From 5c38def327ee28c419d396909c6a469d8517bff9 Mon Sep 17 00:00:00 2001
From: Westin Musser <127992899+westin-m@users.noreply.github.com>
Date: Tue, 21 Mar 2023 14:25:59 -0700
Subject: [PATCH] Update values for build (#2118)
* Update Roslyn analyzers and TSA upload values for build
* Apply HttpVerb attributes to methods
* Add attributes for antiforgery token validation
---
 build/template-postbuild-code-analysis.yaml | 8 ++++++--
 ...template-publish-analysis-and-cleanup.yaml | 19 +++----------------
 build/template-sign-binary.yaml | 4 ++--
 build/tsaConfig.json | 19 +++++++++++++++++++
 .../Client/Controllers/HomeController.cs | 8 +++++++-
 .../Client/Controllers/TodoListController.cs | 7 +++++++
 .../Client/Controllers/HomeController.cs | 6 ++++++
 .../Client/Controllers/TodoListController.cs | 6 ++++++
 8 files changed, 56 insertions(+), 21 deletions(-)
 create mode 100644 build/tsaConfig.json
diff --git a/build/template-postbuild-code-analysis.yaml b/build/template-postbuild-code-analysis.yaml
index 7a73d132b..0c1c424ea 100644
--- a/build/template-postbuild-code-analysis.yaml
+++ b/build/template-postbuild-code-analysis.yaml
@@ -2,11 +2,15 @@
 # Run post-build code analysis (e.g. Roslyn analyzers)
 steps:
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@2
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@3
 displayName: 'Run Roslyn Analyzers'
+ inputs:
+ userProvideBuildInfo: auto
+ env:
+ system_accesstoken: $(System.AccessToken)
 continueOnError: true
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@1
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
 displayName: 'Check Roslyn Results '
 inputs:
 RoslynAnalyzers: true
diff --git a/build/template-publish-analysis-and-cleanup.yaml b/build/template-publish-analysis-and-cleanup.yaml
index 3b880ae53..f1af176b5 100644
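Review bot: `continueOnError: true` stays on the RoslynAnalyzers@3 step, so if the analyzer step itself fails (for instance because the job does not grant `system_accesstoken`) the stage still continues to PostAnalysis@2 with no Roslyn results; confirm that PostAnalysis@2 fails the build in that case, otherwise the gate is bypassed silently. A one-line comment above the new `env:` block stating what the task uses the pipeline token for would help the next maintainer, e.g. `# RoslynAnalyzers@3 reads the pipeline token from system_accesstoken`.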
--- a/build/template-publish-analysis-and-cleanup.yaml
+++ b/build/template-publish-analysis-and-cleanup.yaml
@@ -6,24 +6,11 @@ steps:
 - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
 displayName: 'Publish Security Analysis Logs'
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@1
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@2
 displayName: 'TSA upload to Codebase: Microsoft Identity Web .NET Stamp: Azure'
 inputs:
- tsaVersion: TsaV2
- codebase: NewOrUpdate
- codeBaseName: 'Microsoft Identity Web'
- notificationAlias: 'IdentityDevExDotnet@microsoft.com'
- codeBaseAdmins: 'EUROPE\\aadidagt'
- instanceUrlForTsaV2: IDENTITYDIVISION
- projectNameIDENTITYDIVISION: IDDP
- areaPath: 'IDDP\DevEx-Client-SDK\DotNet'
- iterationPath: 'IDDP\Unscheduled'
- uploadAPIScan: false
- uploadFortifySCA: false
- uploadFxCop: false
- uploadModernCop: false
- uploadPREfast: false
- uploadTSLint: false
+ GdnPublishTsaOnboard: false
+ GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)/build/tsaConfig.json'
 continueOnError: true
 - task: mspremier.PostBuildCleanup.PostBuildCleanup-task.PostBuildCleanup@3
diff --git a/build/template-sign-binary.yaml b/build/template-sign-binary.yaml
index 42cb0e7f2..576962d41 100644
--- a/build/template-sign-binary.yaml
+++ b/build/template-sign-binary.yaml
@@ -70,7 +70,7 @@ steps:
 AnalyzeVerbose: true
 AnalyzeHashes: true
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@1
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
 displayName: 'Check BinSkim Results'
 inputs:
- BinSkim: true
+ GdnBreakGdnToolBinSkim: true
diff --git a/build/tsaConfig.json b/build/tsaConfig.json
new file mode 100644
index 000000000..75787b121
--- /dev/null
+++ b/build/tsaConfig.json
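Review bot: The TSAUpload@2 step's `displayName` still reads 'TSA upload to Codebase: Microsoft Identity Web', while the codebase is now taken from `tsaConfig.json`, whose `codebaseName` is "Unified .NET Core" and whose notification alias differs from the removed `notificationAlias`; one of the two is stale, and pipeline logs will name a codebase that does not match the upload. Note also that the removed `codeBaseAdmins: 'EUROPE\\aadidagt'` is a YAML single-quoted string, i.e. two literal backslashes, whereas the JSON `"EUROPE\\aadidagt"` decodes to one — presumably the intended value, but worth confirming that the principal resolves in TSA.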
@@ -0,0 +1,19 @@
+{
+ "codebaseName": "Unified .NET Core",
+ "notificationAliases": [
+ "idauthsdkmsidweb@microsoft.com"
+ ],
+ "codebaseAdmins": [
+ "EUROPE\\aadidagt"
+ ],
+ "instanceUrl": "https://identitydivision.visualstudio.com",
+ "projectName": "IDDP",
+ "areaPath": "IDDP\\DevEx-Client-SDK\\DotNet",
+ "iterationPath": "IDDP\\Unscheduled",
+ "tools": [
+ "binskim",
+ "credscan",
+ "policheck",
+ "rosalynnanalyzers"
+ ]
+}
\ No newline at end of file
diff --git a/tests/DevApps/B2CWebAppCallsWebApi/Client/Controllers/HomeController.cs b/tests/DevApps/B2CWebAppCallsWebApi/Client/Controllers/HomeController.cs
index 9c52a1f63..402da5274 100644
--- a/tests/DevApps/B2CWebAppCallsWebApi/Client/Controllers/HomeController.cs
+++ b/tests/DevApps/B2CWebAppCallsWebApi/Client/Controllers/HomeController.cs
@@ -3,6 +3,7 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Routing;
 using Microsoft.Identity.Web;
 using System.Diagnostics;
 using WebApp_OpenIDConnect_DotNet.Models;
@@ -19,16 +20,21 @@ public HomeController(ITokenAcquisition tokenAcquisition)
 _tokenAcquisition = tokenAcquisition;
 }
+ [HttpPut]
+ [ValidateAntiForgeryToken]
 public IActionResult Index()
 {
 return View();
 }
+
+ [HttpPost]
 [AllowAnonymous]
+ [ValidateAntiForgeryToken]
 [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
 public IActionResult Error()
 {
 return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
 }
 }
-}
\ No newline at end of file
+}
diff --git a/tests/DevApps/B2CWebAppCallsWebApi/Client/Controllers/TodoListController.cs b/tests/DevApps/B2CWebAppCallsWebApi/Client/Controllers/TodoListController.cs
index 525d34c65..5d6ff6d41 100644
--- a/tests/DevApps/B2CWebAppCallsWebApi/Client/Controllers/TodoListController.cs
+++ b/tests/DevApps/B2CWebAppCallsWebApi/Client/Controllers/TodoListController.cs
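Review bot: `"rosalynnanalyzers"` in the `tools` array looks like a misspelling of the Roslyn analyzers tool id (the step it corresponds to is `RoslynAnalyzers`, and the other entries are exact lower-case tool names); if TSA matches tool ids literally, Roslyn findings are silently left out of the upload while `binskim`, `credscan` and `policheck` still arrive. Suggest `"roslynanalyzers"` after checking the id the Guardian tooling expects. The file is also added without a trailing newline.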
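Review bot: `[HttpPut]` on `Index()` and `[HttpPost]` plus `[ValidateAntiForgeryToken]` on `Error()` break two actions that only render views: `Index()` (`return View();`) is the landing page and is no longer served on a browser GET, and `Error()` is the usual target of exception-handler re-execution, which keeps the original request's verb and carries no antiforgery token, so a failing GET page now produces a second failure instead of the error view. Antiforgery validation belongs on state-changing POST handlers, and neither action changes state. Suggest `[HttpGet]` on both and removing `[ValidateAntiForgeryToken]` from them (`[IgnoreAntiforgeryToken]` on `Error()` if an analyzer requires an explicit choice). The `@@ -30,18 +30,23 @@` hunk of tests/DevApps/WebAppCallsWebApiCallsGraph/Client/Controllers/HomeController.cs has the same defect. The `using Microsoft.AspNetCore.Mvc.Routing;` added in the first hunk appears unnecessary, since these attributes live in Microsoft.AspNetCore.Mvc.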
@@ -31,6 +31,7 @@ public TodoListController(IDownstreamApi downstreamWebApi, ITokenAcquisition tok
 // GET: TodoList
 //[AuthorizeForScopes(ScopeKeySection = "TodoList:TodoListScope")]
+ [HttpGet]
 [AuthorizeForScopes( ScopeKeySection = "TodoList:Scopes", UserFlow = Susi)] // Must be the same user flow as used in `GetAccessTokenForUserAsync()`
 public async Task Index()
@@ -40,6 +41,7 @@ public async Task Index()
 return View(value);
 }
+ [HttpGet]
 [AuthorizeForScopes(Scopes = new string[] { Scope }, UserFlow = Susi)] // Must be the same user flow as used in `GetAccessTokenForUserAsync()`
 public async Task ClaimsSusi()
 {
@@ -50,6 +52,7 @@ await _tokenAcquisition.GetAccessTokenForUserAsync(
 return View(Claims, null);
 }
+ [HttpGet]
 [AuthorizeForScopes(Scopes = new string[] { Scope }, UserFlow = EditProfile)] // Must be the same user flow as used in `GetAccessTokenForUserAsync()`
 public async Task ClaimsEditProfile()
 {
@@ -62,6 +65,7 @@ await _tokenAcquisition.GetAccessTokenForUserAsync(
 // GET: TodoList/Details/5
+ [HttpGet]
 public async Task Details(int id)
 {
 var value = await _downstreamApi.GetForUserAsync(
@@ -71,6 +75,7 @@ public async Task Details(int id)
 }
 // GET: TodoList/Create
+ [HttpGet]
 public ActionResult Create()
 {
 Todo todo = new Todo() { Owner = HttpContext.User.Identity.Name };
@@ -87,6 +92,7 @@ public async Task Create([Bind("Title,Owner")] Todo todo)
 }
 // GET: TodoList/Edit/5
+ [HttpGet]
 public async Task Edit(int id)
 {
 Todo todo = await _downstreamApi.GetForUserAsync(
@@ -117,6 +123,7 @@ await _downstreamApi.PatchForUserAsync(
 }
 // GET: TodoList/Delete/5
+ [HttpGet]
 public async Task Delete(int id)
 {
 Todo todo = await _downstreamApi.GetForUserAsync(
diff --git a/tests/DevApps/WebAppCallsWebApiCallsGraph/Client/Controllers/HomeController.cs b/tests/DevApps/WebAppCallsWebApiCallsGraph/Client/Controllers/HomeController.cs
index c9a096992..be6237bbe 100644
--- a/tests/DevApps/WebAppCallsWebApiCallsGraph/Client/Controllers/HomeController.cs
+++ b/tests/DevApps/WebAppCallsWebApiCallsGraph/Client/Controllers/HomeController.cs
@@ -30,18 +30,23 @@ public HomeController(
 _downstreamApi = downstreamApi;
 }
+ [HttpPut]
+ [ValidateAntiForgeryToken]
 public IActionResult Index()
 {
 return View();
 }
+ [HttpPost]
 [AllowAnonymous]
+ [ValidateAntiForgeryToken]
 [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
 public IActionResult Error()
 {
 return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
 }
+ [HttpGet]
 [AuthorizeForScopes(ScopeKeySection = "SayHello:Scopes")]
 public async Task SayHello()
 {
@@ -59,6 +64,7 @@ public async Task SayHello()
 return View();
 }
+ [HttpGet]
 [AuthorizeForScopes(ScopeKeySection = "AzureFunction:Scopes")]
 public async Task CallAzureFunction()
 {
diff --git a/tests/DevApps/WebAppCallsWebApiCallsGraph/Client/Controllers/TodoListController.cs b/tests/DevApps/WebAppCallsWebApiCallsGraph/Client/Controllers/TodoListController.cs
index b8416c1dd..82ff37e13 100644
--- a/tests/DevApps/WebAppCallsWebApiCallsGraph/Client/Controllers/TodoListController.cs
+++ b/tests/DevApps/WebAppCallsWebApiCallsGraph/Client/Controllers/TodoListController.cs
@@ -25,6 +25,7 @@ public TodoListController(IDownstreamApi downstreamApi)
 }
 // GET: api/todolist
+ [HttpGet]
 public async Task Index()
 {
 var value = await _downstreamApi.GetForUserAsync>(
@@ -35,6 +36,7 @@ public async Task Index()
 }
 // GET: api/todolist/5
+ [HttpGet]
 public async Task Details(int id)
 {
 var value = await _downstreamApi.GetForUserAsync(
@@ -44,6 +46,8 @@ public async Task Details(int id)
 }
 // Create and present to the user (no service call)
+ [HttpPost]
+ [ValidateAntiForgeryToken]
 public ActionResult Create()
 {
 Todo todo = new Todo() { Owner = HttpContext.User.Identity.Name };
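Review bot: `[HttpPost]` plus `[ValidateAntiForgeryToken]` on the parameterless `Create()` in the `@@ -44,6 +46,8 @@` hunk does not match what the action does: by its own comment it only builds a `Todo` for the form ("no service call"), and the `await _downstreamApi.PostForUserAsync(` context of the next hunk suggests the real POST overload follows outside this hunk. Two POST actions on the same route are ambiguous, and the form page itself is no longer reachable by GET. The sibling hunk at `@@ -71,6 +75,7 @@` in tests/DevApps/B2CWebAppCallsWebApi/Client/Controllers/TodoListController.cs marks the same action `[HttpGet]`; suggest `[HttpGet]` here too, without `[ValidateAntiForgeryToken]`.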
@@ -64,6 +68,7 @@ await _downstreamApi.PostForUserAsync(
 // Get the content of the TODO of ID id to present it to the user for edition
 // GET: api/todolist/5
+ [HttpGet]
 public async Task Edit(int id)
 {
 Todo todo = await _downstreamApi.GetForUserAsync(
@@ -92,6 +97,7 @@ await _downstreamApi.PatchForUserAsync(
 }
 // Get the content of the TODO of ID to present it to the user for deletion
+ [HttpGet]
 public async Task Delete(int id)
 {
 Todo todo = await _downstreamApi.GetForUserAsync(