Add MultiCredentialSecurityTokenManager to handle CoreWCF service certificates

Author: afifi-ins

src/System.Private.ServiceModel/tests/Common/Scenarios/ScenarioTestHelpers.cs

@@ -210,6 +210,12 @@ public static void CloseCommunicationObjects(params ICommunicationObject[] objec
             {
                 comObj.Abort();
             }
+            catch (System.Net.WebSockets.WebSocketException)
+            {
+                // WCF Client has a bug which throws WebSocketException when the server closes the connection.
+                // The remote party closed the WebSocket connection without completing the close handshake.
+                comObj.Abort();
+            }
         }
     }
 

src/System.Private.ServiceModel/tests/Scenarios/Client/ExpectedExceptions/ExpectedExceptionTests.4.1.0.cs

@@ -328,7 +328,6 @@ public static void DuplexCallback_Throws_FaultException_ReturnsFaultedTask()
     }
 
     [WcfFact]
-    [Condition(nameof(Skip_CoreWCFService_FailedTest))]
     [OuterLoop]
     // Verify product throws MessageSecurityException when the Dns identity from the server does not match the expectation
     public static void TCP_ServiceCertExpired_Throw_MessageSecurityException()
@@ -372,7 +371,6 @@ public static void TCP_ServiceCertExpired_Throw_MessageSecurityException()
     }
 
     [WcfFact]
-    [Condition(nameof(Skip_CoreWCFService_FailedTest))]
     [OuterLoop]
     // Verify product throws SecurityNegotiationException when the service cert is revoked
     public static void TCP_ServiceCertRevoked_Throw_SecurityNegotiationException()
@@ -420,7 +418,6 @@ public static void TCP_ServiceCertRevoked_Throw_SecurityNegotiationException()
     }
 
     [WcfFact]
-    [Condition(nameof(Skip_CoreWCFService_FailedTest))]
     [OuterLoop]
     // Verify product throws SecurityNegotiationException when the service cert only has the ClientAuth usage
     public static void TCP_ServiceCertInvalidEKU_Throw_SecurityNegotiationException()

src/System.Private.ServiceModel/tests/Scenarios/Extensibility/WebSockets/WebSocketTests.4.1.0.cs

@@ -168,8 +168,12 @@ public static void WebSocket_Http_Duplex_Buffered(NetHttpMessageEncoding message
                 "The logging done by the Server was not returned via the Callback.");
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {
@@ -236,8 +240,12 @@ public static void WebSocket_Http_Duplex_Buffered_KeepAlive(NetHttpMessageEncodi
                 "The logging done by the Server was not returned via the Callback.");
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {
@@ -416,7 +424,6 @@ public static void WebSocket_Https_Duplex_Buffered(NetHttpMessageEncoding messag
     }
 
     [WcfTheory]
-    [Condition(nameof(Skip_CoreWCFService_FailedTest))]
     [InlineData(NetHttpMessageEncoding.Binary)]
     [InlineData(NetHttpMessageEncoding.Text)]
     [InlineData(NetHttpMessageEncoding.Mtom)]
@@ -472,8 +479,12 @@ public static void WebSocket_Http_RequestReply_Streamed(NetHttpMessageEncoding m
             }
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {
@@ -487,7 +498,6 @@ public static void WebSocket_Http_RequestReply_Streamed(NetHttpMessageEncoding m
     [InlineData(NetHttpMessageEncoding.Text)]
     [InlineData(NetHttpMessageEncoding.Mtom)]
     [Issue(1438, OS = OSID.Windows_7)]  // not supported on Win7
-    [Condition(nameof(Skip_CoreWCFService_FailedTest))]
     [OuterLoop]
     public static void WebSocket_Http_RequestReply_Buffered(NetHttpMessageEncoding messageEncoding)
     {
@@ -527,8 +537,12 @@ public static void WebSocket_Http_RequestReply_Buffered(NetHttpMessageEncoding m
             }
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {
@@ -541,7 +555,6 @@ public static void WebSocket_Http_RequestReply_Buffered(NetHttpMessageEncoding m
     [InlineData(NetHttpMessageEncoding.Binary)]
     [InlineData(NetHttpMessageEncoding.Text)]
     [InlineData(NetHttpMessageEncoding.Mtom)]
-    [Condition(nameof(Skip_CoreWCFService_FailedTest))]
     [Issue(1438, OS = OSID.Windows_7)]  // not supported on Win7
     [OuterLoop]
     public static void WebSocket_Http_RequestReply_Buffered_KeepAlive(NetHttpMessageEncoding messageEncoding)
@@ -582,8 +595,12 @@ public static void WebSocket_Http_RequestReply_Buffered_KeepAlive(NetHttpMessage
             }
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {
@@ -596,8 +613,7 @@ public static void WebSocket_Http_RequestReply_Buffered_KeepAlive(NetHttpMessage
     [InlineData(NetHttpMessageEncoding.Binary)]
     [InlineData(NetHttpMessageEncoding.Text)]
     [InlineData(NetHttpMessageEncoding.Mtom)]
-    [Condition(nameof(Root_Certificate_Installed),
-               nameof(Skip_CoreWCFService_FailedTest))]
+    [Condition(nameof(Root_Certificate_Installed))]
     [Issue(3572, OS = OSID.OSX)]
     [Issue(1438, OS = OSID.Windows_7)]  // not supported on Win7
     [OuterLoop]
@@ -638,8 +654,12 @@ public static void WebSocket_Https_RequestReply_Buffered(NetHttpMessageEncoding
             }
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {
@@ -652,8 +672,7 @@ public static void WebSocket_Https_RequestReply_Buffered(NetHttpMessageEncoding
     [InlineData(NetHttpMessageEncoding.Binary)]
     [InlineData(NetHttpMessageEncoding.Text)]
     [InlineData(NetHttpMessageEncoding.Mtom)]
-    [Condition(nameof(Root_Certificate_Installed),
-               nameof(Skip_CoreWCFService_FailedTest))]
+    [Condition(nameof(Root_Certificate_Installed))]
     [Issue(3572, OS = OSID.OSX)]
     [Issue(1438, OS = OSID.Windows_7)]  // not supported on Win7
     [OuterLoop]
@@ -696,8 +715,12 @@ public static void WebSocket_Https_RequestReply_Buffered_KeepAlive(NetHttpMessag
             }
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {
@@ -862,8 +885,12 @@ public static void WebSocket_Http_VerifyWebSocketsUsed()
             Assert.True(responseFromService, String.Format("Response from the service was not expected. Expected: 'True' but got {0}", responseFromService));
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {

src/System.Private.ServiceModel/tools/IISHostedWcfService/App_code/CoreWCF/MultiCredentialSecurityTokenManager.cs

@@ -0,0 +1,55 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+#if NET
+using CoreWCF.Description;
+using CoreWCF.IdentityModel.Selectors;
+using CoreWCF.Security;
+using CoreWCF.Security.Tokens;
+
+namespace WcfService
+{
+    public class MultiCredentialSecurityTokenManager : ServiceCredentialsSecurityTokenManager
+    {
+        private readonly MultiCredentialServiceCredentials _parent;
+        private readonly Dictionary<string, ServiceCredentials> _map;
+
+        public MultiCredentialSecurityTokenManager(
+            MultiCredentialServiceCredentials parent,
+            Dictionary<string, ServiceCredentials> map)
+            : base(parent)
+        {
+            _parent = parent;
+            _map = map;
+        }
+
+        public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
+        {
+            if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement recipientRequirement)
+            {
+                var uri = recipientRequirement.ListenUri?.AbsolutePath;
+                if (!string.IsNullOrEmpty(uri) && _map.TryGetValue(uri, out var creds))
+                {
+                    return creds.CreateSecurityTokenManager().CreateSecurityTokenProvider(tokenRequirement);
+                }
+            }
+            return _parent.CreateOriginalSecurityTokenManager().CreateSecurityTokenProvider(tokenRequirement);
+        }
+
+        public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
+        {
+            if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement recipientRequirement)
+            {
+                var uri = recipientRequirement.ListenUri?.AbsolutePath;
+                if (!string.IsNullOrEmpty(uri) && _map.TryGetValue(uri, out var creds))
+                {
+                    return creds.CreateSecurityTokenManager().CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
+                }
+            }
+
+            return _parent.CreateOriginalSecurityTokenManager().CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
+        }
+    }
+}
+#endif

src/System.Private.ServiceModel/tools/IISHostedWcfService/App_code/CoreWCF/MultiCredentialServiceCredentials.cs

@@ -0,0 +1,43 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+#if NET
+using CoreWCF.Description;
+using CoreWCF.IdentityModel.Selectors;
+
+namespace WcfService
+{
+    public class MultiCredentialServiceCredentials : ServiceCredentials
+    {
+        private readonly Dictionary<string, ServiceCredentials> _serviceCredentialsMap = new();
+
+        public void AddServiceCredentials(string path, ServiceCredentials credentials)
+        {
+            _serviceCredentialsMap[path] = credentials;
+        }
+        
+        public IReadOnlyDictionary<string, ServiceCredentials> ServiceCredentialsMap => _serviceCredentialsMap;
+
+        public override SecurityTokenManager CreateSecurityTokenManager()
+        {
+            return new MultiCredentialSecurityTokenManager(this, _serviceCredentialsMap);
+        }
+
+        internal SecurityTokenManager CreateOriginalSecurityTokenManager()
+        {
+            return base.CreateSecurityTokenManager();
+        }
+
+        protected override ServiceCredentials CloneCore()
+        {
+            var clone = new MultiCredentialServiceCredentials();
+            foreach (var kvp in _serviceCredentialsMap)
+            {
+                clone.AddServiceCredentials(kvp.Key, kvp.Value.Clone());
+            }
+            return clone;
+        }
+    }
+}
+#endif

src/System.Private.ServiceModel/tools/IISHostedWcfService/App_code/CoreWCF/WcfServiceHost.cs

@@ -14,6 +14,7 @@ public class ServiceHost
         private ServiceHostBase _serviceHostBase = null;
         private readonly Type _serviceType;
         private readonly List<Endpoint> _endpoints = new List<Endpoint>();
+        private ServiceCredentials _localCredentials = null;
 
         public ServiceHost(Type serviceType, params Uri[] baseAddresses)
         {
@@ -50,7 +51,47 @@ public class Endpoint
 
         public Type ServiceType => _serviceHostBase != null ? _serviceHostBase.Description.ServiceType : _serviceType;
 
-        public ServiceCredentials Credentials => _serviceHostBase != null ? _serviceHostBase.Credentials : new ServiceCredentials();
+        public ServiceCredentials Credentials
+        {
+            get
+            {
+                if (_localCredentials != null)
+                {
+                    return _localCredentials;
+                }
+
+                _localCredentials = new ServiceCredentials();
+                var multiCreds = _serviceHostBase.Credentials as MultiCredentialServiceCredentials;
+                if (multiCreds == null)
+                {
+                    throw new Exception("Credentials should have been initialized with MultiCredentialServiceCredentials");
+                }
+                var attributes = this.GetType().GetCustomAttributes(typeof(TestServiceDefinitionAttribute), false);
+                if (attributes != null)
+                {
+                    foreach (var attribute in attributes)
+                    {
+                        var basePath = "/" + ((TestServiceDefinitionAttribute)attribute).BasePath;
+                        if (!string.IsNullOrEmpty(basePath))
+                        {
+                            foreach (var endpoint in _endpoints)
+                            {
+                                var path = string.IsNullOrEmpty(endpoint.Address) ? basePath : basePath + "/" + endpoint.Address;
+                                if (!multiCreds.ServiceCredentialsMap.TryGetValue(path, out var creds))
+                                {
+                                    multiCreds.AddServiceCredentials(path, _localCredentials);
+                                }
+                                else
+                                {
+                                    _localCredentials = creds;
+                                }
+                            }
+                        }
+                    }
+                }
+                return _localCredentials;
+            }
+        }
 
         public ServiceDescription Description => _serviceHostBase != null ? _serviceHostBase.Description : new ServiceDescription();
     }

src/System.Private.ServiceModel/tools/IISHostedWcfService/App_code/TestDefinitionHelper.cs

@@ -71,6 +71,7 @@ internal static async Task<IWebHost> StartHosts(bool useWebSocket)
         {
             bool success = true;
             var serviceTestHostOptionsDict = new Dictionary<string, ServiceTestHostOptions>();
+            var multiCreds = new MultiCredentialServiceCredentials();
 
             var webHostBuilder = new WebHostBuilder()
                 .ConfigureLogging((ILoggingBuilder logging) =>
@@ -256,7 +257,13 @@ internal static async Task<IWebHost> StartHosts(bool useWebSocket)
 
                                         smb.HttpGetEnabled = true;
                                     }
-                                    
+
+                                    var creds = serviceHostBase.Description.Behaviors.Find<ServiceCredentials>();
+                                    if (creds != null)
+                                    {
+                                        serviceHostBase.Description.Behaviors.Remove(creds);
+                                    }
+                                    serviceHostBase.Description.Behaviors.Add(multiCreds);
                                     serviceHost.ApplyConfig(serviceHostBase);
                                 });
                             }
@@ -272,8 +279,7 @@ internal static async Task<IWebHost> StartHosts(bool useWebSocket)
                             Console.BackgroundColor = bg;
                             Console.ForegroundColor = fg;
                         }
-                    }
-
+                    }                   
                 });
             });