From 5d9296e0b9ce5dbd503871f7d9ca5a8cca4eab83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20B=C3=A4urle?= <simonbaeurle@outlook.de>
Date: Tue, 31 Oct 2023 17:15:18 +0100
Subject: [PATCH] fix(manager/nuget): Enforce basic authentication for NuGet
 restore command (#25502)

---
 docs/usage/nuget.md                                |  1 +
 lib/modules/manager/nuget/config-formatter.spec.ts | 14 ++++++++++++++
 lib/modules/manager/nuget/config-formatter.ts      |  2 ++
 3 files changed, 17 insertions(+)

diff --git a/docs/usage/nuget.md b/docs/usage/nuget.md
index 26c954ef22..49a4b0c2ea 100644
--- a/docs/usage/nuget.md
+++ b/docs/usage/nuget.md
@@ -113,6 +113,7 @@ If you're using Azure DevOps, you can set `matchHost` to `pkgs.dev.azure.com`.
 !!! note
     Only Basic HTTP authentication (via username and password) is supported.
     For Azure DevOps, you can use a PAT with `read` permissions on `Packaging` plus an empty username.
+    The generated `nuget.config` enforces basic authentication and cannot be overridden externally!
 
 ## Future work
 
diff --git a/lib/modules/manager/nuget/config-formatter.spec.ts b/lib/modules/manager/nuget/config-formatter.spec.ts
index 1912efab47..edd1bcb01b 100644
--- a/lib/modules/manager/nuget/config-formatter.spec.ts
+++ b/lib/modules/manager/nuget/config-formatter.spec.ts
@@ -112,6 +112,13 @@ describe('modules/manager/nuget/config-formatter', () => {
           ?.attr['value']
       ).toBe('some-password');
 
+      expect(
+        myRegistryCredentials?.childWithAttribute(
+          'key',
+          'ValidAuthenticationTypes'
+        )?.attr['value']
+      ).toBe('basic');
+
       const myRegistry2Credentials = xmlDocument.descendantWithPath(
         'packageSourceCredentials.myRegistry2'
       );
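Review bot: Both added assertions (this one and the matching one for `myRegistry2` in the next hunk) check `ValidAuthenticationTypes` only on registries that have both a username and a password. The formatter hunk in this commit appends the key after the `if` that guards `ClearTextPassword`, so it appears to be emitted for credential elements without a password as well, and no assertion pins that case. An extra `expect(...).toBe('basic')` on a registry configured without a password would cover it. The enclosing `it(...)` block and its fixture start outside this hunk, so whether such a registry already exists in the test data is not visible here.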
@@ -122,6 +129,13 @@ describe('modules/manager/nuget/config-formatter', () => {
         myRegistry2Credentials?.childWithAttribute('key', 'ClearTextPassword')
           ?.attr['value']
       ).toBe('some-password');
+
+      expect(
+        myRegistry2Credentials?.childWithAttribute(
+          'key',
+          'ValidAuthenticationTypes'
+        )?.attr['value']
+      ).toBe('basic');
     });
 
     it('escapes registry credential names containing special characters', () => {
diff --git a/lib/modules/manager/nuget/config-formatter.ts b/lib/modules/manager/nuget/config-formatter.ts
index 0027775884..9f5355fc77 100644
--- a/lib/modules/manager/nuget/config-formatter.ts
+++ b/lib/modules/manager/nuget/config-formatter.ts
@@ -98,6 +98,8 @@ function formatPackageSourceCredentialElement(
     packageSourceCredential += `<add key="ClearTextPassword" value="${credential.password}" />\n`;
   }
 
+  packageSourceCredential += `<add key="ValidAuthenticationTypes" value="basic" />`;
+
   packageSourceCredential += `</${escapedName}>\n`;
 
   return packageSourceCredential;
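Review bot: The added `ValidAuthenticationTypes` line is appended without the trailing `\n` that the `ClearTextPassword` line above and the closing tag below both carry, so the generated `nuget.config` puts it on the same line as `</name>`; ending the literal with `value="basic" />\n` keeps the output consistent. The line also has no comment saying why the type is pinned, so I would add something like `// Restrict NuGet to basic auth so it only uses the credentials written here` if that is the intent. Because basic authentication sends the stored password with each request to the source, it is worth confirming that credentialed sources are required to use `https`; nothing in this hunk shows that check. The body of `formatPackageSourceCredentialElement` starts outside the hunk.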
-- 
GitLab