IMDSv2 mTLS PoP: add best‑effort persisted binding‑cert cache (Windows CurrentUser\My) layered over in‑memory cache; per‑alias mutex; tests (#5566)

* peristed cert

* more tests

* pr comments

* address pr comments

* pr comments

Author: gladjohn

src/client/Microsoft.Identity.Client/ManagedIdentity/V2/IMtlsCertificateCache.cs

@@ -0,0 +1,27 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Identity.Client.Core;
+
+namespace Microsoft.Identity.Client.ManagedIdentity.V2
+{
+    /// <summary>
+    /// Abstraction over the in-memory + persisted cache for IMDSv2 mTLS binding certificates.
+    /// </summary>
+    internal interface IMtlsCertificateCache
+    {
+        /// <summary>
+        /// Returns a cached binding certificate for the given <paramref name="cacheKey"/>,
+        /// or uses <paramref name="factory"/> to create, persist and return one when needed.
+        /// </summary>
+        Task<MtlsBindingInfo> GetOrCreateAsync(
+            string cacheKey,
+            Func<Task<MtlsBindingInfo>> factory,
+            CancellationToken cancellationToken,
+            ILoggerAdapter logger);
+    }
+}

src/client/Microsoft.Identity.Client/ManagedIdentity/V2/IPersistentCertificateCache.cs

@@ -0,0 +1,36 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Identity.Client.Core;
+
+namespace Microsoft.Identity.Client.ManagedIdentity.V2
+{
+    /// <summary>
+    /// Persistence interface for IMDSv2 mTLS binding certificates.
+    /// Implementations must be best-effort and non-throwing so that
+    /// certificate persistence never blocks authentication.
+    /// </summary>
+    internal interface IPersistentCertificateCache
+    {
+        /// <summary>
+        /// Reads the newest valid (≥24h remaining, has private key) entry for the alias.
+        /// Returns <c>true</c> on cache hit, <c>false</c> otherwise.
+        /// </summary>
+        bool Read(string alias, out CertificateCacheValue value, ILoggerAdapter logger);
+
+        /// <summary>
+        /// Persists the certificate for the alias (best-effort).
+        /// Implementations should log failures but must not throw; callers do not
+        /// depend on persistence succeeding and fall back to in-memory cache only.
+        /// </summary>
+        void Write(string alias, X509Certificate2 cert, string endpointBase, ILoggerAdapter logger);
+
+        /// <summary>
+        /// Prunes expired entries for the alias (best-effort).
+        /// Implementations should remove stale/expired entries while leaving the
+        /// latest valid binding for the alias in place.
+        /// </summary>
+        void Delete(string alias, ILoggerAdapter logger);
+    }
+}

src/client/Microsoft.Identity.Client/ManagedIdentity/V2/ImdsV2ManagedIdentitySource.cs

@@ -26,9 +26,7 @@ internal class ImdsV2ManagedIdentitySource : AbstractManagedIdentity
         // Central, process-local cache for mTLS binding (cert + endpoint + canonical client_id).
         internal static readonly ICertificateCache s_mtlsCertificateCache = new InMemoryCertificateCache();
 
-        // Per-key async de-duplication so concurrent callers don’t double-mint.
-        internal static readonly ConcurrentDictionary<string, SemaphoreSlim> s_perKeyGates =
-            new ConcurrentDictionary<string, SemaphoreSlim>(StringComparer.Ordinal);
+        private readonly IMtlsCertificateCache _mtlsCache;
 
         // used in unit tests
         public const string ImdsV2ApiVersion = "2.0";
@@ -193,9 +191,20 @@ public static AbstractManagedIdentity Create(RequestContext requestContext)
             return new ImdsV2ManagedIdentitySource(requestContext);
         }
 
-        internal ImdsV2ManagedIdentitySource(RequestContext requestContext) :
-            base(requestContext, ManagedIdentitySource.ImdsV2)
-        { }
+        internal ImdsV2ManagedIdentitySource(RequestContext requestContext) 
+            : this(requestContext,  
+                  new MtlsBindingCache(s_mtlsCertificateCache, PersistentCertificateCacheFactory
+                      .Create(requestContext.Logger)))
+        {
+        }
+
+        internal ImdsV2ManagedIdentitySource(
+            RequestContext requestContext,
+            IMtlsCertificateCache mtlsCache)
+            : base(requestContext, ManagedIdentitySource.ImdsV2)
+        {
+            _mtlsCache = mtlsCache ?? throw new ArgumentNullException(nameof(mtlsCache));
+        }
 
         private async Task<CertificateRequestResponse> ExecuteCertificateRequestAsync(
             string clientId,
@@ -291,11 +300,11 @@ private async Task<CertificateRequestResponse> ExecuteCertificateRequestAsync(
 
         protected override async Task<ManagedIdentityRequest> CreateRequestAsync(string resource)
         {
-            var csrMetadata = await GetCsrMetadataAsync(_requestContext, false).ConfigureAwait(false);
+            CsrMetadata csrMetadata = await GetCsrMetadataAsync(_requestContext, false).ConfigureAwait(false);
 
             string certCacheKey = _requestContext.ServiceBundle.Config.ClientId;
 
-            var certEndpointAndClientId = await GetOrCreateMtlsBindingAsync(
+            MtlsBindingInfo mtlsBinding = await GetOrCreateMtlsBindingAsync(
                 cacheKey: certCacheKey,
                 async () =>
                 {
@@ -333,15 +342,16 @@ protected override async Task<ManagedIdentityRequest> CreateRequestAsync(string
                     // Canonical GUID to use as client_id in the token call
                     string clientIdGuid = certificateRequestResponse.ClientId;
 
-                    return Tuple.Create(mtlsCertificate, endpointBase, clientIdGuid);
+                    return new MtlsBindingInfo(mtlsCertificate, endpointBase, clientIdGuid);
+
                 },
-                _requestContext.UserCancellationToken, 
+                _requestContext.UserCancellationToken,
                 _requestContext.Logger)
                 .ConfigureAwait(false);
 
-            X509Certificate2 bindingCertificate = certEndpointAndClientId.Item1;
-            string endpointBaseForToken = certEndpointAndClientId.Item2;
-            string clientIdForToken = certEndpointAndClientId.Item3;
+            X509Certificate2 bindingCertificate = mtlsBinding.Certificate;
+            string endpointBaseForToken = mtlsBinding.Endpoint;
+            string clientIdForToken = mtlsBinding.ClientId;
 
             ManagedIdentityRequest request = new ManagedIdentityRequest(
                 HttpMethod.Post,
@@ -440,65 +450,13 @@ private async Task<string> GetAttestationJwtAsync(
             return response.AttestationToken;
         }
 
-        // ...unchanged usings and class header...
-
-        /// <summary>
-        /// Read-through cache: try cache; if missing, run async factory once (per key),
-        /// store the result, and return it. Thread-safe for the given cacheKey.
-        /// </summary>
-        private static async Task<Tuple<X509Certificate2, string, string>> GetOrCreateMtlsBindingAsync(
+        private Task<MtlsBindingInfo> GetOrCreateMtlsBindingAsync(
             string cacheKey,
-            Func<Task<Tuple<X509Certificate2, string, string>>> factory,
+            Func<Task<MtlsBindingInfo>> factory,
             CancellationToken cancellationToken,
             ILoggerAdapter logger)
         {
-            if (string.IsNullOrWhiteSpace(cacheKey))
-                throw new ArgumentException("cacheKey must be non-empty.", nameof(cacheKey));
-            if (factory is null)
-                throw new ArgumentNullException(nameof(factory));
-
-            X509Certificate2 cachedCertificate;
-            string cachedEndpointBase;
-            string cachedClientId;
-
-            // 1) Only lookup by cacheKey
-            if (s_mtlsCertificateCache.TryGet(cacheKey, out var cached, logger))
-            {
-                cachedCertificate = cached.Certificate;
-                cachedEndpointBase = cached.Endpoint;
-                cachedClientId = cached.ClientId;
-
-                return Tuple.Create(cachedCertificate, cachedEndpointBase, cachedClientId);
-            }
-
-            // 2) Gate per cacheKey
-            var gate = s_perKeyGates.GetOrAdd(cacheKey, _ => new SemaphoreSlim(1, 1));
-            await gate.WaitAsync(cancellationToken).ConfigureAwait(false);
-
-            try
-            {
-                // Re-check after acquiring the gate
-                if (s_mtlsCertificateCache.TryGet(cacheKey, out cached, logger))
-                {
-                    cachedCertificate = cached.Certificate;
-                    cachedEndpointBase = cached.Endpoint;
-                    cachedClientId = cached.ClientId;
-                    return Tuple.Create(cachedCertificate, cachedEndpointBase, cachedClientId);
-                }
-
-                // 3) Mint + cache under the provided cacheKey
-                var created = await factory().ConfigureAwait(false);
-
-                s_mtlsCertificateCache.Set(cacheKey,
-                    new CertificateCacheValue(created.Item1, created.Item2, created.Item3),
-                    logger);
-
-                return created;
-            }
-            finally
-            {
-                gate.Release();
-            }
+            return _mtlsCache.GetOrCreateAsync(cacheKey, factory, cancellationToken, logger);
         }
 
         internal static void ResetCertCacheForTest()
@@ -508,14 +466,6 @@ internal static void ResetCertCacheForTest()
             {
                 s_mtlsCertificateCache.Clear();
             }
-
-            foreach (var gate in s_perKeyGates.Values)
-            {
-                try
-                { gate.Dispose(); }
-                catch { }
-            }
-            s_perKeyGates.Clear();
         }
     }
 }

src/client/Microsoft.Identity.Client/ManagedIdentity/V2/InterprocessLock.cs

@@ -0,0 +1,149 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Diagnostics;
+using System.Threading;
+using Microsoft.Identity.Client.PlatformsCommon.Shared;
+
+namespace Microsoft.Identity.Client.ManagedIdentity.V2
+{
+    /// <summary>
+    /// Executes paramref name="action"/ under a cross-process, per-alias mutex.
+    /// We attempt 2 namespaces, in order:
+    /// 1) <c>Global\</c> — preferred so we dedupe across all sessions on the machine
+    ///    (e.g., service + user session). This can be denied by OS policy or missing
+    ///    SeCreateGlobalPrivilege in some contexts.
+    /// 2) <c>Local\</c> — fallback to still dedupe within the current session when
+    ///    <c>Global\</c> is not permitted.
+    /// Using both ensures we never throw (persistence is best-effort) while getting
+    /// machine-wide dedupe when allowed and session-local dedupe otherwise.
+    /// Notes:
+    /// - The mutex name is derived from <c>alias</c> (= cacheKey) via SHA-256 hex (truncated)
+    ///   to avoid invalid characters / length issues.
+    /// - On non-Windows runtimes the Global/Local prefixes are treated as part of the name;
+    ///   behavior remains correct but dedupe scope is platform-defined.
+    /// - Abandoned mutexes are treated as acquired to avoid blocking after a crash.
+    /// </summary>
+    internal static class InterprocessLock
+    {
+        // Prefer Global\ for cross-session dedupe; fall back to Local\
+        // if ACLs block Global\ to remain non-throwing.
+        public static bool TryWithAliasLock(
+            string alias,
+            TimeSpan timeout,
+            Action action,
+            Action<string> logVerbose)
+        {
+            var globalName = GetMutexNameForAlias(alias, preferGlobal: true);
+            var localName = GetMutexNameForAlias(alias, preferGlobal: false);
+
+            // Try to acquire and run under the named mutex scope.
+            // Returns true if action ran, false if lock busy or failure.
+            // first try Global\, then Local\ if Global\ unauthorized.
+            bool TryScope(string name, out bool unauthorized)
+            {
+                unauthorized = false;
+                try
+                {
+                    using var mutex = new Mutex(initiallyOwned: false, name);
+
+                    bool entered;
+                    var waitTimer = Stopwatch.StartNew();
+                    try
+                    {
+                        entered = mutex.WaitOne(timeout);
+                    }
+                    catch (AbandonedMutexException ex)
+                    {
+                        entered = true;
+                        logVerbose.Invoke($"[PersistentCert] Abandoned mutex '{name}', treating as acquired. {ex.Message}");
+                    }
+                    finally
+                    {
+                        waitTimer.Stop();
+                    }
+
+                    if (!entered)
+                    {
+                        logVerbose.Invoke(
+                            $"[PersistentCert] Skip persist (lock busy '{name}', waited {waitTimer.Elapsed.TotalMilliseconds:F0} ms).");
+                        return false;
+                    }
+
+                    try
+                    {
+                        action();
+                    }
+                    catch (Exception ex)
+                    {
+                        logVerbose.Invoke($"[PersistentCert] Action failed under '{name}': {ex.Message}");
+                        return false;
+                    }
+                    finally
+                    {
+                        try
+                        { mutex.ReleaseMutex(); }
+                        catch { /* best-effort */ }
+                    }
+
+                    return true;
+                }
+                catch (UnauthorizedAccessException)
+                {
+                    logVerbose.Invoke($"[PersistentCert] No access to mutex scope '{name}', trying next.");
+                    unauthorized = true;
+                    return false;
+                }
+                catch (Exception ex)
+                {
+                    logVerbose.Invoke($"[PersistentCert] Lock failure '{name}': {ex.Message}");
+                    return false;
+                }
+            }
+
+            // Try Global\ first; only fallback to Local\ if Global\ is unauthorized
+            if (TryScope(globalName, out var unauthorizedGlobal))
+            {
+                return true;
+            }
+
+            // Fallback is only appropriate when Global\ is disallowed by ACLs.
+            // If Global\ was just busy or the action failed, do not try Local
+            if (unauthorizedGlobal)
+            {
+                if (TryScope(localName, out _))
+                {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+
+        public static string GetMutexNameForAlias(string alias, bool preferGlobal = true)
+        {
+            string suffix = HashAlias(Canonicalize(alias));
+            return (preferGlobal ? @"Global\" : @"Local\") + "MSAL_MI_P_" + suffix;
+        }
+
+        private static string Canonicalize(string alias) =>
+            (alias ?? string.Empty).Trim().ToUpperInvariant();
+
+        private static string HashAlias(string s)
+        {
+            try
+            {
+                var hex = new CommonCryptographyManager().CreateSha256HashHex(s);
+                // Truncate to 32 chars to fit mutex name length limits
+                return string.IsNullOrEmpty(hex)
+                    ? "0"
+                    : (hex.Length > 32 ? hex.Substring(0, 32) : hex);
+            }
+            catch
+            {
+                return "0";
+            }
+        }
+    }
+}