@W-21933885: [MSDK Android] App Attestation Implementation

.github/workflows/reusable-lib-workflow.yaml

@@ -27,6 +27,10 @@ jobs:
       - name: Install Dependencies
         env:
           TEST_CREDENTIALS: ${{ secrets.TEST_CREDENTIALS }}
+          # On PR runs, only SalesforceReact consumes the bundled index.android.bundle,
+          # so skip the yarn install + react-native bundle step for every other lib to
+          # save ~3-5 min per matrix job. Nightly runs still produce the bundle.
+          SKIP_REACT_NATIVE_BUNDLE: ${{ (inputs.is_pr && inputs.lib != 'SalesforceReact') && '1' || '0' }}
         run: |
           ./install.sh
           echo $TEST_CREDENTIALS > ./shared/test/test_credentials.json
@@ -68,6 +72,42 @@ jobs:
         run: |
           ./gradlew libs:${{ inputs.lib }}:assembleAndroidTest
           ./gradlew native:NativeSampleApps:RestExplorer:assembleDebug
+      - name: Run Unit Tests
+        if: success() || failure()
+        continue-on-error: true
+        run: ./gradlew libs:${{ inputs.lib }}:testDebugUnitTest --continue
+      - name: Publish Unit Test Results
+        uses: EnricoMi/publish-unit-test-result-action@v2
+        if: success() || failure()
+        with:
+          check_name: ${{ inputs.lib }} Unit Test Results
+          files: |
+            libs/${{ inputs.lib }}/build/test-results/testDebugUnitTest/*.xml
+          comment_mode: off
+          fail_on: nothing
+      - name: Archive Unit Test Results
+        uses: actions/upload-artifact@v4
+        if: success() || failure()
+        with:
+          name: unit-test-results-${{ inputs.lib }}
+          path: libs/${{ inputs.lib }}/build/test-results/testDebugUnitTest/*.xml
+      - name: Generate Unit Test Coverage Report
+        if: success() || failure()
+        run: ./gradlew libs:${{ inputs.lib }}:unitTestCoverageReport
+      - uses: codecov/codecov-action@v5
+        if: success() || failure()
+        with:
+          files: libs/${{ inputs.lib }}/build/reports/jacoco/unitTestCoverageReport/unitTestCoverageReport.xml
+          flags: ${{ inputs.lib }}-unit-tests
+          name: ${{ inputs.lib }}-unit-test-coverage
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      - name: Archive Unit Test Coverage Report
+        uses: actions/upload-artifact@v4
+        if: success() || failure()
+        with:
+          name: unit-test-coverage-${{ inputs.lib }}
+          path: libs/${{ inputs.lib }}/build/reports/jacoco/unitTestCoverageReport/
       - uses: 'google-github-actions/auth@v2'
         if: success() || failure()
         with:
@@ -109,7 +149,6 @@ jobs:
 
           if $IS_PR ; then
             LEVELS_TO_TEST=$PR_API_VERSION
-            RETRIES=1
           fi
 
           # Build test-targets-for-shard arguments from config file

CLAUDE.md

@@ -126,6 +126,52 @@ See [README.md](README.md) for basic setup. Commands below are for contributors
 - **Test data cleanup**: Every test must clean up created soups, user accounts, and cached data. Use `@Before`/`@After` rigorously.
 - **Test credentials**: Tests requiring authentication need `test_credentials.json` in `shared/test/`.
 
+### Firebase Test Lab Considerations
+
+**CRITICAL: MockK `mockkStatic()` Does Not Work on Firebase Test Lab**
+
+Firebase Test Lab silently disables MockK's static mocking, causing tests to execute real implementations. Tests pass locally but timeout (60s) on Firebase with `UncompletedCoroutinesError` as real network/Google Play Services calls execute.
+
+**Root Cause:** Firebase's SELinux policies block MockK bytecode instrumentation, APK re-signing breaks inline mocking agent, and real Google Play Services execute unexpected calls.
+
+**DO NOT USE:**
+```kotlin
+mockkStatic(OAuth2::class)  // ❌ Fails silently on Firebase
+```
+
+**REQUIRED ALTERNATIVES:**
+
+1. **Parameter Injection (Simplest):**
+```kotlin
+// Add parameter with default value pointing to static method
+fun myFunction(
+    helper: (String) -> Int = { StaticClass.staticMethod(it) }
+) {
+    val result = helper("input")
+}
+
+// Test injects mock lambda
+myFunction(helper = { "mock result" })
+```
+
+2. **TypeAlias for Complex Static Methods:**
+```kotlin
+// Define function type
+typealias GetAuthUrl = (Boolean, URI, String, String) -> URI?
+
+// Use as parameter with default calling static method
+suspend fun authorize(
+    getAuthUrl: GetAuthUrl = { a, b, c, d -> OAuth2.getAuthUrl(a, b, c, d) }
+) { /* ... */ }
+
+// Test injects simple mock
+authorize(getAuthUrl = { _, _, _, _ -> URI("mock://url") })
+```
+
+**Rule:** Never use `mockkStatic()` in instrumented tests. Always use parameter injection to enable mocking.
+
+---
+
 ### What to Test for Each Library
 
 **SalesforceSDK (Core)**:

hybrid/HybridSampleApps/AccountEditor/build.gradle.kts

@@ -32,7 +32,7 @@ android {
 
     packaging {
         resources {
-            excludes += setOf("META-INF/LICENSE", "META-INF/LICENSE.txt", "META-INF/DEPENDENCIES", "META-INF/NOTICE")
+            excludes += setOf("META-INF/LICENSE", "META-INF/LICENSE.txt", "META-INF/DEPENDENCIES", "META-INF/NOTICE", "AndroidManifest.xml")
         }
     }
 

hybrid/HybridSampleApps/MobileSyncExplorerHybrid/build.gradle.kts

@@ -32,7 +32,7 @@ android {
 
     packaging {
         resources {
-            excludes += setOf("META-INF/LICENSE", "META-INF/LICENSE.txt", "META-INF/DEPENDENCIES", "META-INF/NOTICE")
+            excludes += setOf("META-INF/LICENSE", "META-INF/LICENSE.txt", "META-INF/DEPENDENCIES", "META-INF/NOTICE", "AndroidManifest.xml")
         }
     }
 

install.sh

@@ -13,12 +13,17 @@ git submodule update
 git -C external/shared checkout -- samples/mobilesyncexplorer/bootconfig.json samples/accounteditor/bootconfig.json 2>/dev/null || true
 
 # get react native
-pushd "libs/SalesforceReact"
-rm -rf node_modules
-rm yarn.lock
-yarn install
-./node_modules/.bin/react-native bundle --platform android --dev true --entry-file node_modules/react-native-force/test/alltests.js --bundle-output ../test/SalesforceReactTest/assets/index.android.bundle --assets-dest ../test/SalesforceReactTest/assets/
-popd
+# Set SKIP_REACT_NATIVE_BUNDLE=1 to skip the yarn install and bundle step for
+# jobs that do not consume libs/test/SalesforceReactTest/assets/index.android.bundle.
+# Default behavior is unchanged (the bundle is produced).
+if [ "${SKIP_REACT_NATIVE_BUNDLE:-0}" != "1" ]; then
+    pushd "libs/SalesforceReact"
+    rm -rf node_modules
+    rm yarn.lock
+    yarn install
+    ./node_modules/.bin/react-native bundle --platform android --dev true --entry-file node_modules/react-native-force/test/alltests.js --bundle-output ../test/SalesforceReactTest/assets/index.android.bundle --assets-dest ../test/SalesforceReactTest/assets/
+    popd
+fi
 
 # Apply bootconfig placeholder substitution. Usage:
 #   apply_bootconfig_paths [sample_file] path1 path2 ...

libs/SalesforceAnalytics/src/com/salesforce/androidsdk/analytics/logger/FileLogger.java

@@ -67,8 +67,18 @@ public FileLogger(Context context, String componentName) throws IOException {
         this.context = context;
         this.componentName = componentName;
         readFileLoggerPrefs();
-        final File filename = new File(context.getFilesDir(), componentName + LOG_SUFFIX);
-        file = new QueueFile(filename);
+        try {
+            final File filesDir = context.getFilesDir();
+            if (filesDir == null) {
+                // This can happen in test environments (e.g., Robolectric) where file system is not available
+                throw new IOException("Context.getFilesDir() returned null - file system not available");
+            }
+            final File filename = new File(filesDir, componentName + LOG_SUFFIX);
+            file = new QueueFile(filename);
+        } catch (NullPointerException e) {
+            // File constructor can throw NPE in test environments even if filesDir is not null
+            throw new IOException("Failed to create log file - file system not available", e);
+        }
     }
 
     /**

libs/SalesforceAnalytics/src/com/salesforce/androidsdk/analytics/logger/SalesforceLogger.java

@@ -514,7 +514,12 @@ private void readLoggerPrefs() {
             storeLoggerPrefs(level);
         }
         final String logLevelString = sp.getString(componentName, level.toString());
-        logLevel = Level.valueOf(logLevelString);
+        try {
+            logLevel = Level.valueOf(logLevelString);
+        } catch (IllegalArgumentException e) {
+            // This can happen in test environments (e.g., Robolectric)
+            logLevel = level;
+        }
     }
 
     /**

libs/SalesforceSDK/build.gradle.kts

@@ -23,6 +23,7 @@ dependencies {
     api("androidx.browser:browser:1.8.0") // Update requires API 36 compileSdk
     api("androidx.work:work-runtime-ktx:2.10.3")
 
+    implementation("com.google.android.play:integrity:1.6.0")
     implementation("com.google.accompanist:accompanist-drawablepainter:0.37.3")
     implementation("com.google.android.material:material:1.13.0")  // remove this when all xml is gone
     implementation("androidx.appcompat:appcompat:1.7.1")
@@ -55,6 +56,14 @@ dependencies {
     androidTestImplementation("androidx.arch.core:core-testing:2.2.0")
     androidTestImplementation("androidx.compose.ui:ui-test-junit4:$composeVersion")
     androidTestImplementation("io.mockk:mockk-android:1.14.0") // Update requires Kotlin 2
+
+    testImplementation("junit:junit:4.13.2")
+    testImplementation("io.mockk:mockk:1.14.0") // Update requires Kotlin 2
+    testImplementation("org.jetbrains.kotlinx:kotlinx-coroutines-test:1.8.1") // Update requires Kotlin 2
+    testImplementation("androidx.test:core:1.7.0")
+    testImplementation("androidx.test.ext:junit:1.3.0")
+    testImplementation("androidx.arch.core:core-testing:2.2.0")
+    testImplementation("org.robolectric:robolectric:4.14.1")
 }
 
 android {
@@ -78,27 +87,35 @@ android {
     sourceSets {
         getByName("main") {
             manifest.srcFile("AndroidManifest.xml")
-            java.srcDirs(arrayOf("src"))
-            resources.srcDirs(arrayOf("src"))
-            aidl.srcDirs(arrayOf("src"))
-            renderscript.srcDirs(arrayOf("src"))
+            // Non-standard layout: production code is in src/com and src/debug (excludes src/test and src/androidTest)
+            java.srcDirs(arrayOf("src/com", "src/debug"))
+            resources.srcDirs(arrayOf("src/com", "src/debug"))
+            aidl.srcDirs(arrayOf("src/com", "src/debug"))
+            renderscript.srcDirs(arrayOf("src/com", "src/debug"))
             res.srcDirs(arrayOf("res"))
             assets.srcDirs(arrayOf("assets"))
         }
 
         getByName("androidTest") {
-            setRoot("../test/SalesforceSDKTest")
+            // Manifest is in standard location: src/androidTest/AndroidManifest.xml
+            // Test code remains in external ../test/SalesforceSDKTest directory
             java.srcDirs(arrayOf("../test/SalesforceSDKTest/src"))
             resources.srcDirs(arrayOf("../test/SalesforceSDKTest/src"))
             res.srcDirs(arrayOf("../test/SalesforceSDKTest/res"))
             @Suppress("UnstableApiUsage")
             assets.directories.add("../../shared/test")
         }
+
+        getByName("test") {
+            // Standard layout for JVM unit tests: src/test/kotlin
+            java.srcDirs(arrayOf("src/test/kotlin"))
+            resources.srcDirs(arrayOf("src/test/resources"))
+        }
     }
 
     packaging {
         resources {
-            excludes += setOf("META-INF/LICENSE*", "META-INF/LICENSE.txt", "META-INF/DEPENDENCIES", "META-INF/NOTICE")
+            excludes += setOf("META-INF/LICENSE*", "META-INF/LICENSE.txt", "META-INF/DEPENDENCIES", "META-INF/NOTICE", "AndroidManifest.xml")
         }
     }
 
@@ -142,6 +159,34 @@ android {
         classDirectories.setFrom(javaTree, kotlinTree)
         executionData.setFrom(fileTree("$rootDir/firebase") { setIncludes(arrayListOf("**/coverage.ec")) })
     }
+
+    val unitTestCoverage: TaskProvider<JacocoReport> = tasks.register<JacocoReport>("unitTestCoverageReport") {
+        group = "Coverage"
+        description = "Generate JaCoCo coverage report for unit tests."
+        dependsOn("testDebugUnitTest")
+    }
+
+    unitTestCoverage {
+        reports {
+            xml.required = true
+            html.required = true
+        }
+
+        sourceDirectories.setFrom(files("${project.projectDir}/src", "${project.projectDir}/src/debug"))
+        val fileFilter = arrayListOf("**/R.class", "**/R$*.class", "**/BuildConfig.*", "**/Manifest*.*", "**/*Test*.*", "android/**/*.*")
+        val javaTree = fileTree("${project.projectDir}/build/intermediates/javac/debug") { setExcludes(fileFilter) }
+        val kotlinTree = fileTree("${project.projectDir}/build/tmp/kotlin-classes/debug") { setExcludes(fileFilter) }
+        classDirectories.setFrom(javaTree, kotlinTree)
+        executionData.setFrom(fileTree("${project.projectDir}/build/jacoco") { setIncludes(arrayListOf("testDebugUnitTest.exec")) })
+    }
+}
+
+// Configure JaCoCo for unit tests
+tasks.withType<Test> {
+    configure<JacocoTaskExtension> {
+        isIncludeNoLocationClasses = true
+        excludes = listOf("jdk.internal.*")
+    }
 }
 
 kotlin {

libs/SalesforceSDK/src/com/salesforce/androidsdk/app/SalesforceSDKManager.kt

@@ -89,6 +89,7 @@ import com.salesforce.androidsdk.app.Features.FEATURE_BROWSER_LOGIN
 import com.salesforce.androidsdk.app.Features.FEATURE_NATIVE_LOGIN
 import com.salesforce.androidsdk.app.SalesforceSDKManager.Theme.DARK
 import com.salesforce.androidsdk.app.SalesforceSDKManager.Theme.SYSTEM_DEFAULT
+import com.salesforce.androidsdk.auth.AppAttestationClient
 import com.salesforce.androidsdk.auth.AuthenticatorService.KEY_INSTANCE_URL
 import com.salesforce.androidsdk.auth.HttpAccess
 import com.salesforce.androidsdk.auth.HttpAccess.DEFAULT
@@ -226,6 +227,54 @@ open class SalesforceSDKManager protected constructor(
      */
     val loginActivityClass: Class<out Activity> = nativeLoginActivity ?: webViewLoginActivityClass
 
+    /**
+     * The client side implementation of the Salesforce App Attestation External
+     * Client App (ECA) Plugin or null when app attestation is disabled.
+     *
+     * This property is not intended for public use outside of Salesforce Mobile
+     * SDK
+     *
+     * TODO: Make this Kotlin-internal once it is no longer referenced by Java. ECJ20260420
+     */
+    @Volatile
+    var appAttestationClient: AppAttestationClient? = null
+        @VisibleForTesting
+        internal set
+
+    /** Lock object for synchronized access to the app Attestation Client */
+    private val appAttestationClientLock = Any()
+
+    /**
+     * Updates the Salesforce App Attestation ECA Plugin Client for the selected
+     * login server and matching Google Cloud Project ID.  When using App
+     * Attestation, this value must match the linked Google Cloud Project ID
+     * for the app in Google Play Console's Play Integrity API and provided to
+     * the Salesforce App Attestation External Client App Plugin.
+     *
+     * @param apiHostName The Salesforce App Attestation External Client App
+     * (ECA) Plugin Challenge API Host Name.  This usually matches the selected
+     * login server
+     * @param googleCloudProjectId The Google Cloud Project ID or null to
+     * disable Salesforce App Attestation
+     */
+    fun updateAppAttestationClient(
+        apiHostName: String,
+        googleCloudProjectId: Long? = null
+    ) {
+        synchronized(appAttestationClientLock) {
+            appAttestationClient = googleCloudProjectId?.let { appAttestationGoogleCloudProjectId ->
+                AppAttestationClient(
+                    context = appContext,
+                    apiHostName = apiHostName,
+                    deviceId = deviceId,
+                    googleCloudProjectId = appAttestationGoogleCloudProjectId,
+                    remoteAccessConsumerKey = getBootConfig(appContext).remoteAccessConsumerKey,
+                    restClient = clientManager.peekUnauthenticatedRestClient()
+                )
+            }
+        }
+    }
+
     /**
      * ViewModel Factory the SDK will use in LoginActivity and composable functions.  Setting this will allow for
      * visual customization without overriding LoginActivity.