Certificates.X509Certificate2> HeaderConverter;
+        public CertificateForwardingOptions() { }
+        public string CertificateHeader { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute]set { } }
+    }
     [System.FlagsAttribute]
     public enum ForwardedHeaders
     {
@@ -75,3 +90,10 @@ public IPNetwork(System.Net.IPAddress prefix, int prefixLength) { }
         public bool Contains(System.Net.IPAddress address) { throw null; }
     }
 }
+namespace Microsoft.Extensions.DependencyInjection
+{
+    public static partial class CertificateForwardingServiceExtensions
+    {
+        public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddCertificateForwarding(this Microsoft.Extensions.DependencyInjection.IServiceCollection services, System.Action<Microsoft.AspNetCore.HttpOverrides.CertificateForwardingOptions> configure) { throw null; }
+    }
+}

src/Middleware/HttpOverrides/src/CertificateForwardingBuilderExtensions.cs

@@ -0,0 +1,30 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNetCore.HttpOverrides;
+
+namespace Microsoft.AspNetCore.Builder
+{
+    /// <summary>
+    /// Extension methods for using certificate fowarding.
+    /// </summary>
+    public static class CertificateForwardingBuilderExtensions
+    {
+        /// <summary>
+        /// Adds a middleware to the pipeline that will look for a certificate in a request header
+        /// decode it, and updates HttpContext.Connection.ClientCertificate.
+        /// </summary>
+        /// <param name="app"></param>
+        /// <returns></returns>
+        public static IApplicationBuilder UseCertificateForwarding(this IApplicationBuilder app)
+        {
+            if (app == null)
+            {
+                throw new ArgumentNullException(nameof(app));
+            }
+
+            return app.UseMiddleware<CertificateForwardingMiddleware>();
+        }
+    }
+}

src/Middleware/HttpOverrides/src/CertificateForwardingFeature.cs

@@ -0,0 +1,51 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http.Features;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Primitives;
+
+namespace Microsoft.AspNetCore.HttpOverrides
+{
+    internal class CertificateForwardingFeature : ITlsConnectionFeature
+    {
+        private ILogger _logger;
+        private StringValues _header;
+        private CertificateForwardingOptions _options;
+        private X509Certificate2 _certificate;
+
+        public CertificateForwardingFeature(ILogger logger, StringValues header, CertificateForwardingOptions options)
+        {
+            _logger = logger;
+            _options = options;
+            _header = header;
+        }
+
+        public X509Certificate2 ClientCertificate
+        {
+            get
+            {
+                if (_certificate == null)
+                {
+                    try
+                    {
+                        _certificate = _options.HeaderConverter(_header);
+                    }
+                    catch (Exception e)
+                    {
+                        _logger.NoCertificate(e);
+                    }
+                }
+                return _certificate;
+            }
+            set => _certificate = value;
+        }
+
+        public Task<X509Certificate2> GetClientCertificateAsync(CancellationToken cancellationToken)
+            => Task.FromResult(ClientCertificate);
+    }
+}

src/Middleware/HttpOverrides/src/CertificateForwardingMiddleware.cs

@@ -0,0 +1,66 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Features;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Primitives;
+
+namespace Microsoft.AspNetCore.HttpOverrides
+{
+    /// <summary>
+    /// Middleware that converts a forward header into a client certificate if found.
+    /// </summary>
+    public class CertificateForwardingMiddleware
+    {
+        private readonly RequestDelegate _next;
+        private readonly CertificateForwardingOptions _options;
+        private readonly ILogger _logger;
+
+        /// <summary>
+        /// Constructor.
+        /// </summary>
+        /// <param name="next"></param>
+        /// <param name="loggerFactory"></param>
+        /// <param name="options"></param>
+        public CertificateForwardingMiddleware(
+                RequestDelegate next,
+                ILoggerFactory loggerFactory,
+                IOptions<CertificateForwardingOptions> options)
+        {
+            _next = next ?? throw new ArgumentNullException(nameof(next));
+
+            if (loggerFactory == null)
+            {
+                throw new ArgumentNullException(nameof(loggerFactory));
+            }
+
+            if (options == null)
+            {
+                throw new ArgumentNullException(nameof(options));
+            }
+
+            _options = options.Value;
+            _logger = loggerFactory.CreateLogger<CertificateForwardingMiddleware>();
+        }
+
+        /// <summary>
+        /// Looks for the presence of a <see cref="CertificateForwardingOptions.CertificateHeader"/> header in the request,
+        /// if found, converts this header to a ClientCertificate set on the connection.
+        /// </summary>
+        /// <param name="httpContext">The <see cref="HttpContext"/>.</param>
+        /// <returns>A <see cref="Task"/>.</returns>
+        public Task Invoke(HttpContext httpContext)
+        {
+            var header = httpContext.Request.Headers[_options.CertificateHeader];
+            if (!StringValues.IsNullOrEmpty(header))
+            {
+                httpContext.Features.Set<ITlsConnectionFeature>(new CertificateForwardingFeature(_logger, header, _options));
+            }
+            return _next(httpContext);
+        }
+    }
+}

src/Middleware/HttpOverrides/src/CertificateForwardingOptions.cs

@@ -0,0 +1,30 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Microsoft.AspNetCore.HttpOverrides
+{
+    /// <summary>
+    /// Used to configure the <see cref="CertificateForwardingMiddleware"/>.
+    /// </summary>
+    public class CertificateForwardingOptions
+    {
+        /// <summary>
+        /// The name of the header containing the client certificate.
+        /// </summary>
+        /// <remarks>
+        /// This defaults to X-Client-Cert
+        /// </remarks>
+        public string CertificateHeader { get; set; } = "X-Client-Cert";
+
+        /// <summary>
+        /// The function used to convert the header to an instance of <see cref="X509Certificate2"/>.
+        /// </summary>
+        /// <remarks>
+        /// This defaults to a conversion from a base64 encoded string.
+        /// </remarks>
+        public Func<string, X509Certificate2> HeaderConverter = (headerValue) => new X509Certificate2(Convert.FromBase64String(headerValue));
+    }
+}

src/Middleware/HttpOverrides/src/CertificateForwardingServiceExtensions.cs

@@ -0,0 +1,38 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNetCore.HttpOverrides;
+
+namespace Microsoft.Extensions.DependencyInjection
+{
+    /// <summary>
+    /// Extension methods for using certificate fowarding.
+    /// </summary>
+    public static class CertificateForwardingServiceExtensions
+    {
+        /// <summary>
+        /// Adds certificate forwarding to the specified <see cref="IServiceCollection" />.
+        /// </summary>
+        /// <param name="services">The <see cref="IServiceCollection"/>.</param>
+        /// <param name="configure">An action delegate to configure the provided <see cref="CertificateForwardingOptions"/>.</param>
+        /// <returns>The <see cref="IServiceCollection"/> so that additional calls can be chained.</returns>
+        public static IServiceCollection AddCertificateForwarding(
+            this IServiceCollection services,
+            Action<CertificateForwardingOptions> configure)
+        {
+            if (services == null)
+            {
+                throw new ArgumentNullException(nameof(services));
+            }
+
+            if (configure == null)
+            {
+                throw new ArgumentNullException(nameof(configure));
+            }
+
+            services.AddOptions<CertificateForwardingOptions>().Validate(o => !string.IsNullOrEmpty(o.CertificateHeader), "CertificateForwarderOptions.CertificateHeader cannot be null or empty.");
+            return services.Configure(configure);
+        }
+    }
+}

src/Middleware/HttpOverrides/src/LoggingExtensions.cs

@@ -0,0 +1,25 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.Extensions.Logging
+{
+    internal static class LoggingExtensions
+    {
+        private static Action<ILogger, Exception> _noCertificate;
+
+        static LoggingExtensions()
+        {
+            _noCertificate = LoggerMessage.Define(
+                eventId: new EventId(0, "NoCertificate"),
+                logLevel: LogLevel.Warning,
+                formatString: "Could not read certificate from header.");
+        }
+
+        public static void NoCertificate(this ILogger logger, Exception exception)
+        {
+            _noCertificate(logger, exception);
+        }
+    }
+}