Consider Firefox < 128 and != 115 as incompatible due to root CA expiration (#13502)

* Consider Firefox < 128 and != 115 as incompatible due to root CA expiration

For now, this only applies to compatibility checks, so this will cause
the add-on detail pages to show the "You need an updated version of Firefox"
warning and button to show up instead of the install button for those
users.

Author: diox

src/amo/constants.js

@@ -113,6 +113,8 @@ export const VISIBLE_ADDON_TYPES_MAPPING: {|
 
 // Incompatibility codes for clients that can't install an add-on.
 export const INCOMPATIBLE_FIREFOX_FOR_IOS = 'INCOMPATIBLE_FIREFOX_FOR_IOS';
+export const INCOMPATIBLE_OLD_ROOT_CERT_VERSION =
+  'INCOMPATIBLE_OLD_ROOT_CERT_VERSION';
 export const INCOMPATIBLE_OVER_MAX_VERSION = 'INCOMPATIBLE_OVER_MAX_VERSION';
 export const INCOMPATIBLE_NOT_FIREFOX = 'INCOMPATIBLE_NOT_FIREFOX';
 export const INCOMPATIBLE_UNDER_MIN_VERSION = 'INCOMPATIBLE_UNDER_MIN_VERSION';

src/amo/utils/compatibility.js

@@ -16,6 +16,7 @@ import {
   INCOMPATIBLE_ANDROID_UNSUPPORTED,
   INCOMPATIBLE_FIREFOX_FOR_IOS,
   INCOMPATIBLE_NOT_FIREFOX,
+  INCOMPATIBLE_OLD_ROOT_CERT_VERSION,
   INCOMPATIBLE_OVER_MAX_VERSION,
   INCOMPATIBLE_UNDER_MIN_VERSION,
   INCOMPATIBLE_UNSUPPORTED_PLATFORM,
@@ -77,6 +78,25 @@ export const isFirefox = ({
   return userAgentInfo.browser.name === 'Firefox';
 };
 
+export const isFirefoxWithOldRootCerts = ({
+  userAgentInfo,
+}: {|
+  userAgentInfo: UserAgentInfoType,
+|}): boolean => {
+  // If the userAgent is false there was likely a programming error.
+  invariant(userAgentInfo, 'userAgentInfo is required');
+
+  const majorAppVersion = parseInt(userAgentInfo.browser?.version, 10);
+
+  return (
+    isFirefox({ userAgentInfo }) &&
+    // Firefox 128 and higher or latest Firefox ESR 115 have the updated root.
+    // We can't single out ESR but excluding 115 entirely is good enough.
+    majorAppVersion < 128 &&
+    majorAppVersion !== 115
+  );
+};
+
 export const isDesktop = ({
   userAgentInfo,
 }: {|
@@ -173,6 +193,10 @@ export function isCompatibleWithUserAgent({
     };
   }
 
+  if (isFirefoxWithOldRootCerts({ userAgentInfo })) {
+    return { compatible: false, reason: INCOMPATIBLE_OLD_ROOT_CERT_VERSION };
+  }
+
   // Do version checks, if this add-on has minimum or maximum version
   // requirements.
   // The addons-moz-compare API is quite strange; a result of

tests/unit/amo/test_searchUtils.js

@@ -104,7 +104,7 @@ describe(__filename, () => {
     describe('when clientApp is CLIENT_APP_ANDROID', () => {
       it('does not set promoted and does not override compatibleWithVersion when browser is Firefox for Android', () => {
         const { state } = dispatchClientMetadata({
-          userAgent: userAgentsByPlatform.android.firefox70,
+          userAgent: userAgentsByPlatform.android.firefox136,
         });
 
         const newFilters = addVersionCompatibilityToFilters({
@@ -115,14 +115,14 @@ describe(__filename, () => {
         expect(newFilters).toEqual({
           addonType: ADDON_TYPE_EXTENSION,
           clientApp: CLIENT_APP_ANDROID,
-          compatibleWithVersion: '70.0',
+          compatibleWithVersion: '136.0',
           query: 'foo',
         });
       });
 
       it.each([
         // This works because it is Firefox Desktop.
-        userAgentsByPlatform.windows.firefox40,
+        userAgentsByPlatform.windows.firefox115,
         userAgentsByPlatform.mac.chrome41,
       ])(
         'does not set promoted but overrides compatibleWithVersion when browser is not Firefox for Android - userAgent: %s',