Update release/24.1.1 (#3087)

Co-authored-by: Azure DevOps Pipeline <build-agent@azuredevops.com>
Co-authored-by: fadidurah <fadidurah@microsoft.com>
Co-authored-by: Mohit <mchand@microsoft.com>
Co-authored-by: Cesar Acosta <cacosta333@hotmail.com>
Co-authored-by: Siddhi <siddhijain@microsoft.com>

Author: 6 people

changelog.txt

@@ -1,4 +1,8 @@
-vNext
+Version 24.1.1
+----------
+- [PATCH] Fix ABBA deadlock between AzureActiveDirectory and AzureActiveDirectoryAuthority class monitors by extracting polymorphic getAuthorityURL() calls outside synchronized scopes and removing unnecessary synchronized from ConcurrentHashMap read-only methods (#3082)
+
+Version 24.1.0
 ----------
 - [MINOR] Add sovereign cloud (Bleu/Delos/SovSG) instance discovery support with pre-seeded cloud metadata, cache-aware discovery routing, and ensureCloudDiscoveryForAuthority API (#3027)
 - [PATCH] Fix bug in Authority.getKnownAuthorityResult where cloud discovery failure would skip knownAuthorities check and fix thread safety in Authority.isKnownAuthority and getEquivalentConfiguredAuthority with synchronized block (#3027)

common/build.gradle

@@ -87,7 +87,7 @@ tasks.register("jacocoTestReport", JacocoReport) {
 
 // In dev, we want to keep the dependencies(common4j, broker4j, common) to 1.0.+ to be able to be consumed by daily dev pipeline.
 // In release/*, we change these to specific versions being consumed.
-def common4jVersion = "1.0.+"
+def common4jVersion = "24.1.1"
 if (project.hasProperty("distCommon4jVersion") && project.distCommon4jVersion != '') {
     common4jVersion = project.distCommon4jVersion
 }
@@ -96,6 +96,9 @@ boolean newBrokerDiscoveryEnabledFlag = project.hasProperty("newBrokerDiscoveryE
 boolean trustDebugBrokerFlag = project.hasProperty("trustDebugBrokerFlag")
 boolean bypassRedirectUriCheck = project.hasProperty("bypassRedirectUriCheck")
 
+def robolectricRepoUsername = System.getenv("ENV_VSTS_MVN_CRED_USERNAME") != null ? System.getenv("ENV_VSTS_MVN_CRED_USERNAME") : project.findProperty("vstsUsername")
+def robolectricRepoPassword = System.getenv("ENV_VSTS_MVN_CRED_ACCESSTOKEN") != null ? System.getenv("ENV_VSTS_MVN_CRED_ACCESSTOKEN") : project.findProperty("vstsMavenAccessToken")
+
 android {
     compileSdk rootProject.ext.compileSdkVersion
     defaultConfig {
@@ -160,6 +163,11 @@ android {
         unitTests.all {
             exclude 'com/microsoft/identity/common/integration'
             exclude 'com/microsoft/identity/common/ropc'
+            if (robolectricRepoUsername?.toString()?.trim() && robolectricRepoPassword?.toString()?.trim()) {
+                it.systemProperty("robolectric.dependency.repo.url", "https://identitydivision.pkgs.visualstudio.com/_packaging/NewAndroid/maven/v1")
+                it.systemProperty("robolectric.dependency.repo.username", robolectricRepoUsername)
+                it.systemProperty("robolectric.dependency.repo.password", robolectricRepoPassword)
+            }
         }
     }
 

common/src/main/java/com/microsoft/identity/common/internal/broker/PackageHelper.java

@@ -167,6 +167,10 @@ public boolean isPackageInstalledAndEnabled(final String packageName) {
         boolean enabled = false;
         try {
             final ApplicationInfo applicationInfo = mPackageManager.getApplicationInfo(packageName, 0);
+            if (applicationInfo == null) {
+                Logger.verbose(methodTag, packageName + " applicationInfo is null");
+                return false;
+            }
             if (CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(
                     CommonFlight.USE_ENABLED_SETTING_FOR_PACKAGE_CHECK)) {
                 try {
@@ -183,6 +187,7 @@ public boolean isPackageInstalledAndEnabled(final String packageName) {
             }
         } catch (NameNotFoundException e) {
             Logger.verbose(methodTag, packageName + " is not found");
+            return false;
         }
 
         Logger.verbose(methodTag, packageName + " is installed. enabled? [" + enabled + "]");

common/src/test/java/com/microsoft/identity/common/internal/broker/PackageHelperTest.java

@@ -0,0 +1,138 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.internal.broker;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import android.content.pm.ApplicationInfo;
+import android.content.pm.PackageManager;
+import android.content.pm.PackageManager.NameNotFoundException;
+
+import com.microsoft.identity.common.internal.mocks.MockCommonFlightsManager;
+import com.microsoft.identity.common.java.flighting.CommonFlight;
+import com.microsoft.identity.common.java.flighting.CommonFlightsManager;
+import com.microsoft.identity.common.java.flighting.IFlightsProvider;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.robolectric.RobolectricTestRunner;
+
+@RunWith(RobolectricTestRunner.class)
+public class PackageHelperTest {
+
+    private static final String TEST_PACKAGE = "com.example.test";
+
+    private PackageManager mockPackageManager;
+    private PackageHelper packageHelper;
+    private IFlightsProvider mockFlightsProvider;
+
+    @Before
+    public void setUp() {
+        mockPackageManager = mock(PackageManager.class);
+        packageHelper = new PackageHelper(mockPackageManager);
+
+        mockFlightsProvider = mock(IFlightsProvider.class);
+        when(mockFlightsProvider.isFlightEnabled(CommonFlight.USE_ENABLED_SETTING_FOR_PACKAGE_CHECK))
+                .thenReturn(false);
+
+        final MockCommonFlightsManager mockFlightsManager = new MockCommonFlightsManager();
+        mockFlightsManager.setMockCommonFlightsProvider(mockFlightsProvider);
+        CommonFlightsManager.INSTANCE.initializeCommonFlightsManager(mockFlightsManager);
+    }
+
+    @After
+    public void tearDown() {
+        CommonFlightsManager.INSTANCE.resetFlightsManager();
+    }
+
+    @Test
+    public void testIsPackageInstalledAndEnabled_packageNotFound_returnsFalse() throws Exception {
+        when(mockPackageManager.getApplicationInfo(TEST_PACKAGE, 0))
+                .thenThrow(new NameNotFoundException(TEST_PACKAGE));
+
+        assertFalse(packageHelper.isPackageInstalledAndEnabled(TEST_PACKAGE));
+    }
+
+    @Test
+    public void testIsPackageInstalledAndEnabled_applicationInfoNull_returnsFalse() throws Exception {
+        when(mockPackageManager.getApplicationInfo(TEST_PACKAGE, 0))
+                .thenReturn(null);
+
+        assertFalse(packageHelper.isPackageInstalledAndEnabled(TEST_PACKAGE));
+    }
+
+    @Test
+    public void testIsPackageInstalledAndEnabled_packageEnabled_returnsTrue() throws Exception {
+        final ApplicationInfo appInfo = new ApplicationInfo();
+        appInfo.enabled = true;
+        when(mockPackageManager.getApplicationInfo(TEST_PACKAGE, 0))
+                .thenReturn(appInfo);
+
+        assertTrue(packageHelper.isPackageInstalledAndEnabled(TEST_PACKAGE));
+    }
+
+    @Test
+    public void testIsPackageInstalledAndEnabled_packageDisabled_returnsFalse() throws Exception {
+        final ApplicationInfo appInfo = new ApplicationInfo();
+        appInfo.enabled = false;
+        when(mockPackageManager.getApplicationInfo(TEST_PACKAGE, 0))
+                .thenReturn(appInfo);
+
+        assertFalse(packageHelper.isPackageInstalledAndEnabled(TEST_PACKAGE));
+    }
+
+    @Test
+    public void testIsPackageInstalledAndEnabled_flightEnabled_usesEnabledSetting() throws Exception {
+        when(mockFlightsProvider.isFlightEnabled(CommonFlight.USE_ENABLED_SETTING_FOR_PACKAGE_CHECK))
+                .thenReturn(true);
+
+        final ApplicationInfo appInfo = new ApplicationInfo();
+        appInfo.enabled = false;
+        when(mockPackageManager.getApplicationInfo(TEST_PACKAGE, 0))
+                .thenReturn(appInfo);
+        when(mockPackageManager.getApplicationEnabledSetting(TEST_PACKAGE))
+                .thenReturn(PackageManager.COMPONENT_ENABLED_STATE_ENABLED);
+
+        assertTrue(packageHelper.isPackageInstalledAndEnabled(TEST_PACKAGE));
+    }
+
+    @Test
+    public void testIsPackageInstalledAndEnabled_flightEnabled_enabledSettingThrows_fallsBackToAppInfo() throws Exception {
+        when(mockFlightsProvider.isFlightEnabled(CommonFlight.USE_ENABLED_SETTING_FOR_PACKAGE_CHECK))
+                .thenReturn(true);
+
+        final ApplicationInfo appInfo = new ApplicationInfo();
+        appInfo.enabled = true;
+        when(mockPackageManager.getApplicationInfo(TEST_PACKAGE, 0))
+                .thenReturn(appInfo);
+        when(mockPackageManager.getApplicationEnabledSetting(TEST_PACKAGE))
+                .thenThrow(new IllegalArgumentException("test"));
+
+        assertTrue(packageHelper.isPackageInstalledAndEnabled(TEST_PACKAGE));
+    }
+}

common4j/src/main/com/microsoft/identity/common/java/authorities/Authority.java

@@ -318,40 +318,52 @@ public static void addKnownAuthorities(List<Authority> authorities) {
     }
 
     /**
-     * Authorities are either known by the developer and communicated to the library via configuration or they
-     * are known to Microsoft based on the list of clouds returned from:
+     * Clears all known authorities. For test use only.
+     */
+    // Visible for testing
+    static void clearKnownAuthorities() {
+        synchronized (sLock) {
+            knownAuthorities.clear();
+        }
+    }
+
+    /**
+     * Authorities are either known by the developer and communicated to the library via
+     * configuration, or they are known to Microsoft based on the cloud discovery metadata cache.
      *
      * @param authority Authority to check against.
      * @return True if the authority is known to Microsoft or defined in the configuration.
      */
     public static boolean isKnownAuthority(Authority authority) {
-        final String methodName = ":isKnownAuthority";
+        final String methodTag = TAG + ":isKnownAuthority";
         boolean knownToDeveloper = false;
         boolean knownToMicrosoft;
 
         if (authority == null) {
-            Logger.warn(
-                    TAG + methodName,
-                    "Authority is null"
-            );
+            Logger.warn(methodTag, "Authority is null");
+            return false;
+        }
+
+        // Resolve the authority URL outside any lock to avoid calling a potentially-
+        // synchronized polymorphic method (e.g. AzureActiveDirectoryAuthority.getAuthorityURL())
+        // while holding sLock, which could create a lock-ordering inversion.
+        final URL authorityUrl = authority.getAuthorityURL();
+
+        if (authorityUrl == null) {
+            Logger.warn(methodTag, "Authority URL is null");
             return false;
         }
 
-        if (BuildConfig.ALLOW_ONEBOX_AUTHORITIES && AzureActiveDirectoryEnvironment.ONEBOX_AUTHORITY.equals(authority.getAuthorityURL().getAuthority())) {
+        if (BuildConfig.ALLOW_ONEBOX_AUTHORITIES && AzureActiveDirectoryEnvironment.ONEBOX_AUTHORITY.equals(authorityUrl.getAuthority())) {
             return true; // onebox authorities are always considered to be known.
         }
 
-        //Check if authority was added to configuration
         synchronized (sLock) {
             for (final Authority currentAuthority : knownAuthorities) {
                 if (currentAuthority.mAuthorityUrlString != null &&
-                        authority.getAuthorityURL() != null &&
-                        authority.getAuthorityURL().getAuthority() != null &&
+                        authorityUrl.getAuthority() != null &&
                         currentAuthority.mAuthorityUrlString.toLowerCase(Locale.ROOT).contains(
-                                authority
-                                        .getAuthorityURL()
-                                        .getAuthority()
-                                        .toLowerCase(Locale.ROOT))) {
+                                authorityUrl.getAuthority().toLowerCase(Locale.ROOT))) {
                     knownToDeveloper = true;
                     break;
                 }
@@ -360,19 +372,14 @@ public static boolean isKnownAuthority(Authority authority) {
 
         // Check whether the authority is known to Microsoft or not.  Microsoft can recognize authorities that exist within public clouds.
         // Microsoft does not maintain a list of B2C authorities or a list of ADFS or 3rd party authorities (issuers).
-        knownToMicrosoft = AzureActiveDirectory.hasCloudHost(authority.getAuthorityURL());
+        knownToMicrosoft = AzureActiveDirectory.hasCloudHost(authorityUrl);
 
         final boolean isKnown = (knownToDeveloper || knownToMicrosoft);
 
-        Logger.verbose(
-                TAG + methodName,
-                "Authority is known to developer? [" + knownToDeveloper + "]"
-        );
-
-        Logger.verbose(
-                TAG + methodName,
-                "Authority is known to Microsoft? [" + knownToMicrosoft + "]"
-        );
+        Logger.verbose(methodTag,
+                "Authority is known to developer? [" + knownToDeveloper + "]");
+        Logger.verbose(methodTag,
+                "Authority is known to Microsoft? [" + knownToMicrosoft + "]");
 
         return isKnown;
     }
@@ -383,37 +390,43 @@ public static KnownAuthorityResult getKnownAuthorityResult(Authority authority)
                 methodTag,
                 "Getting known authority result..."
         );
-        ClientException clientException = null;
-        boolean known = false;
 
+        ClientException discoveryException = null;
         try {
             AzureActiveDirectory.ensureCloudDiscoveryForAuthority(authority);
             Logger.info(methodTag, "Cloud discovery complete.");
         } catch (final ClientException ex) {
             // Cloud discovery failed (e.g. network error).
             // Log but continue — the authority may still be known via hardcoded
             // metadata or developer configuration.
+            discoveryException = ex;
             Logger.warn(methodTag,
                     "Cloud discovery failed, will check hardcoded/configured authorities. Error: "
                             + ex.getErrorCode());
         }
 
-        if (!isKnownAuthority(authority)) {
-            clientException = new ClientException(
+        if (isKnownAuthority(authority)) {
+            Logger.info(methodTag, "Authority is known.");
+            return new KnownAuthorityResult(true, null);
+        }
+
+        // Authority is not known via any source.
+        if (discoveryException != null) {
+            // Discovery failed — propagate the original error
+            return new KnownAuthorityResult(false, discoveryException);
+        } else {
+            // Discovery succeeded but authority is not in any known list.
+            final ClientException clientException = new ClientException(
                     ClientException.UNKNOWN_AUTHORITY,
                     "Provided authority is not known.  MSAL will only make requests to known authorities"
             );
-        } else {
-            Logger.info(methodTag, "Cloud is known.");
-            known = true;
+            return new KnownAuthorityResult(false, clientException);
         }
-
-        return new KnownAuthorityResult(known, clientException);
     }
 
     public static class KnownAuthorityResult {
-        private boolean mKnown;
-        private ClientException mClientException;
+        private final boolean mKnown;
+        private final ClientException mClientException;
 
         KnownAuthorityResult(boolean known, ClientException exception) {
             mKnown = known;

common4j/src/main/com/microsoft/identity/common/java/authorities/AzureActiveDirectoryAuthority.java

@@ -71,7 +71,7 @@ public class AzureActiveDirectoryAuthority extends Authority {
 
     /** Gets {@link AzureActiveDirectoryCloud}, if the cloud metadata is already initialized. */
     @Nullable
-    private static synchronized AzureActiveDirectoryCloud getAzureActiveDirectoryCloud(
+    private static AzureActiveDirectoryCloud getAzureActiveDirectoryCloud(
             @NonNull final AzureActiveDirectoryAudience audience) {
         final String methodName = ":getAzureActiveDirectoryCloud";
 
@@ -175,7 +175,7 @@ public OAuth2Strategy createOAuth2Strategy(@NonNull final OAuth2StrategyParamete
      * @return true if both authorities belong to same cloud, otherwise false.
      */
     //@WorkerThread
-    public synchronized boolean isSameCloudAsAuthority(@NonNull final AzureActiveDirectoryAuthority authorityToCheck)
+    public boolean isSameCloudAsAuthority(@NonNull final AzureActiveDirectoryAuthority authorityToCheck)
             throws ClientException {
         // Cloud discovery is needed to make sure that we have preferred_network_host_name to cloud aliases mappings
         AzureActiveDirectory.ensureCloudDiscoveryForAuthority(this);