[BUG]: CargoAuthenticate task has incorrect Uri validation when using cargoServiceConnections input

[LWSimpkins]

New issue checklist

• I searched for existing GitHub issues
• I read pipeline troubleshooting guide
• I checked how to collect logs

Task name

CargoAuthenticate

Task version

0

Issue Description

Expected:

• When using the CargoAuthenticate@0 task with the cargoServiceConnections input, it will use the cargo service connection to the external feed in a different Azure DevOps organization

Actual:

• There is a Uri validation step that compares the host from my organization (where the pipeline is) against the external feed in a different Azure DevOps organization (from the config.toml file). These may not match, and the validation fails. The external feed is not authenticated.

---

Snippet from: https://github.com/microsoft/azure-pipelines-tasks/blob/master/Tasks/CargoAuthenticateV0/cargoauthenticatemain.ts#L45-L60

        let packagingLocation: pkgLocationUtils.PackagingLocation;
        try {
            packagingLocation = await pkgLocationUtils.getPackagingUris(pkgLocationUtils.ProtocolType.Cargo);
            ...
        }

        const collectionHosts = packagingLocation.PackagingUris.map((pkgUrl: string) => { ... });

Specifically, pkgLocationUtils.getPackagingUris gets the System.TeamFoundationCollectionUri of my organization:

Log: ##[debug]System.TeamFoundationCollectionUri=https://dev.azure.com/ORG_A/

and generates a list of packaging Uris for that collection:

Log: ##[debug]{"PackagingUris":["https://dev.azure.com/ORG_A/","https://pkgs.dev.azure.com/ORG_A/","https://pkgsprodcus1.pkgs.visualstudio.com/","https://pkgs.dev.azure.com/ORG_A/","https://ORG_A.pkgs.visualstudio.com/","https://pkgs.dev.azure.com/ORG_A/"],"DefaultPackagingUri":"https://pkgs.dev.azure.com/ORG_A/"}

Then the hosts are extracted into array collectionHosts. This is used in https://github.com/microsoft/azure-pipelines-tasks/blob/master/Tasks/CargoAuthenticateV0/cargoauthenticatemain.ts#L127-L131 where isValidRegistry compares the hosts of the registries in config.toml file against collectionHosts.

        for (let registry of Object.keys(result.registries)) {
            const registryUrlStr = url.parse(result.registries[registry].index.replace("sparse+", "")).href;
            const [registryUrl, tokenName, credProviderName, connectionType] = setRegistryVars(registryUrlStr, registry);

            if (isValidRegistry(registryUrl, collectionHosts, connectionType)) {
              ...

I am using cargoServiceConnections task input since the registries are in different organizations. For example, the config.toml file might be:

[registries]
FEED_NAME = { index = "sparse+https://ORG_B.pkgs.visualstudio.com/PROJECT/_packaging/FEED_NAME/Cargo/index/" }

[source.crates-io]
replace-with = "FEED_NAME"

Which means host ORG_B.pkgs.visualstudio.com does not match host ORG_A.pkgs.visualstudio.com from collectionHosts, so isValidRegistry is false, and the CargoAuthenticate@0 task fails to connect to the external feed even though everything is configured properly in terms of the service connection.

Environment type (Please select at least one enviroment where you face this issue)

• Self-Hosted
• Microsoft Hosted
• VMSS Pool
• Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

Ubuntu 22.04.5

Relevant log output

Adding authentication for registry listed in this config.toml file at /mnt/vss/_work/1/s/analyze-directory/.cargo/config.toml
##[debug]System.TeamFoundationCollectionUri=https://dev.azure.com/ORG_A/
##[debug]{"PackagingUris":["https://dev.azure.com/ORG_A/","https://pkgs.dev.azure.com/ORG_A/","https://pkgsprodcus1.pkgs.visualstudio.com/","https://pkgs.dev.azure.com/ORG_A/","https://ORG_A.pkgs.visualstudio.com/","https://pkgs.dev.azure.com/ORG_A/"],"DefaultPackagingUri":"https://pkgs.dev.azure.com/ORG_A/"}
Authenticated 0 internal feeds, 0 external repos, and 0 federated service connections

Full task logs with system.debug enabled

 2024-12-30T05:05:17.8289254Z ##[debug]Evaluating condition for step: 'Authenticate with Azure Artifacts'
2024-12-30T05:05:17.8290108Z ##[debug]Evaluating: eq(variables['RUST_EXISTS'], True)
2024-12-30T05:05:17.8290381Z ##[debug]Evaluating eq:
2024-12-30T05:05:17.8290591Z ##[debug]..Evaluating indexer:
2024-12-30T05:05:17.8290801Z ##[debug]....Evaluating variables:
2024-12-30T05:05:17.8291211Z ##[debug]....=> Object
2024-12-30T05:05:17.8291404Z ##[debug]....Evaluating String:
2024-12-30T05:05:17.8291623Z ##[debug]....=> 'RUST_EXISTS'
2024-12-30T05:05:17.8291913Z ##[debug]..=> 'true'
2024-12-30T05:05:17.8292110Z ##[debug]..Evaluating Boolean:
2024-12-30T05:05:17.8292275Z ##[debug]..=> True
2024-12-30T05:05:17.8292458Z ##[debug]..=> 'True'
2024-12-30T05:05:17.8292597Z ##[debug]=> True
2024-12-30T05:05:17.8292936Z ##[debug]Expanded: eq('true', True)
2024-12-30T05:05:17.8293194Z ##[debug]Result: True
2024-12-30T05:05:17.8293444Z ##[section]Starting: Authenticate with Azure Artifacts
2024-12-30T05:05:17.8297176Z ==============================================================================
2024-12-30T05:05:17.8297315Z Task         : Cargo authenticate (for task runners)
2024-12-30T05:05:17.8297400Z Description  : Authentication task for the cargo client used for installing Cargo crates distribution
2024-12-30T05:05:17.8297656Z Version      : 0.247.4
2024-12-30T05:05:17.8297723Z Author       : Microsoft Corporation
2024-12-30T05:05:17.8297791Z Help         : 
2024-12-30T05:05:17.8297850Z ==============================================================================
2024-12-30T05:05:17.8720186Z ##[debug]Using node path: /usr/local/vss-agent/3.248.0/externals/node20_1/bin/node
2024-12-30T05:05:17.9244752Z ##[debug]system.debug=true
2024-12-30T05:05:17.9246065Z ##[debug]DistributedTask.Tasks.Node.SkipDebugLogsWhenDebugModeOff=True
2024-12-30T05:05:17.9280397Z ##[debug]agent.TempDirectory=/mnt/vss/_work/_temp
2024-12-30T05:05:17.9285992Z ##[debug]loading inputs and endpoints
2024-12-30T05:05:17.9289317Z ##[debug]loading INPUT_CONFIGFILE
2024-12-30T05:05:17.9301998Z ##[debug]loading INPUT_CARGOSERVICECONNECTIONS
2024-12-30T05:05:17.9303244Z ##[debug]loading ENDPOINT_AUTH_service-connection1-redacted
2024-12-30T05:05:17.9304422Z ##[debug]loading ENDPOINT_AUTH_SCHEME_service-connection1-redacted
2024-12-30T05:05:17.9305533Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_service-connection1-redacted_USERNAME
2024-12-30T05:05:17.9306896Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_service-connection1-redacted_PASSWORD
2024-12-30T05:05:17.9308075Z ##[debug]loading ENDPOINT_AUTH_service-connection2-redacted
2024-12-30T05:05:17.9310007Z ##[debug]loading ENDPOINT_AUTH_SCHEME_service-connection2-redacted
2024-12-30T05:05:17.9310969Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_service-connection2-redacted_USERNAME
2024-12-30T05:05:17.9313604Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_service-connection2-redacted_PASSWORD
2024-12-30T05:05:17.9314905Z ##[debug]loading ENDPOINT_AUTH_service-connection3-redacted
2024-12-30T05:05:17.9317286Z ##[debug]loading ENDPOINT_AUTH_SCHEME_service-connection3-redacted
2024-12-30T05:05:17.9318569Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_service-connection3-redacted_USERNAME
2024-12-30T05:05:17.9320573Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_service-connection3-redacted_PASSWORD
2024-12-30T05:05:17.9322117Z ##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
2024-12-30T05:05:17.9323611Z ##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
2024-12-30T05:05:17.9325294Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
2024-12-30T05:05:17.9331202Z ##[debug]loading SECRET_CONNECTION_STRING
2024-12-30T05:05:17.9333997Z ##[debug]loading SECRET_NEW_***
2024-12-30T05:05:17.9335263Z ##[debug]loading SECRET_SYSTEM_ACCESSTOKEN
2024-12-30T05:05:17.9336647Z ##[debug]loading SECRET_INSTRUMENTATION_KEY
2024-12-30T05:05:17.9339088Z ##[debug]loaded 21
2024-12-30T05:05:17.9343204Z ##[debug]Agent.ProxyUrl=undefined
2024-12-30T05:05:17.9343933Z ##[debug]Agent.CAInfo=undefined
2024-12-30T05:05:17.9344905Z ##[debug]Agent.ClientCert=undefined
2024-12-30T05:05:17.9345569Z ##[debug]Agent.SkipCertValidation=undefined
2024-12-30T05:05:18.0058752Z ##[debug]check path : /mnt/vss/_work/_tasks/CargoAuthenticate_d1d75615-084d-4b9b-91a5-068b5f8c95a9/0.247.4/node_modules/azure-pipelines-tasks-packaging-common/module.json
2024-12-30T05:05:18.0060309Z ##[debug]adding resource file: /mnt/vss/_work/_tasks/CargoAuthenticate_d1d75615-084d-4b9b-91a5-068b5f8c95a9/0.247.4/node_modules/azure-pipelines-tasks-packaging-common/module.json
2024-12-30T05:05:18.0061217Z ##[debug]system.culture=en-US
2024-12-30T05:05:18.0079938Z ##[debug]check path : /mnt/vss/_work/_tasks/CargoAuthenticate_d1d75615-084d-4b9b-91a5-068b5f8c95a9/0.247.4/node_modules/azure-pipelines-tasks-artifacts-common/module.json
2024-12-30T05:05:18.0080791Z ##[debug]adding resource file: /mnt/vss/_work/_tasks/CargoAuthenticate_d1d75615-084d-4b9b-91a5-068b5f8c95a9/0.247.4/node_modules/azure-pipelines-tasks-artifacts-common/module.json
2024-12-30T05:05:18.0081259Z ##[debug]system.culture=en-US
2024-12-30T05:05:18.0105369Z ##[debug]check path : /mnt/vss/_work/_tasks/CargoAuthenticate_d1d75615-084d-4b9b-91a5-068b5f8c95a9/0.247.4/task.json
2024-12-30T05:05:18.0106416Z ##[debug]adding resource file: /mnt/vss/_work/_tasks/CargoAuthenticate_d1d75615-084d-4b9b-91a5-068b5f8c95a9/0.247.4/task.json
2024-12-30T05:05:18.0106894Z ##[debug]system.culture=en-US
2024-12-30T05:05:18.0113408Z ##[debug]configFile=/mnt/vss/_work/1/s/analyze-directory/.cargo/config.toml
2024-12-30T05:05:18.0122177Z Adding authentication for registry listed in this config.toml file at /mnt/vss/_work/1/s/analyze-directory/.cargo/config.toml
2024-12-30T05:05:18.0170946Z ##[debug]Getting Packaging service access points
2024-12-30T05:05:18.0171772Z ##[debug]System.TeamFoundationCollectionUri=https://dev.azure.com/ORG_A/
2024-12-30T05:05:18.0172538Z ##[debug]System.ServerType=Hosted
2024-12-30T05:05:18.0173105Z ##[debug]Getting credentials for local feeds
2024-12-30T05:05:18.0173820Z ##[debug]SYSTEMVSSCONNECTION exists true
2024-12-30T05:05:18.0174540Z ##[debug]Got auth token, setting it as secret so it does not print in console log
2024-12-30T05:05:18.0177325Z ##[debug]Processed: ##vso[task.setsecret]***
2024-12-30T05:05:18.0177884Z ##[debug]System.ServerType=Hosted
2024-12-30T05:05:18.0178231Z ##[debug]Agent.ProxyUrl=undefined
2024-12-30T05:05:18.0188735Z ##[debug]Created webApi client for https://dev.azure.com/ORG_A/; options: {"proxy":null,"allowRetries":true,"maxRetries":5,"ignoreSslError":false}
2024-12-30T05:05:18.0195370Z ##[debug]Getting URI for area ID REDACTED from https://dev.azure.com/ORG_A/
2024-12-30T05:05:18.2595124Z ##[debug]Found resource area with locationUrl: https://pkgs.dev.azure.com/ORG_A/
2024-12-30T05:05:18.2595944Z ##[debug]Found serviceUri: https://pkgs.dev.azure.com/ORG_A/
2024-12-30T05:05:18.2596671Z ##[debug]Getting credentials for local feeds
2024-12-30T05:05:18.2597399Z ##[debug]SYSTEMVSSCONNECTION exists true
2024-12-30T05:05:18.2598162Z ##[debug]Got auth token, setting it as secret so it does not print in console log
2024-12-30T05:05:18.2600790Z ##[debug]Processed: ##vso[task.setsecret]***
2024-12-30T05:05:18.2601186Z ##[debug]Agent.ProxyUrl=undefined
2024-12-30T05:05:18.2601657Z ##[debug]Created webApi client for https://pkgs.dev.azure.com/ORG_A/; options: {"proxy":null,"allowRetries":true,"maxRetries":5,"ignoreSslError":false}
2024-12-30T05:05:18.2602083Z ##[debug]Acquiring Packaging endpoints...
2024-12-30T05:05:18.4061368Z ##[debug]Successfully acquired the connection data
2024-12-30T05:05:18.4062016Z ##[debug]Acquired location
2024-12-30T05:05:18.4062833Z ##[debug]{"PackagingUris":["https://dev.azure.com/ORG_A/","https://pkgs.dev.azure.com/ORG_A/","https://pkgsprodcus1.pkgs.visualstudio.com/","https://pkgs.dev.azure.com/ORG_A/","https://ORG_A.pkgs.visualstudio.com/","https://pkgs.dev.azure.com/ORG_A/"],"DefaultPackagingUri":"https://pkgs.dev.azure.com/ORG_A/"}
2024-12-30T05:05:18.4066439Z ##[debug]System.AccessToken=***
2024-12-30T05:05:18.4067372Z ##[debug]cargoServiceConnections=service-connection1-redacted,service-connection2-redacted,service-connection3-redacted
2024-12-30T05:05:18.4068457Z ##[debug]service-connection1-redacted=https://pkgs.dev.azure.com/ORG_B/project-redacted/_packaging/feed-redacted/Cargo/index/
2024-12-30T05:05:18.4069422Z ##[debug]service-connection1-redacted exists true
2024-12-30T05:05:18.4070977Z ##[debug]service-connection1-redacted auth scheme = UsernamePassword
2024-12-30T05:05:18.4071924Z ##[debug]Found username/password service connection for package source https://pkgs.dev.azure.com/ORG_B/project-redacted/_packaging/feed-redacted/Cargo/index/
2024-12-30T05:05:18.4072855Z ##[debug]service-connection2-redacted=https://ORG_B.pkgs.visualstudio.com/project-redacted/_packaging/feed-redacted/Cargo/index/
2024-12-30T05:05:18.4073543Z ##[debug]service-connection2-redacted exists true
2024-12-30T05:05:18.4074491Z ##[debug]service-connection2-redacted auth scheme = UsernamePassword
2024-12-30T05:05:18.4075254Z ##[debug]Found username/password service connection for package source https://ORG_B.pkgs.visualstudio.com/project-redacted/_packaging/feed-redacted/Cargo/index/
2024-12-30T05:05:18.4076046Z ##[debug]service-connection3-redacted=https://ORG_B.pkgs.visualstudio.com/project-redacted/_packaging/feed-redacted/Cargo/index/
2024-12-30T05:05:18.4076809Z ##[debug]service-connection3-redacted exists true
2024-12-30T05:05:18.4077538Z ##[debug]service-connection3-redacted auth scheme = UsernamePassword
2024-12-30T05:05:18.4078282Z ##[debug]Found username/password service connection for package source https://ORG_B.pkgs.visualstudio.com/project-redacted/_packaging/feed-redacted/Cargo/index/
2024-12-30T05:05:18.4079530Z ##[debug]CARGO_REGISTRIES_feed-redacted_TOKEN=undefined
2024-12-30T05:05:18.4081589Z Authenticated 0 internal feeds, 0 external repos, and 0 federated service connections
2024-12-30T05:05:18.4082912Z ##[debug]Agent.Version=3.248.0
2024-12-30T05:05:18.4085491Z ##[debug]SYSTEM_TASKINSTANCEID=REDACTED
2024-12-30T05:05:18.4086120Z ##[debug]SYSTEM_JOBID=REDACTED
2024-12-30T05:05:18.4086692Z ##[debug]SYSTEM_PLANID=REDACTED
2024-12-30T05:05:18.4087269Z ##[debug]SYSTEM_COLLECTIONID=REDACTED
2024-12-30T05:05:18.4087864Z ##[debug]SYSTEM_PULLREQUEST_ISFORK=False
2024-12-30T05:05:18.4088351Z ##[debug]AGENT_ID=103
2024-12-30T05:05:18.4088682Z ##[debug]AGENT_MACHINENAME=1fc8dacec000000
2024-12-30T05:05:18.4089011Z ##[debug]AGENT_NAME=redacted 2
2024-12-30T05:05:18.4089321Z ##[debug]AGENT_JOBSTATUS=Succeeded
2024-12-30T05:05:18.4089623Z ##[debug]AGENT_OS=Linux
2024-12-30T05:05:18.4089928Z ##[debug]AGENT_OSARCHITECTURE=X64
2024-12-30T05:05:18.4090230Z ##[debug]AGENT_VERSION=3.248.0
2024-12-30T05:05:18.4090522Z ##[debug]BUILD_BUILDID=65611
2024-12-30T05:05:18.4090835Z ##[debug]BUILD_BUILDNUMBER=20241230.5
2024-12-30T05:05:18.4091145Z ##[debug]BUILD_BUILDURI=vstfs:///Build/Build/65611
2024-12-30T05:05:18.4091464Z ##[debug]BUILD_CONTAINERID=31944809
2024-12-30T05:05:18.4091780Z ##[debug]BUILD_DEFINITIONNAME=REDACTED
2024-12-30T05:05:18.4092095Z ##[debug]BUILD_DEFINITIONVERSION=15
2024-12-30T05:05:18.4092400Z ##[debug]BUILD_REASON=Manual
2024-12-30T05:05:18.4246489Z ##[debug]Processed: ##vso[telemetry.publish area=Packaging;feature=CargoAuthenticateV0]{"SYSTEM_TASKINSTANCEID":"REDACTED","SYSTEM_JOBID":"REDACTED","SYSTEM_PLANID":"REDACTED","SYSTEM_COLLECTIONID":"REDACTED","SYSTEM_PULLREQUEST_ISFORK":"False","AGENT_ID":"103","AGENT_MACHINENAME":"1fc8dacec000000","AGENT_NAME":"redacted","AGENT_JOBSTATUS":"Succeeded","AGENT_OS":"Linux","AGENT_OSARCHITECTURE":"X64","AGENT_VERSION":"3.248.0","BUILD_BUILDID":"65611","BUILD_BUILDNUMBER":"20241230.5","BUILD_BUILDURI":"vstfs:///Build/Build/65611","BUILD_CONTAINERID":"31944809","BUILD_DEFINITIONNAME":"REDACTED","BUILD_DEFINITIONVERSION":"15","BUILD_REASON":"Manual","InternalFeedAuthCount":0,"ExternalFeedAuthCount":0,"FederatedConnectionAuthCount":0}
2024-12-30T05:05:18.4249382Z ##[section]Finishing: Authenticate with Azure Artifacts 

Repro steps

trigger: none

resources:
  repositories:
  - repository: repo1
    type: git
    name: Project1/Repo1
    endpoint: ORG_B_ServiceConnection
  - repository: repo2
    type: git
    name: Project1/Repo2
    endpoint: ORG_B_ServiceConnection
  - repository: repo3
    type: git
    name: Project2/Repo3
    endpoint: ORG_C_ServiceConnection

jobs:
- job: job1
  pool:
    vmImage: ubuntu-latest
  strategy:
    matrix:
      repo1:
        repository_name: 'repo1'
      repo2:
        repository_name: 'repo2'
      repo3:
        repository_name: 'repo3'
  steps:
  - checkout: self
  - checkout: $(repository_name)
    path: analyze-directory
  # task to install rust
  - task: CargoAuthenticate@0
    inputs:
      configFile: 'analyze-directory/.cargo/config.toml'
      cargoServiceConnections: 'service-connection1-redacted, service-connection2-redacted, service-connection3-redacted'
    displayName: Authenticate with Azure Artifacts

[github-actions]

In order to consolidate to fewer feedback channels, we've moved suggestions and issue reporting to Developer Community.