Merge pull request #1458 from AzureAD/release/2.7.14
Merge release 2.7.14 into 2.7.x master
oldalton authored Sep 3, 2019
2 parents 3d90061 + 6d577c6 commit 1d2e947
Showing 26 changed files with 1,129 additions and 101 deletions.
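--- a/ADAL.podspec
+++ b/ADAL.podspec
@@ -1,7 +1,7 @@
 Pod::Spec.new do |s|
 s.name = "ADAL"
 s.module_name = "ADAL"
-s.version = "2.7.13"
+s.version = "2.7.14"
 s.summary = "The ADAL SDK for iOS gives you the ability to add Azure Identity authentication to your application"
 
 s.description = <<-DESC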
6 changes: 6 additions & 0 deletions ADAL/ADAL.xcodeproj/project.pbxproj
Expand Up @@ -345,6 +345,7 @@
B2A02CE820F5AEEB0048792D /* ADALAADLoginTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 23B791CE2012B7A9008D4BD2 /* ADALAADLoginTests.m */; };
B2A02CE920F5AEF20048792D /* ADALADFSv4InteractiveLoginTests.m in Sources */ = {isa = PBXBuildFile; fileRef = B2AACE0420DF2CFF00AC88E2 /* ADALADFSv4InteractiveLoginTests.m */; };
B2A02CEA20F5AEF50048792D /* ADALADFSv3InteractiveLoginTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 23B791D42012C0D6008D4BD2 /* ADALADFSv3InteractiveLoginTests.m */; };
B2A17EA422FFCA300051637E /* ADBrokerApplicationTokenHelper.m in Sources */ = {isa = PBXBuildFile; fileRef = B2775F7522FE7FC200D7DEB9 /* ADBrokerApplicationTokenHelper.m */; };
B2A409D620D36524004AA9B7 /* ADALiOSMSALCoexistenceCacheTests.m in Sources */ = {isa = PBXBuildFile; fileRef = B2A409D520D36524004AA9B7 /* ADALiOSMSALCoexistenceCacheTests.m */; };
B2A409E220D36545004AA9B7 /* libIdentityCore.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D626FFC81FBD1B1300EE4487 /* libIdentityCore.a */; };
B2A409E320D3654B004AA9B7 /* libIdentityAutomation iOS.a in Frameworks */ = {isa = PBXBuildFile; fileRef = B27552182082BEB900AA7A38 /* libIdentityAutomation iOS.a */; };
Expand Down Expand Up @@ -1163,6 +1164,8 @@
B26207E022C872DA00F867D9 /* ADEnrollmentGateway+UnitTests.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "ADEnrollmentGateway+UnitTests.h"; sourceTree = "<group>"; };
B267CA191EE0E9FF00C0B5A8 /* ADNegotiateHandler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ADNegotiateHandler.h; sourceTree = "<group>"; };
B267CA1A1EE0E9FF00C0B5A8 /* ADNegotiateHandler.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ADNegotiateHandler.m; sourceTree = "<group>"; };
B2775F7422FE7FC200D7DEB9 /* ADBrokerApplicationTokenHelper.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ADBrokerApplicationTokenHelper.h; sourceTree = "<group>"; };
B2775F7522FE7FC200D7DEB9 /* ADBrokerApplicationTokenHelper.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ADBrokerApplicationTokenHelper.m; sourceTree = "<group>"; };
B2822A2C2055D67200390B6E /* ADLegacyMacTokenCache.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ADLegacyMacTokenCache.h; sourceTree = "<group>"; };
B2822A2D2055D67200390B6E /* ADLegacyMacTokenCache.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ADLegacyMacTokenCache.m; sourceTree = "<group>"; };
B2822A312055DBF800390B6E /* ADLegacyKeychainTokenCache.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ADLegacyKeychainTokenCache.m; sourceTree = "<group>"; };
Expand Down Expand Up @@ -1924,6 +1927,8 @@
9453C37A1C5801CB006B9E79 /* ADBrokerKeyHelper.m */,
9453C37B1C5801CB006B9E79 /* ADBrokerNotificationManager.h */,
9453C37C1C5801CB006B9E79 /* ADBrokerNotificationManager.m */,
B2775F7422FE7FC200D7DEB9 /* ADBrokerApplicationTokenHelper.h */,
B2775F7522FE7FC200D7DEB9 /* ADBrokerApplicationTokenHelper.m */,
);
path = ios;
sourceTree = "<group>";
Expand Down Expand Up @@ -3875,6 +3880,7 @@
D664F1A91D302B9C0017B799 /* ADPkeyAuthHelper.m in Sources */,
B299FF1A1F22BE32004A2CB9 /* NSString+ADURLExtensions.m in Sources */,
D664F1AA1D302B9C0017B799 /* ADAuthenticationParameters+Internal.m in Sources */,
B2A17EA422FFCA300051637E /* ADBrokerApplicationTokenHelper.m in Sources */,
D664F1AB1D302B9C0017B799 /* ADBrokerNotificationManager.m in Sources */,
D664F1AC1D302B9C0017B799 /* ADAuthenticationResult.m in Sources */,
E0A4E9701EA8080E008472FF /* ADWorkPlaceJoinConstants.m in Sources */,
Expand Up @@ -31,6 +31,8 @@ @interface ADALSovereignLoginTests : ADALBaseUITest

@end

static const NSString *kAADGraphResourceGUID = @"00000002-0000-0000-c000-000000000000";

@implementation ADALSovereignLoginTests

- (void)setUp
Expand All @@ -57,7 +59,8 @@ - (void)testInteractiveAADLogin_withBlackforestUser_withPromptAlways_withLoginHi
@"user_identifier" : self.primaryAccount.account,
@"user_identifier_type" : @"optional_displayable",
@"extra_qp": @"instance_aware=true",
@"authority" : @"https://login.microsoftonline.com/common"
@"authority" : @"https://login.microsoftonline.com/common",
@"resource": kAADGraphResourceGUID
};
NSDictionary *config = [self.testConfiguration configWithAdditionalConfiguration:params];

Expand All @@ -84,7 +87,7 @@ - (void)testInteractiveAADLogin_withBlackforestUser_withPromptAlways_withLoginHi
NSDictionary *silentParams = @{
@"user_identifier" : self.primaryAccount.account,
@"client_id" : self.testConfiguration.clientId,
@"resource" : self.testConfiguration.resource,
@"resource" : kAADGraphResourceGUID,
@"authority" : @"https://login.microsoftonline.com/common"
};

Expand All @@ -99,7 +102,7 @@ - (void)testInteractiveAADLogin_withBlackforestUser_withPromptAlways_withLoginHi
@"user_identifier" : self.primaryAccount.account,
@"client_id" : self.testConfiguration.clientId,
@"authority" : self.testConfiguration.authority,
@"resource" : self.testConfiguration.resource
@"resource" : kAADGraphResourceGUID
};

config = [self.testConfiguration configWithAdditionalConfiguration:silentParams];
Expand All @@ -124,7 +127,8 @@ - (void)testInteractiveAADLogin_withBlackforestUser_withPromptAlways_noLoginHint
@"prompt_behavior" : @"always",
@"validate_authority" : @YES,
@"extra_qp": @"instance_aware=true",
@"authority" : @"https://login.microsoftonline.com/common"
@"authority" : @"https://login.microsoftonline.com/common",
@"resource": kAADGraphResourceGUID
};
NSDictionary *config = [self.testConfiguration configWithAdditionalConfiguration:params];

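Review bot: `static const NSString *kAADGraphResourceGUID` in the first hunk places the `const` on the pointed-to object rather than on the pointer, which is not what an Objective-C string constant means and can draw discarded-qualifier warnings wherever the value is handed to something typed `NSString *`; the conventional form is `static NSString *const kAADGraphResourceGUID = @"00000002-0000-0000-c000-000000000000";`. The remaining hunks only thread that constant into the test parameter dictionaries in place of `self.testConfiguration.resource`, so nothing else in the section changes behaviour. The file-header line for this section is not visible, so the file name is taken from the `@interface ADALSovereignLoginTests` context.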
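--- a/ADAL/resources/ios/Framework/Info.plist
+++ b/ADAL/resources/ios/Framework/Info.plist
@@ -15,7 +15,7 @@
 <key>CFBundlePackageType</key>
 <string>FMWK</string>
 <key>CFBundleShortVersionString</key>
-<string>2.7.13</string>
+<string>2.7.14</string>
 <key>CFBundleSignature</key>
 <string>????</string>
 <key>CFBundleVersion</key>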
2 changes: 2 additions & 0 deletions ADAL/src/ADALConstants.h
Expand Up @@ -28,6 +28,7 @@ extern NSString *const ADAL_BROKER_MESSAGE_VERSION;
extern NSString *const ADAL_BROKER_APP_VERSION;
extern NSString *const ADAL_BROKER_RESPONSE_KEY;
extern NSString *const ADAL_BROKER_HASH_KEY;
extern NSString *const ADAL_BROKER_NONCE_KEY;
extern NSString *const ADAL_BROKER_INTUNE_RESPONSE_KEY;
extern NSString *const ADAL_BROKER_INTUNE_HASH_KEY;
extern NSString *const ADAL_MS_ENROLLMENT_ID;
Expand All @@ -46,6 +47,7 @@ extern NSString *const ADAL_AUTH_PROTECTION_POLICY_REQUIRED;
extern NSString *const ADAL_AUTH_ADDITIONAL_USER_IDENTIFIER;

extern NSString* const ADAL_BROKER_SCHEME;
extern NSString* const ADAL_BROKER_NONCE_SCHEME;
extern NSString* const ADAL_BROKER_APP_REDIRECT_URI;
extern NSString* const ADAL_BROKER_APP_BUNDLE_ID;

2 changes: 2 additions & 0 deletions ADAL/src/ADALConstants.m
Expand Up @@ -31,6 +31,7 @@
NSString *const ADAL_BROKER_HASH_KEY = @"hash";
NSString *const ADAL_BROKER_INTUNE_RESPONSE_KEY = @"intune_mam_token";
NSString *const ADAL_BROKER_INTUNE_HASH_KEY = @"intune_mam_token_hash";
NSString *const ADAL_BROKER_NONCE_KEY = @"broker_nonce";
NSString *const ADAL_MS_ENROLLMENT_ID = @"microsoft_enrollment_id";

NSString *const ADAL_CLIENT_TELEMETRY = @"x-ms-clitelem";
Expand All @@ -48,6 +49,7 @@

//application constants
NSString* const ADAL_BROKER_SCHEME = @"msauth";
NSString* const ADAL_BROKER_NONCE_SCHEME = @"msauthv3";
NSString* const ADAL_BROKER_APP_REDIRECT_URI = @"urn:ietf:wg:oauth:2.0:oob";
NSString* const ADAL_BROKER_APP_BUNDLE_ID = @"com.microsoft.azureauthenticator";

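--- a/ADAL/src/ADAL_Internal.h
+++ b/ADAL/src/ADAL_Internal.h
@@ -27,7 +27,7 @@
 // through build script. Don't change its format unless changing build script as well.)
 #define ADAL_VER_HIGH 2
 #define ADAL_VER_LOW 7
-#define ADAL_VER_PATCH 13
+#define ADAL_VER_PATCH 14
 
 #define STR_HELPER(x) #x
 #define STR(x) STR_HELPER(x)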
5 changes: 5 additions & 0 deletions ADAL/src/ADAuthenticationContext+Internal.h
Expand Up @@ -63,5 +63,10 @@ extern NSString* const ADRedirectUriInvalidError;
+ (BOOL)canHandleResponse:(NSURL *)response
sourceApplication:(NSString *)sourceApplication;

+ (BOOL)isResponseFromBroker:(NSString*)sourceApplication
response:(NSURL*)response;

+ (BOOL)handleBrokerResponse:(NSURL*)response sourceApplication:(NSString *)sourceApplication;

@end
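Review bot: The new declaration `+ (BOOL)handleBrokerResponse:(NSURL*)response sourceApplication:(NSString *)sourceApplication;` leaves `sourceApplication` unannotated, while the implementation in ADAuthenticationContext+Internal.m declares the same parameter `nullable` and the comment in `canHandleResponse:` says a nil sender is an expected input. Mirror that in the header — `sourceApplication:(nullable NSString *)sourceApplication;` — so the public contract matches the implementation and Swift callers are not forced to supply a value the code is written to accept as nil; `isResponseFromBroker:response:` just above it takes the same parameter and handles nil the same way (`isEqualToString:` on nil yields NO), so it should probably carry the same annotation. Whether this header sits inside an `NS_ASSUME_NONNULL` region is not visible in the hunk; if it does, the missing `nullable` is a contract error rather than merely a missing annotation.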

28 changes: 26 additions & 2 deletions ADAL/src/ADAuthenticationContext+Internal.m
Expand Up @@ -181,8 +181,9 @@ + (BOOL)canHandleResponse:(NSURL *)response
sourceApplication:(NSString *)sourceApplication
{
#if TARGET_OS_IPHONE
BOOL isResponseFromBroker = [self isResponseFromBroker:sourceApplication response:response];
if (!isResponseFromBroker) { return NO; }
// sourceApplication could be nil, we want to return early if we know for sure response is not from broker
BOOL responseNotFromBroker = sourceApplication && ![self isResponseFromBroker:sourceApplication response:response];
if (responseNotFromBroker) { return NO; }

NSURLComponents *components = [NSURLComponents componentsWithURL:response resolvingAgainstBaseURL:NO];
NSString *qp = [components percentEncodedQuery];
Expand All @@ -195,6 +196,12 @@ + (BOOL)canHandleResponse:(NSURL *)response

if (!resumeDictionary) MSID_LOG_INFO(nil, @"No resume dictionary found.");

NSString *redirectUri = [resumeDictionary objectForKey:@"redirect_uri"];
if (redirectUri && ![response.absoluteString.lowercaseString hasPrefix:redirectUri.lowercaseString])
{
return NO;
}

BOOL isADALInitiatedRequest = [resumeDictionary[kAdalSDKNameKey] isEqualToString:kAdalSDKObjc] || [[ADBrokerNotificationManager sharedInstance] hasCallback];

return isValidVersion && isADALInitiatedRequest;
Expand All @@ -205,4 +212,21 @@ + (BOOL)canHandleResponse:(NSURL *)response
#endif
}

+ (BOOL)isResponseFromBroker:(NSString *)sourceApplication
response:(NSURL *)response
{
BOOL isBroker = [sourceApplication isEqualToString:ADAL_BROKER_APP_BUNDLE_ID];

#ifdef DOGFOOD_BROKER
isBroker = isBroker || [sourceApplication isEqualToString:ADAL_BROKER_APP_BUNDLE_ID_DOGFOOD];
#endif

return response && isBroker;
}

+ (BOOL)handleBrokerResponse:(NSURL*)response sourceApplication:(nullable NSString *)sourceApplication;
{
return [ADAuthenticationRequest internalHandleBrokerResponse:response sourceApplication:sourceApplication];
}

@end
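Review bot: The `redirect_uri` check added after the resume-dictionary lookup is a plain string prefix test on the lowercased absolute URL, so any response URL that merely starts with the stored redirect URI (same scheme, longer host or path — e.g. `x-msauth-app://authx` against `x-msauth-app://auth`) passes it, and because the new early return above it now lets a nil `sourceApplication` through, this test is reached for responses whose sender is unknown. `components` (built on the line before the query-string read) already exposes the parsed parts, so compare scheme and host — and path, if your redirect URIs carry one — as URL components, with explicit nil guards, since `[nil caseInsensitiveCompare:x]` returns 0, which compares equal to `NSOrderedSame`. Whatever replaces the prefix test, the response's integrity presumably still rests on the hash/nonce verification performed in `internalHandleBrokerResponse:`, which is not in this section; `canHandleResponse:sourceApplication:` itself begins in the `@@` context line and is split across the hunks shown.
```objc
NSString *redirectUri = [resumeDictionary objectForKey:@"redirect_uri"];
NSURLComponents *expected = redirectUri ? [NSURLComponents componentsWithString:redirectUri] : nil;
if (redirectUri && !expected) { return NO; } // stored redirect_uri is not a parseable URL: fail closed
if (expected)
{
    // Compare URL parts, not a string prefix: "x://auth" must not accept "x://authx" or "x://auth.evil".
    BOOL sameScheme = components.scheme && expected.scheme
        && [components.scheme caseInsensitiveCompare:expected.scheme] == NSOrderedSame;
    BOOL sameHost = (!components.host && !expected.host)
        || (components.host && expected.host
            && [components.host caseInsensitiveCompare:expected.host] == NSOrderedSame);
    if (!sameScheme || !sameHost) { return NO; }
}
// … unchanged: isADALInitiatedRequest and version checks …
```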
17 changes: 0 additions & 17 deletions ADAL/src/ADAuthenticationContext.m
Expand Up @@ -261,23 +261,6 @@ + (ADAuthenticationContext*)authenticationContextWithAuthority:(NSString*)author
}
#endif // TARGET_OS_IPHONE

+ (BOOL)isResponseFromBroker:(NSString *)sourceApplication
response:(NSURL *)response
{
BOOL isBroker = [sourceApplication isEqualToString:ADAL_BROKER_APP_BUNDLE_ID];

#ifdef DOGFOOD_BROKER
isBroker = isBroker || [sourceApplication isEqualToString:ADAL_BROKER_APP_BUNDLE_ID_DOGFOOD];
#endif

return response && isBroker;
}

+ (BOOL)handleBrokerResponse:(NSURL*)response
{
return [ADAuthenticationRequest internalHandleBrokerResponse:response];
}

#define REQUEST_WITH_REDIRECT_STRING(_redirect, _clientId, _resource) \
THROW_ON_NIL_ARGUMENT(completionBlock) \
CHECK_STRING_ARG_BLOCK(_clientId) \
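--- /dev/null
+++ b/ADAL/src/broker/ios/ADBrokerApplicationTokenHelper.h
@@ -0,0 +1,39 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+#import <Foundation/Foundation.h>
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface ADBrokerApplicationTokenHelper : NSObject
+
+- (nullable instancetype)initWithAccessGroup:(NSString *)accessGroup;
+
+- (BOOL)saveApplicationBrokerToken:(NSString *)token
+clientId:(NSString *)clientId;
+
+- (nullable NSString *)getApplicationBrokerTokenForClientId:(NSString *)clientId;
+
+@end
+
+NS_ASSUME_NONNULL_END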
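Review bot: The new public interface carries no documentation, so a caller cannot tell from this header what the token is, where it is stored, or how failure is reported; the implementation file in this commit answers all three, and the answers belong here. Suggested: on the class, `/// Persists the per-client application token returned by the broker in the app's keychain (access group from the initializer, accessibility AfterFirstUnlockThisDeviceOnly).`; on the initializer, `/// @param accessGroup Keychain access group; nil falls back to the main bundle identifier and the team-ID prefix is added when missing. Returns nil if the team ID cannot be determined.`; on the save method, `/// @return NO if the keychain write failed; the token is then not persisted.`; and on the getter, `/// @return The stored token for clientId, or nil if none is stored or the lookup failed.`. The initializer's `accessGroup` parameter is declared non-null under `NS_ASSUME_NONNULL_BEGIN`, yet the implementation explicitly handles nil, so either annotate it `nullable` or drop the fallback — as written the header promises one thing and the code another.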
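--- /dev/null
+++ b/ADAL/src/broker/ios/ADBrokerApplicationTokenHelper.m
@@ -0,0 +1,130 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+#import "ADBrokerApplicationTokenHelper.h"
+#import "MSIDKeychainUtil.h"
+
+@interface ADBrokerApplicationTokenHelper()
+
+@property (nonatomic) NSString *keychainAccessGroup;
+
+@end
+
+@implementation ADBrokerApplicationTokenHelper
+
+- (instancetype)initWithAccessGroup:(NSString *)accessGroup
+{
+if (!(self = [super init]))
+{
+return nil;
+}
+
+if (!accessGroup)
+{
+accessGroup = [[NSBundle mainBundle] bundleIdentifier];
+}
+
+if (!MSIDKeychainUtil.teamId)
+{
+return nil;
+}
+
+// Add team prefix to keychain group if it is missed.
+if (![accessGroup hasPrefix:MSIDKeychainUtil.teamId])
+{
+accessGroup = [MSIDKeychainUtil accessGroup:accessGroup];
+}
+
+_keychainAccessGroup = accessGroup;
+
+return self;
+}
+
+- (BOOL)saveApplicationBrokerToken:(NSString *)token
+clientId:(NSString *)clientId
+{
+NSDictionary *keyQuery = [self applicationTokenQueryWithClientId:clientId];
+
+NSDictionary *updateAttributes = @{(id)kSecValueData : [token dataUsingEncoding:NSUTF8StringEncoding]};
+
+OSStatus err = SecItemUpdate((CFDictionaryRef)keyQuery, (CFDictionaryRef)updateAttributes);
+
+MSID_LOG_INFO(nil, @"Updating application token for clientId %@", clientId);
+
+if (err == errSecItemNotFound)
+{
+MSID_LOG_INFO(nil, @"Application token not found. Saving new one in cache");
+
+NSMutableDictionary *mutableKeyQuery = [keyQuery mutableCopy];
+mutableKeyQuery[(id)kSecAttrAccessible] = (id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;
+mutableKeyQuery[(id)kSecAttrAccessGroup] = self.keychainAccessGroup;
+mutableKeyQuery[(id)kSecValueData] = [token dataUsingEncoding:NSUTF8StringEncoding];
+
+err = SecItemAdd((CFDictionaryRef)mutableKeyQuery, NULL);
+}
+
+if (err != errSecSuccess)
+{
+MSID_LOG_ERROR(nil, @"Failed to write application token. Application will not have SSO in broker for the next request, write error %ld", (long)err);
+return NO;
+}
+
+return YES;
+}
+
+- (NSString *)getApplicationBrokerTokenForClientId:(NSString *)clientId
+{
+OSStatus err = noErr;
+NSMutableDictionary *keyQuery = [[self applicationTokenQueryWithClientId:clientId] mutableCopy];
+keyQuery[(id)kSecReturnData] = @YES;
+
+// Get the key bits.
+CFDataRef key = nil;
+err = SecItemCopyMatching((__bridge CFDictionaryRef)keyQuery, (CFTypeRef *)&key);
+if (err == errSecSuccess)
+{
+MSID_LOG_INFO(nil, @"Found a valid application token");
+NSData *result = (__bridge_transfer NSData*)key;
+return [[NSString alloc] initWithData:result encoding:NSUTF8StringEncoding];
+}
+
+MSID_LOG_INFO(nil, @"Didn't find any valid application tokens with result %ld", (long)err);
+
+return nil;
+}
+
+- (NSDictionary *)applicationTokenQueryWithClientId:(NSString *)clientId
+{
+return @{
+(id)kSecClass : (id)kSecClassKey,
+(id)kSecAttrApplicationTag : [self applicationTokenTagWithClientId:clientId],
+(id)kSecAttrAccessGroup : self.keychainAccessGroup
+};
+}
+
+- (NSData *)applicationTokenTagWithClientId:(NSString *)clientId
+{
+return [[NSString stringWithFormat:@"com.microsoft.adBrokerAppToken-%@", clientId] dataUsingEncoding:NSUTF8StringEncoding];
+}
+
+@end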
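Review bot: `saveApplicationBrokerToken:clientId:` has no guard on its arguments, so a nil token makes `[token dataUsingEncoding:]` return nil and the `@{…}` literal building `updateAttributes` throws `NSInvalidArgumentException`, while a nil clientId is silently formatted into the tag as `com.microsoft.adBrokerAppToken-(null)` — one keychain slot that every such caller would share and read back from, which for a token that is keyed per client is the wrong place to fail quietly; the header's `nonnull` annotations are not enforced at runtime for Objective-C callers. Add `if (![token length] || ![clientId length]) { MSID_LOG_ERROR(nil, @"Missing token or clientId, not saving application token"); return NO; }` at the top of the save method and the same clientId guard (returning nil) at the top of `getApplicationBrokerTokenForClientId:`. The `"Found a valid application token"` log line overstates what was checked — the lookup only establishes that an item is present — so `"Found a stored application token"` is the accurate wording. Storing an opaque token string as a `kSecClassKey` item rather than `kSecClassGenericPassword` is unusual and deserves a one-line comment on `applicationTokenQueryWithClientId:` explaining the choice, presumably consistency with the existing broker key items in this directory.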
