Enable PublicApiAnalyzers (#3055)

* Enable PublicApiAnalyzers

* Add internal api tracking

* remove api files in tests
update global suppressions and null annotations
disable warnings where not appropriate
fix markshipped script

Author: westin-m

.editorconfig

@@ -54,7 +54,7 @@ dotnet_style_predefined_type_for_member_access = true:suggestion
 # name all constant fields using PascalCase
 dotnet_naming_rule.constant_fields_should_be_pascal_case.severity = suggestion
 dotnet_naming_rule.constant_fields_should_be_pascal_case.symbols  = constant_fields
-dotnet_naming_rule.constant_fields_should_be_pascal_case.style    = pascal_case_style
+dotnet_naming_rule.constant_fields_should_be_pascal_case.style = pascal_case_style
 
 dotnet_naming_symbols.constant_fields.applicable_kinds   = field
 dotnet_naming_symbols.constant_fields.required_modifiers = const
@@ -64,7 +64,7 @@ dotnet_naming_style.pascal_case_style.capitalization = pascal_case
 # static fields should have s_ prefix
 dotnet_naming_rule.static_fields_should_have_prefix.severity = suggestion
 dotnet_naming_rule.static_fields_should_have_prefix.symbols  = static_fields
-dotnet_naming_rule.static_fields_should_have_prefix.style    = static_prefix_style
+dotnet_naming_rule.static_fields_should_have_prefix.style = static_prefix_style
 
 dotnet_naming_symbols.static_fields.applicable_kinds   = field
 dotnet_naming_symbols.static_fields.required_modifiers = static
@@ -75,7 +75,7 @@ dotnet_naming_style.static_prefix_style.capitalization = camel_case
 # internal and private fields should be _camelCase
 dotnet_naming_rule.camel_case_for_private_internal_fields.severity = suggestion
 dotnet_naming_rule.camel_case_for_private_internal_fields.symbols  = private_internal_fields
-dotnet_naming_rule.camel_case_for_private_internal_fields.style    = camel_case_underscore_style
+dotnet_naming_rule.camel_case_for_private_internal_fields.style = camel_case_underscore_style
 
 dotnet_naming_symbols.private_internal_fields.applicable_kinds = field
 dotnet_naming_symbols.private_internal_fields.applicable_accessibilities = private, internal
@@ -141,6 +141,16 @@ csharp_space_between_square_brackets = false
 # RS0030: Do not used banned APIs
 dotnet_diagnostic.RS0030.severity = error
 
+# https://github.com/dotnet/roslyn-analyzers/blob/main/src/PublicApiAnalyzers/Microsoft.CodeAnalysis.PublicApiAnalyzers.md
+dotnet_diagnostic.RS0051.severity = error
+dotnet_diagnostic.RS0052.severity = error
+dotnet_diagnostic.RS0053.severity = error
+dotnet_diagnostic.RS0054.severity = error
+dotnet_diagnostic.RS0055.severity = error
+dotnet_diagnostic.RS0057.severity = error
+dotnet_diagnostic.RS0058.severity = error
+dotnet_diagnostic.RS0061.severity = error
+
 # CA1000: Do not declare static members on generic types
 dotnet_diagnostic.CA1000.severity = error
 

Directory.Build.props

@@ -95,6 +95,7 @@
     <!--CVE-2023-29331-->
     <SystemFormatsAsn1Version>8.0.1</SystemFormatsAsn1Version>
     <BannedApiAnalyzersVersion>3.3.4</BannedApiAnalyzersVersion>
+    <PublicApiAnalyzersVersion>3.3.4</PublicApiAnalyzersVersion>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(TargetFramework)' == 'net9.0'">
@@ -195,5 +196,9 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
     </PackageReference>
     <AdditionalFiles Include="$(MSBuildThisFileDirectory)\BannedSymbols.txt" />
+    <PackageReference Include="Microsoft.CodeAnalysis.PublicApiAnalyzers" Version="$(PublicApiAnalyzersVersion)">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+    </PackageReference>
   </ItemGroup>
 </Project>

benchmark/.editorconfig

@@ -0,0 +1,18 @@
+# NOTE: Requires **VS2019 16.3** or later
+
+# Rules for files in tests directory
+
+# Code files
+[*.{cs,txt}]
+
+# RS0016: Add public types and members to the declared API
+dotnet_diagnostic.RS0016.severity = none
+
+RS0037: Enable tracking of nullability of reference types in the declared API
+dotnet_diagnostic.RS0037.severity = none
+
+# RS0031: The list of banned symbols contains a duplicate
+dotnet_diagnostic.RS0031.severity = none
+
+# RS0051: Add internal types and members to the declared API
+dotnet_diagnostic.RS0051.severity = none

benchmark/Directory.Build.props

@@ -20,4 +20,11 @@
   <ItemGroup>
     <AdditionalFiles Include="$(MSBuildThisFileDirectory)..\BannedSymbols.txt" />
   </ItemGroup>
+
+  <PropertyGroup>
+    <!--RS0016: Add public types and members to the declared API-->
+    <NoWarn>RS0016</NoWarn>
+    <!--RS0031: The list of banned symbols contains a duplicate-->
+    <NoWarn>RS0031</NoWarn>
+  </PropertyGroup>
 </Project>

src/Microsoft.Identity.Web.Azure/PublicAPI.Shipped.txt

@@ -0,0 +1 @@
+#nullable enable

src/Microsoft.Identity.Web.Azure/PublicAPI.Unshipped.txt

@@ -0,0 +1,8 @@
+Microsoft.Identity.Web.TokenAcquirerAppTokenCredential
+Microsoft.Identity.Web.TokenAcquirerAppTokenCredential.TokenAcquirerAppTokenCredential(Microsoft.Identity.Abstractions.ITokenAcquirer! tokenAcquirer) -> void
+Microsoft.Identity.Web.TokenAcquirerTokenCredential
+Microsoft.Identity.Web.TokenAcquirerTokenCredential.TokenAcquirerTokenCredential(Microsoft.Identity.Abstractions.ITokenAcquirer! tokenAcquirer) -> void
+override Microsoft.Identity.Web.TokenAcquirerAppTokenCredential.GetToken(Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken) -> Azure.Core.AccessToken
+override Microsoft.Identity.Web.TokenAcquirerAppTokenCredential.GetTokenAsync(Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken) -> System.Threading.Tasks.ValueTask<Azure.Core.AccessToken>
+override Microsoft.Identity.Web.TokenAcquirerTokenCredential.GetToken(Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken) -> Azure.Core.AccessToken
+override Microsoft.Identity.Web.TokenAcquirerTokenCredential.GetTokenAsync(Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken) -> System.Threading.Tasks.ValueTask<Azure.Core.AccessToken>

src/Microsoft.Identity.Web.Azure/TokenAcquirerTokenCredential.cs

@@ -27,7 +27,7 @@ public TokenAcquirerTokenCredential(ITokenAcquirer tokenAcquirer)
         /// <inheritdoc/>
         public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
         {
-            AcquireTokenResult result = _tokenAcquirer.GetTokenForUserAsync(requestContext.Scopes, cancellationToken:cancellationToken)
+            AcquireTokenResult result = _tokenAcquirer.GetTokenForUserAsync(requestContext.Scopes, cancellationToken: cancellationToken)
                 .GetAwaiter()
                 .GetResult();
             return new AccessToken(result.AccessToken!, result.ExpiresOn);
@@ -36,7 +36,7 @@ public override AccessToken GetToken(TokenRequestContext requestContext, Cancell
         /// <inheritdoc/>
         public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
         {
-            AcquireTokenResult result = await _tokenAcquirer.GetTokenForUserAsync(requestContext.Scopes, cancellationToken:cancellationToken).ConfigureAwait(false);
+            AcquireTokenResult result = await _tokenAcquirer.GetTokenForUserAsync(requestContext.Scopes, cancellationToken: cancellationToken).ConfigureAwait(false);
             return new AccessToken(result.AccessToken!, result.ExpiresOn);
         }
     }

src/Microsoft.Identity.Web.Certificate/CertificateErrorMessage.cs

@@ -9,7 +9,7 @@ namespace Microsoft.Identity.Web
     internal static class CertificateErrorMessage
     {
         // Configuration IDW10100 = "IDW10100:"
-        public const string ClientSecretAndCertficateNull =
+        public const string ClientSecretAndCertificateNull =
         "IDW10104: Both client secret and client certificate cannot be null or whitespace, " +
         "and only ONE must be included in the configuration of the web app when calling a web API. " +
         "For instance, in the appsettings.json file. ";
@@ -28,6 +28,6 @@ internal static class CertificateErrorMessage
             "StoreName must be empty or one of '{0}'. ";
 
         // Obsolete messages IDW10800 = "IDW10800:"
-        public const string FromStoreWithThumprintIsObsolete = "IDW10803: Use FromStoreWithThumbprint instead, due to spelling error. ";
+        public const string FromStoreWithThumbprintIsObsolete = "IDW10803: Use FromStoreWithThumbprint instead, due to spelling error. ";
     }
 }

src/Microsoft.Identity.Web.Certificate/InternalAPI.Shipped.txt

@@ -0,0 +1 @@
+#nullable enable

src/Microsoft.Identity.Web.Certificate/InternalAPI.Unshipped.txt

@@ -0,0 +1,56 @@
+#nullable enable
+const Microsoft.Identity.Web.CertificateConstants.MediaTypePksc12 = "application/x-pkcs12" -> string!
+const Microsoft.Identity.Web.CertificateConstants.PersonalUserCertificateStorePath = "CurrentUser/My" -> string!
+const Microsoft.Identity.Web.CertificateErrorMessage.BothClientSecretAndCertificateProvided = "IDW10105: Both client secret and client certificate, cannot be included in the configuration of the web app when calling a web API. " -> string!
+const Microsoft.Identity.Web.CertificateErrorMessage.ClientCertificatesHaveExpiredOrCannotBeLoaded = "IDW10109: All client certificates passed to the configuration have expired or can't be loaded. " -> string!
+const Microsoft.Identity.Web.CertificateErrorMessage.ClientSecretAndCertificateNull = "IDW10104: Both client secret and client certificate cannot be null or whitespace, and only ONE must be included in the configuration of the web app when calling a web API. For instance, in the appsettings.json file. " -> string!
+const Microsoft.Identity.Web.CertificateErrorMessage.FromStoreWithThumbprintIsObsolete = "IDW10803: Use FromStoreWithThumbprint instead, due to spelling error. " -> string!
+const Microsoft.Identity.Web.CertificateErrorMessage.IncorrectNumberOfUriSegments = "IDW10702: Number of URI segments is incorrect: {0}, URI: {1}. " -> string!
+const Microsoft.Identity.Web.CertificateErrorMessage.InvalidBase64UrlString = "IDW10601: Invalid Base64URL string. " -> string!
+const Microsoft.Identity.Web.CertificateErrorMessage.InvalidCertificateStorePath = "IDW10703: Certificate store path must be of the form 'StoreLocation/StoreName'. StoreLocation must be one of 'CurrentUser', 'LocalMachine'. StoreName must be empty or one of '{0}'. " -> string!
+const Microsoft.Identity.Web.CertificateErrorMessage.OnlyPkcs12IsSupported = "IDW10701: Only PKCS #12 content type is supported. Found Content-Type: {0}. " -> string!
+Microsoft.Identity.Web.Base64EncodedCertificateLoader
+Microsoft.Identity.Web.Base64EncodedCertificateLoader.Base64EncodedCertificateLoader() -> void
+Microsoft.Identity.Web.Base64EncodedCertificateLoader.CredentialSource.get -> Microsoft.Identity.Abstractions.CredentialSource
+Microsoft.Identity.Web.Base64EncodedCertificateLoader.LoadIfNeededAsync(Microsoft.Identity.Abstractions.CredentialDescription! credentialDescription, Microsoft.Identity.Abstractions.CredentialSourceLoaderParameters? credentialSourceLoaderParameters) -> System.Threading.Tasks.Task!
+Microsoft.Identity.Web.CertificateConstants
+Microsoft.Identity.Web.CertificateDescription.Container.get -> string?
+Microsoft.Identity.Web.CertificateDescription.Container.set -> void
+Microsoft.Identity.Web.CertificateDescription.ReferenceOrValue.get -> string?
+Microsoft.Identity.Web.CertificateDescription.ReferenceOrValue.set -> void
+Microsoft.Identity.Web.CertificateErrorMessage
+Microsoft.Identity.Web.CertificateLoaderHelper
+Microsoft.Identity.Web.CertificateLoaderHelper.CertificateLoaderHelper() -> void
+Microsoft.Identity.Web.FromPathCertificateLoader
+Microsoft.Identity.Web.FromPathCertificateLoader.CredentialSource.get -> Microsoft.Identity.Abstractions.CredentialSource
+Microsoft.Identity.Web.FromPathCertificateLoader.FromPathCertificateLoader() -> void
+Microsoft.Identity.Web.FromPathCertificateLoader.LoadIfNeededAsync(Microsoft.Identity.Abstractions.CredentialDescription! credentialDescription, Microsoft.Identity.Abstractions.CredentialSourceLoaderParameters? _) -> System.Threading.Tasks.Task!
+Microsoft.Identity.Web.KeyVaultCertificateLoader
+Microsoft.Identity.Web.KeyVaultCertificateLoader.CredentialSource.get -> Microsoft.Identity.Abstractions.CredentialSource
+Microsoft.Identity.Web.KeyVaultCertificateLoader.KeyVaultCertificateLoader() -> void
+Microsoft.Identity.Web.KeyVaultCertificateLoader.LoadIfNeededAsync(Microsoft.Identity.Abstractions.CredentialDescription! credentialDescription, Microsoft.Identity.Abstractions.CredentialSourceLoaderParameters? _) -> System.Threading.Tasks.Task!
+Microsoft.Identity.Web.SignedAssertionFilePathCredentialsLoader
+Microsoft.Identity.Web.SignedAssertionFilePathCredentialsLoader.CredentialSource.get -> Microsoft.Identity.Abstractions.CredentialSource
+Microsoft.Identity.Web.SignedAssertionFilePathCredentialsLoader.LoadIfNeededAsync(Microsoft.Identity.Abstractions.CredentialDescription! credentialDescription, Microsoft.Identity.Abstractions.CredentialSourceLoaderParameters? credentialSourceLoaderParameters) -> System.Threading.Tasks.Task!
+Microsoft.Identity.Web.SignedAssertionFilePathCredentialsLoader.SignedAssertionFilePathCredentialsLoader(Microsoft.Extensions.Logging.ILogger? logger) -> void
+Microsoft.Identity.Web.SignedAssertionFromManagedIdentityCredentialLoader
+Microsoft.Identity.Web.SignedAssertionFromManagedIdentityCredentialLoader.CredentialSource.get -> Microsoft.Identity.Abstractions.CredentialSource
+Microsoft.Identity.Web.SignedAssertionFromManagedIdentityCredentialLoader.LoadIfNeededAsync(Microsoft.Identity.Abstractions.CredentialDescription! credentialDescription, Microsoft.Identity.Abstractions.CredentialSourceLoaderParameters? credentialSourceLoaderParameters) -> System.Threading.Tasks.Task!
+Microsoft.Identity.Web.SignedAssertionFromManagedIdentityCredentialLoader.SignedAssertionFromManagedIdentityCredentialLoader(Microsoft.Extensions.Logging.ILogger<Microsoft.Identity.Web.DefaultCredentialsLoader!>! logger) -> void
+Microsoft.Identity.Web.StoreWithDistinguishedNameCertificateLoader
+Microsoft.Identity.Web.StoreWithDistinguishedNameCertificateLoader.CredentialSource.get -> Microsoft.Identity.Abstractions.CredentialSource
+Microsoft.Identity.Web.StoreWithDistinguishedNameCertificateLoader.LoadIfNeededAsync(Microsoft.Identity.Abstractions.CredentialDescription! credentialDescription, Microsoft.Identity.Abstractions.CredentialSourceLoaderParameters? _) -> System.Threading.Tasks.Task!
+Microsoft.Identity.Web.StoreWithDistinguishedNameCertificateLoader.StoreWithDistinguishedNameCertificateLoader() -> void
+Microsoft.Identity.Web.StoreWithThumbprintCertificateLoader
+Microsoft.Identity.Web.StoreWithThumbprintCertificateLoader.CredentialSource.get -> Microsoft.Identity.Abstractions.CredentialSource
+Microsoft.Identity.Web.StoreWithThumbprintCertificateLoader.LoadIfNeededAsync(Microsoft.Identity.Abstractions.CredentialDescription! credentialDescription, Microsoft.Identity.Abstractions.CredentialSourceLoaderParameters? _) -> System.Threading.Tasks.Task!
+Microsoft.Identity.Web.StoreWithThumbprintCertificateLoader.StoreWithThumbprintCertificateLoader() -> void
+static Microsoft.Identity.Web.Base64EncodedCertificateLoader.LoadFromBase64Encoded(string! certificateBase64, string! password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags x509KeyStorageFlags) -> System.Security.Cryptography.X509Certificates.X509Certificate2!
+static Microsoft.Identity.Web.Base64EncodedCertificateLoader.LoadFromBase64Encoded(string! certificateBase64, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags x509KeyStorageFlags) -> System.Security.Cryptography.X509Certificates.X509Certificate2!
+static Microsoft.Identity.Web.CertificateLoaderHelper.DetermineX509KeyStorageFlag() -> System.Security.Cryptography.X509Certificates.X509KeyStorageFlags
+static Microsoft.Identity.Web.CertificateLoaderHelper.DetermineX509KeyStorageFlag(Microsoft.Identity.Abstractions.CredentialDescription! credentialDescription) -> System.Security.Cryptography.X509Certificates.X509KeyStorageFlags
+static Microsoft.Identity.Web.CertificateLoaderHelper.FindCertificateByCriterium(System.Security.Cryptography.X509Certificates.X509Store! x509Store, System.Security.Cryptography.X509Certificates.X509FindType identifierCriterium, string! certificateIdentifier) -> System.Security.Cryptography.X509Certificates.X509Certificate2?
+static Microsoft.Identity.Web.CertificateLoaderHelper.ParseStoreLocationAndName(string! storeDescription, ref System.Security.Cryptography.X509Certificates.StoreLocation certificateStoreLocation, ref System.Security.Cryptography.X509Certificates.StoreName certificateStoreName) -> void
+static Microsoft.Identity.Web.KeyVaultCertificateLoader.LoadFromKeyVault(string! keyVaultUrl, string! certificateName, string? managedIdentityClientId, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags x509KeyStorageFlags) -> System.Threading.Tasks.Task<System.Security.Cryptography.X509Certificates.X509Certificate2?>!
+static Microsoft.Identity.Web.KeyVaultCertificateLoader.UserAssignedManagedIdentityClientId.get -> string?
+static Microsoft.Identity.Web.KeyVaultCertificateLoader.UserAssignedManagedIdentityClientId.set -> void