Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

trust reference.serviceUrl if credentials.appId is truthy #1889

Merged
merged 3 commits into from
Mar 13, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 13 additions & 6 deletions libraries/botbuilder/src/botFrameworkAdapter.ts
Original file line number Diff line number Diff line change
Expand Up @@ -272,12 +272,19 @@ export class BotFrameworkAdapter extends BotAdapter implements ExtendedUserToken

let credentials: AppCredentials = this.credentials;

// If the provided OAuthScope doesn't match the current one on the instance's credentials, create
// a new AppCredentials with the correct OAuthScope.
if (credentials.oAuthScope !== audience) {
// The BotFrameworkAdapter JavaScript implementation supports one Bot per instance, so get
// the botAppId from the credentials.
credentials = await this.buildCredentials(this.credentials.appId, audience);
// For authenticated flows (where the bot has an AppId), the ConversationReference's serviceUrl needs
// to be trusted for the bot to acquire a token when sending activities to the conversation.
// For anonymous flows, the serviceUrl should not be trusted.
if (credentials.appId) {
AppCredentials.trustServiceUrl(reference.serviceUrl);

// If the provided OAuthScope doesn't match the current one on the instance's credentials, create
// a new AppCredentials with the correct OAuthScope.
if (credentials.oAuthScope !== audience) {
// The BotFrameworkAdapter JavaScript implementation supports one Bot per instance, so get
// the botAppId from the credentials.
credentials = await this.buildCredentials(credentials.appId, audience);
}
}

const connectorClient = this.createConnectorClientInternal(reference.serviceUrl, credentials);
Expand Down
66 changes: 50 additions & 16 deletions libraries/botbuilder/tests/botFrameworkAdapter.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -467,22 +467,6 @@ describe(`BotFrameworkAdapter`, function () {
});
});

it(`should continueConversation().`, function (done) {
let called = false;
const adapter = new AdapterUnderTest();
adapter.continueConversation(reference, (context) => {
assert(context, `context not passed.`);
assert(context.activity, `context has no request.`);
assert(context.activity.type === 'event', `request has invalid type.`);
assert(context.activity.from && context.activity.from.id === reference.user.id, `request has invalid from.id.`);
assert(context.activity.recipient && context.activity.recipient.id === reference.bot.id, `request has invalid recipient.id.`);
called = true;
}).then(() => {
assert(called, `bot logic not called.`);
done();
});
});

it(`should createConversation().`, function (done) {
let called = false;
const adapter = new AdapterUnderTest();
Expand Down Expand Up @@ -1198,6 +1182,56 @@ describe(`BotFrameworkAdapter`, function () {
});

describe('continueConversation', function() {
it(`should succeed.`, function (done) {
let called = false;
const adapter = new AdapterUnderTest();
adapter.continueConversation(reference, (context) => {
assert(context, `context not passed.`);
assert(context.activity, `context has no request.`);
assert(context.activity.type === 'event', `request has invalid type.`);
assert(context.activity.from && context.activity.from.id === reference.user.id, `request has invalid from.id.`);
assert(context.activity.recipient && context.activity.recipient.id === reference.bot.id, `request has invalid recipient.id.`);
called = true;
}).then(() => {
assert(called, `bot logic not called.`);
done();
});
});

it(`should not trust reference.serviceUrl if there is no AppId on the credentials.`, function (done) {
let called = false;
const adapter = new AdapterUnderTest();
adapter.continueConversation(reference, (context) => {
assert(context, `context not passed.`);
assert(context.activity, `context has no request.`);
assert(context.activity.type === 'event', `request has invalid type.`);
assert(context.activity.from && context.activity.from.id === reference.user.id, `request has invalid from.id.`);
assert(context.activity.recipient && context.activity.recipient.id === reference.bot.id, `request has invalid recipient.id.`);
assert(!MicrosoftAppCredentials.isTrustedServiceUrl('https://example.org/channel'));
called = true;
}).then(() => {
assert(called, `bot logic not called.`);
done();
});
});

it(`should trust reference.serviceUrl if there is an AppId on the credentials.`, function (done) {
let called = false;
const adapter = new AdapterUnderTest({ appId: '2id', appPassword: '2pw' });
adapter.continueConversation(reference, (context) => {
assert(context, `context not passed.`);
assert(context.activity, `context has no request.`);
assert(context.activity.type === 'event', `request has invalid type.`);
assert(context.activity.from && context.activity.from.id === reference.user.id, `request has invalid from.id.`);
assert(context.activity.recipient && context.activity.recipient.id === reference.bot.id, `request has invalid recipient.id.`);
assert(MicrosoftAppCredentials.isTrustedServiceUrl('https://example.org/channel'));
called = true;
}).then(() => {
assert(called, `bot logic not called.`);
done();
});
});

it(`should work with oAuthScope and logic passed in.`, async () => {
let called = false;
const adapter = new AdapterUnderTest();
Expand Down