Add initial regression tests for the new validation path (#2810)

* Added initial validation tests between ValidateTokenAsync using TokenValidationParameters and ValidationParameters
Added error message when validating a signature and the key is not found using the kid, without trying all keys

* Updated remaining files post merge from dev

* Removed null inner exception parameter as it is not needed.

* Added tests around invalid signature.

* Updated log message to match the variable name

* Removed JwtSecurityTokenHandler as it is not used.

* Addressed PR feedback

* Updated names on diff

* Moved StackFrame to central file.
Added ctor JsonWebTokenHandlerValidationParametersTheoryData to take TestId.

---------

Co-authored-by: id4s <[email protected]>

Author: iNinja

src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.DecryptToken.cs

@@ -215,8 +215,7 @@ internal Result<string> DecryptToken(
                         LogHelper.MarkAsSecurityArtifact(jwtToken, JwtTokenUtilities.SafeLogJwtToken)),
                     ValidationFailureType.TokenDecryptionFailed,
                     typeof(SecurityTokenKeyWrapException),
-                    decryptionKeyUnwrapFailedStackFrame,
-                    null);
+                    decryptionKeyUnwrapFailedStackFrame);
 
                 return (null, exceptionDetail);
             }

src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateSignature.cs

@@ -16,11 +16,6 @@ namespace Microsoft.IdentityModel.JsonWebTokens
     /// <remarks>This partial class contains methods and logic related to the validation of tokens' signatures.</remarks>
     public partial class JsonWebTokenHandler : TokenHandler
     {
-        static internal class SignatureStackFrames
-        {
-            // Test StackFrame to validate caching solution. Need to add all the possible stack frames.
-            static internal StackFrame? NoKeysProvided;
-        }
         /// <summary>
         /// Validates the JWT signature.
         /// </summary>
@@ -96,12 +91,27 @@ internal static Result<SecurityKey> ValidateSignature(
                 return ValidateSignatureUsingAllKeys(jwtToken, validationParameters, configuration, callContext);
             else
             {
-                StackFrame stackFrame = SignatureStackFrames.NoKeysProvided ??= new StackFrame(true);
+                if (!string.IsNullOrEmpty(jwtToken.Kid))
+                {
+                    StackFrame kidNotMatchedNoTryAllStackFrame = StackFrames.KidNotMatchedNoTryAll ??= new StackFrame(true);
+                    return new ExceptionDetail(
+                        new MessageDetail(
+                            TokenLogMessages.IDX10502,
+                            LogHelper.MarkAsNonPII(jwtToken.Kid),
+                            LogHelper.MarkAsNonPII(validationParameters.IssuerSigningKeys.Count),
+                            LogHelper.MarkAsNonPII(configuration?.SigningKeys.Count ?? 0),
+                            LogHelper.MarkAsSecurityArtifact(jwtToken.EncodedToken, JwtTokenUtilities.SafeLogJwtToken)),
+                        ValidationFailureType.SignatureValidationFailed,
+                        typeof(SecurityTokenSignatureKeyNotFoundException),
+                        kidNotMatchedNoTryAllStackFrame);
+                }
+
+                StackFrame noKeysProvidedStackFrame = StackFrames.NoKeysProvided ??= new StackFrame(true);
                 return new ExceptionDetail(
                     new MessageDetail(TokenLogMessages.IDX10500),
                     ValidationFailureType.SignatureValidationFailed,
                     typeof(SecurityTokenSignatureKeyNotFoundException),
-                    stackFrame);
+                    noKeysProvidedStackFrame);
             }
         }
 

src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateToken.StackFrames.cs

@@ -48,6 +48,9 @@ internal static class StackFrames
             // ReadToken
             internal static StackFrame? ReadTokenNullOrEmpty;
             internal static StackFrame? ReadTokenMalformed;
+            // ValidateSignature
+            internal static StackFrame? KidNotMatchedNoTryAll;
+            internal static StackFrame? NoKeysProvided;
         }
     }
 }

src/Microsoft.IdentityModel.JsonWebTokens/JwtTokenUtilities.cs

@@ -373,8 +373,7 @@ private static ExceptionDetail GetDecryptionError(
                         LogHelper.MarkAsSecurityArtifact(decryptionParameters.EncodedToken, SafeLogJwtToken)),
                     ValidationFailureType.TokenDecryptionFailed,
                     typeof(SecurityTokenDecryptionFailedException),
-                    new StackFrame(true),
-                    null);
+                    new StackFrame(true));
             else if (algorithmNotSupportedByCryptoProvider)
                 return new ExceptionDetail(
                     new MessageDetail(

src/Microsoft.IdentityModel.Tokens/LogMessages.cs

@@ -89,6 +89,7 @@ internal static class LogMessages
         // 10500 - SignatureValidation
         public const string IDX10500 = "IDX10500: Signature validation failed. No security keys were provided to validate the signature.";
         //public const string IDX10501 = "IDX10501: Signature validation failed. Unable to match key: \nkid: '{0}'. \nNumber of keys in TokenValidationParameters: '{1}'. \nNumber of keys in Configuration: '{2}'. \nExceptions caught:\n '{3}'. \ntoken: '{4}'.";
+        public const string IDX10502 = "IDX10502: Signature validation failed. The token's kid is: '{0}', but did not match any keys in ValidationParameters or Configuration and TryAllIssuerSigningKeys is false. Number of keys in ValidationParameters: '{1}'. \nNumber of keys in Configuration: '{2}'.\ntoken: '{3}'.";
         public const string IDX10503 = "IDX10503: Signature validation failed. The token's kid is: '{0}', but did not match any keys in TokenValidationParameters or Configuration. Keys tried: '{1}'. Number of keys in TokenValidationParameters: '{2}'. \nNumber of keys in Configuration: '{3}'. \nExceptions caught:\n '{4}'.\ntoken: '{5}'. See https://aka.ms/IDX10503 for details.";
         public const string IDX10504 = "IDX10504: Unable to validate signature, token does not have a signature: '{0}'.";
         public const string IDX10505 = "IDX10505: Signature validation failed. The user defined 'Delegate' specified on TokenValidationParameters returned null when validating token: '{0}'.";

test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandler.DecryptTokenTests.cs

@@ -3,7 +3,6 @@
 
 using System;
 using System.IdentityModel.Tokens.Jwt.Tests;
-using Microsoft.IdentityModel.Abstractions;
 using Microsoft.IdentityModel.Logging;
 using Microsoft.IdentityModel.TestUtils;
 using Microsoft.IdentityModel.Tokens;
@@ -112,7 +111,6 @@ public static TheoryData<TokenDecryptingTheoryData> JsonWebTokenHandlerDecryptTo
                             new MessageDetail(TokenLogMessages.IDX10612),
                             ValidationFailureType.TokenDecryptionFailed,
                             typeof(SecurityTokenException),
-                            null,
                             null),
                     },
                     new TokenDecryptingTheoryData
@@ -125,7 +123,6 @@ public static TheoryData<TokenDecryptingTheoryData> JsonWebTokenHandlerDecryptTo
                             new MessageDetail(TokenLogMessages.IDX10000, "jwtToken"),
                             ValidationFailureType.NullArgument,
                             typeof(ArgumentNullException),
-                            null,
                             null),
                     },
                     new TokenDecryptingTheoryData
@@ -138,7 +135,6 @@ public static TheoryData<TokenDecryptingTheoryData> JsonWebTokenHandlerDecryptTo
                             new MessageDetail(TokenLogMessages.IDX10000, "validationParameters"),
                             ValidationFailureType.NullArgument,
                             typeof(ArgumentNullException),
-                            null,
                             null),
                     },
                     new TokenDecryptingTheoryData
@@ -196,7 +192,6 @@ public static TheoryData<TokenDecryptingTheoryData> JsonWebTokenHandlerDecryptTo
                                     JwtTokenUtilities.SafeLogJwtToken)),
                             ValidationFailureType.TokenDecryptionFailed,
                             typeof(SecurityTokenDecryptionFailedException),
-                            null,
                             null),
                     }
                 };

test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandler.ReadTokenTests.cs

@@ -78,7 +78,6 @@ public static TheoryData<TokenReadingTheoryData> JsonWebTokenHandlerReadTokenTes
                                 LogHelper.MarkAsNonPII("token")),
                             ValidationFailureType.NullArgument,
                             typeof(ArgumentNullException),
-                            null,
                             null)
                     },
                     new TokenReadingTheoryData
@@ -92,7 +91,6 @@ public static TheoryData<TokenReadingTheoryData> JsonWebTokenHandlerReadTokenTes
                                 LogHelper.MarkAsNonPII("token")),
                             ValidationFailureType.NullArgument,
                             typeof(ArgumentNullException),
-                            null,
                             null)
                     },
                     new TokenReadingTheoryData

test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandler.ValidateSignatureTests.cs

@@ -88,7 +88,6 @@ public static TheoryData<JsonWebTokenHandlerValidateSignatureTheoryData> JsonWeb
                                 "jwtToken"),
                             ValidationFailureType.NullArgument,
                             typeof(ArgumentNullException),
-                            null,
                             null)
                     },
                     new JsonWebTokenHandlerValidateSignatureTheoryData {
@@ -102,7 +101,6 @@ public static TheoryData<JsonWebTokenHandlerValidateSignatureTheoryData> JsonWeb
                                 "validationParameters"),
                             ValidationFailureType.NullArgument,
                             typeof(ArgumentNullException),
-                            null,
                             null)
                     },
                     new JsonWebTokenHandlerValidateSignatureTheoryData {
@@ -119,7 +117,6 @@ public static TheoryData<JsonWebTokenHandlerValidateSignatureTheoryData> JsonWeb
                                 "fakeParameter"),
                             ValidationFailureType.NullArgument,
                             typeof(ArgumentNullException),
-                            null,
                             null)
                     },
                     new JsonWebTokenHandlerValidateSignatureTheoryData
@@ -134,7 +131,6 @@ public static TheoryData<JsonWebTokenHandlerValidateSignatureTheoryData> JsonWeb
                                 LogHelper.MarkAsSecurityArtifact(unsignedToken, JwtTokenUtilities.SafeLogJwtToken)),
                             ValidationFailureType.SignatureValidationFailed,
                             typeof(SecurityTokenInvalidSignatureException),
-                            null,
                             null)
                     },
                     new JsonWebTokenHandlerValidateSignatureTheoryData
@@ -204,20 +200,18 @@ public static TheoryData<JsonWebTokenHandlerValidateSignatureTheoryData> JsonWeb
                             new MessageDetail(TokenLogMessages.IDX10500),
                             ValidationFailureType.SignatureValidationFailed,
                             typeof(SecurityTokenSignatureKeyNotFoundException),
-                            null,
                             null)
                     },
                     new JsonWebTokenHandlerValidateSignatureTheoryData
                     {
                         TestId = "Invalid_NoKeys",
                         JWT = new JsonWebToken(EncodedJwts.LiveJwt),
                         ValidationParameters = new ValidationParameters(),
-                        ExpectedException = ExpectedException.SecurityTokenSignatureKeyNotFoundException("IDX10500:"),
+                        ExpectedException = ExpectedException.SecurityTokenSignatureKeyNotFoundException("IDX10502:"),
                         Result = new ExceptionDetail(
                             new MessageDetail(TokenLogMessages.IDX10500),
                             ValidationFailureType.SignatureValidationFailed,
                             typeof(SecurityTokenSignatureKeyNotFoundException),
-                            null,
                             null)
                     }
                 };