feat(e2ei): add e2ei certificate manual enrollment (WPB-309) (#1840)

app/build.gradle.kts

@@ -188,6 +188,9 @@ dependencies {
     // Development dependencies
     debugImplementation(libs.leakCanary)
 
+    // oauth dependencies
+    implementation(libs.openIdAppOauth)
+
     // Internal, dev, beta and staging only tracking & logging
     devImplementation(libs.dataDog.core)
     internalImplementation(libs.dataDog.core)

app/src/main/AndroidManifest.xml

@@ -144,6 +144,12 @@
                 <data android:mimeType="image/*" />
             </intent-filter>
 
+            <intent-filter>
+                <action android:name="com.wire.android.internal.debug.HANDLE_AUTHORIZATION_RESPONSE" />
+
+                <category android:name="android.intent.category.DEFAULT" />
+            </intent-filter>
+
             <intent-filter>
                 <action android:name="android.intent.action.SEND_MULTIPLE" />
                 <category android:name="android.intent.category.DEFAULT" />
@@ -199,6 +205,34 @@
             </intent-filter>
         </activity>
 
+        <activity
+                android:name="net.openid.appauth.RedirectUriReceiverActivity"
+                android:exported="true"
+                tools:node="replace">
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+
+                <category android:name="android.intent.category.DEFAULT" />
+                <category android:name="android.intent.category.BROWSABLE" />
+
+                <data
+                        android:path="/oauth2redirect"
+                        android:host="e2ei"
+                        android:scheme="wire" />
+            </intent-filter>
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+
+                <category android:name="android.intent.category.DEFAULT" />
+                <category android:name="android.intent.category.BROWSABLE" />
+
+                <data
+                        android:path="/logout"
+                        android:host="e2ei"
+                        android:scheme="wire" />
+            </intent-filter>
+        </activity>
+
         <provider
                 android:name="androidx.startup.InitializationProvider"
                 android:authorities="${applicationId}.androidx-startup"

app/src/main/kotlin/com/wire/android/di/accountScoped/UserModule.kt

@@ -25,6 +25,7 @@ import com.wire.kalium.logic.feature.asset.DeleteAssetUseCase
 import com.wire.kalium.logic.feature.asset.GetAssetSizeLimitUseCase
 import com.wire.kalium.logic.feature.asset.GetAvatarAssetUseCase
 import com.wire.kalium.logic.feature.conversation.GetAllContactsNotInConversationUseCase
+import com.wire.kalium.logic.feature.e2ei.usecase.EnrollE2EIUseCase
 import com.wire.kalium.logic.feature.e2ei.usecase.GetE2eiCertificateUseCase
 import com.wire.kalium.logic.feature.publicuser.GetAllContactsUseCase
 import com.wire.kalium.logic.feature.publicuser.GetKnownUserUseCase
@@ -110,6 +111,11 @@ class UserModule {
     fun providePersistReadReceiptsStatusConfig(userScope: UserScope): PersistReadReceiptsStatusConfigUseCase =
         userScope.persistReadReceiptsStatusConfig
 
+    @ViewModelScoped
+    @Provides
+    fun provideEnrollE2EIUseCase(userScope: UserScope): EnrollE2EIUseCase =
+        userScope.enrollE2EI
+
     @ViewModelScoped
     @Provides
     fun provideObserveTypingIndicatorEnabled(userScope: UserScope): ObserveTypingIndicatorEnabledUseCase =

app/src/main/kotlin/com/wire/android/feature/e2ei/GetE2EICertificateUseCase.kt

@@ -0,0 +1,77 @@
+/*
+ * Wire
+ * Copyright (C) 2023 Wire Swiss GmbH
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ */
+package com.wire.android.feature.e2ei
+
+import android.content.Context
+import com.wire.android.util.dispatchers.DispatcherProvider
+import com.wire.android.util.extension.getActivity
+import com.wire.kalium.logic.CoreFailure
+import com.wire.kalium.logic.E2EIFailure
+import com.wire.kalium.logic.feature.e2ei.usecase.E2EIEnrollmentResult
+import com.wire.kalium.logic.feature.e2ei.usecase.EnrollE2EIUseCase
+import com.wire.kalium.logic.functional.Either
+import com.wire.kalium.logic.functional.fold
+import com.wire.kalium.logic.functional.map
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.SupervisorJob
+import kotlinx.coroutines.launch
+import javax.inject.Inject
+
+class GetE2EICertificateUseCase @Inject constructor(
+    private val enrollE2EI: EnrollE2EIUseCase,
+    val dispatcherProvider: DispatcherProvider
+) {
+
+    private val scope = CoroutineScope(SupervisorJob() + dispatcherProvider.default())
+    private lateinit var initialEnrollmentResult: E2EIEnrollmentResult.Initialized
+    lateinit var enrollmentResultHandler: (Either<E2EIFailure, E2EIEnrollmentResult>) -> Unit
+
+    operator fun invoke(context: Context, enrollmentResultHandler: (Either<CoreFailure, E2EIEnrollmentResult>) -> Unit) {
+        this.enrollmentResultHandler = enrollmentResultHandler
+        scope.launch {
+            enrollE2EI.initialEnrollment().fold({
+                enrollmentResultHandler(Either.Left(it))
+            }, {
+                if (it is E2EIEnrollmentResult.Initialized) {
+                    initialEnrollmentResult = it
+                    OAuthUseCase(context, it.target).launch(
+                        context.getActivity()!!.activityResultRegistry,
+                        ::oAuthResultHandler
+                    )
+                } else enrollmentResultHandler(Either.Right(it))
+            })
+        }
+    }
+
+    private fun oAuthResultHandler(oAuthResult: OAuthUseCase.OAuthResult) {
+        scope.launch {
+            when (oAuthResult) {
+                is OAuthUseCase.OAuthResult.Success -> {
+                    enrollE2EI.finalizeEnrollment(
+                        oAuthResult.idToken,
+                        initialEnrollmentResult
+                    ).map { enrollmentResultHandler(Either.Right(it)) }
+                }
+
+                is OAuthUseCase.OAuthResult.Failed -> {
+                    enrollmentResultHandler(Either.Left(E2EIFailure.FailedOAuth(oAuthResult.reason)))
+                }
+            }
+        }
+    }
+}

app/src/main/kotlin/com/wire/android/feature/e2ei/OAuthUseCase.kt

@@ -0,0 +1,207 @@
+/*
+ * Wire
+ * Copyright (C) 2023 Wire Swiss GmbH
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ */
+package com.wire.android.feature.e2ei
+
+import android.app.Activity
+import android.content.Context
+import android.content.Intent
+import android.net.Uri
+import android.util.Base64
+import androidx.activity.result.ActivityResult
+import androidx.activity.result.ActivityResultRegistry
+import androidx.activity.result.contract.ActivityResultContracts
+import com.wire.android.appLogger
+import com.wire.android.util.deeplink.DeepLinkProcessor
+import net.openid.appauth.AppAuthConfiguration
+import net.openid.appauth.AuthState
+import net.openid.appauth.AuthorizationException
+import net.openid.appauth.AuthorizationRequest
+import net.openid.appauth.AuthorizationResponse
+import net.openid.appauth.AuthorizationService
+import net.openid.appauth.AuthorizationServiceConfiguration
+import net.openid.appauth.ClientAuthentication
+import net.openid.appauth.ClientSecretBasic
+import net.openid.appauth.ResponseTypeValues
+import net.openid.appauth.browser.BrowserAllowList
+import net.openid.appauth.browser.VersionedBrowserMatcher
+import net.openid.appauth.connectivity.ConnectionBuilder
+import java.net.HttpURLConnection
+import java.net.URL
+import java.security.MessageDigest
+import java.security.SecureRandom
+import java.security.cert.X509Certificate
+import javax.net.ssl.HostnameVerifier
+import javax.net.ssl.HttpsURLConnection
+import javax.net.ssl.SSLContext
+import javax.net.ssl.TrustManager
+import javax.net.ssl.X509TrustManager
+
+class OAuthUseCase(context: Context, private val authUrl: String) {
+    private var authState: AuthState = AuthState()
+    private var authorizationService: AuthorizationService
+    private lateinit var authServiceConfig: AuthorizationServiceConfiguration
+
+    // todo: this is a temporary code to ignore ssl issues on the test environment, will be removed after the preparation of the environment
+    // region Ignore SSL for OAuth
+    val naiveTrustManager = object : X509TrustManager {
+        override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
+        override fun checkClientTrusted(certs: Array<X509Certificate>, authType: String) = Unit
+        override fun checkServerTrusted(certs: Array<X509Certificate>, authType: String) = Unit
+    }
+    val insecureSocketFactory = SSLContext.getInstance("SSL").apply {
+        val trustAllCerts = arrayOf<TrustManager>(naiveTrustManager)
+        init(null, trustAllCerts, SecureRandom())
+    }.socketFactory
+
+    private var insecureConnection = ConnectionBuilder() { uri ->
+        val url = URL(uri.toString())
+        val connection = url.openConnection() as HttpURLConnection
+        if (connection is HttpsURLConnection) {
+            connection.hostnameVerifier = HostnameVerifier { _, _ -> true }
+            connection.sslSocketFactory = insecureSocketFactory
+        }
+        connection
+    }
+    // endregion
+
+    private var appAuthConfiguration: AppAuthConfiguration = AppAuthConfiguration.Builder()
+        .setBrowserMatcher(
+            BrowserAllowList(
+                VersionedBrowserMatcher.CHROME_CUSTOM_TAB, VersionedBrowserMatcher.SAMSUNG_CUSTOM_TAB
+            )
+        )
+        .setConnectionBuilder(insecureConnection)
+        .setSkipIssuerHttpsCheck(true)
+        .build()
+
+    init {
+        authorizationService = AuthorizationService(context, appAuthConfiguration)
+    }
+
+    private fun getAuthorizationRequestIntent(): Intent = authorizationService.getAuthorizationRequestIntent(getAuthorizationRequest())
+
+    fun launch(activityResultRegistry: ActivityResultRegistry, resultHandler: (OAuthResult) -> Unit) {
+        val resultLauncher = activityResultRegistry.register(
+            OAUTH_ACTIVITY_RESULT_KEY, ActivityResultContracts.StartActivityForResult()
+        ) { result ->
+            handleActivityResult(result, resultHandler)
+        }
+        AuthorizationServiceConfiguration.fetchFromUrl(
+            Uri.parse(authUrl.plus(IDP_CONFIGURATION_PATH)),
+            { configuration, ex ->
+                if (ex == null) {
+                    authServiceConfig = configuration!!
+                    resultLauncher.launch(getAuthorizationRequestIntent())
+                } else {
+                    resultHandler(OAuthResult.Failed.InvalidActivityResult("Fetching the configurations failed! $ex"))
+                }
+            }, insecureConnection
+        )
+    }
+
+    private fun handleActivityResult(result: ActivityResult, resultHandler: (OAuthResult) -> Unit) {
+        if (result.resultCode == Activity.RESULT_OK) {
+            handleAuthorizationResponse(result.data!!, resultHandler)
+        } else {
+            resultHandler(OAuthResult.Failed.InvalidActivityResult(result.toString()))
+        }
+    }
+
+    private fun handleAuthorizationResponse(intent: Intent, resultHandler: (OAuthResult) -> Unit) {
+        val authorizationResponse: AuthorizationResponse? = AuthorizationResponse.fromIntent(intent)
+        val clientAuth: ClientAuthentication = ClientSecretBasic(CLIENT_SECRET)
+
+        val error = AuthorizationException.fromIntent(intent)
+
+        authState = AuthState(authorizationResponse, error)
+
+        val tokenExchangeRequest = authorizationResponse?.createTokenExchangeRequest()
+
+        tokenExchangeRequest?.let { request ->
+            authorizationService.performTokenRequest(request, clientAuth) { response, exception ->
+                if (exception != null) {
+                    authState = AuthState()
+                    resultHandler(OAuthResult.Failed(exception.toString()))
+                } else {
+                    if (response != null) {
+                        authState.update(response, exception)
+                        appLogger.i("OAuth idToken: ${response.idToken}")
+                        resultHandler(OAuthResult.Success(response.idToken.toString()))
+                    } else {
+                        resultHandler(OAuthResult.Failed.EmptyResponse)
+                    }
+                }
+            }
+        } ?: resultHandler(OAuthResult.Failed.Unknown)
+    }
+
+    private fun getAuthorizationRequest() = AuthorizationRequest.Builder(
+        authServiceConfig, CLIENT_ID, ResponseTypeValues.CODE, URL_AUTH_REDIRECT
+    ).setCodeVerifier().setScopes(SCOPE_OPENID, SCOPE_EMAIL, SCOPE_PROFILE).build()
+
+    private fun AuthorizationRequest.Builder.setCodeVerifier(): AuthorizationRequest.Builder {
+        val codeVerifier = getCodeVerifier()
+        setCodeVerifier(
+            codeVerifier, getCodeChallenge(codeVerifier), CODE_VERIFIER_CHALLENGE_METHOD
+        )
+        return this
+    }
+
+    @Suppress("MagicNumber")
+    private fun getCodeVerifier(): String {
+        val secureRandom = SecureRandom()
+        val bytes = ByteArray(64)
+        secureRandom.nextBytes(bytes)
+        return Base64.encodeToString(bytes, ENCODING)
+    }
+
+    private fun getCodeChallenge(codeVerifier: String): String {
+        val hash = MESSAGE_DIGEST.digest(codeVerifier.toByteArray())
+        return Base64.encodeToString(hash, ENCODING)
+    }
+
+    sealed class OAuthResult {
+        data class Success(val idToken: String) : OAuthResult()
+        open class Failed(val reason: String) : OAuthResult() {
+            object Unknown : Failed("Unknown")
+            class InvalidActivityResult(reason: String) : Failed(reason)
+            object EmptyResponse : Failed("Empty Response")
+        }
+    }
+
+    companion object {
+        const val OAUTH_ACTIVITY_RESULT_KEY = "OAuthActivityResult"
+
+        const val SCOPE_PROFILE = "profile"
+        const val SCOPE_EMAIL = "email"
+        const val SCOPE_OPENID = "openid"
+
+        // todo: clientId and the clientSecret will be replaced with the values from the BE once the BE provides them
+        const val CLIENT_ID = "wireapp"
+        const val CLIENT_SECRET = "dUpVSGx2dVdFdGQ0dmsxWGhDalQ0SldU"
+        const val CODE_VERIFIER_CHALLENGE_METHOD = "S256"
+        const val MESSAGE_DIGEST_ALGORITHM = "SHA-256"
+        val MESSAGE_DIGEST = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM)
+        const val ENCODING = Base64.URL_SAFE or Base64.NO_PADDING or Base64.NO_WRAP
+        val URL_AUTH_REDIRECT: Uri = Uri.Builder().scheme(DeepLinkProcessor.DEEP_LINK_SCHEME)
+            .authority(DeepLinkProcessor.E2EI_DEEPLINK_HOST)
+            .appendPath(DeepLinkProcessor.E2EI_DEEPLINK_OAUTH_REDIRECT_PATH).build()
+
+        const val IDP_CONFIGURATION_PATH = "/.well-known/openid-configuration"
+    }
+}

app/src/main/kotlin/com/wire/android/ui/common/WireDialog.kt

@@ -18,6 +18,8 @@
  *
  */
 
+@file:Suppress("MultiLineIfElse")
+
 package com.wire.android.ui.common
 
 import androidx.compose.foundation.layout.Box