Merge pull request #16580 from dotnet-maestro-bot/merge/release/3.1-to-master

[automated] Merge branch 'release/3.1' => 'master'

Author: BrennanConroy

.azure/pipelines/ci.yml

@@ -65,7 +65,10 @@ variables:
       valule: test
     - name: _PublishArgs
       value: ''
-
+  # used for post-build phases, internal builds only
+  - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
+    - group: DotNet-AspNet-SDLValidation-Params
+    
 stages:
 - stage: build
   displayName: Build
@@ -654,3 +657,17 @@ stages:
       enableSymbolValidation: false
       enableSigningValidation: false
       publishInstallersAndChecksums: true
+      # This is to enable SDL runs part of Post-Build Validation Stage
+      SDLValidationParameters:
+        enable: true
+        continueOnError: false
+        params: ' -SourceToolsList @("policheck","credscan")
+        -TsaInstanceURL $(_TsaInstanceURL)
+        -TsaProjectName $(_TsaProjectName)
+        -TsaNotificationEmail $(_TsaNotificationEmail)
+        -TsaCodebaseAdmin $(_TsaCodebaseAdmin)
+        -TsaBugAreaPath $(_TsaBugAreaPath)
+        -TsaIterationPath $(_TsaIterationPath)
+        -TsaRepositoryName "AspNetCore"
+        -TsaCodebaseName "AspNetCore"
+        -TsaPublish $True'

eng/Version.Details.xml

@@ -9,9 +9,9 @@
 -->
 <Dependencies>
   <ProductDependencies>
-    <Dependency Name="Microsoft.AspNetCore.Blazor.Mono" Version="5.0.0-alpha1.19528.2">
+    <Dependency Name="Microsoft.AspNetCore.Blazor.Mono" Version="5.0.0-alpha1.19531.2">
       <Uri>https://github.com/aspnet/Blazor</Uri>
-      <Sha>109766852cdedfd07babca70c56b18a508228e1d</Sha>
+      <Sha>67c011629f56585c6a561dc4bdca70efc43579dd</Sha>
     </Dependency>
     <Dependency Name="Microsoft.AspNetCore.Razor.Language" Version="5.0.0-alpha1.19531.8">
       <Uri>https://github.com/aspnet/AspNetCore-Tooling</Uri>

eng/Versions.props

@@ -94,7 +94,7 @@
     <!-- Only listed explicitly to workaround https://github.com/dotnet/cli/issues/10528 -->
     <MicrosoftNETCorePlatformsPackageVersion>5.0.0-alpha1.19520.7</MicrosoftNETCorePlatformsPackageVersion>
     <!-- Packages from aspnet/Blazor -->
-    <MicrosoftAspNetCoreBlazorMonoPackageVersion>5.0.0-alpha1.19528.2</MicrosoftAspNetCoreBlazorMonoPackageVersion>
+    <MicrosoftAspNetCoreBlazorMonoPackageVersion>5.0.0-alpha1.19531.2</MicrosoftAspNetCoreBlazorMonoPackageVersion>
     <!-- Packages from aspnet/Extensions -->
     <InternalAspNetCoreAnalyzersPackageVersion>5.0.0-alpha1.19530.2</InternalAspNetCoreAnalyzersPackageVersion>
     <MicrosoftAspNetCoreAnalyzerTestingPackageVersion>5.0.0-alpha1.19530.2</MicrosoftAspNetCoreAnalyzerTestingPackageVersion>

src/Analyzers/Analyzers/src/UseAuthorizationAnalyzer.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Diagnostics;
+using System.Linq;
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.Diagnostics;
 
@@ -27,6 +28,7 @@ public void AnalyzeSymbol(SymbolAnalysisContext context)
             {
                 MiddlewareItem? useAuthorizationItem = default;
                 MiddlewareItem? useRoutingItem = default;
+                MiddlewareItem? useEndpoint = default;
 
                 var length = middlewareAnalysis.Middleware.Length;
                 for (var i = length - 1; i >= 0; i-- )
@@ -70,9 +72,24 @@ public void AnalyzeSymbol(SymbolAnalysisContext context)
                                 useAuthorizationItem.Operation.Syntax.GetLocation(),
                                 middlewareItem.UseMethod.Name));
                         }
+
+                        useEndpoint = middlewareItem;
                     }
                     else if (middleware == "UseRouting")
                     {
+                        if (useEndpoint is null)
+                        {
+                            // We're likely here because the middleware uses an expression chain e.g.
+                            // app.UseRouting()
+                            //   .UseAuthorization()
+                            //   .UseEndpoints(..));
+                            // This analyzer expects MiddlewareItem instances to appear in the order in which they appear in source
+                            // which unfortunately isn't true for chained calls (the operations appear in reverse order).
+                            // We'll avoid doing any analysis in this event and rely on the runtime guardrails.
+                            // We'll use https://github.com/aspnet/AspNetCore/issues/16648 to track addressing this in a future milestone
+                            return;
+                        }
+
                         useRoutingItem = middlewareItem;
                     }
                 }

src/Analyzers/Analyzers/test/StartupAnalyzerTest.cs

@@ -244,6 +244,22 @@ public async Task StartupAnalyzer_UseAuthorizationConfiguredCorrectly_ReportsNoD
             Assert.Empty(diagnostics);
         }
 
+        [Fact]
+        public async Task StartupAnalyzer_UseAuthorizationConfiguredAsAChain_ReportsNoDiagnostics()
+        {
+            // Regression test for https://github.com/aspnet/AspNetCore/issues/15203
+            // Arrange
+            var source = Read(nameof(TestFiles.StartupAnalyzerTest.UseAuthConfiguredCorrectlyChained));
+
+            // Act
+            var diagnostics = await Runner.GetDiagnosticsAsync(source.Source);
+
+            // Assert
+            var middlewareAnalysis = Assert.Single(Analyses.OfType<MiddlewareAnalysis>());
+            Assert.NotEmpty(middlewareAnalysis.Middleware);
+            Assert.Empty(diagnostics);
+        }
+
         [Fact]
         public async Task StartupAnalyzer_UseAuthorizationInvokedMultipleTimesInEndpointRoutingBlock_ReportsNoDiagnostics()
         {
@@ -279,6 +295,23 @@ public async Task StartupAnalyzer_UseAuthorizationConfiguredBeforeUseRouting_Rep
                 });
         }
 
+        [Fact]
+        public async Task StartupAnalyzer_UseAuthorizationConfiguredBeforeUseRoutingChained_ReportsDiagnostics()
+        {
+            // This one asserts a false negative for https://github.com/aspnet/AspNetCore/issues/15203.
+            // We don't correctly identify chained calls, this test verifies the behavior.
+            // Arrange
+            var source = Read(nameof(TestFiles.StartupAnalyzerTest.UseAuthBeforeUseRoutingChained));
+
+            // Act
+            var diagnostics = await Runner.GetDiagnosticsAsync(source.Source);
+
+            // Assert
+            var middlewareAnalysis = Assert.Single(Analyses.OfType<MiddlewareAnalysis>());
+            Assert.NotEmpty(middlewareAnalysis.Middleware);
+            Assert.Empty(diagnostics);
+        }
+
         [Fact]
         public async Task StartupAnalyzer_UseAuthorizationConfiguredAfterUseEndpoints_ReportsDiagnostics()
         {

src/Analyzers/Analyzers/test/TestFiles/StartupAnalyzerTest/UseAuthBeforeUseRoutingChained.cs

@@ -0,0 +1,17 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.AspNetCore.Builder;
+
+namespace Microsoft.AspNetCore.Analyzers.TestFiles.StartupAnalyzerTest {
+    public class UseAuthBeforeUseRoutingChained
+    {
+        public void Configure(IApplicationBuilder app)
+        {
+            app.UseFileServer()
+               .UseAuthorization()
+               .UseRouting()
+               .UseEndpoints(r => { });
+        }
+    }
+}

src/Analyzers/Analyzers/test/TestFiles/StartupAnalyzerTest/UseAuthConfiguredCorrectlyChained.cs

@@ -0,0 +1,16 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.AspNetCore.Builder;
+
+namespace Microsoft.AspNetCore.Analyzers.TestFiles.StartupAnalyzerTest {
+    public class UseAuthConfiguredCorrectlyChained
+    {
+        public void Configure(IApplicationBuilder app)
+        {
+            app.UseRouting()
+               .UseAuthorization()
+               .UseEndpoints(r => { });
+        }
+    }
+}

src/Components/Blazor/Blazor/ref/Microsoft.AspNetCore.Blazor.netstandard2.0.cs

@@ -54,13 +54,9 @@ public enum FetchCredentialsOption
         SameOrigin = 1,
         Include = 2,
     }
-    public partial class WebAssemblyHttpMessageHandler : System.Net.Http.HttpMessageHandler
+    public static partial class WebAssemblyHttpMessageHandlerOptions
     {
-        public const string FetchArgs = "WebAssemblyHttpMessageHandler.FetchArgs";
-        public WebAssemblyHttpMessageHandler() { }
-        public static Microsoft.AspNetCore.Blazor.Http.FetchCredentialsOption DefaultCredentials { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
-        [System.Diagnostics.DebuggerStepThroughAttribute]
-        protected override System.Threading.Tasks.Task<System.Net.Http.HttpResponseMessage> SendAsync(System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) { throw null; }
+        public static Microsoft.AspNetCore.Blazor.Http.FetchCredentialsOption DefaultCredentials { get { throw null; } set { } }
     }
 }
 namespace Microsoft.AspNetCore.Blazor.Rendering

src/Components/Blazor/Blazor/src/Hosting/WebAssemblyHost.cs

@@ -2,11 +2,8 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
-using System.Net.Http;
-using System.Reflection;
 using System.Threading;
 using System.Threading.Tasks;
-using Microsoft.AspNetCore.Blazor.Http;
 using Microsoft.AspNetCore.Blazor.Rendering;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.JSInterop;
@@ -30,16 +27,6 @@ public WebAssemblyHost(IServiceProvider services, IJSRuntime runtime)
 
         public Task StartAsync(CancellationToken cancellationToken = default)
         {
-            // We need to do this as early as possible, it eliminates a bunch of problems. Note that what we do
-            // is a bit fragile. If you see things breaking because JSRuntime.Current isn't set, then it's likely
-            // that something on the startup path went wrong.
-            //
-            // We want to the JSRuntime created here to be the 'ambient' runtime when JS calls back into .NET. When
-            // this happens in the browser it will be a direct call from Mono. We effectively needs to set the
-            // JSRuntime in the 'root' execution context which implies that we want to do as part of a direct
-            // call from Program.Main, and before any 'awaits'.
-            SetBrowserHttpMessageHandlerAsDefault();
-
             return StartAsyncAwaited();
         }
 
@@ -102,35 +89,5 @@ public void Dispose()
         {
             (Services as IDisposable)?.Dispose();
         }
-
-        private static void SetBrowserHttpMessageHandlerAsDefault()
-        {
-            // Within the Mono WebAssembly BCL, this is a special private static field
-            // that can be assigned to override the default handler
-            const string getHttpMessageHandlerFieldName = "GetHttpMessageHandler";
-            var getHttpMessageHandlerField = typeof(HttpClient).GetField(
-                getHttpMessageHandlerFieldName,
-                BindingFlags.Static | BindingFlags.NonPublic);
-
-            // getHttpMessageHandlerField will be null in tests, but nonnull when actually
-            // running under Mono WebAssembly
-            if (getHttpMessageHandlerField != null)
-            {
-                // Just in case you're not actually using HttpClient, defer the construction
-                // of the WebAssemblyHttpMessageHandler
-                var handlerSingleton = new Lazy<HttpMessageHandler>(
-                    () => new WebAssemblyHttpMessageHandler());
-                Func<HttpMessageHandler> handlerFactory = () => handlerSingleton.Value;
-                getHttpMessageHandlerField.SetValue(null, handlerFactory);
-            }
-            else
-            {
-                // We log a warning in case this ever happens at runtime (even though there's
-                // no obvious way it could be possible), but don't actually throw because that
-                // would break unit tests
-                Console.WriteLine("WARNING: Could not set default HttpMessageHandler because " +
-                    $"'{getHttpMessageHandlerFieldName}' was not found on '{typeof(HttpClient).FullName}'.");
-            }
-        }
     }
 }