From c7b4a634ca49b71c6b514540477e9bc907f5c5eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20Su=C3=A1rez?=
Date: Mon, 22 Feb 2021 15:15:24 -0800
Subject: [PATCH 1/2] Create SkillClaimsValidation.md
---
doc/SkillClaimsValidation.md | 51 ++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 doc/SkillClaimsValidation.md
diff --git a/doc/SkillClaimsValidation.md b/doc/SkillClaimsValidation.md
new file mode 100644
index 000000000..95cd1bf6e
--- /dev/null
+++ b/doc/SkillClaimsValidation.md
@@ -0,0 +1,51 @@
+# HowTo: Block all Skill Claims
+
+Write a class that conforms to the `ValidateClaims` interface and throws an exception if the claims are skill claims:
+```python
+class AllowedSkillsClaimsValidator:
+
+ config_key = "ALLOWED_CALLERS"
+
+ def __init__(self, config: DefaultConfig):
+ if not config:
+ raise TypeError(
+ "AllowedSkillsClaimsValidator: config object cannot be None."
+ )
+
+ # ALLOWED_CALLERS is the setting in config.py file
+ # that consists of the list of parent bot ids that are allowed to access the skill
+ # to add a new parent bot simply go to the AllowedCallers and add
+ # the parent bot's microsoft app id to the list
+ caller_list = getattr(config, self.config_key)
+ if caller_list is None:
+ raise TypeError(f'"{self.config_key}" not found in configuration.')
+ self._allowed_callers = caller_list
+
+ @property
+ def claims_validator(self) -> Callable[[List[Dict]], Awaitable]:
+ async def allow_callers_claims_validator(claims: Dict[str, object]):
+ if skillValidation.is_skill_claim(claims):
+ raise PermissionError(
+ f'Received a request from a bot with an app ID of "{app_id}".'
+ f" To enable requests from this caller, add the app ID to your configuration file."
+ )
+
+ return
+
+ return allow_callers_claims_validator
+```
+
+Update `BotFrameworkAdapter` instantiation, to pass the `AuthenticationConfiguration` constructor the function defined above:
+```python
+AUTH_CONFIG = AuthenticationConfiguration(
+ claims_validator=AllowedSkillsClaimsValidator(CONFIG).claims_validator
+)
+SETTINGS = BotFrameworkAdapterSettings(
+ ...,
+ auth_configuration=AUTH_CONFIG,
+)
+ADAPTER = BotFrameworkAdapter(
+ ...,
+ SETTINGS,
+)
+```
From 360deb132920a20fd3caa72e8f6e5fe1bf9bdad8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20Su=C3=A1rez?=
Date: Mon, 22 Feb 2021 15:18:10 -0800
Subject: [PATCH 2/2] Fixing error message
---
doc/SkillClaimsValidation.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/doc/SkillClaimsValidation.md b/doc/SkillClaimsValidation.md
index 95cd1bf6e..ee55c2894 100644
--- a/doc/SkillClaimsValidation.md
+++ b/doc/SkillClaimsValidation.md
@@ -26,8 +26,7 @@ class AllowedSkillsClaimsValidator:
 async def allow_callers_claims_validator(claims: Dict[str, object]):
 if skillValidation.is_skill_claim(claims):
 raise PermissionError(
- f'Received a request from a bot with an app ID of "{app_id}".'
- f" To enable requests from this caller, add the app ID to your configuration file."
+ "Invalid call from a skill."
 )

 return