Merge branch 'dev' into veena/PasskeyBiometric

Author: Veena11

IdentityCore/src/MSIDError.h

@@ -171,6 +171,8 @@ typedef NS_ENUM(NSInteger, MSIDErrorCode)
      */
 
     MSIDErrorServerUnhandledResponse    = -51500,
+    // http status Code 403 or 404
+    MSIDErrorUnexpectedHttpResponse     = -51501,
 
     /*!
      =========================================================

IdentityCore/src/MSIDError.m

@@ -227,7 +227,8 @@ MSIDErrorCode MSIDErrorCodeForOAuthErrorWithSubErrorCode(NSString *oauthError, M
                       @(MSIDErrorServerError),
                       ],
               MSIDHttpErrorCodeDomain : @[
-                      @(MSIDErrorServerUnhandledResponse)
+                      @(MSIDErrorServerUnhandledResponse),
+                      @(MSIDErrorUnexpectedHttpResponse)
                       ]
 
               // TODO: add new codes here
@@ -304,6 +305,8 @@ void MSIDFillAndLogError(NSError **error, MSIDErrorCode errorCode, NSString *err
             // HTTP errors
         case MSIDErrorServerUnhandledResponse:
             return @"MSIDErrorServerUnhandledResponse";
+        case MSIDErrorUnexpectedHttpResponse:
+            return @"MSIDErrorUnexpectedHttpResponse";
             // Authority validation errors
         case MSIDErrorAuthorityValidation:
             return @"MSIDErrorAuthorityValidation";

IdentityCore/src/network/error_handler/MSIDAADRequestErrorHandler.m

@@ -150,7 +150,13 @@ - (void)handleError:(NSError *)error
         }
     }
 
-    NSError *httpError = MSIDCreateError(MSIDHttpErrorCodeDomain, MSIDErrorServerUnhandledResponse, errorDescription, nil, nil, nil, context.correlationId, additionalInfo, YES);
+    NSError *httpUnderlyingError = nil;
+    if (httpResponse.statusCode == 403 || httpResponse.statusCode == 404)
+    {
+        httpUnderlyingError = MSIDCreateError(MSIDHttpErrorCodeDomain, MSIDErrorUnexpectedHttpResponse, errorDescription, nil, nil, nil, context.correlationId, nil, YES);
+    }
+
+    NSError *httpError = MSIDCreateError(MSIDHttpErrorCodeDomain, MSIDErrorServerUnhandledResponse, errorDescription, nil, nil, httpUnderlyingError, context.correlationId, additionalInfo, YES);
 
     if (completionBlock) completionBlock(nil, httpError);
 }

IdentityCore/tests/MSIDAADRequestErrorHandlerTests.m

@@ -191,6 +191,8 @@ - (void)testHandleError_whenItIsNotServerError_shouldReturnStatusCodeAndHeaders
 
     XCTAssertEqualObjects(returnError.domain, MSIDHttpErrorCodeDomain);
     XCTAssertEqual(returnError.code, MSIDErrorServerUnhandledResponse);
+    NSError *underlyingError = returnError.userInfo[NSUnderlyingErrorKey];
+    XCTAssertEqual(underlyingError.code, MSIDErrorUnexpectedHttpResponse);
     XCTAssertEqualObjects(returnError.userInfo[MSIDHTTPHeadersKey], @{@"headerKey":@"headerValue"});
 
     XCTAssertNil(errorResponse);
@@ -275,6 +277,8 @@ - (void)testHandleError_whenItIsServerError_shouldReturnResponseCodeInError
 
     XCTAssertEqualObjects(returnError.domain, MSIDHttpErrorCodeDomain);
     XCTAssertEqual(returnError.code, MSIDErrorServerUnhandledResponse);
+    NSError *underlyingError = returnError.userInfo[NSUnderlyingErrorKey];
+    XCTAssertEqual(underlyingError.code, MSIDErrorUnexpectedHttpResponse);
     XCTAssertEqualObjects(returnError.userInfo[MSIDHTTPResponseCodeKey], @"404");
 }
 

IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h

@@ -33,6 +33,13 @@ typedef NS_ENUM(NSUInteger, MSIDAutomationWPJRegistrationAPIMode)
     MSIDAutomationWPJRegistrationAPIModeCompanyPortal = 2 //Company Portal
 };
 
+typedef NS_ENUM(NSInteger, MSIDAutomationWPJSSOExtensionSecureStorage)
+{
+    MSIDAutomationWPJSSOExtensionNoValueFound = 0,
+    MSIDAutomationWPJSSOExtensionValueNo = 1,
+    MSIDAutomationWPJSSOExtensionValueYes = 2
+};
+
 @interface MSIDAutomationTestRequest : NSObject <MSIDJsonSerializable>
 
 @property (nonatomic, strong) NSString *clientId;
@@ -86,6 +93,8 @@ typedef NS_ENUM(NSUInteger, MSIDAutomationWPJRegistrationAPIMode)
 @property (nonatomic) NSString *wpjRegistrationUpn;
 @property (nonatomic) BOOL operateOnPrimaryWPJ;
 @property (nonatomic) BOOL useMostSecureStorageForWpj;
+@property (nonatomic) BOOL isSecureEnclaveSupportedForWpj;
+@property (nonatomic) MSIDAutomationWPJSSOExtensionSecureStorage ssoExtensionSecureStorageEnabled;
 @property (nonatomic) BOOL shouldExpirePRT;
 @property (nonatomic) BOOL isSsoSeedingCompleted;
 @property (nonatomic) BOOL shouldOnlyDeleteSeedingPrt;

IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m

@@ -103,6 +103,8 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json
         _wpjRegistrationUpn = json[@"wpj_registration_upn"];
         _operateOnPrimaryWPJ = [json[@"wpj_operate_on_primary_reg"] boolValue];
         _useMostSecureStorageForWpj = [json[@"use_most_secure_storage"] boolValue];
+        _isSecureEnclaveSupportedForWpj = [json[@"wpj_secure_enclave_supported"] boolValue];
+        _ssoExtensionSecureStorageEnabled = (MSIDAutomationWPJSSOExtensionSecureStorage)[json[@"wpj_sso_extension_secure_storage_enabled"] integerValue];
         _shouldExpirePRT = [json[@"should_expire_prt"] boolValue];
         _isSsoSeedingCompleted = [json[@"is_sso_seeding_completed"] boolValue];
         _shouldOnlyDeleteSeedingPrt = [json[@"should_only_delete_seeding_prt"] boolValue];
@@ -184,6 +186,8 @@ - (NSDictionary *)jsonDictionary
     json[@"wpj_registration_upn"] = _wpjRegistrationUpn;
     json[@"wpj_operate_on_primary_reg"] = @(_operateOnPrimaryWPJ);
     json[@"use_most_secure_storage"] = @(_useMostSecureStorageForWpj);
+    json[@"wpj_secure_enclave_supported"] = @(_isSecureEnclaveSupportedForWpj);
+    json[@"wpj_sso_extension_secure_storage_enabled"] = @(_ssoExtensionSecureStorageEnabled);
     json[@"should_expire_prt"] = @(_shouldExpirePRT);
     json[@"is_sso_seeding_completed"] = @(_isSsoSeedingCompleted);
     json[@"should_only_delete_seeding_prt"] = @(_shouldOnlyDeleteSeedingPrt);

IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccountConfigurationRequest.h

@@ -48,6 +48,7 @@ extern MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeMA
 extern MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeMAMCASPO;
 extern MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeTrueMAMCA;
 extern MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeMDMCA;
+extern MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeTB;
 
 typedef NSString *MSIDTestAccountB2CProviderType;
 extern MSIDTestAccountB2CProviderType MSIDTestAccountB2CProviderTypeNone;

IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccountConfigurationRequest.m

@@ -46,6 +46,7 @@
 MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeMAMCASPO = @"mamspo";
 MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeTrueMAMCA = @"truemamca";
 MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeMDMCA = @"mdmca";
+MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeTB = @"tokenbinding";
 
 #pragma mark - MSIDTestAccountB2CProviderType;
 MSIDTestAccountB2CProviderType MSIDTestAccountB2CProviderTypeNone = @"none";

IdentityCore/tests/integration/ios/MSIDDefaultSilentTokenRequestTests.m

@@ -1336,6 +1336,68 @@ - (void)testAcquireTokenSilent_when429ThrottledErrorReturned_shouldReturnAllHead
     [self waitForExpectationsWithTimeout:1.0 handler:nil];
 }
 
+
+- (void)testAcquireTokenSilent_when403HttpCodeReturned_shouldReturnMSIDErrorUnexpectedHttpResponseInUnderlyingError
+{
+    MSIDRequestParameters *silentParameters = [self silentRequestParameters];
+    MSIDDefaultTokenCacheAccessor *tokenCache = self.tokenCache;
+
+    [self saveExpiredTokensInCache:tokenCache configuration:silentParameters.msidConfiguration];
+    silentParameters.accountIdentifier = [[MSIDAccountIdentifier alloc] initWithDisplayableId:DEFAULT_TEST_ID_TOKEN_USERNAME homeAccountId:DEFAULT_TEST_HOME_ACCOUNT_ID];
+
+    NSString *authority = DEFAULT_TEST_AUTHORITY_GUID;
+    MSIDTestURLResponse *discoveryResponse = [MSIDTestURLResponse discoveryResponseForAuthority:authority];
+    [MSIDTestURLSession addResponse:discoveryResponse];
+
+    MSIDTestURLResponse *oidcResponse = [MSIDTestURLResponse oidcResponseForAuthority:authority];
+    [MSIDTestURLSession addResponse:oidcResponse];
+
+    NSMutableDictionary *reqHeaders = [[MSIDTestURLResponse msidDefaultRequestHeaders] mutableCopy];
+    [reqHeaders setObject:@"application/x-www-form-urlencoded" forKey:@"Content-Type"];
+
+    MSIDTestURLResponse *errorTokenResponse =
+    [MSIDTestURLResponse requestURLString:DEFAULT_TEST_TOKEN_ENDPOINT_GUID
+                           requestHeaders:reqHeaders
+                        requestParamsBody:@{ @"client_id" : @"my_client_id",
+                                             @"scope" : @"user.read tasks.read openid profile offline_access",
+                                             @"grant_type" : @"refresh_token",
+                                             @"refresh_token" : DEFAULT_TEST_REFRESH_TOKEN,
+                                             MSID_OAUTH2_REDIRECT_URI : [[self silentRequestParameters] redirectUri],
+                                             @"client_info" : @"1"}
+                        responseURLString:DEFAULT_TEST_TOKEN_ENDPOINT_GUID
+                             responseCode:403
+                         httpHeaderFields:@{@"Retry-After": @"256",
+                                            @"Other-Header-Field": @"Other header field"
+                                            }
+                         dictionaryAsJSON:nil];
+
+    [errorTokenResponse->_requestHeaders removeObjectForKey:@"Content-Length"];
+
+    [MSIDTestURLSession addResponse:errorTokenResponse];
+
+    MSIDDefaultSilentTokenRequest *silentRequest = [[MSIDDefaultSilentTokenRequest alloc] initWithRequestParameters:silentParameters
+                                                                                                       forceRefresh:NO
+                                                                                                       oauthFactory:[MSIDAADV2Oauth2Factory new]
+                                                                                             tokenResponseValidator:[MSIDDefaultTokenResponseValidator new]
+                                                                                                         tokenCache:tokenCache
+                                                                                                      accountMetadataCache:self.accountMetadataCache];
+
+    XCTestExpectation *expectation = [self expectationWithDescription:@"silent request"];
+
+    [silentRequest executeRequestWithCompletion:^(MSIDTokenResult * _Nullable result, NSError * _Nullable error) {
+
+        XCTAssertNotNil(error);
+        XCTAssertNil(result);
+        XCTAssertEqual(error.code, MSIDErrorServerUnhandledResponse);
+        NSError *underlyingError = error.userInfo[NSUnderlyingErrorKey];
+        XCTAssertEqual(underlyingError.code, MSIDErrorUnexpectedHttpResponse);
+        XCTAssertEqualObjects(error.domain, MSIDHttpErrorCodeDomain);
+        XCTAssertEqualObjects(error.userInfo[MSIDHTTPResponseCodeKey], @"403");
+        [expectation fulfill];
+    }];
+
+    [self waitForExpectationsWithTimeout:1.0 handler:nil];
+}
 - (void)testAcquireTokenSilent_whenTokenEndpointInDifferentCloud_shouldReturnInteractionRequired
 {
     // Prepare RT in cache

azure_pipelines/broker_submodule_check.yml

@@ -0,0 +1,163 @@
+# Xcode
+# Build, test, and archive an Xcode workspace on macOS.
+# Add steps that install certificates, test, sign, and distribute an app, save build artifacts, and more:
+# https://docs.microsoft.com/azure/devops/pipelines/languages/xcode
+
+trigger:
+  branches:
+    include:
+    - dev
+
+pr:
+  autoCancel: true
+  branches:
+    include:
+    - '*'
+  drafts: true
+
+pool:
+  name: 'Azure Pipelines'
+
+resources:
+ repositories:
+   - repository: azure-activedirectory-tokenbroker-for-objc
+     type: github
+     endpoint: 'MSAL ObjC Service Connection'
+     name: AzureAD/azure-activedirectory-tokenbroker-for-objc
+
+   - repository: WorkplaceJoin-for-iOS
+     type: github
+     endpoint: 'MSAL ObjC Service Connection'
+     name: AzureAD/WorkplaceJoin-for-iOS
+
+jobs:
+- job: 'Validate_Pull_Request'
+  displayName: Validate Pull Request
+  pool:
+    vmImage: 'macOS-14'
+    timeOutInMinutes: 30
+
+  steps:
+  - checkout: azure-activedirectory-tokenbroker-for-objc
+    displayName: 'Checkout Broker'
+    clean: false
+    submodules: false
+    fetchTags: true
+    persistCredentials: true
+
+  - task: Bash@3
+    displayName: 'Checkout MSAL, ADAL, and submodules'
+    inputs:
+      workingDirectory: $(Pipeline.Workspace)/s
+      targetType: 'inline'
+      script: |
+        cd azure-activedirectory-tokenbroker-for-objc
+        git submodule update --init --recursive ADAuthenticationBroker/Frameworks/adal
+        git submodule update --init ADAuthenticationBroker/Frameworks/microsoft-authentication-library-for-objc
+
+  - checkout: self
+    displayName: 'Checkout IdentityCore'
+    clean: false
+    submodules: false
+    fetchTags: true
+    path: 's/azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks/microsoft-authentication-library-for-objc/MSAL/IdentityCore'
+    persistCredentials: true
+
+  - checkout: WorkplaceJoin-for-iOS
+    displayName: 'Checkout WPJ'
+    clean: false
+    submodules: false
+    fetchTags: true
+    path: 's/azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS'
+    persistCredentials: true
+
+  - task: AzureCLI@2
+    inputs:
+      azureSubscription: 'AuthSdkResourceManager'
+      scriptType: 'pscore'
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+        # if this fails, check out this bash script that includes diagnostics:
+        # https://gist.github.com/johnterickson/19f80a3e969e39f1000d118739176e62
+        # uncomment these for more debugging spew
+        # GIT_TRACE=1
+        # GIT_CURL_VERBOSE=1
+        
+        # Note that the resoruce is specified to limit the token to Azure DevOps
+        $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
+        Write-Host "##vso[task.setvariable variable=aadToken;issecret=true]$token"
+  - task: Bash@3
+    displayName: 'Checkout NGC Submodules'
+    env:
+      AccessToken: $(MSAzureToken_encoded)
+    inputs:
+      workingDirectory: $(Pipeline.Workspace)/s
+      targetType: 'inline'
+      script: |
+        cd azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks
+        git -c http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-NGCAuthentication.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init AD-MFA-NGCAuthentication
+        cd AD-MFA-NGCAuthentication
+        git -c http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-NGCKeyProvider-ios.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init NGCKeyProvider
+        git -c http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-MSAuthNetworking.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init MSAuthNetworking
+
+  - task: Bash@3
+    displayName: 'Checkout WPJ openssl-msft submodule'
+    inputs:
+      workingDirectory: $(Pipeline.Workspace)/s
+      targetType: 'inline'
+      script: |
+        cd azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS
+        git -c http.https://msazure.visualstudio.com/DefaultCollection/PlatformCrypto/_git/openssl-msft.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init Frameworks/openssl-msft
+
+  - task: Bash@3
+    displayName: 'Update WPJ submodules'
+    inputs:
+      workingDirectory: $(Pipeline.Workspace)/s
+      targetType: 'inline'
+      script: |
+        cd azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS
+        git submodule update --init --recursive Frameworks/microsoft-authentication-library-for-objc
+        
+  - script: 'gem uninstall xcpretty -I --version 0.4.0'
+    displayName: 'Uninstall xcpretty v0.4.0'
+
+  - script: 'gem install xcpretty -N -v 0.3.0'
+    displayName: 'Install xcpretty v0.3.0'
+    
+  - script: 'gem install slather -N'
+    displayName: 'Install slather'
+
+  - task: UsePythonVersion@0
+    displayName: 'Use Python 3.x'
+
+  - task: Bash@3
+    displayName: 'Select Xcode version'
+    inputs:
+      targetType: 'inline'
+      script: '/bin/bash -c "sudo xcode-select -s /Applications/Xcode_15.4.app"'
+
+# The following is needed to install the visionOS SDK on macos-14 vm image which
+# doesn't have visionOS installed by default.
+# TODO: Remove when macos-14-arm64 is supported on ADO.
+  - task: Bash@3
+    displayName: download visionOS SDK
+    inputs:
+      targetType: 'inline'
+      script: |
+        echo "Downloading simulator for visionOS"
+        sudo xcode-select -s /Applications/Xcode_15.4.app/Contents/Developer
+        defaults write com.apple.dt.Xcode AllowUnsupportedVisionOSHost -bool YES
+        defaults write com.apple.CoreSimulator AllowUnsupportedVisionOSHost -bool YES
+        xcodebuild -downloadPlatform visionOS
+      failOnStderr: false
+
+
+  - task: Bash@3
+    displayName: 'Run a python script for Broker'
+    inputs:
+      targetType: 'inline'
+      script: |
+        cd azure-activedirectory-tokenbroker-for-objc
+        echo "executing build:./build.py"
+        python3 ./build.py
+