Camera permission request behavior changes for QR + PIN Auth, Fixes AB#3032520 (#2524)

There is a new CELA requirement to change the behavior of the camera
permission request for QR + PIN Auth.

The current behavior is that once we get the camera permission for the
app we never ask again.
The change is to ask every time we need to use the camera.

In addition to this change we move some functionality to the new class
CameraPermissionRequest and did some update on the name of the
functions.


[AB#3032520](https://identitydivision.visualstudio.com/fac9d424-53d2-45c0-91b5-ef6ba7a6bf26/_workitems/edit/3032520)

Author: p3dr0rv

changelog.txt

@@ -1,5 +1,6 @@
 vNext
 ----------
+- [MINOR] Camera permission request behavior changes for QR + PIN Auth (#2524)
 - [MINOR] Migrate Base64 away from Msebera httpclient (#2389)
 - [PATCH] Provide empty image when no video is present on QR +PIN auth (#2424)
 - [MINOR] On GetPreferredAuthMethod return NONE when Authenticator is not installed (#2523)

common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/CameraPermissionRequest.kt

@@ -0,0 +1,100 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.internal.providers.oauth2
+
+import android.os.Build
+import android.webkit.PermissionRequest
+import com.microsoft.identity.common.logging.Logger
+
+/**
+ * Class responsible for handling camera permission requests.
+ * Note: This class is compatible only with API level 21 and above;
+ * functionality will not behave as expected on lower versions.
+ */
+class CameraPermissionRequest(private val mCameraPermissionRequest: PermissionRequest) {
+    /**
+     * Check if the permission was granted.
+     *
+     * @return true if the permission is granted.
+     */
+    var isGranted = false
+        private set
+
+    /**
+     * Call this method to grant the permission to access the camera resource.
+     * The granted permission is only valid for the current WebView.
+     *
+     *
+     * Note: This method is only available on API level 21 or higher.
+     */
+    fun grant() {
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
+            val cameraResource = arrayOf(
+                PermissionRequest.RESOURCE_VIDEO_CAPTURE
+            )
+            mCameraPermissionRequest.grant(cameraResource)
+        }
+        isGranted = true
+    }
+
+    /**
+     * Call this method to deny the permission to access the camera resource.
+     *
+     *
+     * Note: This method is only available on API level 21 or higher.
+     */
+    fun deny() {
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
+            mCameraPermissionRequest.deny()
+        }
+        isGranted = false
+    }
+
+    companion object {
+        private val TAG = CameraPermissionRequest::class.java.simpleName
+
+        /**
+         * Determines whatever if the given permission request is for the camera resource.
+         *
+         *
+         * Note: This method is only available on API level 21 or higher.
+         * Devices running on lower API levels will not be able to grant or deny camera permission requests.
+         * getResources() method is only available on API level 21 or higher.
+         *
+         * @param request The permission request.
+         * @return true if the given permission request is for camera, false otherwise.
+         */
+        @JvmStatic
+        fun isValidRequest(request: PermissionRequest): Boolean {
+            val methodTag = "$TAG:validateRequest"
+            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
+                return request.resources.size == 1 && PermissionRequest.RESOURCE_VIDEO_CAPTURE == request.resources[0]
+            }
+            Logger.warn(
+                methodTag, "PermissionRequest.getResources() method is not available on API:"
+                        + Build.VERSION.SDK_INT + ". We cannot determine if the request is for camera."
+            )
+            return false
+        }
+    }
+}

common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/WebViewAuthorizationFragment.java

@@ -116,7 +116,7 @@ public class WebViewAuthorizationFragment extends AuthorizationFragment {
 
     private boolean webViewZoomEnabled;
 
-    private PermissionRequest mCameraPermissionRequest;
+    private CameraPermissionRequest mCameraPermissionRequest;
 
     // This is used by LegacyFido2ApiManager to launch a PendingIntent received by the legacy API.
     private ActivityResultLauncher<LegacyFido2ApiObject> mFidoLauncher;
@@ -277,29 +277,29 @@ public void onPermissionRequest(final PermissionRequest request) {
                 // We can only grant or deny permissions for video capture/camera.
                 // To avoid unintentionally granting requests for not defined permissions
                 // we check if the request is for camera.
-                if (!isPermissionRequestForCamera(request)) {
+                if (!CameraPermissionRequest.isValidRequest(request)) {
                     Logger.warn(methodTag, "Permission request is not for camera.");
                     request.deny();
                     return;
                 }
                 // There is a issue in ESTS UX where it sends multiple camera permission requests.
                 // So, if there is already a camera permission request in progress we handle it here.
                 if (mCameraPermissionRequest != null) {
-                    handleRepeatedRequests(request);
+                    Logger.info(methodTag, "Repeated request, granted? " + mCameraPermissionRequest.isGranted());
+                    handleRepeatedCameraRequests(request);
                     return;
                 }
                 Logger.info(methodTag, "New camera request.");
-                mCameraPermissionRequest = request;
-                if (isCameraPermissionGranted()) {
+                mCameraPermissionRequest = new CameraPermissionRequest(request);
+                // If the OS level permission was granted previously,
+                // we show the rationale to confirm the consent with the current user.
+                // Otherwise, show the system prompt.
+                if (isAppCameraPermissionGranted()) {
                     Logger.info(methodTag, "Camera permission already granted.");
-                    acceptCameraRequest();
-                } else if (shouldShowRequestPermissionRationale(Manifest.permission.CAMERA)) {
-                    Logger.info(methodTag, "Show camera rationale.");
                     showCameraRationale();
                 } else {
-                    requestCameraPermissionFromUser();
+                    requestCameraPermission();
                 }
-
             }
 
             @Override
@@ -323,47 +323,12 @@ public Bitmap getDefaultVideoPoster() {
      *
      * @param request The permission request.
      */
-    @RequiresApi(api = Build.VERSION_CODES.LOLLIPOP)
-    private void handleRepeatedRequests(@NonNull final PermissionRequest request) {
-        final String methodTag = TAG + ":handleRepeatedRequests";
-        if (isCameraPermissionGranted()) {
-            Logger.info(methodTag, "Repeated request, granting the permission.");
-            final String[] cameraPermission = new String[] {
-                    PermissionRequest.RESOURCE_VIDEO_CAPTURE
-            };
-            request.grant(cameraPermission);
+    private void handleRepeatedCameraRequests(@NonNull final PermissionRequest request) {
+        final CameraPermissionRequest duplicatedRequest = new CameraPermissionRequest(request);
+        if (mCameraPermissionRequest.isGranted()) {
+            duplicatedRequest.grant();
         } else {
-            Logger.info(methodTag, "Repeated request, denying the permission");
-            request.deny();
-        }
-    }
-
-    /**
-     * Call this method to grant the permission to access the camera resource.
-     * The granted permission is only valid for the current WebView.
-     * <p>
-     * Note: This method is only available on API level 21 or higher.
-     */
-    private void acceptCameraRequest() {
-        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
-            final String[] cameraPermission = new String[] {
-                    PermissionRequest.RESOURCE_VIDEO_CAPTURE
-            };
-            if (mCameraPermissionRequest != null) {
-                mCameraPermissionRequest.grant(cameraPermission);
-            }
-        }
-    }
-
-    /**
-     * Call this method to deny the permission to access the camera resource.
-     * <p>
-     * Note: This method is only available on API level 21 or higher.
-     */
-    private void denyCameraRequest() {
-        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP &&
-                mCameraPermissionRequest != null) {
-            mCameraPermissionRequest.deny();
+            duplicatedRequest.deny();
         }
     }
 
@@ -372,50 +337,32 @@ private void denyCameraRequest() {
      *
      * @return true if the camera permission has been granted, false otherwise.
      */
-    private boolean isCameraPermissionGranted() {
+    private boolean isAppCameraPermissionGranted() {
         return ContextCompat.checkSelfPermission(requireContext(), Manifest.permission.CAMERA)
                 == PackageManager.PERMISSION_GRANTED;
     }
 
-    /**
-     * Determines whatever if the given permission request is for the camera resource.
-     * <p>
-     * Note: This method is only available on API level 21 or higher.
-     * Devices running on lower API levels will not be able to grant or deny camera permission requests.
-     * getResources() method is only available on API level 21 or higher.
-     *
-     * @param request The permission request.
-     * @return true if the given permission request is for camera, false otherwise.
-     */
-    private boolean isPermissionRequestForCamera(final PermissionRequest request) {
-        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
-            return request.getResources().length == 1 &&
-                    PermissionRequest.RESOURCE_VIDEO_CAPTURE.equals(request.getResources()[0]);
-        }
-        Logger.warn(TAG, "PermissionRequest.getResources() method is not available on API:"
-                + Build.VERSION.SDK_INT + ". We cannot determine if the request is for camera.");
-        return false;
-    }
-
     private final ActivityResultLauncher<String> cameraRequestActivity = registerForActivityResult(
             new ActivityResultContracts.RequestPermission(),
             permissionGranted   -> {
                 Logger.info(TAG, "Camera permission granted: " + permissionGranted);
                 if (permissionGranted) {
-                    acceptCameraRequest();
+                    mCameraPermissionRequest.grant();
                 }
                 else {
-                    denyCameraRequest();
+                    mCameraPermissionRequest.deny();
                 }
             }
     );
 
     /**
      * Launches the camera permission request for the app.
+     * Note: if the permission was already granted or denied,
+     * the user will not be prompted and it will go directly to the callback.
+     * Using the current state of the permission.
+     *
      */
-    private void requestCameraPermissionFromUser() {
-        final String methodTAG = TAG + ":requestCameraPermissionFromUser";
-        Logger.info(methodTAG, "Requesting camera permission.");
+    private void requestCameraPermission() {
         cameraRequestActivity.launch(Manifest.permission.CAMERA);
     }
 
@@ -429,12 +376,11 @@ private void showCameraRationale() {
         builder.setMessage(R.string.qr_code_rationale_message)
                 .setTitle(R.string.qr_code_rationale_header)
                 .setCancelable(false)
-                .setPositiveButton(R.string.qr_code_rationale_allow, (dialog, id) -> requestCameraPermissionFromUser())
-                .setNegativeButton(R.string.qr_code_rationale_block, (dialog, id) -> denyCameraRequest());
+                .setPositiveButton(R.string.qr_code_rationale_allow, (dialog, id) -> requestCameraPermission())
+                .setNegativeButton(R.string.qr_code_rationale_block, (dialog, id) -> mCameraPermissionRequest.deny());
         builder.show();
     }
 
-
     /**
      * Loads starting authorization request url into WebView.
      */