GetResponseWithRedirects only adds credentials to cache for matching schemes

Dylan Lerch · Dylan Lerch · commit 0eb7b9416b89 · 2021-07-13T09:46:53.000+10:00
The previous implementation of `ManagedHttpSmartSubtransportStream.GetResponseWithRedirects` was not checking that the scheme matched the provided credentials before adding to the credential cache (instead defaulting to the scheme of the first value in the WWW-Authenticate header).

That could cause issues in some cases where the first challenge contained an unsupported scheme (such as Bearer). In this case, the old implemenation would add the credentials to the cache with Bearer scheme - regardless of the credential type - and all additional (potentially valid) schemes in the header would be discarded.

Credentials are now added to the cache for every supported scheme that matches the given credential type.

The new implementation copies the one used in the libgit2 library: Default credentials are used for the Negotiate scheme, username/password credentials are used for the NTLM and Basic schemes, and all others are ignored.

The error in the current implementation can be reproduced when attempting to connect to a repository in an Azure AD-backed Azure DevOps organisation.
diff --git a/LibGit2Sharp/Core/ManagedHttpSmartSubtransport.cs b/LibGit2Sharp/Core/ManagedHttpSmartSubtransport.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Net;
@@ -47,6 +48,13 @@ private class ManagedHttpSmartSubtransportStream : SmartSubtransportStream
         {
             private static int MAX_REDIRECTS = 7;
 
+            private static readonly IReadOnlyDictionary<Type, string[]> SUPPORTED_SCHEMES_FOR_CREDENTIALS =
+                new Dictionary<Type, string[]>
+                {
+                    { typeof(DefaultCredentials), new[] { "Negotiate" } },
+                    { typeof(UsernamePasswordCredentials), new[] { "NTLM", "Basic" } }
+                };
+
 #if NETCOREAPP
             private static readonly SocketsHttpHandler httpHandler;
 #else
@@ -189,20 +197,14 @@ private HttpResponseMessage GetResponseWithRedirects()
                                 throw new InvalidOperationException("authentication cancelled");
                             }
 
-                            var scheme = response.Headers.WwwAuthenticate.First().Scheme;
-
-                            if (cred is DefaultCredentials)
-                            {
-                                lock (credentialCache)
-                                {
-                                    credentialCache.Add(url, scheme, CredentialCache.DefaultNetworkCredentials);
-                                }
-                            }
-                            else if (cred is UsernamePasswordCredentials userpass)
+                            foreach (var authenticationHeader in response.Headers.WwwAuthenticate)
                             {
-                                lock (credentialCache)
+                                if (CredentialsAreValidForScheme(cred, authenticationHeader.Scheme, out var networkCredential))
                                 {
-                                    credentialCache.Add(url, scheme, new NetworkCredential(userpass.Username, userpass.Password));
+                                    lock (credentialCache)
+                                    {
+                                        credentialCache.Add(url, authenticationHeader.Scheme, networkCredential);
+                                    }
                                 }
                             }
 
@@ -221,6 +223,35 @@ private HttpResponseMessage GetResponseWithRedirects()
                 throw new Exception("too many redirects or authentication replays");
             }
 
+            bool IsSupportedAuth<T>(Credentials credentials, string scheme, out T typedCredentials) where T : Credentials
+            {
+                if (credentials is T innerTypedCredentials && SUPPORTED_SCHEMES_FOR_CREDENTIALS.TryGetValue(typeof(T), out var schemes) &&
+                    schemes.Contains(scheme, StringComparer.InvariantCultureIgnoreCase))
+                {
+                    typedCredentials = innerTypedCredentials;
+                    return true;
+                }
+
+                typedCredentials = null;
+                return false;
+            }
+
+            bool CredentialsAreValidForScheme(Credentials credentials, string scheme, out NetworkCredential networkCredential)
+            {
+                networkCredential = null;
+
+                if (IsSupportedAuth<DefaultCredentials>(credentials, scheme, out _))
+                {
+                    networkCredential = CredentialCache.DefaultNetworkCredentials;
+                }
+                else if (IsSupportedAuth<UsernamePasswordCredentials>(credentials, scheme, out var usernamePasswordCredentials))
+                {
+                    networkCredential = new NetworkCredential(usernamePasswordCredentials.Username, usernamePasswordCredentials.Password);
+                }
+
+                return networkCredential != null;
+            }
+
             public override int Read(Stream dataStream, long length, out long readTotal)
             {
                 byte[] buffer = new byte[4096];
