microsoft · stevengum · Sep 27, 2021 · Sep 2, 2021 · Sep 2, 2021 · Sep 3, 2021
diff --git a/libraries/botbuilder-core/package.json b/libraries/botbuilder-core/package.json
@@ -27,6 +27,7 @@
     }
   },
   "dependencies": {
+    "@azure/ms-rest-js": "1.9.1",
     "botbuilder-dialogs-adaptive-runtime-core": "4.1.6",
     "botbuilder-stdlib": "4.1.6",
     "botframework-connector": "4.1.6",

@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 import * as z from 'zod';
+import assert from 'assert';
 import { Configuration } from 'botbuilder-dialogs-adaptive-runtime-core';
 import {
     ManagedIdentityServiceClientCredentialsFactory,
@@ -82,35 +83,19 @@ export class ConfigurationServiceClientCredentialFactory extends PasswordService
 
         switch (appType) {
             case MicrosoftAppTypes.UserAssignedMsi:
-                if (!MicrosoftAppId || MicrosoftAppId.trim() === '') {
-                    throw new Error('MicrosoftAppId is required for MSI in configuration.');
-                }
-
-                if (!MicrosoftAppTenantId || MicrosoftAppTenantId.trim() === '') {
-                    throw new Error('MicrosoftAppTenantId is required for MSI in configuration.');
-                }
-
-                if (MicrosoftAppPassword && MicrosoftAppPassword.trim() !== '') {
-                    throw new Error('MicrosoftAppPassword must not be set for MSI in configuration.');
-                }
+                assert(MicrosoftAppId?.trim(), 'MicrosoftAppId is required for MSI in configuration.');
+                assert(MicrosoftAppTenantId?.trim(), 'MicrosoftAppTenantId is required for MSI in configuration.');
+                assert(!MicrosoftAppPassword?.trim(), 'MicrosoftAppPassword must not be set for MSI in configuration.');
 
                 this.inner = new ManagedIdentityServiceClientCredentialsFactory(
                     MicrosoftAppId,
                     new JwtTokenProviderFactory()
                 );
                 break;
             case MicrosoftAppTypes.SingleTenant:
-                if (!MicrosoftAppId || MicrosoftAppId.trim() === '') {
-                    throw new Error('MicrosoftAppId is required for SingleTenant in configuration.');
-                }
-
-                if (!MicrosoftAppTenantId || MicrosoftAppTenantId.trim() === '') {
-                    throw new Error('MicrosoftAppTenantId is required for SingleTenant in configuration.');
-                }
-
-                if (!MicrosoftAppPassword || MicrosoftAppPassword.trim() === '') {
-                    throw new Error('MicrosoftAppPassword is required for SingleTenant in configuration.');
-                }
+                assert(MicrosoftAppId?.trim(), 'MicrosoftAppId is required for SingleTenant in configuration.');
+                assert(MicrosoftAppPassword?.trim(), 'MicrosoftAppPassword is required for SingleTenant in configuration.');
+                assert(MicrosoftAppTenantId?.trim(), 'MicrosoftAppTenantId is required for SingleTenant in configuration.');
 
                 this.inner = new PasswordServiceClientCredentialFactory(
                     MicrosoftAppId,

@@ -55,7 +55,7 @@
     "build:browserify:run": "browserify -s BFC --debug lib/browser.js | exorcist lib/browser.js.map | sponge lib/browser.js",
     "build:downlevel-dts": "downlevel-dts lib _ts3.4/lib --checksum",
     "clean": "rimraf _ts3.4 lib tsconfig.tsbuildinfo",
-    "depcheck": "depcheck --config ../../.depcheckrc --ignores azure",
+    "depcheck": "depcheck --config ../../.depcheckrc --ignores azure,sinon",
     "lint": "eslint . --ext .js,.ts",
     "postbuild": "npm-run-all -p build:browserify build:downlevel-dts",
     "test": "yarn build && yarn test:mocha",

@@ -13,11 +13,6 @@ import { Claim } from './claimsIdentity';
  */
 export type ValidateClaims = (claims: Claim[]) => Promise<void>;
 
-/**
- * Used to contain a collection of valid JWT token issuers.
- */
-export type ValidTokenIssuers = string[];
-
 /**
  * General configuration settings for authentication.
  */

@@ -8,6 +8,7 @@
 
 import { DefaultAzureCredential } from '@azure/identity';
 import { JwtTokenProviderFactoryInterface } from './jwtTokenProviderFactoryInterface';
+import * as assert from 'assert';
 
 /**
  * @inheritdoc
@@ -17,9 +18,7 @@ export class JwtTokenProviderFactory implements JwtTokenProviderFactoryInterface
      * @inheritdoc
      */
     createAzureServiceTokenProvider(appId: string): DefaultAzureCredential {
-        if (!appId || appId.trim() === '') {
-            throw new Error('jwtTokenProviderFactory.createAzureServiceTokenProvider(): missing appid.');
-        }
+        assert(appId?.trim(), 'jwtTokenProviderFactory.createAzureServiceTokenProvider(): missing appid.');
 
         return new DefaultAzureCredential({ managedIdentityClientId: appId });
     }

@@ -10,6 +10,7 @@ import { TokenResponse } from 'adal-node';
 import { AppCredentials } from './appCredentials';
 import { JwtTokenProviderFactoryInterface } from './jwtTokenProviderFactoryInterface';
 import { ManagedIdentityAuthenticator } from './managedIdentityAuthenticator';
+import * as assert from 'assert';
 
 /**
  * Managed Service Identity auth implementation.
@@ -28,13 +29,8 @@ export class ManagedIdentityAppCredentials extends AppCredentials {
     constructor(appId: string, oAuthScope: string, tokenProviderFactory: JwtTokenProviderFactoryInterface) {
         super(appId, null, oAuthScope);
 
-        if (!appId || appId.trim() === '') {
-            throw new Error('ManagedIdentityAppCredentials.constructor(): missing appid.');
-        }
-
-        if (!tokenProviderFactory) {
-            throw new Error('ManagedIdentityAppCredentials.constructor(): missing tokenProviderFactory.');
-        }
+        assert(appId?.trim(), 'ManagedIdentityAppCredentials.constructor(): missing appid.');
+        assert(tokenProviderFactory, 'ManagedIdentityAppCredentials.constructor(): missing tokenProviderFactory.');
 
         this.tokenProviderFactory = tokenProviderFactory;
         super.appId = appId;
@@ -44,13 +40,11 @@ export class ManagedIdentityAppCredentials extends AppCredentials {
      * @inheritdoc
      */
     protected async refreshToken(): Promise<TokenResponse> {
-        if (!this.authenticator) {
-            this.authenticator = new ManagedIdentityAuthenticator(
-                this.appId,
-                this.oAuthScope,
-                this.tokenProviderFactory
-            );
-        }
+        this.authenticator ??= new ManagedIdentityAuthenticator(
+            this.appId,
+            this.oAuthScope,
+            this.tokenProviderFactory
+        );
 
         const token = await this.authenticator.getToken();
         return {

@@ -7,8 +7,9 @@
  */
 
 import { AccessToken, DefaultAzureCredential } from '@azure/identity';
-import { retry } from '../../../botbuilder-stdlib/lib';
+import { retry } from 'botbuilder-stdlib';
 import { JwtTokenProviderFactoryInterface } from './jwtTokenProviderFactoryInterface';
+import * as assert from 'assert';
 
 /**
  * Abstraction to acquire tokens from a Managed Service Identity.
@@ -25,17 +26,9 @@ export class ManagedIdentityAuthenticator {
      * @param tokenProviderFactory The JWT token provider factory to use.
      */
     constructor(appId: string, resource: string, tokenProviderFactory: JwtTokenProviderFactoryInterface) {
-        if (!appId || appId.trim() === '') {
-            throw new Error('ManagedIdentityAuthenticator.constructor(): missing appid.');
-        }
-
-        if (!resource || resource.trim() === '') {
-            throw new Error('ManagedIdentityAuthenticator.constructor(): missing resource.');
-        }
-
-        if (!tokenProviderFactory) {
-            throw new Error('ManagedIdentityAuthenticator.constructor(): missing tokenProviderFactory.');
-        }
+        assert(appId?.trim(), 'ManagedIdentityAuthenticator.constructor(): missing appid.');
+        assert(resource?.trim(), 'ManagedIdentityAuthenticator.constructor(): missing resource.');
+        assert(tokenProviderFactory, 'ManagedIdentityAuthenticator.constructor(): missing tokenProviderFactory.');
 
         this.resource = resource;
         this.tokenProvider = tokenProviderFactory.createAzureServiceTokenProvider(appId);

@@ -59,7 +59,7 @@ export class ManagedIdentityServiceClientCredentialsFactory extends ServiceClien
      * @inheritdoc
      */
     public async createCredentials(appId: string, audience: string): Promise<ServiceClientCredentials> {
-        if (appId != this.appId) {
+        if (!await this.isValidAppId(appId)) {
             throw new Error('ManagedIdentityServiceClientCredentialsFactory.createCredentials(): Invalid Managed ID.');
         }
 

@@ -229,9 +229,10 @@ export class ParameterizedBotFrameworkAuthentication extends BotFrameworkAuthent
     ): Promise<ClaimsIdentity> {
         // Add allowed token issuers from configuration (if present)
         if (this.authConfiguration.validTokenIssuers?.length > 0) {
-            const validIssuers = Array.from(ToBotFromBotOrEmulatorTokenValidationParameters.issuer);
-            validIssuers.push(...this.authConfiguration.validTokenIssuers);
-            ToBotFromBotOrEmulatorTokenValidationParameters.issuer = validIssuers;
+            ToBotFromBotOrEmulatorTokenValidationParameters.issuer = [
+                ...ToBotFromBotOrEmulatorTokenValidationParameters.issuer,
+                ...this.authConfiguration.validTokenIssuers
+            ]
         }
 
         const tokenExtractor = new JwtTokenExtractor(

@@ -68,45 +68,22 @@ export class PasswordServiceClientCredentialFactory implements ServiceClientCred
         }
 
         let credentials: MicrosoftAppCredentials;
-        let normalizedEndpoint = loginEndpoint?.toLowerCase();
+        const normalizedEndpoint = loginEndpoint?.toLowerCase();
+
         if (normalizedEndpoint?.startsWith(AuthenticationConstants.ToChannelFromBotLoginUrlPrefix)) {
-            // TODO: Unpack necessity of these empty credentials based on the loginEndpoint as no tokens are fetched when auth is disabled.
-            credentials =
-                appId == null
-                    ? MicrosoftAppCredentials.Empty
-                    : new MicrosoftAppCredentials(appId, this.password, this.tenantId, audience);
+            credentials = new MicrosoftAppCredentials(appId, this.password, this.tenantId, audience);
         } else if (normalizedEndpoint === GovernmentConstants.ToChannelFromBotLoginUrl.toLowerCase()) {
-            credentials =
-                appId == null
-                    ? new MicrosoftAppCredentials(
-                          undefined,
-                          undefined,
-                          undefined,
-                          GovernmentConstants.ToChannelFromBotOAuthScope
-                      )
-                    : new MicrosoftAppCredentials(appId, this.password, this.tenantId, audience);
-            normalizedEndpoint = loginEndpoint;
+            credentials = new MicrosoftAppCredentials(appId, this.password, this.tenantId, audience);
         } else {
-            credentials =
-                appId == null
-                    ? new PrivateCloudAppCredentials(
-                          undefined,
-                          undefined,
-                          undefined,
-                          undefined,
-                          normalizedEndpoint,
-                          validateAuthority
-                      )
-                    : new PrivateCloudAppCredentials(
-                          appId,
-                          this.password,
-                          this.tenantId,
-                          audience,
-                          normalizedEndpoint,
-                          validateAuthority
-                      );
+            credentials = new PrivateCloudAppCredentials(
+                appId,
+                this.password,
+                this.tenantId,
+                audience,
+                normalizedEndpoint,
+                validateAuthority
+            );
         }
-        credentials.oAuthEndpoint = normalizedEndpoint;
         return credentials;
     }
 }