public static bool CanUseBroker(ICommandContext context)
{
#if NETFRAMEWORK
// We only support the broker on Windows 10+ and in an interactive session
if (!context.SessionManager.IsDesktopSession || !PlatformUtils.IsWindowsBrokerSupported())
{
return(false);
}
// Default to not using the OS broker
const bool defaultValue = false;
if (context.Settings.TryGetSetting(Constants.EnvironmentVariables.MsAuthUseBroker,
Constants.GitConfiguration.Credential.SectionName,
Constants.GitConfiguration.Credential.MsAuthUseBroker,
out string valueStr))
{
return(valueStr.ToBooleanyOrDefault(defaultValue));
}
return(defaultValue);
#else
// OS broker requires .NET Framework right now until we migrate to .NET 5.0 (net5.0-windows10.x.y.z)
return(false);
#endif
}
private async Task <IPublicClientApplication> CreatePublicClientApplicationAsync(
string authority, string clientId, Uri redirectUri, bool enableBroker)
{
var httpFactoryAdaptor = new MsalHttpClientFactoryAdaptor(Context.HttpClientFactory);
var appBuilder = PublicClientApplicationBuilder.Create(clientId)
.WithAuthority(authority)
.WithRedirectUri(redirectUri.ToString())
.WithHttpClientFactory(httpFactoryAdaptor);
// Listen to MSAL logs if GCM_TRACE_MSAUTH is set
if (Context.Settings.IsMsalTracingEnabled)
{
// If GCM secret tracing is enabled also enable "PII" logging in MSAL
bool enablePiiLogging = Context.Trace.IsSecretTracingEnabled;
appBuilder.WithLogging(OnMsalLogMessage, LogLevel.Verbose, enablePiiLogging, false);
}
// If we have a parent window ID we should tell MSAL about it so it can parent any authentication dialogs
// correctly. We only support this on Windows right now as MSAL only supports embedded/dialogs on Windows.
if (PlatformUtils.IsWindows() && !string.IsNullOrWhiteSpace(Context.Settings.ParentWindowId) &&
int.TryParse(Context.Settings.ParentWindowId, out int hWndInt) && hWndInt > 0)
{
appBuilder.WithParentActivityOrWindow(() => new IntPtr(hWndInt));
}
// On Windows 10+ & .NET Framework try and use the WAM broker
if (enableBroker && PlatformUtils.IsWindowsBrokerSupported())
{
#if NETFRAMEWORK
appBuilder.WithExperimentalFeatures();
appBuilder.WithWindowsBroker();
#endif
}
IPublicClientApplication app = appBuilder.Build();
// Register the application token cache
await RegisterTokenCacheAsync(app);
return(app);
}
public static void InitializeBroker()
{
if (IsBrokerInitialized)
{
return;
}
IsBrokerInitialized = true;
// Broker is only supported on Windows 10 and later
if (!PlatformUtils.IsWindowsBrokerSupported())
{
return;
}
// Nothing to do when not an elevated user
if (!PlatformUtils.IsElevatedUser())
{
return;
}
// Lower COM security so that MSAL can make the calls to WAM
int result = Interop.Windows.Native.Ole32.CoInitializeSecurity(
IntPtr.Zero,
-1,
IntPtr.Zero,
IntPtr.Zero,
Interop.Windows.Native.Ole32.RpcAuthnLevel.None,
Interop.Windows.Native.Ole32.RpcImpLevel.Impersonate,
IntPtr.Zero,
Interop.Windows.Native.Ole32.EoAuthnCap.None,
IntPtr.Zero
);
if (result != 0)
{
throw new Exception(
$"Failed to set COM process security to allow Windows broker from an elevated process (0x{result:x})." +
Environment.NewLine +
$"See {Constants.HelpUrls.GcmWamComSecurity} for more information.");
}
}
