From 31b5e66a2356c59ee7b368e604907fd78f6ba3b8 Mon Sep 17 00:00:00 2001 From: Mohamad Jaara Date: Mon, 28 Aug 2023 10:13:10 +0200 Subject: [PATCH] feat: cert pinning (#2124) --- .../wire/android/di/KaliumConfigsModule.kt | 9 ++------ .../self/SelfUserProfileViewModel.kt | 5 ++--- .../kotlin/customization/FeatureConfigs.kt | 4 +++- .../main/kotlin/scripts/variants.gradle.kts | 19 +++++++++++++++-- default.json | 21 +++++++++++-------- kalium | 2 +- 6 files changed, 37 insertions(+), 23 deletions(-) diff --git a/app/src/main/kotlin/com/wire/android/di/KaliumConfigsModule.kt b/app/src/main/kotlin/com/wire/android/di/KaliumConfigsModule.kt index 16b9c5d908..0ae97d2d55 100644 --- a/app/src/main/kotlin/com/wire/android/di/KaliumConfigsModule.kt +++ b/app/src/main/kotlin/com/wire/android/di/KaliumConfigsModule.kt @@ -49,14 +49,8 @@ class KaliumConfigsModule { } return KaliumConfigs( - isChangeEmailEnabled = BuildConfig.ALLOW_CHANGE_OF_EMAIL, - isLoggingEnabled = BuildConfig.LOGGING_ENABLED, - blacklistHost = BuildConfig.DEFAULT_BACKEND_URL_BLACKLIST, fileRestrictionState = fileRestriction, forceConstantBitrateCalls = BuildConfig.FORCE_CONSTANT_BITRATE_CALLS, - developerFeaturesEnabled = BuildConfig.DEVELOPER_FEATURES_ENABLED, - enableBlacklist = BuildConfig.ENABLE_BLACKLIST, - maxAccount = BuildConfig.MAX_ACCOUNTS, // we use upsert, available from SQL3.24, which is supported from Android API30, so for older APIs we have to use SQLCipher shouldEncryptData = !BuildConfig.DEBUG || Build.VERSION.SDK_INT < Build.VERSION_CODES.R, lowerKeyPackageLimits = BuildConfig.PRIVATE_BUILD, 
@@ -69,7 +63,8 @@ class KaliumConfigsModule { wipeOnCookieInvalid = BuildConfig.WIPE_ON_COOKIE_INVALID, wipeOnDeviceRemoval = BuildConfig.WIPE_ON_DEVICE_REMOVAL, wipeOnRootedDevice = BuildConfig.WIPE_ON_ROOTED_DEVICE, - isWebSocketEnabledByDefault = isWebsocketEnabledByDefault(context) + isWebSocketEnabledByDefault = isWebsocketEnabledByDefault(context), + certPinningConfig = BuildConfig.CERTIFICATE_PINNING_CONFIG ) } } diff --git a/app/src/main/kotlin/com/wire/android/ui/userprofile/self/SelfUserProfileViewModel.kt b/app/src/main/kotlin/com/wire/android/ui/userprofile/self/SelfUserProfileViewModel.kt index 4913c0837a..949ff378e6 100644 --- a/app/src/main/kotlin/com/wire/android/ui/userprofile/self/SelfUserProfileViewModel.kt +++ b/app/src/main/kotlin/com/wire/android/ui/userprofile/self/SelfUserProfileViewModel.kt @@ -25,6 +25,7 @@ import androidx.compose.runtime.mutableStateOf import androidx.compose.runtime.setValue import androidx.lifecycle.ViewModel import androidx.lifecycle.viewModelScope +import com.wire.android.BuildConfig import com.wire.android.appLogger import com.wire.android.datastore.UserDataStore import com.wire.android.di.AuthServerConfigProvider @@ -56,7 +57,6 @@ import com.wire.kalium.logic.feature.user.IsReadOnlyAccountUseCase import com.wire.kalium.logic.feature.user.ObserveValidAccountsUseCase import com.wire.kalium.logic.feature.user.SelfServerConfigUseCase import com.wire.kalium.logic.feature.user.UpdateSelfAvailabilityStatusUseCase -import com.wire.kalium.logic.featureFlags.KaliumConfigs import dagger.hilt.android.lifecycle.HiltViewModel import kotlinx.coroutines.flow.SharingStarted import kotlinx.coroutines.flow.StateFlow 
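Review bot: The new `certPinningConfig = BuildConfig.CERTIFICATE_PINNING_CONFIG` argument in KaliumConfigsModule.kt carries no comment on what an empty map means, while default.json in this same commit ships `"cert_pinning_config": {}` as the shared default. If Kalium treats an empty map as "no pinning" (its handling is not visible here), every flavor without an explicit entry runs unpinned with no signal to whoever builds it. I would add a comment above the argument such as `// pin hash -> host patterns from cert_pinning_config; an empty map presumably disables pinning for this flavor (confirm in Kalium)`. The enclosing provider function starts outside this hunk.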
@@ -85,7 +85,6 @@ class SelfUserProfileViewModel @Inject constructor( private val wireSessionImageLoader: WireSessionImageLoader, private val authServerConfigProvider: AuthServerConfigProvider, private val selfServerLinks: SelfServerConfigUseCase, - private val kaliumConfigs: KaliumConfigs, private val otherAccountMapper: OtherAccountMapper, private val observeEstablishedCalls: ObserveEstablishedCallsUseCase, private val accountSwitch: AccountSwitchUseCase, @@ -228,7 +227,7 @@ class SelfUserProfileViewModel @Inject constructor( fun tryToInitAddingAccount(onSucceeded: () -> Unit) { viewModelScope.launch { // the total number of accounts is otherAccounts + 1 for the current account - val canAddNewAccounts: Boolean = (userProfileState.otherAccounts.size + 1) < kaliumConfigs.maxAccount + val canAddNewAccounts: Boolean = (userProfileState.otherAccounts.size + 1) < BuildConfig.MAX_ACCOUNTS if (!canAddNewAccounts) { userProfileState = userProfileState.copy(maxAccountsReached = true) diff --git a/buildSrc/src/main/kotlin/customization/FeatureConfigs.kt b/buildSrc/src/main/kotlin/customization/FeatureConfigs.kt index e9da93f454..a97cc30572 100644 --- a/buildSrc/src/main/kotlin/customization/FeatureConfigs.kt +++ b/buildSrc/src/main/kotlin/customization/FeatureConfigs.kt @@ -22,6 +22,7 @@ enum class ConfigType(val type: String) { STRING("String"), BOOLEAN("Boolean"), INT("int"), + MapOfStringToListOfStrings("java.util.HashMap>") } enum class FeatureConfigs(val value: String, val configType: ConfigType) { 
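Review bot: In `tryToInitAddingAccount` the account limit is now read from the static `BuildConfig.MAX_ACCOUNTS` inside the ViewModel, so a unit test can no longer vary the limit as it could with the injected `kaliumConfigs`. Consider supplying the limit through the constructor (for example a Hilt-provided `@Named("maxAccounts") Int`) and keeping the comparison as `(userProfileState.otherAccounts.size + 1) < maxAccounts`. The function body continues past this hunk, so whether the limit is enforced anywhere besides this UI gate cannot be told from here.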
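Review bot: The new `ConfigType` entry `MapOfStringToListOfStrings` breaks the naming of its siblings `STRING`, `BOOLEAN` and `INT`, which are upper snake case. I would rename it to `MAP_OF_STRING_TO_LIST_OF_STRINGS`, updating the uses in `FeatureConfigs.CERTIFICATE_PINNING_CONFIG` and in the `when` branch in variants.gradle.kts. A one-line comment such as `// pin hash -> list of host patterns, emitted into BuildConfig as a Java map initializer` would also help, since the type string does not explain itself.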
@@ -88,6 +89,7 @@ enum class FeatureConfigs(val value: String, val configType: ConfigType) { DEFAULT_BACKEND_URL_BLACKLIST("default_backend_url_blacklist", ConfigType.STRING), DEFAULT_BACKEND_URL_WEBSITE("default_backend_url_website", ConfigType.STRING), DEFAULT_BACKEND_TITLE("default_backend_title", ConfigType.STRING), - // TODO: Add support for default proxy configs + CERTIFICATE_PINNING_CONFIG("cert_pinning_config", ConfigType.MapOfStringToListOfStrings), + // TODO: Add support for default proxy configs } diff --git a/buildSrc/src/main/kotlin/scripts/variants.gradle.kts b/buildSrc/src/main/kotlin/scripts/variants.gradle.kts index 79dffb708d..cff5b7a8f8 100644 --- a/buildSrc/src/main/kotlin/scripts/variants.gradle.kts +++ b/buildSrc/src/main/kotlin/scripts/variants.gradle.kts @@ -23,7 +23,6 @@ package scripts import com.android.build.api.dsl.ApplicationProductFlavor import com.android.build.api.dsl.ProductFlavor import customization.ConfigType -import customization.Customization import customization.Customization.getBuildtimeConfiguration import customization.FeatureConfigs import customization.FeatureFlags @@ -185,7 +184,8 @@ android { ) } - ConfigType.INT, ConfigType.BOOLEAN -> { + ConfigType.INT, + ConfigType.BOOLEAN -> { buildNonStringConfig( flavor, configs.configType.type, @@ -193,6 +193,21 @@ android { flavorMap[flavor.name]?.get(configs.value).toString() ) } + + ConfigType.MapOfStringToListOfStrings -> { + val map = flavorMap[flavor.name]?.get(configs.value) as? Map<*, *> + val mapString = map?.map { (key, value) -> + "\"$key\", java.util.Arrays.asList(${(value as? List<*>)?.joinToString { "\"$it\"" } ?: ""})".let { + "put($it);" + } + }?.joinToString(",\n") ?: "" + buildNonStringConfig( + flavor, + configs.configType.type, + configs.name, + "new java.util.HashMap>() {{\n$mapString\n}}" + ) + } } } } diff --git a/default.json b/default.json index 9278ba7cc4..e01ef32def 100644 --- a/default.json +++ b/default.json 
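Review bot: In the new `ConfigType.MapOfStringToListOfStrings` branch of variants.gradle.kts the generated `put(...);` statements are joined with `joinToString(",\n")`, so once `cert_pinning_config` holds two pin keys the initializer contains `put(...);,` before the next `put`, which is not valid Java; it compiles today only because default.json has a single key. The two `as?` casts also turn a mistyped value (a string where a list is expected, a list where an object is expected) into an empty list or empty map, so a config mistake yields a build with fewer or no pins instead of a build failure. Keys and hosts are interpolated into Java source unescaped, so a quote or backslash in the JSON would corrupt the generated file. The version below joins with a newline and fails the build on a wrong shape; the `when` on `configs.configType` starts outside this hunk.

```kotlin
ConfigType.MapOfStringToListOfStrings -> {
    val raw = flavorMap[flavor.name]?.get(configs.value)
    val pins = when (raw) {
        null -> emptyMap<Any?, Any?>() // key absent for this flavor: no pins
        is Map<*, *> -> raw
        else -> error("${configs.value} for flavor ${flavor.name} must be a JSON object")
    }
    // One statement per line; a comma between statements is not valid Java.
    val mapString = pins.entries.joinToString("\n") { (pin, hosts) ->
        val hostList = hosts as? List<*>
            ?: error("${configs.value}[$pin] for flavor ${flavor.name} must be a list of host patterns")
        "put(\"$pin\", java.util.Arrays.asList(${hostList.joinToString { "\"$it\"" }}));"
    }
    // … unchanged: buildNonStringConfig(flavor, configs.configType.type, configs.name, …) call …
}
```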
@@ -6,7 +6,15 @@ "logging_enabled": false, "application_is_private_build": false, "development_api_enabled": false, - "mls_support_enabled": false + "mls_support_enabled": false, + "cert_pinning_config": { + "sha256/fnBeCwh0imI9t46Onid49IwvsB5vcf7RCvafRRdCyRE=": [ + "**.prod-nginz-https.wire.com", + "**.prod-nginz-ssl.wire.com", + "**.prod-assets.wire.com", + "clientblacklist.wire.com" + ] + } }, "dev": { "application_id": "com.waz.zclient.dev", @@ -65,9 +73,8 @@ }, "application_name": "Wire", "allow_sso_authentication_option": true, - "url_support": "https://support.wire.com", - "allow_account_creation" : true, + "allow_account_creation": true, "max_accounts": 3, "enable_blacklist": true, "allow_email_change": true, @@ -75,7 +82,6 @@ "file_restriction_enabled": false, "file_restriction_list": "3gpp, aac, amr, avi, bmp, css, csv, dib, doc, docx, eml, flac, gif, html, ico, jfif, jpeg, jpg, jpg-large, key, m4a, m4v, md, midi, mkv, mov, mp3, mp4, mpeg, mpeg3, mpg, msg, ods, odt, ogg, pdf, pjp, pjpeg, png, pps, ppt, pptx, psd, pst, rtf, sql, svg, tex, tiff, txt, vcf, vid, wav, webm, webp, wmv, xls, xlsx, xml", "force_constant_bitrate_calls": false, - "mls_support_enabled": true, "encrypt_proteus_storage": false, "self_deleting_messages": true, 
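Review bot: The new `cert_pinning_config` block in the first hunk pins every listed production host to a single hash, `sha256/fnBeCwh0imI9t46Onid49IwvsB5vcf7RCvafRRdCyRE=`, with no backup pin. If that key is rotated or has to be revoked, installed clients can no longer reach `**.prod-nginz-https.wire.com` and the other pinned hosts until they are updated, and `clientblacklist.wire.com` is itself one of the pinned hosts. I would add a second key, whose private half is kept offline, mapped to the same host list, e.g. `"sha256/<BACKUP_SPKI_HASH_PLACEHOLDER>": [ ...same hosts... ]`. The other production URLs visible in this file (`account.wire.com`, `teams.wire.com`) are not in the list; if the app connects to them directly rather than through a browser, leaving them unpinned should be a deliberate decision.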
@@ -83,22 +89,19 @@ "wipe_on_device_removal": false, "wipe_on_rooted_device": false, "websocket_enabled_by_default": false, - "firebase_push_sender_id": "782078216207", "firebase_app_id": "1:782078216207:android:d3db2443512d2055", "google_api_key": "AIzaSyBXtNKuX6GCKv2jDtsFImUaxCRL21DTLEQ", "fcm_project_id": "w966768976", - "report_bug_menu_item_enabled": true, "debug_screen_enabled": true, - "update_app_url": "https://wire.com/en/download/", - "default_backend_url_base_api": "https://prod-nginz-https.wire.com", "default_backend_url_accounts": "https://account.wire.com", "default_backend_url_base_websocket": "https://prod-nginz-ssl.wire.com", "default_backend_url_teams": "https://teams.wire.com", "default_backend_url_blacklist": "https://clientblacklist.wire.com/prod", "default_backend_url_website": "https://wire.com", - "default_backend_title": "wire-production" + "default_backend_title": "wire-production", + "cert_pinning_config": {} } diff --git a/kalium b/kalium index 0e15019dcf..b0db2a2b13 160000 --- a/kalium +++ b/kalium @@ -1 +1 @@ -Subproject commit 0e15019dcfdb42d63e6a1a7081ad4b143692036e +Subproject commit b0db2a2b13ef7452befb5bfb86e01841bace924b