Merge pull request #1279 from AzureAD/master

Master

Author: kaisong1990

IdentityCore/src/util/MSIDRedirectUri.h

@@ -25,6 +25,20 @@
 
 #import <Foundation/Foundation.h>
 
+typedef NS_ENUM(NSInteger, MSIDRedirectUriValidationResult)
+{
+    MSIDRedirectUriValidationResultMatched = 0,
+    MSIDRedirectUriValidationResultNilOrEmpty,
+    MSIDRedirectUriValidationResultSchemeNilOrEmpty,
+    MSIDRedirectUriValidationResultHostNilOrEmpty,
+    MSIDRedirectUriValidationResultHttpFormatNotSupport,
+    MSIDRedirectUriValidationResultMSALFormatBundleIdMismatched,
+    MSIDRedirectUriValidationResultMSALFormatHostNilOrEmpty,
+    MSIDRedirectUriValidationResultoauth20FormatNotSupport,
+    MSIDRedirectUriValidationResultUnknownNotMatched
+};
+
+
 NS_ASSUME_NONNULL_BEGIN
 
 /**
@@ -54,7 +68,7 @@ NS_ASSUME_NONNULL_BEGIN
 
 + (nullable NSURL *)defaultBrokerCapableRedirectUri;
 
-+ (BOOL)redirectUriIsBrokerCapable:(NSURL *)redirectUri;
++ (MSIDRedirectUriValidationResult)redirectUriIsBrokerCapable:(NSURL *)redirectUri;
 
 @end
 

IdentityCore/src/util/MSIDRedirectUri.m

@@ -70,24 +70,62 @@ + (NSURL *)defaultBrokerCapableRedirectUri
     return [NSURL URLWithString:redirectUri];
 }
 
-+ (BOOL)redirectUriIsBrokerCapable:(NSURL *)redirectUri
++ (MSIDRedirectUriValidationResult)redirectUriIsBrokerCapable:(NSURL *)redirectUri
 {
+    if ([NSString msidIsStringNilOrBlank:redirectUri.absoluteString])
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, nil, @"MSIDRedirectUri validation: redirect_uri is nil or empty");
+        return MSIDRedirectUriValidationResultNilOrEmpty;
+    }
+    
     NSURL *defaultRedirectUri = [MSIDRedirectUri defaultBrokerCapableRedirectUri];
-
+    
     // Check default MSAL format
     if ([defaultRedirectUri isEqual:redirectUri])
     {
-        return YES;
+        return MSIDRedirectUriValidationResultMatched;
     }
-
+    
     // Check default ADAL format
     if ([redirectUri.host isEqualToString:[[NSBundle mainBundle] bundleIdentifier]]
         && redirectUri.scheme.length > 0)
     {
-        return YES;
+        return MSIDRedirectUriValidationResultMatched;
+    }
+    
+    // Add extra validation on why redirect_uri is not capable
+    if ([redirectUri.scheme isEqualToString:@"http"] || [redirectUri.scheme isEqualToString:@"https"])
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, nil, @"MSIDRedirectUri validation: redirect_uri is (http(s)://host), and is not supported");
+        return MSIDRedirectUriValidationResultHttpFormatNotSupport;
+    }
+    else if ([redirectUri.host isEqualToString:@"auth"] && [redirectUri.absoluteString hasPrefix:@"msauth"])
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, nil, @"MSIDRedirectUri validation: redirect_uri is MSAL format, but bundle_id could mismatch");
+        return MSIDRedirectUriValidationResultMSALFormatBundleIdMismatched;
+    }
+    else if ([redirectUri.absoluteString hasPrefix:@"msauth"])
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, nil, @"MSIDRedirectUri validation: redirect_uri is as (msauth.bundle_id), and auth host is missing");
+        return MSIDRedirectUriValidationResultMSALFormatHostNilOrEmpty;
+    }
+    else if ([NSString msidIsStringNilOrBlank:redirectUri.scheme])
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, nil, @"MSIDRedirectUri validation: redirect_uri is as (://host) without schema");
+        return MSIDRedirectUriValidationResultSchemeNilOrEmpty;
+    }
+    else if ([NSString msidIsStringNilOrBlank:redirectUri.host])
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, nil, @"MSIDRedirectUri validation: redirect_uri is as (scheme://) without host");
+        return MSIDRedirectUriValidationResultHostNilOrEmpty;
+    }
+    else if ([redirectUri.absoluteString isEqualToString:@"urn:ietf:wg:oauth:2.0:oob"])
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, nil, @"MSIDRedirectUri validation: redirect_uri is urn:ietf:wg:oauth:2.0:oob, and not supported");
+        return MSIDRedirectUriValidationResultoauth20FormatNotSupport;
     }
 
-    return NO;
+    return MSIDRedirectUriValidationResultUnknownNotMatched;
 }
 
 @end

IdentityCore/src/util/ios/MSIDRedirectUriVerifier.m

@@ -58,7 +58,7 @@ + (MSIDRedirectUri *)msidRedirectUriWithCustomUri:(NSString *)customRedirectUri
             return nil;
         }
 
-        BOOL brokerCapable = !bypassRedirectValidation && [MSIDRedirectUri redirectUriIsBrokerCapable:redirectURI];
+        BOOL brokerCapable = !bypassRedirectValidation && [MSIDRedirectUri redirectUriIsBrokerCapable:redirectURI] == MSIDRedirectUriValidationResultMatched;
 
         MSIDRedirectUri *redirectUri = [[MSIDRedirectUri alloc] initWithRedirectUri:redirectURI
                                                                       brokerCapable:brokerCapable];

IdentityCore/src/util/mac/MSIDRedirectUriVerifier.m

@@ -42,7 +42,7 @@ + (MSIDRedirectUri *)msidRedirectUriWithCustomUri:(NSString *)customRedirectUri
             return nil;
         }
 
-        BOOL isBrokerCapable = [MSIDRedirectUri redirectUriIsBrokerCapable:customRedirectURL] || bypassRedirectValidation;
+        BOOL isBrokerCapable = [MSIDRedirectUri redirectUriIsBrokerCapable:customRedirectURL] == MSIDRedirectUriValidationResultMatched || bypassRedirectValidation;
         return [[MSIDRedirectUri alloc] initWithRedirectUri:customRedirectURL
                                               brokerCapable:isBrokerCapable];
     }

IdentityCore/tests/MSIDBrokerRedirectUriTest.m

@@ -51,9 +51,14 @@ - (void)test_get_default_broker_capable_redirectUri
     XCTAssertNotNil(redirectUri);
 }
 
-- (void)test_redirectUri_is_broker_capable_with_invalid_url
+- (void)test_check_empty_redirectUri
 {
-    XCTAssertFalse([MSIDRedirectUri redirectUriIsBrokerCapable:[NSURL URLWithString:@"https://fakeurl.contoso.com"]]);
+    XCTAssertTrue([MSIDRedirectUri redirectUriIsBrokerCapable:[NSURL URLWithString:@""]] == MSIDRedirectUriValidationResultNilOrEmpty);
+}
+
+- (void)test_redirectUri_is_broker_capable_with_https_url
+{
+    XCTAssertTrue([MSIDRedirectUri redirectUriIsBrokerCapable:[NSURL URLWithString:@"https://fakeurl.contoso.com"]] == MSIDRedirectUriValidationResultHttpFormatNotSupport);
 }
 
 - (void)test_check_default_redirect_msal_format
@@ -64,7 +69,7 @@ - (void)test_check_default_redirect_msal_format
 #else
     url = [NSURL URLWithString:@"msauth.com.apple.dt.xctest.tool://auth"];
 #endif
-    XCTAssertTrue([MSIDRedirectUri redirectUriIsBrokerCapable:url]);
+    XCTAssertTrue([MSIDRedirectUri redirectUriIsBrokerCapable:url] == MSIDRedirectUriValidationResultMatched);
 
 }
 
@@ -76,7 +81,7 @@ - (void)test_check_default_redirect_adal_format
 #else
     url = [NSURL URLWithString:@"myscheme://com.apple.dt.xctest.tool"];
 #endif
-    XCTAssertTrue([MSIDRedirectUri redirectUriIsBrokerCapable:url]);
+    XCTAssertTrue([MSIDRedirectUri redirectUriIsBrokerCapable:url] == MSIDRedirectUriValidationResultMatched);
 
 }
 
@@ -88,8 +93,23 @@ - (void)test_check_default_redirect_adal_format_without_scheme
 #else
     url = [NSURL URLWithString:@"com.apple.dt.xctest.tool"];
 #endif
-    XCTAssertFalse([MSIDRedirectUri redirectUriIsBrokerCapable:url]);
+    XCTAssertTrue([MSIDRedirectUri redirectUriIsBrokerCapable:url] == MSIDRedirectUriValidationResultSchemeNilOrEmpty);
+
+}
+
+- (void)test_checkRedirect_uri_miss_host
+{
+    XCTAssertTrue([MSIDRedirectUri redirectUriIsBrokerCapable:[NSURL URLWithString:@"myscheme://"]] == MSIDRedirectUriValidationResultHostNilOrEmpty);
+}
+
+- (void)test_checkRedirect_uri_msal_format_miss_host
+{
+    XCTAssertTrue([MSIDRedirectUri redirectUriIsBrokerCapable:[NSURL URLWithString:@"msauth.com.microsoft.MSIDTestsHostApp://"]] == MSIDRedirectUriValidationResultMSALFormatHostNilOrEmpty);
+}
 
+- (void)test_checkRedirect_uri_msal_format_miss_scheme
+{
+    XCTAssertTrue([MSIDRedirectUri redirectUriIsBrokerCapable:[NSURL URLWithString:@"://auth"]] == MSIDRedirectUriValidationResultSchemeNilOrEmpty);
 }
 
 @end

changelog.txt

@@ -1,3 +1,6 @@
+Version 1.7.25
+* Update broker redirect_uri validation with more information in invalid scenario (#1264)
+
 Version 1.7.24
 * Added method name with line number for errors in telemetry (#1266)