Add support for sending X5C when using a service principal with certificate for authentication

VERSION

@@ -1 +1 @@
-2.5.1.0
+2.5.1.1

src/shared/Core/Authentication/MicrosoftAuthentication.cs

@@ -92,6 +92,11 @@ public class ServicePrincipalIdentity
         /// If both <see cref="Certificate"/> and <see cref="ClientSecret"/> are set, the certificate will be used.
         /// </remarks>
         public string ClientSecret { get; set; }
+
+        /// <summary>
+        /// Whether the authentication should send X5C
+        /// </summary>
+        public bool SendX5C { get; set; }
     }
 
     public interface IMicrosoftAuthenticationResult
@@ -269,12 +274,14 @@ public async Task<IMicrosoftAuthenticationResult> GetTokenForServicePrincipalAsy
 
             try
             {
-                AuthenticationResult result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
+                Context.Trace.WriteLine($"Sending with X5C: '{sp.SendX5C}'.");
+                AuthenticationResult result = await app.AcquireTokenForClient(scopes).WithSendX5C(sp.SendX5C).ExecuteAsync();;
+
                 return new MsalResult(result);
             }
             catch (Exception ex)
             {
-                Context.Trace.WriteLine($"Failed to acquire token for service principal '{sp.TenantId}/{sp.TenantId}'.");
+                Context.Trace.WriteLine($"Failed to acquire token for service principal '{sp.TenantId}/{sp.Id}'.");
                 Context.Trace.WriteException(ex);
                 throw;
             }

src/shared/Microsoft.AzureRepos/AzureDevOpsConstants.cs

@@ -44,6 +44,7 @@ public static class EnvironmentVariables
             public const string ServicePrincipalId = "GCM_AZREPOS_SERVICE_PRINCIPAL";
             public const string ServicePrincipalSecret = "GCM_AZREPOS_SP_SECRET";
             public const string ServicePrincipalCertificateThumbprint = "GCM_AZREPOS_SP_CERT_THUMBPRINT";
+            public const string ServicePrincipalCertificateSendX5C = "GCM_AZREPOS_SP_CERT_SEND_X5C";
             public const string ManagedIdentity = "GCM_AZREPOS_MANAGEDIDENTITY";
         }
 
@@ -59,6 +60,7 @@ public static class Credential
                 public const string ServicePrincipal = "azreposServicePrincipal";
                 public const string ServicePrincipalSecret = "azreposServicePrincipalSecret";
                 public const string ServicePrincipalCertificateThumbprint = "azreposServicePrincipalCertificateThumbprint";
+                public const string ServicePrincipalCertificateSendX5C = "azreposServicePrincipalCertificateSendX5C";
                 public const string ManagedIdentity = "azreposManagedIdentity";
             }
         }

src/shared/Microsoft.AzureRepos/AzureReposHostProvider.cs

@@ -549,6 +549,14 @@ private bool UseServicePrincipal(out ServicePrincipalIdentity sp)
 
             if (hasCertThumbprint)
             {
+                bool hasX5CSetting = _context.Settings.TryGetSetting(
+                    AzureDevOpsConstants.EnvironmentVariables.ServicePrincipalCertificateSendX5C,
+                    Constants.GitConfiguration.Credential.SectionName,
+                    AzureDevOpsConstants.GitConfiguration.Credential.ServicePrincipalCertificateSendX5C,
+                    out string certHasX5C);
+
+                sp.SendX5C = !hasX5CSetting || certHasX5C != "false";
+
                 X509Certificate2 cert = X509Utils.GetCertificateByThumbprint(certThumbprint);
                 if (cert is null)
                 {