Merge pull request #67 from mjcheetham/msauth-inproc

 Move Microsoft authentication in-proc

Author: mjcheetham

.azure-pipelines/templates/windows/pack.yml

@@ -1,7 +1,7 @@
 steps:
   - script: |
       xcopy "out\windows\Installer.Windows\bin\$(configuration)\net461"       "$(Build.StagingDirectory)\publish\"
-      xcopy "out\windows\Payload.Windows\bin\$(configuration)\net461\win-x86" "$(Build.StagingDirectory)\publish\payload\"
+      xcopy "out\windows\Payload.Windows\bin\$(configuration)\net461\win-x64" "$(Build.StagingDirectory)\publish\payload\"
       mkdir "$(Build.StagingDirectory)\publish\payload.sym\"
       move  "$(Build.StagingDirectory)\publish\payload\*.pdb"                 "$(Build.StagingDirectory)\publish\payload.sym\"
     displayName: Prepare final build artifact

Git-Credential-Manager.sln

@@ -21,10 +21,6 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TestInfrastructure", "src\s
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "GitHub", "src\shared\GitHub\GitHub.csproj", "{3C840B06-A595-4FD9-9A76-56CD45B14780}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Authentication.Helper.Windows", "src\windows\Microsoft.Authentication.Helper.Windows\Microsoft.Authentication.Helper.Windows.csproj", "{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}"
-EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Authentication.Helper.Windows.Tests", "src\windows\Microsoft.Authentication.Helper.Windows.Tests\Microsoft.Authentication.Helper.Windows.Tests.csproj", "{E0391B02-16D5-4B49-9C33-349B25717011}"
-EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "shared", "shared", "{D5277A0E-997E-453A-8CB9-4EFCC8B16A29}"
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GitHub.Tests", "src\shared\GitHub.Tests\GitHub.Tests.csproj", "{3E524EA8-D31A-4394-997C-14B522E3D6FD}"
@@ -160,22 +156,6 @@ Global
 		{3C840B06-A595-4FD9-9A76-56CD45B14780}.MacDebug|Any CPU.Build.0 = Debug|Any CPU
 		{3C840B06-A595-4FD9-9A76-56CD45B14780}.MacRelease|Any CPU.ActiveCfg = Release|Any CPU
 		{3C840B06-A595-4FD9-9A76-56CD45B14780}.MacRelease|Any CPU.Build.0 = Release|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.WindowsDebug|Any CPU.ActiveCfg = Debug|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.WindowsDebug|Any CPU.Build.0 = Debug|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.WindowsRelease|Any CPU.ActiveCfg = Release|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.WindowsRelease|Any CPU.Build.0 = Release|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.MacDebug|Any CPU.ActiveCfg = Debug|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.MacRelease|Any CPU.ActiveCfg = Release|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.WindowsDebug|Any CPU.ActiveCfg = Debug|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.WindowsDebug|Any CPU.Build.0 = Debug|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.WindowsRelease|Any CPU.ActiveCfg = Release|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.WindowsRelease|Any CPU.Build.0 = Release|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.MacDebug|Any CPU.ActiveCfg = Debug|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.MacRelease|Any CPU.ActiveCfg = Release|Any CPU
 		{3E524EA8-D31A-4394-997C-14B522E3D6FD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{3E524EA8-D31A-4394-997C-14B522E3D6FD}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{3E524EA8-D31A-4394-997C-14B522E3D6FD}.Release|Any CPU.ActiveCfg = Release|Any CPU
@@ -242,7 +222,6 @@ Global
 	EndGlobalSection
 	GlobalSection(NestedProjects) = preSolution
 		{66722747-1B61-40E4-A89B-1AC8E6D62EA9} = {A7FC1234-95E3-4496-B5F7-4306F41E6A0E}
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4} = {66722747-1B61-40E4-A89B-1AC8E6D62EA9}
 		{D5277A0E-997E-453A-8CB9-4EFCC8B16A29} = {A7FC1234-95E3-4496-B5F7-4306F41E6A0E}
 		{28F06D44-AB25-4CF5-93F9-978C23FAA9D6} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
 		{3C840B06-A595-4FD9-9A76-56CD45B14780} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
@@ -251,7 +230,6 @@ Global
 		{97DC6241-1240-4A85-8035-F8404A983A82} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
 		{AD41FA1E-51F5-4E4F-B7DA-32F921491313} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
 		{5A7D9E8B-C1D2-4C5C-BE98-648C41D1F8BD} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
-		{E0391B02-16D5-4B49-9C33-349B25717011} = {66722747-1B61-40E4-A89B-1AC8E6D62EA9}
 		{3E524EA8-D31A-4394-997C-14B522E3D6FD} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
 		{3D279E2D-E011-45CF-8EA8-3D71D1300443} = {A7FC1234-95E3-4496-B5F7-4306F41E6A0E}
 		{206430B1-CEED-4C84-8D49-D0A399632202} = {3D279E2D-E011-45CF-8EA8-3D71D1300443}

src/shared/Git-Credential-Manager/Git-Credential-Manager.csproj

@@ -2,9 +2,9 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>netcoreapp2.1</TargetFramework>
-    <TargetFramework Condition="'$(OSPlatform)'=='windows'">net461</TargetFramework>
-    <RuntimeIdentifiers>win-x86;osx-x64</RuntimeIdentifiers>
+    <TargetFrameworks>netcoreapp2.1</TargetFrameworks>
+    <TargetFrameworks Condition="'$(OSPlatform)'=='windows'">net461;netcoreapp2.1</TargetFrameworks>
+    <RuntimeIdentifiers>win-x64;osx-x64</RuntimeIdentifiers>
     <AssemblyName>git-credential-manager-core</AssemblyName>
     <RootNamespace>Microsoft.Git.CredentialManager</RootNamespace>
     <ApplicationIcon>$(RepoAssetsPath)gcmicon.ico</ApplicationIcon>
@@ -13,12 +13,6 @@
     <TargetLatestRuntimePatch>true</TargetLatestRuntimePatch>
   </PropertyGroup>
 
-  <!-- On Windows we target 32-bit because the WinForms authentication helpers are 32-bit
-       and also need to use the native libgit2 library (we use the 32-bit version on Windows) -->
-  <PropertyGroup Condition="'$(OSPlatform)'=='windows'">
-    <Prefer32Bit>true</Prefer32Bit>
-  </PropertyGroup>
-
   <ItemGroup>
     <ProjectReference Include="..\GitHub\GitHub.csproj" />
     <ProjectReference Include="..\Microsoft.AzureRepos\Microsoft.AzureRepos.csproj" />

src/shared/Microsoft.AzureRepos.Tests/AzureDevOpsApiTests.cs

@@ -9,8 +9,10 @@
 using System.Threading.Tasks;
 using Microsoft.Git.CredentialManager;
 using Microsoft.Git.CredentialManager.Tests.Objects;
+using Microsoft.IdentityModel.JsonWebTokens;
 using Newtonsoft.Json;
 using Xunit;
+using static Microsoft.Git.CredentialManager.Tests.TestHelpers;
 
 namespace Microsoft.AzureRepos.Tests
 {
@@ -223,7 +225,7 @@ public async Task AzureDevOpsRestApi_CreatePersonalAccessTokenAsync_ReturnsPAT()
             var orgUri = new Uri("https://dev.azure.com/org/");
 
             const string expectedPat = "PERSONAL-ACCESS-TOKEN";
-            const string accessToken = "ACCESS-TOKEN";
+            JsonWebToken accessToken = CreateJwt();
             IEnumerable<string> scopes = new[] {AzureDevOpsConstants.PersonalAccessTokenScopes.ReposWrite};
 
             var identityServiceUri = new Uri("https://identity.example.com/");
@@ -262,7 +264,7 @@ public async Task AzureDevOpsRestApi_CreatePersonalAccessTokenAsync_LocSvcReturn
             var context = new TestCommandContext();
             var orgUri = new Uri("https://dev.azure.com/org/");
 
-            const string accessToken = "ACCESS-TOKEN";
+            JsonWebToken accessToken = CreateJwt();
             IEnumerable<string> scopes = new[] {AzureDevOpsConstants.PersonalAccessTokenScopes.ReposWrite};
 
             var locSvcRequestUri = new Uri(orgUri, ExpectedLocationServicePath);
@@ -282,7 +284,7 @@ public async Task AzureDevOpsRestApi_CreatePersonalAccessTokenAsync_IdentSvcRetu
             var context = new TestCommandContext();
             var orgUri = new Uri("https://dev.azure.com/org/");
 
-            const string accessToken = "ACCESS-TOKEN";
+            JsonWebToken accessToken = CreateJwt();
             IEnumerable<string> scopes = new[] {AzureDevOpsConstants.PersonalAccessTokenScopes.ReposWrite};
 
             var identityServiceUri = new Uri("https://identity.example.com/");
@@ -315,7 +317,7 @@ public async Task AzureDevOpsRestApi_CreatePersonalAccessTokenAsync_IdentSvcRetu
             var context = new TestCommandContext();
             var orgUri = new Uri("https://dev.azure.com/org/");
 
-            const string accessToken = "ACCESS-TOKEN";
+            JsonWebToken accessToken = CreateJwt();
             IEnumerable<string> scopes = new[] {AzureDevOpsConstants.PersonalAccessTokenScopes.ReposWrite};
 
             var identityServiceUri = new Uri("https://identity.example.com/");
@@ -400,12 +402,12 @@ private static void AssertAcceptJson(HttpRequestMessage request)
             Assert.Contains(Constants.Http.MimeTypeJson, acceptMimeTypes);
         }
 
-        private static void AssertBearerToken(HttpRequestMessage request, string bearerToken)
+        private static void AssertBearerToken(HttpRequestMessage request, JsonWebToken bearerToken)
         {
             AuthenticationHeaderValue authHeader = request.Headers.Authorization;
             Assert.NotNull(authHeader);
             Assert.Equal("Bearer", authHeader.Scheme);
-            Assert.Equal(bearerToken, authHeader.Parameter);
+            Assert.Equal(bearerToken.EncodedToken, authHeader.Parameter);
         }
 
         private static HttpResponseMessage CreateLocationServiceResponse(Uri identityServiceUri)

src/shared/Microsoft.AzureRepos.Tests/AzureReposHostProviderTests.cs

@@ -8,6 +8,7 @@
 using Microsoft.Git.CredentialManager.Tests.Objects;
 using Moq;
 using Xunit;
+using static Microsoft.Git.CredentialManager.Tests.TestHelpers;
 
 namespace Microsoft.AzureRepos.Tests
 {
@@ -151,7 +152,7 @@ public async Task AzureReposProvider_GetCredentialAsync_ReturnsCredential()
             var expectedClientId = AzureDevOpsConstants.AadClientId;
             var expectedRedirectUri = AzureDevOpsConstants.AadRedirectUri;
             var expectedResource = AzureDevOpsConstants.AadResourceId;
-            var accessToken = "ACCESS-TOKEN";
+            var accessToken = CreateJwt("john.doe");
             var personalAccessToken = "PERSONAL-ACCESS-TOKEN";
 
             var context = new TestCommandContext();
@@ -163,7 +164,7 @@ public async Task AzureReposProvider_GetCredentialAsync_ReturnsCredential()
                         .ReturnsAsync(personalAccessToken);
 
             var msAuthMock = new Mock<IMicrosoftAuthentication>();
-            msAuthMock.Setup(x => x.GetAccessTokenAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedResource, remoteUri))
+            msAuthMock.Setup(x => x.GetAccessTokenAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedResource, remoteUri, null))
                       .ReturnsAsync(accessToken);
 
             var provider = new AzureReposHostProvider(context, azDevOpsMock.Object, msAuthMock.Object);

src/shared/Microsoft.AzureRepos/AzureDevOpsRestApi.cs

@@ -9,13 +9,14 @@
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using Microsoft.Git.CredentialManager;
+using Microsoft.IdentityModel.JsonWebTokens;
 
 namespace Microsoft.AzureRepos
 {
     public interface IAzureDevOpsRestApi : IDisposable
     {
         Task<string> GetAuthorityAsync(Uri organizationUri);
-        Task<string> CreatePersonalAccessTokenAsync(Uri organizationUri, string accessToken, IEnumerable<string> scopes);
+        Task<string> CreatePersonalAccessTokenAsync(Uri organizationUri, JsonWebToken accessToken, IEnumerable<string> scopes);
     }
 
     public class AzureDevOpsRestApi : IAzureDevOpsRestApi
@@ -84,7 +85,7 @@ public async Task<string> GetAuthorityAsync(Uri organizationUri)
             return commonAuthority;
         }
 
-        public async Task<string> CreatePersonalAccessTokenAsync(Uri organizationUri, string accessToken, IEnumerable<string> scopes)
+        public async Task<string> CreatePersonalAccessTokenAsync(Uri organizationUri, JsonWebToken accessToken, IEnumerable<string> scopes)
         {
             const string sessionTokenUrl = "_apis/token/sessiontokens?api-version=1.0&tokentype=compact";
 
@@ -93,7 +94,7 @@ public async Task<string> CreatePersonalAccessTokenAsync(Uri organizationUri, st
             {
                 throw new ArgumentException($"Provided URI '{organizationUri}' is not a valid Azure DevOps hostname", nameof(organizationUri));
             }
-            EnsureArgument.NotNullOrWhiteSpace(accessToken, nameof(accessToken));
+            EnsureArgument.NotNull(accessToken, nameof(accessToken));
 
             _context.Trace.WriteLine("Getting Azure DevOps Identity Service endpoint...");
             Uri identityServiceUri = await GetIdentityServiceUriAsync(organizationUri, accessToken);
@@ -134,7 +135,7 @@ public async Task<string> CreatePersonalAccessTokenAsync(Uri organizationUri, st
 
         #region Private Methods
 
-        private async Task<Uri> GetIdentityServiceUriAsync(Uri organizationUri, string accessToken)
+        private async Task<Uri> GetIdentityServiceUriAsync(Uri organizationUri, JsonWebToken accessToken)
         {
             const string locationServicePath = "_apis/ServiceDefinitions/LocationService2/951917AC-A960-4999-8464-E3F0AA25B381";
             const string locationServiceQuery = "api-version=1.0";
@@ -273,7 +274,7 @@ private static StringContent CreateAccessTokenRequestJson(Uri organizationUri, I
         /// <param name="content">Optional request content.</param>
         /// <param name="bearerToken">Optional bearer token for authorization.</param>
         /// <returns>HTTP request message.</returns>
-        private static HttpRequestMessage CreateRequestMessage(HttpMethod method, Uri uri, HttpContent content = null, string bearerToken = null)
+        private static HttpRequestMessage CreateRequestMessage(HttpMethod method, Uri uri, HttpContent content = null, JsonWebToken bearerToken = null)
         {
             var request = new HttpRequestMessage(method, uri);
 
@@ -282,9 +283,9 @@ private static HttpRequestMessage CreateRequestMessage(HttpMethod method, Uri ur
                 request.Content = content;
             }
 
-            if (!string.IsNullOrWhiteSpace(bearerToken))
+            if (bearerToken != null)
             {
-                request.Headers.Authorization = new AuthenticationHeaderValue(Constants.Http.WwwAuthenticateBearerScheme, bearerToken);
+                request.Headers.Authorization = new AuthenticationHeaderValue(Constants.Http.WwwAuthenticateBearerScheme, bearerToken.EncodedToken);
             }
 
             return request;

src/shared/Microsoft.AzureRepos/AzureReposHostProvider.cs

@@ -5,6 +5,7 @@
 using System.Threading.Tasks;
 using Microsoft.Git.CredentialManager;
 using Microsoft.Git.CredentialManager.Authentication;
+using Microsoft.IdentityModel.JsonWebTokens;
 using KnownGitCfg = Microsoft.Git.CredentialManager.Constants.GitConfiguration;
 
 namespace Microsoft.AzureRepos
@@ -73,13 +74,15 @@ public override async Task<ICredential> GenerateCredentialAsync(InputArguments i
 
             // Get an AAD access token for the Azure DevOps SPS
             Context.Trace.WriteLine("Getting Azure AD access token...");
-            string accessToken = await _msAuth.GetAccessTokenAsync(
+            JsonWebToken accessToken = await _msAuth.GetAccessTokenAsync(
                 authAuthority,
                 AzureDevOpsConstants.AadClientId,
                 AzureDevOpsConstants.AadRedirectUri,
                 AzureDevOpsConstants.AadResourceId,
-                remoteUri);
-            Context.Trace.WriteLineSecrets("Acquired access token. Token='{0}'", new object[] {accessToken});
+                remoteUri,
+                null);
+            string atUser = accessToken.GetAzureUserName();
+            Context.Trace.WriteLineSecrets($"Acquired Azure access token. User='{atUser}' Token='{{0}}'", new object[] {accessToken.EncodedToken});
 
             // Ask the Azure DevOps instance to create a new PAT
             var patScopes = new[]