dotnet / runtime


[API Proposal]: Provide a way to get delegated credentials handle (linux client -> linux server scenario) #104385

Open deryaza opened 3 months ago

deryaza commented 3 months ago

Background and motivation

From what I understand, the delegated credentials are retrieved in the last parameter of this invocation: https://github.com/dotnet/runtime/blob/main/src/native/libs/System.Net.Security.Native/pal_gssapi.c#L415C1-L426C1

So, as far as I can tell, there is no way to use those since they are discarded.

API Proposal

Make the RemoteIdentity property return something like:

using System.Runtime.InteropServices; // SafeHandle

namespace System.Security.Principal
{
    // Proposed identity type: the GenericIdentity the Unix implementation already
    // returns, plus the delegated GSS credential handle that is currently dropped.
    public class GssDelegatedIdentity : GenericIdentity
    {
        public GssDelegatedIdentity(string name, string type, SafeHandle credentialsHandle) : base(name, type)
        {
            CredentialsHandle = credentialsHandle;
        }

        // Handle to the delegated credentials received during the server-side handshake.
        public SafeHandle CredentialsHandle { get; }
    }
}

and options to accept:

using System.Security.Principal; // IIdentity

namespace System.Net.Security
{
    public class NegotiateAuthenticationClientOptions
    {
        // Proposed addition (marked with '+'): the identity whose delegated
        // credentials the client should use for the next hop.
+        public IIdentity? DelegatedIdentity { get; set; }
    }
}

API Usage

using System;
using System.Net.Security;
using System.Security.Principal;

NegotiateAuthentication negotiateAuthentication = new(new NegotiateAuthenticationServerOptions()
{
    RequiredImpersonationLevel = TokenImpersonationLevel.Delegation,
});

// auth loop

IIdentity negotiateAuthenticationRemoteIdentity = negotiateAuthentication.RemoteIdentity;
if (negotiateAuthenticationRemoteIdentity is not GssDelegatedIdentity gssIdentity)
{
    throw new InvalidOperationException("Remote identity carries no delegated credentials.");
}

NegotiateAuthentication clientAuth = new(new NegotiateAuthenticationClientOptions()
{
    AllowedImpersonationLevel = TokenImpersonationLevel.Delegation,
    TargetName = "foo",
    DelegatedIdentity = gssIdentity
});

// auth loop

Alternative Designs

Probably, instead of adding NegotiateAuthenticationClientOptions.DelegatedIdentity, Thread.CurrentPrincipal could be used, but I think it's not as good.

Risks

No response
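The proposal above leaves the two "auth loop" steps as comments. The following is an added example, not code from the issue or from the dotnet/runtime repository: it drives the server and client halves of a Negotiate handshake in-process with the NegotiateAuthentication API that ships today, and shows what the accepting service can check about the caller before treating it as a delegable identity. It assumes a Kerberos environment (the client process has a ticket cache, the server process has a keytab for the target service); the service principal name "HTTP/backend.example.test" is a placeholder, and the `RequiredProtectionLevel` settings are this example's choice rather than anything the issue specifies.

```csharp
using System;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Principal;

// Added example (not from the issue or dotnet/runtime). Fills in the
// "// auth loop" that the proposal elides and shows the server-side checks
// that should precede any use of a delegated credential.
static class DelegationHandshake
{
    // Placeholder SPN; a real deployment uses the service's registered principal.
    const string PlaceholderSpn = "HTTP/backend.example.test";

    public static NegotiateAuthentication CreateServer() =>
        new(new NegotiateAuthenticationServerOptions
        {
            // Reject callers whose ticket does not permit delegation; the handshake
            // then ends with ImpersonationValidationFailed instead of Completed.
            RequiredImpersonationLevel = TokenImpersonationLevel.Delegation,
            RequiredProtectionLevel = ProtectionLevel.EncryptAndSign,
        });

    public static NegotiateAuthentication CreateClient() =>
        new(new NegotiateAuthenticationClientOptions
        {
            TargetName = PlaceholderSpn,
            AllowedImpersonationLevel = TokenImpersonationLevel.Delegation,
            RequiredProtectionLevel = ProtectionLevel.EncryptAndSign,
        });

    // Drives the token exchange in-process. In a real deployment each blob
    // crosses the wire, e.g. in Authorization / WWW-Authenticate headers.
    public static void RunHandshake(NegotiateAuthentication client, NegotiateAuthentication server)
    {
        byte[]? toServer = client.GetOutgoingBlob(ReadOnlySpan<byte>.Empty,
                                                  out NegotiateAuthenticationStatusCode clientStatus);
        while (toServer is not null)
        {
            Check("client", clientStatus);
            byte[]? toClient = server.GetOutgoingBlob(toServer,
                                                      out NegotiateAuthenticationStatusCode serverStatus);
            Check("server", serverStatus);
            if (toClient is null) break; // server finished without a final token to return
            toServer = client.GetOutgoingBlob(toClient, out clientStatus);
        }

        if (!client.IsAuthenticated || !server.IsAuthenticated)
            throw new AuthenticationException("handshake ended without both sides authenticated");
    }

    // Any status other than Completed/ContinueNeeded is a failure; surface it
    // rather than continuing with a half-finished context.
    static void Check(string side, NegotiateAuthenticationStatusCode code)
    {
        if (code is not (NegotiateAuthenticationStatusCode.Completed
                         or NegotiateAuthenticationStatusCode.ContinueNeeded))
            throw new AuthenticationException($"{side}: {code}");
    }

    // What the accepting service can learn about the caller today. On Linux
    // RemoteIdentity is a plain GenericIdentity with no credential handle behind
    // it, which is exactly the gap the proposal describes.
    public static (string Name, TokenImpersonationLevel Level, bool Encrypted) DescribeCaller(
        NegotiateAuthentication server)
    {
        IIdentity who = server.RemoteIdentity;
        return (who.Name, server.ImpersonationLevel, server.IsEncrypted);
    }
}

// Usage:
// var server = DelegationHandshake.CreateServer();
// var client = DelegationHandshake.CreateClient();
// DelegationHandshake.RunHandshake(client, server);
// var (name, level, encrypted) = DelegationHandshake.DescribeCaller(server);
```

The tuple returned by `DescribeCaller` is what a service has to reason about before making an onward call on the caller's behalf: `Level` confirms the ticket actually permitted delegation, and `Encrypted` confirms the negotiated context meets the protection level the options demanded. Under the proposal, the client options built in `CreateClient` would additionally carry the `GssDelegatedIdentity` obtained from `server.RemoteIdentity`; until then, the delegated credential the GSS layer received has no managed surface on Linux.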

dotnet-policy-service[bot] commented 3 months ago

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones. See info in area-owners.md if you want to be subscribed.

rzikm commented 3 months ago

Triage: we usually don't add features that are available only on a particular platform unless we have a strong justification. I will tentatively put this to future for now; we might consider adding this if there are enough upvotes.

deryaza commented 3 months ago

This is sad :(

While this API is designed for a specific platform, it will still offer functionality similar to WindowsIdentity on other platforms, which provides a bit more consistent experience across different environments. Plus, if we are talking about delegation, this API (which can be changed) will provide an abstract way of using WindowsIdentity delegation functionality, abstracting it to IIdentity (because there is no need to cast it to WindowsIdentity and call the RunImpersonated method; just assign it to DelegatedIdentity in NegotiateAuthenticationClientOptions). @rzikm