Fix authentication failures for inherited partial clone repositories during checkout (#5294)

raujaiswal · azure-pipelines-bot · web-flow · commit 9e21cafedb47 · 2025-08-25T11:10:26.000+05:30
* Add promisor remote detection for partial clone authentication

* Clean up excessive debug logging and verbose comments in GitSourceProvider

* Enhance partial clone detection with comprehensive config checks and improved debug logging

* Update partial clone detection

* Add enhanced partial clone detection with new feature flag while preserving legacy behavior

---------

Co-authored-by: azure-pipelines-bot &lt;azure-pipelines-bot@microsoft.com&gt;
diff --git a/src/Agent.Plugins/GitSourceProvider.cs b/src/Agent.Plugins/GitSourceProvider.cs
@@ -799,7 +799,39 @@ public async Task GetSourceAsync(
                     string args = ComposeGitArgs(executionContext, gitCommandManager, configKey, username, password, useBearerAuthType);
                     additionalFetchArgs.Add(args);
 
-                    if (additionalFetchFilterOptions.Any() && AgentKnobs.AddForceCredentialsToGitCheckout.GetValue(executionContext).AsBoolean())
+                    // Partial Clone Credential Handling:
+                    // Two feature flags control when credentials are added to git checkout for partial clones:
+                    // 1. AddForceCredentialsToGitCheckout (legacy): Only checks explicit fetch filters
+                    // 2. AddForceCredentialsToGitCheckoutEnhanced (new): Checks both explicit filters AND inherited partial clone config
+                    // The enhanced flag takes precedence when both are enabled.
+                    bool hasExplicitFetchFilter = additionalFetchFilterOptions.Any();
+                    bool forceCredentialsLegacyEnabled = AgentKnobs.AddForceCredentialsToGitCheckout.GetValue(executionContext).AsBoolean();
+                    bool forceCredentialsEnhancedEnabled = AgentKnobs.AddForceCredentialsToGitCheckoutEnhanced.GetValue(executionContext).AsBoolean();
+
+                    bool shouldAddCredentials = false;
+ 
+                    // Enhanced behavior takes precedence - checks both explicit filters and promisor remote configuration
+                    if (forceCredentialsEnhancedEnabled)
+                    {
+                        // Enhanced detection: check for inherited partial clone configuration via git config
+                        bool hasInheritedPartialCloneConfig = await IsPartialCloneRepository(executionContext, gitCommandManager, targetPath);
+                        executionContext.Debug($"Enhanced partial clone detection - ExplicitFilter: {hasExplicitFetchFilter}, InheritedConfig: {hasInheritedPartialCloneConfig}, ForceCredentialsEnhanced: {forceCredentialsEnhancedEnabled}");
+                        if (hasExplicitFetchFilter || hasInheritedPartialCloneConfig)
+                        {
+                            executionContext.Debug("Adding credentials to checkout due to enhanced partial clone detection");
+                            shouldAddCredentials = true;
+                        }
+                    }
+                    else if (forceCredentialsLegacyEnabled && hasExplicitFetchFilter)
+                    {
+                        // Legacy behavior: only check explicit fetch filter, used when enhanced flag is disabled
+                        executionContext.Debug($"Legacy partial clone detection - ExplicitFilter: {hasExplicitFetchFilter}, ForceCredentials: {forceCredentialsLegacyEnabled}");
+                        executionContext.Debug("Adding credentials to checkout due to explicit fetch filter and legacy force credentials knob");
+                        shouldAddCredentials = true;
+                    }
+
+                    // Apply credentials to checkout if either feature flag condition was satisfied
+                    if (shouldAddCredentials)
                     {
                         additionalCheckoutArgs.Add(args);
                     }
@@ -1530,6 +1562,41 @@ private IEnumerable<string> ParseFetchFilterOptions(AgentTaskPluginExecutionCont
             return filters;
         }
 
+        private async Task<bool> IsPartialCloneRepository(AgentTaskPluginExecutionContext executionContext, GitCliManager gitCommandManager, string targetPath)
+        {
+            try
+            {
+                // Skip check if .git directory doesn't exist (not a Git repository)
+                string gitDir = Path.Combine(targetPath, ".git");
+                if (!Directory.Exists(gitDir))
+                {
+                    executionContext.Debug("Not a Git repository: .git directory does not exist");
+                    return false;
+                }
+
+                // Check for promisor remote configuration (primary indicator)
+                if (await gitCommandManager.GitConfigExist(executionContext, targetPath, "remote.origin.promisor"))
+                {
+                    executionContext.Debug("Detected partial clone: remote.origin.promisor exists");
+                    return true;
+                }
+
+                // Check for partial clone filter configuration (secondary indicator)
+                if (await gitCommandManager.GitConfigExist(executionContext, targetPath, "remote.origin.partialclonefilter"))
+                {
+                    executionContext.Debug("Detected partial clone: remote.origin.partialclonefilter exists");
+                    return true;
+                }
+                return false;
+            }
+            catch (Exception ex)
+            {
+                // Default to false on detection failure to avoid breaking builds
+                executionContext.Debug($"Failed to detect partial clone state: {ex.Message}");
+                return false;
+            }
+        }
+
         private async Task RunGitStatusIfSystemDebug(AgentTaskPluginExecutionContext executionContext, GitCliManager gitCommandManager, string targetPath)
         {
             if (executionContext.IsSystemDebugTrue())
diff --git a/src/Agent.Sdk/Knob/AgentKnobs.cs b/src/Agent.Sdk/Knob/AgentKnobs.cs
@@ -800,6 +800,13 @@ public class AgentKnobs
             new PipelineFeatureSource(nameof(AddForceCredentialsToGitCheckout)),
             new BuiltInDefaultKnobSource("false"));
 
+        public static readonly Knob AddForceCredentialsToGitCheckoutEnhanced = new Knob(
+            nameof(AddForceCredentialsToGitCheckoutEnhanced),
+            "If true, the credentials will be added to Git checkout for partial clones with enhanced detection including promisor remote config.",
+            new RuntimeKnobSource("ADD_FORCE_CREDENTIALS_TO_GIT_CHECKOUT_ENHANCED"),
+            new PipelineFeatureSource(nameof(AddForceCredentialsToGitCheckoutEnhanced)),
+            new BuiltInDefaultKnobSource("false"));
+
         public static readonly Knob InstallLegacyTfExe = new Knob(
             nameof(InstallLegacyTfExe),
             "If true, the agent will install the legacy versions of TF, vstsom and vstshost",
