Only allow BearerTokenAuthPolicy for HTTPS (#4170)

Co-authored-by: Anton Kolesnyk <antkmsft@users.noreply.github.com>
2022-12-07 20:03:17 -08:00 · 2022-12-07 20:03:17 -08:00 · 405ae8cba7
commit 405ae8cba7
parent 456a8e9fb9
2 changed files with 38 additions and 0 deletions
--- a/sdk/core/azure-core/src/http/bearer_token_authentication_policy.cpp
+++ b/sdk/core/azure-core/src/http/bearer_token_authentication_policy.cpp
@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // SPDX-License-Identifier: MIT

+#include "azure/core/credentials/credentials.hpp"
 #include "azure/core/http/policies/policy.hpp"

 #include <chrono>
@ -9,12 +10,19 @@ using Azure::Core::Context;
 using namespace Azure::Core::Http;
 using namespace Azure::Core::Http::Policies;
 using namespace Azure::Core::Http::Policies::_internal;
+using Azure::Core::Credentials::AuthenticationException;

 std::unique_ptr<RawResponse> BearerTokenAuthenticationPolicy::Send(
    Request& request,
    NextHttpPolicy nextPolicy,
    Context const& context) const
 {
+  if (request.GetUrl().GetScheme() != "https")
+  {
+    throw AuthenticationException(
+        "Bearer token authentication is not permitted for non TLS protected (https) endpoints.");
+  }
+
  {
    std::lock_guard<std::mutex> lock(m_accessTokenMutex);

--- a/sdk/core/azure-core/test/ut/bearer_token_authentication_policy_test.cpp
+++ b/sdk/core/azure-core/test/ut/bearer_token_authentication_policy_test.cpp
@ -2,6 +2,8 @@
 // SPDX-License-Identifier: MIT

 #include <azure/core/http/policies/policy.hpp>
+
+#include <azure/core/credentials/credentials.hpp>
 #include <azure/core/internal/http/pipeline.hpp>

 #include <gtest/gtest.h>
@ -202,3 +204,31 @@ TEST(BearerTokenAuthenticationPolicy, RefreshAfterExpiry)
    }
  }
 }
+
+TEST(BearerTokenAuthenticationPolicy, HttpEndpoint)
+{
+  using namespace std::chrono_literals;
+  auto accessToken = std::make_shared<Azure::Core::Credentials::AccessToken>();
+
+  std::vector<std::unique_ptr<Azure::Core::Http::Policies::HttpPolicy>> policies;
+
+  Azure::Core::Credentials::TokenRequestContext tokenRequestContext;
+  tokenRequestContext.Scopes = {"https://microsoft.com/.default"};
+
+  policies.emplace_back(
+      std::make_unique<Azure::Core::Http::Policies::_internal::BearerTokenAuthenticationPolicy>(
+          std::make_shared<TestTokenCredential>(accessToken), tokenRequestContext));
+
+  policies.emplace_back(std::make_unique<TestTransportPolicy>());
+
+  Azure::Core::Http::_internal::HttpPipeline pipeline(policies);
+
+  Azure::Core::Http::Request request(
+      Azure::Core::Http::HttpMethod::Get, Azure::Core::Url("http://www.azure.com"));
+
+  *accessToken = {"ACCESSTOKEN1", std::chrono::system_clock::now()};
+
+  EXPECT_THROW(
+      static_cast<void>(pipeline.Send(request, Azure::Core::Context())),
+      Azure::Core::Credentials::AuthenticationException);
+}