fix NTLM auth and add some manually enabled tests (#27958)

Author: geoffkizer

src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs

@@ -57,17 +57,13 @@ private static async Task<HttpResponseMessage> SendWithNtAuthAsync(HttpRequestMe
                         while (true)
                         {
                             string challengeResponse = authContext.GetOutgoingBlob(challengeData);
-                            if (authContext.IsCompleted)
-                            {
-                                break;
-                            }
 
                             await connection.DrainResponseAsync(response).ConfigureAwait(false);
 
                             SetRequestAuthenticationHeaderValue(request, new AuthenticationHeaderValue(challenge.SchemeName, challengeResponse), isProxyAuth);
 
                             response = await InnerSendAsync(request, isProxyAuth, connection, cancellationToken).ConfigureAwait(false);
-                            if (!TryGetRepeatedChallenge(response, challenge.SchemeName, isProxyAuth, out challengeData))
+                            if (authContext.IsCompleted || !TryGetRepeatedChallenge(response, challenge.SchemeName, isProxyAuth, out challengeData))
                             {
                                 break;
                             }

src/System.Net.Http/tests/FunctionalTests/DefaultCredentialsTest.cs

@@ -2,6 +2,7 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information.
 
+using System.Collections.Generic;
 using System.Security.Principal;
 using System.Threading.Tasks;
 
@@ -17,80 +18,74 @@ namespace System.Net.Http.Functional.Tests
     [PlatformSpecific(TestPlatforms.Windows)]
     public class DefaultCredentialsTest : HttpClientTestBase
     {
-        private static string DomainJoinedTestServer => Configuration.Http.DomainJoinedHttpHost;
-        private static bool DomainJoinedTestsEnabled => !string.IsNullOrEmpty(DomainJoinedTestServer);
-        private static bool DomainProxyTestsEnabled => (!string.IsNullOrEmpty(Configuration.Http.DomainJoinedProxyHost)) && DomainJoinedTestsEnabled;
+        private static bool DomainJoinedTestsEnabled => !string.IsNullOrEmpty(Configuration.Http.DomainJoinedHttpHost);
+
+        private static bool DomainProxyTestsEnabled => !string.IsNullOrEmpty(Configuration.Http.DomainJoinedProxyHost);
+
+        // Enable this to test against local HttpListener over loopback
+        // Note this doesn't work as expected with WinHttpHandler, because WinHttpHandler will always authenticate the 
+        // current user against a loopback server using NTLM or Negotiate.
+        private static bool LocalHttpListenerTestsEnabled = false;
+
+        public static bool ServerAuthenticationTestsEnabled => (LocalHttpListenerTestsEnabled || DomainJoinedTestsEnabled);
 
         private static string s_specificUserName = Configuration.Security.ActiveDirectoryUserName;
         private static string s_specificPassword = Configuration.Security.ActiveDirectoryUserPassword;
         private static string s_specificDomain = Configuration.Security.ActiveDirectoryName;
-        private static Uri s_authenticatedServer =
-            new Uri($"http://{DomainJoinedTestServer}/test/auth/negotiate/showidentity.ashx");
-            
-        // This test endpoint offers multiple schemes, Basic and NTLM, in that specific order. This endpoint
-        // helps test that the client will use the stronger of the server proposed auth schemes and
-        // not the first auth scheme.
-        private static Uri s_multipleSchemesAuthenticatedServer =
-            new Uri($"http://{DomainJoinedTestServer}/test/auth/multipleschemes/showidentity.ashx");
-
-        private readonly ITestOutputHelper _output;
         private readonly NetworkCredential _specificCredential =
             new NetworkCredential(s_specificUserName, s_specificPassword, s_specificDomain);
+        private static Uri s_authenticatedServer = DomainJoinedTestsEnabled ? 
+            new Uri($"http://{Configuration.Http.DomainJoinedHttpHost}/test/auth/negotiate/showidentity.ashx") : null;
+
+        private readonly ITestOutputHelper _output;
 
         public DefaultCredentialsTest(ITestOutputHelper output)
         {
             _output = output;
-            _output.WriteLine(s_authenticatedServer.ToString());
         }
 
         [OuterLoop] // TODO: Issue #11345
-        [ActiveIssue(10041)]
-        [ConditionalTheory(nameof(DomainJoinedTestsEnabled))]
-        [InlineData(false)]
-        [InlineData(true)]
-        public async Task UseDefaultCredentials_DefaultValue_Unauthorized(bool useProxy)
+        [ConditionalTheory(nameof(ServerAuthenticationTestsEnabled))]
+        [MemberData(nameof(AuthenticatedServers))]
+        public async Task UseDefaultCredentials_DefaultValue_Unauthorized(string uri, bool useProxy)
         {
             HttpClientHandler handler = CreateHttpClientHandler();
             handler.UseProxy = useProxy;
 
             using (var client = new HttpClient(handler))
-            using (HttpResponseMessage response = await client.GetAsync(s_authenticatedServer))
+            using (HttpResponseMessage response = await client.GetAsync(uri))
             {
                 Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
             }
         }
 
         [OuterLoop] // TODO: Issue #11345
-        [ActiveIssue(10041)]
-        [ConditionalTheory(nameof(DomainJoinedTestsEnabled))]
-        [InlineData(false)]
-        [InlineData(true)]
-        public async Task UseDefaultCredentials_SetFalse_Unauthorized(bool useProxy)
+        [ConditionalTheory(nameof(ServerAuthenticationTestsEnabled))]
+        [MemberData(nameof(AuthenticatedServers))]
+        public async Task UseDefaultCredentials_SetFalse_Unauthorized(string uri, bool useProxy)
         {
             HttpClientHandler handler = CreateHttpClientHandler();
             handler.UseProxy = useProxy;
             handler.UseDefaultCredentials = false;
 
             using (var client = new HttpClient(handler))
-            using (HttpResponseMessage response = await client.GetAsync(s_authenticatedServer))
+            using (HttpResponseMessage response = await client.GetAsync(uri))
             {
                 Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
             }
         }
 
         [OuterLoop] // TODO: Issue #11345
-        [ActiveIssue(10041)]
-        [ConditionalTheory(nameof(DomainJoinedTestsEnabled))]
-        [InlineData(false)]
-        [InlineData(true)]
-        public async Task UseDefaultCredentials_SetTrue_ConnectAsCurrentIdentity(bool useProxy)
+        [ConditionalTheory(nameof(ServerAuthenticationTestsEnabled))]
+        [MemberData(nameof(AuthenticatedServers))]
+        public async Task UseDefaultCredentials_SetTrue_ConnectAsCurrentIdentity(string uri, bool useProxy)
         {
             HttpClientHandler handler = CreateHttpClientHandler();
             handler.UseProxy = useProxy;
             handler.UseDefaultCredentials = true;
 
             using (var client = new HttpClient(handler))
-            using (HttpResponseMessage response = await client.GetAsync(s_authenticatedServer))
+            using (HttpResponseMessage response = await client.GetAsync(uri))
             {
                 Assert.Equal(HttpStatusCode.OK, response.StatusCode);
 
@@ -102,18 +97,19 @@ public async Task UseDefaultCredentials_SetTrue_ConnectAsCurrentIdentity(bool us
         }
 
         [OuterLoop] // TODO: Issue #11345
-        [ActiveIssue(10041)]
-        [ConditionalTheory(nameof(DomainJoinedTestsEnabled))]
-        [InlineData(false)]
-        [InlineData(true)]
-        public async Task UseDefaultCredentials_SetTrueAndServerOffersMultipleSchemes_Ok(bool useProxy)
+        [ConditionalTheory(nameof(ServerAuthenticationTestsEnabled))]
+        [MemberData(nameof(AuthenticatedServers))]
+        public async Task Credentials_SetToWrappedDefaultCredential_ConnectAsCurrentIdentity(string uri, bool useProxy)
         {
             HttpClientHandler handler = CreateHttpClientHandler();
             handler.UseProxy = useProxy;
-            handler.UseDefaultCredentials = true;
+            handler.Credentials = new CredentialWrapper
+            {
+                InnerCredentials = CredentialCache.DefaultCredentials
+            };
 
             using (var client = new HttpClient(handler))
-            using (HttpResponseMessage response = await client.GetAsync(s_multipleSchemesAuthenticatedServer))
+            using (HttpResponseMessage response = await client.GetAsync(uri))
             {
                 Assert.Equal(HttpStatusCode.OK, response.StatusCode);
 
@@ -125,24 +121,18 @@ public async Task UseDefaultCredentials_SetTrueAndServerOffersMultipleSchemes_Ok
         }
 
         [OuterLoop] // TODO: Issue #11345
-        [ActiveIssue(10041)]
-        [ConditionalTheory(nameof(DomainJoinedTestsEnabled))]
-        [InlineData(false)]
-        [InlineData(true)]
-        public async Task Credentials_SetToSpecificCredential_ConnectAsSpecificIdentity(bool useProxy)
+        [ConditionalTheory(nameof(ServerAuthenticationTestsEnabled))]
+        [MemberData(nameof(AuthenticatedServers))]
+        public async Task Credentials_SetToBadCredential_Unauthorized(string uri, bool useProxy)
         {
             HttpClientHandler handler = CreateHttpClientHandler();
             handler.UseProxy = useProxy;
-            handler.UseDefaultCredentials = false;
-            handler.Credentials = _specificCredential;
+            handler.Credentials = new NetworkCredential("notarealuser", "123456");
 
             using (var client = new HttpClient(handler))
-            using (HttpResponseMessage response = await client.GetAsync(s_authenticatedServer))
+            using (HttpResponseMessage response = await client.GetAsync(uri))
             {
-                Assert.Equal(HttpStatusCode.OK, response.StatusCode);
-                
-                string responseBody = await response.Content.ReadAsStringAsync();
-                VerifyAuthentication(responseBody, true, s_specificDomain + "\\" + s_specificUserName);
+                Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
             }
         }
 
@@ -151,24 +141,20 @@ public async Task Credentials_SetToSpecificCredential_ConnectAsSpecificIdentity(
         [ConditionalTheory(nameof(DomainJoinedTestsEnabled))]
         [InlineData(false)]
         [InlineData(true)]
-        public async Task Credentials_SetToWrappedDefaultCredential_ConnectAsCurrentIdentity(bool useProxy)
+        public async Task Credentials_SetToSpecificCredential_ConnectAsSpecificIdentity(bool useProxy)
         {
             HttpClientHandler handler = CreateHttpClientHandler();
             handler.UseProxy = useProxy;
-            handler.Credentials = new CredentialWrapper
-            {
-                InnerCredentials = CredentialCache.DefaultCredentials
-            };
+            handler.UseDefaultCredentials = false;
+            handler.Credentials = _specificCredential;
 
             using (var client = new HttpClient(handler))
             using (HttpResponseMessage response = await client.GetAsync(s_authenticatedServer))
             {
                 Assert.Equal(HttpStatusCode.OK, response.StatusCode);
-
+                
                 string responseBody = await response.Content.ReadAsStringAsync();
-                WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent();
-                _output.WriteLine("currentIdentity={0}", currentIdentity.Name);
-                VerifyAuthentication(responseBody, true, currentIdentity.Name);
+                VerifyAuthentication(responseBody, true, s_specificDomain + "\\" + s_specificUserName);
             }
         }
 
@@ -221,6 +207,27 @@ public async Task Proxy_UseAuthenticatedProxyWithWrappedDefaultCredentials_OK()
             }
         }
 
+        public static IEnumerable<object[]> AuthenticatedServers()
+        {
+            // Note that localhost will not actually use the proxy, but there's no harm in testing it.
+            foreach (bool b in new bool[] { true, false })
+            {
+                if (LocalHttpListenerTestsEnabled)
+                {
+                    yield return new object[] { HttpListenerAuthenticatedLoopbackServer.NtlmOnly.Uri, b };
+                    yield return new object[] { HttpListenerAuthenticatedLoopbackServer.NegotiateOnly.Uri, b };
+                    yield return new object[] { HttpListenerAuthenticatedLoopbackServer.NegotiateAndNtlm.Uri, b };
+                    yield return new object[] { HttpListenerAuthenticatedLoopbackServer.BasicAndNtlm.Uri, b };
+                }
+
+                if (!string.IsNullOrEmpty(Configuration.Http.DomainJoinedHttpHost))
+                {
+                    yield return new object[] { $"http://{Configuration.Http.DomainJoinedHttpHost}/test/auth/negotiate/showidentity.ashx", b };
+                    yield return new object[] { $"http://{Configuration.Http.DomainJoinedHttpHost}/test/auth/multipleschemes/showidentity.ashx", b };
+                }
+            }
+        }
+
         private void VerifyAuthentication(string response, bool authenticated, string user)
         {
             // Convert all strings to lowercase to compare. Windows treats domain and username as case-insensitive.
@@ -296,6 +303,46 @@ public bool IsBypassed(Uri host)
             {
                 return false;
             }
-        }        
+        }
+
+        private sealed class HttpListenerAuthenticatedLoopbackServer
+        {
+            private readonly HttpListener _listener;
+            private readonly string _uri;
+
+            public static readonly HttpListenerAuthenticatedLoopbackServer NtlmOnly = new HttpListenerAuthenticatedLoopbackServer("http://localhost:8080/", AuthenticationSchemes.Ntlm);
+            public static readonly HttpListenerAuthenticatedLoopbackServer NegotiateOnly = new HttpListenerAuthenticatedLoopbackServer("http://localhost:8081/", AuthenticationSchemes.Negotiate);
+            public static readonly HttpListenerAuthenticatedLoopbackServer NegotiateAndNtlm = new HttpListenerAuthenticatedLoopbackServer("http://localhost:8082/", AuthenticationSchemes.Negotiate | AuthenticationSchemes.Ntlm);
+            public static readonly HttpListenerAuthenticatedLoopbackServer BasicAndNtlm = new HttpListenerAuthenticatedLoopbackServer("http://localhost:8083/", AuthenticationSchemes.Basic | AuthenticationSchemes.Ntlm);
+
+            // Don't construct directly, use instances above
+            private HttpListenerAuthenticatedLoopbackServer(string uri, AuthenticationSchemes authenticationSchemes)
+            {
+                _uri = uri;
+
+                _listener = new HttpListener();
+                _listener.Prefixes.Add(uri);
+                _listener.AuthenticationSchemes = authenticationSchemes;
+                _listener.Start();
+
+                Task.Run(() => ProcessRequests());
+            }
+
+            public string Uri => _uri;
+
+            private async void ProcessRequests()
+            {
+                while (true)
+                {
+                    var context = await _listener.GetContextAsync();
+
+                    // Send a response in the JSON format that the client expects
+                    string username = context.User.Identity.Name;
+                    await context.Response.OutputStream.WriteAsync(System.Text.Encoding.UTF8.GetBytes($"{{\"authenticated\": \"true\", \"user\": \"{username}\" }}"));
+
+                    context.Response.Close();
+                }
+            }
+        }
     }
 }