From 3c2a6e78516e3b18833f32ca9b73743ae0dc3c9e Mon Sep 17 00:00:00 2001 From: Steven Wong Date: Thu, 25 Jul 2024 22:24:54 +0800 Subject: [PATCH 1/4] Update codeowner file with new GitHub team name --- .github/CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 60f116c0..7958e8bd 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1 @@ -* @auth0/dx-sdks-engineer +* @auth0/project-dx-sdks-engineer-codeowner From 77aa8b129e5f62b601d96f8f217058731e3cb1ac Mon Sep 17 00:00:00 2001 From: Prince Mathew <17837162+pmathew92@users.noreply.github.com> Date: Wed, 4 Sep 2024 15:34:44 +0530 Subject: [PATCH 2/4] Replaced pull_request_target with pull_request to fix the workflow security issue (#473) --- .github/workflows/pr-title-checker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-title-checker.yml b/.github/workflows/pr-title-checker.yml index bf2170c2..a8b96bf8 100644 --- a/.github/workflows/pr-title-checker.yml +++ b/.github/workflows/pr-title-checker.yml @@ -1,6 +1,6 @@ name: "PR Title Checker" on: - pull_request_target: + pull_request: types: - opened - edited From 66ad9ffe47d92e0a2d2efcb17a919384c1b64d24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20F=C3=A9ron?= Date: Wed, 9 Oct 2024 08:56:53 +0200 Subject: [PATCH 3/4] Use java.time.Instant instead of java.text.SimpleDateFormat (#469) --- .../request_handlers/api/LoginApiRequestHandler.kt | 6 +----- .../request_handlers/api/LoginWithOtpApiRequestHandler.kt | 6 +----- .../request_handlers/api/RenewApiRequestHandler.kt | 7 +------ .../credentials_manager/GetCredentialsRequestHandler.kt | 7 +------ .../credentials_manager/SaveCredentialsRequestHandler.kt | 8 +++----- .../web_auth/LoginWebAuthRequestHandler.kt | 6 +----- 6 files changed, 8 insertions(+), 32 deletions(-) diff --git a/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/LoginApiRequestHandler.kt b/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/LoginApiRequestHandler.kt index ba5409bf..b84fb6e3 100644 --- a/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/LoginApiRequestHandler.kt +++ b/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/LoginApiRequestHandler.kt @@ -8,7 +8,6 @@ import com.auth0.auth0_flutter.request_handlers.MethodCallRequest import com.auth0.auth0_flutter.toMap import com.auth0.auth0_flutter.utils.assertHasProperties import io.flutter.plugin.common.MethodChannel -import java.text.SimpleDateFormat import java.util.* private const val AUTH_LOGIN_METHOD = "auth#login" @@ -54,10 +53,7 @@ class LoginApiRequestHandler : ApiRequestHandler { override fun onSuccess(credentials: Credentials) { val scope = credentials.scope?.split(" ") ?: listOf() - val sdf = - SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'", Locale.US) - - val formattedDate = sdf.format(credentials.expiresAt) + val formattedDate = credentials.expiresAt.toInstant().toString() result.success( mapOf( "accessToken" to credentials.accessToken, diff --git a/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/LoginWithOtpApiRequestHandler.kt b/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/LoginWithOtpApiRequestHandler.kt index c3c8f6a1..62e22668 100644 --- a/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/LoginWithOtpApiRequestHandler.kt +++ b/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/LoginWithOtpApiRequestHandler.kt @@ -8,7 +8,6 @@ import com.auth0.auth0_flutter.request_handlers.MethodCallRequest import com.auth0.auth0_flutter.toMap import com.auth0.auth0_flutter.utils.assertHasProperties import io.flutter.plugin.common.MethodChannel -import java.text.SimpleDateFormat import java.util.* private const val AUTH_LOGIN_OTP_METHOD = "auth#loginOtp" @@ -42,10 +41,7 @@ class LoginWithOtpApiRequestHandler: ApiRequestHandler { override fun onSuccess(credentials: Credentials) { val scope = credentials.scope?.split(" ") ?: listOf() - val sdf = - SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'", Locale.US) - - val formattedDate = sdf.format(credentials.expiresAt) + var formattedDate = credentials.expiresAt.toInstant().toString() result.success( mapOf( "accessToken" to credentials.accessToken, diff --git a/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/RenewApiRequestHandler.kt b/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/RenewApiRequestHandler.kt index 62d43643..3fc5dc38 100644 --- a/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/RenewApiRequestHandler.kt +++ b/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/api/RenewApiRequestHandler.kt @@ -8,8 +8,6 @@ import com.auth0.auth0_flutter.request_handlers.MethodCallRequest import com.auth0.auth0_flutter.toMap import com.auth0.auth0_flutter.utils.assertHasProperties import io.flutter.plugin.common.MethodChannel -import java.text.SimpleDateFormat -import java.util.Locale private const val AUTH_RENEW_METHOD = "auth#renew" @@ -46,10 +44,7 @@ class RenewApiRequestHandler : ApiRequestHandler { override fun onSuccess(credentials: Credentials) { val scope = credentials.scope?.split(" ") ?: listOf() - val sdf = - SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'", Locale.US) - - val formattedDate = sdf.format(credentials.expiresAt) + val formattedDate = credentials.expiresAt.toInstant().toString(); result.success( mapOf( diff --git a/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/credentials_manager/GetCredentialsRequestHandler.kt b/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/credentials_manager/GetCredentialsRequestHandler.kt index 31549dae..664d5ea2 100644 --- a/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/credentials_manager/GetCredentialsRequestHandler.kt +++ b/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/credentials_manager/GetCredentialsRequestHandler.kt @@ -8,7 +8,6 @@ import com.auth0.android.result.Credentials import com.auth0.auth0_flutter.request_handlers.MethodCallRequest import com.auth0.auth0_flutter.toMap import io.flutter.plugin.common.MethodChannel -import java.text.SimpleDateFormat import java.util.* class GetCredentialsRequestHandler : CredentialsManagerRequestHandler { @@ -38,11 +37,7 @@ class GetCredentialsRequestHandler : CredentialsManagerRequestHandler { override fun onSuccess(credentials: Credentials) { val scopes = credentials.scope?.split(" ") ?: listOf() - val sdf = - SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'", Locale.US) - - val formattedDate = sdf.format(credentials.expiresAt) - + val formattedDate = credentials.expiresAt.toInstant().toString() result.success( mapOf( "accessToken" to credentials.accessToken, diff --git a/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/credentials_manager/SaveCredentialsRequestHandler.kt b/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/credentials_manager/SaveCredentialsRequestHandler.kt index 6a395c53..5955f0bc 100644 --- a/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/credentials_manager/SaveCredentialsRequestHandler.kt +++ b/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/credentials_manager/SaveCredentialsRequestHandler.kt @@ -6,8 +6,7 @@ import com.auth0.android.result.Credentials import com.auth0.auth0_flutter.request_handlers.MethodCallRequest import com.auth0.auth0_flutter.utils.assertHasProperties import io.flutter.plugin.common.MethodChannel -import java.text.SimpleDateFormat -import java.time.LocalDate +import java.time.Instant import java.util.* @@ -32,15 +31,14 @@ class SaveCredentialsRequestHandler : CredentialsManagerRequestHandler { scope = scopes.joinToString(separator = " ") } - val format = SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'", Locale.US) - val date = format.parse(credentials.get("expiresAt") as String) + val instant = Instant.parse(credentials.get("expiresAt") as String) credentialsManager.saveCredentials(Credentials( credentials.get("idToken") as String, credentials.get("accessToken") as String, credentials.get("tokenType") as String, credentials.get("refreshToken") as String?, - date, + Date.from(instant), scope, )) result.success(true) diff --git a/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/web_auth/LoginWebAuthRequestHandler.kt b/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/web_auth/LoginWebAuthRequestHandler.kt index 0251a172..b11ab41f 100644 --- a/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/web_auth/LoginWebAuthRequestHandler.kt +++ b/auth0_flutter/android/src/main/kotlin/com/auth0/auth0_flutter/request_handlers/web_auth/LoginWebAuthRequestHandler.kt @@ -8,7 +8,6 @@ import com.auth0.android.result.Credentials import com.auth0.auth0_flutter.request_handlers.MethodCallRequest import com.auth0.auth0_flutter.toMap import io.flutter.plugin.common.MethodChannel -import java.text.SimpleDateFormat import java.util.* class LoginWebAuthRequestHandler(private val builderResolver: (MethodCallRequest) -> WebAuthProvider.Builder) : WebAuthRequestHandler { @@ -69,10 +68,7 @@ class LoginWebAuthRequestHandler(private val builderResolver: (MethodCallRequest override fun onSuccess(credentials: Credentials) { // Success! Access token and ID token are presents val scopes = credentials.scope?.split(" ") ?: listOf() - val sdf = - SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'", Locale.US) - - val formattedDate = sdf.format(credentials.expiresAt) + val formattedDate = credentials.expiresAt.toInstant().toString() result.success( mapOf( From 7951822f5f247bcaaa83c882dea86eb5d3acbcdf Mon Sep 17 00:00:00 2001 From: Prince Mathew <17837162+pmathew92@users.noreply.github.com> Date: Thu, 31 Oct 2024 13:43:13 +0530 Subject: [PATCH 4/4] Adding ReversingLabs workflow (#478) --- .github/actions/rl-scanner/action.yml | 73 +++++++++++++++++++++++++ .github/workflows/main.yml | 16 ------ .github/workflows/publish-af.yml | 18 +++++++ .github/workflows/publish-afpi.yml | 18 +++++++ .github/workflows/rl-scanner.yml | 76 +++++++++++++++++++++++++++ 5 files changed, 185 insertions(+), 16 deletions(-) create mode 100644 .github/actions/rl-scanner/action.yml create mode 100644 .github/workflows/rl-scanner.yml diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml new file mode 100644 index 00000000..bc3f1022 --- /dev/null +++ b/.github/actions/rl-scanner/action.yml @@ -0,0 +1,73 @@ + +name: 'RL-Security-Scanner' +description: 'Runs the Reversing Labs scanner on a specified artifact.' +inputs: + artifact-path: + description: 'Path to the artifact to be scanned.' + required: true + version: + description: 'Version of the artifact.' + required: true + + +runs: + using: 'composite' + steps: + - name: Set up python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + + - name: Install Python dependencies + shell: bash + run: | + pip install boto3 requests + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }} + aws-region: 'us-east-1' + mask-aws-account-id: true + + - name: Install RL Wrapper + shell: bash + run: | + pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" + + - name: Run RL Scanner + shell: bash + env: + RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }} + PYTHONUNBUFFERED: 1 + run: | + if [ ! -f "${{ inputs.artifact-path }}" ]; then + echo "Artifact not found: ${{ inputs.artifact-path }}" + exit 1 + fi + + rl-wrapper \ + --artifact "${{ inputs.artifact-path }}" \ + --version "${{ inputs.version }}" \ + --name "${{ github.event.repository.name }}" \ + --repository "${{ github.repository }}" \ + --commit "${{ github.sha }}" \ + --build-env "github_actions" \ + --suppress_output + + # Check the outcome of the scanner + if [ $? -ne 0 ]; then + echo "RL Scanner failed." + echo "scan-status=failed" >> $GITHUB_ENV + exit 1 + else + echo "RL Scanner passed." + echo "scan-status=success" >> $GITHUB_ENV + fi + +outputs: + scan-status: + description: 'The outcome of the scan process.' + value: ${{ env.scan-status }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5ab3b24f..8014c86b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -18,16 +18,9 @@ env: java: 11 jobs: - authorize: - name: Authorize - environment: ${{ github.event.pull_request.head.repo.fork && 'external' || 'internal' }} - runs-on: ubuntu-latest - steps: - - run: true analyze-auth0_flutter: name: Analyze auth0_flutter Flutter package - needs: authorize runs-on: ubuntu-latest steps: @@ -51,7 +44,6 @@ jobs: analyze-auth0_flutter_platform_interface: name: Analyze auth0_flutter_platform_interface Flutter package - needs: authorize runs-on: ubuntu-latest steps: @@ -71,7 +63,6 @@ jobs: test-auth0_flutter: name: Test auth0_flutter Flutter package - needs: authorize runs-on: ubuntu-latest steps: @@ -103,7 +94,6 @@ jobs: test-auth0_flutter_platform_interface: name: Test auth0_flutter_platform_interface Flutter package - needs: authorize runs-on: ubuntu-latest steps: @@ -129,7 +119,6 @@ jobs: test-ios-unit: name: Run native iOS unit tests using Xcode ${{ matrix.xcode }} - needs: authorize runs-on: macos-13 environment: ${{ github.event.pull_request.head.repo.fork && 'external' || 'internal' }} @@ -172,7 +161,6 @@ jobs: test-ios-smoke: name: Run native iOS smoke tests using Xcode ${{ matrix.xcode }} - needs: authorize runs-on: macos-13-large environment: ${{ github.event.pull_request.head.repo.fork && 'external' || 'internal' }} @@ -207,7 +195,6 @@ jobs: test-macos-unit: name: Run native macOS unit tests using Xcode ${{ matrix.xcode }} - needs: authorize runs-on: macos-13 environment: ${{ github.event.pull_request.head.repo.fork && 'external' || 'internal' }} @@ -244,7 +231,6 @@ jobs: test-macos-smoke: name: Run native macOS smoke tests using Xcode ${{ matrix.xcode }} - needs: authorize runs-on: macos-13 environment: ${{ github.event.pull_request.head.repo.fork && 'external' || 'internal' }} @@ -279,7 +265,6 @@ jobs: test-android-unit: name: Run native Android unit tests - needs: authorize runs-on: ubuntu-latest environment: ${{ github.event.pull_request.head.repo.fork && 'external' || 'internal' }} @@ -318,7 +303,6 @@ jobs: # test-android-smoke: # name: Run native Android smoke tests using API-level ${{ matrix.android-api }} - # needs: authorize # runs-on: macos-latest-xl # environment: ${{ github.event.pull_request.head.repo.fork && 'external' || 'internal' }} diff --git a/.github/workflows/publish-af.yml b/.github/workflows/publish-af.yml index 3d0f90a1..538dbe69 100644 --- a/.github/workflows/publish-af.yml +++ b/.github/workflows/publish-af.yml @@ -5,13 +5,31 @@ on: tags: - 'af-v[0-9]+.[0-9]+.[0-9]+*' +permissions: + contents: write + id-token: write + env: flutter: '3.x' jobs: + rl-scanner: + uses: ./.github/workflows/rl-scanner.yml + with: + flutter: '3.x' + artifact-name: 'auth0-flutter-af.zip' + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + publish: name: Publish auth0_flutter to pub.dev environment: ${{ github.event.pull_request.head.repo.fork && 'external' || 'internal' }} + needs: rl-scanner runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/publish-afpi.yml b/.github/workflows/publish-afpi.yml index 56147aeb..1bf1b467 100644 --- a/.github/workflows/publish-afpi.yml +++ b/.github/workflows/publish-afpi.yml @@ -5,13 +5,31 @@ on: tags: - 'afpi-v[0-9]+.[0-9]+.[0-9]+*' +permissions: + contents: write + id-token: write + env: flutter: '3.x' jobs: + rl-scanner: + uses: ./.github/workflows/rl-scanner.yml + with: + flutter: '3.x' + artifact-name: 'auth0-flutter-afpi.zip' + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + publish: name: Publish auth0_flutter_platform_interface to pub.dev environment: ${{ github.event.pull_request.head.repo.fork && 'external' || 'internal' }} + needs: rl-scanner runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml new file mode 100644 index 00000000..9036866f --- /dev/null +++ b/.github/workflows/rl-scanner.yml @@ -0,0 +1,76 @@ +name: RL-Secure-Workflow + +on: + workflow_call: + inputs: + flutter: + required: true + type: string + artifact-name: + required: true + type: string + secrets: + RLSECURE_LICENSE: + required: true + RLSECURE_SITE_KEY: + required: true + SIGNAL_HANDLER_TOKEN: + required: true + PRODSEC_TOOLS_USER: + required: true + PRODSEC_TOOLS_TOKEN: + required: true + PRODSEC_TOOLS_ARN: + required: true + + + +jobs: + rl-scanner: + name: Run Reversing Labs Scanner + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) + runs-on: ubuntu-latest + outputs: + scan-status: ${{ steps.rl-scan-conclusion.outcome }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha || github.ref }} + + - name: Set up Flutter + uses: subosito/flutter-action@2783a3f08e1baf891508463f8c6653c258246225 + with: + flutter-version: ${{ inputs.flutter }} + channel: stable + cache: true + + - name: Build package + shell: bash + run: | + zip -r ${{ inputs.artifact-name }} ./* + + - name: Get Artifact Version + id: get_version + run: | + version=$(awk -F"'" '/const String version/ {print $2}' auth0_flutter/lib/src/version.dart) + echo "version=$version" >> $GITHUB_OUTPUT + + + - name: Run Reversing Labs Scanner + id: rl-scan-conclusion + uses: ./.github/actions/rl-scanner + with: + artifact-path: "$(pwd)/${{ inputs.artifact-name }}" + version: "${{ steps.get_version.outputs.version }}" + env: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + - name: Output scan result + run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV