releases/2.0.0 Mac/Linux MSAL Broker support, entra token opt-in, and testing (#604)

Catches releases/2.0.0 up to master

- Add support of Mac and Linux broker
- Add entra token opt-in
- Add updated testing files and cross platform testing script

---------

Co-authored-by: Patrick Woo-Sam <[email protected]>
Co-authored-by: Emily Bettencourt <[email protected]>
Co-authored-by: Patrick Woo-Sam <[email protected]>
Co-authored-by: embetten <[email protected]>

Author: 4 people

.vscode/launch.json

@@ -2,15 +2,18 @@
     "version": "0.2.0",
     "configurations": [
         {
-            "name": ".NET Core Launch (console)",
+            "name": "CredentialProvider.Microsoft (stand-alone)",
             "type": "coreclr",
             "request": "launch",
             "preLaunchTask": "build",
             "program": "${workspaceFolder}/CredentialProvider.Microsoft/bin/Debug/net6.0/CredentialProvider.Microsoft.dll",
             "args": [
-                "-Uri", "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/artifacts-credprovider/nuget/v3/index.json",
-                "-Verbosity", "Debug"
+                "-Uri",
+                "${input:packageFeedUri}",
+                "-Verbosity",
+                "Debug"
             ],
+            "env": {},
             "cwd": "${workspaceFolder}/CredentialProvider.Microsoft",
             "console": "integratedTerminal",
             "stopAtEntry": false
@@ -20,5 +23,13 @@
             "type": "coreclr",
             "request": "attach"
         }
+    ],
+    "inputs": [
+        {
+            "id": "packageFeedUri",
+            "description": "Package feed URI",
+            "default": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/artifacts-credprovider/nuget/v3/index.json",
+            "type": "promptString"
+        }
     ]
 }

CredentialProvider.Microsoft/CredentialProviders/Vsts/MsalTokenProvidersFactory.cs

@@ -7,6 +7,7 @@
 using System.Threading.Tasks;
 using Microsoft.Artifacts.Authentication;
 using Microsoft.Extensions.Logging;
+using Microsoft.Identity.Client;
 using Microsoft.Identity.Client.Extensions.Msal;
 using NuGetCredentialProvider.Util;
 
@@ -30,7 +31,6 @@ public async Task<IEnumerable<ITokenProvider>> GetAsync(Uri authority)
             }
 
             var app = AzureArtifacts.CreateDefaultBuilder(authority)
-                .WithBroker(EnvUtil.MsalAllowBrokerEnabled(), EnvUtil.GetMsalBrokerWindowHandle(), logger)
                 .WithHttpClientFactory(HttpClientFactory.Default)
                 .WithLogging(
                     (Microsoft.Identity.Client.LogLevel level, string message, bool containsPii) =>
@@ -42,9 +42,33 @@ public async Task<IEnumerable<ITokenProvider>> GetAsync(Uri authority)
                 )
                 .Build();
 
+            var brokerEnabled = EnvUtil.MsalAllowBrokerEnabled();
+            #nullable enable
+            IPublicClientApplication? appInteractiveBroker = null;
+            #nullable disable
+            if (brokerEnabled)
+            {
+                appInteractiveBroker = AzureArtifacts.CreateDefaultBuilder(authority)
+                    .WithHttpClientFactory(HttpClientFactory.Default)
+                    .WithLogging(
+                        (Microsoft.Identity.Client.LogLevel level, string message, bool containsPii) =>
+                        {
+                            // We ignore containsPii param because we are passing in enablePiiLogging below.
+                            logger.LogTrace("MSAL Log ({level}): {message}", level, message);
+                        },
+                        enablePiiLogging: EnvUtil.GetLogPIIEnabled()
+                    )
+                    .WithBroker(brokerEnabled, EnvUtil.GetMsalBrokerWindowHandle(), logger)
+                    .Build();
+            }
+
             cache?.RegisterCache(app.UserTokenCache);
+            if (appInteractiveBroker != null)
+            {
+                cache?.RegisterCache(appInteractiveBroker.UserTokenCache);
+            }
 
-            return MsalTokenProviders.Get(app, logger);
+            return MsalTokenProviders.Get(app, logger, appInteractiveBroker: appInteractiveBroker);
         }
     }
 }

CredentialProvider.Microsoft/CredentialProviders/Vsts/VstsCredentialProvider.cs

@@ -155,6 +155,16 @@ public override async Task<GetAuthenticationCredentialsResponse> HandleRequestAs
                 }
 
                 Info(string.Format(Resources.AcquireBearerTokenSuccess, tokenProvider.Name));
+                if (EnvUtil.EntraTokenOptInEnabled())
+                {
+                    return new GetAuthenticationCredentialsResponse(
+                        "EntraToken",
+                        bearerToken,
+                        message: null,
+                        authenticationTypes: ["Basic"],
+                        responseCode: MessageResponseCode.Success);
+                }
+
                 Info(Resources.ExchangingBearerTokenForSessionToken);
                 try
                 {
@@ -167,7 +177,7 @@ public override async Task<GetAuthenticationCredentialsResponse> HandleRequestAs
                             Username,
                             sessionToken,
                             message: null,
-                            authenticationTypes: new List<string>() { "Basic" },
+                            authenticationTypes: ["Basic"],
                             responseCode: MessageResponseCode.Success);
                     }
                 }

CredentialProvider.Microsoft/Program.cs

@@ -9,6 +9,7 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Artifacts.Authentication;
+using Microsoft.Identity.Client.Utils;
 using NuGet.Common;
 using NuGet.Protocol.Plugins;
 using NuGetCredentialProvider.CredentialProviders;
@@ -28,7 +29,27 @@ public static class Program
         private static bool shuttingDown = false;
         public static bool IsShuttingDown => Volatile.Read(ref shuttingDown);
 
-        public static async Task<int> Main(string[] args)
+        public static int Main(string[] args)
+        {
+            var scheduler = MacMainThreadScheduler.Instance();
+
+            int returnCode = -1;
+            _ = Task.Run(async () => {
+                try
+                {
+                    returnCode = await BackgroundWork(args);
+                }
+                finally
+                {
+                    scheduler.Stop();
+                }
+            });
+
+            scheduler.StartMessageLoop();
+            return returnCode;
+        }
+
+        public static async Task<int> BackgroundWork(string[] args)
         {
             CancellationTokenSource tokenSource = new CancellationTokenSource();
             var parsedArgs = await Args.ParseAsync<CredentialProviderArgs>(args);

CredentialProvider.Microsoft/RequestHandlers/GetAuthenticationCredentialsRequestHandler.cs

@@ -73,7 +73,7 @@ public override async Task<GetAuthenticationCredentialsResponse> HandleRequestAs
                         username: "VssSessionToken",
                         password: cachedToken,
                         message: null,
-                        authenticationTypes: new List<string> { "Basic" },
+                        authenticationTypes: ["Basic"],
                         responseCode: MessageResponseCode.Success);
                 }
 
@@ -125,14 +125,21 @@ protected override AutomaticProgressReporter GetProgressReporter(IConnection con
 
         private static ICache<Uri, string> GetSessionTokenCache(ILogger logger, CancellationToken cancellationToken)
         {
-            if (EnvUtil.SessionTokenCacheEnabled())
+            if (!EnvUtil.SessionTokenCacheEnabled())
             {
-                logger.Verbose(string.Format(Resources.SessionTokenCacheLocation, EnvUtil.SessionTokenCacheLocation));
-                return new SessionTokenCache(EnvUtil.SessionTokenCacheLocation, logger, cancellationToken);
+                logger.Verbose(Resources.SessionTokenCacheDisabled);
+                return new NoOpCache<Uri, string>();
             }
 
-            logger.Verbose(Resources.SessionTokenCacheDisabled);
-            return new NoOpCache<Uri, string>();
+            // Disable session token cache when Entra token opt-in is enabled. Entra tokens are cached by the MSAL cache instead.
+            if (EnvUtil.EntraTokenOptInEnabled())
+            {
+                logger.Verbose(Resources.SessionTokenCacheDisabledByEntraTokenOptIn);
+                return new NoOpCache<Uri, string>();
+            }
+
+            logger.Verbose(string.Format(Resources.SessionTokenCacheLocation, EnvUtil.SessionTokenCacheLocation));
+            return new SessionTokenCache(EnvUtil.SessionTokenCacheLocation, logger, cancellationToken);
         }
 
         private bool TryCache(GetAuthenticationCredentialsRequest request, out string cachedToken)