Update values for build (#2118)
* Update Roslyn analyzers and TSA upload values for build

* Apply HttpVerb attributes to methods

* Add attributes for antiforgery token validation
westin-m authored Mar 21, 2023
1 parent 28fd15c commit 5c38def
Showing 8 changed files with 56 additions and 21 deletions.
8 changes: 6 additions & 2 deletions build/template-postbuild-code-analysis.yaml
Expand Up @@ -2,11 +2,15 @@
# Run post-build code analysis (e.g. Roslyn analyzers)

steps:
- task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@2
- task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@3
displayName: 'Run Roslyn Analyzers'
inputs:
userProvideBuildInfo: auto
env:
system_accesstoken: $(System.AccessToken)
continueOnError: true

- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@1
- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
displayName: 'Check Roslyn Results '
inputs:
RoslynAnalyzers: true
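Review bot: The new `env:` block hands the job's `$(System.AccessToken)` to the RoslynAnalyzers@3 step without saying why, and that token carries whatever authorization scope the job has. A one-line comment would help the next maintainer, e.g. `# Token lets RoslynAnalyzers@3 read build info from the pipeline (userProvideBuildInfo: auto)`, and the pipeline's "limit job authorization scope" settings should be confirmed on so the step cannot reach other repositories or projects. `continueOnError: true` on this step means a crash of the analyzer surfaces only through the 'Check Roslyn Results' step; if PostAnalysis@2 passes vacuously when no results file is produced (I cannot tell from here), the gate is weaker than it looks.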
19 changes: 3 additions & 16 deletions build/template-publish-analysis-and-cleanup.yaml
Expand Up @@ -6,24 +6,11 @@ steps:
- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
displayName: 'Publish Security Analysis Logs'

- task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@1
- task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@2
displayName: 'TSA upload to Codebase: Microsoft Identity Web .NET Stamp: Azure'
inputs:
tsaVersion: TsaV2
codebase: NewOrUpdate
codeBaseName: 'Microsoft Identity Web'
notificationAlias: 'IdentityDevExDotnet@microsoft.com'
codeBaseAdmins: 'EUROPE\\aadidagt'
instanceUrlForTsaV2: IDENTITYDIVISION
projectNameIDENTITYDIVISION: IDDP
areaPath: 'IDDP\DevEx-Client-SDK\DotNet'
iterationPath: 'IDDP\Unscheduled'
uploadAPIScan: false
uploadFortifySCA: false
uploadFxCop: false
uploadModernCop: false
uploadPREfast: false
uploadTSLint: false
GdnPublishTsaOnboard: false
GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)/build/tsaConfig.json'
continueOnError: true

- task: mspremier.PostBuildCleanup.PostBuildCleanup-task.PostBuildCleanup@3
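Review bot: The TSAUpload@2 step now takes its metadata from `build/tsaConfig.json`, but the task's `displayName` still says 'Codebase: Microsoft Identity Web' while the new config file names the codebase 'Unified .NET Core'; if the rename is intentional the label should follow it, e.g. `displayName: 'TSA upload (config: build/tsaConfig.json)'`. `continueOnError: true` is kept on the upload, so a bad config path or an unrecognized tool name would appear as a warning rather than fail the pipeline, which is worth a one-off check of the task log after this merges.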
4 changes: 2 additions & 2 deletions build/template-sign-binary.yaml
Expand Up @@ -70,7 +70,7 @@ steps:
AnalyzeVerbose: true
AnalyzeHashes: true

- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@1
- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
displayName: 'Check BinSkim Results'
inputs:
BinSkim: true
GdnBreakGdnToolBinSkim: true
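--- /dev/null
+++ b/build/tsaConfig.json
@@ -0,0 +1,19 @@
+{
+"codebaseName": "Unified .NET Core",
+"notificationAliases": [
+"idauthsdkmsidweb@microsoft.com"
+],
+"codebaseAdmins": [
+"EUROPE\\aadidagt"
+],
+"instanceUrl": "https://identitydivision.visualstudio.com",
+"projectName": "IDDP",
+"areaPath": "IDDP\\DevEx-Client-SDK\\DotNet",
+"iterationPath": "IDDP\\Unscheduled",
+"tools": [
+"binskim",
+"credscan",
+"policheck",
+"rosalynnanalyzers"
+]
+}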
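Review bot: `"rosalynnanalyzers"` in `tools` looks like a misspelling of the Roslyn analyzers tool identifier; if TSAUpload@2 does not recognize the name, Roslyn findings would most likely be dropped from the upload silently (the task runs with `continueOnError: true`), so verify it against the identifiers the task accepts. `"codebaseName": "Unified .NET Core"` also differs from the 'Microsoft Identity Web' codebase the removed task-level inputs used, and the notification alias changed from IdentityDevExDotnet to idauthsdkmsidweb; confirm both are intended so findings are filed against the right codebase and reach the right owners. JSON has no comment syntax, so a short note in the pipeline template or README pointing at the onboarding source for these values would help the next maintainer.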
Expand Up @@ -3,6 +3,7 @@

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Routing;
using Microsoft.Identity.Web;
using System.Diagnostics;
using WebApp_OpenIDConnect_DotNet.Models;
Expand All @@ -19,16 +20,21 @@ public HomeController(ITokenAcquisition tokenAcquisition)
_tokenAcquisition = tokenAcquisition;
}

[HttpPut]
[ValidateAntiForgeryToken]
public IActionResult Index()
{
return View();
}


[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
[ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
public IActionResult Error()
{
return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
}
}
}
}
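Review bot: `[HttpPut]` on `Index()` makes the home page unreachable by a normal browser navigation, which is a GET, and the added `[ValidateAntiForgeryToken]` would reject even a PUT because no view issues a token for it. `Error()` has the same problem: it is reached by exception/status-code re-execution of whatever request failed (the middleware setup is outside this diff), which is not a POST carrying an antiforgery token, so the error page itself would fail to render. Replace the two attributes on `Index` with `[HttpGet]`, and drop `[HttpPost]` and `[ValidateAntiForgeryToken]` from `Error` so it can serve both re-executed GETs and POSTs. Antiforgery validation belongs on state-changing POST actions, not on actions that only return a view; the new `using Microsoft.AspNetCore.Mvc.Routing;` also appears unused since the verb attributes live in `Microsoft.AspNetCore.Mvc`.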
Expand Up @@ -31,6 +31,7 @@ public TodoListController(IDownstreamApi downstreamWebApi, ITokenAcquisition tok

// GET: TodoList
//[AuthorizeForScopes(ScopeKeySection = "TodoList:TodoListScope")]
[HttpGet]
[AuthorizeForScopes(
ScopeKeySection = "TodoList:Scopes", UserFlow = Susi)] // Must be the same user flow as used in `GetAccessTokenForUserAsync()`
public async Task<ActionResult> Index()
Expand All @@ -40,6 +41,7 @@ public async Task<ActionResult> Index()
return View(value);
}

[HttpGet]
[AuthorizeForScopes(Scopes = new string[] { Scope }, UserFlow = Susi)] // Must be the same user flow as used in `GetAccessTokenForUserAsync()`
public async Task<ActionResult> ClaimsSusi()
{
Expand All @@ -50,6 +52,7 @@ await _tokenAcquisition.GetAccessTokenForUserAsync(
return View(Claims, null);
}

[HttpGet]
[AuthorizeForScopes(Scopes = new string[] { Scope }, UserFlow = EditProfile)] // Must be the same user flow as used in `GetAccessTokenForUserAsync()`
public async Task<ActionResult> ClaimsEditProfile()
{
Expand All @@ -62,6 +65,7 @@ await _tokenAcquisition.GetAccessTokenForUserAsync(


// GET: TodoList/Details/5
[HttpGet]
public async Task<ActionResult> Details(int id)
{
var value = await _downstreamApi.GetForUserAsync<Todo>(
Expand All @@ -71,6 +75,7 @@ public async Task<ActionResult> Details(int id)
}

// GET: TodoList/Create
[HttpGet]
public ActionResult Create()
{
Todo todo = new Todo() { Owner = HttpContext.User.Identity.Name };
Expand All @@ -87,6 +92,7 @@ public async Task<ActionResult> Create([Bind("Title,Owner")] Todo todo)
}

// GET: TodoList/Edit/5
[HttpGet]
public async Task<ActionResult> Edit(int id)
{
Todo todo = await _downstreamApi.GetForUserAsync<Todo>(
Expand Down Expand Up @@ -117,6 +123,7 @@ await _downstreamApi.PatchForUserAsync<Todo, Todo>(
}

// GET: TodoList/Delete/5
[HttpGet]
public async Task<ActionResult> Delete(int id)
{
Todo todo = await _downstreamApi.GetForUserAsync<Todo>(
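Review bot: The `[HttpGet]` attributes are fine, but the commit's antiforgery goal is only half visible here: the state-changing counterparts — `Create([Bind("Title,Owner")] Todo todo)` in the hunk header, the `PatchForUserAsync` path of Edit, and whatever action confirms Delete — lie outside the shown hunks, so I cannot confirm they carry `[HttpPost]` and `[ValidateAntiForgeryToken]`; please check. Separately, `[Bind("Title,Owner")]` lets the client set `Owner` on create even though the GET form seeds it with `HttpContext.User.Identity.Name`; unless the downstream API overrides the owner from the caller's token, binding `Title` only would be safer. Both points concern code outside the hunk.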
Expand Up @@ -30,18 +30,23 @@ public HomeController(
_downstreamApi = downstreamApi;
}

[HttpPut]
[ValidateAntiForgeryToken]
public IActionResult Index()
{
return View();
}

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
[ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
public IActionResult Error()
{
return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
}

[HttpGet]
[AuthorizeForScopes(ScopeKeySection = "SayHello:Scopes")]
public async Task<ActionResult> SayHello()
{
Expand All @@ -59,6 +64,7 @@ public async Task<ActionResult> SayHello()
return View();
}

[HttpGet]
[AuthorizeForScopes(ScopeKeySection = "AzureFunction:Scopes")]
public async Task<ActionResult> CallAzureFunction()
{
Expand Up @@ -25,6 +25,7 @@ public TodoListController(IDownstreamApi downstreamApi)
}

// GET: api/todolist
[HttpGet]
public async Task<ActionResult> Index()
{
var value = await _downstreamApi.GetForUserAsync<IEnumerable<Todo>>(
Expand All @@ -35,6 +36,7 @@ public async Task<ActionResult> Index()
}

// GET: api/todolist/5
[HttpGet]
public async Task<ActionResult> Details(int id)
{
var value = await _downstreamApi.GetForUserAsync<Todo>(
Expand All @@ -44,6 +46,8 @@ public async Task<ActionResult> Details(int id)
}

// Create and present to the user (no service call)
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Create()
{
Todo todo = new Todo() { Owner = HttpContext.User.Identity.Name };
Expand All @@ -64,6 +68,7 @@ await _downstreamApi.PostForUserAsync<Todo, Todo>(

// Get the content of the TODO of ID id to present it to the user for edition
// GET: api/todolist/5
[HttpGet]
public async Task<ActionResult> Edit(int id)
{
Todo todo = await _downstreamApi.GetForUserAsync<Todo>(
Expand Down Expand Up @@ -92,6 +97,7 @@ await _downstreamApi.PatchForUserAsync<Todo, Todo>(
}

// Get the content of the TODO of ID to present it to the user for deletion
[HttpGet]
public async Task<ActionResult> Delete(int id)
{
Todo todo = await _downstreamApi.GetForUserAsync<Todo>(
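Review bot: `[HttpPost]` on the parameterless `Create()` (under "Create and present to the user (no service call)") conflicts with the `Create(...)` overload whose `PostForUserAsync` body appears in the next hunk header: two actions named Create both constrained to POST is an ambiguous match at request time, and the form page can no longer be reached by GET. The sibling TodoListController in this same commit marks the equivalent action `[HttpGet]`. Replace the two attributes with `[HttpGet]`; `[ValidateAntiForgeryToken]` belongs on the POST overload, which is outside the hunk so I cannot confirm it carries one.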
