Skip to content

Expose SspiAuthenticationParameters on SspiContextProvider #2454

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Expose SspiAuthenticationParameters on SspiContextProvider #2454

wants to merge 11 commits into from

Conversation

twsouthwick
Copy link
Member

@twsouthwick twsouthwick commented Apr 8, 2024
edited
Loading

This change updates the SSPI context provider to surface information to implementers via SqlAuthenticationParameters.

This also expands #2559 to loop through all SPNs in the base SSPIContextProvider rather than just a specific implementation.

Part of #2253

@twsouthwick twsouthwick mentioned this pull request Apr 8, 2024
Open
6 tasks
@twsouthwick twsouthwick force-pushed the auth-params branch 3 times, most recently from 4f6c051 to 80e90cd Compare April 10, 2024 19:50
@codecov Codecov
Copy link

codecov bot commented May 8, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 79.31034% with 12 lines in your changes missing coverage. Please review.

Project coverage is 59.50%. Comparing base (b64db0e) to head (a813d22).

Files with missing lines Patch % Lines
...crosoft/Data/SqlClient/SSPI/SspiContextProvider.cs 75.00% 8 Missing ⚠️
...nt/netfx/src/Microsoft/Data/SqlClient/TdsParser.cs 0.00% 1 Missing ⚠️
...t/Data/SqlClient/SSPI/NativeSspiContextProvider.cs 66.66% 1 Missing ⚠️
...ata/SqlClient/SSPI/NegotiateSspiContextProvider.cs 88.88% 1 Missing ⚠️
...ata/SqlClient/SSPI/SspiAuthenticationParameters.cs 88.88% 1 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (b64db0e) and HEAD (a813d22). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (b64db0e) HEAD (a813d22)
addons 1 0
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2454      +/-   ##
==========================================
- Coverage   65.08%   59.50%   -5.58%     
==========================================
  Files         298      293       -5     
  Lines       65535    65245     -290     
==========================================
- Hits        42651    38825    -3826     
- Misses      22884    26420    +3536
Flag Coverage Δ
addons ?
netcore 62.78% <75.00%> (-5.55%) ⬇️
netfx 60.61% <63.04%> (-5.59%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@twsouthwick twsouthwick mentioned this pull request May 8, 2024
Draft
@twsouthwick twsouthwick force-pushed the auth-params branch 3 times, most recently from 86512cb to ff9a983 Compare February 3, 2025 19:29
@twsouthwick twsouthwick force-pushed the auth-params branch 3 times, most recently from 96b5fb5 to 2f6ddef Compare March 3, 2025 19:19
@twsouthwick twsouthwick requested a review from mdaigle March 3, 2025 19:21
@twsouthwick
Copy link
Member Author

@mdaigle next step for sspi :)

@twsouthwick twsouthwick marked this pull request as ready for review March 3, 2025 19:28
@twsouthwick
Pass SqlAuthenticationParameters in GenerateSspiClientContext
8adfef4 
As part of this change, the SSPIContextProvider base class now iterates through all the server names similar to what NegotiateSSPIContextProvider did.
@cheenamalhotra cheenamalhotra requested a review from a team March 6, 2025 16:03
@twsouthwick
Copy link
Member Author

ping @mdaigle @cheenamalhotra

@mdaigle
Copy link
Contributor

mdaigle commented Mar 13, 2025

Hey @twsouthwick, I'll try to take a look at this today!

@twsouthwick
Copy link
Member Author

The errors appear to also be on main and are an "Access denied" for something related to certificates. It doesn't appear to be caused by my change, but let me know if you believe it is.

mdaigle
mdaigle reviewed Mar 14, 2025
View reviewed changes
Copy link
Contributor

@mdaigle mdaigle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this all makes sense to me. I'll take another look tomorrow and also see why the tests are failing.

mdaigle
mdaigle reviewed Mar 14, 2025
View reviewed changes
Copy link
Contributor

@mdaigle mdaigle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests should be green now. We had a build agent issue that was resolved yesterday.

src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SSPI/SSPIContextProvider.cs Outdated
{
var auth = new SqlAuthenticationParameters.Builder(
authenticationMethod: connection.ConnectionOptions.Authentication,
resource: null,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm trying to think of the best way to populate this. In other usage, I see serverSpn getting set as the resource and dataSource getting set as the serverName. I think it makes sense to continue that pattern here given that serverName and server SPN may be different.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SqlClient/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlInternalConnectionTds.cs

Line 2437 in e0fa87b

var authParamsBuilder = new SqlAuthenticationParameters.Builder(

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm also not sure how to feel about authority. In federated auth, it's assumed that authority will be present, but here we don't set a value.

Let me chat with the team to see if we'd prefer to create a new type to better represent this set of credentials.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good. I refactored the builder so that the same pattern can be had wherever it's used if we want to use the existing SqlAuthenticationParameters

@paulmedynski paulmedynski self-assigned this Apr 2, 2025
@twsouthwick twsouthwick changed the title Expose SqlAuthenticationParameters on SSPIContextProvider Expose SspiAuthenticationParameters on SSPIContextProvider May 1, 2025
@twsouthwick twsouthwick changed the title Expose SspiAuthenticationParameters on SSPIContextProvider Expose SspiAuthenticationParameters on SspiContextProvider May 1, 2025
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@paulmedynski paulmedynski Awaiting requested review from paulmedynski

@David-Engel David-Engel Awaiting requested review from David-Engel

@mdaigle mdaigle Awaiting requested review from mdaigle

@benrr101 benrr101 Awaiting requested review from benrr101

Requested changes must be addressed to merge this pull request.

Assignees

@paulmedynski paulmedynski

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@twsouthwick @mdaigle @benrr101 @David-Engel @paulmedynski