| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279 |
- /*
- * @copyright
- * Copyright © Microsoft Open Technologies, Inc.
- *
- * All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http: *www.apache.org/licenses/LICENSE-2.0
- *
- * THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR CONDITIONS
- * OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
- * ANY IMPLIED WARRANTIES OR CONDITIONS OF TITLE, FITNESS FOR A
- * PARTICULAR PURPOSE, MERCHANTABILITY OR NON-INFRINGEMENT.
- *
- * See the Apache License, Version 2.0 for the specific language
- * governing permissions and limitations under the License.
- */
- 'use strict';
- var request = require('request');
- var url = require('url');
- var _ = require('underscore');
- var AADConstants = require('./constants').AADConstants;
- var Logger = require('./log').Logger;
- var util = require('./util');
- /**
- * Constructs an Authority object with a specific authority URL.
- * @private
- * @constructor
- * @param {string} authorityUrl A URL that identifies a token authority.
- * @param {bool} validateAuthority Indicates whether the Authority url should be validated as an actual AAD
- * authority. The default is true.
- */
- function Authority(authorityUrl, validateAuthority) {
- this._log = null;
- this._url = url.parse(authorityUrl);
- this._validateAuthorityUrl();
- this._validated = !validateAuthority;
- this._host = null;
- this._tenant = null;
- this._parseAuthority();
- this._authorizationEndpoint = null;
- this._tokenEndpoint = null;
- this._deviceCodeEndpoint = null;
- this._isAdfsAuthority = (this._tenant.toLowerCase() === "adfs");
- }
- /**
- * The URL of the authority
- * @instance
- * @type {string}
- * @memberOf Authority
- * @name url
- */
- Object.defineProperty(Authority.prototype, 'url', {
- get: function() {
- return url.format(this._url);
- }
- });
- /**
- * The token endpoint that the authority uses as discovered by instance discovery.
- * @instance
- * @type {string}
- * @memberOf Authority
- * @name tokenEndpoint
- */
- Object.defineProperty(Authority.prototype, 'tokenEndpoint', {
- get: function() {
- return this._tokenEndpoint;
- }
- });
- Object.defineProperty(Authority.prototype, 'deviceCodeEndpoint', {
- get: function() {
- return this._deviceCodeEndpoint;
- }
- });
- /**
- * Checks the authority url to ensure that it meets basic requirements such as being over SSL. If it does not then
- * this method will throw if any of the checks fail.
- * @private
- * @throws {Error} If the authority url fails to pass any validation checks.
- */
- Authority.prototype._validateAuthorityUrl = function() {
- if (this._url.protocol !== 'https:') {
- throw new Error('The authority url must be an https endpoint.');
- }
- if (this._url.query) {
- throw new Error('The authority url must not have a query string.');
- }
- };
- /**
- * Parse the authority to get the tenant name. The rest of the
- * URL is thrown away in favor of one of the endpoints from the validation doc.
- * @private
- */
- Authority.prototype._parseAuthority = function() {
- this._host = this._url.host;
- var pathParts = this._url.pathname.split('/');
- this._tenant = pathParts[1];
- if (!this._tenant) {
- throw new Error('Could not determine tenant.');
- }
- };
- /**
- * Performs instance discovery based on a simple match against well known authorities.
- * @private
- * @return {bool} Returns true if the authority is recognized.
- */
- Authority.prototype._performStaticInstanceDiscovery = function() {
- this._log.verbose('Performing static instance discovery');
- var hostIndex = _.indexOf(AADConstants.WELL_KNOWN_AUTHORITY_HOSTS, this._url.hostname);
- var found = hostIndex > -1;
- if (found) {
- this._log.verbose('Authority validated via static instance discovery.');
- }
- return found;
- };
- Authority.prototype._createAuthorityUrl = function() {
- return 'https://' + this._url.host + '/' + encodeURIComponent(this._tenant) + AADConstants.AUTHORIZE_ENDPOINT_PATH;
- };
- /**
- * Creates an instance discovery endpoint url for the specific authority that this object represents.
- * @private
- * @param {string} authorityHost The host name of a well known authority.
- * @return {URL} The constructed endpoint url.
- */
- Authority.prototype._createInstanceDiscoveryEndpointFromTemplate = function(authorityHost) {
- var discoveryEndpoint = AADConstants.INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE;
- discoveryEndpoint = discoveryEndpoint.replace('{authorize_host}', authorityHost);
- discoveryEndpoint = discoveryEndpoint.replace('{authorize_endpoint}', encodeURIComponent(this._createAuthorityUrl()));
- return url.parse(discoveryEndpoint);
- };
- /**
- * Performs instance discovery via a network call to well known authorities.
- * @private
- * @param {Authority.InstanceDiscoveryCallback} callback The callback function. If succesful,
- * this function calls the callback with the
- * tenantDiscoveryEndpoint returned by the
- * server.
- */
- Authority.prototype._performDynamicInstanceDiscovery = function(callback) {
- try {
- var self = this;
- var discoveryEndpoint = this._createInstanceDiscoveryEndpointFromTemplate(AADConstants.WORLD_WIDE_AUTHORITY);
- var getOptions = util.createRequestOptions(self);
- this._log.verbose('Attempting instance discover');
- this._log.verbose('Attempting instance discover at: ' + url.format(discoveryEndpoint), true);
- request.get(discoveryEndpoint, getOptions, util.createRequestHandler('Instance Discovery', this._log, callback,
- function(response, body) {
- var discoveryResponse = JSON.parse(body);
- if (discoveryResponse['tenant_discovery_endpoint']) {
- callback(null, discoveryResponse['tenant_discovery_endpoint']);
- } else {
- callback(self._log.createError('Failed to parse instance discovery response'));
- }
- })
- );
- } catch(e) {
- callback(e);
- }
- };
- /**
- * @callback InstanceDiscoveryCallback
- * @private
- * @memberOf Authority
- * @param {Error} err If an error occurs during instance discovery then it will be returned here.
- * @param {string} tenantDiscoveryEndpoint If instance discovery is successful then this will contain the
- * tenantDiscoveryEndpoint associated with the authority.
- */
- /**
- * Determines whether the authority is recognized as a trusted AAD authority.
- * @private
- * @param {Authority.InstanceDiscoveryCallback} callback The callback function.
- */
- Authority.prototype._validateViaInstanceDiscovery = function(callback) {
- if (this._performStaticInstanceDiscovery()) {
- callback();
- } else {
- this._performDynamicInstanceDiscovery(callback);
- }
- };
- /**
- * @callback GetOauthEndpointsCallback
- * @private
- * @memberOf Authority
- * @param {Error} error An error if one occurred.
- */
- /**
- * Given a tenant discovery endpoint this method will attempt to discover the token endpoint. If the
- * tenant discovery endpoint is unreachable for some reason then it will fall back to a algorithmic generation of the
- * token endpoint url.
- * @private
- * @param {string} tenantDiscoveryEndpoint The url of the tenant discovery endpoint for this authority.
- * @param {Authority.GetOauthEndpointsCallback} callback The callback function.
- */
- Authority.prototype._getOAuthEndpoints = function(tenantDiscoveryEndpoint, callback) {
- if (this._tokenEndpoint && this._deviceCodeEndpoint) {
- callback();
- return;
- } else {
- // fallback to the well known token endpoint path.
- if (!this._tokenEndpoint){
- this._tokenEndpoint = url.format('https://' + this._url.host + '/' + encodeURIComponent(this._tenant)) + AADConstants.TOKEN_ENDPOINT_PATH;
- }
- if (!this._deviceCodeEndpoint){
- this._deviceCodeEndpoint = url.format('https://' + this._url.host + '/' + encodeURIComponent(this._tenant)) + AADConstants.DEVICE_ENDPOINT_PATH;
- }
- callback();
- return;
- }
- };
- /**
- * @callback ValidateCallback
- * @memberOf Authority
- */
- /**
- * Perform validation on the authority represented by this object. In addition to simple validation
- * the oauth token endpoint will be retrieved.
- * @param {Authority.ValidateCallback} callback The callback function.
- */
- Authority.prototype.validate = function(callContext, callback) {
- this._log = new Logger('Authority', callContext._logContext);
- this._callContext = callContext;
- var self = this;
- if (!this._validated) {
- this._log.verbose('Performing instance discovery');
- this._log.verbose('Performing instance discovery: ' + url.format(this._url), true);
- this._validateViaInstanceDiscovery(function(err, tenantDiscoveryEndpoint) {
- if (err)
- {
- callback(err);
- } else {
- self._validated = true;
- self._getOAuthEndpoints(tenantDiscoveryEndpoint, callback);
- return;
- }
- });
- } else {
- this._log.verbose('Instance discovery/validation has either already been completed or is turned off');
- this._log.verbose('Instance discovery/validation has either already been completed or is turned off: ' + url.format(this._url), true);
- this._getOAuthEndpoints(null, callback);
- return;
- }
- };
- module.exports.Authority = Authority;
|