Merge branch 'dev' into mchand/keystore-unwrap-fix

Author: Mohit Chandwani

azure-pipelines/pull-request-validation/common.yml

@@ -2,7 +2,7 @@
 # Variable: 'MOCK_API_URL' was defined in the Variables tab
 # Description: Assemble and run unit test
 name: $(date:yyyyMMdd)$(rev:.r)
-
+trigger: none
 variables:
   - group: devex-ciam-test
 

azure-pipelines/pull-request-validation/common4j.yml

@@ -3,7 +3,7 @@
 # Variable: 'MOCK_API_URL' was defined in the Variables tab
 # Uses Java 11
 name: $(date:yyyyMMdd)$(rev:.r)
-
+trigger: none
 variables:
   - group: devex-ciam-test
 

changelog.txt

@@ -1,8 +1,8 @@
 vNext
 ----------
 - [PATCH] Allow generating wrapping keys without PURPOSE_WRAP_KEY with Flight (#2633))
+- [MINOR] Pass Work Profile existence, OS Version, and Manufacturer to ESTS (#2627)
 - [MINOR] Add telemetry for the switch browser protocol (#2612)
-- [MINOR] Enable the new Broker discovery on MSAL by default (#2618)
 
 Version 21.0.0
 ----------

common/src/main/java/com/microsoft/identity/common/adal/internal/AuthenticationConstants.java

@@ -1161,6 +1161,18 @@ public static String computeMaxHostBrokerProtocol() {
          */
         public static final String LTW_APP_SHA512_DEBUG_SIGNATURE = "5PAhhZNSRRvq7vpTT5vrYJbSLh05AU8USf7oUTS239PEltebX87uGN7GhAe5244lJepwZ5RU4vu8N6ospXVOlg==";
 
+        /**
+         * Signing certificate thumbprint of the DEBUG-signed Microsoft Intune app.
+         * Generated with SHA-512.
+         */
+        public static final String INTUNE_APP_SHA512_DEBUG_SIGNATURE = "F+Tat7A/mlOJCzRYEmj9DgLRHU2Nb0VSQjgZEyAehqW9+cOT0oYjkT/fa33hYcVMwUzaSy0hUOVt9KQtyFRnVQ==";
+
+        /**
+         * Signing certificate thumbprint of the RELEASE-signed Microsoft Intune app.
+         * Generated with SHA-512.
+         */
+        public static final String INTUNE_APP_SHA512_RELEASE_SIGNATURE = "jPpMoaNvcxSLMX4yG4C3Gf86rtTqh33SqpuRKg4WOP+MnnpA52zZgvKLW76U4Cqqf68iaBk9W7k/jhciiSAtgQ==";
+
         /**
          * Teams IP Phones (Sakurai devices) is supported by Intune, but does not have a back button nor browser.
          * The only supported detection of this phone is the application install state.

common/src/main/java/com/microsoft/identity/common/components/AndroidPlatformComponentsFactory.java

@@ -36,6 +36,7 @@
 import com.microsoft.identity.common.internal.providers.oauth2.AndroidTaskStateGenerator;
 import com.microsoft.identity.common.internal.ui.AndroidAuthorizationStrategyFactory;
 import com.microsoft.identity.common.internal.ui.browser.AndroidBrowserSelector;
+import com.microsoft.identity.common.internal.util.WorkProfileUtil;
 import com.microsoft.identity.common.java.WarningType;
 import com.microsoft.identity.common.java.interfaces.IPlatformComponents;
 import com.microsoft.identity.common.java.interfaces.PlatformComponents;
@@ -67,6 +68,10 @@ public static synchronized void initializeGlobalStates(@NonNull final Context co
         if (!sGlobalStateInitalized) {
             HttpCache.initialize(context);
             Device.setDeviceMetadata(new AndroidDeviceMetadata());
+
+            // Denotes whether or not request is from personal profile but device has a Work Profile Available
+            Device.setIsInPersonalProfileButClouddpcWorkProfileAvailable(
+                    WorkProfileUtil.checkIfIsInPersonalProfileButClouddpcWorkProfileAvailable(context));
             Logger.setAndroidLogger();
 
             final File cacheDir = context.getCacheDir();

common/src/main/java/com/microsoft/identity/common/internal/activebrokerdiscovery/BrokerDiscoveryClient.kt

@@ -73,7 +73,30 @@ class BrokerDiscoveryClient(private val brokerCandidates: Set<BrokerData>,
         val dispatcher = Dispatchers.IO.limitedParallelism(10)
 
         const val ACTIVE_BROKER_PACKAGE_NAME_BUNDLE_KEY = "ACTIVE_BROKER_PACKAGE_NAME_BUNDLE_KEY"
-        const val ACTIVE_BROKER_SIGNING_CERTIFICATE_THUMBPRINT_BUNDLE_KEY = "ACTIVE_BROKER_SIGNING_CERTIFICATE_THUMBPRINT_BUNDLE_KEY"
+        const val ACTIVE_BROKER_SIGNING_CERTIFICATE_THUMBPRINT_BUNDLE_KEY =
+            "ACTIVE_BROKER_SIGNING_CERTIFICATE_THUMBPRINT_BUNDLE_KEY"
+
+        const val FORCE_TRIGGER_BROKER_DISCOVERY_BUNDLE_KEY =
+            "FORCE_TRIGGER_BROKER_DISCOVERY_BUNDLE_KEY"
+        const val FORCE_TRIGGER_BROKER_DISCOVERY_RESULT_EXECUTED_BUNDLE_KEY =
+            "FORCE_TRIGGER_BROKER_DISCOVERY_RESULT_EXECUTED_BUNDLE_KEY"
+
+        // the broker service is too old and doesn't support this API.
+        const val FORCE_TRIGGER_BROKER_DISCOVERY_RESULT_OPERATION_NOT_SUPPORTED =
+            "OPERATION_NOT_SUPPORTED"
+
+        // the broker service recognizes this API, but the feature is disabled (e.g. behind a flight).
+        const val FORCE_TRIGGER_BROKER_DISCOVERY_RESULT_OPERATION_DISABLED = "OPERATION_DISABLED"
+
+        // the broker app you're communicating to is not installed.
+        const val FORCE_TRIGGER_BROKER_DISCOVERY_PACKAGE_NOT_INSTALLED = "PACKAGE_NOT_INSTALLED"
+
+        // the broker service you're communicating to is not a valid broker app. (e.g. not signed by proper keys)
+        const val FORCE_TRIGGER_BROKER_DISCOVERY_NOT_VALID_BROKER = "NOT_VALID_BROKER"
+
+        // Unexpected error.
+        const val FORCE_TRIGGER_BROKER_DISCOVERY_RESULT_UNEXPECTED_ERROR = "UNEXPECTED_ERROR"
+
         const val ERROR_BUNDLE_KEY = "ERROR_BUNDLE_KEY"
 
         /**
@@ -93,13 +116,15 @@ class BrokerDiscoveryClient(private val brokerCandidates: Set<BrokerData>,
          * @param shouldStopQueryForAWhile  a method which, if invoked, will force [BrokerDiscoveryClient]
          *                                  to skip the IPC discovery process for a while.
          **/
-        internal suspend fun queryFromBroker(brokerCandidates: Set<BrokerData>,
-                                             ipcStrategy: IIpcStrategy,
-                                             isPackageInstalled: (BrokerData) -> Boolean,
-                                             isValidBroker: (BrokerData) -> Boolean
+        internal suspend fun queryFromBroker(
+            brokerCandidates: Set<BrokerData>,
+            ipcStrategy: IIpcStrategy,
+            isPackageInstalled: (BrokerData) -> Boolean,
+            isValidBroker: (BrokerData) -> Boolean
         ): BrokerData? {
             return coroutineScope {
-                val installedCandidates = brokerCandidates.filter(isPackageInstalled).filter(isValidBroker)
+                val installedCandidates =
+                    brokerCandidates.filter(isPackageInstalled).filter(isValidBroker)
                 val deferredResults = installedCandidates.map { candidate ->
                     async(dispatcher) {
                         return@async makeRequest(candidate, ipcStrategy)
@@ -109,8 +134,10 @@ class BrokerDiscoveryClient(private val brokerCandidates: Set<BrokerData>,
             }
         }
 
-        private fun makeRequest(candidate: BrokerData,
-                                ipcStrategy: IIpcStrategy): BrokerData? {
+        private fun makeRequest(
+            candidate: BrokerData,
+            ipcStrategy: IIpcStrategy
+        ): BrokerData? {
             val methodTag = "$TAG:makeRequest"
             val operationBundle = BrokerOperationBundle(
                 BrokerOperationBundle.Operation.BROKER_DISCOVERY_FROM_SDK,
@@ -120,19 +147,26 @@ class BrokerDiscoveryClient(private val brokerCandidates: Set<BrokerData>,
 
             return try {
                 val result = ipcStrategy.communicateToBroker(operationBundle)
-                extractResult(result)
+                extractResult(result, forceTriggerDiscoveryFlow = false)
             } catch (t: Throwable) {
                 if (t is BrokerCommunicationException &&
-                    BrokerCommunicationException.Category.OPERATION_NOT_SUPPORTED_ON_SERVER_SIDE == t.category) {
-                    Logger.info(methodTag,
-                        "Tried broker discovery on ${candidate}. It doesn't support the IPC mechanism.")
-                } else if (t is ClientException && ONLY_SUPPORTS_ACCOUNT_MANAGER_ERROR_CODE == t.errorCode){
-                    Logger.info(methodTag,
+                    BrokerCommunicationException.Category.OPERATION_NOT_SUPPORTED_ON_SERVER_SIDE == t.category
+                ) {
+                    Logger.info(
+                        methodTag,
+                        "Tried broker discovery on ${candidate}. It doesn't support the IPC mechanism."
+                    )
+                } else if (t is ClientException && ONLY_SUPPORTS_ACCOUNT_MANAGER_ERROR_CODE == t.errorCode) {
+                    Logger.info(
+                        methodTag,
                         "Tried broker discovery on ${candidate}. " +
-                                "The Broker side indicates that only AccountManager is supported.")
+                                "The Broker side indicates that only AccountManager is supported."
+                    )
                 } else {
-                    Logger.error(methodTag,
-                        "Tried broker discovery on ${candidate}, get an error", t)
+                    Logger.error(
+                        methodTag,
+                        "Tried broker discovery on ${candidate}, get an error", t
+                    )
                 }
                 null
             }
@@ -142,7 +176,8 @@ class BrokerDiscoveryClient(private val brokerCandidates: Set<BrokerData>,
          * Extract the result returned via the IPC operation
          **/
         @Throws(NoSuchElementException::class)
-        private fun extractResult(bundle: Bundle?): BrokerData? {
+        private fun extractResult(bundle: Bundle?,
+                                  forceTriggerDiscoveryFlow: Boolean): BrokerData? {
             if (bundle == null) {
                 return null
             }
@@ -152,33 +187,92 @@ class BrokerDiscoveryClient(private val brokerCandidates: Set<BrokerData>,
                 throw errorData as Throwable
             }
 
-            val pkgName = bundle.getString(ACTIVE_BROKER_PACKAGE_NAME_BUNDLE_KEY)?:
-                throw NoSuchElementException("ACTIVE_BROKER_PACKAGE_NAME_BUNDLE_KEY must not be null")
+            if (forceTriggerDiscoveryFlow &&
+                !bundle.containsKey(FORCE_TRIGGER_BROKER_DISCOVERY_RESULT_EXECUTED_BUNDLE_KEY)) {
+                throw ClientException(
+                    FORCE_TRIGGER_BROKER_DISCOVERY_RESULT_OPERATION_NOT_SUPPORTED,
+                    "Force Broker Discovery is not supported by the broker side. Please update the app."
+                )
+            }
+
+            val pkgName = bundle.getString(ACTIVE_BROKER_PACKAGE_NAME_BUNDLE_KEY)
+                ?: throw NoSuchElementException("ACTIVE_BROKER_PACKAGE_NAME_BUNDLE_KEY must not be null")
 
-            val signatureHash = bundle.getString(ACTIVE_BROKER_SIGNING_CERTIFICATE_THUMBPRINT_BUNDLE_KEY)?:
-                throw NoSuchElementException("ACTIVE_BROKER_SIGNING_CERTIFICATE_THUMBPRINT_BUNDLE_KEY must not be null")
+            val signatureHash =
+                bundle.getString(ACTIVE_BROKER_SIGNING_CERTIFICATE_THUMBPRINT_BUNDLE_KEY)
+                    ?: throw NoSuchElementException("ACTIVE_BROKER_SIGNING_CERTIFICATE_THUMBPRINT_BUNDLE_KEY must not be null")
 
             return BrokerData(pkgName, signatureHash)
         }
     }
 
     constructor(context: Context,
                 components: IPlatformComponents,
-                cache: IClientActiveBrokerCache): this(
+                cache: IClientActiveBrokerCache) : this(
         brokerCandidates = BrokerData.getKnownBrokerApps(),
         getActiveBrokerFromAccountManager = {
             AccountManagerBrokerDiscoveryUtil(context).getActiveBrokerFromAccountManager()
         },
         ipcStrategy = ContentProviderStrategy(context, components),
         cache = cache,
         isPackageInstalled = { brokerData ->
-            PackageHelper(context).
-            isPackageInstalledAndEnabled(brokerData.packageName)
+            PackageHelper(context).isPackageInstalledAndEnabled(brokerData.packageName)
         },
         isValidBroker = { brokerData ->
             BrokerValidator(context).isSignedByKnownKeys(brokerData)
         })
 
+    @kotlin.jvm.Throws(ClientException::class)
+    override fun forceBrokerRediscovery(brokerCandidate: BrokerData): BrokerData {
+        val methodTag = "$TAG:forceBrokerRediscovery"
+        return runBlocking {
+            classLevelLock.withLock {
+                try {
+                    if (!isPackageInstalled(brokerCandidate)) {
+                        throw ClientException(
+                            FORCE_TRIGGER_BROKER_DISCOVERY_PACKAGE_NOT_INSTALLED,
+                            "${brokerCandidate.packageName} is not installed."
+                        )
+                    }
+
+                    if (!isValidBroker(brokerCandidate)) {
+                        throw ClientException(
+                            FORCE_TRIGGER_BROKER_DISCOVERY_NOT_VALID_BROKER,
+                            "${brokerCandidate.packageName} is not signed with valid key."
+                        )
+                    }
+
+                    val operationBundle = BrokerOperationBundle(
+                        BrokerOperationBundle.Operation.BROKER_DISCOVERY_FROM_SDK,
+                        brokerCandidate.packageName,
+                        Bundle().apply {
+                            putBoolean(FORCE_TRIGGER_BROKER_DISCOVERY_BUNDLE_KEY, true)
+                        }
+                    )
+
+                    val bundleResult = ipcStrategy.communicateToBroker(operationBundle)
+                    val result = extractResult(bundleResult, forceTriggerDiscoveryFlow = true)
+                        ?: throw ClientException(
+                            FORCE_TRIGGER_BROKER_DISCOVERY_RESULT_UNEXPECTED_ERROR,
+                            "Result bundle should not be null."
+                        )
+                    cache.setCachedActiveBroker(result)
+                    return@runBlocking result
+                } catch (c: ClientException) {
+                    Logger.error(methodTag, "forceBrokerRediscovery Failed.", c)
+                    throw c
+                } catch (t: Throwable) {
+                    Logger.error(methodTag, "forceBrokerRediscovery Failed with unknown error.", t)
+                    throw ClientException(
+                        FORCE_TRIGGER_BROKER_DISCOVERY_RESULT_UNEXPECTED_ERROR,
+                        "Unexpected result: ${t.message}",
+                        t
+                    )
+                }
+            }
+        }
+    }
+
     override fun getActiveBroker(shouldSkipCache: Boolean): BrokerData? {
         return runBlocking {
             return@runBlocking getActiveBrokerAsync(shouldSkipCache)

common/src/main/java/com/microsoft/identity/common/internal/activebrokerdiscovery/BrokerDiscoveryClientFactory.kt

@@ -39,6 +39,11 @@ class BrokerDiscoveryClientFactory {
 
     companion object {
 
+        private val TAG = BrokerDiscoveryClientFactory::class.simpleName
+
+        @Volatile
+        private var IS_NEW_DISCOVERY_ENABLED = false
+
         @Volatile
         private var clientSdkInstance: IBrokerDiscoveryClient? = null
 
@@ -56,15 +61,20 @@ class BrokerDiscoveryClientFactory {
          **/
         @JvmStatic
         fun setNewBrokerDiscoveryEnabled(isEnabled: Boolean){
-            // noop
+            // If the flag changes, wipe the existing singleton.
+            if (isEnabled != IS_NEW_DISCOVERY_ENABLED) {
+                clientSdkInstance = null
+                brokerSdkInstance = null
+                IS_NEW_DISCOVERY_ENABLED = isEnabled
+            }
         }
 
         /**
          * Returns true if the new Broker discovery mechanism is enabled.
          **/
         @JvmStatic
         fun isNewBrokerDiscoveryEnabled(): Boolean {
-            return true;
+            return BuildConfig.newBrokerDiscoveryEnabledFlag || IS_NEW_DISCOVERY_ENABLED;
         }
 
         /**
@@ -116,7 +126,14 @@ class BrokerDiscoveryClientFactory {
         private fun getInstance(context: Context,
                                 platformComponents: IPlatformComponents,
                                 cache: IClientActiveBrokerCache) : IBrokerDiscoveryClient{
-            return BrokerDiscoveryClient(context, platformComponents, cache)
+            val methodTag = "$TAG:getInstance"
+            return if (isNewBrokerDiscoveryEnabled()) {
+                Logger.info(methodTag, "Broker Discovery is enabled. Use the new logic on the SDK side")
+                BrokerDiscoveryClient(context, platformComponents, cache)
+            } else {
+                Logger.info(methodTag, "Broker Discovery is disabled. Use AccountManager on the SDK side.")
+                LegacyBrokerDiscoveryClient(context)
+            }
         }
     }
 }

common/src/main/java/com/microsoft/identity/common/internal/activebrokerdiscovery/IBrokerDiscoveryClient.kt

@@ -23,6 +23,7 @@
 package com.microsoft.identity.common.internal.activebrokerdiscovery
 
 import com.microsoft.identity.common.internal.broker.BrokerData
+import com.microsoft.identity.common.java.exception.ClientException
 
 interface IBrokerDiscoveryClient {
 
@@ -35,4 +36,19 @@ interface IBrokerDiscoveryClient {
      * @return BrokerData package name and signature hash of the targeted app.
      * **/
     fun getActiveBroker(shouldSkipCache: Boolean = false) : BrokerData?
+
+    /**
+     * Force a broker app to figure out which broker app the SDK (MSAL/OneAuth)
+     * has to send its request to.
+     *
+     * This method will ignore the cache values on both SDK and broker side.
+     *
+     * Due to the nature of the method, the Android broker team will limit which app can invoke this method,
+     * and what circumstance it's allowed to do so (e.g. flight enabled for a certain tenant only).
+     * Please consult the Android broker team before use.
+     *
+     * @return BrokerData package name and signature hash of the targeted app.
+     * **/
+    @kotlin.jvm.Throws(ClientException::class)
+    fun forceBrokerRediscovery(brokerCandidate: BrokerData): BrokerData
 }

common/src/main/java/com/microsoft/identity/common/internal/activebrokerdiscovery/LegacyBrokerDiscoveryClient.kt

@@ -0,0 +1,41 @@
+//  Copyright (c) Microsoft Corporation.
+//  All rights reserved.
+//
+//  This code is licensed under the MIT License.
+//
+//  Permission is hereby granted, free of charge, to any person obtaining a copy
+//  of this software and associated documentation files(the "Software"), to deal
+//  in the Software without restriction, including without limitation the rights
+//  to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+//  copies of the Software, and to permit persons to whom the Software is
+//  furnished to do so, subject to the following conditions :
+//
+//  The above copyright notice and this permission notice shall be included in
+//  all copies or substantial portions of the Software.
+//
+//  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+//  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+//  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+//  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+//  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+//  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+//  THE SOFTWARE.
+package com.microsoft.identity.common.internal.activebrokerdiscovery
+
+import android.content.Context
+import com.microsoft.identity.common.internal.broker.BrokerData
+
+/**
+ * An [IBrokerDiscoveryClient] which is based on AccountManager.
+ **/
+class LegacyBrokerDiscoveryClient(val context: Context): IBrokerDiscoveryClient {
+
+    override fun getActiveBroker(shouldSkipCache: Boolean): BrokerData? {
+        return AccountManagerBrokerDiscoveryUtil(context)
+            .getActiveBrokerFromAccountManager()
+    }
+
+    override fun forceBrokerRediscovery(brokerCandidate: BrokerData): BrokerData {
+        throw UnsupportedOperationException("LegacyBrokerDiscoveryClient does not support forceBrokerRediscovery.")
+    }
+}