/*
|
* @copyright
|
* Copyright © Microsoft Open Technologies, Inc.
|
*
|
* All Rights Reserved
|
*
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
* you may not use this file except in compliance with the License.
|
* You may obtain a copy of the License at
|
*
|
* http: *www.apache.org/licenses/LICENSE-2.0
|
*
|
* THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR CONDITIONS
|
* OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
|
* ANY IMPLIED WARRANTIES OR CONDITIONS OF TITLE, FITNESS FOR A
|
* PARTICULAR PURPOSE, MERCHANTABILITY OR NON-INFRINGEMENT.
|
*
|
* See the Apache License, Version 2.0 for the specific language
|
* governing permissions and limitations under the License.
|
*/
|
'use strict';
|
|
var request = require('request');
|
var url = require('url');
|
var _ = require('underscore');
|
|
var AADConstants = require('./constants').AADConstants;
|
var Logger = require('./log').Logger;
|
var util = require('./util');
|
|
/**
|
* Constructs an Authority object with a specific authority URL.
|
* @private
|
* @constructor
|
* @param {string} authorityUrl A URL that identifies a token authority.
|
* @param {bool} validateAuthority Indicates whether the Authority url should be validated as an actual AAD
|
* authority. The default is true.
|
*/
|
function Authority(authorityUrl, validateAuthority) {
|
this._log = null;
|
this._url = url.parse(authorityUrl);
|
this._validateAuthorityUrl();
|
|
this._validated = !validateAuthority;
|
this._host = null;
|
this._tenant = null;
|
this._parseAuthority();
|
|
this._authorizationEndpoint = null;
|
this._tokenEndpoint = null;
|
this._deviceCodeEndpoint = null;
|
this._isAdfsAuthority = (this._tenant.toLowerCase() === "adfs");
|
}
|
|
/**
|
* The URL of the authority
|
* @instance
|
* @type {string}
|
* @memberOf Authority
|
* @name url
|
*/
|
Object.defineProperty(Authority.prototype, 'url', {
|
get: function() {
|
return url.format(this._url);
|
}
|
});
|
|
/**
|
* The token endpoint that the authority uses as discovered by instance discovery.
|
* @instance
|
* @type {string}
|
* @memberOf Authority
|
* @name tokenEndpoint
|
*/
|
Object.defineProperty(Authority.prototype, 'tokenEndpoint', {
|
get: function() {
|
return this._tokenEndpoint;
|
}
|
});
|
|
Object.defineProperty(Authority.prototype, 'deviceCodeEndpoint', {
|
get: function() {
|
return this._deviceCodeEndpoint;
|
}
|
});
|
|
/**
|
* Checks the authority url to ensure that it meets basic requirements such as being over SSL. If it does not then
|
* this method will throw if any of the checks fail.
|
* @private
|
* @throws {Error} If the authority url fails to pass any validation checks.
|
*/
|
Authority.prototype._validateAuthorityUrl = function() {
|
if (this._url.protocol !== 'https:') {
|
throw new Error('The authority url must be an https endpoint.');
|
}
|
|
if (this._url.query) {
|
throw new Error('The authority url must not have a query string.');
|
}
|
};
|
|
/**
|
* Parse the authority to get the tenant name. The rest of the
|
* URL is thrown away in favor of one of the endpoints from the validation doc.
|
* @private
|
*/
|
Authority.prototype._parseAuthority = function() {
|
this._host = this._url.host;
|
|
var pathParts = this._url.pathname.split('/');
|
this._tenant = pathParts[1];
|
|
if (!this._tenant) {
|
throw new Error('Could not determine tenant.');
|
}
|
};
|
|
/**
|
* Performs instance discovery based on a simple match against well known authorities.
|
* @private
|
* @return {bool} Returns true if the authority is recognized.
|
*/
|
Authority.prototype._performStaticInstanceDiscovery = function() {
|
this._log.verbose('Performing static instance discovery');
|
|
var hostIndex = _.indexOf(AADConstants.WELL_KNOWN_AUTHORITY_HOSTS, this._url.hostname);
|
var found = hostIndex > -1;
|
|
if (found) {
|
this._log.verbose('Authority validated via static instance discovery.');
|
}
|
|
return found;
|
};
|
|
Authority.prototype._createAuthorityUrl = function() {
|
return 'https://' + this._url.host + '/' + encodeURIComponent(this._tenant) + AADConstants.AUTHORIZE_ENDPOINT_PATH;
|
};
|
|
/**
|
* Creates an instance discovery endpoint url for the specific authority that this object represents.
|
* @private
|
* @param {string} authorityHost The host name of a well known authority.
|
* @return {URL} The constructed endpoint url.
|
*/
|
Authority.prototype._createInstanceDiscoveryEndpointFromTemplate = function(authorityHost) {
|
var discoveryEndpoint = AADConstants.INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE;
|
discoveryEndpoint = discoveryEndpoint.replace('{authorize_host}', authorityHost);
|
discoveryEndpoint = discoveryEndpoint.replace('{authorize_endpoint}', encodeURIComponent(this._createAuthorityUrl()));
|
return url.parse(discoveryEndpoint);
|
};
|
|
/**
|
* Performs instance discovery via a network call to well known authorities.
|
* @private
|
* @param {Authority.InstanceDiscoveryCallback} callback The callback function. If succesful,
|
* this function calls the callback with the
|
* tenantDiscoveryEndpoint returned by the
|
* server.
|
*/
|
Authority.prototype._performDynamicInstanceDiscovery = function(callback) {
|
try {
|
var self = this;
|
var discoveryEndpoint = this._createInstanceDiscoveryEndpointFromTemplate(AADConstants.WORLD_WIDE_AUTHORITY);
|
|
var getOptions = util.createRequestOptions(self);
|
|
this._log.verbose('Attempting instance discover');
|
this._log.verbose('Attempting instance discover at: ' + url.format(discoveryEndpoint), true);
|
request.get(discoveryEndpoint, getOptions, util.createRequestHandler('Instance Discovery', this._log, callback,
|
function(response, body) {
|
var discoveryResponse = JSON.parse(body);
|
|
if (discoveryResponse['tenant_discovery_endpoint']) {
|
callback(null, discoveryResponse['tenant_discovery_endpoint']);
|
} else {
|
callback(self._log.createError('Failed to parse instance discovery response'));
|
}
|
})
|
);
|
} catch(e) {
|
callback(e);
|
}
|
};
|
|
/**
|
* @callback InstanceDiscoveryCallback
|
* @private
|
* @memberOf Authority
|
* @param {Error} err If an error occurs during instance discovery then it will be returned here.
|
* @param {string} tenantDiscoveryEndpoint If instance discovery is successful then this will contain the
|
* tenantDiscoveryEndpoint associated with the authority.
|
*/
|
|
/**
|
* Determines whether the authority is recognized as a trusted AAD authority.
|
* @private
|
* @param {Authority.InstanceDiscoveryCallback} callback The callback function.
|
*/
|
Authority.prototype._validateViaInstanceDiscovery = function(callback) {
|
if (this._performStaticInstanceDiscovery()) {
|
callback();
|
} else {
|
this._performDynamicInstanceDiscovery(callback);
|
}
|
};
|
|
/**
|
* @callback GetOauthEndpointsCallback
|
* @private
|
* @memberOf Authority
|
* @param {Error} error An error if one occurred.
|
*/
|
|
/**
|
* Given a tenant discovery endpoint this method will attempt to discover the token endpoint. If the
|
* tenant discovery endpoint is unreachable for some reason then it will fall back to a algorithmic generation of the
|
* token endpoint url.
|
* @private
|
* @param {string} tenantDiscoveryEndpoint The url of the tenant discovery endpoint for this authority.
|
* @param {Authority.GetOauthEndpointsCallback} callback The callback function.
|
*/
|
Authority.prototype._getOAuthEndpoints = function(tenantDiscoveryEndpoint, callback) {
|
if (this._tokenEndpoint && this._deviceCodeEndpoint) {
|
callback();
|
return;
|
} else {
|
// fallback to the well known token endpoint path.
|
if (!this._tokenEndpoint){
|
this._tokenEndpoint = url.format('https://' + this._url.host + '/' + encodeURIComponent(this._tenant)) + AADConstants.TOKEN_ENDPOINT_PATH;
|
}
|
|
if (!this._deviceCodeEndpoint){
|
this._deviceCodeEndpoint = url.format('https://' + this._url.host + '/' + encodeURIComponent(this._tenant)) + AADConstants.DEVICE_ENDPOINT_PATH;
|
}
|
|
callback();
|
return;
|
}
|
};
|
|
/**
|
* @callback ValidateCallback
|
* @memberOf Authority
|
*/
|
|
/**
|
* Perform validation on the authority represented by this object. In addition to simple validation
|
* the oauth token endpoint will be retrieved.
|
* @param {Authority.ValidateCallback} callback The callback function.
|
*/
|
Authority.prototype.validate = function(callContext, callback) {
|
this._log = new Logger('Authority', callContext._logContext);
|
this._callContext = callContext;
|
var self = this;
|
|
if (!this._validated) {
|
this._log.verbose('Performing instance discovery');
|
this._log.verbose('Performing instance discovery: ' + url.format(this._url), true);
|
this._validateViaInstanceDiscovery(function(err, tenantDiscoveryEndpoint) {
|
if (err)
|
{
|
callback(err);
|
} else {
|
self._validated = true;
|
self._getOAuthEndpoints(tenantDiscoveryEndpoint, callback);
|
return;
|
}
|
});
|
} else {
|
this._log.verbose('Instance discovery/validation has either already been completed or is turned off');
|
this._log.verbose('Instance discovery/validation has either already been completed or is turned off: ' + url.format(this._url), true);
|
this._getOAuthEndpoints(null, callback);
|
return;
|
}
|
};
|
|
module.exports.Authority = Authority;
|
