Merge pull request #1464 from AzureAD/release/4.0.2

Release ADAL 4.0.2
AzureAD · Sep 9, 2019 · 30efb1f · 30efb1f
2 parents 9c1a70c + 28f16ee
commit 30efb1f
Show file tree

Hide file tree

Showing 27 changed files with 1,130 additions and 100 deletions.
diff --git a/ADAL.podspec b/ADAL.podspec
@@ -1,7 +1,7 @@
 Pod::Spec.new do |s|
   s.name         = "ADAL"
   s.module_name  = "ADAL"
-  s.version      = "4.0.1"
+  s.version      = "4.0.2"
   s.summary      = "The ADAL SDK for iOS gives you the ability to add Azure Identity authentication to your application"
 
   s.description  = <<-DESC

diff --git a/ADAL/ADAL.xcodeproj/project.pbxproj b/ADAL/ADAL.xcodeproj/project.pbxproj
@@ -323,6 +323,7 @@
 		B2A02CE820F5AEEB0048792D /* ADALAADLoginTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 23B791CE2012B7A9008D4BD2 /* ADALAADLoginTests.m */; };
 		B2A02CE920F5AEF20048792D /* ADALADFSv4InteractiveLoginTests.m in Sources */ = {isa = PBXBuildFile; fileRef = B2AACE0420DF2CFF00AC88E2 /* ADALADFSv4InteractiveLoginTests.m */; };
 		B2A02CEA20F5AEF50048792D /* ADALADFSv3InteractiveLoginTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 23B791D42012C0D6008D4BD2 /* ADALADFSv3InteractiveLoginTests.m */; };
+		B2A17EA422FFCA300051637E /* ADBrokerApplicationTokenHelper.m in Sources */ = {isa = PBXBuildFile; fileRef = B2775F7522FE7FC200D7DEB9 /* ADBrokerApplicationTokenHelper.m */; };
 		B2A409D620D36524004AA9B7 /* ADALiOSMSALCoexistenceCacheTests.m in Sources */ = {isa = PBXBuildFile; fileRef = B2A409D520D36524004AA9B7 /* ADALiOSMSALCoexistenceCacheTests.m */; };
 		B2A409E220D36545004AA9B7 /* libIdentityCore.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D626FFC81FBD1B1300EE4487 /* libIdentityCore.a */; };
 		B2A409E320D3654B004AA9B7 /* libIdentityAutomation iOS.a in Frameworks */ = {isa = PBXBuildFile; fileRef = B27552182082BEB900AA7A38 /* libIdentityAutomation iOS.a */; };
@@ -1098,6 +1099,8 @@
 		B26207E022C872DA00F867D9 /* ADEnrollmentGateway+UnitTests.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "ADEnrollmentGateway+UnitTests.h"; sourceTree = "<group>"; };
 		B267CA191EE0E9FF00C0B5A8 /* ADNegotiateHandler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ADNegotiateHandler.h; sourceTree = "<group>"; };
 		B267CA1A1EE0E9FF00C0B5A8 /* ADNegotiateHandler.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ADNegotiateHandler.m; sourceTree = "<group>"; };
+		B2775F7422FE7FC200D7DEB9 /* ADBrokerApplicationTokenHelper.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ADBrokerApplicationTokenHelper.h; sourceTree = "<group>"; };
+		B2775F7522FE7FC200D7DEB9 /* ADBrokerApplicationTokenHelper.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ADBrokerApplicationTokenHelper.m; sourceTree = "<group>"; };
 		B2822A2C2055D67200390B6E /* ADLegacyMacTokenCache.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ADLegacyMacTokenCache.h; sourceTree = "<group>"; };
 		B2822A2D2055D67200390B6E /* ADLegacyMacTokenCache.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ADLegacyMacTokenCache.m; sourceTree = "<group>"; };
 		B2822A312055DBF800390B6E /* ADLegacyKeychainTokenCache.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ADLegacyKeychainTokenCache.m; sourceTree = "<group>"; };
@@ -1795,6 +1798,8 @@
 				9453C37A1C5801CB006B9E79 /* ADBrokerKeyHelper.m */,
 				9453C37B1C5801CB006B9E79 /* ADBrokerNotificationManager.h */,
 				9453C37C1C5801CB006B9E79 /* ADBrokerNotificationManager.m */,
+				B2775F7422FE7FC200D7DEB9 /* ADBrokerApplicationTokenHelper.h */,
+				B2775F7522FE7FC200D7DEB9 /* ADBrokerApplicationTokenHelper.m */,
 			);
 			path = ios;
 			sourceTree = "<group>";
@@ -3669,6 +3674,7 @@
 				D69A721B1D4FF68300E91DB3 /* ADAggregatedDispatcher.m in Sources */,
 				B299FF1A1F22BE32004A2CB9 /* NSString+ADURLExtensions.m in Sources */,
 				D664F1AA1D302B9C0017B799 /* ADAuthenticationParameters+Internal.m in Sources */,
+				B2A17EA422FFCA300051637E /* ADBrokerApplicationTokenHelper.m in Sources */,
 				D664F1AB1D302B9C0017B799 /* ADBrokerNotificationManager.m in Sources */,
 				D664F1AC1D302B9C0017B799 /* ADAuthenticationResult.m in Sources */,
 			);

diff --git a/ADAL/IdentityCore b/ADAL/IdentityCore
diff --git a/ADAL/automation/tests/interactive/ADALSovereignBlackForestLoginTests.m b/ADAL/automation/tests/interactive/ADALSovereignBlackForestLoginTests.m
@@ -31,6 +31,8 @@ @interface ADALSovereignLoginTests : ADALBaseUITest
 
 @end
 
+static const NSString *kAADGraphResourceGUID = @"00000002-0000-0000-c000-000000000000";
+
 @implementation ADALSovereignLoginTests
 
 - (void)setUp
@@ -57,7 +59,8 @@ - (void)testInteractiveAADLogin_withBlackforestUser_withPromptAlways_withLoginHi
                              @"user_identifier" : self.primaryAccount.account,
                              @"user_identifier_type" : @"optional_displayable",
                              @"extra_qp": @"instance_aware=true",
-                             @"authority" : @"https://login.microsoftonline.com/common"
+                             @"authority" : @"https://login.microsoftonline.com/common",
+                             @"resource": kAADGraphResourceGUID
                              };
     NSDictionary *config = [self.testConfiguration configWithAdditionalConfiguration:params];
 
@@ -84,7 +87,7 @@ - (void)testInteractiveAADLogin_withBlackforestUser_withPromptAlways_withLoginHi
     NSDictionary *silentParams = @{
                                 @"user_identifier" : self.primaryAccount.account,
                                 @"client_id" : self.testConfiguration.clientId,
-                                @"resource" : self.testConfiguration.resource,
+                                @"resource" : kAADGraphResourceGUID,
                                 @"authority" : @"https://login.microsoftonline.com/common"
                                 };
 
@@ -99,7 +102,7 @@ - (void)testInteractiveAADLogin_withBlackforestUser_withPromptAlways_withLoginHi
                      @"user_identifier" : self.primaryAccount.account,
                      @"client_id" : self.testConfiguration.clientId,
                      @"authority" : self.testConfiguration.authority,
-                     @"resource" : self.testConfiguration.resource
+                     @"resource" : kAADGraphResourceGUID
                      };
 
     config = [self.testConfiguration configWithAdditionalConfiguration:silentParams];
@@ -124,7 +127,8 @@ - (void)testInteractiveAADLogin_withBlackforestUser_withPromptAlways_noLoginHint
                              @"prompt_behavior" : @"always",
                              @"validate_authority" : @YES,
                              @"extra_qp": @"instance_aware=true",
-                             @"authority" : @"https://login.microsoftonline.com/common"
+                             @"authority" : @"https://login.microsoftonline.com/common",
+                             @"resource": kAADGraphResourceGUID
                              };
     NSDictionary *config = [self.testConfiguration configWithAdditionalConfiguration:params];
 

diff --git a/ADAL/resources/ios/Framework/Info.plist b/ADAL/resources/ios/Framework/Info.plist
@@ -15,7 +15,7 @@
 	<key>CFBundlePackageType</key>
 	<string>FMWK</string>
 	<key>CFBundleShortVersionString</key>
-	<string>4.0.1</string>
+	<string>4.0.2</string>
 	<key>CFBundleSignature</key>
 	<string>????</string>
 	<key>CFBundleVersion</key>

diff --git a/ADAL/resources/mac/Info.plist b/ADAL/resources/mac/Info.plist
@@ -15,7 +15,7 @@
 	<key>CFBundlePackageType</key>
 	<string>FMWK</string>
 	<key>CFBundleShortVersionString</key>
-	<string>4.0.1</string>
+	<string>4.0.2</string>
 	<key>CFBundleSignature</key>
 	<string>????</string>
 	<key>CFBundleVersion</key>

diff --git a/ADAL/src/ADALConstants.h b/ADAL/src/ADALConstants.h
@@ -28,6 +28,7 @@ extern NSString *const ADAL_BROKER_MESSAGE_VERSION;
 extern NSString *const ADAL_BROKER_APP_VERSION;
 extern NSString *const ADAL_BROKER_RESPONSE_KEY;
 extern NSString *const ADAL_BROKER_HASH_KEY;
+extern NSString *const ADAL_BROKER_NONCE_KEY;
 extern NSString *const ADAL_BROKER_INTUNE_RESPONSE_KEY;
 extern NSString *const ADAL_BROKER_INTUNE_HASH_KEY;
 extern NSString *const ADAL_MS_ENROLLMENT_ID;
@@ -46,6 +47,7 @@ extern NSString *const ADAL_AUTH_PROTECTION_POLICY_REQUIRED;
 extern NSString *const ADAL_AUTH_ADDITIONAL_USER_IDENTIFIER;
 
 extern NSString* const ADAL_BROKER_SCHEME;
+extern NSString* const ADAL_BROKER_NONCE_SCHEME;
 extern NSString* const ADAL_BROKER_APP_REDIRECT_URI;
 extern NSString* const ADAL_BROKER_APP_BUNDLE_ID;
 
diff --git a/ADAL/src/ADALConstants.m b/ADAL/src/ADALConstants.m
@@ -31,6 +31,7 @@
 NSString *const ADAL_BROKER_HASH_KEY                 = @"hash";
 NSString *const ADAL_BROKER_INTUNE_RESPONSE_KEY      = @"intune_mam_token";
 NSString *const ADAL_BROKER_INTUNE_HASH_KEY          = @"intune_mam_token_hash";
+NSString *const ADAL_BROKER_NONCE_KEY                = @"broker_nonce";
 NSString *const ADAL_MS_ENROLLMENT_ID                = @"microsoft_enrollment_id";
 
 NSString *const ADAL_CLIENT_TELEMETRY           = @"x-ms-clitelem";
@@ -48,6 +49,7 @@
 
 //application constants
 NSString* const ADAL_BROKER_SCHEME = @"msauth";
+NSString* const ADAL_BROKER_NONCE_SCHEME = @"msauthv3";
 NSString* const ADAL_BROKER_APP_REDIRECT_URI = @"urn:ietf:wg:oauth:2.0:oob";
 NSString* const ADAL_BROKER_APP_BUNDLE_ID = @"com.microsoft.azureauthenticator";
 
diff --git a/ADAL/src/ADAL_Internal.h b/ADAL/src/ADAL_Internal.h
@@ -28,7 +28,7 @@
 
 #define ADAL_VER_HIGH       4
 #define ADAL_VER_LOW        0
-#define ADAL_VER_PATCH      1
+#define ADAL_VER_PATCH      2
 
 #define STR_HELPER(x) #x
 #define STR(x) STR_HELPER(x)

diff --git a/ADAL/src/ADAuthenticationContext+Internal.h b/ADAL/src/ADAuthenticationContext+Internal.h
@@ -66,5 +66,10 @@ extern NSString* const ADRedirectUriInvalidError;
 + (BOOL)canHandleResponse:(NSURL *)response
         sourceApplication:(NSString *)sourceApplication;
 
++ (BOOL)isResponseFromBroker:(NSString*)sourceApplication
+                    response:(NSURL*)response;
+
++ (BOOL)handleBrokerResponse:(NSURL*)response sourceApplication:(NSString *)sourceApplication;
+
 @end
 
diff --git a/ADAL/src/ADAuthenticationContext+Internal.m b/ADAL/src/ADAuthenticationContext+Internal.m
@@ -195,8 +195,9 @@ + (BOOL)canHandleResponse:(NSURL *)response
         sourceApplication:(NSString *)sourceApplication
 {
 #if TARGET_OS_IPHONE
-    BOOL isResponseFromBroker = [self isResponseFromBroker:sourceApplication response:response];
-    if (!isResponseFromBroker) { return NO; }
+    // sourceApplication could be nil, we want to return early if we know for sure response is not from broker
+    BOOL responseNotFromBroker = sourceApplication && ![self isResponseFromBroker:sourceApplication response:response];
+    if (responseNotFromBroker) { return NO; }
 
     NSURLComponents *components = [NSURLComponents componentsWithURL:response resolvingAgainstBaseURL:NO];
     NSString *qp = [components percentEncodedQuery];
@@ -209,6 +210,12 @@ + (BOOL)canHandleResponse:(NSURL *)response
 
     if (!resumeDictionary) MSID_LOG_INFO(nil, @"No resume dictionary found.");
 
+    NSString *redirectUri = [resumeDictionary objectForKey:@"redirect_uri"];
+    if (redirectUri && ![response.absoluteString.lowercaseString hasPrefix:redirectUri.lowercaseString])
+    {
+        return NO;
+    }
+
     BOOL isADALInitiatedRequest = [resumeDictionary[kAdalSDKNameKey] isEqualToString:kAdalSDKObjc] || [[ADBrokerNotificationManager sharedInstance] hasCallback];
 
     return isValidVersion && isADALInitiatedRequest;
@@ -219,4 +226,21 @@ + (BOOL)canHandleResponse:(NSURL *)response
 #endif
 }
 
++ (BOOL)isResponseFromBroker:(NSString *)sourceApplication
+                    response:(NSURL *)response
+{
+    BOOL isBroker = [sourceApplication isEqualToString:ADAL_BROKER_APP_BUNDLE_ID];
+
+#ifdef DOGFOOD_BROKER
+    isBroker = isBroker || [sourceApplication isEqualToString:ADAL_BROKER_APP_BUNDLE_ID_DOGFOOD];
+#endif
+
+    return response && isBroker;
+}
+
++ (BOOL)handleBrokerResponse:(NSURL*)response sourceApplication:(nullable NSString *)sourceApplication;
+{
+    return [ADAuthenticationRequest internalHandleBrokerResponse:response sourceApplication:sourceApplication];
+}
+
 @end
diff --git a/ADAL/src/ADAuthenticationContext.m b/ADAL/src/ADAuthenticationContext.m
@@ -259,23 +259,6 @@ + (ADAuthenticationContext*)authenticationContextWithAuthority:(NSString*)author
 }
 #endif // TARGET_OS_IPHONE
 
-+ (BOOL)isResponseFromBroker:(NSString *)sourceApplication
-                    response:(NSURL *)response
-{
-    BOOL isBroker = [sourceApplication isEqualToString:ADAL_BROKER_APP_BUNDLE_ID];
-
-#ifdef DOGFOOD_BROKER
-    isBroker = isBroker || [sourceApplication isEqualToString:ADAL_BROKER_APP_BUNDLE_ID_DOGFOOD];
-#endif
-
-    return response && isBroker;
-}
-
-+ (BOOL)handleBrokerResponse:(NSURL*)response
-{
-    return [ADAuthenticationRequest internalHandleBrokerResponse:response];
-}
-
 #define REQUEST_WITH_REDIRECT_STRING(_redirect, _clientId, _resource) \
     THROW_ON_NIL_ARGUMENT(completionBlock) \
     CHECK_STRING_ARG_BLOCK(_clientId) \

diff --git a/ADAL/src/broker/ios/ADBrokerApplicationTokenHelper.h b/ADAL/src/broker/ios/ADBrokerApplicationTokenHelper.h
@@ -0,0 +1,39 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+#import <Foundation/Foundation.h>
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface ADBrokerApplicationTokenHelper : NSObject
+
+- (nullable instancetype)initWithAccessGroup:(NSString *)accessGroup;
+
+- (BOOL)saveApplicationBrokerToken:(NSString *)token
+                          clientId:(NSString *)clientId;
+
+- (nullable NSString *)getApplicationBrokerTokenForClientId:(NSString *)clientId;
+
+@end
+
+NS_ASSUME_NONNULL_END