ForgeRock Android SDK 4.3.0 Release

.github/workflows/ci.yaml

@@ -19,6 +19,15 @@ jobs:
     secrets:
       SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
 
+  # Run Mend CLI Scan
+  mend-cli-scan:
+    name: Mend CLI Scan
+    uses: ./.github/workflows/mend-cli-scan.yaml
+    secrets:
+      MEND_EMAIL: ${{ secrets.MEND_EMAIL }}
+      MEND_USER_KEY: ${{ secrets.MEND_USER_KEY }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} 
+
   # Run Sonatype OSS Index Scan
   sonatype-ossindex:
     name: Scan for open source vulnerabilities (Sonatype OSS Index)
@@ -72,7 +81,7 @@ jobs:
     name: Publish SNAPSHOT release
     uses: ./.github/workflows/publish-snapshot.yaml
     if: (github.ref == 'refs/heads/develop' && github.event_name == 'push')
-    needs: [bitbar-results, sonatype-ossindex]
+    needs: [bitbar-results, sonatype-ossindex, mend-cli-scan]
     secrets:
       SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
       PUBLISHING_SIGNING_KEY_ID: ${{ secrets.PUBLISHING_SIGNING_KEY_ID }}

.github/workflows/mend-cli-scan.yaml

@@ -0,0 +1,107 @@
+name: Run Mend CLS Scan
+on:
+  workflow_call:
+    secrets:
+      MEND_EMAIL:
+        description: Mend email
+        required: true
+      MEND_USER_KEY:
+        description: Mend user key
+        required: true
+      SLACK_WEBHOOK:
+        description: Slack Notifier Incoming Webhook
+        required: true
+
+jobs:
+  mend-cli-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Clone the repo
+      - name: Clone the repository
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{github.event.pull_request.head.repo.full_name}}
+          fetch-depth: 0
+
+      # Setup JDK and cache and restore dependencies.
+      - name: Set up JDK 17
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+          cache: 'gradle'
+
+      # Setup Mend CLI
+      - name: Download and cache the Mend CLI executable
+        id: cache-mend
+        uses: actions/cache@v3
+        env:
+          mend-cache-name: cache-mend-executable
+        with:
+          path: /usr/local/bin/mend
+          key: ${{ runner.os }}-${{ env.mend-cache-name }}-${{ hashFiles('/usr/local/bin/mend') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ env.mend-cache-name }}-
+
+      # Download Mend CLI if it's not cached...
+      - if: ${{ steps.cache-mend.outputs.cache-hit != 'true' }}
+        name: Download Mend CLI executable (cache miss...)
+        continue-on-error: true
+        run: |
+          echo "Download Mend CLI executable (cache miss...)"
+          curl https://downloads.mend.io/cli/linux_amd64/mend -o /usr/local/bin/mend && chmod +x /usr/local/bin/mend
+
+      # Execute the Mend CLI scan
+      - name: Mend CLI Scan
+        env:
+          MEND_EMAIL: ${{secrets.MEND_EMAIL}}
+          MEND_USER_KEY: ${{secrets.MEND_USER_KEY}}
+          MEND_URL: ${{ vars.MEND_SERVER_URL }}
+        run: |
+            mend dep --no-color -s ${{ vars.MEND_PRODUCT_NAME }}//${{ vars.MEND_PROJECT_NAME }} -u > mend-scan-result.txt
+            echo "MEND_SCAN_URL=$(cat mend-scan-result.txt | grep -Eo '(http|https)://[a-zA-Z0-9./?!=_%:-\#]*')" >> $GITHUB_ENV
+            echo "MEND_SCAN_SUMMARY=$(cat mend-scan-result.txt | grep -Eoiw '(Detected [0-9]* vulnerabilities.*)')" >> $GITHUB_ENV
+            echo "MEND_CRITICAL_COUNT=$(cat mend-scan-result.txt | grep -Eoiw '(Detected [0-9]* vulnerabilities.*)' | grep -oi '[0-9]* Critical' | grep -o [0-9]*)" >> $GITHUB_ENV
+            echo "MEND_HIGH_COUNT=$(cat mend-scan-result.txt | grep -Eoiw '(Detected [0-9]* vulnerabilities.*)' | grep -oi '[0-9]* High' | grep -o [0-9]*)" >> $GITHUB_ENV
+
+      # Check for failures and set the outcome of the workflow
+      - name: Parse the result and set job status
+        if: always()
+        run: |
+          if [ '${{ env.MEND_CRITICAL_COUNT }}' -gt '0' ] || [ '${{ env.MEND_HIGH_COUNT }}' -gt '0' ]; then
+            exit 1
+          else
+            exit 0
+          fi
+
+      # Publish the result
+      - name: Mend Scan Result
+        uses: LouisBrunner/[email protected]
+        if: always()
+        with:
+          name: "Mend Scan Result"
+          token: ${{ secrets.GITHUB_TOKEN }}
+          conclusion: ${{ job.status }}
+          output_text_description_file: mend-scan-result.txt
+          output: |
+            {"title":"Mend Scan Result", "summary":"${{ job.status }}"}
+
+      # Send slack notification with result status
+      - name: Send slack notification
+        uses: 8398a7/action-slack@v3
+        with:
+          status: custom
+          fields: all
+          custom_payload: |
+            {
+              attachments: [{
+                title: 'ForgeRock Android SDK Mend Scan',
+                color: '${{ job.status }}' === 'success' ? 'good' : '${{ job.status }}' === 'failure' ? 'danger' : 'warning',
+                text: `\nStatus: ${{ job.status }}\nWorkflow: ${process.env.AS_WORKFLOW} -> ${process.env.AS_JOB}\nSummary: ${{ env.MEND_SCAN_SUMMARY }}\nScan URL: ${{ env.MEND_SCAN_URL }}`, 
+              }]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
+        if: always()

CHANGELOG.md

@@ -1,3 +1,16 @@
+## [4.3.0]
+#### Added
+- Added the ability to customize cookie headers in outgoing requests from the SDK [SDKS-2780]
+- Added the ability to insert custom claims when performing device signing verification [SDKS-2787]
+- Added client-side support for the `AppIntegrity` callback [SDKS-2631]
+
+
+#### Fixed
+- The SDK now uses `auth-per-use` keys for Device Binding [SDKS-2797]
+- Improved handling of WebAuthn cancellations [SDKS-2819]
+- Made `forgerock_url`, `forgerock_realm`, and `forgerock_cookie_name` params mandatory when dynamically configuring the SDK [SDKS-2782]
+- Addressed `woodstox-core:6.2.4` library security vulnerability (CVE-2022-40152) [SDKS-2751]
+
 ## [4.2.0]
 #### Added
 - Gradle 8 and JDK 17 support  [SDKS-2451]

build.gradle

@@ -26,8 +26,6 @@ buildscript {
         classpath "com.adarshr:gradle-test-logger-plugin:2.0.0"
         classpath 'com.google.gms:google-services:4.3.15'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
-        classpath "org.jetbrains.dokka:dokka-gradle-plugin:1.8.20"
-
         // NOTE: Do not place your application dependencies here; they belong
         // in the individual module build.gradle files
     }
@@ -36,15 +34,41 @@ buildscript {
 plugins {
     id('io.github.gradle-nexus.publish-plugin') version '1.1.0'
     id('org.sonatype.gradle.plugins.scan') version '2.4.0'
+    id("org.jetbrains.dokka") version "1.9.10"
 }
 
-apply plugin: "org.jetbrains.dokka"
 
 allprojects {
+    configurations.all {
+
+        resolutionStrategy {
+            // Due to vulnerability [CVE-2022-40152] from dokka project.
+            force 'com.fasterxml.jackson.module:jackson-module-kotlin:2.13.5'
+            force 'com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.13.5'
+            force 'com.fasterxml.jackson.core:jackson-databind:2.13.5'
+            // Junit test project
+            force 'junit:junit:4.13.2'
+            //Due to Vulnerability [CVE-2022-2390]: CWE-471 The product does not properly
+            // protect an assumed-immutable element from being modified by an attacker.
+            // on version < 18.0.1, this library is depended by most of the google libraries.
+            // and needs to be reviewed on upgrades
+            force 'com.google.android.gms:play-services-basement:18.1.0'
+            //Due to Vulnerability [CVE-2023-3635] CWE-681: Incorrect Conversion between Numeric Types
+            //on version < 3.4.0, this library is depended by okhttp, when okhttp upgrade, this needs
+            //to be reviewed
+            force 'com.squareup.okio:okio:3.4.0'
+            //Due to this https://github.com/powermock/powermock/issues/1125, we have to keep using an
+            //older version of mockito until mockito release a fix
+            force 'org.mockito:mockito-core:3.12.4'
+            // this is for the mockwebserver
+            force 'org.bouncycastle:bcprov-jdk15on:1.68'
+        }
+    }
     repositories {
         google()
         mavenCentral()
     }
+
 }
 
 subprojects {

config/kdoc.gradle

@@ -55,6 +55,13 @@ dokkaJavadoc {
     }
 }
 
+tasks.named("dokkaHtml").configure {
+    dependsOn("generateDebugRFile")
+    dependsOn("bundleLibCompileToJarDebug")
+    dependsOn("generateReleaseRFile")
+    dependsOn("bundleLibCompileToJarRelease")
+}
+
 dokkaHtml {
     dokkaSourceSets {
         named("main") {

forgerock-auth-ui/build.gradle

@@ -43,11 +43,6 @@ android {
 apply from: '../config/kdoc.gradle'
 apply from: '../config/publish.gradle'
 
-configurations.all {
-    resolutionStrategy {
-        force 'com.google.android.gms:play-services-basement:18.1.0'
-    }
-}
 
 dependencies {
 

forgerock-auth-ui/src/main/java/org/forgerock/android/auth/ui/CallbackFragmentFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019 - 2022 ForgeRock. All rights reserved.
+ * Copyright (c) 2019 - 2023 ForgeRock. All rights reserved.
  *
  * This software may be modified and distributed under the terms
  * of the MIT license. See the LICENSE file for details.
@@ -58,6 +58,7 @@ private CallbackFragmentFactory() {
         register(SuspendedTextOutputCallback.class, SuspendedTextOutputCallbackFragment.class);
         register(ReCaptchaCallback.class, ReCaptchaCallbackFragment.class);
         register(ConsentMappingCallback.class, ConsentMappingCallbackFragment.class);
+        register(AppIntegrityCallback.class, AppIntegrityCallbackFragment.class);
         register(DeviceProfileCallback.class, DeviceProfileCallbackFragment.class);
         register(DeviceBindingCallback.class, DeviceBindingCallbackFragment.class);
         register(DeviceSigningVerifierCallback.class, DeviceSigningVerifierCallbackFragment.class);

forgerock-auth-ui/src/main/java/org/forgerock/android/auth/ui/callback/AppIntegrityCallbackFragment.java

@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2023 ForgeRock. All rights reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+package org.forgerock.android.auth.ui.callback;
+
+
+import android.app.Activity;
+import android.os.Bundle;
+import android.view.LayoutInflater;
+import android.view.View;
+import android.view.ViewGroup;
+import android.widget.ProgressBar;
+import android.widget.TextView;
+
+import androidx.fragment.app.Fragment;
+
+import org.forgerock.android.auth.FRListener;
+import org.forgerock.android.auth.Logger;
+import org.forgerock.android.auth.callback.AppIntegrityCallback;
+import org.forgerock.android.auth.ui.R;
+
+import static android.view.View.GONE;
+
+/**
+ * A simple {@link Fragment} subclass.
+ */
+public class AppIntegrityCallbackFragment extends CallbackFragment<AppIntegrityCallback> {
+
+    private TextView message;
+    private ProgressBar progressBar;
+
+    public AppIntegrityCallbackFragment() {
+        // Required empty public constructor
+    }
+
+    @Override
+    public View onCreateView(LayoutInflater inflater, ViewGroup container,
+                             Bundle savedInstanceState) {
+
+
+        // Inflate the layout for this fragment
+        View view = inflater.inflate(R.layout.fragment_app_integrity_callback, container, false);
+        message = view.findViewById(R.id.message);
+        progressBar = view.findViewById(R.id.appIntegrityApiCallProgress);
+
+        if (node.getCallbacks().size() == 1) { //auto submit if there is one node
+            progressBar.setVisibility(View.VISIBLE);
+            message.setText("Performing " + callback.getRequestType() + " call...");
+        } else {
+            progressBar.setVisibility(GONE);
+            message.setVisibility(GONE);
+        }
+
+        proceed();
+        return view;
+    }
+
+    private void proceed() {
+        final Activity thisActivity = (Activity) this.getActivity();
+        callback.requestIntegrityToken(this.getContext(), new FRListener<Void>() {
+            @Override
+            public void onSuccess(Void result) {
+                thisActivity.runOnUiThread(new Runnable() {
+                    @Override
+                    public void run() {
+                        message.setVisibility(GONE);
+                        progressBar.setVisibility(GONE);
+                        if (node.getCallbacks().size() == 1) { //auto submit if there is one node
+                            next();
+                        }
+                    }
+                });
+            }
+
+            @Override
+            public void onException(Exception e) {
+                message.setVisibility(GONE);
+                progressBar.setVisibility(GONE);
+                Logger.error("AppIntegrityCallback", e.toString());
+                cancel(e);
+            }
+        });
+    }
+}

forgerock-auth-ui/src/main/res/layout/fragment_app_integrity_callback.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  ~ Copyright (c) 2019 - 2023 ForgeRock. All rights reserved.
+  ~
+  ~ This software may be modified and distributed under the terms
+  ~ of the MIT license. See the LICENSE file for details.
+  -->
+
+<androidx.constraintlayout.widget.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent"
+    tools:context=".callback.AppIntegrityCallbackFragment" android:id="@+id/frameLayout">
+
+    <TextView
+        android:id="@+id/message"
+        android:layout_width="wrap_content"
+        android:layout_height="wrap_content"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toTopOf="parent"/>
+
+    <ProgressBar
+        android:id="@+id/appIntegrityApiCallProgress"
+        style="?android:attr/progressBarStyle"
+        android:layout_width="wrap_content"
+        android:layout_height="wrap_content"
+        android:layout_marginBottom="8dp"
+        app:layout_constraintBottom_toTopOf="@+id/message"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent" />
+
+</androidx.constraintlayout.widget.ConstraintLayout>