Runtime: Non-support of PrincipalPermissionAttribute

Created on 23 Oct 2019  路  6Comments  路  Source: dotnet/runtime

As best I can determine from my own test code (against 3.0.0) and as mentioned in dotnet/runtime#17693, PrincipalPermissionAttribute exists as a type but has no effect. MSDN also states "This attribute has no effect in .NET Core."

This seems dangerous, as a user porting existing code might expect that, if the attribute compiles, that it also functions. Since the purpose of this attribute is security, the consequences of a false assumption could be significant.

Is it a well-considered opinion that the attribute should exist yet be non-functional (not even a compiler warning...) or is this a decision warranting review?

area-System.Security question untriaged
Source
picture ericjohannsen
👍2

Most helpful comment

This isn't about partial trust. The following is perfectly valid permission enforcement in a .NET Framework business class. It compiles just fine in .NET Core but fails the essential task of controlling access:

public class Foo
{
  [PrincipalPermission (SecurityAction.Demand, Role = "finance")]
  public IEnumerable<Salary> GetEmployeeSalaries() => ...;
}
picture ericjohannsen on 24 Oct 2019
👍2

All 6 comments

The methods for creating partial trust context throw or do not exist at all in .NET Core.

For example, PermissionSet.Deny() throws PlatformNotSupportedException in .NET Core: https://github.com/dotnet/corefx/blob/d58a51f911efb3c98beca21b6cf08cc703424fdf/src/Common/src/CoreLib/System/Security/PermissionSet.cs#L30

If your ported program depends on partial trust permissions, you will get an error much earlier, long before these permission attributes would come into play.

jkotas picture jkotas on 24 Oct 2019

This isn't about partial trust. The following is perfectly valid permission enforcement in a .NET Framework business class. It compiles just fine in .NET Core but fails the essential task of controlling access:

public class Foo
{
  [PrincipalPermission (SecurityAction.Demand, Role = "finance")]
  public IEnumerable<Salary> GetEmployeeSalaries() => ...;
}
ericjohannsen picture ericjohannsen on 24 Oct 2019
👍2

@jkotas This makes me think we should obsolete some types (like PrincipalPermissionAttribute) as error. Since we don't support the CAS infrastructure in Core we should fail at compilation when these types are involved, as otherwise they'll incorrectly give the illusion that they work properly.

GrabYourPitchforks picture GrabYourPitchforks on 14 Feb 2020
👍1

Quite possibly all of the CAS-related attributes, now that I think more on it. If you manually new up a permission object and call Demand you'll get PNSE as expected. But since the runtime isn't looking at the attributes at all there's nobody to trigger the PNSE.

GrabYourPitchforks picture GrabYourPitchforks on 14 Feb 2020
👍1

I fully support marking all CAS-related APIs as obsolete, once we get the more fine grained controls for obsolete warnings in place.

jkotas picture jkotas on 15 Feb 2020
👍1

Related: https://github.com/dotnet/runtime/issues/1698#issuecomment-573956351, which ponders the consequences of a "fail open" policy where developers don't expect it.

GrabYourPitchforks picture GrabYourPitchforks on 15 Feb 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jkotas picture jkotas  路  3Comments
EgorBo picture EgorBo  路  3Comments
matty-hall picture matty-hall  路  3Comments
omajid picture omajid  路  3Comments
v0l picture v0l  路  3Comments