Merge branch 'dev' into mchand/openid-issuer-validation

Author: Mohit

changelog.txt

@@ -1,6 +1,9 @@
 vNext
 ----------
 - [MINOR] Add Open Id configuration issuer validation reporting in OpenIdProviderConfigurationClient (#2751)
+- [MINOR] Implement TenantUtil (#2761)
+- [MAJOR] Update proguard rules in common (#2756)
+- [MINOR] Add query parameter for Android Release OS Version (#2754)
 - [MINOR] Add client scenario to JwtRequestBody (#2755)
 
 Version 22.1.0

common/build.gradle

@@ -174,6 +174,7 @@ dependencies {
     implementation "androidx.credentials:credentials-play-services-auth:$rootProject.ext.AndroidCredentialsVersion"
     implementation "com.google.android.gms:play-services-fido:$rootProject.ext.LegacyFidoApiVersion"
     implementation "com.google.android.libraries.identity.googleid:googleid:$rootProject.ext.GoogleIdVersion"
+    implementation "com.github.stephenc.jcip:jcip-annotations:$rootProject.ext.jcipAnnotationVersion"
 
     constraints {
         implementation ("com.squareup.okio:okio:3.4.0") {

common/consumer-rules.pro

@@ -17,7 +17,33 @@
 #}
 
 ##---------------Begin: proguard configuration for Common  --------
-# Intentionally blank, left to consumers of common to implement.
+# keep with optmizations and shrinking, but do not obfuscate
+-keep,allowoptimization,allowshrinking class !com.microsoft.identity.common.java.nativeauth.**, !com.microsoft.identity.common.nativeauth.**, com.microsoft.identity.** { *; }
+-keep class * extends com.microsoft.identity.common.java.authorities.Authority { *; }
+-keep class * extends com.microsoft.identity.common.java.authorities.AzureActiveDirectoryAudience { *; }
+-keep class * extends com.microsoft.identity.common.java.cache.ICacheRecord { *; }
+-keep class * extends com.microsoft.identity.common.java.cache.ITokenCacheItem { *; }
+-keep class * extends com.microsoft.identity.common.java.authscheme.AbstractAuthenticationScheme { *; }
+-keep class com.microsoft.identity.common.internal.broker.AuthUxJsonPayload { *; }
+
+
+#For Android Credential Manager: https://developer.android.com/training/sign-in/passkeys#proguard
+-if class androidx.credentials.CredentialManager
+-keep class androidx.credentials.playservices.** {
+  *;
+}
+
+# Runtime annotations
+-keep class net.jcip.annotations.GuardedBy
+-keep class net.jcip.annotations.Immutable
+-keep class net.jcip.annotations.ThreadSafe
+
+# Compile time annotations
+-dontwarn edu.umd.cs.findbugs.annotations.NonNull
+-dontwarn edu.umd.cs.findbugs.annotations.Nullable
+-dontwarn edu.umd.cs.findbugs.annotations.SuppressFBWarnings
+
+-keepattributes SourceFile,LineNumberTable
 
 ##---------------Begin: proguard configuration for Nimbus  ----------
 # Intentionally blank, left to consumers of common to implement.
@@ -28,7 +54,7 @@
 ##---------------Begin: proguard configuration for Gson  --------
 # Gson uses generic type information stored in a class file when working with fields. Proguard
 # removes such information by default, so configure it to keep all of it.
--keepattributes Signature
+-keepattributes Signature,SourceFile,LineNumberTable
 
 # For using GSON @Expose annotation
 -keepattributes *Annotation*
@@ -37,26 +63,27 @@
 -dontwarn sun.misc.**
 #-keep class com.google.gson.stream.** { *; }
 
-# Application classes that will be serialized/deserialized over Gson
--keep class com.google.gson.examples.android.model.** { <fields>; }
-
 # Prevent proguard from stripping interface information from TypeAdapter, TypeAdapterFactory,
 # JsonSerializer, JsonDeserializer instances (so they can be used in @JsonAdapter)
 -keep class * extends com.google.gson.TypeAdapter
 -keep class * implements com.google.gson.TypeAdapterFactory
 -keep class * implements com.google.gson.JsonSerializer
 -keep class * implements com.google.gson.JsonDeserializer
+-keep class com.google.gson.reflect.TypeToken { *; }
+-keep class * extends com.google.gson.reflect.TypeToken { *; }
 
+##---------------Begin: proguard configuration for OpenTelemetry  --------
 # keep everything in this package from being removed or renamed
 -keep class io.opentelemetry.** { *; }
 
 # Prevent R8 from leaving Data object members always null
--keepclassmembers,allowobfuscation class * {
+-keepclassmembers class com.microsoft.identity.** {
   @com.google.gson.annotations.SerializedName <fields>;
+  @com.squareup.moshi.Json <fields>;
 }
 
-#For Android Credential Manager: https://developer.android.com/training/sign-in/passkeys#proguard
--if class androidx.credentials.CredentialManager
--keep class androidx.credentials.playservices.** {
-  *;
-}
+## Other
+# Compile time annotation
+-dontwarn com.google.auto.value.AutoValue$CopyAnnotations
+-dontwarn com.google.auto.value.AutoValue
+-dontwarn com.google.auto.value.extension.memoized.Memoized

common/src/main/java/com/microsoft/identity/common/base64/AndroidBase64.kt

@@ -22,6 +22,7 @@
 // THE SOFTWARE.
 package com.microsoft.identity.common.base64
 
+import androidx.annotation.Keep
 import com.microsoft.identity.common.java.base64.Base64Flags
 import com.microsoft.identity.common.java.base64.Base64Util
 import com.microsoft.identity.common.java.base64.IBase64
@@ -33,8 +34,9 @@ import com.microsoft.identity.common.java.base64.IBase64
  * you'll need to make change in [Base64Util] too.
  *
  * see [Base64Util] for more info.
+ * This is called using reflection from [Base64Util], hence the @Keep annotation.
  **/
-
+@Keep
 class AndroidBase64 : IBase64 {
 
     override fun encode(input: ByteArray, vararg flags: Base64Flags): ByteArray {

common/src/main/java/com/microsoft/identity/common/internal/platform/AndroidDeviceMetadata.java

@@ -73,11 +73,16 @@ public String getCpu() {
 
     @Override
     public @NonNull String getOsForMats() {
-        return android.os.Build.VERSION.RELEASE;
+        return getAndroidReleaseOs();
     }
 
     @Override
     public @NonNull String getOsForDrs() {
+        return getAndroidReleaseOs();
+    }
+
+    @Override
+    public @NonNull String getAndroidReleaseOs() {
         return android.os.Build.VERSION.RELEASE;
     }
 

common/src/main/java/com/microsoft/identity/common/internal/util/AndroidKeyStoreUtil.java

@@ -55,6 +55,7 @@
 
 import edu.umd.cs.findbugs.annotations.Nullable;
 import io.opentelemetry.api.common.Attributes;
+import io.opentelemetry.api.common.AttributesBuilder;
 import io.opentelemetry.api.metrics.LongCounter;
 import lombok.NonNull;
 
@@ -84,6 +85,11 @@ public class AndroidKeyStoreUtil {
      */
     private static final String ANDROID_KEY_STORE_TYPE = "AndroidKeyStore";
 
+    /**
+     * Max length of stack trace to search for a keystore exception
+     */
+    private static int KEYSTORE_EXCEPTION_CAUSE_CHAIN_MAX_DEPTH = 20;
+
     private AndroidKeyStoreUtil() {
     }
 
@@ -447,12 +453,11 @@ public static synchronized SecretKey unwrap(@NonNull final byte[] wrappedKeyBlob
                 exception
         );
         if (exception instanceof InvalidKeyException) {
-            final Attributes attributes = Attributes.builder()
+            final Attributes attributes = createAttributesBuilderFromInvalidKeyException((InvalidKeyException) exception)
                     .put(AttributeName.keystore_operation.name(), "unwrap")
                     .put(AttributeName.error_code.name(), errCode)
-                    .put(AttributeName.error_type.name(), clientException.getClass().getSimpleName())
-                    .put(AttributeName.keystore_exception_stack_trace.name(), ThrowableUtil.getStackTraceAsString(clientException))
                     .build();
+
             sFailedAndroidKeyStoreUnwrapOperationCount.add(1, attributes);
         }
         Logger.error(
@@ -464,4 +469,65 @@ public static synchronized SecretKey unwrap(@NonNull final byte[] wrappedKeyBlob
         throw clientException;
     }
 
+    /**
+     * Populate attributes from an InvalidKeyException, attempting to extract details from a nested
+     * KeyStoreException if available (API Level 33+).
+     */
+    private static AttributesBuilder createAttributesBuilderFromInvalidKeyException(final InvalidKeyException exception) {
+        String ksMessage;
+        final String errorType;
+        final String ksNumericErrorCode;
+
+        // Check API Level before attempting to extract KeyStoreException details
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
+            final android.security.KeyStoreException keyStoreException = findKeyStoreException(exception);
+            if (keyStoreException != null) {
+                ksMessage = keyStoreException.getMessage();
+                if (ksMessage == null) {
+                    ksMessage = "Keystore exception found, no error message";
+                }
+                errorType = "KeyStoreException";
+                ksNumericErrorCode = String.valueOf(keyStoreException.getNumericErrorCode());
+            } else {
+                ksMessage = "No keystore exception found";
+                errorType = "InvalidKeyException";
+                ksNumericErrorCode = "";
+            }
+        } else {
+            ksMessage = "API Level below 33, keystore exception not available";
+            errorType = "InvalidKeyException";
+            ksNumericErrorCode = "";
+        }
+
+        return Attributes.builder()
+                .put(AttributeName.error_type.name(), errorType)
+                .put(AttributeName.keystore_exception_stack_trace.name(), ThrowableUtil.getStackTraceAsString(exception))
+                .put(AttributeName.keystore_exception_message.name(), ksMessage)
+                .put(AttributeName.keystore_numeric_error_code.name(), ksNumericErrorCode);
+    }
+
+    /**
+     * Searches the causal chain of the given throwable for an instance of
+     * {@link android.security.KeyStoreException}.
+     *
+     * @param throwable The throwable to search.
+     * @return The found KeyStoreException, or null if none was found or the API level is below 33.
+     */
+    private static @Nullable android.security.KeyStoreException findKeyStoreException(@NonNull Throwable throwable) {
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
+            // Check up to a max depth to avoid infinite loops in case of circular references
+            int count = 0;
+            while (throwable != null && count < KEYSTORE_EXCEPTION_CAUSE_CHAIN_MAX_DEPTH) {
+                if (throwable instanceof android.security.KeyStoreException) {
+                    return (android.security.KeyStoreException) throwable;
+                }
+                throwable = throwable.getCause();
+                count++;
+            }
+
+            return null;
+        } else {
+            return null;
+        }
+    }
 }

common4j/src/main/com/microsoft/identity/common/java/opentelemetry/AttributeName.java

@@ -305,6 +305,16 @@ public enum AttributeName {
      */
     keystore_exception_stack_trace,
 
+    /**
+     * Indicates the exception message from a Android KeyStore operation exception.
+     */
+    keystore_exception_message,
+
+    /**
+     * Indicates the error code from a Android KeyStore operation exception.
+     */
+    keystore_numeric_error_code,
+
     /**
      * Indicates the new nonce found in the eSTS request.
      */

common4j/src/main/com/microsoft/identity/common/java/platform/Device.java

@@ -214,6 +214,25 @@ public static String getOsForDrs() {
         }
     }
 
+    /**
+     * Get the Android Release OS of this device
+     *
+     * @return a String representing the Android Release OS information
+     */
+    @NonNull
+    @GuardedBy("sLock")
+    public static String getAndroidReleaseOs() {
+        sLock.readLock().lock();
+        try {
+            if (sDeviceMetadata != null) {
+                return sDeviceMetadata.getAndroidReleaseOs();
+            }
+            return NOT_SET;
+        } finally {
+            sLock.readLock().unlock();
+        }
+    }
+
     /**
      * Gets the manufacturer of the current device.
      *

common4j/src/main/com/microsoft/identity/common/java/platform/IDeviceMetadata.java

@@ -66,6 +66,14 @@ public interface IDeviceMetadata {
     @NonNull
     String getOsForMats();
 
+    /**
+     * Get the Android Release OS of this device (i.e 14, 15, 16).
+     *
+     * @return a String representing the Release OS information
+     */
+    @NonNull
+    String getAndroidReleaseOs();
+
     /**
      * Get the model name of this device.
      *

common4j/src/main/com/microsoft/identity/common/java/providers/microsoft/MicrosoftAuthorizationRequest.java

@@ -119,6 +119,12 @@ public abstract class MicrosoftAuthorizationRequest<T extends MicrosoftAuthoriza
     @SerializedName("x-client-OS")
     private final String mDiagnosticOS;
 
+    @Expose()
+    @Getter
+    @Accessors(prefix = "m")
+    @SerializedName("x-client-ReleaseOS")
+    private final String mDiagnosticReleaseOS;
+
     @Expose()
     @Getter
     @Accessors(prefix = "m")
@@ -186,9 +192,11 @@ protected MicrosoftAuthorizationRequest(@SuppressWarnings(WarningType.rawtype_wa
         // If the flight is enabled, set the fields
         if (CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(CommonFlight.ENABLE_AM_API_WORKPROFILE_EXTRA_QUERY_PARAMETERS)) {
             mDiagnosticMN = Device.getManufacturer();
+            mDiagnosticReleaseOS = Device.getAndroidReleaseOs();
             mWorkProfileAvailable = Device.isInPersonalProfileButClouddpcWorkProfileAvailable();
         } else {
             mDiagnosticMN = null;
+            mDiagnosticReleaseOS = null;
             mWorkProfileAvailable = null;
         }
     }