Update Java Script Api Exposure, Fixes AB#3385083 (#2773)

This PR will move the code that exposes the java script api from
handleUrl on pageStarted. This will make it so we use the url that we
are actually planning to load in the webview to validate whether or not
to exposue the JS interface. previously, most pages were being validated
correctly in handleUrl, but in certain redirects, we may have been
missing some urls that should have had the url exposed. This change
addresses those gaps by checking every url the webview is about to load.


[AB#3385083](https://identitydivision.visualstudio.com/fac9d424-53d2-45c0-91b5-ef6ba7a6bf26/_workitems/edit/3385083)

Author: fadidurah

common/src/main/java/com/microsoft/identity/common/adal/internal/AuthenticationConstants.java

@@ -1223,14 +1223,24 @@ public static String computeMaxHostBrokerProtocol() {
         public static final String REDIRECT_PREFIX = "msauth";
 
         /**
-         * Prefix for AAD urls
+         * Suffix for global AAD urls
          */
-        public static final String AAD_URL_HOST_PREFIX = "login.microsoftonline.";
+        public static final String AAD_GLOBAL_URL_HOST_SUFFIX = ".microsoftonline.com";
 
         /**
-         * Prefix for MSA urls
+         * Suffix for China AAD urls
          */
-        public static final String MSA_URL_HOST_PREFIX = "login.live.";
+        public static final String AAD_CHINA_URL_HOST_SUFFIX = ".microsoftonline.cn";
+
+        /**
+         * Suffix for US AAD urls
+         */
+        public static final String AAD_US_URL_HOST_SUFFIX = ".microsoftonline.us";
+
+        /**
+         * Suffix for Intune MDM urls
+         */
+        public static final String AAD_INTUNE_MDM_URL_HOST_SUFFIX = ".microsoft.com";
 
         /**
          * Encoded delimiter for redirect.

common/src/main/java/com/microsoft/identity/common/internal/broker/AuthUxJavaScriptInterface.kt

@@ -32,8 +32,8 @@ import com.microsoft.identity.common.internal.numberMatch.NumberMatchHelper
 import com.microsoft.identity.common.java.opentelemetry.AttributeName
 import com.microsoft.identity.common.java.opentelemetry.SpanExtension
 import com.microsoft.identity.common.logging.Logger
-import java.net.MalformedURLException
-import java.net.URL
+import java.net.URI
+import java.net.URISyntaxException
 
 /**
  * JavaScript API to receive JSON string payloads from AuthUX in order to facilitate calling various
@@ -53,32 +53,32 @@ class AuthUxJavaScriptInterface {
         }
 
         /**
-         * Helper method to determine if url is a valid Url for the JS Interface
-         * @param url url being loaded
-         * @return true if url is a valid, safe url, false otherwise
+         * Helper method to determine if uri is a valid Uri for the JS Interface
+         * @param uriString uri being loaded
+         * @return true if uri is a valid, safe uri, false otherwise
          */
-        fun isValidUrlForInterface(urlString: String?): Boolean {
-            // If url is null, return false
-            if (urlString.isNullOrEmpty()) {
+        fun isValidUriForInterface(uriString: String?): Boolean {
+            // If uri is null or empty, return false
+            if (uriString.isNullOrEmpty()) {
                 return false
             }
 
-            val url: URL
+            val uri: URI
             try {
-                url = URL(urlString)
-            } catch (e: MalformedURLException) {
-                // If url is not a valid URL, return false
-                Logger.warn(TAG, "Malformed URL passed.")
+                uri = URI(uriString)
+            } catch (e: URISyntaxException) {
+                Logger.warn(TAG, "URISyntaxException received. uri: $uriString, Message: ${e.message}")
                 return false
-
             }
 
-            val host = url.host
+            val host = uri.host
 
-            // Otherwise, make sure url is a valid url
-            // We only want to allow URLs that have the AAD or MSA url hosts
-            return host.startsWith(AuthenticationConstants.Broker.AAD_URL_HOST_PREFIX) ||
-                    host.startsWith(AuthenticationConstants.Broker.MSA_URL_HOST_PREFIX)
+            // Otherwise, make sure uri is a valid uri
+            // We only want to allow URIs that have the AAD or MSA uri hosts
+            return host.endsWith(AuthenticationConstants.Broker.AAD_GLOBAL_URL_HOST_SUFFIX) ||
+                    host.endsWith(AuthenticationConstants.Broker.AAD_INTUNE_MDM_URL_HOST_SUFFIX) ||
+                    host.endsWith(AuthenticationConstants.Broker.AAD_US_URL_HOST_SUFFIX) ||
+                    host.endsWith(AuthenticationConstants.Broker.AAD_CHINA_URL_HOST_SUFFIX)
         }
     }
 

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java

@@ -134,7 +134,6 @@ public class AzureActiveDirectoryWebViewClient extends OAuth2WebViewClient {
     private final SwitchBrowserRequestHandler mSwitchBrowserRequestHandler;
     private HashMap<String, String> mRequestHeaders;
     private String mRequestUrl;
-    private boolean mAuthUxJavaScriptInterfaceAdded = false;
     private boolean mInWebCpFlow = false;
 
     private final String mUtid;
@@ -166,12 +165,6 @@ public void initializeAuthUxJavaScriptApi(@NonNull final WebView view, final Str
         }
     }
 
-    private boolean shouldExposeJavaScriptInterface(final String url) {
-        return ProcessUtil.isRunningOnAuthService(getActivity().getApplicationContext())
-                && AuthUxJavaScriptInterface.Companion.isValidUrlForInterface(url)
-                && CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(CommonFlight.ENABLE_JS_API_FOR_AUTHUX);
-    }
-
     @Override
     public void onPageFinished(final WebView view,
                                final String url) {
@@ -249,19 +242,6 @@ private boolean handleUrl(final WebView view, final String url) {
         final String methodTag = TAG + ":handleUrl";
         final String formattedURL = url.toLowerCase(Locale.US);
 
-        // Re-evaluate adding AuthUx JavaScript Interface
-        if (shouldExposeJavaScriptInterface(url)) {
-            // If broker request, and a valid url, expose JavaScript API
-            Logger.info(methodTag, "Adding AuthUx JavaScript Interface");
-            view.addJavascriptInterface(new AuthUxJavaScriptInterface(), AuthUxJavaScriptInterface.Companion.getInterfaceName());
-            mAuthUxJavaScriptInterfaceAdded = true;
-        } else if (mAuthUxJavaScriptInterfaceAdded) {
-            // Remove AuthUx JavaScript Interface
-            Logger.info(methodTag, "Removing AuthUx JavaScript Interface");
-            view.removeJavascriptInterface(AuthUxJavaScriptInterface.Companion.getInterfaceName());
-            mAuthUxJavaScriptInterfaceAdded = false;
-        }
-
         try {
             if (isPkeyAuthUrl(formattedURL)) {
                 Logger.info(methodTag,"WebView detected request for pkeyauth challenge.");

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/OAuth2WebViewClient.java

@@ -42,6 +42,7 @@
 import androidx.annotation.VisibleForTesting;
 
 import com.microsoft.identity.common.adal.internal.AuthenticationConstants;
+import com.microsoft.identity.common.internal.broker.AuthUxJavaScriptInterface;
 import com.microsoft.identity.common.internal.ui.webview.challengehandlers.ChallengeFactory;
 import com.microsoft.identity.common.internal.ui.webview.challengehandlers.IChallengeHandler;
 import com.microsoft.identity.common.internal.ui.webview.challengehandlers.NtlmChallenge;
@@ -50,7 +51,6 @@
 import com.microsoft.identity.common.java.exception.ClientException;
 import com.microsoft.identity.common.java.flighting.CommonFlight;
 import com.microsoft.identity.common.java.flighting.CommonFlightsManager;
-import com.microsoft.identity.common.java.logging.DiagnosticContext;
 import com.microsoft.identity.common.java.opentelemetry.AttributeName;
 import com.microsoft.identity.common.java.opentelemetry.OTelUtility;
 import com.microsoft.identity.common.java.providers.RawAuthorizationResult;
@@ -78,6 +78,8 @@ public abstract class OAuth2WebViewClient extends WebViewClient {
     @VisibleForTesting
     public static ExpectedPage mExpectedPage = null;
 
+    protected boolean mAuthUxJavaScriptInterfaceAdded = false;
+
     /**
      * @return context
      */
@@ -222,6 +224,20 @@ public void onPageStarted(final WebView view,
                               final Bitmap favicon) {
         final String methodTag = TAG + ":onPageStarted";
         checkStartUrl(url);
+
+        // Re-evaluate adding AuthUx JavaScript Interface
+        if (shouldExposeJavaScriptInterface(url)) {
+            // If broker request, and a valid url, expose JavaScript API
+            Logger.info(methodTag, "Adding AuthUx JavaScript Interface");
+            view.addJavascriptInterface(new AuthUxJavaScriptInterface(), AuthUxJavaScriptInterface.Companion.getInterfaceName());
+            mAuthUxJavaScriptInterfaceAdded = true;
+        } else if (mAuthUxJavaScriptInterfaceAdded) {
+            // Remove AuthUx JavaScript Interface
+            Logger.info(methodTag, "Removing AuthUx JavaScript Interface");
+            view.removeJavascriptInterface(AuthUxJavaScriptInterface.Companion.getInterfaceName());
+            mAuthUxJavaScriptInterfaceAdded = false;
+        }
+
         Logger.info(methodTag,"WebView starts loading.");
         super.onPageStarted(view, url, favicon);
     }
@@ -248,4 +264,10 @@ private void checkStartUrl(final String url) {
                     + " Path: " + uri.getPath());
         }
     }
+
+    protected boolean shouldExposeJavaScriptInterface(final String url) {
+        return ProcessUtil.isRunningOnAuthService(getActivity().getApplicationContext())
+                && AuthUxJavaScriptInterface.Companion.isValidUriForInterface(url)
+                && CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(CommonFlight.ENABLE_JS_API_FOR_AUTHUX);
+    }
 }

common/src/test/java/com/microsoft/identity/common/internal/broker/AuthUxJavaScriptInterfaceTest.kt

@@ -86,32 +86,38 @@ class AuthUxJavaScriptInterfaceTest {
     }
 
     @Test
-    fun `test isValidUrlForInterface with valid AAD URL`() {
+    fun `test isValidUrlForInterface with valid AAD Global URL`() {
         val validUrl = "https://login.microsoftonline.com/common/oauth2/authorize"
-        Assert.assertTrue(AuthUxJavaScriptInterface.isValidUrlForInterface(validUrl))
+        Assert.assertTrue(AuthUxJavaScriptInterface.isValidUriForInterface(validUrl))
     }
 
     @Test
-    fun `test isValidUrlForInterface with valid MSA URL`() {
-        val validUrl = "https://login.live.com/oauth20_authorize.srf"
-        Assert.assertTrue(AuthUxJavaScriptInterface.isValidUrlForInterface(validUrl))
+    fun `test isValidUrlForInterface with valid AAD US URL`() {
+        val validUrl = "https://login.microsoftonline.us/common/oauth2/authorize"
+        Assert.assertTrue(AuthUxJavaScriptInterface.isValidUriForInterface(validUrl))
+    }
+
+    @Test
+    fun `test isValidUrlForInterface with valid AAD China URL`() {
+        val validUrl = "https://login.microsoftonline.cn/common/oauth2/authorize"
+        Assert.assertTrue(AuthUxJavaScriptInterface.isValidUriForInterface(validUrl))
     }
 
     @Test
     fun `test isValidUrlForInterface with null URL`() {
         val nullUrl: String? = null
-        Assert.assertFalse(AuthUxJavaScriptInterface.isValidUrlForInterface(nullUrl))
+        Assert.assertFalse(AuthUxJavaScriptInterface.isValidUriForInterface(nullUrl))
     }
 
     @Test
     fun `test isValidUrlForInterface with invalid URL`() {
         val invalidUrl = "https://example.com"
-        Assert.assertFalse(AuthUxJavaScriptInterface.isValidUrlForInterface(invalidUrl))
+        Assert.assertFalse(AuthUxJavaScriptInterface.isValidUriForInterface(invalidUrl))
     }
 
     @Test
     fun `test isValidUrlForInterface with empty URL`() {
         val emptyUrl = ""
-        Assert.assertFalse(AuthUxJavaScriptInterface.isValidUrlForInterface(emptyUrl))
+        Assert.assertFalse(AuthUxJavaScriptInterface.isValidUriForInterface(emptyUrl))
     }
 }