Fix SocketsHttpHandler.PreAuthenticate behavior

Previously SocketsHttpHandler.PreAuthenticate was causing SocketsHttpHandler to always add a basic auth header on every request if a basic credential could be retrieved from the supplied credentials.  This is not how PreAuthenticate is supposed to work.  Rather, the handler is supposed to track credentials that have previously been used to successfully authenticate, and then on subsequent requests use credentials from that successfully-authenticated cache.

Author: stephentoub

src/System.Net.Http/src/System.Net.Http.csproj

@@ -126,7 +126,6 @@
   <!-- SocketsHttpHandler implementation -->
   <ItemGroup Condition="'$(TargetGroup)' == 'netcoreapp'">
     <Compile Include="System\Net\Http\SocketsHttpHandler\AuthenticationHelper.cs" />
-    <Compile Include="System\Net\Http\SocketsHttpHandler\AuthenticationHelper.Basic.cs" />
     <Compile Include="System\Net\Http\SocketsHttpHandler\AuthenticationHelper.Digest.cs" />
     <Compile Include="System\Net\Http\SocketsHttpHandler\AuthenticationHelper.NtAuth.cs" />
     <Compile Include="System\Net\Http\SocketsHttpHandler\ChunkedEncodingReadStream.cs" />
@@ -634,8 +633,6 @@
     <Reference Include="System.Security.Cryptography.Encoding" />
     <Reference Include="System.Security.Cryptography.Primitives" />
   </ItemGroup>
-  <ItemGroup>
-    <Folder Include="Common\System\Threading\Tasks\" />
-  </ItemGroup>
+  <ItemGroup />
   <Import Project="$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildThisFileDirectory), dir.targets))\dir.targets" />
 </Project>

src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.Basic.cs

@@ -2,7 +2,9 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information.
 
+using System.Diagnostics;
 using System.Net.Http.Headers;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 
@@ -79,25 +81,19 @@ private static bool TryGetValidAuthenticationChallengeForScheme(string scheme, A
 
         private static bool TryGetAuthenticationChallenge(HttpResponseMessage response, bool isProxyAuth, Uri authUri, ICredentials credentials, out AuthenticationChallenge challenge)
         {
-            challenge = default;
-
             if (!IsAuthenticationChallenge(response, isProxyAuth))
             {
+                challenge = default;
                 return false;
             }
 
-            HttpHeaderValueCollection<AuthenticationHeaderValue> authenticationHeaderValues = GetResponseAuthenticationHeaderValues(response, isProxyAuth);
-
             // Try to get a valid challenge for the schemes we support, in priority order.
-            if (!TryGetValidAuthenticationChallengeForScheme(NegotiateScheme, AuthenticationType.Negotiate, authUri, credentials, authenticationHeaderValues, out challenge) &&
-                !TryGetValidAuthenticationChallengeForScheme(NtlmScheme, AuthenticationType.Ntlm, authUri, credentials, authenticationHeaderValues, out challenge) &&
-                !TryGetValidAuthenticationChallengeForScheme(DigestScheme, AuthenticationType.Digest, authUri, credentials, authenticationHeaderValues, out challenge) &&
-                !TryGetValidAuthenticationChallengeForScheme(BasicScheme, AuthenticationType.Basic, authUri, credentials, authenticationHeaderValues, out challenge))
-            {
-                return false;
-            }
-
-            return true;
+            HttpHeaderValueCollection<AuthenticationHeaderValue> authenticationHeaderValues = GetResponseAuthenticationHeaderValues(response, isProxyAuth);
+            return
+                TryGetValidAuthenticationChallengeForScheme(NegotiateScheme, AuthenticationType.Negotiate, authUri, credentials, authenticationHeaderValues, out challenge) ||
+                TryGetValidAuthenticationChallengeForScheme(NtlmScheme, AuthenticationType.Ntlm, authUri, credentials, authenticationHeaderValues, out challenge) ||
+                TryGetValidAuthenticationChallengeForScheme(DigestScheme, AuthenticationType.Digest, authUri, credentials, authenticationHeaderValues, out challenge) ||
+                TryGetValidAuthenticationChallengeForScheme(BasicScheme, AuthenticationType.Basic, authUri, credentials, authenticationHeaderValues, out challenge);
         }
 
         private static bool TryGetRepeatedChallenge(HttpResponseMessage response, string scheme, bool isProxyAuth, out string challengeData)
@@ -147,7 +143,13 @@ private static void SetRequestAuthenticationHeaderValue(HttpRequestMessage reque
 
         private static void SetBasicAuthToken(HttpRequestMessage request, NetworkCredential credential, bool isProxyAuth)
         {
-            SetRequestAuthenticationHeaderValue(request, new AuthenticationHeaderValue(BasicScheme, GetBasicTokenForCredential(credential)), isProxyAuth);
+            string authString = !string.IsNullOrEmpty(credential.Domain) ?
+                credential.Domain + "\\" + credential.UserName + ":" + credential.Password :
+                credential.UserName + ":" + credential.Password;
+
+            string base64AuthString = Convert.ToBase64String(Encoding.UTF8.GetBytes(authString));
+
+            SetRequestAuthenticationHeaderValue(request, new AuthenticationHeaderValue(BasicScheme, base64AuthString), isProxyAuth);
         }
 
         private static async Task<bool> TrySetDigestAuthToken(HttpRequestMessage request, NetworkCredential credential, DigestResponse digestResponse, bool isProxyAuth)
@@ -174,49 +176,92 @@ private static Task<HttpResponseMessage> InnerSendAsync(HttpRequestMessage reque
 
         private static async Task<HttpResponseMessage> SendWithAuthAsync(HttpRequestMessage request, Uri authUri, ICredentials credentials, bool preAuthenticate, bool isProxyAuth, bool doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
         {
+            // If preauth is enabled and this isn't proxy auth, try to get a basic credential from the
+            // preauth credentials cache, and if successful, set an auth header for it onto the request.
+            // Currently we only support preauth for Basic.
+            bool performedBasicPreauth = false;
             if (preAuthenticate)
             {
-                NetworkCredential credential = credentials.GetCredential(authUri, BasicScheme);
+                Debug.Assert(pool.PreAuthCredentials != null);
+                NetworkCredential credential;
+                lock (pool.PreAuthCredentials) // TODO #28045: Get rid of this lock.
+                {
+                    // Just look for basic credentials.  If in the future we support preauth
+                    // for other schemes, this will need to search in order of precedence.
+                    Debug.Assert(pool.PreAuthCredentials.GetCredential(authUri, NegotiateScheme) == null);
+                    Debug.Assert(pool.PreAuthCredentials.GetCredential(authUri, NtlmScheme) == null);
+                    Debug.Assert(pool.PreAuthCredentials.GetCredential(authUri, DigestScheme) == null);
+                    credential = pool.PreAuthCredentials.GetCredential(authUri, BasicScheme);
+                }
+
                 if (credential != null)
                 {
                     SetBasicAuthToken(request, credential, isProxyAuth);
+                    performedBasicPreauth = true;
                 }
             }
 
             HttpResponseMessage response = await InnerSendAsync(request, isProxyAuth, doRequestAuth, pool, cancellationToken).ConfigureAwait(false);
 
             if (TryGetAuthenticationChallenge(response, isProxyAuth, authUri, credentials, out AuthenticationChallenge challenge))
             {
-                if (challenge.AuthenticationType == AuthenticationType.Digest)
+                switch (challenge.AuthenticationType)
                 {
-                    var digestResponse = new DigestResponse(challenge.ChallengeData);
-                    if (await TrySetDigestAuthToken(request, challenge.Credential, digestResponse, isProxyAuth).ConfigureAwait(false))
-                    {
-                        response.Dispose();
-                        response = await InnerSendAsync(request, isProxyAuth, doRequestAuth, pool, cancellationToken).ConfigureAwait(false);
-
-                        // Retry in case of nonce timeout in server.
-                        if (TryGetRepeatedChallenge(response, challenge.SchemeName, isProxyAuth, out string challengeData))
+                    case AuthenticationType.Digest:
+                        var digestResponse = new DigestResponse(challenge.ChallengeData);
+                        if (await TrySetDigestAuthToken(request, challenge.Credential, digestResponse, isProxyAuth).ConfigureAwait(false))
                         {
-                            digestResponse = new DigestResponse(challengeData);
-                            if (IsServerNonceStale(digestResponse) &&
-                                await TrySetDigestAuthToken(request, challenge.Credential, digestResponse, isProxyAuth).ConfigureAwait(false))
+                            response.Dispose();
+                            response = await InnerSendAsync(request, isProxyAuth, doRequestAuth, pool, cancellationToken).ConfigureAwait(false);
+
+                            // Retry in case of nonce timeout in server.
+                            if (TryGetRepeatedChallenge(response, challenge.SchemeName, isProxyAuth, out string challengeData))
                             {
-                                response.Dispose();
-                                response = await InnerSendAsync(request, isProxyAuth, doRequestAuth, pool, cancellationToken).ConfigureAwait(false);
+                                digestResponse = new DigestResponse(challengeData);
+                                if (IsServerNonceStale(digestResponse) &&
+                                    await TrySetDigestAuthToken(request, challenge.Credential, digestResponse, isProxyAuth).ConfigureAwait(false))
+                                {
+                                    response.Dispose();
+                                    response = await InnerSendAsync(request, isProxyAuth, doRequestAuth, pool, cancellationToken).ConfigureAwait(false);
+                                }
                             }
                         }
-                    }
-                }
-                else if (challenge.AuthenticationType == AuthenticationType.Basic)
-                {
-                    if (!preAuthenticate)
-                    {
-                        SetBasicAuthToken(request, challenge.Credential, isProxyAuth);
+                        break;
+
+                    case AuthenticationType.Basic:
+                        if (performedBasicPreauth)
+                        {
+                            break;
+                        }
 
                         response.Dispose();
+                        SetBasicAuthToken(request, challenge.Credential, isProxyAuth);
                         response = await InnerSendAsync(request, isProxyAuth, doRequestAuth, pool, cancellationToken).ConfigureAwait(false);
-                    }
+
+                        if (preAuthenticate)
+                        {
+                            switch (response.StatusCode)
+                            {
+                                case HttpStatusCode.ProxyAuthenticationRequired:
+                                case HttpStatusCode.Unauthorized:
+                                    break;
+
+                                default:
+                                    lock (pool.PreAuthCredentials) // TODO #28045: Get rid of this lock.
+                                    {
+                                        try
+                                        {
+                                            pool.PreAuthCredentials.Add(authUri, BasicScheme, challenge.Credential);
+                                        }
+                                        catch (ArgumentException)
+                                        {
+                                            // The credential already existed.
+                                        }
+                                    }
+                                    break;
+                            }
+                        }
+                        break;
                 }
             }
 
@@ -234,4 +279,3 @@ public static Task<HttpResponseMessage> SendWithRequestAuthAsync(HttpRequestMess
         }
     }
 }
-

src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.cs

@@ -120,6 +120,12 @@ public HttpConnectionPool(HttpConnectionPoolManager poolManager, HttpConnectionK
                 _hostHeaderValueBytes = Encoding.ASCII.GetBytes(hostHeader);
                 Debug.Assert(Encoding.ASCII.GetString(_hostHeaderValueBytes) == hostHeader);
             }
+            
+            // Set up for PreAuthenticate.  Access to this cache is guarded by a lock on the cache itself.
+            if (_poolManager.Settings._preAuthenticate)
+            {
+                PreAuthCredentials = new CredentialCache();
+            }
         }
 
         private static SslClientAuthenticationOptions ConstructSslOptions(HttpConnectionPoolManager poolManager, string sslHostName)
@@ -139,6 +145,7 @@ private static SslClientAuthenticationOptions ConstructSslOptions(HttpConnection
         public Uri ProxyUri => _proxyUri;
         public ICredentials ProxyCredentials => _poolManager.ProxyCredentials;
         public byte[] HostHeaderValueBytes => _hostHeaderValueBytes;
+        public CredentialCache PreAuthCredentials { get; }
 
         /// <summary>Object used to synchronize access to state in the pool.</summary>
         private object SyncObj => _idleConnections;

src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPool.cs

@@ -17,9 +17,9 @@ public class HttpClientHandler_Authentication_Test : HttpClientTestBase
         private const string Password = "testpassword";
         private const string Domain = "testdomain";
 
-        private NetworkCredential _credentials = new NetworkCredential(Username, Password, Domain);
+        private static readonly NetworkCredential s_credentials = new NetworkCredential(Username, Password, Domain);
 
-        private Func<HttpClientHandler, Uri, HttpStatusCode, NetworkCredential, Task> _createAndValidateRequest = async (handler, url, expectedStatusCode, credentials) =>
+        private static readonly Func<HttpClientHandler, Uri, HttpStatusCode, NetworkCredential, Task> s_createAndValidateRequest = async (handler, url, expectedStatusCode, credentials) =>
         {
             handler.Credentials = credentials;
 
@@ -50,7 +50,7 @@ await LoopbackServer.CreateServerAsync(async (server, url) =>
                     server.AcceptConnectionSendResponseAndCloseAsync(HttpStatusCode.Unauthorized, serverAuthenticateHeader);
 
                 await TestHelper.WhenAllCompletedOrAnyFailedWithTimeout(TestHelper.PassingTestTimeoutMilliseconds,
-                    _createAndValidateRequest(handler, url, result ? HttpStatusCode.OK : HttpStatusCode.Unauthorized, _credentials), serverTask);
+                    s_createAndValidateRequest(handler, url, result ? HttpStatusCode.OK : HttpStatusCode.Unauthorized, s_credentials), serverTask);
             }, options);
         }
 
@@ -86,7 +86,7 @@ await LoopbackServer.CreateServerAsync(async (server, url) =>
             {
                 HttpClientHandler handler = CreateHttpClientHandler();
                 Task serverTask = server.AcceptConnectionPerformAuthenticationAndCloseAsync(authenticateHeader);
-                await TestHelper.WhenAllCompletedOrAnyFailed(_createAndValidateRequest(handler, url, HttpStatusCode.OK, _credentials), serverTask);
+                await TestHelper.WhenAllCompletedOrAnyFailed(s_createAndValidateRequest(handler, url, HttpStatusCode.OK, s_credentials), serverTask);
             }, options);
         }
 
@@ -100,7 +100,7 @@ await LoopbackServer.CreateServerAsync(async (server, url) =>
             {
                 HttpClientHandler handler = CreateHttpClientHandler();
                 Task serverTask = server.AcceptConnectionPerformAuthenticationAndCloseAsync(authenticateHeader);
-                await TestHelper.WhenAllCompletedOrAnyFailed(_createAndValidateRequest(handler, url, HttpStatusCode.Unauthorized, new NetworkCredential("wronguser", "wrongpassword")), serverTask);
+                await TestHelper.WhenAllCompletedOrAnyFailed(s_createAndValidateRequest(handler, url, HttpStatusCode.Unauthorized, new NetworkCredential("wronguser", "wrongpassword")), serverTask);
             }, options);
         }
 
@@ -134,5 +134,180 @@ public static IEnumerable<object[]> Authentication_TestData()
                     $"Basic realm=\"testrealm\"", false };
             }
         }
+
+        [Theory]
+        [InlineData(null)]
+        [InlineData("Basic")]
+        [InlineData("Digest")]
+        [InlineData("NTLM")]
+        [InlineData("Kerberos")]
+        [InlineData("Negotiate")]
+        public async Task PreAuthenticate_NoPreviousAuthenticatedRequests_NoCredentialsSent(string credCacheScheme)
+        {
+            const int NumRequests = 3;
+            await LoopbackServer.CreateClientAndServerAsync(async uri =>
+            {
+                using (HttpClientHandler handler = CreateHttpClientHandler())
+                using (var client = new HttpClient(handler))
+                {
+                    client.DefaultRequestHeaders.ConnectionClose = true; // for simplicity of not needing to know every handler's pooling policy
+                    handler.PreAuthenticate = true;
+                    switch (credCacheScheme)
+                    {
+                        case null:
+                            handler.Credentials = s_credentials;
+                            break;
+
+                        default:
+                            var cc = new CredentialCache();
+                            cc.Add(uri, credCacheScheme, s_credentials);
+                            handler.Credentials = cc;
+                            break;
+                    }
+
+                    for (int i = 0; i < NumRequests; i++)
+                    {
+                        Assert.Equal("hello world", await client.GetStringAsync(uri));
+                    }
+                }
+            },
+            async server =>
+            {
+                for (int i = 0; i < NumRequests; i++)
+                {
+                    List<string> headers = await server.AcceptConnectionSendResponseAndCloseAsync(content: "hello world");
+                    Assert.All(headers, header => Assert.DoesNotContain("Authorization", header));
+                }
+            });
+        }
+
+        [Theory]
+        [InlineData(null, "WWW-Authenticate: Basic realm=\"hello\"\r\n")]
+        [InlineData("Basic", "WWW-Authenticate: Basic realm=\"hello\"\r\n")]
+        public async Task PreAuthenticate_FirstRequestNoHeaderAndAuthenticates_SecondRequestPreauthenticates(string credCacheScheme, string authResponse)
+        {
+            await LoopbackServer.CreateClientAndServerAsync(async uri =>
+            {
+                using (HttpClientHandler handler = CreateHttpClientHandler())
+                using (var client = new HttpClient(handler))
+                {
+                    client.DefaultRequestHeaders.ConnectionClose = true; // for simplicity of not needing to know every handler's pooling policy
+                    handler.PreAuthenticate = true;
+                    switch (credCacheScheme)
+                    {
+                        case null:
+                            handler.Credentials = s_credentials;
+                            break;
+
+                        default:
+                            var cc = new CredentialCache();
+                            cc.Add(uri, credCacheScheme, s_credentials);
+                            handler.Credentials = cc;
+                            break;
+                    }
+
+                    Assert.Equal("hello world", await client.GetStringAsync(uri));
+                    Assert.Equal("hello world", await client.GetStringAsync(uri));
+                }
+            },
+            async server =>
+            {
+                List<string> headers = headers = await server.AcceptConnectionSendResponseAndCloseAsync(HttpStatusCode.Unauthorized, authResponse);
+                Assert.All(headers, header => Assert.DoesNotContain("Authorization", header));
+
+                for (int i = 0; i < 2; i++)
+                {
+                    headers = await server.AcceptConnectionSendResponseAndCloseAsync(content: "hello world");
+                    Assert.Contains(headers, header => header.Contains("Authorization"));
+                }
+            });
+        }
+
+        [Fact]
+        public async Task PreAuthenticate_SuccessfulBasicButThenFails_DoesntLoopInfinitely()
+        {
+            await LoopbackServer.CreateClientAndServerAsync(async uri =>
+            {
+                using (HttpClientHandler handler = CreateHttpClientHandler())
+                using (var client = new HttpClient(handler))
+                {
+                    client.DefaultRequestHeaders.ConnectionClose = true; // for simplicity of not needing to know every handler's pooling policy
+                    handler.PreAuthenticate = true;
+                    handler.Credentials = s_credentials;
+
+                    // First two requests: initially without auth header, then with
+                    Assert.Equal("hello world", await client.GetStringAsync(uri));
+
+                    // Attempt preauth, and when that fails, give up.
+                    using (HttpResponseMessage resp = await client.GetAsync(uri))
+                    {
+                        Assert.Equal(HttpStatusCode.Unauthorized, resp.StatusCode);
+                    }
+                }
+            },
+            async server =>
+            {
+                // First request, no auth header, challenge Basic
+                List<string> headers = headers = await server.AcceptConnectionSendResponseAndCloseAsync(HttpStatusCode.Unauthorized, "WWW-Authenticate: Basic realm=\"hello\"\r\n");
+                Assert.All(headers, header => Assert.DoesNotContain("Authorization", header));
+
+                // Second request, contains Basic auth header
+                headers = await server.AcceptConnectionSendResponseAndCloseAsync(content: "hello world");
+                Assert.Contains(headers, header => header.Contains("Authorization"));
+
+                // Third request, contains Basic auth header but challenges anyway
+                headers = headers = await server.AcceptConnectionSendResponseAndCloseAsync(HttpStatusCode.Unauthorized, "WWW-Authenticate: Basic realm=\"hello\"\r\n");
+                Assert.Contains(headers, header => header.Contains("Authorization"));
+
+                if (IsNetfxHandler)
+                {
+                    // For some reason, netfx tries one more time.
+                    headers = headers = await server.AcceptConnectionSendResponseAndCloseAsync(HttpStatusCode.Unauthorized, "WWW-Authenticate: Basic realm=\"hello\"\r\n");
+                    Assert.Contains(headers, header => header.Contains("Authorization"));
+                }
+            });
+        }
+
+        [Fact]
+        public async Task PreAuthenticate_SuccessfulBasic_ThenDigestChallenged()
+        {
+            if (IsWinHttpHandler)
+            {
+                // WinHttpHandler fails with Unauthorized after the basic preauth fails.
+                return;
+            }
+
+            await LoopbackServer.CreateClientAndServerAsync(async uri =>
+            {
+                using (HttpClientHandler handler = CreateHttpClientHandler())
+                using (var client = new HttpClient(handler))
+                {
+                    client.DefaultRequestHeaders.ConnectionClose = true; // for simplicity of not needing to know every handler's pooling policy
+                    handler.PreAuthenticate = true;
+                    handler.Credentials = s_credentials;
+
+                    Assert.Equal("hello world", await client.GetStringAsync(uri));
+                    Assert.Equal("hello world", await client.GetStringAsync(uri));
+                }
+            },
+            async server =>
+            {
+                // First request, no auth header, challenge Basic
+                List<string> headers = headers = await server.AcceptConnectionSendResponseAndCloseAsync(HttpStatusCode.Unauthorized, "WWW-Authenticate: Basic realm=\"hello\"\r\n");
+                Assert.All(headers, header => Assert.DoesNotContain("Authorization", header));
+
+                // Second request, contains Basic auth header, success
+                headers = await server.AcceptConnectionSendResponseAndCloseAsync(content: "hello world");
+                Assert.Contains(headers, header => header.Contains("Authorization"));
+
+                // Third request, contains Basic auth header, challenge digest
+                headers = await server.AcceptConnectionSendResponseAndCloseAsync(HttpStatusCode.Unauthorized, "WWW-Authenticate: Digest realm=\"hello\", nonce=\"testnonce\"\r\n");
+                Assert.Contains(headers, header => header.Contains("Authorization: Basic"));
+
+                // Fourth request, contains Digest auth header, success
+                headers = await server.AcceptConnectionSendResponseAndCloseAsync(content: "hello world");
+                Assert.Contains(headers, header => header.Contains("Authorization: Digest"));
+            });
+        }
     }
 }