Merge pull request #885 from blancqua/blancqua/www-auth-fix

Fix Www-Authenticate not being read

Author: Avery-Dunn

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AzureArcManagedIdentitySource.java

@@ -14,8 +14,7 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
-import java.util.Collections;
-import java.util.HashMap;
+import java.util.*;
 
 class AzureArcManagedIdentitySource extends AbstractManagedIdentitySource{
 
@@ -26,6 +25,7 @@ class AzureArcManagedIdentitySource extends AbstractManagedIdentitySource{
     private static final String LINUX_PATH = "/var/opt/azcmagent/tokens/";
     private static final String FILE_EXTENSION = ".key";
     private static final int MAX_FILE_SIZE_BYTES = 4096;
+    private static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";
 
     private final URI MSI_ENDPOINT;
 
@@ -92,20 +92,20 @@ public ManagedIdentityResponse handleResponse(
             ManagedIdentityParameters parameters,
             IHttpResponse response) {
 
-        LOG.info("[Managed Identity] Response received. Status code: {response.StatusCode}");
+        LOG.info("[Managed Identity] Response received. Status code: {}", response.statusCode());
 
         if (response.statusCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
-            if(!response.headers().containsKey("WWW-Authenticate")) {
-                LOG.error("[Managed Identity] WWW-Authenticate header is expected but not found.");
-                throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_NO_CHALLENGE_ERROR, MsalError.MANAGED_IDENTITY_REQUEST_FAILED,
-                        ManagedIdentitySourceType.AZURE_ARC);
-            }
-
-            String challenge = response.headers().get("WWW-Authenticate").get(0);
+            String challenge =
+                    readChallengeFrom(response)
+                            .orElseGet(() -> {
+                                LOG.error("[Managed Identity] {} is expected but not found.", WWW_AUTHENTICATE_HEADER);
+                                throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_NO_CHALLENGE_ERROR, MsalError.MANAGED_IDENTITY_REQUEST_FAILED,
+                                        ManagedIdentitySourceType.AZURE_ARC);
+                            });
             String[] splitChallenge = challenge.split("=");
 
             if (splitChallenge.length != 2) {
-                LOG.error("[Managed Identity] The WWW-Authenticate header for Azure arc managed identity is not an expected format.");
+                LOG.error("[Managed Identity] The {} header for Azure arc managed identity is not an expected format.", WWW_AUTHENTICATE_HEADER);
                 throw new MsalServiceException(MsalErrorMessage.MANAGED_IDENTITY_INVALID_CHALLENGE, MsalError.MANAGED_IDENTITY_REQUEST_FAILED,
                         ManagedIdentitySourceType.AZURE_ARC);
             }
@@ -150,6 +150,16 @@ public ManagedIdentityResponse handleResponse(
         return super.handleResponse(parameters, response);
     }
 
+    private Optional<String> readChallengeFrom(IHttpResponse response) {
+        return response.headers()
+                .entrySet()
+                .stream()
+                .filter(entry -> WWW_AUTHENTICATE_HEADER.equalsIgnoreCase(entry.getKey()))
+                .map(Map.Entry::getValue)
+                .flatMap(Collection::stream)
+                .findFirst();
+    }
+
     private void validateFile(Path path) {
         String osName = System.getProperty("os.name").toLowerCase();
         if (!(osName.contains("windows") || osName.contains("linux"))) {
@@ -170,7 +180,7 @@ private void validateFile(Path path) {
                     ManagedIdentitySourceType.AZURE_ARC);
         }
 
-        LOG.error("[Managed Identity] Path passed validation.");
+        LOG.info("[Managed Identity] Path passed validation.");
     }
 
     private boolean isValidWindowsPath(Path path) {

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/ManagedIdentityTests.java

@@ -4,29 +4,29 @@
 package com.microsoft.aad.msal4j;
 
 import com.nimbusds.oauth2.sdk.util.URLUtils;
-import org.apache.http.HttpStatus;
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.TestInstance;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.MethodSource;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.mockito.junit.jupiter.MockitoExtension;
 
 import java.net.SocketException;
-import java.net.URISyntaxException;
 import java.nio.file.Path;
 import java.nio.file.Paths;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutionException;
 
+import static com.microsoft.aad.msal4j.ManagedIdentitySourceType.*;
+import static com.microsoft.aad.msal4j.MsalError.*;
+import static com.microsoft.aad.msal4j.MsalErrorMessage.*;
+import static java.util.Collections.*;
+import static org.apache.http.HttpStatus.*;
 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.Mockito.*;
 
@@ -77,8 +77,8 @@ private HttpRequest expectedRequest(ManagedIdentitySourceType source, String res
             case APP_SERVICE: {
                 endpoint = appServiceEndpoint;
 
-                queryParameters.put("api-version", Collections.singletonList("2019-08-01"));
-                queryParameters.put("resource", Collections.singletonList(resource));
+                queryParameters.put("api-version", singletonList("2019-08-01"));
+                queryParameters.put("resource", singletonList(resource));
 
                 headers.put("X-IDENTITY-HEADER", "secret");
                 break;
@@ -89,43 +89,43 @@ private HttpRequest expectedRequest(ManagedIdentitySourceType source, String res
                 headers.put("ContentType", "application/x-www-form-urlencoded");
                 headers.put("Metadata", "true");
 
-                bodyParameters.put("resource", Collections.singletonList(resource));
+                bodyParameters.put("resource", singletonList(resource));
 
-                queryParameters.put("resource", Collections.singletonList(resource));
+                queryParameters.put("resource", singletonList(resource));
                 return new HttpRequest(HttpMethod.GET, computeUri(endpoint, queryParameters), headers, URLUtils.serializeParameters(bodyParameters));
             }
             case IMDS: {
                 endpoint = IMDS_ENDPOINT;
-                queryParameters.put("api-version", Collections.singletonList("2018-02-01"));
-                queryParameters.put("resource", Collections.singletonList(resource));
+                queryParameters.put("api-version", singletonList("2018-02-01"));
+                queryParameters.put("resource", singletonList(resource));
                 headers.put("Metadata", "true");
                 break;
             }
             case AZURE_ARC: {
                 endpoint = azureArcEndpoint;
 
-                queryParameters.put("api-version", Collections.singletonList("2019-11-01"));
-                queryParameters.put("resource", Collections.singletonList(resource));
+                queryParameters.put("api-version", singletonList("2019-11-01"));
+                queryParameters.put("resource", singletonList(resource));
 
                 headers.put("Metadata", "true");
                 break;
             }
             case SERVICE_FABRIC:
                 endpoint = serviceFabricEndpoint;
-                queryParameters.put("api-version", Collections.singletonList("2019-07-01-preview"));
-                queryParameters.put("resource", Collections.singletonList(resource));
+                queryParameters.put("api-version", singletonList("2019-07-01-preview"));
+                queryParameters.put("resource", singletonList(resource));
                 break;
         }
 
         switch (id.getIdType()) {
             case CLIENT_ID:
-                queryParameters.put("client_id", Collections.singletonList(id.getUserAssignedId()));
+                queryParameters.put("client_id", singletonList(id.getUserAssignedId()));
                 break;
             case RESOURCE_ID:
-                queryParameters.put("mi_res_id", Collections.singletonList(id.getUserAssignedId()));
+                queryParameters.put("mi_res_id", singletonList(id.getUserAssignedId()));
                 break;
             case OBJECT_ID:
-                queryParameters.put("object_id", Collections.singletonList(id.getUserAssignedId()));
+                queryParameters.put("object_id", singletonList(id.getUserAssignedId()));
                 break;
         }
 
@@ -511,43 +511,6 @@ void managedIdentity_RequestFailed_UnreachableNetwork(ManagedIdentitySourceType
         verify(httpClientMock, times(1)).send(any());
     }
 
-    @Test
-    void azureArcManagedIdentity_MissingAuthHeader() throws Exception {
-        IEnvironmentVariables environmentVariables = new EnvironmentVariablesHelper(ManagedIdentitySourceType.AZURE_ARC, azureArcEndpoint);
-        ManagedIdentityApplication.setEnvironmentVariables(environmentVariables);
-        DefaultHttpClient httpClientMock = mock(DefaultHttpClient.class);
-
-        HttpResponse response = new HttpResponse();
-        response.statusCode(HttpStatus.SC_UNAUTHORIZED);
-
-        when(httpClientMock.send(any())).thenReturn(response);
-
-        miApp = ManagedIdentityApplication
-                .builder(ManagedIdentityId.systemAssigned())
-                .httpClient(httpClientMock)
-                .build();
-
-        // Clear caching to avoid cross test pollution.
-        miApp.tokenCache().accessTokens.clear();
-
-        try {
-            miApp.acquireTokenForManagedIdentity(
-                    ManagedIdentityParameters.builder(resource)
-                            .build()).get();
-        } catch (Exception exception) {
-            assert(exception.getCause() instanceof MsalServiceException);
-
-            MsalServiceException miException = (MsalServiceException) exception.getCause();
-            assertEquals(ManagedIdentitySourceType.AZURE_ARC.name(), miException.managedIdentitySource());
-            assertEquals(MsalError.MANAGED_IDENTITY_REQUEST_FAILED, miException.errorCode());
-            assertEquals(MsalErrorMessage.MANAGED_IDENTITY_NO_CHALLENGE_ERROR, miException.getMessage());
-            return;
-        }
-
-        fail("MsalServiceException is expected but not thrown.");
-        verify(httpClientMock, times(1)).send(any());
-    }
-
     @ParameterizedTest
     @MethodSource("com.microsoft.aad.msal4j.ManagedIdentityTestDataProvider#createDataError")
     void managedIdentity_SharedCache(ManagedIdentitySourceType source, String endpoint) throws Exception {
@@ -589,81 +552,85 @@ void managedIdentity_SharedCache(ManagedIdentitySourceType source, String endpoi
         verify(httpClientMock, times(1)).send(any());
     }
 
-    @Test
-    void azureArcManagedIdentity_InvalidAuthHeader() throws Exception {
-        IEnvironmentVariables environmentVariables = new EnvironmentVariablesHelper(ManagedIdentitySourceType.AZURE_ARC, azureArcEndpoint);
-        ManagedIdentityApplication.setEnvironmentVariables(environmentVariables);
-        DefaultHttpClient httpClientMock = mock(DefaultHttpClient.class);
-
-        HttpResponse response = new HttpResponse();
-        response.statusCode(HttpStatus.SC_UNAUTHORIZED);
-        response.headers().put("WWW-Authenticate", Collections.singletonList("xyz"));
+    @Nested
+    class AzureArc {
 
-        when(httpClientMock.send(any())).thenReturn(response);
+        @Test
+        void missingAuthHeader() throws Exception {
+            mockHttpResponse(emptyMap());
 
-        miApp = ManagedIdentityApplication
-                .builder(ManagedIdentityId.systemAssigned())
-                .httpClient(httpClientMock)
-                .build();
-
-        // Clear caching to avoid cross test pollution.
-        miApp.tokenCache().accessTokens.clear();
+            assertMsalServiceException(MANAGED_IDENTITY_REQUEST_FAILED, MANAGED_IDENTITY_NO_CHALLENGE_ERROR);
+        }
 
-        try {
-            miApp.acquireTokenForManagedIdentity(
-                    ManagedIdentityParameters.builder(resource)
-                            .build()).get();
-        } catch (Exception exception) {
-            assert(exception.getCause() instanceof MsalServiceException);
+        @ParameterizedTest
+        @ValueSource(strings = {"WWW-Authenticate", "Www-Authenticate"})
+        void invalidAuthHeader(String authHeaderKey) throws Exception {
+            mockHttpResponse(singletonMap(authHeaderKey, singletonList("xyz")));
 
-            MsalServiceException miException = (MsalServiceException) exception.getCause();
-            assertEquals(ManagedIdentitySourceType.AZURE_ARC.name(), miException.managedIdentitySource());
-            assertEquals(MsalError.MANAGED_IDENTITY_REQUEST_FAILED, miException.errorCode());
-            assertEquals(MsalErrorMessage.MANAGED_IDENTITY_INVALID_CHALLENGE, miException.getMessage());
-            return;
+            assertMsalServiceException(MANAGED_IDENTITY_REQUEST_FAILED,
+                    MANAGED_IDENTITY_INVALID_CHALLENGE);
         }
 
-        fail("MsalServiceException is expected but not thrown.");
-        verify(httpClientMock, times(1)).send(any());
-    }
+        @ParameterizedTest
+        @ValueSource(strings = {"WWW-Authenticate", "Www-Authenticate"})
+        void validPathWithMissingFile(String authHeaderKey)
+                throws Exception {
+            Path validPathWithMissingFile = Paths.get(
+                    System.getenv("ProgramData") + "/AzureConnectedMachineAgent/Tokens/secret.key");
 
-    @Test
-    void azureArcManagedIdentityAuthheaderValidationTest() throws Exception {
-        IEnvironmentVariables environmentVariables = new EnvironmentVariablesHelper(ManagedIdentitySourceType.AZURE_ARC, azureArcEndpoint);
-        ManagedIdentityApplication.setEnvironmentVariables(environmentVariables);
-        DefaultHttpClient httpClientMock = mock(DefaultHttpClient.class);
+            mockHttpResponse(singletonMap(authHeaderKey, singletonList("Basic realm=" + validPathWithMissingFile)));
 
-        //Both a missing file and an invalid path structure should throw an exception
-        Path validPathWithMissingFile = Paths.get(System.getenv("ProgramData")+ "/AzureConnectedMachineAgent/Tokens/secret.key");
-        Path invalidPathWithRealFile = Paths.get(this.getClass().getResource("/msi-azure-arc-secret.txt").toURI());
+            assertMsalServiceException(MANAGED_IDENTITY_FILE_READ_ERROR,
+                    MANAGED_IDENTITY_INVALID_FILEPATH);
+        }
 
-        // Mock 401 response that returns WWW-Authenticate header
-        HttpResponse response = new HttpResponse();
-        response.statusCode(HttpStatus.SC_UNAUTHORIZED);
-        response.headers().put("WWW-Authenticate", Collections.singletonList("Basic realm=" + validPathWithMissingFile));
+        @ParameterizedTest
+        @ValueSource(strings = {"WWW-Authenticate", "Www-Authenticate"})
+        void invalidPathWithRealFile(String authHeaderKey)
+                throws Exception {
+            Path invalidPathWithRealFile = Paths.get(
+                    this.getClass().getResource("/msi-azure-arc-secret.txt").toURI());
 
-        when(httpClientMock.send(expectedRequest(ManagedIdentitySourceType.AZURE_ARC, resource))).thenReturn(response);
+            mockHttpResponse(singletonMap(authHeaderKey, singletonList("Basic realm=" + invalidPathWithRealFile)));
 
-        miApp = ManagedIdentityApplication
-                .builder(ManagedIdentityId.systemAssigned())
-                .httpClient(httpClientMock)
-                .build();
+            assertMsalServiceException(MANAGED_IDENTITY_FILE_READ_ERROR,
+                    MANAGED_IDENTITY_INVALID_FILEPATH);
+        }
 
-        // Clear caching to avoid cross test pollution.
-        miApp.tokenCache().accessTokens.clear();
+        private void mockHttpResponse(Map<String, ? extends List<String>> responseHeaders) throws Exception {
+            IEnvironmentVariables environmentVariables = new EnvironmentVariablesHelper(AZURE_ARC, azureArcEndpoint);
+            ManagedIdentityApplication.setEnvironmentVariables(environmentVariables);
+            DefaultHttpClient httpClientMock = mock(DefaultHttpClient.class);
 
-        CompletableFuture<IAuthenticationResult> future = miApp.acquireTokenForManagedIdentity(ManagedIdentityParameters.builder(resource).build());
+            HttpResponse response = new HttpResponse();
+            response.statusCode(SC_UNAUTHORIZED);
+            response.headers().putAll(responseHeaders);
 
-        ExecutionException ex = assertThrows(ExecutionException.class, future::get);
-        assertTrue(ex.getCause() instanceof MsalServiceException);
-        assertTrue(ex.getMessage().contains(MsalErrorMessage.MANAGED_IDENTITY_INVALID_FILEPATH));
+            when(httpClientMock.send(
+                    expectedRequest(AZURE_ARC, resource))).thenReturn(
+                    response);
 
-        response.headers().put("WWW-Authenticate", Collections.singletonList("Basic realm=" + invalidPathWithRealFile));
+            miApp = ManagedIdentityApplication
+                    .builder(ManagedIdentityId.systemAssigned())
+                    .httpClient(httpClientMock)
+                    .build();
 
-        future = miApp.acquireTokenForManagedIdentity(ManagedIdentityParameters.builder(resource).build());
+            // Clear caching to avoid cross test pollution.
+            miApp.tokenCache().accessTokens.clear();
+        }
 
-        ex = assertThrows(ExecutionException.class, future::get);
-        assertTrue(ex.getCause() instanceof MsalServiceException);
-        assertTrue(ex.getMessage().contains(MsalErrorMessage.MANAGED_IDENTITY_INVALID_FILEPATH));
+        private void assertMsalServiceException(String errorCode, String message) throws Exception {
+            CompletableFuture<IAuthenticationResult> future =
+                    miApp.acquireTokenForManagedIdentity(
+                            ManagedIdentityParameters.builder(resource).build());
+
+            ExecutionException ex = assertThrows(ExecutionException.class, future::get);
+            assertInstanceOf(MsalServiceException.class, ex.getCause());
+            MsalServiceException msalException = (MsalServiceException) ex.getCause();
+            assertEquals(AZURE_ARC.name(),
+                    msalException.managedIdentitySource());
+            assertEquals(errorCode, msalException.errorCode());
+            assertTrue(ex.getMessage().contains(message));
+        }
     }
 }