Refactor Kerberos and make state Runspace

CHANGELOG.md

@@ -7,6 +7,7 @@
 + Ensure a failure in a DNS lookup does not stop the module from importing but only errors when the value is used.
 + Use a case insensitive lookup for requested properties and the returned LDAP attributes
 + Add fallback for Linux/macOS default realm lookup to use the ccache principal realm if present
++ Properly store AD sessions in a Runspace specific storage allowing multiple runspaces to run in parallel without affecting each other
 
 ## v0.5.0 - 2024-03-21
 

src/PSOpenAD.Module/Commands/OpenADAuthSupport.cs

@@ -10,7 +10,7 @@ public class GetOpenADAuthSupport : PSCmdlet
 {
     protected override void EndProcessing()
     {
-        foreach (AuthenticationProvider provider in GlobalState.Providers.Values)
+        foreach (AuthenticationProvider provider in GlobalState.GetFromTLS().Providers.Values)
             WriteObject(provider);
     }
 }

src/PSOpenAD.Module/Commands/OpenADSession.cs

@@ -13,7 +13,7 @@ protected override void EndProcessing()
     {
         // Ensure the sessions are their own collection to avoid something further down the line mutating the same
         // list during an enumeration, e.g. 'Get-OpenADSession | Remove-OpenADSession'
-        WriteObject(GlobalState.Sessions.ToArray(), true);
+        WriteObject(GlobalState.GetFromTLS().Sessions.ToArray(), true);
     }
 }
 

src/PSOpenAD.Module/Completer.cs

@@ -16,7 +16,7 @@ public IEnumerable<CompletionResult> CompleteArgument(string commandName, string
             wordToComplete = "";
 
         HashSet<Uri> emitted = new();
-        foreach (OpenADSession session in GlobalState.Sessions)
+        foreach (OpenADSession session in GlobalState.GetFromTLS().Sessions)
         {
             if ((session.Uri.ToString().StartsWith(wordToComplete, true, CultureInfo.InvariantCulture) ||
                 session.Uri.Host.StartsWith(wordToComplete, true, CultureInfo.InvariantCulture)) &&
@@ -38,7 +38,7 @@ public IEnumerable<CompletionResult> CompleteArgument(string commandName, string
 
         string className = GetClassNameForCommand(commandName);
 
-        HashSet<string>? classAttributes = GlobalState.SchemaMetadata?.GetClassAttributesInformation(className);
+        HashSet<string>? classAttributes = GlobalState.GetFromTLS().SchemaMetadata?.GetClassAttributesInformation(className);
         if (classAttributes != null)
         {
             foreach (string attribute in classAttributes)

src/PSOpenAD.Module/OnImportAndRemove.cs

@@ -3,6 +3,7 @@
 using System;
 using System.Collections.Generic;
 using System.ComponentModel;
+using System.Diagnostics.CodeAnalysis;
 using System.Linq;
 using System.Management.Automation;
 using System.Reflection;
@@ -89,23 +90,25 @@
     {
         Resolver = new NativeResolver();
 
+        GlobalState state = GlobalState.GetFromTLS();
+
         // While channel binding isn't technically done by both these methods an Active Directory implementation
         // doesn't validate it's presence so from the purpose of a client it does work even if it's enforced on the
         // server end.
-        GlobalState.Providers[AuthenticationMethod.Anonymous] = new(AuthenticationMethod.Anonymous, "ANONYMOUS",
+        state.Providers[AuthenticationMethod.Anonymous] = new(AuthenticationMethod.Anonymous, "ANONYMOUS",
             true, false, "");
-        GlobalState.Providers[AuthenticationMethod.Simple] = new(AuthenticationMethod.Simple, "PLAIN", true,
+        state.Providers[AuthenticationMethod.Simple] = new(AuthenticationMethod.Simple, "PLAIN", true,
             false, "");
-        GlobalState.Providers[AuthenticationMethod.Certificate] = new(AuthenticationMethod.Certificate, "EXTERNAL",
+        state.Providers[AuthenticationMethod.Certificate] = new(AuthenticationMethod.Certificate, "EXTERNAL",
             true, true, "");
 
         if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
         {
             // Windows always has SSPI available.
-            GlobalState.GssapiProvider = GssapiProvider.SSPI;
-            GlobalState.Providers[AuthenticationMethod.Kerberos] = new(AuthenticationMethod.Kerberos, "GSSAPI",
+            state.GssapiProvider = GssapiProvider.SSPI;
+            state.Providers[AuthenticationMethod.Kerberos] = new(AuthenticationMethod.Kerberos, "GSSAPI",
                 true, true, "");
-            GlobalState.Providers[AuthenticationMethod.Negotiate] = new(AuthenticationMethod.Negotiate,
+            state.Providers[AuthenticationMethod.Negotiate] = new(AuthenticationMethod.Negotiate,
                 "GSS-SPNEGO", true, true, "");
 
             const GetDcFlags getDcFlags = GetDcFlags.DS_IS_DNS_NAME | GetDcFlags.DS_ONLY_LDAP_NEEDED |
@@ -123,21 +126,21 @@
             }
             catch (Exception e)
             {
-                GlobalState.DefaultDCError = $"Failure calling DsGetDcName to get default DC: {e.Message}";
+                state.DefaultDCError = $"Failure calling DsGetDcName to get default DC: {e.Message}";
             }
 
             if (!string.IsNullOrWhiteSpace(dcName))
             {
-                GlobalState.DefaultDC = new($"ldap://{dcName}:389/");
+                state.DefaultDC = new($"ldap://{dcName}:389/");
             }
-            else if (string.IsNullOrEmpty(GlobalState.DefaultDCError))
+            else if (string.IsNullOrEmpty(state.DefaultDCError))
             {
-                GlobalState.DefaultDCError = "No configured default DC on host";
+                state.DefaultDCError = "No configured default DC on host";
             }
         }
         else
         {
-            GlobalState.GssapiProvider = GssapiProvider.None;
+            state.GssapiProvider = GssapiProvider.None;
             LibraryInfo? gssapiLib = Resolver.CacheLibrary(GSSAPI.LIB_GSSAPI, new[] {
                 MACOS_GSS_FRAMEWORK, // macOS GSS Framework (technically Heimdal)
                 "libgssapi_krb5.so.2", // MIT krb5
@@ -151,51 +154,40 @@
 
             if (gssapiLib == null)
             {
-                GlobalState.Providers[AuthenticationMethod.Kerberos] = new(AuthenticationMethod.Kerberos,
+                state.Providers[AuthenticationMethod.Kerberos] = new(AuthenticationMethod.Kerberos,
                     "GSSAPI", false, false, "GSSAPI library not found");
-                GlobalState.Providers[AuthenticationMethod.Negotiate] = new(AuthenticationMethod.Negotiate,
+                state.Providers[AuthenticationMethod.Negotiate] = new(AuthenticationMethod.Negotiate,
                     "GSS-SPNEGO", false, false, "GSSAPI library not found");
 
-                GlobalState.DefaultDCError = "Failed to find GSSAPI library";
+                state.DefaultDCError = "Failed to find GSSAPI library";
             }
             else
             {
-                GlobalState.Providers[AuthenticationMethod.Kerberos] = new(AuthenticationMethod.Kerberos,
+                state.Providers[AuthenticationMethod.Kerberos] = new(AuthenticationMethod.Kerberos,
                     "GSSAPI", true, true, "");
-                GlobalState.Providers[AuthenticationMethod.Negotiate] = new(AuthenticationMethod.Negotiate,
+                state.Providers[AuthenticationMethod.Negotiate] = new(AuthenticationMethod.Negotiate,
                     "GSS-SPNEGO", true, true, "");
 
                 if (gssapiLib.Path == MACOS_GSS_FRAMEWORK)
                 {
-                    GlobalState.GssapiProvider = GssapiProvider.GSSFramework;
+                    state.GssapiProvider = GssapiProvider.GSSFramework;
                 }
                 else if (NativeLibrary.TryGetExport(gssapiLib.Handle, "krb5_xfree", out var _))
                 {
                     // While technically exported by the krb5 lib the Heimdal GSSAPI lib depends on it so the same
                     // symbol will be exported there and we can use that to detect if Heimdal is in use.
-                    GlobalState.GssapiProvider = GssapiProvider.Heimdal;
+                    state.GssapiProvider = GssapiProvider.Heimdal;
                 }
                 else
                 {
-                    GlobalState.GssapiProvider = GssapiProvider.MIT;
+                    state.GssapiProvider = GssapiProvider.MIT;
                 }
 
                 // If the krb5 API is available, attempt to get the default realm used when creating an implicit
                 // session.
                 if (krb5Lib != null)
                 {
-                    string defaultRealm = "";
-                    using SafeKrb5Context ctx = Kerberos.InitContext();
-                    try
-                    {
-                        defaultRealm = Kerberos.GetDefaultRealm(ctx);
-                    }
-                    catch (KerberosException e)
-                    {
-                        GlobalState.DefaultDCError = $"Failed to lookup krb5 default_realm: {e.Message}";
-                    }
-
-                    if (!string.IsNullOrWhiteSpace(defaultRealm))
+                    if (TryGetDefaultKerberosRealm(out var defaultRealm, out var realmException))
                     {
                         // _ldap._tcp.dc._msdcs.domain.com
                         string baseDomain = $"dc._msdcs.{defaultRealm}";
@@ -208,37 +200,99 @@
                             ServiceHostEntry? first = res.OrderBy(r => r.Priority).ThenBy(r => r.Weight).FirstOrDefault();
                             if (first != null)
                             {
-                                GlobalState.DefaultDC = new($"ldap://{first.HostName}:{first.Port}/");
+                                state.DefaultDC = new($"ldap://{first.HostName}:{first.Port}/");
                             }
                             else
                             {
-                                GlobalState.DefaultDCError = $"No SRV records for _ldap._tcp.{baseDomain} found";
+                                state.DefaultDCError = $"No SRV records for _ldap._tcp.{baseDomain} found";
                             }
                         }
                         catch (DnsResponseException e)
                         {
-                            GlobalState.DefaultDCError = $"DNS Error looking up SRV records for _ldap._tcp.{baseDomain}: {e.Message}";
+                            state.DefaultDCError = $"DNS Error looking up SRV records for _ldap._tcp.{baseDomain}: {e.Message}";
                         }
                         catch (Exception e)
                         {
-                            GlobalState.DefaultDCError = $"Unknown error looking up SRV records for _ldap._tcp.{baseDomain}: {e.GetType().Name} - {e.Message}";
+                            state.DefaultDCError = $"Unknown error looking up SRV records for _ldap._tcp.{baseDomain}: {e.GetType().Name} - {e.Message}";
                         }
                     }
+                    else
+                    {
+                        state.DefaultDCError = $"Failed to lookup krb5 default realm: {realmException}";
+                    }
                 }
                 else
                 {
-                    GlobalState.DefaultDCError = "Failed to find Kerberos library";
+                    state.DefaultDCError = "Failed to find Kerberos library";
                 }
             }
         }
     }
 
     public void OnRemove(PSModuleInfo module)
     {
-        foreach (OpenADSession session in GlobalState.Sessions)
+        GlobalState state = GlobalState.GetFromTLS();
+        foreach (OpenADSession session in state.Sessions)
             session.Close();
 
-        GlobalState.Sessions = new();
+        state.Sessions = new();
         Resolver?.Dispose();
     }
+
+    /// <summary>
+    /// Attempt to get the default Kerberos realm from the system for the DC lookup.
+    /// </summary>
+    /// <param name="realm">The realm if the method returns true.</param>
+    /// <param name="errorMessage">The error details if the method returns false.</param>
+    /// <returns>True if the realm was successfully retrieved, otherwise false.</returns>
+    private static bool TryGetDefaultKerberosRealm(
+        [NotNullWhen(true)] out string? realm,
+        [NotNullWhen(false)] out string? errorMessage)
+    {
+        realm = null;
+        errorMessage = null;
+
+        using var ctx = Kerberos.InitContext();
+        if (Kerberos.TryGetDefaultRealm(ctx, out realm, out var defaultRealmException))
+        {
+            return true;
+        }
+
+        if (!Kerberos.TryGetDefaultCCache(ctx, out var ccache, out var defaultCCException))
+        {
+            errorMessage = $"{defaultRealmException.Message}, {defaultCCException.Message}";
+            return false;
+        }
+        using (ccache)
+        {
+            if (!Kerberos.TryGetCCachePrincipal(ctx, ccache, out var principal, out var defaultCCPrincipalException))
+            {
+                errorMessage = $"{defaultRealmException.Message}, {defaultCCPrincipalException.Message}";
+                return false;
+            }
+
+            using (principal)
+            {
+                if (Kerberos.TryUnparseName(ctx, principal, out var principalName, out var defaultUnparseException))
+                {
+                    int realmIdx = principalName.IndexOf('@');
+                    if (realmIdx != -1)
+                    {
+                        realm = principalName[(realmIdx + 1)..];
+                        return true;
+                    }
+                    else
+                    {
+                        errorMessage = $"{defaultRealmException.Message}, failed to find principal realm in name '{principalName}'";
+                        return false;
+                    }
+                }
+                else
+                {
+                    errorMessage = $"{defaultRealmException.Message}, {defaultUnparseException.Message}";
+                    return false;
+                }
+            }
+        }
+    }
 }

src/PSOpenAD.Module/OpenADSessionFactory.cs

@@ -23,14 +23,16 @@ internal sealed class OpenADSessionFactory
         PSCmdlet cmdlet, bool skipCache = false)
     {
         Uri ldapUri;
+        GlobalState state = GlobalState.GetFromTLS();
+
         if (string.IsNullOrEmpty(server))
         {
-            if (GlobalState.DefaultDC == null)
+            if (state.DefaultDC == null)
             {
                 string msg = "Cannot determine default realm for implicit domain controller.";
-                if (!string.IsNullOrEmpty(GlobalState.DefaultDCError))
+                if (!string.IsNullOrEmpty(state.DefaultDCError))
                 {
-                    msg += $" {GlobalState.DefaultDCError}";
+                    msg += $" {state.DefaultDCError}";
                 }
                 cmdlet.WriteError(new ErrorRecord(
                     new ArgumentException(msg),
@@ -40,7 +42,7 @@ internal sealed class OpenADSessionFactory
                 return null;
             }
 
-            ldapUri = GlobalState.DefaultDC;
+            ldapUri = state.DefaultDC;
         }
         else if (server.StartsWith("ldap://", true, CultureInfo.InvariantCulture) ||
             server.StartsWith("ldaps://", true, CultureInfo.InvariantCulture))
@@ -74,14 +76,14 @@ internal sealed class OpenADSessionFactory
         OpenADSession? session = null;
         if (!skipCache)
         {
-            session = GlobalState.Sessions.Find(s => s.Uri == ldapUri);
+            session = state.Sessions.Find(s => s.Uri == ldapUri);
         }
 
         if (session == null)
         {
             try
             {
-                return Create(ldapUri, credential, auth, startTls, sessionOptions, cancelToken, cmdlet: cmdlet);
+                return Create(ldapUri, credential, auth, startTls, sessionOptions, cancelToken, cmdlet: cmdlet, state: state);
             }
             catch (LDAPException e)
             {
@@ -112,9 +114,11 @@ internal static OpenADSession Create(
         bool startTls,
         OpenADSessionOptions sessionOptions,
         CancellationToken cancelToken,
-        PSCmdlet cmdlet
-    )
+        PSCmdlet cmdlet,
+        GlobalState? state = null)
     {
+        state ??= GlobalState.GetFromTLS();
+
         if (auth == AuthenticationMethod.Certificate && sessionOptions.ClientCertificate is null)
         {
             throw new ArgumentException(
@@ -149,6 +153,7 @@ PSCmdlet cmdlet
             }
 
             auth = Authenticate(
+                state,
                 connection,
                 uri,
                 auth,
@@ -200,7 +205,7 @@ out var authEncrypted
             // the required PowerShell type.
             SchemaMetadata schema = QuerySchema(connection, subschemaSubentry, sessionOptions, cancelToken, cmdlet);
 
-            return new OpenADSession(connection, uri, auth, transportIsTls || authSigned,
+            return new OpenADSession(state, connection, uri, auth, transportIsTls || authSigned,
                 transportIsTls || authEncrypted, sessionOptions.OperationTimeout, defaultNamingContext, schema,
                 supportedControls, dnsHostName);
         }
@@ -327,6 +332,7 @@ out var authEncrypted
     /// <param name="encrypted">Whether the auth context will encrypt the messages.</param>
     /// <returns>The authentication method used</returns>
     private static AuthenticationMethod Authenticate(
+        GlobalState state,
         IADConnection connection,
         Uri uri,
         AuthenticationMethod auth,
@@ -350,7 +356,7 @@ out bool encrypted
             // Use Certificate if a client certificate is specified, otherwise favour Negotiate auth if it is
             // available. Otherwise use Simple if both a credential and the exchange would be encrypted. If all else
             // fails use an anonymous bind.
-            AuthenticationProvider nego = GlobalState.Providers[AuthenticationMethod.Negotiate];
+            AuthenticationProvider nego = state.Providers[AuthenticationMethod.Negotiate];
             if (sessionOptions.ClientCertificate is not null && transportIsTls)
             {
                 auth = AuthenticationMethod.Certificate;
@@ -371,7 +377,7 @@ out bool encrypted
             cmdlet.WriteVerbose($"Default authentication mechanism has been set to {auth}");
         }
 
-        AuthenticationProvider selectedAuth = GlobalState.Providers[auth];
+        AuthenticationProvider selectedAuth = state.Providers[auth];
         if (!selectedAuth.Available)
         {
             string msg = $"Authentication {selectedAuth.Method} is not available";