IMDSv2 mTLS PoP: add best‑effort persisted binding‑cert cache (Windows CurrentUser\My) layered over in‑memory cache; per‑alias mutex; tests #5566
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/FriendlyNameCodec.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/FriendlyNameCodec.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/FriendlyNameCodec.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/MsiCertificateFriendlyNameEncoder.cs
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/FriendlyNameCodec.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/MsiCertificateFriendlyNameEncoder.cs
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/ImdsV2ManagedIdentitySource.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/InterprocessLock.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/InterprocessLock.cs
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/InterprocessLock.cs
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
| /// - No throws; persistence must not block token acquisition. | ||
| /// - Windows-only; FriendlyName semantics are undefined elsewhere. | ||
| /// </summary> | ||
| internal static class PersistentCertificateStore |
Member
There was a problem hiding this comment.
Are you overusing static? Everything seems static in this design. Does this not need mocking? And a logger?
Contributor
Author
There was a problem hiding this comment.
we don't need mocking here, but made few changes.
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/PersistentCertificateStore.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/PersistentCertificateStore.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/PersistentCertificateStore.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/PersistentCertificateStore.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/PersistentCertificateStore.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/PersistentCertificateStore.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/PersistentCertificateStore.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/PersistentCertificateStore.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/PersistentCertificateStore.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Nov 4, 2025
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/StorePruner.cs
Outdated
Show resolved
Hide resolved
Robbie-Microsoft
requested changes
Nov 11, 2025
Comment on lines
198
to
201
| PersistentCertificateCacheFactory.Create(requestContext.Logger); | ||
|
|
||
| _mtlsCache = new MtlsBindingCache(s_mtlsCertificateCache, persisted); | ||
| } |
Contributor
There was a problem hiding this comment.
Can we use dependency injection instead of putting this in the constructor? This should enhance testability.
| { | ||
| internal interface IMtlsBindingCache | ||
| { | ||
| Task<Tuple<X509Certificate2, string /*endpoint*/, string /*clientId*/>> GetOrCreateAsync( |
Contributor
There was a problem hiding this comment.
Can you create a named tuple?
internal class MtlsBindingInfo
{
public X509Certificate2 Certificate { get; set; }
public string Endpoint { get; set; }
public string ClientId { get; set; }
}
| try | ||
| { | ||
| // Create or open existing | ||
| using var m = new Mutex(initiallyOwned: false, name); |
Contributor
There was a problem hiding this comment.
what if an exception occurs before the using block exposes?
| } | ||
| catch (AbandonedMutexException) | ||
| { | ||
| entered = true; // prior holder crashed |
Contributor
There was a problem hiding this comment.
can you add a log here?
|
|
||
| if (!entered) | ||
| { | ||
| logVerbose?.Invoke($"[PersistentCert] Skip persist (lock busy '{name}')."); |
Contributor
There was a problem hiding this comment.
should we log duration waited?
| if (string.IsNullOrEmpty(cn)) | ||
| return false; | ||
|
|
||
| // Unconditional CNs |
Contributor
There was a problem hiding this comment.
Why is there a difference in string comparison between conditional and unconditional CNs? (Ordinal vs. OrdinalIgnoreCase)
| @@ -0,0 +1,92 @@ | |||
| // Copyright (c) Microsoft Corporation. All rights reserved. | |||
Contributor
There was a problem hiding this comment.
can you add additional tests:
- Edge cases:
- Invalid or null alias values to ensure proper exception handling or fallback.
- Very long alias strings to check for buffer overflows or system limitations.
- Non-Windows platforms
- Multiple concurrent attempts
- Exception handling within action: Add tests where the action delegate throws an exception—confirm lock is released and exception bubbles as expected.
| { Assert.Inconclusive("Windows-only"); return; } | ||
|
|
||
| var aliasRaw = " my-alias "; | ||
| var g = InterprocessLock.GetMutexNameForAlias(aliasRaw, preferGlobal: true); |
Contributor
There was a problem hiding this comment.
please use global/local for readability
| @@ -0,0 +1,553 @@ | |||
| // Copyright (c) Microsoft Corporation. All rights reserved. | |||
Contributor
There was a problem hiding this comment.
can you add additional tests:
- for non-windows behavior, validate intended no-op/error/alternative behavior
- Add tests to validate behavior when mutex acquisition fails due to errors besides contention (e.g., invalid alias, OS failures), or when the action throws an exception—does the lock get released?
- Test that repeated calls for the same alias succeed serially—i.e., after the first lock is released, the second can acquire.
- Test boundary and edge cases for aliases: empty string, extremely long name, special characters, unicode, etc.
| @@ -0,0 +1,553 @@ | |||
| // Copyright (c) Microsoft Corporation. All rights reserved. | |||
| // Licensed under the MIT License. | |||
Contributor
There was a problem hiding this comment.
Use private helper methods to reduce repeated code for Windows checks or lock calls
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes - Adds MSI v2 cert to the store (persistent cache)
Changes proposed in this request
The IMDSv2 mTLS PoP flow currently relies only on a process‑local cache. That means new processes (or app restarts) must re‑mint the binding certificate even when a valid one already exists on the machine. This PR layers a best‑effort, cross‑process persisted cache on top of the existing in‑memory cache to reduce reminting, while keeping token acquisition robust (never blocked by persistence).
Testing
unit testing
Performance impact
none
Documentation