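/// <summary>
/// Building the validator with an empty <c>AllowedCallers</c> array is expected to throw.
/// The constructor call is wrapped in an assertion: without it an exception would simply
/// propagate and fail the test, so the previous body could never pass while the behaviour
/// its name describes actually happened.
/// </summary>
public void WhenAllowedCallersIsEmptyThrowException()
 {
     // TODO(review): narrow to the concrete exception type the constructor throws once confirmed.
     Assert.ThrowsAny<Exception>(() => new AllowedCallersClaimsValidator(new BotSkillConfiguration()
     {
         AllowedCallers = new string[0]
     }));
 }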
        /// <summary>
        /// Theory body for the allow-list rules: a caller is accepted only when the list holds
        /// its app id or the wildcard "*"; a missing (null) list rejects every caller.
        /// A null <paramref name="allowedCallerClaimId"/> is a no-op case.
        /// </summary>
        /// <param name="allowedCallerClaimId">App id placed into the caller's claims.</param>
        /// <param name="allowList">Allowed callers handed to the validator; may be null.</param>
        public async Task AcceptAllowedCallersArray(string allowedCallerClaimId, IList<string> allowList)
        {
            var validator = new AllowedCallersClaimsValidator(allowList);

            // Without a caller id there are no claims to build, so there is nothing to check.
            if (allowedCallerClaimId == null)
            {
                return;
            }

            var callerClaims = CreateCallerClaims(allowedCallerClaimId);

            var isAllowed = allowList != null
                && (allowList.Contains(allowedCallerClaimId) || allowList.Contains("*"));

            if (isAllowed)
            {
                await validator.ValidateClaimsAsync(callerClaims);
                return;
            }

            // Both "no allow list at all" and "caller not on the list" must be refused.
            await ValidateUnauthorizedAccessException(allowedCallerClaimId, validator, callerClaims);
        }
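 /// <summary>
 /// An empty <c>AllowedCallers</c> array is a valid configuration: constructing the
 /// validator must not throw. The instance is asserted on so the test carries an explicit
 /// expectation instead of an unused local.
 /// </summary>
 public void AcceptEmptyAllowedCallersArray()
 {
     var validator = new AllowedCallersClaimsValidator(new BotSkillConfiguration()
     {
         AllowedCallers = new string[0]
     });

     // NOTE(review): this only covers construction; whether an empty list rejects every
     // caller (fail closed) is not exercised here.
     Assert.NotNull(validator);
 }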
        // This method gets called by the runtime. Use this method to add services to the container.
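        /// <summary>
        /// Adds the skill's services to the container: controllers with Newtonsoft JSON, the
        /// authentication configuration (caller allow list plus tenant-specific token issuers),
        /// Bot Framework authentication and adapter, in-memory state, the LUIS recognizer,
        /// the root dialog and the bot itself.
        /// </summary>
        /// <param name="services">Service collection supplied by the ASP.NET Core runtime.</param>
        /// <remarks>
        /// The <c>AllowedCallers</c> section is mandatory. When it is absent the factory throws an
        /// <see cref="InvalidOperationException"/> that names the section, instead of the
        /// unrelated <see cref="ArgumentNullException"/> that <c>new List&lt;string&gt;(null)</c> produced.
        /// </remarks>
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddControllers()
                .AddNewtonsoftJson();

            // Register AuthConfiguration to enable custom claim validation.
            services.AddSingleton(sp =>
            {
                // GetRequiredService reports a missing IConfiguration registration clearly
                // rather than dereferencing null on the next call.
                var configuration = sp.GetRequiredService<IConfiguration>();

                // A missing AllowedCallers section must not be confused with an empty list: which
                // bots may call this skill has to be an explicit configuration decision.
                var configuredCallers = configuration.GetSection("AllowedCallers").Get<string[]>()
                    ?? throw new InvalidOperationException("Configuration section 'AllowedCallers' is missing; the skill needs an explicit list of bots allowed to call it.");
                var allowedCallers = new List<string>(configuredCallers);

                var claimsValidator = new AllowedCallersClaimsValidator(allowedCallers);

                // If TenantId is specified in config, add the tenant as a valid JWT token issuer for Bot to Skill conversation.
                // The token issuer for MSI and single tenant scenarios will be the tenant where the bot is registered.
                var validTokenIssuers = new List<string>();
                var tenantId = configuration.GetSection(MicrosoftAppCredentials.MicrosoftAppTenantIdKey)?.Value;

                if (!string.IsNullOrWhiteSpace(tenantId))
                {
                    // For SingleTenant/MSI auth, the JWT tokens will be issued from the bot's home tenant.
                    // Therefore, these issuers need to be added to the list of valid token issuers for authenticating activity requests.
                    validTokenIssuers.Add(string.Format(CultureInfo.InvariantCulture, AuthenticationConstants.ValidTokenIssuerUrlTemplateV1, tenantId));
                    validTokenIssuers.Add(string.Format(CultureInfo.InvariantCulture, AuthenticationConstants.ValidTokenIssuerUrlTemplateV2, tenantId));
                    validTokenIssuers.Add(string.Format(CultureInfo.InvariantCulture, AuthenticationConstants.ValidGovernmentTokenIssuerUrlTemplateV1, tenantId));
                    validTokenIssuers.Add(string.Format(CultureInfo.InvariantCulture, AuthenticationConstants.ValidGovernmentTokenIssuerUrlTemplateV2, tenantId));
                }

                return new AuthenticationConfiguration
                {
                    ClaimsValidator = claimsValidator,
                    ValidTokenIssuers = validTokenIssuers
                };
            });

            // Create the Bot Framework Authentication to be used with the Bot Adapter.
            services.AddSingleton<BotFrameworkAuthentication, ConfigurationBotFrameworkAuthentication>();

            // Create the Bot Framework Adapter with error handling enabled.
            services.AddSingleton<IBotFrameworkHttpAdapter, SkillAdapterWithErrorHandler>();

            // Create the storage we'll be using for User and Conversation state. (Memory is great for testing purposes.)
            services.AddSingleton<IStorage, MemoryStorage>();

            // Create the Conversation state. (Used by the Dialog system itself.)
            services.AddSingleton<ConversationState>();

            // Register LUIS recognizer.
            services.AddSingleton<DialogSkillBotRecognizer>();

            // The Dialog that will be run by the bot.
            services.AddSingleton<ActivityRouterDialog>();

            // Create the bot as a transient. In this case the ASP Controller is expecting an IBot.
            services.AddTransient<IBot, SkillBot<ActivityRouterDialog>>();
        }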
        /// <summary>
        /// With the wildcard "*" in <c>AllowedCallers</c> an arbitrary caller app id must pass
        /// claim validation without throwing.
        /// </summary>
        public async Task AllowAnyCaller()
        {
            const string callerAppId = "BE3F9920-D42D-4D3A-9BDF-DBA62DAE3A00";

            var configuration = new BotSkillConfiguration()
            {
                AllowedCallers = new string[] { "*" }
            };
            var validator = new AllowedCallersClaimsValidator(configuration);

            // A refused caller would surface here as an exception and fail the test.
            await validator.ValidateClaimsAsync(CreateCallerClaims(callerAppId));
        }
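        /// <summary>
        /// A caller whose app id is not in <c>AllowedCallers</c> must be rejected with an
        /// <see cref="UnauthorizedAccessException"/>. The assertion is essential: without it the
        /// rejection would propagate and fail the test instead of proving the behaviour.
        /// </summary>
        public async Task NonAllowedCallerShouldThrowException()
        {
            var callerAppId = "BE3F9920-D42D-4D3A-9BDF-DBA62DAE3A00";
            var validator   = new AllowedCallersClaimsValidator(new BotSkillConfiguration()
            {
                AllowedCallers = new string[] { callerAppId }
            });

            var claims = CreateCallerClaims("I'm not allowed");

            await Assert.ThrowsAsync<UnauthorizedAccessException>(() => validator.ValidateClaimsAsync(claims));
        }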
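 /// <summary>
 /// A configuration without <c>AllowedCallers</c> (null) is expected to make the validator
 /// constructor throw. The call is wrapped in an assertion so the throw counts as a pass;
 /// an unwrapped exception would fail the test.
 /// </summary>
 public void WhenAllowedCallersIsNullThrowException()
 {
     // TODO(review): narrow to the concrete exception type the constructor throws once confirmed.
     Assert.ThrowsAny<Exception>(() => new AllowedCallersClaimsValidator(new BotSkillConfiguration()));
 }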
        /// <summary>
        /// Asserts that <paramref name="validator"/> refuses <paramref name="claims"/> with an
        /// <see cref="UnauthorizedAccessException"/> whose message names the refused caller id.
        /// </summary>
        /// <param name="allowedCallerClaimId">Caller id expected to appear in the exception message.</param>
        /// <param name="validator">Validator under test.</param>
        /// <param name="claims">Claims presented by the caller.</param>
        private static async Task ValidateUnauthorizedAccessException(string allowedCallerClaimId, AllowedCallersClaimsValidator validator, List<Claim> claims)
        {
            var rejection = await Assert.ThrowsAsync<UnauthorizedAccessException>(
                () => validator.ValidateClaimsAsync(claims));

            // The message should identify which caller was refused so the log entry is actionable.
            Assert.Contains(allowedCallerClaimId, rejection.Message);
        }
        // This method gets called by the runtime. Use this method to add services to the container.
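        /// <summary>
        /// Adds the skill's services to the container: controllers with Newtonsoft JSON, the
        /// authentication configuration (caller allow list plus tenant-specific token issuers),
        /// the cloud adapter and skill handler, in-memory state, the root dialog, an HttpClient
        /// factory, the proactive conversation-reference map and the bot itself.
        /// </summary>
        /// <param name="services">Service collection supplied by the ASP.NET Core runtime.</param>
        /// <remarks>
        /// The caller allow-list section (<c>CallersConfigKey</c>) is mandatory. When it is absent the
        /// factory throws an <see cref="InvalidOperationException"/> naming the section, instead of the
        /// unrelated <see cref="ArgumentNullException"/> that <c>new List&lt;string&gt;(null)</c> produced.
        /// </remarks>
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddControllers()
                .AddNewtonsoftJson();

            // Register AuthConfiguration to enable custom claim validation.
            services.AddSingleton(sp =>
            {
                // GetRequiredService reports a missing IConfiguration registration clearly
                // rather than dereferencing null on the next call.
                var configuration = sp.GetRequiredService<IConfiguration>();

                // A missing allow-list section must not be confused with an empty list: which
                // bots may call this skill has to be an explicit configuration decision.
                var configuredCallers = configuration.GetSection(CallersConfigKey).Get<string[]>()
                    ?? throw new InvalidOperationException($"Configuration section '{CallersConfigKey}' is missing; the skill needs an explicit list of bots allowed to call it.");
                var allowedCallers = new List<string>(configuredCallers);

                var claimsValidator = new AllowedCallersClaimsValidator(allowedCallers);

                // If TenantId is specified in config, add the tenant as a valid JWT token issuer for Bot to Skill conversation.
                // The token issuer for MSI and single tenant scenarios will be the tenant where the bot is registered.
                var validTokenIssuers = new List<string>();
                var tenantId = configuration.GetSection(MicrosoftAppCredentials.MicrosoftAppTenantIdKey)?.Value;

                if (!string.IsNullOrWhiteSpace(tenantId))
                {
                    // For SingleTenant/MSI auth, the JWT tokens will be issued from the bot's home tenant.
                    // Therefore, these issuers need to be added to the list of valid token issuers for authenticating activity requests.
                    validTokenIssuers.Add(string.Format(CultureInfo.InvariantCulture, AuthenticationConstants.ValidTokenIssuerUrlTemplateV1, tenantId));
                    validTokenIssuers.Add(string.Format(CultureInfo.InvariantCulture, AuthenticationConstants.ValidTokenIssuerUrlTemplateV2, tenantId));
                    validTokenIssuers.Add(string.Format(CultureInfo.InvariantCulture, AuthenticationConstants.ValidGovernmentTokenIssuerUrlTemplateV1, tenantId));
                    validTokenIssuers.Add(string.Format(CultureInfo.InvariantCulture, AuthenticationConstants.ValidGovernmentTokenIssuerUrlTemplateV2, tenantId));
                }

                return new AuthenticationConfiguration
                {
                    ClaimsValidator = claimsValidator,
                    ValidTokenIssuers = validTokenIssuers
                };
            });

            services.AddSingleton<BotFrameworkAuthentication, ConfigurationBotFrameworkAuthentication>();

            // Register the Cloud Adapter with error handling enabled.
            // Note: some classes use the base BotAdapter so we add an extra registration that pulls the same instance.
            // GetRequiredService makes a missing CloudAdapter registration fail at resolution time
            // instead of handing out null under the other two service types.
            services.AddSingleton<CloudAdapter, SkillAdapterWithErrorHandler>();
            services.AddSingleton<IBotFrameworkHttpAdapter>(sp => sp.GetRequiredService<CloudAdapter>());
            services.AddSingleton<BotAdapter>(sp => sp.GetRequiredService<CloudAdapter>());

            // Register the skills conversation ID factory, the client and the request handler.
            services.AddSingleton<SkillConversationIdFactoryBase, SkillConversationIdFactory>();

            services.AddSingleton<ChannelServiceHandlerBase, CloudSkillHandler>();

            // Create the storage we'll be using for User and Conversation state. (Memory is great for testing purposes.)
            services.AddSingleton<IStorage, MemoryStorage>();

            // Create the Conversation state. (Used by the Dialog system itself.)
            services.AddSingleton<ConversationState>();

            // The Dialog that will be run by the bot.
            services.AddSingleton<ActivityRouterDialog>();

            // The Bot needs an HttpClient to download and upload files.
            services.AddHttpClient();

            // Create a global dictionary for our ConversationReferences (used by proactive)
            services.AddSingleton<ConcurrentDictionary<string, ContinuationParameters>>();

            // Create the bot as a transient. In this case the ASP Controller is expecting an IBot.
            services.AddTransient<IBot, SkillBot<ActivityRouterDialog>>();

            // Gives us access to HttpContext so we can create URLs with the host name.
            services.AddHttpContextAccessor();
        }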
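 /// <summary>
 /// A configuration without <c>AllowedCallers</c> (null) must still construct a validator.
 /// The instance is asserted on so the test carries an explicit expectation instead of an
 /// unused local.
 /// </summary>
 public void AcceptNullAllowedCallersArray()
 {
     var validator = new AllowedCallersClaimsValidator(new BotSkillConfiguration());

     // NOTE(review): construction only; how a null list treats incoming callers is not covered here.
     Assert.NotNull(validator);
 }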