[Fix 3.1] Handle NRE on Azure federated authentication

Porting dotnet#1625 to 3.1-servicing.
David-Engel · Aug 5, 2022 · 739697d · 739697d
1 parent db1c825
commit 739697d
Show file tree

Hide file tree

Showing 5 changed files with 77 additions and 30 deletions.
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Common/src/Microsoft/Data/Common/AdapterUtil.cs b/src/Microsoft.Data.SqlClient/netcore/src/Common/src/Microsoft/Data/Common/AdapterUtil.cs
@@ -15,6 +15,7 @@
 using System.Threading.Tasks;
 using System.Transactions;
 using Microsoft.Data.SqlClient;
+using Microsoft.Identity.Client;
 
 namespace Microsoft.Data.Common
 {
@@ -321,6 +322,38 @@ static internal InvalidOperationException InvalidDataDirectory()
  InvalidOperationException e = new InvalidOperationException(Strings.ADP_InvalidDataDirectory);
  return e;
  }
+ internal static TimeoutException TimeoutException(string error, Exception inner = null)
+ {
+ TimeoutException e = new(error, inner);
+ TraceExceptionAsReturnValue(e);
+ return e;
+ }
+
+ internal static Exception CreateSqlException(MsalException msalException, SqlConnectionString connectionOptions, SqlInternalConnectionTds sender, string username)
+ {
+ // Error[0]
+ SqlErrorCollection sqlErs = new();
+
+ sqlErs.Add(new SqlError(0, (byte)0x00, (byte)TdsEnums.MIN_ERROR_CLASS,
+ connectionOptions.DataSource,
+ StringsHelper.GetString(Strings.SQL_MSALFailure, username, connectionOptions.Authentication.ToString("G")),
+ ActiveDirectoryAuthentication.MSALGetAccessTokenFunctionName, 0));
+
+ // Error[1]
+ string errorMessage1 = StringsHelper.GetString(Strings.SQL_MSALInnerException, msalException.ErrorCode);
+ sqlErs.Add(new SqlError(0, (byte)0x00, (byte)TdsEnums.MIN_ERROR_CLASS,
+ connectionOptions.DataSource, errorMessage1,
+ ActiveDirectoryAuthentication.MSALGetAccessTokenFunctionName, 0));
+
+ // Error[2]
+ if (!string.IsNullOrEmpty(msalException.Message))
+ {
+ sqlErs.Add(new SqlError(0, (byte)0x00, (byte)TdsEnums.MIN_ERROR_CLASS,
+ connectionOptions.DataSource, msalException.Message,
+ ActiveDirectoryAuthentication.MSALGetAccessTokenFunctionName, 0));
+ }
+ return SqlException.CreateException(sqlErs, "", sender);
+ }
 
  //
  // Generic Data Provider Collection

diff --git a/...Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlInternalConnectionTds.cs b/...Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlInternalConnectionTds.cs
@@ -103,6 +103,9 @@ public void AssertUnrecoverableStateCountIsCorrect()
 
  internal sealed class SqlInternalConnectionTds : SqlInternalConnection, IDisposable
  {
+ // https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/retry-after#simple-retry-for-errors-with-http-error-codes-500-600
+ internal const int MsalHttpRetryStatusCode = 429;
+
  // CONNECTION AND STATE VARIABLES
  private readonly SqlConnectionPoolGroupProviderInfo _poolGroupProviderInfo; // will only be null when called for ChangePassword, or creating SSE User Instance
  private TdsParser _parser;
@@ -2421,7 +2424,7 @@ internal SqlFedAuthToken GetFedAuthToken(SqlFedAuthInfo fedAuthInfo)
  // Deal with Msal service exceptions first, retry if 429 received.
  catch (MsalServiceException serviceException)
  {
- if (429 == serviceException.StatusCode)
+ if (serviceException.StatusCode == MsalHttpRetryStatusCode)
  {
  RetryConditionHeaderValue retryAfter = serviceException.Headers.RetryAfter;
  if (retryAfter.Delta.HasValue)
@@ -2440,9 +2443,15 @@ internal SqlFedAuthToken GetFedAuthToken(SqlFedAuthInfo fedAuthInfo)
  }
  else
  {
- break;
+ SqlClientEventSource.Log.TryTraceEvent("<sc.SqlInternalConnectionTds.GetFedAuthToken.MsalServiceException error:> Timeout: {0}", serviceException.ErrorCode);
+ throw SQL.ActiveDirectoryTokenRetrievingTimeout(Enum.GetName(typeof(SqlAuthenticationMethod), ConnectionOptions.Authentication), serviceException.ErrorCode, serviceException);
  }
  }
+ else
+ {
+ SqlClientEventSource.Log.TryTraceEvent("<sc.SqlInternalConnectionTds.GetFedAuthToken.MsalServiceException error:> {0}", serviceException.ErrorCode);
+ throw ADP.CreateSqlException(serviceException, ConnectionOptions, this, username);
+ }
  }
  // Deal with normal MsalExceptions.
  catch (MsalException msalException)
@@ -2453,21 +2462,7 @@ internal SqlFedAuthToken GetFedAuthToken(SqlFedAuthInfo fedAuthInfo)
  {
  SqlClientEventSource.Log.TryTraceEvent("<sc.SqlInternalConnectionTds.GetFedAuthToken.MSALException error:> {0}", msalException.ErrorCode);
 
- // Error[0]
- SqlErrorCollection sqlErs = new();
- sqlErs.Add(new SqlError(0, (byte)0x00, (byte)TdsEnums.MIN_ERROR_CLASS, ConnectionOptions.DataSource, StringsHelper.GetString(Strings.SQL_MSALFailure, username, ConnectionOptions.Authentication.ToString("G")), ActiveDirectoryAuthentication.MSALGetAccessTokenFunctionName, 0));
-
- // Error[1]
- string errorMessage1 = StringsHelper.GetString(Strings.SQL_MSALInnerException, msalException.ErrorCode);
- sqlErs.Add(new SqlError(0, (byte)0x00, (byte)TdsEnums.MIN_ERROR_CLASS, ConnectionOptions.DataSource, errorMessage1, ActiveDirectoryAuthentication.MSALGetAccessTokenFunctionName, 0));
-
- // Error[2]
- if (!string.IsNullOrEmpty(msalException.Message))
- {
- sqlErs.Add(new SqlError(0, (byte)0x00, (byte)TdsEnums.MIN_ERROR_CLASS, ConnectionOptions.DataSource, msalException.Message, ActiveDirectoryAuthentication.MSALGetAccessTokenFunctionName, 0));
- }
- SqlException exc = SqlException.CreateException(sqlErs, "", this);
- throw exc;
+ throw ADP.CreateSqlException(msalException, ConnectionOptions, this, username);
  }
 
  SqlClientEventSource.Log.TryAdvancedTraceEvent("<sc.SqlInternalConnectionTds.GetFedAuthToken|ADV> {0}, sleeping {1}[Milliseconds]", ObjectID, sleepInterval);

diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlUtil.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlUtil.cs
@@ -486,6 +486,10 @@ internal static Exception ActiveDirectoryDeviceFlowTimeout()
  return ADP.TimeoutException(Strings.SQL_Timeout_Active_Directory_DeviceFlow_Authentication);
  }
 
+ internal static Exception ActiveDirectoryTokenRetrievingTimeout(string authenticaton, string errorCode, Exception exception)
+ {
+ return ADP.TimeoutException(StringsHelper.GetString(Strings.AAD_Token_Retrieving_Timeout, authenticaton, errorCode, exception?.Message), exception);
+ }
 
  //
  // SQL.DataCommand

diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Resources/Strings.Designer.cs b/src/Microsoft.Data.SqlClient/netcore/src/Resources/Strings.Designer.cs
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Resources/Strings.resx b/src/Microsoft.Data.SqlClient/netcore/src/Resources/Strings.resx
@@ -1932,4 +1932,7 @@
  <data name="SqlRetryLogic_InvalidMinMaxPair" xml:space="preserve">
  <value>'{0}' is not less than '{1}'; '{2}' cannot be greater than '{3}'.</value>
  </data>
+ <data name="AAD_Token_Retrieving_Timeout" xml:space="preserve">
+ <value>Connection timed out while retrieving an access token using '{0}' authentication method. Last error: {1}: {2}</value>
+ </data>
 </root>