Refactor ChallengeBasedAuthPolicy to extend BearerTokenChallengeAuthPolicy (Azure#18504)

* Refactor ChallengeBasedAuthenticationPolicy onto BearerTokenChallengeAuthenticationPolicy

Author: christothes

sdk/core/Azure.Core/api/Azure.Core.net461.cs

@@ -269,6 +269,7 @@ public static partial class Names
             public static string Range { get { throw null; } }
             public static string Referer { get { throw null; } }
             public static string UserAgent { get { throw null; } }
+            public static string WWWAuthenticate { get { throw null; } }
             public static string XMsDate { get { throw null; } }
             public static string XMsRange { get { throw null; } }
             public static string XMsRequestId { get { throw null; } }

sdk/core/Azure.Core/api/Azure.Core.net5.0.cs

@@ -269,6 +269,7 @@ public static partial class Names
             public static string Range { get { throw null; } }
             public static string Referer { get { throw null; } }
             public static string UserAgent { get { throw null; } }
+            public static string WWWAuthenticate { get { throw null; } }
             public static string XMsDate { get { throw null; } }
             public static string XMsRange { get { throw null; } }
             public static string XMsRequestId { get { throw null; } }

sdk/core/Azure.Core/api/Azure.Core.netstandard2.0.cs

@@ -269,6 +269,7 @@ public static partial class Names
             public static string Range { get { throw null; } }
             public static string Referer { get { throw null; } }
             public static string UserAgent { get { throw null; } }
+            public static string WWWAuthenticate { get { throw null; } }
             public static string XMsDate { get { throw null; } }
             public static string XMsRange { get { throw null; } }
             public static string XMsRequestId { get { throw null; } }

sdk/core/Azure.Core/src/Azure.Core.csproj

@@ -26,6 +26,7 @@
   <ItemGroup>
     <Compile Remove="Shared\**\*.cs" />
     <Compile Include="Shared\Argument.cs" />
+    <Compile Include="Shared\AuthorizationChallengeParser.cs" />
     <Compile Include="Shared\AzureKeyCredentialPolicy.cs" />
     <Compile Include="Shared\AzureSasCredentialSynchronousPolicy.cs" />
     <Compile Include="Shared\Base64Url.cs" />

sdk/core/Azure.Core/src/HttpHeader.cs

@@ -141,9 +141,14 @@ public static class Names
             public static string Host => "Host";
 
             /// <summary>
-            /// Returns <code>"Content-Disposition"</code>
+            /// Returns <code>"Content-Disposition"</code>.
             /// </summary>
             public static string ContentDisposition => "Content-Disposition";
+
+            /// <summary>
+            /// Returns <code>"WWW-Authenticate"</code>.
+            /// </summary>
+            public static string WWWAuthenticate => "WWW-Authenticate";
         }
 
 #pragma warning disable CA1034 // Nested types should not be visible

sdk/core/Azure.Core/src/Shared/ARMChallengeAuthenticationPolicy.cs

@@ -0,0 +1,54 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+
+#nullable enable
+
+namespace Azure.Core.Pipeline
+{
+    /// <summary>
+    /// A policy that sends an <see cref="AccessToken"/> provided by a <see cref="TokenCredential"/> as an Authentication header.
+    /// Note: This class is currently in preview and is therefore subject to possible future breaking changes.
+    /// </summary>
+    internal class ARMChallengeAuthenticationPolicy : BearerTokenChallengeAuthenticationPolicy
+    {
+        /// <summary>
+        /// Creates a new instance of <see cref="ARMChallengeAuthenticationPolicy"/> using provided token credential and scope to authenticate for.
+        /// </summary>
+        /// <param name="credential">The token credential to use for authentication.</param>
+        /// <param name="scope">The scope to authenticate for.</param>
+        public ARMChallengeAuthenticationPolicy(TokenCredential credential, string scope) : base(credential, new[] { scope }) { }
+
+        /// <summary>
+        /// Creates a new instance of <see cref="ARMChallengeAuthenticationPolicy"/> using provided token credential and scopes to authenticate for.
+        /// </summary>
+        /// <param name="credential">The token credential to use for authentication.</param>
+        /// <param name="scopes">Scopes to authenticate for.</param>
+        public ARMChallengeAuthenticationPolicy(TokenCredential credential, IEnumerable<string> scopes)
+            : base(credential, scopes, TimeSpan.FromMinutes(5), TimeSpan.FromSeconds(30)) { }
+
+        /// <summary>
+        /// Executed in the event a 401 response with a WWW-Authenticate authentication challenge header is received after the initial request.
+        /// </summary>
+        /// <remarks>Handles claims authentication challenges.</remarks>
+        /// <param name="message">The <see cref="HttpMessage"/> to be authenticated.</param>
+        /// <param name="context">If the return value is <c>true</c>, a <see cref="TokenRequestContext"/>.</param>
+        /// <returns>A boolean indicated whether the request contained a valid challenge and a <see cref="TokenRequestContext"/> was successfully initialized with it.</returns>
+        protected override bool TryGetTokenRequestContextFromChallenge(HttpMessage message, out TokenRequestContext context)
+        {
+            context = default;
+
+            var challenge = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims");
+            if (challenge == null)
+            {
+                return false;
+            }
+
+            string claimsChallenge = Base64Url.DecodeString(challenge.ToString());
+           context = new TokenRequestContext(Scopes, message.Request.ClientRequestId, claimsChallenge);
+            return true;
+        }
+    }
+}

sdk/core/Azure.Core/src/Shared/AuthorizationChallengeParser.cs

@@ -0,0 +1,152 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Net;
+
+#nullable enable
+
+namespace Azure.Core
+{
+    /// <summary>
+    /// A helper class for parsing Authorization challenge headers.
+    /// </summary>
+    internal static class AuthorizationChallengeParser
+    {
+        /// <summary>
+        /// Parses the specified parameter from a challenge hearder found in the specified <see cref="Response"/>.
+        /// </summary>
+        /// <param name="response">The <see cref="Response"/> to parse.</param>
+        /// <param name="challengeScheme">The challenge scheme containing the <paramref name="challengeParameter"/>. For example: "Bearer"</param>
+        /// <param name="challengeParameter">The parameter key name containing the value to return.</param>
+        /// <returns>The value of the parameter name specified in <paramref name="challengeParameter"/> if it is found in the specified <paramref name="challengeScheme"/>.</returns>
+        public static string? GetChallengeParameterFromResponse(Response response, string challengeScheme, string challengeParameter)
+        {
+            if (response.Status != (int)HttpStatusCode.Unauthorized || !response.Headers.TryGetValue(HttpHeader.Names.WWWAuthenticate, out string? headerValue))
+            {
+                return null;
+            }
+
+            ReadOnlySpan<char> bearer = challengeScheme.AsSpan();
+            ReadOnlySpan<char> claims = challengeParameter.AsSpan();
+            ReadOnlySpan<char> headerSpan = headerValue.AsSpan();
+
+            // Iterate through each challenge value.
+            while (TryGetNextChallenge(ref headerSpan, out var challengeKey))
+            {
+                // Enumerate each key=value parameter until we find the 'claims' key on the 'Bearer' challenge.
+                while (TryGetNextParameter(ref headerSpan, out var key, out var value))
+                {
+                    if (challengeKey.Equals(bearer, StringComparison.OrdinalIgnoreCase) && key.Equals(claims, StringComparison.OrdinalIgnoreCase))
+                    {
+                        return value.ToString();
+                    }
+                }
+            }
+
+            return null;
+        }
+
+        /// <summary>
+        /// Iterates through the challenge schemes present in a challenge header.
+        /// </summary>
+        /// <param name="headerValue">
+        /// The header value which will be sliced to remove the first parsed <paramref name="challengeKey"/>.
+        /// </param>
+        /// <param name="challengeKey">The parsed challenge scheme.</param>
+        /// <returns>
+        /// <c>true</c> if a challenge scheme was successfully parsed.
+        /// The value of <paramref name="headerValue"/> should be passed to <see cref="TryGetNextParameter"/> to parse the challenge parameters if <c>true</c>.
+        /// </returns>
+        internal static bool TryGetNextChallenge(ref ReadOnlySpan<char> headerValue, out ReadOnlySpan<char> challengeKey)
+        {
+            challengeKey = default;
+
+            headerValue = headerValue.TrimStart(' ');
+            int endOfChallengeKey = headerValue.IndexOf(' ');
+
+            if (endOfChallengeKey < 0)
+            {
+                return false;
+            }
+
+            challengeKey = headerValue.Slice(0, endOfChallengeKey);
+
+            // Slice the challenge key from the headerValue
+            headerValue = headerValue.Slice(endOfChallengeKey + 1);
+
+            return true;
+        }
+
+        /// <summary>
+        /// Iterates through a challenge header value after being parsed by <see cref="TryGetNextChallenge"/>.
+        /// </summary>
+        /// <param name="headerValue">The header value after being parsed by <see cref="TryGetNextChallenge"/>.</param>
+        /// <param name="paramKey">The parsed challenge parameter key.</param>
+        /// <param name="paramValue">The parsed challenge parameter value.</param>
+        /// <param name="separator">The challenge parameter key / value pair separator. The default is '='.</param>
+        /// <returns>
+        /// <c>true</c> if the next available challenge parameter was successfully parsed.
+        /// <c>false</c> if there are no more parameters for the current challenge scheme or an additional challenge scheme was encountered in the <paramref name="headerValue"/>.
+        /// The value of <paramref name="headerValue"/> should be passed again to <see cref="TryGetNextChallenge"/> to attempt to parse any additional challenge schemes if <c>false</c>.
+        /// </returns>
+        internal static bool TryGetNextParameter(ref ReadOnlySpan<char> headerValue, out ReadOnlySpan<char> paramKey, out ReadOnlySpan<char> paramValue, char separator = '=')
+        {
+            paramKey = default;
+            paramValue = default;
+            var spaceOrComma = " ,".AsSpan();
+
+            // Trim any separater prefixes.
+            headerValue = headerValue.TrimStart(spaceOrComma);
+
+            int nextSpace = headerValue.IndexOf(' ');
+            int nextSeparator = headerValue.IndexOf(separator);
+
+            if (nextSpace < nextSeparator && nextSpace != -1)
+            {
+                // we encountered another challenge value.
+                return false;
+            }
+
+            if (nextSeparator < 0)
+                return false;
+
+            // Get the paramKey.
+            paramKey = headerValue.Slice(0, nextSeparator).Trim();
+
+            // Slice to remove the 'paramKey=' from the parameters.
+            headerValue = headerValue.Slice(nextSeparator + 1);
+
+            // The start of paramValue will usually be a quoted string. Find the first quote.
+            int quoteIndex = headerValue.IndexOf('\"');
+
+            // Get the paramValue, which is delimited by the trailing quote.
+            headerValue = headerValue.Slice(quoteIndex + 1);
+            if (quoteIndex >= 0)
+            {
+                // The values are quote wrapped
+                paramValue = headerValue.Slice(0, headerValue.IndexOf('\"'));
+            }
+            else
+            {
+                //the values are not quote wrapped (storage is one example of this)
+                // either find the next space indicating the delimiter to the next value, or go to the end since this is the last value.
+                int trailingDelimiterIndex = headerValue.IndexOfAny(spaceOrComma);
+                if (trailingDelimiterIndex >= 0)
+                {
+                    paramValue = headerValue.Slice(0, trailingDelimiterIndex);
+                }
+                else
+                {
+                    paramValue = headerValue;
+                }
+            }
+
+            // Slice to remove the '"paramValue"' from the parameters.
+            if (headerValue != paramValue)
+                headerValue = headerValue.Slice(paramValue.Length + 1);
+
+            return true;
+        }
+    }
+}