Add method for sending X5C

Michael J. Lyons (XBOX) · Michael J. Lyons (XBOX) · commit 62b9c3d5f869 · 2024-07-17T14:04:42.000-07:00
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2.5.1.0
+2.5.1.1
diff --git a/src/shared/Core/Authentication/MicrosoftAuthentication.cs b/src/shared/Core/Authentication/MicrosoftAuthentication.cs
@@ -92,6 +92,11 @@ public class ServicePrincipalIdentity
         /// If both <see cref="Certificate"/> and <see cref="ClientSecret"/> are set, the certificate will be used.
         /// </remarks>
         public string ClientSecret { get; set; }
+
+        /// <summary>
+        /// Whether the authentication should send X5C
+        /// </summary>
+        public bool SendX5C { get; set; }
     }
 
     public interface IMicrosoftAuthenticationResult
@@ -269,7 +274,15 @@ public async Task<IMicrosoftAuthenticationResult> GetTokenForServicePrincipalAsy
 
             try
             {
-                AuthenticationResult result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
+                var tokenBuilder = app.AcquireTokenForClient(scopes);
+
+                if (sp.SendX5C)
+                {
+                    tokenBuilder = tokenBuilder.WithSendX5C(true);
+                }
+
+                AuthenticationResult result = await tokenBuilder.ExecuteAsync();
+
                 return new MsalResult(result);
             }
             catch (Exception ex)
diff --git a/src/shared/Microsoft.AzureRepos/AzureDevOpsConstants.cs b/src/shared/Microsoft.AzureRepos/AzureDevOpsConstants.cs
@@ -44,6 +44,7 @@ public static class EnvironmentVariables
             public const string ServicePrincipalId = "GCM_AZREPOS_SERVICE_PRINCIPAL";
             public const string ServicePrincipalSecret = "GCM_AZREPOS_SP_SECRET";
             public const string ServicePrincipalCertificateThumbprint = "GCM_AZREPOS_SP_CERT_THUMBPRINT";
+            public const string ServicePrincipalCertificateSendX5C = "GCM_AZREPOS_SP_CERT_SEND_X5C";
             public const string ManagedIdentity = "GCM_AZREPOS_MANAGEDIDENTITY";
         }
 
@@ -59,6 +60,7 @@ public static class Credential
                 public const string ServicePrincipal = "azreposServicePrincipal";
                 public const string ServicePrincipalSecret = "azreposServicePrincipalSecret";
                 public const string ServicePrincipalCertificateThumbprint = "azreposServicePrincipalCertificateThumbprint";
+                public const string ServicePrincipalCertificateSendX5C = "azreposServicePrincipalCertificateSendX5C";
                 public const string ManagedIdentity = "azreposManagedIdentity";
             }
         }
diff --git a/src/shared/Microsoft.AzureRepos/AzureReposHostProvider.cs b/src/shared/Microsoft.AzureRepos/AzureReposHostProvider.cs
@@ -549,6 +549,14 @@ private bool UseServicePrincipal(out ServicePrincipalIdentity sp)
 
             if (hasCertThumbprint)
             {
+                bool hasX5CSetting = _context.Settings.TryGetSetting(
+                    AzureDevOpsConstants.EnvironmentVariables.ServicePrincipalCertificateSendX5C,
+                    Constants.GitConfiguration.Credential.SectionName,
+                    AzureDevOpsConstants.GitConfiguration.Credential.ServicePrincipalCertificateSendX5C,
+                    out string certHasX5C);
+
+                sp.SendX5C = !hasX5CSetting || certHasX5C == "false";
+
                 X509Certificate2 cert = X509Utils.GetCertificateByThumbprint(certThumbprint);
                 if (cert is null)
                 {

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@ public static class EnvironmentVariables`
`44`	`44`	`public const string ServicePrincipalId = "GCM_AZREPOS_SERVICE_PRINCIPAL";`
`45`	`45`	`public const string ServicePrincipalSecret = "GCM_AZREPOS_SP_SECRET";`
`46`	`46`	`public const string ServicePrincipalCertificateThumbprint = "GCM_AZREPOS_SP_CERT_THUMBPRINT";`
	`47`	`+ public const string ServicePrincipalCertificateSendX5C = "GCM_AZREPOS_SP_CERT_SEND_X5C";`
`47`	`48`	`public const string ManagedIdentity = "GCM_AZREPOS_MANAGEDIDENTITY";`
`48`	`49`	`}`
`49`	`50`
`@@ -59,6 +60,7 @@ public static class Credential`
`59`	`60`	`public const string ServicePrincipal = "azreposServicePrincipal";`
`60`	`61`	`public const string ServicePrincipalSecret = "azreposServicePrincipalSecret";`
`61`	`62`	`public const string ServicePrincipalCertificateThumbprint = "azreposServicePrincipalCertificateThumbprint";`
	`63`	`+ public const string ServicePrincipalCertificateSendX5C = "azreposServicePrincipalCertificateSendX5C";`
`62`	`64`	`public const string ManagedIdentity = "azreposManagedIdentity";`
`63`	`65`	`}`
`64`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -549,6 +549,14 @@ private bool UseServicePrincipal(out ServicePrincipalIdentity sp)`
`549`	`549`
`550`	`550`	`if (hasCertThumbprint)`
`551`	`551`	`{`
	`552`	`+ bool hasX5CSetting = _context.Settings.TryGetSetting(`
	`553`	`+ AzureDevOpsConstants.EnvironmentVariables.ServicePrincipalCertificateSendX5C,`
	`554`	`+ Constants.GitConfiguration.Credential.SectionName,`
	`555`	`+ AzureDevOpsConstants.GitConfiguration.Credential.ServicePrincipalCertificateSendX5C,`
	`556`	`+ out string certHasX5C);`
	`557`	`+`
	`558`	`+ sp.SendX5C = !hasX5CSetting \|\| certHasX5C == "false";`
	`559`	`+`
`552`	`560`	`X509Certificate2 cert = X509Utils.GetCertificateByThumbprint(certThumbprint);`
`553`	`561`	`if (cert is null)`
`554`	`562`	`{`