Fix bug with managing redirection and keepAuthorization in Web cmdlets

[CarloToso]

PR Summary

The current behaviour of if (keepAuthorization && IsRedirectCode(response.StatusCode) && response.Headers.Location is not null) is wrong, I tested it by setting keepAuthorization = true --> this sets handleRetirect = true --> and then sets handler.AllowAutoRedirect = false. Without sessionRedirect (we can choose a better name) it ignores the MaximumRedirection parameter.

Test: maunally set keepAuthorization = true before the if, then
Invoke-WebRequest "http://mockbin.org/redirect/308?to=https://mockbin.org/redirect/302?to=https://mockbin.org/status/200" -MaximumRedirection 0 -SkipHttpErrorCheck --> expected 308, result 200

Proposed fix -->

bool sessionRedirect = WebSession.MaximumRedirection > 0 || WebSession.MaximumRedirection == -1;
if (keepAuthorization  && sessionRedirect && IsRedirectCode(response.StatusCode) && response.Headers.Location is not null)

PR Context

Fix Bug, merge before #18546 and #18894

[iSazonov]

@CarloToso Can you enhance our helper test tool - WebListener - to cover the scenario? Currently it supports redirection but not take into account authorization header (I guess we could use -Authentication Bear?). WebListener could return the auth token as-is and we could add tests to check that the header is removed by default and isn't removed with PreserveAuthorizationOnRedirect.

I see only reason we do custom redirection processing is that we want to keep the auth header. So I suggest rename keepAuthorization and handleRedirect parameters to keepAuthorizationOnRedirect. This simplify understanding the code.

[CarloToso]

@iSazonov we also need to handle redirection for #18546 and #18894, I can change keepAuthorization to keepAuthorizationOnRedirect but i think handleRedirect should stay as it is.

I don't know much about the helper tool test but I can look into it

[iSazonov]

but i think handleRedirect should stay as it is.

It is the same as keepAuthorization - we assign keepAuthorization to handleRedirect - this mislead.

[CarloToso]

If we change it handleRedirect to keepAuthorization, it will be misleading after we add -PreserveHTTPMethodOnRedirect or -AllowInsicureRedirect. We could add something like this bool handleRedirect = keepAuthorizationOnRedirect || AllowInsicureRedirect || PreserveHTTPMethodOnRedirect

[iSazonov]

If we change it handleRedirect to keepAuthorization, it will be misleading after we add -PreserveHTTPMethodOnRedirect or -AllowInsicureRedirect. We could add something like this bool handleRedirect = keepAuthorizationOnRedirect || AllowInsicureRedirect || PreserveHTTPMethodOnRedirect

I don't see a problem here. As I said only reason we do manual redirect processing is that we want to keep auth header. So variable names should reflect to our intention. And comments could be updated too.

[iSazonov]

This reduces readability. 😕

[CarloToso]

reverted

[CarloToso]

@iSazonov It looks like there already are some tests that cover -PreserveAuthorizationOnRedirect

[iSazonov]

@iSazonov It looks like there already are some tests that cover -PreserveAuthorizationOnRedirect

Can you point these tests? I see there is Authorization controller but it doesn't cover redirection scenario.

[CarloToso]

@iSazonov I found the -PreserveAuthorizationOnRedirect parameter in WebCmdlet.Tests.ps1 and I think it covers this case

[iSazonov]

If the test is passed before the PR it is a broken test.

[CarloToso]

I think the tests are not broken, they just never checked for -MaximumRedirection + -PreserveAuthorizationOnRedirect

[iSazonov]

Please confirm that the new tests fail before the PR.

[iSazonov]

@CarloToso Please resolve merge conflicts.

[iSazonov]

@CarloToso Please resolve merge conflict again.

[iSazonov]

It seems PreserveAuthorizationOnRedirect.IsPresent should be on first place.

[iSazonov]

Why is AllowInsecureRedirect removed?

We merged #18546 without tests. Time to add tests for AllowInsecureRedirect

[CarloToso]

Added some tests #18939, AllowInsecureRedirect is in handleRedirect after this PR (line 1422)

[iSazonov]

/rebase

[iSazonov]

@CarloToso Please rebase to get tests.

[pull-request-quantifier-deprecated]

This PR has 47 quantified lines of changes. In general, a change size of upto 200 lines is ideal for the best PR experience!

---

Quantification details

Label      : Extra Small
Size       : +28 -19
Percentile : 18.8%

Total files changed: 2

Change summary by file extension:
.cs : +16 -17
.ps1 : +12 -2

Change counts above are quantified counts, based on the PullRequestQuantifier customizations.

Why proper sizing of changes matters

Optimal pull request sizes drive a better predictable PR flow as they strike a
balance between between PR complexity and PR review overhead. PRs within the
optimal size (typical small, or medium sized PRs) mean:

• Fast and predictable releases to production:
  • Optimal size changes are more likely to be reviewed faster with fewer
    iterations.
  • Similarity in low PR complexity drives similar review times.
• Review quality is likely higher as complexity is lower:
  • Bugs are more likely to be detected.
  • Code inconsistencies are more likely to be detected.
• Knowledge sharing is improved within the participants:
  • Small portions can be assimilated better.
• Better engineering practices are exercised:
  • Solving big problems by dividing them in well contained, smaller problems.
  • Exercising separation of concerns within the code changes.

What can I do to optimize my changes

• Use the PullRequestQuantifier to quantify your PR accurately
  • Create a context profile for your repo using the context generator
  • Exclude files that are not necessary to be reviewed or do not increase the review complexity. Example: Autogenerated code, docs, project IDE setting files, binaries, etc. Check out the Excluded section from your prquantifier.yaml context profile.
  • Understand your typical change complexity, drive towards the desired complexity by adjusting the label mapping in your prquantifier.yaml context profile.
  • Only use the labels that matter to you, see context specification to customize your prquantifier.yaml context profile.
• Change your engineering behaviors
  • For PRs that fall outside of the desired spectrum, review the details and check if:
    • Your PR could be split in smaller, self-contained PRs instead
    • Your PR only solves one particular issue. (For example, don't refactor and code new features in the same PR).

How to interpret the change counts in git diff output

• One line was added: +1 -0
• One line was deleted: +0 -1
• One line was modified: +1 -1 (git diff doesn't know about modified, it will
  interpret that line like one addition plus one deletion)
• Change percentiles: Change characteristics (addition, deletion, modification)
  of this PR in relation to all other PRs within the repository.

---

Was this comment helpful? 👍  :ok_hand:  :thumbsdown: (Email)
Customize PullRequestQuantifier for this repository.

[ghost]

🎉v7.4.0-preview.2 has been released which incorporates this pull request.:tada:

Handy links:

• Release Notes