diff --git a/IdentityCore/IdentityCore.xcodeproj/project.pbxproj b/IdentityCore/IdentityCore.xcodeproj/project.pbxproj index 06478fc05..d3cbf04d8 100644 --- a/IdentityCore/IdentityCore.xcodeproj/project.pbxproj +++ b/IdentityCore/IdentityCore.xcodeproj/project.pbxproj @@ -527,6 +527,15 @@ 23FB5C452255A11D002BF1EB /* MSIDClaimsRequest.m in Sources */ = {isa = PBXBuildFile; fileRef = 23FB5C24225517AA002BF1EB /* MSIDClaimsRequest.m */; }; 23FB5C462255A135002BF1EB /* MSIDIndividualClaimRequest.m in Sources */ = {isa = PBXBuildFile; fileRef = 23FB5C29225517AA002BF1EB /* MSIDIndividualClaimRequest.m */; }; 23FB5C472255A13A002BF1EB /* MSIDIndividualClaimRequestAdditionalInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = 23FB5C27225517AA002BF1EB /* MSIDIndividualClaimRequestAdditionalInfo.m */; }; + 2A24814D2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A24814C2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.m */; }; + 2A24814E2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A24814B2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.h */; }; + 2A24814F2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A24814C2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.m */; }; + 2A2481532CB07BCC006FCB34 /* MSIDSSOXpcSilentTokenRequest.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A2481512CB07BCC006FCB34 /* MSIDSSOXpcSilentTokenRequest.m */; }; + 2A2481542CB07BCC006FCB34 /* MSIDSSOXpcSilentTokenRequest.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A2481502CB07BCC006FCB34 /* MSIDSSOXpcSilentTokenRequest.h */; }; + 2A2481582CB08050006FCB34 /* MSIDXpcSingleSignOnProvider.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A2481562CB08050006FCB34 /* MSIDXpcSingleSignOnProvider.m */; }; + 2A2481592CB08050006FCB34 /* MSIDXpcSingleSignOnProvider.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A2481552CB08050006FCB34 /* MSIDXpcSingleSignOnProvider.h */; }; + 2A24815F2CB08344006FCB34 /* MSIDXpcSilentTokenRequestController.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A24815D2CB08344006FCB34 /* MSIDXpcSilentTokenRequestController.m */; }; + 2A2481602CB08344006FCB34 /* MSIDXpcSilentTokenRequestController.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A24815C2CB08344006FCB34 /* MSIDXpcSilentTokenRequestController.h */; }; 2A0278912D6E3216005655B4 /* MSIDAADTokenRequestServerTelemetryTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A0278902D6E3216005655B4 /* MSIDAADTokenRequestServerTelemetryTests.m */; }; 2A0278922D6E3216005655B4 /* MSIDAADTokenRequestServerTelemetryTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A0278902D6E3216005655B4 /* MSIDAADTokenRequestServerTelemetryTests.m */; }; 2A0278A32D6E3787005655B4 /* MSIDLastRequestTelemetry+Tests.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A0278A22D6E3787005655B4 /* MSIDLastRequestTelemetry+Tests.h */; }; @@ -2406,6 +2415,14 @@ 23FB5C2E22551866002BF1EB /* MSIDClaimsRequest+ClientCapabilities.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "MSIDClaimsRequest+ClientCapabilities.m"; sourceTree = ""; }; 23FB5C32225585E6002BF1EB /* MSIDClaimsRequestMock.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDClaimsRequestMock.h; sourceTree = ""; }; 23FB5C33225585E6002BF1EB /* MSIDClaimsRequestMock.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDClaimsRequestMock.m; sourceTree = ""; }; + 2A24814B2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDSSORemoteSilentTokenRequest.h; sourceTree = ""; }; + 2A24814C2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDSSORemoteSilentTokenRequest.m; sourceTree = ""; }; + 2A2481502CB07BCC006FCB34 /* MSIDSSOXpcSilentTokenRequest.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDSSOXpcSilentTokenRequest.h; sourceTree = ""; }; + 2A2481512CB07BCC006FCB34 /* MSIDSSOXpcSilentTokenRequest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDSSOXpcSilentTokenRequest.m; sourceTree = ""; }; + 2A2481552CB08050006FCB34 /* MSIDXpcSingleSignOnProvider.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDXpcSingleSignOnProvider.h; sourceTree = ""; }; + 2A2481562CB08050006FCB34 /* MSIDXpcSingleSignOnProvider.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDXpcSingleSignOnProvider.m; sourceTree = ""; }; + 2A24815C2CB08344006FCB34 /* MSIDXpcSilentTokenRequestController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDXpcSilentTokenRequestController.h; sourceTree = ""; }; + 2A24815D2CB08344006FCB34 /* MSIDXpcSilentTokenRequestController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDXpcSilentTokenRequestController.m; sourceTree = ""; }; 2A0278902D6E3216005655B4 /* MSIDAADTokenRequestServerTelemetryTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDAADTokenRequestServerTelemetryTests.m; sourceTree = ""; }; 2A0278A22D6E3787005655B4 /* MSIDLastRequestTelemetry+Tests.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "MSIDLastRequestTelemetry+Tests.h"; sourceTree = ""; }; 51E364572863C0F300A97F82 /* MSIDTelemetryConditionalCompile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MSIDTelemetryConditionalCompile.h; sourceTree = ""; }; @@ -5127,6 +5144,10 @@ B49323A02AD4DB2700E0CBC0 /* MSIDSSOExtensionPasskeyAssertionRequest.m */, B443EFF02AD6299300782168 /* MSIDSSOExtensionPasskeyCredentialRequest.h */, B443EFF12AD629A300782168 /* MSIDSSOExtensionPasskeyCredentialRequest.m */, + 2A24814B2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.h */, + 2A24814C2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.m */, + 2A2481502CB07BCC006FCB34 /* MSIDSSOXpcSilentTokenRequest.h */, + 2A2481512CB07BCC006FCB34 /* MSIDSSOXpcSilentTokenRequest.m */, ); path = broker; sourceTree = ""; @@ -5141,6 +5162,8 @@ 23B5DF7B234031ED002C530F /* MSIDSSOExtensionSilentTokenRequestController.m */, B217863623A5994300839CE8 /* MSIDSSOExtensionSignoutController.h */, B217863723A5994300839CE8 /* MSIDSSOExtensionSignoutController.m */, + 2A24815C2CB08344006FCB34 /* MSIDXpcSilentTokenRequestController.h */, + 2A24815D2CB08344006FCB34 /* MSIDXpcSilentTokenRequestController.m */, ); path = broker; sourceTree = ""; @@ -5322,6 +5345,8 @@ 728209CF26FEA0F600B5F018 /* MSIDKeyOperationUtil.m */, 237777C82853FF9400DDEAFC /* ASAuthorizationController+MSIDExtensions.h */, 237777C92853FF9400DDEAFC /* ASAuthorizationController+MSIDExtensions.m */, + 2A2481552CB08050006FCB34 /* MSIDXpcSingleSignOnProvider.h */, + 2A2481562CB08050006FCB34 /* MSIDXpcSingleSignOnProvider.m */, ); path = util; sourceTree = ""; @@ -5881,6 +5906,7 @@ 232C65882138BDC5002A41FE /* MSIDAADAuthorityMetadataResponse.h in Headers */, 23C548052A2A5DBF00633DC0 /* MSIDBrokerOperationBrowserNativeMessageRequest.h in Headers */, B2C7089C219926C200D917B8 /* MSIDBrokerResponse+Internal.h in Headers */, + 2A2481602CB08344006FCB34 /* MSIDXpcSilentTokenRequestController.h in Headers */, B286B9C72389DE7F007833AD /* MSIDAccountMetadataCacheAccessor.h in Headers */, B286B9B12389DD6C007833AD /* MSIDPKeyAuthHandler.h in Headers */, E733EDD525C0A47600ACB79A /* MSIDThumbprintCalculatable.h in Headers */, @@ -5897,6 +5923,7 @@ 74D926C324B3EFC300AA4270 /* MSIDLastRequestTelemetry+Internal.h in Headers */, 235480CA20DDF81000246F72 /* MSIDAuthorityFactory.h in Headers */, 58BC2392271E0D94008A77BE /* MSIDSSOExtensionGetSsoCookiesRequest.h in Headers */, + 2A24814E2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.h in Headers */, B217863823A5994300839CE8 /* MSIDSSOExtensionSignoutController.h in Headers */, A0C7DE4425D4522300F5B5B6 /* MSIDThrottlingModelFactory.h in Headers */, B286B9942389DC76007833AD /* MSIDDefaultTokenRequestProvider+Internal.h in Headers */, @@ -6069,6 +6096,7 @@ 58E2A1FC24E497400027A28A /* MSIDWebResponseOperationConstants.h in Headers */, 5887EBF12BBF6490005F9634 /* MSIDAuthenticationSchemeSshCert.h in Headers */, B2AF1D2E218BCEDE0080C1A0 /* MSIDInteractiveTokenRequest.h in Headers */, + 2A2481592CB08050006FCB34 /* MSIDXpcSingleSignOnProvider.h in Headers */, 1E707FE22407337300716148 /* MSIDBrokerOperationResponse.h in Headers */, B251CC48204105A7005E0179 /* MSIDBaseToken.h in Headers */, 1E62D0E6228B760A000E2BBC /* MSIDKeychainUtil.h in Headers */, @@ -6196,6 +6224,7 @@ 74F04D4D246CB5B100094017 /* MSIDCurrentRequestTelemetrySerializedItem+Internal.h in Headers */, 238E19DD2086FE28004DF483 /* MSIDAADAuthorizationCodeRequest.h in Headers */, B227037622A4C29800030ADC /* MSIDExtendedTokenCacheDataSource.h in Headers */, + 2A2481542CB07BCC006FCB34 /* MSIDSSOXpcSilentTokenRequest.h in Headers */, B251CC49204105A7005E0179 /* MSIDIdToken.h in Headers */, B2F671EC2467AB4500649855 /* MSIDInteractiveRequestControlling.h in Headers */, B443F0002AD6327700782168 /* MSIDBrokerOperationPasskeyCredentialRequest.h in Headers */, @@ -7100,12 +7129,14 @@ 580E2547271A014F003D1795 /* MSIDDeviceHeader.m in Sources */, 583BFCAB24D88CED0035B901 /* MSIDRedirectUriVerifier.m in Sources */, B253152723DD61FB00432133 /* MSIDSSOExtensionGetDeviceInfoRequest.m in Sources */, + 2A24815F2CB08344006FCB34 /* MSIDXpcSilentTokenRequestController.m in Sources */, 23C548062A2A5DBF00633DC0 /* MSIDBrokerOperationBrowserNativeMessageRequest.m in Sources */, 238D5D8C22B353830091A135 /* MSIDAADV2TokenResponseForV1Request.m in Sources */, 2352AF342AA7C7B700FA2253 /* MSIDBrowserNativeMessageGetTokenResponse.m in Sources */, 589BDB292718F18800BF3799 /* MSIDCredentialHeader.m in Sources */, B25A356F1FC4D70300C7FD43 /* MSIDLogger.m in Sources */, 5887EBF32BBF6490005F9634 /* MSIDAuthenticationSchemeSshCert.m in Sources */, + 2A2481532CB07BCC006FCB34 /* MSIDSSOXpcSilentTokenRequest.m in Sources */, B2C7088F2198E48E00D917B8 /* NSData+AES.m in Sources */, 96F21B3320A65896002B87C3 /* MSIDWebviewAuthorization.m in Sources */, B27893832470CFE700627C28 /* MSIDAssymetricKeyGeneratorFactory.m in Sources */, @@ -7128,6 +7159,7 @@ 23FB5C3122551866002BF1EB /* MSIDClaimsRequest+ClientCapabilities.m in Sources */, 23B39ACD209CF317000AA905 /* MSIDAADNetworkConfiguration.m in Sources */, 23FB5C462255A135002BF1EB /* MSIDIndividualClaimRequest.m in Sources */, + 2A2481582CB08050006FCB34 /* MSIDXpcSingleSignOnProvider.m in Sources */, 238F80A222C2BE1600437CB1 /* MSIDGetV1IdTokenHttpEvent.m in Sources */, 60BE060D23A1A3ED00CDA662 /* MSIDDeviceInfo.m in Sources */, 23071657229F56AE00FDD044 /* MSIDAADV2Oauth2FactoryForV1Request.m in Sources */, @@ -7343,6 +7375,7 @@ B28D90A7218FD1E800E230D6 /* MSIDLegacyTokenResponseValidator.m in Sources */, 1E5319AA24A425B7007BCF30 /* MSIDAuthenticationScheme.m in Sources */, B286B99F2389DCBA007833AD /* MSIDRequestParameters+Broker.m in Sources */, + 2A24814D2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.m in Sources */, B26A0B7F2071ADCE006BD95A /* MSIDOauth2Factory.m in Sources */, B217863A23A5994300839CE8 /* MSIDSSOExtensionSignoutController.m in Sources */, B2C707FF2192530E00D917B8 /* MSIDDefaultSilentTokenRequest.m in Sources */, @@ -7878,6 +7911,7 @@ 609E74CB228DE23B005E3FED /* MSIDAccountMetadataCacheKey.m in Sources */, B2807FF8204CAFDF00944D89 /* MSIDHelpers.m in Sources */, 2317FFBD2A43988900E3DAA2 /* MSIDBrokerOperationBrowserNativeMessageRequest.m in Sources */, + 2A24814F2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.m in Sources */, 23B018C32356D51200207FEC /* NSDictionary+MSIDQueryItems.m in Sources */, 580E2546271A014F003D1795 /* MSIDDeviceHeader.m in Sources */, 234DE5842A9456F600E244B3 /* MSIDBrowserNativeMessageRequest.m in Sources */, diff --git a/IdentityCore/src/MSIDConstants.h b/IdentityCore/src/MSIDConstants.h index e8ece2b60..77352c254 100644 --- a/IdentityCore/src/MSIDConstants.h +++ b/IdentityCore/src/MSIDConstants.h @@ -93,6 +93,14 @@ typedef NS_ENUM(NSInteger, MSIDHeaderType) MSIDHeaderTypeDeviceRegistration }; +typedef NS_ENUM(NSUInteger, MSIDXpcMode) +{ + MSIDXpcModeDisable = 0, // Broker Xpc service call is disabled + MSIDXpcModeBackup,// Broker Xpc service call is only used as a backup service when SsoExtension service failed. If SsoExtenion is not available on the device (canPerformRequest returns false), Broker Xpc service call will be disabled + MSIDXpcModeFull, // Broker Xpc service call is used as a backup call when SsoExtension service failed. If SsoExtenion is not available on the device, Xpc service call will be the primary auth service + MSIDXpcModeOverride // Development only: Broker Xpc service is used as main Sso service, and ignored SsoExtension service completely. This option will be ignored in production and will be treated same as MSIDXpcModeDisable +}; + typedef void (^MSIDRequestCompletionBlock)(MSIDTokenResult * _Nullable result, NSError * _Nullable error); typedef void (^MSIDSignoutRequestCompletionBlock)(BOOL success, NSError * _Nullable error); typedef void (^MSIDGetAccountsRequestCompletionBlock)(NSArray * _Nullable accounts, BOOL returnBrokerAccountsOnly, NSError * _Nullable error); diff --git a/IdentityCore/src/controllers/MSIDRequestControllerFactory.m b/IdentityCore/src/controllers/MSIDRequestControllerFactory.m index 4b92560ee..4c146619a 100644 --- a/IdentityCore/src/controllers/MSIDRequestControllerFactory.m +++ b/IdentityCore/src/controllers/MSIDRequestControllerFactory.m @@ -35,6 +35,9 @@ #import "MSIDRequestParameters+Broker.h" #import "MSIDAuthority.h" #import "MSIDSignoutController.h" +#if TARGET_OS_OSX +#import "MSIDXpcSilentTokenRequestController.h" +#endif @implementation MSIDRequestControllerFactory @@ -43,6 +46,30 @@ @implementation MSIDRequestControllerFactory skipLocalRt:(MSIDSilentControllerLocalRtUsageType)skipLocalRt tokenRequestProvider:(id)tokenRequestProvider error:(NSError *__autoreleasing*)error +{ + if (parameters.xpcMode == MSIDXpcModeDisable) + { + return [self SilentControllerWithoutXpcForParameters:parameters + forceRefresh:forceRefresh + skipLocalRt:skipLocalRt + tokenRequestProvider:tokenRequestProvider + error:error]; + } + else + { + return [self silentControllerWithXpcForParameters:parameters + forceRefresh:forceRefresh + skipLocalRt:skipLocalRt + tokenRequestProvider:tokenRequestProvider + error:error]; + } +} + ++ (nullable id)SilentControllerWithoutXpcForParameters:(MSIDRequestParameters *)parameters + forceRefresh:(BOOL)forceRefresh + skipLocalRt:(MSIDSilentControllerLocalRtUsageType)skipLocalRt + tokenRequestProvider:(id)tokenRequestProvider + error:(NSError *__autoreleasing*)error { // Nested auth protocol - Reverse client id & redirect uri if ([parameters isNestedAuthProtocol]) @@ -77,12 +104,21 @@ @implementation MSIDRequestControllerFactory // TODO: Performance optimization: check account source. // if (parameters.accountIdentifier.source == BROKER) return brokerController; + if (!brokerController) + { + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, parameters, @"No fallback brokerController is provided", nil); + } + __auto_type localController = [[MSIDSilentController alloc] initWithRequestParameters:parameters forceRefresh:forceRefresh tokenRequestProvider:tokenRequestProvider fallbackInteractiveController:brokerController error:error]; - if (!localController) return nil; + if (!localController) + { + MSID_LOG_WITH_CTX(MSIDLogLevelWarning, parameters, @"failed to initialize silentController, return early", nil); + return nil; + } switch (skipLocalRt) { case MSIDSilentControllerForceSkippingLocalRt: @@ -101,6 +137,95 @@ @implementation MSIDRequestControllerFactory return localController; } ++ (nullable id)silentControllerWithXpcForParameters:(MSIDRequestParameters *)parameters + forceRefresh:(BOOL)forceRefresh + skipLocalRt:(MSIDSilentControllerLocalRtUsageType)skipLocalRt + tokenRequestProvider:(id)tokenRequestProvider + error:(NSError *__autoreleasing*)error +{ + // Nested auth protocol - Reverse client id & redirect uri + if ([parameters isNestedAuthProtocol]) + { + [parameters reverseNestedAuthParametersIfNeeded]; + } + + MSIDSilentController *fallbackController = nil; + + if ([parameters shouldUseBroker]) + { + if (parameters.allowUsingLocalCachedRtWhenSsoExtFailed) + { + fallbackController = [[MSIDSilentController alloc] initWithRequestParameters:parameters + forceRefresh:YES + tokenRequestProvider:tokenRequestProvider + error:error]; + fallbackController.isLocalFallbackMode = YES; + } + + MSIDSilentController *xpcController = nil; +#if TARGET_OS_OSX + if (parameters.xpcMode != MSIDXpcModeDisable && [MSIDXpcSilentTokenRequestController canPerformRequest]) + { + xpcController = [[MSIDXpcSilentTokenRequestController alloc] initWithRequestParameters:parameters + forceRefresh:forceRefresh + tokenRequestProvider:tokenRequestProvider + fallbackInteractiveController:fallbackController + error:error]; + if (parameters.xpcMode == MSIDXpcModeFull || parameters.xpcMode == MSIDXpcModeOverride) + { + // If in Xpc full mode, the XPCController will work as a isolated controller when SsoExtension cannotPerformRequest + fallbackController = xpcController; + xpcController = nil; + } + } +#endif + + BOOL shouldSkipSsoExtension = parameters.xpcMode == MSIDXpcModeOverride; + + if (!shouldSkipSsoExtension && [MSIDSSOExtensionSilentTokenRequestController canPerformRequest]) + { + fallbackController = [[MSIDSSOExtensionSilentTokenRequestController alloc] initWithRequestParameters:parameters + forceRefresh:forceRefresh + tokenRequestProvider:tokenRequestProvider + fallbackInteractiveController:xpcController?:fallbackController + error:error]; + } + } + + if (!fallbackController) + { + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, parameters, @"No fallbackController is provided", nil); + } + + MSIDSilentController *silentController = [[MSIDSilentController alloc] initWithRequestParameters:parameters + forceRefresh:forceRefresh + tokenRequestProvider:tokenRequestProvider + fallbackInteractiveController:fallbackController + error:error]; + if (!silentController) + { + MSID_LOG_WITH_CTX(MSIDLogLevelWarning, parameters, @"failed to initialize silentController, return early", nil); + return nil; + } + + switch (skipLocalRt) { + case MSIDSilentControllerForceSkippingLocalRt: + silentController.skipLocalRt = YES; + break; + case MSIDSilentControllerForceUsingLocalRt: + silentController.skipLocalRt = NO; + break; + case MSIDSilentControllerUndefinedLocalRtUsage: + if (fallbackController) silentController.skipLocalRt = YES; + break; + default: + break; + } + + return silentController; + +} + + (nullable id)interactiveControllerForParameters:(nonnull MSIDInteractiveTokenRequestParameters *)parameters tokenRequestProvider:(nonnull id)tokenRequestProvider error:(NSError * _Nullable __autoreleasing * _Nullable)error diff --git a/IdentityCore/src/controllers/broker/MSIDXpcSilentTokenRequestController.h b/IdentityCore/src/controllers/broker/MSIDXpcSilentTokenRequestController.h new file mode 100644 index 000000000..8bf5ec34f --- /dev/null +++ b/IdentityCore/src/controllers/broker/MSIDXpcSilentTokenRequestController.h @@ -0,0 +1,36 @@ +// +// Copyright (c) Microsoft Corporation. +// All rights reserved. +// +// This code is licensed under the MIT License. +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files(the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions : +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. + + +#import "MSIDSilentController.h" + +NS_ASSUME_NONNULL_BEGIN + +@interface MSIDXpcSilentTokenRequestController : MSIDSilentController + ++ (BOOL)canPerformRequest; + +@end + +NS_ASSUME_NONNULL_END diff --git a/IdentityCore/src/controllers/broker/MSIDXpcSilentTokenRequestController.m b/IdentityCore/src/controllers/broker/MSIDXpcSilentTokenRequestController.m new file mode 100644 index 000000000..5bc028991 --- /dev/null +++ b/IdentityCore/src/controllers/broker/MSIDXpcSilentTokenRequestController.m @@ -0,0 +1,55 @@ +// +// Copyright (c) Microsoft Corporation. +// All rights reserved. +// +// This code is licensed under the MIT License. +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files(the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions : +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. + +#import "MSIDXpcSilentTokenRequestController.h" +#import "MSIDSilentController+Internal.h" +#import "MSIDXpcSingleSignOnProvider.h" + +@implementation MSIDXpcSilentTokenRequestController + +- (void)acquireToken:(MSIDRequestCompletionBlock)completionBlock +{ + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Beginning silent broker xpc flow."); + MSIDRequestCompletionBlock completionBlockWrapper = ^(MSIDTokenResult *result, NSError *error) + { + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Silent broker xpc flow finished. Result %@, error: %ld error domain: %@, shouldFallBack: %@", _PII_NULLIFY(result), (long)error.code, error.domain, @(self.fallbackController != nil)); + completionBlock(result, error); + }; + + __auto_type request = [self.tokenRequestProvider silentXpcTokenRequestWithParameters:self.requestParameters + forceRefresh:self.forceRefresh]; + [self acquireTokenWithRequest:request completionBlock:completionBlockWrapper]; +} + ++ (BOOL)canPerformRequest +{ + if (@available(macOS 13, *)) { + return YES; + } else { + return NO; + } +} + +@end + diff --git a/IdentityCore/src/parameters/MSIDRequestParameters.h b/IdentityCore/src/parameters/MSIDRequestParameters.h index 93425a3a5..79be19c91 100644 --- a/IdentityCore/src/parameters/MSIDRequestParameters.h +++ b/IdentityCore/src/parameters/MSIDRequestParameters.h @@ -108,6 +108,9 @@ #pragma mark - SSO context @property (nonatomic) MSIDExternalSSOContext *ssoContext; +#pragma mark - Xpc Mode +@property (nonatomic) MSIDXpcMode xpcMode; + - (NSURL *)tokenEndpoint; #pragma mark Methods diff --git a/IdentityCore/src/requests/broker/MSIDSSOExtensionSilentTokenRequest.h b/IdentityCore/src/requests/broker/MSIDSSOExtensionSilentTokenRequest.h index 5141e9199..35b177649 100644 --- a/IdentityCore/src/requests/broker/MSIDSSOExtensionSilentTokenRequest.h +++ b/IdentityCore/src/requests/broker/MSIDSSOExtensionSilentTokenRequest.h @@ -21,30 +21,12 @@ // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN // THE SOFTWARE. -#import "MSIDSilentTokenRequest.h" +#import "MSIDSSORemoteSilentTokenRequest.h" #import "MSIDProviderType.h" -@class MSIDAccountMetadataCacheAccessor; - NS_ASSUME_NONNULL_BEGIN -@interface MSIDSSOExtensionSilentTokenRequest : MSIDSilentTokenRequest - -@property (nonatomic, readonly, nonnull) id tokenCache; - -- (nullable instancetype)initWithRequestParameters:(MSIDRequestParameters *)parameters - forceRefresh:(BOOL)forceRefresh - oauthFactory:(MSIDOauth2Factory *)oauthFactory - tokenResponseValidator:(MSIDTokenResponseValidator *)tokenResponseValidator NS_UNAVAILABLE; - -- (nullable instancetype)initWithRequestParameters:(MSIDRequestParameters *)parameters - forceRefresh:(BOOL)forceRefresh - oauthFactory:(MSIDOauth2Factory *)oauthFactory - tokenResponseValidator:(MSIDTokenResponseValidator *)tokenResponseValidator - tokenCache:(id)tokenCache - accountMetadataCache:(nullable MSIDAccountMetadataCacheAccessor *)accountMetadataCache - extendedTokenCache:(nullable id)extendedTokenCache - NS_DESIGNATED_INITIALIZER; +@interface MSIDSSOExtensionSilentTokenRequest : MSIDSSORemoteSilentTokenRequest @end diff --git a/IdentityCore/src/requests/broker/MSIDSSOExtensionSilentTokenRequest.m b/IdentityCore/src/requests/broker/MSIDSSOExtensionSilentTokenRequest.m index 602444bbf..18a38665f 100644 --- a/IdentityCore/src/requests/broker/MSIDSSOExtensionSilentTokenRequest.m +++ b/IdentityCore/src/requests/broker/MSIDSSOExtensionSilentTokenRequest.m @@ -25,47 +25,27 @@ #import #import "ASAuthorizationSingleSignOnProvider+MSIDExtensions.h" #import "MSIDSSOExtensionSilentTokenRequest.h" -#import "MSIDSilentTokenRequest.h" #import "MSIDRequestParameters.h" -#import "MSIDAccountIdentifier.h" -#import "MSIDAuthority.h" -#import "MSIDJsonSerializer.h" #import "ASAuthorizationSingleSignOnProvider+MSIDExtensions.h" #import "MSIDSSOExtensionTokenRequestDelegate.h" #import "MSIDBrokerOperationSilentTokenRequest.h" #import "NSDictionary+MSIDQueryItems.h" -#import "MSIDOauth2Factory.h" -#import "MSIDBrokerOperationTokenResponse.h" -#import "MSIDIntuneEnrollmentIdsCache.h" -#import "MSIDIntuneMAMResourcesCache.h" -#import "MSIDSSOTokenResponseHandler.h" -#import "MSIDThrottlingService.h" -#import "MSIDDefaultTokenCacheAccessor.h" #import "ASAuthorizationController+MSIDExtensions.h" -#if !EXCLUDE_FROM_MSALCPP -#import "MSIDLastRequestTelemetry.h" -#endif - @interface MSIDSSOExtensionSilentTokenRequest () -@property (nonatomic) ASAuthorizationController *authorizationController; @property (nonatomic, copy) MSIDRequestCompletionBlock requestCompletionBlock; -@property (nonatomic) id tokenCache; -@property (nonatomic) MSIDAccountMetadataCacheAccessor *accountMetadataCache; +@property (nonatomic) MSIDBrokerOperationSilentTokenRequest *operationRequest; +@property (nonatomic) ASAuthorizationController *authorizationController; @property (nonatomic) MSIDSSOExtensionTokenRequestDelegate *extensionDelegate; @property (nonatomic) ASAuthorizationSingleSignOnProvider *ssoProvider; -@property (nonatomic, readonly) MSIDProviderType providerType; -@property (nonatomic, readonly) MSIDIntuneEnrollmentIdsCache *enrollmentIdsCache; -@property (nonatomic, readonly) MSIDIntuneMAMResourcesCache *mamResourcesCache; -@property (nonatomic, readonly) MSIDSSOTokenResponseHandler *ssoTokenResponseHandler; -@property (nonatomic) MSIDBrokerOperationSilentTokenRequest *operationRequest; -@property (nonatomic) NSDate *requestSentDate; @end @implementation MSIDSSOExtensionSilentTokenRequest +@synthesize requestCompletionBlock, operationRequest; + - (instancetype)initWithRequestParameters:(MSIDRequestParameters *)parameters forceRefresh:(BOOL)forceRefresh oauthFactory:(MSIDOauth2Factory *)oauthFactory @@ -77,126 +57,21 @@ - (instancetype)initWithRequestParameters:(MSIDRequestParameters *)parameters self = [super initWithRequestParameters:parameters forceRefresh:forceRefresh oauthFactory:oauthFactory - tokenResponseValidator:tokenResponseValidator]; - + tokenResponseValidator:tokenResponseValidator + tokenCache:tokenCache + accountMetadataCache:accountMetadataCache + extendedTokenCache:extendedTokenCache]; if (self) { - _tokenCache = tokenCache; - _ssoTokenResponseHandler = [MSIDSSOTokenResponseHandler new]; _extensionDelegate = [MSIDSSOExtensionTokenRequestDelegate new]; _extensionDelegate.context = parameters; - __typeof__(self) __weak weakSelf = self; - _extensionDelegate.completionBlock = ^(MSIDBrokerOperationTokenResponse *operationResponse, NSError *error) - { - __typeof__(self) strongSelf = weakSelf; -#if TARGET_OS_OSX && !EXCLUDE_FROM_MSALCPP - strongSelf.ssoTokenResponseHandler.externalCacheSeeder = strongSelf.externalCacheSeeder; -#endif - - [strongSelf.ssoTokenResponseHandler handleOperationResponse:operationResponse - requestParameters:strongSelf.requestParameters - tokenResponseValidator:strongSelf.tokenResponseValidator - oauthFactory:strongSelf.oauthFactory - tokenCache:strongSelf.tokenCache - accountMetadataCache:strongSelf.accountMetadataCache - validateAccount:NO - error:error - completionBlock:^(MSIDTokenResult *result, NSError *localError) - { - MSIDRequestCompletionBlock completionBlock = strongSelf.requestCompletionBlock; - strongSelf.requestCompletionBlock = nil; - if (localError) - { - /** - * If SSO-EXT responses error, we should update throttling db - */ - if ([MSIDThrottlingService isThrottlingEnabled]) - { - [strongSelf.throttlingService updateThrottlingService:localError tokenRequest:strongSelf.operationRequest]; - } - } - if (completionBlock) completionBlock(result, localError); - }]; - }; - + _extensionDelegate.completionBlock = [super getCompletionBlock]; _ssoProvider = [ASAuthorizationSingleSignOnProvider msidSharedProvider]; - _providerType = [[oauthFactory class] providerType]; - _enrollmentIdsCache = [MSIDIntuneEnrollmentIdsCache sharedCache]; - _mamResourcesCache = [MSIDIntuneMAMResourcesCache sharedCache]; - _accountMetadataCache = accountMetadataCache; - - self.throttlingService = [[MSIDThrottlingService alloc] initWithDataSource:extendedTokenCache context:parameters]; } return self; } -#pragma mark - MSIDSilentTokenRequest - -- (void)executeRequestWithCompletion:(MSIDRequestCompletionBlock)completionBlock -{ - if (!self.requestParameters.accountIdentifier) - { - MSID_LOG_WITH_CTX(MSIDLogLevelError, self.requestParameters, @"Account parameter cannot be nil"); - - NSError *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorMissingAccountParameter, @"Account parameter cannot be nil", nil, nil, nil, self.requestParameters.correlationId, nil, YES); - completionBlock(nil, error); - return; - } - - NSString *upn = self.requestParameters.accountIdentifier.displayableId; - - [self.requestParameters.authority resolveAndValidate:self.requestParameters.validateAuthority - userPrincipalName:upn - context:self.requestParameters - completionBlock:^(__unused NSURL *openIdConfigurationEndpoint, - __unused BOOL validated, NSError *error) - { - if (error) - { - completionBlock(nil, error); - return; - } - - NSDictionary *enrollmentIds = [self.enrollmentIdsCache enrollmentIdsJsonDictionaryWithContext:self.requestParameters - error:nil]; - - NSDictionary *mamResources = [self.mamResourcesCache resourcesJsonDictionaryWithContext:self.requestParameters - error:nil]; - self.requestSentDate = [NSDate date]; - self.operationRequest = [MSIDBrokerOperationSilentTokenRequest tokenRequestWithParameters:self.requestParameters - providerType:self.providerType - enrollmentIds:enrollmentIds - mamResources:mamResources - requestSentDate:self.requestSentDate]; - if (![MSIDThrottlingService isThrottlingEnabled]) - { - [self executeRequestImplWithCompletionBlock:completionBlock]; - } - else - { - [self.throttlingService shouldThrottleRequest:self.operationRequest resultBlock:^(BOOL shouldBeThrottled, NSError * _Nullable cachedError) - { - MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Throttle decision: %@" , (shouldBeThrottled ? @"YES" : @"NO")); - - if (cachedError) - { - MSID_LOG_WITH_CTX(MSIDLogLevelWarning, self.requestParameters, @"Throttling return error: %@ ", MSID_PII_LOG_MASKABLE(cachedError)); - } - - if (shouldBeThrottled && cachedError) - { - completionBlock(nil,cachedError); - return; - } - - [self executeRequestImplWithCompletionBlock:completionBlock]; - }]; - } - - }]; -} - - (void)executeRequestImplWithCompletionBlock:(MSIDRequestCompletionBlock _Nonnull)completionBlock { NSDictionary *jsonDictionary = [self.operationRequest jsonDictionary]; @@ -221,15 +96,5 @@ - (void)executeRequestImplWithCompletionBlock:(MSIDRequestCompletionBlock _Nonnu [self.authorizationController msidPerformRequests]; } -- (id)tokenCache -{ - return _tokenCache; -} - -- (MSIDAccountMetadataCacheAccessor *)metadataCache -{ - return self.accountMetadataCache; -} - @end #endif diff --git a/IdentityCore/src/requests/broker/MSIDSSORemoteSilentTokenRequest.h b/IdentityCore/src/requests/broker/MSIDSSORemoteSilentTokenRequest.h new file mode 100644 index 000000000..96a68ec66 --- /dev/null +++ b/IdentityCore/src/requests/broker/MSIDSSORemoteSilentTokenRequest.h @@ -0,0 +1,55 @@ +// +// Copyright (c) Microsoft Corporation. +// All rights reserved. +// +// This code is licensed under the MIT License. +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files(the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions : +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. + + +#import "MSIDSilentTokenRequest.h" +#import "MSIDSSOExtensionRequestDelegate.h" + +@class MSIDAccountMetadataCacheAccessor; + +NS_ASSUME_NONNULL_BEGIN + +@interface MSIDSSORemoteSilentTokenRequest : MSIDSilentTokenRequest + +- (nullable instancetype)initWithRequestParameters:(MSIDRequestParameters *)parameters + forceRefresh:(BOOL)forceRefresh + oauthFactory:(MSIDOauth2Factory *)oauthFactory + tokenResponseValidator:(MSIDTokenResponseValidator *)tokenResponseValidator NS_UNAVAILABLE; + +- (nullable instancetype)initWithRequestParameters:(MSIDRequestParameters *)parameters + forceRefresh:(BOOL)forceRefresh + oauthFactory:(MSIDOauth2Factory *)oauthFactory + tokenResponseValidator:(MSIDTokenResponseValidator *)tokenResponseValidator + tokenCache:(id)tokenCache + accountMetadataCache:(nullable MSIDAccountMetadataCacheAccessor *)accountMetadataCache + extendedTokenCache:(nullable id)extendedTokenCache + NS_DESIGNATED_INITIALIZER; + +- (MSIDSSOExtensionRequestDelegateCompletionBlock)getCompletionBlock; + +@property (nonatomic, readonly, nonnull) id tokenCache; + +@end + +NS_ASSUME_NONNULL_END diff --git a/IdentityCore/src/requests/broker/MSIDSSORemoteSilentTokenRequest.m b/IdentityCore/src/requests/broker/MSIDSSORemoteSilentTokenRequest.m new file mode 100644 index 000000000..1b3fb97ec --- /dev/null +++ b/IdentityCore/src/requests/broker/MSIDSSORemoteSilentTokenRequest.m @@ -0,0 +1,201 @@ +// +// Copyright (c) Microsoft Corporation. +// All rights reserved. +// +// This code is licensed under the MIT License. +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files(the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions : +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. + +#import "MSIDSSORemoteSilentTokenRequest.h" +#import "MSIDRequestParameters.h" +#import "MSIDAccountIdentifier.h" +#import "MSIDAuthority.h" +#import "MSIDJsonSerializer.h" +#import "MSIDBrokerOperationSilentTokenRequest.h" +#import "NSDictionary+MSIDQueryItems.h" +#import "MSIDOauth2Factory.h" +#import "MSIDBrokerOperationTokenResponse.h" +#import "MSIDIntuneEnrollmentIdsCache.h" +#import "MSIDIntuneMAMResourcesCache.h" +#import "MSIDSSOTokenResponseHandler.h" +#import "MSIDThrottlingService.h" +#import "MSIDDefaultTokenCacheAccessor.h" +#if !EXCLUDE_FROM_MSALCPP +#import "MSIDLastRequestTelemetry.h" +#endif + +@interface MSIDSSORemoteSilentTokenRequest () + +@property (nonatomic) id tokenCache; +@property (nonatomic, copy) MSIDRequestCompletionBlock requestCompletionBlock; +@property (nonatomic) MSIDAccountMetadataCacheAccessor *accountMetadataCache; +@property (nonatomic, readonly) MSIDIntuneEnrollmentIdsCache *enrollmentIdsCache; +@property (nonatomic, readonly) MSIDIntuneMAMResourcesCache *mamResourcesCache; +@property (nonatomic, readonly) MSIDSSOTokenResponseHandler *ssoTokenResponseHandler; +@property (nonatomic) MSIDBrokerOperationSilentTokenRequest *operationRequest; +@property (nonatomic, readonly) MSIDProviderType providerType; +@property (nonatomic) NSDate *requestSentDate; + +@end + +@implementation MSIDSSORemoteSilentTokenRequest + +- (instancetype)initWithRequestParameters:(MSIDRequestParameters *)parameters + forceRefresh:(BOOL)forceRefresh + oauthFactory:(MSIDOauth2Factory *)oauthFactory + tokenResponseValidator:(MSIDTokenResponseValidator *)tokenResponseValidator + tokenCache:(id)tokenCache + accountMetadataCache:(MSIDAccountMetadataCacheAccessor *)accountMetadataCache + extendedTokenCache:(nullable id)extendedTokenCache +{ + self = [super initWithRequestParameters:parameters + forceRefresh:forceRefresh + oauthFactory:oauthFactory + tokenResponseValidator:tokenResponseValidator]; + + if (self) + { + _tokenCache = tokenCache; + _ssoTokenResponseHandler = [MSIDSSOTokenResponseHandler new]; + _providerType = [[oauthFactory class] providerType]; + _enrollmentIdsCache = [MSIDIntuneEnrollmentIdsCache sharedCache]; + _mamResourcesCache = [MSIDIntuneMAMResourcesCache sharedCache]; + _accountMetadataCache = accountMetadataCache; + + self.throttlingService = [[MSIDThrottlingService alloc] initWithDataSource:extendedTokenCache context:parameters]; + + } + + return self; +} + +- (MSIDSSOExtensionRequestDelegateCompletionBlock)getCompletionBlock +{ + return ^(MSIDBrokerOperationTokenResponse *operationResponse, NSError *error) + { +#if TARGET_OS_OSX && !EXCLUDE_FROM_MSALCPP + self.ssoTokenResponseHandler.externalCacheSeeder = self.externalCacheSeeder; +#endif + [self.ssoTokenResponseHandler handleOperationResponse:operationResponse + requestParameters:self.requestParameters + tokenResponseValidator:self.tokenResponseValidator + oauthFactory:self.oauthFactory + tokenCache:self.tokenCache + accountMetadataCache:self.accountMetadataCache + validateAccount:NO + error:error + completionBlock:^(MSIDTokenResult *result, NSError *localError) + { + MSIDRequestCompletionBlock completionBlock = self.requestCompletionBlock; + self.requestCompletionBlock = nil; + if (localError) + { + /** + * If SSO-EXT responses error, we should update throttling db + */ + if ([MSIDThrottlingService isThrottlingEnabled]) + { + [self.throttlingService updateThrottlingService:localError tokenRequest:self.operationRequest]; + } + } + if (completionBlock) completionBlock(result, localError); + }]; + }; +} + +- (void)executeRequestWithCompletion:(MSIDRequestCompletionBlock)completionBlock +{ + if (!self.requestParameters.accountIdentifier) + { + MSID_LOG_WITH_CTX(MSIDLogLevelError, self.requestParameters, @"Account parameter cannot be nil"); + + NSError *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorMissingAccountParameter, @"Account parameter cannot be nil", nil, nil, nil, self.requestParameters.correlationId, nil, YES); + completionBlock(nil, error); + return; + } + + NSString *upn = self.requestParameters.accountIdentifier.displayableId; + + [self.requestParameters.authority resolveAndValidate:self.requestParameters.validateAuthority + userPrincipalName:upn + context:self.requestParameters + completionBlock:^(__unused NSURL *openIdConfigurationEndpoint, + __unused BOOL validated, NSError *error) + { + if (error) + { + completionBlock(nil, error); + return; + } + + NSDictionary *enrollmentIds = [self.enrollmentIdsCache enrollmentIdsJsonDictionaryWithContext:self.requestParameters + error:nil]; + + NSDictionary *mamResources = [self.mamResourcesCache resourcesJsonDictionaryWithContext:self.requestParameters + error:nil]; + self.requestSentDate = [NSDate date]; + self.operationRequest = [MSIDBrokerOperationSilentTokenRequest tokenRequestWithParameters:self.requestParameters + providerType:self.providerType + enrollmentIds:enrollmentIds + mamResources:mamResources + requestSentDate:self.requestSentDate]; + if (![MSIDThrottlingService isThrottlingEnabled]) + { + [self executeRequestImplWithCompletionBlock:completionBlock]; + } + else + { + [self.throttlingService shouldThrottleRequest:self.operationRequest resultBlock:^(BOOL shouldBeThrottled, NSError * _Nullable cachedError) + { + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Throttle decision: %@" , (shouldBeThrottled ? @"YES" : @"NO")); + + if (cachedError) + { + MSID_LOG_WITH_CTX(MSIDLogLevelWarning, self.requestParameters, @"Throttling return error: %@ ", MSID_PII_LOG_MASKABLE(cachedError)); + } + + if (shouldBeThrottled && cachedError) + { + completionBlock(nil,cachedError); + return; + } + + [self executeRequestImplWithCompletionBlock:completionBlock]; + }]; + } + + }]; +} + +- (void)executeRequestImplWithCompletionBlock:(MSIDRequestCompletionBlock _Nonnull)completionBlock +{ + NSAssert(NO, @"Abstract method."); +} + +- (id)tokenCache +{ + return _tokenCache; +} + +- (MSIDAccountMetadataCacheAccessor *)metadataCache +{ + return self.accountMetadataCache; +} + +@end diff --git a/IdentityCore/src/requests/broker/MSIDSSOXpcSilentTokenRequest.h b/IdentityCore/src/requests/broker/MSIDSSOXpcSilentTokenRequest.h new file mode 100644 index 000000000..0084af22f --- /dev/null +++ b/IdentityCore/src/requests/broker/MSIDSSOXpcSilentTokenRequest.h @@ -0,0 +1,34 @@ +// +// Copyright (c) Microsoft Corporation. +// All rights reserved. +// +// This code is licensed under the MIT License. +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files(the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions : +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. + + +#import "MSIDSSORemoteSilentTokenRequest.h" + +NS_ASSUME_NONNULL_BEGIN + +@interface MSIDSSOXpcSilentTokenRequest : MSIDSSORemoteSilentTokenRequest + +@end + +NS_ASSUME_NONNULL_END diff --git a/IdentityCore/src/requests/broker/MSIDSSOXpcSilentTokenRequest.m b/IdentityCore/src/requests/broker/MSIDSSOXpcSilentTokenRequest.m new file mode 100644 index 000000000..e589c95e2 --- /dev/null +++ b/IdentityCore/src/requests/broker/MSIDSSOXpcSilentTokenRequest.m @@ -0,0 +1,108 @@ +// +// Copyright (c) Microsoft Corporation. +// All rights reserved. +// +// This code is licensed under the MIT License. +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files(the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions : +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. + + +#import "MSIDSSOXpcSilentTokenRequest.h" +#import "MSIDSSOExtensionRequestDelegate.h" +#import "MSIDBrokerOperationSilentTokenRequest.h" +#import "MSIDRequestParameters.h" +#import "MSIDXpcSingleSignOnProvider.h" +#import "MSIDBrokerOperationTokenResponse.h" + +@interface MSIDSSOXpcSilentTokenRequest() + +@property (nonatomic, copy) MSIDSSOExtensionRequestDelegateCompletionBlock completionBlock; +@property (nonatomic, copy) MSIDRequestCompletionBlock requestCompletionBlock; +@property (nonatomic) MSIDBrokerOperationSilentTokenRequest *operationRequest; +@property (nonatomic) MSIDXpcSingleSignOnProvider *xpcSingleSignOnProvider; +@property (nonatomic) id context; + +@end + +@implementation MSIDSSOXpcSilentTokenRequest + +@synthesize requestCompletionBlock, operationRequest; + +- (instancetype)initWithRequestParameters:(MSIDRequestParameters *)parameters + forceRefresh:(BOOL)forceRefresh + oauthFactory:(MSIDOauth2Factory *)oauthFactory + tokenResponseValidator:(MSIDTokenResponseValidator *)tokenResponseValidator + tokenCache:(id)tokenCache + accountMetadataCache:(MSIDAccountMetadataCacheAccessor *)accountMetadataCache + extendedTokenCache:(nullable id)extendedTokenCache +{ + self = [super initWithRequestParameters:parameters + forceRefresh:forceRefresh + oauthFactory:oauthFactory + tokenResponseValidator:tokenResponseValidator + tokenCache:tokenCache + accountMetadataCache:accountMetadataCache + extendedTokenCache:extendedTokenCache]; + if (self) + { + self.completionBlock = [super getCompletionBlock]; + self.xpcSingleSignOnProvider = [MSIDXpcSingleSignOnProvider new]; + self.context = parameters; + } + + return self; +} + +- (void)executeRequestImplWithCompletionBlock:(MSIDRequestCompletionBlock _Nonnull)completionBlock +{ + NSDictionary *jsonDictionary = [self.operationRequest jsonDictionary]; + + if (!jsonDictionary) + { + NSError *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInvalidInternalParameter, @"Failed to serialize SSO request dictionary for silent token request", nil, nil, nil, self.requestParameters.correlationId, nil, YES); + completionBlock(nil, error); + return; + } + + self.requestCompletionBlock = completionBlock; + [self performXpcRequest:jsonDictionary]; +} + +- (void)performXpcRequest:(NSDictionary *)xpcRequest +{ + // Get the bundle object for the main bundle + NSBundle *mainBundle = [NSBundle mainBundle]; + + // Retrieve the bundle identifier + NSString *bundleIdentifier = [mainBundle bundleIdentifier]; + NSDictionary *parameters = @{@"source_application": bundleIdentifier, + @"sso_request_param": xpcRequest, + @"is_silent": @(YES), + @"sso_request_operation": [self.operationRequest.class operation], + @"sso_request_id": [[NSUUID UUID] UUIDString]}; + [self.xpcSingleSignOnProvider handleRequestParam:parameters + brokerKey:self.operationRequest.brokerKey + assertKindOfResponseClass:MSIDBrokerOperationTokenResponse.class + context:self.context + continueBlock:^(id _Nullable response, NSError * _Nullable error) { + self.completionBlock(response, error); + }]; +} + +@end diff --git a/IdentityCore/src/requests/sdk/MSIDTokenRequestProviding.h b/IdentityCore/src/requests/sdk/MSIDTokenRequestProviding.h index c14bd7be9..e1f1e8e37 100644 --- a/IdentityCore/src/requests/sdk/MSIDTokenRequestProviding.h +++ b/IdentityCore/src/requests/sdk/MSIDTokenRequestProviding.h @@ -48,4 +48,7 @@ - (nullable MSIDSilentTokenRequest *)silentSSOExtensionTokenRequestWithParameters:(nonnull MSIDRequestParameters *)parameters forceRefresh:(BOOL)forceRefresh; +- (nullable MSIDSilentTokenRequest *)silentXpcTokenRequestWithParameters:(nonnull MSIDRequestParameters *)parameters + forceRefresh:(BOOL)forceRefresh; + @end diff --git a/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenRequestProvider.m b/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenRequestProvider.m index 06bd41263..e4d9dd81e 100644 --- a/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenRequestProvider.m +++ b/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenRequestProvider.m @@ -92,14 +92,19 @@ - (nullable MSIDBrokerTokenRequest *)brokerTokenRequestWithParameters:(nonnull M - (MSIDInteractiveTokenRequest *)interactiveSSOExtensionTokenRequestWithParameters:(__unused MSIDInteractiveTokenRequestParameters *)parameters { - // TODO: not implemented yet. + // Not supported return nil; } - (MSIDSilentTokenRequest *)silentSSOExtensionTokenRequestWithParameters:(__unused MSIDRequestParameters *)parameters forceRefresh:(__unused BOOL)forceRefresh { - // TODO: not implemented yet. + // Not supported + return nil; +} + +- (nullable MSIDSilentTokenRequest *)silentXpcTokenRequestWithParameters:(nonnull MSIDRequestParameters *)parameters forceRefresh:(BOOL)forceRefresh { + // Not supported return nil; } diff --git a/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenRequestProvider.m b/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenRequestProvider.m index a89bfdd62..5e2b4b848 100644 --- a/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenRequestProvider.m +++ b/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenRequestProvider.m @@ -30,6 +30,7 @@ #import "MSIDDefaultTokenRequestProvider+Internal.h" #import "MSIDSSOExtensionSilentTokenRequest.h" #import "MSIDSSOExtensionInteractiveTokenRequest.h" +#import "MSIDSSOXpcSilentTokenRequest.h" @implementation MSIDDefaultTokenRequestProvider @@ -123,4 +124,20 @@ - (MSIDSilentTokenRequest *)silentSSOExtensionTokenRequestWithParameters:(__unus return request; } +- (nullable MSIDSilentTokenRequest *)silentXpcTokenRequestWithParameters:(nonnull MSIDRequestParameters *)parameters forceRefresh:(BOOL)forceRefresh { +#if TARGET_OS_OSX + __auto_type request = [[MSIDSSOXpcSilentTokenRequest alloc] initWithRequestParameters:parameters + forceRefresh:forceRefresh + oauthFactory:self.oauthFactory + tokenResponseValidator:self.tokenResponseValidator + tokenCache:self.tokenCache + accountMetadataCache:self.accountMetadataCache + extendedTokenCache:self.tokenCache.accountCredentialCache.dataSource]; + return request; +#else + return nil; +#endif +} + + @end diff --git a/IdentityCore/src/util/MSIDXpcSingleSignOnProvider.h b/IdentityCore/src/util/MSIDXpcSingleSignOnProvider.h new file mode 100644 index 000000000..fa7497ecc --- /dev/null +++ b/IdentityCore/src/util/MSIDXpcSingleSignOnProvider.h @@ -0,0 +1,53 @@ +// +// Copyright (c) Microsoft Corporation. +// All rights reserved. +// +// This code is licensed under the MIT License. +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files(the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions : +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. + + +#import +#import "MSIDSSOExtensionRequestDelegate.h" + +NS_ASSUME_NONNULL_BEGIN + +@interface MSIDXpcSingleSignOnProvider : NSObject + +// For interactive auth request +// Note: completion thread is not gurantee, please submit to the correct thread as needed +- (void)handleRequestParam:(NSDictionary *)requestParam + parentViewFrame:(NSRect)frame + brokerKey:brokerKey + assertKindOfResponseClass:(Class)aClass + context:(id)context + continueBlock:(MSIDSSOExtensionRequestDelegateCompletionBlock)continueBlock; + +// For silent auth request +- (void)handleRequestParam:(NSDictionary *)requestParam + brokerKey:brokerKey + assertKindOfResponseClass:(Class)aClass + context:(id)context + continueBlock:(MSIDSSOExtensionRequestDelegateCompletionBlock)continueBlock; + ++ (BOOL)canPerformRequest; + +NS_ASSUME_NONNULL_END + +@end diff --git a/IdentityCore/src/util/MSIDXpcSingleSignOnProvider.m b/IdentityCore/src/util/MSIDXpcSingleSignOnProvider.m new file mode 100644 index 000000000..1064d3e05 --- /dev/null +++ b/IdentityCore/src/util/MSIDXpcSingleSignOnProvider.m @@ -0,0 +1,350 @@ +// +// Copyright (c) Microsoft Corporation. +// All rights reserved. +// +// This code is licensed under the MIT License. +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files(the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions : +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. + +#define requireIsAPPLSignedAnchor "anchor apple generic" + +#define requireIsAPPLSignedExternal "certificate 1[field.1.2.840.113635.100.6.2.6] exists" +#define requireIsMSFTSignedExternal "certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = UBF8T346G9" + +#define coreRequirementExternal "(" requireIsAPPLSignedExternal ") and (" requireIsMSFTSignedExternal ")" + +// For App Store, Microsoft certificates don't show up in certificate chain. +// Instead, we check for the app to be Microsoft App Group. +#define requireIsAppStoreSigned "certificate leaf[field.1.2.840.113635.100.6.1.9] exists" +#define requireBelongsToMSFTAppGroup "entitlement[\"com.apple.security.application-groups\"] = \"UBF8T346G9.\"*" + +#define coreRequirementAppStore "(" requireIsAppStoreSigned ") and (" requireBelongsToMSFTAppGroup ")" + +#define distributionRequirement "(" requireIsAPPLSignedAnchor ") and ((" coreRequirementAppStore ") or (" coreRequirementExternal "))" + +// For internal builds only we also recognize dev builds but exclude them from external builds +// for sake of simplicity and performance + +#define requireIsAPPLSignedInternal "certificate 1[field.1.2.840.113635.100.6.2.1] exists" +#define requireIsMSFTSignedInternal "certificate leaf[subject.CN] = \"%@\"" + +// requireIsXctestApp comes from the generated XctestCodeRequirement.h above +#define coreRequirementInternal "((" requireIsAPPLSignedInternal ") and (" requireIsMSFTSignedInternal "))" + +#define developmentRequirement "(" requireIsAPPLSignedAnchor ") and ((" coreRequirementAppStore ") or (" coreRequirementExternal ") or (" coreRequirementInternal "))" + +#import "MSIDXpcSingleSignOnProvider.h" +#import "MSIDJsonSerializableFactory.h" +#import "MSIDBrokerCryptoProvider.h" +#import "MSIDBrokerConstants.h" +#import "NSData+MSIDExtensions.h" +#import "MSIDBrokerOperationTokenResponse.h" +#import "MSIDRequestContext.h" +#import "MSIDConstants.h" + +@protocol MSIDXpcBrokerInstanceProtocol + +- (void)handleXpcWithRequestParams:(NSDictionary *)passedInParams + parentViewFrame:(NSRect)frame + completionBlock:(void (^)(NSDictionary * _Nonnull, NSDate * _Nonnull, NSString * _Nonnull, NSError * _Nullable))blockName; +- (void)canPerformAuthorization:(NSURL *)url + completionBlock:(void (^)(BOOL))blockName; + +@end + +@protocol MSIDXpcBrokerDispatcherProtocol + +- (void)getBrokerInstanceEndpointWithReply:(void (^)(NSXPCListenerEndpoint * _Nullable listenerEndpoint, NSDictionary * _Nullable params, NSError * _Nullable error))reply; +@end + +typedef void (^NSXPCListenerEndpointCompletionBlock)(id _Nullable xpcService, NSXPCConnection * _Nullable directConnection, NSError *error); + +static NSString *machServiceName = @"UBF8T346G9.com.microsoft.entrabroker.EntraIdentityBrokerXPC.Mach"; +static NSString *brokerDispatcher = @"com.microsoft.entrabroker.BrokerApp"; +static NSString *brokerInstance = @"com.microsoft.EntraIdentityBroker.Service"; + +@implementation MSIDXpcSingleSignOnProvider + +- (void)handleRequestParam:(NSDictionary *)requestParam + brokerKey:brokerKey + assertKindOfResponseClass:(Class)aClass + context:(id)context + continueBlock:(MSIDSSOExtensionRequestDelegateCompletionBlock)continueBlock +{ + [self handleRequestParam:requestParam + parentViewFrame:CGRectZero + brokerKey:brokerKey + assertKindOfResponseClass:(Class)aClass + context:(id)context + continueBlock:continueBlock]; +} + +- (void)handleRequestParam:(NSDictionary *)requestParam + parentViewFrame:(NSRect)frame + brokerKey:brokerKey + assertKindOfResponseClass:(Class)aClass + context:(id)context + continueBlock:(MSIDSSOExtensionRequestDelegateCompletionBlock)continueBlock +{ + [self getXpcService:^(id xpcService, NSXPCConnection *directConnection, NSError *error) { + if (!xpcService || error) + { + if (continueBlock) continueBlock(nil, error); + return; + } + + [xpcService handleXpcWithRequestParams:requestParam parentViewFrame:frame completionBlock:^(NSDictionary * _Nonnull replyParam, NSDate * _Nonnull __unused xpcStartDate, NSString * _Nonnull __unused processId, NSError * _Nonnull callbackError) { + [directConnection suspend]; + [directConnection invalidate]; + + BOOL forceRunOnBackgroundQueue = [[replyParam objectForKey:MSID_BROKER_OPERATION_KEY] isEqualToString:@"refresh"]; + [self forceRunOnBackgroundQueue:forceRunOnBackgroundQueue dispatchBlock:^{ + if (callbackError) + { + MSID_LOG_WITH_CTX_PII(MSIDLogLevelError, nil, @"[Entra broker] CLIENT received operationResponse with error: %@", callbackError); + if (continueBlock) continueBlock(nil, callbackError); + return; + } + + NSError *innerError = nil; + __auto_type operationResponse = (MSIDBrokerOperationTokenResponse *)[MSIDJsonSerializableFactory createFromJSONDictionary:replyParam classTypeJSONKey:MSID_BROKER_OPERATION_RESPONSE_TYPE_JSON_KEY assertKindOfClass:aClass error:&innerError]; + + if (!operationResponse) + { + MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"[Entra broker] CLIENT cannot create operationResponse"); + if (continueBlock) continueBlock(nil, innerError); + } + else + { + MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"[Entra broker] CLIENT received operationResponse, error: %@", callbackError); + if (continueBlock) continueBlock(operationResponse, callbackError); + } + }]; + }]; + }]; +} + ++ (BOOL)canPerformRequest +{ + // TODO: The full implementation will be done in 3166516 + // Synchronously entering this class method + @synchronized (self) { + dispatch_group_t group = dispatch_group_create(); + dispatch_group_enter(group); + + __block BOOL result = NO; + MSIDXpcSingleSignOnProvider *localInstance = [MSIDXpcSingleSignOnProvider new]; + [localInstance getXpcService:^(id xpcService, NSXPCConnection *directConnection, NSError *error) { + if (!xpcService || error) + { + dispatch_group_leave(group); + return; + } + + NSURL *url = [NSURL URLWithString:MSID_DEFAULT_AAD_AUTHORITY]; + [xpcService canPerformAuthorization:url completionBlock:^(BOOL canPerformRequest) { + [directConnection suspend]; + [directConnection invalidate]; + + result = canPerformRequest; + dispatch_group_leave(group); + }]; + }]; + + // If nothing came back in 2 sec, return false and unblock this thread + dispatch_time_t timeout = dispatch_time(DISPATCH_TIME_NOW, 2 * NSEC_PER_SEC); + dispatch_group_wait(group, timeout); + + return result; + } +} + +#pragma mark - Helpers + +- (NSString *)codeSignRequirementForBundleId:(NSString *)bundleId devIdentity:(NSString *)devIdentity +{ +#if DEBUG + if ([NSString msidIsStringNilOrBlank:devIdentity]) + { + MSID_LOG_WITH_CTX(MSIDLogLevelWarning, nil, @"devIdentity is not provided, fail to set code sign requirement for Xpc service. End early", nil, nil); + return nil; + } + + NSString *codeSignFormat = [NSString stringWithCString:developmentRequirement encoding:NSUTF8StringEncoding]; + NSString *baseRequirementWithDevIdentity = [NSString stringWithFormat:codeSignFormat, devIdentity]; + NSString *stringWithAdditionalRequirements = [NSString stringWithFormat:@"(identifier \"%@\") and %@" + " and !(entitlement[\"com.apple.security.cs.allow-dyld-environment-variables\"] /* exists */)" + " and !(entitlement[\"com.apple.security.cs.disable-library-validation\"] /* exists */)" + " and !(entitlement[\"com.apple.security.cs.allow-unsigned-executable-memory\"] /* exists */)" + " and !(entitlement[\"com.apple.security.cs.allow-jit\"] /* exists */)", bundleId, baseRequirementWithDevIdentity]; +#else + NSString *baseRequirementWithDevIdentity = [NSString stringWithCString:distributionRequirement encoding:NSUTF8StringEncoding]; + NSString *stringWithAdditionalRequirements = [NSString stringWithFormat:@"(identifier \"%@\") and %@" + " and !(entitlement[\"com.apple.security.cs.allow-dyld-environment-variables\"] /* exists */)" + " and !(entitlement[\"com.apple.security.cs.disable-library-validation\"] /* exists */)" + " and !(entitlement[\"com.apple.security.cs.allow-unsigned-executable-memory\"] /* exists */)" + " and !(entitlement[\"com.apple.security.cs.allow-jit\"] /* exists */)" + " and !(entitlement[\"com.apple.security.get-task-allow\"] /* exists */)" , bundleId, baseRequirementWithDevIdentity]; +#endif + + return stringWithAdditionalRequirements; +} + +- (NSString *)signingIdentity +{ + SecCodeRef selfCode = NULL; + OSStatus status = SecCodeCopySelf(kSecCSDefaultFlags, &selfCode); + + if (!selfCode) + { + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, nil, [NSString stringWithFormat:@"Failed to copy signing information, status; %ld", (long)status], nil, nil); + return nil; + } + + CFDictionaryRef cfDic = NULL; + status = SecCodeCopySigningInformation(selfCode, kSecCSSigningInformation, &cfDic); + + if (!cfDic) + { + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, nil, [NSString stringWithFormat:@"Failed to copy signing dictionary, status: %ld", (long)status], nil, nil); + CFRelease(selfCode); + return nil; + } + + NSDictionary *signingDic = CFBridgingRelease(cfDic); + CFRelease(selfCode); + + return [self devSigningIdentityFromSigningDictionary:signingDic]; +} + +- (NSString *)devSigningIdentityFromSigningDictionary:(NSDictionary *)signingDic +{ + NSArray *signingCertificates = signingDic[@"certificates"]; + + if (!signingCertificates + || ![signingCertificates isKindOfClass:[NSArray class]] + || ![signingCertificates count]) + { + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, nil, @"No certificates present in the signing dictionary", nil, nil); + return nil; + } + + SecCertificateRef leafCert = (__bridge SecCertificateRef)(signingCertificates[0]); + CFStringRef certCommonName = NULL; + OSStatus status = SecCertificateCopyCommonName(leafCert, &certCommonName); + + if (!certCommonName) + { + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, nil, [NSString stringWithFormat:@"Error with code %ld, description %@", (long)status, @"Failed to copy certificate common name"], nil, nil); + return nil; + } + + return CFBridgingRelease(certCommonName); +} + +- (void)forceRunOnBackgroundQueue:(BOOL)forceOnBackgroundQueue dispatchBlock:(void (^)(void))dispatchBlock +{ + if (forceOnBackgroundQueue && [NSThread isMainThread]) + { + dispatch_async(dispatch_get_global_queue( DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(void){ + dispatchBlock(); + }); + } + else + { + dispatchBlock(); + } +} + +- (void)getXpcService:(NSXPCListenerEndpointCompletionBlock)continueBlock +{ + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, nil, @"[Entra broker] CLIENT - started establishing connection"); + NSXPCConnection *connection = [[NSXPCConnection alloc] initWithMachServiceName:machServiceName options:0]; + + NSString *codeSigningRequirement = [self codeSignRequirementForBundleId:brokerDispatcher devIdentity:[self signingIdentity]]; + if ([NSString msidIsStringNilOrBlank:codeSigningRequirement]) + { + // This can only happen under debug build under development environment + continueBlock(nil, nil, MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"[Entra broker] CLIENT -- developer error, codeSigningRequirement is not provided", nil, nil, nil, nil, nil, YES)); + return; + } + + connection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(MSIDXpcBrokerDispatcherProtocol)]; + if (@available(macOS 13.0, *)) { + [connection setCodeSigningRequirement:codeSigningRequirement]; + } else { + // Intentionally left empty because the entire XPC flow will only be available on macOS 13 and above and gaurded through canPerformRequest + return; + } + + [connection resume]; + [connection setInterruptionHandler:^{ + NSError *xpcUnexpectedError = MSIDCreateError(MSIDErrorDomain, MSIDErrorSSOExtensionUnexpectedError, @"[Entra broker] CLIENT -- dispatcher connection is interrupted", nil, nil, nil, nil, nil, YES); + if (continueBlock) continueBlock(nil, nil, xpcUnexpectedError); + }]; + + id parentXpcService = [connection remoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) { + NSError *xpcUnexpectedError = MSIDCreateError(MSIDErrorDomain, MSIDErrorSSOExtensionUnexpectedError, [NSString stringWithFormat:@"[Entra broker] CLIENT -- failed to connect to dispatcher, error: %@", error], nil, nil, nil, nil, nil, YES); + if (continueBlock) continueBlock(nil, nil, xpcUnexpectedError); + }]; + + [parentXpcService getBrokerInstanceEndpointWithReply:^(NSXPCListenerEndpoint * _Nullable listenerEndpoint, NSDictionary * _Nullable __unused params, NSError * _Nullable error) { + [connection suspend]; + [connection invalidate]; + if (error) + { + NSError *xpcUnexpectedError = MSIDCreateError(MSIDErrorDomain, MSIDErrorSSOExtensionUnexpectedError, [NSString stringWithFormat:@"[Entra broker] CLIENT - get broker instance endpoint failed: %@", error], nil, nil, nil, nil, nil, YES); + if (continueBlock) continueBlock(nil, nil, xpcUnexpectedError); + return; + } + + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, nil, @"[Entra broker] CLIENT - connected to new service endpoint %@", listenerEndpoint); + NSXPCConnection *directConnection = [[NSXPCConnection alloc] initWithListenerEndpoint:listenerEndpoint]; + directConnection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(MSIDXpcBrokerInstanceProtocol)]; + NSString *clientCodeSigningRequirement = [self codeSignRequirementForBundleId:brokerInstance devIdentity:[self signingIdentity]]; + if ([NSString msidIsStringNilOrBlank:clientCodeSigningRequirement]) + { + // This can only happen under debug build under development environment + continueBlock(nil, nil, MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"[Entra broker] CLIENT -- developer error, codeSigningRequirement is not provided", nil, nil, nil, nil, nil, YES)); + return; + } + + if (@available(macOS 13.0, *)) { + [directConnection setCodeSigningRequirement:clientCodeSigningRequirement]; + } else { + // This should not happen since the entry point has been guarded by version + MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"[Entra broker] CLIENT - fall into unsupported platform end XPC disconnect from service!", nil); + } + + [directConnection resume]; + [directConnection setInterruptionHandler:^{ + NSError *xpcUnexpectedError = MSIDCreateError(MSIDErrorDomain, MSIDErrorSSOExtensionUnexpectedError, @"[Entra broker] CLIENT -- instance connection is interrupted", nil, nil, nil, nil, nil, YES); + if (continueBlock) continueBlock(nil, nil, xpcUnexpectedError); + }]; + + id directService = [directConnection remoteObjectProxyWithErrorHandler:^(NSError * _Nonnull callbackError) { + NSError *xpcUnexpectedError = MSIDCreateError(MSIDErrorDomain, MSIDErrorSSOExtensionUnexpectedError, [NSString stringWithFormat:@"[Entra broker] CLIENT -- failed to connect to instance, error: %@", callbackError], nil, nil, nil, nil, nil, YES); + if (continueBlock) continueBlock(nil, nil, xpcUnexpectedError); + }]; + + if (continueBlock) continueBlock(directService, directConnection, nil); + }]; +} + +@end diff --git a/IdentityCore/tests/MSIDRequestControllerFactoryTests.m b/IdentityCore/tests/MSIDRequestControllerFactoryTests.m index 8f04b031e..1a86f123a 100644 --- a/IdentityCore/tests/MSIDRequestControllerFactoryTests.m +++ b/IdentityCore/tests/MSIDRequestControllerFactoryTests.m @@ -33,6 +33,15 @@ #import "MSIDSSOExtensionSilentTokenRequestController.h" #import "MSIDTestSwizzle.h" #import "MSIDRequestParameters+Broker.h" +#if TARGET_OS_OSX +#import "MSIDXpcSilentTokenRequestController.h" +#endif + +@interface MSIDBaseRequestController (Testing) + +@property (nonatomic, readwrite) id fallbackController; + +@end @interface MSIDRequestControllerFactoryTests : XCTestCase @@ -189,6 +198,271 @@ - (void)testWhenUseLocalRt_isUnDefined_shouldSkip_whenFallBackController_isValid XCTAssertTrue([(MSIDSilentController *)controller skipLocalRt]); } + +#if TARGET_OS_OSX +- (void)testWhenSsoExtensionIsEnabled_andXpcIsPartiallyEnabled_andSsoExtensionIsDisabled_controllersOrder_areCorrect +{ + MSIDTestTokenRequestProvider *provider = [[MSIDTestTokenRequestProvider alloc] initWithTestResponse:nil + testError:nil + testWebMSAuthResponse:nil]; + MSIDRequestParameters *parameters = [self requestParameters]; + parameters.xpcMode = MSIDXpcModeBackup; + parameters.allowUsingLocalCachedRtWhenSsoExtFailed = YES; + + NSError *error; + SEL selectorForMSIDSSOExtensionSilentTokenRequestController = NSSelectorFromString(@"canPerformRequest"); + [MSIDTestSwizzle classMethod:selectorForMSIDSSOExtensionSilentTokenRequestController + class:[MSIDSSOExtensionSilentTokenRequestController class] + block:(id)^(void) + { + return NO; + }]; + + SEL selectorForMSIDXpcSilentTokenRequestController = NSSelectorFromString(@"canPerformRequest"); + [MSIDTestSwizzle classMethod:selectorForMSIDXpcSilentTokenRequestController + class:[MSIDXpcSilentTokenRequestController class] + block:(id)^(void) + { + return YES; + }]; + + SEL selectorForMSIDRequestParameters = NSSelectorFromString(@"shouldUseBroker"); + [MSIDTestSwizzle instanceMethod:selectorForMSIDRequestParameters + class:[MSIDRequestParameters class] + block:(id)^(void) + { + return YES; + }]; + + id controller = [MSIDRequestControllerFactory silentControllerForParameters:parameters + forceRefresh:NO + skipLocalRt:MSIDSilentControllerForceSkippingLocalRt + tokenRequestProvider:provider + error:&error]; + // 1. Start with local signin controller to read cached tokens + if (![controller isMemberOfClass:MSIDSilentController.class]) + { + XCTFail(); + } + + XCTAssertTrue([(MSIDSilentController *)controller skipLocalRt]); + XCTAssertFalse([(MSIDSilentController *)controller forceRefresh]); + + MSIDBaseRequestController *baseController = (MSIDBaseRequestController *)controller; + + // 2. When SsoExtension controller disabled, use local signin controller to refresh. XPC is ignore as it is in XPC backup mode + if (![baseController.fallbackController isMemberOfClass:MSIDSilentController.class]) + { + XCTFail(); + } + + baseController = (MSIDSilentController *)baseController.fallbackController; + XCTAssertTrue([(MSIDSilentController *)baseController forceRefresh]); + XCTAssertTrue([(MSIDSilentController *)baseController isLocalFallbackMode]); +} + +- (void)testWhenSsoExtensionIsEnabled_andXpcIsPartiallyEnabled_andSsoExtensionIsEnabled_controllersOrder_areCorrect +{ + MSIDTestTokenRequestProvider *provider = [[MSIDTestTokenRequestProvider alloc] initWithTestResponse:nil + testError:nil + testWebMSAuthResponse:nil]; + MSIDRequestParameters *parameters = [self requestParameters]; + parameters.xpcMode = MSIDXpcModeBackup; + parameters.allowUsingLocalCachedRtWhenSsoExtFailed = YES; + + NSError *error; + SEL selectorForMSIDSSOExtensionSilentTokenRequestController = NSSelectorFromString(@"canPerformRequest"); + [MSIDTestSwizzle classMethod:selectorForMSIDSSOExtensionSilentTokenRequestController + class:[MSIDSSOExtensionSilentTokenRequestController class] + block:(id)^(void) + { + return YES; + }]; + + SEL selectorForMSIDXpcSilentTokenRequestController = NSSelectorFromString(@"canPerformRequest"); + [MSIDTestSwizzle classMethod:selectorForMSIDXpcSilentTokenRequestController + class:[MSIDXpcSilentTokenRequestController class] + block:(id)^(void) + { + return YES; + }]; + + SEL selectorForMSIDRequestParameters = NSSelectorFromString(@"shouldUseBroker"); + [MSIDTestSwizzle instanceMethod:selectorForMSIDRequestParameters + class:[MSIDRequestParameters class] + block:(id)^(void) + { + return YES; + }]; + + id controller = [MSIDRequestControllerFactory silentControllerForParameters:parameters + forceRefresh:NO + skipLocalRt:MSIDSilentControllerForceSkippingLocalRt + tokenRequestProvider:provider + error:&error]; + // 1. Start with local signin controller to read cached tokens + if (![controller isMemberOfClass:MSIDSilentController.class]) + { + XCTFail(); + } + + XCTAssertTrue([(MSIDSilentController *)controller skipLocalRt]); + XCTAssertFalse([(MSIDSilentController *)controller forceRefresh]); + + MSIDBaseRequestController *baseController = (MSIDBaseRequestController *)controller; + if (![baseController.fallbackController isMemberOfClass:MSIDSSOExtensionSilentTokenRequestController.class]) + { + XCTFail(); + } + + // 2. When local signin controller failed, use SsoExtension controller + baseController = (MSIDSSOExtensionSilentTokenRequestController *)baseController.fallbackController; + if (![baseController.fallbackController isMemberOfClass:MSIDXpcSilentTokenRequestController.class]) + { + XCTFail(); + } + + // 3. When SsoExtension controller failed, use Xpc Controller + baseController = (MSIDXpcSilentTokenRequestController *)baseController.fallbackController; + if (![baseController.fallbackController isMemberOfClass:MSIDSilentController.class]) + { + XCTFail(); + } + + // 4. When Xpc controller failed, use local signin controller to refresh + baseController = (MSIDSilentController *)baseController.fallbackController; + XCTAssertTrue([(MSIDSilentController *)baseController forceRefresh]); + XCTAssertTrue([(MSIDSilentController *)baseController isLocalFallbackMode]); +} + +- (void)testWhenSsoExtensionIsEnabled_andXpcIsFullyEnabled_andSsoExtensionIsDisabled_controllersOrder_areCorrect +{ + MSIDTestTokenRequestProvider *provider = [[MSIDTestTokenRequestProvider alloc] initWithTestResponse:nil + testError:nil + testWebMSAuthResponse:nil]; + MSIDRequestParameters *parameters = [self requestParameters]; + parameters.xpcMode = MSIDXpcModeFull; + parameters.allowUsingLocalCachedRtWhenSsoExtFailed = YES; + + NSError *error; + SEL selectorForMSIDSSOExtensionSilentTokenRequestController = NSSelectorFromString(@"canPerformRequest"); + [MSIDTestSwizzle classMethod:selectorForMSIDSSOExtensionSilentTokenRequestController + class:[MSIDSSOExtensionSilentTokenRequestController class] + block:(id)^(void) + { + return NO; + }]; + + SEL selectorForMSIDXpcSilentTokenRequestController = NSSelectorFromString(@"canPerformRequest"); + [MSIDTestSwizzle classMethod:selectorForMSIDXpcSilentTokenRequestController + class:[MSIDXpcSilentTokenRequestController class] + block:(id)^(void) + { + return YES; + }]; + + SEL selectorForMSIDRequestParameters = NSSelectorFromString(@"shouldUseBroker"); + [MSIDTestSwizzle instanceMethod:selectorForMSIDRequestParameters + class:[MSIDRequestParameters class] + block:(id)^(void) + { + return YES; + }]; + + id controller = [MSIDRequestControllerFactory silentControllerForParameters:parameters + forceRefresh:NO + skipLocalRt:MSIDSilentControllerForceSkippingLocalRt + tokenRequestProvider:provider + error:&error]; + // 1. Start with local signin controller to read cached tokens + if (![controller isMemberOfClass:MSIDSilentController.class]) + { + XCTFail(); + } + + XCTAssertTrue([(MSIDSilentController *)controller skipLocalRt]); + XCTAssertFalse([(MSIDSilentController *)controller forceRefresh]); + + // 2. When local signin controller failed, use SsoExtension controller + MSIDBaseRequestController *baseController = (MSIDBaseRequestController *)controller; + if (![baseController.fallbackController isMemberOfClass:MSIDXpcSilentTokenRequestController.class]) + { + XCTFail(); + } + + // 2. When SsoExtension controller failed, use Xpc Controller + baseController = (MSIDXpcSilentTokenRequestController *)baseController.fallbackController; + if (![baseController.fallbackController isMemberOfClass:MSIDSilentController.class]) + { + XCTFail(); + } + + // 3. When Xpc controller failed, use local signin controller to refresh + baseController = (MSIDSilentController *)baseController.fallbackController; + XCTAssertTrue([(MSIDSilentController *)baseController forceRefresh]); + XCTAssertTrue([(MSIDSilentController *)baseController isLocalFallbackMode]); +} +#endif + +- (void)testWhenSsoExtensionIsEnabled_andXpcIsDisabled_controllersOrder_areCorrect +{ + MSIDTestTokenRequestProvider *provider = [[MSIDTestTokenRequestProvider alloc] initWithTestResponse:nil + testError:nil + testWebMSAuthResponse:nil]; + MSIDRequestParameters *parameters = [self requestParameters]; + parameters.allowUsingLocalCachedRtWhenSsoExtFailed = YES; + + NSError *error; + SEL selectorForMSIDSSOExtensionSilentTokenRequestController = NSSelectorFromString(@"canPerformRequest"); + [MSIDTestSwizzle classMethod:selectorForMSIDSSOExtensionSilentTokenRequestController + class:[MSIDSSOExtensionSilentTokenRequestController class] + block:(id)^(void) + { + return YES; + }]; + + SEL selectorForMSIDRequestParameters = NSSelectorFromString(@"shouldUseBroker"); + [MSIDTestSwizzle instanceMethod:selectorForMSIDRequestParameters + class:[MSIDRequestParameters class] + block:(id)^(void) + { + return YES; + }]; + + + id controller = [MSIDRequestControllerFactory silentControllerForParameters:parameters + forceRefresh:NO + skipLocalRt:MSIDSilentControllerForceSkippingLocalRt + tokenRequestProvider:provider + error:&error]; + // 1. Start with local signin controller to read cached tokens + if (![controller isMemberOfClass:MSIDSilentController.class]) + { + XCTFail(); + } + + XCTAssertTrue([(MSIDSilentController *)controller skipLocalRt]); + XCTAssertFalse([(MSIDSilentController *)controller forceRefresh]); + + // 2. When local signin controller failed, use SsoExtension controller + MSIDBaseRequestController *baseController = (MSIDBaseRequestController *)controller; + if (![baseController.fallbackController isMemberOfClass:MSIDSSOExtensionSilentTokenRequestController.class]) + { + XCTFail(); + } + + // 3. When SsoExtension controller failed, use local signin controller to refresh + baseController = (MSIDSSOExtensionSilentTokenRequestController *)baseController.fallbackController; + if (![baseController.fallbackController isMemberOfClass:MSIDSilentController.class]) + { + XCTFail(); + } + + baseController = (MSIDSilentController *)baseController.fallbackController; + XCTAssertTrue([(MSIDSilentController *)baseController forceRefresh]); + XCTAssertTrue([(MSIDSilentController *)baseController isLocalFallbackMode]); +} + - (void)testWhenUseLocalRt_isUnDefined_shouldNotSkip_whenFallBackController_isNotValid { MSIDTestTokenRequestProvider *provider = [[MSIDTestTokenRequestProvider alloc] initWithTestResponse:nil diff --git a/IdentityCore/tests/mocks/MSIDTestTokenRequestProvider.m b/IdentityCore/tests/mocks/MSIDTestTokenRequestProvider.m index b069adbfd..d307ddb0d 100644 --- a/IdentityCore/tests/mocks/MSIDTestTokenRequestProvider.m +++ b/IdentityCore/tests/mocks/MSIDTestTokenRequestProvider.m @@ -118,4 +118,9 @@ - (nullable MSIDSilentTokenRequest *)silentSSOExtensionTokenRequestWithParameter return [[MSIDTestSilentTokenRequest alloc] initWithTestResponse:self.testTokenResult testError:self.testError]; } +- (nullable MSIDSilentTokenRequest *)silentXpcTokenRequestWithParameters:(nonnull MSIDRequestParameters *)parameters forceRefresh:(BOOL)forceRefresh { + return [[MSIDTestSilentTokenRequest alloc] initWithTestResponse:self.testTokenResult testError:self.testError]; +} + + @end