fix: [#4449] CloudAdapter always builds Connector with MicrosoftAppCredentials (never CertificateAppCredentials) -- certificate auth flow broken (#4457)

sw-joelmut · web-flow · commit 60b3f98815d1 · 2023-05-05T08:39:15.000-05:00
* Add support for certificates

* Fix typos
diff --git a/libraries/botbuilder-core/src/configurationBotFrameworkAuthentication.ts b/libraries/botbuilder-core/src/configurationBotFrameworkAuthentication.ts
@@ -88,6 +88,16 @@ const TypedOptions = z
          * A value for the CallerId.
          */
         CallerId: z.string(),
+
+        /**
+         * Certificate thumbprint to authenticate the appId against AAD.
+         */
+        [AuthenticationConstants.CertificateThumbprint]: z.string(),
+
+        /**
+         * Certificate key to authenticate the appId against AAD.
+         */
+        [AuthenticationConstants.CertificatePrivateKey]: z.string(),
     })
     .partial();
 
diff --git a/libraries/botbuilder-core/src/configurationServiceClientCredentialFactory.ts b/libraries/botbuilder-core/src/configurationServiceClientCredentialFactory.ts
@@ -5,6 +5,8 @@ import * as z from 'zod';
 import { ok } from 'assert';
 import { Configuration } from 'botbuilder-dialogs-adaptive-runtime-core';
 import {
+    AuthenticationConstants,
+    CertificateServiceClientCredentialsFactory,
     JwtTokenProviderFactory,
     ManagedIdentityServiceClientCredentialsFactory,
     PasswordServiceClientCredentialFactory,
@@ -37,6 +39,16 @@ const TypedConfig = z
          * The tenant id assigned to your bot in the [Bot Framework Portal](https://dev.botframework.com/).
          */
         MicrosoftAppTenantId: z.string(),
+
+        /**
+         * Certificate thumbprint to authenticate the appId against AAD.
+         */
+        [AuthenticationConstants.CertificateThumbprint]: z.string(),
+
+        /**
+         * Certificate key to authenticate the appId against AAD.
+         */
+        [AuthenticationConstants.CertificatePrivateKey]: z.string(),
     })
     .partial();
 
@@ -62,10 +74,24 @@ export class ConfigurationServiceClientCredentialFactory extends PasswordService
             MicrosoftAppPassword = null,
             MicrosoftAppType = null,
             MicrosoftAppTenantId = null,
+            [AuthenticationConstants.CertificateThumbprint]: CertificateThumbprint = null,
+            [AuthenticationConstants.CertificatePrivateKey]: CertificatePrivateKey = null,
         } = TypedConfig.nonstrict().parse(factoryOptions);
         super(MicrosoftAppId, MicrosoftAppPassword, MicrosoftAppTenantId);
 
         const appType = MicrosoftAppType?.trim() ?? MultiTenant;
+        const withCertificate = CertificateThumbprint || CertificatePrivateKey;
+
+        if (withCertificate) {
+            ok(
+                CertificateThumbprint?.trim(),
+                'CertificateThumbprint is required when using a Certificate in configuration.'
+            );
+            ok(
+                CertificatePrivateKey?.trim(),
+                'CertificatePrivateKey is required when using a Certificate in configuration.'
+            );
+        }
 
         switch (appType.toLocaleLowerCase()) {
             case UserAssignedMsi.toLocaleLowerCase():
@@ -80,18 +106,44 @@ export class ConfigurationServiceClientCredentialFactory extends PasswordService
                 break;
             case SingleTenant.toLocaleLowerCase():
                 ok(MicrosoftAppId?.trim(), 'MicrosoftAppId is required for SingleTenant in configuration.');
-                ok(MicrosoftAppPassword?.trim(), 'MicrosoftAppPassword is required for SingleTenant in configuration.');
                 ok(MicrosoftAppTenantId?.trim(), 'MicrosoftAppTenantId is required for SingleTenant in configuration.');
 
-                this.inner = new PasswordServiceClientCredentialFactory(
-                    MicrosoftAppId,
-                    MicrosoftAppPassword,
-                    MicrosoftAppTenantId
-                );
+                if (withCertificate) {
+                    this.inner = new CertificateServiceClientCredentialsFactory(
+                        MicrosoftAppId,
+                        CertificateThumbprint,
+                        CertificatePrivateKey,
+                        MicrosoftAppTenantId
+                    );
+                } else {
+                    ok(
+                        MicrosoftAppPassword?.trim(),
+                        'MicrosoftAppPassword is required for SingleTenant in configuration.'
+                    );
+
+                    this.inner = new PasswordServiceClientCredentialFactory(
+                        MicrosoftAppId,
+                        MicrosoftAppPassword,
+                        MicrosoftAppTenantId
+                    );
+                }
                 break;
             default:
                 //MultiTenant
-                this.inner = new PasswordServiceClientCredentialFactory(MicrosoftAppId, MicrosoftAppPassword, '');
+                if (withCertificate) {
+                    ok(
+                        MicrosoftAppId?.trim(),
+                        'MicrosoftAppId is required for MultiTenant when using a Certificate in configuration.'
+                    );
+
+                    this.inner = new CertificateServiceClientCredentialsFactory(
+                        MicrosoftAppId,
+                        CertificateThumbprint,
+                        CertificatePrivateKey
+                    );
+                } else {
+                    this.inner = new PasswordServiceClientCredentialFactory(MicrosoftAppId, MicrosoftAppPassword, '');
+                }
                 break;
         }
     }
diff --git a/libraries/botbuilder-core/tests/configurationServiceClientCredentialFactory.test.js b/libraries/botbuilder-core/tests/configurationServiceClientCredentialFactory.test.js
@@ -6,6 +6,7 @@ const {
     ConfigurationServiceClientCredentialFactory,
     createServiceClientCredentialFactoryFromConfiguration,
 } = require('../');
+const { CertificateAppCredentials } = require('botframework-connector');
 
 describe('ConfigurationServiceClientCredentialFactory', function () {
     class TestConfiguration {
@@ -96,6 +97,52 @@ describe('ConfigurationServiceClientCredentialFactory', function () {
         createServiceClientCredentialFactoryFromConfiguration(config);
     });
 
+    it('createServiceClientCredentialFactoryFromConfiguration() with certificate', async function () {
+        const config = new TestConfiguration({
+            CertificateThumbprint: 'CertificateThumbprint',
+            CertificatePrivateKey: 'CertificatePrivateKey',
+        });
+
+        const serviceClient = createServiceClientCredentialFactoryFromConfiguration(config);
+        const credentialClient = await serviceClient.createCredentials(TestConfiguration.DefaultConfig.MicrosoftAppId);
+        assert(credentialClient instanceof CertificateAppCredentials);
+    });
+
+    it('createServiceClientCredentialFactoryFromConfiguration() with certificate and no MicrosoftAppId', async function () {
+        const config = new TestConfiguration({
+            MicrosoftAppId: undefined,
+            CertificateThumbprint: 'CertificateThumbprint',
+            CertificatePrivateKey: 'CertificatePrivateKey',
+        });
+
+        assert.throws(() => createServiceClientCredentialFactoryFromConfiguration(config), {
+            name: 'AssertionError',
+            message: 'MicrosoftAppId is required for MultiTenant when using a Certificate in configuration.',
+        });
+    });
+
+    it('createServiceClientCredentialFactoryFromConfiguration() with certificate and no CertificatePrivateKey', async function () {
+        const config = new TestConfiguration({
+            CertificateThumbprint: 'CertificateThumbprint',
+        });
+
+        assert.throws(() => createServiceClientCredentialFactoryFromConfiguration(config), {
+            name: 'AssertionError',
+            message: 'CertificatePrivateKey is required when using a Certificate in configuration.',
+        });
+    });
+
+    it('createServiceClientCredentialFactoryFromConfiguration() with certificate and no CertificateThumbprint', async function () {
+        const config = new TestConfiguration({
+            CertificatePrivateKey: 'CertificatePrivateKey',
+        });
+
+        assert.throws(() => createServiceClientCredentialFactoryFromConfiguration(config), {
+            name: 'AssertionError',
+            message: 'CertificateThumbprint is required when using a Certificate in configuration.',
+        });
+    });
+
     it('createServiceClientCredentialFactoryFromConfiguration() with casing-string MicrosoftAppType configuration should work', function () {
         const config = new TestConfiguration({ ...SingleTenantConfig, MicrosoftAppType: 'singletenant' });
 
@@ -137,6 +184,18 @@ describe('ConfigurationServiceClientCredentialFactory', function () {
         });
     });
 
+    it('createServiceClientCredentialFactoryFromConfiguration() singleTenant with certificate', async function () {
+        const config = new TestConfiguration({
+            ...SingleTenantConfig,
+            CertificateThumbprint: 'CertificateThumbprint',
+            CertificatePrivateKey: 'CertificatePrivateKey',
+        });
+
+        const serviceClient = createServiceClientCredentialFactoryFromConfiguration(config);
+        const credentialClient = await serviceClient.createCredentials(SingleTenantConfig.MicrosoftAppId);
+        assert(credentialClient instanceof CertificateAppCredentials);
+    });
+
     it('createServiceClientCredentialFactoryFromConfiguration() manageIdentityApp with config should work', function () {
         const config = new TestConfiguration(MSIConfig);
         const bfAuth = createServiceClientCredentialFactoryFromConfiguration(config);
diff --git a/libraries/botframework-connector/src/auth/authenticationConstants.ts b/libraries/botframework-connector/src/auth/authenticationConstants.ts
@@ -181,4 +181,14 @@ export namespace AuthenticationConstants {
      * Indicates that bot identity is anonymous (no appId and password were provided).
      */
     export const AnonymousAuthType = 'anonymous';
+
+    /**
+     * Certificate thumbprint to authenticate the appId against AAD.
+     */
+    export const CertificateThumbprint = 'CertificateThumbprint';
+
+    /**
+     * Certificate key to authenticate the appId against AAD.
+     */
+    export const CertificatePrivateKey = 'CertificatePrivateKey';
 }
diff --git a/libraries/botframework-connector/src/auth/certificateServiceClientCredentialsFactory.ts b/libraries/botframework-connector/src/auth/certificateServiceClientCredentialsFactory.ts
@@ -0,0 +1,81 @@
+/**
+ * @module botframework-connector
+ */
+/**
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License.
+ */
+
+import type { ServiceClientCredentials } from '@azure/ms-rest-js';
+import { ServiceClientCredentialsFactory } from './serviceClientCredentialsFactory';
+import { ok } from 'assert';
+import { CertificateAppCredentials } from './certificateAppCredentials';
+
+/**
+ * A Certificate implementation of the [ServiceClientCredentialsFactory](xref:botframework-connector.ServiceClientCredentialsFactory) abstract class.
+ */
+export class CertificateServiceClientCredentialsFactory extends ServiceClientCredentialsFactory {
+    private readonly appId: string;
+    private readonly certificateThumbprint: string;
+    private readonly certificatePrivateKey: string;
+    private readonly tenantId: string | null;
+
+    /**
+     * Initializes a new instance of the CertificateServiceClientCredentialsFactory class.
+     *
+     * @param appId Microsoft application Id related to the certificate.
+     * @param certificateThumbprint A hex encoded thumbprint of the certificate.
+     * @param certificatePrivateKey A PEM encoded certificate private key.
+     * @param tenantId Optional. The oauth token tenant.
+     */
+    constructor(appId: string, certificateThumbprint: string, certificatePrivateKey: string, tenantId?: string) {
+        super();
+        ok(appId?.trim(), 'CertificateServiceClientCredentialsFactory.constructor(): missing appId.');
+        ok(
+            certificateThumbprint?.trim(),
+            'CertificateServiceClientCredentialsFactory.constructor(): missing certificateThumbprint.'
+        );
+        ok(
+            certificatePrivateKey?.trim(),
+            'CertificateServiceClientCredentialsFactory.constructor(): missing certificatePrivateKey.'
+        );
+
+        this.appId = appId;
+        this.certificateThumbprint = certificateThumbprint;
+        this.certificatePrivateKey = certificatePrivateKey;
+        this.tenantId = tenantId;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    async isValidAppId(appId: string): Promise<boolean> {
+        return appId === this.appId;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    async isAuthenticationDisabled(): Promise<boolean> {
+        // Auth is always enabled for Certificate.
+        return;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    async createCredentials(appId: string, audience: string): Promise<ServiceClientCredentials> {
+        ok(
+            await this.isValidAppId(appId),
+            'CertificateServiceClientCredentialsFactory.createCredentials(): Invalid Managed ID.'
+        );
+
+        return new CertificateAppCredentials(
+            this.appId,
+            this.certificateThumbprint,
+            this.certificatePrivateKey,
+            this.tenantId,
+            audience
+        );
+    }
+}
diff --git a/libraries/botframework-connector/src/auth/index.ts b/libraries/botframework-connector/src/auth/index.ts
@@ -15,6 +15,7 @@ export * from './authenticateRequestResult';
 export * from './botFrameworkAuthentication';
 export * from './botFrameworkAuthenticationFactory';
 export * from './certificateAppCredentials';
+export * from './certificateServiceClientCredentialsFactory';
 export * from './channelValidation';
 export * from './claimsIdentity';
 export * from './connectorFactory';
