Required feature update

Avery-Dunn · Avery-Dunn · commit 68bba5168b61 · 2024-06-06T10:07:35.000-07:00
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AzureArcManagedIdentitySource.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AzureArcManagedIdentitySource.java
@@ -19,9 +19,13 @@
 
 class AzureArcManagedIdentitySource extends AbstractManagedIdentitySource{
 
-    private final static Logger LOG = LoggerFactory.getLogger(AzureArcManagedIdentitySource.class);
+    private static final Logger LOG = LoggerFactory.getLogger(AzureArcManagedIdentitySource.class);
     private static final String ARC_API_VERSION = "2019-11-01";
     private static final String AZURE_ARC = "Azure Arc";
+    private static final String WINDOWS_PATH = System.getenv("ProgramData") + "/AzureConnectedMachineAgent/Tokens/";
+    private static final String LINUX_PATH = "/var/opt/azcmagent/tokens/";
+    private static final String FILE_EXTENSION = ".key";
+    private static final int MAX_FILE_SIZE_BYTES = 4096;
 
     private final URI MSI_ENDPOINT;
 
@@ -91,13 +95,13 @@ public ManagedIdentityResponse handleResponse(
         LOG.info("[Managed Identity] Response received. Status code: {response.StatusCode}");
 
         if (response.statusCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
-            if(!response.headers().containsKey("Www-Authenticate")) {
+            if(!response.headers().containsKey("WWW-Authenticate")) {
                 LOG.error("[Managed Identity] WWW-Authenticate header is expected but not found.");
                 throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_NO_CHALLENGE_ERROR, MsalError.MANAGED_IDENTITY_REQUEST_FAILED,
                         ManagedIdentitySourceType.AZURE_ARC);
             }
 
-            String challenge = response.headers().get("Www-Authenticate").get(0);
+            String challenge = response.headers().get("WWW-Authenticate").get(0);
             String[] splitChallenge = challenge.split("=");
 
             if (splitChallenge.length != 2) {
@@ -106,7 +110,15 @@ public ManagedIdentityResponse handleResponse(
                         ManagedIdentitySourceType.AZURE_ARC);
             }
 
-            Path path = Paths.get(splitChallenge[1]);
+            Path path = Paths.get(splitChallenge[1]).normalize();
+
+            validateFile(path);
+
+            if (!path.toFile().exists()) {
+                LOG.error("[Managed Identity] The WWW-Authenticate header specifies a file that does not exist");
+                throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_INVALID_FILEPATH, MsalError.MANAGED_IDENTITY_FILE_READ_ERROR,
+                        ManagedIdentitySourceType.AZURE_ARC);
+            }
 
             String authHeaderValue = null;
             try {
@@ -137,4 +149,35 @@ public ManagedIdentityResponse handleResponse(
 
         return super.handleResponse(parameters, response);
     }
+
+    private void validateFile(Path path) {
+        String osName = System.getProperty("os.name").toLowerCase();
+        if (!(osName.contains("windows") || osName.contains("linux"))) {
+            LOG.error(String.format("[Managed Identity] Unsupported platform: %s", osName));
+            throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_PLATFORM_NOT_SUPPORTED, MsalError.MANAGED_IDENTITY_FILE_READ_ERROR,
+                    ManagedIdentitySourceType.AZURE_ARC);
+        }
+
+        if (isValidWindowsPath(path) || isValidLinuxPath(path)) {
+            if (path.toFile().length() > MAX_FILE_SIZE_BYTES) {
+                LOG.error(String.format("[Managed Identity] File is larger than %s bytes.", MAX_FILE_SIZE_BYTES));
+                throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_INVALID_FILEPATH, MsalError.MANAGED_IDENTITY_FILE_READ_ERROR,
+                        ManagedIdentitySourceType.AZURE_ARC);
+            }
+        } else {
+            LOG.error("[Managed Identity] Invalid filepath.");
+            throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_INVALID_FILEPATH, MsalError.MANAGED_IDENTITY_FILE_READ_ERROR,
+                    ManagedIdentitySourceType.AZURE_ARC);
+        }
+
+        LOG.error("[Managed Identity] Path passed validation.");
+    }
+
+    private boolean isValidWindowsPath(Path path) {
+        return path.startsWith(WINDOWS_PATH) && path.toString().toLowerCase().endsWith(FILE_EXTENSION);
+    }
+
+    private boolean isValidLinuxPath(Path path) {
+        return path.startsWith(LINUX_PATH) && path.toString().toLowerCase().endsWith(FILE_EXTENSION);
+    }
 }
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/MsalErrorMessage.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/MsalErrorMessage.java
@@ -11,6 +11,10 @@ class MsalErrorMessage {
 
     public static final String MANAGED_IDENTITY_INVALID_CHALLENGE = "[Managed Identity] The WWW-Authenticate header in the response from Azure Arc Managed Identity Endpoint did not match the expected format.";
 
+    public static final String MANAGED_IDENTITY_PLATFORM_NOT_SUPPORTED = "[Managed Identity] This managed identity source is not available on this platform.";
+
+    public static final String MANAGED_IDENTITY_INVALID_FILEPATH = "[Managed Identity] The file on the file path in the WWW-Authenticate header is not secure or could not be found.";
+
     public static final String MANAGED_IDENTITY_USER_ASSIGNED_NOT_CONFIGURABLE_AT_RUNTIME = "[Managed Identity] Service Fabric user assigned managed identity ClientId or ResourceId is not configurable at runtime.";
 
     public static final String MANAGED_IDENTITY_USER_ASSIGNED_NOT_SUPPORTED = "[Managed Identity] User assigned identity is not supported by the %s Managed Identity. To authenticate with the system assigned identity use ManagedIdentityApplication.builder(ManagedIdentityId.systemAssigned()).build().";
diff --git a/msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/ManagedIdentityTests.java b/msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/ManagedIdentityTests.java
@@ -24,6 +24,8 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
 
 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.Mockito.*;
@@ -602,25 +604,23 @@ void azureArcManagedIdentity_InvalidAuthHeader() throws Exception {
     }
 
     @Test
-    void azureArcManagedIdentityAuthheaderTest() throws Exception {
-        Path path = Paths.get(this.getClass().getResource("/msi-azure-arc-secret.txt").toURI());
+    void azureArcManagedIdentityAuthheaderValidationTest() throws Exception {
         IEnvironmentVariables environmentVariables = new EnvironmentVariablesHelper(ManagedIdentitySourceType.AZURE_ARC, azureArcEndpoint);
         ManagedIdentityApplication.setEnvironmentVariables(environmentVariables);
         ManagedIdentityClient.resetManagedIdentitySourceType();
         DefaultHttpClient httpClientMock = mock(DefaultHttpClient.class);
 
-        // Mock 401 response that returns www-authenticate header
+        //Both a missing file and an invalid path structure should throw an exception
+        Path validPathWithMissingFile = Paths.get(System.getenv("ProgramData")+ "/AzureConnectedMachineAgent/Tokens/secret.key");
+        Path invalidPathWithRealFile = Paths.get(this.getClass().getResource("/msi-azure-arc-secret.txt").toURI());
+
+        // Mock 401 response that returns WWW-Authenticate header
         HttpResponse response = new HttpResponse();
         response.statusCode(HttpStatus.SC_UNAUTHORIZED);
-        response.headers().put("Www-Authenticate", Collections.singletonList("Basic realm=" + path));
+        response.headers().put("WWW-Authenticate", Collections.singletonList("Basic realm=" + validPathWithMissingFile));
 
         when(httpClientMock.send(expectedRequest(ManagedIdentitySourceType.AZURE_ARC, resource))).thenReturn(response);
 
-        // Mock the response when Authorization header is sent in request
-        HttpRequest expectedRequest = expectedRequest(ManagedIdentitySourceType.AZURE_ARC, resource);
-        expectedRequest.headers().put("Authorization", "Basic secret");
-        when(httpClientMock.send(expectedRequest)).thenReturn(expectedResponse(200, getSuccessfulResponse(resource)));
-
         miApp = ManagedIdentityApplication
                 .builder(ManagedIdentityId.systemAssigned())
                 .httpClient(httpClientMock)
@@ -629,10 +629,18 @@ void azureArcManagedIdentityAuthheaderTest() throws Exception {
         // Clear caching to avoid cross test pollution.
         miApp.tokenCache().accessTokens.clear();
 
-        IAuthenticationResult result = miApp.acquireTokenForManagedIdentity(
-                ManagedIdentityParameters.builder(resource)
-                        .build()).get();
+        CompletableFuture<IAuthenticationResult> future = miApp.acquireTokenForManagedIdentity(ManagedIdentityParameters.builder(resource).build());
 
-        assertNotNull(result.accessToken());
+        ExecutionException ex = assertThrows(ExecutionException.class, future::get);
+        assertTrue(ex.getCause() instanceof MsalServiceException);
+        assertTrue(ex.getMessage().contains(MsalErrorMessage.MANAGED_IDENTITY_INVALID_FILEPATH));
+
+        response.headers().put("WWW-Authenticate", Collections.singletonList("Basic realm=" + invalidPathWithRealFile));
+
+        future = miApp.acquireTokenForManagedIdentity(ManagedIdentityParameters.builder(resource).build());
+
+        ex = assertThrows(ExecutionException.class, future::get);
+        assertTrue(ex.getCause() instanceof MsalServiceException);
+        assertTrue(ex.getMessage().contains(MsalErrorMessage.MANAGED_IDENTITY_INVALID_FILEPATH));
     }
 }
