From 1abd81858115b8676157e74e7faa47a7f13d9ad0 Mon Sep 17 00:00:00 2001 From: Antonio Alwan Date: Wed, 23 Oct 2024 15:31:31 -0700 Subject: [PATCH 01/32] Add temp test adjust --- .../ui_tests_lib/lab_api/MSIDTestAutomationAccount.h | 4 ++++ .../ui_tests_lib/lab_api/MSIDTestAutomationAccount.m | 10 ++++++++++ 2 files changed, 14 insertions(+) diff --git a/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.h b/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.h index 486891f37..6bb2ea7ad 100644 --- a/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.h +++ b/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.h @@ -48,6 +48,10 @@ NS_ASSUME_NONNULL_BEGIN @property (nonatomic, nullable, readonly) NSString *associatedAppID; +- (void)updateWithObjectId:(NSString *)objectId + upn:(NSString *)upn + homeObjectId:(NSString *)homeObjectId; + @end NS_ASSUME_NONNULL_END diff --git a/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.m b/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.m index 51a5e45ab..2171daaed 100644 --- a/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.m +++ b/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.m @@ -56,6 +56,16 @@ + (NSDictionary *)tenantMappingDictionary return s_tenantMappingDictionary; } +- (void)updateWithObjectId:(NSString *)objectId + upn:(NSString *)upn + homeObjectId:(NSString *)homeObjectId +{ + _objectId = objectId; + _upn = upn; + _homeObjectId = homeObjectId; + _homeAccountId = [NSString stringWithFormat:@"%@.%@", homeObjectId, _homeTenantId]; +} + - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError * __autoreleasing *)error { From 7cc3a47eb10688f79299bfc863883f29566c998e Mon Sep 17 00:00:00 2001 
From: Antonio Alwan Date: Wed, 30 Oct 2024 09:31:22 -0700 Subject: [PATCH 02/32] Test addition 4 --- .../ui_tests_lib/lab_api/MSIDTestAutomationAccount.h | 4 ---- .../ui_tests_lib/lab_api/MSIDTestAutomationAccount.m | 10 ---------- .../MSIDTestAutomationAccountConfigurationRequest.h | 1 + .../MSIDTestAutomationAccountConfigurationRequest.m | 1 + 4 files changed, 2 insertions(+), 14 deletions(-) diff --git a/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.h b/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.h index 6bb2ea7ad..486891f37 100644 --- a/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.h +++ b/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.h @@ -48,10 +48,6 @@ NS_ASSUME_NONNULL_BEGIN @property (nonatomic, nullable, readonly) NSString *associatedAppID; -- (void)updateWithObjectId:(NSString *)objectId - upn:(NSString *)upn - homeObjectId:(NSString *)homeObjectId; - @end NS_ASSUME_NONNULL_END diff --git a/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.m b/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.m index 2171daaed..51a5e45ab 100644 --- a/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.m +++ b/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccount.m @@ -56,16 +56,6 @@ + (NSDictionary *)tenantMappingDictionary return s_tenantMappingDictionary; } -- (void)updateWithObjectId:(NSString *)objectId - upn:(NSString *)upn - homeObjectId:(NSString *)homeObjectId -{ - _objectId = objectId; - _upn = upn; - _homeObjectId = homeObjectId; - _homeAccountId = [NSString stringWithFormat:@"%@.%@", homeObjectId, _homeTenantId]; -} - - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError * __autoreleasing *)error { 
diff --git a/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccountConfigurationRequest.h b/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccountConfigurationRequest.h index d1e691630..ce6c14ba8 100644 --- a/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccountConfigurationRequest.h +++ b/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccountConfigurationRequest.h @@ -48,6 +48,7 @@ extern MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeMA extern MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeMAMCASPO; extern MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeTrueMAMCA; extern MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeMDMCA; +extern MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeTB; typedef NSString *MSIDTestAccountB2CProviderType; extern MSIDTestAccountB2CProviderType MSIDTestAccountB2CProviderTypeNone; diff --git a/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccountConfigurationRequest.m b/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccountConfigurationRequest.m index 4f819e9de..bd2686572 100644 --- a/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccountConfigurationRequest.m +++ b/IdentityCore/tests/automation/ui_tests_lib/lab_api/MSIDTestAutomationAccountConfigurationRequest.m @@ -46,6 +46,7 @@ MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeMAMCASPO = @"mamspo"; MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeTrueMAMCA = @"truemamca"; MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeMDMCA = @"mdmca"; +MSIDTestAccountProtectionPolicyType MSIDTestAccountProtectionPolicyTypeTB = @"tokenbinding"; #pragma mark - MSIDTestAccountB2CProviderType; MSIDTestAccountB2CProviderType MSIDTestAccountB2CProviderTypeNone = @"none"; 
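Review bot: The new constant `MSIDTestAccountProtectionPolicyTypeTB` abbreviates where its value `@"tokenbinding"` and the neighbouring names (`...TrueMAMCA`, `...MDMCA`) spell the policy out; `MSIDTestAccountProtectionPolicyTypeTokenBinding` would read the same as the lab value it maps to. The header hunk earlier in this patch declares the same identifier, so both would move together. Nothing else in this hunk is affected.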
From 757ffd106711a30d2e7132e03f9b1c28ba624d80 Mon Sep 17 00:00:00 2001 From: Antonio Alwan Date: Thu, 31 Oct 2024 16:56:03 -0700 Subject: [PATCH 03/32] automation tests addition 6 --- .../tests/automation/shared/MSIDAutomationTestRequest.h | 1 + .../tests/automation/shared/MSIDAutomationTestRequest.m | 2 ++ 2 files changed, 3 insertions(+) diff --git a/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h b/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h index 58a708754..a0ef6529b 100644 --- a/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h +++ b/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h @@ -85,6 +85,7 @@ typedef NS_ENUM(NSUInteger, MSIDAutomationWPJRegistrationAPIMode) @property (nonatomic) NSString *wpjRegistrationUpn; @property (nonatomic) BOOL operateOnPrimaryWPJ; @property (nonatomic) BOOL useMostSecureStorageForWpj; +@property (nonatomic) BOOL isSecureEnclaveSupportedForWpj; @property (nonatomic) BOOL shouldExpirePRT; @property (nonatomic) BOOL isSsoSeedingCompleted; @property (nonatomic) BOOL shouldOnlyDeleteSeedingPrt; diff --git a/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m b/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m index bc4fb8d22..5617319b1 100644 --- a/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m +++ b/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m 
@@ -102,6 +102,7 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json _wpjRegistrationUpn = json[@"wpj_registration_upn"]; _operateOnPrimaryWPJ = [json[@"wpj_operate_on_primary_reg"] boolValue]; _useMostSecureStorageForWpj = [json[@"use_most_secure_storage"] boolValue]; + _isSecureEnclaveSupportedForWpj = [json[@"wpj_secure_enclave_supported"] boolValue]; _shouldExpirePRT = [json[@"should_expire_prt"] boolValue]; _isSsoSeedingCompleted = [json[@"is_sso_seeding_completed"] boolValue]; _shouldOnlyDeleteSeedingPrt = [json[@"should_only_delete_seeding_prt"] boolValue]; @@ -182,6 +183,7 @@ - (NSDictionary *)jsonDictionary json[@"wpj_registration_upn"] = _wpjRegistrationUpn; json[@"wpj_operate_on_primary_reg"] = @(_operateOnPrimaryWPJ); json[@"use_most_secure_storage"] = @(_useMostSecureStorageForWpj); + json[@"wpj_secure_enclave_supported"] = @(_isSecureEnclaveSupportedForWpj); json[@"should_expire_prt"] = @(_shouldExpirePRT); json[@"is_sso_seeding_completed"] = @(_isSsoSeedingCompleted); json[@"should_only_delete_seeding_prt"] = @(_shouldOnlyDeleteSeedingPrt); From 54f11133571b92cdd61072deb8bb4a813bba1115 Mon Sep 17 00:00:00 2001 From: Sergey Demchenko Date: Thu, 7 Nov 2024 15:51:58 -0800 Subject: [PATCH 04/32] Support web_page_uri. --- .../request/token_request/MSIDBrokerOperationTokenRequest.h | 1 + .../request/token_request/MSIDBrokerOperationTokenRequest.m | 4 ++++ IdentityCore/src/parameters/MSIDRequestParameters.h | 1 + 3 files changed, 6 insertions(+) diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h index adaf19afb..d7c0bd84d 100644 --- a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h +++ b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h 
@@ -43,6 +43,7 @@ NS_ASSUME_NONNULL_BEGIN @property (nonatomic, nullable) MSIDClaimsRequest *claimsRequest; @property (nonatomic) NSDate *requestSentDate; @property (nonatomic) NSString *nonce; +@property (nonatomic) NSString *webPageUri; @property (nonatomic, nullable) NSString *accountHomeTenantId; @property (nonatomic, nullable) NSString *clientSku; @property (nonatomic) BOOL skipValidateResultAccount; diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m index cca25f497..df67d1b18 100644 --- a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m +++ b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m @@ -61,6 +61,7 @@ + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request request.claimsRequest = parameters.claimsRequest; request.requestSentDate = requestSentDate; request.nonce = parameters.nonce; + request.webPageUri = parameters.webPageUri; request.clientSku = parameters.clientSku; request.skipValidateResultAccount = parameters.skipValidateResultAccount; request.forceRefresh = parameters.forceRefresh; @@ -79,6 +80,8 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__au _configuration = [[MSIDConfiguration alloc] initWithJSONDictionary:json error:error]; if (!_configuration) return nil; + _webPageUri = [json msidStringObjectForKey:@"web_page_uri"]; + _providerType = MSIDProviderTypeFromString([json msidStringObjectForKey:MSID_PROVIDER_TYPE_JSON_KEY]); _oidcScope = [json msidStringObjectForKey:MSID_BROKER_EXTRA_OIDC_SCOPES_KEY]; 
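Review bot: `_webPageUri = [json msidStringObjectForKey:@"web_page_uri"]` leaves the ivar nil when the key is absent from the broker request dictionary, but the header hunk declares `webPageUri` inside NS_ASSUME_NONNULL_BEGIN without `nullable`, unlike the adjacent `accountHomeTenantId`; declare it `@property (nonatomic, nullable) NSString *webPageUri;` so callers are told the value may be missing. The literal `@"web_page_uri"` is repeated here and in the `jsonDictionary` hunk while the surrounding keys use `MSID_..._KEY` constants; a shared constant keeps the read and write sides from drifting apart. Since this value is deserialised from a request crossing the app/broker boundary, a doc comment on the property saying where it is validated or consumed would help — that cannot be determined from these hunks.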
@@ -135,6 +138,7 @@ - (NSDictionary *)jsonDictionary } [json addEntriesFromDictionary:configurationJson]; + json[@"web_page_uri"] = self.webPageUri; json[MSID_PROVIDER_TYPE_JSON_KEY] = MSIDProviderTypeToString(self.providerType); json[MSID_BROKER_EXTRA_OIDC_SCOPES_KEY] = self.oidcScope; json[MSID_BROKER_EXTRA_QUERY_PARAM_KEY] = [self.extraQueryParameters msidWWWFormURLEncode]; diff --git a/IdentityCore/src/parameters/MSIDRequestParameters.h b/IdentityCore/src/parameters/MSIDRequestParameters.h index 5eb29a1f6..5e4ef39f4 100644 --- a/IdentityCore/src/parameters/MSIDRequestParameters.h +++ b/IdentityCore/src/parameters/MSIDRequestParameters.h @@ -48,6 +48,7 @@ @property (nonatomic) MSIDAuthority *providedAuthority; @property (nonatomic) MSIDAuthority *cloudAuthority; @property (nonatomic) NSString *redirectUri; +@property (nonatomic) NSString *webPageUri; @property (nonatomic) NSString *clientId; @property (nonatomic) NSString *target; @property (nonatomic) NSString *oidcScope; From fdddf08845407bd80cc51d462d8a735c2aec0d51 Mon Sep 17 00:00:00 2001 From: Ameya Date: Fri, 22 Nov 2024 13:03:40 -0800 Subject: [PATCH 05/32] Make upn hash case insensitive --- .../src/logger/MSIDMaskedUsernameLogParameter.m | 2 +- .../tests/MSIDMaskedUsernameLogParameterTests.m | 11 +++++++++++ changelog.txt | 3 +++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/IdentityCore/src/logger/MSIDMaskedUsernameLogParameter.m b/IdentityCore/src/logger/MSIDMaskedUsernameLogParameter.m index 3bf4f0342..c387b116f 100644 --- a/IdentityCore/src/logger/MSIDMaskedUsernameLogParameter.m +++ b/IdentityCore/src/logger/MSIDMaskedUsernameLogParameter.m 
@@ -49,7 +49,7 @@ - (NSString *)maskedDescription domain = [stringValue substringFromIndex:emailIndex.location + 1]; } - return [NSString stringWithFormat:@"auth.placeholder-%@__%@", [username msidSecretLoggingHash], domain]; + return [NSString stringWithFormat:@"auth.placeholder-%@__%@", [username.lowercaseString msidSecretLoggingHash], domain.lowercaseString]; } return [self.parameterValue msidSecretLoggingHash]; diff --git a/IdentityCore/tests/MSIDMaskedUsernameLogParameterTests.m b/IdentityCore/tests/MSIDMaskedUsernameLogParameterTests.m index 85d8e66c3..039b26c15 100644 --- a/IdentityCore/tests/MSIDMaskedUsernameLogParameterTests.m +++ b/IdentityCore/tests/MSIDMaskedUsernameLogParameterTests.m @@ -88,4 +88,15 @@ - (void)testDescription_whenPIINotEnabled_andEmailParameterWithNoDomain_andSpace XCTAssertEqualObjects(description, @"auth.placeholder-9f86d081__ "); } +- (void)testDescription_whenPIINotEnabled_andEmailParameterWithDomain_shouldReturnSameMaskedValueForDifferentCase +{ + [MSIDLogger sharedLogger].logMaskingLevel = MSIDLogMaskingSettingsMaskAllPII; + MSIDMaskedUsernameLogParameter *logParameter = [[MSIDMaskedUsernameLogParameter alloc] initWithParameterValue:@"username@domain.com"]; + MSIDMaskedUsernameLogParameter *logParameter1 = [[MSIDMaskedUsernameLogParameter alloc] initWithParameterValue:@"UserNamE@domAIN.com"]; + NSString *description = [logParameter description]; + NSString *description1 = [logParameter1 description]; + XCTAssertEqualObjects(description, @"auth.placeholder-16f78a7d__domain.com"); + XCTAssertEqualObjects(description, description1); +} + @end diff --git a/changelog.txt b/changelog.txt index 6e9f447a5..c06ac07f2 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,3 +1,6 @@ +Version TBD +* Make hashed ups in logs case insensitive (#1446) + Version 1.7.43 * Support web_page_uri #1440 * Save error received from ESTS, and return it to the client on silent broker calls (#1438) 
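Review bot: `domain.lowercaseString` changes the clear-text domain suffix of every masked username, not only the hash, so a value such as `User@Contoso.com` now masks to `...__contoso.com`; if anything downstream matches on the domain as previously emitted this is a visible format change, and the changelog entry in this patch only mentions the hash. A one-line comment would preserve the intent for the next edit: `// Lower-case before hashing so case variants of the same UPN produce the same masked value`. `-lowercaseString` is the non-localised mapping, which is the right choice for output that must be stable across locales; the rest of `maskedDescription` is outside the hunk.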
From 5ca20e3174275ccf217046612785ea0267f4b31a Mon Sep 17 00:00:00 2001 From: Juan Arias Roldan <1686668+juan-arias@users.noreply.github.com> Date: Fri, 22 Nov 2024 15:44:04 -0800 Subject: [PATCH 06/32] Use older version of xcpretty --- azure_pipelines/msal_submodule_check.yaml | 8 +++++++- azure_pipelines/pr-validation.yml | 10 ++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/azure_pipelines/msal_submodule_check.yaml b/azure_pipelines/msal_submodule_check.yaml index c1655d688..ff5f6a8bd 100644 --- a/azure_pipelines/msal_submodule_check.yaml +++ b/azure_pipelines/msal_submodule_check.yaml @@ -39,11 +39,17 @@ jobs: - script: | /bin/bash -c "sudo xcode-select -s /Applications/Xcode_15.4.app" displayName: 'Switch to use Xcode 15.4' + - task: CmdLine@2 + displayName: Installing xcpretty + inputs: + script: | + gem install xcpretty -N -v 0.3.0 + failOnStderr: true - task: CmdLine@2 displayName: Installing dependencies inputs: script: | - gem install xcpretty slather bundler -N + gem install slather bundler -N failOnStderr: true # The following is needed to install the visionOS SDK on macos-14 vm image which diff --git a/azure_pipelines/pr-validation.yml b/azure_pipelines/pr-validation.yml index 5b21f0b48..d7dc2fa58 100644 --- a/azure_pipelines/pr-validation.yml +++ b/azure_pipelines/pr-validation.yml @@ -29,10 +29,16 @@ jobs: steps: - task: CmdLine@2 - displayName: Installing dependencies + displayName: Installing xcpretty inputs: script: | - gem install xcpretty slather -N + gem install xcpretty -N -v 0.3.0 + failOnStderr: true + - task: CmdLine@2 + displayName: Installing slather + inputs: + script: | + gem install slather -N failOnStderr: true - checkout: self clean: true From fc1356d0b8cc386367efeb9f71641509451ba844 Mon Sep 17 00:00:00 2001 
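Review bot: `gem install xcpretty -N -v 0.3.0` pins xcpretty, but the neighbouring `gem install slather bundler -N` (and `gem install slather -N` in the pr-validation.yml hunk of this patch) still resolve to whatever version RubyGems serves at build time, so the pipeline remains non-reproducible and silently adopts any newly published release of those gems. Pin them the same way, e.g. `gem install slather -N -v <pinned version>`, or install through bundler from a checked-in Gemfile.lock so every tool version is recorded in the repository. The same applies to both files touched by this patch.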
From: Olga Dalton Date: Tue, 26 Nov 2024 10:34:32 -0800 Subject: [PATCH 07/32] Minor automation tweaks --- .../automation/ui_app_lib/MSIDClearCookiesTestAction.m | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/IdentityCore/tests/automation/ui_app_lib/MSIDClearCookiesTestAction.m b/IdentityCore/tests/automation/ui_app_lib/MSIDClearCookiesTestAction.m index 3b95974bd..dc96cb47b 100644 --- a/IdentityCore/tests/automation/ui_app_lib/MSIDClearCookiesTestAction.m +++ b/IdentityCore/tests/automation/ui_app_lib/MSIDClearCookiesTestAction.m @@ -72,6 +72,14 @@ - (void)performActionWithParameters:(__unused NSDictionary *)parameters modifiedSince:[NSDate dateWithTimeIntervalSince1970:0] completionHandler:^{}]; + NSHTTPCookieStorage *separatedStorage = [NSHTTPCookieStorage sharedCookieStorageForGroupContainerIdentifier:@"group.com.microsoft.azureauthenticator.sso"]; + + for (NSHTTPCookie *cookie in separatedStorage.cookies) + { + [cookieStore deleteCookie:cookie]; + count++; + } + MSIDAutomationTestResult *testResult = [[MSIDAutomationTestResult alloc] initWithAction:self.actionIdentifier success:YES additionalInfo:@{@"cleared_items_count":@(count)}]; From 8f9c19811bf160f2253255e5090af92b945b6bef Mon Sep 17 00:00:00 2001 From: Olga Dalton Date: Tue, 26 Nov 2024 12:37:29 -0800 Subject: [PATCH 08/32] Fix cookie clearing --- .../tests/automation/ui_app_lib/MSIDClearCookiesTestAction.m | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/IdentityCore/tests/automation/ui_app_lib/MSIDClearCookiesTestAction.m b/IdentityCore/tests/automation/ui_app_lib/MSIDClearCookiesTestAction.m index dc96cb47b..a03bf5051 100644 --- a/IdentityCore/tests/automation/ui_app_lib/MSIDClearCookiesTestAction.m +++ b/IdentityCore/tests/automation/ui_app_lib/MSIDClearCookiesTestAction.m 
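Review bot: The group container identifier `@"group.com.microsoft.azureauthenticator.sso"` is inlined in `performActionWithParameters:`; a file-scope `static NSString * const kMSIDSSOGroupContainerIdentifier = @"group.com.microsoft.azureauthenticator.sso";` would make it discoverable and keep it in one place if another test action needs the same storage. `count`, declared outside the hunk, now also covers the group-container cookies, which the `cleared_items_count` key does not convey; a comment such as `// count includes cookies removed from the group-container storage as well` avoids a misleading reading of the result. The enclosing method starts outside the hunk.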
@@ -76,7 +76,7 @@ - (void)performActionWithParameters:(__unused NSDictionary *)parameters for (NSHTTPCookie *cookie in separatedStorage.cookies) { - [cookieStore deleteCookie:cookie]; + [separatedStorage deleteCookie:cookie]; count++; } From b9d2bcebd9e90e4712353d8bcf9be337eb403302 Mon Sep 17 00:00:00 2001 From: Olga Dalton Date: Mon, 2 Dec 2024 16:55:16 -0800 Subject: [PATCH 09/32] MSA Automation support --- .../tests/automation/shared/MSIDAutomationTestRequest.h | 1 + .../tests/automation/shared/MSIDAutomationTestRequest.m | 2 ++ .../tests/automation/shared/MSIDAutomationUserInformation.h | 1 + .../tests/automation/shared/MSIDAutomationUserInformation.m | 2 ++ 4 files changed, 6 insertions(+) diff --git a/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h b/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h index 58a708754..9e51983df 100644 --- a/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h +++ b/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h @@ -79,6 +79,7 @@ typedef NS_ENUM(NSUInteger, MSIDAutomationWPJRegistrationAPIMode) @property (nonatomic) BOOL corruptSessionKey; @property (nonatomic) BOOL useSafariUserAgent; @property (nonatomic) BOOL disableCertBasedAuth; +@property (nonatomic) BOOL isMSAAccount; @property (nonatomic) MSIDAutomationWPJRegistrationAPIMode registrationMode; @property (nonatomic) NSString *wpjRegistrationTenantId; diff --git a/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m b/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m index bc4fb8d22..d3bc30c3d 100644 --- a/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m +++ b/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m 
@@ -53,6 +53,7 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json _brokerEnabled = [json[@"brokerEnabled"] boolValue]; _clientCapabilities = json[@"client_capabilities"]; _refreshToken = json[@"refresh_token"]; + _isMSAAccount = [json[@"isMSAAccount"] boolValue]; #if TARGET_OS_IPHONE NSString *webviewTypeString = json[@"webviewtype"]; @@ -136,6 +137,7 @@ - (NSDictionary *)jsonDictionary json[@"corrupt_session_key"] = @(_corruptSessionKey); json[@"use_safari_ua"] = @(_useSafariUserAgent); json[@"disable_cert_based_auth"] = @(_disableCertBasedAuth); + json[@"isMSAAccount"] = @(_isMSAAccount); NSString *webviewType = nil; diff --git a/IdentityCore/tests/automation/shared/MSIDAutomationUserInformation.h b/IdentityCore/tests/automation/shared/MSIDAutomationUserInformation.h index 15df8acc6..014649e82 100644 --- a/IdentityCore/tests/automation/shared/MSIDAutomationUserInformation.h +++ b/IdentityCore/tests/automation/shared/MSIDAutomationUserInformation.h @@ -39,6 +39,7 @@ NS_ASSUME_NONNULL_BEGIN @property (nonatomic) NSString *homeObjectId; @property (nonatomic) NSString *homeTenantId; @property (nonatomic) NSString *environment; +@property (nonatomic) NSString *oneAuthAccountId; @end diff --git a/IdentityCore/tests/automation/shared/MSIDAutomationUserInformation.m b/IdentityCore/tests/automation/shared/MSIDAutomationUserInformation.m index e65affceb..fa2b4cd0c 100644 --- a/IdentityCore/tests/automation/shared/MSIDAutomationUserInformation.m +++ b/IdentityCore/tests/automation/shared/MSIDAutomationUserInformation.m @@ -39,6 +39,7 @@ - (NSDictionary *)jsonDictionary json[@"home_tenant_id"] = self.homeTenantId; json[@"environment"] = self.environment; json[@"legacyAccountId"] = self.legacyAccountId; + json[@"oneAuthAccountId"] = self.oneAuthAccountId; return json; } 
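Review bot: The JSON key `@"isMSAAccount"`, read in `initWithJSONDictionary:` and written in `jsonDictionary`, breaks the snake_case convention of the neighbouring keys such as `@"disable_cert_based_auth"` and `@"use_safari_ua"`; `@"is_msa_account"` keeps the wire format uniform for whoever generates these request dictionaries. Both hunks in this file use the literal, so change them together. The `oneAuthAccountId` key in the MSIDAutomationUserInformation.m hunks follows its sibling `legacyAccountId`, so that one is consistent as written.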
@@ -59,6 +60,7 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(__unused NSEr _homeTenantId = json[@"home_tenant_id"]; _environment = json[@"environment"]; _legacyAccountId = json[@"legacyAccountId"]; + _oneAuthAccountId = json[@"oneAuthAccountId"]; } return self; From 77b8b96a7c5e632feea0d8d47820b57436ab7cc4 Mon Sep 17 00:00:00 2001 From: Antonio Alwan Date: Fri, 6 Dec 2024 15:55:30 -0800 Subject: [PATCH 10/32] Add more cases --- .../tests/automation/shared/MSIDAutomationTestRequest.h | 8 ++++++++ .../tests/automation/shared/MSIDAutomationTestRequest.m | 2 ++ 2 files changed, 10 insertions(+) diff --git a/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h b/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h index a0ef6529b..4f81a2995 100644 --- a/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h +++ b/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h @@ -33,6 +33,13 @@ typedef NS_ENUM(NSUInteger, MSIDAutomationWPJRegistrationAPIMode) MSIDAutomationWPJRegistrationAPIModeCompanyPortal = 2 //Company Portal }; +typedef NS_ENUM(NSInteger, MSIDAutomationWPJSSOExtensionSecureStorage) +{ + MSIDAutomationWPJSSOExtensionNoValueFound = 0, + MSIDAutomationWPJSSOExtensionValueNo = 1, + MSIDAutomationWPJSSOExtensionValueYes = 2 +}; + @interface MSIDAutomationTestRequest : NSObject @property (nonatomic, strong) NSString *clientId; @@ -86,6 +93,7 @@ typedef NS_ENUM(NSUInteger, MSIDAutomationWPJRegistrationAPIMode) @property (nonatomic) BOOL operateOnPrimaryWPJ; @property (nonatomic) BOOL useMostSecureStorageForWpj; @property (nonatomic) BOOL isSecureEnclaveSupportedForWpj; +@property (nonatomic) MSIDAutomationWPJSSOExtensionSecureStorage ssoExtensionSecureStorageEnabled; @property (nonatomic) BOOL shouldExpirePRT; @property (nonatomic) BOOL isSsoSeedingCompleted; @property (nonatomic) BOOL shouldOnlyDeleteSeedingPrt; 
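Review bot: The new enumerators `MSIDAutomationWPJSSOExtensionNoValueFound`, `...ValueNo` and `...ValueYes` drop the `SecureStorage` part of their type name, whereas the existing `MSIDAutomationWPJRegistrationAPIMode` above prefixes every case with the full type name; `MSIDAutomationWPJSSOExtensionSecureStorageNoValueFound` and friends stay greppable and avoid colliding with any later `MSIDAutomationWPJSSOExtension*` type. A `/*! ... */` line on the typedef saying what "no value found" means relative to the two explicit answers would also help, because the .m hunk in this patch casts `[json[@"wpj_sso_extension_secure_storage_enabled"] integerValue]` straight to the enum and any other integer is accepted silently.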
diff --git a/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m b/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m index 5617319b1..2930c6e14 100644 --- a/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m +++ b/IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m @@ -103,6 +103,7 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json _operateOnPrimaryWPJ = [json[@"wpj_operate_on_primary_reg"] boolValue]; _useMostSecureStorageForWpj = [json[@"use_most_secure_storage"] boolValue]; _isSecureEnclaveSupportedForWpj = [json[@"wpj_secure_enclave_supported"] boolValue]; + _ssoExtensionSecureStorageEnabled = (MSIDAutomationWPJSSOExtensionSecureStorage)[json[@"wpj_sso_extension_secure_storage_enabled"] integerValue]; _shouldExpirePRT = [json[@"should_expire_prt"] boolValue]; _isSsoSeedingCompleted = [json[@"is_sso_seeding_completed"] boolValue]; _shouldOnlyDeleteSeedingPrt = [json[@"should_only_delete_seeding_prt"] boolValue]; @@ -184,6 +185,7 @@ - (NSDictionary *)jsonDictionary json[@"wpj_operate_on_primary_reg"] = @(_operateOnPrimaryWPJ); json[@"use_most_secure_storage"] = @(_useMostSecureStorageForWpj); json[@"wpj_secure_enclave_supported"] = @(_isSecureEnclaveSupportedForWpj); + json[@"wpj_sso_extension_secure_storage_enabled"] = @(_ssoExtensionSecureStorageEnabled); json[@"should_expire_prt"] = @(_shouldExpirePRT); json[@"is_sso_seeding_completed"] = @(_isSsoSeedingCompleted); json[@"should_only_delete_seeding_prt"] = @(_shouldOnlyDeleteSeedingPrt); From e6ba0736a075eb22de65e5b7cb2d6784403764d5 Mon Sep 17 00:00:00 2001 From: Kai Song Date: Wed, 11 Dec 2024 16:34:49 -0800 Subject: [PATCH 11/32] wait inorder --- .../automation/ui_tests_lib/MSIDBaseUITest.m | 41 +++++++++++++------ 1 file changed, 28 insertions(+), 13 deletions(-) diff --git a/IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m b/IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m index dbc7cd237..7a077a9e5 100644 
--- a/IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m +++ b/IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m @@ -314,22 +314,29 @@ - (void)enterPassword:(NSString *)password app:(XCUIApplication *)application is // Enter password XCUIElement *passwordSecureTextField = [application.secureTextFields elementBoundByIndex:0]; // This is explicitly to check the new screen where to ask user to signin with the following 2 options. This caused several automation failures - // 1. Use my password - // 2. Sign in to an orgnization - XCUIElement *useMyPasswordButton = application.buttons[@"Use my password"]; - XCUIElement *currentElement = [self waitForEitherElements:passwordSecureTextField and:useMyPasswordButton]; - if (currentElement.elementType == XCUIElementTypeButton) + + XCTWaiterResult result = [self waitForElementsAndContinue:passwordSecureTextField]; + if (result == XCTWaiterResultCompleted) { - [currentElement tap]; - [self enterPassword:password - app:application - isMainApp:isMainApp]; - return; + [self tapElementAndWaitForKeyboardToAppear:passwordSecureTextField app:application]; + NSString *passwordString = [NSString stringWithFormat:@"%@\n", password]; + [self enterText:passwordSecureTextField isMainApp:isMainApp text:passwordString]; + } + else + { + // 1. Use my password + // 2. Sign in to an orgnization + XCUIElement *useMyPasswordButton = application.buttons[@"Use my password"]; + result = [self waitForElementsAndContinue:useMyPasswordButton]; + if (result == XCTWaiterResultCompleted) + { + [useMyPasswordButton tap]; + [self enterPassword:password + app:application + isMainApp:isMainApp]; + } } - [self tapElementAndWaitForKeyboardToAppear:passwordSecureTextField app:application]; - NSString *passwordString = [NSString stringWithFormat:@"%@\n", password]; - [self enterText:passwordSecureTextField isMainApp:isMainApp text:passwordString]; } - (void)adfsEnterPassword:(XCUIApplication *)application 
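Review bot: When neither `passwordSecureTextField` nor `useMyPasswordButton` appears within the wait, `enterPassword:app:isMainApp:` now returns silently with no password entered, whereas the removed `waitForEitherElements:and:` path always proceeded with one of the two; the failure will then surface later as an unrelated assertion that is harder to diagnose. Add an explicit `else { XCTFail(@"Neither password field nor 'Use my password' button appeared"); }` after the inner `if (result == XCTWaiterResultCompleted)`. The comment `// This is explicitly to check the new screen...` now sits above the password-field wait while the `// 1. Use my password` / `// 2. Sign in to an orgnization` lines it introduces moved into the else branch; move it with them and fix "orgnization". `waitForEitherElements:and:` itself is outside the hunk.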
@@ -487,6 +494,14 @@ - (XCUIElement *)waitForEitherElements:(XCUIElement *)object1 and:(XCUIElement * return object1.exists ? object1 : object2; } +- (XCTWaiterResult)waitForElementsAndContinue:(XCUIElement *)object +{ + NSPredicate *existsPredicate = [NSPredicate predicateWithFormat:@"%@.exists == 1" argumentArray:@[object]]; + + XCTestExpectation *expectation = [[XCTNSPredicateExpectation alloc] initWithPredicate:existsPredicate object:object];//[self expectationForPredicate:existsPredicate evaluatedWithObject:nil handler:nil]; + return [XCTWaiter waitForExpectations:@[expectation] timeout:10.0f enforceOrder:YES]; +} + - (void)tapElementAndWaitForKeyboardToAppear:(XCUIElement *)element { [self tapElementAndWaitForKeyboardToAppear:element app:[XCUIApplication new]]; From 0cff59bb6e1cedcc3fd526805d304d4790f48c0a Mon Sep 17 00:00:00 2001 From: Kai Song Date: Thu, 12 Dec 2024 09:26:32 -0800 Subject: [PATCH 12/32] Increase waiting time --- IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m b/IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m index 7a077a9e5..b940fc1b2 100644 --- a/IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m +++ b/IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m 
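Review bot: `enforceOrder:YES` has no effect with a single expectation and suggests ordering matters; `[XCTWaiter waitForExpectations:@[expectation] timeout:10.0f]` says the same thing. The predicate format `@"%@.exists == 1"` substitutes the element as a constant-value expression and then applies a key path to it, whereas the conventional XCTest form is `[NSPredicate predicateWithFormat:@"exists == 1"]` evaluated against `object`; I have not verified that the `%@.exists` form parses, so it is worth confirming on a run before relying on it. A short doc comment would help callers: `/// Waits up to the timeout for object to exist and returns the XCTWaiterResult so callers can branch instead of failing.`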
@@ -494,12 +494,12 @@ - (XCUIElement *)waitForEitherElements:(XCUIElement *)object1 and:(XCUIElement * return object1.exists ? object1 : object2; } -- (XCTWaiterResult)waitForElementsAndContinue:(XCUIElement *)object +- (XCTWaiterResult)waitForElementsAndContinueIfNotAppear:(XCUIElement *)object { NSPredicate *existsPredicate = [NSPredicate predicateWithFormat:@"%@.exists == 1" argumentArray:@[object]]; - XCTestExpectation *expectation = [[XCTNSPredicateExpectation alloc] initWithPredicate:existsPredicate object:object];//[self expectationForPredicate:existsPredicate evaluatedWithObject:nil handler:nil]; - return [XCTWaiter waitForExpectations:@[expectation] timeout:10.0f enforceOrder:YES]; + XCTestExpectation *expectation = [[XCTNSPredicateExpectation alloc] initWithPredicate:existsPredicate object:object]; + return [XCTWaiter waitForExpectations:@[expectation] timeout:30.0f enforceOrder:YES]; } - (void)tapElementAndWaitForKeyboardToAppear:(XCUIElement *)element From b043a5f47ba20848a60637b9edfd752a9f6558fa Mon Sep 17 00:00:00 2001 From: Kai Song Date: Thu, 12 Dec 2024 11:53:17 -0800 Subject: [PATCH 13/32] Update API --- IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m b/IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m index b940fc1b2..1279298c1 100644 --- a/IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m +++ b/IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m 
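Review bot: The timeout `30.0f` is a float literal in an NSTimeInterval (double) parameter and a bare magic number; `static const NSTimeInterval kElementWaitTimeout = 30.0;` at file scope names the choice and lets `waitForEitherElements:and:` (its body is outside the hunk) share it if it waits for the same reason. The new name `waitForElementsAndContinueIfNotAppear:` describes the caller's intent rather than what the method does; `waitForElementToExist:` returning the XCTWaiterResult would read better at the call sites.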
@@ -315,7 +315,7 @@ - (void)enterPassword:(NSString *)password app:(XCUIApplication *)application is XCUIElement *passwordSecureTextField = [application.secureTextFields elementBoundByIndex:0]; // This is explicitly to check the new screen where to ask user to signin with the following 2 options. This caused several automation failures - XCTWaiterResult result = [self waitForElementsAndContinue:passwordSecureTextField]; + XCTWaiterResult result = [self waitForElementsAndContinueIfNotAppear:passwordSecureTextField]; if (result == XCTWaiterResultCompleted) { [self tapElementAndWaitForKeyboardToAppear:passwordSecureTextField app:application]; @@ -327,7 +327,7 @@ - (void)enterPassword:(NSString *)password app:(XCUIApplication *)application is // 1. Use my password // 2. Sign in to an orgnization XCUIElement *useMyPasswordButton = application.buttons[@"Use my password"]; - result = [self waitForElementsAndContinue:useMyPasswordButton]; + result = [self waitForElementsAndContinueIfNotAppear:useMyPasswordButton]; if (result == XCTWaiterResultCompleted) { [useMyPasswordButton tap]; From 9d5c4259fd2e7e2d02361804eb1e089027a28154 Mon Sep 17 00:00:00 2001 From: Kai Date: Fri, 13 Dec 2024 08:50:53 -0800 Subject: [PATCH 14/32] dummy change to trigger pipeline --- azure_pipelines/msal_submodule_check.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/azure_pipelines/msal_submodule_check.yaml b/azure_pipelines/msal_submodule_check.yaml index ff5f6a8bd..02bc20bb2 100644 --- a/azure_pipelines/msal_submodule_check.yaml +++ b/azure_pipelines/msal_submodule_check.yaml @@ -108,6 +108,7 @@ jobs: targetType: 'inline' script: | rm -rf $(Agent.BuildDirectory)/s/build/status.txt + - task: PublishTestResults@2 condition: always() displayName: Publish Test Report From c7346624215d00a3826ba379eb2179e0c578b3e6 Mon Sep 17 00:00:00 2001 
From: Veena Soman Date: Tue, 17 Dec 2024 16:15:14 -0800 Subject: [PATCH 15/32] Add new error mapping for http error code 403 and 404 --- IdentityCore/src/MSIDError.h | 2 + IdentityCore/src/MSIDError.m | 5 +- .../MSIDAADRequestErrorHandler.m | 8 ++- .../tests/MSIDAADRequestErrorHandlerTests.m | 4 ++ .../ios/MSIDDefaultSilentTokenRequestTests.m | 60 +++++++++++++++++++ 5 files changed, 77 insertions(+), 2 deletions(-) diff --git a/IdentityCore/src/MSIDError.h b/IdentityCore/src/MSIDError.h index b77d8df3f..b72347214 100644 --- a/IdentityCore/src/MSIDError.h +++ b/IdentityCore/src/MSIDError.h @@ -171,6 +171,8 @@ typedef NS_ENUM(NSInteger, MSIDErrorCode) */ MSIDErrorServerUnhandledResponse = -51500, + // http status Code 403 or 404 + MSIDErrorUnExpectedHttpResponse = -51501, /*! ========================================================= diff --git a/IdentityCore/src/MSIDError.m b/IdentityCore/src/MSIDError.m index 5de01abe0..5925c2ab3 100644 --- a/IdentityCore/src/MSIDError.m +++ b/IdentityCore/src/MSIDError.m @@ -224,7 +224,8 @@ MSIDErrorCode MSIDErrorCodeForOAuthErrorWithSubErrorCode(NSString *oauthError, M @(MSIDErrorServerError), ], MSIDHttpErrorCodeDomain : @[ - @(MSIDErrorServerUnhandledResponse) + @(MSIDErrorServerUnhandledResponse), + @(MSIDErrorUnExpectedHttpResponse) ] // TODO: add new codes here @@ -301,6 +302,8 @@ void MSIDFillAndLogError(NSError **error, MSIDErrorCode errorCode, NSString *err // HTTP errors case MSIDErrorServerUnhandledResponse: return @"MSIDErrorServerUnhandledResponse"; + case MSIDErrorUnExpectedHttpResponse: + return @"MSIDErrorUnExpectedHttpResponse"; // Authority validation errors case MSIDErrorAuthorityValidation: return @"MSIDErrorAuthorityValidation"; diff --git a/IdentityCore/src/network/error_handler/MSIDAADRequestErrorHandler.m b/IdentityCore/src/network/error_handler/MSIDAADRequestErrorHandler.m index 4d255e1ce..a19458658 100644 --- a/IdentityCore/src/network/error_handler/MSIDAADRequestErrorHandler.m 
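Review bot: The new enum member in MSIDError.h is documented only by `// http status Code 403 or 404`, whereas the neighbouring members use the `/*! ... */` doc-comment form that Quick Help and Swift import pick up, and the comment does not say how the code reaches a caller. Based on the handler change in this same patch, `/*! The server answered with HTTP 403 or 404. Attached as NSUnderlyingErrorKey of an MSIDErrorServerUnhandledResponse error rather than returned as the top-level code. */` would tell an integrator where to look for it. The two MSIDError.m hunks follow the existing mapping and name-table pattern and need nothing further.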
+++ b/IdentityCore/src/network/error_handler/MSIDAADRequestErrorHandler.m @@ -150,7 +150,13 @@ - (void)handleError:(NSError *)error } } - NSError *httpError = MSIDCreateError(MSIDHttpErrorCodeDomain, MSIDErrorServerUnhandledResponse, errorDescription, nil, nil, nil, context.correlationId, additionalInfo, YES); + NSError *httpUnderlyingError = nil; + if (httpResponse.statusCode == 403 || httpResponse.statusCode == 404) + { + httpUnderlyingError = MSIDCreateError(MSIDHttpErrorCodeDomain, MSIDErrorUnExpectedHttpResponse, errorDescription, nil, nil, nil, context.correlationId, nil, YES); + } + + NSError *httpError = MSIDCreateError(MSIDHttpErrorCodeDomain, MSIDErrorServerUnhandledResponse, errorDescription, nil, nil, httpUnderlyingError, context.correlationId, additionalInfo, YES); if (completionBlock) completionBlock(nil, httpError); } diff --git a/IdentityCore/tests/MSIDAADRequestErrorHandlerTests.m b/IdentityCore/tests/MSIDAADRequestErrorHandlerTests.m index 6847799eb..3b1bd6f9f 100644 --- a/IdentityCore/tests/MSIDAADRequestErrorHandlerTests.m +++ b/IdentityCore/tests/MSIDAADRequestErrorHandlerTests.m @@ -191,6 +191,8 @@ - (void)testHandleError_whenItIsNotServerError_shouldReturnStatusCodeAndHeaders XCTAssertEqualObjects(returnError.domain, MSIDHttpErrorCodeDomain); XCTAssertEqual(returnError.code, MSIDErrorServerUnhandledResponse); + NSError *underlyingError = returnError.userInfo[NSUnderlyingErrorKey]; + XCTAssertEqual(underlyingError.code, MSIDErrorUnExpectedHttpResponse); XCTAssertEqualObjects(returnError.userInfo[MSIDHTTPHeadersKey], @{@"headerKey":@"headerValue"}); XCTAssertNil(errorResponse); 
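Review bot: The `httpResponse.statusCode == 403 || httpResponse.statusCode == 404` branch in `handleError:` gives no reason why exactly these two statuses get a distinguishable nested error while every other unhandled status does not, and the numbers are bare literals. A comment at the `if`, e.g. `// 403/404 are nested as MSIDErrorUnExpectedHttpResponse so callers can tell them apart from other unhandled statuses without parsing MSIDHTTPResponseCodeKey`, records the intent; if the list is expected to grow, a small static set of status codes is easier to extend than a chained comparison. The nested error reuses the same domain and `errorDescription` as the outer one, so a caller logging both sees the message twice; that looks deliberate but is worth stating. `handleError:` starts outside the hunk.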
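Review bot: Both new assertions in MSIDAADRequestErrorHandlerTests.m (this hunk and the `@@ -275,6 +277,8 @@` one) read `underlyingError.code` without first asserting the nested error exists; messaging nil yields 0 so the test would still fail, but with an unhelpful `0 != -51501` message, and neither test checks the nested error's domain. Prefer `XCTAssertNotNil(underlyingError);` and `XCTAssertEqualObjects(underlyingError.domain, MSIDHttpErrorCodeDomain);` next to the code check in both places.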
@@ -275,6 +277,8 @@ - (void)testHandleError_whenItIsServerError_shouldReturnResponseCodeInError XCTAssertEqualObjects(returnError.domain, MSIDHttpErrorCodeDomain); XCTAssertEqual(returnError.code, MSIDErrorServerUnhandledResponse); + NSError *underlyingError = returnError.userInfo[NSUnderlyingErrorKey]; + XCTAssertEqual(underlyingError.code, MSIDErrorUnExpectedHttpResponse); XCTAssertEqualObjects(returnError.userInfo[MSIDHTTPResponseCodeKey], @"404"); } diff --git a/IdentityCore/tests/integration/ios/MSIDDefaultSilentTokenRequestTests.m b/IdentityCore/tests/integration/ios/MSIDDefaultSilentTokenRequestTests.m index 1562ee18a..e1b5047be 100644 --- a/IdentityCore/tests/integration/ios/MSIDDefaultSilentTokenRequestTests.m +++ b/IdentityCore/tests/integration/ios/MSIDDefaultSilentTokenRequestTests.m 
@@ -1336,6 +1336,66 @@ - (void)testAcquireTokenSilent_when429ThrottledErrorReturned_shouldReturnAllHead [self waitForExpectationsWithTimeout:1.0 handler:nil]; } + +- (void)testAcquireTokenSilent_when403HttpCodeReturned_shouldReturnMSIDErrorUnexpectedHttpResponseInUnderlyingError +{ + MSIDRequestParameters *silentParameters = [self silentRequestParameters]; + MSIDDefaultTokenCacheAccessor *tokenCache = self.tokenCache; + + [self saveExpiredTokensInCache:tokenCache configuration:silentParameters.msidConfiguration]; + silentParameters.accountIdentifier = [[MSIDAccountIdentifier alloc] initWithDisplayableId:DEFAULT_TEST_ID_TOKEN_USERNAME homeAccountId:DEFAULT_TEST_HOME_ACCOUNT_ID]; + + NSString *authority = DEFAULT_TEST_AUTHORITY_GUID; + MSIDTestURLResponse *discoveryResponse = [MSIDTestURLResponse discoveryResponseForAuthority:authority]; + [MSIDTestURLSession addResponse:discoveryResponse]; + + MSIDTestURLResponse *oidcResponse = [MSIDTestURLResponse oidcResponseForAuthority:authority]; + [MSIDTestURLSession addResponse:oidcResponse]; + + NSMutableDictionary *reqHeaders = [[MSIDTestURLResponse msidDefaultRequestHeaders] mutableCopy]; + [reqHeaders setObject:@"application/x-www-form-urlencoded" forKey:@"Content-Type"]; + + MSIDTestURLResponse *errorTokenResponse = + [MSIDTestURLResponse requestURLString:DEFAULT_TEST_TOKEN_ENDPOINT_GUID + requestHeaders:reqHeaders + requestParamsBody:@{ @"client_id" : @"my_client_id", + @"scope" : @"user.read tasks.read openid profile offline_access", + @"grant_type" : @"refresh_token", + @"refresh_token" : DEFAULT_TEST_REFRESH_TOKEN, + MSID_OAUTH2_REDIRECT_URI : [[self silentRequestParameters] redirectUri], + @"client_info" : @"1"} + responseURLString:DEFAULT_TEST_TOKEN_ENDPOINT_GUID + responseCode:403 + httpHeaderFields:@{@"Retry-After": @"256", + @"Other-Header-Field": @"Other header field" + } + dictionaryAsJSON:nil]; + + [errorTokenResponse->_requestHeaders removeObjectForKey:@"Content-Length"]; + + [MSIDTestURLSession 
addResponse:errorTokenResponse]; + + MSIDDefaultSilentTokenRequest *silentRequest = [[MSIDDefaultSilentTokenRequest alloc] initWithRequestParameters:silentParameters + forceRefresh:NO + oauthFactory:[MSIDAADV2Oauth2Factory new] + tokenResponseValidator:[MSIDDefaultTokenResponseValidator new] + tokenCache:tokenCache + accountMetadataCache:self.accountMetadataCache]; + + XCTestExpectation *expectation = [self expectationWithDescription:@"silent request"]; + + [silentRequest executeRequestWithCompletion:^(MSIDTokenResult * _Nullable result, NSError * _Nullable error) { + + XCTAssertNotNil(error); + XCTAssertNil(result); + XCTAssertEqual(error.code, MSIDErrorServerUnhandledResponse); + XCTAssertEqualObjects(error.domain, MSIDHttpErrorCodeDomain); + XCTAssertEqualObjects(error.userInfo[MSIDHTTPResponseCodeKey], @"403"); + [expectation fulfill]; + }]; + + [self waitForExpectationsWithTimeout:1.0 handler:nil]; +} - (void)testAcquireTokenSilent_whenTokenEndpointInDifferentCloud_shouldReturnInteractionRequired { // Prepare RT in cache From ef4d6800c4df8569b4240afde5a15e843ed1683c Mon Sep 17 00:00:00 2001 From: Veena Soman Date: Tue, 17 Dec 2024 18:54:08 -0800 Subject: [PATCH 16/32] update the error name --- IdentityCore/src/MSIDError.h | 2 +- IdentityCore/src/MSIDError.m | 6 +++--- .../src/network/error_handler/MSIDAADRequestErrorHandler.m | 2 +- IdentityCore/tests/MSIDAADRequestErrorHandlerTests.m | 4 ++-- .../integration/ios/MSIDDefaultSilentTokenRequestTests.m | 2 ++ 5 files changed, 9 insertions(+), 7 deletions(-) diff --git a/IdentityCore/src/MSIDError.h b/IdentityCore/src/MSIDError.h index b72347214..03ba38958 100644 --- a/IdentityCore/src/MSIDError.h +++ b/IdentityCore/src/MSIDError.h @@ -172,7 +172,7 @@ typedef NS_ENUM(NSInteger, MSIDErrorCode) MSIDErrorServerUnhandledResponse = -51500, // http status Code 403 or 404 - MSIDErrorUnExpectedHttpResponse = -51501, + MSIDErrorUnexpectedHttpResponse = -51501, /*! ========================================================= 
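Review bot: `testAcquireTokenSilent_when403HttpCodeReturned_...` exercises only 403 although the handler change in this patch treats 403 and 404 identically; a second case for 404, or a shared helper taking the status code, would keep the two statuses from drifting apart. The fixture also sends `Retry-After: 256` and `Other-Header-Field`, which appear copied from the 429 test above and are never asserted on here, so for a 403 response they read as noise; drop them or assert on `MSIDHTTPHeadersKey` if they are meant to matter. `[errorTokenResponse->_requestHeaders removeObjectForKey:@"Content-Length"];` reaches into an ivar, which presumably mirrors the surrounding tests, but a small accessor on the test-response class would make this pattern less brittle.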
diff --git a/IdentityCore/src/MSIDError.m b/IdentityCore/src/MSIDError.m index 5925c2ab3..720824a30 100644 --- a/IdentityCore/src/MSIDError.m +++ b/IdentityCore/src/MSIDError.m @@ -225,7 +225,7 @@ MSIDErrorCode MSIDErrorCodeForOAuthErrorWithSubErrorCode(NSString *oauthError, M ], MSIDHttpErrorCodeDomain : @[ @(MSIDErrorServerUnhandledResponse), - @(MSIDErrorUnExpectedHttpResponse) + @(MSIDErrorUnexpectedHttpResponse) ] // TODO: add new codes here @@ -302,8 +302,8 @@ void MSIDFillAndLogError(NSError **error, MSIDErrorCode errorCode, NSString *err // HTTP errors case MSIDErrorServerUnhandledResponse: return @"MSIDErrorServerUnhandledResponse"; - case MSIDErrorUnExpectedHttpResponse: - return @"MSIDErrorUnExpectedHttpResponse"; + case MSIDErrorUnexpectedHttpResponse: + return @"MSIDErrorUnexpectedHttpResponse"; // Authority validation errors case MSIDErrorAuthorityValidation: return @"MSIDErrorAuthorityValidation"; diff --git a/IdentityCore/src/network/error_handler/MSIDAADRequestErrorHandler.m b/IdentityCore/src/network/error_handler/MSIDAADRequestErrorHandler.m index a19458658..8afe7ce90 100644 --- a/IdentityCore/src/network/error_handler/MSIDAADRequestErrorHandler.m +++ b/IdentityCore/src/network/error_handler/MSIDAADRequestErrorHandler.m @@ -153,7 +153,7 @@ - (void)handleError:(NSError *)error NSError *httpUnderlyingError = nil; if (httpResponse.statusCode == 403 || httpResponse.statusCode == 404) { - httpUnderlyingError = MSIDCreateError(MSIDHttpErrorCodeDomain, MSIDErrorUnExpectedHttpResponse, errorDescription, nil, nil, nil, context.correlationId, nil, YES); + httpUnderlyingError = MSIDCreateError(MSIDHttpErrorCodeDomain, MSIDErrorUnexpectedHttpResponse, errorDescription, nil, nil, nil, context.correlationId, nil, YES); } NSError *httpError = MSIDCreateError(MSIDHttpErrorCodeDomain, MSIDErrorServerUnhandledResponse, errorDescription, nil, nil, httpUnderlyingError, context.correlationId, additionalInfo, YES); 
diff --git a/IdentityCore/tests/MSIDAADRequestErrorHandlerTests.m b/IdentityCore/tests/MSIDAADRequestErrorHandlerTests.m index 3b1bd6f9f..2d60e87de 100644 --- a/IdentityCore/tests/MSIDAADRequestErrorHandlerTests.m +++ b/IdentityCore/tests/MSIDAADRequestErrorHandlerTests.m @@ -192,7 +192,7 @@ - (void)testHandleError_whenItIsNotServerError_shouldReturnStatusCodeAndHeaders XCTAssertEqualObjects(returnError.domain, MSIDHttpErrorCodeDomain); XCTAssertEqual(returnError.code, MSIDErrorServerUnhandledResponse); NSError *underlyingError = returnError.userInfo[NSUnderlyingErrorKey]; - XCTAssertEqual(underlyingError.code, MSIDErrorUnExpectedHttpResponse); + XCTAssertEqual(underlyingError.code, MSIDErrorUnexpectedHttpResponse); XCTAssertEqualObjects(returnError.userInfo[MSIDHTTPHeadersKey], @{@"headerKey":@"headerValue"}); XCTAssertNil(errorResponse); @@ -278,7 +278,7 @@ - (void)testHandleError_whenItIsServerError_shouldReturnResponseCodeInError XCTAssertEqualObjects(returnError.domain, MSIDHttpErrorCodeDomain); XCTAssertEqual(returnError.code, MSIDErrorServerUnhandledResponse); NSError *underlyingError = returnError.userInfo[NSUnderlyingErrorKey]; - XCTAssertEqual(underlyingError.code, MSIDErrorUnExpectedHttpResponse); + XCTAssertEqual(underlyingError.code, MSIDErrorUnexpectedHttpResponse); XCTAssertEqualObjects(returnError.userInfo[MSIDHTTPResponseCodeKey], @"404"); } diff --git a/IdentityCore/tests/integration/ios/MSIDDefaultSilentTokenRequestTests.m b/IdentityCore/tests/integration/ios/MSIDDefaultSilentTokenRequestTests.m index e1b5047be..d0be9c0a7 100644 --- a/IdentityCore/tests/integration/ios/MSIDDefaultSilentTokenRequestTests.m +++ b/IdentityCore/tests/integration/ios/MSIDDefaultSilentTokenRequestTests.m 
@@ -1389,6 +1389,8 @@ - (void)testAcquireTokenSilent_when403HttpCodeReturned_shouldReturnMSIDErrorUnex XCTAssertNotNil(error); XCTAssertNil(result); XCTAssertEqual(error.code, MSIDErrorServerUnhandledResponse); + NSError *underlyingError = error.userInfo[NSUnderlyingErrorKey]; + XCTAssertEqual(underlyingError.code, MSIDErrorUnexpectedHttpResponse); XCTAssertEqualObjects(error.domain, MSIDHttpErrorCodeDomain); XCTAssertEqualObjects(error.userInfo[MSIDHTTPResponseCodeKey], @"403"); [expectation fulfill]; From f75169dca25bef4904de309aef9ed73c4a03d1cf Mon Sep 17 00:00:00 2001 From: Sergei Demchenko Date: Thu, 19 Dec 2024 17:31:14 -0800 Subject: [PATCH 17/32] Merge Hotfix/1.7.44 (#1456) (#1459) * Add support of "lookup" mode in broker (#1450) * Add support of "lookup" mode in broker. * Fix tests. * modified: changelog.txt * Support web_page_uri. * modified: changelog.txt * Update changelog. * modified: changelog.txt --- .../token_request/MSIDBrokerOperationTokenRequest.h | 3 +++ .../token_request/MSIDBrokerOperationTokenRequest.m | 3 +++ .../MSIDBrowserNativeMessageGetTokenResponse.m | 4 ++-- IdentityCore/src/oauth2/MSIDOauth2Factory.m | 2 +- IdentityCore/src/oauth2/MSIDTokenResponse.h | 2 ++ IdentityCore/src/oauth2/MSIDTokenResponse.m | 5 +++++ IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h | 1 + IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m | 5 +++++ IdentityCore/src/parameters/MSIDRequestParameters.h | 3 +++ IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h | 1 + IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m | 3 +++ .../requests/sdk/adal/MSIDLegacyTokenResponseValidator.m | 1 + .../requests/sdk/msal/MSIDDefaultTokenResponseValidator.m | 3 +++ .../tests/MSIDDefaultTokenResponseValidatorTests.m | 4 ++++ IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m | 1 + changelog.txt | 7 +++++++ 16 files changed, 45 insertions(+), 3 deletions(-) 
diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h index d7c0bd84d..d4dc1198c 100644 --- a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h +++ b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h @@ -36,6 +36,7 @@ NS_ASSUME_NONNULL_BEGIN @property (nonatomic) MSIDProviderType providerType; @property (nonatomic, nullable) NSString *oidcScope; @property (nonatomic, nullable) NSDictionary *extraQueryParameters; +@property (nonatomic) BOOL allowAnyExtraURLQueryParameters; @property (nonatomic) BOOL instanceAware; @property (nonatomic, nullable) NSDictionary *enrollmentIds; @property (nonatomic, nullable) NSDictionary *mamResources; @@ -48,6 +49,8 @@ NS_ASSUME_NONNULL_BEGIN @property (nonatomic, nullable) NSString *clientSku; @property (nonatomic) BOOL skipValidateResultAccount; @property (nonatomic) BOOL forceRefresh; +@property (nonatomic) BOOL ignoreScopeValidation; + + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request withParameters:(MSIDRequestParameters *)parameters diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m index df67d1b18..ea0f98fe0 100644 --- a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m +++ b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m 
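Review bot: The two new properties `allowAnyExtraURLQueryParameters` and `ignoreScopeValidation` land in the broker request header with no doc comment, unlike the `MSIDRequestParameters.h` side of this patch, which at least explains the first one. Both relax an existing check (extra-query-parameter filtering, granted-scope validation), so one line each stating what is skipped and that the default `NO` keeps current behaviour would help whoever reviews a broker change judge who may set them, e.g. `/// When YES, the token response validator does not require granted scopes to cover the requested ones.`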
@@ -66,6 +66,8 @@ + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request request.skipValidateResultAccount = parameters.skipValidateResultAccount; request.forceRefresh = parameters.forceRefresh; request.platformSequence = parameters.platformSequence; + request.allowAnyExtraURLQueryParameters = parameters.allowAnyExtraURLQueryParameters; + request.ignoreScopeValidation = parameters.ignoreScopeValidation; return YES; } @@ -153,6 +155,7 @@ - (NSDictionary *)jsonDictionary json[MSID_CLIENT_SKU_KEY] = self.clientSku; json[MSID_SKIP_VALIDATE_RESULT_ACCOUNT_KEY] = [@(self.skipValidateResultAccount) stringValue]; json[MSID_FORCE_REFRESH_KEY] = [@(self.forceRefresh) stringValue]; + return json; } diff --git a/IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m b/IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m index 6d6020154..11c230562 100644 --- a/IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m +++ b/IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m @@ -71,7 +71,7 @@ - (NSDictionary *)jsonDictionary } __auto_type accountJson = [NSMutableDictionary new]; - accountJson[@"userName"] = tokenResponse.idTokenObj.username; + accountJson[@"userName"] = tokenResponse.accountUpn; accountJson[@"id"] = tokenResponse.accountIdentifier; response[@"account"] = accountJson; @@ -79,7 +79,7 @@ - (NSDictionary *)jsonDictionary __auto_type propertiesJson = [NSMutableDictionary new]; // TODO: once ests follow the latest protocol, this should be removed. Account ID should be read from accountJson. - propertiesJson[@"UPN"] = tokenResponse.idTokenObj.username; + propertiesJson[@"UPN"] = accountJson[@"userName"]; response[@"properties"] = propertiesJson; return response; 
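Review bot: `fillRequest:withParameters:` now copies `allowAnyExtraURLQueryParameters` and `ignoreScopeValidation` onto the request, but the `jsonDictionary` hunk right below adds only a blank line, so as far as this patch shows neither flag is written into the serialized request. If they are meant to stay in-process (the `MSIDRequestParameters.h` comment says the first is "currently used only in broker"), a comment at the two assignments saying so would stop someone adding JSON keys later by reflex; if they are meant to travel with the rest of the request, the serialization is missing. The blank-line-only change in `jsonDictionary` is whitespace noise and could be dropped from the patch.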
diff --git a/IdentityCore/src/oauth2/MSIDOauth2Factory.m b/IdentityCore/src/oauth2/MSIDOauth2Factory.m index c630f6036..5a87870e0 100644 --- a/IdentityCore/src/oauth2/MSIDOauth2Factory.m +++ b/IdentityCore/src/oauth2/MSIDOauth2Factory.m @@ -375,7 +375,7 @@ - (BOOL)fillAccount:(MSIDAccount *)account fromResponse:(MSIDTokenResponse *)response configuration:(MSIDConfiguration *)configuration { - NSString *homeAccountId = response.idTokenObj.userId; + NSString *homeAccountId = response.idTokenObj.userId ?: [response accountIdentifier]; if (!homeAccountId) { diff --git a/IdentityCore/src/oauth2/MSIDTokenResponse.h b/IdentityCore/src/oauth2/MSIDTokenResponse.h index f229c49e6..a45f0ae9a 100644 --- a/IdentityCore/src/oauth2/MSIDTokenResponse.h +++ b/IdentityCore/src/oauth2/MSIDTokenResponse.h @@ -91,6 +91,8 @@ @property (nonatomic, readonly, nullable) NSString *accountIdentifier; +@property (nonatomic, readonly, nullable) NSString *accountUpn; + - (nullable instancetype)initWithJSONDictionary:(nonnull NSDictionary *)json refreshToken:(nullable MSIDBaseToken *)token error:(NSError * _Nullable __autoreleasing *_Nullable)error; diff --git a/IdentityCore/src/oauth2/MSIDTokenResponse.m b/IdentityCore/src/oauth2/MSIDTokenResponse.m index 3c17270e7..52c4fe814 100644 --- a/IdentityCore/src/oauth2/MSIDTokenResponse.m +++ b/IdentityCore/src/oauth2/MSIDTokenResponse.m @@ -131,6 +131,11 @@ - (NSString *)accountIdentifier return self.idTokenObj.uniqueId; } +- (NSString *)accountUpn +{ + return self.idTokenObj.username; +} + #pragma mark - Protected - (MSIDIdTokenClaims *)tokenClaimsFromRawIdToken:(NSString *)rawIdToken error:(NSError *__autoreleasing*)error diff --git a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h index 1e9463aa9..31ee60eb0 100644 --- a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h +++ b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h 
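Review bot: `NSString *homeAccountId = response.idTokenObj.userId ?: [response accountIdentifier];` in `fillAccount:fromResponse:configuration:` changes which claim identifies the account whenever the id token carries no user id, and nothing records that the two values are expected to have the same shape. Since this value becomes the account's home identifier, a comment stating which responses lack `idTokenObj.userId` (presumably the broker "lookup" mode this patch adds) and why `accountIdentifier` is an acceptable substitute would let the next reader verify the fallback is safe, e.g. `// Lookup-mode responses carry no id token; fall back to the client_info-derived identifier, which has the same uid.utid form — TODO confirm for non-AAD responses`. The enclosing method continues outside the hunk.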
@@ -37,6 +37,7 @@ @property (nonatomic, nullable) MSIDClientInfo *clientInfo; @property (nonatomic, nullable) NSString *familyId; @property (nonatomic, nullable) NSString *suberror; +/// UPN of the user. @property (nonatomic, nullable) NSString *additionalUserId; // Custom properties that ADAL/MSAL handles diff --git a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m index 0f6af0008..69670aedc 100644 --- a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m +++ b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m @@ -79,6 +79,11 @@ - (NSString *)accountIdentifier return self.clientInfo.accountIdentifier; } +- (NSString *)accountUpn +{ + return [super accountUpn] ?: self.additionalUserId; +} + #pragma mark - MSIDJsonSerializable - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__autoreleasing*)error diff --git a/IdentityCore/src/parameters/MSIDRequestParameters.h b/IdentityCore/src/parameters/MSIDRequestParameters.h index 5e4ef39f4..93425a3a5 100644 --- a/IdentityCore/src/parameters/MSIDRequestParameters.h +++ b/IdentityCore/src/parameters/MSIDRequestParameters.h @@ -54,6 +54,7 @@ @property (nonatomic) NSString *oidcScope; @property (nonatomic) MSIDAccountIdentifier *accountIdentifier; @property (nonatomic) BOOL validateAuthority; +@property (nonatomic) BOOL ignoreScopeValidation; @property (nonatomic) NSString *nonce; @property (nonatomic) NSString *clientSku; @property (nonatomic) BOOL skipValidateResultAccount; 
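Review bot: `ignoreScopeValidation` is added to MSIDRequestParameters.h without any comment, while the sibling `allowAnyExtraURLQueryParameters` hunk in the same file explains its use. Because this flag makes `MSIDDefaultTokenResponseValidator` accept a token whose granted scopes do not cover the requested ones, the header should say who is expected to set it and what the default does, e.g. `// When YES, the token response validator skips the granted-vs-requested scope check. Defaults to NO.`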
@@ -67,6 +68,8 @@ @property (nonatomic) NSDictionary *extraTokenRequestParameters; // Additional URL query parameters that will be added to both token and authorize requests @property (nonatomic) NSDictionary *extraURLQueryParameters; +// Currently used only in broker to enable/disable EQP filtering. +@property (nonatomic) BOOL allowAnyExtraURLQueryParameters; @property (nonatomic) NSUInteger tokenExpirationBuffer; @property (nonatomic) BOOL extendedLifetimeEnabled; @property (nonatomic) BOOL instanceAware; diff --git a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h index 4c7c53c76..10f495607 100644 --- a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h +++ b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h @@ -68,6 +68,7 @@ - (BOOL)validateTokenResult:(nonnull MSIDTokenResult *)tokenResult configuration:(nonnull MSIDConfiguration *)configuration oidcScope:(nullable NSString *)oidcScope + validateScopes:(BOOL)validateScopes correlationID:(nonnull NSUUID *)correlationID error:(NSError * _Nullable __autoreleasing * _Nullable)error; diff --git a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m index 1c260e395..622aa6de8 100644 --- a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m +++ b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m @@ -124,6 +124,7 @@ - (MSIDTokenResult *)createTokenResultFromResponse:(MSIDTokenResponse *)tokenRes - (BOOL)validateTokenResult:(__unused MSIDTokenResult *)tokenResult configuration:(__unused MSIDConfiguration *)configuration oidcScope:(__unused NSString *)oidcScope + validateScopes:(__unused BOOL)validateScopes correlationID:(__unused NSUUID *)correlationID error:(__unused NSError *__autoreleasing*)error { 
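Review bot: The comment on `allowAnyExtraURLQueryParameters` says it is used "to enable/disable EQP filtering" but not which value does which, and "EQP" is not spelled out. From the property name, `YES` means extra URL query parameters are passed through to the authorize/token requests without the existing filter, and that is the security-relevant fact to state, e.g. `// Broker only. When YES, extra URL query parameters are forwarded unfiltered; NO (default) keeps the existing filtering.` The `validateScopes:` parameter added to `validateTokenResult:...` in MSIDTokenResponseValidator.h would likewise benefit from a one-line note that `NO` bypasses the scope check in the default validator.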
@@ -224,6 +225,7 @@ - (MSIDTokenResult *)validateAndSaveBrokerResponse:(MSIDBrokerResponse *)brokerR BOOL resultValid = [self validateTokenResult:tokenResult configuration:configuration oidcScope:oidcScope + validateScopes:YES correlationID:correlationID error:error]; @@ -289,6 +291,7 @@ - (MSIDTokenResult *)validateAndSaveTokenResponse:(MSIDTokenResponse *)tokenResp BOOL resultValid = [self validateTokenResult:tokenResult configuration:parameters.msidConfiguration oidcScope:parameters.oidcScope + validateScopes:!parameters.ignoreScopeValidation correlationID:parameters.correlationId error:error]; diff --git a/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m b/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m index 9940c4f82..9c9b21088 100644 --- a/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m +++ b/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m @@ -37,6 +37,7 @@ @implementation MSIDLegacyTokenResponseValidator - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult configuration:(__unused MSIDConfiguration *)configuration oidcScope:(__unused NSString *)oidcScope + validateScopes:(__unused BOOL)validateScopes correlationID:(NSUUID *)correlationID error:(NSError *__autoreleasing*)error { diff --git a/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m b/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m index 41ebca0cc..96a795b12 100644 --- a/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m +++ b/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m @@ -35,6 +35,7 @@ @implementation MSIDDefaultTokenResponseValidator - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult configuration:(MSIDConfiguration *)configuration oidcScope:(NSString *)oidcScope + validateScopes:(BOOL)validateScopes correlationID:(NSUUID *)correlationID error:(NSError *__autoreleasing*)error { 
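Review bot: `validateAndSaveBrokerResponse:` passes `validateScopes:YES` while `validateAndSaveTokenResponse:` passes `!parameters.ignoreScopeValidation`, so the new flag has no effect on the brokered path. If that is intended (the broker process applies the flag on its own side before replying), a comment at the `YES` saying so would keep the asymmetry from looking like an omission; if not, the broker path should honour the same request parameters. Both enclosing methods start outside their hunks.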
@@ -47,6 +48,8 @@ - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult { return YES; } + + if (!validateScopes) return YES; NSOrderedSet *grantedScopes = tokenResult.accessToken.scopes; NSOrderedSet *normalizedGrantedScopes = grantedScopes.normalizedScopeSet; diff --git a/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m b/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m index 995c1c67c..337ecb4a9 100644 --- a/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m +++ b/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m @@ -87,6 +87,7 @@ - (void)testValidateTokenResult_whenSomeScopesRejectedByServer_shouldReturnError [self.validator validateTokenResult:result configuration:configuration oidcScope:defaultOidcScope + validateScopes:YES correlationID:correlationID error:&error]; @@ -131,6 +132,7 @@ - (void)testValidateTokenResult_whenEmailScopesNotIncludedByServer_shouldReturnV BOOL validated = [self.validator validateTokenResult:result configuration:configuration oidcScope:defaultOidcScope + validateScopes:YES correlationID:correlationID error:&error]; @@ -171,6 +173,7 @@ - (void)testValidateTokenResult_whenEmailScopesIncludedByServer_shouldReturnVali BOOL validated = [self.validator validateTokenResult:result configuration:configuration oidcScope:defaultOidcScope + validateScopes:YES correlationID:correlationID error:&error]; @@ -206,6 +209,7 @@ - (void)testValidateTokenResult_whenWithValidResponse_shouldReturnValidResult BOOL validated = [self.validator validateTokenResult:result configuration:configuration oidcScope:defaultOidcScope + validateScopes:YES correlationID:correlationID error:&error]; diff --git a/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m b/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m index c6ae18042..e1c15a710 100644 --- a/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m +++ b/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m 
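Review bot: `if (!validateScopes) return YES;` in `validateTokenResult:...` short-circuits the only check that catches a token granted with fewer scopes than requested, and it does so silently. Log the skip with the correlation ID before returning (the repo's `MSID_LOG_WITH_CTX` macro at info level, if it is in scope in this file) so a token accepted under this flag is visible in diagnostics, and add a comment naming the scenario the flag exists for, e.g. `// Caller opted out of scope validation (broker lookup mode); the token is accepted as issued.` The enclosing method starts outside the hunk, and the four test hunks in MSIDDefaultTokenResponseValidatorTests.m only pass `YES`, so a case asserting that `validateScopes:NO` accepts a response with missing scopes is still needed.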
@@ -207,6 +207,7 @@ - (void)testValidateTokenResult_whenResultContainsAccount_shouldReturnNoError BOOL result = [self.validator validateTokenResult:testResult configuration:[MSIDConfiguration new] oidcScope:nil + validateScopes:YES correlationID:[NSUUID new] error:&error]; diff --git a/changelog.txt b/changelog.txt index c06ac07f2..314310c0d 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,12 +1,19 @@ Version TBD * Make hashed ups in logs case insensitive (#1446) +Version 1.7.44 +* Merge 1.7.42-hotfix + Version 1.7.43 * Support web_page_uri #1440 * Save error received from ESTS, and return it to the client on silent broker calls (#1438) * XPC CommonCore Minor change to support broker XPC changes (#1436) * Assign completion block before perform request (#1434) +Version 1.7.42-hotfix +* Add support of "lookup" mode in broker #1450 +* Support web_page_uri #1440 + Version 1.7.42 * Support extra query parameters on signout (#1243) * Wrap ASAuthorizationProviderExtensionAuthorizationRequest methods (#1427) From 4b7f1838004f5340ece2a2d59ec9596ee8bad094 Mon Sep 17 00:00:00 2001 From: Juan Arias Roldan <1686668+juan-arias@users.noreply.github.com> Date: Tue, 7 Jan 2025 15:16:48 -0800 Subject: [PATCH 18/32] Uninstall xcpretty version 0.4.0 before installing version 0.3.0 --- azure_pipelines/msal_submodule_check.yaml | 8 +++++++- azure_pipelines/pr-validation.yml | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/azure_pipelines/msal_submodule_check.yaml b/azure_pipelines/msal_submodule_check.yaml index 02bc20bb2..d0179f766 100644 --- a/azure_pipelines/msal_submodule_check.yaml +++ b/azure_pipelines/msal_submodule_check.yaml 
@@ -40,7 +40,13 @@ jobs: /bin/bash -c "sudo xcode-select -s /Applications/Xcode_15.4.app" displayName: 'Switch to use Xcode 15.4' - task: CmdLine@2 - displayName: Installing xcpretty + displayName: Uninstalling xcpretty v0.4.0 + inputs: + script: | + gem uninstall xcpretty -I --version 0.4.0 + failOnStderr: false + - task: CmdLine@2 + displayName: Installing xcpretty v0.3.0 inputs: script: | gem install xcpretty -N -v 0.3.0 diff --git a/azure_pipelines/pr-validation.yml b/azure_pipelines/pr-validation.yml index d7dc2fa58..482a61e25 100644 --- a/azure_pipelines/pr-validation.yml +++ b/azure_pipelines/pr-validation.yml @@ -29,7 +29,13 @@ jobs: steps: - task: CmdLine@2 - displayName: Installing xcpretty + displayName: Uninstalling xcpretty v0.4.0 + inputs: + script: | + gem uninstall xcpretty -I --version 0.4.0 + failOnStderr: false + - task: CmdLine@2 + displayName: Installing xcpretty v0.3.0 inputs: script: | gem install xcpretty -N -v 0.3.0 From 13f4bca60a4d15386667884d1f4252fcca4407a2 Mon Sep 17 00:00:00 2001 From: Veena Soman Date: Fri, 10 Jan 2025 11:17:08 -0800 Subject: [PATCH 19/32] Fix crash due to null value being added to set --- .../src/cache/accessor/MSIDDefaultTokenCacheAccessor.m | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m b/IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m index 94235e730..57919600c 100644 --- a/IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m +++ b/IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m @@ -1277,7 +1277,10 @@ - (BOOL)saveAccount:(MSIDAccount *)account } else { - [noReturnAccountsSet addObject:accountCacheItem.username]; + if (accountCacheItem.username) + { + [noReturnAccountsSet addObject:accountCacheItem.username]; + } } } From 3ff8a24d339c1951e30410146bd52ccc18b4d502 Mon Sep 17 00:00:00 2001 
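Review bot: `gem uninstall xcpretty -I --version 0.4.0` removes exactly that one version, so if the agent image ships any other xcpretty release the `xcpretty` binstub can still resolve to the newer gem after `gem install xcpretty -N -v 0.3.0`, because RubyGems keeps versions side by side and the executable defaults to the latest. If the goal is to force 0.3.0, remove every installed version first: `gem uninstall xcpretty -a -I -x` (`-x` also removes the executables), keeping `failOnStderr: false` since the command warns when nothing is installed. The same step is duplicated verbatim in pr-validation.yml and should change the same way.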
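Review bot: Guarding `addObject:` on `accountCacheItem.username` being nil stops the NSSet crash, but it also means a signed-out account without a username never enters `noReturnAccountsSet`, so whatever that set later filters (it appears to be keyed on username alone) cannot exclude such an account. If the set is what drops signed-out accounts from the result, consider keying it on a value that is always present, such as the home account id, or at least add `// nil-username accounts cannot be filtered by username; they are intentionally left in the result` so the gap is documented. The enclosing method begins and ends outside the hunk, and the `@@` context names saveAccount: while the surrounding code looks like an accounts-query path — worth confirming which method this is.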
From: Veena Soman Date: Fri, 10 Jan 2025 13:03:27 -0800 Subject: [PATCH 20/32] Add tests --- .../MSIDDefaultAccessorSSOIntegrationTests.m | 59 ++++++++++++++++++- IdentityCore/tests/util/MSIDTestIdTokenUtil.h | 6 ++ IdentityCore/tests/util/MSIDTestIdTokenUtil.m | 17 ++++++ 3 files changed, 81 insertions(+), 1 deletion(-) diff --git a/IdentityCore/tests/integration/MSIDDefaultAccessorSSOIntegrationTests.m b/IdentityCore/tests/integration/MSIDDefaultAccessorSSOIntegrationTests.m index 640b74f2e..d664e40ab 100644 --- a/IdentityCore/tests/integration/MSIDDefaultAccessorSSOIntegrationTests.m +++ b/IdentityCore/tests/integration/MSIDDefaultAccessorSSOIntegrationTests.m 
@@ -1788,6 +1788,55 @@ - (void)testAccountsWithAuthority_whenReturnSignedInAccountTrue_shouldFilterOutS XCTAssertFalse([accountUPNs containsObject:@"upn2@test.com"]); } +- (void)testAccountsWithAuthority_whenReturnSignedInAccountTrue_AndUserNameNil_shouldNotCrash +{ + // setup default cache + [self saveResponseWithUPN:@"upn@test.com" + clientId:@"test_client_id" + authority:@"https://login.windows.net/common" + responseScopes:@"user.read user.write" + inputScopes:@"user.read user.write" + uid:@"uid" + utid:@"utid" + accessToken:@"access token" + refreshToken:@"refresh token" + familyId:@"3" + accessor:_nonSSOAccessor]; + + [self saveResponseWithUPN:nil + clientId:@"test_client_id2" + authority:@"https://login.windows.net/common" + responseScopes:@"user.read user.write" + inputScopes:@"user.read user.write" + uid:@"uid2" + utid:@"utid2" + accessToken:@"access token" + refreshToken:@"refresh token 2" + familyId:nil + accessor:_nonSSOAccessor]; + + // sign out the second account + NSError *error; + XCTAssertTrue([_accountMetadataCache updateSignInStateForHomeAccountId:@"uid2.utid2" clientId:@"test_client_id2" state:MSIDAccountMetadataStateSignedOut context:nil error:&error]); + XCTAssertNil(error); + + // setup legacy cache + [self saveResponseWithUPN:@"upn3@test.com" + clientId:@"test_client_id3" + authority:@"https://login.windows.net/common" + responseScopes:@"user.read user.write" + inputScopes:@"user.read user.write" + uid:@"uid3" + utid:@"utid3" + accessToken:@"access token" + refreshToken:@"refresh token 2" + familyId:@"3" + accessor:_otherAccessor]; + + NSArray *accounts = [_defaultAccessor accountsWithAuthority:nil clientId:@"test_client_id2" familyId:@"3" accountIdentifier:nil accountMetadataCache:_accountMetadataCache signedInAccountsOnly:YES context:nil error:&error]; + XCTAssertEqual([accounts count], 2); +} + - (void)testAccountsWithAuthority_whenReturnSignedInAccountTrue_shouldFilterOutSignedOutAccountInBothDefaultAndLegacyCache { // setup default cache 
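Review bot: The new test only asserts `[accounts count] == 2`, so it would also pass if the signed-out nil-username account were returned and one of the signed-in accounts were dropped; pin which accounts survive the filter the way the neighbouring tests do, e.g. `XCTAssertTrue([accountUPNs containsObject:@"upn@test.com"]);` and `XCTAssertTrue([accountUPNs containsObject:@"upn3@test.com"]);` after building `accountUPNs` from `accounts` as the sibling test does. The `error` out-parameter of the accountsWithAuthority: call is also never checked; add `XCTAssertNil(error);` after it.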
@@ -3117,7 +3166,15 @@ - (void)saveResponseWithUPN:(NSString *)upn appIdentifier:(NSString *)appIdentifier accessor:(id)accessor { - NSString *idToken = [MSIDTestIdTokenUtil idTokenWithPreferredUsername:upn subject:@"subject" givenName:@"Hello" familyName:@"World" name:@"Hello World" version:@"2.0" tid:tenantId]; + NSString *idToken = nil; + if (!upn) + { + idToken = [MSIDTestIdTokenUtil idTokenWithGivenName:@"Hello" familyName:@"World" name:@"Hello World" version:@"2.0" tid:tenantId]; + } + else + { + idToken = [MSIDTestIdTokenUtil idTokenWithPreferredUsername:upn subject:@"subject" givenName:@"Hello" familyName:@"World" name:@"Hello World" version:@"2.0" tid:tenantId]; + } MSIDTokenResponse *response = [MSIDTestTokenResponse v2TokenResponseWithAT:accessToken RT:refreshToken diff --git a/IdentityCore/tests/util/MSIDTestIdTokenUtil.h b/IdentityCore/tests/util/MSIDTestIdTokenUtil.h index b6096d6f4..bf5cae04c 100644 --- a/IdentityCore/tests/util/MSIDTestIdTokenUtil.h +++ b/IdentityCore/tests/util/MSIDTestIdTokenUtil.h @@ -83,4 +83,10 @@ version:(NSString *)version tid:(NSString *)tid; ++ (NSString *)idTokenWithGivenName:(NSString *)givenName + familyName:(NSString *)familyName + name:(NSString *)name + version:(NSString *)version + tid:(NSString *)tid; + @end diff --git a/IdentityCore/tests/util/MSIDTestIdTokenUtil.m b/IdentityCore/tests/util/MSIDTestIdTokenUtil.m index c9c31c9cd..3bc9b26ea 100644 --- a/IdentityCore/tests/util/MSIDTestIdTokenUtil.m +++ b/IdentityCore/tests/util/MSIDTestIdTokenUtil.m 
@@ -170,6 +170,23 @@ + (NSString *)idTokenWithPreferredUsername:(NSString *)username tid:@"contoso.com"]; } ++ (NSString *)idTokenWithGivenName:(NSString *)givenName + familyName:(NSString *)familyName + name:(NSString *)name + version:(NSString *)version + tid:(NSString *)tid +{ + NSString *idTokenp1 = [@{ @"typ": @"JWT", @"alg": @"RS256", @"kid": @"_kid_value"} msidBase64UrlJson]; + NSString *idTokenp2 = [@{ @"iss" : @"issuer", + @"given_name" : givenName, + @"family_name" : familyName, + @"name" : name, + @"ver": version, + @"tid": tid ? tid : @"" + } msidBase64UrlJson]; + return [NSString stringWithFormat:@"%@.%@.%@", idTokenp1, idTokenp2, idTokenp1]; +} + + (NSString *)idTokenWithPreferredUsername:(NSString *)username subject:(NSString *)subject givenName:(NSString *)givenName From 427d4fa9c5bf03bbfdaed06bec29dca2644750fa Mon Sep 17 00:00:00 2001 From: Veena Soman Date: Mon, 13 Jan 2025 10:38:32 -0800 Subject: [PATCH 21/32] Add new errors for passkey biometric policy mismatch and invalid passkey extension --- IdentityCore/src/MSIDError.h | 6 ++++++ IdentityCore/src/MSIDError.m | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/IdentityCore/src/MSIDError.h b/IdentityCore/src/MSIDError.h index b77d8df3f..194871f07 100644 --- a/IdentityCore/src/MSIDError.h +++ b/IdentityCore/src/MSIDError.h @@ -334,6 +334,12 @@ typedef NS_ENUM(NSInteger, MSIDErrorCode) // JIT - Error Handling config invalid or not found MSIDErrorJITErrorHandlingConfigNotFound = -51839, + + // Error is thrown when PSSO biometric policy flag mismatches with the config value + MSIDErrorPSSOBiometricPolicyMismatch = -51840, + + // Error is thrown when non ENtra passkey extension tries to access the passkey + MSIDErrorPSSOInvalidPasskeyExtension = -51841, // Throttling errors MSIDErrorThrottleCacheNoRecord = -51900, diff --git a/IdentityCore/src/MSIDError.m b/IdentityCore/src/MSIDError.m index 5de01abe0..cd6e23138 100644 --- a/IdentityCore/src/MSIDError.m +++ b/IdentityCore/src/MSIDError.m 
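Review bot: The dictionary literal in idTokenWithGivenName:familyName:name:version:tid: throws if `givenName`, `familyName`, `name` or `version` is nil, while only `tid` is guarded with `tid ? tid : @""`; since this helper exists to build tokens with missing claims, either guard all four the same way or declare them `nonnull` in the header so the compiler warns at the call site. The token deliberately omits `sub` and `preferred_username`, but nothing says so — a one-line comment such as `// Intentionally omits sub/preferred_username to model an id token with no username` would keep the omission from being "fixed" later.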
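Review bot: Typo in the new comment on MSIDErrorPSSOInvalidPasskeyExtension: `// Error is thrown when non ENtra passkey extension tries to access the passkey` should read `// Error is thrown when a non-Entra passkey extension tries to access the passkey`. Because this code marks a security decision (denying a foreign extension access to the passkey), the comment would be more useful if it also named what identifies an Entra extension for that check, so a reader can find and review the enforcement point; that check is not part of this chunk.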
@@ -207,6 +207,8 @@ MSIDErrorCode MSIDErrorCodeForOAuthErrorWithSubErrorCode(NSString *oauthError, M @(MSIDErrorDeviceNotPSSORegistered), @(MSIDErrorPSSOKeyIdMismatch), @(MSIDErrorJITErrorHandlingConfigNotFound), + @(MSIDErrorPSSOBiometricPolicyMismatch), + @(MSIDErrorPSSOInvalidPasskeyExtension), ], MSIDOAuthErrorDomain : @[// Server Errors @(MSIDErrorServerOauth), @@ -415,6 +417,10 @@ void MSIDFillAndLogError(NSError **error, MSIDErrorCode errorCode, NSString *err return @"MSIDErrorDeviceNotPSSORegistered"; case MSIDErrorPSSOKeyIdMismatch: return @"MSIDErrorPSSOKeyIdMismatch"; + case MSIDErrorPSSOBiometricPolicyMismatch: + return @"MSIDErrorPSSOBiometricPolicyMismatch"; + case MSIDErrorPSSOInvalidPasskeyExtension: + return @"MSIDErrorPSSOInvalidPasskeyExtension"; // Throttling errors case MSIDErrorThrottleCacheNoRecord: return @"MSIDErrorThrottleCacheNoRecord"; From e6220cb6ed58afb2da1b6a55c669fc1d9b5fd23a Mon Sep 17 00:00:00 2001 From: mipetriu Date: Tue, 14 Jan 2025 15:16:57 -0800 Subject: [PATCH 22/32] added new broker submodule check yml and replaced code in msal check for testing --- azure_pipelines/broker_submodule_check.yml | 168 +++++++++++++++++ azure_pipelines/msal_submodule_check.yaml | 210 +++++++++++++-------- 2 files changed, 295 insertions(+), 83 deletions(-) create mode 100644 azure_pipelines/broker_submodule_check.yml diff --git a/azure_pipelines/broker_submodule_check.yml b/azure_pipelines/broker_submodule_check.yml new file mode 100644 index 000000000..8521291b1 --- /dev/null +++ b/azure_pipelines/broker_submodule_check.yml 
@@ -0,0 +1,168 @@ +# Xcode +# Build, test, and archive an Xcode workspace on macOS. +# Add steps that install certificates, test, sign, and distribute an app, save build artifacts, and more: +# https://docs.microsoft.com/azure/devops/pipelines/languages/xcode + +trigger: + branches: + include: + - dev + +pr: + autoCancel: true + branches: + include: + - '*' + drafts: true + +pool: + name: 'Azure Pipelines' + +resources: + repositories: + - repository: azure-activedirectory-tokenbroker-for-objc + type: github + endpoint: 'MSAL ObjC Service Connection' + name: AzureAD/azure-activedirectory-tokenbroker-for-objc + + - repository: WorkplaceJoin-for-iOS + type: github + endpoint: 'MSAL ObjC Service Connection' + name: AzureAD/WorkplaceJoin-for-iOS + +jobs: +- job: 'Validate_Pull_Request' + displayName: Validate Pull Request + pool: + vmImage: 'macOS-14' + timeOutInMinutes: 30 + + steps: + - checkout: azure-activedirectory-tokenbroker-for-objc + displayName: 'Checkout Broker' + clean: false + submodules: false + fetchTags: true + persistCredentials: true + + - task: Bash@3 + displayName: 'Checkout MSAL, ADAL, and submodules' + inputs: + workingDirectory: $(Pipeline.Workspace)/s + targetType: 'inline' + script: | + cd azure-activedirectory-tokenbroker-for-objc + git submodule update --init --recursive ADAuthenticationBroker/Frameworks/adal + git submodule update --init ADAuthenticationBroker/Frameworks/microsoft-authentication-library-for-objc + + - checkout: self + displayName: 'Checkout IdentityCore' + clean: false + submodules: false + fetchTags: true + path: 's/azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks/microsoft-authentication-library-for-objc/MSAL/IdentityCore' + persistCredentials: true + + - checkout: WorkplaceJoin-for-iOS + displayName: 'Checkout WPJ' + clean: false + submodules: false + fetchTags: true + path: 's/azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS' + 
persistCredentials: true + + - task: AzureCLI@2 + inputs: + azureSubscription: 'AuthSdkResourceManager' + scriptType: 'pscore' + scriptLocation: 'inlineScript' + inlineScript: | + # if this fails, check out this bash script that includes diagnostics: + # https://gist.github.com/johnterickson/19f80a3e969e39f1000d118739176e62 + # uncomment these for more debugging spew + # GIT_TRACE=1 + # GIT_CURL_VERBOSE=1 + + # Note that the resoruce is specified to limit the token to Azure DevOps + $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv + Write-Host "##vso[task.setvariable variable=aadToken;issecret=true]$token" + - task: Bash@3 + displayName: 'Checkout NGC Submodules' + env: + AccessToken: $(MSAzureToken_encoded) + inputs: + workingDirectory: $(Pipeline.Workspace)/s + targetType: 'inline' + script: | + cd azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks + git -c http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-NGCAuthentication.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init AD-MFA-NGCAuthentication + cd AD-MFA-NGCAuthentication + git -c http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-NGCKeyProvider-ios.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init NGCKeyProvider + git -c http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-MSAuthNetworking.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init MSAuthNetworking + + - task: Bash@3 + displayName: 'Checkout WPJ openssl-msft submodule' + inputs: + workingDirectory: $(Pipeline.Workspace)/s + targetType: 'inline' + script: | + cd azure-activedirectory-tokenbroker-for-objc + REV=$(git rev-parse HEAD:ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS) + cd ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS + git pull origin $REV + cd Frameworks + git -c 
http.https://msazure.visualstudio.com/DefaultCollection/PlatformCrypto/_git/openssl-msft.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init openssl-msft + + - task: Bash@3 + displayName: 'Update WPJ submodules' + inputs: + workingDirectory: $(Pipeline.Workspace)/s + targetType: 'inline' + script: | + cd azure-activedirectory-tokenbroker-for-objc + cd ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS + git submodule update --init --recursive + + - script: 'gem uninstall xcpretty -I --version 0.4.0' + displayName: 'Uninstall xcpretty v0.4.0' + + - script: 'gem install xcpretty -N -v 0.3.0' + displayName: 'Install xcpretty v0.3.0' + + - script: 'gem install slather -N' + displayName: 'Install slather' + + - task: UsePythonVersion@0 + displayName: 'Use Python 3.x' + + - task: Bash@3 + displayName: 'Select Xcode version' + inputs: + targetType: 'inline' + script: '/bin/bash -c "sudo xcode-select -s /Applications/Xcode_15.4.app"' + +# The following is needed to install the visionOS SDK on macos-14 vm image which +# doesn't have visionOS installed by default. +# TODO: Remove when macos-14-arm64 is supported on ADO. + - task: Bash@3 + displayName: download visionOS SDK + inputs: + targetType: 'inline' + script: | + echo "Downloading simulator for visionOS" + sudo xcode-select -s /Applications/Xcode_15.4.app/Contents/Developer + defaults write com.apple.dt.Xcode AllowUnsupportedVisionOSHost -bool YES + defaults write com.apple.CoreSimulator AllowUnsupportedVisionOSHost -bool YES + xcodebuild -downloadPlatform visionOS + failOnStderr: false + + + - task: Bash@3 + displayName: 'Run a python script for Broker' + inputs: + targetType: 'inline' + script: | + cd azure-activedirectory-tokenbroker-for-objc + echo "executing build:./build.py" + python3 ./build.py + diff --git a/azure_pipelines/msal_submodule_check.yaml b/azure_pipelines/msal_submodule_check.yaml index d0179f766..f92315035 100644 --- a/azure_pipelines/msal_submodule_check.yaml 
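Review bot: Each `git -c http.<url>.extraheader="AUTHORIZATION: bearer $(aadToken)"` line expands the secret by macro into the shell script, so the token lands in the git process's argv (visible to anything on the agent that lists processes) even though Azure Pipelines masks it in the log; on the same step, `env: AccessToken: $(MSAzureToken_encoded)` is never read by the script and looks like a leftover. Pass the token through the task's `env:` and hand it to git via the `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_n`/`GIT_CONFIG_VALUE_n` environment (git 2.31+), which keeps it off the command line; the openssl-msft step needs the same treatment. Separately, this pipeline triggers on PRs from every branch including drafts, sets `persistCredentials: true` on all three checkouts, and then runs `build.py` from the checked-out tree, so code reachable from a PR runs with the persisted repo credentials — worth confirming that is acceptable here, or using `persistCredentials: false` on the self checkout as msal_submodule_check.yaml did.
```yaml
  - task: Bash@3
    displayName: 'Checkout NGC Submodules'
    env:
      AAD_TOKEN: $(aadToken)
    inputs:
      workingDirectory: $(Pipeline.Workspace)/s
      targetType: 'inline'
      script: |
        cd azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks
        export GIT_CONFIG_COUNT=3
        export GIT_CONFIG_KEY_0=http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-NGCAuthentication.extraheader
        export GIT_CONFIG_VALUE_0="AUTHORIZATION: bearer $AAD_TOKEN"
        export GIT_CONFIG_KEY_1=http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-NGCKeyProvider-ios.extraheader
        export GIT_CONFIG_VALUE_1="AUTHORIZATION: bearer $AAD_TOKEN"
        export GIT_CONFIG_KEY_2=http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-MSAuthNetworking.extraheader
        export GIT_CONFIG_VALUE_2="AUTHORIZATION: bearer $AAD_TOKEN"
        git submodule update --init AD-MFA-NGCAuthentication
        cd AD-MFA-NGCAuthentication
        git submodule update --init NGCKeyProvider
        git submodule update --init MSAuthNetworking
  # … unchanged: remaining steps …
```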
+++ b/azure_pipelines/msal_submodule_check.yaml 
@@ -1,125 +1,169 @@ -# Pipeline will be triggered for PR & any updates on the PR on all branches -pr: +# Xcode +# Build, test, and archive an Xcode workspace on macOS. +# Add steps that install certificates, test, sign, and distribute an app, save build artifacts, and more: +# https://docs.microsoft.com/azure/devops/pipelines/languages/xcode + +trigger: branches: include: - - '*' + - dev -# Trigger CI for only main/release branches -trigger: +pr: + autoCancel: true branches: include: - - main - - release/* + - '*' + drafts: true + +pool: + name: 'Azure Pipelines' resources: repositories: - - repository: microsoft-authentication-library-for-objc + - repository: azure-activedirectory-tokenbroker-for-objc type: github endpoint: 'MSAL ObjC Service Connection' - name: AzureAD/microsoft-authentication-library-for-objc + name: AzureAD/azure-activedirectory-tokenbroker-for-objc + + - repository: WorkplaceJoin-for-iOS + type: github + endpoint: 'MSAL ObjC Service Connection' + name: AzureAD/WorkplaceJoin-for-iOS -# Define parallel jobs that run build script for specified targets jobs: - job: 'Validate_Pull_Request' - strategy: - maxParallel: 3 - matrix: - IOS_FRAMEWORK: - target: "iosFramework iosTestApp sampleIosApp sampleIosAppSwift" - MAC_FRAMEWORK: - target: "macFramework" - VISION_FRAMEWORK: - target: "visionOSFramework" displayName: Validate Pull Request pool: vmImage: 'macOS-14' timeOutInMinutes: 30 steps: - - script: | - /bin/bash -c "sudo xcode-select -s /Applications/Xcode_15.4.app" - displayName: 'Switch to use Xcode 15.4' - - task: CmdLine@2 - displayName: Uninstalling xcpretty v0.4.0 + - checkout: azure-activedirectory-tokenbroker-for-objc + displayName: 'Checkout Broker' + clean: false + submodules: false + fetchTags: true + persistCredentials: true + + - task: Bash@3 + displayName: 'Checkout MSAL, ADAL, and submodules' inputs: + workingDirectory: $(Pipeline.Workspace)/s + targetType: 'inline' script: | - gem uninstall xcpretty -I --version 0.4.0 - 
failOnStderr: false - - task: CmdLine@2 - displayName: Installing xcpretty v0.3.0 + cd azure-activedirectory-tokenbroker-for-objc + git submodule update --init --recursive ADAuthenticationBroker/Frameworks/adal + git submodule update --init ADAuthenticationBroker/Frameworks/microsoft-authentication-library-for-objc + + - checkout: self + displayName: 'Checkout IdentityCore' + clean: false + submodules: false + fetchTags: true + path: 's/azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks/microsoft-authentication-library-for-objc/MSAL/IdentityCore' + persistCredentials: true + + - checkout: WorkplaceJoin-for-iOS + displayName: 'Checkout WPJ' + clean: false + submodules: false + fetchTags: true + path: 's/azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS' + persistCredentials: true + + - task: AzureCLI@2 inputs: + azureSubscription: 'AuthSdkResourceManager' + scriptType: 'pscore' + scriptLocation: 'inlineScript' + inlineScript: | + # if this fails, check out this bash script that includes diagnostics: + # https://gist.github.com/johnterickson/19f80a3e969e39f1000d118739176e62 + # uncomment these for more debugging spew + # GIT_TRACE=1 + # GIT_CURL_VERBOSE=1 + + # Note that the resoruce is specified to limit the token to Azure DevOps + $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv + Write-Host "##vso[task.setvariable variable=aadToken;issecret=true]$token" + - task: Bash@3 + displayName: 'Checkout NGC Submodules' + env: + AccessToken: $(MSAzureToken_encoded) + inputs: + workingDirectory: $(Pipeline.Workspace)/s + targetType: 'inline' script: | - gem install xcpretty -N -v 0.3.0 - failOnStderr: true - - task: CmdLine@2 - displayName: Installing dependencies + cd azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks + git -c 
http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-NGCAuthentication.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init AD-MFA-NGCAuthentication + cd AD-MFA-NGCAuthentication + git -c http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-NGCKeyProvider-ios.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init NGCKeyProvider + git -c http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-MSAuthNetworking.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init MSAuthNetworking + + - task: Bash@3 + displayName: 'Checkout WPJ openssl-msft submodule' inputs: + workingDirectory: $(Pipeline.Workspace)/s + targetType: 'inline' script: | - gem install slather bundler -N - failOnStderr: true + cd azure-activedirectory-tokenbroker-for-objc + REV=$(git rev-parse HEAD:ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS) + cd ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS + git pull origin $REV + cd Frameworks + git -c http.https://msazure.visualstudio.com/DefaultCollection/PlatformCrypto/_git/openssl-msft.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init openssl-msft -# The following is needed to install the visionOS SDK on macos-14 vm image which -# doesn't have visionOS installed by default. -# TODO: Remove when macos-14-arm64 is supported on ADO. 
- task: Bash@3 - displayName: download visionOS SDK + displayName: 'Update WPJ submodules' inputs: + workingDirectory: $(Pipeline.Workspace)/s targetType: 'inline' script: | - echo $(target) - if [ $(target) == 'visionOSFramework' ]; then - echo "Downloading simulator for visionOS" - sudo xcode-select -s /Applications/Xcode_15.4.app/Contents/Developer - defaults write com.apple.dt.Xcode AllowUnsupportedVisionOSHost -bool YES - defaults write com.apple.CoreSimulator AllowUnsupportedVisionOSHost -bool YES - xcodebuild -downloadPlatform visionOS - else - echo "Not visionOS job, no download needed" - fi - failOnStderr: false + cd azure-activedirectory-tokenbroker-for-objc + cd ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS + git submodule update --init --recursive + + - script: 'gem uninstall xcpretty -I --version 0.4.0' + displayName: 'Uninstall xcpretty v0.4.0' - - checkout: microsoft-authentication-library-for-objc - displayName: 'Checkout MSAL' - clean: true - submodules: true - fetchTags: true - persistCredentials: true + - script: 'gem install xcpretty -N -v 0.3.0' + displayName: 'Install xcpretty v0.3.0' + + - script: 'gem install slather -N' + displayName: 'Install slather' - - checkout: self - clean: true - submodules: false - fetchDepth: 1 - path: 's/microsoft-authentication-library-for-objc/MSAL/IdentityCore' - persistCredentials: false + - task: UsePythonVersion@0 + displayName: 'Use Python 3.x' - task: Bash@3 - displayName: Run Build script & check for Errors + displayName: 'Select Xcode version' + inputs: + targetType: 'inline' + script: '/bin/bash -c "sudo xcode-select -s /Applications/Xcode_15.4.app"' + +# The following is needed to install the visionOS SDK on macos-14 vm image which +# doesn't have visionOS installed by default. +# TODO: Remove when macos-14-arm64 is supported on ADO. 
+ - task: Bash@3 + displayName: download visionOS SDK inputs: targetType: 'inline' script: | - cd $(Agent.BuildDirectory)/s/microsoft-authentication-library-for-objc - { output=$(./build.py --target $(target) 2>&1 1>&3-) ;} 3>&1 - final_status=$(<./build/status.txt) - echo "FINAL STATUS = ${final_status}" - echo "POSSIBLE ERRORS: ${output}" - - if [ $final_status != "0" ]; then - echo "Build & Testing Failed! \n ${output}" >&2 - fi - failOnStderr: true + echo "Downloading simulator for visionOS" + sudo xcode-select -s /Applications/Xcode_15.4.app/Contents/Developer + defaults write com.apple.dt.Xcode AllowUnsupportedVisionOSHost -bool YES + defaults write com.apple.CoreSimulator AllowUnsupportedVisionOSHost -bool YES + xcodebuild -downloadPlatform visionOS + failOnStderr: false + + - task: Bash@3 - condition: always() - displayName: Cleanup + displayName: 'Run a python script for Broker' inputs: targetType: 'inline' script: | - rm -rf $(Agent.BuildDirectory)/s/build/status.txt + cd azure-activedirectory-tokenbroker-for-objc + echo "executing build:./build.py" + python3 ./build.py - - task: PublishTestResults@2 - condition: always() - displayName: Publish Test Report - inputs: - testResultsFormat: 'JUnit' - testResultsFiles: '$(Agent.BuildDirectory)/s/build/reports/*' - failTaskOnFailedTests: true - testRunTitle: 'Test Run - $(target)' + From aa232cc5ec67ffb1dc9a3437706528b1e80ab6bc Mon Sep 17 00:00:00 2001 From: mipetriu Date: Tue, 14 Jan 2025 17:07:25 -0800 Subject: [PATCH 23/32] revert testing changes in msal submodule check and update wpj openssl submodule checkout --- azure_pipelines/broker_submodule_check.yml | 13 +- azure_pipelines/msal_submodule_check.yaml | 210 ++++++++------------- 2 files changed, 87 insertions(+), 136 deletions(-) diff --git a/azure_pipelines/broker_submodule_check.yml b/azure_pipelines/broker_submodule_check.yml index 8521291b1..358839935 100644 --- a/azure_pipelines/broker_submodule_check.yml 
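Review bot: This hunk replaces the MSAL PR-validation pipeline wholesale — the iOS/macOS/visionOS target matrix, the PublishTestResults step and the `persistCredentials: false` on the self checkout all disappear in favour of a copy of the broker pipeline — and the commit message itself describes it as "for testing"; the next patch in the series reverts it. Squash the two so no commit in the series leaves MSAL PRs validated by the broker build. If it must stay separate, the `persistCredentials: false` on the self checkout is the one line of the old version worth carrying over, since the new version runs `build.py` from the PR tree with credentials persisted.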
+++ b/azure_pipelines/broker_submodule_check.yml @@ -106,12 +106,8 @@ jobs: workingDirectory: $(Pipeline.Workspace)/s targetType: 'inline' script: | - cd azure-activedirectory-tokenbroker-for-objc - REV=$(git rev-parse HEAD:ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS) - cd ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS - git pull origin $REV - cd Frameworks - git -c http.https://msazure.visualstudio.com/DefaultCollection/PlatformCrypto/_git/openssl-msft.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init openssl-msft + cd azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS + git -c http.https://msazure.visualstudio.com/DefaultCollection/PlatformCrypto/_git/openssl-msft.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init Frameworks/openssl-msft - task: Bash@3 displayName: 'Update WPJ submodules' @@ -119,9 +115,8 @@ jobs: workingDirectory: $(Pipeline.Workspace)/s targetType: 'inline' script: | - cd azure-activedirectory-tokenbroker-for-objc - cd ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS - git submodule update --init --recursive + cd azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS + git submodule update --init --recursive Frameworks/microsoft-authentication-library-for-objc - script: 'gem uninstall xcpretty -I --version 0.4.0' displayName: 'Uninstall xcpretty v0.4.0' diff --git a/azure_pipelines/msal_submodule_check.yaml b/azure_pipelines/msal_submodule_check.yaml index f92315035..d0179f766 100644 --- a/azure_pipelines/msal_submodule_check.yaml +++ b/azure_pipelines/msal_submodule_check.yaml 
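Review bot: `git submodule update --init --recursive Frameworks/microsoft-authentication-library-for-objc` inside WorkplaceJoin-for-iOS initialises WPJ's own copy of MSAL and, because of `--recursive`, whatever IdentityCore commit that copy pins — not the IdentityCore PR that `checkout: self` placed under the broker's MSAL tree. If WPJ's MSAL does carry a nested IdentityCore, the PR is built once as itself and once at the pinned commit, which can mask a break in the WPJ path; either check out self into that nested path as well, or drop `--recursive` and add a comment saying why WPJ's nested IdentityCore is deliberately left at its pin. This is inferred from the paths alone; WPJ's .gitmodules is not in the diff.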
@@ -1,145 +1,62 @@ -# Xcode -# Build, test, and archive an Xcode workspace on macOS. -# Add steps that install certificates, test, sign, and distribute an app, save build artifacts, and more: -# https://docs.microsoft.com/azure/devops/pipelines/languages/xcode - -trigger: - branches: - include: - - dev - +# Pipeline will be triggered for PR & any updates on the PR on all branches pr: - autoCancel: true branches: include: - '*' - drafts: true -pool: - name: 'Azure Pipelines' +# Trigger CI for only main/release branches +trigger: + branches: + include: + - main + - release/* resources: repositories: - - repository: azure-activedirectory-tokenbroker-for-objc + - repository: microsoft-authentication-library-for-objc type: github endpoint: 'MSAL ObjC Service Connection' - name: AzureAD/azure-activedirectory-tokenbroker-for-objc - - - repository: WorkplaceJoin-for-iOS - type: github - endpoint: 'MSAL ObjC Service Connection' - name: AzureAD/WorkplaceJoin-for-iOS + name: AzureAD/microsoft-authentication-library-for-objc +# Define parallel jobs that run build script for specified targets jobs: - job: 'Validate_Pull_Request' + strategy: + maxParallel: 3 + matrix: + IOS_FRAMEWORK: + target: "iosFramework iosTestApp sampleIosApp sampleIosAppSwift" + MAC_FRAMEWORK: + target: "macFramework" + VISION_FRAMEWORK: + target: "visionOSFramework" displayName: Validate Pull Request pool: vmImage: 'macOS-14' timeOutInMinutes: 30 steps: - - checkout: azure-activedirectory-tokenbroker-for-objc - displayName: 'Checkout Broker' - clean: false - submodules: false - fetchTags: true - persistCredentials: true - - - task: Bash@3 - displayName: 'Checkout MSAL, ADAL, and submodules' + - script: | + /bin/bash -c "sudo xcode-select -s /Applications/Xcode_15.4.app" + displayName: 'Switch to use Xcode 15.4' + - task: CmdLine@2 + displayName: Uninstalling xcpretty v0.4.0 inputs: - workingDirectory: $(Pipeline.Workspace)/s - targetType: 'inline' script: | - cd azure-activedirectory-tokenbroker-for-objc 
- git submodule update --init --recursive ADAuthenticationBroker/Frameworks/adal - git submodule update --init ADAuthenticationBroker/Frameworks/microsoft-authentication-library-for-objc - - - checkout: self - displayName: 'Checkout IdentityCore' - clean: false - submodules: false - fetchTags: true - path: 's/azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks/microsoft-authentication-library-for-objc/MSAL/IdentityCore' - persistCredentials: true - - - checkout: WorkplaceJoin-for-iOS - displayName: 'Checkout WPJ' - clean: false - submodules: false - fetchTags: true - path: 's/azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS' - persistCredentials: true - - - task: AzureCLI@2 - inputs: - azureSubscription: 'AuthSdkResourceManager' - scriptType: 'pscore' - scriptLocation: 'inlineScript' - inlineScript: | - # if this fails, check out this bash script that includes diagnostics: - # https://gist.github.com/johnterickson/19f80a3e969e39f1000d118739176e62 - # uncomment these for more debugging spew - # GIT_TRACE=1 - # GIT_CURL_VERBOSE=1 - - # Note that the resoruce is specified to limit the token to Azure DevOps - $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv - Write-Host "##vso[task.setvariable variable=aadToken;issecret=true]$token" - - task: Bash@3 - displayName: 'Checkout NGC Submodules' - env: - AccessToken: $(MSAzureToken_encoded) + gem uninstall xcpretty -I --version 0.4.0 + failOnStderr: false + - task: CmdLine@2 + displayName: Installing xcpretty v0.3.0 inputs: - workingDirectory: $(Pipeline.Workspace)/s - targetType: 'inline' script: | - cd azure-activedirectory-tokenbroker-for-objc/ADAuthenticationBroker/Frameworks - git -c http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-NGCAuthentication.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init AD-MFA-NGCAuthentication - cd 
AD-MFA-NGCAuthentication - git -c http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-NGCKeyProvider-ios.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init NGCKeyProvider - git -c http.https://msazure.visualstudio.com/DefaultCollection/One/_git/AD-MFA-MSAuthNetworking.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init MSAuthNetworking - - - task: Bash@3 - displayName: 'Checkout WPJ openssl-msft submodule' + gem install xcpretty -N -v 0.3.0 + failOnStderr: true + - task: CmdLine@2 + displayName: Installing dependencies inputs: - workingDirectory: $(Pipeline.Workspace)/s - targetType: 'inline' script: | - cd azure-activedirectory-tokenbroker-for-objc - REV=$(git rev-parse HEAD:ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS) - cd ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS - git pull origin $REV - cd Frameworks - git -c http.https://msazure.visualstudio.com/DefaultCollection/PlatformCrypto/_git/openssl-msft.extraheader="AUTHORIZATION: bearer $(aadToken)" submodule update --init openssl-msft - - - task: Bash@3 - displayName: 'Update WPJ submodules' - inputs: - workingDirectory: $(Pipeline.Workspace)/s - targetType: 'inline' - script: | - cd azure-activedirectory-tokenbroker-for-objc - cd ADAuthenticationBroker/Frameworks/WorkplaceJoin-for-iOS - git submodule update --init --recursive - - - script: 'gem uninstall xcpretty -I --version 0.4.0' - displayName: 'Uninstall xcpretty v0.4.0' - - - script: 'gem install xcpretty -N -v 0.3.0' - displayName: 'Install xcpretty v0.3.0' - - - script: 'gem install slather -N' - displayName: 'Install slather' - - - task: UsePythonVersion@0 - displayName: 'Use Python 3.x' - - - task: Bash@3 - displayName: 'Select Xcode version' - inputs: - targetType: 'inline' - script: '/bin/bash -c "sudo xcode-select -s /Applications/Xcode_15.4.app"' + gem install slather bundler -N + failOnStderr: true # The following is needed to install the visionOS SDK on macos-14 vm 
image which # doesn't have visionOS installed by default. 
@@ -149,21 +66,60 @@ jobs: inputs: targetType: 'inline' script: | - echo "Downloading simulator for visionOS" - sudo xcode-select -s /Applications/Xcode_15.4.app/Contents/Developer - defaults write com.apple.dt.Xcode AllowUnsupportedVisionOSHost -bool YES - defaults write com.apple.CoreSimulator AllowUnsupportedVisionOSHost -bool YES - xcodebuild -downloadPlatform visionOS + echo $(target) + if [ $(target) == 'visionOSFramework' ]; then + echo "Downloading simulator for visionOS" + sudo xcode-select -s /Applications/Xcode_15.4.app/Contents/Developer + defaults write com.apple.dt.Xcode AllowUnsupportedVisionOSHost -bool YES + defaults write com.apple.CoreSimulator AllowUnsupportedVisionOSHost -bool YES + xcodebuild -downloadPlatform visionOS + else + echo "Not visionOS job, no download needed" + fi failOnStderr: false + - checkout: microsoft-authentication-library-for-objc + displayName: 'Checkout MSAL' + clean: true + submodules: true + fetchTags: true + persistCredentials: true + + - checkout: self + clean: true + submodules: false + fetchDepth: 1 + path: 's/microsoft-authentication-library-for-objc/MSAL/IdentityCore' + persistCredentials: false - task: Bash@3 - displayName: 'Run a python script for Broker' + displayName: Run Build script & check for Errors inputs: targetType: 'inline' script: | - cd azure-activedirectory-tokenbroker-for-objc - echo "executing build:./build.py" - python3 ./build.py + cd $(Agent.BuildDirectory)/s/microsoft-authentication-library-for-objc + { output=$(./build.py --target $(target) 2>&1 1>&3-) ;} 3>&1 + final_status=$(<./build/status.txt) + echo "FINAL STATUS = ${final_status}" + echo "POSSIBLE ERRORS: ${output}" - + if [ $final_status != "0" ]; then + echo "Build & Testing Failed! 
\n ${output}" >&2 + fi + failOnStderr: true + - task: Bash@3 + condition: always() + displayName: Cleanup + inputs: + targetType: 'inline' + script: | + rm -rf $(Agent.BuildDirectory)/s/build/status.txt + + - task: PublishTestResults@2 + condition: always() + displayName: Publish Test Report + inputs: + testResultsFormat: 'JUnit' + testResultsFiles: '$(Agent.BuildDirectory)/s/build/reports/*' + failTaskOnFailedTests: true + testRunTitle: 'Test Run - $(target)' From e739d3de0726c0ff7639d913715b1945f5213408 Mon Sep 17 00:00:00 2001 From: mipetriu Date: Thu, 16 Jan 2025 16:40:20 -0800 Subject: [PATCH 24/32] add global constant for camera suppression --- IdentityCore/src/MSIDBrokerConstants.h | 2 ++ IdentityCore/src/MSIDBrokerConstants.m | 3 +++ .../MSIDOAuth2EmbeddedWebviewController.h | 2 +- .../MSIDOAuth2EmbeddedWebviewController.m | 21 +++++++++++++++++++ 4 files changed, 27 insertions(+), 1 deletion(-) diff --git a/IdentityCore/src/MSIDBrokerConstants.h b/IdentityCore/src/MSIDBrokerConstants.h index 203c7e19d..db43380cc 100644 --- a/IdentityCore/src/MSIDBrokerConstants.h +++ b/IdentityCore/src/MSIDBrokerConstants.h @@ -104,3 +104,5 @@ extern NSString * _Nonnull const MSID_CREATE_NEW_URL_SESSION; extern NSString * _Nonnull const MSID_HTTP_CONNECTION_VALUE; extern NSString * _Nonnull const MSID_FORCE_REFRESH_KEY; +extern BOOL MSID_SUPPRESS_CAMERA_CONSENT_PROMPT_IN_WEBVIEW; + diff --git a/IdentityCore/src/MSIDBrokerConstants.m b/IdentityCore/src/MSIDBrokerConstants.m index 5c3b48567..85100f791 100644 --- a/IdentityCore/src/MSIDBrokerConstants.m +++ b/IdentityCore/src/MSIDBrokerConstants.m @@ -104,3 +104,6 @@ // Http header NSString *const MSID_HTTP_CONNECTION = @"Connection"; NSString *const MSID_HTTP_CONNECTION_VALUE = @"close"; + +// Non-constant +BOOL MSID_SUPPRESS_CAMERA_CONSENT_PROMPT_IN_WEBVIEW = NO; 
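Review bot: The new build step compares `$final_status` unquoted — `if [ $final_status != "0" ]; then` — so when `./build/status.txt` is empty or `./build.py` never writes it, `[` is left without a left operand and the step dies with a shell syntax error instead of the build output it was meant to surface; the same applies to `if [ $(target) == 'visionOSFramework' ]` in the visionOS step. Quote both expansions and treat a missing status file as a failure, e.g. `final_status=$(<./build/status.txt) || final_status="missing"` followed by `if [ "${final_status}" != "0" ]; then`. The checkout of microsoft-authentication-library-for-objc sets `persistCredentials: true`, which leaves the fetch token in that clone's git config for every later step of the job; if `./build.py` does not need further fetches or pushes, `false` (as the `self` checkout already uses) is the safer setting. With `failOnStderr: true` anything the build script prints to stderr during a successful run will also fail the task, which the `2>&1 1>&3-` redirection is presumably there to avoid — a comment saying so would help the next person who touches the step.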
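Review bot: `MSID_SUPPRESS_CAMERA_CONSENT_PROMPT_IN_WEBVIEW` is a writable global exported from a header that otherwise holds `const` strings, and nothing on the declaration says what setting it does or who is meant to set it; the definition in MSIDBrokerConstants.m only carries `// Non-constant`. Add a doc comment on the `extern`: `/// Process-wide switch read by the embedded webview each time WebKit asks for media-capture permission; when YES, camera requests are granted without the user prompt. Meant to be set by the host before the webview is presented — it is a plain non-atomic global, not something to flip concurrently.` Because it is a file-scope `extern BOOL`, any code in the process can set it; if only the host is meant to, exposing it through the controller's configuration instead would make that ownership explicit.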
diff --git a/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.h b/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.h index 6d9cda25d..34ae0a3e5 100644 --- a/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.h +++ b/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.h @@ -38,7 +38,7 @@ typedef void (^MSIDNavigationResponseBlock)(NSHTTPURLResponse *response); @interface MSIDOAuth2EmbeddedWebviewController : -MSIDWebviewUIController +MSIDWebviewUIController typedef NSURLRequest *(^MSIDExternalDecidePolicyForBrowserActionBlock)(MSIDOAuth2EmbeddedWebviewController *webView, NSURL *url); diff --git a/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m b/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m index 40320c7a2..d15c16113 100644 --- a/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m +++ b/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m @@ -108,6 +108,10 @@ -(void)dealloc { [self.webView setNavigationDelegate:nil]; } + if ([self.webView.UIDelegate isEqual:self]) + { + [self.webView setUIDelegate:nil]; + } self.webView = nil; } @@ -175,6 +179,7 @@ - (BOOL)loadView:(NSError *__autoreleasing*)error BOOL result = [super loadView:error]; self.webView.navigationDelegate = self; + self.webView.UIDelegate = self; #if !EXCLUDE_FROM_MSALCPP #if DEBUG 
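Review bot: With `self.webView.UIDelegate = self;` in `loadView:` the controller now receives every optional WKUIDelegate callback that WebKit routes to a UI delegate, not just the media-capture one this series adds, and the class extension declaring `<WKUIDelegate>` conformance is not part of the visible patch — if it is missing, the assignment compiles with an incompatible-pointer warning only. A one-line comment next to the assignment would record the intent: `// UI delegate is set only to answer media-capture permission requests; no other WKUIDelegate methods are implemented.` The matching teardown in `dealloc` mirrors the existing navigationDelegate check, which is fine.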
@@ -479,6 +484,22 @@ - (void)webView:(WKWebView *)webView didReceiveServerRedirectForProvisionalNavig
 }
 }
+- (void) webView:(WKWebView *)webView
+requestMediaCapturePermissionForOrigin:(WKSecurityOrigin *)origin
+initiatedByFrame:(WKFrameInfo *)frame
+ type:(WKMediaCaptureType)type
+ decisionHandler:(void (^)(WKPermissionDecision decision))decisionHandler API_AVAILABLE(ios(15.0))
+{
+ if (MSID_SUPPRESS_CAMERA_CONSENT_PROMPT_IN_WEBVIEW)
+ {
+ decisionHandler(WKPermissionDecisionGrant);
+ }
+ else
+ {
+ decisionHandler(WKPermissionDecisionPrompt);
+ }
+}
+
 #pragma mark - Loading Indicator
 - (void)onStartLoadingIndicator:(__unused id)sender
From edd3fbdab8d9dd8f53819fc5a8429e9f3f6421a9 Mon Sep 17 00:00:00 2001
From: mipetriu
Date: Thu, 16 Jan 2025 16:50:46 -0800
Subject: [PATCH 25/32] add check for camera in prompt suppression check
---
 .../embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m b/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m
index d15c16113..919d5e320 100644
--- a/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m
+++ b/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m
@@ -490,7 +490,7 @@ - (void) webView:(WKWebView *)webView
 type:(WKMediaCaptureType)type
 decisionHandler:(void (^)(WKPermissionDecision decision))decisionHandler API_AVAILABLE(ios(15.0))
 {
- if (MSID_SUPPRESS_CAMERA_CONSENT_PROMPT_IN_WEBVIEW)
+ if (MSID_SUPPRESS_CAMERA_CONSENT_PROMPT_IN_WEBVIEW && type == WKMediaCaptureTypeCamera)
 {
 decisionHandler(WKPermissionDecisionGrant);
 }
From 67f702270859888d612441ea9aeae0e5f0efc6fe Mon Sep 17 00:00:00 2001
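Review bot: The grant branch of the new `webView:requestMediaCapturePermissionForOrigin:initiatedByFrame:type:decisionHandler:` never inspects `origin` or `frame`, so once the global is YES every page the embedded webview reaches — a redirect target, an external link, a cross-origin subframe — gets the camera without the consent prompt; the follow-up in [PATCH 25/32] narrows `type` to the camera but still does not restrict who is asking. Grant only for the main frame and for the origin the controller was started for, e.g. `if (MSID_SUPPRESS_CAMERA_CONSENT_PROMPT_IN_WEBVIEW && type == WKMediaCaptureTypeCamera && frame.isMainFrame && [origin.host isEqualToString:expectedAuthorityHost /* placeholder: host of the request this controller loads */])`, and fall through to `WKPermissionDecisionPrompt` in every other case; the request the controller loads is not in this hunk, so the comparison value has to come from state the controller already holds. `frame.isMainFrame` is the getter of `WKFrameInfo.mainFrame` and `origin.host` exists on `WKSecurityOrigin`, both available well before the iOS 15 baseline the method declares. A short comment above the method should state why the prompt is suppressed and that the `else` branch keeps WebKit's default prompt behaviour.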
From: Veena Soman Date: Thu, 16 Jan 2025 21:15:57 -0800 Subject: [PATCH 26/32] add one more new pSSO error --- IdentityCore/src/MSIDError.h | 3 +++ IdentityCore/src/MSIDError.m | 3 +++ 2 files changed, 6 insertions(+) diff --git a/IdentityCore/src/MSIDError.h b/IdentityCore/src/MSIDError.h index 194871f07..64455bfec 100644 --- a/IdentityCore/src/MSIDError.h +++ b/IdentityCore/src/MSIDError.h @@ -340,6 +340,9 @@ typedef NS_ENUM(NSInteger, MSIDErrorCode) // Error is thrown when non ENtra passkey extension tries to access the passkey MSIDErrorPSSOInvalidPasskeyExtension = -51841, + + // Error thrown when psso save login config operation fails + MSIDErrorPSSOSaveLoginConfigFailure = -51842, // Throttling errors MSIDErrorThrottleCacheNoRecord = -51900, diff --git a/IdentityCore/src/MSIDError.m b/IdentityCore/src/MSIDError.m index cd6e23138..2abc9bef7 100644 --- a/IdentityCore/src/MSIDError.m +++ b/IdentityCore/src/MSIDError.m @@ -209,6 +209,7 @@ MSIDErrorCode MSIDErrorCodeForOAuthErrorWithSubErrorCode(NSString *oauthError, M @(MSIDErrorJITErrorHandlingConfigNotFound), @(MSIDErrorPSSOBiometricPolicyMismatch), @(MSIDErrorPSSOInvalidPasskeyExtension), + @(MSIDErrorPSSOSaveLoginConfigFailure), ], MSIDOAuthErrorDomain : @[// Server Errors @(MSIDErrorServerOauth), @@ -421,6 +422,8 @@ void MSIDFillAndLogError(NSError **error, MSIDErrorCode errorCode, NSString *err return @"MSIDErrorPSSOBiometricPolicyMismatch"; case MSIDErrorPSSOInvalidPasskeyExtension: return @"MSIDErrorPSSOInvalidPasskeyExtension"; + case MSIDErrorPSSOSaveLoginConfigFailure: + return @"MSIDErrorPSSOSaveLoginConfigFailure"; // Throttling errors case MSIDErrorThrottleCacheNoRecord: return @"MSIDErrorThrottleCacheNoRecord"; From 03314fc0b1cea217266c2328aeb8c9781f42a7a5 Mon Sep 17 00:00:00 2001 
From: Veena Soman Date: Fri, 17 Jan 2025 13:25:39 -0800 Subject: [PATCH 27/32] Add PSSO registration needs repair status in getDeviceInfo psso status --- IdentityCore/src/broker_operation/response/MSIDDeviceInfo.h | 1 + IdentityCore/src/broker_operation/response/MSIDDeviceInfo.m | 3 +++ 2 files changed, 4 insertions(+) diff --git a/IdentityCore/src/broker_operation/response/MSIDDeviceInfo.h b/IdentityCore/src/broker_operation/response/MSIDDeviceInfo.h index 16cc4153f..0ddee1c20 100644 --- a/IdentityCore/src/broker_operation/response/MSIDDeviceInfo.h +++ b/IdentityCore/src/broker_operation/response/MSIDDeviceInfo.h @@ -46,6 +46,7 @@ typedef NS_ENUM(NSInteger, MSIDPlatformSSOStatus) MSIDPlatformSSONotEnabled = 0, //Platform SSO Not enabled in SSO Config MSIDPlatformSSOEnabledNotRegistered = 1, //Platform SSO Enabled in sso config , but not Registered MSIDPlatformSSOEnabledAndRegistered = 2, //Platform SSO Enabled in sso config and registered + MSIDPlatformSSORegistrationNeedsRepair = 3, //Platform registration needs to be repaired }; typedef NS_ENUM(NSInteger, MSIDPreferredAuthMethod) diff --git a/IdentityCore/src/broker_operation/response/MSIDDeviceInfo.m b/IdentityCore/src/broker_operation/response/MSIDDeviceInfo.m index a279fe13d..1df2f3d6f 100644 --- a/IdentityCore/src/broker_operation/response/MSIDDeviceInfo.m +++ b/IdentityCore/src/broker_operation/response/MSIDDeviceInfo.m @@ -176,6 +176,8 @@ - (NSString *)platformSSOStatusStringFromEnum:(MSIDPlatformSSOStatus)platformSSO return @"platformSSOEnabledNotRegistered"; case MSIDPlatformSSOEnabledAndRegistered: return @"platformSSOEnabledAndRegistered"; + case MSIDPlatformSSORegistrationNeedsRepair: + return @"platformSSORegistrationNeedsRepair"; default: return nil; 
@@ -187,6 +189,7 @@ - (MSIDPlatformSSOStatus)platformSSOStatusEnumFromString:(NSString *)platformSSO if ([platformSSOStatusString isEqualToString:@"platformSSONotEnabled"]) return MSIDPlatformSSONotEnabled; if ([platformSSOStatusString isEqualToString:@"platformSSOEnabledNotRegistered"]) return MSIDPlatformSSOEnabledNotRegistered; if ([platformSSOStatusString isEqualToString:@"platformSSOEnabledAndRegistered"]) return MSIDPlatformSSOEnabledAndRegistered; + if ([platformSSOStatusString isEqualToString:@"platformSSORegistrationNeedsRepair"]) return MSIDPlatformSSORegistrationNeedsRepair; return MSIDPlatformSSONotEnabled; } From 329a6a56f2d01c370e11da76d1723f106ed349dd Mon Sep 17 00:00:00 2001 From: mipetriu Date: Tue, 21 Jan 2025 16:25:09 -0800 Subject: [PATCH 28/32] add macos version restriction --- .../embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m b/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m index 919d5e320..5216c7cda 100644 --- a/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m +++ b/IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m @@ -488,7 +488,7 @@ - (void) webView:(WKWebView *)webView requestMediaCapturePermissionForOrigin:(WKSecurityOrigin *)origin initiatedByFrame:(WKFrameInfo *)frame type:(WKMediaCaptureType)type - decisionHandler:(void (^)(WKPermissionDecision decision))decisionHandler API_AVAILABLE(ios(15.0)) + decisionHandler:(void (^)(WKPermissionDecision decision))decisionHandler API_AVAILABLE(ios(15.0), macos(12.0)) { if (MSID_SUPPRESS_CAMERA_CONSENT_PROMPT_IN_WEBVIEW && type == WKMediaCaptureTypeCamera) { From e9e5616b2cffbd4e620008e0a524ee3eff1d9d36 Mon Sep 17 00:00:00 2001 
From: Veena Soman Date: Fri, 24 Jan 2025 19:19:57 -0800 Subject: [PATCH 29/32] Add new psso error --- IdentityCore/src/MSIDError.h | 9 +++++++++ IdentityCore/src/MSIDError.m | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/IdentityCore/src/MSIDError.h b/IdentityCore/src/MSIDError.h index cbddcd64c..7eb38a0cc 100644 --- a/IdentityCore/src/MSIDError.h +++ b/IdentityCore/src/MSIDError.h @@ -345,6 +345,15 @@ typedef NS_ENUM(NSInteger, MSIDErrorCode) // Error thrown when psso save login config operation fails MSIDErrorPSSOSaveLoginConfigFailure = -51842, + + // Error is thrown when passkey accessed without biometric when h/w biometric policy configured + MSIDErrorPSSOPasskeyLAError = -51843, + + // Error is thrown when PSSO user registration attempted with no biometrics configured and sekey biometric policy is configured + MSIDErrorPSSOBiometricsNotEnrolled = -51844, + + // Error is thrown when PSSO user registration attempted with no biometrics available and sekey biometric policy is configured + MSIDErrorPSSOBiometricsNotAvailable = -51845, // Throttling errors MSIDErrorThrottleCacheNoRecord = -51900, diff --git a/IdentityCore/src/MSIDError.m b/IdentityCore/src/MSIDError.m index 8740353c2..56b7c539f 100644 --- a/IdentityCore/src/MSIDError.m +++ b/IdentityCore/src/MSIDError.m @@ -210,6 +210,9 @@ MSIDErrorCode MSIDErrorCodeForOAuthErrorWithSubErrorCode(NSString *oauthError, M @(MSIDErrorPSSOBiometricPolicyMismatch), @(MSIDErrorPSSOInvalidPasskeyExtension), @(MSIDErrorPSSOSaveLoginConfigFailure), + @(MSIDErrorPSSOPasskeyLAError), + @(MSIDErrorPSSOBiometricsNotEnrolled), + @(MSIDErrorPSSOBiometricsNotAvailable), ], MSIDOAuthErrorDomain : @[// Server Errors @(MSIDErrorServerOauth), 
@@ -427,6 +430,12 @@ void MSIDFillAndLogError(NSError **error, MSIDErrorCode errorCode, NSString *err return @"MSIDErrorPSSOInvalidPasskeyExtension"; case MSIDErrorPSSOSaveLoginConfigFailure: return @"MSIDErrorPSSOSaveLoginConfigFailure"; + case MSIDErrorPSSOPasskeyLAError: + return @"MSIDErrorPSSOPasskeyLAError"; + case MSIDErrorPSSOBiometricsNotEnrolled: + return @"MSIDErrorPSSOBiometricsNotEnrolled"; + case MSIDErrorPSSOBiometricsNotAvailable: + return @"MSIDErrorPSSOBiometricsNotAvailable"; // Throttling errors case MSIDErrorThrottleCacheNoRecord: return @"MSIDErrorThrottleCacheNoRecord"; From 7fd5f1b717a1d7276c3906637e0a714455154319 Mon Sep 17 00:00:00 2001 From: Kai Song Date: Tue, 28 Jan 2025 09:19:53 -0800 Subject: [PATCH 30/32] Update changelog.txt --- changelog.txt | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/changelog.txt b/changelog.txt index 314310c0d..74fa7f01e 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,5 +1,11 @@ -Version TBD +Version 1.7.45 * Make hashed ups in logs case insensitive (#1446) +* Add new psso error (#1471) +* Add PSSO registration needs repair status in getDeviceInfo psso status (#1465) +* Suppress camera consent prompt in embedded webview when configured (#1464) +* Fix crash due to null value being added to set (#1461) +* Add new errors for passkey biometric policy mismatch (#1462) + Version 1.7.44 * Merge 1.7.42-hotfix From e4aed05a12f52ce65f5d913c884c52c0226331e8 Mon Sep 17 00:00:00 2001 From: Kai Song Date: Tue, 28 Jan 2025 10:12:41 -0800 Subject: [PATCH 31/32] Update change log --- changelog.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog.txt b/changelog.txt index 5485df59c..cd517ea9b 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,4 +1,4 @@ -Version 1.7.45 +Version 1.8.0 * Make hashed ups in logs case insensitive (#1446) * Add new psso error (#1471) * Add PSSO registration needs repair status in getDeviceInfo psso status (#1465) 
From 96770786c5c119ab8a8487511248306252127ba4 Mon Sep 17 00:00:00 2001 From: Juan Arias Roldan <1686668+juan-arias@users.noreply.github.com> Date: Fri, 31 Jan 2025 11:15:56 -0800 Subject: [PATCH 32/32] Split dummy test id token to avoid getting it flagged as a secret. --- IdentityCore/tests/MSIDTokenResponseTests.m | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/IdentityCore/tests/MSIDTokenResponseTests.m b/IdentityCore/tests/MSIDTokenResponseTests.m index 3f37f19c5..0dd9ee97b 100644 --- a/IdentityCore/tests/MSIDTokenResponseTests.m +++ b/IdentityCore/tests/MSIDTokenResponseTests.m @@ -333,7 +333,13 @@ - (void)testJsonDictionary_whenAllPropertiesSetForSuccessResponse_shouldReturnJs XCTAssertEqualObjects(json[@"client_app_version"], @"1.0"); XCTAssertEqualObjects(json[@"expires_in"], @"300"); XCTAssertEqualObjects(json[@"expires_on"], @"1575635662"); - XCTAssertEqualObjects(json[@"id_token"], @"eyJhbGciOiJSUzI1NiIsImtpZCI6Il9raWRfdmFsdWUiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJpc3N1ZXIiLCJuYW1lIjoiVGVzdCBuYW1lIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidXNlckBjb250b3NvLmNvbSIsInN1YiI6InN1YiJ9.eyJhbGciOiJSUzI1NiIsImtpZCI6Il9raWRfdmFsdWUiLCJ0eXAiOiJKV1QifQ"); + + NSArray *idTokenComponents = [json[@"id_token"] componentsSeparatedByString:@"."]; + XCTAssertEqual(idTokenComponents.count, 3); + XCTAssertEqualObjects(idTokenComponents[0], @"eyJhbGciOiJSUzI1NiIsImtpZCI6Il9raWRfdmFsdWUiLCJ0eXAiOiJKV1QifQ"); + XCTAssertEqualObjects(idTokenComponents[1], @"eyJpc3MiOiJpc3N1ZXIiLCJuYW1lIjoiVGVzdCBuYW1lIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidXNlckBjb250b3NvLmNvbSIsInN1YiI6InN1YiJ9"); + XCTAssertEqualObjects(idTokenComponents[2], @"eyJhbGciOiJSUzI1NiIsImtpZCI6Il9raWRfdmFsdWUiLCJ0eXAiOiJKV1QifQ"); + XCTAssertEqualObjects(json[@"provider_type"], @"provider_aad_v2"); XCTAssertEqualObjects(json[@"scope"], @"scope 1"); XCTAssertEqualObjects(json[@"token_type"], @"Bearer");