Added messages for all UnauthorizedAccessException (#6786)
* Added messages for all UnauthorizedAccessException

* Adjust unit tests for changes in UnauthorizedAccessException messages

---------

Co-authored-by: Tracy Boehrer <trboehre@microsoft.com>
tracyboehrer and Tracy Boehrer committed May 7, 2024
1 parent 673dbca commit 4952e8f
Showing 11 changed files with 40 additions and 40 deletions.
2 changes: 1 addition & 1 deletion libraries/Microsoft.Bot.Builder/ChannelServiceHandler.cs
Expand Up @@ -65,7 +65,7 @@ internal override async Task<ClaimsIdentity> AuthenticateAsync(string authHeader
if (!isAuthDisabled)
{
// No auth header. Auth is required. Request is not authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("No Authorization header");
}

// In the scenario where auth is disabled, we still want to have the
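Review bot: The new literal `"No Authorization header"` on the throw line is repeated verbatim at the AuthenticateChannelRequestAsync, AuthenticateRequest and JwtTokenValidation_AuthenticateRequestAsync hunks of this commit, and the test hunk at the end asserts on exact message text, so a single shared constant would keep the strings from drifting as they already have elsewhere in this change. From the page it is not visible whether the hosting layer echoes UnauthorizedAccessException.Message into the 401 body; the messages are useful log detail, but since each one names which check failed they should stay server-side and not reach the unauthenticated caller. AuthenticateAsync begins before and continues after the hunk.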
Expand Up @@ -133,13 +133,13 @@ public static async Task<ClaimsIdentity> AuthenticateAseTokenAsync(string authHe
if (identity == null)
{
// No valid identity. Not Authorized.
throw new UnauthorizedAccessException("Invalid Identity");
throw new UnauthorizedAccessException("No valid Identity");
}

if (!identity.IsAuthenticated)
{
// The token is in some way invalid. Not Authorized.
throw new UnauthorizedAccessException("Token Not Authenticated");
throw new UnauthorizedAccessException("Identity Not Authenticated");
}

// Now check that the AppID in the claimset matches
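Review bot: `"No valid Identity"` on the new throw line capitalizes Identity, while the identical null check in the AuthenticateChannelToken, both ValidateIdentity and the GovernmentChannelValidation_ValidateIdentityAsync hunks uses `"No valid identity"`; with the test hunk asserting exact text, one spelling should be used everywhere. The same split recurs at the AuthenticateEmulatorToken, SkillValidation_ValidateIdentityAsync and ValidateIdentityAsync hunks, which also use the capitalized form. AuthenticateAseTokenAsync begins before and continues after the hunk.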
Expand Up @@ -75,7 +75,7 @@ public override async Task<ClaimsIdentity> AuthenticateChannelRequestAsync(strin
if (!isAuthDisabled)
{
// No auth header. Auth is required. Request is not authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("No Authorization header");
}

// In the scenario where auth is disabled, we still want to have the
Expand Down Expand Up @@ -107,7 +107,7 @@ public override async Task<AuthenticateRequestResult> AuthenticateStreamingReque
{
if (string.IsNullOrWhiteSpace(channelIdHeader) && !await _credentialsFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false))
{
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("No Channel ID header");
}

var claimsIdentity = await JwtTokenValidation.ValidateAuthHeader(authHeader, new DelegatingCredentialProvider(_credentialsFactory), GetChannelProvider(), channelIdHeader, httpClient: _authHttpClient).ConfigureAwait(false);
Expand Up @@ -100,13 +100,13 @@ public static async Task<ClaimsIdentity> AuthenticateChannelToken(string authHea
if (identity == null)
{
// No valid identity. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("No valid identity");
}

if (!identity.IsAuthenticated)
{
// The token is in some way invalid. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Identity Not Authenticated");
}

// Now check that the AppID in the claimset matches
Expand All @@ -121,7 +121,7 @@ public static async Task<ClaimsIdentity> AuthenticateChannelToken(string authHea
if (audienceClaim == null)
{
// The relevant audience Claim MUST be present. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Missing aud claim");
}

// The AppId from the claim in the token must match the AppId specified by the developer.
Expand All @@ -130,7 +130,7 @@ public static async Task<ClaimsIdentity> AuthenticateChannelToken(string authHea
if (string.IsNullOrWhiteSpace(appIdFromClaim))
{
// Claim is present, but doesn't have a value. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Missing AppId claim");
}

if (!await credentials.IsValidAppIdAsync(appIdFromClaim).ConfigureAwait(false))
Expand Down Expand Up @@ -187,13 +187,13 @@ public static async Task<ClaimsIdentity> AuthenticateChannelToken(string authHea
if (string.IsNullOrWhiteSpace(serviceUrlClaim))
{
// Claim must be present. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Missing serviceurl claim");
}

if (!string.Equals(serviceUrlClaim, serviceUrl, StringComparison.OrdinalIgnoreCase))
{
// Claim must match. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("serviceurl claim mismatch");
}

return identity;
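Review bot: `"Missing AppId claim"` at the `string.IsNullOrWhiteSpace(appIdFromClaim)` throw contradicts the comment directly above it (`Claim is present, but doesn't have a value`), and the same check elsewhere in this commit gets `"Empty aud claim"` (the first ValidateIdentity hunk and GovernmentChannelValidation_ValidateIdentityAsync) and `"aud claim empty"` (the second ValidateIdentity hunk). Using one wording at all four sites, e.g. `throw new UnauthorizedAccessException("Empty aud claim");`, would match the comment and keep log searches for this failure consistent. AuthenticateChannelToken is split across the hunks of this section and begins before the first one.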
Expand Up @@ -157,13 +157,13 @@ public static async Task<ClaimsIdentity> AuthenticateEmulatorToken(string authHe
if (identity == null)
{
// No valid identity. Not Authorized.
throw new UnauthorizedAccessException("Invalid Identity");
throw new UnauthorizedAccessException("No valid Identity");
}

if (!identity.IsAuthenticated)
{
// The token is in some way invalid. Not Authorized.
throw new UnauthorizedAccessException("Token Not Authenticated");
throw new UnauthorizedAccessException("Identity Not Authenticated");
}

// Now check that the AppID in the claimset matches
Expand Up @@ -104,13 +104,13 @@ public static async Task ValidateIdentity(ClaimsIdentity identity, ICredentialPr
if (identity == null)
{
// No valid identity. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("No valid identity");
}

if (!identity.IsAuthenticated)
{
// The token is in some way invalid. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Identity Not Authenticated");
}

// Now check that the AppID in the claimset matches
Expand All @@ -125,7 +125,7 @@ public static async Task ValidateIdentity(ClaimsIdentity identity, ICredentialPr
if (audienceClaim == null)
{
// The relevant audience Claim MUST be present. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Missing aud claim");
}

// The AppId from the claim in the token must match the AppId specified by the developer.
Expand All @@ -134,7 +134,7 @@ public static async Task ValidateIdentity(ClaimsIdentity identity, ICredentialPr
if (string.IsNullOrWhiteSpace(appIdFromClaim))
{
// Claim is present, but doesn't have a value. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Empty aud claim");
}

if (!await credentials.IsValidAppIdAsync(appIdFromClaim).ConfigureAwait(false))
Expand All @@ -149,13 +149,13 @@ public static async Task ValidateIdentity(ClaimsIdentity identity, ICredentialPr
if (string.IsNullOrWhiteSpace(serviceUrlClaim))
{
// Claim must be present. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Missing serviceurl claim");
}

if (!string.Equals(serviceUrlClaim, serviceUrl, StringComparison.OrdinalIgnoreCase))
{
// Claim must match. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("serviceurl claim mismatch");
}
}
}
Expand Up @@ -109,13 +109,13 @@ public static async Task ValidateIdentity(ClaimsIdentity identity, ICredentialPr
if (identity == null)
{
// No valid identity. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("No valid identity");
}

if (!identity.IsAuthenticated)
{
// The token is in some way invalid. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Identity Not Authenticated");
}

// Now check that the AppID in the claimset matches
Expand All @@ -130,7 +130,7 @@ public static async Task ValidateIdentity(ClaimsIdentity identity, ICredentialPr
if (audienceClaim == null)
{
// The relevant audience Claim MUST be present. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Missing aud claim");
}

// The AppId from the claim in the token must match the AppId specified by the developer.
Expand All @@ -139,7 +139,7 @@ public static async Task ValidateIdentity(ClaimsIdentity identity, ICredentialPr
if (string.IsNullOrWhiteSpace(appIdFromClaim))
{
// Claim is present, but doesn't have a value. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("aud claim empty");
}

if (!await credentials.IsValidAppIdAsync(appIdFromClaim).ConfigureAwait(false))
Expand All @@ -154,13 +154,13 @@ public static async Task ValidateIdentity(ClaimsIdentity identity, ICredentialPr
if (string.IsNullOrWhiteSpace(serviceUrlClaim))
{
// Claim must be present. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Missing serviceurl claim");
}

if (!string.Equals(serviceUrlClaim, serviceUrl, StringComparison.OrdinalIgnoreCase))
{
// Claim must match. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("serviceurl claim mismatch");
}
}
}
Expand Up @@ -66,7 +66,7 @@ public static async Task<ClaimsIdentity> AuthenticateRequest(IActivity activity,
if (!isAuthDisabled)
{
// No Auth Header and Auth is required. Request is not authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("No Authorization header");
}

// Check if the activity is for a skill call and is coming from the Emulator.
Expand Up @@ -88,7 +88,7 @@ public override async Task<AuthenticateRequestResult> AuthenticateStreamingReque
{
if (string.IsNullOrWhiteSpace(channelIdHeader) && !await _credentialsFactory.IsAuthenticationDisabledAsync(cancellationToken).ConfigureAwait(false))
{
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("No Channel ID header");
}

var claimsIdentity = await JwtTokenValidation_ValidateAuthHeaderAsync(authHeader, channelIdHeader, null, cancellationToken).ConfigureAwait(false);
Expand Down Expand Up @@ -128,7 +128,7 @@ private async Task<ClaimsIdentity> JwtTokenValidation_AuthenticateRequestAsync(A
if (!isAuthDisabled)
{
// No Auth Header. Auth is required. Request is not authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("No Authorization header");
}

// Check if the activity is for a skill call and is coming from the Emulator.
Expand Down Expand Up @@ -244,13 +244,13 @@ private async Task SkillValidation_ValidateIdentityAsync(ClaimsIdentity identity
if (identity == null)
{
// No valid identity. Not Authorized.
throw new UnauthorizedAccessException("Invalid Identity");
throw new UnauthorizedAccessException("No valid Identity");
}

if (!identity.IsAuthenticated)
{
// The token is in some way invalid. Not Authorized.
throw new UnauthorizedAccessException("Token Not Authenticated");
throw new UnauthorizedAccessException("Identity Not Authenticated");
}

var versionClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.VersionClaim);
Expand Down Expand Up @@ -428,13 +428,13 @@ private async Task GovernmentChannelValidation_ValidateIdentityAsync(ClaimsIdent
if (identity == null)
{
// No valid identity. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("No valid identity");
}

if (!identity.IsAuthenticated)
{
// The token is in some way invalid. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Identity no authenticated");
}

// Now check that the AppID in the claimset matches
Expand All @@ -449,7 +449,7 @@ private async Task GovernmentChannelValidation_ValidateIdentityAsync(ClaimsIdent
if (audienceClaim == null)
{
// The relevant audience Claim MUST be present. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Missing aud claim");
}

// The AppId from the claim in the token must match the AppId specified by the developer.
Expand All @@ -458,7 +458,7 @@ private async Task GovernmentChannelValidation_ValidateIdentityAsync(ClaimsIdent
if (string.IsNullOrWhiteSpace(appIdFromClaim))
{
// Claim is present, but doesn't have a value. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Empty aud claim");
}

if (!await _credentialsFactory.IsValidAppIdAsync(appIdFromClaim, cancellationToken).ConfigureAwait(false))
Expand All @@ -473,13 +473,13 @@ private async Task GovernmentChannelValidation_ValidateIdentityAsync(ClaimsIdent
if (string.IsNullOrWhiteSpace(serviceUrlClaim))
{
// Claim must be present. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("Missing serviceurl claim");
}

if (!string.Equals(serviceUrlClaim, serviceUrl, StringComparison.OrdinalIgnoreCase))
{
// Claim must match. Not Authorized.
throw new UnauthorizedAccessException();
throw new UnauthorizedAccessException("serviceurl claim mismatch");
}
}
}
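Review bot: `"Identity no authenticated"` at the IsAuthenticated check in GovernmentChannelValidation_ValidateIdentityAsync is a typo and the only site in the commit that does not say `"Identity Not Authenticated"`; change it to `throw new UnauthorizedAccessException("Identity Not Authenticated");`. The test hunk pins message text for SkillValidation only, so nothing in this commit would catch the divergence. The enclosing method continues past the hunk.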
Expand Up @@ -178,13 +178,13 @@ internal static async Task ValidateIdentityAsync(ClaimsIdentity identity, ICrede
if (identity == null)
{
// No valid identity. Not Authorized.
throw new UnauthorizedAccessException("Invalid Identity");
throw new UnauthorizedAccessException("No valid Identity");
}

if (!identity.IsAuthenticated)
{
// The token is in some way invalid. Not Authorized.
throw new UnauthorizedAccessException("Token Not Authenticated");
throw new UnauthorizedAccessException("Identity Not Authenticated");
}

var versionClaim = identity.Claims.FirstOrDefault(c => c.Type == AuthenticationConstants.VersionClaim);
Expand Up @@ -88,13 +88,13 @@ public async Task IdentityValidationTests()
// Null identity
var exception = await Assert.ThrowsAsync<UnauthorizedAccessException>(
async () => await SkillValidation.ValidateIdentityAsync(null, mockCredentials.Object));
Assert.Equal("Invalid Identity", exception.Message);
Assert.Equal("No valid Identity", exception.Message);

// not authenticated identity
mockIdentity.Setup(x => x.IsAuthenticated).Returns(false);
exception = await Assert.ThrowsAsync<UnauthorizedAccessException>(
async () => await SkillValidation.ValidateIdentityAsync(mockIdentity.Object, mockCredentials.Object));
Assert.Equal("Token Not Authenticated", exception.Message);
Assert.Equal("Identity Not Authenticated", exception.Message);

// No version claims
mockIdentity.Setup(x => x.IsAuthenticated).Returns(true);
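Review bot: The updated assertions pin exact message text only for SkillValidation.ValidateIdentityAsync; the messages introduced in the channel, emulator, government and ASE validators in this commit are not asserted anywhere on this page, so wording drift between those sites goes untested. Consider repeating the same two-step check (null identity, then `IsAuthenticated` false) for at least one other validator, or asserting against a shared constant instead of a repeated literal so the test and the thrown text cannot diverge. IdentityValidationTests continues past the hunk.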
