Skip to content

Enable ExtendedProtectionPolicy in generic System.Net.Security build #88871

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 17, 2023
Merged

Enable ExtendedProtectionPolicy in generic System.Net.Security build #88871

merged 2 commits into from
Jul 17, 2023

Conversation

@filipnavara
Copy link
Member

Fixes #77405

@ghost ghost added area-System.Net.Security community-contribution Indicates that the PR has been added by a community member labels Jul 13, 2023
@ghost
Copy link

ghost commented Jul 13, 2023

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

Fixes #77405

Author: filipnavara
Assignees: -
Labels:

area-System.Net.Security
Milestone: -

filipnavara
filipnavara commented Jul 13, 2023
View reviewed changes
...t.Security/src/System/Security/Authentication/ExtendedProtection/ExtendedProtectionPolicy.cs
{
// .NET Core is supported only on Win7+ where ExtendedProtection is supported.
return true;
return OperatingSystem.IsWindows();
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is controversial. I can change it to !OperatingSystem.IsBrowser() to be on the safe side and behave like older .NET versions did. However, the reality is that it's not really implemented on Linux/macOS either. Some bits and pieces may have effect (eg. SPN validation for NTLM Negotiation) but others are blatantly ignored (https://github.com/dotnet/runtime/pull/87930/files#r1263108882).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's better to say it's not supported when there's known gaps than to say it's supported and have the consumer believe ExtendedProtection is being used when it's actually not. It's off by default, so if you explicitly turn it on, it should actually do the expected thing.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is OK. I feel it is better to claim false if the functionality is not clear or complete.

@filipnavara filipnavara requested a review from wfurt July 13, 2023 22:35
@filipnavara filipnavara mentioned this pull request Jul 13, 2023
Closed
@filipnavara filipnavara requested a review from mconnew July 13, 2023 22:40
This was referenced Jul 14, 2023
Closed
Closed
Closed
Closed
@filipnavara filipnavara marked this pull request as ready for review July 14, 2023 06:26
wfurt
wfurt reviewed Jul 16, 2023
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally looks good to me.

===========================================================================================================
/private/tmp/helix/working/ADA60906/w/A14A08D2/e /private/tmp/helix/working/ADA60906/w/A14A08D2/e
  Discovering: System.Net.Security.Unit.Tests (method display = ClassAndMethod, method display options = None)
  Discovered:  System.Net.Security.Unit.Tests (found 73 of 76 test cases)
  Starting:    System.Net.Security.Unit.Tests (parallel test collections = on, max threads = 6)
    System.Net.Security.Tests.ExtendedProtectionPolicyTest.ExtendedProtectionPolicy_OSSupportsExtendedProtection [FAIL]
      Assert.True() Failure
      Expected: True
      Actual:   False
      Stack Trace:
        /_/src/libraries/System.Net.Security/tests/UnitTests/System/Security/Authentication/ExtendedProtection/ExtendedProtectionPolicyTest.cs(62,0): at System.Net.Security.Tests.ExtendedProtectionPolicyTest.ExtendedProtectionPolicy_OSSupportsExtendedProtection()
        /_/src/mono/System.Private.CoreLib/src/System/Reflection/MethodInvoker.Mono.cs(30,0): at System.Reflection.MethodInvoker.InterpretedInvoke(Object obj, IntPtr* args)
        /_/src/libraries/System.Private.CoreLib/src/System/Reflection/MethodInvoker.cs(59,0): at System.Reflection.MethodInvoker.Invoke(Object obj, IntPtr* args, BindingFlags invokeAttr)
    System.Net.Security.Tests.NegotiateAuthenticationTests.Package_Unsupported_NTLM [SKIP]
      Condition(s) not met: "IsNtlmUnavailable"
  Finished:    System.Net.Security.Unit.Tests
=== TEST EXECUTION SUMMARY ===

seems like test failures are related - because of updated OSSupportsExtendedProtection

@filipnavara
Copy link
Member Author

I'll check. I missed it in all the test noise.

@filipnavara
Copy link
Member Author

Fixed.

@build-analysis build-analysis bot mentioned this pull request Jul 17, 2023
Closed
@wfurt
Copy link
Member

wfurt commented Jul 17, 2023

test failures unrelated.

@wfurt wfurt merged commit 15e9370 into dotnet:main Jul 17, 2023
@filipnavara filipnavara deleted the ExtendedProtectionPolicy branch July 17, 2023 17:38
@karelz karelz added this to the 8.0.0 milestone Aug 1, 2023
@ghost ghost locked as resolved and limited conversation to collaborators Aug 31, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@wfurt wfurt wfurt left review comments

@mconnew mconnew mconnew approved these changes

Assignees

No one assigned

Labels

area-System.Net.Security community-contribution Indicates that the PR has been added by a community member

Projects

None yet

Milestone

8.0.0

Development

Successfully merging this pull request may close these issues.

ExtendedProtectionPolicy constructor throws unnecessarily on WASM

4 participants

@filipnavara @wfurt @mconnew @karelz