githubauth: add wwwauth header parsing

Add parsing of GitHub.com's WWW-Authenticate header, with the upcoming
enterprise_hint and domain_hint properties that can be used to indicate
when a resource (repository) requires a specific EMU account.

Author: mjcheetham

src/shared/GitHub.Tests/GitHubAuthChallengeTests.cs

@@ -0,0 +1,153 @@
+using System;
+using System.Collections.Generic;
+using Xunit;
+
+namespace GitHub.Tests;
+
+public class GitHubAuthChallengeTests
+{
+    [Fact]
+    public void GitHubAuthChallenge_FromHeaders_CaseInsensitive()
+    {
+        var headers = new[]
+        {
+            "BASIC REALM=\"GITHUB\"",
+            "basic realm=\"github\"",
+            "bAsIc ReAlM=\"gItHuB\"",
+        };
+
+        IList<GitHubAuthChallenge> challenges = GitHubAuthChallenge.FromHeaders(headers);
+        Assert.Equal(3, challenges.Count);
+
+        foreach (var challenge in challenges)
+        {
+            Assert.Null(challenge.Domain);
+            Assert.Null(challenge.Enterprise);
+        }
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_FromHeaders_MultipleRealms_ReturnsGitHubOnly()
+    {
+        var headers = new[]
+        {
+            "Basic realm=\"contoso\"",
+            "Basic realm=\"GitHub\"",
+            "Basic realm=\"fabrikam\"",
+        };
+
+        IList<GitHubAuthChallenge> challenges = GitHubAuthChallenge.FromHeaders(headers);
+        Assert.Single(challenges);
+
+        Assert.Null(challenges[0].Domain);
+        Assert.Null(challenges[0].Enterprise);
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_FromHeaders_NoMatchingRealms_ReturnsEmpty()
+    {
+        var headers = new[]
+        {
+            "Basic realm=\"contoso\"",
+            "Basic realm=\"fabrikam\"",
+            "Basic realm=\"example\"",
+        };
+
+        IList<GitHubAuthChallenge> challenges = GitHubAuthChallenge.FromHeaders(headers);
+        Assert.Empty(challenges);
+    }
+
+    [Theory]
+    [InlineData("Basic realm=\"GitHub\" enterprise_hint=\"contoso-corp\" domain_hint=\"contoso\"", "contoso", "contoso-corp")]
+    [InlineData("Basic realm=\"GitHub\" domain_hint=\"contoso\"", "contoso", null)]
+    [InlineData("Basic realm=\"GitHub\" enterprise_hint=\"contoso-corp\"", null, "contoso-corp")]
+    [InlineData("Basic realm=\"GitHub\" domain_hint=\"fab\" enterprise_hint=\"fabirkamopensource\"", "fab", "fabirkamopensource")]
+    [InlineData("Basic enterprise_hint=\"iana\" realm=\"GitHub\" domain_hint=\"example\"", "example", "iana")]
+    [InlineData("Basic domain_hint=\"test\" enterprise_hint=\"test-inc\" realm=\"GitHub\"", "test", "test-inc")]
+    public void GitHubAuthChallenge_FromHeaders_Hints_ReturnsWithHints(string header, string domain, string enterprise)
+    {
+        IList<GitHubAuthChallenge> challenges = GitHubAuthChallenge.FromHeaders(new[] { header });
+        Assert.Single(challenges);
+
+        Assert.Equal(domain, challenges[0].Domain);
+        Assert.Equal(enterprise, challenges[0].Enterprise);
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_FromHeaders_EmptyHeaders_ReturnsEmpty()
+    {
+        string[] headers = Array.Empty<string>();
+        IList<GitHubAuthChallenge> challenges = GitHubAuthChallenge.FromHeaders(headers);
+        Assert.Empty(challenges);
+    }
+
+    [Theory]
+    [InlineData(null, false)]
+    [InlineData("", false)]
+    [InlineData(" ", false)]
+    [InlineData("alice", true)]
+    [InlineData("alice_contoso", false)]
+    [InlineData("alice_CONTOSO", false)]
+    [InlineData("alice_contoso_alt", false)]
+    [InlineData("pj_nitin", true)]
+    [InlineData("up_the_irons", true)]
+    public void GitHubAuthChallenge_IsDomainMember_NoHint(string userName, bool expected)
+    {
+        var challenge = new GitHubAuthChallenge();
+        Assert.Equal(expected, challenge.IsDomainMember(userName));
+    }
+
+    [Theory]
+    [InlineData(null, false)]
+    [InlineData("", false)]
+    [InlineData(" ", false)]
+    [InlineData("alice", false)]
+    [InlineData("alice_contoso", true)]
+    [InlineData("alice_CONTOSO", true)]
+    [InlineData("alice_contoso_alt", false)]
+    [InlineData("pj_nitin", false)]
+    [InlineData("up_the_irons", false)]
+    public void GitHubAuthChallenge_IsDomainMember_DomainHint(string userName, bool expected)
+    {
+        var realm = new GitHubAuthChallenge("contoso", "contoso-corp");
+        Assert.Equal(expected, realm.IsDomainMember(userName));
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_Equals_Null_ReturnsFalse()
+    {
+        var challenge = new GitHubAuthChallenge("contoso", "contoso-corp");
+        Assert.False(challenge.Equals(null));
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_Equals_SameInstance_ReturnsTrue()
+    {
+        var challenge = new GitHubAuthChallenge("contoso", "contoso-corp");
+        Assert.True(challenge.Equals(challenge));
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_Equals_DifferentInstance_ReturnsTrue()
+    {
+        var challenge1 = new GitHubAuthChallenge("contoso", "constoso-corp");
+        var challenge2 = new GitHubAuthChallenge("contoso", "constoso-corp");
+        Assert.True(challenge1.Equals(challenge2));
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_Equals_DifferentCase_ReturnsTrue()
+    {
+        var challenge1 = new GitHubAuthChallenge("contoso", "contoso-corp");
+        var challenge2 = new GitHubAuthChallenge("CONTOSO", "CONTOSO-CORP");
+        Assert.True(challenge1.Equals(challenge2));
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_Equals_DifferentShortCode_ReturnsFalse()
+    {
+        var challenge1 = new GitHubAuthChallenge("contoso", "constoso-corp");
+        var challenge2 = new GitHubAuthChallenge("fab", "fabrikamopensource");
+        Assert.False(challenge1.Equals(challenge2));
+    }
+}

src/shared/GitHub/GitHubAuthChallenge.cs

@@ -0,0 +1,113 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text.RegularExpressions;
+
+namespace GitHub;
+
+public class GitHubAuthChallenge : IEquatable<GitHubAuthChallenge>
+{
+    private static readonly Regex BasicRegex = new(@"Basic\s+(?'props1'.*)realm=""GitHub""(?'props2'.*)",
+        RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
+    public static IList<GitHubAuthChallenge> FromHeaders(IEnumerable<string> headers)
+    {
+        var challenges = new List<GitHubAuthChallenge>();
+        foreach (string header in headers)
+        {
+            var match = BasicRegex.Match(header);
+            if (match.Success)
+            {
+                IDictionary<string, string> props = ParseProperties(match.Groups["props1"].Value + match.Groups["props2"]);
+
+                // The enterprise shortcode is provided in the `domain_hint` property, whereas the
+                // enterprise name/slug is provided in the `enterprise_hint` property.
+                props.TryGetValue("domain_hint", out string domain);
+                props.TryGetValue("enterprise_hint", out string enterprise);
+
+                var challenge = new GitHubAuthChallenge(domain, enterprise);
+
+                challenges.Add(challenge);
+            }
+        }
+
+        return challenges;
+    }
+
+    private static IDictionary<string, string> ParseProperties(string str)
+    {
+        var props = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
+        foreach (string prop in str.Split(' '))
+        {
+            int delim = prop.IndexOf('=');
+            if (delim < 0)
+            {
+                continue;
+            }
+
+            string key = prop.Substring(0, delim).Trim();
+            string value = prop.Substring(delim + 1).Trim('"');
+
+            props[key] = value;
+        }
+
+        return props;
+    }
+
+    public GitHubAuthChallenge() { }
+
+    public GitHubAuthChallenge(string domain, string enterprise)
+    {
+        Domain = domain;
+        Enterprise = enterprise;
+    }
+
+    public string Domain { get; }
+
+    public string Enterprise { get; }
+
+    public bool IsDomainMember(string userName)
+    {
+        if (string.IsNullOrWhiteSpace(userName))
+        {
+            return false;
+        }
+
+        int delim = userName.LastIndexOf('_');
+        if (delim < 0)
+        {
+            return string.IsNullOrWhiteSpace(Domain);
+        }
+
+        // Check for users that contain underscores but are not EMU logins
+        if (GitHubConstants.InvalidUnderscoreLogins.Contains(userName, StringComparer.OrdinalIgnoreCase))
+        {
+            return string.IsNullOrWhiteSpace(Domain);
+        }
+
+        string shortCode = userName.Substring(delim + 1);
+        return StringComparer.OrdinalIgnoreCase.Equals(Domain, shortCode);
+    }
+
+    public bool Equals(GitHubAuthChallenge other)
+    {
+        if (ReferenceEquals(null, other)) return false;
+        if (ReferenceEquals(this, other)) return true;
+        return string.Equals(Domain, other.Domain, StringComparison.OrdinalIgnoreCase) &&
+               string.Equals(Enterprise, other.Enterprise, StringComparison.OrdinalIgnoreCase);
+    }
+
+    public override bool Equals(object obj)
+    {
+        if (ReferenceEquals(null, obj)) return false;
+        if (ReferenceEquals(this, obj)) return true;
+        if (obj.GetType() != GetType()) return false;
+        return Equals((GitHubAuthChallenge)obj);
+    }
+
+    public override int GetHashCode()
+    {
+        return Domain.GetHashCode() * 1019 ^
+               Enterprise.GetHashCode() * 337;
+    }
+}

src/shared/GitHub/GitHubConstants.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 
 namespace GitHub
 {
@@ -19,6 +20,11 @@ public static class GitHubConstants
         public static readonly Uri OAuthTokenEndpointRelativeUri = new Uri("/login/oauth/access_token", UriKind.Relative);
         public static readonly Uri OAuthDeviceEndpointRelativeUri = new Uri("/login/device/code", UriKind.Relative);
 
+        /// <summary>
+        /// GitHub user names that contain underscores but are not EMU logins.
+        /// </summary>
+        public static readonly IReadOnlyList<string> InvalidUnderscoreLogins = new[] { "pj_nitin", "up_the_irons" };
+
         /// <summary>
         /// The GitHub required HTTP accepts header value
         /// </summary>
@@ -59,6 +65,7 @@ public static class EnvironmentVariables
             public const string DevOAuthClientId = "GCM_DEV_GITHUB_CLIENTID";
             public const string DevOAuthClientSecret = "GCM_DEV_GITHUB_CLIENTSECRET";
             public const string DevOAuthRedirectUri = "GCM_DEV_GITHUB_REDIRECTURI";
+            public const string AccountFiltering = "GCM_GITHUB_ACCOUNTFILTERING";
         }
 
         public static class GitConfiguration
@@ -70,6 +77,7 @@ public static class Credential
                 public const string DevOAuthClientId = "gitHubDevClientId";
                 public const string DevOAuthClientSecret = "gitHubDevClientSecret";
                 public const string DevOAuthRedirectUri = "gitHubDevRedirectUri";
+                public const string AccountFiltering = "githubAccountFiltering";
             }
         }
     }