Skip to content

Allow Basic Auth over HTTPS #6890

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
adityapatwardhan merged 5 commits into from
Jun 27, 2018
Merged

Allow Basic Auth over HTTPS #6890

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
95c76d3
[FEATURE] Allow Basic Auth over HTTPS
dantraMSFT May 17, 2018
40744b9
WSManTransportManager.cs: Simplify HTTPS check
dantraMSFT May 18, 2018
9bd40f6
Disable test until limi crash fo selected connection error paths is f…
dantraMSFT Jun 20, 2018
a6ccd69
Fix typo in comment about pending test.
dantraMSFT Jun 20, 2018
7857d27
Use Hex format for defining the expected HRESULT
dantraMSFT Jun 27, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/System.Management.Automation/engine/remoting/fanin/WSManTransportManager.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1529,7 +1529,7 @@ private void Initialize(Uri connectionUri, WSManConnectionInfo connectionInfo)

#if UNIX
// explicitly disallow Basic auth over HTTP on Unix.
if (connectionInfo.AuthenticationMechanism == AuthenticationMechanism.Basic && !isSSLSpecified)
if (connectionInfo.AuthenticationMechanism == AuthenticationMechanism.Basic && !isSSLSpecified && connectionUri.Scheme != Uri.UriSchemeHttps)
{
throw new PSRemotingTransportException(PSRemotingErrorId.ConnectFailed, RemotingErrorIdStrings.BasicAuthOverHttpNotSupported);
}
Expand Down
16 changes: 15 additions & 1 deletion test/powershell/engine/Remoting/RemoteSession.Basic.Tests.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,24 @@ Describe "Basic Auth over HTTP not allowed on Unix" -Tag @("CI") {
$err = ({New-PSSession -ComputerName 'localhost' -Credential $credential -Authentication Basic} | Should -Throw -PassThru -ErrorId 'System.Management.Automation.Remoting.PSRemotingDataStructureException,Microsoft.PowerShell.Commands.NewPSSessionCommand')
$err.Exception | Should -BeOfType [System.Management.Automation.Remoting.PSRemotingTransportException]
# Should be PSRemotingErrorId.ConnectFailed
# Ensures we are looking at teh expected instance
# Ensures we are looking at the expected instance
$err.Exception.ErrorCode | Should -Be 801
}

# Marked as pending due to https://github.com/Microsoft/omi/issues/502
# It "New-PSSession should NOT throw a ConnectFailed exception when specifying Basic Auth over HTTPS on Unix" -skip:($IsWindows) {
It "New-PSSession should NOT throw a ConnectFailed exception when specifying Basic Auth over HTTPS on Unix" -Pending {
$password = ConvertTo-SecureString -String "password" -AsPlainText -Force
$credential = [PSCredential]::new('username', $password)

# use a Uri that specifies HTTPS to test Basic Auth logic.
# NOTE: The connection is expected to fail but not with a ConnectFailed exception
$uri = "https://localhost"
New-PSSession -Uri $uri -Credential $credential -Authentication Basic -ErrorVariable err
Copy link
Member

@adityapatwardhan adityapatwardhan Jun 20, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you use the pattern below?

{ New-PSSession -Uri $uri -Credential $credential -Authentication Basic -ErrorVariable err } | Should -Throw -ErrorId '1,PSSessionOpenFailed' -ExceptionType 'System.Management.Automation.Remoting.PSRemotingTransportException'
$err.Exception.HResult | Should -Be -2146233087

Copy link
Contributor Author

@dantraMSFT dantraMSFT Jun 20, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, when -ErrorVariable is used, pester doesn't have an exception to catch.

Copy link
Member

@adityapatwardhan adityapatwardhan Jun 20, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This cannot be done as when err is set no exception is thrown.

Copy link
Member

@SteveL-MSFT SteveL-MSFT Jun 22, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is a negative test case where you need to do more validation of the exception, you should use the pattern in our test guidance doc with -PassThru: https://github.com/PowerShell/PowerShell/blob/master/docs/testing-guidelines/WritingPesterTests.md#writing-pester-tests

Copy link
Contributor Author

@dantraMSFT dantraMSFT Jun 22, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SteveL-MSFT: new-pssession doesn't throw, it writes to the error stream.

Copy link
Contributor Author

@dantraMSFT dantraMSFT Jun 25, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SteveL-MSFT: do you have any additional feedback?

Copy link
Member

@SteveL-MSFT SteveL-MSFT Jun 27, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you should follow the convention for now to use -ErrorAction Stop and then use Pester's Should -ThrowErrorId -PassThru to do additional validation for consistency until we have capability to validate non-terminating errors

$err.Exception | Should -BeOfType [System.Management.Automation.Remoting.PSRemotingTransportException]
$err.FullyQualifiedErrorId | Should -Be '1,PSSessionOpenFailed'
$err.Exception.HResult | Should -Be 0x80131501
}
}

Describe "JEA session Transcript script test" -Tag @("Feature", 'RequireAdminOnWindows') {
Expand Down