Merge pull request dotnet#60880 from vseanreesermsft/internal-merge-9.0-2025-03-11-1249

Merging internal commits for release/9.0

Author: wtgodbe

.azure/pipelines/ci.yml

@@ -97,14 +97,14 @@ variables:
   - name: WindowsArm64InstallersLogArgs
     value: /bl:artifacts/log/Release/Build.Installers.Arm64.binlog
 - name: _InternalRuntimeDownloadArgs
-  value: -RuntimeSourceFeed https://dotnetbuilds.blob.core.windows.net/internal
+  value: -RuntimeSourceFeed https://ci.dot.net/internal
          -RuntimeSourceFeedKey $(dotnetbuilds-internal-container-read-token-base64)
          /p:DotNetAssetRootAccessTokenSuffix='$(dotnetbuilds-internal-container-read-token-base64)'
 # The code signing doesn't use the aspnet build scripts, so the msbuild parameters have to be passed directly. This
 # is awkward but necessary because the eng/common/ build scripts don't add the msbuild properties automatically.
 - name: _InternalRuntimeDownloadCodeSignArgs
   value: $(_InternalRuntimeDownloadArgs)
-         /p:DotNetRuntimeSourceFeed=https://dotnetbuilds.blob.core.windows.net/internal
+         /p:DotNetRuntimeSourceFeed=https://ci.dot.net/internal
          /p:DotNetRuntimeSourceFeedKey=$(dotnetbuilds-internal-container-read-token-base64)
 - group: DotNet-HelixApi-Access
 - ${{ if notin(variables['Build.Reason'], 'PullRequest') }}:

NuGet.config

@@ -4,8 +4,10 @@
     <clear />
     <!--Begin: Package sources managed by Dependency Flow automation. Do not edit the sources below.-->
     <!--  Begin: Package sources from dotnet-runtime -->
+    <add key="darc-int-dotnet-runtime-831d23e" value="https://pkgs.dev.azure.com/dnceng/internal/_packaging/darc-int-dotnet-runtime-831d23e5/nuget/v3/index.json" />
     <!--  End: Package sources from dotnet-runtime -->
     <!--  Begin: Package sources from dotnet-efcore -->
+    <add key="darc-int-dotnet-efcore-68c7e19" value="https://pkgs.dev.azure.com/dnceng/internal/_packaging/darc-int-dotnet-efcore-68c7e194/nuget/v3/index.json" />
     <!--  End: Package sources from dotnet-efcore -->
     <!--End: Package sources managed by Dependency Flow automation. Do not edit the sources above.-->
     <add key="dotnet-eng" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json" />
@@ -28,8 +30,10 @@
     <clear />
     <!--Begin: Package sources managed by Dependency Flow automation. Do not edit the sources below.-->
     <!--  Begin: Package sources from dotnet-efcore -->
+    <add key="darc-int-dotnet-efcore-68c7e19" value="true" />
     <!--  End: Package sources from dotnet-efcore -->
     <!--  Begin: Package sources from dotnet-runtime -->
+    <add key="darc-int-dotnet-runtime-831d23e" value="true" />
     <!--  End: Package sources from dotnet-runtime -->
     <!--End: Package sources managed by Dependency Flow automation. Do not edit the sources above.-->
   </disabledPackageSources>

eng/Version.Details.xml

@@ -58,12 +58,12 @@
       <PackageType>runtime</PackageType>
     </AdditionalDotNetPackage>
 
-    <AdditionalDotNetPackageFeed Include="https://dotnetbuilds.blob.core.windows.net/internal"
+    <AdditionalDotNetPackageFeed Include="https://ci.dot.net/internal"
                                  Condition="'$(SYSTEM_TEAMPROJECT)' == 'internal'">
       <SasToken>$([System.Environment]::GetEnvironmentVariable('DotNetBuildsInternalReadSasToken'))</SasToken>
     </AdditionalDotNetPackageFeed>
 
-    <AdditionalDotNetPackageFeed Include="https://dotnetbuilds.blob.core.windows.net/internal"
+    <AdditionalDotNetPackageFeed Include="https://ci.dot.net/internal"
                                  Condition="'$(SYSTEM_TEAMPROJECT)' == 'internal'">
       <SasToken>$([System.Environment]::GetEnvironmentVariable('DotNetBuildsInternalReadSasToken'))</SasToken>
     </AdditionalDotNetPackageFeed>

eng/Versions.props

@@ -560,9 +560,9 @@ This package is an internal implementation of the .NET Core SDK and is not meant
     <!-- Try various places to find the runtime. It's either released (use official version),
          public but un-released (use dotnetbuilds/public), or internal and unreleased (use dotnetbuilds/internal) -->
     <ItemGroup>
-      <UrisToDownload Include="https://dotnetcli.azureedge.net/dotnet/$(DotNetRuntimeDownloadPath)" />
-      <UrisToDownload Include="https://dotnetbuilds.azureedge.net/public/$(DotNetRuntimeDownloadPath)" />
-      <UrisToDownload Include="https://dotnetbuilds.azureedge.net/internal/$(DotNetRuntimeDownloadPath)"
+      <UrisToDownload Include="https://builds.dotnet.microsoft.com/dotnet/$(DotNetRuntimeDownloadPath)" />
+      <UrisToDownload Include="https://ci.dot.net/public/$(DotNetRuntimeDownloadPath)" />
+      <UrisToDownload Include="https://ci.dot.net/internal/$(DotNetRuntimeDownloadPath)"
           Condition=" '$(DotnetRuntimeSourceFeedKey)' != '' ">
         <token>$(DotnetRuntimeSourceFeedKey)</token>
       </UrisToDownload>

eng/helix/helix.proj

@@ -162,8 +162,21 @@ public virtual async Task<bool> CanSignInAsync(TUser user)
     public virtual async Task RefreshSignInAsync(TUser user)
     {
         var auth = await Context.AuthenticateAsync(AuthenticationScheme);
-        IList<Claim> claims = Array.Empty<Claim>();
+        if (!auth.Succeeded || auth.Principal?.Identity?.IsAuthenticated != true)
+        {
+            Logger.LogError("RefreshSignInAsync prevented because the user is not currently authenticated. Use SignInAsync instead for initial sign in.");
+            return;
+        }
 
+        var authenticatedUserId = UserManager.GetUserId(auth.Principal);
+        var newUserId = await UserManager.GetUserIdAsync(user);
+        if (authenticatedUserId == null || authenticatedUserId != newUserId)
+        {
+            Logger.LogError("RefreshSignInAsync prevented because currently authenticated user has a different UserId. Use SignInAsync instead to change users.");
+            return;
+        }
+
+        IList<Claim> claims = Array.Empty<Claim>();
         var authenticationMethod = auth?.Principal?.FindFirst(ClaimTypes.AuthenticationMethod);
         var amr = auth?.Principal?.FindFirst("amr");
 

src/Framework/App.Runtime/src/Microsoft.AspNetCore.App.Runtime.csproj

@@ -592,38 +592,38 @@ public async Task CanExternalSignIn(bool isPersistent, bool supportsLockout)
     [InlineData(true, false)]
     [InlineData(false, true)]
     [InlineData(false, false)]
-    public async Task CanResignIn(
-        // Suppress warning that says theory methods should use all of their parameters.
-        // See comments below about why this isn't used.
-#pragma warning disable xUnit1026
-        bool isPersistent,
-#pragma warning restore xUnit1026
-        bool externalLogin)
+    public async Task CanResignIn(bool isPersistent, bool externalLogin)
     {
         // Setup
         var user = new PocoUser { UserName = "Foo" };
         var context = new DefaultHttpContext();
         var auth = MockAuth(context);
         var loginProvider = "loginprovider";
-        var id = new ClaimsIdentity();
+        var id = new ClaimsIdentity("authscheme");
         if (externalLogin)
         {
             id.AddClaim(new Claim(ClaimTypes.AuthenticationMethod, loginProvider));
         }
-        // REVIEW: auth changes we lost the ability to mock is persistent
-        //var properties = new AuthenticationProperties { IsPersistent = isPersistent };
-        var authResult = AuthenticateResult.NoResult();
+
+        var claimsPrincipal = new ClaimsPrincipal(id);
+        var properties = new AuthenticationProperties { IsPersistent = isPersistent };
+        var authResult = AuthenticateResult.Success(new AuthenticationTicket(claimsPrincipal, properties, "authscheme"));
         auth.Setup(a => a.AuthenticateAsync(context, IdentityConstants.ApplicationScheme))
             .Returns(Task.FromResult(authResult)).Verifiable();
         var manager = SetupUserManager(user);
+        manager.Setup(m => m.GetUserId(claimsPrincipal)).Returns(user.Id.ToString());
         var signInManager = new Mock<SignInManager<PocoUser>>(manager.Object,
             new HttpContextAccessor { HttpContext = context },
             new Mock<IUserClaimsPrincipalFactory<PocoUser>>().Object,
             null, null, new Mock<IAuthenticationSchemeProvider>().Object, null)
         { CallBase = true };
-        //signInManager.Setup(s => s.SignInAsync(user, It.Is<AuthenticationProperties>(p => p.IsPersistent == isPersistent),
-        //externalLogin? loginProvider : null)).Returns(Task.FromResult(0)).Verifiable();
-        signInManager.Setup(s => s.SignInWithClaimsAsync(user, It.IsAny<AuthenticationProperties>(), It.IsAny<IEnumerable<Claim>>())).Returns(Task.FromResult(0)).Verifiable();
+
+        signInManager.Setup(s => s.SignInWithClaimsAsync(user,
+                It.Is<AuthenticationProperties>(properties => properties.IsPersistent == isPersistent),
+                It.Is<IEnumerable<Claim>>(claims => !externalLogin ||
+                    claims.Any(claim => claim.Type == ClaimTypes.AuthenticationMethod && claim.Value == loginProvider))))
+            .Returns(Task.FromResult(0)).Verifiable();
+
         signInManager.Object.Context = context;
 
         // Act
@@ -634,6 +634,58 @@ public async Task CanResignIn(
         signInManager.Verify();
     }
 
+    [Fact]
+    public async Task ResignInNoOpsAndLogsErrorIfNotAuthenticated()
+    {
+        var user = new PocoUser { UserName = "Foo" };
+        var context = new DefaultHttpContext();
+        var auth = MockAuth(context);
+        var manager = SetupUserManager(user);
+        var logger = new TestLogger<SignInManager<PocoUser>>();
+        var signInManager = new Mock<SignInManager<PocoUser>>(manager.Object,
+            new HttpContextAccessor { HttpContext = context },
+            new Mock<IUserClaimsPrincipalFactory<PocoUser>>().Object,
+            null, logger, new Mock<IAuthenticationSchemeProvider>().Object, null)
+        { CallBase = true };
+        auth.Setup(a => a.AuthenticateAsync(context, IdentityConstants.ApplicationScheme))
+            .Returns(Task.FromResult(AuthenticateResult.NoResult())).Verifiable();
+
+        await signInManager.Object.RefreshSignInAsync(user);
+
+        Assert.Contains("RefreshSignInAsync prevented because the user is not currently authenticated. Use SignInAsync instead for initial sign in.", logger.LogMessages);
+        auth.Verify();
+        signInManager.Verify(s => s.SignInWithClaimsAsync(It.IsAny<PocoUser>(), It.IsAny<AuthenticationProperties>(), It.IsAny<IEnumerable<Claim>>()),
+            Times.Never());
+    }
+
+    [Fact]
+    public async Task ResignInNoOpsAndLogsErrorIfAuthenticatedWithDifferentUser()
+    {
+        var user = new PocoUser { UserName = "Foo" };
+        var context = new DefaultHttpContext();
+        var auth = MockAuth(context);
+        var manager = SetupUserManager(user);
+        var logger = new TestLogger<SignInManager<PocoUser>>();
+        var signInManager = new Mock<SignInManager<PocoUser>>(manager.Object,
+            new HttpContextAccessor { HttpContext = context },
+            new Mock<IUserClaimsPrincipalFactory<PocoUser>>().Object,
+            null, logger, new Mock<IAuthenticationSchemeProvider>().Object, null)
+        { CallBase = true };
+        var id = new ClaimsIdentity("authscheme");
+        var claimsPrincipal = new ClaimsPrincipal(id);
+        var authResult = AuthenticateResult.Success(new AuthenticationTicket(claimsPrincipal, new AuthenticationProperties(), "authscheme"));
+        auth.Setup(a => a.AuthenticateAsync(context, IdentityConstants.ApplicationScheme))
+            .Returns(Task.FromResult(authResult)).Verifiable();
+        manager.Setup(m => m.GetUserId(claimsPrincipal)).Returns("different");
+
+        await signInManager.Object.RefreshSignInAsync(user);
+
+        Assert.Contains("RefreshSignInAsync prevented because currently authenticated user has a different UserId. Use SignInAsync instead to change users.", logger.LogMessages);
+        auth.Verify();
+        signInManager.Verify(s => s.SignInWithClaimsAsync(It.IsAny<PocoUser>(), It.IsAny<AuthenticationProperties>(), It.IsAny<IEnumerable<Claim>>()),
+            Times.Never());
+    }
+
     [Theory]
     [InlineData(true, true, true, true)]
     [InlineData(true, true, false, true)]

src/Identity/Core/src/SignInManager.cs

@@ -83,9 +83,9 @@
     -->
     <ItemGroup>
       <UrisToDownload Remove="@(UrisToDownload)" />
-      <UrisToDownload Include="https://dotnetcli.azureedge.net/dotnet/Runtime/%(RemoteAsset.Identity)" />
-      <UrisToDownload Include="https://dotnetbuilds.azureedge.net/public/Runtime/%(RemoteAsset.Identity)" />
-      <UrisToDownload Include="https://dotnetbuilds.azureedge.net/internal/Runtime/%(RemoteAsset.Identity)"
+      <UrisToDownload Include="https://builds.dotnet.microsoft.com/dotnet/Runtime/%(RemoteAsset.Identity)" />
+      <UrisToDownload Include="https://ci.dot.net/public/Runtime/%(RemoteAsset.Identity)" />
+      <UrisToDownload Include="https://ci.dot.net/internal/Runtime/%(RemoteAsset.Identity)"
           Condition=" '$(DotnetRuntimeSourceFeedKey)' != '' ">
         <token>$(DotnetRuntimeSourceFeedKey)</token>
       </UrisToDownload>