Enable dynamic whitelisting of dSTS endpoints to support new buildouts (#215)

jmstimso · rayluo · commit a4366c5e81a2 · 2019-11-14T15:16:04.000-08:00
* Whitelisting dsts endpoints.

* adding whitespace

* changing back WORLD_WIDE_AUTHORITY

* add whitelist function

add whitelist function so dsts hosts pass validation.

* Adding unit tests

Adding unit test to test static instance discovery of dsts enpoints and validating of a dsts endpoint in AuthenticationContext.

* fixed whitespace

* fix syntax error

* Fix whitespace

* fix more spaces

* Respond to PR comments

Remove unnecessary white space, add documentation to whitelist, use self.fail in unit test.

* Enable endpoint discovery

Change dSTS host whitelisting to dynamic discovery of endpoints containing dsts.

* Fix whitespace

Fix whitespace

* Update test_authority.py

Fix dSTS test endpoint value to correct format.

* Update test_authority.py

Fix dsts test endpoint.

* Update authority.py

Update whitelist funtion to only check for ".dsts." in url.
diff --git a/adal/authority.py b/adal/authority.py
@@ -63,10 +63,9 @@ def url(self):
         return self._url.geturl()
 
     def _whitelisted(self): # testing if self._url.hostname is a dsts whitelisted domain
-        for domain in AADConstants.WHITELISTED_DOMAINS:
-            if self._url.hostname.endswith(domain):
-                return True
-        return False
+        # Add dSTS domains to whitelist based on based on domain
+        # https://microsoft.sharepoint.com/teams/AzureSecurityCompliance/Security/SitePages/dSTS%20Fundamentals.aspx
+        return ".dsts." in self._url.hostname
 
     def _validate_authority_url(self):
 
diff --git a/adal/constants.py b/adal/constants.py
@@ -217,15 +217,6 @@ class AADConstants(object):
         'login.microsoftonline.us',
         'login.microsoftonline.de',
         ]
-    WHITELISTED_DOMAINS = [
-        # Define dSTS domains whitelist based on its Supported Environments & National Clouds list here
-        # https://microsoft.sharepoint.com/teams/AzureSecurityCompliance/Security/SitePages/dSTS%20Fundamentals.aspx
-        'dsts.core.windows.net',
-        'dsts.core.chinacloudapi.cn',  
-        'dsts.core.cloudapi.de', 
-        'dsts.core.usgovcloudapi.net',  
-        'dsts.core.azure-test.net',
-        ]
     INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE = 'https://{authorize_host}/common/discovery/instance?authorization_endpoint={authorize_endpoint}&api-version=1.0' # pylint: disable=invalid-name
     AUTHORIZE_ENDPOINT_PATH = '/oauth2/authorize'
     TOKEN_ENDPOINT_PATH = '/oauth2/token'
diff --git a/tests/test_authority.py b/tests/test_authority.py
@@ -60,7 +60,7 @@ class TestAuthority(unittest.TestCase):
     # discovery.
     nonHardCodedAuthority = 'https://login.doesntexist.com/' + cp['tenant']
     nonHardCodedAuthorizeEndpoint = nonHardCodedAuthority + '/oauth2/authorize'
-    dstsTestEndpoint = 'https://test-dsts.core.azure-test.net/dstsv2/common'
+    dstsTestEndpoint = 'https://test-dsts.dsts.core.azure-test.net/dstsv2/common'
 
 
     def setUp(self):
@@ -130,7 +130,7 @@ def test_success_static_instance_discovery(self):
         self.performStaticInstanceDiscovery('test-dsts.dsts.core.chinacloudapi.cn')
         self.performStaticInstanceDiscovery('test-dsts.dsts.core.cloudapi.de')
         self.performStaticInstanceDiscovery('test-dsts.dsts.core.usgovcloudapi.net')
-        self.performStaticInstanceDiscovery('test-dsts.core.azure-test.net')
+        self.performStaticInstanceDiscovery('test-dsts.dsts.core.azure-test.net')
 
 
     @httpretty.activate
