Merge pull request #905 from AzureAD/release/1.6.0

Release 1.6.0

Author: oldalton

.travis.yml

@@ -11,6 +11,7 @@ before_script:
   - set -o pipefail
 
 script:  
+  - python ./scripts/update_xcode_config_cpp_checks.py
   - ./build.py --no-clean --show-build-settings
 
 after_failure:

IdentityCore/IdentityCore.xcodeproj/project.pbxproj

@@ -558,6 +558,7 @@
 		6E4F658F24D4883A0070CA36 /* MSIDSymmetricKey.m in Sources */ = {isa = PBXBuildFile; fileRef = 6E4F658D24D4883A0070CA36 /* MSIDSymmetricKey.m */; };
 		6E4F659324D48B630070CA36 /* MSIDSymmetricKeyTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 6E4F659024D48B120070CA36 /* MSIDSymmetricKeyTests.m */; };
 		6E4F659424D48B6D0070CA36 /* MSIDSymmetricKeyTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 6E4F659024D48B120070CA36 /* MSIDSymmetricKeyTests.m */; };
+		720AC2A72550D4FB00B2C7C8 /* MSIDAppExtensionUtil.m in Sources */ = {isa = PBXBuildFile; fileRef = 720AC2A62550D4FB00B2C7C8 /* MSIDAppExtensionUtil.m */; };
 		740340B92460E5C400DFCF27 /* MSIDCurrentRequestTelemetrySerializedItem.h in Headers */ = {isa = PBXBuildFile; fileRef = 740340B72460E5C400DFCF27 /* MSIDCurrentRequestTelemetrySerializedItem.h */; };
 		740340BA2460E5C400DFCF27 /* MSIDCurrentRequestTelemetrySerializedItem.m in Sources */ = {isa = PBXBuildFile; fileRef = 740340B82460E5C400DFCF27 /* MSIDCurrentRequestTelemetrySerializedItem.m */; };
 		740340BB2460E5C400DFCF27 /* MSIDCurrentRequestTelemetrySerializedItem.m in Sources */ = {isa = PBXBuildFile; fileRef = 740340B82460E5C400DFCF27 /* MSIDCurrentRequestTelemetrySerializedItem.m */; };
@@ -2171,6 +2172,7 @@
 		6E4F658B24D488010070CA36 /* MSIDSymmetricKey.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDSymmetricKey.h; sourceTree = "<group>"; };
 		6E4F658D24D4883A0070CA36 /* MSIDSymmetricKey.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDSymmetricKey.m; sourceTree = "<group>"; };
 		6E4F659024D48B120070CA36 /* MSIDSymmetricKeyTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDSymmetricKeyTests.m; sourceTree = "<group>"; };
+		720AC2A62550D4FB00B2C7C8 /* MSIDAppExtensionUtil.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDAppExtensionUtil.m; sourceTree = "<group>"; };
 		740340B72460E5C400DFCF27 /* MSIDCurrentRequestTelemetrySerializedItem.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDCurrentRequestTelemetrySerializedItem.h; sourceTree = "<group>"; };
 		740340B82460E5C400DFCF27 /* MSIDCurrentRequestTelemetrySerializedItem.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDCurrentRequestTelemetrySerializedItem.m; sourceTree = "<group>"; };
 		74043F7C245CC84B00D3E7C1 /* MSIDCurrentRequestTelemetryTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDCurrentRequestTelemetryTests.m; sourceTree = "<group>"; };
@@ -3002,6 +3004,7 @@
 				B28686C024065441004E83FC /* MSIDLoginKeychainUtil.m */,
 				B2AE0FDC2427E9FC00B8FAF1 /* MSIDKeychainUtil+MacInternal.h */,
 				583BFCAA24D88CED0035B901 /* MSIDRedirectUriVerifier.m */,
+				720AC2A62550D4FB00B2C7C8 /* MSIDAppExtensionUtil.m */,
 			);
 			path = mac;
 			sourceTree = "<group>";
@@ -3744,7 +3747,6 @@
 				23BDA6791FCE693800FE14BE /* MSIDKeychainUtil.m */,
 				96F21AEB20A4C6F2002B87C3 /* UIApplication+MSIDExtensions.h */,
 				96F21AEC20A4C6F2002B87C3 /* UIApplication+MSIDExtensions.m */,
-				96F21B0320A4FB27002B87C3 /* MSIDAppExtensionUtil.h */,
 				96F21B0420A4FB27002B87C3 /* MSIDAppExtensionUtil.m */,
 				583BFCAE24D9052E0035B901 /* MSIDRedirectUriVerifier.m */,
 			);
@@ -4559,6 +4561,7 @@
 				23B018C12356D51200207FEC /* NSDictionary+MSIDQueryItems.m */,
 				96CD69571FE84A0300D41938 /* MSIDJsonObject.h */,
 				96CD69581FE84A0300D41938 /* MSIDJsonObject.m */,
+				96F21B0320A4FB27002B87C3 /* MSIDAppExtensionUtil.h */,
 				23BDA6781FCE693800FE14BE /* MSIDKeychainUtil.h */,
 				B2CDB5721FE2F4DB003A4B5C /* NSOrderedSet+MSIDExtensions.h */,
 				B2CDB5731FE2F4DB003A4B5C /* NSOrderedSet+MSIDExtensions.m */,
@@ -6327,6 +6330,7 @@
 				239DF9AD20DED6F6002D428B /* MSIDConstants.m in Sources */,
 				23985AB52391BA1100942308 /* MSIDTokenResponseHandler.m in Sources */,
 				740340BB2460E5C400DFCF27 /* MSIDCurrentRequestTelemetrySerializedItem.m in Sources */,
+				720AC2A72550D4FB00B2C7C8 /* MSIDAppExtensionUtil.m in Sources */,
 				2348C313221B4EFF00498D56 /* MSIDBasicContext.m in Sources */,
 				600D19982095988C0004CD43 /* MSIDChallengeHandler.m in Sources */,
 				B26CEB042367B3B9009E6E54 /* MSIDSystemWebViewControllerFactory.m in Sources */,

IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationBrowserTokenRequest.h

@@ -36,12 +36,14 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic, readonly) MSIDAADAuthority *authority;
 @property (nonatomic, readonly) NSDictionary *headers;
 @property (nonatomic, readonly) NSData *httpBody;
+@property (nonatomic, readonly) BOOL useSSOCookieFallback;
 
 - (instancetype)initWithRequest:(NSURL *)requestURL
                         headers:(NSDictionary *)headers
                            body:(nullable NSData *)httpBody
                bundleIdentifier:(NSString *)bundleIdentifier
                requestValidator:(id<MSIDBrowserRequestValidating>)requestValidator
+           useSSOCookieFallback:(BOOL)useSSOCookieFallback
                           error:(NSError **)error;
 
 @end

IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationBrowserTokenRequest.m

@@ -36,6 +36,7 @@ - (instancetype)initWithRequest:(NSURL *)requestURL
                            body:(NSData *)httpBody
                bundleIdentifier:(NSString *)bundleIdentifier
                requestValidator:(id<MSIDBrowserRequestValidating>)requestValidator
+           useSSOCookieFallback:(BOOL)useSSOCookieFallback
                           error:(NSError **)error
 {
     self = [super init];
@@ -65,6 +66,7 @@ - (instancetype)initWithRequest:(NSURL *)requestURL
             return nil;
         }
 
+        _useSSOCookieFallback = useSSOCookieFallback;
         _headers = headers;
         _httpBody = httpBody;
         _bundleIdentifier = bundleIdentifier;

IdentityCore/src/cache/crypto/MSIDSymmetricKey.m

@@ -85,6 +85,39 @@ - (nullable NSString *)createVerifySignature:(NSData *)context
     return [NSString msidBase64UrlEncodedStringFromData:signedData];
 }
 
+/**
+ Key Derivation using Pseudorandom Functions in Counter Mode: SP 800-108
+ Spec link: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-108.pdf
+ Formula:
+ 
+ Fixed values:
+ 1. h - The length of the output of the PRF in bits
+ 2. r - The length of the binary representation of the counter i.
+ Input: KI, Label, Context, and L.
+ Process:
+ 1. n := ⎡L/h⎤.
+ 2. If n > 2^r -1, then indicate an error and stop.
+ 3. result(0):= ∅.
+ 4. For i = 1 to n, do
+ a. K(i) := PRF (KI, [i]2 || Label || 0x00 || Context || [L]2)
+ 12
+ SP 800-108 Recommendation for Key Derivation Using Pseudorandom Functions
+ b. result(i) := result(i-1) || K(i).
+ 5. Return: KO := the leftmost L bits of result(n).
+ Output: KO.
+ 
+ Implementation notes:
+ 1. PRF: we use HMAC-SHA256
+ h: 256
+ r: 32
+ L: 256
+ Label: AzureAD-SecureConversation
+ 
+ the input of HMAC-SHA256 would look like:
+ 0x00 0x00 0x00 0x01 || AzureAD-SecureConversation String in binary || 0x00 || context in binary || (256) in big-endian binary
+ 
+ */
+
 - (NSData *)computeKDFInCounterMode:(NSData *)ctx
 {
     if (ctx == nil)
@@ -112,13 +145,12 @@ - (NSData *)computeKDFInCounterMode:(NSData *)ctx
     return dataToReturn;
 }
 
-
 - (uint8_t *)kdfCounterMode:(uint8_t *)keyDerivationKey
      keyDerivationKeyLength:(size_t)keyDerivationKeyLength
                  fixedInput:(uint8_t *)fixedInput
            fixedInputLength:(size_t)fixedInputLength
 {
-    uint8_t ctr;
+    uint32_t ctr;
     unsigned char cHMAC[CC_SHA256_DIGEST_LENGTH];
     uint8_t *keyDerivated;
     uint8_t *dataInput;
@@ -175,7 +207,7 @@ - (uint8_t *)kdfCounterMode:(uint8_t *)keyDerivationKey
 
 
 /*
- *Function used to shift data of 1 byte. This byte is the "ctr".
+ *Function used to shift data by 4 byte and insert ctr in the first 4 bytes.
  */
 - (uint8_t *)updateDataInput:(uint8_t)ctr
                   fixedInput:(uint8_t *)fixedInput

IdentityCore/src/oauth2/token/MSIDPrimaryRefreshToken.m

@@ -208,7 +208,7 @@ - (NSUInteger)refreshInterval
 {
     if (self.expiryInterval > 0)
     {
-        return self.expiryInterval / 10;
+        return self.expiryInterval / 30;
     }
 
     return kDefaultPRTRefreshInterval;

IdentityCore/src/requests/MSIDSilentTokenRequest.m

@@ -392,17 +392,26 @@ - (void)refreshAccessToken:(MSIDBaseToken<MSIDRefreshableToken> *)refreshToken
 
     [self.requestParameters.authority loadOpenIdMetadataWithContext:self.requestParameters
                                                     completionBlock:^(__unused MSIDOpenIdProviderMetadata * _Nullable metadata, NSError * _Nullable error) {
-
-                                                        if (error)
-                                                        {
-                                                            completionBlock(nil, error);
-                                                            return;
-                                                        }
-
-                                                        [self acquireTokenWithRefreshTokenImpl:refreshToken
-                                                                               completionBlock:completionBlock];
-
-                                                    }];
+        
+        if (error)
+        {
+            completionBlock(nil, error);
+            return;
+        }
+        
+        // Check if token endpoint (from open id metadata) is the same cloud as the RT issuer cloud
+        // If not the same cloud, we don't send RT to wrong cloud.
+        if (![self.requestParameters.authority checkTokenEndpointForRTRefresh:self.requestParameters.tokenEndpoint])
+        {
+            NSError *interactionError = MSIDCreateError(MSIDErrorDomain, MSIDErrorInteractionRequired, @"User interaction is required (unable to use token from a different cloud).", nil, nil, nil, self.requestParameters.correlationId, nil, YES);
+            completionBlock(nil, interactionError);
+            return;
+        }
+        
+        [self acquireTokenWithRefreshTokenImpl:refreshToken
+                               completionBlock:completionBlock];
+        
+    }];
 }
 
 - (void)acquireTokenWithRefreshTokenImpl:(MSIDBaseToken<MSIDRefreshableToken> *)refreshToken

IdentityCore/src/telemetry/request_telemetry/MSIDLastRequestTelemetry.m

@@ -44,7 +44,7 @@ - (instancetype)initWithCoder:(NSCoder *)decoder
     self = [super init];
     if (self)
     {
-        self.apiId = (int)[decoder decodeFloatForKey:kApiId];
+        self.apiId = (NSInteger)[decoder decodeFloatForKey:kApiId];
 
         NSString *uuIdString = [decoder decodeObjectForKey:kCorrelationID];
         self.correlationId = ![NSString msidIsStringNilOrBlank:uuIdString] ? [[NSUUID UUID] initWithUUIDString:uuIdString] : nil;

…Core/src/util/ios/MSIDAppExtensionUtil.h …tityCore/src/util/MSIDAppExtensionUtil.hIdentityCore/src/util/ios/MSIDAppExtensionUtil.h renamed to IdentityCore/src/util/MSIDAppExtensionUtil.h IdentityCore/src/util/ios/MSIDAppExtensionUtil.h renamed to IdentityCore/src/util/MSIDAppExtensionUtil.h

@@ -33,14 +33,28 @@
 
 /// Determine whether or not the host app is an application extension based on the main bundle path
 + (BOOL)isExecutingInAppExtension;
+
+/// Application extension safe replacement for `openURL:`. The caller should make sure `isExecutingInAppExtension == NO` before calling this method.
++ (void)sharedApplicationOpenURL:(nonnull NSURL *)url;
+
+#if TARGET_OS_IPHONE
+// Helper method to check if the app state
++ (BOOL)runningInActiveState;
+
 /// Application extension safe replacement for `[UIApplication sharedApplication]`. The caller should make sure `isExecutingInAppExtension == NO` before calling this method.
 + (nullable UIApplication *)sharedApplication;
-/// Application extension safe replacement for `[[UIApplication sharedApplication] openURL:]`. The caller should make sure `isExecutingInAppExtension == NO` before calling this method.
-+ (void)sharedApplicationOpenURL:(nonnull NSURL *)url;
 
 /// Application extension safe replacement for `[[UIApplication sharedApplication] openURL:options:completionHandler:]`. The caller should make sure `isExecutingInAppExtension == NO` before calling this method.
 + (void)sharedApplicationOpenURL:(nonnull NSURL *)url
                          options:(nullable NSDictionary<UIApplicationOpenExternalURLOptionsKey, id> *)options
                completionHandler:(void (^ __nullable)(BOOL success))completionHandler;
+#else
+/// Application extension safe replacement for `[NSWorkspace sharedWorkspace]`. The caller should make sure `isExecutingInAppExtension == NO` before calling this method.
++ (nullable NSWorkspace *)sharedApplication;
 
+/// Application extension safe replacement for `[[NSWorkspace sharedWorkspace] openURL:configuration:completionHandler:]`. The caller should make sure `isExecutingInAppExtension == NO` before calling this method.
++ (void)sharedApplicationOpenURL:(nonnull NSURL *)url
+                   configuration:(nullable NSWorkspaceOpenConfiguration *)options
+               completionHandler:(void (^ __nullable)(BOOL success))completionHandler API_AVAILABLE(macos(10.15));
+#endif
 @end

IdentityCore/src/util/NSDictionary+MSIDExtensions.m

@@ -88,7 +88,6 @@ - (NSString *)msidWWWFormURLEncode
     return [NSString msidWWWFormURLEncodedStringFromDictionary:self];
 }
 
-
 - (NSDictionary *)msidDictionaryByRemovingFields:(NSArray *)fieldsToRemove
 {
     NSMutableDictionary *mutableDict = [self mutableCopy];