Merge pull request #151 from AzureAD/sedemche/split_authorities

Split authority

Author: antrix1989

IdentityCore/IdentityCore.xcodeproj/project.pbxproj

@@ -36,4 +36,8 @@
 
 @property (nonatomic, nullable) NSString *drsDiscoveryApiVersion;
 
+- (BOOL)isAADPublicCloud:(nonnull NSString *)host;
+
+- (nonnull NSSet<NSString *> *)trustedHosts;
+
 @end

IdentityCore/src/MSIDAADNetworkConfiguration.h

@@ -23,8 +23,10 @@
 
 #import "MSIDAADNetworkConfiguration.h"
 #import "MSIDAADEndpointProvider.h"
+#import "MSIDConstants.h"
 
 static MSIDAADNetworkConfiguration *s_defaultConfiguration;
+static NSSet<NSString *> *s_trustedHostList;
 
 @implementation MSIDAADNetworkConfiguration
 
@@ -33,6 +35,15 @@ + (void)initialize
     if (self == [MSIDAADNetworkConfiguration self])
     {
         s_defaultConfiguration = [MSIDAADNetworkConfiguration new];
+        
+        s_trustedHostList = [NSSet setWithObjects:MSIDTrustedAuthority,
+                             MSIDTrustedAuthorityUS,
+                             MSIDTrustedAuthorityChina,
+                             MSIDTrustedAuthorityChina2,
+                             MSIDTrustedAuthorityGermany,
+                             MSIDTrustedAuthorityWorldWide,
+                             MSIDTrustedAuthorityUSGovernment,
+                             MSIDTrustedAuthorityCloudGovApi, nil];
     }
 }
 
@@ -59,4 +70,16 @@ + (void)setDefaultConfiguration:(MSIDAADNetworkConfiguration *)defaultConfigurat
     s_defaultConfiguration = defaultConfiguration;
 }
 
+- (BOOL)isAADPublicCloud:(NSString *)host
+{
+    if (!host) return NO;
+    
+    return [s_trustedHostList containsObject:host];
+}
+
+- (NSSet<NSString *> *)trustedHosts
+{
+    return s_trustedHostList;
+}
+
 @end

IdentityCore/src/MSIDAADNetworkConfiguration.m

@@ -25,7 +25,7 @@
 
 NS_ASSUME_NONNULL_BEGIN
 
-@interface MSIDCache <KeyType, ObjectType> : NSObject
+@interface MSIDCache <KeyType, ObjectType> : NSObject <NSCopying>
 
 - (nullable ObjectType)objectForKey:(KeyType)key;
 

IdentityCore/src/MSIDCache.h

@@ -87,4 +87,14 @@ - (NSUInteger)count
     return count;
 }
 
+#pragma mark - NSCopying
+
+- (id)copyWithZone:(NSZone *)zone
+{
+    MSIDCache *item = [[self.class allocWithZone:zone] init];
+    item->_container = [_container copyWithZone:zone];
+    
+    return item;
+}
+
 @end

IdentityCore/src/MSIDCache.m

@@ -21,8 +21,17 @@
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 // THE SOFTWARE.
 
-extern NSString *const MSID_PLATFORM_KEY;//The SDK platform. iOS or OSX
-extern NSString *const MSID_VERSION_KEY;
-extern NSString *const MSID_CPU_KEY;//E.g. ARM64
-extern NSString *const MSID_OS_VER_KEY;//iOS/OSX version
-extern NSString *const MSID_DEVICE_MODEL_KEY;//E.g. iPhone 5S
+extern NSString * _Nonnull const MSID_PLATFORM_KEY;//The SDK platform. iOS or OSX
+extern NSString * _Nonnull const MSID_VERSION_KEY;
+extern NSString * _Nonnull const MSID_CPU_KEY;//E.g. ARM64
+extern NSString * _Nonnull const MSID_OS_VER_KEY;//iOS/OSX version
+extern NSString * _Nonnull const MSID_DEVICE_MODEL_KEY;//E.g. iPhone 5S
+
+extern NSString * _Nonnull const MSIDTrustedAuthority;
+extern NSString * _Nonnull const MSIDTrustedAuthorityUS;
+extern NSString * _Nonnull const MSIDTrustedAuthorityChina;
+extern NSString * _Nonnull const MSIDTrustedAuthorityChina2;
+extern NSString * _Nonnull const MSIDTrustedAuthorityGermany;
+extern NSString * _Nonnull const MSIDTrustedAuthorityWorldWide;
+extern NSString * _Nonnull const MSIDTrustedAuthorityUSGovernment;
+extern NSString * _Nonnull const MSIDTrustedAuthorityCloudGovApi;

IdentityCore/src/MSIDConstants.h

@@ -28,3 +28,12 @@
 NSString *const MSID_CPU_KEY                    = @"x-client-CPU";
 NSString *const MSID_OS_VER_KEY                 = @"x-client-OS";
 NSString *const MSID_DEVICE_MODEL_KEY           = @"x-client-DM";
+
+NSString *const MSIDTrustedAuthority             = @"login.windows.net";
+NSString *const MSIDTrustedAuthorityUS           = @"login.microsoftonline.us";
+NSString *const MSIDTrustedAuthorityChina        = @"login.chinacloudapi.cn";
+NSString *const MSIDTrustedAuthorityChina2       = @"login.partner.microsoftonline.cn";
+NSString *const MSIDTrustedAuthorityGermany      = @"login.microsoftonline.de";
+NSString *const MSIDTrustedAuthorityWorldWide    = @"login.microsoftonline.com";
+NSString *const MSIDTrustedAuthorityUSGovernment = @"login-us.microsoftonline.com";
+NSString *const MSIDTrustedAuthorityCloudGovApi  = @"login.usgovcloudapi.net";

IdentityCore/src/MSIDConstants.m

@@ -21,8 +21,8 @@
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 // THE SOFTWARE.
 
-typedef NS_ENUM(NSInteger, MSIDADFSType)
+typedef NS_ENUM(NSInteger, MSIDDRSType)
 {
-    MSIDADFSTypeOnPrems,
-    MSIDADFSTypeCloud
+    MSIDDRSTypeOnPrem,
+    MSIDDRSTypeInCloud
 };

IdentityCore/src/MSIDADFSType.h IdentityCore/src/MSIDDRSType.hIdentityCore/src/MSIDADFSType.h renamed to IdentityCore/src/MSIDDRSType.h

@@ -39,6 +39,8 @@
 #import "MSIDDefaultAccountCacheQuery.h"
 #import "MSIDAccountIdentifier.h"
 #import "MSIDTelemetry+Cache.h"
+#import "MSIDAuthority.h"
+#import "MSIDAuthorityFactory.h"
 
 @interface MSIDDefaultTokenCacheAccessor()
 {
@@ -137,8 +139,8 @@ - (MSIDRefreshToken *)getRefreshTokenWithAccount:(MSIDAccountIdentifier *)accoun
 
         MSIDDefaultCredentialCacheQuery *query = [MSIDDefaultCredentialCacheQuery new];
         query.homeAccountId = account.homeAccountId;
-        query.environment = configuration.authority.msidHostWithPortIfNecessary;
-        query.clientId = configuration.clientId;
+        query.environmentAliases = [_factory defaultCacheAliasesForEnvironment:configuration.authority.environment];
+        query.clientId = familyId ? nil : configuration.clientId;
         query.familyId = familyId;
         query.credentialType = MSIDRefreshTokenType;
 
@@ -219,8 +221,8 @@ - (MSIDAccessToken *)getAccessTokenForAccount:(MSIDAccountIdentifier *)account
 
     MSIDDefaultCredentialCacheQuery *query = [MSIDDefaultCredentialCacheQuery new];
     query.homeAccountId = account.homeAccountId;
-    query.environment = configuration.authority.msidHostWithPortIfNecessary;
-    query.realm = configuration.authority.msidTenant;
+    query.environmentAliases = [_factory defaultCacheAliasesForEnvironment:configuration.authority.environment];
+    query.realm = configuration.authority.url.msidTenant;
     query.clientId = configuration.clientId;
     query.target = configuration.target;
     query.targetMatchingOptions = MSIDSubSet;
@@ -239,8 +241,8 @@ - (MSIDIdToken *)getIDTokenForAccount:(MSIDAccountIdentifier *)account
 {
     MSIDDefaultCredentialCacheQuery *query = [MSIDDefaultCredentialCacheQuery new];
     query.homeAccountId = account.homeAccountId;
-    query.environment = configuration.authority.msidHostWithPortIfNecessary;
-    query.realm = configuration.authority.msidTenant;
+    query.environmentAliases = [_factory defaultCacheAliasesForEnvironment:configuration.authority.environment];
+    query.realm = configuration.authority.url.msidTenant;
     query.clientId = configuration.clientId;
     query.credentialType = MSIDIDTokenType;
 
@@ -265,11 +267,11 @@ - (MSIDIdToken *)getIDTokenForAccount:(MSIDAccountIdentifier *)account
     NSArray<NSString *> *environmentAliases = [_factory defaultCacheAliasesForEnvironment:environment];
     __auto_type accountsPerUserId = [self getAccountsPerUserIdForAliases:environmentAliases context:context error:error];
 
-    if (!accountsPerUserId)
+    if (![accountsPerUserId count])
     {
         MSID_LOG_INFO(context, @"No accounts found, returning!");
         [MSIDTelemetry stopCacheEvent:event withItem:nil success:NO context:context];
-        return nil;
+        return @[];
     }
 
     MSIDDefaultCredentialCacheQuery *credentialsQuery = [MSIDDefaultCredentialCacheQuery new];
@@ -321,7 +323,7 @@ - (MSIDAccount *)accountForIdentifier:(MSIDAccountIdentifier *)accountIdentifier
 
     MSIDDefaultAccountCacheQuery *cacheQuery = [MSIDDefaultAccountCacheQuery new];
     cacheQuery.homeAccountId = accountIdentifier.homeAccountId;
-    cacheQuery.environmentAliases = [_factory defaultCacheAliasesForEnvironment:configuration.authority.msidHostWithPortIfNecessary];
+    cacheQuery.environmentAliases = [_factory defaultCacheAliasesForEnvironment:configuration.authority.environment];
     cacheQuery.accountType = MSIDAccountTypeMSSTS;
 
     NSArray<MSIDAccountCacheItem *> *accountCacheItems = [_accountCredentialCache getAccountsWithQuery:cacheQuery context:context error:error];
@@ -440,7 +442,7 @@ - (BOOL)validateAndRemoveRefreshToken:(MSIDRefreshToken *)token
     MSID_LOG_VERBOSE(context, @"Removing refresh token with clientID %@, authority %@", token.clientId, token.authority);
     MSID_LOG_VERBOSE_PII(context, @"Removing refresh token with clientID %@, authority %@, userId %@, token %@", token.clientId, token.authority, token.accountIdentifier.homeAccountId, _PII_NULLIFY(token.refreshToken));
 
-    NSURL *authority = token.storageAuthority ? token.storageAuthority : token.authority;
+    NSURL *authority = token.storageAuthority.url ? token.storageAuthority.url : token.authority.url;
 
     MSIDDefaultCredentialCacheQuery *query = [MSIDDefaultCredentialCacheQuery new];
     query.homeAccountId = token.accountIdentifier.homeAccountId;
@@ -650,8 +652,8 @@ - (BOOL)saveAccessToken:(MSIDAccessToken *)accessToken
     // Delete access tokens with intersecting scopes
     MSIDDefaultCredentialCacheQuery *query = [MSIDDefaultCredentialCacheQuery new];
     query.homeAccountId = accessToken.accountIdentifier.homeAccountId;
-    query.environment = accessToken.authority.msidHostWithPortIfNecessary;
-    query.realm = accessToken.authority.msidTenant;
+    query.environment = accessToken.authority.environment;
+    query.realm = accessToken.authority.url.msidTenant;
     query.clientId = accessToken.clientId;
     query.target = [accessToken.scopes msidToString];
     query.targetMatchingOptions = MSIDIntersect;
@@ -727,42 +729,37 @@ - (BOOL)removeToken:(MSIDBaseToken *)token
 
 #pragma mark - Private
 
-- (MSIDBaseToken *)getTokenWithAuthority:(NSURL *)authority
+- (MSIDBaseToken *)getTokenWithAuthority:(MSIDAuthority *)authority
                               cacheQuery:(MSIDDefaultCredentialCacheQuery *)cacheQuery
                                  context:(id<MSIDRequestContext>)context
                                    error:(NSError **)error
 {
     MSIDTelemetryCacheEvent *event = [MSIDTelemetry startCacheEventWithName:MSID_TELEMETRY_EVENT_TOKEN_CACHE_LOOKUP context:context];
 
-    NSArray<NSString *> *aliases = [_factory defaultCacheAliasesForEnvironment:authority.msidHostWithPortIfNecessary];
+    MSID_LOG_VERBOSE(context, @"(Default accessor) Looking for token with aliases %@, tenant %@, clientId %@, scopes %@", cacheQuery.environmentAliases, cacheQuery.realm, cacheQuery.clientId, cacheQuery.target);
 
-    for (NSString *alias in aliases)
-    {
-        MSID_LOG_VERBOSE(context, @"(Default accessor) Looking for token with alias %@, tenant %@, clientId %@, scopes %@", alias, cacheQuery.realm, cacheQuery.clientId, cacheQuery.target);
+    NSError *cacheError = nil;
 
-        NSError *cacheError = nil;
+    NSArray<MSIDCredentialCacheItem *> *cacheItems = [_accountCredentialCache getCredentialsWithQuery:cacheQuery legacyUserId:nil context:context error:error];
 
-        NSArray<MSIDCredentialCacheItem *> *cacheItems = [_accountCredentialCache getCredentialsWithQuery:cacheQuery legacyUserId:nil context:context error:error];
+    if (cacheError)
+    {
+        if (error) *error = cacheError;
+        [MSIDTelemetry stopCacheEvent:event withItem:nil success:NO context:context];
+        return nil;
+    }
 
-        if (cacheError)
-        {
-            if (error) *error = cacheError;
-            [MSIDTelemetry stopCacheEvent:event withItem:nil success:NO context:context];
-            return nil;
-        }
+    if ([cacheItems count])
+    {
+        MSIDBaseToken *resultToken = [cacheItems[0] tokenWithType:cacheQuery.credentialType];
 
-        if ([cacheItems count])
+        if (resultToken)
         {
-            MSIDBaseToken *resultToken = [cacheItems[0] tokenWithType:cacheQuery.credentialType];
-
-            if (resultToken)
-            {
-                MSID_LOG_VERBOSE(context, @"(Default accessor) Found %lu tokens", (unsigned long)[cacheItems count]);
-                resultToken.storageAuthority = resultToken.authority;
-                resultToken.authority = authority;
-                [MSIDTelemetry stopCacheEvent:event withItem:resultToken success:YES context:context];
-                return resultToken;
-            }
+            MSID_LOG_VERBOSE(context, @"(Default accessor) Found %lu tokens", (unsigned long)[cacheItems count]);
+            resultToken.storageAuthority = resultToken.authority;
+            resultToken.authority = authority;
+            [MSIDTelemetry stopCacheEvent:event withItem:resultToken success:YES context:context];
+            return resultToken;
         }
     }
 
@@ -778,7 +775,7 @@ - (MSIDBaseToken *)getTokenWithAuthority:(NSURL *)authority
 }
 
 - (MSIDBaseToken *)getRefreshTokenByLegacyUserId:(NSString *)legacyUserId
-                                       authority:(NSURL *)authority
+                                       authority:(MSIDAuthority *)authority
                                         clientId:(NSString *)clientId
                                         familyId:(NSString *)familyId
                                          context:(id<MSIDRequestContext>)context
@@ -789,7 +786,7 @@ - (MSIDBaseToken *)getRefreshTokenByLegacyUserId:(NSString *)legacyUserId
 
     MSIDTelemetryCacheEvent *event = [MSIDTelemetry startCacheEventWithName:MSID_TELEMETRY_EVENT_TOKEN_CACHE_LOOKUP context:context];
 
-    NSArray<NSString *> *aliases = [_factory defaultCacheAliasesForEnvironment:authority.msidHostWithPortIfNecessary];
+    NSArray<NSString *> *aliases = [_factory defaultCacheAliasesForEnvironment:authority.environment];
 
     NSString *clientIdForQueries = clientId;
 
@@ -875,7 +872,7 @@ - (BOOL)saveAccount:(MSIDAccount *)account
 
     MSIDTelemetryCacheEvent *event = [MSIDTelemetry startCacheEventWithName:MSID_TELEMETRY_EVENT_TOKEN_CACHE_WRITE context:context];
     MSIDAccountCacheItem *cacheItem = account.accountCacheItem;
-    cacheItem.environment = [_factory cacheEnvironmentFromEnvironment:account.authority.msidHostWithPortIfNecessary context:context];
+    cacheItem.environment = [_factory cacheEnvironmentFromEnvironment:account.authority.environment context:context];
 
     BOOL result = [_accountCredentialCache saveAccount:cacheItem context:context error:error];
     [MSIDTelemetry stopCacheEvent:event withItem:nil success:result context:context];