Skip to content

Latest commit

 

History

History
58 lines (49 loc) · 1.95 KB

SkillClaimsValidation.md

File metadata and controls

58 lines (49 loc) · 1.95 KB

HowTo: Block all Skill Claims

Write a class that conforms to the ValidateClaims interface and throws an exception if the claims are skill claims:

class AllowedSkillsClaimsValidator:

    config_key = "ALLOWED_CALLERS"

    def __init__(self, config: DefaultConfig):
        if not config:
            raise TypeError(
                "AllowedSkillsClaimsValidator: config object cannot be None."
            )

        # ALLOWED_CALLERS is the setting in config.py file
        # that consists of the list of parent bot ids that are allowed to access the skill
        # to add a new parent bot simply go to the AllowedCallers and add
        # the parent bot's microsoft app id to the list
        caller_list = getattr(config, self.config_key)
        if caller_list is None:
            raise TypeError(f'"{self.config_key}" not found in configuration.')
        self._allowed_callers = caller_list

    @property
        def claims_validator(self) -> Callable[[List[Dict]], Awaitable]:
            async def allow_callers_claims_validator(claims: Dict[str, object]):
                if skillValidation.is_skill_claim(claims):
                    raise PermissionError(
                        "Invalid call from a skill."
                    )

                return

        return allow_callers_claims_validator

Update BotFrameworkAdapter instantiation, to pass the AuthenticationConfiguration constructor the function defined above:

AUTH_CONFIG = AuthenticationConfiguration(
    claims_validator=AllowedSkillsClaimsValidator(CONFIG).claims_validator
)
SETTINGS = BotFrameworkAdapterSettings(
    ...,
    auth_configuration=AUTH_CONFIG,
)
ADAPTER = BotFrameworkAdapter(
    ...,
    SETTINGS,
)

For SingleTenant type bots, the additional issuers must be added based on the tenant id:

AUTH_CONFIG = AuthenticationConfiguration(
    claims_validator=AllowedSkillsClaimsValidator(CONFIG).claims_validator,
    tenant_id=the_tenant_id
)