Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reduce string allocations by comparing issuers in-place #2597

Merged
merged 16 commits into from
Jun 5, 2024
Merged

Reduce string allocations by comparing issuers in-place #2597

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
294b614
compare issuers without string allocations
kellyyangsong May 14, 2024
dc24e70
add changelog details for this bug
kellyyangsong May 14, 2024
ee637d4
comment update
kellyyangsong May 16, 2024
e5ff68a
use spans
kellyyangsong May 29, 2024
bd9bf1a
Merge branch 'dev' into kellysong/string-replace
kellyyangsong May 29, 2024
61fe257
fix concat error
kellyyangsong May 29, 2024
a47bc59
Merge branch 'kellysong/string-replace' of https://github.com/AzureAD…
kellyyangsong May 29, 2024
d91c75f
change request
kellyyangsong May 30, 2024
a585032
Delay creation of issuer until necessary + remove unecessary indexOf …
kellyyangsong May 30, 2024
c04a235
Add unit tests for new methods
kellyyangsong Jun 4, 2024
52da7cd
Forgot to push - update internal method
kellyyangsong Jun 4, 2024
27d0708
Change requests
kellyyangsong Jun 4, 2024
825d528
Delay calling indexOf
kellyyangsong Jun 4, 2024
b84ad93
change requests
kellyyangsong Jun 5, 2024
cd85053
Merge branch 'dev' of https://github.com/AzureAD/azure-activedirector…
kellyyangsong Jun 5, 2024
747dd39
Add additional test case for IsValidIssuer
kellyyangsong Jun 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 49 additions & 2 deletions src/Microsoft.IdentityModel.Validators/AadIssuerValidator/AadIssuerValidator.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,6 @@
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using static Microsoft.IdentityModel.Validators.AadIssuerValidator;

namespace Microsoft.IdentityModel.Validators
{
Expand Down Expand Up @@ -281,7 +280,7 @@
}

// If a valid issuer is not found, throw
throw LogHelper.LogExceptionMessage(

Check failure on line 283 in src/Microsoft.IdentityModel.Validators/AadIssuerValidator/AadIssuerValidator.cs

View workflow job for this annotation

GitHub Actions / Wilson GitHub Action Test 

Microsoft.IdentityModel.Validators.AadIssuerValidator.ValidateAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters) Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException : IDX40001: Issuer: 'https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/v1.1', does not match any of the valid issuers provided for this application.

Check failure on line 283 in src/Microsoft.IdentityModel.Validators/AadIssuerValidator/AadIssuerValidator.cs

View workflow job for this annotation

GitHub Actions / Wilson GitHub Action Test 

Microsoft.IdentityModel.Validators.AadIssuerValidator.ValidateAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters) Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException : IDX40001: Issuer: 'https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/v2.0', does not match any of the valid issuers provided for this application.

Check failure on line 283 in src/Microsoft.IdentityModel.Validators/AadIssuerValidator/AadIssuerValidator.cs

View workflow job for this annotation

GitHub Actions / Wilson GitHub Action Test 

Microsoft.IdentityModel.Validators.AadIssuerValidator.ValidateAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters) Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException : IDX40001: Issuer: 'https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/v2.0', does not match any of the valid issuers provided for this application.

Check failure on line 283 in src/Microsoft.IdentityModel.Validators/AadIssuerValidator/AadIssuerValidator.cs

View workflow job for this annotation

GitHub Actions / Wilson GitHub Action Test 

Microsoft.IdentityModel.Validators.AadIssuerValidator.ValidateAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters) Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException : IDX40001: Issuer: 'https://sts.windows.net/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/', does not match any of the valid issuers provided for this application.

Check failure on line 283 in src/Microsoft.IdentityModel.Validators/AadIssuerValidator/AadIssuerValidator.cs

View workflow job for this annotation

GitHub Actions / Wilson GitHub Action Test 

Microsoft.IdentityModel.Validators.AadIssuerValidator.ValidateAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters) Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException : IDX40001: Issuer: 'https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/v1.1', does not match any of the valid issuers provided for this application.

Check failure on line 283 in src/Microsoft.IdentityModel.Validators/AadIssuerValidator/AadIssuerValidator.cs

View workflow job for this annotation

GitHub Actions / Wilson GitHub Action Test 

Microsoft.IdentityModel.Validators.AadIssuerValidator.ValidateAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters) Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException : IDX40001: Issuer: 'https://sts.windows.net/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/', does not match any of the valid issuers provided for this application.

Check failure on line 283 in src/Microsoft.IdentityModel.Validators/AadIssuerValidator/AadIssuerValidator.cs

View workflow job for this annotation

GitHub Actions / Wilson GitHub Action Test 

Microsoft.IdentityModel.Validators.AadIssuerValidator.ValidateAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters) Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException : IDX40001: Issuer: 'https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/v2.0', does not match any of the valid issuers provided for this application.

Check failure on line 283 in src/Microsoft.IdentityModel.Validators/AadIssuerValidator/AadIssuerValidator.cs

View workflow job for this annotation

GitHub Actions / Wilson GitHub Action Test 

Microsoft.IdentityModel.Validators.AadIssuerValidator.ValidateAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters) Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException : IDX40001: Issuer: 'https://sts.windows.net/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/', does not match any of the valid issuers provided for this application.
new SecurityTokenInvalidIssuerException(
LogHelper.FormatInvariant(
LogMessages.IDX40001,
Expand Down Expand Up @@ -390,14 +389,62 @@

if (validIssuerTemplate.Contains(TenantIdTemplate))
{
return validIssuerTemplate.Replace(TenantIdTemplate, tenantId) == actualIssuer;
return IssuersWithTemplatesAreEqual(validIssuerTemplate, TenantIdTemplate, actualIssuer, tenantId);
kellyyangsong marked this conversation as resolved.
Show resolved Hide resolved
}
else
{
kellyyangsong marked this conversation as resolved.
Show resolved Hide resolved
kellyyangsong marked this conversation as resolved.
Show resolved Hide resolved
return validIssuerTemplate == actualIssuer;
}
}
kellyyangsong marked this conversation as resolved.
Show resolved Hide resolved

/// <summary>
kellyyangsong marked this conversation as resolved.
Show resolved Hide resolved
/// Compare two Issuers with templates without string allocations.
/// </summary>
internal static bool IssuersWithTemplatesAreEqual(string issuer1, string issuer1Template, string issuer2, string issuer2Template)
{
int firstHalfIssuer1EndIndex = issuer1.IndexOf(issuer1Template, StringComparison.Ordinal);
int firstHalfIssuer2EndIndex = issuer2.IndexOf(issuer2Template, StringComparison.Ordinal);

// ensure indices exist for both issuers
if (firstHalfIssuer1EndIndex == -1 || firstHalfIssuer2EndIndex == -1)
return false;

// if the indices aren't equal, then the issuers aren't equal
if (firstHalfIssuer1EndIndex != firstHalfIssuer2EndIndex)
kellyyangsong marked this conversation as resolved.
Show resolved Hide resolved
return false;

// ensure the first part of the issuer1 matches the first part of issuer2
if (!StringSegmentsAreEqual(issuer1, 0, firstHalfIssuer1EndIndex, issuer2, 0, firstHalfIssuer2EndIndex))
kellyyangsong marked this conversation as resolved.
Show resolved Hide resolved
return false;

int secondHalfIssuer1StartIndex = firstHalfIssuer1EndIndex + issuer1Template.Length;
int secondHalfIssuer2StartIndex = firstHalfIssuer2EndIndex + issuer2Template.Length;

// if the indices aren't equal, then the issuers aren't equal
if (secondHalfIssuer1StartIndex != secondHalfIssuer2StartIndex)
return false;

// ensure the second halves are equal
if (!StringSegmentsAreEqual(issuer1, secondHalfIssuer1StartIndex, issuer1.Length, issuer2, secondHalfIssuer2StartIndex, issuer2.Length))
return false;

return true;
}

/// <summary>
/// Compare two string segments for equality without string allocations.
/// </summary>
private static bool StringSegmentsAreEqual(string str1, int str1Start, int str1End, string str2, int str2Start, int str2End)
kellyyangsong marked this conversation as resolved.
Show resolved Hide resolved
{
for (int i = str1Start, j = str2Start; i < str1End && j < str2End; i++, j++)
{
if (str1[i] != str2[j])
return false;
}

return true;
}

private void SetEffectiveLKGIssuer(string aadIssuer, ProtocolVersion protocolVersion, TimeSpan lastKnownGoodLifetime)
{
var issuerLKG = new IssuerLastKnownGood
Expand Down
11 changes: 3 additions & 8 deletions src/Microsoft.IdentityModel.Validators/AadTokenValidationParametersExtension.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,25 +77,20 @@ internal static bool ValidateIssuerSigningKey(SecurityKey securityKey, SecurityT
if (!string.IsNullOrEmpty(tokenIssuer) && !tokenIssuer.Contains(tenantIdFromToken, StringComparison.Ordinal))
throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidIssuerException(LogHelper.FormatInvariant(LogMessages.IDX40004, LogHelper.MarkAsNonPII(tokenIssuer), LogHelper.MarkAsNonPII(tenantIdFromToken))));

// creating an effectiveSigningKeyIssuer is required as signingKeyIssuer might contain {tenantid}
var effectiveSigningKeyIssuer = signingKeyIssuer.Replace(AadIssuerValidator.TenantIdTemplate, tenantIdFromToken, StringComparison.Ordinal);
var v2TokenIssuer = openIdConnectConfiguration.Issuer?.Replace(AadIssuerValidator.TenantIdTemplate, tenantIdFromToken, StringComparison.Ordinal);
#else
if (!string.IsNullOrEmpty(tokenIssuer) && !tokenIssuer.Contains(tenantIdFromToken))
throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidIssuerException(LogHelper.FormatInvariant(LogMessages.IDX40004, LogHelper.MarkAsNonPII(tokenIssuer), LogHelper.MarkAsNonPII(tenantIdFromToken))));

// creating an effectiveSigningKeyIssuer is required as signingKeyIssuer might contain {tenantid}
var effectiveSigningKeyIssuer = signingKeyIssuer.Replace(AadIssuerValidator.TenantIdTemplate, tenantIdFromToken);
var v2TokenIssuer = openIdConnectConfiguration.Issuer?.Replace(AadIssuerValidator.TenantIdTemplate, tenantIdFromToken);
#endif

// comparing effectiveSigningKeyIssuer with v2TokenIssuer is required as well because of the following scenario:
// 1. service trusts /common/v2.0 endpoint
// 2. service receieves a v1 token that has issuer like sts.windows.net
// 3. signing key issuers will never match sts.windows.net as v1 endpoint doesn't have issuers attached to keys
// v2TokenIssuer is the representation of Token.Issuer (if it was a v2 issuer)
if (effectiveSigningKeyIssuer != tokenIssuer && effectiveSigningKeyIssuer != v2TokenIssuer)
throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidIssuerException(LogHelper.FormatInvariant(LogMessages.IDX40005, LogHelper.MarkAsNonPII(tokenIssuer), LogHelper.MarkAsNonPII(effectiveSigningKeyIssuer))));
if (!AadIssuerValidator.IssuersWithTemplatesAreEqual(signingKeyIssuer, tenantIdFromToken, tokenIssuer, tenantIdFromToken)
&& !AadIssuerValidator.IssuersWithTemplatesAreEqual(signingKeyIssuer, tenantIdFromToken, openIdConnectConfiguration.Issuer ?? string.Empty, tenantIdFromToken))
throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidIssuerException(LogHelper.FormatInvariant(LogMessages.IDX40005, LogHelper.MarkAsNonPII(tokenIssuer), LogHelper.MarkAsNonPII(openIdConnectConfiguration.Issuer))));
kellyyangsong marked this conversation as resolved.
Show resolved Hide resolved
}

return true;
Expand Down
Loading