Implemented remaining SkillValidation methods and tests (#972)

Author: tracyboehrer

libraries/bot-connector/pom.xml

@@ -49,6 +49,10 @@
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+    </dependency>
 
     <!-- to support ms rest consumption -->
     <dependency>

libraries/bot-connector/src/main/java/com/microsoft/bot/connector/Async.java

@@ -4,7 +4,6 @@
 package com.microsoft.bot.connector;
 
 import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.CompletionException;
 
 /**
  * Asyc and CompletableFuture helpers methods.
@@ -14,23 +13,6 @@ private Async() {
 
     }
 
-    /**
-     * Executes a block and throws a completion exception if needed.
-     *
-     * @param supplier The block to execute.
-     * @param <T> The type of the return value.
-     * @return The return value.
-     */
-    public static <T> T tryThrow(ThrowSupplier<T> supplier) {
-        try {
-            return supplier.get();
-        } catch (CompletionException ce) {
-            throw ce;
-        } catch (Throwable t) {
-            throw new CompletionException(t);
-        }
-    }
-
     /**
      * Executes a block and returns a CompletableFuture with either the return
      * value or the exception (completeExceptionally).

libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/AuthenticationConstants.java

@@ -146,6 +146,11 @@ private AuthenticationConstants() {
      */
     public static final String ANONYMOUS_SKILL_APPID = "AnonymousSkill";
 
+    /**
+     * Indicates anonymous (no app Id and password were provided).
+     */
+    public static final String ANONYMOUS_AUTH_TYPE = "anonymous";
+
     /**
      * The default clock skew in minutes.
      */

libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/ClaimsIdentity.java

@@ -13,6 +13,7 @@
  */
 public class ClaimsIdentity {
     private String issuer;
+    private String type;
     private Map<String, String> claims;
 
     private ClaimsIdentity() {
@@ -35,8 +36,20 @@ public ClaimsIdentity(String withAuthIssuer) {
      * @param withClaims     A Map of claims.
      */
     public ClaimsIdentity(String withAuthIssuer, Map<String, String> withClaims) {
-        this.issuer = withAuthIssuer;
-        this.claims = withClaims;
+        this(withAuthIssuer, null, withClaims);
+    }
+
+    /**
+     * Manually construct with issuer and claims.
+     *
+     * @param withAuthIssuer The auth issuer.
+     * @param withType The auth type.
+     * @param withClaims     A Map of claims.
+     */
+    public ClaimsIdentity(String withAuthIssuer, String withType, Map<String, String> withClaims) {
+        issuer = withAuthIssuer;
+        type = withType;
+        claims = withClaims;
     }
 
     /**
@@ -50,6 +63,7 @@ public ClaimsIdentity(DecodedJWT jwt) {
             jwt.getClaims().forEach((k, v) -> claims.put(k, v.asString()));
         }
         issuer = jwt.getIssuer();
+        type = jwt.getType();
     }
 
     /**
@@ -78,4 +92,13 @@ public Map<String, String> claims() {
     public String getIssuer() {
         return issuer;
     }
+
+    /**
+     * The type.
+     *
+     * @return The type.
+     */
+    public String getType() {
+        return type;
+    }
 }

libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/JwtTokenValidation.java

@@ -202,4 +202,34 @@ public static String getAppIdFromClaims(Map<String, String> claims) throws Illeg
 
         return appId;
     }
+
+    /**
+     * Internal helper to check if the token has the shape we expect "Bearer [big long string]".
+     *
+     * @param authHeader >A string containing the token header.
+     * @return True if the token is valid, false if not.
+     */
+    public static boolean isValidTokenFormat(String authHeader) {
+        if (StringUtils.isEmpty(authHeader)) {
+            // No token, not valid.
+            return false;
+        }
+
+        String[] parts = authHeader.split(" ");
+        if (parts.length != 2) {
+            // Tokens MUST have exactly 2 parts. If we don't have 2 parts, it's not a valid token
+            return false;
+        }
+
+        // We now have an array that should be:
+        // [0] = "Bearer"
+        // [1] = "[Big Long String]"
+        String authScheme = parts[0];
+        if (!StringUtils.equals(authScheme, "Bearer")) {
+            // The scheme MUST be "Bearer"
+            return false;
+        }
+
+        return true;
+    }
 }

libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/SkillValidation.java

@@ -3,9 +3,13 @@
 
 package com.microsoft.bot.connector.authentication;
 
+import com.auth0.jwt.JWT;
+import com.microsoft.bot.connector.Async;
 import java.time.Duration;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
+import java.util.concurrent.CompletableFuture;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -97,7 +101,104 @@ public static Boolean isSkillClaim(Map<String, String> claims) {
 
         // Skill claims must contain and app ID and the AppID must be different than the
         // audience.
-        return appId != audience.get().getValue();
+        return !StringUtils.equals(appId, audience.get().getValue());
     }
 
+    /**
+     * Determines if a given Auth header is from from a skill to bot or bot to skill request.
+     *
+     * @param authHeader Bearer Token, in the "Bearer [Long String]" Format.
+     * @return True, if the token was issued for a skill to bot communication. Otherwise, false.
+     */
+    public static boolean isSkillToken(String authHeader) {
+        if (!JwtTokenValidation.isValidTokenFormat(authHeader)) {
+            return false;
+        }
+
+        // We know is a valid token, split it and work with it:
+        // [0] = "Bearer"
+        // [1] = "[Big Long String]"
+        String bearerToken = authHeader.split(" ")[1];
+
+        // Parse token
+        ClaimsIdentity identity = new ClaimsIdentity(JWT.decode(bearerToken));
+
+        return isSkillClaim(identity.claims());
+    }
+
+    /**
+     * Helper to validate a skills ClaimsIdentity.
+     *
+     * @param identity The ClaimsIdentity to validate.
+     * @param credentials The CredentialProvider.
+     * @return Nothing if success, otherwise a CompletionException
+     */
+    public static CompletableFuture<Void> validateIdentity(
+        ClaimsIdentity identity,
+        CredentialProvider credentials
+    ) {
+        if (identity == null) {
+            // No valid identity. Not Authorized.
+            return Async.completeExceptionally(new AuthenticationException("Invalid Identity"));
+        }
+
+        if (!identity.isAuthenticated()) {
+            // The token is in some way invalid. Not Authorized.
+            return Async.completeExceptionally(new AuthenticationException("Token Not Authenticated"));
+        }
+
+        Optional<Map.Entry<String, String>> versionClaim = identity.claims().entrySet().stream()
+            .filter(item -> StringUtils.equals(AuthenticationConstants.VERSION_CLAIM, item.getKey()))
+            .findFirst();
+        if (!versionClaim.isPresent()) {
+            // No version claim
+            return Async.completeExceptionally(
+                new AuthenticationException(
+                    AuthenticationConstants.VERSION_CLAIM + " claim is required on skill Tokens."
+                )
+            );
+        }
+
+        // Look for the "aud" claim, but only if issued from the Bot Framework
+        Optional<Map.Entry<String, String>> audienceClaim = identity.claims().entrySet().stream()
+            .filter(item -> StringUtils.equals(AuthenticationConstants.AUDIENCE_CLAIM, item.getKey()))
+            .findFirst();
+        if (!audienceClaim.isPresent() || StringUtils.isEmpty(audienceClaim.get().getValue())) {
+            // Claim is not present or doesn't have a value. Not Authorized.
+            return Async.completeExceptionally(
+                new AuthenticationException(
+                    AuthenticationConstants.AUDIENCE_CLAIM + " claim is required on skill Tokens."
+                )
+            );
+        }
+
+        String appId = JwtTokenValidation.getAppIdFromClaims(identity.claims());
+        if (StringUtils.isEmpty(appId)) {
+            return Async.completeExceptionally(new AuthenticationException("Invalid appId."));
+        }
+
+        return credentials.isValidAppId(audienceClaim.get().getValue())
+            .thenApply(isValid -> {
+                if (!isValid) {
+                    throw new AuthenticationException("Invalid audience.");
+                }
+                return null;
+            });
+    }
+
+    /**
+     * Creates a ClaimsIdentity for an anonymous (unauthenticated) skill.
+     *
+     * @return A ClaimsIdentity instance with authentication type set to
+     * AuthenticationConstants.AnonymousAuthType and a reserved
+     * AuthenticationConstants.AnonymousSkillAppId claim.
+     */
+    public static ClaimsIdentity createAnonymousSkillClaim() {
+        Map<String, String> claims = new HashMap<>();
+        claims.put(AuthenticationConstants.APPID_CLAIM, AuthenticationConstants.ANONYMOUS_SKILL_APPID);
+        return new ClaimsIdentity(
+            AuthenticationConstants.ANONYMOUS_AUTH_TYPE,
+            AuthenticationConstants.ANONYMOUS_AUTH_TYPE,
+            claims);
+    }
 }

libraries/bot-connector/src/test/java/com/microsoft/bot/connector/AsyncTests.java

@@ -0,0 +1,38 @@
+package com.microsoft.bot.connector;
+
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.CompletionException;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class AsyncTests {
+    @Test()
+    public void AsyncTryCompletionShouldCompleteExceptionally() {
+        CompletableFuture<Void> result = Async.tryCompletable(() -> {
+           throw new IllegalArgumentException("test");
+        });
+
+        Assert.assertTrue(result.isCompletedExceptionally());
+    }
+
+    @Test
+    public void AsyncTryCompletionShouldComplete() {
+        CompletableFuture<Boolean> result = Async.tryCompletable(() -> CompletableFuture.completedFuture(true));
+        Assert.assertTrue(result.join());
+    }
+
+    @Test
+    public void AsyncWrapBlockShouldCompleteExceptionally() {
+        CompletableFuture<Void> result = Async.wrapBlock(() -> {
+            throw new IllegalArgumentException("test");
+        });
+
+        Assert.assertTrue(result.isCompletedExceptionally());
+    }
+
+    @Test
+    public void AsyncWrapBlockShouldComplete() {
+        CompletableFuture<Boolean> result = Async.wrapBlock(() -> true);
+        Assert.assertTrue(result.join());
+    }
+}