[WebPubSub] Fix origin validation (Azure#38359)

JialinXin · web-flow · commit 08f5e5ad7502 · 2023-08-29T06:40:11.000-07:00
* Fix multiple Origins not correctly get.

* prepare release
diff --git a/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSub/CHANGELOG.md b/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSub/CHANGELOG.md
@@ -1,14 +1,9 @@
 # Release History
 
-## 1.7.0-beta.1 (Unreleased)
-
-### Features Added
-
-### Breaking Changes
+## 1.7.0 (2023-08-28)
 
 ### Bugs Fixed
-
-### Other Changes
+- Fix multi request origins validation.
 
 ## 1.6.0 (2023-07-12)
 
diff --git a/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSub/src/Microsoft.Azure.WebJobs.Extensions.WebPubSub.csproj b/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSub/src/Microsoft.Azure.WebJobs.Extensions.WebPubSub.csproj
@@ -5,7 +5,7 @@
     <PackageId>Microsoft.Azure.WebJobs.Extensions.WebPubSub</PackageId>
     <PackageTags>Azure, WebPubSub</PackageTags>
     <Description>Azure Functions extension for the WebPubSub service</Description>
-    <Version>1.7.0-beta.1</Version>
+    <Version>1.7.0</Version>
     <!--The ApiCompatVersion is managed automatically and should not generally be modified manually.-->
     <ApiCompatVersion>1.6.0</ApiCompatVersion>
     <NoWarn>$(NoWarn);AZC0001;CS8632;CA1056;CA2227</NoWarn>
diff --git a/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSub/src/Services/WebPubSubRequestExtensions.cs b/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSub/src/Services/WebPubSubRequestExtensions.cs
@@ -101,7 +101,7 @@ internal static bool IsValidationRequest(this HttpRequest request, out List<stri
                 request.Headers.TryGetValue(Constants.Headers.WebHookRequestOrigin, out StringValues requestOrigin);
                 if (requestOrigin.Any())
                 {
-                    requestHosts = requestOrigin.ToList();
+                    requestHosts = requestOrigin.SelectMany(x => x.Split(Constants.HeaderSeparator, StringSplitOptions.RemoveEmptyEntries)).ToList();
                     return true;
                 }
             }
diff --git a/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSub/src/Utilities.cs b/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSub/src/Utilities.cs
@@ -218,7 +218,9 @@ public static bool IsValidationRequest(this HttpRequestMessage req, out List<str
         {
             if (req.Method == HttpMethod.Options || req.Method == HttpMethod.Get)
             {
-                requestHosts = req.Headers.GetValues(Constants.Headers.WebHookRequestOrigin).ToList();
+                requestHosts = req.Headers.GetValues(Constants.Headers.WebHookRequestOrigin)
+                    .SelectMany(x => x.Split(Constants.HeaderSeparator, StringSplitOptions.RemoveEmptyEntries))
+                    .ToList();
                 return true;
             }
             requestHosts = null;
diff --git a/sdk/webpubsub/Microsoft.Azure.WebPubSub.AspNetCore/CHANGELOG.md b/sdk/webpubsub/Microsoft.Azure.WebPubSub.AspNetCore/CHANGELOG.md
@@ -1,14 +1,10 @@
 # Release History
 
-## 1.2.0-beta.1 (Unreleased)
-
-### Features Added
-
-### Breaking Changes
+## 1.2.0 (2023-08-28)
 
 ### Bugs Fixed
 
-### Other Changes
+- Fix multi request origins validation.
 
 ## 1.1.0 (2023-07-12)
 
diff --git a/sdk/webpubsub/Microsoft.Azure.WebPubSub.AspNetCore/src/Extensions/WebPubSubRequestExtensions.cs b/sdk/webpubsub/Microsoft.Azure.WebPubSub.AspNetCore/src/Extensions/WebPubSubRequestExtensions.cs
@@ -100,7 +100,7 @@ internal static bool IsPreflightRequest(this HttpRequest request, out IReadOnlyL
                 request.Headers.TryGetValue(Constants.Headers.WebHookRequestOrigin, out StringValues requestOrigin);
                 if (requestOrigin.Count > 0)
                 {
-                    requestOrigins = requestOrigin;
+                    requestOrigins = requestOrigin.SelectMany(x => x.Split(Constants.HeaderSeparator, StringSplitOptions.RemoveEmptyEntries)).ToList();
                     return true;
                 }
             }
diff --git a/sdk/webpubsub/Microsoft.Azure.WebPubSub.AspNetCore/src/Microsoft.Azure.WebPubSub.AspNetCore.csproj b/sdk/webpubsub/Microsoft.Azure.WebPubSub.AspNetCore/src/Microsoft.Azure.WebPubSub.AspNetCore.csproj
@@ -2,7 +2,7 @@
   <PropertyGroup>
     <Description>Azure SDK client library for the WebPubSub service</Description>
     <AssemblyTitle>Azure SDK for WebPubSub</AssemblyTitle>
-    <Version>1.2.0-beta.1</Version>
+    <Version>1.2.0</Version>
     <!--The ApiCompatVersion is managed automatically and should not generally be modified manually.-->
     <ApiCompatVersion>1.1.0</ApiCompatVersion>
     <PackageTags>Azure, WebPubSub</PackageTags>
diff --git a/sdk/webpubsub/Microsoft.Azure.WebPubSub.AspNetCore/tests/WebPubSubEventRequestTests.cs b/sdk/webpubsub/Microsoft.Azure.WebPubSub.AspNetCore/tests/WebPubSubEventRequestTests.cs
@@ -273,9 +273,10 @@ public void TestSignatureCheck_MultiSignatureSuccess(string signatures)
 
         [TestCase("OPTIONS", true)]
         [TestCase("DELETE", false)]
-        public void TestAbuseProtection(string httpMethod, bool valid)
+        [TestCase("OPTIONS", true, true)]
+        public void TestAbuseProtection(string httpMethod, bool valid, bool multiDomains = false)
         {
-            var context = PrepareHttpContext(TestUri, WebPubSubEventType.System, Constants.Events.ConnectEvent, httpMethod: httpMethod);
+            var context = PrepareHttpContext(TestUri, WebPubSubEventType.System, Constants.Events.ConnectEvent, httpMethod: httpMethod, multiDomains: multiDomains);
 
             var result = context.Request.IsPreflightRequest(out var requestHosts);
 
@@ -285,6 +286,14 @@ public void TestAbuseProtection(string httpMethod, bool valid)
             {
                 Assert.NotNull(requestHosts);
                 Assert.AreEqual(TestUri.Host, requestHosts[0]);
+                if (multiDomains)
+                {
+                    Assert.AreEqual(2, requestHosts.Count);
+                }
+                else
+                {
+                    Assert.AreEqual(1, requestHosts.Count);
+                }
             }
         }
 
@@ -309,7 +318,8 @@ private static HttpContext PrepareHttpContext(
             string httpMethod = "POST",
             string userId = "testuser",
             string body = null,
-            string contentType = Constants.ContentTypes.PlainTextContentType)
+            string contentType = Constants.ContentTypes.PlainTextContentType,
+            bool multiDomains = false)
         {
             var context = new DefaultHttpContext();
             var services = new ServiceCollection();
@@ -337,7 +347,12 @@ private static HttpContext PrepareHttpContext(
             if (!string.IsNullOrEmpty(uri.Host))
             {
                 headers.Add("Host", uri.Host);
-                headers.Add(Constants.Headers.WebHookRequestOrigin, uri.Host);
+                var origins = uri.Host;
+                if (multiDomains)
+                {
+                    origins += ", custom.domain.com";
+                }
+                headers.Add(Constants.Headers.WebHookRequestOrigin, origins);
             }
 
             if (userId != null)

Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ internal static bool IsValidationRequest(this HttpRequest request, out List<stri`
`101`	`101`	`request.Headers.TryGetValue(Constants.Headers.WebHookRequestOrigin, out StringValues requestOrigin);`
`102`	`102`	`if (requestOrigin.Any())`
`103`	`103`	`{`
`104`		`- requestHosts = requestOrigin.ToList();`
	`104`	`+ requestHosts = requestOrigin.SelectMany(x => x.Split(Constants.HeaderSeparator, StringSplitOptions.RemoveEmptyEntries)).ToList();`
`105`	`105`	`return true;`
`106`	`106`	`}`
`107`	`107`	`}`
Original file line number	Diff line number	Diff line change
`@@ -218,7 +218,9 @@ public static bool IsValidationRequest(this HttpRequestMessage req, out List<str`
`218`	`218`	`{`
`219`	`219`	`if (req.Method == HttpMethod.Options \|\| req.Method == HttpMethod.Get)`
`220`	`220`	`{`
`221`		`- requestHosts = req.Headers.GetValues(Constants.Headers.WebHookRequestOrigin).ToList();`
	`221`	`+ requestHosts = req.Headers.GetValues(Constants.Headers.WebHookRequestOrigin)`
	`222`	`+ .SelectMany(x => x.Split(Constants.HeaderSeparator, StringSplitOptions.RemoveEmptyEntries))`
	`223`	`+ .ToList();`
`222`	`224`	`return true;`
`223`	`225`	`}`
`224`	`226`	`requestHosts = null;`
Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ internal static bool IsPreflightRequest(this HttpRequest request, out IReadOnlyL`
`100`	`100`	`request.Headers.TryGetValue(Constants.Headers.WebHookRequestOrigin, out StringValues requestOrigin);`
`101`	`101`	`if (requestOrigin.Count > 0)`
`102`	`102`	`{`
`103`		`- requestOrigins = requestOrigin;`
	`103`	`+ requestOrigins = requestOrigin.SelectMany(x => x.Split(Constants.HeaderSeparator, StringSplitOptions.RemoveEmptyEntries)).ToList();`
`104`	`104`	`return true;`
`105`	`105`	`}`
`106`	`106`	`}`