Add MultiCredentialSecurityTokenManager to handle CoreWCF service certificates

src/System.Private.ServiceModel/tests/Common/Scenarios/ScenarioTestHelpers.cs

@@ -210,6 +210,12 @@ public static void CloseCommunicationObjects(params ICommunicationObject[] objec
             {
                 comObj.Abort();
             }
+            catch (System.Net.WebSockets.WebSocketException)
+            {
+                // WCF Client has a bug which throws WebSocketException when the server closes the connection.
+                // The remote party closed the WebSocket connection without completing the close handshake.
+                comObj.Abort();
+            }
         }
     }
 

src/System.Private.ServiceModel/tests/Scenarios/Binding/Http/NetHttpBindingTests.4.0.0.cs

@@ -10,7 +10,6 @@
 public class Binding_Http_NetHttpBindingTests : ConditionalWcfTest
 {
     [WcfTheory]
-    [Condition(nameof(Skip_CoreWCFService_FailedTest))]
     [InlineData(NetHttpMessageEncoding.Binary)]
     [InlineData(NetHttpMessageEncoding.Text)]
     [InlineData(NetHttpMessageEncoding.Mtom)]

src/System.Private.ServiceModel/tests/Scenarios/Binding/Http/NetHttpsBindingTests.4.1.0.cs

@@ -15,8 +15,7 @@ public class Binding_Http_NetHttpsBindingTests : ConditionalWcfTest
     [InlineData(NetHttpMessageEncoding.Mtom)]
     [Issue(3572, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
-               nameof(SSL_Available),
-               nameof(Skip_CoreWCFService_FailedTest))]
+               nameof(SSL_Available))]
     [OuterLoop]
     public static void DefaultCtor_NetHttps_Echo_RoundTrips_String(NetHttpMessageEncoding messageEncoding)
     {
@@ -83,8 +82,7 @@ public static void TransportWithMessageCredential_NotSupported_NetHttps()
     [WcfFact]
     [Issue(3572, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
-               nameof(SSL_Available),
-               nameof(Skip_CoreWCFService_FailedTest))]
+               nameof(SSL_Available))]
     [OuterLoop]
     public static void NonDefaultCtor_NetHttps_Echo_RoundTrips_String()
     {

src/System.Private.ServiceModel/tests/Scenarios/Client/ExpectedExceptions/ExpectedExceptionTests.4.1.0.cs

@@ -328,7 +328,6 @@ public static void DuplexCallback_Throws_FaultException_ReturnsFaultedTask()
     }
 
     [WcfFact]
-    [Condition(nameof(Skip_CoreWCFService_FailedTest))]
     [OuterLoop]
     // Verify product throws MessageSecurityException when the Dns identity from the server does not match the expectation
     public static void TCP_ServiceCertExpired_Throw_MessageSecurityException()
@@ -372,7 +371,6 @@ public static void TCP_ServiceCertExpired_Throw_MessageSecurityException()
     }
 
     [WcfFact]
-    [Condition(nameof(Skip_CoreWCFService_FailedTest))]
     [OuterLoop]
     // Verify product throws SecurityNegotiationException when the service cert is revoked
     public static void TCP_ServiceCertRevoked_Throw_SecurityNegotiationException()
@@ -420,7 +418,6 @@ public static void TCP_ServiceCertRevoked_Throw_SecurityNegotiationException()
     }
 
     [WcfFact]
-    [Condition(nameof(Skip_CoreWCFService_FailedTest))]
     [OuterLoop]
     // Verify product throws SecurityNegotiationException when the service cert only has the ClientAuth usage
     public static void TCP_ServiceCertInvalidEKU_Throw_SecurityNegotiationException()

src/System.Private.ServiceModel/tests/Scenarios/Extensibility/WebSockets/WebSocketTests.4.1.0.cs

@@ -168,8 +168,12 @@ public static void WebSocket_Http_Duplex_Buffered(NetHttpMessageEncoding message
                 "The logging done by the Server was not returned via the Callback.");
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {
@@ -236,8 +240,12 @@ public static void WebSocket_Http_Duplex_Buffered_KeepAlive(NetHttpMessageEncodi
                 "The logging done by the Server was not returned via the Callback.");
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {
@@ -416,7 +424,6 @@ public static void WebSocket_Https_Duplex_Buffered(NetHttpMessageEncoding messag
     }
 
     [WcfTheory]
-    [Condition(nameof(Skip_CoreWCFService_FailedTest))]
     [InlineData(NetHttpMessageEncoding.Binary)]
     [InlineData(NetHttpMessageEncoding.Text)]
     [InlineData(NetHttpMessageEncoding.Mtom)]
@@ -472,8 +479,12 @@ public static void WebSocket_Http_RequestReply_Streamed(NetHttpMessageEncoding m
             }
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {
@@ -487,7 +498,6 @@ public static void WebSocket_Http_RequestReply_Streamed(NetHttpMessageEncoding m
     [InlineData(NetHttpMessageEncoding.Text)]
     [InlineData(NetHttpMessageEncoding.Mtom)]
     [Issue(1438, OS = OSID.Windows_7)]  // not supported on Win7
-    [Condition(nameof(Skip_CoreWCFService_FailedTest))]
     [OuterLoop]
     public static void WebSocket_Http_RequestReply_Buffered(NetHttpMessageEncoding messageEncoding)
     {
@@ -527,8 +537,12 @@ public static void WebSocket_Http_RequestReply_Buffered(NetHttpMessageEncoding m
             }
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {
@@ -541,7 +555,6 @@ public static void WebSocket_Http_RequestReply_Buffered(NetHttpMessageEncoding m
     [InlineData(NetHttpMessageEncoding.Binary)]
     [InlineData(NetHttpMessageEncoding.Text)]
     [InlineData(NetHttpMessageEncoding.Mtom)]
-    [Condition(nameof(Skip_CoreWCFService_FailedTest))]
     [Issue(1438, OS = OSID.Windows_7)]  // not supported on Win7
     [OuterLoop]
     public static void WebSocket_Http_RequestReply_Buffered_KeepAlive(NetHttpMessageEncoding messageEncoding)
@@ -582,8 +595,12 @@ public static void WebSocket_Http_RequestReply_Buffered_KeepAlive(NetHttpMessage
             }
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {
@@ -596,8 +613,7 @@ public static void WebSocket_Http_RequestReply_Buffered_KeepAlive(NetHttpMessage
     [InlineData(NetHttpMessageEncoding.Binary)]
     [InlineData(NetHttpMessageEncoding.Text)]
     [InlineData(NetHttpMessageEncoding.Mtom)]
-    [Condition(nameof(Root_Certificate_Installed),
-               nameof(Skip_CoreWCFService_FailedTest))]
+    [Condition(nameof(Root_Certificate_Installed))]
     [Issue(3572, OS = OSID.OSX)]
     [Issue(1438, OS = OSID.Windows_7)]  // not supported on Win7
     [OuterLoop]
@@ -638,8 +654,12 @@ public static void WebSocket_Https_RequestReply_Buffered(NetHttpMessageEncoding
             }
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {
@@ -652,8 +672,7 @@ public static void WebSocket_Https_RequestReply_Buffered(NetHttpMessageEncoding
     [InlineData(NetHttpMessageEncoding.Binary)]
     [InlineData(NetHttpMessageEncoding.Text)]
     [InlineData(NetHttpMessageEncoding.Mtom)]
-    [Condition(nameof(Root_Certificate_Installed),
-               nameof(Skip_CoreWCFService_FailedTest))]
+    [Condition(nameof(Root_Certificate_Installed))]
     [Issue(3572, OS = OSID.OSX)]
     [Issue(1438, OS = OSID.Windows_7)]  // not supported on Win7
     [OuterLoop]
@@ -696,8 +715,12 @@ public static void WebSocket_Https_RequestReply_Buffered_KeepAlive(NetHttpMessag
             }
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {
@@ -862,8 +885,12 @@ public static void WebSocket_Http_VerifyWebSocketsUsed()
             Assert.True(responseFromService, String.Format("Response from the service was not expected. Expected: 'True' but got {0}", responseFromService));
 
             // *** CLEANUP *** \\
-            ((ICommunicationObject)client).Close();
-            channelFactory.Close();
+            // Close the client and channel factory if not running on localhost. CoreWCF has a bug in Close method (on Linux).
+            if (!ScenarioTestHelpers.IsLocalHost())
+            {
+                ((ICommunicationObject)client).Close();
+                channelFactory.Close();
+            }
         }
         finally
         {

src/System.Private.ServiceModel/tests/Scenarios/Security/TransportSecurity/Https/HttpsTests.4.1.1.cs

@@ -125,8 +125,7 @@ public static void Https_SecModeTrans_CertValMode_PeerTrust_Fails_Not_In_Trusted
     [WcfFact]
     [Condition(nameof(Root_Certificate_Installed),
                nameof(Client_Certificate_Installed),
-               nameof(SSL_Available),
-               nameof(Skip_CoreWCFService_FailedTest))]
+               nameof(SSL_Available))]
     [Issue(1945, OS = OSID.OSX)] // OSX doesn't support the TrustedPeople certificate store
     [OuterLoop]
     // Asking for PeerOrChainTrust should succeed if the certificate is
@@ -175,8 +174,7 @@ public static void Https_SecModeTrans_CertValMode_PeerOrChainTrust_Succeeds_Chai
     [Issue(2870, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
                nameof(Client_Certificate_Installed),
-               nameof(SSL_Available),
-               nameof(Skip_CoreWCFService_FailedTest))]
+               nameof(SSL_Available))]
     [OuterLoop]
     // Asking for ChainTrust should succeed if the certificate is
     // chain-trusted.

src/System.Private.ServiceModel/tests/Scenarios/Security/TransportSecurity/Tcp/ClientCredentialTypeCertificateCanonicalNameTests.4.1.0.cs

@@ -26,8 +26,7 @@ public class Tcp_ClientCredentialTypeCertificateCanonicalNameTests : Conditional
 
     [WcfFact]
     [Issue(3572, OS = OSID.OSX)]
-    [Condition(nameof(Root_Certificate_Installed),
-               nameof(Skip_CoreWCFService_FailedTest))]
+    [Condition(nameof(Root_Certificate_Installed))]
     [OuterLoop]
     public static void Certificate_With_CanonicalName_Localhost_Address_EchoString()
     {

src/System.Private.ServiceModel/tests/Scenarios/Security/TransportSecurity/Tcp/ClientCredentialTypeTests.4.1.1.cs

@@ -18,8 +18,7 @@ public partial class Tcp_ClientCredentialTypeTests : ConditionalWcfTest
     [Condition(nameof(Root_Certificate_Installed),
                nameof(Client_Certificate_Installed),
                nameof(Peer_Certificate_Installed),
-               nameof(SSL_Available),
-               nameof(Skip_CoreWCFService_FailedTest))]
+               nameof(SSL_Available))]
     [OuterLoop]
     // Asking for PeerTrust alone should succeed
     // if the certificate is in the TrustedPeople store.  For this test
@@ -125,8 +124,7 @@ public static void NetTcp_SecModeTrans_CertValMode_PeerTrust_Fails_Not_In_Truste
     [Issue(1945, OS = OSID.OSX)]
     [Condition(nameof(Root_Certificate_Installed),
                nameof(Client_Certificate_Installed),
-               nameof(SSL_Available),
-               nameof(Skip_CoreWCFService_FailedTest))]
+               nameof(SSL_Available))]
     [OuterLoop]
     // Asking for PeerOrChainTrust should succeed if the certificate is
     // chain-trusted, even though it is not in the TrustedPeople store.

src/System.Private.ServiceModel/tools/IISHostedWcfService/App_code/CoreWCF/MultiCredentialSecurityTokenManager.cs

@@ -0,0 +1,55 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+#if NET
+using CoreWCF.Description;
+using CoreWCF.IdentityModel.Selectors;
+using CoreWCF.Security;
+using CoreWCF.Security.Tokens;
+
+namespace WcfService
+{
+    public class MultiCredentialSecurityTokenManager : ServiceCredentialsSecurityTokenManager
+    {
+        private readonly MultiCredentialServiceCredentials _parent;
+        private readonly Dictionary<string, ServiceCredentials> _map;
+
+        public MultiCredentialSecurityTokenManager(
+            MultiCredentialServiceCredentials parent,
+            Dictionary<string, ServiceCredentials> map)
+            : base(parent)
+        {
+            _parent = parent;
+            _map = map;
+        }
+
+        public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
+        {
+            if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement recipientRequirement)
+            {
+                var uri = recipientRequirement.ListenUri?.AbsolutePath;
+                if (!string.IsNullOrEmpty(uri) && _map.TryGetValue(uri, out var creds))
+                {
+                    return creds.CreateSecurityTokenManager().CreateSecurityTokenProvider(tokenRequirement);
+                }
+            }
+            return _parent.CreateOriginalSecurityTokenManager().CreateSecurityTokenProvider(tokenRequirement);
+        }
+
+        public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
+        {
+            if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement recipientRequirement)
+            {
+                var uri = recipientRequirement.ListenUri?.AbsolutePath;
+                if (!string.IsNullOrEmpty(uri) && _map.TryGetValue(uri, out var creds))
+                {
+                    return creds.CreateSecurityTokenManager().CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
+                }
+            }
+
+            return _parent.CreateOriginalSecurityTokenManager().CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
+        }
+    }
+}
+#endif

src/System.Private.ServiceModel/tools/IISHostedWcfService/App_code/CoreWCF/MultiCredentialServiceCredentials.cs

@@ -0,0 +1,43 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+#if NET
+using CoreWCF.Description;
+using CoreWCF.IdentityModel.Selectors;
+
+namespace WcfService
+{
+    public class MultiCredentialServiceCredentials : ServiceCredentials
+    {
+        private readonly Dictionary<string, ServiceCredentials> _serviceCredentialsMap = new();
+
+        public void AddServiceCredentials(string path, ServiceCredentials credentials)
+        {
+            _serviceCredentialsMap[path] = credentials;
+        }
+
+        public IReadOnlyDictionary<string, ServiceCredentials> ServiceCredentialsMap => _serviceCredentialsMap;
+
+        public override SecurityTokenManager CreateSecurityTokenManager()
+        {
+            return new MultiCredentialSecurityTokenManager(this, _serviceCredentialsMap);
+        }
+
+        internal SecurityTokenManager CreateOriginalSecurityTokenManager()
+        {
+            return base.CreateSecurityTokenManager();
+        }
+
+        protected override ServiceCredentials CloneCore()
+        {
+            var clone = new MultiCredentialServiceCredentials();
+            foreach (var kvp in _serviceCredentialsMap)
+            {
+                clone.AddServiceCredentials(kvp.Key, kvp.Value.Clone());
+            }
+            return clone;
+        }
+    }
+}
+#endif