Configure debug broker support in release mode

AzureAD · Dec 9, 2021 · 734a563 · 734a563
1 parent 44768f5
commit 734a563
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/changelog.txt b/changelog.txt
@@ -64,6 +64,7 @@ V.Next
 - [PATCH] Support SSO token api (#1543)
 - [MINOR] Add flighting parameters to commmandParameters (#1562)
 - [MINOR] Hook telemetry to LocalAuthenticationResult and BaseException (#1636)
+- [PATCH] Throw RuntimeException when debug brokers are trusted in RELEASE mode (#1651)
 
 Version 3.6.3
 ----------

diff --git a/common/src/main/java/com/microsoft/identity/common/internal/broker/BrokerValidator.java b/common/src/main/java/com/microsoft/identity/common/internal/broker/BrokerValidator.java
@@ -60,7 +60,7 @@ public class BrokerValidator {
 
     public static void setShouldTrustDebugBrokers(final boolean shouldTrustDebugBrokers) {
         if (!BuildConfig.DEBUG && shouldTrustDebugBrokers) {
-            Logger.warn(TAG, "You are forcing to trust debug brokers in non-debug builds.");
+            throw new RuntimeException("Cannot trust debug brokers in non-debug builds.");
         }
         BrokerValidator.sShouldTrustDebugBrokers = shouldTrustDebugBrokers;
     }
@@ -150,6 +150,7 @@ public Set<BrokerData> getValidBrokers() {
 
     /**
      * Get an iterator of access to valid broker signatures.
+     *
      * @return an iterator of access to valid broker signatures.
      */
     public Iterator<String> getValidBrokerSignatures() {
@@ -232,7 +233,7 @@ public static boolean isValidBrokerRedirect(@Nullable final String redirectUri,
             final PackageHelper info = new PackageHelper(context.getPackageManager());
             final String signatureDigest = info.getCurrentSignatureForPackage(packageName);
             if (BrokerData.MICROSOFT_AUTHENTICATOR_PROD.signatureHash.equals(signatureDigest)
-                || BrokerData.MICROSOFT_AUTHENTICATOR_DEBUG.signatureHash.equals(signatureDigest)) {
+                    || BrokerData.MICROSOFT_AUTHENTICATOR_DEBUG.signatureHash.equals(signatureDigest)) {
                 // If the caller is the Authenticator, check if the redirect uri matches with either
                 // the one generated with package name and signature or broker redirect uri.
                 isValidBrokerRedirect |= StringUtil.equalsIgnoreCase(redirectUri, AuthenticationConstants.Broker.BROKER_REDIRECT_URI);

diff --git a/common/src/test/java/com/microsoft/identity/common/internal/BrokerValidatorTests.java b/common/src/test/java/com/microsoft/identity/common/internal/BrokerValidatorTests.java
@@ -24,14 +24,17 @@
 
 import androidx.test.core.app.ApplicationProvider;
 
+import com.microsoft.identity.common.BuildConfig;
 import com.microsoft.identity.common.internal.broker.BrokerData;
 import com.microsoft.identity.common.internal.broker.BrokerValidator;
 
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
+import org.junit.function.ThrowingRunnable;
 import org.junit.runner.RunWith;
 import org.robolectric.RobolectricTestRunner;
+import org.robolectric.util.ReflectionHelpers;
 
 import java.util.Set;
 
@@ -68,4 +71,15 @@ public void testGetValidBrokersInReleaseMode() {
         Assert.assertTrue(brokerData.contains(BrokerData.MICROSOFT_AUTHENTICATOR_PROD));
     }
 
+    @Test
+    public void testDebugBrokersInReleaseMode() {
+        ReflectionHelpers.setStaticField(BuildConfig.class, "DEBUG", false);
+        Assert.assertThrows("Cannot trust debug brokers in non-debug builds.", RuntimeException.class, new ThrowingRunnable() {
+            @Override
+            public void run() throws Throwable {
+                BrokerValidator.setShouldTrustDebugBrokers(true);
+            }
+        });
+    }
+
 }