Update secret location for CCA tests (#4745)
* Update secret location for CCA tests

* update app id uri

* Fix pop tests

* Update to reuse existing CCA settings object

* Update claims with new client id and tenant
neha-bhargava committed May 8, 2024
1 parent e0d0975 commit 174da80
Showing 4 changed files with 97 additions and 91 deletions.
5 changes: 3 additions & 2 deletions tests/Microsoft.Identity.Test.Common/TestConstants.cs
Expand Up @@ -31,7 +31,8 @@ public static HashSet<string> s_scope
public const string MsiResource = "scope";
public static readonly string[] s_graphScopes = new[] { "user.read" };
public const uint JwtToAadLifetimeInSeconds = 60 * 10; // Ten minutes
public const string ClientCredentialAudience = "https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0";
public const string ClientCredentialAudience = "https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/v2.0";
public const string PublicCloudConfidentialClientID = "88f91eac-c606-4c67-a0e2-a5e8a186854f";
public const string AutomationTestCertName = "LabVaultAccessCert";
public static Dictionary<string, string> AdditionalAssertionClaims =>
new Dictionary<string, string>() { { "Key1", "Val1" }, { "Key2", "Val2" } };
Expand Down Expand Up @@ -229,7 +230,7 @@ public static HashSet<string> s_scope


public const string MsalCCAKeyVaultUri = "https://buildautomation.vault.azure.net/secrets/AzureADIdentityDivisionTestAgentSecret/";
public const string MsalCCAKeyVaultSecretName = "MSIDLABAccessSecret";
public const string MsalCCAKeyVaultSecretName = "MSIDLAB4-IDLABS-APP-AzureADMyOrg-CC";
public const string MsalOBOKeyVaultUri = "https://buildautomation.vault.azure.net/secrets/IdentityDivisionDotNetOBOServiceSecret/";
public const string MsalOBOKeyVaultSecretName = "IdentityDivisionDotNetOBOServiceSecret";
public const string MsalArlingtonOBOKeyVaultUri = "https://msidlabs.vault.azure.net:443/secrets/ARLMSIDLAB1-IDLASBS-App-CC-Secret";
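Review bot: `MsalCCAKeyVaultUri`, the line above the renamed `MsalCCAKeyVaultSecretName`, still points at the `buildautomation` vault's `AzureADIdentityDivisionTestAgentSecret`, while the new name `MSIDLAB4-IDLABS-APP-AzureADMyOrg-CC` is resolved through `KeyVaultInstance.MSIDLab` in `ConfidentialAppSettings.GetSecret` in this same commit; if any caller still reads the secret through the URI constant it will fetch the old credential, so the URI should either be updated or annotated with `// Legacy location; the CCA secret is now resolved by name via KeyVaultInstance.MSIDLab (see ConfidentialAppSettings.GetSecret)`. The new `PublicCloudConfidentialClientID` repeats the GUID hard-coded in `PublicCloudConfidentialAppSettings.ClientId`, and the tenant GUID inside `ClientCredentialAudience` repeats the `TenantId` there; a comment on the constant such as `// Must match PublicCloudConfidentialAppSettings.ClientId / TenantId in ConfidentialAppSettings` would keep the next identity rotation from updating one copy and missing the other.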
Expand Up @@ -33,7 +33,6 @@ public class ClientCredentialsTests
{
private static readonly string[] s_scopes = { "User.Read" };
private static readonly string[] s_keyvaultScope = { "https://vault.azure.net/.default" };
private const string PublicCloudConfidentialClientID = "f62c5ae3-bf3a-4af5-afa8-a68b800396e9";

private enum CredentialType
{
Expand Down Expand Up @@ -374,10 +373,10 @@ private string GetExpectedCacheKey(string clientId, string tenantId)
{
{ "aud", TestConstants.ClientCredentialAudience },
{ "exp", validUntil.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture) },
{ "iss", PublicCloudConfidentialClientID.ToString(CultureInfo.InvariantCulture) },
{ "iss", TestConstants.PublicCloudConfidentialClientID.ToString(CultureInfo.InvariantCulture) },
{ "jti", Guid.NewGuid().ToString() },
{ "nbf", validFrom.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture) },
{ "sub", PublicCloudConfidentialClientID.ToString(CultureInfo.InvariantCulture) },
{ "sub", TestConstants.PublicCloudConfidentialClientID.ToString(CultureInfo.InvariantCulture) },
{ "ip", "192.168.2.1" }
};
}
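Review bot: `.ToString(CultureInfo.InvariantCulture)` on `TestConstants.PublicCloudConfidentialClientID` is a no-op on a `string` constant and only hides that `iss` and `sub` are the bare client id; the two entries can simply be `{ "iss", TestConstants.PublicCloudConfidentialClientID },` and `{ "sub", TestConstants.PublicCloudConfidentialClientID },`. These claims are now pinned to the GUID form while the `ConfidentialAppSettings` change in this commit can return the `api://…` form when `UseAppIdUri` is set; that is presumably intended for this assertion, but a one-line comment stating that `iss`/`sub` must carry the GUID, not the app-id URI, would make the contract explicit. The method that builds this dictionary starts outside the hunk.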
Expand Up @@ -45,22 +45,12 @@ public class PoPTests

private static readonly string[] s_keyvaultScope = { "https://vault.azure.net/.default" };

private const string PublicCloudConfidentialClientID = "f62c5ae3-bf3a-4af5-afa8-a68b800396e9";
private const string PublicCloudTestAuthority = "https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47";
private const string ProtectedUrl = "https://www.contoso.com/path1/path2?queryParam1=a&queryParam2=b";
private static string s_publicCloudCcaSecret;
private KeyVaultSecretsProvider _keyVault;

[TestInitialize]
public void TestInitialize()
{
TestCommon.ResetInternalStaticCaches();

if (_keyVault == null)
{
_keyVault = new KeyVaultSecretsProvider(KeyVaultInstance.MsalTeam);
s_publicCloudCcaSecret = _keyVault.GetSecretByName(TestConstants.MsalCCAKeyVaultSecretName).Value;
}
}

[RunOn(TargetFrameworks.NetCore)]
Expand All @@ -82,11 +72,13 @@ public async Task HappyPath_Async()
var popConfig = new PoPAuthenticationConfiguration(new Uri(ProtectedUrl));
popConfig.HttpMethod = HttpMethod.Get;

var settings = ConfidentialAppSettings.GetSettings(Cloud.Public);

var confidentialApp = ConfidentialClientApplicationBuilder
.Create(PublicCloudConfidentialClientID)
.Create(settings.ClientId)
.WithExperimentalFeatures()
.WithAuthority(PublicCloudTestAuthority)
.WithClientSecret(s_publicCloudCcaSecret)
.WithAuthority(settings.Authority)
.WithClientSecret(settings.GetSecret())
.WithTestLogging()
.Build();

Expand All @@ -97,7 +89,7 @@ public async Task HappyPath_Async()

Assert.AreEqual("pop", result.TokenType);
PoPValidator.VerifyPoPToken(
PublicCloudConfidentialClientID,
settings.ClientId,
ProtectedUrl,
HttpMethod.Get,
result);
Expand All @@ -109,12 +101,14 @@ private async Task BearerAndPoP_CanCoexist_Async()
var popConfig = new PoPAuthenticationConfiguration(new Uri(ProtectedUrl));
popConfig.HttpMethod = HttpMethod.Get;

var settings = ConfidentialAppSettings.GetSettings(Cloud.Public);

var cca = ConfidentialClientApplicationBuilder
.Create(PublicCloudConfidentialClientID)
.Create(settings.ClientId)
.WithExperimentalFeatures()
.WithClientSecret(s_publicCloudCcaSecret)
.WithClientSecret(settings.GetSecret())
.WithTestLogging()
.WithAuthority(PublicCloudTestAuthority).Build();
.WithAuthority(settings.Authority).Build();
ConfigureInMemoryCache(cca);

// Act - acquire both a PoP and a Bearer token
Expand All @@ -127,10 +121,10 @@ private async Task BearerAndPoP_CanCoexist_Async()

Assert.AreEqual("pop", result.TokenType);
PoPValidator.VerifyPoPToken(
PublicCloudConfidentialClientID,
ProtectedUrl,
HttpMethod.Get,
result);
settings.ClientId,
ProtectedUrl,
HttpMethod.Get,
result);

Trace.WriteLine("Getting a Bearer token");
result = await cca
Expand All @@ -156,11 +150,13 @@ private async Task MultipleKeys_Async()
popConfig2.HttpMethod = HttpMethod.Post;
popConfig2.PopCryptoProvider = cryptoProvider;

var cca = ConfidentialClientApplicationBuilder.Create(PublicCloudConfidentialClientID)
var settings = ConfidentialAppSettings.GetSettings(Cloud.Public);

var cca = ConfidentialClientApplicationBuilder.Create(settings.ClientId)
.WithExperimentalFeatures()
.WithTestLogging()
.WithAuthority(PublicCloudTestAuthority)
.WithClientSecret(s_publicCloudCcaSecret).Build();
.WithAuthority(settings.Authority)
.WithClientSecret(settings.GetSecret()).Build();
ConfigureInMemoryCache(cca);

var result = await cca
Expand All @@ -171,17 +167,17 @@ private async Task MultipleKeys_Async()

Assert.AreEqual("pop", result.TokenType);
PoPValidator.VerifyPoPToken(
PublicCloudConfidentialClientID,
ProtectedUrl,
HttpMethod.Get,
result);
settings.ClientId,
ProtectedUrl,
HttpMethod.Get,
result);

// recreate the pca to ensure that the silent call is served from the cache, i.e. the key remains stable
cca = ConfidentialClientApplicationBuilder
.Create(PublicCloudConfidentialClientID)
.Create(settings.ClientId)
.WithExperimentalFeatures()
.WithAuthority(PublicCloudTestAuthority)
.WithClientSecret(s_publicCloudCcaSecret)
.WithAuthority(settings.Authority)
.WithClientSecret(settings.GetSecret())
.WithHttpClientFactory(new NoAccessHttpClientFactory()) // token should be served from the cache, no network access necessary
.Build();
ConfigureInMemoryCache(cca);
Expand All @@ -196,36 +192,38 @@ private async Task MultipleKeys_Async()
Assert.AreEqual("pop", result.TokenType);

PoPValidator.VerifyPoPToken(
PublicCloudConfidentialClientID,
ProtectedUrl,
HttpMethod.Get,
result);
settings.ClientId,
ProtectedUrl,
HttpMethod.Get,
result);

// Call some other Uri - the same pop assertion can be reused, i.e. no need to call Evo
result = await cca
.AcquireTokenForClient(s_keyvaultScope)
.WithProofOfPossession(popConfig2)
.ExecuteAsync()
.ConfigureAwait(false);
.AcquireTokenForClient(s_keyvaultScope)
.WithProofOfPossession(popConfig2)
.ExecuteAsync()
.ConfigureAwait(false);

Assert.AreEqual("pop", result.TokenType);
Assert.AreEqual(TokenSource.Cache, result.AuthenticationResultMetadata.TokenSource);

PoPValidator.VerifyPoPToken(
PublicCloudConfidentialClientID,
OtherProtectedUrl,
HttpMethod.Post,
result);
settings.ClientId,
OtherProtectedUrl,
HttpMethod.Post,
result);
}

[RunOn(TargetFrameworks.NetCore)]
public async Task PopTestWithConfigObjectAsync()
{
var settings = ConfidentialAppSettings.GetSettings(Cloud.Public);

var confidentialApp = ConfidentialClientApplicationBuilder
.Create(PublicCloudConfidentialClientID)
.Create(settings.ClientId)
.WithExperimentalFeatures()
.WithAuthority(PublicCloudTestAuthority)
.WithClientSecret(s_publicCloudCcaSecret)
.WithAuthority(settings.Authority)
.WithClientSecret(settings.GetSecret())
.WithTestLogging()
.Build();

Expand All @@ -240,21 +238,23 @@ public async Task PopTestWithConfigObjectAsync()

Assert.AreEqual("pop", result.TokenType);
PoPValidator.VerifyPoPToken(
PublicCloudConfidentialClientID,
ProtectedUrl,
HttpMethod.Get,
result);
settings.ClientId,
ProtectedUrl,
HttpMethod.Get,
result);
}

[TestMethod]
public async Task PopTestWithRSAAsync()
{
var telemetryClient = new TestTelemetryClient(TestConstants.ClientId);
var settings = ConfidentialAppSettings.GetSettings(Cloud.Public);

var confidentialApp = ConfidentialClientApplicationBuilder
.Create(PublicCloudConfidentialClientID)
.Create(settings.ClientId)
.WithExperimentalFeatures()
.WithAuthority(PublicCloudTestAuthority)
.WithClientSecret(s_publicCloudCcaSecret)
.WithAuthority(settings.Authority)
.WithClientSecret(settings.GetSecret())
.WithTelemetryClient(telemetryClient)
.Build();

Expand All @@ -270,10 +270,10 @@ public async Task PopTestWithRSAAsync()

Assert.AreEqual("pop", result.TokenType);
PoPValidator.VerifyPoPToken(
PublicCloudConfidentialClientID,
ProtectedUrl,
HttpMethod.Get,
result);
settings.ClientId,
ProtectedUrl,
HttpMethod.Get,
result);

MsalTelemetryEventDetails eventDetails = telemetryClient.TestTelemetryEventDetails;
Assert.IsNotNull(eventDetails);
Expand All @@ -283,11 +283,13 @@ public async Task PopTestWithRSAAsync()
[TestMethod]
public async Task PopTest_ExternalWilsonSigning_Async()
{
var settings = ConfidentialAppSettings.GetSettings(Cloud.Public);

var confidentialApp = ConfidentialClientApplicationBuilder
.Create(PublicCloudConfidentialClientID)
.Create(settings.ClientId)
.WithExperimentalFeatures()
.WithAuthority(PublicCloudTestAuthority)
.WithClientSecret(s_publicCloudCcaSecret)
.WithAuthority(settings.Authority)
.WithClientSecret(settings.GetSecret())
.Build();

// Create an RSA key Wilson style (SigningCredentials)
Expand Down Expand Up @@ -323,10 +325,10 @@ public async Task PopTest_ExternalWilsonSigning_Async()
string req = signedHttpRequestHandler.CreateSignedHttpRequest(signedHttpRequestDescriptor);

PoPValidator.VerifyPoPToken(
PublicCloudConfidentialClientID,
ProtectedUrl,
HttpMethod.Post,
req, "pop");
settings.ClientId,
ProtectedUrl,
HttpMethod.Post,
req, "pop");

var result2 = await confidentialApp.AcquireTokenForClient(s_keyvaultScope)
.WithProofOfPossession(popConfig)
Expand All @@ -340,11 +342,13 @@ public async Task PopTest_ExternalWilsonSigning_Async()
[TestMethod]
public async Task PopTestWithECDAsync()
{
var settings = ConfidentialAppSettings.GetSettings(Cloud.Public);

var confidentialApp = ConfidentialClientApplicationBuilder
.Create(PublicCloudConfidentialClientID)
.Create(settings.ClientId)
.WithExperimentalFeatures()
.WithAuthority(PublicCloudTestAuthority)
.WithClientSecret(s_publicCloudCcaSecret)
.WithAuthority(settings.Authority)
.WithClientSecret(settings.GetSecret())
.Build();

//ECD Provider
Expand All @@ -359,7 +363,7 @@ public async Task PopTestWithECDAsync()

Assert.AreEqual("pop", result.TokenType);
PoPValidator.VerifyPoPToken(
PublicCloudConfidentialClientID,
settings.ClientId,
ProtectedUrl,
HttpMethod.Post,
result);
Expand All @@ -382,11 +386,13 @@ public async Task NewPOP_WithKeyIdOnly_Async()
// Arrange MSALfin

// 2. Create a normal CCA
var settings = ConfidentialAppSettings.GetSettings(Cloud.Public);

var confidentialApp = ConfidentialClientApplicationBuilder
.Create(PublicCloudConfidentialClientID)
.Create(settings.ClientId)
.WithExperimentalFeatures()
.WithAuthority(PublicCloudTestAuthority)
.WithClientSecret(s_publicCloudCcaSecret)
.WithAuthority(settings.Authority)
.WithClientSecret(settings.GetSecret())
.Build();

// 3. When acquiring a token, use WithPopKeyId and OnBeforeTokenRequest extensiblity methods
Expand Down Expand Up @@ -426,22 +432,22 @@ public async Task NewPOP_WithKeyIdOnly_Async()

// play the POP token against a webservice that accepts POP to validate the keys
PoPValidator.VerifyPoPToken(
PublicCloudConfidentialClientID,
ProtectedUrl,
HttpMethod.Post,
req, "pop");
settings.ClientId,
ProtectedUrl,
HttpMethod.Post,
req, "pop");

// Additional check - if using the same key, the token should come from the cache
var result2 = await confidentialApp.AcquireTokenForClient(s_keyvaultScope)
.WithProofOfPosessionKeyId(keyId, "pop") // ensure tokens are bound to the key_id
.OnBeforeTokenRequest((data) =>
{
// add extra data to request
data.BodyParameters.Add("req_cnf", keyId);
data.BodyParameters.Add("token_type", "pop");
.WithProofOfPosessionKeyId(keyId, "pop") // ensure tokens are bound to the key_id
.OnBeforeTokenRequest((data) =>
{
// add extra data to request
data.BodyParameters.Add("req_cnf", keyId);
data.BodyParameters.Add("token_type", "pop");
return Task.CompletedTask;
})
return Task.CompletedTask;
})
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
Assert.AreEqual(
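Review bot: `settings.ClientId` replaces the former GUID constant in every `Create(...)` and `PoPValidator.VerifyPoPToken(...)` call, but per the `ConfidentialAppSettings` change in this commit it returns `api://88f91eac-…` when `UseAppIdUri` is set, so the validator is now handed an app-id URI where the old constant always supplied the GUID; if `VerifyPoPToken` compares this against the token's client id, these tests silently depend on `UseAppIdUri` being false, which is worth asserting in `TestInitialize` or stating in a comment. Each test also calls `ConfidentialAppSettings.GetSettings(Cloud.Public)` and `settings.GetSecret()` afresh now that `TestInitialize` no longer caches the secret; unless `GetSecretLazy` already memoizes the Key Vault read, hoisting the settings into a field set in `TestInitialize` (`_settings = ConfidentialAppSettings.GetSettings(Cloud.Public);`) would share one round-trip. Finally, the hunks in `BearerAndPoP_CanCoexist_Async`, `MultipleKeys_Async`, `PopTestWithConfigObjectAsync`, `PopTestWithRSAAsync`, `PopTest_ExternalWilsonSigning_Async` and `NewPOP_WithKeyIdOnly_Async` re-indent the `VerifyPoPToken` arguments and the `OnBeforeTokenRequest` lambda without changing them; keeping whitespace churn out of a credential-rotation commit makes the functional change easier to audit.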
Expand Up @@ -37,9 +37,9 @@ public class ConfidentialAppSettings
{
private class PublicCloudConfidentialAppSettings : IConfidentialAppSettings
{
public string ClientId => UseAppIdUri? "https://request.msidlab.com" : "f62c5ae3-bf3a-4af5-afa8-a68b800396e9";
public string ClientId => UseAppIdUri? "api://88f91eac-c606-4c67-a0e2-a5e8a186854f" : "88f91eac-c606-4c67-a0e2-a5e8a186854f";

public string TenantId => "72f988bf-86f1-41af-91ab-2d7cd011db47";
public string TenantId => "f645ad92-e38d-4d1a-b510-d1b09a74a8ca";

public string Environment => "login.microsoftonline.com";

Expand All @@ -60,7 +60,7 @@ public X509Certificate2 GetCertificate()

public string GetSecret()
{
return GetSecretLazy(KeyVaultInstance.MsalTeam, TestConstants.MsalCCAKeyVaultSecretName).Value;
return GetSecretLazy(KeyVaultInstance.MSIDLab, TestConstants.MsalCCAKeyVaultSecretName).Value;
}
}

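Review bot: `ClientId` hard-codes the GUID `88f91eac-c606-4c67-a0e2-a5e8a186854f` twice in one expression while `TestConstants.PublicCloudConfidentialClientID`, added in this commit, holds the same value; since `TestConstants` is already referenced from `GetSecret` below, `public string ClientId => UseAppIdUri ? $"api://{TestConstants.PublicCloudConfidentialClientID}" : TestConstants.PublicCloudConfidentialClientID;` removes the duplication so a future rotation cannot leave the two forms out of sync. The same applies to `TenantId`, whose GUID is also embedded in `TestConstants.ClientCredentialAudience`. As a formatting nit, `UseAppIdUri?` should read `UseAppIdUri ?` to match the rest of the file.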
