Move validation of Authority to Factory

AzureAD · tnorling · Jun 15, 2020 · May 1, 2020 · May 13, 2020 · May 19, 2020
commit 85d1736df18d0369a1933229a65d8544b85113ce
@@ -5,7 +5,7 @@
 
 import { IUri } from "../IUri";
 import { ITenantDiscoveryResponse } from "./ITenantDiscoveryResponse";
-import { ClientConfigurationErrorMessage, ClientConfigurationError } from "../error/ClientConfigurationError";
+import { ClientConfigurationErrorMessage } from "../error/ClientConfigurationError";
 import { XhrClient, XhrResponse } from "../XHRClient";
 import { UrlUtils } from "../utils/UrlUtils";
 import TelemetryManager from "../telemetry/TelemetryManager";
@@ -25,18 +25,13 @@ export enum AuthorityType {
  * @hidden
  */
 export class Authority {
-    constructor(authority: string, validateAuthority: boolean, authorityMetadata?: ITenantDiscoveryResponse) {
-        this.IsValidationEnabled = validateAuthority;
+    constructor(authority: string, authorityMetadata?: ITenantDiscoveryResponse) {
         this.CanonicalAuthority = authority;
 
         this.validateAsUri();
         this.tenantDiscoveryResponse = authorityMetadata;
     }
 
-    public IsValidationEnabled: boolean;
-
-    public static TrustedHostList: Array<string> = [];
-
     public get Tenant(): string {
         return this.CanonicalAuthorityUrlComponents.PathSegments[0];
     }
@@ -170,18 +165,6 @@ export class Authority {
      * Only responds with the endpoint
      */
     public GetOpenIdConfigurationEndpoint(): string {
-        if (!this.IsValidationEnabled || this.IsInTrustedHostList(this.CanonicalAuthorityUrlComponents.HostNameAndPort)) {
-            return this.DefaultOpenIdConfigurationEndpoint;
-        }
-
-        throw ClientConfigurationError.createUntrustedAuthorityError();
-    }
-
-    /**
-     * Checks to see if the host is in a list of trusted hosts
-     * @param {string} The host to look up
-     */
-    private IsInTrustedHostList(host: string): boolean {
-        return Authority.TrustedHostList.indexOf(host.toLowerCase()) > -1;
+        return this.DefaultOpenIdConfigurationEndpoint;
     }
 }
@@ -13,9 +13,11 @@ import { ITenantDiscoveryResponse, OpenIdConfiguration } from "./ITenantDiscover
 import TelemetryManager from "../telemetry/TelemetryManager";
 import { XhrClient, XhrResponse } from "../XHRClient";
 import HttpEvent from "../telemetry/HttpEvent";
+import { UrlUtils } from '../utils/UrlUtils';
 
 export class AuthorityFactory {
     private static metadataMap = new Map<string, ITenantDiscoveryResponse>();
+    private static TrustedHostList: Array<string> = [];
 
     public static async saveMetadataFromNetwork(authorityInstance: Authority, telemetryManager: TelemetryManager, correlationId: string): Promise<ITenantDiscoveryResponse> {
         const metadata = await authorityInstance.resolveEndpointsAsync(telemetryManager, correlationId);
@@ -51,12 +53,12 @@ export class AuthorityFactory {
      * Use when validateAuthority is set to True to provide list of allowed domains.
      */
     public static async setKnownAuthorities(validateAuthority: boolean, knownAuthorities: Array<string>, telemetryManager: TelemetryManager, correlationId?: string): Promise<void> {
-        if (validateAuthority && !Authority.TrustedHostList.length){
+        if (validateAuthority && !this.TrustedHostList.length){
             knownAuthorities.forEach(function(authority){
-                Authority.TrustedHostList.push(authority);
+                this.TrustedHostList.push(authority.toLowerCase());
             });
 
-            if (!Authority.TrustedHostList.length){
+            if (!this.TrustedHostList.length){
                 await this.setTrustedAuthoritiesFromNetwork(telemetryManager, correlationId);
             }
         }
@@ -85,11 +87,19 @@ export class AuthorityFactory {
         metadata.forEach(function(entry: any){
             const authorities: Array<string> = entry.aliases;
             authorities.forEach(function(authority: string) {
-                Authority.TrustedHostList.push(authority);
+                this.TrustedHostList.push(authority.toLowerCase());
             });
         });
     } 
 
+    /**
+     * Checks to see if the host is in a list of trusted hosts
+     * @param {string} The host to look up
+     */
+    public static IsInTrustedHostList(host: string): boolean {
+        return this.TrustedHostList.indexOf(host.toLowerCase()) > -1;
+    }
+
     /**
      * Create an authority object of the correct type based on the url
      * Performs basic authority validation - checks to see if the authority is of a valid type (eg aad, b2c)
@@ -104,6 +114,11 @@ export class AuthorityFactory {
             this.saveMetadataFromConfig(authorityUrl, authorityMetadata);
         }
 
-        return new Authority(authorityUrl, validateAuthority, this.metadataMap.get(authorityUrl));
+        const host = UrlUtils.GetUrlComponents(authorityUrl).HostNameAndPort;
+        if (validateAuthority && !this.IsInTrustedHostList(host)) {
+            throw ClientConfigurationError.createUntrustedAuthorityError();
+        }
+
+        return new Authority(authorityUrl, this.metadataMap.get(authorityUrl));
     }
 }
@@ -1,14 +1,14 @@
-import { Authority } from "../authority/Authority";
 import { TENANT_PLACEHOLDER, EVENT_NAME_PREFIX } from "./TelemetryConstants";
 import { CryptoUtils } from "../utils/CryptoUtils";
 import { UrlUtils } from "../utils/UrlUtils";
+import { AuthorityFactory } from '../authority/AuthorityFactory';
 
 export const scrubTenantFromUri = (uri: string): String => {
 
     const url = UrlUtils.GetUrlComponents(uri);
 
     // validate trusted host
-    if (Authority.TrustedHostList.indexOf(url.HostNameAndPort.toLocaleLowerCase()) === -1) {
+    if (AuthorityFactory.IsInTrustedHostList(url.HostNameAndPort.toLocaleLowerCase())) {
         /**
          * returning what was passed because the library needs to work with uris that are non
          * AAD trusted but passed by users such as B2C or others.