IMDSv2 mTLS PoP: add best‑effort persisted binding‑cert cache (Windows CurrentUser\My) layered over in‑memory cache; per‑alias mutex; tests #5566
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System; | ||
|
|
||
| namespace Microsoft.Identity.Client.ManagedIdentity.V2 | ||
| { | ||
| /// <summary> | ||
| /// Encodes/decodes the persisted X.509 FriendlyName for MSAL mTLS certs. | ||
| /// Format: "MSAL|alias=cacheKey|ep=endpointBase" | ||
|
There was a problem hiding this comment. what is alias, cachekey, ep and endpoint base? |
||
| /// Open the cert store and look at FriendlyName to see examples. | ||
| /// Wish we could paste a screenshot here... Maybe I can show it in code walkthroughs. | ||
|
|
||
| /// </summary> | ||
| internal static class FriendlyNameCodec | ||
|
There was a problem hiding this comment. naming: MsiCertificateFriendlyNameEncoder ? |
||
| { | ||
| public const string Prefix = "MSAL|"; | ||
| public const string TagAlias = "alias"; | ||
| public const string TagEp = "ep"; | ||
|
|
||
| /// <summary> | ||
| /// Encodes alias and endpointBase into friendly name. | ||
| /// </summary> | ||
| /// <param name="alias"></param> | ||
| /// <param name="endpointBase"></param> | ||
| /// <param name="friendlyName"></param> | ||
| /// <returns></returns> | ||
| public static bool TryEncode(string alias, string endpointBase, out string friendlyName) | ||
|
There was a problem hiding this comment. nit: Avoid using these |
||
| { | ||
| friendlyName = null; | ||
|
|
||
| if (string.IsNullOrWhiteSpace(alias) || string.IsNullOrWhiteSpace(endpointBase)) | ||
| return false; | ||
|
|
||
| alias = alias.Trim(); | ||
| endpointBase = endpointBase.Trim(); | ||
|
|
||
| // Forbid characters that would break our simple delimiter-based grammar. | ||
| if (ContainsIllegal(alias) || ContainsIllegal(endpointBase)) | ||
| return false; | ||
|
|
||
| friendlyName = Prefix + TagAlias + "=" + alias + "|" + TagEp + "=" + endpointBase; | ||
| return true; | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Decodes friendly name into alias and endpointBase. | ||
| /// </summary> | ||
| /// <param name="friendlyName"></param> | ||
| /// <param name="alias"></param> | ||
| /// <param name="endpointBase"></param> | ||
| /// <returns></returns> | ||
| public static bool TryDecode(string friendlyName, out string alias, out string endpointBase) | ||
| { | ||
| alias = null; | ||
| endpointBase = null; | ||
|
|
||
| if (string.IsNullOrEmpty(friendlyName) || | ||
| !friendlyName.StartsWith(Prefix, StringComparison.Ordinal)) | ||
| { | ||
| return false; | ||
| } | ||
|
|
||
| // Example: MSAL|alias=<cacheKey>|ep=<endpointBase> | ||
| var payload = friendlyName.Substring(Prefix.Length); | ||
| var parts = payload.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries); | ||
|
|
||
| // Parse key-value pairs | ||
| foreach (var part in parts) | ||
| { | ||
| var kv = part.Split(new[] { '=' }, 2); | ||
| if (kv.Length != 2) | ||
| continue; | ||
|
|
||
| var k = kv[0].Trim(); | ||
| var v = kv[1].Trim(); | ||
|
|
||
| if (k.Equals(TagAlias, StringComparison.Ordinal)) | ||
| { | ||
| alias = v; // minimal: last-wins | ||
| } | ||
| else if (k.Equals(TagEp, StringComparison.Ordinal)) | ||
| { | ||
| endpointBase = v; | ||
| } | ||
| } | ||
|
|
||
| return !string.IsNullOrWhiteSpace(alias) && !string.IsNullOrWhiteSpace(endpointBase); | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Checks for illegal characters in alias/endpointBase. | ||
| /// Endpoint itself comes from IMDS and is well-formed, but we still validate. | ||
|
|
||
| /// </summary> | ||
| /// <param name="value"></param> | ||
| /// <returns></returns> | ||
| private static bool ContainsIllegal(string value) | ||
| { | ||
| for (int i = 0; i < value.Length; i++) | ||
| { | ||
| char c = value[i]; | ||
| if (c == '|' || c == '\r' || c == '\n' || c == '\0') | ||
| return true; | ||
| } | ||
| return false; | ||
| } | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System; | ||
| using System.Security.Cryptography; | ||
| using System.Text; | ||
| using System.Threading; | ||
| using Microsoft.Identity.Client.PlatformsCommon.Shared; | ||
|
|
||
| namespace Microsoft.Identity.Client.ManagedIdentity.V2 | ||
| { | ||
| /// <summary> | ||
| /// Cross-process lock based on a per-alias named mutex. | ||
|
|
||
| /// </summary> | ||
| internal static class InterprocessLock | ||
| { | ||
| public static bool TryWithAliasLock( | ||
| string alias, | ||
| TimeSpan timeout, | ||
| Action action, | ||
| Action<string> logVerbose = null) | ||
| { | ||
| var nameGlobal = GetMutexNameForAlias(alias, preferGlobal: true); | ||
| var nameLocal = GetMutexNameForAlias(alias, preferGlobal: false); | ||
|
There was a problem hiding this comment. Explain in comment why you need 2 mutexes |
||
|
|
||
| foreach (var name in new[] { nameGlobal, nameLocal }) | ||
| { | ||
| try | ||
| { | ||
| using var m = new Mutex(false, name); | ||
| bool entered; | ||
| try | ||
| { | ||
| entered = m.WaitOne(timeout); | ||
| } | ||
| catch (AbandonedMutexException) | ||
| { | ||
| entered = true; // prior holder crashed | ||
| } | ||
|
|
||
| if (!entered) | ||
| { | ||
| logVerbose?.Invoke($"[PersistentCert] Skip persist (lock busy '{name}')."); | ||
| return false; | ||
| } | ||
|
|
||
| try | ||
| { action(); } | ||
| finally | ||
| { | ||
| try | ||
| { m.ReleaseMutex(); } | ||
| catch { /* best-effort */ } | ||
| } | ||
|
|
||
| return true; | ||
| } | ||
| catch (UnauthorizedAccessException) | ||
| { | ||
| logVerbose?.Invoke($"[PersistentCert] No access to mutex scope '{name}', trying next."); | ||
| continue; // try Local if Global blocked | ||
| } | ||
| catch (Exception ex) | ||
| { | ||
| logVerbose?.Invoke($"[PersistentCert] Lock failure '{name}': {ex.Message}"); | ||
| return false; | ||
| } | ||
| } | ||
|
|
||
| return false; | ||
| } | ||
|
|
||
| public static string GetMutexNameForAlias(string alias, bool preferGlobal = true) | ||
| { | ||
| string suffix = HashAlias(Canonicalize(alias)); | ||
|
There was a problem hiding this comment. Do you need to hash? How long are the aliases? Maybe you can avoid hashing here. |
||
| return (preferGlobal ? @"Global\" : @"Local\") + "MSAL_MI_P_" + suffix; | ||
| } | ||
|
|
||
| private static string Canonicalize(string alias) => (alias ?? string.Empty).Trim().ToUpperInvariant(); | ||
|
|
||
| private static string HashAlias(string s) | ||
| { | ||
| try | ||
| { | ||
| var hex = new CommonCryptographyManager().CreateSha256HashHex(s); | ||
| // Truncate to 32 chars to fit mutex name length limits | ||
| return string.IsNullOrEmpty(hex) ? "0" : (hex.Length > 32 ? hex.Substring(0, 32) : hex); | ||
| } | ||
| catch | ||
| { | ||
| return "0"; | ||
| } | ||
| } | ||
| } | ||
| } | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you give more examples here? This format is not clear.