Merge pull request #69 from Azure-Samples/bogavril/fix68

Fix issuer validatation bug 68 and introduce unit tests

Author: bgavrilMS

Microsoft.Identity.Web.Test/AadIssuerValidatorTests.cs

@@ -0,0 +1,140 @@
+using Microsoft.Identity.Web.Resource;
+using Microsoft.IdentityModel.Tokens;
+using System;
+using System.Collections.Generic;
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using Xunit;
+
+namespace Microsoft.Identity.Web.Test
+{
+    public class AadIssuerValidatorTests
+    {
+        private const string Tid = "9188040d-6c67-4c5b-b112-36a304b66dad";
+        private static readonly string Iss = $"https://login.microsoftonline.com/{Tid}/v2.0";
+        private static readonly IEnumerable<string> s_aliases = new[] { "login.microsoftonline.com", "sts.windows.net" };
+
+        [Fact]
+        public void NullArg()
+        {
+            // Arrange
+            AadIssuerValidator validator = new AadIssuerValidator(s_aliases);
+            var jwtSecurityToken = new JwtSecurityToken();
+            var validationParams = new TokenValidationParameters();
+
+            // Act and Assert
+            Assert.Throws<ArgumentNullException>(() => validator.Validate(null, jwtSecurityToken, validationParams));
+            Assert.Throws<ArgumentNullException>(() => validator.Validate("", jwtSecurityToken, validationParams));
+            Assert.Throws<ArgumentNullException>(() => validator.Validate(Iss, null, validationParams));
+            Assert.Throws<ArgumentNullException>(() => validator.Validate(Iss, jwtSecurityToken, null));
+        }
+
+        [Fact]
+        public void PassingValidation()
+        {
+            // Arrange
+            AadIssuerValidator validator = new AadIssuerValidator(s_aliases);
+            Claim issClaim = new Claim("tid", Tid);
+            Claim tidClaim = new Claim("iss", Iss);
+            JwtSecurityToken jwtSecurityToken = new JwtSecurityToken(issuer: Iss, claims: new[] { issClaim, tidClaim });
+
+            // Act & Assert
+            validator.Validate(Iss, jwtSecurityToken,
+                new TokenValidationParameters() { ValidIssuers = new[] { "https://login.microsoftonline.com/{tenantid}/v2.0" } });
+        }
+
+
+        [Fact]
+        public void TokenValidationParameters_ValidIssuer()
+        {
+            // Arrange
+            AadIssuerValidator validator = new AadIssuerValidator(s_aliases);
+            Claim issClaim = new Claim("tid", Tid);
+            Claim tidClaim = new Claim("iss", Iss);
+            JwtSecurityToken jwtSecurityToken = new JwtSecurityToken(issuer: Iss, claims: new[] { issClaim, tidClaim });
+
+            // Act & Assert
+            validator.Validate(Iss, jwtSecurityToken,
+                new TokenValidationParameters() { ValidIssuer = "https://login.microsoftonline.com/{tenantid}/v2.0" });
+        }
+
+        [Fact]
+        public void ValidationFails_NoTidClaimInJwt()
+        {
+            // Arrange
+            AadIssuerValidator validator = new AadIssuerValidator(s_aliases);
+            Claim issClaim = new Claim("iss", Iss);
+
+            JwtSecurityToken noTidJwt = new JwtSecurityToken(issuer: Iss, claims: new[] { issClaim });
+
+            // Act & Assert
+            Assert.Throws<SecurityTokenInvalidIssuerException>(() =>
+                validator.Validate(
+                    Iss,
+                    noTidJwt,
+                    new TokenValidationParameters() { ValidIssuers = new[] { "https://login.microsoftonline.com/{tenantid}/v2.0" } }));
+        }
+
+        [Fact]
+        public void ValidationFails_BadTidClaimInJwt()
+        {
+            // Arrange
+            AadIssuerValidator validator = new AadIssuerValidator(s_aliases);
+            Claim issClaim = new Claim("iss", Iss);
+            Claim tidClaim = new Claim("tid", "9188040d-0000-4c5b-b112-36a304b66dad");
+
+            JwtSecurityToken noTidJwt = new JwtSecurityToken(issuer: Iss, claims: new[] { issClaim, tidClaim });
+
+            // Act & Assert
+            Assert.Throws<SecurityTokenInvalidIssuerException>(() =>
+                validator.Validate(
+                    Iss,
+                    noTidJwt,
+                    new TokenValidationParameters() { ValidIssuers = new[] { "https://login.microsoftonline.com/{tenantid}/v2.0" } }));
+        }
+
+        [Fact]
+        public void MultipleIssuers_NoneMatch()
+        {
+            // Arrange
+            AadIssuerValidator validator = new AadIssuerValidator(s_aliases);
+            Claim issClaim = new Claim("iss", Iss);
+            Claim tidClaim = new Claim("tid", Tid);
+
+            JwtSecurityToken noTidJwt = new JwtSecurityToken(issuer: Iss, claims: new[] { issClaim, tidClaim });
+
+            // Act & Assert
+            Assert.Throws<SecurityTokenInvalidIssuerException>(() =>
+                validator.Validate(
+                    Iss,
+                    noTidJwt,
+                    new TokenValidationParameters()
+                    {
+                        ValidIssuers = new[] {
+                        "https://host1/{tenantid}/v2.0",
+                        "https://host2/{tenantid}/v2.0"
+                        }
+                    }));
+        }
+
+
+        [Fact] // Regression test for https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/issues/68
+        public void ValidationFails_BadIssuerClaimInJwt()
+        {
+            // Arrange
+            string iss = $"https://badissuer/{Tid}/v2.0";
+            AadIssuerValidator validator = new AadIssuerValidator(s_aliases);
+            Claim issClaim = new Claim("iss", iss);
+            Claim tidClaim = new Claim("tid", Tid);
+
+            JwtSecurityToken noTidJwt = new JwtSecurityToken(issuer: Iss, claims: new[] { issClaim, tidClaim });
+
+            // Act & Assert
+            Assert.Throws<SecurityTokenInvalidIssuerException>(() =>
+                validator.Validate(
+                    iss,
+                    noTidJwt,
+                    new TokenValidationParameters() { ValidIssuers = new[] { "https://login.microsoftonline.com/{tenantid}/v2.0" } }));
+        }
+    }
+}

Microsoft.Identity.Web.Test/Microsoft.Identity.Web.Test.csproj

@@ -0,0 +1,19 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>netcoreapp2.2</TargetFramework>
+
+    <IsPackable>false</IsPackable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.0.1" />
+    <PackageReference Include="xunit" Version="2.4.0" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.4.0" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\Microsoft.Identity.Web\Microsoft.Identity.Web.csproj" />
+  </ItemGroup>
+
+</Project>

Microsoft.Identity.Web/InstanceDiscovery/IssuerConfigurationRetriever.cs

@@ -0,0 +1,58 @@
+/************************************************************************************************
+The MIT License (MIT)
+
+Copyright (c) 2015 Microsoft Corporation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+***********************************************************************************************/
+
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.IdentityModel.Protocols;
+using Newtonsoft.Json;
+
+namespace Microsoft.Identity.Web.InstanceDiscovery
+{
+    /// <summary>
+    /// An implementation of IConfigurationRetriever geared towards Azure AD issuers metadata />
+    /// </summary>
+    internal class IssuerConfigurationRetriever : IConfigurationRetriever<IssuerMetadata>
+    {
+        /// <summary>Retrieves a populated configuration given an address and an <see cref="T:Microsoft.IdentityModel.Protocols.IDocumentRetriever"/>.</summary>
+        /// <param name="address">Address of the discovery document.</param>
+        /// <param name="retriever">The <see cref="T:Microsoft.IdentityModel.Protocols.IDocumentRetriever"/> to use to read the discovery document.</param>
+        /// <param name="cancel">A cancellation token that can be used by other objects or threads to receive notice of cancellation. <see cref="T:System.Threading.CancellationToken"/>.</param>
+        /// <returns></returns>
+        /// <exception cref="ArgumentNullException">if <paramref name="address"/> is null or empty.
+        /// or
+        /// retriever - No metadata document retriever is provided</exception>
+        public async Task<IssuerMetadata> GetConfigurationAsync(string address, IDocumentRetriever retriever, CancellationToken cancel)
+        {
+            if (string.IsNullOrEmpty(address))
+                throw new ArgumentNullException(nameof(address), $"Azure AD Issuer metadata address url is required");
+
+            if (retriever == null)
+                throw new ArgumentNullException(nameof(retriever), $"No metadata document retriever is provided");
+
+            string doc = await retriever.GetDocumentAsync(address, cancel).ConfigureAwait(false);
+            return JsonConvert.DeserializeObject<IssuerMetadata>(doc);
+        }
+    }
+}

Microsoft.Identity.Web/InstanceDiscovery/IssuerMetadata.cs

@@ -0,0 +1,44 @@
+/************************************************************************************************
+The MIT License (MIT)
+
+Copyright (c) 2015 Microsoft Corporation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+***********************************************************************************************/
+
+using System.Collections.Generic;
+using Newtonsoft.Json;
+
+namespace Microsoft.Identity.Web.InstanceDiscovery
+{
+    /// <summary>
+    /// Model class to hold information parsed from the Azure AD issuer endpoint
+    /// </summary>
+    internal class IssuerMetadata
+    {
+        [JsonProperty(PropertyName = "tenant_discovery_endpoint")]
+        public string TenantDiscoveryEndpoint { get; set; }
+
+        [JsonProperty(PropertyName = "api-version")]
+        public string ApiVersion { get; set; }
+
+        [JsonProperty(PropertyName = "metadata")]
+        public List<Metadata> Metadata { get; set; }
+    }
+}

Microsoft.Identity.Web/InstanceDiscovery/Metadata.cs

@@ -0,0 +1,44 @@
+/************************************************************************************************
+The MIT License (MIT)
+
+Copyright (c) 2015 Microsoft Corporation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+***********************************************************************************************/
+
+using System.Collections.Generic;
+using Newtonsoft.Json;
+
+namespace Microsoft.Identity.Web.InstanceDiscovery
+{
+    /// <summary>
+    /// Model child class to hold alias information parsed from the Azure AD issuer endpoint.
+    /// </summary>
+    internal class Metadata
+    {
+        [JsonProperty(PropertyName = "preferred_network")]
+        public string PreferredNetwork { get; set; }
+
+        [JsonProperty(PropertyName = "preferred_cache")]
+        public string PreferredCache { get; set; }
+
+        [JsonProperty(PropertyName = "aliases")]
+        public List<string> Aliases { get; set; }
+    }
+}

Microsoft.Identity.Web/InternalsVisibleTo.cs

@@ -0,0 +1,6 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Runtime.CompilerServices;
+
+[assembly: InternalsVisibleTo("Microsoft.Identity.Web.Test")]

Microsoft.Identity.Web/Microsoft.Identity.Web.sln

@@ -1,10 +1,12 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 15
-VisualStudioVersion = 15.0.28307.539
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.29009.5
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Web", "Microsoft.Identity.Web.csproj", "{BD795319-75B8-4251-AE92-8DD5A807C28E}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Web.Test", "..\Microsoft.Identity.Web.Test\Microsoft.Identity.Web.Test.csproj", "{9CE9383E-76A1-4225-A160-447DA2645330}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -15,6 +17,10 @@ Global
 		{BD795319-75B8-4251-AE92-8DD5A807C28E}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{BD795319-75B8-4251-AE92-8DD5A807C28E}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{BD795319-75B8-4251-AE92-8DD5A807C28E}.Release|Any CPU.Build.0 = Release|Any CPU
+		{9CE9383E-76A1-4225-A160-447DA2645330}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{9CE9383E-76A1-4225-A160-447DA2645330}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{9CE9383E-76A1-4225-A160-447DA2645330}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{9CE9383E-76A1-4225-A160-447DA2645330}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE