add flight to check state validation

Author: p3dr0rv

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/switchbrowser/SwitchBrowserProtocolCoordinator.kt

@@ -37,7 +37,6 @@ import com.microsoft.identity.common.java.opentelemetry.AttributeName
 import com.microsoft.identity.common.java.opentelemetry.OTelUtility
 import com.microsoft.identity.common.java.opentelemetry.SpanExtension
 import com.microsoft.identity.common.java.opentelemetry.SpanName
-import com.microsoft.identity.common.java.providers.oauth2.AuthorizationRequest
 import com.microsoft.identity.common.java.ui.AuthorizationAgent
 import com.microsoft.identity.common.logging.Logger
 import io.opentelemetry.api.trace.Span
@@ -121,12 +120,11 @@ class SwitchBrowserProtocolCoordinator(
             val actionUri = extras.getString(SWITCH_BROWSER.ACTION_URI)
             val code = extras.getString(SWITCH_BROWSER.CODE)
             val state = extras.getString(SWITCH_BROWSER.STATE)
-            if (actionUri.isNullOrEmpty() || code.isNullOrEmpty() || state.isNullOrEmpty()) {
+            if (actionUri.isNullOrEmpty() || code.isNullOrEmpty()) {
                 val clientException = ClientException(
                     ClientException.MISSING_PARAMETER,
                     "Action URI is null/empty: ${actionUri.isNullOrEmpty()}," +
-                            " code is null/empty: ${code.isNullOrEmpty()}," +
-                            " state is null/empty: ${state.isNullOrEmpty()}"
+                            " code is null/empty: ${code.isNullOrEmpty()}."
                 )
                 span.setStatus(StatusCode.ERROR)
                 span.recordException(clientException)

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/switchbrowser/SwitchBrowserUriHelper.kt

@@ -25,6 +25,8 @@ package com.microsoft.identity.common.internal.ui.webview.switchbrowser
 import android.net.Uri
 import com.microsoft.identity.common.adal.internal.AuthenticationConstants.SWITCH_BROWSER
 import com.microsoft.identity.common.java.exception.ClientException
+import com.microsoft.identity.common.java.flighting.CommonFlight
+import com.microsoft.identity.common.java.flighting.CommonFlightsManager
 import com.microsoft.identity.common.java.opentelemetry.SpanExtension
 import com.microsoft.identity.common.logging.Logger
 import io.opentelemetry.api.trace.StatusCode
@@ -36,6 +38,13 @@ object SwitchBrowserUriHelper {
 
     private const val TAG = "SwitchBrowserUriHelper"
 
+    internal val STATE_VALIDATION_REQUIRED: Boolean by lazy {
+        CommonFlightsManager
+            .getFlightsProvider()
+            .isFlightEnabled(CommonFlight.SWITCH_BROWSER_PROTOCOL_REQUIRES_STATE)
+    }
+
+
     /**
      * Build the process uri for the switch browser challenge.
      *
@@ -70,20 +79,24 @@ object SwitchBrowserUriHelper {
             Logger.error(methodTag, errorMessage, exception)
             throw exception
         }
-        val state = uri.getQueryParameter(
-            SWITCH_BROWSER.STATE
-        )
-        if (state.isNullOrEmpty()) {
-            // This should never happen, but if it does, we should log it and throw.
-            val errorMessage = "switch browser action state is null or empty"
-            val exception = ClientException(ClientException.MALFORMED_URL, errorMessage)
-            Logger.error(methodTag, errorMessage, exception)
-            throw exception
-        }
+
         // Query parameters for the process uri.
         val queryParams = hashMapOf<String, String>()
         queryParams[SWITCH_BROWSER.CODE] = code
-        queryParams[SWITCH_BROWSER.STATE] = state
+        if (STATE_VALIDATION_REQUIRED) {
+            val state = uri.getQueryParameter(
+                SWITCH_BROWSER.STATE
+            )
+            if (state.isNullOrEmpty()) {
+                // This should never happen, but if it does, we should log it and throw.
+                val errorMessage = "switch browser action state is null or empty"
+                val exception = ClientException(ClientException.MALFORMED_URL, errorMessage)
+                Logger.error(methodTag, errorMessage, exception)
+                throw exception
+            } else {
+                queryParams[SWITCH_BROWSER.STATE] = state
+            }
+        }
         // Construct the uri to the process endpoint.
         return buildSwitchBrowserUri(actionUri, queryParams)
     }
@@ -97,9 +110,21 @@ object SwitchBrowserUriHelper {
      * @return The resume uri constructed from the bundle.
      * e.g. actionUri
      */
-    fun buildResumeUri(actionUri: String, state: String): Uri {
+    fun buildResumeUri(actionUri: String, state: String?): Uri {
+        val methodTag = "$TAG:buildResumeUri"
         // Construct the uri to the resume endpoint.
-        val queryParams = hashMapOf(SWITCH_BROWSER.STATE to state)
+        val queryParams = hashMapOf<String, String>()
+        if (STATE_VALIDATION_REQUIRED) {
+            if (state.isNullOrEmpty()) {
+                // This should never happen, but if it does, we should log it and throw.
+                val errorMessage = "State is null or empty"
+                val exception = ClientException(ClientException.MISSING_PARAMETER, errorMessage)
+                Logger.error(methodTag, errorMessage, exception)
+                throw exception
+            } else {
+                queryParams[SWITCH_BROWSER.STATE] = state
+            }
+        }
         return buildSwitchBrowserUri(actionUri, queryParams)
     }
 
@@ -126,10 +151,15 @@ object SwitchBrowserUriHelper {
      * Check if state in the auth request matches the state provided.
      */
     fun statesMatch(authorizationUrl: String, state: String?) {
+        val methodTag = "$TAG:statesMatch"
+        if (!STATE_VALIDATION_REQUIRED) {
+            Logger.info(methodTag, "State validation is not required.")
+            return
+        }
         val span = SpanExtension.current()
         // Validate the state from auth request and redirect URL is the same
         if (state.isNullOrEmpty()) {
-             val clientException = ClientException(
+            val clientException = ClientException(
                 ClientException.STATE_MISMATCH,
                 "State is null."
             )
@@ -139,6 +169,16 @@ object SwitchBrowserUriHelper {
             throw clientException
         }
         val authRequestState = Uri.parse(authorizationUrl).getQueryParameter(SWITCH_BROWSER.STATE)
+        if (authRequestState.isNullOrEmpty()) {
+            val clientException = ClientException(
+                ClientException.STATE_MISMATCH,
+                "Authorization request state is null."
+            )
+            span.setStatus(StatusCode.ERROR)
+            span.recordException(clientException)
+            span.end()
+            throw clientException
+        }
         if (state != authRequestState) {
             val clientException = ClientException(
                 ClientException.STATE_MISMATCH,
@@ -149,6 +189,7 @@ object SwitchBrowserUriHelper {
             span.end()
             throw clientException
         }
+        Logger.info(methodTag, "States match.")
     }
 
     /**

common/src/test/java/com/microsoft/identity/common/internal/ui/webview/challengehandlers/SwitchBrowserRequestHandlerTest.kt

@@ -27,9 +27,12 @@ import android.content.Context
 import android.content.Intent
 import android.net.Uri
 import com.microsoft.identity.common.internal.ui.browser.CustomTabsManager
+import com.microsoft.identity.common.internal.ui.webview.switchbrowser.SwitchBrowserUriHelper
 import com.microsoft.identity.common.java.browser.Browser
 import com.microsoft.identity.common.java.browser.IBrowserSelector
 import com.microsoft.identity.common.java.exception.ClientException
+import io.mockk.every
+import io.mockk.mockkObject
 import org.junit.Assert
 import org.junit.Test
 import org.junit.runner.RunWith
@@ -46,7 +49,8 @@ import org.robolectric.RobolectricTestRunner
 class SwitchBrowserRequestHandlerTest {
 
     @Test
-    fun `test processChallenge success`() {
+    fun `test processChallenge success (stateRequired)`() {
+        isStateRequired(true)
         // Mock parameters
         val mockActivity = mock<Activity>()
         var activityExecuted = false
@@ -66,6 +70,28 @@ class SwitchBrowserRequestHandlerTest {
         Assert.assertTrue(activityExecuted)
     }
 
+    @Test
+    fun `test processChallenge success (StateNotRequired)`() {
+        isStateRequired(false)
+        // Mock parameters
+        val mockActivity = mock<Activity>()
+        var activityExecuted = false
+        doAnswer {
+            activityExecuted = true
+            null
+        }.whenever(mockActivity).startActivity(any())
+        val context = mock(Context::class.java)
+        val customTabsManager = mock(CustomTabsManager::class.java)
+        val challenge = mock(SwitchBrowserChallenge::class.java)
+        `when`(challenge.processUri).thenReturn(Uri.parse("https://example.com"))
+        `when`(challenge.authorizationUrl).thenReturn("https://auth.com")
+        val browserSelector = // Browser available
+            IBrowserSelector { _, _ -> Browser("fakeBrowser", emptySet(), "browser", false) }
+        val handler = SwitchBrowserRequestHandler(mockActivity, context, customTabsManager, browserSelector, null)
+        handler.processChallenge(challenge)
+        Assert.assertTrue(activityExecuted)
+    }
+
     @Test
     fun `test processChallenge no browser available`() {
         // Mock parameters
@@ -87,13 +113,9 @@ class SwitchBrowserRequestHandlerTest {
 
     @Test
     fun `test processChallenge states mismatch`() {
+        isStateRequired(true)
         // Mock parameters
         val mockActivity = mock<Activity>()
-        var activityExecuted = false
-        doAnswer {
-            activityExecuted = true
-            null
-        }.whenever(mockActivity).startActivity(any())
         val context = mock(Context::class.java)
         val customTabsManager = mock(CustomTabsManager::class.java)
         val challenge = mock(SwitchBrowserChallenge::class.java)
@@ -108,4 +130,9 @@ class SwitchBrowserRequestHandlerTest {
         Assert.assertEquals(ClientException.STATE_MISMATCH, exception.errorCode)
         Assert.assertEquals("State does not match with the auth request state.", exception.message)
     }
+
+    private fun isStateRequired(isStateRequired: Boolean) {
+        mockkObject(SwitchBrowserUriHelper)
+        every { SwitchBrowserUriHelper.STATE_VALIDATION_REQUIRED } returns isStateRequired
+    }
 }

common/src/test/java/com/microsoft/identity/common/internal/ui/webview/switchbrowser/SwitchBrowserProtocolCoordinatorTest.kt

@@ -32,6 +32,8 @@ import com.microsoft.identity.common.internal.ui.webview.challengehandlers.Switc
 import com.microsoft.identity.common.java.AuthenticationConstants.AAD.AUTHORIZATION
 import com.microsoft.identity.common.java.exception.ClientException
 import com.microsoft.identity.common.java.ui.AuthorizationAgent
+import io.mockk.every
+import io.mockk.mockkObject
 import org.junit.Assert
 import org.junit.Test
 import org.junit.runner.RunWith
@@ -44,7 +46,8 @@ import org.robolectric.RobolectricTestRunner
 class SwitchBrowserProtocolCoordinatorTest {
 
     @Test
-    fun `test processSwitchBrowserResume with valid extras`() {
+    fun `test processSwitchBrowserResume with valid extras (stateRequired)`() {
+        isStateRequired(true)
         // Mock parameters
         val mockSwitchBrowserRequestHandler = mock(SwitchBrowserRequestHandler::class.java)
         doNothing().`when`(mockSwitchBrowserRequestHandler).resetChallengeState()
@@ -67,8 +70,57 @@ class SwitchBrowserProtocolCoordinatorTest {
         }
     }
 
+    @Test
+    fun `test processSwitchBrowserResume with valid extras (StateNotRequired)`() {
+        isStateRequired(false)
+        // Mock parameters
+        val mockSwitchBrowserRequestHandler = mock(SwitchBrowserRequestHandler::class.java)
+        doNothing().`when`(mockSwitchBrowserRequestHandler).resetChallengeState()
+        val code = "switch_browser_code"
+        val actionUrl = "test.example.com/switchbrowser/path"
+        val extras = Bundle().apply {
+            putString(SWITCH_BROWSER.CODE, code)
+            putString(SWITCH_BROWSER.ACTION_URI, actionUrl)
+        }
+        // Create an instance of SwitchBrowserProtocolCoordinator
+        val coordinator = SwitchBrowserProtocolCoordinator(mockSwitchBrowserRequestHandler)
+
+        // Call the method to be tested
+        coordinator.processSwitchBrowserResume("https://auth.com",extras) { uri, headers ->
+            // Verify the resume URI
+            Assert.assertEquals(actionUrl, uri.host + uri.path)
+            Assert.assertEquals(code, headers[AUTHORIZATION])
+        }
+    }
+
+    @Test
+    fun `test processSwitchBrowserResume with missing state (stateRequired)`() {
+        isStateRequired(true)
+        // Mock parameters
+        val mockSwitchBrowserRequestHandler = mock(SwitchBrowserRequestHandler::class.java)
+        val code = "switch_browser_code"
+        val actionUrl = "test.example.com/switchbrowser/path"
+        val extras = Bundle().apply {
+            putString(SWITCH_BROWSER.CODE, code)
+            putString(SWITCH_BROWSER.ACTION_URI, actionUrl)
+        }
+        // Create an instance of SwitchBrowserProtocolCoordinator
+        val coordinator = SwitchBrowserProtocolCoordinator(mockSwitchBrowserRequestHandler)
+
+        val exception = Assert.assertThrows(ClientException::class.java) {
+            // Call the method to be tested
+            coordinator.processSwitchBrowserResume("",extras) { _, _ ->
+                // This block should not be executed
+                Assert.fail()
+            }
+        }
+        Assert.assertEquals(ClientException.STATE_MISMATCH, exception.errorCode)
+        Assert.assertEquals("State is null.", exception.message)
+    }
+
     @Test
     fun `test processSwitchBrowserResume with missing extras`() {
+        isStateRequired(false)
         // Mock parameters
         val mockSwitchBrowserRequestHandler = mock(SwitchBrowserRequestHandler::class.java)
         val extras = Bundle().apply {
@@ -86,7 +138,7 @@ class SwitchBrowserProtocolCoordinatorTest {
             }
         }
         Assert.assertEquals(ClientException.MISSING_PARAMETER, exception.errorCode)
-        Assert.assertEquals("Action URI is null/empty: true, code is null/empty: true, state is null/empty: true", exception.message)
+        Assert.assertEquals("Action URI is null/empty: true, code is null/empty: true.", exception.message)
     }
 
     @Test
@@ -170,4 +222,9 @@ class SwitchBrowserProtocolCoordinatorTest {
             intent.getSerializableExtra(AUTHORIZATION_AGENT) as AuthorizationAgent
         )
     }
+
+    private fun isStateRequired(isStateRequired: Boolean) {
+        mockkObject(SwitchBrowserUriHelper)
+        every { SwitchBrowserUriHelper.STATE_VALIDATION_REQUIRED } returns isStateRequired
+    }
 }