authority Path validation (#202)

authority Path validation

Author: SomkaPe

src/main/java/com/microsoft/aad/msal4j/AADAuthority.java

@@ -26,8 +26,7 @@ class AADAuthority extends Authority {
     String deviceCodeEndpoint;
 
     AADAuthority(final URL authorityUrl) {
-        super(authorityUrl);
-        validateAuthorityUrl();
+        super(authorityUrl, AuthorityType.AAD);
         setAuthorityProperties();
         this.authority = String.format(AAD_AUTHORITY_FORMAT, host, tenant);
     }

src/main/java/com/microsoft/aad/msal4j/ADFSAuthority.java

@@ -13,7 +13,7 @@ class ADFSAuthority extends Authority{
     private final static String ADFS_AUTHORITY_FORMAT = "https://%s/%s/";
 
     ADFSAuthority(final URL authorityUrl) {
-        super(authorityUrl);
+        super(authorityUrl, AuthorityType.ADFS);
         this.authority = String.format(ADFS_AUTHORITY_FORMAT, host, tenant);
         this.authorizationEndpoint = authority + AUTHORIZATION_ENDPOINT;
         this.tokenEndpoint = authority + TOKEN_ENDPOINT;

src/main/java/com/microsoft/aad/msal4j/Authority.java

@@ -14,7 +14,7 @@
  * Represents Authentication Authority responsible for issuing access tokens.
  */
 
-@Accessors(fluent=true)
+@Accessors(fluent = true)
 @Getter(AccessLevel.PACKAGE)
 abstract class Authority {
 
@@ -40,9 +40,9 @@ URL tokenEndpointUrl() throws MalformedURLException {
         return new URL(tokenEndpoint);
     }
 
-    Authority(URL canonicalAuthorityUrl){
+    Authority(URL canonicalAuthorityUrl, AuthorityType authorityType) {
         this.canonicalAuthorityUrl = canonicalAuthorityUrl;
-        this.authorityType = detectAuthorityType(canonicalAuthorityUrl);
+        this.authorityType = authorityType;
         setCommonAuthorityProperties();
     }
 
@@ -51,15 +51,19 @@ private void setCommonAuthorityProperties() {
         this.host = canonicalAuthorityUrl.getAuthority().toLowerCase();
     }
 
-    static Authority createAuthority(URL authorityUrl){
-       AuthorityType authorityType = detectAuthorityType(authorityUrl);
-       if(authorityType == AuthorityType.AAD){
-           return new AADAuthority(authorityUrl);
-       } else if(authorityType == AuthorityType.B2C) {
-           return new B2CAuthority(authorityUrl);
-       } else {
-           throw new IllegalArgumentException("Unsupported Authority Type");
-       }
+    static Authority createAuthority(URL authorityUrl) {
+        validateAuthority(authorityUrl);
+
+        AuthorityType authorityType = detectAuthorityType(authorityUrl);
+        if (authorityType == AuthorityType.AAD) {
+            return new AADAuthority(authorityUrl);
+        } else if (authorityType == AuthorityType.B2C) {
+            return new B2CAuthority(authorityUrl);
+        } else if (authorityType == AuthorityType.ADFS) {
+            return new ADFSAuthority(authorityUrl);
+        } else {
+            throw new IllegalArgumentException("Unsupported Authority Type");
+        }
     }
 
     static AuthorityType detectAuthorityType(URL authorityUrl) {
@@ -75,36 +79,56 @@ static AuthorityType detectAuthorityType(URL authorityUrl) {
 
         final String firstPath = path.substring(0, path.indexOf("/"));
 
-
-        if(isB2CAuthority(firstPath)){
+        if (isB2CAuthority(firstPath)) {
             return AuthorityType.B2C;
-        } else if(isAdfsAuthority(firstPath)) {
+        } else if (isAdfsAuthority(firstPath)) {
             return AuthorityType.ADFS;
         } else {
             return AuthorityType.AAD;
         }
     }
 
-    void validateAuthorityUrl() {
-        if (!this.canonicalAuthorityUrl.getProtocol().equalsIgnoreCase("https")) {
+    static void validateAuthority(URL authorityUrl) {
+        if (!authorityUrl.getProtocol().equalsIgnoreCase("https")) {
             throw new IllegalArgumentException(
                     "authority should use the 'https' scheme");
         }
 
-        if (this.canonicalAuthorityUrl.toString().contains("#")) {
+        if (authorityUrl.toString().contains("#")) {
             throw new IllegalArgumentException(
                     "authority is invalid format (contains fragment)");
         }
 
-        if (!StringHelper.isBlank(this.canonicalAuthorityUrl.getQuery())) {
+        if (!StringHelper.isBlank(authorityUrl.getQuery())) {
             throw new IllegalArgumentException(
                     "authority cannot contain query parameters");
         }
+
+        final String path = authorityUrl.getPath();
+
+        if (path.length() == 0) {
+            throw new IllegalArgumentException(
+                    IllegalArgumentExceptionMessages.AUTHORITY_URI_EMPTY_PATH);
+        }
+
+        String[] segments = path.substring(1).split("/");
+
+        if (segments.length == 0) {
+            throw new IllegalArgumentException(
+                    IllegalArgumentExceptionMessages.AUTHORITY_URI_EMPTY_PATH_SEGMENT);
+        }
+
+        for (String segment : segments) {
+            if (StringHelper.isBlank(segment)) {
+                throw new IllegalArgumentException(
+                        IllegalArgumentExceptionMessages.AUTHORITY_URI_EMPTY_PATH_SEGMENT);
+            }
+        }
     }
 
     static String getTenant(URL authorityUrl, AuthorityType authorityType) {
         String[] segments = authorityUrl.getPath().substring(1).split("/");
-        if(authorityType == AuthorityType.B2C){
+        if (authorityType == AuthorityType.B2C) {
             return segments[1];
         }
         return segments[0];
@@ -118,7 +142,7 @@ private static boolean isAdfsAuthority(final String firstPath) {
         return firstPath.compareToIgnoreCase(ADFS_PATH_SEGMENT) == 0;
     }
 
-    private static boolean isB2CAuthority(final String firstPath){
+    private static boolean isB2CAuthority(final String firstPath) {
         return firstPath.compareToIgnoreCase(B2C_PATH_SEGMENT) == 0;
     }
 }

src/main/java/com/microsoft/aad/msal4j/B2CAuthority.java

@@ -21,19 +21,23 @@ class B2CAuthority extends Authority{
     private String policy;
 
     B2CAuthority(final URL authorityUrl){
-        super(authorityUrl);
-        validateAuthorityUrl();
+        super(authorityUrl, AuthorityType.B2C);
         setAuthorityProperties();
     }
 
-    private void setAuthorityProperties() {
-        String[] segments = canonicalAuthorityUrl.getPath().substring(1).split("/");
-
+    private void validatePathSegments(String[] segments){
         if(segments.length < 3){
             throw new IllegalArgumentException(
                     "B2C 'authority' Uri should have at least 3 segments in the path " +
                             "(i.e. https://<host>/tfp/<tenant>/<policy>/...)");
         }
+    }
+
+    private void setAuthorityProperties() {
+        String[] segments = canonicalAuthorityUrl.getPath().substring(1).split("/");
+
+        validatePathSegments(segments);
+
         policy = segments[2];
 
         final String b2cAuthorityFormat = "https://%s/%s/%s/%s/";

src/main/java/com/microsoft/aad/msal4j/ClientApplicationBase.java

@@ -235,7 +235,7 @@ ServiceBundle getServiceBundle() {
         return serviceBundle;
     }
 
-    protected static String canonicalizeUrl(String authority) {
+    protected static String enforceTrailingSlash(String authority) {
         authority = authority.toLowerCase();
 
         if (!authority.endsWith("/")) {
@@ -288,14 +288,17 @@ public Builder(String clientId) {
          * @throws MalformedURLException if val is malformed URL
          */
         public T authority(String val) throws MalformedURLException {
-            authority = canonicalizeUrl(val);
+            authority = enforceTrailingSlash(val);
 
-            switch (Authority.detectAuthorityType(new URL(authority))) {
+            URL authorityURL = new URL(authority);
+            Authority.validateAuthority(authorityURL);
+
+            switch (Authority.detectAuthorityType(authorityURL)) {
                 case AAD:
-                    authenticationAuthority = new AADAuthority(new URL(authority));
+                    authenticationAuthority = new AADAuthority(authorityURL);
                     break;
                 case ADFS:
-                    authenticationAuthority = new ADFSAuthority(new URL(authority));
+                    authenticationAuthority = new ADFSAuthority(authorityURL);
                     break;
                 default:
                     throw new IllegalArgumentException("Unsupported authority type.");
@@ -305,12 +308,15 @@ public T authority(String val) throws MalformedURLException {
         }
 
         public T b2cAuthority(String val) throws MalformedURLException{
-            authority = canonicalizeUrl(val);
+            authority = enforceTrailingSlash(val);
+
+            URL authorityURL = new URL(authority);
+            Authority.validateAuthority(authorityURL);
 
-            if(Authority.detectAuthorityType(new URL(authority)) != AuthorityType.B2C){
+            if(Authority.detectAuthorityType(authorityURL) != AuthorityType.B2C){
                 throw new IllegalArgumentException("Unsupported authority type. Please use B2C authority");
             }
-            authenticationAuthority = new B2CAuthority(new URL(authority));
+            authenticationAuthority = new B2CAuthority(authorityURL);
 
             validateAuthority = false;
             return self();

src/main/java/com/microsoft/aad/msal4j/IllegalArgumentExceptionMessages.java

@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.aad.msal4j;
+
+class IllegalArgumentExceptionMessages {
+
+    final static String AUTHORITY_URI_EMPTY_PATH_SEGMENT = "Authority Uri should not have empty path segments";
+
+    final static String AUTHORITY_URI_EMPTY_PATH = "Authority Uri should have at least one segment in the path";
+
+}

src/test/java/com/microsoft/aad/msal4j/AuthorityTest.java

@@ -8,11 +8,12 @@
 
 import org.powermock.core.classloader.annotations.PrepareForTest;
 import org.testng.Assert;
+import org.testng.annotations.DataProvider;
 import org.testng.annotations.Test;
 
-@Test(groups = { "checkin" })
-@PrepareForTest({ AADAuthority.class, HttpHelper.class,
-        JsonHelper.class, AadInstanceDiscoveryResponse.class })
+@Test(groups = {"checkin"})
+@PrepareForTest({AADAuthority.class, HttpHelper.class,
+        JsonHelper.class, AadInstanceDiscoveryResponse.class})
 public class AuthorityTest extends AbstractMsalTests {
 
     @Test
@@ -33,45 +34,28 @@ public void testDetectAuthorityType_B2C() throws Exception {
         Assert.assertEquals(Authority.detectAuthorityType(url), AuthorityType.B2C);
     }
 
-    @Test(expectedExceptions = IllegalArgumentException.class,
-            expectedExceptionsMessageRegExp =
-                    "authority Uri should have at least one segment in the path \\(i.e. https://<host>/<path>/...\\)")
-    public void testAADAuthorityConstructor_NoPathAuthority() throws MalformedURLException {
-        new AADAuthority(new URL("https://something.com/"));
-    }
-
     @Test(expectedExceptions = IllegalArgumentException.class,
             expectedExceptionsMessageRegExp =
                     "B2C 'authority' Uri should have at least 3 segments in the path \\(i.e. https://<host>/tfp/<tenant>/<policy>/...\\)")
     public void testB2CAuthorityConstructor_NotEnoughSegments() throws MalformedURLException {
         new B2CAuthority(new URL("https://something.com/tfp/somethingelse/"));
     }
 
-    @Test(expectedExceptions = NullPointerException.class, expectedExceptionsMessageRegExp = "canonicalAuthorityUrl")
-    public void testAADAuthorityConstructor_NullAuthority() {
-        new AADAuthority(null);
-    }
-
-    @Test(expectedExceptions = NullPointerException.class, expectedExceptionsMessageRegExp = "canonicalAuthorityUrl")
-    public void testB2CAuthorityConstructor_NullAuthority() {
-        new B2CAuthority(null);
-    }
-
     @Test(expectedExceptions = IllegalArgumentException.class, expectedExceptionsMessageRegExp = "authority should use the 'https' scheme")
     public void testAADAuthorityConstructor_HttpAuthority() throws MalformedURLException {
-        new AADAuthority(new URL("http://I.com/not/h/t/t/p/s/"));
+        Authority.validateAuthority(new URL("http://I.com/not/h/t/t/p/s/"));
     }
 
     @Test(expectedExceptions = IllegalArgumentException.class, expectedExceptionsMessageRegExp = "authority is invalid format \\(contains fragment\\)")
     public void testAADAuthorityConstructor_UrlHasFragment() throws MalformedURLException {
-        new AADAuthority(new URL("https://I.com/something/#haha"));
+        Authority.validateAuthority(new URL("https://I.com/something/#haha"));
     }
 
 
     @Test(expectedExceptions = IllegalArgumentException.class, expectedExceptionsMessageRegExp = "authority cannot contain query parameters")
     public void testAADAuthorityConstructor_AuthorityHasQuery()
             throws MalformedURLException {
-        new AADAuthority(new URL("https://I.com/not/?query=not-allowed"));
+        Authority.validateAuthority(new URL("https://I.com/not/?query=not-allowed"));
     }
 
 
@@ -96,7 +80,7 @@ public void testConstructor_AADAuthority() throws MalformedURLException {
 
     @Test
     public void testConstructor_B2CAuthority() throws MalformedURLException {
-        final B2CAuthority aa = new B2CAuthority (new URL(TestConfiguration.B2C_AUTHORITY));
+        final B2CAuthority aa = new B2CAuthority(new URL(TestConfiguration.B2C_AUTHORITY));
         Assert.assertNotNull(aa);
         Assert.assertEquals(aa.authority(),
                 TestConfiguration.B2C_AUTHORITY + "/");
@@ -128,22 +112,22 @@ public void testConstructor_ADFSAuthority() throws MalformedURLException {
     }
 
     @Test
-    public void testB2CAuthority_SameCanonicalAuthority() throws MalformedURLException{
+    public void testB2CAuthority_SameCanonicalAuthority() throws MalformedURLException {
 
-        PublicClientApplication pca =  PublicClientApplication.builder("client_id").
+        PublicClientApplication pca = PublicClientApplication.builder("client_id").
                 b2cAuthority(TestConfiguration.B2C_AUTHORITY_CUSTOM_PORT).build();
         Assert.assertEquals(pca.authenticationAuthority.authority,
                 TestConfiguration.B2C_AUTHORITY_CUSTOM_PORT_TAIL_SLASH);
 
-        PublicClientApplication pca2 =  PublicClientApplication.builder("client_id").
+        PublicClientApplication pca2 = PublicClientApplication.builder("client_id").
                 b2cAuthority(TestConfiguration.B2C_AUTHORITY_CUSTOM_PORT_TAIL_SLASH).build();
         Assert.assertEquals(pca2.authenticationAuthority.authority,
                 TestConfiguration.B2C_AUTHORITY_CUSTOM_PORT_TAIL_SLASH);
     }
 
     @Test
-    public void testNoAuthorityPassedIn_DefaultsToCommonAuthority(){
-        PublicClientApplication pca =  PublicClientApplication.builder("client_id").build();
+    public void testNoAuthorityPassedIn_DefaultsToCommonAuthority() {
+        PublicClientApplication pca = PublicClientApplication.builder("client_id").build();
 
         Assert.assertEquals(pca.authority(), TestConfiguration.AAD_COMMON_AUTHORITY);
         Assert.assertNotNull(pca.authenticationAuthority);
@@ -153,7 +137,7 @@ public void testNoAuthorityPassedIn_DefaultsToCommonAuthority(){
     public void testDoStaticInstanceDiscovery_ValidateTrue_TrustedAuthority()
             throws MalformedURLException, Exception {
         final AADAuthority aa = new AADAuthority(new URL(TestConfiguration.AAD_TENANT_ENDPOINT));
-       //PS Assert.assertTrue(aa.doStaticInstanceDiscovery(true));
+        //PS Assert.assertTrue(aa.doStaticInstanceDiscovery(true));
     }
 
     @Test
@@ -169,4 +153,25 @@ public void testDoStaticInstanceDiscovery_ValidateFalse_TrustedAuthority()
         final AADAuthority aa = new AADAuthority(new URL(TestConfiguration.AAD_UNKNOWN_TENANT_ENDPOINT));
         //PS Assert.assertTrue(aa.doStaticInstanceDiscovery(false));
     }
+
+
+    @DataProvider(name = "authoritiesWithEmptyPath")
+    public static Object[][] createData() {
+        return new Object[][]{{"https://login.microsoftonline.com/"},
+                {"https://login.microsoftonline.com//"},
+                {"https://login.microsoftonline.com//tenant"},
+                {"https://login.microsoftonline.com////tenant//path1"}};
+    }
+
+    @Test(dataProvider = "authoritiesWithEmptyPath", expectedExceptions = IllegalArgumentException.class,
+            expectedExceptionsMessageRegExp = IllegalArgumentExceptionMessages.AUTHORITY_URI_EMPTY_PATH_SEGMENT)
+    public void testValidateAuthorityEmptyPathSegments(String authority) throws MalformedURLException {
+        Authority.validateAuthority(new URL(authority));
+    }
+
+    @Test(expectedExceptions = IllegalArgumentException.class,
+            expectedExceptionsMessageRegExp = IllegalArgumentExceptionMessages.AUTHORITY_URI_EMPTY_PATH)
+    public void testValidateAuthorityEmptyPath() throws MalformedURLException {
+        Authority.validateAuthority(new URL("https://login.microsoftonline.com"));
+    }
 }