Skip to content
This repository has been archived by the owner on Sep 29, 2023. It is now read-only.

Add support for dSTS enpoints #164

Merged
merged 10 commits into from
Aug 30, 2018
Merged

Add support for dSTS enpoints #164

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
195ea7e
Whitelisting dsts endpoints.
jmstimso Jul 10, 2018
ee6c228
adding whitespace
jmstimso Jul 10, 2018
0f9a0b1
changing back WORLD_WIDE_AUTHORITY
jmstimso Jul 10, 2018
585421d
add whitelist function
jmstimso Jul 12, 2018
eac76af
Adding unit tests
jmstimso Jul 13, 2018
cb10f06
fixed whitespace
jmstimso Jul 16, 2018
7980428
fix syntax error
jmstimso Jul 16, 2018
b888c13
Fix whitespace
jmstimso Jul 16, 2018
3517a43
fix more spaces
jmstimso Jul 16, 2018
57cc36b
Respond to PR comments
jmstimso Aug 27, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 12 additions & 3 deletions adal/authority.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
#
# Copyright (c) Microsoft Corporation.
# All rights reserved.
Expand Down Expand Up @@ -61,6 +61,12 @@ def __init__(self, authority_url, validate_authority=True):
@property
def url(self):
return self._url.geturl()

def _whitelisted(self): # testing if self._url.hostname is a dsts whitelisted domain
for domain in AADConstants.WHITELISTED_DOMAINS:
if self._url.hostname.endswith(domain):
return True
return False

def _validate_authority_url(self):

Expand All @@ -71,7 +77,7 @@ def _validate_authority_url(self):
raise ValueError("The authority url must not have a query string.")

path_parts = [part for part in self._url.path.split('/') if part]
if len(path_parts) > 1:
if (len(path_parts) > 1) and (not self._whitelisted()): #if dsts host, path_parts will be 2
raise ValueError("The authority url must be of the format https://login.microsoftonline.com/your_tenant")
elif len(path_parts) == 1:
self._url = urlparse(self._url.geturl().rstrip('/'))
Expand All @@ -88,7 +94,10 @@ def _parse_authority(self):
def _perform_static_instance_discovery(self):

self._log.debug("Performing static instance discovery")


if self._whitelisted(): # testing if self._url.hostname is a dsts whitelisted domain
self._log.debug("Authority validated via static instance discovery")
return True
try:
AADConstants.WELL_KNOWN_AUTHORITY_HOSTS.index(self._url.hostname)
except ValueError:
Expand Down
11 changes: 10 additions & 1 deletion adal/constants.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
#
# Copyright (c) Microsoft Corporation.
# All rights reserved.
Expand Down Expand Up @@ -215,6 +215,15 @@ class AADConstants(object):
'login.microsoftonline.us',
'login.microsoftonline.de',
]
WHITELISTED_DOMAINS = [
# Define dSTS domains whitelist based on its Supported Environments & National Clouds list here
# https://microsoft.sharepoint.com/teams/AzureSecurityCompliance/Security/SitePages/dSTS%20Fundamentals.aspx
'dsts.core.windows.net',
'dsts.core.chinacloudapi.cn',
'dsts.core.cloudapi.de',
'dsts.core.usgovcloudapi.net',
'dsts.core.azure-test.net',
]
INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE = 'https://{authorize_host}/common/discovery/instance?authorization_endpoint={authorize_endpoint}&api-version=1.0' # pylint: disable=invalid-name
AUTHORIZE_ENDPOINT_PATH = '/oauth2/authorize'
TOKEN_ENDPOINT_PATH = '/oauth2/token'
Expand Down
15 changes: 14 additions & 1 deletion tests/test_authority.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
#
# Copyright (c) Microsoft Corporation.
# All rights reserved.
Expand Down Expand Up @@ -60,6 +60,7 @@ class TestAuthority(unittest.TestCase):
# discovery.
nonHardCodedAuthority = 'https://login.doesntexist.com/' + cp['tenant']
nonHardCodedAuthorizeEndpoint = nonHardCodedAuthority + '/oauth2/authorize'
dstsTestEndpoint = 'https://test-dsts.core.azure-test.net/dstsv2/common'


def setUp(self):
Expand Down Expand Up @@ -125,6 +126,11 @@ def test_success_static_instance_discovery(self):
self.performStaticInstanceDiscovery('login.windows.net')
self.performStaticInstanceDiscovery('login.chinacloudapi.cn')
self.performStaticInstanceDiscovery('login-us.microsoftonline.com')
self.performStaticInstanceDiscovery('test-dsts.dsts.core.windows.net')
self.performStaticInstanceDiscovery('test-dsts.dsts.core.chinacloudapi.cn')
self.performStaticInstanceDiscovery('test-dsts.dsts.core.cloudapi.de')
self.performStaticInstanceDiscovery('test-dsts.dsts.core.usgovcloudapi.net')
self.performStaticInstanceDiscovery('test-dsts.core.azure-test.net')


@httpretty.activate
Expand Down Expand Up @@ -186,6 +192,13 @@ def test_url_extra_path_elements(self):
"https://login.microsoftonline.com/your_tenant"):
context = AuthenticationContext(self.nonHardCodedAuthority + '/extra/path')

@httpretty.activate
def test_dsts_authority(self):
try:
context = AuthenticationContext(self.dstsTestEndpoint)
except:
self.fail("AuthenticationContext() rased an exception on dstsTestEndpoint")

@httpretty.activate
def test_url_extra_slashes(self):
util.setup_expected_instance_discovery_request(200,
Expand Down