Update latest core dependencies (#69)

OKTA-798204 Update latest core dependencies

General dependency maintanence:
Update core dependencies.
Update AGP, gradlewrapper and Kotlin.
Remove OWASP check due to increase CI time without a API key.

README.md

@@ -59,10 +59,17 @@ See the [Push Sample App] for a complete implementation.
 
 ### Installation
 
-Add the Okta Devices SDK dependency to your build.gradle file:
+Add the Okta Devices SDK dependency to your build.gradle file and enable Java 8+ API desugaring support:
 
 ```kotlin
-implementation("com.okta.devices:devices-push:1.1.0")
+compileOptions {
+    isCoreLibraryDesugaringEnabled = true
+    sourceCompatibility = JavaVersion.VERSION_17
+    targetCompatibility = JavaVersion.VERSION_17
+}
+
+coreLibraryDesugaring("com.android.tools:desugar_jdk_libs:2.1.0")
+implementation("com.okta.devices:devices-push:1.1.1")
 ```
 
 ## Usage

build.gradle.kts

@@ -1,31 +1,36 @@
 // Top-level build file where you can add configuration options common to all sub-projects/modules.
 plugins {
-    id("com.android.application") version "8.3.2" apply false
-    id("com.android.library") version "8.3.2" apply false
+    id("com.android.application") version "8.5.2" apply false
+    id("com.android.library") version "8.5.2" apply false
     id("org.jetbrains.kotlin.android") version Version.kotlin apply false
     id("org.jetbrains.dokka") version "1.9.20" apply false
-    id("com.google.gms.google-services") version "4.4.1" apply false
-    id("org.jetbrains.kotlinx.kover") version "0.7.6" apply false
-    id("org.sonarqube") version "4.4.1.3373" apply true
-    id("io.gitlab.arturbosch.detekt") version "1.23.5" apply false
+    id("com.google.gms.google-services") version "4.4.2" apply false
+    id("org.jetbrains.kotlinx.kover") version "0.8.3" apply false
+    id("org.sonarqube") version "5.1.0.4882" apply true
+    id("io.gitlab.arturbosch.detekt") version "1.23.6" apply false
 }
 
 buildscript {
     configurations.all {
         resolutionStrategy {
             force("com.fasterxml.woodstox:woodstox-core:6.6.1")
             force("com.fasterxml.jackson.core:jackson-core:2.17.2")
+            // https://issuetracker.google.com/issues/340202290
+            // AGP introduced incompatible bc versions. Forces the version that AGP uses.
+            // 1.7.1 has vulns, but these vulns are not included in the binary since this is used by buildscript
+            force("org.bouncycastle:bcprov-jdk18on:1.71")
+            force("org.bouncycastle:bcpkix-jdk18on:1.71")
         }
     }
 }
 
 allprojects {
     configurations.all {
         resolutionStrategy {
-            force("com.squareup.okio:okio:3.5.0")
+            force("com.squareup.okio:okio:3.9.0")
             force("org.bouncycastle:bcprov-jdk18on:1.78.1")
-            force("org.json:json:20230618")
-            force("com.google.guava:guava:32.1.2-jre")
+            force("org.json:json:20240303")
+            force("com.google.guava:guava:33.3.0-jre")
             force("androidx.room:room-runtime:${Version.room}")
         }
     }

buildSrc/build.gradle.kts

@@ -14,5 +14,5 @@ repositories {
 
 dependencies {
     implementation("com.diffplug.spotless:spotless-plugin-gradle:6.25.0")
-    implementation("org.owasp:dependency-check-gradle:9.1.0")
+    implementation("org.owasp:dependency-check-gradle:9.2.0")
 }

buildSrc/src/main/java/DevicesConfig.kt

@@ -13,7 +13,7 @@ object DevicesConfig {
     const val pushSampleAppVersionCode = 1
     const val pushSampleAppVersionName = "1.0.0"
 
-    const val devicesPushVersion = "1.1.0"
+    const val devicesPushVersion = "1.1.1"
 
     data class OssrhCredentials(
         val ossrhUsername: String,

buildSrc/src/main/java/Version.kt

@@ -2,16 +2,15 @@
  * Version variables
  */
 object Version {
-    const val kotlin = "1.9.23"
-    const val kotlinSerialization = "1.6.3"
-    const val coroutine = "1.8.0"
+    const val kotlin = "2.0.20"
+    const val kotlinSerialization = "1.7.1"
+    const val coroutine = "1.8.1"
     const val room = "2.6.1"
-    const val extJunit = "1.1.5"
-    const val archLifecycleVersion = "2.7.0"
-    const val compose = "1.6.6"
-    const val composeCompiler = "1.5.12"
-    const val devicesAuthenticator = "0.0.15"
-    const val devicesCore = "0.0.15"
-    const val devicesStorage = "0.0.15"
-    const val devicesFakeServer = "0.0.15"
+    const val extJunit = "1.2.1"
+    const val archLifecycleVersion = "2.8.4"
+    const val compose = "1.6.8"
+    const val devicesAuthenticator = "1.0.41"
+    const val devicesCore = "1.0.41"
+    const val devicesStorage = "1.0.41"
+    const val devicesFakeServer = "1.0.41"
 }

devices-push/build.gradle.kts

@@ -24,10 +24,10 @@ android {
     defaultConfig {
         minSdk = DevicesConfig.minSdkVersion
         testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
-        buildConfigField("String", "VERSION_NAME", "\"${DevicesConfig.devicesPushVersion}\"")
     }
 
     compileOptions {
+        isCoreLibraryDesugaringEnabled = true
         sourceCompatibility = JavaVersion.VERSION_17
         targetCompatibility = JavaVersion.VERSION_17
     }
@@ -57,6 +57,7 @@ android {
 }
 
 dependencies {
+    coreLibraryDesugaring("com.android.tools:desugar_jdk_libs:2.1.0")
     api("com.okta.devices:devices-authenticator:${Version.devicesAuthenticator}")
     implementation("com.okta.devices:devices-core:${Version.devicesCore}") {
         exclude(group = "com.google.android.gms", module = "play-services-safetynet")
@@ -65,12 +66,11 @@ dependencies {
 
     implementation("androidx.lifecycle:lifecycle-runtime-ktx:${Version.archLifecycleVersion}")
     implementation("androidx.biometric:biometric:1.2.0-alpha05")
-    implementation("org.jetbrains.kotlin:kotlin-stdlib:${Version.kotlin}")
     implementation("org.jetbrains.kotlinx:kotlinx-coroutines-android:${Version.coroutine}")
-    implementation("androidx.core:core-ktx:1.13.0")
-    implementation("io.jsonwebtoken:jjwt-api:0.11.5")
-    runtimeOnly("io.jsonwebtoken:jjwt-impl:0.11.5")
-    runtimeOnly("io.jsonwebtoken:jjwt-orgjson:0.11.5") {
+    implementation("androidx.core:core-ktx:1.13.1")
+    implementation("io.jsonwebtoken:jjwt-api:0.12.6")
+    runtimeOnly("io.jsonwebtoken:jjwt-impl:0.12.6")
+    runtimeOnly("io.jsonwebtoken:jjwt-orgjson:0.12.6") {
         exclude(group = "org.json", module = "json") // provided by Android natively
     }
     implementation("com.squareup.okhttp3:okhttp:4.12.0")
@@ -85,9 +85,9 @@ dependencies {
     testImplementation("org.jetbrains.kotlinx:kotlinx-coroutines-test:${Version.coroutine}")
     testImplementation("junit:junit:4.13.2")
     testImplementation("androidx.test.ext:junit-ktx:${Version.extJunit}")
-    testImplementation("org.robolectric:robolectric:4.12.1")
+    testImplementation("org.robolectric:robolectric:4.13")
     testImplementation("com.squareup.okhttp3:mockwebserver:4.12.0")
-    testImplementation("io.mockk:mockk:1.13.10")
+    testImplementation("io.mockk:mockk:1.13.12")
     testImplementation("org.hamcrest:hamcrest-library:2.2")
     testImplementation("org.jetbrains.kotlinx:kotlinx-serialization-json:${Version.kotlinSerialization}")
     testImplementation("org.jetbrains.kotlinx:kotlinx-serialization-properties:${Version.kotlinSerialization}")

devices-push/src/main/java/com/okta/devices/push/PushAuthenticatorBuilder.kt

@@ -99,6 +99,8 @@ class PushAuthenticatorBuilder internal constructor(context: Application) {
                 else -> DiskEncryptionType.NONE
             }
         }
+
+        override fun managementHint(): String? = null
     }
 
     private val deviceKeyStore = lazy { DeviceKeyStoreImpl() }
@@ -148,7 +150,7 @@ class PushAuthenticatorBuilder internal constructor(context: Application) {
         }
 
         if (deviceStore == null) {
-            deviceStore = AuthenticatorDatabase.instance(context, passphrase?.let { EncryptionOption.SQLCipher(it) } ?: EncryptionOption.None)
+            deviceStore = AuthenticatorDatabase.instance(context, passphrase?.let { EncryptionOption.SQLCipher.create(it).getOrThrow() } ?: EncryptionOption.None)
         }
 
         return Modules(

devices-push/src/test/java/com/okta/devices/push/MyAccountPushAuthenticatorTest.kt

@@ -277,7 +277,7 @@ class MyAccountPushAuthenticatorTest : BaseTest() {
         }
         assertThat(methodUpdated.userVerificationKeys, notNullValue())
         assertThat(currentMethod.userVerificationKeys, nullValue())
-        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(methodUpdated.userVerificationKeys?.getUserVerificationKey()?.keyId)), `is`(true))
+        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(methodUpdated.userVerificationKeys?.bioOnlyKey?.keyId)), `is`(true))
         // Only difference is the uv key. so copy the new key to check other fields are same
         assertThat(methodUpdated, `is`(currentMethod.copy(userVerificationKeys = methodUpdated.userVerificationKeys)))
     }
@@ -306,9 +306,9 @@ class MyAccountPushAuthenticatorTest : BaseTest() {
         }
         assertThat(methodUpdated.userVerificationKeys, notNullValue())
         assertThat(currentMethod.userVerificationKeys, notNullValue())
-        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(methodUpdated.userVerificationKeys?.getUserVerificationKey()?.keyId)), `is`(true))
+        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(methodUpdated.userVerificationKeys?.bioOnlyKey?.keyId)), `is`(true))
         // check the previous uv key is removed
-        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(currentMethod.userVerificationKeys?.getUserVerificationKey()?.keyId)), `is`(false))
+        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(currentMethod.userVerificationKeys?.bioOnlyKey?.keyId)), `is`(false))
         // Only difference is the uv key. so copy the new key to check other fields are same
         assertThat(methodUpdated, `is`(currentMethod.copy(userVerificationKeys = methodUpdated.userVerificationKeys)))
     }
@@ -338,7 +338,7 @@ class MyAccountPushAuthenticatorTest : BaseTest() {
         assertThat(methodUpdated.userVerificationKeys, nullValue())
         assertThat(currentMethod.userVerificationKeys, notNullValue())
         // check the key is deleted from keystore
-        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(currentMethod.userVerificationKeys?.getUserVerificationKey()?.keyId)), `is`(false))
+        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(currentMethod.userVerificationKeys?.bioOnlyKey?.keyId)), `is`(false))
         // Only difference is the uv key. so copy the new key to check other fields are same
         assertThat(methodUpdated, `is`(currentMethod.copy(userVerificationKeys = methodUpdated.userVerificationKeys)))
     }
@@ -1589,7 +1589,7 @@ class MyAccountPushAuthenticatorTest : BaseTest() {
         val authToken = enrollment.retrieveMaintenanceToken(listOf("okta.myAccount.appAuthenticator.maintenance.manage")).getOrThrow()
 
         // assert
-        Jwts.parserBuilder().setSigningKey(testKeyStore.serverKeyPair.public).build().parse(authToken.token)
+        Jwts.parser().verifyWith(testKeyStore.serverKeyPair.public).build().parseSignedClaims(authToken.token)
     }
 
     @Test

devices-push/src/test/java/com/okta/devices/push/PushAuthenticatorTest.kt

@@ -265,7 +265,7 @@ class PushAuthenticatorTest : BaseTest() {
         }
         assertThat(methodUpdated.userVerificationKeys, notNullValue())
         assertThat(currentMethod.userVerificationKeys, nullValue())
-        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(methodUpdated.userVerificationKeys?.getUserVerificationKey()?.keyId)), `is`(true))
+        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(methodUpdated.userVerificationKeys?.bioOnlyKey?.keyId)), `is`(true))
         // Only difference is the uv key. so copy the new key to check other fields are same
         assertThat(methodUpdated, `is`(currentMethod.copy(userVerificationKeys = methodUpdated.userVerificationKeys)))
     }
@@ -294,9 +294,9 @@ class PushAuthenticatorTest : BaseTest() {
         }
         assertThat(methodUpdated.userVerificationKeys, notNullValue())
         assertThat(currentMethod.userVerificationKeys, notNullValue())
-        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(methodUpdated.userVerificationKeys?.getUserVerificationKey()?.keyId)), `is`(true))
+        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(methodUpdated.userVerificationKeys?.bioOnlyKey?.keyId)), `is`(true))
         // check the previous uv key is removed
-        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(currentMethod.userVerificationKeys?.getUserVerificationKey()?.keyId)), `is`(false))
+        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(currentMethod.userVerificationKeys?.bioOnlyKey?.keyId)), `is`(false))
         // Only difference is the uv key. so copy the new key to check other fields are same
         assertThat(methodUpdated, `is`(currentMethod.copy(userVerificationKeys = methodUpdated.userVerificationKeys)))
     }
@@ -326,7 +326,7 @@ class PushAuthenticatorTest : BaseTest() {
         assertThat(methodUpdated.userVerificationKeys, nullValue())
         assertThat(currentMethod.userVerificationKeys, notNullValue())
         // check the key is deleted from keystore
-        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(currentMethod.userVerificationKeys?.getUserVerificationKey()?.keyId)), `is`(false))
+        assertThat(testKeyStore.testSigner.deviceKeyStore.containsAlias(checkNotNull(currentMethod.userVerificationKeys?.bioOnlyKey?.keyId)), `is`(false))
         // Only difference is the uv key. so copy the new key to check other fields are same
         assertThat(methodUpdated, `is`(currentMethod.copy(userVerificationKeys = methodUpdated.userVerificationKeys)))
     }

devices-push/src/test/java/com/okta/devices/push/domain/ChallengeInformationTest.kt

@@ -76,10 +76,10 @@ class ChallengeInformationTest : BaseTest() {
             serverKey, serverKid, issuer, authenticatorEnrollmentId, methodEnrollmentId, aud,
             iat, nbf, exp, method, transactionId, transactionType, bindingMessage, transactionTime, clientLocation, clientOs,
             riskLevel, challengeTextItems, unusualActivities, requestReferrer, appInstanceName,
-            userMediationChallenge, userVerificationChallenge, requiredSignals, requiredSignalProviders,
+            userMediationChallenge, userVerificationChallenge, emptyList(), requiredSignals, requiredSignalProviders,
             loginHint, orgId, userId
         )
-        val claims = Jwts.parserBuilder().setSigningKey(serverPubKey).build().parseClaimsJws(pushJws).body
+        val claims = Jwts.parser().verifyWith(serverPubKey).build().parseSignedClaims(pushJws).payload
 
         // act
         val challengeInfo = ChallengeInformation.parse(claims)

gradle.properties

@@ -17,10 +17,9 @@ org.gradle.jvmargs=-Xmx2048M -Dfile.encoding=UTF-8 -Dkotlin.daemon.jvm.options\=
 android.useAndroidX=true
 # Kotlin code style for this project: "official" or "obsolete":
 kotlin.code.style=official
-# Enables namespacing of each library's R class so that its R class includes only the
+# Enables namespacing of each library's R class so that its R class includes only the:
 # resources declared in the library itself and none from the library's dependencies,
 # thereby reducing the size of the R class for that library
 android.nonTransitiveRClass=true
 android.enableR8.fullMode=true
-android.defaults.buildfeatures.buildconfig=true
 android.nonFinalResIds=false

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

gradlew.bat

@@ -43,11 +43,11 @@ set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
 if %ERRORLEVEL% equ 0 goto execute
 
-echo.
-echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
-echo.
-echo Please set the JAVA_HOME variable in your environment to match the
-echo location of your Java installation.
+echo. 1>&2
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
 
 goto fail
 
@@ -57,11 +57,11 @@ set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 
 if exist "%JAVA_EXE%" goto execute
 
-echo.
-echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
-echo.
-echo Please set the JAVA_HOME variable in your environment to match the
-echo location of your Java installation.
+echo. 1>&2
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
 
 goto fail