UNPKG

botframework-connector

Version:

Bot Connector is autorest generated connector client.

github.com/Microsoft/botbuilder-js

Microsoft/botbuilder-js

251 lines (221 loc) 10.3 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
/** * @module botframework-connector */ /** * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ /* eslint-disable @typescript-eslint/no-namespace */ import { AuthenticationConfiguration } from './authenticationConfiguration'; import { AuthenticationConstants } from './authenticationConstants'; import { AuthenticationError } from './authenticationError'; import { Claim, ClaimsIdentity } from './claimsIdentity'; import { GovernmentConstants } from './governmentConstants'; import { ICredentialProvider } from './credentialProvider'; import { JwtTokenExtractor } from './jwtTokenExtractor'; import { JwtTokenValidation } from './jwtTokenValidation'; import { StatusCodes } from 'botframework-schema'; import { ToBotFromBotOrEmulatorTokenValidationParameters } from './tokenValidationParameters'; import { decode, VerifyOptions } from 'jsonwebtoken'; /** * @deprecated Use `ConfigurationBotFrameworkAuthentication` instead to perform skill validation. * Validates JWT tokens sent to and from a Skill. */ export namespace SkillValidation { /** * Determines if a given Auth header is from a skill to bot or bot to skill request. * * @param {string} authHeader Bearer Token, in the "Bearer [Long String]" Format. * @returns {boolean} True, if the token was issued for a skill to bot communication. Otherwise, false. */ export function isSkillToken(authHeader: string): boolean { if (!JwtTokenValidation.isValidTokenFormat(authHeader)) { return false; } // We know is a valid token, split it and work with it: // [0] = "Bearer" // [1] = "[Big Long String]" const [, ...bearerTokens] = authHeader.trim().split(' '); // Parse the Big Long String into an actual token. const payload = decode(bearerTokens.join(' ')); let claims: Claim[] = []; if (payload && typeof payload === 'object') { claims = Object.entries(payload).map(([type, value]) => ({ type, value, })); } return isSkillClaim(claims); } /** * Checks if the given object of claims represents a skill. * * @remarks * A skill claim should contain: * An "AuthenticationConstants.VersionClaim" claim. * An "AuthenticationConstants.AudienceClaim" claim. * An "AuthenticationConstants.AppIdClaim" claim (v1) or an a "AuthenticationConstants.AuthorizedParty" claim (v2). * And the appId claim should be different than the audience claim. * The audience claim should be a guid, indicating that it is from another bot/skill. * @param claims An object of claims. * @returns {boolean} True if the object of claims is a skill claim, false if is not. */ export function isSkillClaim(claims: Claim[]): boolean { if (!claims) { throw new TypeError('SkillValidation.isSkillClaim(): missing claims.'); } // Group claims by type for fast lookup const claimsByType = claims.reduce((acc, claim) => ({ ...acc, [claim.type]: claim }), {}); // Short circuit if this is a anonymous skill app ID (generated via createAnonymousSkillClaim) const appIdClaim = claimsByType[AuthenticationConstants.AppIdClaim]; if (appIdClaim && appIdClaim.value === AuthenticationConstants.AnonymousSkillAppId) { return true; } const versionClaim = claimsByType[AuthenticationConstants.VersionClaim]; const versionValue = versionClaim && versionClaim.value; if (!versionValue) { // Must have a version claim. return false; } const audClaim = claimsByType[AuthenticationConstants.AudienceClaim]; const audienceValue = audClaim && audClaim.value; if ( !audClaim || AuthenticationConstants.ToBotFromChannelTokenIssuer === audienceValue || GovernmentConstants.ToBotFromChannelTokenIssuer === audienceValue ) { // The audience is https://api.botframework.com and not an appId. return false; } const appId = JwtTokenValidation.getAppIdFromClaims(claims); if (!appId) { return false; } // Skill claims must contain and app ID and the AppID must be different than the audience. return appId !== audienceValue; } /** * Validates that the incoming Auth Header is a token sent from a bot to a skill or from a skill to a bot. * * @param authHeader The raw HTTP header in the format: "Bearer [longString]". * @param credentials The user defined set of valid credentials, such as the AppId. * @param channelService The channelService value that distinguishes public Azure from US Government Azure. * @param channelId The ID of the channel to validate. * @param authConfig The authentication configuration. * @returns {Promise<ClaimsIdentity>} A "ClaimsIdentity" instance if the validation is successful. */ export async function authenticateChannelToken( authHeader: string, credentials: ICredentialProvider, channelService: string, channelId: string, authConfig: AuthenticationConfiguration, ): Promise<ClaimsIdentity> { if (!authConfig) { throw new AuthenticationError( 'SkillValidation.authenticateChannelToken(): invalid authConfig parameter', StatusCodes.INTERNAL_SERVER_ERROR, ); } const openIdMetadataUrl = JwtTokenValidation.isGovernment(channelService) ? GovernmentConstants.ToBotFromEmulatorOpenIdMetadataUrl : AuthenticationConstants.ToBotFromEmulatorOpenIdMetadataUrl; // Add allowed token issuers from configuration. const verifyOptions: VerifyOptions = { ...ToBotFromBotOrEmulatorTokenValidationParameters, issuer: [ ...ToBotFromBotOrEmulatorTokenValidationParameters.issuer, ...(authConfig.validTokenIssuers ?? []), ], }; const tokenExtractor = new JwtTokenExtractor( verifyOptions, openIdMetadataUrl, AuthenticationConstants.AllowedSigningAlgorithms, ); const parts: string[] = authHeader.split(' '); const identity = await tokenExtractor.getIdentity( parts[0], parts[1], channelId, authConfig.requiredEndorsements, ); await validateIdentity(identity, credentials); return identity; } /** * @ignore * @private * @param identity * @param credentials */ export async function validateIdentity(identity: ClaimsIdentity, credentials: ICredentialProvider): Promise<void> { if (!identity) { // No valid identity. Not Authorized. throw new AuthenticationError( 'SkillValidation.validateIdentity(): Invalid identity', StatusCodes.UNAUTHORIZED, ); } if (!identity.isAuthenticated) { // The token is in some way invalid. Not Authorized. throw new AuthenticationError( 'SkillValidation.validateIdentity(): Token not authenticated', StatusCodes.UNAUTHORIZED, ); } const versionClaim = identity.getClaimValue(AuthenticationConstants.VersionClaim); // const versionClaim = identity.claims.FirstOrDefault(c => c.Type == AuthenticationConstants.VersionClaim); if (!versionClaim) { // No version claim throw new AuthenticationError( `SkillValidation.validateIdentity(): '${AuthenticationConstants.VersionClaim}' claim is required on skill Tokens.`, StatusCodes.UNAUTHORIZED, ); } // Look for the "aud" claim, but only if issued from the Bot Framework const audienceClaim = identity.getClaimValue(AuthenticationConstants.AudienceClaim); if (!audienceClaim) { // Claim is not present or doesn't have a value. Not Authorized. throw new AuthenticationError( `SkillValidation.validateIdentity(): '${AuthenticationConstants.AudienceClaim}' claim is required on skill Tokens.`, StatusCodes.UNAUTHORIZED, ); } if (!(await credentials.isValidAppId(audienceClaim))) { // The AppId is not valid. Not Authorized. throw new AuthenticationError( 'SkillValidation.validateIdentity(): Invalid audience.', StatusCodes.UNAUTHORIZED, ); } const appId = JwtTokenValidation.getAppIdFromClaims(identity.claims); if (!appId) { // Invalid appId throw new AuthenticationError( 'SkillValidation.validateIdentity(): Invalid appId.', StatusCodes.UNAUTHORIZED, ); } // TODO: check the appId against the registered skill client IDs. // Check the AppId and ensure that only works against my whitelist authConfig can have info on how to get the // whitelist AuthenticationConfiguration // We may need to add a ClaimsIdentityValidator delegate or class that allows the dev to inject a custom validator. } /** * Creates a set of claims that represent an anonymous skill. Useful for testing bots locally in the emulator * * @returns A [ClaimsIdentity](xref.botframework-connector.ClaimsIdentity) instance with authentication type set to [AuthenticationConstants.AnonymousAuthType](xref.botframework-connector.AuthenticationConstants) and a reserved [AuthenticationConstants.AnonymousSkillAppId](xref.botframework-connector.AuthenticationConstants) claim. */ export function createAnonymousSkillClaim(): ClaimsIdentity { return new ClaimsIdentity( [ { type: AuthenticationConstants.AppIdClaim, value: AuthenticationConstants.AnonymousSkillAppId, }, ], AuthenticationConstants.AnonymousAuthType, ); } }