merge dev into feature/mfa-otp

Author: nilo-ms

changelog.txt

@@ -1,5 +1,12 @@
 vNext
 ----------
+- [MINOR] Implement TenantUtil (#2761)
+- [MAJOR] Update proguard rules in common (#2756)
+- [MINOR] Add query parameter for Android Release OS Version (#2754)
+- [MINOR] Add client scenario to JwtRequestBody (#2755)
+
+Version 22.1.0
+----------
 - [PATCH] Fix Switch browser back stack (#2750)
 - [MINOR] Move ests telemetry behind feature flag (#2742)
 - [MINOR] Update Broker ATS flow for Resource Account (#2704)

common/build.gradle

@@ -174,6 +174,7 @@ dependencies {
     implementation "androidx.credentials:credentials-play-services-auth:$rootProject.ext.AndroidCredentialsVersion"
     implementation "com.google.android.gms:play-services-fido:$rootProject.ext.LegacyFidoApiVersion"
     implementation "com.google.android.libraries.identity.googleid:googleid:$rootProject.ext.GoogleIdVersion"
+    implementation "com.github.stephenc.jcip:jcip-annotations:$rootProject.ext.jcipAnnotationVersion"
 
     constraints {
         implementation ("com.squareup.okio:okio:3.4.0") {

common/consumer-rules.pro

@@ -17,7 +17,33 @@
 #}
 
 ##---------------Begin: proguard configuration for Common  --------
-# Intentionally blank, left to consumers of common to implement.
+# keep with optmizations and shrinking, but do not obfuscate
+-keep,allowoptimization,allowshrinking class !com.microsoft.identity.common.java.nativeauth.**, !com.microsoft.identity.common.nativeauth.**, com.microsoft.identity.** { *; }
+-keep class * extends com.microsoft.identity.common.java.authorities.Authority { *; }
+-keep class * extends com.microsoft.identity.common.java.authorities.AzureActiveDirectoryAudience { *; }
+-keep class * extends com.microsoft.identity.common.java.cache.ICacheRecord { *; }
+-keep class * extends com.microsoft.identity.common.java.cache.ITokenCacheItem { *; }
+-keep class * extends com.microsoft.identity.common.java.authscheme.AbstractAuthenticationScheme { *; }
+-keep class com.microsoft.identity.common.internal.broker.AuthUxJsonPayload { *; }
+
+
+#For Android Credential Manager: https://developer.android.com/training/sign-in/passkeys#proguard
+-if class androidx.credentials.CredentialManager
+-keep class androidx.credentials.playservices.** {
+  *;
+}
+
+# Runtime annotations
+-keep class net.jcip.annotations.GuardedBy
+-keep class net.jcip.annotations.Immutable
+-keep class net.jcip.annotations.ThreadSafe
+
+# Compile time annotations
+-dontwarn edu.umd.cs.findbugs.annotations.NonNull
+-dontwarn edu.umd.cs.findbugs.annotations.Nullable
+-dontwarn edu.umd.cs.findbugs.annotations.SuppressFBWarnings
+
+-keepattributes SourceFile,LineNumberTable
 
 ##---------------Begin: proguard configuration for Nimbus  ----------
 # Intentionally blank, left to consumers of common to implement.
@@ -28,7 +54,7 @@
 ##---------------Begin: proguard configuration for Gson  --------
 # Gson uses generic type information stored in a class file when working with fields. Proguard
 # removes such information by default, so configure it to keep all of it.
--keepattributes Signature
+-keepattributes Signature,SourceFile,LineNumberTable
 
 # For using GSON @Expose annotation
 -keepattributes *Annotation*
@@ -37,26 +63,27 @@
 -dontwarn sun.misc.**
 #-keep class com.google.gson.stream.** { *; }
 
-# Application classes that will be serialized/deserialized over Gson
--keep class com.google.gson.examples.android.model.** { <fields>; }
-
 # Prevent proguard from stripping interface information from TypeAdapter, TypeAdapterFactory,
 # JsonSerializer, JsonDeserializer instances (so they can be used in @JsonAdapter)
 -keep class * extends com.google.gson.TypeAdapter
 -keep class * implements com.google.gson.TypeAdapterFactory
 -keep class * implements com.google.gson.JsonSerializer
 -keep class * implements com.google.gson.JsonDeserializer
+-keep class com.google.gson.reflect.TypeToken { *; }
+-keep class * extends com.google.gson.reflect.TypeToken { *; }
 
+##---------------Begin: proguard configuration for OpenTelemetry  --------
 # keep everything in this package from being removed or renamed
 -keep class io.opentelemetry.** { *; }
 
 # Prevent R8 from leaving Data object members always null
--keepclassmembers,allowobfuscation class * {
+-keepclassmembers class com.microsoft.identity.** {
   @com.google.gson.annotations.SerializedName <fields>;
+  @com.squareup.moshi.Json <fields>;
 }
 
-#For Android Credential Manager: https://developer.android.com/training/sign-in/passkeys#proguard
--if class androidx.credentials.CredentialManager
--keep class androidx.credentials.playservices.** {
-  *;
-}
+## Other
+# Compile time annotation
+-dontwarn com.google.auto.value.AutoValue$CopyAnnotations
+-dontwarn com.google.auto.value.AutoValue
+-dontwarn com.google.auto.value.extension.memoized.Memoized

common/src/main/java/com/microsoft/identity/common/base64/AndroidBase64.kt

@@ -22,6 +22,7 @@
 // THE SOFTWARE.
 package com.microsoft.identity.common.base64
 
+import androidx.annotation.Keep
 import com.microsoft.identity.common.java.base64.Base64Flags
 import com.microsoft.identity.common.java.base64.Base64Util
 import com.microsoft.identity.common.java.base64.IBase64
@@ -33,8 +34,9 @@ import com.microsoft.identity.common.java.base64.IBase64
  * you'll need to make change in [Base64Util] too.
  *
  * see [Base64Util] for more info.
+ * This is called using reflection from [Base64Util], hence the @Keep annotation.
  **/
-
+@Keep
 class AndroidBase64 : IBase64 {
 
     override fun encode(input: ByteArray, vararg flags: Base64Flags): ByteArray {

common/src/main/java/com/microsoft/identity/common/internal/platform/AndroidDeviceMetadata.java

@@ -73,11 +73,16 @@ public String getCpu() {
 
     @Override
     public @NonNull String getOsForMats() {
-        return android.os.Build.VERSION.RELEASE;
+        return getAndroidReleaseOs();
     }
 
     @Override
     public @NonNull String getOsForDrs() {
+        return getAndroidReleaseOs();
+    }
+
+    @Override
+    public @NonNull String getAndroidReleaseOs() {
         return android.os.Build.VERSION.RELEASE;
     }
 

common/src/main/java/com/microsoft/identity/common/internal/util/AndroidKeyStoreUtil.java

@@ -55,6 +55,7 @@
 
 import edu.umd.cs.findbugs.annotations.Nullable;
 import io.opentelemetry.api.common.Attributes;
+import io.opentelemetry.api.common.AttributesBuilder;
 import io.opentelemetry.api.metrics.LongCounter;
 import lombok.NonNull;
 
@@ -84,6 +85,11 @@ public class AndroidKeyStoreUtil {
      */
     private static final String ANDROID_KEY_STORE_TYPE = "AndroidKeyStore";
 
+    /**
+     * Max length of stack trace to search for a keystore exception
+     */
+    private static int KEYSTORE_EXCEPTION_CAUSE_CHAIN_MAX_DEPTH = 20;
+
     private AndroidKeyStoreUtil() {
     }
 
@@ -447,12 +453,11 @@ public static synchronized SecretKey unwrap(@NonNull final byte[] wrappedKeyBlob
                 exception
         );
         if (exception instanceof InvalidKeyException) {
-            final Attributes attributes = Attributes.builder()
+            final Attributes attributes = createAttributesBuilderFromInvalidKeyException((InvalidKeyException) exception)
                     .put(AttributeName.keystore_operation.name(), "unwrap")
                     .put(AttributeName.error_code.name(), errCode)
-                    .put(AttributeName.error_type.name(), clientException.getClass().getSimpleName())
-                    .put(AttributeName.keystore_exception_stack_trace.name(), ThrowableUtil.getStackTraceAsString(clientException))
                     .build();
+
             sFailedAndroidKeyStoreUnwrapOperationCount.add(1, attributes);
         }
         Logger.error(
@@ -464,4 +469,65 @@ public static synchronized SecretKey unwrap(@NonNull final byte[] wrappedKeyBlob
         throw clientException;
     }
 
+    /**
+     * Populate attributes from an InvalidKeyException, attempting to extract details from a nested
+     * KeyStoreException if available (API Level 33+).
+     */
+    private static AttributesBuilder createAttributesBuilderFromInvalidKeyException(final InvalidKeyException exception) {
+        String ksMessage;
+        final String errorType;
+        final String ksNumericErrorCode;
+
+        // Check API Level before attempting to extract KeyStoreException details
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
+            final android.security.KeyStoreException keyStoreException = findKeyStoreException(exception);
+            if (keyStoreException != null) {
+                ksMessage = keyStoreException.getMessage();
+                if (ksMessage == null) {
+                    ksMessage = "Keystore exception found, no error message";
+                }
+                errorType = "KeyStoreException";
+                ksNumericErrorCode = String.valueOf(keyStoreException.getNumericErrorCode());
+            } else {
+                ksMessage = "No keystore exception found";
+                errorType = "InvalidKeyException";
+                ksNumericErrorCode = "";
+            }
+        } else {
+            ksMessage = "API Level below 33, keystore exception not available";
+            errorType = "InvalidKeyException";
+            ksNumericErrorCode = "";
+        }
+
+        return Attributes.builder()
+                .put(AttributeName.error_type.name(), errorType)
+                .put(AttributeName.keystore_exception_stack_trace.name(), ThrowableUtil.getStackTraceAsString(exception))
+                .put(AttributeName.keystore_exception_message.name(), ksMessage)
+                .put(AttributeName.keystore_numeric_error_code.name(), ksNumericErrorCode);
+    }
+
+    /**
+     * Searches the causal chain of the given throwable for an instance of
+     * {@link android.security.KeyStoreException}.
+     *
+     * @param throwable The throwable to search.
+     * @return The found KeyStoreException, or null if none was found or the API level is below 33.
+     */
+    private static @Nullable android.security.KeyStoreException findKeyStoreException(@NonNull Throwable throwable) {
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
+            // Check up to a max depth to avoid infinite loops in case of circular references
+            int count = 0;
+            while (throwable != null && count < KEYSTORE_EXCEPTION_CAUSE_CHAIN_MAX_DEPTH) {
+                if (throwable instanceof android.security.KeyStoreException) {
+                    return (android.security.KeyStoreException) throwable;
+                }
+                throwable = throwable.getCause();
+                count++;
+            }
+
+            return null;
+        } else {
+            return null;
+        }
+    }
 }

common4j/src/main/com/microsoft/identity/common/java/commands/parameters/BrokerResourceAccountCommandParameters.java

@@ -28,6 +28,7 @@
 
 import lombok.EqualsAndHashCode;
 import lombok.Getter;
+import lombok.NonNull;
 import lombok.experimental.SuperBuilder;
 
 /**
@@ -37,15 +38,54 @@
 @Getter
 @SuperBuilder(toBuilder = true)
 @EqualsAndHashCode(callSuper = true)
-public class BrokerResourceAccountCommandParameters extends ResourceAccountCommandParameters {
+public class BrokerResourceAccountCommandParameters extends ResourceAccountCommandParameters
+        implements IBrokerTokenCommandParameters {
+    /**
+     * UID of the calling application process as seen by the Broker.
+     */
     @Expose
     private final int callerUid;
 
+    /**
+     * Version name/code of the calling application that initiated the request.
+     */
     @Expose
     private final String callerAppVersion;
 
+    /**
+     * Version of the Broker executing this request.
+     */
     @Expose
     private final String brokerVersion;
 
+    /**
+     * The AAD tenant id (home tenant) for the user account this request is for. It
+     * is derived from the {@link #getHomeAccountId()} value and is used
+     */
+    @Expose
+    @NonNull
+    private final String homeTenantId;
+
+    /**
+     * The user id in home tenant retrieved from {@link #getHomeAccountId()}.
+     */
+    @NonNull
+    private final String localAccountId;
+
+    /**
+     * {@link IBrokerAccount} if already present, otherwise null.
+     */
     private final IBrokerAccount brokerAccount;
+
+    /**
+     * The protocol version that was negotiated between the calling app / library
+     * and the Broker.
+     */
+    @Expose
+    private final String negotiatedBrokerProtocolVersion;
+
+    /**
+     * For this parameter class it is always {@link BrokerRequestType#REGULAR} as this request is not started in broker.
+     */
+    private final BrokerRequestType requestType = BrokerRequestType.REGULAR;
 }

common4j/src/main/com/microsoft/identity/common/java/jwt/AbstractJwtRequest.java

@@ -62,6 +62,7 @@ public static class ClaimNames {
         public static final String JWE_CRYPTO = "jwe_crypto";
         public static final String SESSION_KEY_CRYPTO = "session_key_crypto";
         public static final String PURPOSE = "purpose";
+        public static final String CLIENT_SCENARIO = "client_scenario";
     }
 
     @SerializedName(ClaimNames.REFRESH_TOKEN)

common4j/src/main/com/microsoft/identity/common/java/jwt/JwtRequestBody.java

@@ -88,6 +88,9 @@ public final class JwtRequestBody extends AbstractJwtRequest {
     @SerializedName(ClaimNames.PURPOSE)
     private String mPurpose;
 
+    @SerializedName(ClaimNames.CLIENT_SCENARIO)
+    private String mClientScenario;
+
     public void setIat(final long iat) {
         mIat = String.valueOf(iat);
     }

common4j/src/main/com/microsoft/identity/common/java/opentelemetry/AttributeName.java

@@ -305,6 +305,16 @@ public enum AttributeName {
      */
     keystore_exception_stack_trace,
 
+    /**
+     * Indicates the exception message from a Android KeyStore operation exception.
+     */
+    keystore_exception_message,
+
+    /**
+     * Indicates the error code from a Android KeyStore operation exception.
+     */
+    keystore_numeric_error_code,
+
     /**
      * Indicates the new nonce found in the eSTS request.
      */