Add CertificateAuthentication

eng/ProjectReferences.props

@@ -57,6 +57,7 @@
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions" ProjectPath="$(RepoRoot)src\Servers\Kestrel\Transport.Abstractions\src\Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.csproj" RefProjectPath="$(RepoRoot)src\Servers\Kestrel\Transport.Abstractions\ref\Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv" ProjectPath="$(RepoRoot)src\Servers\Kestrel\Transport.Libuv\src\Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv.csproj" RefProjectPath="$(RepoRoot)src\Servers\Kestrel\Transport.Libuv\ref\Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets" ProjectPath="$(RepoRoot)src\Servers\Kestrel\Transport.Sockets\src\Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.csproj" RefProjectPath="$(RepoRoot)src\Servers\Kestrel\Transport.Sockets\ref\Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.csproj" />
+    <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authentication.Certificate" ProjectPath="$(RepoRoot)src\Security\Authentication\Certificate\src\Microsoft.AspNetCore.Authentication.Certificate.csproj" RefProjectPath="$(RepoRoot)src\Security\Authentication\Certificate\ref\Microsoft.AspNetCore.Authentication.Certificate.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authentication.Cookies" ProjectPath="$(RepoRoot)src\Security\Authentication\Cookies\src\Microsoft.AspNetCore.Authentication.Cookies.csproj" RefProjectPath="$(RepoRoot)src\Security\Authentication\Cookies\ref\Microsoft.AspNetCore.Authentication.Cookies.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authentication" ProjectPath="$(RepoRoot)src\Security\Authentication\Core\src\Microsoft.AspNetCore.Authentication.csproj" RefProjectPath="$(RepoRoot)src\Security\Authentication\Core\ref\Microsoft.AspNetCore.Authentication.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authentication.Facebook" ProjectPath="$(RepoRoot)src\Security\Authentication\Facebook\src\Microsoft.AspNetCore.Authentication.Facebook.csproj" RefProjectPath="$(RepoRoot)src\Security\Authentication\Facebook\ref\Microsoft.AspNetCore.Authentication.Facebook.csproj" />

src/Middleware/HttpOverrides/ref/Microsoft.AspNetCore.HttpOverrides.netcoreapp3.0.cs

@@ -3,6 +3,11 @@
 
 namespace Microsoft.AspNetCore.Builder
 {
+    public static partial class CertificateForwarderExtensions
+    {
+        public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddCertificateHeaderForwarding(this Microsoft.Extensions.DependencyInjection.IServiceCollection services, System.Action<Microsoft.AspNetCore.HttpOverrides.CertificateForwarderOptions> configure) { throw null; }
+        public static Microsoft.AspNetCore.Builder.IApplicationBuilder UseCertificateHeaderForwarding(this Microsoft.AspNetCore.Builder.IApplicationBuilder app) { throw null; }
+    }
     public static partial class ForwardedHeadersExtensions
     {
         public static Microsoft.AspNetCore.Builder.IApplicationBuilder UseForwardedHeaders(this Microsoft.AspNetCore.Builder.IApplicationBuilder builder) { throw null; }
@@ -37,6 +42,18 @@ public HttpMethodOverrideOptions() { }
 }
 namespace Microsoft.AspNetCore.HttpOverrides
 {
+    public partial class CertificateForwarderMiddleware
+    {
+        public CertificateForwarderMiddleware(Microsoft.AspNetCore.Http.RequestDelegate next, Microsoft.Extensions.Logging.ILoggerFactory loggerFactory, Microsoft.Extensions.Options.IOptions<Microsoft.AspNetCore.HttpOverrides.CertificateForwarderOptions> options) { }
+        [System.Diagnostics.DebuggerStepThroughAttribute]
+        public System.Threading.Tasks.Task Invoke(Microsoft.AspNetCore.Http.HttpContext httpContext) { throw null; }
+    }
+    public partial class CertificateForwarderOptions
+    {
+        public System.Func<string, System.Security.Cryptography.X509Certificates.X509Certificate2> HeaderConverter;
+        public CertificateForwarderOptions() { }
+        public string CertificateHeader { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute]set { } }
+    }
     [System.FlagsAttribute]
     public enum ForwardedHeaders
     {

src/Middleware/HttpOverrides/src/CertificateForwarderExtensions.cs

@@ -0,0 +1,55 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNetCore.HttpOverrides;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Microsoft.AspNetCore.Builder
+{
+    /// <summary>
+    /// Extension methods for using the certificate fowarder.
+    /// </summary>
+    public static class CertificateForwarderExtensions
+    {
+        /// <summary>
+        /// Adds a middleware to the pipeline that will look for a certificate in a request header
+        /// decode it, and updates HttpContext.Connection.ClientCertificate.
+        /// </summary>
+        /// <param name="app"></param>
+        /// <returns></returns>
+        public static IApplicationBuilder UseCertificateHeaderForwarding(this IApplicationBuilder app)
+        {
+            if (app == null)
+            {
+                throw new ArgumentNullException(nameof(app));
+            }
+
+            return app.UseMiddleware<CertificateForwarderMiddleware>();
+        }
+
+        /// <summary>
+        /// Adds certificate forwarding to the specified <see cref="IServiceCollection" />.
+        /// </summary>
+        /// <param name="services">The <see cref="IServiceCollection"/>.</param>
+        /// <param name="configure">An action delegate to configure the provided <see cref="CertificateForwarderOptions"/>.</param>
+        /// <returns>The <see cref="IServiceCollection"/> so that additional calls can be chained.</returns>
+        public static IServiceCollection AddCertificateHeaderForwarding(
+            this IServiceCollection services,
+            Action<CertificateForwarderOptions> configure)
+        {
+            if (services == null)
+            {
+                throw new ArgumentNullException(nameof(services));
+            }
+
+            if (configure == null)
+            {
+                throw new ArgumentNullException(nameof(configure));
+            }
+
+            services.AddOptions<CertificateForwarderOptions>().Validate(o => !string.IsNullOrEmpty(o.CertificateHeader), "CertificateForwarderOptions.CertificateHeader cannot be null or empty.");
+            return services.Configure(configure);
+        }
+    }
+}

src/Middleware/HttpOverrides/src/CertificateForwarderFeature.cs

@@ -0,0 +1,51 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http.Features;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Primitives;
+
+namespace Microsoft.AspNetCore.HttpOverrides
+{
+    internal class CertificateForwarderFeature : ITlsConnectionFeature
+    {
+        private ILogger _logger;
+        private StringValues _header;
+        private CertificateForwarderOptions _options;
+        private X509Certificate2 _certificate;
+
+        public CertificateForwarderFeature(ILogger logger, StringValues header, CertificateForwarderOptions options)
+        {
+            _logger = logger;
+            _options = options;
+            _header = header;
+        }
+
+        public X509Certificate2 ClientCertificate
+        {
+            get
+            {
+                if (_certificate == null && _header != StringValues.Empty)
+                {
+                    try
+                    {
+                        _certificate = _options.HeaderConverter(_header);
+                    }
+                    catch (Exception e)
+                    {
+                        _logger.LogWarning(0, e, "Could not read certificate from header.");
+                    }
+                }
+                return _certificate;
+            }
+            set => _certificate = value;
+        }
+
+        public Task<X509Certificate2> GetClientCertificateAsync(CancellationToken cancellationToken)
+            => Task.FromResult(ClientCertificate);
+    }
+}

src/Middleware/HttpOverrides/src/CertificateForwarderMiddleware.cs

@@ -0,0 +1,70 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Features;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Primitives;
+
+namespace Microsoft.AspNetCore.HttpOverrides
+{
+    /// <summary>
+    /// Middleware that converts a forward header into a client certificate if found.
+    /// </summary>
+    public class CertificateForwarderMiddleware
+    {
+        private readonly RequestDelegate _next;
+        private readonly CertificateForwarderOptions _options;
+        private readonly ILogger _logger;
+
+        /// <summary>
+        /// Constructor.
+        /// </summary>
+        /// <param name="next"></param>
+        /// <param name="loggerFactory"></param>
+        /// <param name="options"></param>
+        public CertificateForwarderMiddleware(
+                RequestDelegate next,
+                ILoggerFactory loggerFactory,
+                IOptions<CertificateForwarderOptions> options)
+        {
+            _next = next ?? throw new ArgumentNullException(nameof(next));
+
+            if (loggerFactory == null)
+            {
+                throw new ArgumentNullException(nameof(loggerFactory));
+            }
+
+            if (options == null)
+            {
+                throw new ArgumentNullException(nameof(options));
+            }
+
+            _options = options.Value;
+            _logger = loggerFactory.CreateLogger<CertificateForwarderMiddleware>();
+        }
+
+        /// <summary>
+        /// Looks for the presence of a <see cref="CertificateForwarderOptions.CertificateHeader"/> header in the request,
+        /// if found, converts this header to a ClientCertificate set on the connection.
+        /// </summary>
+        /// <param name="httpContext">The <see cref="HttpContext"/>.</param>
+        /// <returns>A <see cref="Task"/>.</returns>
+        public async Task Invoke(HttpContext httpContext)
+        {
+            var clientCertificate = await httpContext.Connection.GetClientCertificateAsync();
+            if (clientCertificate == null)
+            {
+                var header = httpContext.Request.Headers[_options.CertificateHeader];
+                if (!StringValues.IsNullOrEmpty(header))
+                {
+                    httpContext.Features.Set<ITlsConnectionFeature>(new CertificateForwarderFeature(_logger, header, _options));
+                }
+            }
+            await _next(httpContext);
+        }
+    }
+}

src/Middleware/HttpOverrides/src/CertificateForwarderOptions.cs

@@ -0,0 +1,30 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Microsoft.AspNetCore.HttpOverrides
+{
+    /// <summary>
+    /// Used to configure the <see cref="CertificateForwarderMiddleware"/>.
+    /// </summary>
+    public class CertificateForwarderOptions
+    {
+        /// <summary>
+        /// The name of the header containing the client certificate.
+        /// </summary>
+        /// <remarks>
+        /// This defaults to X-ARR-ClientCert, which is the header Azure Web Apps uses.
+        /// </remarks>
+        public string CertificateHeader { get; set; } = "X-ARR-ClientCert";
+
+        /// <summary>
+        /// The function used to convert the header to an instance of <see cref="X509Certificate2"/>.
+        /// </summary>
+        /// <remarks>
+        /// This defaults to a conversion from a base64 encoded string.
+        /// </remarks>
+        public Func<string, X509Certificate2> HeaderConverter = (headerValue) => new X509Certificate2(Convert.FromBase64String(headerValue));
+    }
+}