Added support for basic auth for proxy setup (#5269)

* fix agent configuration behind flag --proxybasicauth

* Fix git configuration issue in pipeline

* Update on Review

* fix for proxybasicauth flag default value

* use cmdline proxybasicauth when proxy Knobs are set

* Update#2 on Review comments

* Update L0 tests

* Remove unneccessary JobExtension L0

* Env Var setup

* update#3 on review comments

* Update#4 on Reveiew Comments

* Update#5 on Reveiw Comments

* Update#6 on Review Comments

* SVN checkout fix

* Rename proxy flag to UseBasicAuthForProxy

* Revert "SVN checkout fix"

This reverts commit 08cb9fb.

Author: dassayantan24

src/Agent.Listener/CommandLine/ConfigureAgent.cs

@@ -102,6 +102,9 @@ public class ConfigureAgent : ConfigureOrRemoveBase
         [Option(Constants.Agent.CommandLine.Args.ProxyUrl)]
         public string ProxyUrl { get; set; }
 
+        [Option(Constants.Agent.CommandLine.Flags.UseBasicAuthForProxy)]
+        public bool UseBasicAuthForProxy { get; set; }
+
         [Option(Constants.Agent.CommandLine.Flags.Replace)]
         public bool Replace { get; set; }
 

src/Agent.Listener/CommandSettings.cs

@@ -512,6 +512,11 @@ public string GetProxyPassword()
             return GetArg(Configure?.ProxyPassword, Constants.Agent.CommandLine.Args.ProxyPassword);
         }
 
+        public bool GetUseBasicAuthForProxy()
+        {
+            return TestFlag(Configure?.UseBasicAuthForProxy, Constants.Agent.CommandLine.Flags.UseBasicAuthForProxy);
+        }
+
         public bool GetSkipCertificateValidation()
         {
             return TestFlag(Configure?.SslSkipCertValidation, Constants.Agent.CommandLine.Flags.SslSkipCertValidation);

src/Agent.Listener/Configuration/ConfigurationManager.cs

@@ -1019,6 +1019,8 @@ private bool SetupVstsProxySetting(IVstsAgentWebProxy vstsProxy, CommandSettings
 
             bool saveProxySetting = false;
             string proxyUrl = command.GetProxyUrl();
+            bool useBasicAuthForProxy = command.GetUseBasicAuthForProxy();
+            
             if (!string.IsNullOrEmpty(proxyUrl))
             {
                 if (!Uri.IsWellFormedUriString(proxyUrl, UriKind.Absolute))
@@ -1029,7 +1031,7 @@ private bool SetupVstsProxySetting(IVstsAgentWebProxy vstsProxy, CommandSettings
                 Trace.Info("Reset proxy base on commandline args.");
                 string proxyUserName = command.GetProxyUserName();
                 string proxyPassword = command.GetProxyPassword();
-                vstsProxy.SetupProxy(proxyUrl, proxyUserName, proxyPassword);
+                vstsProxy.SetupProxy(proxyUrl, proxyUserName, proxyPassword, useBasicAuthForProxy);
                 saveProxySetting = true;
             }
 

src/Agent.Plugins/GitSourceProvider.cs

@@ -191,6 +191,7 @@ public abstract class GitSourceProvider : ISourceProvider
         private const string _remoteRefsPrefix = "refs/remotes/origin/";
         private const string _pullRefsPrefix = "refs/pull/";
         private const string _remotePullRefsPrefix = "refs/remotes/pull/";
+        private const string _gitUseBasicAuthForProxyConfig = "-c http.proxyAuthMethod=basic";
 
         private const string _tenantId = "tenantid";
         private const string _clientId = "servicePrincipalId";
@@ -834,6 +835,14 @@ public async Task GetSourceAsync(
                     ArgUtil.NotNullOrEmpty(proxyUrlWithCredString, nameof(proxyUrlWithCredString));
                     additionalFetchArgs.Add($"-c http.proxy=\"{proxyUrlWithCredString}\"");
                     additionalLfsFetchArgs.Add($"-c http.proxy=\"{proxyUrlWithCredString}\"");
+                    
+                    // Add proxy authentication method if Basic auth is enabled
+                    if (agentProxy.UseBasicAuthForProxy)
+                    {
+                        executionContext.Debug("Config proxy to use Basic authentication for git fetch.");
+                        additionalFetchArgs.Add(_gitUseBasicAuthForProxyConfig);
+                        additionalLfsFetchArgs.Add(_gitUseBasicAuthForProxyConfig);
+                    }
                 }
 
                 // Prepare ignore ssl cert error config for fetch.
@@ -1077,6 +1086,13 @@ public async Task GetSourceAsync(
                         executionContext.Debug($"Config proxy server '{agentProxy.ProxyAddress}' for git submodule update.");
                         ArgUtil.NotNullOrEmpty(proxyUrlWithCredString, nameof(proxyUrlWithCredString));
                         additionalSubmoduleUpdateArgs.Add($"-c http.proxy=\"{proxyUrlWithCredString}\"");
+                        
+                        // Add proxy authentication method if Basic auth is enabled
+                        if (agentProxy.UseBasicAuthForProxy)
+                        {
+                            executionContext.Debug("Config proxy to use Basic authentication for git submodule update.");
+                            additionalSubmoduleUpdateArgs.Add(_gitUseBasicAuthForProxyConfig);
+                        }
                     }
 
                     // Prepare ignore ssl cert error config for fetch.
@@ -1176,6 +1192,21 @@ public async Task GetSourceAsync(
                         {
                             throw new InvalidOperationException($"Git config failed with exit code: {exitCode_proxyconfig}");
                         }
+                        
+                        // Add proxy authentication method if Basic auth is enabled
+                        if (agentProxy.UseBasicAuthForProxy)
+                        {
+                            executionContext.Debug("Save proxy authentication method 'basic' to git config.");
+                            string proxyAuthMethodKey = "http.proxyAuthMethod";
+                            string proxyAuthMethodValue = "basic";
+                            configModifications[proxyAuthMethodKey] = proxyAuthMethodValue;
+
+                            int exitCode_proxyauth = await gitCommandManager.GitConfig(executionContext, targetPath, proxyAuthMethodKey, proxyAuthMethodValue);
+                            if (exitCode_proxyauth != 0)
+                            {
+                                throw new InvalidOperationException($"Git config failed with exit code: {exitCode_proxyauth}");
+                            }
+                        }
                     }
 
                     // save ignore ssl cert error setting to git config.

src/Agent.Sdk/AgentWebProxy.cs

@@ -15,17 +15,20 @@ public class AgentWebProxySettings
         public static string AgentProxyUsernameKey = "Agent.ProxyUsername".ToLower();
         public static string AgentProxyPasswordKey = "Agent.ProxyPassword".ToLower();
         public static string AgentProxyBypassListKey = "Agent.ProxyBypassList".ToLower();
+        public static string AgentUseBasicAuthForProxyKey = "Agent.UseBasicAuthForProxy".ToLower();
         public string ProxyAddress { get; set; }
         public string ProxyUsername { get; set; }
         public string ProxyPassword { get; set; }
         public List<string> ProxyBypassList { get; set; }
+        public bool UseBasicAuthForProxy { get; set; }
         public IWebProxy WebProxy { get; set; }
     }
 
     public class AgentWebProxy : IWebProxy
     {
         private string _proxyAddress;
         private readonly List<Regex> _regExBypassList = new List<Regex>();
+        private bool _useBasicAuthForProxy = false; // Flag to control Basic auth usage
 
         public ICredentials Credentials { get; set; }
 
@@ -35,11 +38,17 @@ public AgentWebProxy()
 
         public AgentWebProxy(string proxyAddress, string proxyUsername, string proxyPassword, List<string> proxyBypassList)
         {
-            Update(proxyAddress, proxyUsername, proxyPassword, proxyBypassList);
+            Update(proxyAddress, proxyUsername, proxyPassword, proxyBypassList, false);
         }
 
-        public void Update(string proxyAddress, string proxyUsername, string proxyPassword, List<string> proxyBypassList)
+        public AgentWebProxy(string proxyAddress, string proxyUsername, string proxyPassword, List<string> proxyBypassList, bool useBasicAuthForProxy = false)
         {
+            Update(proxyAddress, proxyUsername, proxyPassword, proxyBypassList, useBasicAuthForProxy);
+        }
+
+        public void Update(string proxyAddress, string proxyUsername, string proxyPassword, List<string> proxyBypassList, bool useBasicAuthForProxy = false)
+        {
+            _useBasicAuthForProxy = useBasicAuthForProxy;
             _proxyAddress = proxyAddress?.Trim();
 
             if (string.IsNullOrEmpty(proxyUsername) || string.IsNullOrEmpty(proxyPassword))
@@ -48,7 +57,21 @@ public void Update(string proxyAddress, string proxyUsername, string proxyPasswo
             }
             else
             {
-                Credentials = new NetworkCredential(proxyUsername, proxyPassword);
+                if (_useBasicAuthForProxy)
+                {
+                    // Use CredentialCache to force Basic authentication and avoid NTLM negotiation issues
+                    // This fixes the 407 Proxy Authentication Required errors that occur when .NET
+                    // attempts NTLM authentication but fails to fall back to Basic authentication properly
+                    var credentialCache = new CredentialCache();
+                    var proxyUri = new Uri(_proxyAddress);
+                    credentialCache.Add(proxyUri, "Basic", new NetworkCredential(proxyUsername, proxyPassword));
+                    Credentials = credentialCache;
+                }
+                else
+                {
+                    // Default behavior: Use NetworkCredential (default logic for .NET)
+                    Credentials = new NetworkCredential(proxyUsername, proxyPassword);
+                }
             }
 
             if (proxyBypassList != null)

src/Agent.Sdk/CommandPlugin.cs

@@ -142,7 +142,7 @@ public VssConnection InitializeVssConnection()
             {
                 if (!string.IsNullOrEmpty(proxySetting.ProxyAddress))
                 {
-                    VssHttpMessageHandler.DefaultWebProxy = new AgentWebProxy(proxySetting.ProxyAddress, proxySetting.ProxyUsername, proxySetting.ProxyPassword, proxySetting.ProxyBypassList);
+                    VssHttpMessageHandler.DefaultWebProxy = new AgentWebProxy(proxySetting.ProxyAddress, proxySetting.ProxyUsername, proxySetting.ProxyPassword, proxySetting.ProxyBypassList, proxySetting.UseBasicAuthForProxy);
                 }
             }
 
@@ -195,12 +195,15 @@ private AgentWebProxySettings GetProxyConfiguration()
                 string proxyUsername = this.Variables.GetValueOrDefault(AgentWebProxySettings.AgentProxyUsernameKey)?.Value;
                 string proxyPassword = this.Variables.GetValueOrDefault(AgentWebProxySettings.AgentProxyPasswordKey)?.Value;
                 List<string> proxyBypassHosts = StringUtil.ConvertFromJson<List<string>>(this.Variables.GetValueOrDefault(AgentWebProxySettings.AgentProxyBypassListKey)?.Value ?? "[]");
+                bool useBasicAuthForProxy = StringUtil.ConvertToBoolean(this.Variables.GetValueOrDefault(AgentWebProxySettings.AgentUseBasicAuthForProxyKey)?.Value);
                 return new AgentWebProxySettings()
                 {
                     ProxyAddress = proxyUrl,
                     ProxyUsername = proxyUsername,
                     ProxyPassword = proxyPassword,
                     ProxyBypassList = proxyBypassHosts,
+                    UseBasicAuthForProxy = useBasicAuthForProxy,
+                    WebProxy = new AgentWebProxy(proxyUrl, proxyUsername, proxyPassword, proxyBypassHosts, useBasicAuthForProxy)
                 };
             }
             else

src/Agent.Sdk/Knob/AgentKnobs.cs

@@ -351,6 +351,12 @@ public class AgentKnobs
             new EnvironmentKnobSource("VSTS_HTTP_PROXY_USERNAME"),
             new BuiltInDefaultKnobSource(string.Empty));
 
+        public static readonly Knob UseBasicAuthForProxy = new Knob(
+            nameof(UseBasicAuthForProxy),
+            "Enable proxy basic authentication to avoid NTLM negotiation issues",
+            new EnvironmentKnobSource("VSTS_HTTP_PROXY_BASICAUTH"),
+            new BuiltInDefaultKnobSource("false"));
+
         // Secrets masking
         public static readonly Knob AllowUnsafeMultilineSecret = new Knob(
             nameof(AllowUnsafeMultilineSecret),

src/Agent.Sdk/LogPlugin.cs

@@ -193,7 +193,7 @@ private VssConnection InitializeVssConnection()
             {
                 if (!string.IsNullOrEmpty(WebProxySettings.ProxyAddress))
                 {
-                    VssHttpMessageHandler.DefaultWebProxy = new AgentWebProxy(WebProxySettings.ProxyAddress, WebProxySettings.ProxyUsername, WebProxySettings.ProxyPassword, WebProxySettings.ProxyBypassList);
+                    VssHttpMessageHandler.DefaultWebProxy = new AgentWebProxy(WebProxySettings.ProxyAddress, WebProxySettings.ProxyUsername, WebProxySettings.ProxyPassword, WebProxySettings.ProxyBypassList, WebProxySettings.UseBasicAuthForProxy);
                 }
             }
 
@@ -248,13 +248,15 @@ private AgentWebProxySettings GetProxyConfiguration()
                 string proxyUsername = this.Variables.GetValueOrDefault(AgentWebProxySettings.AgentProxyUsernameKey)?.Value;
                 string proxyPassword = this.Variables.GetValueOrDefault(AgentWebProxySettings.AgentProxyPasswordKey)?.Value;
                 List<string> proxyBypassHosts = StringUtil.ConvertFromJson<List<string>>(this.Variables.GetValueOrDefault(AgentWebProxySettings.AgentProxyBypassListKey)?.Value ?? "[]");
+                bool useBasicAuthForProxy = StringUtil.ConvertToBoolean(this.Variables.GetValueOrDefault(AgentWebProxySettings.AgentUseBasicAuthForProxyKey)?.Value);
                 return new AgentWebProxySettings()
                 {
                     ProxyAddress = proxyUrl,
                     ProxyUsername = proxyUsername,
                     ProxyPassword = proxyPassword,
                     ProxyBypassList = proxyBypassHosts,
-                    WebProxy = new AgentWebProxy(proxyUrl, proxyUsername, proxyPassword, proxyBypassHosts)
+                    UseBasicAuthForProxy = useBasicAuthForProxy,
+                    WebProxy = new AgentWebProxy(proxyUrl, proxyUsername, proxyPassword, proxyBypassHosts, useBasicAuthForProxy)
                 };
             }
             else

src/Agent.Sdk/TaskPlugin.cs

@@ -121,7 +121,7 @@ public VssConnection InitializeVssConnection()
             {
                 if (!string.IsNullOrEmpty(WebProxySettings.ProxyAddress))
                 {
-                    VssHttpMessageHandler.DefaultWebProxy = new AgentWebProxy(WebProxySettings.ProxyAddress, WebProxySettings.ProxyUsername, WebProxySettings.ProxyPassword, WebProxySettings.ProxyBypassList);
+                    VssHttpMessageHandler.DefaultWebProxy = new AgentWebProxy(WebProxySettings.ProxyAddress, WebProxySettings.ProxyUsername, WebProxySettings.ProxyPassword, WebProxySettings.ProxyBypassList, WebProxySettings.UseBasicAuthForProxy);
                 }
             }
 
@@ -330,13 +330,15 @@ public AgentWebProxySettings GetProxyConfiguration()
                 string proxyUsername = this.Variables.GetValueOrDefault(AgentWebProxySettings.AgentProxyUsernameKey)?.Value;
                 string proxyPassword = this.Variables.GetValueOrDefault(AgentWebProxySettings.AgentProxyPasswordKey)?.Value;
                 List<string> proxyBypassHosts = StringUtil.ConvertFromJson<List<string>>(this.Variables.GetValueOrDefault(AgentWebProxySettings.AgentProxyBypassListKey)?.Value ?? "[]");
+                bool useBasicAuthForProxy = StringUtil.ConvertToBoolean(this.Variables.GetValueOrDefault(AgentWebProxySettings.AgentUseBasicAuthForProxyKey)?.Value);
                 return new AgentWebProxySettings()
                 {
                     ProxyAddress = proxyUrl,
                     ProxyUsername = proxyUsername,
                     ProxyPassword = proxyPassword,
                     ProxyBypassList = proxyBypassHosts,
-                    WebProxy = new AgentWebProxy(proxyUrl, proxyUsername, proxyPassword, proxyBypassHosts)
+                    UseBasicAuthForProxy = useBasicAuthForProxy,
+                    WebProxy = new AgentWebProxy(proxyUrl, proxyUsername, proxyPassword, proxyBypassHosts, useBasicAuthForProxy)
                 };
             }
             // back-compat of proxy configuration via environment variables
@@ -346,12 +348,14 @@ public AgentWebProxySettings GetProxyConfiguration()
                 ProxyUrl = ProxyUrl.Trim();
                 var ProxyUsername = Environment.GetEnvironmentVariable("VSTS_HTTP_PROXY_USERNAME");
                 var ProxyPassword = Environment.GetEnvironmentVariable("VSTS_HTTP_PROXY_PASSWORD");
+                var UseBasicAuthForProxy = StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("VSTS_HTTP_PROXY_BASIC_AUTH"));
                 return new AgentWebProxySettings()
                 {
                     ProxyAddress = ProxyUrl,
                     ProxyUsername = ProxyUsername,
                     ProxyPassword = ProxyPassword,
-                    WebProxy = new AgentWebProxy(proxyUrl, ProxyUsername, ProxyPassword, null)
+                    UseBasicAuthForProxy = UseBasicAuthForProxy,
+                    WebProxy = new AgentWebProxy(ProxyUrl, ProxyUsername, ProxyPassword, null, UseBasicAuthForProxy)
                 };
             }
             else