adds host and scheme validation for access token providers

CHANGELOG.md

@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - Added the ability to configure the underlying transport in Go. #1003
+- Adds hostname and protocol validation in authentication. #1051
 
 ### Changed
 

abstractions/dotnet/Microsoft.Kiota.Abstractions.Tests/Authentication/AuthenticationTests.cs

@@ -52,4 +52,63 @@ public async Task BaseBearerTokenAuthenticationProviderSetsBearerHeader()
         Assert.Equal("Authorization", testRequest.Headers.First().Key); // First element is Auth header
         Assert.Equal($"Bearer {expectedToken}", testRequest.Headers.First().Value); // First element is Auth header
     }
+
+    [Theory]
+    [InlineData("https://graph.microsoft.com",true)]// PASS
+    [InlineData("https://graph.microsoft.us/v1.0/me",true)]// PASS as we don't look at the path segment
+    [InlineData("https://test.microsoft.com",false)]// Fail
+    [InlineData("https://grAph.MicrosofT.com",true)] // PASS since we don't care about case
+    [InlineData("https://developer.microsoft.com",false)] // Failed
+    public void AllowedHostValidatorValidatesUrls(string urlToTest, bool expectedResult)
+    {
+        // Test through the constructor
+        // Arrange
+        var whiteList = new[] { "graph.microsoft.com", "graph.microsoft.us"};
+        var validator = new AllowedHostsValidator(whiteList);
+
+        // Act 
+        var validationResult = validator.IsUrlHostValid(new Uri(urlToTest));
+
+        // Assert
+        Assert.Equal(expectedResult, validationResult);
+        Assert.Contains(whiteList[0], validator.AllowedHosts);
+        Assert.Contains(whiteList[1], validator.AllowedHosts);
+
+
+        // Test through the setter
+        // Arrange
+        var emptyValidator = new AllowedHostsValidator
+        {
+            AllowedHosts = whiteList // set the validator through the property
+        };
+
+        // Act 
+        var emptyValidatorResult = emptyValidator.IsUrlHostValid(new Uri(urlToTest));
+
+        // Assert
+        Assert.Equal(emptyValidatorResult, validationResult);
+        Assert.Contains(whiteList[0], emptyValidator.AllowedHosts);
+        Assert.Contains(whiteList[1], emptyValidator.AllowedHosts);
+    }
+
+
+    [Theory]
+    [InlineData("https://graph.microsoft.com")]// PASS
+    [InlineData("https://graph.microsoft.us/v1.0/me")]// PASS
+    [InlineData("https://test.microsoft.com")]// PASS
+    [InlineData("https://grAph.MicrosofT.com")] // PASS
+    [InlineData("https://developer.microsoft.com")] // PASS
+    public void AllowedHostValidatorAllowsAllUrls(string urlToTest)
+    {
+        // Test through the constructor
+        // Arrange
+        var validator = new AllowedHostsValidator();
+
+        // Act 
+        var validationResult = validator.IsUrlHostValid(new Uri(urlToTest));
+
+        // Assert
+        Assert.True(validationResult);
+        Assert.Empty(validator.AllowedHosts);
+    }
 }

abstractions/dotnet/src/authentication/AllowedHostsValidator.cs

@@ -0,0 +1,53 @@
+// ------------------------------------------------------------------------------
+//  Copyright (c) Microsoft Corporation.  All Rights Reserved.  Licensed under the MIT License.  See License in the project root for license information.
+// ------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+
+namespace Microsoft.Kiota.Abstractions.Authentication
+{
+    /// <summary>
+    /// Validator for handling allowed hosts for authentication
+    /// </summary>
+    public class AllowedHostsValidator
+    {
+        private HashSet<string> _allowedHosts;
+
+        /// <summary>
+        /// The <see cref="AllowedHostsValidator"/> constructor
+        /// </summary>
+        /// <param name="validHosts"> Collection of valid Hosts</param>
+        public AllowedHostsValidator(IEnumerable<string> validHosts = null)
+        {
+            _allowedHosts = new HashSet<string>(validHosts ?? Array.Empty<string>(), StringComparer.OrdinalIgnoreCase);
+        }
+
+        /// <summary>
+        /// Gets/Sets the collection of allowed hosts for the configurator
+        /// </summary>
+        public IEnumerable<string> AllowedHosts
+        {
+            get => _allowedHosts.AsEnumerable();
+            set
+            {
+                if(value is null) throw new ArgumentNullException(nameof(value));
+                _allowedHosts = new HashSet<string>(value.Where(x => !string.IsNullOrEmpty(x)), StringComparer.OrdinalIgnoreCase);
+            }
+        }
+
+        /// <summary>
+        /// Validates that the given Uri is valid
+        /// </summary>
+        /// <param name="uri">The <see cref="Uri"/> to validate</param>
+        /// <returns>
+        /// true - if the host is in the <see cref="AllowedHosts"/>. If <see cref="AllowedHosts"/> is empty, it will return true for all urls.
+        /// false - if the <see cref="AllowedHosts"/> is not empty and the host is not in the list
+        /// </returns>
+        public bool IsUrlHostValid(Uri uri)
+        {
+            return !_allowedHosts.Any() || _allowedHosts.Contains(uri.Host);
+        }
+    }
+}

abstractions/dotnet/src/authentication/BaseBearerTokenAuthenticationProvider.cs

@@ -38,9 +38,8 @@ public async Task AuthenticateRequestAsync(RequestInformation request, Cancellat
         if(!request.Headers.ContainsKey(AuthorizationHeaderKey))
         {
             var token = await AccessTokenProvider.GetAuthorizationTokenAsync(request.URI, cancellationToken);
-            if(string.IsNullOrEmpty(token))
-                throw new InvalidOperationException("Could not get an authorization token");
-            request.Headers.Add(AuthorizationHeaderKey, $"Bearer {token}");
+            if(!string.IsNullOrEmpty(token))
+                request.Headers.Add(AuthorizationHeaderKey, $"Bearer {token}");
         }
     }
 }

abstractions/go/authentication/allowed_hosts_validator.go

@@ -0,0 +1,49 @@
+package authentication
+
+import (
+	u "net/url"
+	"strings"
+)
+
+// AllowedHostsValidator Maintains a list of valid hosts and allows authentication providers to check whether a host is valid before authenticating a request
+type AllowedHostsValidator struct {
+	validHosts map[string]bool
+}
+
+// NewAllowedHostsValidator creates a new AllowedHostsValidator object with provided values.
+func NewAllowedHostsValidator(validHosts []string) AllowedHostsValidator {
+	result := AllowedHostsValidator{}
+	result.SetAllowedHosts(validHosts)
+	return result
+}
+
+// GetAllowedHosts returns the list of valid hosts.
+func (v *AllowedHostsValidator) GetAllowedHosts() map[string]bool {
+	hosts := make(map[string]bool, len(v.validHosts))
+	for host := range v.validHosts {
+		hosts[host] = true
+	}
+	return hosts
+}
+
+//SetAllowedHosts sets the list of valid hosts.
+func (v *AllowedHostsValidator) SetAllowedHosts(hosts []string) {
+	v.validHosts = make(map[string]bool, len(hosts))
+	if len(hosts) > 0 {
+		for _, host := range hosts {
+			v.validHosts[strings.ToLower(host)] = true
+		}
+	}
+}
+
+// IsValidHost returns true if the host is valid.
+func (v *AllowedHostsValidator) IsUrlHostValid(uri *u.URL) bool {
+	if uri == nil {
+		return false
+	}
+	host := uri.Host
+	if host == "" {
+		return false
+	}
+	return v.validHosts[strings.ToLower(host)]
+}

abstractions/go/authentication/base_bearer_token_authentication_provider.go

@@ -36,10 +36,9 @@ func (provider *BaseBearerTokenAuthenticationProvider) AuthenticateRequest(reque
 		if err != nil {
 			return err
 		}
-		if token == "" {
-			return errors.New("could not get an authorization token")
+		if token != "" {
+			request.Headers[authorizationHeader] = "Bearer " + token
 		}
-		request.Headers[authorizationHeader] = "Bearer " + token
 	}
 
 	return nil

abstractions/java/lib/src/main/java/com/microsoft/kiota/authentication/AllowedHostsValidator.java

@@ -0,0 +1,51 @@
+package com.microsoft.kiota.authentication;
+
+import java.net.URI;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.annotation.Nonnull;
+
+/** Maintains a list of valid hosts and allows authentication providers to check whether a host is valid before authenticating a request */
+public class AllowedHostsValidator {
+    private HashSet<String> validHosts;
+    /**
+     * Creates a new AllowedHostsValidator.
+     * @param validHosts The list of valid hosts.
+     */
+    public AllowedHostsValidator(@Nonnull final String... allowedHosts) {
+        this.setAllowedHosts(allowedHosts);
+    }
+
+    /**
+     * Gets the allowed hosts. Read-only.
+     * @return the allowed hosts.
+     */
+    @Nonnull
+    public Set<String> getAllowedHosts() {
+        return Collections.unmodifiableSet(this.validHosts);
+    }
+    /**
+     * Sets the allowed hosts.
+     * @param allowedHosts the allowed hosts.
+     */
+    public void setAllowedHosts(@Nonnull final String... allowedHosts) {
+        validHosts = new HashSet<String>();
+        if(allowedHosts != null) {
+            for (final String host : allowedHosts) {
+                if (host != null && !host.isEmpty())
+                    validHosts.add(host.trim().toLowerCase());
+            }
+        }
+    }
+
+    /**
+     * Checks if the provided host is allowed.
+     * @param uri the uri to check the host for.
+     * @return true if the host is allowed, false otherwise.
+     */
+    public boolean isUrlHostValid(@Nonnull final URI uri) {
+        return validHosts.isEmpty() || validHosts.contains(uri.getHost().trim().toLowerCase());
+    }
+}

abstractions/java/lib/src/main/java/com/microsoft/kiota/authentication/BaseBearerTokenAuthenticationProvider.java

@@ -28,10 +28,10 @@ public CompletableFuture<Void> authenticateRequest(final RequestInformation requ
             }
             return this.accessTokenProvider.getAuthorizationToken(targetUri)
                 .thenApply(token -> {
-                    if(token == null || token.isEmpty()) {
-                        throw new UnsupportedOperationException("Could not get an authorization token", null);
+                    if(token != null && !token.isEmpty())) { 
+                    // Not an error, just no need to authenticate as we might have been given an external URL from the main API (large file upload, etc.)
+                        request.headers.put(authorizationHeaderKey, "Bearer " + token);
                     }
-                    request.headers.put(authorizationHeaderKey, "Bearer " + token);
                     return null;
                 });
         } else {

abstractions/typescript/src/authentication/allowedHostsValidator.ts

@@ -0,0 +1,60 @@
+/** Maintains a list of valid hosts and allows authentication providers to check whether a host is valid before authenticating a request */
+export class AllowedHostsValidator {
+    private allowedHosts: Set<string>;
+    /**
+     * Creates a new AllowedHostsValidator object with provided values.
+     * @param allowedHosts A list of valid hosts.  If the list is empty, all hosts are valid.
+     */
+    public constructor(allowedHosts: Set<string> = new Set<string>()) {
+        this.allowedHosts = allowedHosts ?? new Set<string>();
+    }
+    /**
+     * Gets the list of valid hosts.  If the list is empty, all hosts are valid.
+     * @returns A list of valid hosts.  If the list is empty, all hosts are valid.
+     */
+    public getAllowedHosts(): string[] {
+        return Array.from(this.allowedHosts);
+    }
+    /**
+     * Sets the list of valid hosts.  If the list is empty, all hosts are valid.
+     * @param allowedHosts A list of valid hosts.  If the list is empty, all hosts are valid.
+     */
+    public setAllowedHosts(allowedHosts: Set<string>): void {
+        this.allowedHosts = allowedHosts;
+    }
+    /**
+     * Checks whether the provided host is valid.
+     * @param url The url to check.
+     */
+    public isUrlHostValid(url: string): boolean {
+        if(!url) return false;
+        if(this.allowedHosts.size === 0) return true;
+        const schemeAndRest = url.split("://");
+        if(schemeAndRest.length >= 2) {
+            const rest = schemeAndRest[1];
+            if(rest) {
+                return this.isHostAndPathValid(rest);
+            }
+        } else if (!url.startsWith("http")) {
+            // protocol relative URL domain.tld/path
+            return this.isHostAndPathValid(url);
+        }
+        //@ts-ignore
+        if(window && window.location && window.location.host) {
+            // we're in a browser, and we're using paths only ../path, ./path, /path, etc.
+            //@ts-ignore
+            return this.allowedHosts.has((window.location.host as string)?.toLowerCase());
+        }
+        return false;
+    }
+    private isHostAndPathValid(rest: string): boolean {
+        const hostAndRest = rest.split("/");
+        if(hostAndRest.length >= 2) {
+            const host = hostAndRest[0];
+            if(host) {    
+                return this.allowedHosts.has(host.toLowerCase());
+            }
+        }
+        return false;
+    }
+}

abstractions/typescript/src/authentication/baseBearerTokenAuthenticationProvider.ts

@@ -18,13 +18,12 @@ export class BaseBearerTokenAuthenticationProvider implements AuthenticationProv
         }
         if (!request.headers?.has(BaseBearerTokenAuthenticationProvider.authorizationHeaderKey)) {
             const token = await this.accessTokenProvider.getAuthorizationToken(request.URL);
-            if (!token) {
-                throw new Error('Could not get an authorization token');
-            }
             if (!request.headers) {
                 request.headers = new Map<string, string>();
             }
-            request.headers?.set(BaseBearerTokenAuthenticationProvider.authorizationHeaderKey, `Bearer ${token}`);
+            if(token) {
+                request.headers?.set(BaseBearerTokenAuthenticationProvider.authorizationHeaderKey, `Bearer ${token}`);
+            }
         }
     }
 }

abstractions/typescript/src/authentication/index.ts

@@ -1,4 +1,5 @@
 export * from './accessTokenProvider';
+export * from './allowedHostsValidator';
 export * from './authenticationProvider';
 export * from './anonymousAuthenticationProvider';
 export * from './baseBearerTokenAuthenticationProvider';