Merge dev into sjain/working/release/23.1.1

Author: Copilot

LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/authentication/LabApiAuthenticationClient.java

@@ -51,48 +51,47 @@ public class LabApiAuthenticationClient implements IAccessTokenSupplier {
     private final static int ATTEMPT_RETRY_WAIT = 3;
     private final String mLabCredential;
     private final String mLabCertPassword;
-    private final String mScope;
+    private final String defaultScope = LabConstants.DEFAULT_LAB_SCOPE;
     private final String mClientId;
 
-
     public LabApiAuthenticationClient(@NonNull final String labSecret) {
-        this(labSecret, null, null, null);
+        this(labSecret, null, null);
     }
 
     public LabApiAuthenticationClient(@NonNull final String labSecret, final String labCertPassword) {
-        this(labSecret, labCertPassword, null, null);
-    }
-
-    public LabApiAuthenticationClient(@NonNull final String labSecret, @NonNull final String scope, @NonNull final String clientId) {
-        this(labSecret, null, scope, clientId);
+        this(labSecret, labCertPassword, null);
     }
 
-    public LabApiAuthenticationClient(@NonNull final String labSecret, final String labCertPassword, final String scope, final String clientId) {
+    public LabApiAuthenticationClient(@NonNull final String labSecret, final String labCertPassword, final String clientId) {
         mLabCredential = labSecret;
         mLabCertPassword = labCertPassword;
-        mScope = scope != null ? scope : LabConstants.DEFAULT_LAB_SCOPE;
         mClientId = clientId != null ? clientId : LabConstants.DEFAULT_LAB_CLIENT_ID;
     }
 
     @Override
     public String getAccessToken() throws LabApiException {
-        return getAccessToken(DEFAULT_ACCESS_TOKEN_RETRIES);
+        return getAccessToken(DEFAULT_ACCESS_TOKEN_RETRIES, null);
+    }
+
+    public String getAccessTokenForCustomScope(final String scope) throws LabApiException {
+        return getAccessToken(DEFAULT_ACCESS_TOKEN_RETRIES, scope);
     }
 
     /**
      * Attempt to acquire an access token. Accepts a parameter to denote number of retries
      * @param retries how many times to attempt acquire access token before returning a failure.
+     * @param customScope the custom scope for which the access token is requested. If null, use the default scope.
      * @return an access token for Lab API
      * @throws LabApiException exception given back by Lab API
      */
-    public String getAccessToken(final int retries) throws LabApiException {
+    public String getAccessToken(final int retries, final String customScope) throws LabApiException {
 
         // Do this in a loop, if we get an exception or null result, try again
         for (int i = 1; i <= retries; i++) {
             System.out.printf(Locale.ENGLISH, "getAccessToken attempt #%d%n", i);
 
             try {
-                final String result = getAccessTokenInternal();
+                final String result = getAccessTokenInternal(customScope);
                 if (result != null) {
                     return result;
                 }
@@ -120,12 +119,19 @@ public String getAccessToken(final int retries) throws LabApiException {
         return null;
     }
 
-    private String getAccessTokenInternal() throws LabApiException {
+    private String getAccessTokenInternal(final String customScope) throws LabApiException {
+        final String authScope;
+        if (customScope != null) {
+            authScope = customScope;
+        } else {
+            authScope = defaultScope;
+        }
+
         final IConfidentialAuthClient confidentialAuthClient = new Msal4jAuthClient();
         final TokenParameters tokenParameters = TokenParameters.builder()
                 .clientId(mClientId)
                 .authority(AUTHORITY)
-                .scope(mScope)
+                .scope(authScope)
                 .build();
 
         final IAuthenticationResult authenticationResult;

LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/client/LabClient.java

@@ -61,9 +61,6 @@
 public class LabClient implements ILabClient {
 
     private final LabApiAuthenticationClient mLabApiAuthenticationClient;
-    private final LabApiAuthenticationClient mLabApiAuthenticationClientForKeyVault = new LabApiAuthenticationClient(
-            BuildConfig.LAB_CLIENT_SECRET, KEYVAULT_SCOPE, DEFAULT_LAB_CLIENT_ID
-    );
     private final long PASSWORD_RESET_WAIT_DURATION = TimeUnit.SECONDS.toMillis(65);
     private final long LAB_API_RETRY_WAIT = TimeUnit.SECONDS.toMillis(5);
 
@@ -229,10 +226,7 @@ private ILabAccount createTempAccountInternal(@NonNull final TempUserType tempUs
                 mLabApiAuthenticationClient.getAccessToken()
         );
 
-        final String createTempUserFunctionCode = getKeyVaultSecret(
-                CreateTempUserApi.AZURE_FUNCTION_CODE_SECRET_NAME
-        );
-        final CreateTempUserApi createTempUserApi = new CreateTempUserApi(createTempUserFunctionCode);
+        final CreateTempUserApi createTempUserApi = new CreateTempUserApi();
         createTempUserApi.getApiClient().setReadTimeout(TEMP_USER_API_READ_TIMEOUT);
         final TempUser tempUser;
 
@@ -311,7 +305,7 @@ public String getPasswordForGuestUser(LabGuestAccount guestUser) throws LabApiEx
     @Override
     public String getKeyVaultSecret(@NonNull final String secretName) throws LabApiException {
         Configuration.getKeyVaultApiClient().setAccessToken(
-                mLabApiAuthenticationClientForKeyVault.getAccessToken()
+                mLabApiAuthenticationClient.getAccessTokenForCustomScope(KEYVAULT_SCOPE)
         );
         final KeyVaultSecretsApi keyVaultSecretsApi = new KeyVaultSecretsApi();
 
@@ -329,14 +323,10 @@ public boolean deleteDevice(@NonNull final String upn,
         Configuration.getDefaultApiClient().setAccessToken(
                 mLabApiAuthenticationClient.getAccessToken()
         );
-
-        final String deleteDeviceFunctionCode = getKeyVaultSecret(
-                DeleteDeviceApi.AZURE_FUNCTION_CODE_SECRET_NAME
-        );
-        final DeleteDeviceApi deleteDeviceApi = new DeleteDeviceApi(deleteDeviceFunctionCode);
+        final DeleteDeviceApi deleteDeviceApi = new DeleteDeviceApi();
 
         try {
-            final CustomSuccessResponse successResponse = deleteDeviceApi.apiDeleteDeviceDelete(
+            final String successResponse = deleteDeviceApi.apiDeleteDeviceDelete(
                     upn, deviceId
             );
 
@@ -346,12 +336,12 @@ public boolean deleteDevice(@NonNull final String upn,
 
             // we probably need a more sophisticated logger integrated into LabApi
             // for now this is fine
-            System.out.println(successResponse.getResult());
+            System.out.println(successResponse);
 
             final String expectedResult = String.format(
                     "Device : %s, successfully deleted from AAD.", deviceId
             );
-            return expectedResult.equalsIgnoreCase(successResponse.getResult());
+            return expectedResult.equalsIgnoreCase(successResponse);
         } catch (final com.microsoft.identity.internal.test.labapi.ApiException ex) {
             throw new LabApiException(
                     LabError.FAILED_TO_DELETE_DEVICE, ex,
@@ -435,10 +425,10 @@ private String getPassword(final String credentialVaultKeyName) throws LabApiExc
 
     @Override
     public boolean resetPassword(@NonNull final String upn) throws LabApiException {
-        final String resetApiFunctionCode = getKeyVaultSecret(
-                ResetApi.AZURE_FUNCTION_CODE_SECRET_NAME
+        Configuration.getDefaultApiClient().setAccessToken(
+                mLabApiAuthenticationClient.getAccessToken()
         );
-        final ResetApi resetApi = new ResetApi(resetApiFunctionCode);
+        final ResetApi resetApi = new ResetApi();
         try {
             final CustomSuccessResponse resetResponse = resetApi.apiResetPut(upn, ResetOperation.PASSWORD.toString());
             if (resetResponse == null) {
@@ -512,10 +502,7 @@ public boolean enablePolicy(@NonNull final String upn, @NonNull final Protection
         Configuration.getDefaultApiClient().setAccessToken(
                 mLabApiAuthenticationClient.getAccessToken()
         );
-        final String enablePolicyFunctionCode = getKeyVaultSecret(
-                EnablePolicyApi.AZURE_FUNCTION_CODE_SECRET_NAME
-        );
-        final EnablePolicyApi enablePolicyApi = new EnablePolicyApi(enablePolicyFunctionCode);
+        final EnablePolicyApi enablePolicyApi = new EnablePolicyApi();
         try {
             final CustomSuccessResponse enablePolicyResult = enablePolicyApi.apiEnablePolicyPut(upn, policy.toString());
             final String expectedResult = (policy + " Enabled for user : " + upn).toLowerCase();
@@ -537,10 +524,10 @@ public boolean enablePolicy(@NonNull final String upn, @NonNull final Protection
      * @return boolean value indicating policy is disabled or not for the upn.
      */
     public boolean disablePolicy(@NonNull final String upn, @NonNull final ProtectionPolicy policy) throws LabApiException {
-        final String disablePolicyFunctionCode = getKeyVaultSecret(
-                DisablePolicyApi.AZURE_FUNCTION_CODE_SECRET_NAME
+        Configuration.getDefaultApiClient().setAccessToken(
+                mLabApiAuthenticationClient.getAccessToken()
         );
-        final DisablePolicyApi disablePolicyApi = new DisablePolicyApi(disablePolicyFunctionCode);
+        final DisablePolicyApi disablePolicyApi = new DisablePolicyApi();
         try {
             final CustomSuccessResponse disablePolicyResponse = disablePolicyApi.apiDisablePolicyPut(upn, policy.toString());
             final String expectedResult = (policy + " Disabled for user : " + upn).toLowerCase();

LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/constants/LabConstants.java

@@ -163,8 +163,8 @@ static final class TempUserPolicy {
     }
 
     static final class ResetOperation {
-        public static final String MFA = "MFA";
-        public static final String PASSWORD = "Password";
+        public static final String MFA = "mfa";
+        public static final String PASSWORD = "password";
     }
 
     static final class HasAltId {

LabApiUtilities/src/test/com/microsoft/identity/labapi/utilities/client/LabClientTest.java

@@ -171,7 +171,6 @@ public void canCreateMAMCATempUser() {
     }
 
     @Test
-    @Ignore
     public void canResetPassword() {
         try {
             final ILabAccount labAccount = mLabClient.createTempAccount(TempUserType.BASIC);
@@ -183,7 +182,6 @@ public void canResetPassword() {
     }
 
     @Test
-    @Ignore
     public void canEnablePolicy() {
         try {
             final ILabAccount labAccount = mLabClient.createTempAccount(TempUserType.BASIC);
@@ -195,7 +193,6 @@ public void canEnablePolicy() {
     }
 
     @Test
-    @Ignore
     public void canDisablePolicy() {
         try {
             final ILabAccount labAccount = mLabClient.createTempAccount(TempUserType.MAM_CA);

azure-pipelines/continuous-delivery/common-cd.yml

@@ -16,7 +16,9 @@ variables:
     versionNumber: ${{ variables.customVersion }}
 
 pool:
-  name: Hosted Windows 2019 with VS2019
+  name: MSSecurity-1ES-Build-Agents-Pool
+  image: MSSecurity-1ES-Windows-2022
+  os: windows
 jobs:
 # Key Vault
 - job: keyvault_phase

changelog.txt

@@ -3,6 +3,15 @@ Version 23.1.1
 - [PATCH] Share SharedPreferencesInMemoryCache across instances of BrokerOAuth2TokenCache (#2813)
 - [PATCH] Use SharedPreferencesInMemoryCache implementation in Broker (#2802)
 
+Version 23.1.0
+----------
+- [MINOR] Determine whether broker app opts out from battery optimization (#2819)
+- [MINOR] Cache Active Broker In Memory (BrokerDiscoveryClient) (#2817)
+- [MINOR] Enable Broker Discovery by default in MSAL/Broker API (#2818)
+- [MINOR] Share SharedPreferencesInMemoryCache across instances of BrokerOAuth2TokenCache
+- [MINOR] Use SharedPreferencesInMemoryCache implementation in Broker (#2802)
+- [MINOR] Fix for SDL violation in device pop scenarios, Fixes AB#3284510 (#2744)
+
 Version 23.1.0
 ----------
 - [MINOR] Add OpenTelemetry support for passkey operations (#2795)

common/src/androidTest/java/com/microsoft/identity/common/internal/platform/AndroidDevicePoPManagerEncryptionTests.java

@@ -24,19 +24,27 @@
 
 import android.os.Build;
 
+import androidx.annotation.NonNull;
 import androidx.test.core.app.ApplicationProvider;
 
 import com.microsoft.identity.common.java.crypto.IDevicePopManager;
 import com.microsoft.identity.common.java.exception.ClientException;
+import com.microsoft.identity.common.java.flighting.CommonFlight;
+import com.microsoft.identity.common.java.flighting.CommonFlightsManager;
+import com.microsoft.identity.common.java.flighting.IFlightsManager;
+import com.microsoft.identity.common.java.flighting.IFlightsProvider;
 
+import org.jetbrains.annotations.NotNull;
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
+import org.mockito.Mockito;
 
 import java.io.IOException;
+import java.security.InvalidKeyException;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
@@ -92,6 +100,7 @@ public void setUp() throws ClientException {
     @After
     public void tearDown() {
         devicePopManager.clearAsymmetricKey();
+        CommonFlightsManager.INSTANCE.resetFlightsManager();
     }
 
     @Test
@@ -102,4 +111,46 @@ public void testEncryption() throws ClientException {
         Assert.assertEquals(DATA_TO_ENCRYPT, decryptedValue);
         Assert.assertNotEquals(DATA_TO_ENCRYPT, cipherText);
     }
+
+    @Test
+    public void testEncryption_Disabled() throws ClientException, CertificateException, KeyStoreException, NoSuchAlgorithmException, IOException {
+        final IFlightsProvider mockFlightsProvider = Mockito.mock(IFlightsProvider.class);
+        Mockito.when(mockFlightsProvider.isFlightEnabled(CommonFlight.DISABLE_UNNECESSARY_CRYPTO_PURPOSES_FROM_DEVICE_POP_MANAGER))
+                .thenReturn(true);
+        // Create anonymous IFlightsManager
+        IFlightsManager anonymousFlightsManager = new IFlightsManager() {
+            @Override
+            public @NotNull IFlightsProvider getFlightsProvider(long waitForConfigsWithTimeoutInMs) {
+                return mockFlightsProvider;
+            }
+            @Override
+            public @NotNull IFlightsProvider getFlightsProviderForTenant(@NotNull String tenantId, long waitForConfigsWithTimeoutInMs) {
+                return mockFlightsProvider;
+            }
+            @Override
+            public @NotNull IFlightsProvider getFlightsProviderForTenant(@NotNull String tenantId) {
+                return mockFlightsProvider;
+            }
+            @NonNull
+            @Override
+            public IFlightsProvider getFlightsProvider() {
+                return mockFlightsProvider;
+            }
+        };
+
+        // Initialize CommonFlightsManager with the anonymous implementation
+        CommonFlightsManager.INSTANCE.initializeCommonFlightsManager(anonymousFlightsManager);
+        IDevicePopManager devicePopManager = new AndroidDevicePopManager(ApplicationProvider.getApplicationContext());
+        devicePopManager.generateAsymmetricKey();
+        try {
+            final String cipherText = devicePopManager.encrypt(cipher, DATA_TO_ENCRYPT);
+            devicePopManager.decrypt(cipher, cipherText);
+        } catch (Exception exception) {
+            Assert.assertTrue(exception instanceof ClientException);
+            Assert.assertTrue(exception.getCause().getCause().getMessage().contains("Incompatible purpose"));
+            return;
+        }
+        Assert.fail();
+
+    }
 }