From 49ca302ea08a39ca72dcc7fb79ce23b6f2600682 Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham
Date: Wed, 10 Mar 2021 13:59:37 +0000
Subject: [PATCH] msauth: include better warning message on Keychain errors Sometimes the login Keychain is not accessible and the MSAL.Extensions library cannot read/write the token cache. The specific error encountered internally is `errSecAuthFailed` - neither we nor the MSAL team know why this happens sometimes. Locking and then unlocking the login Keychain manually, or simply restarting the computer appears to fix the problem. Include the lock+unlock/restart remedy in the warning message on macOS.
---
 .../Authentication/MicrosoftAuthentication.cs | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/shared/Microsoft.Git.CredentialManager/Authentication/MicrosoftAuthentication.cs b/src/shared/Microsoft.Git.CredentialManager/Authentication/MicrosoftAuthentication.cs
index 4435a506e..e001be3c3 100644
--- a/src/shared/Microsoft.Git.CredentialManager/Authentication/MicrosoftAuthentication.cs
+++ b/src/shared/Microsoft.Git.CredentialManager/Authentication/MicrosoftAuthentication.cs
@@ -236,13 +236,23 @@ private async Task RegisterTokenCacheAsync(IPublicClientApplication app)
 }
 catch (MsalCachePersistenceException ex)
 {
- Context.Streams.Error.WriteLine("warning: cannot persist Microsoft Authentication data securely!");
+ Context.Streams.Error.WriteLine("warning: cannot persist Microsoft authentication token cache securely!");
 Context.Trace.WriteLine("Cannot persist Microsoft Authentication data securely!");
 Context.Trace.WriteException(ex);
- // On Linux the SecretService/keyring might not be available so we must fall-back to a plaintext file.
- if (PlatformUtils.IsLinux())
+ if (PlatformUtils.IsMacOS())
 {
+ // On macOS sometimes the Keychain returns the "errSecAuthFailed" error - we don't know why
+ // but it appears to be something to do with not being able to access the keychain.
+ // Locking and unlocking (or restarting) often fixes this.
+ Context.Streams.Error.WriteLine(
+ "warning: there is a problem accessing the login Keychain - either manually lock and unlock the " +
+ "login Keychain, or restart the computer to remedy this");
+ }
+ else if (PlatformUtils.IsLinux())
+ {
+ // On Linux the SecretService/keyring might not be available so we must fall-back to a plaintext file.
+ Context.Streams.Error.WriteLine("warning: using plain-text fallback token cache");
 Context.Trace.WriteLine("Using fall-back plaintext token cache on Linux.");
 var storageProps = CreateTokenCacheProps(clientId, useLinuxFallback: true);
 helper = await MsalCacheHelper.CreateAsync(storageProps);
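Review bot: The macOS branch added here prints the lock-and-unlock remedy for every `MsalCachePersistenceException`, since nothing in it looks at `ex` for the `errSecAuthFailed` case its comment describes, so a persistence failure with another cause would point the user at the wrong fix. Unless the exception exposes the underlying Keychain status, I would soften the first string to `"warning: there may be a problem accessing the login Keychain - either manually lock and unlock the " +` and leave the existing `Context.Trace.WriteException(ex)` as the record of the real cause. The macOS message also does not say what happens to the tokens after the warning; that is decided after the catch block, outside this hunk, so it should be confirmed and stated the way the Linux branch does. On the Linux side the new warning could spell out the consequence, for example `"warning: using plain-text fallback token cache (tokens are stored unencrypted on disk)"`, since this is where protected storage is replaced by a plaintext file.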