dotnet · baronfel · Oct 7, 2024 · Sep 17, 2024 · Sep 18, 2024 · Sep 18, 2024
diff --git a/src/Containers/Microsoft.NET.Build.Containers/AuthHandshakeMessageHandler.cs b/src/Containers/Microsoft.NET.Build.Containers/AuthHandshakeMessageHandler.cs
@@ -71,18 +71,19 @@ private static bool TryParseAuthenticationInfo(HttpResponseMessage msg, [NotNull
         if (header.Scheme is not null)
         {
             scheme = header.Scheme;
-            var keyValues = ParseBearerArgs(header.Parameter);
-            if (keyValues is null)
-            {
-                return false;
-            }
 
             if (header.Scheme.Equals(BasicAuthScheme, StringComparison.OrdinalIgnoreCase))
             {
-                return TryParseBasicAuthInfo(keyValues, msg.RequestMessage!.RequestUri!, out bearerAuthInfo);
+                bearerAuthInfo = null;
+                return true;
             }
             else if (header.Scheme.Equals(BearerAuthScheme, StringComparison.OrdinalIgnoreCase))
             {
+                var keyValues = ParseBearerArgs(header.Parameter);
+                if (keyValues is null)
+                {
+                    return false;
+                }
                 return TryParseBearerAuthInfo(keyValues, out bearerAuthInfo);
             }
             else
@@ -110,12 +111,6 @@ static bool TryParseBearerAuthInfo(Dictionary<string, string> authValues, [NotNu
             }
         }
 
-        static bool TryParseBasicAuthInfo(Dictionary<string, string> authValues, Uri requestUri, out AuthInfo? authInfo)
-        {
-            authInfo = null;
-            return true;
-        }
-
         static Dictionary<string, string>? ParseBearerArgs(string? bearerHeaderArgs)
         {
             if (bearerHeaderArgs is null)
@@ -159,7 +154,6 @@ public DateTimeOffset ResolvedExpiration
     /// </summary>
     private async Task<(AuthenticationHeaderValue, DateTimeOffset)?> GetAuthenticationAsync(string registry, string scheme, AuthInfo? bearerAuthInfo, CancellationToken cancellationToken)
     {
-
         DockerCredentials? privateRepoCreds;
         // Allow overrides for auth via environment variables
         if (GetDockerCredentialsFromEnvironment(_registryMode) is (string credU, string credP))
@@ -180,14 +174,20 @@ public DateTimeOffset ResolvedExpiration
         {
             Debug.Assert(bearerAuthInfo is not null);
 
-            var authenticationValueAndDuration = await TryOAuthPostAsync(privateRepoCreds, bearerAuthInfo, cancellationToken).ConfigureAwait(false);
-            if (authenticationValueAndDuration is not null)
+            // Obtain a Bearer token, when the credentials are:
+            // - an identity token: use it for OAuth
+            // - a username/password: use them for Basic auth, and fall back to OAuth
+
+            if (string.IsNullOrWhiteSpace(privateRepoCreds.IdentityToken))
             {
-                return authenticationValueAndDuration;
+                var authenticationValueAndDuration = await TryTokenGetAsync(privateRepoCreds, bearerAuthInfo, cancellationToken).ConfigureAwait(false);
+                if (authenticationValueAndDuration is not null)
+                {
+                    return authenticationValueAndDuration;
+                }
             }
 
-            authenticationValueAndDuration = await TryTokenGetAsync(privateRepoCreds, bearerAuthInfo, cancellationToken).ConfigureAwait(false);
-            return authenticationValueAndDuration;
+            return await TryOAuthPostAsync(privateRepoCreds, bearerAuthInfo, cancellationToken).ConfigureAwait(false);
         }
         else
         {
@@ -293,8 +293,7 @@ internal static (string credU, string credP)? GetDockerCredentialsFromEnvironmen
         if (!postResponse.IsSuccessStatusCode)
         {
             await postResponse.LogHttpResponseAsync(_logger, cancellationToken).ConfigureAwait(false);
-            //return null to try HTTP GET instead
-            return null;
+            return null; // try next method
         }
         _logger.LogTrace("Received '{statuscode}'.", postResponse.StatusCode);
         TokenResponse? tokenResponse = JsonSerializer.Deserialize<TokenResponse>(postResponse.Content.ReadAsStream(cancellationToken));
@@ -306,8 +305,7 @@ internal static (string credU, string credP)? GetDockerCredentialsFromEnvironmen
         else
         {
             _logger.LogTrace(Resource.GetString(nameof(Strings.CouldntDeserializeJsonToken)));
-            // logging and returning null to try HTTP GET instead
-            return null;
+            return null; // try next method
         }
     }
 
@@ -318,9 +316,7 @@ internal static (string credU, string credP)? GetDockerCredentialsFromEnvironmen
     {
         // this doesn't seem to be called out in the spec, but actual username/password auth information should be converted into Basic auth here,
         // even though the overall Scheme we're authenticating for is Bearer
-        var header = privateRepoCreds.Username == "<token>"
-                        ? new AuthenticationHeaderValue(BearerAuthScheme, privateRepoCreds.Password)
-                        : new AuthenticationHeaderValue(BasicAuthScheme, Convert.ToBase64String(Encoding.ASCII.GetBytes($"{privateRepoCreds.Username}:{privateRepoCreds.Password}")));
+        var header = new AuthenticationHeaderValue(BasicAuthScheme, Convert.ToBase64String(Encoding.ASCII.GetBytes($"{privateRepoCreds.Username}:{privateRepoCreds.Password}")));
         var builder = new UriBuilder(new Uri(bearerAuthInfo.Realm));
 
         _logger.LogTrace("Attempting to authenticate on {uri} using GET.", bearerAuthInfo.Realm);
@@ -340,7 +336,8 @@ internal static (string credU, string credP)? GetDockerCredentialsFromEnvironmen
         using var tokenResponse = await base.SendAsync(message, cancellationToken).ConfigureAwait(false);
         if (!tokenResponse.IsSuccessStatusCode)
         {
-            throw new UnableToAccessRepositoryException(_registryName);
+            await tokenResponse.LogHttpResponseAsync(_logger, cancellationToken).ConfigureAwait(false);
+            return null; // try next method
         }
 
         TokenResponse? token = JsonSerializer.Deserialize<TokenResponse>(tokenResponse.Content.ReadAsStream(cancellationToken));
@@ -412,7 +409,8 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
                         request.Headers.Authorization = authHeader;
                         return await base.SendAsync(request, cancellationToken).ConfigureAwait(false);
                     }
-                    return response;
+
+                    throw new UnableToAccessRepositoryException(_registryName);
                 }
                 else
                 {