Consider Firefox < 128 and != 115 as incompatible due to root CA expiration (#13502)

* Consider Firefox < 128 and != 115 as incompatible due to root CA expiration

For now, this only applies to compatibility checks, so this will cause
the add-on detail pages to show the "You need an updated version of Firefox"
warning and button to show up instead of the install button for those
users.

Author: diox

src/amo/constants.js

@@ -113,6 +113,8 @@ export const VISIBLE_ADDON_TYPES_MAPPING: {|
 
 // Incompatibility codes for clients that can't install an add-on.
 export const INCOMPATIBLE_FIREFOX_FOR_IOS = 'INCOMPATIBLE_FIREFOX_FOR_IOS';
+export const INCOMPATIBLE_OLD_ROOT_CERT_VERSION =
+  'INCOMPATIBLE_OLD_ROOT_CERT_VERSION';
 export const INCOMPATIBLE_OVER_MAX_VERSION = 'INCOMPATIBLE_OVER_MAX_VERSION';
 export const INCOMPATIBLE_NOT_FIREFOX = 'INCOMPATIBLE_NOT_FIREFOX';
 export const INCOMPATIBLE_UNDER_MIN_VERSION = 'INCOMPATIBLE_UNDER_MIN_VERSION';

src/amo/utils/compatibility.js

@@ -16,6 +16,7 @@ import {
   INCOMPATIBLE_ANDROID_UNSUPPORTED,
   INCOMPATIBLE_FIREFOX_FOR_IOS,
   INCOMPATIBLE_NOT_FIREFOX,
+  INCOMPATIBLE_OLD_ROOT_CERT_VERSION,
   INCOMPATIBLE_OVER_MAX_VERSION,
   INCOMPATIBLE_UNDER_MIN_VERSION,
   INCOMPATIBLE_UNSUPPORTED_PLATFORM,
@@ -77,6 +78,25 @@ export const isFirefox = ({
   return userAgentInfo.browser.name === 'Firefox';
 };
 
+export const isFirefoxWithOldRootCerts = ({
+  userAgentInfo,
+}: {|
+  userAgentInfo: UserAgentInfoType,
+|}): boolean => {
+  // If the userAgent is false there was likely a programming error.
+  invariant(userAgentInfo, 'userAgentInfo is required');
+
+  const majorAppVersion = parseInt(userAgentInfo.browser?.version, 10);
+
+  return (
+    isFirefox({ userAgentInfo }) &&
+    // Firefox 128 and higher or latest Firefox ESR 115 have the updated root.
+    // We can't single out ESR but excluding 115 entirely is good enough.
+    majorAppVersion < 128 &&
+    majorAppVersion !== 115
+  );
+};
+
 export const isDesktop = ({
   userAgentInfo,
 }: {|
@@ -173,6 +193,10 @@ export function isCompatibleWithUserAgent({
     };
   }
 
+  if (isFirefoxWithOldRootCerts({ userAgentInfo })) {
+    return { compatible: false, reason: INCOMPATIBLE_OLD_ROOT_CERT_VERSION };
+  }
+
   // Do version checks, if this add-on has minimum or maximum version
   // requirements.
   // The addons-moz-compare API is quite strange; a result of

tests/unit/amo/test_searchUtils.js

@@ -104,7 +104,7 @@ describe(__filename, () => {
     describe('when clientApp is CLIENT_APP_ANDROID', () => {
       it('does not set promoted and does not override compatibleWithVersion when browser is Firefox for Android', () => {
         const { state } = dispatchClientMetadata({
-          userAgent: userAgentsByPlatform.android.firefox70,
+          userAgent: userAgentsByPlatform.android.firefox136,
         });
 
         const newFilters = addVersionCompatibilityToFilters({
@@ -115,14 +115,14 @@ describe(__filename, () => {
         expect(newFilters).toEqual({
           addonType: ADDON_TYPE_EXTENSION,
           clientApp: CLIENT_APP_ANDROID,
-          compatibleWithVersion: '70.0',
+          compatibleWithVersion: '136.0',
           query: 'foo',
         });
       });
 
       it.each([
         // This works because it is Firefox Desktop.
-        userAgentsByPlatform.windows.firefox40,
+        userAgentsByPlatform.windows.firefox115,
         userAgentsByPlatform.mac.chrome41,
       ])(
         'does not set promoted but overrides compatibleWithVersion when browser is not Firefox for Android - userAgent: %s',

tests/unit/amo/utils/test_compatibility.js

@@ -9,6 +9,7 @@ import {
   INCOMPATIBLE_ANDROID_UNSUPPORTED,
   INCOMPATIBLE_FIREFOX_FOR_IOS,
   INCOMPATIBLE_NOT_FIREFOX,
+  INCOMPATIBLE_OLD_ROOT_CERT_VERSION,
   INCOMPATIBLE_OVER_MAX_VERSION,
   INCOMPATIBLE_UNDER_MIN_VERSION,
   INCOMPATIBLE_UNSUPPORTED_PLATFORM,
@@ -27,6 +28,7 @@ import {
   isFirefox,
   isFirefoxForAndroid,
   isFirefoxForIOS,
+  isFirefoxWithOldRootCerts,
 } from 'amo/utils/compatibility';
 import {
   createFakeLocation,
@@ -90,6 +92,40 @@ describe(__filename, () => {
     });
   });
 
+  describe('isFirefoxWithOldRootCerts', () => {
+    it.each([
+      ...userAgents.androidWebkit,
+      ...userAgents.chromeAndroid,
+      ...userAgents.chrome,
+    ])('returns false for %s', (userAgent) => {
+      expect(
+        isFirefoxWithOldRootCerts({ userAgentInfo: UAParser(userAgent) }),
+      ).toEqual(false);
+    });
+
+    it.each([
+      userAgentsByPlatform.windows.firefox115,
+      userAgentsByPlatform.mac.firefox128,
+      userAgentsByPlatform.mac.firefox136,
+      userAgentsByPlatform.android.firefox136,
+    ])('returns false for %s', (userAgent) => {
+      expect(
+        isFirefoxWithOldRootCerts({ userAgentInfo: UAParser(userAgent) }),
+      ).toEqual(false);
+    });
+
+    it.each([
+      userAgentsByPlatform.windows.firefox40,
+      userAgentsByPlatform.mac.firefox69,
+      userAgentsByPlatform.linux.firefox10,
+      userAgentsByPlatform.android.firefox70,
+    ])('returns true for %s', (userAgent) => {
+      expect(
+        isFirefoxWithOldRootCerts({ userAgentInfo: UAParser(userAgent) }),
+      ).toEqual(true);
+    });
+  });
+
   describe('isDesktop', () => {
     it.each([...userAgents.chrome, ...userAgents.firefox])(
       'returns true for %s',
@@ -112,7 +148,7 @@ describe(__filename, () => {
     const _isCompatibleWithUserAgent = ({
       addon = createInternalAddonWithLang(fakeAddon),
       currentVersion = createInternalVersionWithLang(fakeAddon.current_version),
-      userAgentInfo = UAParser(userAgentsByPlatform.windows.firefox40),
+      userAgentInfo = UAParser(userAgentsByPlatform.windows.firefox115),
       ...rest
     }) => {
       return isCompatibleWithUserAgent({
@@ -126,7 +162,7 @@ describe(__filename, () => {
     it('is compatible with Firefox', () => {
       expect(
         _isCompatibleWithUserAgent({
-          userAgentInfo: UAParser(userAgents.firefox[0]),
+          userAgentInfo: UAParser(userAgentsByPlatform.windows.firefox115),
         }),
       ).toEqual({ compatible: true, reason: null });
     });
@@ -141,24 +177,10 @@ describe(__filename, () => {
       });
     });
 
-    it('is compatible with Firefox for Android, when promoted', () => {
-      userAgents.firefoxAndroid.forEach((userAgent) => {
-        expect(
-          _isCompatibleWithUserAgent({
-            addon: createInternalAddonWithLang({
-              ...fakeAddon,
-              promoted: { category: RECOMMENDED, apps: [CLIENT_APP_ANDROID] },
-            }),
-            userAgentInfo: UAParser(userAgent),
-          }),
-        ).toEqual({ compatible: true, reason: null });
-      });
-    });
-
-    it('is compatible with Firefox >= 69', () => {
+    it('is compatible with Firefox >= 128', () => {
       expect(
         _isCompatibleWithUserAgent({
-          userAgentInfo: UAParser(userAgentsByPlatform.mac.firefox69),
+          userAgentInfo: UAParser(userAgentsByPlatform.mac.firefox128),
         }),
       ).toEqual({ compatible: true, reason: null });
     });
@@ -185,23 +207,23 @@ describe(__filename, () => {
       ).toEqual({ compatible: false, reason: INCOMPATIBLE_NOT_FIREFOX });
     });
 
-    it('should mark Firefox 10 as incompatible with a minVersion of 10.1', () => {
+    it('should mark Firefox 128 as incompatible with a minVersion of 128.1', () => {
       const userAgentInfo = {
-        browser: { name: 'Firefox', version: '10.0' },
+        browser: { name: 'Firefox', version: '128.0' },
         os: { name: 'Windows' },
       };
       expect(
         _isCompatibleWithUserAgent({
-          minVersion: '10.1',
+          minVersion: '128.1',
           userAgentInfo,
         }),
       ).toEqual({ compatible: false, reason: INCOMPATIBLE_UNDER_MIN_VERSION });
     });
 
-    it('should mark Firefox 24 as compatible with a maxVersion of 8', () => {
+    it('should mark Firefox 115 as compatible with a maxVersion of 8', () => {
       // https://github.com/mozilla/addons-frontend/issues/2074
       const userAgentInfo = {
-        browser: { name: 'Firefox', version: '24.0' },
+        browser: { name: 'Firefox', version: '115.0' },
         os: { name: 'Windows' },
       };
       expect(
@@ -218,7 +240,7 @@ describe(__filename, () => {
 
     it('should mark Firefox as compatible when no min or max version', () => {
       const userAgentInfo = {
-        browser: { name: 'Firefox', version: '10.0' },
+        browser: { name: 'Firefox', version: '128.0' },
         os: { name: 'Windows' },
       };
       expect(
@@ -232,7 +254,7 @@ describe(__filename, () => {
       // WebExtensions are marked as having a maxVersion of "*" by addons-server
       // if their manifests don't contain explicit version information.
       const userAgentInfo = {
-        browser: { name: 'Firefox', version: '54.0' },
+        browser: { name: 'Firefox', version: '128.0' },
         os: { name: 'Windows' },
       };
       expect(
@@ -324,13 +346,44 @@ describe(__filename, () => {
             promoted: { category: RECOMMENDED, apps: [CLIENT_APP_ANDROID] },
           }),
           currentVersion,
-          userAgentInfo: UAParser(userAgentsByPlatform.android.firefox40Mobile),
+          userAgentInfo: UAParser(userAgentsByPlatform.android.firefox136),
         }),
       ).toEqual({
         compatible: false,
         reason: INCOMPATIBLE_ANDROID_UNSUPPORTED,
       });
     });
+
+    it('is incompatible with Firefox < 128 because of root cert expiration', () => {
+      const userAgentInfo = {
+        browser: { name: 'Firefox', version: '127.0' },
+        os: { name: 'Windows' },
+      };
+      // Would normally be considered compatible, but because Firefox is < 128
+      // (and not 115, see test below) it's not.
+      expect(
+        _isCompatibleWithUserAgent({
+          minVersion: '57.0',
+          userAgentInfo,
+        }),
+      ).toEqual({
+        compatible: false,
+        reason: INCOMPATIBLE_OLD_ROOT_CERT_VERSION,
+      });
+    });
+
+    it('is still compatible with Firefox 115', () => {
+      const userAgentInfo = {
+        browser: { name: 'Firefox', version: '115.0' },
+        os: { name: 'Windows' },
+      };
+      expect(
+        _isCompatibleWithUserAgent({
+          minVersion: '57.0',
+          userAgentInfo,
+        }),
+      ).toEqual({ compatible: true, reason: null });
+    });
   });
 
   describe('getCompatibleVersions', () => {
@@ -463,7 +516,7 @@ describe(__filename, () => {
     };
 
     it('returns true for Firefox (reason undefined when compatibile)', () => {
-      const { browser, os } = UAParser(userAgentsByPlatform.mac.firefox57);
+      const { browser, os } = UAParser(userAgentsByPlatform.mac.firefox136);
       const userAgentInfo = { browser, os };
       const clientApp = CLIENT_APP_FIREFOX;
       const currentVersion = createInternalVersionWithLang({
@@ -491,7 +544,7 @@ describe(__filename, () => {
     });
 
     it('returns maxVersion when set', () => {
-      const { browser, os } = UAParser(userAgents.firefox[0]);
+      const { browser, os } = UAParser(userAgentsByPlatform.mac.firefox136);
       const userAgentInfo = { browser, os };
 
       expect(
@@ -514,7 +567,7 @@ describe(__filename, () => {
     });
 
     it('returns minVersion when set', () => {
-      const { browser, os } = UAParser(userAgents.firefox[0]);
+      const { browser, os } = UAParser(userAgentsByPlatform.mac.firefox136);
       const userAgentInfo = { browser, os };
 
       expect(
@@ -565,7 +618,7 @@ describe(__filename, () => {
     });
 
     it('returns incompatible when currentVersion is null', () => {
-      const { browser, os } = UAParser(userAgents.firefox[0]);
+      const { browser, os } = UAParser(userAgentsByPlatform.mac.firefox136);
       const userAgentInfo = { browser, os };
       const clientApp = CLIENT_APP_FIREFOX;
 
@@ -584,7 +637,7 @@ describe(__filename, () => {
     });
 
     it('returns compatible if strict compatibility is off', () => {
-      const { browser, os } = UAParser(userAgents.firefox[4]);
+      const { browser, os } = UAParser(userAgentsByPlatform.mac.firefox136);
       const userAgentInfo = { browser, os };
 
       expect(
@@ -595,7 +648,7 @@ describe(__filename, () => {
             compatibility: {
               ...fakeAddon.current_version.compatibility,
               [CLIENT_APP_FIREFOX]: {
-                max: '56.*',
+                max: '135.*',
                 min: '24.0',
               },
             },
@@ -608,7 +661,7 @@ describe(__filename, () => {
     });
 
     it('returns incompatible if strict compatibility enabled', () => {
-      const { browser, os } = UAParser(userAgents.firefox[5]);
+      const { browser, os } = UAParser(userAgentsByPlatform.mac.firefox136);
       const userAgentInfo = { browser, os };
 
       expect(
@@ -619,7 +672,7 @@ describe(__filename, () => {
             compatibility: {
               ...fakeAddon.current_version.compatibility,
               [CLIENT_APP_FIREFOX]: {
-                max: '56.*',
+                max: '135.*',
                 min: '24.0',
               },
             },
@@ -635,7 +688,7 @@ describe(__filename, () => {
     });
 
     it('returns incompatible when add-on does not support client app', () => {
-      const { browser, os } = UAParser(userAgentsByPlatform.mac.firefox57);
+      const { browser, os } = UAParser(userAgentsByPlatform.mac.firefox136);
       const userAgentInfo = { browser, os };
 
       expect(
@@ -656,9 +709,7 @@ describe(__filename, () => {
     });
 
     it('returns correct reason when add-on is incompatible with android', () => {
-      const { browser, os } = UAParser(
-        userAgentsByPlatform.android.firefox40Mobile,
-      );
+      const { browser, os } = UAParser(userAgentsByPlatform.android.firefox136);
       const userAgentInfo = { browser, os };
 
       expect(
@@ -715,7 +766,7 @@ describe(__filename, () => {
         _correctedLocationForPlatform({
           clientApp: CLIENT_APP_FIREFOX,
           lang,
-          userAgentInfo: UAParser(userAgentsByPlatform.android.firefox40Mobile),
+          userAgentInfo: UAParser(userAgentsByPlatform.android.firefox136),
         }),
       ).toEqual(getMobileHomepageLink(lang));
     });
@@ -728,7 +779,7 @@ describe(__filename, () => {
           isHomePage: false,
           lang,
           location: createFakeLocation({ pathname: '/some/path' }),
-          userAgentInfo: UAParser(userAgentsByPlatform.android.firefox40Mobile),
+          userAgentInfo: UAParser(userAgentsByPlatform.android.firefox136),
         }),
       ).toEqual(null);
     });
@@ -739,7 +790,7 @@ describe(__filename, () => {
           clientApp: CLIENT_APP_ANDROID,
           isHomePage: true,
           location: createFakeLocation({ pathname: '/some/path' }),
-          userAgentInfo: UAParser(userAgentsByPlatform.android.firefox40Mobile),
+          userAgentInfo: UAParser(userAgentsByPlatform.android.firefox136),
         }),
       ).toEqual(null);
     });
@@ -750,7 +801,7 @@ describe(__filename, () => {
           clientApp: CLIENT_APP_ANDROID,
           isHomePage: false,
           location: createFakeLocation({ pathname: '/search/' }),
-          userAgentInfo: UAParser(userAgentsByPlatform.android.firefox40Mobile),
+          userAgentInfo: UAParser(userAgentsByPlatform.android.firefox136),
         }),
       ).toEqual(null);
     });
@@ -763,7 +814,7 @@ describe(__filename, () => {
         _correctedLocationForPlatform({
           clientApp: CLIENT_APP_ANDROID,
           location: createFakeLocation({ pathname, search }),
-          userAgentInfo: UAParser(userAgentsByPlatform.mac.firefox69),
+          userAgentInfo: UAParser(userAgentsByPlatform.mac.firefox136),
         }),
       ).toEqual(`/en-US/${CLIENT_APP_FIREFOX}/addon/slug/${search}`);
     });
@@ -779,7 +830,7 @@ describe(__filename, () => {
           clientApp: CLIENT_APP_ANDROID,
           lang: 'en-US',
           location: createFakeLocation({ pathname, search }),
-          userAgentInfo: UAParser(userAgentsByPlatform.mac.firefox69),
+          userAgentInfo: UAParser(userAgentsByPlatform.mac.firefox136),
         }),
       ).toEqual(`/en-US/${CLIENT_APP_FIREFOX}/addon/slug/${search}`);
     });
@@ -791,7 +842,7 @@ describe(__filename, () => {
         _correctedLocationForPlatform({
           clientApp: CLIENT_APP_ANDROID,
           location: createFakeLocation({ pathname }),
-          userAgentInfo: UAParser(userAgentsByPlatform.mac.firefox69),
+          userAgentInfo: UAParser(userAgentsByPlatform.mac.firefox136),
         }),
       ).toEqual(
         `/en-US/${CLIENT_APP_FIREFOX}/addon/awesome-android-extension/`,
@@ -802,7 +853,7 @@ describe(__filename, () => {
       expect(
         _correctedLocationForPlatform({
           clientApp: CLIENT_APP_FIREFOX,
-          userAgentInfo: UAParser(userAgentsByPlatform.mac.firefox69),
+          userAgentInfo: UAParser(userAgentsByPlatform.mac.firefox136),
         }),
       ).toEqual(null);
     });

tests/unit/helpers.js

@@ -806,6 +806,8 @@ export const userAgentsByPlatform = {
       Firefox/69.0`,
     firefox70: oneLine`Mozilla/5.0 (Android 9; Mobile; rv:70.0) Gecko/70.0
       Firefox/70.0`,
+    firefox136: oneLine`Mozilla/5.0 (Android 15; Mobile; rv:136.0) Gecko/136.0
+      Firefox/136.0`,
   },
   bsd: {
     firefox40FreeBSD: oneLine`Mozilla/5.0 (X11; FreeBSD amd64; rv:40.0)
@@ -842,6 +844,10 @@ export const userAgentsByPlatform = {
       Gecko/20100101 Firefox/61.0`,
     firefox69: oneLine`Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0)
       Gecko/20100101 Firefox/69.0`,
+    firefox128: oneLine`Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:128.0)
+      Gecko/20100101 Firefox/128.0`,
+    firefox136: oneLine`Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:136.0)
+      Gecko/20100101 Firefox/136.0`,
   },
   unix: {
     firefox51: oneLine`Mozilla/51.0.2 (X11; Unix x86_64; rv:29.0)
@@ -850,6 +856,8 @@ export const userAgentsByPlatform = {
   windows: {
     firefox40: oneLine`Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
       Gecko/20100101 Firefox/40.1`,
+    firefox115: oneLine`Mozilla/5.0 (Windows NT 6.1; WOW64; rv:115.0)
+      Gecko/20100101 Firefox/115.0`,
   },
 };