Add an opt-out DisableTelemetry option in the OpenID Connect middleware (#1140)

2017-03-13 18:02:59 +01:00 · 2017-03-13 18:02:59 +01:00 · 32dd435c6e
parent 9de5519c8b
commit 32dd435c6e
5 changed files with 61 additions and 3 deletions
--- a/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs
+++ b/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs
@ -161,6 +161,7 @@ namespace Microsoft.AspNetCore.Authentication.OpenIdConnect

            var message = new OpenIdConnectMessage()
            {
+                EnableTelemetryParameters = !Options.DisableTelemetry,
                IssuerAddress = _configuration?.EndSessionEndpoint ?? string.Empty,

                // Redirect back to SigneOutCallbackPath first before user agent is redirected to actual post logout redirect uri
@ -309,6 +310,7 @@ namespace Microsoft.AspNetCore.Authentication.OpenIdConnect
            var message = new OpenIdConnectMessage
            {
                ClientId = Options.ClientId,
+                EnableTelemetryParameters = !Options.DisableTelemetry,
                IssuerAddress = _configuration?.AuthorizationEndpoint ?? string.Empty,
                RedirectUri = BuildRedirectUri(Options.CallbackPath),
                Resource = Options.Resource,
@ -1023,6 +1025,7 @@ namespace Microsoft.AspNetCore.Authentication.OpenIdConnect
                ClientSecret = Options.ClientSecret,
                Code = authorizationResponse.Code,
                GrantType = OpenIdConnectGrantTypes.AuthorizationCode,
+                EnableTelemetryParameters = !Options.DisableTelemetry,
                RedirectUri = properties.Items[OpenIdConnectDefaults.RedirectUriForCodePropertiesKey]
            };

--- a/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectOptions.cs
+++ b/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectOptions.cs
@ -241,5 +241,12 @@ namespace Microsoft.AspNetCore.Builder
        /// This is disabled by default.
        /// </summary>
        public bool SkipUnrecognizedRequests { get; set; } = false;
+
+        /// <summary>
+        /// Indicates whether telemetry should be disabled. When this feature is enabled,
+        /// the assembly version of the Microsoft IdentityModel packages is sent to the
+        /// remote OpenID Connect provider as an authorization/logout request parameter.
+        /// </summary>
+        public bool DisableTelemetry { get; set; }
    }
 }
--- a/test/Microsoft.AspNetCore.Authentication.Test/OpenIdConnect/OpenIdConnectChallengeTests.cs
+++ b/test/Microsoft.AspNetCore.Authentication.Test/OpenIdConnect/OpenIdConnectChallengeTests.cs
@ -35,7 +35,23 @@ namespace Microsoft.AspNetCore.Authentication.Tests.OpenIdConnect
                OpenIdConnectParameterNames.ResponseType,
                OpenIdConnectParameterNames.ResponseMode,
                OpenIdConnectParameterNames.Scope,
-                OpenIdConnectParameterNames.RedirectUri);
+                OpenIdConnectParameterNames.RedirectUri,
+                OpenIdConnectParameterNames.SkuTelemetry,
+                OpenIdConnectParameterNames.VersionTelemetry);
+        }
+
+        [Fact]
+        public async Task AuthorizationRequestDoesNotIncludeTelemetryParametersWhenDisabled()
+        {
+            var settings = new TestSettings(opt => opt.DisableTelemetry = true);
+
+            var server = settings.CreateTestServer();
+            var transaction = await server.SendAsync(ChallengeEndpoint);
+
+            var res = transaction.Response;
+            Assert.Equal(HttpStatusCode.Redirect, res.StatusCode);
+            Assert.DoesNotContain(OpenIdConnectParameterNames.SkuTelemetry, res.Headers.Location.Query);
+            Assert.DoesNotContain(OpenIdConnectParameterNames.VersionTelemetry, res.Headers.Location.Query);
        }

        /*
@ -58,7 +74,7 @@ namespace Microsoft.AspNetCore.Authentication.Tests.OpenIdConnect
        </body>
        */
        [Fact]
-        public async Task ChallengeIssueedCorrectlyForFormPost()
+        public async Task ChallengeIssuedCorrectlyForFormPost()
        {
            var settings = new TestSettings(
                opt => opt.AuthenticationMethod = OpenIdConnectRedirectBehavior.FormPost);
--- a/test/Microsoft.AspNetCore.Authentication.Test/OpenIdConnect/OpenIdConnectMiddlewareTests.cs
+++ b/test/Microsoft.AspNetCore.Authentication.Test/OpenIdConnect/OpenIdConnectMiddlewareTests.cs
@ -46,7 +46,25 @@ namespace Microsoft.AspNetCore.Authentication.Tests.OpenIdConnect
            Assert.Equal(HttpStatusCode.Redirect, res.StatusCode);
            Assert.NotNull(res.Headers.Location);

-            setting.ValidateSignoutRedirect(transaction.Response.Headers.Location);
+            setting.ValidateSignoutRedirect(
+                transaction.Response.Headers.Location,
+                OpenIdConnectParameterNames.SkuTelemetry,
+                OpenIdConnectParameterNames.VersionTelemetry);
+        }
+
+        [Fact]
+        public async Task EndSessionRequestDoesNotIncludeTelemetryParametersWhenDisabled()
+        {
+            var setting = new TestSettings(opt => opt.DisableTelemetry = true);
+
+            var server = setting.CreateTestServer();
+
+            var transaction = await server.SendAsync(DefaultHost + TestServerBuilder.Signout);
+            var res = transaction.Response;
+
+            Assert.Equal(HttpStatusCode.Redirect, res.StatusCode);
+            Assert.DoesNotContain(OpenIdConnectParameterNames.SkuTelemetry, res.Headers.Location.Query);
+            Assert.DoesNotContain(OpenIdConnectParameterNames.VersionTelemetry, res.Headers.Location.Query);
        }

        [Fact]
--- a/test/Microsoft.AspNetCore.Authentication.Test/OpenIdConnect/TestSettings.cs
+++ b/test/Microsoft.AspNetCore.Authentication.Test/OpenIdConnect/TestSettings.cs
@ -5,6 +5,7 @@ using System;
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.Linq;
+using System.Reflection;
 using System.Text;
 using System.Text.Encodings.Web;
 using System.Xml.Linq;
@ -152,6 +153,12 @@ namespace Microsoft.AspNetCore.Authentication.Tests.OpenIdConnect
                    case OpenIdConnectParameterNames.State:
                        ValidateState(actualValues, errors, htmlEncoded);
                        break;
+                    case OpenIdConnectParameterNames.SkuTelemetry:
+                        ValidateSkuTelemetry(actualValues, errors, htmlEncoded);
+                        break;
+                    case OpenIdConnectParameterNames.VersionTelemetry:
+                        ValidateVersionTelemetry(actualValues, errors, htmlEncoded);
+                        break;
                    default:
                        throw new InvalidOperationException($"Unknown parameter \"{paramToValidate}\".");
                }
@ -201,6 +208,13 @@ namespace Microsoft.AspNetCore.Authentication.Tests.OpenIdConnect
        private void ValidateState(IDictionary<string, string> actualQuery, ICollection<string> errors, bool htmlEncoded) =>
            ValidateQueryParameter(OpenIdConnectParameterNames.State, ExpectedState, actualQuery, errors, htmlEncoded);

+        private void ValidateSkuTelemetry(IDictionary<string, string> actualQuery, ICollection<string> errors, bool htmlEncoded) =>
+            ValidateQueryParameter(OpenIdConnectParameterNames.SkuTelemetry, "ID_NET", actualQuery, errors, htmlEncoded);
+
+        private void ValidateVersionTelemetry(IDictionary<string, string> actualQuery, ICollection<string> errors, bool htmlEncoded) =>
+            ValidateQueryParameter(OpenIdConnectParameterNames.VersionTelemetry,
+                typeof(OpenIdConnectMessage).GetTypeInfo().Assembly.GetName().Version.ToString(), actualQuery, errors, htmlEncoded);
+
        private void ValidateQueryParameter(
            string parameterName,
            string expectedValue,