Linux: RBAC claims resolution hangs if nested groups have circular dependencies #37225

Closed
RoadTrain opened this issue Oct 2, 2021 · 1 comment · Fixed by #38817
Labels: area-auth (Includes: Authn, Authz, OAuth, OIDC, Bearer)

Comments
RoadTrain (Contributor) commented Oct 2, 2021

Describe the bug

Real-world AD deployments can have groups circularly reference each other, e.g. GroupA -> GroupB -> GroupC -> GroupA.
In this case, when nested claims resolution is enabled, Linux clients will hang on recursive resolution at https://github.com/dotnet/aspnetcore/blob/main/src/Security/Authentication/Negotiate/src/Internal/LdapAdapter.cs#L123

To Reproduce

  1. Set up any AD server (contoso.com in the example).
  2. Add several AD groups so that they reference each other circularly, e.g. GroupA -> GroupB -> GroupC -> GroupA.
  3. Add user to any of these groups.
  4. Create a simple API project, set up RBAC claims resolution:
     // In Startup.ConfigureServices (or builder.Services in Program.cs).
     services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate(options =>
     {
         // LDAP-based claims resolution is only needed on Linux; Windows gets group claims from the OS.
         if (!RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
         {
             return;
         }

         options.EnableLdap(settings =>
         {
             settings.Domain = "contoso.com";
             settings.MachineAccountName = "someuser";
             settings.MachineAccountPassword = "somepassword";
         });
     });

     services.AddAuthorization();

     [ApiController]
     [Route("api/[controller]")]
     [Authorize(Roles = "GroupA")]
     public class SomeController : Controller
     {
         // Any authorized request triggers nested group resolution for the caller.
         [HttpGet]
         [Route("someMethod")]
         public ActionResult<int> SomeMethod()
         {
             return 1;
         }
     }
  5. Run it inside docker container dotnet/aspnet:6.0

Exceptions (if any)

API call hangs, and eventually results in StackOverflowException.

Further technical details

  • ASP.NET Core 5.0, 6.0-preview5, via docker dotnet/aspnet:6.0
  • Visual Studio 2019
RoadTrain (Contributor, Author) commented

Proposed fix at bba75b7: basically, keep track of already processed groups via a HashSet.
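As an added illustration of the cycle and the HashSet guard described in this thread (example code, not the dotnet/aspnetcore LdapAdapter itself): the directory's memberOf lookups are simulated with an in-memory map so the behaviour can be exercised offline, and the DNs, group names and helper names below are assumptions. The set and the map both use a case-insensitive comparer because AD distinguished names are case-insensitive; a case-sensitive set would let "CN=groupa,..." slip past the guard and re-enter the cycle.

```csharp
// Added example; not code from the dotnet/aspnetcore repository.
using System;
using System.Collections.Generic;

public static class NestedGroupResolver
{
    // Constructed directory: group DN -> DNs of the groups it is a direct member of.
    // GroupA -> GroupB -> GroupC -> GroupA is the cycle from the report; Admins is a
    // legitimate parent reached only through the cycle.
    public static readonly IReadOnlyDictionary<string, string[]> SampleMemberOf =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["CN=GroupA,OU=Groups,DC=contoso,DC=com"] = new[] { "CN=GroupB,OU=Groups,DC=contoso,DC=com" },
            ["CN=GroupB,OU=Groups,DC=contoso,DC=com"] = new[] { "CN=GroupC,OU=Groups,DC=contoso,DC=com" },
            ["CN=GroupC,OU=Groups,DC=contoso,DC=com"] = new[]
            {
                "CN=groupa,OU=Groups,DC=contoso,DC=com", // note the case difference
                "CN=Admins,OU=Groups,DC=contoso,DC=com",
            },
            ["CN=Admins,OU=Groups,DC=contoso,DC=com"] = Array.Empty<string>(),
        };

    // Unguarded version: recurses on every memberOf entry with no memory of what it
    // has already visited, so on a cycle it never terminates and the process dies with
    // StackOverflowException. Kept for contrast only; do not call it on SampleMemberOf.
    public static void ResolveUnguarded(string groupDn,
        IReadOnlyDictionary<string, string[]> memberOf, List<string> roles)
    {
        roles.Add(GroupName(groupDn));
        foreach (var parent in Lookup(memberOf, groupDn))
            ResolveUnguarded(parent, memberOf, roles);
    }

    // Guarded version: a HashSet of already processed DNs breaks cycles (and diamonds).
    public static List<string> ResolveGuarded(string groupDn,
        IReadOnlyDictionary<string, string[]> memberOf)
    {
        var roles = new List<string>();
        var processed = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        Walk(groupDn, memberOf, processed, roles);
        return roles;
    }

    private static void Walk(string groupDn, IReadOnlyDictionary<string, string[]> memberOf,
        HashSet<string> processed, List<string> roles)
    {
        // HashSet.Add returns false when the DN was seen before: stop instead of recursing.
        if (!processed.Add(groupDn)) return;
        roles.Add(GroupName(groupDn));
        foreach (var parent in Lookup(memberOf, groupDn))
            Walk(parent, memberOf, processed, roles);
    }

    // Stand-in for the LDAP query that reads a group's memberOf attribute.
    private static IEnumerable<string> Lookup(IReadOnlyDictionary<string, string[]> memberOf, string dn)
    {
        return memberOf.TryGetValue(dn, out var parents) ? parents : Array.Empty<string>();
    }

    // "CN=GroupA,OU=..." -> "GroupA". Toy parser: it ignores RFC 4514 escaping.
    private static string GroupName(string dn)
    {
        var first = dn.Split(',')[0];
        return first.StartsWith("CN=", StringComparison.OrdinalIgnoreCase) ? first.Substring(3) : first;
    }

    public static void Main()
    {
        var roles = ResolveGuarded("CN=GroupA,OU=Groups,DC=contoso,DC=com", SampleMemberOf);
        Console.WriteLine(string.Join(", ", roles));
    }
}
```

With the guard in place the walk visits GroupA, GroupB and GroupC once each, skips the lower-case reference back to GroupA, and still reaches Admins, so the role claims a user inherits through the cycle are complete rather than lost.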

@Tratcher Tratcher self-assigned this Oct 3, 2021
@Tratcher Tratcher added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Oct 3, 2021
@Tratcher Tratcher removed their assignment Oct 4, 2021
@adityamandaleeka adityamandaleeka added this to the .NET 7 Planning milestone Oct 8, 2021
@Tratcher Tratcher modified the milestones: .NET 7 Planning, 7.0-preview1 Dec 9, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Jan 9, 2022