Merge pull request #1545 from AzureAD/release/1.14.0

Release/1.14.0

Author: juan-arias

IdentityCore/src/MSIDConstants.h

@@ -216,6 +216,7 @@ extern NSString * _Nonnull const MSID_FLIGHT_SUPPORT_DUNA_CBA;
 extern NSString * _Nonnull const MSID_FLIGHT_DISABLE_JIT_TROUBLESHOOTING_LEGACY_AUTH;
 extern NSString * _Nonnull const MSID_FLIGHT_CLIENT_SFRT_STATUS;
 extern NSString * _Nonnull const MSID_FLIGHT_DISABLE_PREFERRED_IDENTITY_CBA;
+extern NSString * _Nonnull const MSID_FLIGHT_SUPPORT_STATE_DUNA_CBA;
 
 /**
  * Flight to indicate if remove account artifacts should be disabled

IdentityCore/src/MSIDConstants.m

@@ -88,6 +88,7 @@
 NSString *const MSID_FLIGHT_DISABLE_JIT_TROUBLESHOOTING_LEGACY_AUTH = @"disable_jit_remediation_legacy_auth";
 NSString *const MSID_FLIGHT_CLIENT_SFRT_STATUS = @"sfrt_v2";
 NSString *const MSID_FLIGHT_DISABLE_PREFERRED_IDENTITY_CBA = @"dis_pre_iden_cba";
+NSString *const MSID_FLIGHT_SUPPORT_STATE_DUNA_CBA = @"support_state_duna_cba";
 
 // Making the flight string short to avoid legacy broker url size limit
 NSString *const MSID_FLIGHT_DISABLE_REMOVE_ACCOUNT_ARTIFACTS = @"disable_rm_metadata";

IdentityCore/src/oauth2/aad_base/MSIDAADWebviewFactory.m

@@ -206,12 +206,14 @@ - (MSIDWebviewResponse *)oAuthResponseWithURL:(NSURL *)url
     {
         MSIDSwitchBrowserResponse *switchBrowserResponse = [[MSIDSwitchBrowserResponse alloc] initWithURL:url
                                                                                               redirectUri:endRedirectUri
+                                                                                             requestState:requestState
                                                                                                   context:context
                                                                                                     error:nil];
         if (switchBrowserResponse) return switchBrowserResponse;
 
         MSIDSwitchBrowserResumeResponse *switchBrowserResumeResponse = [[MSIDSwitchBrowserResumeResponse alloc] initWithURL:url
                                                                                                                 redirectUri:endRedirectUri
+                                                                                                               requestState:requestState
                                                                                                                     context:context
                                                                                                                       error:nil];
         if (switchBrowserResumeResponse) return switchBrowserResumeResponse;

IdentityCore/src/requests/MSIDEcdhApv.m

@@ -27,13 +27,13 @@
 
 @implementation MSIDEcdhApv
 
-const NSUInteger kExpectedECP256KeyLength = 65;
-
 - (instancetype)initWithKey:(SecKeyRef)publicKey
                   apvPrefix:(NSString *)apvPrefix
                     context:(id<MSIDRequestContext> _Nullable)context
                       error:(NSError * _Nullable __autoreleasing *)error
 {
+    const NSUInteger kExpectedECP256KeyLength = 65;
+    
     if (publicKey == NULL)
     {
         if (error) *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Public STK provided is not defined.", nil, nil, nil, context.correlationId, nil, NO);

IdentityCore/src/webview/operations/ios/MSIDSwitchBrowserOperation.m

@@ -32,6 +32,8 @@
 #import "MSIDWebviewAuthorization.h"
 #import "MSIDCertAuthManager.h"
 #import "MSIDInteractiveTokenRequestParameters.h"
+#import "MSIDConstants.h"
+#import "MSIDFlightManager.h"
 
 @interface MSIDSwitchBrowserOperation()
 
@@ -82,6 +84,12 @@ - (void)invokeWithRequestParameters:(nonnull MSIDInteractiveTokenRequestParamete
     NSMutableDictionary *queryItems = [NSMutableDictionary new];
     queryItems[@"code"] = self.switchBrowserResponse.switchBrowserSessionToken;
     queryItems[MSID_OAUTH2_REDIRECT_URI] = requestParameters.redirectUri;
+    
+    if ([MSIDFlightManager.sharedInstance boolForKey:MSID_FLIGHT_SUPPORT_STATE_DUNA_CBA] && self.switchBrowserResponse.state)
+    {
+        queryItems[MSID_OAUTH2_STATE] = self.switchBrowserResponse.state;
+    }
+    
     NSURLComponents *requestURLComponents = [[NSURLComponents alloc] initWithString:self.switchBrowserResponse.actionUri];
     requestURLComponents.percentEncodedQuery = [queryItems msidURLEncode];
     NSURL *startURL = requestURLComponents.URL;

IdentityCore/src/webview/operations/ios/MSIDSwitchBrowserResumeOperation.m

@@ -28,6 +28,8 @@
 #import "MSIDWebviewFactory.h"
 #import "MSIDInteractiveTokenRequestParameters.h"
 #import "MSIDWebResponseOperationFactory.h"
+#import "MSIDConstants.h"
+#import "MSIDFlightManager.h"
 
 @interface MSIDSwitchBrowserResumeOperation()
 
@@ -87,6 +89,22 @@ - (void)invokeWithRequestParameters:(nonnull MSIDInteractiveTokenRequestParamete
      webviewResponseCompletionBlock:(nonnull MSIDWebviewAuthCompletionHandler)webviewResponseCompletionBlock
    authorizationCodeCompletionBlock:(nonnull MSIDInteractiveAuthorizationCodeCompletionBlock)authorizationCodeCompletionBlock
 {
+    if ([MSIDFlightManager.sharedInstance boolForKey:MSID_FLIGHT_SUPPORT_STATE_DUNA_CBA])
+    {
+        MSIDSwitchBrowserResponse *parentResponse = (MSIDSwitchBrowserResponse *)self.switchBrowserResumeResponse.parentResponse;
+        NSError *stateValidationError = nil;
+        
+        BOOL stateValidated = [MSIDSwitchBrowserResponse validateStateParameter:self.switchBrowserResumeResponse.state
+                                                                  expectedState:parentResponse.state.msidBase64UrlDecode
+                                                                          error:&stateValidationError];
+        if (!stateValidated)
+        {
+            MSID_LOG_WITH_CTX(MSIDLogLevelError, requestParameters, @"Resume operation rejected due to state validation failure");
+            if (webviewResponseCompletionBlock) webviewResponseCompletionBlock(nil, stateValidationError);
+            return;
+        }
+    }
+    
     webRequestConfiguration.startURL = [[NSURL alloc] initWithString:self.switchBrowserResumeResponse.actionUri];
     NSMutableDictionary *customHeaders = [webRequestConfiguration.customHeaders mutableCopy] ?: [NSMutableDictionary new];
     customHeaders[@"Authorization"] = [NSString stringWithFormat:@"Bearer %@", self.switchBrowserResumeResponse.switchBrowserSessionToken];

IdentityCore/src/webview/response/MSIDSwitchBrowserResponse.h

@@ -35,6 +35,7 @@ typedef NS_OPTIONS(NSInteger, MSIDSwitchBrowserModes) {
 @property (nonatomic, readonly) NSString *actionUri;
 @property (nonatomic, readonly) NSString *switchBrowserSessionToken;
 @property (nonatomic, readonly) BOOL useEphemeralWebBrowserSession;
+@property (nonatomic, readonly) NSString *state;
 
 - (instancetype )init NS_UNAVAILABLE;
 + (instancetype)new NS_UNAVAILABLE;
@@ -45,9 +46,13 @@ typedef NS_OPTIONS(NSInteger, MSIDSwitchBrowserModes) {
 
 - (instancetype)initWithURL:(NSURL *)url
                 redirectUri:(NSString *)redirectUri
+               requestState:(NSString *)requestState
                     context:(id<MSIDRequestContext>)context
                       error:(NSError *__autoreleasing*)error;
 
 + (BOOL)isDUNAActionUrl:(NSURL *)url operation:(NSString *)operation;
 
++ (BOOL)validateStateParameter:(NSString *)receivedState
+                 expectedState:(NSString *)expectedState
+                         error:(NSError *__autoreleasing*)error;
 @end

IdentityCore/src/webview/response/MSIDSwitchBrowserResponse.m

@@ -38,6 +38,7 @@ + (NSString *)operation
 
 - (instancetype)initWithURL:(NSURL *)url
                 redirectUri:(NSString *)redirectUri
+               requestState:(NSString *)requestState
                     context:(id<MSIDRequestContext>)context
                       error:(NSError *__autoreleasing*)error
 {
@@ -48,8 +49,26 @@ - (instancetype)initWithURL:(NSURL *)url
     if (self)
     {
         if (![self isMyUrl:url redirectUri:redirectUri]) return nil;
+        
+        if ([MSIDFlightManager.sharedInstance boolForKey:MSID_FLIGHT_SUPPORT_STATE_DUNA_CBA])
+        {
+            NSError *stateCheckError = nil;
+            BOOL stateValidated = [MSIDSwitchBrowserResponse validateStateParameter:self.parameters[MSID_OAUTH2_STATE]
+                                                                      expectedState:requestState
+                                                                              error:&stateCheckError];
+            if (!stateValidated)
+            {
+                if (stateCheckError && error)
+                {
+                    *error = stateCheckError;
+                }
+                return nil;
+            }
+        }
+        
         _actionUri = self.parameters[@"action_uri"];
         _useEphemeralWebBrowserSession = YES;
+        _state = self.parameters[MSID_OAUTH2_STATE];
 
         NSString* browserOptionsString = self.parameters[@"browser_modes"];
         if (browserOptionsString)
@@ -105,6 +124,45 @@ + (BOOL)isDUNAActionUrl:(NSURL *)url operation:(NSString *)operation
     return NO;
 }
 
++ (BOOL)validateStateParameter:(NSString *)receivedState
+                 expectedState:(NSString *)expectedState
+                         error:(NSError *__autoreleasing*)error
+{
+    if (!receivedState && !expectedState)
+    {
+        return YES;
+    }
+    
+    if (!expectedState || !receivedState)
+    {
+        if (error)
+        {
+            *error = MSIDCreateError(MSIDOAuthErrorDomain,
+                                     MSIDErrorServerInvalidState,
+                                     [NSString stringWithFormat:@"Missing or invalid state returned state: %@", receivedState],
+                                     nil, nil, nil, nil, nil, YES);
+        }
+        return NO;
+    }
+    
+    BOOL result = [receivedState.msidBase64UrlDecode isEqualToString:expectedState];
+    
+    if (!result)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"State parameter mismatch");
+        if (error)
+        {
+            *error = MSIDCreateError(MSIDOAuthErrorDomain,
+                                     MSIDErrorServerInvalidState,
+                                     [NSString stringWithFormat:@"State parameter mismatch. Expected: %@, Received: %@", expectedState, receivedState],
+                                     nil, nil, nil, nil, nil, YES);
+        }
+        return NO;
+    }
+    
+    return YES;
+}
+
 #pragma mark - Private
 
 - (BOOL)isMyUrl:(NSURL *)url

IdentityCore/tests/IdentityCoreTests-Bridging-Header.h

@@ -20,3 +20,5 @@
 #import "MSIDWebWPJResponse.h"
 #import "MSIDWebviewFactory.h"
 #import "MSIDSwitchBrowserResumeOperation.h"
+#import "MSIDFlightManagerMockProvider.h"
+#import "MSIDFlightManager.h"

IdentityCore/tests/MSIDSwitchBrowserOperationTest.swift

@@ -78,13 +78,16 @@ class MSIDAuthorizeWebRequestConfigurationMock : MSIDAuthorizeWebRequestConfigur
 final class MSIDSwitchBrowserOperationTest: XCTestCase 
 {
     lazy var validSwitchBrowserResponse: MSIDSwitchBrowserResponse? = {
-        let url = URL(string: "msauth.com.microsoft.msaltestapp://auth/switch_browser?action_uri=some_uri&code=some_code")!
-        return try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth", context: nil)
+        let url = URL(string: "msauth.com.microsoft.msaltestapp://auth/switch_browser?action_uri=some_uri&code=some_code&state=c3RhdGU")!
+        return try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth", requestState: "state", context: nil)
     }()
 
     override func setUpWithError() throws
     {
         // Put setup code here. This method is called before the invocation of each test method in the class.
+        let flightProvider = MSIDFlightManagerMockProvider()
+        flightProvider.boolForKeyContainer = [MSID_FLIGHT_SUPPORT_STATE_DUNA_CBA: true]
+        MSIDFlightManager.sharedInstance().flightProvider = flightProvider
     }
 
     override func tearDownWithError() throws 
@@ -148,7 +151,7 @@ final class MSIDSwitchBrowserOperationTest: XCTestCase
 
         XCTAssertEqual(1, certAuthManagerMock.startWithUrlInvokedCount)
         XCTAssertEqual(1, certAuthManagerMock.resetStateInvokedCount)
-        XCTAssertEqual(URL(string: "some_uri?code=some_code"), certAuthManagerMock.startURLProvidedParam)
+        XCTAssertEqual(URL(string: "some_uri?state=c3RhdGU&code=some_code"), certAuthManagerMock.startURLProvidedParam)
     }
 
     func testInvoke_whenWebRequestConfigurationReturnError_shouldReturnError() async throws
@@ -186,7 +189,7 @@ final class MSIDSwitchBrowserOperationTest: XCTestCase
 
         XCTAssertEqual(1, certAuthManagerMock.startWithUrlInvokedCount)
         XCTAssertEqual(1, certAuthManagerMock.resetStateInvokedCount)
-        XCTAssertEqual(URL(string: "some_uri?code=some_code"), certAuthManagerMock.startURLProvidedParam)
+        XCTAssertEqual(URL(string: "some_uri?state=c3RhdGU&code=some_code"), certAuthManagerMock.startURLProvidedParam)
         XCTAssertEqual(1, webRequestConfigurationMock.responseWithResultURLInvokedCount)
     }
 
@@ -222,7 +225,7 @@ final class MSIDSwitchBrowserOperationTest: XCTestCase
 
         XCTAssertEqual(1, certAuthManagerMock.startWithUrlInvokedCount)
         XCTAssertEqual(1, certAuthManagerMock.resetStateInvokedCount)
-        XCTAssertEqual(URL(string: "some_uri?code=some_code"), certAuthManagerMock.startURLProvidedParam)
+        XCTAssertEqual(URL(string: "some_uri?state=c3RhdGU&code=some_code"), certAuthManagerMock.startURLProvidedParam)
         XCTAssertEqual(1, webRequestConfigurationMock.responseWithResultURLInvokedCount)
     }
 }