Skip to content

Regression tests: Audience #2838

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 15 commits into from
Oct 1, 2024
Merged

Regression tests: Audience #2838

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
1296457
Fixed audience validator unit tests. Renamed variables to improve cla…
iNinja Sep 23, 2024
76e6b9b
Extracted regression tests related to audience to a separate file. Ad…
iNinja Sep 23, 2024
8d2dba3
Remove whitespace
iNinja Sep 24, 2024
2f98fc7
Cherry picked common functionality extraction from Lifetime branch
iNinja Sep 26, 2024
c3ee1e7
Added AudienceValidationError to handle custom exception properties
iNinja Sep 26, 2024
cef517e
Added delegates to skip validations
iNinja Sep 26, 2024
57079d9
Removed token signing from audience validation tests, skipping all va…
iNinja Sep 26, 2024
f0ea745
Merge branch 'dev' into iinglese/regression-tests-audience
iNinja Sep 26, 2024
dd83685
Updated validation delegate names
iNinja Sep 26, 2024
b6c4385
Updated header being written in tests
iNinja Sep 26, 2024
d518e5f
Merge branch 'dev' into iinglese/regression-tests-audience
iNinja Sep 27, 2024
a7eff15
Moved skip validation delegates to TestUtils
iNinja Sep 27, 2024
08a8800
Added DisableDiscoveryEnumeration flag to test method
iNinja Sep 27, 2024
33f4c7c
Moved concatenation of strings used when creating Audience related ex…
iNinja Sep 27, 2024
c47d3b8
Merge branch 'dev' into iinglese/regression-tests-audience
iNinja Sep 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions src/Microsoft.IdentityModel.Tokens/Validation/Results/Details/AudienceValidationError.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

using System;
using System.Collections.Generic;
using System.Diagnostics;

#nullable enable
namespace Microsoft.IdentityModel.Tokens
{
internal class AudienceValidationError : ValidationError
{
private string? _invalidAudience;

public AudienceValidationError(
MessageDetail messageDetail,
Type exceptionType,
StackFrame stackFrame,
IList<string>? invalidAudiences)
: base(messageDetail, ValidationFailureType.AudienceValidationFailed, exceptionType, stackFrame)
{
_invalidAudience = Utility.SerializeAsSingleCommaDelimitedString(invalidAudiences);
}

internal override void AddAdditionalInformation(ISecurityTokenException exception)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suspect that since we are creating derived ValidationError types, we do not need the method AddAdditionalInformation or the interface ISecurityTokenException.

For example, when we create the AudienceValidationError, we call the ctor that takes the list of available audiences.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let’s keep the conversation going on that to find the best solution that can support any exception our users may decide to return.
I’d rather not expand the scope of this PR to that as it’s already a week in review.

{
if (exception is SecurityTokenInvalidAudienceException invalidAudienceException)
invalidAudienceException.InvalidAudience = _invalidAudience;
}
}
}
#nullable restore
18 changes: 9 additions & 9 deletions src/Microsoft.IdentityModel.Tokens/Validation/Validators.Audience.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,31 +52,31 @@ internal static ValidationResult<string> ValidateAudience(IList<string> tokenAud
new StackFrame(true));

if (tokenAudiences == null)
return new ValidationError(
return new AudienceValidationError(
new MessageDetail(LogMessages.IDX10207),
ValidationFailureType.AudienceValidationFailed,
typeof(SecurityTokenInvalidAudienceException),
new StackFrame(true));
new StackFrame(true),
tokenAudiences);

if (tokenAudiences.Count == 0)
return new ValidationError(
return new AudienceValidationError(
new MessageDetail(LogMessages.IDX10206),
ValidationFailureType.AudienceValidationFailed,
typeof(SecurityTokenInvalidAudienceException),
new StackFrame(true));
new StackFrame(true),
tokenAudiences);

string? validAudience = ValidTokenAudience(tokenAudiences, validationParameters.ValidAudiences, validationParameters.IgnoreTrailingSlashWhenValidatingAudience);
if (validAudience != null)
return validAudience;

return new ValidationError(
return new AudienceValidationError(
new MessageDetail(
LogMessages.IDX10215,
LogHelper.MarkAsNonPII(Utility.SerializeAsSingleCommaDelimitedString(tokenAudiences)),
LogHelper.MarkAsNonPII(Utility.SerializeAsSingleCommaDelimitedString(validationParameters.ValidAudiences))),
ValidationFailureType.AudienceValidationFailed,
typeof(SecurityTokenInvalidAudienceException),
new StackFrame(true));
new StackFrame(true),
tokenAudiences);
}

private static string? ValidTokenAudience(IList<string> tokenAudiences, IList<string> validAudiences, bool ignoreTrailingSlashWhenValidatingAudience)
Expand Down
98 changes: 98 additions & 0 deletions src/Microsoft.IdentityModel.Tokens/Validation/Validators.SkipValidations.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;

#nullable enable
namespace Microsoft.IdentityModel.Tokens
{
public static partial class Validators
{
internal static AlgorithmValidationDelegate SkipAlgorithmValidation = delegate (
string algorithm,
SecurityKey securityKey,
SecurityToken securityToken,
ValidationParameters
validationParameters,
CallContext callContext)
{
return algorithm;
};

internal static AudienceValidationDelegate SkipAudienceValidation = delegate (
IList<string> audiences,
SecurityToken? securityToken,
ValidationParameters validationParameters,
CallContext callContext)
{
return "skipped"; // The audience that was validated.
};

internal static IssuerValidationDelegateAsync SkipIssuerValidation = delegate (
string issuer,
SecurityToken securityToken,
ValidationParameters validationParameters,
CallContext callContext,
CancellationToken cancellationToken)
{
return Task.FromResult(new ValidationResult<ValidatedIssuer>(
new ValidatedIssuer(issuer, IssuerValidationSource.NotValidated)));
};

internal static IssuerSigningKeyValidationDelegate SkipIssuerSigningKeyValidation = delegate (
SecurityKey signingKey,
SecurityToken securityToken,
ValidationParameters validationParameters,
BaseConfiguration? configuration,
CallContext? callContext)
{
return new ValidatedSigningKeyLifetime(
null, // ValidFrom
null, // ValidTo
null);// ValidationTime
};

internal static LifetimeValidationDelegate SkipLifetimeValidation = delegate (
DateTime? notBefore,
DateTime? expires,
SecurityToken? securityToken,
ValidationParameters validationParameters,
CallContext callContext)
{
return new ValidatedLifetime(notBefore, expires);
};

internal static SignatureValidationDelegate SkipSignatureValidation = delegate (
SecurityToken securityToken,
ValidationParameters validationParameters,
BaseConfiguration? configuration,
CallContext? callContext)
{
// This key is not used during the validation process. It is only used to satisfy the delegate signature.
// Follow up PR will change this to remove the SecurityKey return value.
return new(result: new JsonWebKey());
};

internal static TokenReplayValidationDelegate SkipTokenReplayValidation = delegate (
DateTime? expirationTime,
string securityToken,
ValidationParameters validationParameters,
CallContext callContext)
{
return expirationTime;
};

internal static TokenTypeValidationDelegate SkipTokenTypeValidation = delegate (
string? type,
SecurityToken? securityToken,
ValidationParameters validationParameters,
CallContext callContext)
{
return new ValidatedTokenType("skipped", 0);
};
}
}
#nullable restore
173 changes: 173 additions & 0 deletions ...IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandler.ValidateTokenAsyncTests.Audience.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,173 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

#nullable enable
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.IdentityModel.TestUtils;
using Microsoft.IdentityModel.Tokens;
using TokenValidators = Microsoft.IdentityModel.Tokens.Validators;
using Xunit;

namespace Microsoft.IdentityModel.JsonWebTokens.Tests
{
public partial class JsonWebTokenHandlerValidateTokenAsyncTests
{
[Theory, MemberData(nameof(ValidateTokenAsync_AudienceTestCases))]
public async Task ValidateTokenAsync_Audience(ValidateTokenAsyncAudienceTheoryData theoryData)
{
var context = TestUtilities.WriteHeader($"{this}.ValidateTokenAsync_Audience", theoryData);

string jwtString = CreateToken(theoryData.Audience);

await ValidateAndCompareResults(jwtString, theoryData, context);

TestUtilities.AssertFailIfErrors(context);
}

public static TheoryData<ValidateTokenAsyncAudienceTheoryData> ValidateTokenAsync_AudienceTestCases
{
get
{
return new TheoryData<ValidateTokenAsyncAudienceTheoryData>
{
new ValidateTokenAsyncAudienceTheoryData("Valid_AudiencesMatch")
{
Audience = Default.Audience,
TokenValidationParameters = CreateTokenValidationParameters([Default.Audience]),
ValidationParameters = CreateValidationParameters([Default.Audience]),
},
new ValidateTokenAsyncAudienceTheoryData("Invalid_AudiencesDontMatch")
{
// This scenario is the same if the token audience is an empty string or whitespace.
// As long as the token audience and the valid audience are not equal, the validation fails.
TokenValidationParameters = CreateTokenValidationParameters([Default.Audience]),
ValidationParameters = CreateValidationParameters([Default.Audience]),
Audience = "InvalidAudience",
ExpectedIsValid = false,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
// ValidateTokenAsync with ValidationParameters returns a different error message to account for the
// removal of the ValidAudience property from the ValidationParameters class.
ExpectedExceptionValidationParameters = ExpectedException.SecurityTokenInvalidAudienceException("IDX10215:"),
},
new ValidateTokenAsyncAudienceTheoryData("Valid_AudienceWithinValidAudiences")
{
Audience = Default.Audience,
TokenValidationParameters = CreateTokenValidationParameters(["ExtraAudience", Default.Audience, "AnotherAudience"]),
ValidationParameters = CreateValidationParameters(["ExtraAudience", Default.Audience, "AnotherAudience"]),
},
new ValidateTokenAsyncAudienceTheoryData("Valid_AudienceWithSlash_IgnoreTrailingSlashTrue")
{
// Audience has a trailing slash, but IgnoreTrailingSlashWhenValidatingAudience is true.
Audience = Default.Audience + "/",
TokenValidationParameters = CreateTokenValidationParameters([Default.Audience], true),
ValidationParameters = CreateValidationParameters([Default.Audience], true),
},
new ValidateTokenAsyncAudienceTheoryData("Invalid_AudienceWithSlash_IgnoreTrailingSlashFalse")
{
// Audience has a trailing slash and IgnoreTrailingSlashWhenValidatingAudience is false.
Audience = Default.Audience + "/",
TokenValidationParameters = CreateTokenValidationParameters([Default.Audience], false),
ValidationParameters = CreateValidationParameters([Default.Audience], false),
ExpectedIsValid = false,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
ExpectedExceptionValidationParameters = ExpectedException.SecurityTokenInvalidAudienceException("IDX10215:"),
},
new ValidateTokenAsyncAudienceTheoryData("Valid_ValidAudiencesWithSlash_IgnoreTrailingSlashTrue")
{
// ValidAudiences has a trailing slash, but IgnoreTrailingSlashWhenValidatingAudience is true.
Audience = Default.Audience,
TokenValidationParameters = CreateTokenValidationParameters([Default.Audience + "/"], true),
ValidationParameters = CreateValidationParameters([Default.Audience + "/"], true),
},
new ValidateTokenAsyncAudienceTheoryData("Invalid_ValidAudiencesWithSlash_IgnoreTrailingSlashFalse")
{
// ValidAudiences has a trailing slash and IgnoreTrailingSlashWhenValidatingAudience is false.
Audience = Default.Audience,
TokenValidationParameters = CreateTokenValidationParameters([Default.Audience + "/"], false),
ValidationParameters = CreateValidationParameters([Default.Audience + "/"], false),
ExpectedIsValid = false,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10214:"),
ExpectedExceptionValidationParameters = ExpectedException.SecurityTokenInvalidAudienceException("IDX10215:"),
},
new ValidateTokenAsyncAudienceTheoryData("Invalid_AudienceNullIsTreatedAsEmptyList")
{
// JsonWebToken.Audiences defaults to an empty list if no audiences are provided.
TokenValidationParameters = CreateTokenValidationParameters([Default.Audience]),
ValidationParameters = CreateValidationParameters([Default.Audience]),
Audience = null,
ExpectedIsValid = false,
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10206:"),
},
new ValidateTokenAsyncAudienceTheoryData("Invalid_ValidAudiencesIsNull")
{
TokenValidationParameters = CreateTokenValidationParameters(null),
ValidationParameters = CreateValidationParameters(null),
Audience = string.Empty,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Should this be a valid Audience while the Audiences property on TVP or VP is null?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current validation path considers the case where no valid audiences are provided to be invalid and throws.
The new validation path took that as a base and kept the same behaviour.

If you believe that having no valid audiences should be considered the same as skipping the validation, we can look into it and find out what the correct behaviour would be.

ExpectedIsValid = false,
// TVP path has a special case when ValidAudience is null or empty and ValidAudiences is null.
ExpectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10208:"),
// VP path has a default empty List for ValidAudiences, so it will always return IDX10206 if no audiences are provided.
ExpectedExceptionValidationParameters = ExpectedException.SecurityTokenInvalidAudienceException("IDX10206:"),
},
};

static TokenValidationParameters CreateTokenValidationParameters(
List<string>? audiences,
bool ignoreTrailingSlashWhenValidatingAudience = false) =>

// Only validate the audience.
new TokenValidationParameters
{
ValidateAudience = true,
ValidateIssuer = false,
ValidateLifetime = false,
ValidateTokenReplay = false,
ValidateIssuerSigningKey = false,
RequireSignedTokens = false,
ValidAudiences = audiences,
IgnoreTrailingSlashWhenValidatingAudience = ignoreTrailingSlashWhenValidatingAudience,
};

static ValidationParameters CreateValidationParameters(
List<string>? audiences,
bool ignoreTrailingSlashWhenValidatingAudience = false)
{
ValidationParameters validationParameters = new ValidationParameters();
audiences?.ForEach(audience => validationParameters.ValidAudiences.Add(audience));
validationParameters.IgnoreTrailingSlashWhenValidatingAudience = ignoreTrailingSlashWhenValidatingAudience;

// Skip all validations except audience
validationParameters.AlgorithmValidator = TokenValidators.SkipAlgorithmValidation;
validationParameters.IssuerValidatorAsync = TokenValidators.SkipIssuerValidation;
validationParameters.IssuerSigningKeyValidator = TokenValidators.SkipIssuerSigningKeyValidation;
validationParameters.LifetimeValidator = TokenValidators.SkipLifetimeValidation;
validationParameters.SignatureValidator = TokenValidators.SkipSignatureValidation;

return validationParameters;
}
}
}

public class ValidateTokenAsyncAudienceTheoryData : ValidateTokenAsyncBaseTheoryData
{
public ValidateTokenAsyncAudienceTheoryData(string testId) : base(testId) { }

public string? Audience { get; internal set; } = Default.Audience;
}

private static string CreateToken(string? audience)
{
JsonWebTokenHandler jsonWebTokenHandler = new JsonWebTokenHandler();

SecurityTokenDescriptor securityTokenDescriptor = new SecurityTokenDescriptor
{
Subject = Default.ClaimsIdentity,
Audience = audience,
};

return jsonWebTokenHandler.CreateToken(securityTokenDescriptor);
}
}
}
#nullable restore
Loading
Loading