git-ecosystem
diff --git a/‎docs/configuration.md
Lines changed: 23 additions & 0 deletions b/‎docs/configuration.md
Lines changed: 23 additions & 0 deletions
diff --git a/‎docs/environment.md
Lines changed: 29 additions & 0 deletions b/‎docs/environment.md
Lines changed: 29 additions & 0 deletions
diff --git a/‎src/shared/GitHub.Tests/GitHubAuthChallengeTests.cs
Lines changed: 153 additions & 0 deletions b/‎src/shared/GitHub.Tests/GitHubAuthChallengeTests.cs
Lines changed: 153 additions & 0 deletions
@@ -434,6 +434,27 @@ Defaults to undefined.
 
 ---
 
+### credential.gitHubAccountFiltering
+
+Enable or disable automatic account filtering for GitHub based on server hints
+when there are multiple available accounts. This setting is only applicable to
+GitHub.com with [Enterprise Managed Users][github-emu].
+
+Value|Description
+-|-
+`true` _(default)_|Filter available accounts based on server hints.
+`false`|Show all available accounts.
+
+#### Example
+
+```shell
+git config --global credential.gitHubAccountFiltering "false"
+```
+
+**Also see: [GCM_GITHUB_ACCOUNTFILTERING][gcm-github-accountfiltering]**
+
+---
+
 ### credential.gitHubAuthModes
 
 Override the available authentication modes presented during GitHub
@@ -863,6 +884,7 @@ Defaults to disabled.
 [gcm-credential-store]: environment.md#GCM_CREDENTIAL_STORE
 [gcm-debug]: environment.md#GCM_DEBUG
 [gcm-dpapi-store-path]: environment.md#GCM_DPAPI_STORE_PATH
+[gcm-github-accountfiltering]: environment.md#GCM_GITHUB_ACCOUNTFILTERING
 [gcm-github-authmodes]: environment.md#GCM_GITHUB_AUTHMODES
 [gcm-gitlab-authmodes]:environment.md#GCM_GITLAB_AUTHMODES
 [gcm-gui-prompt]: environment.md#GCM_GUI_PROMPT
@@ -877,6 +899,7 @@ Defaults to disabled.
 [gcm-trace]: environment.md#GCM_TRACE
 [gcm-trace-secrets]: environment.md#GCM_TRACE_SECRETS
 [gcm-trace-msauth]: environment.md#GCM_TRACE_MSAUTH
+[github-emu]: https://docs.github.com/en/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users
 [usage]: usage.md
 [git-config-http-proxy]: https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpproxy
 [http-proxy]: netconfig.md#http-proxy
 
@@ -525,6 +525,33 @@ Defaults to undefined.
 
 ---
 
+### GCM_GITHUB_ACCOUNTFILTERING
+
+Enable or disable automatic account filtering for GitHub based on server hints
+when there are multiple available accounts. This setting is only applicable to
+GitHub.com with [Enterprise Managed Users][github-emu].
+
+Value|Description
+-|-
+`true` _(default)_|Filter available accounts based on server hints.
+`false`|Show all available accounts.
+
+#### Windows
+
+```batch
+SET GCM_GITHUB_ACCOUNTFILTERING=false
+```
+
+#### macOS/Linux
+
+```bash
+export GCM_GITHUB_ACCOUNTFILTERING=false
+```
+
+**Also see: [credential.gitHubAccountFiltering][credential-githubaccountfiltering]**
+
+---
+
 ### GCM_GITHUB_AUTHMODES
 
 Override the available authentication modes presented during GitHub
@@ -964,6 +991,7 @@ Defaults to disabled.
 [credential-credentialstore]: configuration.md#credentialcredentialstore
 [credential-debug]: configuration.md#credentialdebug
 [credential-dpapi-store-path]: configuration.md#credentialdpapistorepath
+[credential-githubaccountfiltering]: configuration.md#credentialgitHubAccountFiltering
 [credential-githubauthmodes]: configuration.md#credentialgitHubAuthModes
 [credential-gitlabauthmodes]: configuration.md#credentialgitLabAuthModes
 [credential-guiprompt]: configuration.md#credentialguiprompt
@@ -991,6 +1019,7 @@ Defaults to disabled.
 [git-cache-options]: https://git-scm.com/docs/git-credential-cache#_options
 [git-credential-cache]: https://git-scm.com/docs/git-credential-cache
 [git-httpproxy]: https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpproxy
+[github-emu]: https://docs.github.com/en/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users
 [network-http-proxy]: netconfig.md#http-proxy
 [libsecret]: https://wiki.gnome.org/Projects/Libsecret
 [migration-guide]: migration.md#gcm_authority
 
@@ -0,0 +1,153 @@
+using System;
+using System.Collections.Generic;
+using Xunit;
+
+namespace GitHub.Tests;
+
+public class GitHubAuthChallengeTests
+{
+    [Fact]
+    public void GitHubAuthChallenge_FromHeaders_CaseInsensitive()
+    {
+        var headers = new[]
+        {
+            "BASIC REALM=\"GITHUB\"",
+            "basic realm=\"github\"",
+            "bAsIc ReAlM=\"gItHuB\"",
+        };
+
+        IList<GitHubAuthChallenge> challenges = GitHubAuthChallenge.FromHeaders(headers);
+        Assert.Equal(3, challenges.Count);
+
+        foreach (var challenge in challenges)
+        {
+            Assert.Null(challenge.Domain);
+            Assert.Null(challenge.Enterprise);
+        }
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_FromHeaders_MultipleRealms_ReturnsGitHubOnly()
+    {
+        var headers = new[]
+        {
+            "Basic realm=\"contoso\"",
+            "Basic realm=\"GitHub\"",
+            "Basic realm=\"fabrikam\"",
+        };
+
+        IList<GitHubAuthChallenge> challenges = GitHubAuthChallenge.FromHeaders(headers);
+        Assert.Single(challenges);
+
+        Assert.Null(challenges[0].Domain);
+        Assert.Null(challenges[0].Enterprise);
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_FromHeaders_NoMatchingRealms_ReturnsEmpty()
+    {
+        var headers = new[]
+        {
+            "Basic realm=\"contoso\"",
+            "Basic realm=\"fabrikam\"",
+            "Basic realm=\"example\"",
+        };
+
+        IList<GitHubAuthChallenge> challenges = GitHubAuthChallenge.FromHeaders(headers);
+        Assert.Empty(challenges);
+    }
+
+    [Theory]
+    [InlineData("Basic realm=\"GitHub\" enterprise_hint=\"contoso-corp\" domain_hint=\"contoso\"", "contoso", "contoso-corp")]
+    [InlineData("Basic realm=\"GitHub\" domain_hint=\"contoso\"", "contoso", null)]
+    [InlineData("Basic realm=\"GitHub\" enterprise_hint=\"contoso-corp\"", null, "contoso-corp")]
+    [InlineData("Basic realm=\"GitHub\" domain_hint=\"fab\" enterprise_hint=\"fabirkamopensource\"", "fab", "fabirkamopensource")]
+    [InlineData("Basic enterprise_hint=\"iana\" realm=\"GitHub\" domain_hint=\"example\"", "example", "iana")]
+    [InlineData("Basic domain_hint=\"test\" enterprise_hint=\"test-inc\" realm=\"GitHub\"", "test", "test-inc")]
+    public void GitHubAuthChallenge_FromHeaders_Hints_ReturnsWithHints(string header, string domain, string enterprise)
+    {
+        IList<GitHubAuthChallenge> challenges = GitHubAuthChallenge.FromHeaders(new[] { header });
+        Assert.Single(challenges);
+
+        Assert.Equal(domain, challenges[0].Domain);
+        Assert.Equal(enterprise, challenges[0].Enterprise);
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_FromHeaders_EmptyHeaders_ReturnsEmpty()
+    {
+        string[] headers = Array.Empty<string>();
+        IList<GitHubAuthChallenge> challenges = GitHubAuthChallenge.FromHeaders(headers);
+        Assert.Empty(challenges);
+    }
+
+    [Theory]
+    [InlineData(null, false)]
+    [InlineData("", false)]
+    [InlineData(" ", false)]
+    [InlineData("alice", true)]
+    [InlineData("alice_contoso", false)]
+    [InlineData("alice_CONTOSO", false)]
+    [InlineData("alice_contoso_alt", false)]
+    [InlineData("pj_nitin", true)]
+    [InlineData("up_the_irons", true)]
+    public void GitHubAuthChallenge_IsDomainMember_NoHint(string userName, bool expected)
+    {
+        var challenge = new GitHubAuthChallenge();
+        Assert.Equal(expected, challenge.IsDomainMember(userName));
+    }
+
+    [Theory]
+    [InlineData(null, false)]
+    [InlineData("", false)]
+    [InlineData(" ", false)]
+    [InlineData("alice", false)]
+    [InlineData("alice_contoso", true)]
+    [InlineData("alice_CONTOSO", true)]
+    [InlineData("alice_contoso_alt", false)]
+    [InlineData("pj_nitin", false)]
+    [InlineData("up_the_irons", false)]
+    public void GitHubAuthChallenge_IsDomainMember_DomainHint(string userName, bool expected)
+    {
+        var realm = new GitHubAuthChallenge("contoso", "contoso-corp");
+        Assert.Equal(expected, realm.IsDomainMember(userName));
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_Equals_Null_ReturnsFalse()
+    {
+        var challenge = new GitHubAuthChallenge("contoso", "contoso-corp");
+        Assert.False(challenge.Equals(null));
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_Equals_SameInstance_ReturnsTrue()
+    {
+        var challenge = new GitHubAuthChallenge("contoso", "contoso-corp");
+        Assert.True(challenge.Equals(challenge));
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_Equals_DifferentInstance_ReturnsTrue()
+    {
+        var challenge1 = new GitHubAuthChallenge("contoso", "constoso-corp");
+        var challenge2 = new GitHubAuthChallenge("contoso", "constoso-corp");
+        Assert.True(challenge1.Equals(challenge2));
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_Equals_DifferentCase_ReturnsTrue()
+    {
+        var challenge1 = new GitHubAuthChallenge("contoso", "contoso-corp");
+        var challenge2 = new GitHubAuthChallenge("CONTOSO", "CONTOSO-CORP");
+        Assert.True(challenge1.Equals(challenge2));
+    }
+
+    [Fact]
+    public void GitHubAuthChallenge_Equals_DifferentShortCode_ReturnsFalse()
+    {
+        var challenge1 = new GitHubAuthChallenge("contoso", "constoso-corp");
+        var challenge2 = new GitHubAuthChallenge("fab", "fabrikamopensource");
+        Assert.False(challenge1.Equals(challenge2));
+    }
+}