Shaoqi-Cen

Close #522
This PR updates git clone and git fetch commands to support Azure DevOps repositories requiring http.extraHeader authentication. Testing confirms successful cloning and fetching of Azure DevOps repositories using this header-based authentication method.

@msukkari
Contributor

Thanks @Shaoqi-Cen, will take a look. Out of curiosity, could you help me understand which scenarios this is required vs. the current PAT system? In my testing I was able to clone and fetch repos from ADO cloud with the current implementation

@Shaoqi-Cen
Author

> Thanks @Shaoqi-Cen, will take a look. Out of curiosity, could you help me understand which scenarios this is required vs. the current PAT system? In my testing I was able to clone and fetch repos from ADO cloud with the current implementation

Thanks for confirming it works on ADO Cloud. After digging into our environment, we found the issue is environment-specific: our target Azure DevOps (behind IIS/with Windows auth enabled) advertises multiple auth schemes (WWW-Authenticate: Bearer, Basic, Negotiate, NTLM). When the PAT is embedded in the URL, Git/libcurl prefers NTLM over Basic; since PATs only work with Basic, the NTLM handshake fails and auth is rejected. Forcing Basic (by sending an explicit Authorization: Basic header) resolves the issue on our side.

So this change is required in environments where NTLM/Negotiate are enabled and prioritized (common on-prem or behind certain reverse proxies). In ADO Cloud, where Basic is effectively used, the current PAT flow continues to work. Thanks again for taking a look!

@msukkari
Contributor

Sorry just to be clear, I tested the released version on ADO cloud and it worked. I haven't tested the implementation in this PR on ADO cloud yet.

Thanks for digging into the underlying reason why this is necessary in your case @Shaoqi-Cen. This is definitely something we should get merged in. However, I think the general approach should be a bit different to align better with how we like to handle URLs across the different platforms. My recommendation:

  • modify getCloneCredentialsForRepo to read the deploymentType in the AzureDevOpsConnectionConfig object. If the deploymentType is server then return null so the PAT doesn't get embedded in the url
  • add a new param to fetchRepository and cloneRepository for the auth header. If this is null then go through the existing path. If the authHeader is non null, pass that into the call

Should be the same functionality but slightly cleaner to prevent the git helpers from needing to know the underlying code host platforms. If my explanation isn't clear let me know - happy to make the change myself
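
The approach discussed in this thread, as an added example that is not part of the PR or the project's code: a PAT is turned into an explicit `Authorization: Basic` header and handed to git as `http.<url>.extraHeader`, so libcurl never negotiates NTLM. The function names are hypothetical, and passing the header through `GIT_CONFIG_*` environment variables assumes Git 2.31 or later.

```typescript
// Added example, not the project's code. Function names are hypothetical.
type GitInvocation = { args: string[]; env: Record<string, string> };

// Azure DevOps takes a PAT as the password of a Basic credential with an
// empty user name, so the encoded value is base64(":" + PAT).
function basicHeaderForPat(pat: string): string {
  if (pat.length === 0 || /[\r\n]/.test(pat)) {
    throw new Error("PAT is empty or contains a line break");
  }
  return "Authorization: Basic " + Buffer.from(`:${pat}`, "utf8").toString("base64");
}

// authHeader === null keeps the existing path (credentials handled elsewhere).
// Otherwise the header is handed to git through GIT_CONFIG_* environment
// variables (assumes Git 2.31+), so it never appears in argv or process
// listings, and the config key is scoped to the repository's origin so git
// applies it only to requests for that origin.
function buildClone(repoUrl: string, dest: string, authHeader: string | null): GitInvocation {
  const args = ["clone", "--", repoUrl, dest];
  if (authHeader === null) return { args, env: {} };

  const url = new URL(repoUrl);
  if (url.protocol !== "https:") {
    throw new Error(`refusing to send a Basic credential over ${url.protocol}`);
  }
  if (url.username !== "" || url.password !== "") {
    throw new Error("PAT must not also be embedded in the URL");
  }
  return {
    args,
    env: {
      GIT_CONFIG_COUNT: "1",
      GIT_CONFIG_KEY_0: `http.${url.origin}/.extraHeader`,
      GIT_CONFIG_VALUE_0: authHeader,
    },
  };
}

// Scrub the encoded credential from anything that reaches logs or error text.
function redactAuth(text: string): string {
  return text.replace(/(Authorization:\s*Basic\s+)[A-Za-z0-9+/=]+/gi, "$1<redacted>");
}
```

Merge the returned `env` over the parent environment when spawning git, and run any captured stderr through `redactAuth` before logging it.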

Successfully merging this pull request may close these issues.

[BUG] Azure DevOps repository cloning fails due to incorrect authentication method