Merge pull request #791 from AzureAD/avdunn/cert-service-fabric

Validate Service Fabric certs

Author: Avery-Dunn

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/DefaultHttpClient.java

@@ -21,14 +21,14 @@
 import java.util.Map;
 
 class DefaultHttpClient implements IHttpClient {
-    private final static Logger LOG = LoggerFactory.getLogger(DefaultHttpClient.class);
+    private static final  Logger LOG = LoggerFactory.getLogger(DefaultHttpClient.class);
 
-    private final Proxy proxy;
-    private final SSLSocketFactory sslSocketFactory;
+    final Proxy proxy;
+    final SSLSocketFactory sslSocketFactory;
 
     //By default, rely on the timeout behavior of the services requests are sent to
-    private int connectTimeout = 0;
-    private int readTimeout = 0;
+    int connectTimeout = 0;
+    int readTimeout = 0;
 
     DefaultHttpClient(Proxy proxy, SSLSocketFactory sslSocketFactory, Integer connectTimeout, Integer readTimeout) {
         this.proxy = proxy;
@@ -77,7 +77,7 @@ private HttpResponse executeHttpPost(HttpRequest httpRequest) throws Exception {
         }
     }
 
-    private HttpURLConnection openConnection(final URL finalURL)
+    HttpURLConnection openConnection(final URL finalURL)
             throws IOException {
         URLConnection connection;
 

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/DefaultHttpClientManagedIdentity.java

@@ -0,0 +1,167 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.aad.msal4j;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLSocketFactory;
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.Proxy;
+import java.net.URL;
+import java.net.URLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import java.security.KeyManagementException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+/** An extension for the default HttpClient which is meant to perform any extra HTTP behavior needed for a managed identity flow.
+ * <p>
+ * Currently the only extra behavior is the Service Fabric flow, where we must add a certificate thumbprint to the HTTP connection.
+ */
+class DefaultHttpClientManagedIdentity extends DefaultHttpClient {
+
+    public static final HostnameVerifier ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER;
+
+    static {
+        ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER = new HostnameVerifier() {
+            @SuppressWarnings("BadHostnameVerifier")
+            @Override
+            public boolean verify(String hostname, SSLSession session) {
+                return true;
+            }
+        };
+    }
+
+    DefaultHttpClientManagedIdentity(Proxy proxy, SSLSocketFactory sslSocketFactory, Integer connectTimeout, Integer readTimeout) {
+        super(proxy, sslSocketFactory, connectTimeout, readTimeout);
+    }
+
+    @Override
+    HttpURLConnection openConnection(final URL finalURL)
+            throws IOException {
+        URLConnection connection;
+
+        if (proxy != null) {
+            connection = finalURL.openConnection(proxy);
+        } else {
+            connection = finalURL.openConnection();
+        }
+
+        connection.setConnectTimeout(connectTimeout);
+        connection.setReadTimeout(readTimeout);
+
+        if (connection instanceof HttpURLConnection) {
+            return (HttpURLConnection) connection;
+        } else {
+            HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
+
+            if (sslSocketFactory != null) {
+                httpsConnection.setSSLSocketFactory(sslSocketFactory);
+            }
+
+            if (System.getenv(Constants.IDENTITY_SERVER_THUMBPRINT) != null) {
+                addTrustedCertificateThumbprint(httpsConnection, System.getenv(Constants.IDENTITY_SERVER_THUMBPRINT));
+            }
+
+            return httpsConnection;
+        }
+    }
+
+    /**
+     *
+     * Pins the specified HTTPS URL Connection to work against a specific server-side certificate with
+     * the specified thumbprint only.
+     *
+     * @param httpsUrlConnection The https url connection to configure
+     * @param certificateThumbprint The thumbprint of the certificate
+     */
+    public static void addTrustedCertificateThumbprint(HttpsURLConnection httpsUrlConnection,
+                                                       String certificateThumbprint) {
+        //We expect the connection to work against a specific server side certificate only, so it's safe to disable the
+        // host name verification.
+        if (httpsUrlConnection.getHostnameVerifier() != ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER) {
+            httpsUrlConnection.setHostnameVerifier(ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER);
+        }
+
+        // Create a Trust manager that trusts only certificate with specified thumbprint.
+        TrustManager[] certificateTrust = new TrustManager[]{new X509TrustManager() {
+            public X509Certificate[] getAcceptedIssuers() {
+                return new X509Certificate[]{};
+            }
+
+            public void checkClientTrusted(X509Certificate[] certificates, String authenticationType)
+                    throws CertificateException {
+                throw new CertificateException("No client side certificate configured.");
+            }
+
+            public void checkServerTrusted(X509Certificate[] certificates, String authenticationType)
+                    throws CertificateException {
+                if (certificates == null || certificates.length == 0) {
+                    throw new CertificateException("Did not receive any certificate from the server.");
+                }
+
+                for (X509Certificate x509Certificate : certificates) {
+                    String sslCertificateThumbprint = extractCertificateThumbprint(x509Certificate);
+                    if (certificateThumbprint.equalsIgnoreCase(sslCertificateThumbprint)) {
+                        return;
+                    }
+                }
+                throw new RuntimeException("Thumbprint of certificates received did not match the expected thumbprint.");
+            }
+        }
+        };
+
+        SSLSocketFactory sslSocketFactory;
+        try {
+            SSLContext sslContext = SSLContext.getInstance("TLS");
+            sslContext.init(null, certificateTrust, null);
+            sslSocketFactory = sslContext.getSocketFactory();
+        } catch (NoSuchAlgorithmException | KeyManagementException e) {
+            throw new RuntimeException("Error Creating SSL Context", e);
+        }
+
+        // Pin the connection to a specific certificate with specified thumbprint.
+        if (httpsUrlConnection.getSSLSocketFactory() != sslSocketFactory) {
+            httpsUrlConnection.setSSLSocketFactory(sslSocketFactory);
+        }
+    }
+
+    private static String extractCertificateThumbprint(Certificate certificate) {
+        try {
+            StringBuilder thumbprint = new StringBuilder();
+            MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
+
+            byte[] encodedCertificate;
+
+            try {
+                encodedCertificate = certificate.getEncoded();
+            } catch (CertificateEncodingException e) {
+                throw new RuntimeException(e);
+            }
+
+            byte[] updatedDigest = messageDigest.digest(encodedCertificate);
+
+            for (byte b : updatedDigest) {
+                int unsignedByte = b & 0xff;
+
+                if (unsignedByte < 16) {
+                    thumbprint.append("0");
+                }
+                thumbprint.append(Integer.toHexString(unsignedByte));
+            }
+            return thumbprint.toString();
+        } catch (NoSuchAlgorithmException e) {
+            throw new MsalClientException("NoSuchAlgorithmException when extracting certificate thumbprint: ", e.getMessage());
+        }
+    }
+
+}

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/HttpHelper.java

@@ -67,6 +67,44 @@ public IHttpResponse executeHttpRequest(HttpRequest httpRequest,
         return httpResponse;
     }
 
+    //Overloaded version of the more commonly used HTTP executor. It does not use ServiceBundle, allowing an HTTP call to be
+    // made only with more bespoke request-level parameters rather than those from the app-level ServiceBundle
+    IHttpResponse executeHttpRequest(HttpRequest httpRequest,
+                                            RequestContext requestContext,
+                                            TelemetryManager telemetryManager,
+                                            IHttpClient httpClient) {
+        checkForThrottling(requestContext);
+
+        HttpEvent httpEvent = new HttpEvent(); // for tracking http telemetry
+        IHttpResponse httpResponse;
+
+        try (TelemetryHelper telemetryHelper = telemetryManager.createTelemetryHelper(
+                requestContext.telemetryRequestId(),
+                requestContext.clientId(),
+                httpEvent,
+                false)) {
+
+            addRequestInfoToTelemetry(httpRequest, httpEvent);
+
+            try {
+                httpResponse = executeHttpRequestWithRetries(httpRequest, httpClient);
+
+            } catch (Exception e) {
+                httpEvent.setOauthErrorCode(AuthenticationErrorCode.UNKNOWN);
+                throw new MsalClientException(e);
+            }
+
+            addResponseInfoToTelemetry(httpResponse, httpEvent);
+
+            if (httpResponse.headers() != null) {
+                HttpHelper.verifyReturnedCorrelationId(httpRequest, httpResponse);
+            }
+        }
+        processThrottlingInstructions(httpResponse, requestContext);
+
+        return httpResponse;
+    }
+
     private String getRequestThumbprint(RequestContext requestContext) {
         StringBuilder sb = new StringBuilder();
         sb.append(requestContext.clientId() + POINT_DELIMITER);

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ServiceFabricManagedIdentitySource.java

@@ -6,6 +6,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.net.SocketException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.Collections;
@@ -22,6 +23,12 @@ class ServiceFabricManagedIdentitySource extends AbstractManagedIdentitySource {
     private final ManagedIdentityIdType idType;
     private final String userAssignedId;
 
+    //Service Fabric requires a special check for an environment variable containing a certificate thumbprint used for validating requests.
+    //No other flow need this and an app developer may not be aware of it, so it was decided that for the Service Fabric flow we will simply override
+    // any HttpClient that may have been set by the app developer with our own client which performs the validation logic.
+    private final IHttpClient httpClient = new DefaultHttpClientManagedIdentity(null, null, null, null);
+    private final HttpHelper httpHelper = new HttpHelper(httpClient);
+
     @Override
     public void createManagedIdentityRequest(String resource) {
         managedIdentityRequest.baseEndpoint = msiEndpoint;
@@ -53,21 +60,54 @@ private ServiceFabricManagedIdentitySource(MsalRequest msalRequest, ServiceBundl
         this.userAssignedId = ((ManagedIdentityApplication) msalRequest.application()).getManagedIdentityId().getUserAssignedId();
     }
 
+    @Override
+    public ManagedIdentityResponse getManagedIdentityResponse(
+            ManagedIdentityParameters parameters) {
+
+        createManagedIdentityRequest(parameters.resource);
+        IHttpResponse response;
+
+        try {
+
+            HttpRequest httpRequest = managedIdentityRequest.method.equals(HttpMethod.GET) ?
+                    new HttpRequest(HttpMethod.GET,
+                            managedIdentityRequest.computeURI().toString(),
+                            managedIdentityRequest.headers) :
+                    new HttpRequest(HttpMethod.POST,
+                            managedIdentityRequest.computeURI().toString(),
+                            managedIdentityRequest.headers,
+                            managedIdentityRequest.getBodyAsString());
+
+            response = httpHelper.executeHttpRequest(httpRequest, managedIdentityRequest.requestContext(), serviceBundle.getTelemetryManager(),
+                    httpClient);
+        } catch (URISyntaxException e) {
+            throw new RuntimeException(e);
+        } catch (MsalClientException e) {
+            if (e.getCause() instanceof SocketException) {
+                throw new MsalServiceException(e.getMessage(), MsalError.MANAGED_IDENTITY_UNREACHABLE_NETWORK, managedIdentitySourceType);
+            }
+
+            throw e;
+        }
+
+        return handleResponse(parameters, response);
+    }
+
     static AbstractManagedIdentitySource create(MsalRequest msalRequest, ServiceBundle serviceBundle) {
 
         IEnvironmentVariables environmentVariables = getEnvironmentVariables((ManagedIdentityParameters) msalRequest.requestContext().apiParameters());
-        String msiEndpoint = environmentVariables.getEnvironmentVariable(Constants.MSI_ENDPOINT);
-        String identityHeader = environmentVariables.getEnvironmentVariable(Constants.IDENTITY_ENDPOINT);
+        String identityEndpoint = environmentVariables.getEnvironmentVariable(Constants.IDENTITY_ENDPOINT);
+        String identityHeader = environmentVariables.getEnvironmentVariable(Constants.IDENTITY_HEADER);
         String identityServerThumbprint = environmentVariables.getEnvironmentVariable(Constants.IDENTITY_SERVER_THUMBPRINT);
 
 
-        if (StringHelper.isNullOrBlank(msiEndpoint) || StringHelper.isNullOrBlank(identityHeader) || StringHelper.isNullOrBlank(identityServerThumbprint))
+        if (StringHelper.isNullOrBlank(identityEndpoint) || StringHelper.isNullOrBlank(identityHeader) || StringHelper.isNullOrBlank(identityServerThumbprint))
         {
             LOG.info("[Managed Identity] Service fabric managed identity is unavailable.");
             return null;
         }
 
-        return new ServiceFabricManagedIdentitySource(msalRequest, serviceBundle, validateAndGetUri(msiEndpoint), identityHeader);
+        return new ServiceFabricManagedIdentitySource(msalRequest, serviceBundle, validateAndGetUri(identityEndpoint), identityHeader);
     }
 
     private static URI validateAndGetUri(String msiEndpoint)

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/ManagedIdentityTests.java

@@ -360,7 +360,7 @@ void managedIdentityTest_Retry(ManagedIdentitySourceType source, String endpoint
             return;
         }
 
-        fail("MsalManagedIdentityException is expected but not thrown.");
+        fail("MsalServiceException is expected but not thrown.");
     }
 
     @ParameterizedTest