Quirk for ACR 401 on ".../blobs/uploads/"

Adding auth caching per-URL works well for GitHub Container Registry and
Azure Container Registry, _except_ that ACR failed in a confusing way
when initiating blob uploads--if presented with a bad token at that
point, it failed outright with a 401 (that did not provide enough
information for the existing reauthentication flow to do its thing). To
avoid this problem, I'm adding a cache exception for that URL pattern.
That shouldn't be too costly, since it's called only once per blob
upload, so even when doing chunked uploads the bulk of requests should
be cacheable.

Author: rainersigwald

Microsoft.NET.Build.Containers/AuthHeaderCache.cs

@@ -16,6 +16,17 @@ internal static class AuthHeaderCache
 
     public static bool TryGet(Uri uri, [NotNullWhen(true)] out AuthenticationHeaderValue? header)
     {
+        header = null;
+
+        // observed quirk in Azure Container Registry: if you present a token to blobs/uploads and it's wrong,
+        // it won't give back a www-authenticate header for the reauth mechanism to work. So never return
+        // a cache for that URI pattern
+        string[] segments = uri.Segments;
+        if (segments is [.., "blobs/", "uploads/"])
+        {
+            return false;
+        }
+
         return HostAuthenticationCache.TryGetValue(GetCacheKey(uri), out header);
     }