Merge branch 'dev' into sedemche/browser_core_mats

Author: antrix1989

IdentityCore/src/MSIDConstants.h

@@ -213,8 +213,10 @@ extern NSString * _Nonnull const MSID_BROWSER_RESPONSE_SWITCH_BROWSER_RESUME;
 
 extern NSString * _Nonnull const MSID_FLIGHT_USE_V2_WEB_RESPONSE_FACTORY;
 extern NSString * _Nonnull const MSID_FLIGHT_SUPPORT_DUNA_CBA;
+extern NSString * _Nonnull const MSID_FLIGHT_DISABLE_JIT_TROUBLESHOOTING_LEGACY_AUTH;
 extern NSString * _Nonnull const MSID_FLIGHT_CLIENT_SFRT_STATUS;
 extern NSString * _Nonnull const MSID_FLIGHT_DISABLE_PREFERRED_IDENTITY_CBA;
+extern NSString * _Nonnull const MSID_FLIGHT_SUPPORT_STATE_DUNA_CBA;
 
 /**
  * Flight to indicate if remove account artifacts should be disabled

IdentityCore/src/MSIDConstants.m

@@ -85,8 +85,10 @@
 
 NSString *const MSID_FLIGHT_USE_V2_WEB_RESPONSE_FACTORY = @"use_v2_web_response_factory";
 NSString *const MSID_FLIGHT_SUPPORT_DUNA_CBA = @"support_duna_cba_v2";
+NSString *const MSID_FLIGHT_DISABLE_JIT_TROUBLESHOOTING_LEGACY_AUTH = @"disable_jit_remediation_legacy_auth";
 NSString *const MSID_FLIGHT_CLIENT_SFRT_STATUS = @"sfrt_v2";
 NSString *const MSID_FLIGHT_DISABLE_PREFERRED_IDENTITY_CBA = @"dis_pre_iden_cba";
+NSString *const MSID_FLIGHT_SUPPORT_STATE_DUNA_CBA = @"support_state_duna_cba";
 
 // Making the flight string short to avoid legacy broker url size limit
 NSString *const MSID_FLIGHT_DISABLE_REMOVE_ACCOUNT_ARTIFACTS = @"disable_rm_metadata";

IdentityCore/src/broker_operation/request/browser_native_message_request/MSIDBrokerOperationBrowserNativeMessageRequest.m

@@ -61,17 +61,17 @@ + (NSString *)operation
 
 - (NSString *)callerBundleIdentifier
 {
-    return self.parentProcessBundleIdentifier ?: NSLocalizedString(@"N/A", nil);
+    return self.parentProcessBundleIdentifier ?: @"";
 }
 
 - (NSString *)callerTeamIdentifier
 {
-    return self.parentProcessTeamId ?: NSLocalizedString(@"N/A", nil);
+    return self.parentProcessTeamId ?: @"";
 }
 
 - (NSString *)localizedCallerDisplayName
 {
-    return self.parentProcessLocalizedName ?: NSLocalizedString(@"N/A", nil);
+    return self.parentProcessLocalizedName ?: @"";
 }
 
 - (NSString *)localizedApplicationInfo
@@ -87,7 +87,7 @@ - (NSString *)localizedApplicationInfo
         return brokerOperationRequest.localizedApplicationInfo;
     }
 
-    return NSLocalizedString(@"N/A", nil);
+    return @"";
 }
 
 #pragma mark - MSIDJsonSerializable

IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationBrowserTokenRequest.m

@@ -57,6 +57,11 @@ - (instancetype)initWithRequest:(NSURL *)requestURL
         _requestURL = requestURL;
 
         [self printRequestURLInfo:requestURL];
+        if (![httpBody length])
+        {
+            // Apple doesn't provide/expose the HTTP method of the request SSO extension intercepted. If httpBody is nil we assume GET else POST.
+            MSID_LOG_WITH_CTX(MSIDLogLevelInfo, nil, @"[Browser SSO] Request body is empty or undefined. SSO extension will assume HTTP method to GET.");
+        }
 
         if (![requestValidator shouldHandleURL:_requestURL])
         {
@@ -121,8 +126,8 @@ + (NSString *)protocolLogNameForRequestURL:(NSURL *)requestURL
             return logProtocolNames[keyword];
         }
     }
-    
-    return @"N/A";
+    NSString *lastPathComponent = [requestURL lastPathComponent];
+    return [NSString msidIsStringNilOrBlank:lastPathComponent] ? @"N/A" : lastPathComponent;
 }
 
 - (void)printRequestURLInfo:(NSURL *)requestURL

IdentityCore/src/cache/accessor/MSIDAccountCredentialCache.m

@@ -581,7 +581,7 @@ - (MSIDIsFRTEnabledStatus)checkFRTEnabled:(nullable id<MSIDRequestContext>)conte
 
         if ([NSString msidIsStringNilOrBlank:flagEnableFRT] || (!shouldEnableFRT && !shouldDisableFRT))
         {
-            MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"FRT flight set to keep current status: %ld", (long)status);
+            MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"FRT flight set to keep current status: %ld", (long)status);
             return status;
         }
         MSIDIsFRTEnabledStatus newStatus = status;

IdentityCore/src/oauth2/aad_base/MSIDAADWebviewFactory.m

@@ -206,12 +206,14 @@ - (MSIDWebviewResponse *)oAuthResponseWithURL:(NSURL *)url
     {
         MSIDSwitchBrowserResponse *switchBrowserResponse = [[MSIDSwitchBrowserResponse alloc] initWithURL:url
                                                                                               redirectUri:endRedirectUri
+                                                                                             requestState:requestState
                                                                                                   context:context
                                                                                                     error:nil];
         if (switchBrowserResponse) return switchBrowserResponse;
 
         MSIDSwitchBrowserResumeResponse *switchBrowserResumeResponse = [[MSIDSwitchBrowserResumeResponse alloc] initWithURL:url
                                                                                                                 redirectUri:endRedirectUri
+                                                                                                               requestState:requestState
                                                                                                                     context:context
                                                                                                                       error:nil];
         if (switchBrowserResumeResponse) return switchBrowserResumeResponse;

IdentityCore/src/requests/MSIDEcdhApv.m

@@ -27,13 +27,13 @@
 
 @implementation MSIDEcdhApv
 
-const NSUInteger kExpectedECP256KeyLength = 65;
-
 - (instancetype)initWithKey:(SecKeyRef)publicKey
                   apvPrefix:(NSString *)apvPrefix
                     context:(id<MSIDRequestContext> _Nullable)context
                       error:(NSError * _Nullable __autoreleasing *)error
 {
+    const NSUInteger kExpectedECP256KeyLength = 65;
+    
     if (publicKey == NULL)
     {
         if (error) *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Public STK provided is not defined.", nil, nil, nil, context.correlationId, nil, NO);

IdentityCore/src/webview/MSIDCertAuthManager.h

@@ -44,6 +44,7 @@ NS_ASSUME_NONNULL_BEGIN
 - (void)startWithURL:(NSURL *)startURL
     parentController:(MSIDViewController *)parentViewController
              context:(id<MSIDRequestContext>)context
+ephemeralWebBrowserSession:(BOOL)ephemeralWebBrowserSession
      completionBlock:(MSIDWebUICompletionHandler)completionBlock;
 
 - (BOOL)completeWithCallbackURL:(NSURL *)url;

IdentityCore/src/webview/MSIDCertAuthManager.m

@@ -79,6 +79,7 @@ - (BOOL)completeWithCallbackURL:(NSURL *)url
 - (void)startWithURL:(NSURL *)startURL
     parentController:(MSIDViewController *)parentViewController
              context:(id<MSIDRequestContext>)context
+   ephemeralWebBrowserSession:(BOOL)ephemeralWebBrowserSession
      completionBlock:(MSIDWebUICompletionHandler)completionBlock
 {
     [MSIDMainThreadUtil executeOnMainThreadIfNeeded:^{
@@ -113,7 +114,7 @@ - (void)startWithURL:(NSURL *)startURL
                                                                             parentController:parentViewController
                                                                     useAuthenticationSession:self.useAuthSession
                                                                    allowSafariViewController:YES
-                                                                  ephemeralWebBrowserSession:YES
+                                                                  ephemeralWebBrowserSession:ephemeralWebBrowserSession
                                                                                      context:context];
 
         self.systemWebViewController.appActivities = self.activities;

IdentityCore/src/webview/embeddedWebview/MSIDAADOAuthEmbeddedWebviewController.m

@@ -29,6 +29,9 @@
 #import "MSIDWorkPlaceJoinConstants.h"
 #import "MSIDPKeyAuthHandler.h"
 #import "MSIDWorkPlaceJoinUtil.h"
+#import "MSIDWebAuthNUtil.h"
+#import "MSIDFlightManager.h"
+#import "MSIDConstants.h"
 
 #if !MSID_EXCLUDE_WEBKIT
 
@@ -67,6 +70,28 @@ - (BOOL)decidePolicyAADForNavigationAction:(WKNavigationAction *)navigationActio
     BOOL isBrokerUrl = [@"msauth" caseInsensitiveCompare:requestURL.scheme] == NSOrderedSame;
     BOOL isBrowserUrl = [@"browser" caseInsensitiveCompare:requestURL.scheme] == NSOrderedSame;
 
+    if (![MSIDFlightManager.sharedInstance boolForKey:MSID_FLIGHT_DISABLE_JIT_TROUBLESHOOTING_LEGACY_AUTH])
+    {
+        // When not running in SSO extension, the CA block page will return with "https" scheme instead of "browser"
+        if (requestURL && ![MSIDWebAuthNUtil amIRunningInExtension] &&
+            self.externalDecidePolicyForBrowserAction &&
+            [@"https" caseInsensitiveCompare:requestURL.scheme] == NSOrderedSame)
+        {
+            // Create new URL replacing 'https' scheme with 'browser' scheme
+            NSURL *legacyFlowUrl = [NSURL URLWithString:[NSString stringWithFormat:@"browser%@", [requestURL.absoluteString substringFromIndex:5]]];
+            NSURLRequest *challengeResponse = self.externalDecidePolicyForBrowserAction(self, legacyFlowUrl);
+
+            if (challengeResponse)
+            {
+                MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.context, @"Found AAD policy for navigation using https url and externalDecidePolicyForBrowserAction in legacy auth flow.");
+                decisionHandler(WKNavigationActionPolicyCancel);
+                [self loadRequest:challengeResponse];
+
+                return YES;
+            }
+        }
+    }
+    
     if (isBrokerUrl || isBrowserUrl)
     {
         // Let external code decide if browser url is allowed to continue