Added error handling when webcp redirects have browser protocol, Fixes AB#3385536 (#2767)

Issue : There is a recent change made in WebCP side to pass browser
protocol redirects for China market urls, 3rd part MDM urls and also the
Url to playstore launch for installing CP. This is an unexpected change
on their side and we did not have proper handling for these cases.

Fix : 
1. Added try/catch block around the operations in processWebsiteRequest
method.
2. Returning MDM_FLOW as the result instead of CANCELLED result
currently being returned when we open link in a browser for webcp urls.
3. Added telemetry for operations in processWebsiteRequest method.
4. Made some minor improvements in AzureActiveDirectoryWebViewClient
class to avoid duplicate code for getting broker package name from url.

Related broker with just an attribute added :
AzureAD/ad-accounts-for-android#3228

Fixes
[AB#3385536](https://identitydivision.visualstudio.com/fac9d424-53d2-45c0-91b5-ef6ba7a6bf26/_workitems/edit/3385536)

Author: somalaya

changelog.txt

@@ -9,6 +9,7 @@ vNext
 - [MINOR] Add client scenario to JwtRequestBody (#2755)
 - [MINOR] Awaiting MFA Delegate now automatically returns the AuthMethods to be used when calling MFA Challenge (#2764)
 - [MINOR] SDK now handles SMS as strong authentication method #2766
+- [MINOR] Added error handling when webcp redirects have browser protocol #2767
 
 Version 22.1.0
 ----------

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java

@@ -92,6 +92,7 @@
 import java.util.concurrent.TimeUnit;
 
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.AMAZON_APP_REDIRECT_PREFIX;
+import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.AZURE_AUTHENTICATOR_APP_PACKAGE_NAME;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.COMPANY_PORTAL_APP_PACKAGE_NAME;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.IPPHONE_APP_PACKAGE_NAME;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.IPPHONE_APP_SHA512_RELEASE_SIGNATURE;
@@ -130,9 +131,9 @@ public class AzureActiveDirectoryWebViewClient extends OAuth2WebViewClient {
     private HashMap<String, String> mRequestHeaders;
     private String mRequestUrl;
     private boolean mAuthUxJavaScriptInterfaceAdded = false;
-    private boolean mIsWebCpInWebViewFeatureEnabled = false;
+    private boolean mInWebCpFlow = false;
 
-    private String mUtid;
+    private final String mUtid;
 
     public AzureActiveDirectoryWebViewClient(@NonNull final Activity activity,
                                              @NonNull final IAuthorizationCompletionCallback completionCallback,
@@ -338,10 +339,10 @@ else if (isRedirectUrl(formattedURL)) {
             } else if (CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(CommonFlight.ENABLE_ATTACH_PRT_HEADER_WHEN_CROSS_CLOUD) && isCrossCloudRedirect(formattedURL)) {
                 Logger.info(methodTag,"Navigation contains cross cloud redirect.");
                 processCrossCloudRedirect(view, url);
-            } else if (mIsWebCpInWebViewFeatureEnabled && isWebCpEnrollmentUrl(url)) {
+            } else if (mInWebCpFlow && isWebCpEnrollmentUrl(url)) {
                 Logger.info(methodTag,"Navigation contains web cp enrollment url.");
                 processWebCpEnrollmentUrl(view, url);
-            } else if (mIsWebCpInWebViewFeatureEnabled && isWebCpAuthorizeUrl(url)) {
+            } else if (mInWebCpFlow && isWebCpAuthorizeUrl(url)) {
                 processWebCpAuthorize(view, url);
             }  else if (isDeviceCaRequest(url) && isHttpsScheme(url) && isWebCpInWebviewFeatureEnabled(url)) {
                 // Special handling for device CA requests due to a corner case in eSTS for webapps/confidential clients, which should be handled by the WebView.
@@ -574,19 +575,78 @@ private void processSwitchBrowserRequest(@NonNull final String url) {
         }
     }
 
-    private void processWebsiteRequest(@NonNull final WebView view, @NonNull final String url) {
+    @VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+    protected void processWebsiteRequest(@NonNull final WebView view, @NonNull final String url) {
         final String methodTag = TAG + ":processWebsiteRequest";
         view.stopLoading();
+        final SpanContext spanContext = getActivity() instanceof AuthorizationActivity ? ((AuthorizationActivity) getActivity()).getSpanContext() : null;
+        final Span span = spanContext != null ?
+                OTelUtility.createSpanFromParent(SpanName.ProcessWebsiteRequest.name(), spanContext) : OTelUtility.createSpan(SpanName.ProcessWebsiteRequest.name());
+        span.setAttribute(AttributeName.is_in_web_cp_flow.name(), mInWebCpFlow);
+        try (final Scope scope = SpanExtension.makeCurrentSpan(span)) {
+            if (isDeviceCaRequest(url)) {
+                processDeviceCaRequest(view, url);
+                span.setStatus(StatusCode.OK);
+                return;
+            }
 
-        if (isDeviceCaRequest(url)) {
-           processDeviceCaRequest(view, url);
-        } else {
-            Logger.info(methodTag, "Not a device CA request. Redirecting to browser.");
-            openLinkInBrowser(url);
-            returnResult(RawAuthorizationResult.ResultCode.CANCELLED);
+            if (isRedirectToPlaystoreToInstallCp(url) && mInWebCpFlow) {
+                handlePlaystoreLaunchUrlFromWebCp(url);
+                span.setStatus(StatusCode.OK);
+                return;
+            }
+
+            // Default case: redirect to browser
+            handleBrowserRedirect(methodTag, url);
+            span.setStatus(StatusCode.OK);
+        } catch (final Throwable throwable) {
+            Logger.error(methodTag, "Failed to open link in browser.", throwable);
+            span.recordException(throwable);
+            span.setStatus(StatusCode.ERROR);
+            returnError(ErrorStrings.UNEXPECTED_ERROR, "No browser found to open the link.");
+        } finally {
+            span.end();
         }
     }
 
+    /**
+     * Handles the default browser redirect case for website requests.
+     * @param methodTag The method tag for logging
+     * @param url The URL to open in browser
+     */
+    private void handleBrowserRedirect(@NonNull final String methodTag, @NonNull final String url) {
+        Logger.info(methodTag, "Not a device CA request. Redirecting to browser.");
+        openLinkInBrowser(url);
+        final RawAuthorizationResult.ResultCode resultCode = mInWebCpFlow
+                ? RawAuthorizationResult.ResultCode.MDM_FLOW
+                : RawAuthorizationResult.ResultCode.CANCELLED;
+
+        Logger.info(methodTag, "Returning result code: " + resultCode);
+        returnResult(resultCode);
+    }
+
+    // Handles Playstore launch URLs originating from WebCP, specifically for installing the Company Portal app.
+    private void handlePlaystoreLaunchUrlFromWebCp(@NonNull final String url) {
+        final String methodTag = TAG + ":handlePlaystoreLaunchUrlFromWebCp";
+        Logger.info(methodTag, "Handling playstore launch URL from WebCP.");
+        SpanExtension.current().setAttribute(AttributeName.is_redirect_to_playstore_launch_from_webcp.name(), true);
+        openLinkInBrowser(url);
+        returnResult(RawAuthorizationResult.ResultCode.MDM_FLOW);
+    }
+
+    /**
+     * Checks if it is a redirect to Playstore to install Company Portal app.
+     * @param url The URL to check.
+     * @return true if it is a redirect to Playstore to install Company Portal app.
+     */
+    private boolean isRedirectToPlaystoreToInstallCp(@NonNull final String url) {
+       if (url.contains(PLAY_STORE_INSTALL_APP_PREFIX + COMPANY_PORTAL_APP_PACKAGE_NAME)) {
+           Logger.info(TAG, "Redirect to Playstore to install Company Portal app.");
+           return true;
+       }
+       return false;
+    }
+
     /**
      * Processed device CA requests detected in the web flow.
      * @param view The {@link WebView} instance in which the request originated.
@@ -679,10 +739,11 @@ protected boolean isWebCpInWebviewFeatureEnabled(@NonNull final String originalU
             final int waitForFlightsTimeOut = CommonFlightsManager.INSTANCE.getFlightsProvider().getIntValue(CommonFlight.WEB_CP_WAIT_TIMEOUT_FOR_FLIGHTS);
             final boolean isWebCpFlightEnabled = CommonFlightsManager.INSTANCE.getFlightsProviderForTenant(homeTenantId, waitForFlightsTimeOut).isFlightEnabled(CommonFlight.ENABLE_WEB_CP_IN_WEBVIEW);
             SpanExtension.current().setAttribute(AttributeName.web_cp_flight_get_time.name(), (System.currentTimeMillis() - webCpGetFlightStartTime));
+
             if (isWebCpFlightEnabled) {
                 // Directly enabled via flight rollout.
                 Logger.info(methodTag, "WebCP in WebView feature is enabled.");
-                mIsWebCpInWebViewFeatureEnabled = true;
+                mInWebCpFlow = true;
                 return true;
             }
 
@@ -755,12 +816,11 @@ private boolean processPlayStoreURL(@NonNull final WebView view, @NonNull final
 
         view.stopLoading();
         if (!(url.startsWith(PLAY_STORE_INSTALL_PREFIX + COMPANY_PORTAL_APP_PACKAGE_NAME))
-                && !(url.startsWith(PLAY_STORE_INSTALL_PREFIX + AuthenticationConstants.Broker.AZURE_AUTHENTICATOR_APP_PACKAGE_NAME))) {
+                && !(url.startsWith(PLAY_STORE_INSTALL_PREFIX + AZURE_AUTHENTICATOR_APP_PACKAGE_NAME))) {
             Logger.info(methodTag, "The URI is either trying to open an unknown application or contains unknown query parameters");
             return false;
         }
-        final String appPackageName = (url.contains(COMPANY_PORTAL_APP_PACKAGE_NAME) ?
-                COMPANY_PORTAL_APP_PACKAGE_NAME : AuthenticationConstants.Broker.AZURE_AUTHENTICATOR_APP_PACKAGE_NAME);
+        final String appPackageName = getBrokerAppPackageNameFromUrl(url);
         Logger.info(methodTag, "Request to open PlayStore to install package : '" + appPackageName + "'");
 
         try {
@@ -779,21 +839,13 @@ private boolean processPlayStoreURL(@NonNull final WebView view, @NonNull final
     private boolean processPlayStoreURLForBrokerApps(@NonNull final WebView view, @NonNull final String url) {
         final String methodTag = TAG + ":processPlayStoreURL";
 
-        final String appPackageName = (url.contains(COMPANY_PORTAL_APP_PACKAGE_NAME) ?
-                COMPANY_PORTAL_APP_PACKAGE_NAME : AuthenticationConstants.Broker.AZURE_AUTHENTICATOR_APP_PACKAGE_NAME);
+        final String appPackageName = getBrokerAppPackageNameFromUrl(url);
         Logger.info(methodTag, "Request to open PlayStore to install package : '" + appPackageName + "'");
 
         try {
             final Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(PLAY_STORE_INSTALL_APP_PREFIX + appPackageName));
-            intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
             getActivity().startActivity(intent);
             view.stopLoading();
-            if (appPackageName.equalsIgnoreCase(COMPANY_PORTAL_APP_PACKAGE_NAME) && (mIsWebCpInWebViewFeatureEnabled)) {
-                // If the flight for webcp is enabled, we will return the result code to the activity to indicate that the MDM flow has started.
-                // Note that this is only for CP app as we are not aware of any other flows (other than webcp) reaching this code path.
-                returnResult(RawAuthorizationResult.ResultCode.MDM_FLOW);
-            }
-
             return true;
         } catch (final ActivityNotFoundException e) {
             //if GooglePlay is not present on the device.
@@ -839,7 +891,8 @@ private void processAmazonAppUri(@NonNull final String url) {
         Logger.info(methodTag, "Sent Intent to launch Amazon app");
     }
 
-    private void openLinkInBrowser(final String url) {
+    @VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+    protected void openLinkInBrowser(final String url) {
         final String methodTag = TAG + ":openLinkInBrowser";
         Logger.info(methodTag, "Try to open url link in browser");
         final String link = url
@@ -910,7 +963,7 @@ private void processInvalidRedirectUri(@NonNull final WebView view,
         final String methodTag = TAG + ":processInvalidRedirectUri";
 
         Logger.error(methodTag, "The RedirectUri is not as expected.", null);
-        Logger.errorPII(methodTag,String.format("Received %s and expected %s", url, mRedirectUrl), null);
+        Logger.errorPII(methodTag, String.format("Received %s and expected %s", url, mRedirectUrl), null);
         returnError(ErrorStrings.DEVELOPER_REDIRECTURI_INVALID,
                 String.format("The RedirectUri is not as expected. Received %s and expected %s", url,
                         mRedirectUrl));
@@ -1138,4 +1191,22 @@ public void finalizeBeforeSendingResult(@NonNull final RawAuthorizationResult re
         ((AbstractSmartcardCertBasedAuthChallengeHandler<?>)mCertBasedAuthChallengeHandler).promptSmartcardRemovalForResult(callback);
     }
 
+    /**
+     * Extracts the broker app package name from the given URL.
+     * Supports all known broker apps. Returns the first match found.
+     * If no known broker app is found, logs a warning and returns an empty string.
+     *
+     * @param url The URL to inspect.
+     * @return The broker app package name, or empty string if not found.
+     */
+    private String getBrokerAppPackageNameFromUrl(@NonNull final String url) {
+        for (final BrokerData brokerData : BrokerData.getAllBrokers()) {
+            if (url.contains(brokerData.getPackageName())) {
+                return brokerData.getPackageName();
+            }
+        }
+        Logger.warn(TAG + ":getBrokerAppPackageNameFromUrl", "No known broker app package name found in URL: " + url);
+        return "";
+    }
+
 }