Merge pull request #31 from docker/add-user-identity

simonferquel · web-flow · commit 5a97b59e3e3c · 2020-02-13T10:58:33.000+01:00
Add user identity in Owin context - merging with authority :)
diff --git a/src/HttpOverStream.NamedPipe/NamedPipeDialer.cs b/src/HttpOverStream.NamedPipe/NamedPipeDialer.cs
@@ -2,6 +2,7 @@
 using System.IO;
 using System.IO.Pipes;
 using System.Net.Http;
+using System.Security.Principal;
 using System.Threading;
 using System.Threading.Tasks;
 
@@ -13,6 +14,7 @@ public class NamedPipeDialer : IDial
         private readonly string _serverName;
         private readonly PipeOptions _pipeOptions;
         private readonly int _timeoutMs;
+        private readonly TokenImpersonationLevel _impersonationLevel;
 
         public NamedPipeDialer(string pipeName)
             : this(pipeName, ".", PipeOptions.Asynchronous, 0)
@@ -24,17 +26,18 @@ public NamedPipeDialer(string pipeName, int timeoutMs)
         {
         }
 
-        public NamedPipeDialer(string pipeName, string serverName, PipeOptions pipeOptions, int timeoutMs)
+        public NamedPipeDialer(string pipeName, string serverName, PipeOptions pipeOptions, int timeoutMs, TokenImpersonationLevel impersonationLevel = TokenImpersonationLevel.Identification)
         {
             _pipeName = pipeName;
             _serverName = serverName;
             _pipeOptions = pipeOptions;
             _timeoutMs = timeoutMs;
+            _impersonationLevel = impersonationLevel;
         }
 
         public async ValueTask<Stream> DialAsync(HttpRequestMessage request, CancellationToken cancellationToken)
         {
-            var pipeStream = new NamedPipeClientStream(_serverName, _pipeName, PipeDirection.InOut, _pipeOptions);
+            var pipeStream = new NamedPipeClientStream(_serverName, _pipeName, PipeDirection.InOut, _pipeOptions, _impersonationLevel);
             await pipeStream.ConnectAsync(_timeoutMs, cancellationToken).ConfigureAwait(false);
             if (cancellationToken.CanBeCanceled)
             {
diff --git a/src/HttpOverStream.NamedPipe/NamedPipeHttpClientBuilder.cs b/src/HttpOverStream.NamedPipe/NamedPipeHttpClientBuilder.cs
@@ -1,5 +1,6 @@
 ﻿using System;
 using System.Net.Http;
+using System.Security.Principal;
 using HttpOverStream.Client;
 using HttpOverStream.Logging;
 
@@ -13,6 +14,7 @@ public class NamedPipeHttpClientBuilder
         private TimeSpan? _perRequestTimeout;
         private Version _httpVersion;
         private TimeSpan? _namedPipeConnectionTimeout;
+        private TokenImpersonationLevel _impersonationLevel = TokenImpersonationLevel.Identification;
 
         public NamedPipeHttpClientBuilder(string pipeName)
         {
@@ -49,11 +51,21 @@ public NamedPipeHttpClientBuilder WithNamedPipeConnectionTimeout(TimeSpan timeSp
             return this;
         }
 
+        public NamedPipeHttpClientBuilder WithImpersonationLevel(TokenImpersonationLevel impersonationLevel)
+        {
+            _impersonationLevel = impersonationLevel;
+            return this;
+        }
+
         public HttpClient Build()
         {
-            var dialer = _namedPipeConnectionTimeout == null
-                ? new NamedPipeDialer(_pipeName)
-                : new NamedPipeDialer(_pipeName, (int)_namedPipeConnectionTimeout.Value.TotalMilliseconds);
+            var connectionTimeout = 0;
+            if (_namedPipeConnectionTimeout.HasValue)
+            {
+                connectionTimeout = (int)_namedPipeConnectionTimeout.Value.TotalMilliseconds;
+            }
+
+            var dialer = new NamedPipeDialer(_pipeName, ".", System.IO.Pipes.PipeOptions.Asynchronous, connectionTimeout, _impersonationLevel);
 
             var innerHandler = new DialMessageHandler(dialer, _logger, _httpVersion);
             HttpClient httpClient;
diff --git a/src/HttpOverStream.NamedPipe/NamedPipeListener.cs b/src/HttpOverStream.NamedPipe/NamedPipeListener.cs
@@ -4,6 +4,7 @@
 using System.IO;
 using System.IO.Pipes;
 using System.Linq;
+using System.Security.Principal;
 using System.Threading;
 using System.Threading.Tasks;
 using HttpOverStream.Logging;
@@ -188,6 +189,31 @@ private async Task DisposeWhenCancelled(IDisposable disposable, string threadNam
                 _logger.LogError($"Exception disposing dummy {threadName} stream: {e}");
             }
         }
+
+        public IPrincipal GetTransportIdentity(Stream connection)
+        {
+            var serverStream = connection as NamedPipeServerStream;
+            if (serverStream == null)
+            {
+                throw new InvalidOperationException("connection should be a NamedPipeServerStream");
+            }
+
+            WindowsPrincipal principal = null;
+            try
+            {
+                serverStream.RunAsClient(() =>
+                {
+                    principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
+                });
+            }
+            catch
+            {
+                // this can fail if client explicitly connected with ImpersonationLevel.None.
+                // default is ImpersonationLevel.Identify which runs fine.
+            }
+
+            return principal;
+        }
     }
 
     internal static class CancellationTokenExtensions
diff --git a/src/HttpOverStream.Server.Owin/CustomListenerHost.cs b/src/HttpOverStream.Server.Owin/CustomListenerHost.cs
@@ -53,6 +53,12 @@ private async void OnAccept(Stream stream)
 
                     _logger.WriteVerbose("Server: reading message..");
                     await PopulateRequestAsync(stream, owinContext.Request, CancellationToken.None).ConfigureAwait(false);
+
+                    // some transports (shuch as Named Pipes) may require the server to read some data before being able to get the
+                    // client identity. So we get the client identity after reading the request headers
+                    var transportIdentity = _listener.GetTransportIdentity(stream);
+                    owinContext.Request.User = transportIdentity;
+
                     _logger.WriteVerbose("Server: finished reading message");
                     Func<Task> sendHeadersAsync = async () =>
                     {
diff --git a/src/HttpOverStream/IListen.cs b/src/HttpOverStream/IListen.cs
@@ -1,5 +1,6 @@
 ﻿using System;
 using System.IO;
+using System.Security.Principal;
 using System.Threading;
 using System.Threading.Tasks;
 
@@ -9,5 +10,6 @@ public interface IListen
     {
         Task StartAsync(Action<Stream> onConnection, CancellationToken cancellationToken);
         Task StopAsync(CancellationToken cancellationToken);
+        IPrincipal GetTransportIdentity(Stream connection);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`	`using System.IO;`
`3`	`3`	`using System.IO.Pipes;`
`4`	`4`	`using System.Net.Http;`
	`5`	`+using System.Security.Principal;`
`5`	`6`	`using System.Threading;`
`6`	`7`	`using System.Threading.Tasks;`
`7`	`8`
`@@ -13,6 +14,7 @@ public class NamedPipeDialer : IDial`
`13`	`14`	`private readonly string _serverName;`
`14`	`15`	`private readonly PipeOptions _pipeOptions;`
`15`	`16`	`private readonly int _timeoutMs;`
	`17`	`+ private readonly TokenImpersonationLevel _impersonationLevel;`
`16`	`18`
`17`	`19`	`public NamedPipeDialer(string pipeName)`
`18`	`20`	`: this(pipeName, ".", PipeOptions.Asynchronous, 0)`
`@@ -24,17 +26,18 @@ public NamedPipeDialer(string pipeName, int timeoutMs)`
`24`	`26`	`{`
`25`	`27`	`}`
`26`	`28`
`27`		`- public NamedPipeDialer(string pipeName, string serverName, PipeOptions pipeOptions, int timeoutMs)`
	`29`	`+ public NamedPipeDialer(string pipeName, string serverName, PipeOptions pipeOptions, int timeoutMs, TokenImpersonationLevel impersonationLevel = TokenImpersonationLevel.Identification)`
`28`	`30`	`{`
`29`	`31`	`_pipeName = pipeName;`
`30`	`32`	`_serverName = serverName;`
`31`	`33`	`_pipeOptions = pipeOptions;`
`32`	`34`	`_timeoutMs = timeoutMs;`
	`35`	`+ _impersonationLevel = impersonationLevel;`
`33`	`36`	`}`
`34`	`37`
`35`	`38`	`public async ValueTask<Stream> DialAsync(HttpRequestMessage request, CancellationToken cancellationToken)`
`36`	`39`	`{`
`37`		`- var pipeStream = new NamedPipeClientStream(_serverName, _pipeName, PipeDirection.InOut, _pipeOptions);`
	`40`	`+ var pipeStream = new NamedPipeClientStream(_serverName, _pipeName, PipeDirection.InOut, _pipeOptions, _impersonationLevel);`
`38`	`41`	`await pipeStream.ConnectAsync(_timeoutMs, cancellationToken).ConfigureAwait(false);`
`39`	`42`	`if (cancellationToken.CanBeCanceled)`
`40`	`43`	`{`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`using System;`
`2`	`2`	`using System.IO;`
	`3`	`+using System.Security.Principal;`
`3`	`4`	`using System.Threading;`
`4`	`5`	`using System.Threading.Tasks;`
`5`	`6`
`@@ -9,5 +10,6 @@ public interface IListen`
`9`	`10`	`{`
`10`	`11`	`Task StartAsync(Action<Stream> onConnection, CancellationToken cancellationToken);`
`11`	`12`	`Task StopAsync(CancellationToken cancellationToken);`
	`13`	`+ IPrincipal GetTransportIdentity(Stream connection);`
`12`	`14`	`}`
`13`	`15`	`}`