azrepos: look at wwwauth[] for authority in first instance

Use the new `wwwauth[]` header information from Git to determine the
Azure authority for Azure Repos, before needing to resort to a cached
value, or making a HEAD call.

Author: mjcheetham

src/shared/Microsoft.AzureRepos.Tests/AzureReposHostProviderTests.cs

@@ -643,6 +643,42 @@ public async Task AzureReposHostProvider_UnconfigureAsync_User_Windows_UseHttpPa
             Assert.False(context.Git.Configuration.Global.TryGetValue(AzDevUseHttpPathKey, out _));
         }
 
+        [Theory]
+        [InlineData(false, null, "")]
+        [InlineData(false, null, "   ")]
+        [InlineData(false, null, null)]
+        [InlineData(false, null, "Basic realm=\"test\"")]
+        [InlineData(false, null, "Basic realm=\"https://tfsprodwcus0.app.visualstudio.com/\"")]
+        [InlineData(false, null, "TFS-Federated")]
+        [InlineData(true, "https://login.microsoftonline.com/79c4d065-d599-442e-b0ea-c4ab36ad63c3",
+            "Bearer authorization_uri=https://login.microsoftonline.com/79c4d065-d599-442e-b0ea-c4ab36ad63c3")]
+        [InlineData(true, "https://login.microsoftonline.com/79c4d065-d599-442e-b0ea-c4ab36ad63c3",
+            "bEArEr auThORizAtIoN_uRi=https://login.microsoftonline.com/79c4d065-d599-442e-b0ea-c4ab36ad63c3")]
+        [InlineData(true, "https://login.microsoftonline.com/79c4d065-d599-442e-b0ea-c4ab36ad63c3",
+            "\"Bearer authorization_uri=https://login.microsoftonline.com/79c4d065-d599-442e-b0ea-c4ab36ad63c3\"")]
+        [InlineData(true, "https://login.microsoftonline.com/79c4d065-d599-442e-b0ea-c4ab36ad63c3",
+            "'Bearer authorization_uri=https://login.microsoftonline.com/79c4d065-d599-442e-b0ea-c4ab36ad63c3'")]
+        [InlineData(true, "https://login.microsoftonline.com/tenant1",
+            "Bearer authorization_uri=https://login.microsoftonline.com/tenant1",
+            "Bearer authorization_uri=https://login.microsoftonline.com/tenant2",
+            "Bearer authorization_uri=https://login.microsoftonline.com/tenant3")]
+        [InlineData(true, "https://login.microsoftonline.com/79c4d065-d599-442e-b0ea-c4ab36ad63c3",
+            "Bearer authorization_uri=https://login.microsoftonline.com/79c4d065-d599-442e-b0ea-c4ab36ad63c3",
+            "Basic realm=\"https://tfsprodwcus0.app.visualstudio.com/\"",
+            "TFS-Federated")]
+        [InlineData(true, "https://login.microsoftonline.com/79c4d065-d599-442e-b0ea-c4ab36ad63c3",
+            "TFS-Federated",
+            "Basic realm=\"https://tfsprodwcus0.app.visualstudio.com/\"",
+            "Bearer authorization_uri=https://login.microsoftonline.com/79c4d065-d599-442e-b0ea-c4ab36ad63c3")]
+        public void AzureReposHostProvider_TryGetAuthorityFromHeaders(
+            bool expectedResult, string expectedAuthority, params string[] headers)
+        {
+            bool actualResult = AzureReposHostProvider.TryGetAuthorityFromHeaders(headers, out string actualAuthority);
+
+            Assert.Equal(expectedResult, actualResult);
+            Assert.Equal(expectedAuthority, actualAuthority);
+        }
+
         private static IMicrosoftAuthenticationResult CreateAuthResult(string upn, string token)
         {
             return new MockMsAuthResult

src/shared/Microsoft.AzureRepos/AzureReposHostProvider.cs

@@ -3,6 +3,7 @@
 using System.CommandLine;
 using System.Linq;
 using System.Net.Http;
+using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using GitCredentialManager;
 using GitCredentialManager.Authentication;
@@ -74,10 +75,9 @@ public bool IsSupported(HttpResponseMessage response)
 
         public async Task<ICredential> GetCredentialAsync(InputArguments input)
         {
-            Uri remoteUri = input.GetRemoteUri();
-
             if (UsePersonalAccessTokens())
             {
+                Uri remoteUri = input.GetRemoteUri();
                 string service = GetServiceName(remoteUri);
                 string account = GetAccountNameForCredentialQuery(input);
 
@@ -104,7 +104,7 @@ public async Task<ICredential> GetCredentialAsync(InputArguments input)
             {
                 // Include the username request here so that we may use it as an override
                 // for user account lookups when getting Azure Access Tokens.
-                var azureResult = await GetAzureAccessTokenAsync(remoteUri, input.UserName);
+                var azureResult = await GetAzureAccessTokenAsync(input);
                 return new GitCredential(azureResult.AccountUpn, azureResult.AccessToken);
             }
         }
@@ -222,8 +222,11 @@ private async Task<ICredential> GeneratePersonalAccessTokenAsync(InputArguments
             return new GitCredential(result.AccountUpn, pat);
         }
 
-        private async Task<IMicrosoftAuthenticationResult> GetAzureAccessTokenAsync(Uri remoteUri, string userName)
+        private async Task<IMicrosoftAuthenticationResult> GetAzureAccessTokenAsync(InputArguments input)
         {
+            Uri remoteUri = input.GetRemoteUri();
+            string userName = input.UserName;
+
             // We should not allow unencrypted communication and should inform the user
             if (StringComparer.OrdinalIgnoreCase.Equals(remoteUri.Scheme, "http"))
             {
@@ -234,14 +237,27 @@ private async Task<IMicrosoftAuthenticationResult> GetAzureAccessTokenAsync(Uri
             Uri orgUri = UriHelpers.CreateOrganizationUri(remoteUri, out string orgName);
 
             _context.Trace.WriteLine($"Determining Microsoft Authentication authority for Azure DevOps organization '{orgName}'...");
-            string authAuthority = _authorityCache.GetAuthority(orgName);
-            if (authAuthority is null)
+            if (TryGetAuthorityFromHeaders(input.WwwAuth, out string authAuthority))
+            {
+                _context.Trace.WriteLine("Authority was found in WWW-Authenticate headers from Git input.");
+            }
+            else
             {
-                // If there is no cached value we must query for it and cache it for future use
-                _context.Trace.WriteLine($"No cached authority value - querying {orgUri} for authority...");
-                authAuthority = await _azDevOps.GetAuthorityAsync(orgUri);
-                _authorityCache.UpdateAuthority(orgName, authAuthority);
+                // Try to get the authority from the cache
+                authAuthority = _authorityCache.GetAuthority(orgName);
+                if (authAuthority is null)
+                {
+                    // If there is no cached value we must query for it and cache it for future use
+                    _context.Trace.WriteLine($"No cached authority value - querying {orgUri} for authority...");
+                    authAuthority = await _azDevOps.GetAuthorityAsync(orgUri);
+                    _authorityCache.UpdateAuthority(orgName, authAuthority);
+                }
+                else
+                {
+                    _context.Trace.WriteLine("Authority was found in cache.");
+                }
             }
+
             _context.Trace.WriteLine($"Authority is '{authAuthority}'.");
 
             //
@@ -284,6 +300,30 @@ private async Task<IMicrosoftAuthenticationResult> GetAzureAccessTokenAsync(Uri
             return result;
         }
 
+        internal /* for testing purposes */ static bool TryGetAuthorityFromHeaders(IEnumerable<string> headers, out string authority)
+        {
+            authority = null;
+
+            if (headers is null)
+            {
+                return false;
+            }
+
+            var regex = new Regex(@"authorization_uri=""?(?<authority>.+)""?", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
+            foreach (string header in headers)
+            {
+                Match match = regex.Match(header);
+                if (match.Success)
+                {
+                    authority = match.Groups["authority"].Value.Trim(new[] { '"', '\'' });
+                    return true;
+                }
+            }
+
+            return false;
+        }
+
         private string GetClientId()
         {
             // Check for developer override value