Commit 364a6210 authored by Vibhuti Sharma [Microsoft]'s avatar Vibhuti Sharma [Microsoft]

added check for issuer

parent a3a44e4d
......@@ -25,6 +25,9 @@ import java.util.Map;
@Component
public class AuthorizationService implements IAuthorizationService {
private final String AAD_issuer_v1 = "https://sts.windows.net";
private final String AAD_issuer_v2 = "https://login.microsoftonline.com";
enum UserType {
REGULAR_USER,
GUEST_USER,
......@@ -40,14 +43,24 @@ public class AuthorizationService implements IAuthorizationService {
}
final UserPrincipal userPrincipal = (UserPrincipal) principal;
String issuer = userPrincipal.getClaim("iss").toString();
UserType type = getType(userPrincipal);
if (type == UserType.SERVICE_PRINCIPAL) {
if (type == UserType.SERVICE_PRINCIPAL && issuedByAAD(issuer)) {
return true;
}
return false;
}
/***
* Check that issuer string startswith accepted prefix of AAD issuer url (V1 or V2).
* @param issuer claim for "issuer"
* @return true if issuer startswith V1 url or V2 url
*/
private boolean issuedByAAD(String issuer) {
return issuer.startsWith(AAD_issuer_v1) || issuer.startsWith(AAD_issuer_v2);
}
/**
* The internal method to get the user principal.
*
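Review bot: `issuedByAAD` accepts any issuer that merely begins with `https://sts.windows.net` or `https://login.microsoftonline.com`, because neither prefix ends with `/` and the comparison is `startsWith`, so an issuer whose host name extends either of those passes the check. Terminate both prefixes with `/` at minimum, and preferably compare against the exact tenant-qualified issuer the service expects (AAD issues `https://sts.windows.net/{tenant-id}/` for v1 and `https://login.microsoftonline.com/{tenant-id}/v2.0` for v2). Separately, `userPrincipal.getClaim("iss").toString()` runs before the type check and throws NullPointerException when the token carries no `iss` claim, so a malformed token surfaces as an error rather than the `false` this method otherwise returns. The two new instance fields are constants and should be `private static final` with `UPPER_SNAKE_CASE` names. The enclosing method begins before this hunk.
```java
private static final String AAD_ISSUER_V1 = "https://sts.windows.net/";
private static final String AAD_ISSUER_V2 = "https://login.microsoftonline.com/";
// … unchanged: UserType enum, start of the method …
final UserPrincipal userPrincipal = (UserPrincipal) principal;
Object issuerClaim = userPrincipal.getClaim("iss");
if (issuerClaim == null) {
    return false;
}
UserType type = getType(userPrincipal);
return type == UserType.SERVICE_PRINCIPAL && issuedByAAD(issuerClaim.toString());
// … unchanged: issuedByAAD, now reading AAD_ISSUER_V1 / AAD_ISSUER_V2 …
```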
......@@ -103,11 +103,23 @@ public class AuthorizationServiceTest {
}
@Test
public void shouldReturnTrueWhenAADTokenIsSetInContext() {
public void shouldReturnTrueWhenAADTokenIsSetInContext_AndIssuerIsAAD() {
createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.getAadIssuer());
assertTrue(authorizationService.isDomainAdminServiceAccount());
}
@Test
public void shouldReturnTrueWhenAADTokenIsSetInContext_AndIssuerIsAADV2() {
createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.getAadIssuerV2());
assertTrue(authorizationService.isDomainAdminServiceAccount());
}
@Test
public void shouldReturnFalseWhenAADTokenIsSetInContext_AndIssuerIsNotAAD() {
createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.getNonAadIssuer());
assertFalse(authorizationService.isDomainAdminServiceAccount());
}
@Getter
public class DummyAuthToken {
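Review bot: The negative test `shouldReturnFalseWhenAADTokenIsSetInContext_AndIssuerIsNotAAD` uses an issuer on an unrelated host, so it does not pin the boundary of the `startsWith` check in `issuedByAAD` and would still pass if that check were loosened further. Add a case whose issuer shares the accepted `https://sts.windows.net` prefix but whose host merely extends it, and a case whose principal carries no `iss` claim at all, each asserting `false` from `isDomainAdminServiceAccount()`. Whether `assertFalse` is already imported cannot be seen from this hunk; the class continues outside it.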
......@@ -18,7 +18,11 @@ public class TestUtils {
private static final String appId = "1234";
public static final String APPID = "appid";
public static final String aadIssuer = "https://sts.windows.net";
public static final String aadIssuerV2 = "https://login.microsoftonline.com";
public static final String nonAadIssuer = "https://login.abc.com";
public static String getAppId() {return appId;}
public static String getAadIssuer() {return aadIssuer;}
public static String getAadIssuerV2() {return aadIssuerV2;}
public static String getNonAadIssuer() {return nonAadIssuer;}
}
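Review bot: `aadIssuer`, `aadIssuerV2` and `nonAadIssuer` are `public static final` constants named in lowerCamelCase, and each is paired with a getter that only returns the already-public field. Either make the fields private, as `appId` already is, so the getters have a purpose, or drop the getters and name the constants `AAD_ISSUER`, `AAD_ISSUER_V2` and `NON_AAD_ISSUER`.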