Skip to content

http.sys: Allow configuring HTTP_AUTH_EX_FLAGs as options #51833

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Feb 9, 2024
Merged

http.sys: Allow configuring HTTP_AUTH_EX_FLAGs as options #51833

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
bf884dc
http.sys: Allow configuring HTTP_AUTH_EX_FLAGs as options
evgenykotkov Nov 2, 2023
39edd84
http.sys: Rename: CaptureCredential → CaptureCredentials
evgenykotkov Nov 10, 2023
db5b580
http.sys: Clarify description for `EnableKerberosCredentialCaching`
evgenykotkov Nov 10, 2023
e2a327a
http.sys: Further clarify description for `EnableKerberosCredentialCa…
evgenykotkov Nov 10, 2023
5db6406
http.sys: Further clarify documentation for new options
evgenykotkov Feb 5, 2024
dac4840
Merge branch 'dotnet:main' into httpsys-auth-ex-flags
evgenykotkov Feb 5, 2024
a2885d9
http.sys: Tweak documentation for `CaptureCredentials`
evgenykotkov Feb 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 44 additions & 4 deletions src/Servers/HttpSys/src/AuthenticationManager.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
using System.Runtime.InteropServices;
using Microsoft.Extensions.Primitives;
using Microsoft.Net.Http.Headers;
using Windows.Win32;
using Windows.Win32.Networking.HttpServer;

namespace Microsoft.AspNetCore.Server.HttpSys;
Expand Down Expand Up @@ -63,6 +64,24 @@ public bool AllowAnonymous
/// </summary>
public string? AuthenticationDisplayName { get; set; }

/// <summary>
/// If true, the Kerberos authentication credentials are persisted per connection
/// and re-used for subsequent anonymous requests on the same connection.
/// Kerberos or Negotiate authentication must be enabled. The default is false.
/// This option maps to the native HTTP_AUTH_EX_FLAG_ENABLE_KERBEROS_CREDENTIAL_CACHING flag.
/// <see href="https://learn.microsoft.com/en-us/windows/win32/api/http/ns-http-http_server_authentication_info"/>
/// </summary>
public bool EnableKerberosCredentialCaching { get; set; }

/// <summary>
/// If true, the server captures user credentials from the thread that starts the
/// host and impersonates that user during Kerberos or Negotiate authentication.
/// Kerberos or Negotiate authentication must be enabled. The default is false.
/// This option maps to the native HTTP_AUTH_EX_FLAG_CAPTURE_CREDENTIAL flag.
/// <see href="https://learn.microsoft.com/en-us/windows/win32/api/http/ns-http-http_server_authentication_info"/>
/// </summary>
public bool CaptureCredentials { get; set; }

internal void SetUrlGroupSecurity(UrlGroup urlGroup)
{
Debug.Assert(_urlGroup == null, "SetUrlGroupSecurity called more than once.");
Expand All @@ -85,18 +104,39 @@ private unsafe void SetUrlGroupSecurity()
{
authInfo.AuthSchemes = (uint)_authSchemes;

authInfo.ExFlags = 0;

if (EnableKerberosCredentialCaching)
{
authInfo.ExFlags |= (byte)PInvoke.HTTP_AUTH_EX_FLAG_ENABLE_KERBEROS_CREDENTIAL_CACHING;
}

if (CaptureCredentials)
{
authInfo.ExFlags |= (byte)PInvoke.HTTP_AUTH_EX_FLAG_CAPTURE_CREDENTIAL;
}

// TODO:
// NTLM auth sharing (on by default?) DisableNTLMCredentialCaching
// Kerberos auth sharing (off by default?) HTTP_AUTH_EX_FLAG_ENABLE_KERBEROS_CREDENTIAL_CACHING
// Mutual Auth - ReceiveMutualAuth
// Digest domain and realm - HTTP_SERVER_AUTHENTICATION_DIGEST_PARAMS
// Basic realm - HTTP_SERVER_AUTHENTICATION_BASIC_PARAMS

HTTP_SERVER_PROPERTY property;
if (authInfo.ExFlags != 0)
{
// We need to modify extended fields such as ExFlags, set the extended auth property.
property = HTTP_SERVER_PROPERTY.HttpServerExtendedAuthenticationProperty;
}
else
{
// Otherwise set the regular auth property.
property = HTTP_SERVER_PROPERTY.HttpServerAuthenticationProperty;
}

IntPtr infoptr = new IntPtr(&authInfo);

_urlGroup.SetProperty(
HTTP_SERVER_PROPERTY.HttpServerAuthenticationProperty,
infoptr, (uint)AuthInfoSize);
_urlGroup.SetProperty(property, infoptr, (uint)AuthInfoSize);
}
}

Expand Down
1 change: 1 addition & 0 deletions src/Servers/HttpSys/src/NativeMethods.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
CloseHandle
FILE_SKIP_COMPLETION_PORT_ON_SUCCESS
FILE_SKIP_SET_EVENT_ON_HANDLE
HTTP_AUTH_EX_FLAG_*
HTTP_AUTH_STATUS
HTTP_BINDING_INFO
HTTP_CACHE_POLICY
Expand Down
4 changes: 4 additions & 0 deletions src/Servers/HttpSys/src/PublicAPI.Unshipped.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,5 @@
#nullable enable
Microsoft.AspNetCore.Server.HttpSys.AuthenticationManager.CaptureCredentials.get -> bool
Microsoft.AspNetCore.Server.HttpSys.AuthenticationManager.CaptureCredentials.set -> void
Microsoft.AspNetCore.Server.HttpSys.AuthenticationManager.EnableKerberosCredentialCaching.get -> bool
Microsoft.AspNetCore.Server.HttpSys.AuthenticationManager.EnableKerberosCredentialCaching.set -> void
54 changes: 54 additions & 0 deletions src/Servers/HttpSys/test/FunctionalTests/AuthenticationTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -400,6 +400,60 @@ public async Task AuthTypes_DisableAutomaticAuthentication(AuthenticationSchemes
}
}

[ConditionalTheory]
[InlineData(AuthenticationSchemes.Negotiate)]
[InlineData(AuthenticationSchemes.NTLM)]
[InlineData(AuthenticationSchemes.Negotiate | AuthenticationSchemes.NTLM)]
public async Task AuthTypes_EnableKerberosCredentialCaching(AuthenticationSchemes authType)
{
using (var server = Utilities.CreateDynamicHost(out var address, options =>
{
options.Authentication.Schemes = authType;
options.Authentication.AllowAnonymous = DenyAnoymous;
options.Authentication.EnableKerberosCredentialCaching = true;
},
httpContext =>
{
// There doesn't seem to be a simple way of testing the `EnableKerberosCredentialCaching`
// setting, but at least check that the server works.
Assert.NotNull(httpContext.User);
Assert.NotNull(httpContext.User.Identity);
Assert.True(httpContext.User.Identity.IsAuthenticated);
return Task.FromResult(0);
}, LoggerFactory))
{
var response = await SendRequestAsync(address, useDefaultCredentials: true);
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}

[ConditionalTheory]
[InlineData(AuthenticationSchemes.Negotiate)]
[InlineData(AuthenticationSchemes.NTLM)]
[InlineData(AuthenticationSchemes.Negotiate | AuthenticationSchemes.NTLM)]
public async Task AuthTypes_CaptureCredentials(AuthenticationSchemes authType)
{
using (var server = Utilities.CreateDynamicHost(out var address, options =>
{
options.Authentication.Schemes = authType;
options.Authentication.AllowAnonymous = DenyAnoymous;
options.Authentication.CaptureCredentials = true;
},
httpContext =>
{
// There doesn't seem to be a simple way of testing the `CaptureCredentials`
// setting, but at least check that the server works.
Assert.NotNull(httpContext.User);
Assert.NotNull(httpContext.User.Identity);
Assert.True(httpContext.User.Identity.IsAuthenticated);
return Task.FromResult(0);
}, LoggerFactory))
{
var response = await SendRequestAsync(address, useDefaultCredentials: true);
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}

private async Task<HttpResponseMessage> SendRequestAsync(string uri, bool useDefaultCredentials = false)
{
HttpClientHandler handler = new HttpClientHandler();
Expand Down