Merge pull request #1475 from AzureAD/release/1.8.0

Release/1.8.0

Author: kaisong1990

IdentityCore/src/MSIDBrokerConstants.h

@@ -104,3 +104,5 @@ extern NSString * _Nonnull const MSID_CREATE_NEW_URL_SESSION;
 extern NSString * _Nonnull const MSID_HTTP_CONNECTION_VALUE;
 extern NSString * _Nonnull const MSID_FORCE_REFRESH_KEY;
 
+extern BOOL MSID_SUPPRESS_CAMERA_CONSENT_PROMPT_IN_WEBVIEW;
+

IdentityCore/src/MSIDBrokerConstants.m

@@ -104,3 +104,6 @@
 // Http header
 NSString *const MSID_HTTP_CONNECTION = @"Connection";
 NSString *const MSID_HTTP_CONNECTION_VALUE = @"close";
+
+// Non-constant
+BOOL MSID_SUPPRESS_CAMERA_CONSENT_PROMPT_IN_WEBVIEW = NO;

IdentityCore/src/MSIDError.h

@@ -171,6 +171,8 @@ typedef NS_ENUM(NSInteger, MSIDErrorCode)
      */
 
     MSIDErrorServerUnhandledResponse    = -51500,
+    // http status Code 403 or 404
+    MSIDErrorUnexpectedHttpResponse     = -51501,
 
     /*!
      =========================================================
@@ -334,6 +336,24 @@ typedef NS_ENUM(NSInteger, MSIDErrorCode)
 
     // JIT - Error Handling config invalid or not found
     MSIDErrorJITErrorHandlingConfigNotFound        =   -51839,
+    
+    // Error is thrown when PSSO biometric policy flag mismatches with the config value
+    MSIDErrorPSSOBiometricPolicyMismatch        =   -51840,
+    
+    // Error is thrown when non ENtra passkey extension tries to access the passkey
+    MSIDErrorPSSOInvalidPasskeyExtension        =   -51841,
+    
+    // Error thrown when psso save login config operation fails
+    MSIDErrorPSSOSaveLoginConfigFailure        =   -51842,
+    
+    // Error is thrown when passkey accessed without biometric when h/w biometric policy configured
+    MSIDErrorPSSOPasskeyLAError        =   -51843,
+    
+    // Error is thrown when PSSO user registration attempted with no biometrics configured and sekey biometric policy is configured
+    MSIDErrorPSSOBiometricsNotEnrolled        =   -51844,
+    
+    // Error is thrown when PSSO user registration attempted with no biometrics available and sekey biometric policy is configured
+    MSIDErrorPSSOBiometricsNotAvailable        =   -51845,
 
     // Throttling errors
     MSIDErrorThrottleCacheNoRecord = -51900,

IdentityCore/src/MSIDError.m

@@ -207,6 +207,12 @@ MSIDErrorCode MSIDErrorCodeForOAuthErrorWithSubErrorCode(NSString *oauthError, M
                       @(MSIDErrorDeviceNotPSSORegistered),
                       @(MSIDErrorPSSOKeyIdMismatch),
                       @(MSIDErrorJITErrorHandlingConfigNotFound),
+                      @(MSIDErrorPSSOBiometricPolicyMismatch),
+                      @(MSIDErrorPSSOInvalidPasskeyExtension),
+                      @(MSIDErrorPSSOSaveLoginConfigFailure),
+                      @(MSIDErrorPSSOPasskeyLAError),
+                      @(MSIDErrorPSSOBiometricsNotEnrolled),
+                      @(MSIDErrorPSSOBiometricsNotAvailable),
                       ],
               MSIDOAuthErrorDomain : @[// Server Errors
                       @(MSIDErrorServerOauth),
@@ -224,7 +230,8 @@ MSIDErrorCode MSIDErrorCodeForOAuthErrorWithSubErrorCode(NSString *oauthError, M
                       @(MSIDErrorServerError),
                       ],
               MSIDHttpErrorCodeDomain : @[
-                      @(MSIDErrorServerUnhandledResponse)
+                      @(MSIDErrorServerUnhandledResponse),
+                      @(MSIDErrorUnexpectedHttpResponse)
                       ]
 
               // TODO: add new codes here
@@ -301,6 +308,8 @@ void MSIDFillAndLogError(NSError **error, MSIDErrorCode errorCode, NSString *err
             // HTTP errors
         case MSIDErrorServerUnhandledResponse:
             return @"MSIDErrorServerUnhandledResponse";
+        case MSIDErrorUnexpectedHttpResponse:
+            return @"MSIDErrorUnexpectedHttpResponse";
             // Authority validation errors
         case MSIDErrorAuthorityValidation:
             return @"MSIDErrorAuthorityValidation";
@@ -415,6 +424,18 @@ void MSIDFillAndLogError(NSError **error, MSIDErrorCode errorCode, NSString *err
             return @"MSIDErrorDeviceNotPSSORegistered";
         case MSIDErrorPSSOKeyIdMismatch:
             return @"MSIDErrorPSSOKeyIdMismatch";
+        case MSIDErrorPSSOBiometricPolicyMismatch:
+            return @"MSIDErrorPSSOBiometricPolicyMismatch";
+        case MSIDErrorPSSOInvalidPasskeyExtension:
+            return @"MSIDErrorPSSOInvalidPasskeyExtension";
+        case MSIDErrorPSSOSaveLoginConfigFailure:
+            return @"MSIDErrorPSSOSaveLoginConfigFailure";
+        case MSIDErrorPSSOPasskeyLAError:
+            return @"MSIDErrorPSSOPasskeyLAError";
+        case MSIDErrorPSSOBiometricsNotEnrolled:
+            return @"MSIDErrorPSSOBiometricsNotEnrolled";
+        case MSIDErrorPSSOBiometricsNotAvailable:
+            return @"MSIDErrorPSSOBiometricsNotAvailable";
             // Throttling errors
         case MSIDErrorThrottleCacheNoRecord:
             return @"MSIDErrorThrottleCacheNoRecord";

IdentityCore/src/broker_operation/response/MSIDDeviceInfo.h

@@ -46,6 +46,7 @@ typedef NS_ENUM(NSInteger, MSIDPlatformSSOStatus)
     MSIDPlatformSSONotEnabled = 0, //Platform SSO Not enabled in SSO Config
     MSIDPlatformSSOEnabledNotRegistered = 1, //Platform SSO Enabled in sso config , but not Registered
     MSIDPlatformSSOEnabledAndRegistered = 2, //Platform SSO Enabled in sso config and registered
+    MSIDPlatformSSORegistrationNeedsRepair = 3, //Platform registration needs to be repaired
 };
 
 typedef NS_ENUM(NSInteger, MSIDPreferredAuthMethod)

IdentityCore/src/broker_operation/response/MSIDDeviceInfo.m

@@ -176,6 +176,8 @@ - (NSString *)platformSSOStatusStringFromEnum:(MSIDPlatformSSOStatus)platformSSO
             return @"platformSSOEnabledNotRegistered";
         case MSIDPlatformSSOEnabledAndRegistered:
             return @"platformSSOEnabledAndRegistered";
+        case MSIDPlatformSSORegistrationNeedsRepair:
+            return @"platformSSORegistrationNeedsRepair";
 
         default:
             return nil;
@@ -187,6 +189,7 @@ - (MSIDPlatformSSOStatus)platformSSOStatusEnumFromString:(NSString *)platformSSO
     if ([platformSSOStatusString isEqualToString:@"platformSSONotEnabled"])    return MSIDPlatformSSONotEnabled;
     if ([platformSSOStatusString isEqualToString:@"platformSSOEnabledNotRegistered"])  return MSIDPlatformSSOEnabledNotRegistered;
     if ([platformSSOStatusString isEqualToString:@"platformSSOEnabledAndRegistered"])  return MSIDPlatformSSOEnabledAndRegistered;
+    if ([platformSSOStatusString isEqualToString:@"platformSSORegistrationNeedsRepair"])  return MSIDPlatformSSORegistrationNeedsRepair;
 
     return MSIDPlatformSSONotEnabled;
 }

IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m

@@ -1277,7 +1277,10 @@ - (BOOL)saveAccount:(MSIDAccount *)account
         }
         else
         {
-            [noReturnAccountsSet addObject:accountCacheItem.username];
+            if (accountCacheItem.username)
+            {
+                [noReturnAccountsSet addObject:accountCacheItem.username];
+            }
         }
     }
 

IdentityCore/src/logger/MSIDMaskedUsernameLogParameter.m

@@ -49,7 +49,7 @@ - (NSString *)maskedDescription
             domain = [stringValue substringFromIndex:emailIndex.location + 1];
         }
 
-        return [NSString stringWithFormat:@"auth.placeholder-%@__%@", [username msidSecretLoggingHash], domain];
+        return [NSString stringWithFormat:@"auth.placeholder-%@__%@", [username.lowercaseString msidSecretLoggingHash], domain.lowercaseString];
     }
 
     return [self.parameterValue msidSecretLoggingHash];

IdentityCore/src/network/error_handler/MSIDAADRequestErrorHandler.m

@@ -150,7 +150,13 @@ - (void)handleError:(NSError *)error
         }
     }
 
-    NSError *httpError = MSIDCreateError(MSIDHttpErrorCodeDomain, MSIDErrorServerUnhandledResponse, errorDescription, nil, nil, nil, context.correlationId, additionalInfo, YES);
+    NSError *httpUnderlyingError = nil;
+    if (httpResponse.statusCode == 403 || httpResponse.statusCode == 404)
+    {
+        httpUnderlyingError = MSIDCreateError(MSIDHttpErrorCodeDomain, MSIDErrorUnexpectedHttpResponse, errorDescription, nil, nil, nil, context.correlationId, nil, YES);
+    }
+
+    NSError *httpError = MSIDCreateError(MSIDHttpErrorCodeDomain, MSIDErrorServerUnhandledResponse, errorDescription, nil, nil, httpUnderlyingError, context.correlationId, additionalInfo, YES);
 
     if (completionBlock) completionBlock(nil, httpError);
 }

IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.h

@@ -38,7 +38,7 @@
 typedef void (^MSIDNavigationResponseBlock)(NSHTTPURLResponse *response);
 
 @interface MSIDOAuth2EmbeddedWebviewController :
-MSIDWebviewUIController <MSIDWebviewInteracting, WKNavigationDelegate>
+MSIDWebviewUIController <MSIDWebviewInteracting, WKNavigationDelegate, WKUIDelegate>
 
 typedef NSURLRequest *(^MSIDExternalDecidePolicyForBrowserActionBlock)(MSIDOAuth2EmbeddedWebviewController *webView, NSURL *url);
 

IdentityCore/src/webview/embeddedWebview/MSIDOAuth2EmbeddedWebviewController.m

@@ -108,6 +108,10 @@ -(void)dealloc
     {
         [self.webView setNavigationDelegate:nil];
     }
+    if ([self.webView.UIDelegate isEqual:self])
+    {
+        [self.webView setUIDelegate:nil];
+    }
 
     self.webView = nil;
 }
@@ -175,6 +179,7 @@ - (BOOL)loadView:(NSError *__autoreleasing*)error
     BOOL result = [super loadView:error];
 
     self.webView.navigationDelegate = self;
+    self.webView.UIDelegate = self;
 
 #if !EXCLUDE_FROM_MSALCPP
 #if DEBUG
@@ -479,6 +484,22 @@ - (void)webView:(WKWebView *)webView didReceiveServerRedirectForProvisionalNavig
     }
 }
 
+- (void) webView:(WKWebView *)webView
+requestMediaCapturePermissionForOrigin:(WKSecurityOrigin *)origin
+initiatedByFrame:(WKFrameInfo *)frame
+            type:(WKMediaCaptureType)type
+ decisionHandler:(void (^)(WKPermissionDecision decision))decisionHandler API_AVAILABLE(ios(15.0), macos(12.0))
+{
+    if (MSID_SUPPRESS_CAMERA_CONSENT_PROMPT_IN_WEBVIEW && type == WKMediaCaptureTypeCamera)
+    {
+        decisionHandler(WKPermissionDecisionGrant);
+    }
+    else
+    {
+        decisionHandler(WKPermissionDecisionPrompt);
+    }
+}
+
 #pragma mark - Loading Indicator
 
 - (void)onStartLoadingIndicator:(__unused id)sender

IdentityCore/tests/MSIDAADRequestErrorHandlerTests.m

@@ -191,6 +191,8 @@ - (void)testHandleError_whenItIsNotServerError_shouldReturnStatusCodeAndHeaders
 
     XCTAssertEqualObjects(returnError.domain, MSIDHttpErrorCodeDomain);
     XCTAssertEqual(returnError.code, MSIDErrorServerUnhandledResponse);
+    NSError *underlyingError = returnError.userInfo[NSUnderlyingErrorKey];
+    XCTAssertEqual(underlyingError.code, MSIDErrorUnexpectedHttpResponse);
     XCTAssertEqualObjects(returnError.userInfo[MSIDHTTPHeadersKey], @{@"headerKey":@"headerValue"});
 
     XCTAssertNil(errorResponse);
@@ -275,6 +277,8 @@ - (void)testHandleError_whenItIsServerError_shouldReturnResponseCodeInError
 
     XCTAssertEqualObjects(returnError.domain, MSIDHttpErrorCodeDomain);
     XCTAssertEqual(returnError.code, MSIDErrorServerUnhandledResponse);
+    NSError *underlyingError = returnError.userInfo[NSUnderlyingErrorKey];
+    XCTAssertEqual(underlyingError.code, MSIDErrorUnexpectedHttpResponse);
     XCTAssertEqualObjects(returnError.userInfo[MSIDHTTPResponseCodeKey], @"404");
 }
 

IdentityCore/tests/MSIDMaskedUsernameLogParameterTests.m

@@ -88,4 +88,15 @@ - (void)testDescription_whenPIINotEnabled_andEmailParameterWithNoDomain_andSpace
     XCTAssertEqualObjects(description, @"auth.placeholder-9f86d081__ ");
 }
 
+- (void)testDescription_whenPIINotEnabled_andEmailParameterWithDomain_shouldReturnSameMaskedValueForDifferentCase
+{
+    [MSIDLogger sharedLogger].logMaskingLevel = MSIDLogMaskingSettingsMaskAllPII;
+    MSIDMaskedUsernameLogParameter *logParameter = [[MSIDMaskedUsernameLogParameter alloc] initWithParameterValue:@"[email protected]"];
+    MSIDMaskedUsernameLogParameter *logParameter1 = [[MSIDMaskedUsernameLogParameter alloc] initWithParameterValue:@"[email protected]"];
+    NSString *description = [logParameter description];
+    NSString *description1 = [logParameter1 description];
+    XCTAssertEqualObjects(description, @"auth.placeholder-16f78a7d__domain.com");
+    XCTAssertEqualObjects(description, description1);
+}
+
 @end

IdentityCore/tests/MSIDTokenResponseTests.m

@@ -333,7 +333,13 @@ - (void)testJsonDictionary_whenAllPropertiesSetForSuccessResponse_shouldReturnJs
     XCTAssertEqualObjects(json[@"client_app_version"], @"1.0");
     XCTAssertEqualObjects(json[@"expires_in"], @"300");
     XCTAssertEqualObjects(json[@"expires_on"], @"1575635662");
-    XCTAssertEqualObjects(json[@"id_token"], @"eyJhbGciOiJSUzI1NiIsImtpZCI6Il9raWRfdmFsdWUiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJpc3N1ZXIiLCJuYW1lIjoiVGVzdCBuYW1lIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidXNlckBjb250b3NvLmNvbSIsInN1YiI6InN1YiJ9.eyJhbGciOiJSUzI1NiIsImtpZCI6Il9raWRfdmFsdWUiLCJ0eXAiOiJKV1QifQ");
+    
+    NSArray *idTokenComponents = [json[@"id_token"] componentsSeparatedByString:@"."];
+    XCTAssertEqual(idTokenComponents.count, 3);
+    XCTAssertEqualObjects(idTokenComponents[0], @"eyJhbGciOiJSUzI1NiIsImtpZCI6Il9raWRfdmFsdWUiLCJ0eXAiOiJKV1QifQ");
+    XCTAssertEqualObjects(idTokenComponents[1], @"eyJpc3MiOiJpc3N1ZXIiLCJuYW1lIjoiVGVzdCBuYW1lIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidXNlckBjb250b3NvLmNvbSIsInN1YiI6InN1YiJ9");
+    XCTAssertEqualObjects(idTokenComponents[2], @"eyJhbGciOiJSUzI1NiIsImtpZCI6Il9raWRfdmFsdWUiLCJ0eXAiOiJKV1QifQ");
+
     XCTAssertEqualObjects(json[@"provider_type"], @"provider_aad_v2");
     XCTAssertEqualObjects(json[@"scope"], @"scope 1");
     XCTAssertEqualObjects(json[@"token_type"], @"Bearer");

IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h

@@ -33,6 +33,13 @@ typedef NS_ENUM(NSUInteger, MSIDAutomationWPJRegistrationAPIMode)
     MSIDAutomationWPJRegistrationAPIModeCompanyPortal = 2 //Company Portal
 };
 
+typedef NS_ENUM(NSInteger, MSIDAutomationWPJSSOExtensionSecureStorage)
+{
+    MSIDAutomationWPJSSOExtensionNoValueFound = 0,
+    MSIDAutomationWPJSSOExtensionValueNo = 1,
+    MSIDAutomationWPJSSOExtensionValueYes = 2
+};
+
 @interface MSIDAutomationTestRequest : NSObject <MSIDJsonSerializable>
 
 @property (nonatomic, strong) NSString *clientId;
@@ -79,12 +86,15 @@ typedef NS_ENUM(NSUInteger, MSIDAutomationWPJRegistrationAPIMode)
 @property (nonatomic) BOOL corruptSessionKey;
 @property (nonatomic) BOOL useSafariUserAgent;
 @property (nonatomic) BOOL disableCertBasedAuth;
+@property (nonatomic) BOOL isMSAAccount;
 
 @property (nonatomic) MSIDAutomationWPJRegistrationAPIMode registrationMode;
 @property (nonatomic) NSString *wpjRegistrationTenantId;
 @property (nonatomic) NSString *wpjRegistrationUpn;
 @property (nonatomic) BOOL operateOnPrimaryWPJ;
 @property (nonatomic) BOOL useMostSecureStorageForWpj;
+@property (nonatomic) BOOL isSecureEnclaveSupportedForWpj;
+@property (nonatomic) MSIDAutomationWPJSSOExtensionSecureStorage ssoExtensionSecureStorageEnabled;
 @property (nonatomic) BOOL shouldExpirePRT;
 @property (nonatomic) BOOL isSsoSeedingCompleted;
 @property (nonatomic) BOOL shouldOnlyDeleteSeedingPrt;

IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m

@@ -53,6 +53,7 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json
         _brokerEnabled = [json[@"brokerEnabled"] boolValue];
         _clientCapabilities = json[@"client_capabilities"];
         _refreshToken = json[@"refresh_token"];
+        _isMSAAccount = [json[@"isMSAAccount"] boolValue];
 
 #if TARGET_OS_IPHONE
         NSString *webviewTypeString = json[@"webviewtype"];
@@ -102,6 +103,8 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json
         _wpjRegistrationUpn = json[@"wpj_registration_upn"];
         _operateOnPrimaryWPJ = [json[@"wpj_operate_on_primary_reg"] boolValue];
         _useMostSecureStorageForWpj = [json[@"use_most_secure_storage"] boolValue];
+        _isSecureEnclaveSupportedForWpj = [json[@"wpj_secure_enclave_supported"] boolValue];
+        _ssoExtensionSecureStorageEnabled = (MSIDAutomationWPJSSOExtensionSecureStorage)[json[@"wpj_sso_extension_secure_storage_enabled"] integerValue];
         _shouldExpirePRT = [json[@"should_expire_prt"] boolValue];
         _isSsoSeedingCompleted = [json[@"is_sso_seeding_completed"] boolValue];
         _shouldOnlyDeleteSeedingPrt = [json[@"should_only_delete_seeding_prt"] boolValue];
@@ -136,6 +139,7 @@ - (NSDictionary *)jsonDictionary
     json[@"corrupt_session_key"] = @(_corruptSessionKey);
     json[@"use_safari_ua"] = @(_useSafariUserAgent);
     json[@"disable_cert_based_auth"] = @(_disableCertBasedAuth);
+    json[@"isMSAAccount"] = @(_isMSAAccount);
 
     NSString *webviewType = nil;
 
@@ -182,6 +186,8 @@ - (NSDictionary *)jsonDictionary
     json[@"wpj_registration_upn"] = _wpjRegistrationUpn;
     json[@"wpj_operate_on_primary_reg"] = @(_operateOnPrimaryWPJ);
     json[@"use_most_secure_storage"] = @(_useMostSecureStorageForWpj);
+    json[@"wpj_secure_enclave_supported"] = @(_isSecureEnclaveSupportedForWpj);
+    json[@"wpj_sso_extension_secure_storage_enabled"] = @(_ssoExtensionSecureStorageEnabled);
     json[@"should_expire_prt"] = @(_shouldExpirePRT);
     json[@"is_sso_seeding_completed"] = @(_isSsoSeedingCompleted);
     json[@"should_only_delete_seeding_prt"] = @(_shouldOnlyDeleteSeedingPrt);

IdentityCore/tests/automation/shared/MSIDAutomationUserInformation.h

@@ -39,6 +39,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic) NSString *homeObjectId;
 @property (nonatomic) NSString *homeTenantId;
 @property (nonatomic) NSString *environment;
+@property (nonatomic) NSString *oneAuthAccountId;
 
 @end
 

IdentityCore/tests/automation/shared/MSIDAutomationUserInformation.m

@@ -39,6 +39,7 @@ - (NSDictionary *)jsonDictionary
     json[@"home_tenant_id"] = self.homeTenantId;
     json[@"environment"] = self.environment;
     json[@"legacyAccountId"] = self.legacyAccountId;
+    json[@"oneAuthAccountId"] = self.oneAuthAccountId;
     return json;
 }
 
@@ -59,6 +60,7 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(__unused NSEr
         _homeTenantId = json[@"home_tenant_id"];
         _environment = json[@"environment"];
         _legacyAccountId = json[@"legacyAccountId"];
+        _oneAuthAccountId = json[@"oneAuthAccountId"];
     }
 
     return self;

IdentityCore/tests/automation/ui_app_lib/MSIDClearCookiesTestAction.m

@@ -72,6 +72,14 @@ - (void)performActionWithParameters:(__unused NSDictionary *)parameters
                                                modifiedSince:[NSDate dateWithTimeIntervalSince1970:0]
                                            completionHandler:^{}];
 
+    NSHTTPCookieStorage *separatedStorage = [NSHTTPCookieStorage sharedCookieStorageForGroupContainerIdentifier:@"group.com.microsoft.azureauthenticator.sso"];
+    
+    for (NSHTTPCookie *cookie in separatedStorage.cookies)
+    {
+        [separatedStorage deleteCookie:cookie];
+        count++;
+    }
+    
     MSIDAutomationTestResult *testResult = [[MSIDAutomationTestResult alloc] initWithAction:self.actionIdentifier
                                                                                     success:YES
                                                                              additionalInfo:@{@"cleared_items_count":@(count)}];