diff --git a/libraries/bot-builder/src/main/java/com/microsoft/bot/builder/BotFrameworkAdapter.java b/libraries/bot-builder/src/main/java/com/microsoft/bot/builder/BotFrameworkAdapter.java
index 1d079fea5..6e1fa16d4 100644
--- a/libraries/bot-builder/src/main/java/com/microsoft/bot/builder/BotFrameworkAdapter.java
+++ b/libraries/bot-builder/src/main/java/com/microsoft/bot/builder/BotFrameworkAdapter.java
@@ -379,21 +379,11 @@ public CompletableFuture continueConversation(
 context.getTurnState().add(BOT_IDENTITY_KEY, claimsIdentity);
 context.getTurnState().add(OAUTH_SCOPE_KEY, audience);
- String appIdFromClaims = JwtTokenValidation.getAppIdFromClaims(claimsIdentity.claims());
- return credentialProvider.isValidAppId(appIdFromClaims).thenCompose(isValidAppId -> {
- // If we receive a valid app id in the incoming token claims, add the
- // channel service URL to the trusted services list so we can send messages
- // back.
- if (!StringUtils.isEmpty(appIdFromClaims) && isValidAppId) {
- AppCredentials.trustServiceUrl(reference.getServiceUrl());
- }
-
- return createConnectorClient(reference.getServiceUrl(), claimsIdentity, audience)
- .thenCompose(connectorClient -> {
- context.getTurnState().add(CONNECTOR_CLIENT_KEY, connectorClient);
- return runPipeline(context, callback);
- });
- });
+ return createConnectorClient(reference.getServiceUrl(), claimsIdentity, audience)
+ .thenCompose(connectorClient -> {
+ context.getTurnState().add(CONNECTOR_CLIENT_KEY, connectorClient);
+ return runPipeline(context, callback);
+ });
 } catch (Exception e) {
 pipelineResult.completeExceptionally(e);
 }
diff --git a/libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/AppCredentials.java b/libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/AppCredentials.java
index 497d94125..5be313ce4 100644
--- a/libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/AppCredentials.java
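Review bot: With the `isValidAppId` gate gone, `createConnectorClient(reference.getServiceUrl(), claimsIdentity, audience)` is now reached unconditionally, so the adapter's credentials will be presented to whatever host the caller-supplied ConversationReference names, and nothing left in this hunk inspects that URL. That is only acceptable if every caller of continueConversation passes a reference captured from an authenticated activity, and the code should say so at the call: `// No trusted-URL gate remains here: the bot's token goes to reference.getServiceUrl(), so callers must only pass references captured from authenticated activities.` The body of continueConversation starts before this hunk, so check there whether `JwtTokenValidation`, `StringUtils` and `AppCredentials` are still referenced; if not, their imports in BotFrameworkAdapter are now dead.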
+++ b/libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/AppCredentials.java
@@ -7,14 +7,10 @@ import com.microsoft.bot.restclient.credentials.ServiceClientCredentials;
 import okhttp3.OkHttpClient;
 import org.apache.commons.lang3.StringUtils;
-import org.slf4j.LoggerFactory;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.time.LocalDateTime;
 import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.ConcurrentMap;
 /**
 * Base abstraction for AAD credentials for auth and caching.
@@ -24,16 +20,6 @@ *

 */
 public abstract class AppCredentials implements ServiceClientCredentials {
- private static final int EXPIRATION_SLACK = 5;
- private static final int EXPIRATION_DAYS = 1;
- private static ConcurrentMap trustHostNames = new ConcurrentHashMap<>();
-
- static {
- trustHostNames.put("api.botframework.com", LocalDateTime.MAX);
- trustHostNames.put("token.botframework.com", LocalDateTime.MAX);
- trustHostNames.put("api.botframework.azure.us", LocalDateTime.MAX);
- trustHostNames.put("token.botframework.azure.us", LocalDateTime.MAX);
- }
 private String appId;
 private String authTenant;
@@ -62,73 +48,6 @@ public AppCredentials(String withChannelAuthTenant, String withOAuthScope) {
 : withOAuthScope;
 }
-
- /**
- * Adds the host of service url to trusted hosts.
- *
- * @param serviceUrl The service URI.
- */
- public static void trustServiceUrl(String serviceUrl) {
- trustServiceUrl(serviceUrl, LocalDateTime.now().plusDays(EXPIRATION_DAYS));
- }
-
- /**
- * Adds the host of service url to trusted hosts with the specified expiration.
- *
- *

- * Note: The will fail to add if the url is not valid. - *

- *
- * @param serviceUrl The service URI.
- * @param expirationTime The expiration time after which this service url is not
- * trusted anymore.
- */
- public static void trustServiceUrl(String serviceUrl, LocalDateTime expirationTime) {
- try {
- URL url = new URL(serviceUrl);
- trustServiceUrl(url, expirationTime);
- } catch (MalformedURLException e) {
- LoggerFactory.getLogger(MicrosoftAppCredentials.class).error("trustServiceUrl", e);
- }
- }
-
- /**
- * Adds the host of service url to trusted hosts with the specified expiration.
- *
- * @param serviceUrl The service URI.
- * @param expirationTime The expiration time after which this service url is not
- * trusted anymore.
- */
- public static void trustServiceUrl(URL serviceUrl, LocalDateTime expirationTime) {
- trustHostNames.put(serviceUrl.getHost(), expirationTime);
- }
-
- /**
- * Checks if the service url is for a trusted host or not.
- *
- * @param serviceUrl The service URI.
- * @return true if the service is trusted.
- */
- public static boolean isTrustedServiceUrl(String serviceUrl) {
- try {
- URL url = new URL(serviceUrl);
- return isTrustedServiceUrl(url);
- } catch (MalformedURLException e) {
- LoggerFactory.getLogger(AppCredentials.class).error("trustServiceUrl", e);
- return false;
- }
- }
-
- /**
- * Checks if the service url is for a trusted host or not.
- *
- * @param serviceUrl The service URI.
- * @return true if the service is trusted.
- */
- public static boolean isTrustedServiceUrl(URL serviceUrl) {
- return !trustHostNames.getOrDefault(serviceUrl.getHost(), LocalDateTime.MIN)
- .isBefore(LocalDateTime.now().minusMinutes(EXPIRATION_SLACK));
- }
-
 /**
 * Gets the App ID for this credential.
 *
@@ -245,7 +164,7 @@ boolean shouldSetToken(String url) {
 if (StringUtils.isBlank(getAppId()) || getAppId().equals(AuthenticationConstants.ANONYMOUS_SKILL_APPID)) {
 return false;
 }
- return isTrustedServiceUrl(url);
+ return true;
 }
 // lazy Authenticator create.
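Review bot: `return true;` in shouldSetToken removes the only outbound check on where the AAD bearer token is attached and leaves the `url` parameter unused, so, assuming `url` is the outbound request URL, the credential will now be sent to any host the connector is pointed at, including plain `http://` ones. The design presumably relies on the inbound token's serviceUrl having been validated upstream in JwtTokenValidation, which is not visible here; I would state that dependency in the method's Javadoc (outside this hunk) and keep a minimal cleartext guard so a misconfigured or attacker-influenced serviceUrl cannot pull the token over unencrypted HTTP. The file still imports `java.net.URL` and `MalformedURLException`, so the guard below adds no dependencies; the loopback carve-out exists only for a local emulator and should be dropped if you never need cleartext.
```java
boolean shouldSetToken(String url) {
    // … unchanged: blank / anonymous-skill appId check returning false …
    // Trust of the serviceUrl is established by JwtTokenValidation on the inbound
    // token; here we only refuse to leak the bearer token over cleartext to a
    // non-loopback host (a local emulator runs over http://localhost).
    if (url != null && url.regionMatches(true, 0, "http://", 0, 7)) {
        try {
            String host = new URL(url).getHost();
            return "localhost".equalsIgnoreCase(host) || host.startsWith("127.") || "[::1]".equals(host);
        } catch (MalformedURLException e) {
            return false;
        }
    }
    return true;
}
```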
diff --git a/libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/JwtTokenValidation.java b/libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/JwtTokenValidation.java
index 286eab799..34a77a78f 100644
--- a/libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/JwtTokenValidation.java
+++ b/libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/JwtTokenValidation.java
@@ -98,13 +98,7 @@ public static CompletableFuture authenticateRequest(
 return JwtTokenValidation.validateAuthHeader(
 authHeader, credentials, channelProvider, activity.getChannelId(), activity.getServiceUrl(), authConfig
- )
-
- .thenApply(identity -> {
- // On the standard Auth path, we need to trust the URL that was incoming.
- MicrosoftAppCredentials.trustServiceUrl(activity.getServiceUrl());
- return identity;
- });
+ );
 }
 /**
diff --git a/libraries/bot-connector/src/test/java/com/microsoft/bot/connector/JwtTokenValidationTests.java b/libraries/bot-connector/src/test/java/com/microsoft/bot/connector/JwtTokenValidationTests.java
index 7b307e5eb..b4bbb8b70 100644
--- a/libraries/bot-connector/src/test/java/com/microsoft/bot/connector/JwtTokenValidationTests.java
+++ b/libraries/bot-connector/src/test/java/com/microsoft/bot/connector/JwtTokenValidationTests.java
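Review bot: authenticateRequest is now a bare pass-through to validateAuthHeader, so any sentence in its Javadoc (the method starts before this hunk) saying the incoming serviceUrl is recorded as trusted is stale and should be replaced, e.g. `Validates the auth header. The activity's serviceUrl is not recorded anywhere; any comparison of it against the token happens inside validateAuthHeader.` I cannot see validateAuthHeader from here, so please confirm it does compare `activity.getServiceUrl()` with the token's serviceurl claim for channel tokens, because after this commit that comparison is the only thing between a forged serviceUrl and the connector client sending the bot's token to it. If `MicrosoftAppCredentials` is no longer referenced elsewhere in this file, its import is now dead.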
@@ -155,24 +155,6 @@ public void Emulator_AuthHeader_CorrectAppIdAndServiceUrl_WithPrivateChannelServ
 "TheChannel");
 }
-
- /**
- * Tests with a valid Token and service url; and ensures that Service url is added to Trusted service url list.
- */
- @Test
- public void ChannelMsaHeaderValidServiceUrlShouldBeTrusted() throws IOException, ExecutionException, InterruptedException {
- String header = getHeaderToken();
- CredentialProvider credentials = new SimpleCredentialProvider(APPID, "");
- Activity activity = new Activity(ActivityTypes.MESSAGE);
- activity.setServiceUrl("https://smba.trafficmanager.net/amer-client-ss.msg/");
- JwtTokenValidation.authenticateRequest(
- activity,
- header,
- credentials,
- new SimpleChannelProvider()).join();
-
- Assert.assertTrue(MicrosoftAppCredentials.isTrustedServiceUrl("https://smba.trafficmanager.net/amer-client-ss.msg/"));
- }
-
 /**
 * Tests with a valid Token and invalid service url; and ensures that Service url is NOT added to Trusted service url list.
 */
@@ -192,7 +174,6 @@ public void ChannelMsaHeaderInvalidServiceUrlShouldNotBeTrusted() throws IOExcep
 Assert.fail("Should have thrown AuthenticationException");
 } catch (CompletionException e) {
 Assert.assertTrue(e.getCause() instanceof AuthenticationException);
- Assert.assertFalse(MicrosoftAppCredentials.isTrustedServiceUrl("https://webchat.botframework.com/"));
 }
 }
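Review bot: The surviving test `ChannelMsaHeaderInvalidServiceUrlShouldNotBeTrusted` keeps a name and Javadoc describing a trusted service url list that this commit deletes, while its only remaining check is that an AuthenticationException is thrown. Rename it to something like `ChannelMsaHeaderInvalidServiceUrlShouldThrow` and replace the Javadoc with `Tests with a valid Token and an invalid service url; and ensures that authentication fails with AuthenticationException.` The test method starts outside this hunk.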
@@ -255,26 +236,6 @@ public void ChannelNoHeaderAuthenticationEnabledShouldThrow() throws IOException
 } catch (CompletionException e) {
 Assert.assertTrue(e.getCause() instanceof AuthenticationException);
 }
-
- Assert.assertFalse(MicrosoftAppCredentials.isTrustedServiceUrl("https://smba.trafficmanager.net/amer-client-ss.msg/"));
- }
-
- /**
- * Tests with no authentication header and makes sure the service URL is not added to the trusted list.
- */
- @Test
- public void ChannelAuthenticationDisabledServiceUrlShouldNotBeTrusted() throws ExecutionException, InterruptedException {
- String header = "";
- CredentialProvider credentials = new SimpleCredentialProvider("", "");
-
- Activity activity = new Activity(ActivityTypes.MESSAGE);
- activity.setServiceUrl("https://webchat.botframework.com/");
- ClaimsIdentity identity = JwtTokenValidation.authenticateRequest(
- activity,
- header,
- credentials,
- new SimpleChannelProvider()).join();
- Assert.assertFalse(MicrosoftAppCredentials.isTrustedServiceUrl("https://webchat.botframework.com/"));
 }
 @Test
diff --git a/libraries/bot-connector/src/test/java/com/microsoft/bot/connector/MicrosoftAppCredentialsTests.java b/libraries/bot-connector/src/test/java/com/microsoft/bot/connector/MicrosoftAppCredentialsTests.java
index eb466f119..c5cc21b6b 100644
--- a/libraries/bot-connector/src/test/java/com/microsoft/bot/connector/MicrosoftAppCredentialsTests.java
+++ b/libraries/bot-connector/src/test/java/com/microsoft/bot/connector/MicrosoftAppCredentialsTests.java
@@ -14,27 +14,6 @@ import java.time.LocalDateTime;
 public class MicrosoftAppCredentialsTests {
- @Test
- public void ValidUrlTrusted() {
- MicrosoftAppCredentials.trustServiceUrl("https://goodurl.com");
- Assert.assertTrue(MicrosoftAppCredentials.isTrustedServiceUrl("https://goodurl.com"));
- }
-
- @Test
- public void InvalidUrlTrusted() {
- MicrosoftAppCredentials.trustServiceUrl("badurl");
- Assert.assertFalse(MicrosoftAppCredentials.isTrustedServiceUrl("badurl"));
- }
-
- @Test
- public void TrustedUrlExpiration() throws InterruptedException {
- // There is a +5 minute window for an expired url
- MicrosoftAppCredentials.trustServiceUrl("https://goodurl.com", LocalDateTime.now().minusMinutes(6));
- Assert.assertFalse(MicrosoftAppCredentials.isTrustedServiceUrl("https://goodurl.com"));
-
- MicrosoftAppCredentials.trustServiceUrl("https://goodurl.com", LocalDateTime.now().minusMinutes(4));
- Assert.assertTrue(MicrosoftAppCredentials.isTrustedServiceUrl("https://goodurl.com"));
- }
 @Test
 public void ValidateAuthEndpoint() {