Merge pull request #31039 from AfsanehR/AccessToken2.2

[release/2.2] Added AAD Authentication using Access Token

Author: Keerat Singh

src/System.Data.SqlClient/ref/System.Data.SqlClient.cs

@@ -495,6 +495,7 @@ public void ResetStatistics() { }
         public System.Collections.IDictionary RetrieveStatistics() { throw null; }
         public static void ChangePassword(string connectionString, string newPassword) { throw null; }
         public static void ChangePassword(string connectionString, System.Data.SqlClient.SqlCredential credential, System.Security.SecureString newPassword) { throw null; }
+        public string AccessToken { get { throw null; } set { } }
 
     }
     public sealed partial class SqlConnectionStringBuilder : System.Data.Common.DbConnectionStringBuilder

src/System.Data.SqlClient/src/Resources/Strings.resx

@@ -1296,4 +1296,25 @@
   <data name="SQL_ChangePasswordUseOfUnallowedKey" xml:space="preserve">
     <value>The keyword '{0}' must not be specified in the connectionString argument to ChangePassword.</value>
   </data>
+  <data name="SQL_ParsingErrorWithState" xml:space="preserve">
+    <value>Internal connection fatal error. Error state: {0}.</value>
+  </data>
+  <data name="SQL_ParsingErrorValue" xml:space="preserve">
+    <value>Internal connection fatal error. Error state: {0}, Value: {1}.</value>
+  </data>
+  <data name="ADP_InvalidMixedUsageOfAccessTokenAndIntegratedSecurity" xml:space="preserve">
+    <value>Cannot set the AccessToken property if the 'Integrated Security' connection string keyword has been set to 'true' or 'SSPI'.</value>
+  </data>
+  <data name="ADP_InvalidMixedUsageOfAccessTokenAndUserIDPassword" xml:space="preserve">
+    <value>Cannot set the AccessToken property if 'UserID', 'UID', 'Password', or 'PWD' has been specified in connection string.</value>
+  </data>
+  <data name="ADP_InvalidMixedUsageOfCredentialAndAccessToken" xml:space="preserve">
+    <value>Cannot set the Credential property if the AccessToken property is already set.</value>
+  </data>
+ <data name="SQL_ParsingErrorFeatureId" xml:space="preserve"> 
+    <value>Internal connection fatal error. Error state: {0}, Feature Id: {1}.</value>
+  </data>
+  <data name="SQL_ParsingErrorAuthLibraryType" xml:space="preserve"> 
+    <value>Internal connection fatal error. Error state: {0}, Authentication Library Type: {1}.</value>
+  </data>
 </root>

src/System.Data.SqlClient/src/System/Data/Common/AdapterUtil.SqlClient.cs

@@ -910,5 +910,17 @@ internal static ArgumentException InvalidMixedArgumentOfSecureCredentialAndInteg
         {
             return Argument(SR.GetString(SR.ADP_InvalidMixedUsageOfSecureCredentialAndIntegratedSecurity));
         }
+        internal static InvalidOperationException InvalidMixedUsageOfAccessTokenAndIntegratedSecurity()
+        {
+            return ADP.InvalidOperation(SR.GetString(SR.ADP_InvalidMixedUsageOfAccessTokenAndIntegratedSecurity));
+        }
+        internal static InvalidOperationException InvalidMixedUsageOfAccessTokenAndUserIDPassword()
+        {
+            return ADP.InvalidOperation(SR.GetString(SR.ADP_InvalidMixedUsageOfAccessTokenAndUserIDPassword));
+        }
+        internal static Exception InvalidMixedUsageOfCredentialAndAccessToken()
+        {
+            return ADP.InvalidOperation(SR.GetString(SR.ADP_InvalidMixedUsageOfCredentialAndAccessToken));
+        }
     }
 }

src/System.Data.SqlClient/src/System/Data/SqlClient/SqlConnection.cs

@@ -34,6 +34,7 @@ public sealed partial class SqlConnection : DbConnection, ICloneable
         private SqlCredential _credential;
         private string _connectionString;
         private int _connectRetryCount;
+        private string _accessToken; // Access Token to be used for token based authentication
 
         // connection resiliency
         private object _reconnectLock = new object();
@@ -97,6 +98,7 @@ private SqlConnection(SqlConnection connection)
                 _credential = new SqlCredential(connection._credential.UserId, password);
             }
 
+            _accessToken = connection._accessToken;
             CacheConnectionStringProperties();
         }
 
@@ -222,12 +224,19 @@ public override string ConnectionString
             }
             set
             {
-                if (_credential != null)
+                if (_credential != null || _accessToken != null)
                 {
                     SqlConnectionString connectionOptions = new SqlConnectionString(value);
-                    CheckAndThrowOnInvalidCombinationOfConnectionStringAndSqlCredential(connectionOptions);
+                    if (_credential != null)
+                    {
+                        CheckAndThrowOnInvalidCombinationOfConnectionStringAndSqlCredential(connectionOptions);
+                    }
+                    else
+                    {
+                        CheckAndThrowOnInvalidCombinationOfConnectionOptionAndAccessToken(connectionOptions);
+                    }
                 }
-                ConnectionString_Set(new SqlConnectionPoolKey(value, _credential));
+                ConnectionString_Set(new SqlConnectionPoolKey(value, _credential, _accessToken));
                 _connectionString = value;  // Change _connectionString value only after value is validated
                 CacheConnectionStringProperties();
             }
@@ -242,6 +251,37 @@ public override int ConnectionTimeout
             }
         }
 
+        // AccessToken: To be used for token based authentication
+        public string AccessToken
+        {
+            get
+            {
+                string result = _accessToken;
+                // When a connection is connecting or is ever opened, make AccessToken available only if "Persist Security Info" is set to true
+                // otherwise, return null
+                SqlConnectionString connectionOptions = (SqlConnectionString)UserConnectionOptions;
+                return InnerConnection.ShouldHidePassword && connectionOptions != null && !connectionOptions.PersistSecurityInfo ? null : _accessToken;
+            }
+            set
+            {
+                // If a connection is connecting or is ever opened, AccessToken cannot be set
+                if (!InnerConnection.AllowSetConnectionString)
+                {
+                    throw ADP.OpenConnectionPropertySet(nameof(AccessToken), InnerConnection.State);
+                }
+
+                if (value != null)
+                {
+                    // Check if the usage of AccessToken has any conflict with the keys used in connection string and credential
+                    CheckAndThrowOnInvalidCombinationOfConnectionOptionAndAccessToken((SqlConnectionString)ConnectionOptions);
+                }
+
+                // Need to call ConnectionString_Set to do proper pool group check
+                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, credential: _credential, accessToken: value));
+                _accessToken = value;
+            }
+        }
+
         public override string Database
         {
             // if the connection is open, we need to ask the inner connection what it's
@@ -396,12 +436,16 @@ public SqlCredential Credential
                 if (value != null)
                 {
                     CheckAndThrowOnInvalidCombinationOfConnectionStringAndSqlCredential((SqlConnectionString)ConnectionOptions);
+                    if (_accessToken != null)
+                    {
+                        throw ADP.InvalidMixedUsageOfCredentialAndAccessToken();
+                    }
                 }
 
                 _credential = value;
 
                 // Need to call ConnectionString_Set to do proper pool group check
-                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential));
+                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, accessToken: _accessToken));
             }
         }
 
@@ -422,6 +466,29 @@ private void CheckAndThrowOnInvalidCombinationOfConnectionStringAndSqlCredential
             }
         }
 
+        // CheckAndThrowOnInvalidCombinationOfConnectionOptionAndAccessToken: check if the usage of AccessToken has any conflict
+        //  with the keys used in connection string and credential
+        //  If there is any conflict, it throws InvalidOperationException
+        //  This is to be used setter of ConnectionString and AccessToken properties
+        private void CheckAndThrowOnInvalidCombinationOfConnectionOptionAndAccessToken(SqlConnectionString connectionOptions)
+        {
+            if (UsesClearUserIdOrPassword(connectionOptions))
+            {
+                throw ADP.InvalidMixedUsageOfAccessTokenAndUserIDPassword();
+            }
+
+            if (UsesIntegratedSecurity(connectionOptions))
+            {
+                throw ADP.InvalidMixedUsageOfAccessTokenAndIntegratedSecurity();
+            }
+
+            // Check if the usage of AccessToken has the conflict with credential
+            if (_credential != null)
+            {
+                throw ADP.InvalidMixedUsageOfCredentialAndAccessToken();
+            }
+        }
+
         protected override DbProviderFactory DbProviderFactory
         {
             get => SqlClientFactory.Instance;
@@ -654,6 +721,7 @@ public override void Close()
         private void DisposeMe(bool disposing)
         {
             _credential = null;
+            _accessToken = null;
 
             if (!disposing)
             {
@@ -1360,7 +1428,7 @@ public static void ChangePassword(string connectionString, string newPassword)
                 throw ADP.InvalidArgumentLength(nameof(newPassword), TdsEnums.MAXLEN_NEWPASSWORD);
             }
 
-            SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential: null);
+            SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential: null, accessToken: null);
 
             SqlConnectionString connectionOptions = SqlConnectionFactory.FindSqlConnectionOptions(key);
             if (connectionOptions.IntegratedSecurity)
@@ -1403,7 +1471,7 @@ public static void ChangePassword(string connectionString, SqlCredential credent
                 throw ADP.InvalidArgumentLength(nameof(newSecurePassword), TdsEnums.MAXLEN_NEWPASSWORD);
             }
 
-            SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential);
+            SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential: null, accessToken: null);
 
             SqlConnectionString connectionOptions = SqlConnectionFactory.FindSqlConnectionOptions(key);
 
@@ -1441,7 +1509,7 @@ private static void ChangePassword(string connectionString, SqlConnectionString
                 if (con != null)
                     con.Dispose();
             }
-            SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential);
+            SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential: null, accessToken: null);
 
             SqlConnectionFactory.SingletonInstance.ClearPool(key);
         }

src/System.Data.SqlClient/src/System/Data/SqlClient/SqlConnectionFactory.cs

@@ -132,7 +132,7 @@ override protected DbConnectionInternal CreateConnection(DbConnectionOptions opt
                 opt = new SqlConnectionString(opt, instanceName, userInstance: false, setEnlistValue: null);
                 poolGroupProviderInfo = null; // null so we do not pass to constructor below...
             }
-            result = new SqlInternalConnectionTds(identity, opt, key.Credential, poolGroupProviderInfo, "", null, redirectedUserInstance, userOpt, recoverySessionData, applyTransientFaultHandling: applyTransientFaultHandling);
+            result = new SqlInternalConnectionTds(identity, opt, key.Credential, poolGroupProviderInfo, "", null, redirectedUserInstance, userOpt, recoverySessionData, applyTransientFaultHandling: applyTransientFaultHandling, key.AccessToken);
             return result;
         }
 

src/System.Data.SqlClient/src/System/Data/SqlClient/SqlConnectionPoolKey.cs

@@ -7,6 +7,7 @@
 //------------------------------------------------------------------------------
 
 using System.Data.Common;
+using System.Diagnostics;
 
 namespace System.Data.SqlClient
 {
@@ -16,16 +17,20 @@ internal class SqlConnectionPoolKey : DbConnectionPoolKey
     {
         private int _hashValue;
         private SqlCredential _credential;
+        private readonly string _accessToken;
 
-        internal SqlConnectionPoolKey(string connectionString, SqlCredential credential) : base(connectionString)
+        internal SqlConnectionPoolKey(string connectionString, SqlCredential credential, string accessToken) : base(connectionString)
         {
+            Debug.Assert(_credential == null || _accessToken == null, "Credential and AccessToken can't have the value at the same time.");
             _credential = credential;
+            _accessToken = accessToken;
             CalculateHashCode();
         }
 
         private SqlConnectionPoolKey(SqlConnectionPoolKey key) : base(key)
         {
             _credential = key.Credential;
+            _accessToken = key.AccessToken;
             CalculateHashCode();
         }
 
@@ -50,12 +55,12 @@ internal override string ConnectionString
 
         internal SqlCredential Credential => _credential;
 
+        internal string AccessToken => _accessToken;
+
         public override bool Equals(object obj)
         {
             SqlConnectionPoolKey key = obj as SqlConnectionPoolKey;
-            return (key != null &&
-                ConnectionString == key.ConnectionString &&
-                Credential == key.Credential);
+            return (key != null && _credential == key._credential && ConnectionString == key.ConnectionString && Object.ReferenceEquals(_accessToken, key._accessToken));
         }
 
         public override int GetHashCode()
@@ -74,6 +79,13 @@ private void CalculateHashCode()
                     _hashValue = _hashValue * 17 + _credential.GetHashCode();
                 }
             }
+            else if (_accessToken != null)
+            {
+                unchecked
+                {
+                    _hashValue = _hashValue * 17 + _accessToken.GetHashCode();
+                }
+            }
         }
     }
 }