@W-21933885: [MSDK Android] App Attestation Implementation (Significant Update To Avoid mockkStatic In IDPAuthCodeHelperTest.kt)

Author: JohnsonEricAtSalesforce

CLAUDE.md

@@ -126,6 +126,52 @@ See [README.md](README.md) for basic setup. Commands below are for contributors
 - **Test data cleanup**: Every test must clean up created soups, user accounts, and cached data. Use `@Before`/`@After` rigorously.
 - **Test credentials**: Tests requiring authentication need `test_credentials.json` in `shared/test/`.
 
+### Firebase Test Lab Considerations
+
+**CRITICAL: MockK `mockkStatic()` Does Not Work on Firebase Test Lab**
+
+Firebase Test Lab silently disables MockK's static mocking, causing tests to execute real implementations. Tests pass locally but timeout (60s) on Firebase with `UncompletedCoroutinesError` as real network/Google Play Services calls execute.
+
+**Root Cause:** Firebase's SELinux policies block MockK bytecode instrumentation, APK re-signing breaks inline mocking agent, and real Google Play Services execute unexpected calls.
+
+**DO NOT USE:**
+```kotlin
+mockkStatic(OAuth2::class)  // ❌ Fails silently on Firebase
+```
+
+**REQUIRED ALTERNATIVES:**
+
+1. **Parameter Injection (Simplest):**
+```kotlin
+// Add parameter with default value pointing to static method
+fun myFunction(
+    helper: (String) -> Int = { StaticClass.staticMethod(it) }
+) {
+    val result = helper("input")
+}
+
+// Test injects mock lambda
+myFunction(helper = { "mock result" })
+```
+
+2. **TypeAlias for Complex Static Methods:**
+```kotlin
+// Define function type
+typealias GetAuthUrl = (Boolean, URI, String, String) -> URI?
+
+// Use as parameter with default calling static method
+suspend fun authorize(
+    getAuthUrl: GetAuthUrl = { a, b, c, d -> OAuth2.getAuthUrl(a, b, c, d) }
+) { /* ... */ }
+
+// Test injects simple mock
+authorize(getAuthUrl = { _, _, _, _ -> URI("mock://url") })
+```
+
+**Rule:** Never use `mockkStatic()` in instrumented tests. Always use parameter injection to enable mocking.
+
+---
+
 ### What to Test for Each Library
 
 **SalesforceSDK (Core)**:

libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/idp/IDPAuthCodeHelper.kt

@@ -31,7 +31,7 @@ import android.webkit.WebResourceRequest
 import android.webkit.WebView
 import android.webkit.WebViewClient
 import androidx.annotation.VisibleForTesting
-import com.salesforce.androidsdk.R
+import com.salesforce.androidsdk.R.string.oauth_display_type
 import com.salesforce.androidsdk.accounts.UserAccount
 import com.salesforce.androidsdk.app.SalesforceSDKManager
 import com.salesforce.androidsdk.auth.AppAttestationClient
@@ -105,51 +105,48 @@ internal class IDPAuthCodeHelper @VisibleForTesting internal constructor(
 
     /**
      * Compute relative path of authorization url for SP
-     * @param salesforceSDKManager The Salesforce SDK manager instance. This
+     * @param authorizationUrlProvider Gets the Salesforce OAuth2 authorization
+     * URL. This parameter is intended for testing purposes only. Defaults to
+     * OAuth2.getAuthorizationUrl for production use
+     * @param salesforceSdkManager The Salesforce SDK manager instance. This
      * parameter is intended for testing purposes only. Defaults to the
      * singleton instance for production use
-     * @return authorization relative path
+     * @return The authorization relative path
      */
     @VisibleForTesting
     internal suspend fun getAuthorizationPathForSP(
-        salesforceSDKManager: SalesforceSDKManager = SalesforceSDKManager.getInstance(),
-        limitTest: Boolean = false,
+        authorizationUrlProvider: AuthorizationUrlProvider = { useWebServerAuthentication, useHybridAuthentication, loginServer, clientId, callbackUrl, scopes, loginHint, displayType, codeChallenge, additionalParams, sdkManager ->
+            getAuthorizationUrl(useWebServerAuthentication, useHybridAuthentication, loginServer, clientId, callbackUrl, scopes, loginHint, displayType, codeChallenge, additionalParams, sdkManager)
+        },
+        salesforceSdkManager: SalesforceSDKManager = SalesforceSDKManager.getInstance(),
     ): String? {
         SalesforceSDKLogger.d(TAG, "Getting authorization url")
-        val context = salesforceSDKManager.appContext
-        val useHybridAuthentication = salesforceSDKManager.useHybridAuthentication
+        val context = salesforceSdkManager.appContext
+        val useHybridAuthentication = salesforceSdkManager.useHybridAuthentication
 
-        // Add Salesforce Mobile App Attestation parameter to authorization URL if applicable.
-        if (limitTest) {
-            return null // LIMIT TEST 1
-        }
         val additionalParams = appAttestationClient?.run {
-//            val challenge = fetchMobileAppAttestationChallenge() // LIMIT TEST 1.1
-//            if (limitTest) {
-//                return null // LIMIT TEST 2
-//            }
-//            val attestation = createAppAttestation(challenge) ?: return@run null
-//            mapOf(ATTESTATION to attestation)
+            val challenge = fetchMobileAppAttestationChallenge()
+            val attestation = createAppAttestation(challenge) ?: return@run null
+            mapOf(ATTESTATION to attestation)
         }
 
-//        val authorizationUri = getAuthorizationUrl(
-//            true, // use web server flow
-//            useHybridAuthentication,
-//            URI(userAccount.loginServer),
-//            spConfig.oauthClientId,
-//            spConfig.oauthCallbackUrl,
-//            spConfig.oauthScopes,
-//            null, // Login Hint
-//            context.getString(R.string.oauth_display_type),
-//            codeChallenge,
-//            additionalParams,
-//            salesforceSDKManager
-//        )
-
-//        return authorizationUri?.let {
-//            it.path + (it.query?.let { query -> "?$query" } ?: "")
-//        } ?: null
-        return null
+        val authorizationUri = authorizationUrlProvider(
+            true, // Use web server flow
+            useHybridAuthentication,
+            URI(userAccount.loginServer),
+            spConfig.oauthClientId,
+            spConfig.oauthCallbackUrl,
+            spConfig.oauthScopes,
+            null, // Login Hint
+            context.getString(oauth_display_type),
+            codeChallenge,
+            additionalParams,
+            salesforceSdkManager
+        )
+
+        return authorizationUri?.let {
+            it.path + (it.query?.let { query -> "?$query" } ?: "")
+        }
     }
 
     fun getFrontdoorUrl(restClient:RestClient, redirectUri: String): String? {
@@ -239,4 +236,21 @@ internal class IDPAuthCodeHelper @VisibleForTesting internal constructor(
             IDPAuthCodeHelper(webView, userAccount, spConfig, codeChallenge, onResult).generateAuthCode()
         }
     }
-}
+}
+
+/**
+ * Computes a Salesforce OAuth authorization URL.
+ */
+typealias AuthorizationUrlProvider = (
+    useWebServerAuthentication: Boolean,
+    useHybridAuthentication: Boolean,
+    loginServer: URI,
+    clientId: String,
+    callbackUrl: String,
+    scopes: Array<String>,
+    loginHint: String?,
+    displayType: String,
+    codeChallenge: String,
+    additionalParams: Map<String, String>?,
+    salesforceSdkManager: SalesforceSDKManager
+) -> URI?