System.Security.Policy.Evidence missing in .NET Platform Extensions for .net framework

[viktorgobbi]

Description

I'm trying to build a class library that targets .net Standard 2.0 which requires System.Security.Policy.Evidence and some other types from the System.Security.Policy namespace (it only needs to run on windows). I added the System.Security.Permissions nuget package to the class library project and it compiles as expected but when I try to unit test the library in a .net framework project (targeting net47) by passing a System.Security.Policy.Evidence instance to a type from the class library the compilation fails with a:

CS7069 Reference to type 'Evidence' claims it is defined in 'System.Security.AccessControl', but it could not be found

After some investigation I found out that the System.Security.Permissions assembly for .net standard 2.0 forwards the Evidence type from System.Security.AccessControl and the System.Security.AccessControl assembly for .net standard 2.0 contains a stub for the Evidence type but the System.Security.AccessControl assembly for .net framework does not contain a definition or forward the Evidence type.
I also saw that the System.Security.Permissions for .net framework would forward Evidence from mscorlib (what I assume is correct).
Other types like System.Security.Policy.Publisher seem to work with fine.

Reproduction Steps

Create a class library project that targets .net Standard 2.0 and add the System.Security.Permissions nuget package and a class using the System.Security.Policy.Evidence .

using System.Security.Policy;
namespace Lib
{
	public class ClassUsingEvidence
	{
		public ClassUsingEvidence(Evidence evidence)
		{
		}
	}
}

Create a 'NUnit test project' that targets .net framework 4.8 and add a project reference to the .net standard class library project and pass a Evidence instance to the ClassUsingEvidence in a test:

using NUnit.Framework;
using Lib;
using System.Security.Policy;
namespace Lib.Tests
{
	public class Tests
	{
		[Test]
		public void PassEvidence()
		{
			var foo = new ClassUsingEvidence(new Evidence());
		}
	}
}

Leads to compiler error:

CS7069 Reference to type 'Evidence' claims it is defined in 'System.Security.AccessControl', but it could not be found

Even when adding the System.Security.AccessControl or System.Security.Permissions packages to the unit test project the error persists.

Expected behavior

The solution should compile and the System.Security.Policy.Evidence type from mscorlib should be used in the .net framework project.

Actual behavior

The compilation fails with

CS7069 Reference to type 'Evidence' claims it is defined in 'System.Security.AccessControl', but it could not be found

when used in a .net framework project

Regression?

No response

Known Workarounds

No response

Configuration

• Microsoft Visual Studio Professional 2022 (64-bit) Version 17.9.2
• Windows 10 22H2
• System.Security.Permissions package version 8.0.0

Other information

I'm not sure if this is a bug in System.Security.AccessControl / System.Security.Permissions packages or if I am using it wrongly.
If this is not the right repository for this issue please let me know where I should report this, I couldn't anything better fitting.

[jkotas]

Related to #49411. cc @ericstj

[ericstj]

Indeed it looks like we're missing these type-forwards from the net461 build of the assembly. We should fix this in 6.0, since the package no longer exists in later releases. Let me see where this is missing and why API compat didn't catch it.

[ericstj]

The latest APICompat finds these problems:

API compatibility errors between 'c:\Users\ericstj\.nuget\packages\system.security.accesscontrol\6.0.0\lib\netstandard2.0\System.Security.AccessControl.dll' (left) and 'c:\Users\ericstj\.nuget\packages\system.security.accesscontrol\6.0.0\lib\net461\System.Security.AccessControl.dll' (right):
CP0002: Member 'System.Security.AccessControl.ObjectSecurity.SecurityDescriptor.get' exists on c:\Users\ericstj\.nuget\packages\system.security.accesscontrol\6.0.0\lib\netstandard2.0\System.Security.AccessControl.dll but not on c:\Users\ericstj\.nuget\packages\system.security.accesscontrol\6.0.0\lib\net461\System.Security.AccessControl.dll
CP0001: Type 'System.Security.Policy.Evidence' exists on c:\Users\ericstj\.nuget\packages\system.security.accesscontrol\6.0.0\lib\netstandard2.0\System.Security.AccessControl.dll but not on c:\Users\ericstj\.nuget\packages\system.security.accesscontrol\6.0.0\lib\net461\System.Security.AccessControl.dll
CP0001: Type 'System.Security.Policy.EvidenceBase' exists on c:\Users\ericstj\.nuget\packages\system.security.accesscontrol\6.0.0\lib\netstandard2.0\System.Security.AccessControl.dll but not on c:\Users\ericstj\.nuget\packages\system.security.accesscontrol\6.0.0\lib\net461\System.Security.AccessControl.dll
API breaking changes found. If those are intentional, the APICompat suppression file can be updated by specifying the '--generate-suppression-file' parameter.

I think in 6.0 it would have been missed because the old API compat never compared between netstandard2.0 and net4* (that was added in the new package-based API compat), and when we adopted the package-based APICompat later on in 6.0 it didn't follow references which would be required to type-forward testing.

That still doesn't explain how the net461 assembly was missing the type forwards. It should have been generating those from the netstandard2.0 reference assembly. This would have worked better if the package was still around in 8.0 where we got rid of that auto-generation and replaced it with hand-authored type forwards (and we had the better APICompat).

Looking into how the typeforwards were missed by the tool.

[ericstj]

I see what happened. This was correct in https://www.nuget.org/packages/System.Security.AccessControl/6.0.0-preview.3.21201.4 through https://www.nuget.org/packages/System.Security.AccessControl/6.0.0-preview.5.21301.5, but then the package was removed from the build.

It was later brought back in 56894f0 which included the hand-authored typeforwards but those were missing these types. Most likely because that was generated from the last stable assembly instead of the preview assembly that had the changes.

Fix here is to simply add them to https://github.com/dotnet/runtime/blob/release/6.0/src/libraries/System.Security.AccessControl/ref/System.Security.AccessControl.net461.cs

[carlossanlop]

Thanks for submitting the quick fix, @ericstj.

This was correct in https://www.nuget.org/packages/System.Security.AccessControl/6.0.0-preview.3.21201.4 through https://www.nuget.org/packages/System.Security.AccessControl/6.0.0-preview.5.21301.5

While we get the next 6.0 servicing version released with the fix included, would it be a reasonable workaround suggestion for @viktorgobbi to temporarily target one of those preview packages to get unblocked?

[viktorgobbi]

@carlossanlop Sure, that will work for me. I just changed System.Security.AccessControl to 6.0.0-preview.5.21301.5 and had to suppress NU1605 to use it with a System.Security.Permissions Version > 4.7.0 but it works now.
Thanks a lot for the quick reply and solution to everyone involved!

[ericstj]

The fix for this shipped in https://www.nuget.org/packages/System.Security.AccessControl/6.0.1