-
Notifications
You must be signed in to change notification settings - Fork 561
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unix domain socket binding on WCF Client #5172
Conversation
/azp run |
Azure Pipelines successfully started running 1 pipeline(s). |
<value>The specified channel type {0} is not supported by this channel manager.</value> | ||
</data> | ||
<data name="TcpConnectError" xml:space="preserve"> | ||
<value>Could not connect to {0}. TCP error code {1}: {2}. </value> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are the string resources that start with Tcp used? If so, they should probably be renamed and the message modified.
public class UnixDomainSocketBinding : Binding | ||
{ | ||
//private OptionalReliableSession _reliableSession; | ||
// private BindingElements |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This binding is to provide similar capabilities to NetNamedPipe so won't ever support reliable sessions. Remove the commented out reliable sessions fields.
} | ||
|
||
public UnixDomainSocketBinding(string configurationName) | ||
: this() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove this method. It's only in the other bindings for legacy reasons. This is a new type so no need to start with this unsupported constructor.
_transport = new UnixDomainSocketTransportBindingElement(); | ||
_encoding = new BinaryMessageEncodingBindingElement(); | ||
//_session = new ReliableSessionBindingElement(); | ||
// _reliableSession = new OptionalReliableSession(_session); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cleanup reliable sessions commented code
|
||
// add security (*optional) | ||
//SecurityBindingElement wsSecurity = CreateMessageSecurity(); | ||
//if (wsSecurity != null) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We likely won't ever want to support message security as NetNamedPipe doesn't.
|
||
/* | ||
private SecurityBindingElement CreateMessageSecurity() | ||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove
{ | ||
None, | ||
Default , | ||
Certificate , |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fix formatting
} | ||
|
||
internal BindingElement CreateTransportProtectionOnly() | ||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This method should be used when SecurityMode is Transport and ClientCredentialType is None. We still need to secure the connection use TLS, we just don't provide a client certificate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return CreatePosixIdentityOnlyBinding(); | ||
} | ||
}else if (_clientCredentialType == UnixDomainSocketClientCredentialType.Certificate ) | ||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Formatting
} | ||
|
||
internal bool InternalShouldSerialize() | ||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove, this was used when writing out the binding to config and would be used to know if it was using defaults or not. If using defaults, no need to write it out to the xml. This is left over dead code.
if (!IsDefined(value)) | ||
{ | ||
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidEnumArgumentException("value", (int)value, | ||
typeof(SslProtocols))); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nameof(value)
internal static class ConnectionOrientedTransportDefaults | ||
{ | ||
//public const bool AllowNtlm = SspiSecurityTokenProvider.DefaultAllowNtlm; | ||
//public const int ConnectionBufferSize = 8192; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove unused commented members
using System.Runtime.CompilerServices; | ||
|
||
[assembly:TypeForwardedTo(typeof(System.ServiceModel.Channels.ConnectionOrientedTransportBindingElement))] | ||
[assembly:TypeForwardedTo(typeof(System.ServiceModel.Channels.SslStreamSecurityBindingElement))] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You don't need these. These were in nettcp to tell existing code that these types had been moved from nettcp to NetFramingBase, which is not for case for UDS
|
||
[DefaultValue(Net.Security.ProtectionLevel.EncryptAndSign)] | ||
public ProtectionLevel ProtectionLevel | ||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought we removed this from the service side? This binding element doesn't do any encryption or signing of the data transmitted so it doesn't make sense to have it. If it's still there on the service side, please open an issue to remove it there too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tracking here on the server side CoreWCF/CoreWCF#1214 (comment) and removing client
internal IdentityVerifier IdentityVerifier { get; private set; } | ||
|
||
public ProtectionLevel ProtectionLevel { get; } | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove
return null;; | ||
} | ||
public override string GetNextUpgrade() | ||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Formatting. Need a blank line between methods.
private class UnixPosixIdentitySecurityUpgradeInitiator : StreamSecurityUpgradeInitiator | ||
{ | ||
string upgradeString = UnixPosixUpgradeString; | ||
public UnixPosixIdentitySecurityUpgradeInitiator() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing acessor modifier (private). Naming convention should begin with _
internal static class UnsafeNativeMethods | ||
{ | ||
//public const int ERROR_SUCCESS = 0; | ||
//public const int ERROR_FILE_NOT_FOUND = 2; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove unused commented values
Now that CoreWCF UDS has been released, can you add a scenario test. The folder for them is under the System.Private.ServiceModel\tests\Scenario folder |
Feedback from our call, we need to introduce a new security mode similar to |
{ | ||
private UnixDomainSocketTransportBindingElement _transport; | ||
private BinaryMessageEncodingBindingElement _encoding; | ||
// private ReliableSessionBindingElement _session; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove commented line
{ | ||
internal const SecurityMode DefaultMode = SecurityMode.Transport; | ||
|
||
private SecurityMode _mode; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need to create a UDS specific enum for this as we aren't supporting Message or TransportWithMessageCredentials. See NetNamedPipeSecurityMode Enum docs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This also goes with my comment here where we need TransportCredentialOnly for IdentityOnly
Certificate, | ||
Windows, | ||
IdentityOnly, | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As we're making a change to add a TransportCredentialOnly security mode, I don't think Only needs to be on here now. Also as it's now clearly only for *nix based systems like mac and Linux, I think PosixIdentity would be clearer, or maybe just Posix as we have just "Windows"
private UnixDomainSocketSecurityMode _mode; | ||
|
||
public UnixDomainSocketSecurity() | ||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of doing this inline, make DefaultMode a private static field and use the original constructor. Then you can use the default mode in the exception message of the private constructor
if (_mode == UnixDomainSocketSecurityMode.Transport || _mode == UnixDomainSocketSecurityMode.TransportCredentialOnly) | ||
{ | ||
if(_mode == UnixDomainSocketSecurityMode.TransportCredentialOnly && Transport.ClientCredentialType != UnixDomainSocketClientCredentialType.PosixIdentity) | ||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also throw when _mode it Transport and credential type is PosixIdentity as it should only be used for TransportCredentialOnly
Phase 1 ensuring no auth and posix identity works