Merge pull request #1543 from AzureAD/josephpab/dunaStateValidation

Duna State Validation

Author: josephpab

IdentityCore/src/oauth2/aad_base/MSIDAADWebviewFactory.m

@@ -206,12 +206,14 @@ - (MSIDWebviewResponse *)oAuthResponseWithURL:(NSURL *)url
     {
         MSIDSwitchBrowserResponse *switchBrowserResponse = [[MSIDSwitchBrowserResponse alloc] initWithURL:url
                                                                                               redirectUri:endRedirectUri
+                                                                                             requestState:requestState
                                                                                                   context:context
                                                                                                     error:nil];
         if (switchBrowserResponse) return switchBrowserResponse;
 
         MSIDSwitchBrowserResumeResponse *switchBrowserResumeResponse = [[MSIDSwitchBrowserResumeResponse alloc] initWithURL:url
                                                                                                                 redirectUri:endRedirectUri
+                                                                                                               requestState:requestState
                                                                                                                     context:context
                                                                                                                       error:nil];
         if (switchBrowserResumeResponse) return switchBrowserResumeResponse;

IdentityCore/src/webview/operations/ios/MSIDSwitchBrowserOperation.m

@@ -82,6 +82,12 @@ - (void)invokeWithRequestParameters:(nonnull MSIDInteractiveTokenRequestParamete
     NSMutableDictionary *queryItems = [NSMutableDictionary new];
     queryItems[@"code"] = self.switchBrowserResponse.switchBrowserSessionToken;
     queryItems[MSID_OAUTH2_REDIRECT_URI] = requestParameters.redirectUri;
+    
+    if (self.switchBrowserResponse.state)
+    {
+        queryItems[MSID_OAUTH2_STATE] = self.switchBrowserResponse.state;
+    }
+    
     NSURLComponents *requestURLComponents = [[NSURLComponents alloc] initWithString:self.switchBrowserResponse.actionUri];
     requestURLComponents.percentEncodedQuery = [queryItems msidURLEncode];
     NSURL *startURL = requestURLComponents.URL;

IdentityCore/src/webview/operations/ios/MSIDSwitchBrowserResumeOperation.m

@@ -87,6 +87,19 @@ - (void)invokeWithRequestParameters:(nonnull MSIDInteractiveTokenRequestParamete
      webviewResponseCompletionBlock:(nonnull MSIDWebviewAuthCompletionHandler)webviewResponseCompletionBlock
    authorizationCodeCompletionBlock:(nonnull MSIDInteractiveAuthorizationCodeCompletionBlock)authorizationCodeCompletionBlock
 {
+    MSIDSwitchBrowserResponse *parentResponse = (MSIDSwitchBrowserResponse *)self.switchBrowserResumeResponse.parentResponse;
+    NSError *stateValidationError = nil;
+    
+    BOOL stateValidated = [MSIDSwitchBrowserResponse validateStateParameter:self.switchBrowserResumeResponse.state
+                                                              expectedState:parentResponse.state
+                                                                      error:&stateValidationError];
+    if (!stateValidated)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, requestParameters, @"Resume operation rejected due to state validation failure");
+        if (webviewResponseCompletionBlock) webviewResponseCompletionBlock(nil, stateValidationError);
+        return;
+    }
+    
     webRequestConfiguration.startURL = [[NSURL alloc] initWithString:self.switchBrowserResumeResponse.actionUri];
     NSMutableDictionary *customHeaders = [webRequestConfiguration.customHeaders mutableCopy] ?: [NSMutableDictionary new];
     customHeaders[@"Authorization"] = [NSString stringWithFormat:@"Bearer %@", self.switchBrowserResumeResponse.switchBrowserSessionToken];

IdentityCore/src/webview/response/MSIDSwitchBrowserResponse.h

@@ -35,6 +35,7 @@ typedef NS_OPTIONS(NSInteger, MSIDSwitchBrowserModes) {
 @property (nonatomic, readonly) NSString *actionUri;
 @property (nonatomic, readonly) NSString *switchBrowserSessionToken;
 @property (nonatomic, readonly) BOOL useEphemeralWebBrowserSession;
+@property (nonatomic, readonly) NSString *state;
 
 - (instancetype )init NS_UNAVAILABLE;
 + (instancetype)new NS_UNAVAILABLE;
@@ -45,9 +46,13 @@ typedef NS_OPTIONS(NSInteger, MSIDSwitchBrowserModes) {
 
 - (instancetype)initWithURL:(NSURL *)url
                 redirectUri:(NSString *)redirectUri
+               requestState:(NSString *)requestState
                     context:(id<MSIDRequestContext>)context
                       error:(NSError *__autoreleasing*)error;
 
 + (BOOL)isDUNAActionUrl:(NSURL *)url operation:(NSString *)operation;
 
++ (BOOL)validateStateParameter:(NSString *)receivedState
+                 expectedState:(NSString *)expectedState
+                         error:(NSError *__autoreleasing*)error;
 @end

IdentityCore/src/webview/response/MSIDSwitchBrowserResponse.m

@@ -38,6 +38,7 @@ + (NSString *)operation
 
 - (instancetype)initWithURL:(NSURL *)url
                 redirectUri:(NSString *)redirectUri
+               requestState:(NSString *)requestState
                     context:(id<MSIDRequestContext>)context
                       error:(NSError *__autoreleasing*)error
 {
@@ -48,8 +49,23 @@ - (instancetype)initWithURL:(NSURL *)url
     if (self)
     {
         if (![self isMyUrl:url redirectUri:redirectUri]) return nil;
+        
+        NSError *stateCheckError = nil;
+        BOOL stateValidated = [MSIDSwitchBrowserResponse validateStateParameter:self.parameters[MSID_OAUTH2_STATE]
+                                                                  expectedState:requestState
+                                                                          error:&stateCheckError];
+        if (!stateValidated)
+        {
+            if (stateCheckError && error)
+            {
+                *error = stateCheckError;
+            }
+            return nil;
+        }
+        
         _actionUri = self.parameters[@"action_uri"];
         _useEphemeralWebBrowserSession = YES;
+        _state = self.parameters[MSID_OAUTH2_STATE];
 
         NSString* browserOptionsString = self.parameters[@"browser_modes"];
         if (browserOptionsString)
@@ -105,6 +121,45 @@ + (BOOL)isDUNAActionUrl:(NSURL *)url operation:(NSString *)operation
     return NO;
 }
 
++ (BOOL)validateStateParameter:(NSString *)receivedState
+                 expectedState:(NSString *)expectedState
+                         error:(NSError *__autoreleasing*)error
+{
+    if (!receivedState && !expectedState)
+    {
+        return YES;
+    }
+    
+    if (!expectedState || !receivedState)
+    {
+        if (error)
+        {
+            *error = MSIDCreateError(MSIDOAuthErrorDomain,
+                                     MSIDErrorServerInvalidState,
+                                     [NSString stringWithFormat:@"Missing or invalid state returned state: %@", receivedState],
+                                     nil, nil, nil, nil, nil, YES);
+        }
+        return NO;
+    }
+    
+    BOOL result = [receivedState isEqualToString:expectedState];
+    
+    if (!result)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"State parameter mismatch");
+        if (error)
+        {
+            *error = MSIDCreateError(MSIDOAuthErrorDomain,
+                                     MSIDErrorServerInvalidState,
+                                     [NSString stringWithFormat:@"State parameter mismatch. Expected: %@, Received: %@", expectedState, receivedState],
+                                     nil, nil, nil, nil, nil, YES);
+        }
+        return NO;
+    }
+    
+    return YES;
+}
+
 #pragma mark - Private
 
 - (BOOL)isMyUrl:(NSURL *)url

IdentityCore/tests/MSIDSwitchBrowserOperationTest.swift

@@ -78,8 +78,8 @@ class MSIDAuthorizeWebRequestConfigurationMock : MSIDAuthorizeWebRequestConfigur
 final class MSIDSwitchBrowserOperationTest: XCTestCase 
 {
     lazy var validSwitchBrowserResponse: MSIDSwitchBrowserResponse? = {
-        let url = URL(string: "msauth.com.microsoft.msaltestapp://auth/switch_browser?action_uri=some_uri&code=some_code")!
-        return try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth", context: nil)
+        let url = URL(string: "msauth.com.microsoft.msaltestapp://auth/switch_browser?action_uri=some_uri&code=some_code&state=state")!
+        return try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth", requestState: "state", context: nil)
     }()
 
     override func setUpWithError() throws
@@ -148,7 +148,7 @@ final class MSIDSwitchBrowserOperationTest: XCTestCase
 
         XCTAssertEqual(1, certAuthManagerMock.startWithUrlInvokedCount)
         XCTAssertEqual(1, certAuthManagerMock.resetStateInvokedCount)
-        XCTAssertEqual(URL(string: "some_uri?code=some_code"), certAuthManagerMock.startURLProvidedParam)
+        XCTAssertEqual(URL(string: "some_uri?state=state&code=some_code"), certAuthManagerMock.startURLProvidedParam)
     }
 
     func testInvoke_whenWebRequestConfigurationReturnError_shouldReturnError() async throws
@@ -186,7 +186,7 @@ final class MSIDSwitchBrowserOperationTest: XCTestCase
 
         XCTAssertEqual(1, certAuthManagerMock.startWithUrlInvokedCount)
         XCTAssertEqual(1, certAuthManagerMock.resetStateInvokedCount)
-        XCTAssertEqual(URL(string: "some_uri?code=some_code"), certAuthManagerMock.startURLProvidedParam)
+        XCTAssertEqual(URL(string: "some_uri?state=state&code=some_code"), certAuthManagerMock.startURLProvidedParam)
         XCTAssertEqual(1, webRequestConfigurationMock.responseWithResultURLInvokedCount)
     }
 
@@ -222,7 +222,7 @@ final class MSIDSwitchBrowserOperationTest: XCTestCase
 
         XCTAssertEqual(1, certAuthManagerMock.startWithUrlInvokedCount)
         XCTAssertEqual(1, certAuthManagerMock.resetStateInvokedCount)
-        XCTAssertEqual(URL(string: "some_uri?code=some_code"), certAuthManagerMock.startURLProvidedParam)
+        XCTAssertEqual(URL(string: "some_uri?state=state&code=some_code"), certAuthManagerMock.startURLProvidedParam)
         XCTAssertEqual(1, webRequestConfigurationMock.responseWithResultURLInvokedCount)
     }
 }

IdentityCore/tests/MSIDSwitchBrowserResponseTest.swift

@@ -42,7 +42,7 @@ final class MSIDSwitchBrowserResponseTest: XCTestCase
     {
         let url = URL(string: "msauth.com.microsoft.msaltestapp://auth/switch_browser?action_uri=some_uri&code=some_code")!
 
-        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth",  context: nil)
+        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth", requestState: nil,  context: nil)
 
         XCTAssertNotNil(response)
         XCTAssertEqual(response?.actionUri, "some_uri")
@@ -53,7 +53,7 @@ final class MSIDSwitchBrowserResponseTest: XCTestCase
     {
         let url = URL(string: "MSAUTH.COM.MICROSOFT.msaltestapp://auth/switch_browser?action_uri=some_uri&code=some_code")!
 
-        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://AUTH",  context: nil)
+        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://AUTH", requestState: nil,  context: nil)
 
         XCTAssertNotNil(response)
         XCTAssertEqual(response?.actionUri, "some_uri")
@@ -64,7 +64,7 @@ final class MSIDSwitchBrowserResponseTest: XCTestCase
     {
         let url = URL(string: "msauth.com.microsoft.msaltestapp://auth/switch_browser?action_uri=some_uri&code=some_code#ff")!
 
-        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth#fragment",  context: nil)
+        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth#fragment", requestState: nil,  context: nil)
 
         XCTAssertNotNil(response)
         XCTAssertEqual(response?.actionUri, "some_uri")
@@ -75,42 +75,59 @@ final class MSIDSwitchBrowserResponseTest: XCTestCase
     {
         let url = URL(string: "msauth://broker_bundle_id//switch_browser?action_uri=some_uri&code=some_code")!
 
-        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth://broker_bundle_id", context: nil)
+        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth://broker_bundle_id", requestState: nil, context: nil)
 
         XCTAssertNotNil(response)
         XCTAssertEqual(response?.actionUri, "some_uri")
         XCTAssertEqual(response?.switchBrowserSessionToken, "some_code")
     }
 
-    func testInit_whenValidBrowserMode_hasBitmaskPrivateSessionShouldBeTrue() throws
+    func testInit_whenStateIsPresentInUrl_shouldCreateObject() throws
+    {
+        let url = URL(string: "msauth://broker_bundle_id//switch_browser?action_uri=some_uri&code=some_code&browser_modes=AAAAAA&state=state")!
+        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth://broker_bundle_id", requestState: "state", context: nil)
+        
+        XCTAssertNotNil(response)
+        XCTAssertEqual(response?.state, "state")
+    }
+    
+    func testInit_whenValidBrowserMode_hasBitmaskPrivateSession_shouldBeTrue() throws
     {
         let url = URL(string: "msauth://broker_bundle_id//switch_browser?action_uri=some_uri&code=some_code&browser_modes=AQAAAA")!
 
-        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth://broker_bundle_id", context: nil)
+        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth://broker_bundle_id", requestState: nil, context: nil)
 
         XCTAssertNotNil(response)
         XCTAssertEqual(response?.actionUri, "some_uri")
         XCTAssertEqual(response?.switchBrowserSessionToken, "some_code")
         XCTAssertEqual(response?.useEphemeralWebBrowserSession, true)
     }
 
-    func testInit_whenInvalidBrowserMode_hasBitmaskPrivateSessionShouldBeFalse() throws
+    func testInit_whenInvalidBrowserMode_hasBitmaskPrivateSession_shouldBeFalse() throws
     {
         let url = URL(string: "msauth://broker_bundle_id//switch_browser?action_uri=some_uri&code=some_code&browser_modes=AAAAAA")!
 
-        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth://broker_bundle_id", context: nil)
+        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth://broker_bundle_id", requestState: nil, context: nil)
 
         XCTAssertNotNil(response)
         XCTAssertEqual(response?.actionUri, "some_uri")
         XCTAssertEqual(response?.switchBrowserSessionToken, "some_code")
         XCTAssertEqual(response?.useEphemeralWebBrowserSession, false)
     }
 
+    func testInit_whenStateIsMissingFromUrl_shouldReturnNil() throws
+    {
+        let url = URL(string: "msauth://broker_bundle_id//switch_browser?action_uri=some_uri&code=some_code&browser_modes=AAAAAA")!
+        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth://broker_bundle_id", requestState: "state", context: nil)
+        
+        XCTAssertNil(response)
+    }
+    
     func testInit_whenInvalidUrl_shouldReturnNil() throws
     {
         let url = URL(string: "msauth.com.microsoft.msaltestapp://auth/abc?action_uri=some_uri&code=some_code")!
 
-        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth", context: nil)
+        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth", requestState: nil, context: nil)
 
         XCTAssertNil(response)
     }
@@ -119,7 +136,7 @@ final class MSIDSwitchBrowserResponseTest: XCTestCase
     {
         let url = URL(string: "abc.com.microsoft.msaltestapp://auth/switch_browser?action_uri=some_uri&code=some_code")!
 
-        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth", context: nil)
+        let response = try? MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth", requestState: nil, context: nil)
 
         XCTAssertNil(response)
     }
@@ -128,7 +145,7 @@ final class MSIDSwitchBrowserResponseTest: XCTestCase
     {
         let url = URL(string: "msauth.com.microsoft.msaltestapp://auth/switch_browser?code=some_code")!
 
-        XCTAssertThrowsError(try MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth", context: nil)) { error in
+        XCTAssertThrowsError(try MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth", requestState: nil, context: nil)) { error in
             XCTAssertEqual((error as NSError).code, MSIDErrorCode.serverInvalidResponse.rawValue)
             XCTAssertEqual((error as NSError).domain, MSIDOAuthErrorDomain)
             XCTAssertEqual((error as NSError).userInfo["MSIDErrorDescriptionKey"] as? String, "action_uri is nil.")
@@ -139,7 +156,7 @@ final class MSIDSwitchBrowserResponseTest: XCTestCase
     {
         let url = URL(string: "msauth.com.microsoft.msaltestapp://auth/switch_browser?action_uri=some_uri")!
 
-        XCTAssertThrowsError(try MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth", context: nil)) { error in
+        XCTAssertThrowsError(try MSIDSwitchBrowserResponse(url: url, redirectUri: "msauth.com.microsoft.msaltestapp://auth", requestState: nil, context: nil)) { error in
             XCTAssertEqual((error as NSError).code, MSIDErrorCode.serverInvalidResponse.rawValue)
             XCTAssertEqual((error as NSError).domain, MSIDOAuthErrorDomain)
             XCTAssertEqual((error as NSError).userInfo["MSIDErrorDescriptionKey"] as? String, "code is nil.")

IdentityCore/tests/MSIDSwitchBrowserResumeOperationTest.swift

@@ -30,10 +30,10 @@ final class MSIDSwitchBrowserResumeOperationTest: XCTestCase
     lazy var validSwitchBrowserResumeResponse: MSIDSwitchBrowserResumeResponse? = {
 
         let switchUrl = URL(string: "msauth.com.microsoft.msaltestapp://auth/switch_browser?action_uri=some_uri&code=some_code")!
-        let switchBrowserResponse = try? MSIDSwitchBrowserResponse(url: switchUrl, redirectUri: "msauth.com.microsoft.msaltestapp://auth",  context: nil)
+        let switchBrowserResponse = try? MSIDSwitchBrowserResponse(url: switchUrl, redirectUri: "msauth.com.microsoft.msaltestapp://auth", requestState: nil,  context: nil)
 
         let resumeUrl = URL(string: "msauth.com.microsoft.msaltestapp://auth/switch_browser_resume?action_uri=some_uri&code=some_code")!
-        let resumeResponse = try? MSIDSwitchBrowserResumeResponse(url: resumeUrl, redirectUri: "msauth.com.microsoft.msaltestapp://auth", context: nil)
+        let resumeResponse = try? MSIDSwitchBrowserResumeResponse(url: resumeUrl, redirectUri: "msauth.com.microsoft.msaltestapp://auth", requestState: nil, context: nil)
         resumeResponse?.parent = switchBrowserResponse
 
         return resumeResponse