Merge branch 'main' into marc/aa2

Author: mgravell

.github/workflows/CI.yml

@@ -7,6 +7,7 @@ on:
     paths:
       - '**'
       - '!/docs/*' # Don't run workflow when files are only in the /docs directory
+  workflow_dispatch:
 
 jobs:
   main:
@@ -22,14 +23,14 @@ jobs:
         fetch-depth: 0  # Fetch the full history
     - name: Start Redis Services (docker-compose)
       working-directory: ./tests/RedisConfigs
-      run: docker compose -f docker-compose.yml up -d --wait           
+      run: docker compose -f docker-compose.yml up -d --wait
     - name: Install .NET SDK
       uses: actions/setup-dotnet@v3
       with:
-        dotnet-version: | 
+        dotnet-version: |
           6.0.x
           8.0.x
-          9.0.x
+          10.0.x
     - name: .NET Build
       run: dotnet build Build.csproj -c Release /p:CI=true
     - name: StackExchange.Redis.Tests
@@ -144,8 +145,8 @@ jobs:
         reporter: dotnet-trx
     # Package and upload to MyGet only on pushes to main, not on PRs
     - name: .NET Pack
-      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+      if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
       run: dotnet pack Build.csproj --no-build -c Release /p:PackageOutputPath=${env:GITHUB_WORKSPACE}\.nupkgs /p:CI=true
     - name: Upload to MyGet
-      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-      run: dotnet nuget push ${env:GITHUB_WORKSPACE}\.nupkgs\*.nupkg -s https://www.myget.org/F/stackoverflow/api/v2/package -k ${{ secrets.MYGET_API_KEY }}
+      if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
+      run: dotnet nuget push ${env:GITHUB_WORKSPACE}\.nupkgs\*.nupkg -s https://www.myget.org/F/stackoverflow/api/v2/package -k ${{ secrets.MYGET_API_KEY }}

.github/workflows/codeql.yml

@@ -6,6 +6,8 @@ on:
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ 'main' ]
+  workflow_dispatch:
+    
   schedule:
     - cron: '8 9 * * 1'
 
@@ -40,7 +42,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -55,6 +57,6 @@ jobs:
       run: dotnet build Build.csproj -c Release /p:CI=true
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4
       with:
-        category: "/language:${{matrix.language}}"
+        category: "/language:${{matrix.language}}"

Directory.Build.props

@@ -10,12 +10,12 @@
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
     <CodeAnalysisRuleset>$(MSBuildThisFileDirectory)Shared.ruleset</CodeAnalysisRuleset>
     <MSBuildWarningsAsMessages>NETSDK1069</MSBuildWarningsAsMessages>
-    <NoWarn>$(NoWarn);NU5105;NU1507;SER001;SER002</NoWarn>
+    <NoWarn>$(NoWarn);NU5105;NU1507;SER001;SER002;SER003</NoWarn>
     <PackageReleaseNotes>https://stackexchange.github.io/StackExchange.Redis/ReleaseNotes</PackageReleaseNotes>
     <PackageProjectUrl>https://stackexchange.github.io/StackExchange.Redis/</PackageProjectUrl>
     <PackageLicenseExpression>MIT</PackageLicenseExpression>
 
-    <LangVersion>13</LangVersion>
+    <LangVersion>14</LangVersion>
     <RepositoryType>git</RepositoryType>
     <RepositoryUrl>https://github.com/StackExchange/StackExchange.Redis/</RepositoryUrl>
 

Directory.Packages.props

@@ -8,7 +8,8 @@
     <PackageVersion Include="System.Threading.Channels" Version="5.0.0" />
     <PackageVersion Include="System.Runtime.InteropServices.RuntimeInformation" Version="4.3.0" />
     <PackageVersion Include="System.IO.Compression" Version="4.3.0" />
-    <PackageVersion Include="System.IO.Hashing" Version="9.0.10" />
+    <!-- note that this bumps System.Buffers, so is pinned in down-level in SE csproj --> 
+    <PackageVersion Include="System.IO.Hashing" Version="10.0.2" />
 
     <!-- For analyzers, tied to the consumer's build SDK; at the moment, that means "us" -->
     <PackageVersion Include="Microsoft.CodeAnalysis.CSharp" Version="4.12.0" />

README.md

@@ -1,7 +1,7 @@
 StackExchange.Redis
 ===================
 
-StackExchange.Redis is a .NET client for communicating with RESP servers such as [Redis](https://redis.io/), [Garnet](https://microsoft.github.io/garnet/), [Valkey](https://valkey.io/), [Azure Cache for Redis](https://azure.microsoft.com/products/cache), [AWS ElastiCache](https://aws.amazon.com/elasticache/), and a wide range of other Redis-like servers. We do not maintain a list of compatible servers, but if the server has a Redis-like API: it will *probably* work fine. If not: log an issue with details!
+StackExchange.Redis is a .NET client for communicating with RESP servers such as [Redis](https://redis.io/), [Azure Managed Redis](https://azure.microsoft.com/products/managed-redis), [Garnet](https://microsoft.github.io/garnet/), [Valkey](https://valkey.io/), [AWS ElastiCache](https://aws.amazon.com/elasticache/), and a wide range of other Redis-like servers. We do not maintain a list of compatible servers, but if the server has a Redis-like API: it will *probably* work fine. If not: log an issue with details!
 
 For all documentation, [see here](https://stackexchange.github.io/StackExchange.Redis/).
 

StackExchange.Redis.sln.DotSettings

@@ -12,9 +12,12 @@
 	<s:Boolean x:Key="/Default/UserDictionary/Words/=keepttl/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/UserDictionary/Words/=lpush/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/UserDictionary/Words/=lrange/@EntryIndexedValue">True</s:Boolean>
+	<s:Boolean x:Key="/Default/UserDictionary/Words/=psubscribe/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/UserDictionary/Words/=pubsub/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/UserDictionary/Words/=rpush/@EntryIndexedValue">True</s:Boolean>
+	<s:Boolean x:Key="/Default/UserDictionary/Words/=spublish/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/UserDictionary/Words/=sscan/@EntryIndexedValue">True</s:Boolean>
+	<s:Boolean x:Key="/Default/UserDictionary/Words/=ssubscribe/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/UserDictionary/Words/=vectorset/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/UserDictionary/Words/=xinfo/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/UserDictionary/Words/=xpending/@EntryIndexedValue">True</s:Boolean>

docs/Authentication.md

@@ -0,0 +1,129 @@
+# Authentication
+
+There are multiple ways of connecting to a Redis server, depending on the authentication model. The simplest
+(but least secure) approach is to use the `default` user, with no authentication, and no transport security.
+This is as simple as:
+
+``` csharp
+var muxer = await ConnectionMultiplexer.ConnectAsync("myserver"); // or myserver:1241 to use a custom port
+```
+
+This approach is often used for local transient servers - it is simple, but insecure. But from there,
+we can get more complex!
+
+## TLS
+
+If your server has TLS enabled, SE.Redis can be instructed to use it. In some cases (Azure Managed Redis, etc), the
+library will recognize the endpoint address, meaning: *you do not need to do anything*. To
+*manually* enable TLS, the `ssl` token can be used:
+
+``` csharp
+var muxer = await ConnectionMultiplexer.ConnectAsync("myserver,ssl=true");
+```
+
+This will work fine if the server is using a server-certificate that is already trusted by the local
+machine. If this is *not* the case, we need to tell the library about the server. This requires
+the `ConfigurationOptions` type:
+
+``` csharp
+var options = ConfigurationOptions.Parse("myserver,ssl=true");
+// or: var options = new ConfigurationOptions { Endpoints = { "myserver" }, Ssl = true };
+// TODO configure
+var muxer = await ConnectionMultiplexer.ConnectAsync(options);
+```
+
+If we have a local *issuer* public certificate (commonly `ca.crt`), we can use:
+
+``` csharp
+options.TrustIssuer(caPath);
+```
+
+Alternatively, in advanced scenarios: to provide your own custom server validation, the `options.CertificateValidation` callback
+can be used; this uses the normal [`RemoteCertificateValidationCallback`](https://learn.microsoft.com/dotnet/api/system.net.security.remotecertificatevalidationcallback)
+API.
+
+## Usernames and Passwords
+
+Usernames and passwords can be specified with the `user` and `password` tokens, respectively:
+
+``` csharp
+var muxer = await ConnectionMultiplexer.ConnectAsync("myserver,ssl=true,user=myuser,password=mypassword");
+```
+
+If no `user` is provided, the `default` user is assumed. In some cases, an authentication-token can be
+used in place of a classic password.
+
+## Managed identities
+
+If the server is an Azure Managed Redis resource, connections can be secured using Microsoft Entra ID authentication. Use the [Microsoft.Azure.StackExchangeRedis](https://github.com/Azure/Microsoft.Azure.StackExchangeRedis) extension package to handle the authentication using tokens retrieved from Microsoft Entra. The package integrates via the ConfigurationOptions class, and can use various types of identities for token retrieval. For example with a user-assigned managed identity: 
+
+```csharp
+var options = ConfigurationOptions.Parse("mycache.region.redis.azure.net:10000");
+await options.ConfigureForAzureWithUserAssignedManagedIdentityAsync(managedIdentityClientId);
+```
+
+For details and samples see [https://github.com/Azure/Microsoft.Azure.StackExchangeRedis](https://github.com/Azure/Microsoft.Azure.StackExchangeRedis)
+
+## Client certificates
+
+If the server is configured to require a client certificate, this can be supplied in multiple ways.
+If you have a local public / private key pair (such as `MyUser2.crt` and `MyUser2.key`), the
+`options.SetUserPemCertificate(...)` method can be used:
+
+``` csharp
+options.SetUserPemCertificate(
+    userCertificatePath: userCrtPath,
+    userKeyPath: userKeyPath
+);
+```
+
+If you have a single `pfx` file that contains the public / private pair, the `options.SetUserPfxCertificate(...)`
+method can be used:
+
+``` csharp
+options.SetUserPfxCertificate(
+    userCertificatePath: userCrtPath,
+    password: filePassword // optional
+);
+```
+
+Alternatively, in advanced scenarios: to provide your own custom client-certificate lookup, the `options.CertificateSelection` callback
+can be used; this uses the normal
+[`LocalCertificateSelectionCallback`](https://learn.microsoft.com/dotnet/api/system.net.security.remotecertificatevalidationcallback)
+API.
+
+## User certificates with implicit user authentication
+
+Historically, the client certificate only provided access to the server, but as the `default` user. From 8.6,
+the server can be configured to use client certificates to provide user identity. This replaces the
+usage of passwords, and requires:
+
+- An 8.6+ server, configured to use TLS with client certificates mapped - typically using the `CN` of the certificate as the user.
+- A matching `ACL` user account configured on the server, that is enabled (`on`) - i.e. the `ACL LIST` command should
+  display something like `user MyUser2 on sanitize-payload ~* &* +@all` (the details will vary depending on the user permissions).
+- At the client: access to the client certificate pair.
+
+For example:
+
+``` csharp
+string certRoot = // some path to a folder with ca.crt, MyUser2.crt and MyUser2.key
+
+var options = ConfigurationOptions.Parse("myserver:6380");
+options.SetUserPemCertificate(// automatically enables TLS
+    userCertificatePath: Path.Combine(certRoot, "MyUser2.crt"),
+    userKeyPath: Path.Combine(certRoot, "MyUser2.key"));
+options.TrustIssuer(Path.Combine(certRoot, "ca.crt"));
+await using var conn = await ConnectionMultiplexer.ConnectAsync(options);
+
+// prove we are connected as MyUser2
+var user = (string?)await conn.GetDatabase().ExecuteAsync("acl", "whoami");
+Console.WriteLine(user); // writes "MyUser2"
+```
+
+## More info
+
+For more information:
+
+- [Redis Security](https://redis.io/docs/latest/operate/oss_and_stack/management/security/)
+  - [ACL](https://redis.io/docs/latest/operate/oss_and_stack/management/security/acl/)
+  - [TLS](https://redis.io/docs/latest/operate/oss_and_stack/management/security/encryption/)