Managed Identity and Service Principal Support

CredentialProvider.Microsoft.Tests/CredentialProvider.Microsoft.Tests.csproj

@@ -4,6 +4,8 @@
  <PropertyGroup>
  <LangVersion>latest</LangVersion>
  <IsPackable>false</IsPackable>
+ <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
+ <GenerateBindingRedirectsOutputType>true</GenerateBindingRedirectsOutputType>
  </PropertyGroup>
 
  <ItemGroup>
@@ -18,5 +20,4 @@
  <ProjectReference Include="..\CredentialProvider.Microsoft\CredentialProvider.Microsoft.csproj" />
  <ProjectReference Include="..\src\Authentication\Microsoft.Artifacts.Authentication.csproj" />
  </ItemGroup>
-
 </Project>

CredentialProvider.Microsoft.Tests/Util/FeedEndpointCredentialParserTests.cs

@@ -0,0 +1,183 @@
+using System;
+using CredentialProvider.Microsoft.Tests.CredentialProviders.Vsts;
+using FluentAssertions;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+using Moq;
+using NuGetCredentialProvider.Util;
+using ILogger = NuGetCredentialProvider.Logging.ILogger;
+
+namespace CredentialProvider.Microsoft.Tests.Util;
+
+[TestClass]
+public class FeedEndpointCredentialParserTests
+{
+ private IDisposable environmentLock;
+ private Mock<ILogger> loggerMock;
+
+ public FeedEndpointCredentialParserTests()
+ {
+ environmentLock = EnvironmentLock.WaitAsync().Result;
+ loggerMock = new Mock<ILogger>();
+ }
+
+ [TestCleanup]
+ public virtual void TestCleanup()
+ {
+ Environment.SetEnvironmentVariable(EnvUtil.BuildTaskExternalEndpoints, null);
+ Environment.SetEnvironmentVariable(EnvUtil.EndpointCredentials, null);
+ environmentLock?.Dispose();
+ }
+
+ [TestMethod]
+ public void ParseFeedEndpointsJsonToDictionary_ReturnsCredentials()
+ {
+ string feedEndPointJson = "{\"endpointCredentials\":[{\"endpoint\":\"http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json\", \"clientId\": \"testClientId\"}]}";
+ Environment.SetEnvironmentVariable(EnvUtil.EndpointCredentials, feedEndPointJson);
+
+ var result = FeedEndpointCredentialsParser.ParseFeedEndpointsJsonToDictionary(loggerMock.Object);
+
+ result.Count.Should().Be(1);
+ result["http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"].ClientId.Should().Be("testClientId");
+ }
+
+ [DataTestMethod]
+ [DataRow(null)]
+ [DataRow("")]
+ [DataRow(" ")]
+ [DataRow("invalid json")]
+ public void ParseFeedEndpointsJsonToDictionary_WhenInputInvalid_ReturnsEmpty(string invalidInput)
+ {
+ Environment.SetEnvironmentVariable(EnvUtil.EndpointCredentials, invalidInput);
+
+ var result = FeedEndpointCredentialsParser.ParseFeedEndpointsJsonToDictionary(loggerMock.Object);
+
+ result.Should().BeEmpty();
+ }
+
+ [TestMethod]
+ public void ParseFeedEndpointsJsonToDictionary_WithNoClientId_ReturnsEmpty()
+ {
+ string feedEndPointJson = "{\"endpointCredentials\":[{\"endpoint\":\"http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json\"}]}";
+ Environment.SetEnvironmentVariable(EnvUtil.EndpointCredentials, feedEndPointJson);
+
+ var result = FeedEndpointCredentialsParser.ParseFeedEndpointsJsonToDictionary(loggerMock.Object);
+
+ result.Should().BeEmpty();
+ }
+
+ [TestMethod]
+ public void ParseFeedEndpointsJsonToDictionary_WithCertificateFilePath_ReturnsCredentials()
+ {
+ string feedEndPointJson = @"{""endpointCredentials"":[{""endpoint"":""http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"", ""clientId"": ""testClientId"", ""clientCertificateFilePath"": ""test\\file\\path""}]}";
+ Environment.SetEnvironmentVariable(EnvUtil.EndpointCredentials, feedEndPointJson);
+
+ var result = FeedEndpointCredentialsParser.ParseFeedEndpointsJsonToDictionary(loggerMock.Object);
+
+ result.Count.Should().Be(1);
+ result["http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"].ClientId.Should().Be("testClientId");
+ result["http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"].CertificateFilePath.Should().Be("test\\file\\path");
+ }
+
+
+ [TestMethod]
+ public void ParseFeedEndpointsJsonToDictionary_WithCertificateUnixFilePath_ReturnsCredentials()
+ {
+ string feedEndPointJson = @"{""endpointCredentials"":[{""endpoint"":""http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"", ""clientId"": ""testClientId"", ""clientCertificateFilePath"": ""test/file/path""}]}";
+ Environment.SetEnvironmentVariable(EnvUtil.EndpointCredentials, feedEndPointJson);
+
+ var result = FeedEndpointCredentialsParser.ParseFeedEndpointsJsonToDictionary(loggerMock.Object);
+
+ result.Should().NotBeNull();
+ result.Count.Should().Be(1);
+ result["http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"].ClientId.Should().Be("testClientId");
+ result["http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"].CertificateFilePath.Should().Be("test/file/path");
+ }
+
+ [TestMethod]
+ public void ParseFeedEndpointsJsonToDictionary_WithSubjectName_ReturnsCredentials()
+ {
+ string feedEndPointJson = @"{""endpointCredentials"":[{""endpoint"":""http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"", ""clientId"": ""testClientId"", ""clientCertificateSubjectName"": ""someSubjectName""}]}";
+ Environment.SetEnvironmentVariable(EnvUtil.EndpointCredentials, feedEndPointJson);
+
+ var result = FeedEndpointCredentialsParser.ParseFeedEndpointsJsonToDictionary(loggerMock.Object);
+
+ result.Count.Should().Be(1);
+ result["http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"].ClientId.Should().Be("testClientId");
+ result["http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"].CertificateSubjectName.Should().Be("someSubjectName");
+ }
+
+ [TestMethod]
+ public void ParseFeedEndpointsJsonToDictionary_WithCertificateUnixFilePathAndSubjectName_ReturnsEmpty()
+ {
+ string feedEndPointJson = @"{""endpointCredentials"":[{""endpoint"":""http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"", ""clientId"": ""testClientId"", ""clientCertificateFilePath"": ""test/file/path"", , ""clientCertificateSubjectName"": ""someSubjectName""}]}";
+ Environment.SetEnvironmentVariable(EnvUtil.EndpointCredentials, feedEndPointJson);
+
+ var result = FeedEndpointCredentialsParser.ParseFeedEndpointsJsonToDictionary(loggerMock.Object);
+
+ result.Should().BeEmpty();
+ }
+
+ [TestMethod]
+ public void ParseFeedEndpointsJsonToDictionary_WhenSingleQuotePresent_ReturnsEmpty()
+ {
+ string feedEndPointJson = "{'endpointCredentials':['endpoint':'http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json', 'clientId': 'testClientId'}]}";
+ Environment.SetEnvironmentVariable(EnvUtil.EndpointCredentials, feedEndPointJson);
+
+ var result = FeedEndpointCredentialsParser.ParseFeedEndpointsJsonToDictionary(loggerMock.Object);
+
+ result.Should().BeEmpty();
+ }
+
+ [TestMethod]
+ public void ParseExternalFeedEndpointsJsonToDictionary_ReturnsCredentials()
+ {
+ string feedEndPointJson = "{\"endpointCredentials\":[{\"endpoint\":\"http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json\", \"username\": \"testuser\", \"password\": \"testPassword\"}]}";
+ Environment.SetEnvironmentVariable(EnvUtil.BuildTaskExternalEndpoints, feedEndPointJson);
+
+ var result = FeedEndpointCredentialsParser.ParseExternalFeedEndpointsJsonToDictionary(loggerMock.Object);
+
+ result.Count.Should().Be(1);
+ result["http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"].Username.Should().Be("testuser");
+ result["http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"].Password.Should().Be("testPassword");
+ }
+
+ [TestMethod]
+ public void ParseExternalFeedEndpointsJsonToDictionary_WithoutUserName_ReturnsCredentials()
+ {
+ string feedEndPointJson = "{\"endpointCredentials\":[{\"endpoint\":\"http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json\", \"password\": \"testPassword\"}]}";
+ Environment.SetEnvironmentVariable(EnvUtil.BuildTaskExternalEndpoints, feedEndPointJson);
+
+ var result = FeedEndpointCredentialsParser.ParseExternalFeedEndpointsJsonToDictionary(loggerMock.Object);
+
+ result.Count.Should().Be(1);
+ result["http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"].Username.Should().Be("VssSessionToken");
+ result["http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"].Password.Should().Be("testPassword");
+ }
+
+ [TestMethod]
+ public void ParseExternalFeedEndpointsJsonToDictionary_WithSingleQuotes_ReturnsCredentials()
+ {
+ string feedEndPointJson = "{\'endpointCredentials\':[{\'endpoint\':\'http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json\', \'username\': \'testuser\', \'password\': \'testPassword\'}]}";
+ Environment.SetEnvironmentVariable(EnvUtil.BuildTaskExternalEndpoints, feedEndPointJson);
+
+ var result = FeedEndpointCredentialsParser.ParseExternalFeedEndpointsJsonToDictionary(loggerMock.Object);
+
+ result.Count.Should().Be(1);
+ result["http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"].Username.Should().Be("testuser");
+ result["http://example.pkgs.vsts.me/_packaging/TestFeed/nuget/v3/index.json"].Password.Should().Be("testPassword");
+ }
+
+ [DataTestMethod]
+ [DataRow(null)]
+ [DataRow("")]
+ [DataRow(" ")]
+ [DataRow("invalid json")]
+ public void ParseFeedEndpointsJsonToDictionary_WhenInvalidInput_ReturnsEmpty(string input)
+ {
+ Environment.SetEnvironmentVariable(EnvUtil.BuildTaskExternalEndpoints, input);
+
+ var result = FeedEndpointCredentialsParser.ParseExternalFeedEndpointsJsonToDictionary(loggerMock.Object);
+
+ result.Should().BeEmpty();
+ }
+}

CredentialProvider.Microsoft/CredentialProviders/Vsts/IAuthUtil.cs

@@ -21,6 +21,8 @@ public interface IAuthUtil
  Task<AzDevDeploymentType> GetAzDevDeploymentType(Uri uri);
 
  Task<Uri> GetAuthorizationEndpoint(Uri uri, CancellationToken cancellationToken);
+
+ Task<string> GetTenantIdAsync(Uri uri, CancellationToken cancellationToken);
  }
 
  public enum AzDevDeploymentType
@@ -44,6 +46,19 @@ public AuthUtil(ILogger logger)
  this.logger = logger;
  }
 
+ public async Task<string> GetTenantIdAsync(Uri uri, CancellationToken cancellationToken) 
+ {
+ var responseHeaders = await GetResponseHeadersAsync(uri, cancellationToken);
+
+ if (responseHeaders.Contains(VssResourceTenant))
+ {
+ responseHeaders.TryGetValues(VssResourceTenant, out var tenantId);
+ return tenantId.FirstOrDefault();
+ }
+
+ return null;
+ }
+
  public async Task<Uri> GetAadAuthorityUriAsync(Uri uri, CancellationToken cancellationToken)
  {
  var environmentAuthority = EnvUtil.GetAuthorityFromEnvironment(logger);

CredentialProvider.Microsoft/CredentialProviders/Vsts/VstsCredentialProvider.cs

@@ -41,11 +41,15 @@ public override async Task<bool> CanProvideCredentialsAsync(Uri uri)
  {
  // If for any reason we reach this point and any of the three build task env vars are set,
  // we should not try get credentials with this cred provider.
- string feedEndPointsJsonEnvVar = Environment.GetEnvironmentVariable(EnvUtil.BuildTaskExternalEndpoints);
+ string feedEndPointsJsonEnvVar = Environment.GetEnvironmentVariable(EnvUtil.EndpointCredentials);
+ string externalFeedEndPointsJsonEnvVar = Environment.GetEnvironmentVariable(EnvUtil.BuildTaskExternalEndpoints);
  string uriPrefixesStringEnvVar = Environment.GetEnvironmentVariable(EnvUtil.BuildTaskUriPrefixes);
  string accessTokenEnvVar = Environment.GetEnvironmentVariable(EnvUtil.BuildTaskAccessToken);
 
- if (string.IsNullOrWhiteSpace(feedEndPointsJsonEnvVar) == false || string.IsNullOrWhiteSpace(uriPrefixesStringEnvVar) == false || string.IsNullOrWhiteSpace(accessTokenEnvVar) == false)
+ if (string.IsNullOrWhiteSpace(feedEndPointsJsonEnvVar) == false 
+ || string.IsNullOrWhiteSpace(externalFeedEndPointsJsonEnvVar) == false 
+ || string.IsNullOrWhiteSpace(uriPrefixesStringEnvVar) == false
+ || string.IsNullOrWhiteSpace(accessTokenEnvVar) == false)
  {
  Verbose(Resources.BuildTaskCredProviderIsUsedError);
  return false;
@@ -116,7 +120,7 @@ public override async Task<GetAuthenticationCredentialsResponse> HandleRequestAs
  Logger.Minimal(string.Format(Resources.DeviceFlowMessage, deviceCodeResult.VerificationUrl, deviceCodeResult.UserCode));
 
  return Task.CompletedTask;
- }
+ },
  };
 
  // Try each bearer token provider (e.g. cache, WIA, UI, DeviceCode) in order.

CredentialProvider.Microsoft/CredentialProviders/Vsts/VstsSessionTokenClient.cs

@@ -6,9 +6,9 @@
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Text;
+using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
-using Newtonsoft.Json;
 using NuGetCredentialProvider.Logging;
 using NuGetCredentialProvider.Util;
 
@@ -18,6 +18,12 @@ public class VstsSessionTokenClient : IVstsSessionTokenClient
  {
  private const string TokenScope = "vso.packaging_write vso.drop_write";
 
+ private static readonly JsonSerializerOptions options = new JsonSerializerOptions
+ {
+ PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+ PropertyNameCaseInsensitive = true
+ };
+
  private readonly Uri vstsUri;
  private readonly string bearerToken;
  private readonly IAuthUtil authUtil;
@@ -45,7 +51,7 @@ private HttpRequestMessage CreateRequest(Uri uri, DateTime? validTo)
  };
 
  request.Content = new StringContent(
- JsonConvert.SerializeObject(tokenRequest),
+ JsonSerializer.Serialize(tokenRequest, options),
  Encoding.UTF8,
  "application/json");
 
@@ -77,7 +83,6 @@ public async Task<string> CreateSessionTokenAsync(VstsTokenType tokenType, DateT
  string serializedResponse;
  if (response.StatusCode == System.Net.HttpStatusCode.BadRequest)
  {
-
  request.Dispose();
  response.Dispose();
 
@@ -97,7 +102,7 @@ public async Task<string> CreateSessionTokenAsync(VstsTokenType tokenType, DateT
  serializedResponse = await response.Content.ReadAsStringAsync();
  }
 
- var responseToken = JsonConvert.DeserializeObject<VstsSessionToken>(serializedResponse);
+ var responseToken = JsonSerializer.Deserialize<VstsSessionToken>(serializedResponse, options);
 
  if (validTo.Subtract(responseToken.ValidTo.Value).TotalHours > 1.0)
  {