Addressed feedback comments

Author: oldalton

IdentityCore/IdentityCore.xcodeproj/project.pbxproj

@@ -317,6 +317,8 @@
 		B275520B208185E600AA7A38 /* KeyvaultAuthentication.swift in Sources */ = {isa = PBXBuildFile; fileRef = B275520A208185E600AA7A38 /* KeyvaultAuthentication.swift */; };
 		B275520C208185E600AA7A38 /* KeyvaultAuthentication.swift in Sources */ = {isa = PBXBuildFile; fileRef = B275520A208185E600AA7A38 /* KeyvaultAuthentication.swift */; };
 		B275520E208186F500AA7A38 /* MSIDAutomation-Bridging-Header.h in Headers */ = {isa = PBXBuildFile; fileRef = B275520D208186F500AA7A38 /* MSIDAutomation-Bridging-Header.h */; };
+		B279835A20D33A0A0051167F /* MSIDIdTokenClaimsTests.m in Sources */ = {isa = PBXBuildFile; fileRef = B279835920D33A090051167F /* MSIDIdTokenClaimsTests.m */; };
+		B279835B20D33A0A0051167F /* MSIDIdTokenClaimsTests.m in Sources */ = {isa = PBXBuildFile; fileRef = B279835920D33A090051167F /* MSIDIdTokenClaimsTests.m */; };
 		B2807FF7204CAFDF00944D89 /* MSIDHelpers.h in Headers */ = {isa = PBXBuildFile; fileRef = B2807FF5204CAFDF00944D89 /* MSIDHelpers.h */; };
 		B2807FF8204CAFDF00944D89 /* MSIDHelpers.m in Sources */ = {isa = PBXBuildFile; fileRef = B2807FF6204CAFDF00944D89 /* MSIDHelpers.m */; };
 		B2807FF9204CAFDF00944D89 /* MSIDHelpers.m in Sources */ = {isa = PBXBuildFile; fileRef = B2807FF6204CAFDF00944D89 /* MSIDHelpers.m */; };
@@ -839,6 +841,7 @@
 		B27551FD208182BE00AA7A38 /* AuthHeader.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = AuthHeader.swift; sourceTree = "<group>"; };
 		B275520A208185E600AA7A38 /* KeyvaultAuthentication.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = KeyvaultAuthentication.swift; sourceTree = "<group>"; };
 		B275520D208186F500AA7A38 /* MSIDAutomation-Bridging-Header.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "MSIDAutomation-Bridging-Header.h"; sourceTree = "<group>"; };
+		B279835920D33A090051167F /* MSIDIdTokenClaimsTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDIdTokenClaimsTests.m; sourceTree = "<group>"; };
 		B2807FF5204CAFDF00944D89 /* MSIDHelpers.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDHelpers.h; sourceTree = "<group>"; };
 		B2807FF6204CAFDF00944D89 /* MSIDHelpers.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDHelpers.m; sourceTree = "<group>"; };
 		B2807FFA204CB16B00944D89 /* MSIDHelperTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDHelperTests.m; sourceTree = "<group>"; };
@@ -1824,6 +1827,7 @@
 				238EF0882091655D0035ABE6 /* MSIDHttpRequestTelemetryTests.m */,
 				B252913A2096698100E78695 /* MSIDAADIdTokenClaimsFactoryTests.m */,
 				B2DD4B4320A936FE0047A66E /* MSIDAccountCredentialsCacheTests.m */,
+				B279835920D33A090051167F /* MSIDIdTokenClaimsTests.m */,
 			);
 			path = tests;
 			sourceTree = "<group>";
@@ -2302,6 +2306,7 @@
 				B2936F8020ABFFC50050C585 /* MSIDAADOauth2FactoryTests.m in Sources */,
 				B2936F5020AA954A0050C585 /* MSIDAccountCacheItemTests.m in Sources */,
 				B2808004204CB2A700944D89 /* MSIDAADV1TokenResponseTests.m in Sources */,
+				B279835A20D33A0A0051167F /* MSIDIdTokenClaimsTests.m in Sources */,
 				B2936F4F20AA908F0050C585 /* MSIDCredentialCacheItemTests.m in Sources */,
 				B2936F7520ABF4940050C585 /* MSIDIdTokenTests.m in Sources */,
 				B2936F9120AE913E0050C585 /* MSIDLegacyTokenCacheIntegrationTests.m in Sources */,
@@ -2537,6 +2542,7 @@
 				B2DD5B9F204761550084313F /* MSIDAccessTokenTests.m in Sources */,
 				B2DD5BC120479AA80084313F /* MSIDJsonSerializerTests.m in Sources */,
 				B2DD5BB2204789FB0084313F /* MSIDIdTokenTests.m in Sources */,
+				B279835B20D33A0A0051167F /* MSIDIdTokenClaimsTests.m in Sources */,
 				B20657D01FC92B8F00412B7D /* MSIDTelemetryUIEventTests.m in Sources */,
 				B26A0B972072B9CB006BD95A /* MSIDAADV1Oauth2FactoryTests.m in Sources */,
 				B2DD5BA2204761660084313F /* MSIDLegacySingleResourceTokenTests.m in Sources */,

IdentityCore/src/cache/MSIDCacheAccessor.h

@@ -61,7 +61,7 @@
                                error:(NSError **)error;
 
 /*!
- This method saves only the SSO artifacts to the cache based on the broker response.
+ This method saves only the SSO artifacts to the cache based on the response.
  */
 - (BOOL)saveSSOStateWithConfiguration:(MSIDConfiguration *)configuration
                              response:(MSIDTokenResponse *)response

IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m

@@ -233,7 +233,7 @@ - (MSIDAccessToken *)getAccessTokenForAccount:(MSIDAccountIdentifier *)account
     query.realm = configuration.authority.msidTenant;
     query.clientId = configuration.clientId;
     query.target = configuration.target;
-    query.targetMatchingOptions = SubSet;
+    query.targetMatchingOptions = MSIDSubSet;
     query.credentialType = MSIDAccessTokenType;
 
     return (MSIDAccessToken *) [self getTokenWithAuthority:configuration.authority
@@ -286,7 +286,7 @@ - (MSIDIdToken *)getIDTokenForAccount:(MSIDAccountIdentifier *)account
     credentialsQuery.credentialType = MSIDRefreshTokenType;
     credentialsQuery.clientId = clientId;
     credentialsQuery.familyId = familyId;
-    credentialsQuery.clientIdMatchingOptions = SuperSet;
+    credentialsQuery.clientIdMatchingOptions = MSIDSuperSet;
     credentialsQuery.environmentAliases = environmentAliases;
 
     NSArray<MSIDCredentialCacheItem *> *resultCredentials = [_accountCredentialCache getCredentialsWithQuery:credentialsQuery legacyUserId:nil context:context error:error];
@@ -538,7 +538,7 @@ - (BOOL)saveAccessToken:(MSIDAccessToken *)accessToken
     query.realm = accessToken.authority.msidTenant;
     query.clientId = accessToken.clientId;
     query.target = [accessToken.scopes msidToString];
-    query.targetMatchingOptions = Intersect;
+    query.targetMatchingOptions = MSIDIntersect;
     query.credentialType = MSIDAccessTokenType;
 
     BOOL result = [_accountCredentialCache removeCredetialsWithQuery:query context:context error:error];

IdentityCore/src/cache/key/MSIDDefaultCredentialCacheQuery.h

@@ -26,10 +26,10 @@
 #import "MSIDDefaultCredentialCacheKey.h"
 
 typedef NS_ENUM(NSUInteger, MSIDComparisonOptions) {
-    ExactStringMatch,
-    SubSet,
-    Intersect,
-    SuperSet
+    MSIDExactStringMatch,
+    MSIDSubSet,
+    MSIDIntersect,
+    MSIDSuperSet
 };
 
 @interface MSIDDefaultCredentialCacheQuery : MSIDDefaultCredentialCacheKey

IdentityCore/src/cache/key/MSIDDefaultCredentialCacheQuery.m

@@ -31,8 +31,8 @@ - (instancetype)init
 
     if (self)
     {
-        _targetMatchingOptions = ExactStringMatch;
-        _clientIdMatchingOptions = ExactStringMatch;
+        _targetMatchingOptions = MSIDExactStringMatch;
+        _clientIdMatchingOptions = MSIDExactStringMatch;
         _matchAnyCredentialType = NO;
     }
 
@@ -82,7 +82,7 @@ - (NSString *)serviceForAccessToken
     if (self.queryClientId
         && self.realm
         && self.target
-        && self.targetMatchingOptions == ExactStringMatch)
+        && self.targetMatchingOptions == MSIDExactStringMatch)
     {
         return [self serviceWithType:self.credentialType clientID:self.queryClientId realm:self.realm target:self.target];
     }
@@ -155,7 +155,7 @@ - (BOOL)exactMatch
 - (NSString *)queryClientId
 {
     if ((self.clientId || self.familyId)
-        && (self.clientIdMatchingOptions == ExactStringMatch))
+        && (self.clientIdMatchingOptions == MSIDExactStringMatch))
     {
         return self.familyId ? self.familyId : self.clientId;
     }

IdentityCore/src/cache/token/MSIDCredentialCacheItem.m

@@ -228,11 +228,11 @@ - (BOOL)matchesTarget:(NSString *)target comparisonOptions:(MSIDComparisonOption
     }
 
     switch (comparisonOptions) {
-        case ExactStringMatch:
+        case MSIDExactStringMatch:
             return [self.target isEqualToString:target];
-        case SubSet:
+        case MSIDSubSet:
             return [[target scopeSet] isSubsetOfOrderedSet:[self.target scopeSet]];
-        case Intersect:
+        case MSIDIntersect:
             return [[target scopeSet] intersectsOrderedSet:[self.target scopeSet]];
         default:
             return NO;
@@ -299,7 +299,7 @@ - (BOOL)matchesWithRealm:(nullable NSString *)realm
           targetMatching:(MSIDComparisonOptions)matchingOptions
         clientIdMatching:(MSIDComparisonOptions)clientIDMatchingOptions
 {
-    if (clientIDMatchingOptions == SuperSet && (clientId || familyId))
+    if (clientIDMatchingOptions == MSIDSuperSet && (clientId || familyId))
     {
         if (![self.clientId isEqualToString:clientId]
             && ![self.familyId isEqualToString:familyId])

IdentityCore/src/oauth2/MSIDIdTokenClaims.m

@@ -50,6 +50,11 @@ - (instancetype)initWithRawIdToken:(NSString *)rawIdTokenString error:(NSError *
 {
     if ([NSString msidIsStringNilOrBlank:rawIdTokenString])
     {
+        if (error)
+        {
+            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorServerInvalidResponse, @"Nil id_token passed", nil, nil, nil, nil, nil);
+        }
+
         return nil;
     }
 
@@ -65,6 +70,12 @@ - (instancetype)initWithRawIdToken:(NSString *)rawIdTokenString error:(NSError *
     if (parts.count < 1)
     {
         MSID_LOG_ERROR(nil, @"Id token is invalid");
+
+        if (error)
+        {
+            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorServerInvalidResponse, @"Server returned empty id token", nil, nil, nil, nil, nil);
+        }
+
         return nil;
     }
 
@@ -83,12 +94,20 @@ - (instancetype)initWithRawIdToken:(NSString *)rawIdTokenString error:(NSError *
             {
                 MSID_LOG_WARN(nil, @"Failed to deserialize part of the id_token");
                 MSID_LOG_WARN_PII(nil, @"Failed to deserialize part of the id_token %@", jsonError);
+
+                if (error) *error = jsonError;
                 return nil;
             }
 
             if (![jsonObject isKindOfClass:[NSDictionary class]])
             {
                 MSID_LOG_WARN(nil, @"Invalid id token format");
+
+                if (error)
+                {
+                    *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorServerInvalidResponse, @"Server returned invalid id token", nil, nil, nil, nil, nil);
+                }
+
                 return nil;
             }
 
@@ -99,6 +118,12 @@ - (instancetype)initWithRawIdToken:(NSString *)rawIdTokenString error:(NSError *
     if (![allClaims count])
     {
         MSID_LOG_WARN(nil, @"Id token is invalid");
+
+        if (error)
+        {
+            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorServerInvalidResponse, @"Server returned id token without any claims", nil, nil, nil, nil, nil);
+        }
+
         return nil;
     }
 
@@ -109,7 +134,6 @@ - (instancetype)initWithRawIdToken:(NSString *)rawIdTokenString error:(NSError *
     }
 
     [self initDerivedProperties];
-    
     return self;
 }
 

IdentityCore/src/oauth2/aad_base/MSIDAADOauth2Factory.m

@@ -158,7 +158,7 @@ - (NSURL *)cacheURLForAuthority:(NSURL *)originalAuthority
 
     if ([MSIDAuthority isTenantless:originalAuthority])
     {
-        // If it's a tenantless authority, lookupb by universal "common" authority, which is supported by both v1 and v2
+        // If it's a tenantless authority, lookup by universal "common" authority, which is supported by both v1 and v2
         [lookupAuthorities addObject:[MSIDAuthority universalAuthorityURL:originalAuthority]];
     }
     else

IdentityCore/tests/MSIDAccountCredentialsCacheTests.m

@@ -831,7 +831,7 @@ - (void)testGetCredentialsWithQuery_whenNotExactMatch_andAccessTokenQuery_matchB
     MSIDDefaultCredentialCacheQuery *query = [MSIDDefaultCredentialCacheQuery new];
     query.credentialType = MSIDAccessTokenType;
     query.target = @"user.write";
-    query.targetMatchingOptions = SubSet;
+    query.targetMatchingOptions = MSIDSubSet;
 
     XCTAssertFalse(query.exactMatch);
     NSError *error = nil;
@@ -856,7 +856,7 @@ - (void)testGetCredentialsWithQuery_whenNotExactMatch_andAccessTokenQuery_matchB
     MSIDDefaultCredentialCacheQuery *query = [MSIDDefaultCredentialCacheQuery new];
     query.credentialType = MSIDAccessTokenType;
     query.target = @"user.write user.sing";
-    query.targetMatchingOptions = Intersect;
+    query.targetMatchingOptions = MSIDIntersect;
 
     XCTAssertFalse(query.exactMatch);
     NSError *error = nil;

IdentityCore/tests/MSIDIdTokenClaimsTests.m

@@ -0,0 +1,102 @@
+//------------------------------------------------------------------------------
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+//
+//------------------------------------------------------------------------------
+
+#import <XCTest/XCTest.h>
+#import "MSIDIdTokenClaims.h"
+
+@interface MSIDIdTokenClaimsTests : XCTestCase
+
+@end
+
+@implementation MSIDIdTokenClaimsTests
+
+- (void)testInitWithRawIdToken_whenInvalidJSONInOnePart_shouldReturnNilNonNilError
+{
+    NSString *testIdToken = @"W10.e30.";
+    NSError *error = nil;
+    MSIDIdTokenClaims *claims = [[MSIDIdTokenClaims alloc] initWithRawIdToken:testIdToken error:&error];
+    XCTAssertNil(claims);
+    XCTAssertNotNil(error);
+}
+
+- (void)testInitWithRawIdToken_whenNonDictionaryJSONInOnePart_shouldReturnNilNonNilError
+{
+    NSString *testIdToken = @"e30.e30.";
+    NSError *error = nil;
+    MSIDIdTokenClaims *claims = [[MSIDIdTokenClaims alloc] initWithRawIdToken:testIdToken error:&error];
+    XCTAssertNil(claims);
+    XCTAssertNil(claims);
+}
+
+- (void)testInitWithRawIdToken_whenNilToken_shouldReturnNilAndNonNilError
+{
+    NSError *error = nil;
+    MSIDIdTokenClaims *claims = [[MSIDIdTokenClaims alloc] initWithRawIdToken:nil error:&error];
+    XCTAssertNil(claims);
+    XCTAssertNotNil(error);
+}
+
+- (void)testInitWithRawIdToken_whenValidIDToken_andUnsignedWithTwoParts_shouldReturnNoNilClaimsNilError
+{
+    NSString *testIdToken = @"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlRlc3QiLCJpYXQiOjE1MTYyMzkwMjJ9";
+    NSError *error = nil;
+    MSIDIdTokenClaims *claims = [[MSIDIdTokenClaims alloc] initWithRawIdToken:testIdToken error:&error];
+    XCTAssertNotNil(claims);
+    XCTAssertNil(error);
+    XCTAssertNotNil([claims jsonDictionary]);
+    XCTAssertEqualObjects([claims jsonDictionary][@"name"], @"Test");
+    XCTAssertEqualObjects([claims jsonDictionary][@"sub"], @"1234567890");
+    XCTAssertEqualObjects([claims jsonDictionary][@"iat"], @1516239022);
+}
+
+- (void)testInitWithRawIdToken_whenValidIDToken_andUnsigned_shouldReturnNoNilClaimsNilError
+{
+    NSString *testIdToken = @"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlRlc3QiLCJpYXQiOjE1MTYyMzkwMjJ9.";
+    NSError *error = nil;
+    MSIDIdTokenClaims *claims = [[MSIDIdTokenClaims alloc] initWithRawIdToken:testIdToken error:&error];
+    XCTAssertNotNil(claims);
+    XCTAssertNil(error);
+    XCTAssertNotNil([claims jsonDictionary]);
+    XCTAssertEqualObjects([claims jsonDictionary][@"name"], @"Test");
+    XCTAssertEqualObjects([claims jsonDictionary][@"sub"], @"1234567890");
+    XCTAssertEqualObjects([claims jsonDictionary][@"iat"], @1516239022);
+}
+
+- (void)testInitWithRawIdToken_whenValidIDToken_andSigned_shouldReturnNoNilClaimsNilError
+{
+    NSString *testIdToken = @"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlRlc3QiLCJpYXQiOjE1MTYyMzkwMjJ9.N8AkaYjoO2a_G5vpSKJxL-YCPWfX47VWoUzLwneVb8Y";
+    NSError *error = nil;
+    MSIDIdTokenClaims *claims = [[MSIDIdTokenClaims alloc] initWithRawIdToken:testIdToken error:&error];
+    XCTAssertNotNil(claims);
+    XCTAssertNil(error);
+    XCTAssertNotNil([claims jsonDictionary]);
+    XCTAssertEqualObjects([claims jsonDictionary][@"name"], @"Test");
+    XCTAssertEqualObjects([claims jsonDictionary][@"sub"], @"1234567890");
+    XCTAssertEqualObjects([claims jsonDictionary][@"iat"], @1516239022);
+}
+
+@end