Merge branch 'dev' into avdunn/test-poc

Author: Avery-Dunn

README.md

@@ -16,7 +16,7 @@ Quick links:
 The library supports the following Java environments:
 - Java 8 (or higher)
 
-Current version - 1.20.1
+Current version - 1.21.0
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/main/msal4j-sdk/changelog.txt).
 
@@ -28,13 +28,13 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.20.1</version>
+    <version>1.21.0</version>
 </dependency>
 ```
 ### Gradle
 
 ```gradle
-implementation group: 'com.microsoft.azure', name: 'com.microsoft.aad.msal4j', version: '1.20.1'
+implementation group: 'com.microsoft.azure', name: 'com.microsoft.aad.msal4j', version: '1.21.0'
 ```
 
 ## Usage

changelog.txt

@@ -1,3 +1,11 @@
+Version 1.21.0
+=============
+- Add support for claims, client capabilities, and token revocation in Service Fabric scenarios (#929, #943)
+- Improve retry logic for HTTP requests, and add API to disable retries (#960, #963, #964)
+- Support multiple date formats in Managed identity scenarios (#956)
+- Fix query parameter issue in IMDS scenarios (#954)
+- Update dependencies used in tests to avoid CVE warnings (#962)
+
 Version 1.20.1
 =============
 - Fix Base64URL decoding bug (#938)

msal4j-sdk/README.md

@@ -16,7 +16,7 @@ Quick links:
 The library supports the following Java environments:
 - Java 8 (or higher)
 
-Current version - 1.20.1
+Current version - 1.21.0
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/master/changelog.txt).
 
@@ -28,13 +28,13 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.20.1</version>
+    <version>1.21.0</version>
 </dependency>
 ```
 ### Gradle
 
 ```gradle
-compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.20.1'
+compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.21.0'
 ```
 
 ## Usage

msal4j-sdk/bnd.bnd

@@ -1,2 +1,2 @@
-Export-Package: com.microsoft.aad.msal4j;version="1.20.1"
+Export-Package: com.microsoft.aad.msal4j;version="1.21.0"
 Automatic-Module-Name: com.microsoft.aad.msal4j

msal4j-sdk/pom.xml

@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.20.1</version>
+    <version>1.21.0</version>
     <packaging>jar</packaging>
     <name>msal4j</name>
     <description>

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AadInstanceDiscoveryProvider.java

@@ -235,8 +235,8 @@ static AadInstanceDiscoveryResponse sendInstanceDiscoveryRequest(URL authorityUr
 
         AadInstanceDiscoveryResponse response = JsonHelper.convertJsonStringToJsonSerializableObject(httpResponse.body(), AadInstanceDiscoveryResponse::fromJson);
 
-        if (httpResponse.statusCode() != HttpHelper.HTTP_STATUS_200) {
-            if (httpResponse.statusCode() == HttpHelper.HTTP_STATUS_400 && response.error().equals("invalid_instance")) {
+        if (httpResponse.statusCode() != HttpStatus.HTTP_OK) {
+            if (httpResponse.statusCode() == HttpStatus.HTTP_BAD_REQUEST && response.error().equals("invalid_instance")) {
                 // instance discovery failed due to an invalid authority, throw an exception.
                 throw MsalServiceExceptionFactory.fromHttpResponse(httpResponse);
             }
@@ -310,7 +310,7 @@ static String discoverRegion(MsalRequest msalRequest, ServiceBundle serviceBundl
             log.info("Starting call to IMDS endpoint.");
             IHttpResponse httpResponse = future.get(IMDS_TIMEOUT, IMDS_TIMEOUT_UNIT);
             //If call to IMDS endpoint was successful, return region from response body
-            if (httpResponse.statusCode() == HttpHelper.HTTP_STATUS_200 && !httpResponse.body().isEmpty()) {
+            if (httpResponse.statusCode() == HttpStatus.HTTP_OK && !httpResponse.body().isEmpty()) {
                 log.info(String.format("Region retrieved from IMDS endpoint: %s", httpResponse.body()));
                 currentRequest.regionSource(RegionTelemetry.REGION_SOURCE_IMDS.telemetryValue);
 

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractApplicationBase.java

@@ -32,6 +32,7 @@ public abstract class AbstractApplicationBase implements IApplicationBase {
     private IHttpClient httpClient;
     private Integer connectTimeoutForDefaultHttpClient;
     private Integer readTimeoutForDefaultHttpClient;
+    private boolean retryDisabled;
     String tenant;
 
     //The following fields are set in only some applications and/or set internally by the library. To avoid excessive
@@ -150,6 +151,10 @@ public Integer readTimeoutForDefaultHttpClient() {
         return this.readTimeoutForDefaultHttpClient;
     }
 
+    boolean isRetryDisabled() {
+        return this.retryDisabled;
+    }
+
     String tenant() {
         return this.tenant;
     }
@@ -190,6 +195,7 @@ public abstract static class Builder<T extends Builder<T>> {
         Boolean onlySendFailureTelemetry = false;
         Integer connectTimeoutForDefaultHttpClient;
         Integer readTimeoutForDefaultHttpClient;
+        boolean disableInternalRetries;
         private String clientId;
         private Authority authenticationAuthority = createDefaultAADAuthority();
 
@@ -319,6 +325,18 @@ public T readTimeoutForDefaultHttpClient(Integer val) {
             return self();
         }
 
+        /**
+         * The library has a number of policies for retrying HTTP calls in different scenarios.
+         * <p>
+         * This will disable all internal retry behavior, allowing customized retry behavior via your own implementation of {@link IHttpClient}
+         *
+         * @return instance of the Builder on which method was called
+         */
+        public T disableInternalRetries() {
+            disableInternalRetries = true;
+            return self();
+        }
+
         T telemetryConsumer(Consumer<List<HashMap<String, String>>> val) {
             validateNotNull("telemetryConsumer", val);
 
@@ -356,5 +374,16 @@ private static Authority createDefaultAADAuthority() {
         readTimeoutForDefaultHttpClient = builder.readTimeoutForDefaultHttpClient;
         authenticationAuthority = builder.authenticationAuthority;
         clientId = builder.clientId;
+        retryDisabled = builder.disableInternalRetries;
+
+        if (builder.httpClient == null) {
+            httpClient = new DefaultHttpClient(
+                    builder.proxy,
+                    builder.sslSocketFactory,
+                    builder.connectTimeoutForDefaultHttpClient,
+                    builder.readTimeoutForDefaultHttpClient);
+        } else {
+            httpClient = builder.httpClient;
+        }
     }
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractClientApplicationBase.java

@@ -566,9 +566,7 @@ public T correlationId(String val) {
         super.serviceBundle = new ServiceBundle(
                 builder.executorService,
                 new TelemetryManager(telemetryConsumer, builder.onlySendFailureTelemetry),
-                new HttpHelper(builder.httpClient == null ?
-                        new DefaultHttpClient(builder.proxy, builder.sslSocketFactory, builder.connectTimeoutForDefaultHttpClient, builder.readTimeoutForDefaultHttpClient) :
-                        builder.httpClient)
+                new HttpHelper(this, new DefaultRetryPolicy())
         );
 
         if (aadAadInstanceDiscoveryResponse != null) {

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthorizationResponseHandler.java

@@ -41,7 +41,7 @@ class AuthorizationResponseHandler implements HttpHandler {
     public void handle(HttpExchange httpExchange) throws IOException {
         try {
             if (!httpExchange.getRequestURI().getPath().equalsIgnoreCase("/")) {
-                httpExchange.sendResponseHeaders(200, 0);
+                httpExchange.sendResponseHeaders(HttpStatus.HTTP_OK, 0);
                 return;
             }
             String responseBody = new BufferedReader(new InputStreamReader(
@@ -92,13 +92,13 @@ private void sendErrorResponse(HttpExchange httpExchange, String response) throw
     private void send302Response(HttpExchange httpExchange, String redirectUri) throws IOException {
         Headers responseHeaders = httpExchange.getResponseHeaders();
         responseHeaders.set("Location", redirectUri);
-        httpExchange.sendResponseHeaders(302, 0);
+        httpExchange.sendResponseHeaders(HttpStatus.HTTP_FOUND, 0);
     }
 
     private void send200Response(HttpExchange httpExchange, String response) throws IOException {
         byte[] responseBytes = response.getBytes("UTF-8");
         httpExchange.getResponseHeaders().set("Content-Type", "text/html; charset=UTF-8");
-        httpExchange.sendResponseHeaders(200, responseBytes.length);
+        httpExchange.sendResponseHeaders(HttpStatus.HTTP_OK, responseBytes.length);
         OutputStream os = httpExchange.getResponseBody();
         os.write(responseBytes);
         os.close();

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ClientCertificate.java

@@ -110,7 +110,7 @@ static ClientCertificate create(final PrivateKey key, final X509Certificate publ
     }
 
     private static byte[] getHashSha1(final byte[] inputBytes) throws NoSuchAlgorithmException {
-        final MessageDigest md = MessageDigest.getInstance("SHA-1");
+        final MessageDigest md = MessageDigest.getInstance("SHA-1"); // CodeQL [SM05136] ADFS scenarios require SHA-1 hashing, and we cannot remove our use until ADFS does.
         md.update(inputBytes);
         return md.digest();
     }