Ssathe/fix casting for xml attr type (#3217)

* Tried a fix in XMLSignatureConsant.cs so that we dont get type instead of Type.

* Identified places to change and created app context switches

* Added default switch value

* Updated the test Signature Values to be returned as per the switch value

* Reverted the changes made to XMLSignatureConstants and PublicApis

* Updated the tests to consider the switch value now

* Added new test case to test Signature with capitalized Type

* Reverted changes made to type in RoleDescriptorTemplate

* NIT repairs as per the comments

Author: saurabhsathe-ms

src/Microsoft.IdentityModel.Tokens/AppContextSwitches.cs

@@ -91,6 +91,13 @@ internal static class AppContextSwitches
         private static bool? _doNotScrubExceptions;
         internal static bool DoNotScrubExceptions => _doNotScrubExceptions ??= (AppContext.TryGetSwitch(DoNotScrubExceptionsSwitch, out bool doNotScrubExceptions) && doNotScrubExceptions);
 
+        /// <summary>
+        /// When enabled, the XML type attribute will be capitalized (XML) for saml configurations.
+        /// </summary>
+        internal const string UseCapitalizedXMLTypeAttrSwitch = "Switch.Microsoft.IdentityModel.UseCapitalizedXMLTypeAttr";
+        private static bool? _useCapitalizedXMLTypeAttr;
+        internal static bool UseCapitalizedXMLTypeAttr => _useCapitalizedXMLTypeAttr ??= (AppContext.TryGetSwitch(UseCapitalizedXMLTypeAttrSwitch, out bool useCapitalizedXMLTypeAttr) && useCapitalizedXMLTypeAttr);
+
         /// <summary>
         /// Used for testing to reset all switches to its default value.
         /// </summary>
@@ -113,6 +120,9 @@ internal static void ResetAllSwitches()
 
             _doNotScrubExceptions = null;
             AppContext.SetSwitch(DoNotScrubExceptionsSwitch, false);
+
+            _useCapitalizedXMLTypeAttr = null;
+            AppContext.SetSwitch(UseCapitalizedXMLTypeAttrSwitch, false);
         }
     }
 }

src/Microsoft.IdentityModel.Tokens/InternalAPI.Unshipped.txt

@@ -0,0 +1,2 @@
+const Microsoft.IdentityModel.Tokens.AppContextSwitches.UseCapitalizedXMLTypeAttrSwitch = "Switch.Microsoft.IdentityModel.UseCapitalizedXMLTypeAttr" -> string
+static Microsoft.IdentityModel.Tokens.AppContextSwitches.UseCapitalizedXMLTypeAttr.get -> bool

src/Microsoft.IdentityModel.Xml/PublicAPI.Shipped.txt

@@ -8,7 +8,6 @@ const Microsoft.IdentityModel.Xml.XmlSignatureConstants.Attributes.Id = "Id" ->
 const Microsoft.IdentityModel.Xml.XmlSignatureConstants.Attributes.NcName = "NCName" -> string
 const Microsoft.IdentityModel.Xml.XmlSignatureConstants.Attributes.Nil = "nil" -> string
 const Microsoft.IdentityModel.Xml.XmlSignatureConstants.Attributes.PrefixList = "PrefixList" -> string
-const Microsoft.IdentityModel.Xml.XmlSignatureConstants.Attributes.Type = "type" -> string
 const Microsoft.IdentityModel.Xml.XmlSignatureConstants.Attributes.URI = "URI" -> string
 const Microsoft.IdentityModel.Xml.XmlSignatureConstants.Elements.CanonicalizationMethod = "CanonicalizationMethod" -> string
 const Microsoft.IdentityModel.Xml.XmlSignatureConstants.Elements.DigestMethod = "DigestMethod" -> string

src/Microsoft.IdentityModel.Xml/PublicAPI.Unshipped.txt

@@ -0,0 +1 @@
+static Microsoft.IdentityModel.Xml.XmlSignatureConstants.Attributes.Type.get -> string

src/Microsoft.IdentityModel.Xml/XmlSignatureConstants.cs

@@ -1,6 +1,8 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using Microsoft.IdentityModel.Tokens;
+
 namespace Microsoft.IdentityModel.Xml
 {
     /// <summary>
@@ -31,7 +33,11 @@ public static class Attributes
             public const string NcName = "NCName";
             public const string Nil = "nil";
             public const string PrefixList = "PrefixList";
-            public const string Type = "type";
+            // Change the non-constant field `Type` to a property to resolve CA2211 diagnostic.
+            public static string Type
+            {
+                get => AppContextSwitches.UseCapitalizedXMLTypeAttr ? "Type" : "type";
+            }
             public const string URI = "URI";
         }
 

test/Microsoft.IdentityModel.TestUtils/Default.cs

@@ -1021,7 +1021,7 @@ public static Signature Signature
                 {
                     KeyInfo = KeyInfo,
                     SignedInfo = SignedInfo,
-                    SignatureValue = "kzGIa0ZwE1Y7CYZ3hZHdFLGEQ6LvTdoKYSr+jClEdoL8l0bRf0Mkp7zsp0uCPyoZHKVBatU7otEmbciu9FWNMSXmpiDj9eSL/eNqpJ0sRkaNPyM3AqR2zy7TG2481K4SWZfo5EahrSat0glEUC6i3sxojjLb8DRq8ETYO1JsNhLOHQjKWlBEBZ04rAcz/kWXt0N1CQne4+GozQtiaMDvN/PXeqwiEYHbS1Gr5G16wHdiFZNYylH2pW14+t5t/eIZX8c/VJNT5uM09KHeBSMEn7Uksp2qx1brKP1K9SULzke0Pgx+lIJZgVndGbviGd5UP4ufovexs4F5TkhI7Pel6A=="
+                    SignatureValue = AppContextSwitches.UseCapitalizedXMLTypeAttr ? "OaTq3jGqbPLUVROvhiqV+PneMwdu6iZgVv7vbW++wEk4tSXoqEUkY+b/M2ZzHFy0M/k33migp3s0w+Ff1vNHRI0uT8Zs1D+EdI/Oz4Pu3FwPA/UK+8qe+JTRAOhdN5H7Wv4c0p1nrWJlVlT5WWCUe2uRSpojS2+D+KC1gG/DiDqK5gWgQt/7Z0HV8ml6C0PTqXWvZcYc1u49Y3tNEPOUuSXGzSZOAfhEAMdQ6+qC+126wcbSFK5ww1aOI2K6Nk3u8sxJUXHdUXs92DKvLemcaHXw0yDNUNi/izVldy3yu6VEDEflCJkj1+yvB52U+EpvG/7IGwY66QceVbu/1FFLFA==" : "kzGIa0ZwE1Y7CYZ3hZHdFLGEQ6LvTdoKYSr+jClEdoL8l0bRf0Mkp7zsp0uCPyoZHKVBatU7otEmbciu9FWNMSXmpiDj9eSL/eNqpJ0sRkaNPyM3AqR2zy7TG2481K4SWZfo5EahrSat0glEUC6i3sxojjLb8DRq8ETYO1JsNhLOHQjKWlBEBZ04rAcz/kWXt0N1CQne4+GozQtiaMDvN/PXeqwiEYHbS1Gr5G16wHdiFZNYylH2pW14+t5t/eIZX8c/VJNT5uM09KHeBSMEn7Uksp2qx1brKP1K9SULzke0Pgx+lIJZgVndGbviGd5UP4ufovexs4F5TkhI7Pel6A=="
                 };
                 return signature;
             }
@@ -1035,7 +1035,7 @@ public static Signature SignatureReferenceWithoutPrefix
                 {
                     KeyInfo = KeyInfo,
                     SignedInfo = SignedInfoReferenceWithoutPrefix,
-                    SignatureValue = "OaTq3jGqbPLUVROvhiqV+PneMwdu6iZgVv7vbW++wEk4tSXoqEUkY+b/M2ZzHFy0M/k33migp3s0w+Ff1vNHRI0uT8Zs1D+EdI/Oz4Pu3FwPA/UK+8qe+JTRAOhdN5H7Wv4c0p1nrWJlVlT5WWCUe2uRSpojS2+D+KC1gG/DiDqK5gWgQt/7Z0HV8ml6C0PTqXWvZcYc1u49Y3tNEPOUuSXGzSZOAfhEAMdQ6+qC+126wcbSFK5ww1aOI2K6Nk3u8sxJUXHdUXs92DKvLemcaHXw0yDNUNi/izVldy3yu6VEDEflCJkj1+yvB52U+EpvG/7IGwY66QceVbu/1FFLFA=="
+                    SignatureValue = AppContextSwitches.UseCapitalizedXMLTypeAttr ? "OaTq3jGqbPLUVROvhiqV+PneMwdu6iZgVv7vbW++wEk4tSXoqEUkY+b/M2ZzHFy0M/k33migp3s0w+Ff1vNHRI0uT8Zs1D+EdI/Oz4Pu3FwPA/UK+8qe+JTRAOhdN5H7Wv4c0p1nrWJlVlT5WWCUe2uRSpojS2+D+KC1gG/DiDqK5gWgQt/7Z0HV8ml6C0PTqXWvZcYc1u49Y3tNEPOUuSXGzSZOAfhEAMdQ6+qC+126wcbSFK5ww1aOI2K6Nk3u8sxJUXHdUXs92DKvLemcaHXw0yDNUNi/izVldy3yu6VEDEflCJkj1+yvB52U+EpvG/7IGwY66QceVbu/1FFLFA==" : "kzGIa0ZwE1Y7CYZ3hZHdFLGEQ6LvTdoKYSr+jClEdoL8l0bRf0Mkp7zsp0uCPyoZHKVBatU7otEmbciu9FWNMSXmpiDj9eSL/eNqpJ0sRkaNPyM3AqR2zy7TG2481K4SWZfo5EahrSat0glEUC6i3sxojjLb8DRq8ETYO1JsNhLOHQjKWlBEBZ04rAcz/kWXt0N1CQne4+GozQtiaMDvN/PXeqwiEYHbS1Gr5G16wHdiFZNYylH2pW14+t5t/eIZX8c/VJNT5uM09KHeBSMEn7Uksp2qx1brKP1K9SULzke0Pgx+lIJZgVndGbviGd5UP4ufovexs4F5TkhI7Pel6A=="
                 };
                 return signature;
             }
@@ -1049,7 +1049,7 @@ public static Signature SignatureReferenceWithId
                 {
                     KeyInfo = KeyInfo,
                     SignedInfo = SignedInfoReferenceWithId,
-                    SignatureValue = "BOMo5aCr+YIjOq+lmPj8be8/6u8iXJFXuJskeWaYk1iNadUhhUPcSHeFv8XmOBIXV7Yrvk2WiVoBKawJh79iqRrVpJmdpHTxuukUua6iijxEEhwjYGLneleVgBzDTnk2os21WThYSEXmhi52z4Or0eq29vObOlRN3c2VlqDba8avu8jMNqZuKWsptxLDS1q0JfE8zu7Srs9y2GD7SULbWYpsl2VIO3ZCV+0/YWnBHQ09Ee1QKP18HMNr3jgrmpNj165olYKnn+Vr2YDEBSuNX1mxdw2bqAbpEeWITmmIkW2KDivxOtL2lOZEC6QnEVidWr1oyFUb+srKAlmksiy3wA=="
+                    SignatureValue = AppContextSwitches.UseCapitalizedXMLTypeAttr ? "fqbb3WVUTLu/ihWXHUYgPWO5rgnm9AuwAT8YeiWiood/z+ObWpTwxs42be4HIDac9U94hR05rfLOR+0WxmlzhJp7/fye50VHMKex5kAAp9aCMAzCvDkfNzhMUN3WOHGEFOs4tmxrR0TBV6j+KNnjyDs3AUtdzZnZB+QmOJAlZubdOzWk/D0CGSXSgMmqYgmvH/GZGQWxQtbGMFuB29VCR7moegGN/9VAo/K7Z22xmfUWNKWVHB0OUC8FI36sadVnnUvcKnUo3M3pnQwbEWYz/+rMSYYrboM4dOKEqxZCgFXKou08Pz0MtNe2VwketLbJrKSmuEJOgVnXrzPTwlVSpw==" : "BOMo5aCr+YIjOq+lmPj8be8/6u8iXJFXuJskeWaYk1iNadUhhUPcSHeFv8XmOBIXV7Yrvk2WiVoBKawJh79iqRrVpJmdpHTxuukUua6iijxEEhwjYGLneleVgBzDTnk2os21WThYSEXmhi52z4Or0eq29vObOlRN3c2VlqDba8avu8jMNqZuKWsptxLDS1q0JfE8zu7Srs9y2GD7SULbWYpsl2VIO3ZCV+0/YWnBHQ09Ee1QKP18HMNr3jgrmpNj165olYKnn+Vr2YDEBSuNX1mxdw2bqAbpEeWITmmIkW2KDivxOtL2lOZEC6QnEVidWr1oyFUb+srKAlmksiy3wA=="
                 };
                 return signature;
             }

test/Microsoft.IdentityModel.TestUtils/TestSets.cs

@@ -862,6 +862,7 @@ public static SignedInfoTestSet ReferenceDigestValueNotBase64
             {
                 var digestValue = Guid.NewGuid().ToString();
                 var reference = Default.ReferenceWithNullTokenStreamNS;
+                string typeAttr = AppContextSwitches.UseCapitalizedXMLTypeAttr ? "Type" : "type";
                 reference.DigestValue = digestValue;
                 var signedInfo = Default.SignedInfoNS;
                 signedInfo.References.Clear();
@@ -883,7 +884,8 @@ public static SignedInfoTestSet ReferenceDigestValueNotBase64
                                 SecurityAlgorithms.EnvelopedSignature,
                                 SecurityAlgorithms.ExclusiveC14n,
                                 Default.ReferenceDigestMethod,
-                                digestValue))
+                                digestValue,
+                                typeAttr))
                 };
             }
         }
@@ -974,6 +976,7 @@ public static SignedInfoTestSet UnknownReferenceTransform
                 reference.CanonicalizingTransfrom = new ExclusiveCanonicalizationTransform();
                 signedInfo.References.Clear();
                 signedInfo.References.Add(reference);
+                string typeAttr = AppContextSwitches.UseCapitalizedXMLTypeAttr ? "Type" : "type";
                 return new SignedInfoTestSet
                 {
                     SignedInfo = signedInfo,
@@ -990,7 +993,8 @@ public static SignedInfoTestSet UnknownReferenceTransform
                                 unknownTransform,
                                 SecurityAlgorithms.ExclusiveC14n,
                                 SecurityAlgorithms.Sha256Digest,
-                                Default.ReferenceDigestValue))
+                                Default.ReferenceDigestValue,
+                                typeAttr))
 
                 };
             }

test/Microsoft.IdentityModel.TestUtils/XmlGenerator.cs

@@ -354,12 +354,12 @@ public static string Generate(SignedInfo signedInfo)
 
         public static string ReferenceTemplate
         {
-            get => "<{0}Reference Id=\"{1}\" type=\"{2}\" URI=\"{3}\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><Transforms><Transform Algorithm=\"{4}\" /><Transform Algorithm=\"{5}\" /></Transforms><DigestMethod Algorithm=\"{6}\" /><DigestValue>{7}</DigestValue></{0}Reference>";
+            get => "<{0}Reference Id=\"{1}\" {2}=\"{3}\" URI=\"{4}\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><Transforms><Transform Algorithm=\"{5}\" /><Transform Algorithm=\"{6}\" /></Transforms><DigestMethod Algorithm=\"{7}\" /><DigestValue>{8}</DigestValue></{0}Reference>";
         }
 
-        public static string ReferenceXml(string prefix, string id, string type, string referenceUri, string envelopingAlgorithm, string c14nAlgorithm, string digestAlgorithm, string digestValue)
+        public static string ReferenceXml(string prefix, string id, string type, string referenceUri, string envelopingAlgorithm, string c14nAlgorithm, string digestAlgorithm, string digestValue, string typeAttr = "type")
         {
-            return string.Format(ReferenceTemplate, prefix, id, type, referenceUri, envelopingAlgorithm, c14nAlgorithm, digestAlgorithm, digestValue);
+            return string.Format(ReferenceTemplate, prefix, id, typeAttr, type, referenceUri, envelopingAlgorithm, c14nAlgorithm, digestAlgorithm, digestValue);
         }
 
         // Always assumes two transforms

test/Microsoft.IdentityModel.Xml.Tests/DSigSerializerTests.cs

@@ -9,7 +9,6 @@
 using System.Xml;
 using Microsoft.IdentityModel.TestUtils;
 using Microsoft.IdentityModel.Tokens;
-using Microsoft.IdentityModel.Xml;
 using Xunit;
 
 #pragma warning disable CS3016 // Arrays as attribute arguments is not CLS-compliant
@@ -166,6 +165,27 @@ public void ReadSignature(DSigSerializerTheoryData theoryData)
             TestUtilities.AssertFailIfErrors(context);
         }
 
+        [Theory, MemberData(nameof(ReadSignatureTheoryDataTypeCapitalized), DisableDiscoveryEnumeration = true)]
+        public void ReadSignatureTypeCapitalized(DSigSerializerTheoryData theoryData)
+        {
+            var context = TestUtilities.WriteHeader($"{this}.ReadSignature", theoryData);
+            bool switchValue;
+            AppContext.TryGetSwitch("Switch.Microsoft.IdentityModel.UseCapitalizedXMLTypeAttr", out switchValue);
+            AppContext.SetSwitch("Switch.Microsoft.IdentityModel.UseCapitalizedXMLTypeAttr", true);
+            try
+            {
+                var signature = theoryData.Serializer.ReadSignature(XmlUtilities.CreateDictionaryReader(theoryData.Xml));
+                theoryData.ExpectedException.ProcessNoException(context);
+                IdentityComparer.AreEqual(signature, theoryData.Signature, context);
+            }
+            catch (Exception ex)
+            {
+                theoryData.ExpectedException.ProcessException(ex, context);
+            }
+            AppContext.SetSwitch("Switch.Microsoft.IdentityModel.UseCapitalizedXMLTypeAttr", switchValue);
+            TestUtilities.AssertFailIfErrors(context);
+        }
+
         public static TheoryData<DSigSerializerTheoryData> ReadSignatureTheoryData
         {
             get
@@ -236,6 +256,79 @@ public static TheoryData<DSigSerializerTheoryData> ReadSignatureTheoryData
             }
         }
 
+        public static TheoryData<DSigSerializerTheoryData> ReadSignatureTheoryDataTypeCapitalized
+        {
+            get
+            {
+                bool switchValue;
+                AppContext.TryGetSwitch("Switch.Microsoft.IdentityModel.UseCapitalizedXMLTypeAttr", out switchValue);
+                AppContext.SetSwitch("Switch.Microsoft.IdentityModel.UseCapitalizedXMLTypeAttr", true);
+                var signature = Default.Signature;
+                signature.SignedInfo.References[0] = Default.ReferenceWithNullTokenStream;
+
+                // uncomment to view exception displayed to user
+                // ExpectedException.DefaultVerbose = true;
+                var theoryData = new TheoryData<DSigSerializerTheoryData>
+                {
+                    new DSigSerializerTheoryData
+                    {
+                        First = true,
+                        Signature = signature,
+                        TestId = nameof(Default.Signature),
+                        Xml =  XmlGenerator.Generate(Default.Signature),
+                    }
+                };
+
+                signature = Default.SignatureReferenceWithId;
+                signature.SignedInfo.References[0] = Default.ReferenceWithNullTokenStreamAndId;
+                theoryData.Add(new DSigSerializerTheoryData
+                {
+                    Signature = signature,
+                    TestId = nameof(Default.SignatureReferenceWithId),
+                    Xml = XmlGenerator.Generate(Default.SignatureReferenceWithId),
+                });
+
+                signature = Default.Signature;
+                signature.SignedInfo.References[0] = Default.ReferenceWithNullTokenStream;
+                theoryData.Add(new DSigSerializerTheoryData
+                {
+                    Signature = signature,
+                    TestId = nameof(Default.Signature) + "ReferenceWithoutPrefix",
+                    Xml = XmlGenerator.Generate(Default.SignatureReferenceWithoutPrefix),
+                });
+
+                signature = Default.Signature;
+                signature.SignedInfo.References[0] = Default.ReferenceWithNullTokenStream;
+                signature.SignedInfo.References[0].DigestMethod = $"_{SecurityAlgorithms.Sha256Digest}";
+                theoryData.Add(new DSigSerializerTheoryData
+                {
+                    Signature = signature,
+                    TestId = "UnknownDigestAlgorithm",
+                    Xml = XmlGenerator.Generate(Default.Signature).Replace(SecurityAlgorithms.Sha256Digest, $"_{SecurityAlgorithms.Sha256Digest}")
+                });
+
+                signature = Default.Signature;
+                signature.SignedInfo.References[0] = Default.ReferenceWithNullTokenStream;
+                signature.SignedInfo.SignatureMethod = $"_{SecurityAlgorithms.RsaSha256Signature}";
+                theoryData.Add(new DSigSerializerTheoryData
+                {
+                    Signature = signature,
+                    TestId = "UnknownSignatureAlgorithm",
+                    Xml = XmlGenerator.Generate(Default.Signature).Replace(SecurityAlgorithms.RsaSha256Signature, $"_{SecurityAlgorithms.RsaSha256Signature}")
+                });
+
+                theoryData.Add(new DSigSerializerTheoryData
+                {
+                    ExpectedException = new ExpectedException(typeof(XmlReadException), "IDX30022:"),
+                    Signature = new Signature(),
+                    TestId = "EmptySignature",
+                    Xml = "<Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\"></Signature>"
+                });
+                AppContext.SetSwitch("Switch.Microsoft.IdentityModel.UseCapitalizedXMLTypeAttr", switchValue);
+                return theoryData;
+            }
+        }
+
         [Theory, MemberData(nameof(WriteSignatureTheoryData), DisableDiscoveryEnumeration = true)]
         public void WriteSignature(DSigSerializerTheoryData theoryData)
         {