Merge pull request #140 from AzureAD/oldalton/msal_updates_to_cache

unpluggedk · web-flow · commit 30b15d8e26b9 · 2018-05-24T14:25:39.000-07:00
Additional fixes based on MSAL integration
diff --git a/IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.h b/IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.h
@@ -48,18 +48,18 @@
               context:(id<MSIDRequestContext>)context
                 error:(NSError **)error;
 
-- (BOOL)removeAllTokensForAccount:(MSIDAccountIdentifier *)account
-                      environment:(NSString *)environment
-                         clientId:(NSString *)clientId
-                          context:(id<MSIDRequestContext>)context
-                            error:(NSError **)error;
+- (BOOL)clearCacheForAccount:(MSIDAccountIdentifier *)account
+                 environment:(NSString *)environment
+                    clientId:(NSString *)clientId
+                     context:(id<MSIDRequestContext>)context
+                       error:(NSError **)error;
 
 - (BOOL)validateAndRemoveRefreshToken:(MSIDRefreshToken *)token
                               context:(id<MSIDRequestContext>)context
                                 error:(NSError **)error;
 
-- (BOOL)removeAccessToken:(MSIDAccessToken *)token
-                  context:(id<MSIDRequestContext>)context
-                    error:(NSError **)error;
+- (BOOL)removeToken:(MSIDBaseToken *)token
+            context:(id<MSIDRequestContext>)context
+              error:(NSError **)error;
 
 @end
diff --git a/IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m b/IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m
@@ -246,7 +246,7 @@ - (MSIDIdToken *)getIDTokenForAccount:(MSIDAccountIdentifier *)account
     NSArray<NSString *> *environmentAliases = [[MSIDAadAuthorityCache sharedInstance] cacheAliasesForEnvironment:environment];
     __auto_type accountsPerUserId = [self getAccountsPerUserIdForAliases:environmentAliases context:context error:error];
 
-    if (![accountsPerUserId count])
+    if (!accountsPerUserId)
     {
         MSID_LOG_INFO(context, @"No accounts found, returning!");
         [self stopCacheEvent:event withItem:nil success:NO context:context];
@@ -304,11 +304,11 @@ - (BOOL)removeAccount:(MSIDAccount *)account
     return result;
 }
 
-- (BOOL)removeAllTokensForAccount:(MSIDAccountIdentifier *)account
-                      environment:(NSString *)environment
-                         clientId:(NSString *)clientId
-                          context:(id<MSIDRequestContext>)context
-                            error:(NSError **)error
+- (BOOL)clearCacheForAccount:(MSIDAccountIdentifier *)account
+                 environment:(NSString *)environment
+                    clientId:(NSString *)clientId
+                     context:(id<MSIDRequestContext>)context
+                       error:(NSError **)error
 {
     if (!account
         || !environment
@@ -328,6 +328,18 @@ - (BOOL)removeAllTokensForAccount:(MSIDAccountIdentifier *)account
 
     BOOL result = [_accountCredentialCache removeCredetialsWithQuery:query context:context error:error];
 
+    if (!result)
+    {
+        [self stopCacheEvent:event withItem:nil success:NO context:context];
+        return NO;
+    }
+
+    MSIDDefaultAccountCacheQuery *accountsQuery = [MSIDDefaultAccountCacheQuery new];
+    accountsQuery.homeAccountId = account.homeAccountId;
+    accountsQuery.environment = environment;
+
+    result = [_accountCredentialCache removeAccountsWithQuery:accountsQuery context:context error:error];
+
     [self stopCacheEvent:event withItem:nil success:result context:context];
     return result;
 }
@@ -368,13 +380,6 @@ - (BOOL)validateAndRemoveRefreshToken:(MSIDRefreshToken *)token
     return YES;
 }
 
-- (BOOL)removeAccessToken:(MSIDAccessToken *)token
-                  context:(id<MSIDRequestContext>)context
-                    error:(NSError **)error
-{
-    return [self removeToken:token context:context error:error];
-}
-
 #pragma mark - Input validation
 
 - (BOOL)checkUserIdentifier:(NSString *)userIdentifier
diff --git a/IdentityCore/src/cache/accessor/MSIDLegacyTokenCacheAccessor.h b/IdentityCore/src/cache/accessor/MSIDLegacyTokenCacheAccessor.h
@@ -53,4 +53,8 @@
                   context:(id<MSIDRequestContext>)context
                     error:(NSError **)error;
 
+- (BOOL)clearCacheForAccount:(MSIDAccountIdentifier *)account
+                     context:(id<MSIDRequestContext>)context
+                       error:(NSError **)error;
+
 @end
diff --git a/IdentityCore/src/cache/accessor/MSIDLegacyTokenCacheAccessor.m b/IdentityCore/src/cache/accessor/MSIDLegacyTokenCacheAccessor.m
@@ -214,7 +214,7 @@ - (BOOL)clearWithContext:(id<MSIDRequestContext>)context
     NSArray<NSString *> *environmentAliases = [[MSIDAadAuthorityCache sharedInstance] cacheAliasesForEnvironment:environment];
 
     BOOL (^filterBlock)(MSIDCredentialCacheItem *tokenCacheItem) = ^BOOL(MSIDCredentialCacheItem *tokenCacheItem) {
-        if (![tokenCacheItem.environment msidIsEquivalentWithAnyAlias:environmentAliases])
+        if ([environmentAliases count] && ![tokenCacheItem.environment msidIsEquivalentWithAnyAlias:environmentAliases])
         {
             return NO;
         }
@@ -329,6 +329,32 @@ - (BOOL)removeAccessToken:(MSIDLegacyAccessToken *)token
     return [self removeToken:token userId:token.legacyUserId context:context error:error];
 }
 
+- (BOOL)clearCacheForAccount:(MSIDAccountIdentifier *)account
+                     context:(id<MSIDRequestContext>)context
+                       error:(NSError **)error
+{
+    if (!account.legacyAccountId)
+    {
+        [self fillInternalErrorWithMessage:@"Can't clear cache without user id" context:context error:error];
+        return NO;
+    }
+
+    MSID_LOG_VERBOSE(context, @"(Legacy accessor) Clearing cache with account");
+    MSID_LOG_VERBOSE_PII(context, @"(Legacy accessor) Clearing cache with account %@", account.legacyAccountId);
+
+    MSIDTelemetryCacheEvent *event = [self startCacheEventWithName:MSID_TELEMETRY_EVENT_TOKEN_CACHE_DELETE context:context];
+
+    MSIDLegacyTokenCacheQuery *query = [MSIDLegacyTokenCacheQuery new];
+    query.legacyUserId = account.legacyAccountId;
+
+    BOOL result = [_dataSource removeItemsWithKey:query context:context error:error];
+
+    [_dataSource saveWipeInfoWithContext:context error:nil];
+
+    [self stopTelemetryEvent:event withItem:nil success:result context:context];
+    return result;
+}
+
 #pragma mark - Input validation
 
 - (void)fillInternalErrorWithMessage:(NSString *)message
diff --git a/IdentityCore/src/cache/mac/MSIDMacTokenCache.m b/IdentityCore/src/cache/mac/MSIDMacTokenCache.m
@@ -385,6 +385,12 @@ - (BOOL)removeItemsWithKeyImpl:(MSIDCacheKey *)key
     {
         return YES;
     }
+
+    if (!key.service)
+    {
+        [self.cache[@"tokens"] removeObjectForKey:userId];
+        return YES;
+    }
     
     if (![userTokens objectForKey:[self legacyKeyWithoutAccount:key]])
     {
diff --git a/IdentityCore/src/cache/token/MSIDAccountCacheItem.m b/IdentityCore/src/cache/token/MSIDAccountCacheItem.m
@@ -201,7 +201,7 @@ - (BOOL)matchesWithHomeAccountId:(nullable NSString *)homeAccountId
         return NO;
     }
 
-    if (environmentAliases && ![self.environment msidIsEquivalentWithAnyAlias:environmentAliases])
+    if ([environmentAliases count] && ![self.environment msidIsEquivalentWithAnyAlias:environmentAliases])
     {
         return NO;
     }
diff --git a/IdentityCore/src/cache/token/MSIDCredentialCacheItem.m b/IdentityCore/src/cache/token/MSIDCredentialCacheItem.m
@@ -284,7 +284,7 @@ - (BOOL)matchByEnvironment:(nullable NSString *)environment
         return NO;
     }
 
-    if (environmentAliases && ![self.environment msidIsEquivalentWithAnyAlias:environmentAliases])
+    if ([environmentAliases count] && ![self.environment msidIsEquivalentWithAnyAlias:environmentAliases])
     {
         return NO;
     }
@@ -299,7 +299,7 @@ - (BOOL)matchesWithRealm:(nullable NSString *)realm
           targetMatching:(MSIDComparisonOptions)matchingOptions
         clientIdMatching:(MSIDComparisonOptions)clientIDMatchingOptions
 {
-    if (clientIDMatchingOptions == SuperSet)
+    if (clientIDMatchingOptions == SuperSet && (clientId || familyId))
     {
         if (![self.clientId isEqualToString:clientId]
             && ![self.familyId isEqualToString:familyId])
diff --git a/IdentityCore/tests/integration/MSIDDefaultAccessorSSOIntegrationTests.m b/IdentityCore/tests/integration/MSIDDefaultAccessorSSOIntegrationTests.m
@@ -1450,7 +1450,7 @@ - (void)testRemoveAccessToken_whenTokenProvided_shouldRemoveToken
     MSIDAccessToken *secondToken = accessTokens[1];
 
     NSError *error = nil;
-    BOOL result = [_defaultAccessor removeAccessToken:secondToken context:nil error:&error];
+    BOOL result = [_defaultAccessor removeToken:secondToken context:nil error:&error];
     XCTAssertTrue(result);
     XCTAssertNil(error);
 
@@ -1462,10 +1462,63 @@ - (void)testRemoveAccessToken_whenTokenProvided_shouldRemoveToken
     XCTAssertEqual([remaininRefreshTokens count], 1);
 }
 
+- (void)testRemoveIDToken_whenTokenProvided_shouldRemoveToken
+{
+    // Save first token
+    [self saveResponseWithUPN:@"upn@test.com"
+                     clientId:@"test_client_id2"
+                    authority:@"https://login.windows.net/common"
+               responseScopes:@"user.read user.write"
+                  inputScopes:@"user.read user.write"
+                          uid:@"uid"
+                         utid:@"utid"
+                  accessToken:@"access token"
+                 refreshToken:@"refresh token"
+                     familyId:nil
+                     accessor:_nonSSOAccessor];
+
+    // Save first token
+    [self saveResponseWithUPN:@"upn@test.com"
+                     clientId:@"test_client_id"
+                    authority:@"https://login.windows.net/common"
+               responseScopes:@"user.sing"
+                  inputScopes:@"user.sing"
+                          uid:@"uid"
+                         utid:@"utid"
+                  accessToken:@"access token"
+                 refreshToken:@"refresh token"
+                     familyId:nil
+                     accessor:_nonSSOAccessor];
+
+    NSArray *accessTokens = [self getAllAccessTokens];
+    XCTAssertEqual([accessTokens count], 2);
+
+    NSArray *refreshTokens = [self getAllRefreshTokens];
+    XCTAssertEqual([refreshTokens count], 2);
+
+    NSArray *idTokens = [self getAllIDTokens];
+    XCTAssertEqual([idTokens count], 2);
+
+    MSIDIdToken *firstToken = idTokens[0];
+    MSIDIdToken *secondToken = idTokens[1];
+
+    NSError *error = nil;
+    BOOL result = [_defaultAccessor removeToken:secondToken context:nil error:&error];
+    XCTAssertTrue(result);
+    XCTAssertNil(error);
+
+    NSArray *remainingIDTokens = [self getAllIDTokens];
+    XCTAssertEqual([remainingIDTokens count], 1);
+    XCTAssertEqualObjects(remainingIDTokens[0], firstToken);
+
+    NSArray *remaininRefreshTokens = [self getAllRefreshTokens];
+    XCTAssertEqual([remaininRefreshTokens count], 2);
+}
+
 - (void)testRemoveAccessToken_whenNilTokenProvided_shouldReturnError
 {
     NSError *error = nil;
-    BOOL result = [_defaultAccessor removeAccessToken:nil context:nil error:&error];
+    BOOL result = [_defaultAccessor removeToken:nil context:nil error:&error];
     XCTAssertFalse(result);
     XCTAssertNotNil(error);
     XCTAssertEqual(error.code, MSIDErrorInternal);
@@ -1670,42 +1723,53 @@ - (void)testRemoveAccount_whenAccountNotNil_shouldRemoveAccount
     XCTAssertNil(error);
 
     accounts = [_defaultAccessor allAccountsForEnvironment:@"login.windows.net" clientId:@"test_client_id" familyId:nil context:nil error:&error];
-    XCTAssertNil(accounts);
     XCTAssertNil(error);
     XCTAssertEqual([accounts count], 0);
 }
 
-#pragma mark - RemoveAllTokensForAccount
+#pragma mark - clearCacheForAccount
 
-- (void)testRemoveAllTokensForAccount_whenNilAccount_shouldReturnError
+- (void)testClearCacheForAccount_whenNilAccount_shouldReturnError
 {
     NSError *error = nil;
-    BOOL result = [_defaultAccessor removeAllTokensForAccount:nil environment:@"login.microsoftonline.com" clientId:@"test_client_id" context:nil error:&error];
+    BOOL result = [_defaultAccessor clearCacheForAccount:nil environment:@"login.microsoftonline.com" clientId:@"test_client_id" context:nil error:&error];
     XCTAssertFalse(result);
     XCTAssertNotNil(error);
     XCTAssertEqual(error.code, MSIDErrorInternal);
 }
 
-- (void)testRemoveAllTokensForAccount_whenNilClientId_shouldReturnError
+- (void)testClearCacheForAccount_whenNilClientId_shouldReturnError
 {
     NSError *error = nil;
-    BOOL result = [_defaultAccessor removeAllTokensForAccount:[MSIDAccountIdentifier new] environment:@"login.microsoftonline.com" clientId:nil context:nil error:&error];
+    BOOL result = [_defaultAccessor clearCacheForAccount:[MSIDAccountIdentifier new] environment:@"login.microsoftonline.com" clientId:nil context:nil error:&error];
     XCTAssertFalse(result);
     XCTAssertNotNil(error);
     XCTAssertEqual(error.code, MSIDErrorInternal);
 }
 
-- (void)testRemoveAllTokensForAccount_whenNilEnvironment_shouldReturnError
+- (void)testClearCacheForAccount_whenNilEnvironment_shouldReturnError
 {
     NSError *error = nil;
-    BOOL result = [_defaultAccessor removeAllTokensForAccount:[MSIDAccountIdentifier new] environment:nil clientId:@"test" context:nil error:&error];
+    BOOL result = [_defaultAccessor clearCacheForAccount:[MSIDAccountIdentifier new] environment:nil clientId:@"test" context:nil error:&error];
     XCTAssertFalse(result);
     XCTAssertNotNil(error);
     XCTAssertEqual(error.code, MSIDErrorInternal);
 }
 
-- (void)testRemoveAllTokenForAccount_whenAccountProvided_shouldRemoveTokens
+- (void)testClearCacheForAccount_whenAccountProvided_shouldRemoveTokens
 {
+    [self saveResponseWithUPN:@"upn@test.com"
+                     clientId:@"test_client_id"
+                    authority:@"https://login.windows.net/common"
+               responseScopes:@"user.sing"
+                  inputScopes:@"user.sing"
+                          uid:@"uid2"
+                         utid:@"utid2"
+                  accessToken:@"access token 2"
+                 refreshToken:@"refresh token"
+                     familyId:nil
+                     accessor:_nonSSOAccessor];
+
     [self saveResponseWithUPN:@"upn@test.com"
                      clientId:@"test_client_id"
                     authority:@"https://login.windows.net/common"
@@ -1735,35 +1799,64 @@ - (void)testRemoveAllTokenForAccount_whenAccountProvided_shouldRemoveTokens
 
     XCTAssertNotNil(accounts);
     XCTAssertNil(error);
-    XCTAssertEqual([accounts count], 1);
+    XCTAssertEqual([accounts count], 2);
 
     NSArray *allATs = [self getAllAccessTokens];
-    XCTAssertEqual([allATs count], 2);
+    XCTAssertEqual([allATs count], 3);
 
     NSArray *allRTs = [self getAllRefreshTokens];
-    XCTAssertEqual([allRTs count], 1);
+    XCTAssertEqual([allRTs count], 2);
 
     NSArray *allIDs = [self getAllIDTokens];
-    XCTAssertEqual([allIDs count], 1);
+    XCTAssertEqual([allIDs count], 2);
 
-    MSIDAccount *account = accounts[0];
+    MSIDAccount *account = nil;
+
+    for (MSIDAccount *accountInCache in accounts)
+    {
+        if ([accountInCache.homeAccountId isEqualToString:@"uid.utid"])
+        {
+            account = accountInCache;
+            break;
+        }
+    }
+
+    XCTAssertNotNil(account);
 
     MSIDAccountIdentifier *identifier = [MSIDAccountIdentifier new];
     identifier.homeAccountId = account.homeAccountId;
     identifier.legacyAccountId = account.username;
 
-    BOOL result = [_defaultAccessor removeAllTokensForAccount:identifier environment:@"login.windows.net" clientId:@"test_client_id" context:nil error:&error];
+    BOOL result = [_defaultAccessor clearCacheForAccount:identifier environment:@"login.windows.net" clientId:@"test_client_id" context:nil error:&error];
     XCTAssertTrue(result);
     XCTAssertNil(error);
 
     allATs = [self getAllAccessTokens];
-    XCTAssertEqual([allATs count], 0);
+    XCTAssertEqual([allATs count], 1);
+
+    MSIDAccessToken *accessToken = allATs[0];
+    XCTAssertEqualObjects(accessToken.homeAccountId, @"uid2.utid2");
 
     allRTs = [self getAllRefreshTokens];
-    XCTAssertEqual([allRTs count], 0);
+    XCTAssertEqual([allRTs count], 1);
+
+    MSIDRefreshToken *refreshToken = allRTs[0];
+    XCTAssertEqualObjects(refreshToken.homeAccountId, @"uid2.utid2");
 
     allIDs = [self getAllIDTokens];
-    XCTAssertEqual([allIDs count], 0);
+    XCTAssertEqual([allIDs count], 1);
+    MSIDIdToken *idToken = allIDs[0];
+    XCTAssertEqualObjects(idToken.homeAccountId, @"uid2.utid2");
+
+    accounts = [_defaultAccessor allAccountsForEnvironment:@"login.windows.net"
+                                                  clientId:@"test_client_id"
+                                                  familyId:nil
+                                                   context:nil
+                                                     error:&error];
+    XCTAssertEqual([accounts count], 1);
+
+    MSIDAccount *remainingAccount = accounts[0];
+    XCTAssertEqualObjects(remainingAccount.homeAccountId, @"uid2.utid2");
 }
 
 #pragma mark - Helpers
diff --git a/IdentityCore/tests/integration/MSIDLegacyAccessorSSOIntegrationTests.m b/IdentityCore/tests/integration/MSIDLegacyAccessorSSOIntegrationTests.m

Original file line number	Diff line number	Diff line change
`@@ -385,6 +385,12 @@ - (BOOL)removeItemsWithKeyImpl:(MSIDCacheKey *)key`
`385`	`385`	`{`
`386`	`386`	`return YES;`
`387`	`387`	`}`
	`388`	`+`
	`389`	`+ if (!key.service)`
	`390`	`+ {`
	`391`	`+ [self.cache[@"tokens"] removeObjectForKey:userId];`
	`392`	`+ return YES;`
	`393`	`+ }`
`388`	`394`
`389`	`395`	`if (![userTokens objectForKey:[self legacyKeyWithoutAccount:key]])`
`390`	`396`	`{`
Original file line number	Diff line number	Diff line change
`@@ -201,7 +201,7 @@ - (BOOL)matchesWithHomeAccountId:(nullable NSString *)homeAccountId`
`201`	`201`	`return NO;`
`202`	`202`	`}`
`203`	`203`
`204`		`- if (environmentAliases && ![self.environment msidIsEquivalentWithAnyAlias:environmentAliases])`
	`204`	`+ if ([environmentAliases count] && ![self.environment msidIsEquivalentWithAnyAlias:environmentAliases])`
`205`	`205`	`{`
`206`	`206`	`return NO;`
`207`	`207`	`}`
Original file line number	Diff line number	Diff line change
`@@ -284,7 +284,7 @@ - (BOOL)matchByEnvironment:(nullable NSString *)environment`
`284`	`284`	`return NO;`
`285`	`285`	`}`
`286`	`286`
`287`		`- if (environmentAliases && ![self.environment msidIsEquivalentWithAnyAlias:environmentAliases])`
	`287`	`+ if ([environmentAliases count] && ![self.environment msidIsEquivalentWithAnyAlias:environmentAliases])`
`288`	`288`	`{`
`289`	`289`	`return NO;`
`290`	`290`	`}`
`@@ -299,7 +299,7 @@ - (BOOL)matchesWithRealm:(nullable NSString *)realm`
`299`	`299`	`targetMatching:(MSIDComparisonOptions)matchingOptions`
`300`	`300`	`clientIdMatching:(MSIDComparisonOptions)clientIDMatchingOptions`
`301`	`301`	`{`
`302`		`- if (clientIDMatchingOptions == SuperSet)`
	`302`	`+ if (clientIDMatchingOptions == SuperSet && (clientId \|\| familyId))`
`303`	`303`	`{`
`304`	`304`	`if (![self.clientId isEqualToString:clientId]`
`305`	`305`	`&& ![self.familyId isEqualToString:familyId])`