dong-cg
diff --git a/‎libraries/botbuilder-core/botbuilder/core/bot_framework_adapter.py
Lines changed: 1 addition & 1 deletion b/‎libraries/botbuilder-core/botbuilder/core/bot_framework_adapter.py
Lines changed: 1 addition & 1 deletion
diff --git a/‎libraries/botframework-connector/botframework/connector/auth/channel_validation.py
Lines changed: 4 additions & 4 deletions b/‎libraries/botframework-connector/botframework/connector/auth/channel_validation.py
Lines changed: 4 additions & 4 deletions
diff --git a/‎libraries/botframework-connector/botframework/connector/auth/emulator_validation.py
Lines changed: 2 additions & 2 deletions b/‎libraries/botframework-connector/botframework/connector/auth/emulator_validation.py
Lines changed: 2 additions & 2 deletions
diff --git a/‎libraries/botframework-connector/botframework/connector/auth/endorsements_validator.py
Lines changed: 31 additions & 0 deletions b/‎libraries/botframework-connector/botframework/connector/auth/endorsements_validator.py
Lines changed: 31 additions & 0 deletions
diff --git a/‎libraries/botframework-connector/botframework/connector/auth/jwt_token_extractor.py
Lines changed: 9 additions & 10 deletions b/‎libraries/botframework-connector/botframework/connector/auth/jwt_token_extractor.py
Lines changed: 9 additions & 10 deletions
diff --git a/‎libraries/botframework-connector/botframework/connector/auth/jwt_token_validation.py
Lines changed: 19 additions & 8 deletions b/‎libraries/botframework-connector/botframework/connector/auth/jwt_token_validation.py
Lines changed: 19 additions & 8 deletions
@@ -99,7 +99,7 @@ async def authenticate_request(self, request: Activity, auth_header: str):
         :param auth_header:
         :return:
         """
-        await JwtTokenValidation.assert_valid_activity(request, auth_header, self._credential_provider)
+        await JwtTokenValidation.authenticate_request(request, auth_header, self._credential_provider)
 
     def create_context(self, activity):
         """
 
@@ -22,7 +22,7 @@ class ChannelValidation:
     )
 
     @staticmethod
-    async def authenticate_token_service_url(auth_header: str, credentials: CredentialProvider, service_url: str) -> ClaimsIdentity:
+    async def authenticate_token_service_url(auth_header: str, credentials: CredentialProvider, service_url: str, channel_id: str) -> ClaimsIdentity:
         """ Validate the incoming Auth Header
 
         Validate the incoming Auth Header as a token sent from the Bot Framework Service.
@@ -39,7 +39,7 @@ async def authenticate_token_service_url(auth_header: str, credentials: Credenti
         :raises Exception:
         """
         identity = await asyncio.ensure_future(
-            ChannelValidation.authenticate_token(auth_header, credentials))
+            ChannelValidation.authenticate_token(auth_header, credentials, channel_id))
 
         service_url_claim = identity.get_claim_value(ChannelValidation.SERVICE_URL_CLAIM)
         if service_url_claim != service_url:
@@ -49,7 +49,7 @@ async def authenticate_token_service_url(auth_header: str, credentials: Credenti
         return identity
 
     @staticmethod
-    async def authenticate_token(auth_header: str, credentials: CredentialProvider) -> ClaimsIdentity:
+    async def authenticate_token(auth_header: str, credentials: CredentialProvider, channel_id: str) -> ClaimsIdentity:
         """ Validate the incoming Auth Header
 
         Validate the incoming Auth Header as a token sent from the Bot Framework Service.
@@ -69,7 +69,7 @@ async def authenticate_token(auth_header: str, credentials: CredentialProvider)
             Constants.ALLOWED_SIGNING_ALGORITHMS)
 
         identity = await asyncio.ensure_future(
-            token_extractor.get_identity_from_auth_header(auth_header))
+            token_extractor.get_identity_from_auth_header(auth_header, channel_id))
         if not identity:
             # No valid identity. Not Authorized.
             raise Exception('Unauthorized. No valid identity.')
 
@@ -81,7 +81,7 @@ def is_token_from_emulator(auth_header: str) -> bool:
         return True
 
     @staticmethod
-    async def authenticate_emulator_token(auth_header: str, credentials: CredentialProvider) -> ClaimsIdentity:
+    async def authenticate_emulator_token(auth_header: str, credentials: CredentialProvider, channel_id: str) -> ClaimsIdentity:
         """ Validate the incoming Auth Header
 
 <
67ED
span class=pl-s>        Validate the incoming Auth Header as a token sent from the Bot Framework Service.
@@ -101,7 +101,7 @@ async def authenticate_emulator_token(auth_header: str, credentials: CredentialP
             Constants.ALLOWED_SIGNING_ALGORITHMS)
 
         identity = await asyncio.ensure_future(
-            token_extractor.get_identity_from_auth_header(auth_header))
+            token_extractor.get_identity_from_auth_header(auth_header, channel_id))
         if not identity:
             # No valid identity. Not Authorized.
             raise Exception('Unauthorized. No valid identity.')
 
@@ -0,0 +1,31 @@
+from typing import List
+
+class EndorsementsValidator():
+    @staticmethod
+    def validate(channel_id: str, endorsements: List[str]):
+        # If the Activity came in and doesn't have a Channel ID then it's making no 
+        # assertions as to who endorses it. This means it should pass. 
+        if not channel_id:
+            return True
+
+        if endorsements == None:
+            raise ValueError('Argument endorsements is null.')
+
+        # The Call path to get here is: 
+        # JwtTokenValidation.AuthenticateRequest
+        #  ->
+        #   JwtTokenValidation.ValidateAuthHeader
+        #    ->                                         
+        #      ChannelValidation.AuthenticateChannelToken
+        #       -> 
+        #          JWTTokenExtractor
+
+        # Does the set of endorsements match the channelId that was passed in? 
+
+        # ToDo: Consider moving this to a HashSet instead of a string
+        # array, to make lookups O(1) instead of O(N). To give a sense 
+        # of scope, tokens from WebChat have about 10 endorsements, and 
+        # tokens coming from Teams have about 20. 
+
+        endorsementPresent = channel_id in endorsements
+        return endorsementPresent
@@ -6,15 +6,15 @@
 import jwt
 from .claims_identity import ClaimsIdentity
 from .verify_options import VerifyOptions
+from .endorsements_validator import EndorsementsValidator
 
 class JwtTokenExtractor:
     metadataCache = {}
 
-    def __init__(self, validationParams: VerifyOptions, metadata_url: str, allowedAlgorithms: list, validator=None):
+    def __init__(self, validationParams: VerifyOptions, metadata_url: str, allowedAlgorithms: list):
         self.validation_parameters = validationParams
         self.validation_parameters.algorithms = allowedAlgorithms
         self.open_id_metadata = JwtTokenExtractor.get_open_id_metadata(metadata_url)
-        self.validator = validator if validator is not None else lambda x: True
 
     @staticmethod
     def get_open_id_metadata(metadata_url: str):
@@ -24,15 +24,15 @@ def get_open_id_metadata(metadata_url: str):
             JwtTokenExtractor.metadataCache.setdefault(metadata_url, metadata)
         return metadata
 
-    async def get_identity_from_auth_header(self, auth_header: str) -> ClaimsIdentity:
+    async def get_identity_from_auth_header(self, auth_header: str, channel_id: str) -> ClaimsIdentity:
         if not auth_header:
             return None
         parts = auth_header.split(" ")
         if len(parts) == 2:
-            return await self.get_identity(parts[0], parts[1])
+            return await self.get_identity(parts[0], parts[1], channel_id)
         return None
 
-    async def get_identity(self, schema: str, parameter: str) -> ClaimsIdentity:
+    async def get_identity(self, schema: str, parameter: str, channel_id) -> ClaimsIdentity:
         # No header in correct scheme or no token
         if schema != "Bearer" or not parameter:
             return None
@@ -42,7 +42,7 @@ async def get_identity(self, schema: str, parameter: str) -> ClaimsIdentity:
             return None
 
         try:
-            return await self._validate_token(parameter)
+            return await self._validate_token(parameter, channel_id)
         except:
             raise
 
@@ -54,7 +54,7 @@ def _has_allowed_issuer(self, jwt_token: str) -> bool:
 
         return issuer is self.validation_parameters.issuer
 
-    async def _validate_token(self, jwt_token: str) -> ClaimsIdentity:
+    async def _validate_token(self, jwt_token: str, channel_id: str) -> ClaimsIdentity:
         headers = jwt.get_unverified_header(jwt_token)
 
         # Update the signing tokens from the last refresh
@@ -65,9 +65,8 @@ async def _validate_token(self, jwt_token: str) -> ClaimsIdentity:
         if headers.get("alg", None) not in self.validation_parameters.algorithms:
             raise Exception('Token signing algorithm not in allowed list')
 
-        if self.validator is not None:
-            if not self.validator(metadata.endorsements):
-                raise Exception('Could not validate endorsement key')
+        if not EndorsementsValidator.validate(channel_id, metadata.endorsements):
+            raise Exception('Could not validate endorsement key')
 
         options = {
             'verify_aud': False,
 
@@ -4,12 +4,13 @@
 from .channel_validation import ChannelValidation
 from .microsoft_app_credentials import MicrosoftAppCredentials
 from .credential_provider import CredentialProvider
+from .claims_identity import ClaimsIdentity
 
 class JwtTokenValidation:
 
     @staticmethod
-    async def assert_valid_activity(activity: Activity, auth_header: str, credentials: CredentialProvider):
-        """Validates the security tokens required by the Bot Framework Protocol. Throws on any exceptions.
+    async def authenticate_request(activity: Activity, auth_header: str, credentials: CredentialProvider) -> ClaimsIdentity:
+        """Authenticates the request and sets the service url in the set of trusted urls.
         
         :param activity: The incoming Activity from the Bot Framework or the Emulator
         :type activity: ~botframework.connector.models.Activity
@@ -30,12 +31,22 @@ async def assert_valid_activity(activity: Activity, auth_header: str, credential
             # No Auth Header. Auth is required. Request is not authorized.
             raise Exception('Unauthorized Access. Request is not authorized')
 
-        using_emulator = EmulatorValidation.is_token_from_emulator(auth_header)
-        if using_emulator:
-            await EmulatorValidation.authenticate_emulator_token(auth_header, credentials)
-        else:
-            await ChannelValidation.authenticate_token_service_url(
-                auth_header, credentials, activity.service_url)
+        claims_identity = await JwtTokenValidation.validate_auth_header(auth_header, credentials, activity.channel_id, activity.service_url)
 
         # On the standard Auth path, we need to trust the URL that was incoming.
         MicrosoftAppCredentials.trust_service_url(activity.service_url)
+
+        return claims_identity
+    
+    @staticmethod
+    async def validate_auth_header(auth_header: str, credentials: CredentialProvider, channel_id: str, service_url: str = None) -> ClaimsIdentity:
+        if not auth_header:
+            raise ValueError('argument auth_header is null')
+        using_emulator = EmulatorValidation.is_token_from_emulator(auth_header)
+        if using_emulator:
+            return await EmulatorValidation.authenticate_emulator_token(auth_header, credentials, channel_id)
+        else:
+            if service_url:
+                return await ChannelValidation.authenticate_token_service_url(auth_header, credentials, service_url, channel_id)
+            else:
+                return await ChannelValidation.authenticate_token(auth_header, credentials, channel_id)