Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for setting security attributes on Http.Sys RequestQueue #61084

Open
BrennanConroy opened this issue Mar 21, 2025 · 2 comments · May be fixed by #61325
Open

Add support for setting security attributes on Http.Sys RequestQueue #61084

BrennanConroy opened this issue Mar 21, 2025 · 2 comments · May be fixed by #61325
Labels
api-approved API was approved in API review, it can be implemented area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions

Comments

@BrennanConroy
Copy link
Member

BrennanConroy commented Mar 21, 2025
edited
Loading

Background and Motivation

We've had a few asks about how to set permissions for the request queue created by Http.Sys. After helping one team manually do PInvoking and getting it working, we've distilled the needed API here so they can get rid of their code and let us continue setting up the request queue.

Proposed API

namespace Microsoft.AspNetCore.Server.HttpSys;

public class HttpSysOptions
{
     public string? RequestQueueName { get; set; }

+    public GenericSecurityDescriptor? RequestQueueSecurityDescriptor { get; set; }
}

GenericSecurityDescriptor

Usage Examples

CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, string.Empty);

DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 2);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Deny, new SecurityIdentifier(WellKnownSidType.BuiltinGuestsSid, null), -1, InheritanceFlags.None, PropagationFlags.None);

securityDescriptor.DiscretionaryAcl = dacl;

var builder = WebApplication.CreateBuilder(args);

builder.WebHost.UseHttpSys(options =>
{
    options.RequestQueueName = "SomeQueueName";
    options.RequestQueueSecurityDescriptor = securityDescriptor;
});

var app = builder.Build();

Alternative Designs

The only alternative is to create the request queue yourself in code, which involves PInvoking and native memory management, and then telling our Http.Sys server to attach to the queue that was created.

Risks

N/A
@BrennanConroy BrennanConroy added the api-suggestion Early API idea and discussion, it is NOT ready for implementation label Mar 21, 2025
@dotnet-issue-labeler dotnet-issue-labeler bot added the area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions label Mar 21, 2025
@BrennanConroy BrennanConroy added api-ready-for-review API is ready for formal API review - https://github.com/dotnet/apireviews and removed api-suggestion Early API idea and discussion, it is NOT ready for implementation labels Mar 25, 2025
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Thank you for submitting this for API review. This will be reviewed by @dotnet/aspnet-api-review at the next meeting of the ASP.NET Core API Review group. Please ensure you take a look at the API review process documentation and ensure that:

  • The PR contains changes to the reference-assembly that describe the API change. Or, you have included a snippet of reference-assembly-style code that illustrates the API change.
  • The PR describes the impact to users, both positive (useful new APIs) and negative (breaking changes).
  • Someone is assigned to "champion" this change in the meeting, and they understand the impact and design of the change.

@BrennanConroy
Copy link
Member Author

  • Seems good! No complaints.

API Approved!

namespace Microsoft.AspNetCore.Server.HttpSys;

public class HttpSysOptions
{
     public string? RequestQueueName { get; set; }

+    public GenericSecurityDescriptor? RequestQueueSecurityDescriptor { get; set; }
}

@BrennanConroy BrennanConroy added api-approved API was approved in API review, it can be implemented and removed api-ready-for-review API is ready for formal API review - https://github.com/dotnet/apireviews labels Apr 3, 2025
@BrennanConroy BrennanConroy linked a pull request Apr 4, 2025 that will close this issue
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
api-approved API was approved in API review, it can be implemented area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add support for setting security attributes on Http.Sys RequestQueue dotnet/aspnetcore
1 participant
@BrennanConroy