Merge pull request #540 from microsoftgraph/features/CertThumbprintValidation

peombwa · web-flow · commit f9c800ed16ed · 2021-02-16T14:08:44.000-08:00
Cert Thumbprint Validation &amp; Parameter Classification
diff --git a/src/Authentication/Authentication/Cmdlets/ConnectMgGraph.cs b/src/Authentication/Authentication/Cmdlets/ConnectMgGraph.cs
@@ -53,34 +53,43 @@ public class ConnectMgGraph : PSCmdlet, IModuleAssemblyInitializer, IModuleAssem
             HelpMessage = "The thumbprint of your certificate. The Certificate will be retrieved from the current user's certificate store.")]
         public string CertificateThumbprint { get; set; }
 
+        [Parameter(Mandatory = false,
+            ParameterSetName = Constants.AppParameterSet,
+            HelpMessage = "An X.509 certificate supplied during invocation.")]
+        public X509Certificate2 Certificate { get; set; }
+
         [Parameter(ParameterSetName = Constants.AccessTokenParameterSet,
             Position = 1,
             HelpMessage = "Specifies a bearer token for Microsoft Graph service. Access tokens do timeout and you'll have to handle their refresh.")]
         public string AccessToken { get; set; }
 
-        [Parameter(Position = 4,
+        [Parameter(ParameterSetName = Constants.AppParameterSet)]
+        [Parameter(ParameterSetName = Constants.UserParameterSet,
+            Position = 4,
             HelpMessage = "The id of the tenant to connect to.")]
         public string TenantId { get; set; }
 
-        [Parameter(Position = 5,
+        [Parameter(ParameterSetName = Constants.AppParameterSet)]
+        [Parameter(ParameterSetName = Constants.UserParameterSet,
+            Position = 5,
             HelpMessage = "Forces the command to get a new access token silently.")]
         public SwitchParameter ForceRefresh { get; set; }
 
-        [Parameter(Mandatory = false,
+        [Parameter(ParameterSetName = Constants.AppParameterSet)]
+        [Parameter(ParameterSetName = Constants.UserParameterSet,
+            Mandatory = false,
             HelpMessage = "Determines the scope of authentication context. This accepts `Process` for the current process, or `CurrentUser` for all sessions started by user.")]
         public ContextScope ContextScope { get; set; }
 
-        [Parameter(Mandatory = false,
+        [Parameter(ParameterSetName = Constants.AppParameterSet)]
+        [Parameter(ParameterSetName = Constants.AccessTokenParameterSet)]
+        [Parameter(ParameterSetName = Constants.UserParameterSet,
+            Mandatory = false,
             HelpMessage = "The name of the national cloud environment to connect to. By default global cloud is used.")]
         [ValidateNotNullOrEmpty]
         [Alias("EnvironmentName", "NationalCloud")]
         public string Environment { get; set; }
 
-        [Parameter(Mandatory = false,
-            ParameterSetName = Constants.AppParameterSet, 
-            HelpMessage = "An x509 Certificate supplied during invocation")]
-        public X509Certificate2 Certificate { get; set; }
-
         private readonly CancellationTokenSource _cancellationTokenSource = new CancellationTokenSource();
 
         private IGraphEnvironment environment;
@@ -312,6 +321,13 @@ private void ValidateParameters()
                             this.ThrowParameterError($"{nameof(CertificateThumbprint)} or {nameof(CertificateName)} or {nameof(Certificate)}");
                         }
 
+                        // A thumbprint will always have 40 characters since thumbprints are dynamically calculated as a SHA-1 hash of a certificate's binary data. A SHA-1 hash has a length of 40 hexadecimal numbers (160-bit = 20-byte).
+                        // See https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.thumbprint?view=net-5.0#remarks.
+                        if (!string.IsNullOrEmpty(CertificateThumbprint) && CertificateThumbprint.Length != 40)
+                        {
+                            this.ThrowError(string.Format(ErrorConstants.Message.InvalidCertificateThumbprint, nameof(CertificateThumbprint)), ErrorCategory.InvalidArgument);
+                        }
+
                         // Tenant Id
                         if (string.IsNullOrEmpty(TenantId))
                         {
diff --git a/src/Authentication/Authentication/ErrorConstants.cs b/src/Authentication/Authentication/ErrorConstants.cs
@@ -49,6 +49,7 @@ internal static class Message
             internal const string InvalidEnvironment = "Unable to find environment with name '{0}'. Use Get-MgEnvironment to list available environments.";
             internal const string CannotAccessFile = "Could not {0} file at '{1}'. Please ensure you have access to this file and try again in a few minutes..";
             internal const string CannotModifyBuiltInEnvironment = "Cannot {0} built-in environment {1}.";
+            internal const string InvalidCertificateThumbprint = "'{0}' must have a length of 40. Ensure you have the right certificate thumbprint then try again.";
         }
     }
 }
diff --git a/src/Authentication/Authentication/test/Connect-MgGraph.Tests.ps1 b/src/Authentication/Authentication/test/Connect-MgGraph.Tests.ps1
@@ -2,6 +2,7 @@ BeforeAll {
     $ModuleName = "Microsoft.Graph.Authentication"
     $ModulePath = Join-Path $PSScriptRoot "..\$ModuleName.psd1"
     Import-Module $ModulePath -Force
+    $RandomClientId = (New-Guid).Guid
 }
 Describe 'Connect-MgGraph In Delegated Mode' {
     It 'ShouldThrowExceptionWhenInvalidTenantIdIsSpecified' {
@@ -11,4 +12,14 @@ Describe 'Connect-MgGraph In Delegated Mode' {
     It 'ShouldThrowExceptionWhenInvalidScopeIsSpecified' {
         { Connect-MgGraph -Scopes 'User.Read.XYZ' -ErrorAction Stop } | Should -Throw -ExpectedMessage "*The scope 'User.Read.XYZ offline_access profile openid' does not exist*"
     }
+}
+
+Describe 'Connect-MgGraph In App Mode' {
+    It 'ShouldThrowExceptionWhenCertificateThumbprintLengthIs > 40' {
+        { Connect-MgGraph -ClientId $RandomClientId -CertificateThumbprint '12345678901234567890123456789012345678901' -ErrorAction Stop } | Should -Throw -ExpectedMessage "*'CertificateThumbprint' must have a length of 40.*"
+    }
+
+    It 'ShouldThrowExceptionWhenCertificateThumbprintLengthIs < 40' {
+        { Connect-MgGraph -ClientId $RandomClientId -CertificateThumbprint '123456789012345678901234567890123456789' -ErrorAction Stop } | Should -Throw -ExpectedMessage "*'CertificateThumbprint' must have a length of 40.*"
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ internal static class Message`
`49`	`49`	`internal const string InvalidEnvironment = "Unable to find environment with name '{0}'. Use Get-MgEnvironment to list available environments.";`
`50`	`50`	`internal const string CannotAccessFile = "Could not {0} file at '{1}'. Please ensure you have access to this file and try again in a few minutes..";`
`51`	`51`	`internal const string CannotModifyBuiltInEnvironment = "Cannot {0} built-in environment {1}.";`
	`52`	`+ internal const string InvalidCertificateThumbprint = "'{0}' must have a length of 40. Ensure you have the right certificate thumbprint then try again.";`
`52`	`53`	`}`
`53`	`54`	`}`
`54`	`55`	`}`