PR feedback

Avery-Dunn · Avery-Dunn · commit deba5cb09fa2 · 2026-05-18T11:51:54.000-07:00
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ClientAssertion.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ClientAssertion.java
@@ -66,9 +66,13 @@ final class ClientAssertion implements IClientAssertion {
 
     /**
      * Gets the JWT assertion for client authentication.
-     * If this ClientAssertion was created with a Callable, the callable will be
-     * invoked each time this method is called to generate a fresh assertion.
-     * If created with a context-aware Function, it is invoked with a default (empty) context.
+     *
+     * <p>Dispatch logic:
+     * <ul>
+     *   <li>Context-aware provider: delegates to {@link #assertion(AssertionRequestOptions)} with empty context</li>
+     *   <li>Callable provider: invokes the callable to generate a fresh assertion</li>
+     *   <li>Static string: returns the stored assertion directly</li>
+     * </ul>
      *
      * @return A JWT assertion string
      * @throws MsalClientException if the assertion provider returns null/empty or throws an exception
@@ -87,10 +91,17 @@ public String assertion() {
 
     /**
      * Gets the JWT assertion for client authentication with context information.
-     * If this ClientAssertion was created with a context-aware Function, the function will receive
-     * the provided context. If created with a Callable or static string, the context is ignored.
      *
-     * @param options context information for the assertion request
+     * <p>Dispatch logic:
+     * <ul>
+     *   <li>Context-aware provider: invokes the Function with the provided options</li>
+     *   <li>Callable or static: context is ignored, falls back to {@link #assertion()}</li>
+     * </ul>
+     *
+     * <p>This method is the primary entry point used by {@code TokenRequestExecutor} when
+     * building token requests, as it can pass FMI path and token endpoint context.
+     *
+     * @param options context information for the assertion request (may contain nulls for non-FMI flows)
      * @return A JWT assertion string
      * @throws MsalClientException if the assertion provider returns null/empty or throws an exception
      */
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ClientCredentialParameters.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ClientCredentialParameters.java
@@ -5,6 +5,7 @@
 
 import java.util.Map;
 import java.util.Set;
+import java.util.TreeMap;
 
 import static com.microsoft.aad.msal4j.ParameterValidationUtils.validateNotNull;
 
@@ -106,14 +107,22 @@ public String fmiPath() {
      * Returns an empty string if fmiPath is not set.
      * This is the single source of truth for the fmi_path cache key hash computation,
      * used by both cache writes (TokenCache) and cache reads (silent lookup).
+     * The result is memoized since ClientCredentialParameters is immutable after construction.
      */
+    private String fmiCacheKeyHashCache;
+
     String computeFmiCacheKeyHash() {
+        if (fmiCacheKeyHashCache != null) {
+            return fmiCacheKeyHashCache;
+        }
         if (!StringHelper.isBlank(fmiPath)) {
-            java.util.TreeMap<String, String> components = new java.util.TreeMap<>();
+            TreeMap<String, String> components = new TreeMap<>();
             components.put("fmi_path", fmiPath);
-            return StringHelper.computeExtCacheKeyHash(components);
+            fmiCacheKeyHashCache = StringHelper.computeExtCacheKeyHash(components);
+        } else {
+            fmiCacheKeyHashCache = "";
         }
-        return "";
+        return fmiCacheKeyHashCache;
     }
 
     public static class ClientCredentialParametersBuilder {
@@ -203,9 +212,7 @@ public ClientCredentialParametersBuilder clientCredential(IClientCredential clie
          * @return builder that can be used to construct ClientCredentialParameters
          */
         public ClientCredentialParametersBuilder fmiPath(String fmiPath) {
-            if (fmiPath != null && fmiPath.trim().isEmpty()) {
-                throw new IllegalArgumentException("fmiPath cannot be empty or blank");
-            }
+            ParameterValidationUtils.validateNotBlank("fmiPath", fmiPath);
             this.fmiPath = fmiPath;
             return this;
         }
diff --git a/msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/FmiTest.java b/msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/FmiTest.java
@@ -357,6 +357,15 @@ void fmiPath_WhitespaceOnlyThrowsIllegalArgumentException() {
                         .build());
     }
 
+    @Test
+    void fmiPath_NullValueThrowsIllegalArgumentException() {
+        assertThrows(IllegalArgumentException.class, () ->
+                ClientCredentialParameters
+                        .builder(Collections.singleton("scope"))
+                        .fmiPath(null)
+                        .build());
+    }
+
     // ========================================================================
     // Exact cache key string validation
     // ========================================================================
@@ -451,4 +460,118 @@ void fmiPath_NoFmiPath_CacheKeyUsesAccessTokenCredentialType() throws Exception
                 "Cache key without fmi_path should use 'accesstoken' credential type and no hash suffix");
     }
 
+    // ========================================================================
+    // Cache filter isolation: FMI tokens not returned for non-FMI requests (and vice versa)
+    // ========================================================================
+
+    @Test
+    void fmiPath_CacheIsolation_FmiTokenNotReturnedForNonFmiRequest() throws Exception {
+        // Seed cache with an FMI-tagged token, then verify a non-FMI request does NOT
+        // return it from cache (goes to IdP instead).
+        DefaultHttpClient httpClientMock = mock(DefaultHttpClient.class);
+
+        when(httpClientMock.send(any(HttpRequest.class))).thenReturn(
+                TestHelper.expectedResponse(HttpStatus.HTTP_OK,
+                        TestHelper.getSuccessfulTokenResponse(new HashMap<>())));
+
+        ConfidentialClientApplication cca =
+                ConfidentialClientApplication.builder("clientId",
+                                ClientCredentialFactory.createFromSecret("secret"))
+                        .authority("https://login.microsoftonline.com/tenant/")
+                        .aadInstanceDiscoveryResponse(TestHelper.getInstanceDiscoveryResponse())
+                        .httpClient(httpClientMock)
+                        .build();
+
+        // First request WITH fmi_path — seeds cache with an FMI-tagged token
+        ClientCredentialParameters fmiParams = ClientCredentialParameters
+                .builder(Collections.singleton("scope"))
+                .fmiPath("agentApp1")
+                .build();
+        cca.acquireToken(fmiParams).get();
+        assertEquals(1, cca.tokenCache.accessTokens.size());
+
+        // Second request WITHOUT fmi_path — should NOT get the FMI token from cache
+        ClientCredentialParameters nonFmiParams = ClientCredentialParameters
+                .builder(Collections.singleton("scope"))
+                .build();
+        cca.acquireToken(nonFmiParams).get();
+
+        // Both tokens should now be in cache (FMI miss → went to IdP → stored as non-FMI)
+        assertEquals(2, cca.tokenCache.accessTokens.size(),
+                "Non-FMI request should not match FMI-tagged cache entry; both tokens should exist");
+    }
+
+    @Test
+    void fmiPath_CacheIsolation_NonFmiTokenNotReturnedForFmiRequest() throws Exception {
+        // Seed cache with a non-FMI token, then verify an FMI request does NOT
+        // return it from cache (goes to IdP instead).
+        DefaultHttpClient httpClientMock = mock(DefaultHttpClient.class);
+
+        when(httpClientMock.send(any(HttpRequest.class))).thenReturn(
+                TestHelper.expectedResponse(HttpStatus.HTTP_OK,
+                        TestHelper.getSuccessfulTokenResponse(new HashMap<>())));
+
+        ConfidentialClientApplication cca =
+                ConfidentialClientApplication.builder("clientId",
+                                ClientCredentialFactory.createFromSecret("secret"))
+                        .authority("https://login.microsoftonline.com/tenant/")
+                        .aadInstanceDiscoveryResponse(TestHelper.getInstanceDiscoveryResponse())
+                        .httpClient(httpClientMock)
+                        .build();
+
+        // First request WITHOUT fmi_path — seeds cache with a non-FMI token
+        ClientCredentialParameters nonFmiParams = ClientCredentialParameters
+                .builder(Collections.singleton("scope"))
+                .build();
+        cca.acquireToken(nonFmiParams).get();
+        assertEquals(1, cca.tokenCache.accessTokens.size());
+
+        // Second request WITH fmi_path — should NOT get the non-FMI token from cache
+        ClientCredentialParameters fmiParams = ClientCredentialParameters
+                .builder(Collections.singleton("scope"))
+                .fmiPath("agentApp1")
+                .build();
+        cca.acquireToken(fmiParams).get();
+
+        // Both tokens should now be in cache (FMI miss → went to IdP → stored as FMI)
+        assertEquals(2, cca.tokenCache.accessTokens.size(),
+                "FMI request should not match non-FMI cache entry; both tokens should exist");
+    }
+
+    @Test
+    void fmiPath_CacheIsolation_DifferentFmiPathsNotShared() throws Exception {
+        // Two different fmi_path values should produce separate cache entries
+        DefaultHttpClient httpClientMock = mock(DefaultHttpClient.class);
+
+        when(httpClientMock.send(any(HttpRequest.class))).thenReturn(
+                TestHelper.expectedResponse(HttpStatus.HTTP_OK,
+                        TestHelper.getSuccessfulTokenResponse(new HashMap<>())));
+
+        ConfidentialClientApplication cca =
+                ConfidentialClientApplication.builder("clientId",
+                                ClientCredentialFactory.createFromSecret("secret"))
+                        .authority("https://login.microsoftonline.com/tenant/")
+                        .aadInstanceDiscoveryResponse(TestHelper.getInstanceDiscoveryResponse())
+                        .httpClient(httpClientMock)
+                        .build();
+
+        // Request with fmi_path "agentA"
+        ClientCredentialParameters paramsA = ClientCredentialParameters
+                .builder(Collections.singleton("scope"))
+                .fmiPath("agentA")
+                .build();
+        cca.acquireToken(paramsA).get();
+
+        // Request with fmi_path "agentB"
+        ClientCredentialParameters paramsB = ClientCredentialParameters
+                .builder(Collections.singleton("scope"))
+                .fmiPath("agentB")
+                .build();
+        cca.acquireToken(paramsB).get();
+
+        // Each fmi_path produces a different hash → different cache key → 2 entries
+        assertEquals(2, cca.tokenCache.accessTokens.size(),
+                "Different fmi_path values should produce separate cache entries");
+    }
+
 }
