Skip to content

Expose SspiAuthenticationParameters on SspiContextProvider #2454

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
May 13, 2025
Merged

Expose SspiAuthenticationParameters on SspiContextProvider #2454

merged 13 commits into from
May 13, 2025

Conversation

twsouthwick
Copy link
Member

@twsouthwick twsouthwick commented Apr 8, 2024
edited
Loading

This change updates the SSPI context provider to surface information to implementers via SqlAuthenticationParameters.

This also expands #2559 to loop through all SPNs in the base SSPIContextProvider rather than just a specific implementation.

Part of #2253

@twsouthwick twsouthwick mentioned this pull request Apr 8, 2024
Open
9 tasks
@twsouthwick twsouthwick force-pushed the auth-params branch 3 times, most recently from 4f6c051 to 80e90cd Compare April 10, 2024 19:50
@codecov Codecov
Copy link

codecov bot commented May 8, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 79.31034% with 12 lines in your changes missing coverage. Please review.

Project coverage is 61.43%. Comparing base (17621da) to head (f7c90b4).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
...crosoft/Data/SqlClient/SSPI/SspiContextProvider.cs 75.00% 8 Missing ⚠️
.../netcore/src/Microsoft/Data/SqlClient/TdsParser.cs 0.00% 1 Missing ⚠️
...t/Data/SqlClient/SSPI/NativeSspiContextProvider.cs 66.66% 1 Missing ⚠️
...ata/SqlClient/SSPI/NegotiateSspiContextProvider.cs 88.88% 1 Missing ⚠️
...ata/SqlClient/SSPI/SspiAuthenticationParameters.cs 88.88% 1 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (17621da) and HEAD (f7c90b4). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (17621da) HEAD (f7c90b4)
addons 1 0
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2454      +/-   ##
==========================================
- Coverage   67.03%   61.43%   -5.61%     
==========================================
  Files         299      294       -5     
  Lines       65497    65207     -290     
==========================================
- Hits        43907    40057    -3850     
- Misses      21590    25150    +3560
Flag Coverage Δ
addons ?
netcore 66.63% <73.21%> (-5.58%) ⬇️
netfx 59.57% <65.21%> (-5.55%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@twsouthwick twsouthwick mentioned this pull request May 8, 2024
Open
@twsouthwick twsouthwick force-pushed the auth-params branch 3 times, most recently from 86512cb to ff9a983 Compare February 3, 2025 19:29
@twsouthwick twsouthwick force-pushed the auth-params branch 3 times, most recently from 96b5fb5 to 2f6ddef Compare March 3, 2025 19:19
@twsouthwick twsouthwick requested a review from mdaigle March 3, 2025 19:21
@twsouthwick
Copy link
Member Author

@mdaigle next step for sspi :)

@twsouthwick twsouthwick marked this pull request as ready for review March 3, 2025 19:28
@twsouthwick
Pass SqlAuthenticationParameters in GenerateSspiClientContext
8adfef4 
As part of this change, the SSPIContextProvider base class now iterates through all the server names similar to what NegotiateSSPIContextProvider did.
@cheenamalhotra cheenamalhotra requested a review from a team March 6, 2025 16:03
@twsouthwick
Copy link
Member Author

ping @mdaigle @cheenamalhotra

@mdaigle
Copy link
Contributor

mdaigle commented Mar 13, 2025

Hey @twsouthwick, I'll try to take a look at this today!

@twsouthwick
Copy link
Member Author

The errors appear to also be on main and are an "Access denied" for something related to certificates. It doesn't appear to be caused by my change, but let me know if you believe it is.

mdaigle
mdaigle reviewed Mar 14, 2025
View reviewed changes
Copy link
Contributor

@mdaigle mdaigle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this all makes sense to me. I'll take another look tomorrow and also see why the tests are failing.

mdaigle
mdaigle reviewed Mar 14, 2025
View reviewed changes
Copy link
Contributor

@mdaigle mdaigle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests should be green now. We had a build agent issue that was resolved yesterday.

src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SSPI/SSPIContextProvider.cs Outdated
{
var auth = new SqlAuthenticationParameters.Builder(
authenticationMethod: connection.ConnectionOptions.Authentication,
resource: null,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm trying to think of the best way to populate this. In other usage, I see serverSpn getting set as the resource and dataSource getting set as the serverName. I think it makes sense to continue that pattern here given that serverName and server SPN may be different.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SqlClient/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlInternalConnectionTds.cs

Line 2437 in e0fa87b

var authParamsBuilder = new SqlAuthenticationParameters.Builder(

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm also not sure how to feel about authority. In federated auth, it's assumed that authority will be present, but here we don't set a value.

Let me chat with the team to see if we'd prefer to create a new type to better represent this set of credentials.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good. I refactored the builder so that the same pattern can be had wherever it's used if we want to use the existing SqlAuthenticationParameters

paulmedynski
paulmedynski requested changes Apr 2, 2025
View reviewed changes
@paulmedynski paulmedynski self-assigned this Apr 2, 2025
@twsouthwick twsouthwick changed the title Expose SqlAuthenticationParameters on SSPIContextProvider Expose SspiAuthenticationParameters on SSPIContextProvider May 1, 2025
@twsouthwick twsouthwick changed the title Expose SspiAuthenticationParameters on SSPIContextProvider Expose SspiAuthenticationParameters on SspiContextProvider May 1, 2025
@mdaigle mdaigle requested a review from a team May 12, 2025 22:44
@twsouthwick twsouthwick merged commit 46b88bf into dotnet:main May 13, 2025
237 checks passed
@twsouthwick twsouthwick deleted the auth-params branch May 13, 2025 14:31
vonzshik
vonzshik reviewed May 13, 2025
View reviewed changes
src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SSPI/NegotiateSspiContextProvider.cs
{
NegotiateAuthenticationStatusCode statusCode = NegotiateAuthenticationStatusCode.UnknownCredentials;

_negotiateAuth ??= new(new NegotiateAuthenticationClientOptions { Package = "Negotiate", TargetName = authParams.Resource });
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm probably missing something, but from my understanding SspiContextProvider attempts to generate sspi context by iterating over each serverSpns (which is passed via authParams.Resource). But because _negotiateAuth is cached here, if it fails for the first spn, it's also going to fail for the others since it's going to be the exact same spn.

Copy link
Contributor

@mdaigle mdaigle May 13, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, nice catch! The implementation used to reset _negotiateAuth to null if authentication failed, but that's missing now. @twsouthwick can we correct it in a follow up PR?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will do - good catch. I'll open a separate PR for that.

The looping was added independently of the work I've been doing, so I'm not fully aware of how it's expected to work.

It opens a question as to the design I've moved this to - if we have a list of SPNs, what's the expected outcome? I think things will be just fine if it's the first SPN that completes the SSPI handshake. However if it's the second, on subsequent attempts it will be trying the first again. I can update the SspiContextProvider base to keep track of what was the successfull SPN to only submit that on subsequent calls.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's the PR to add that back: #3347

@twsouthwick twsouthwick mentioned this pull request May 14, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mdaigle mdaigle mdaigle approved these changes

@vonzshik vonzshik vonzshik left review comments

@paulmedynski paulmedynski paulmedynski approved these changes

@David-Engel David-Engel Awaiting requested review from David-Engel

@benrr101 benrr101 Awaiting requested review from benrr101

Assignees

@paulmedynski paulmedynski

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@twsouthwick @mdaigle @benrr101 @vonzshik @David-Engel @paulmedynski