Introduce the SandboxedSdkToolbox.

This binary will be used to: - Generate manifests for APKs consuming sandboxed SDKs. - Generate client sources for communicating with sandboxed SDKs. - Extract API descriptors from SDKs - Generate XML metadata for APKs using SDKs in compatibility mode. For now, only the manifest generation command is available. This change also adds the binary to the toolchain, future rules will invoke it when consuming sandboxed SDKs. PiperOrigin-RevId: 555376579 Change-Id: Id746e1489f8f717f7e389b585b66ed2e4103c386
bazelbuild · Aug 10, 2023 · 545a301 · 545a301
1 parent df22114
commit 545a301
Show file tree

Hide file tree

Showing 18 changed files with 615 additions and 1 deletion.
diff --git a/defs.bzl b/defs.bzl
@@ -33,8 +33,13 @@ def rules_android_workspace():
     maven_install(
         name = "rules_android_maven",
         artifacts = [
-            "com.android.tools.build:bundletool:1.6.1",
+            "com.android.tools.build:bundletool:1.15.2",
             "com.android.tools.build:gradle:8.0.1",
+            "com.google.guava:guava:32.1.2-jre",
+            "com.google.protobuf:protobuf-java-util:3.9.2",
+            "com.google.truth:truth:1.1.5",
+            "info.picocli:picocli:4.7.4",
+            "junit:junit:4.13.2",
         ],
         repositories = [
             "https://maven.google.com",

diff --git a/kokoro/presubmit/kokoro_presubmit.sh b/kokoro/presubmit/kokoro_presubmit.sh
@@ -62,6 +62,11 @@ COMMON_ARGS=(
   "--experimental_google_legacy_api"
   "--experimental_enable_android_migration_apis"
   "--build_tests_only"
+  # Java tests use language version at least 11, but they might depend on
+  # libraries that were built for Java 17.
+  "--java_language_version=11"
+  "--java_runtime_version=17"
+  "--test_output=errors"
 )
 
 # Go to rules_android workspace and run relevant tests.
@@ -73,6 +78,7 @@ cd "${KOKORO_ARTIFACTS_DIR}/git/rules_android"
 
 "$bazel" test "${COMMON_ARGS[@]}" //src/common/golang/... \
   //src/tools/ak/... \
+  //src/tools/javatests/... \
   //src/tools/jdeps/... \
   //test/...
 

diff --git a/src/tools/java/com/google/devtools/build/android/sandboxedsdktoolbox/BUILD b/src/tools/java/com/google/devtools/build/android/sandboxedsdktoolbox/BUILD
@@ -0,0 +1,35 @@
+# Common tools for managing sandboxed SDKs.
+# Sandboxed SDKs are libraries that are released separately from Android apps and can run in the
+# Privacy Sandbox.
+
+package(
+    default_applicable_licenses = ["//:license"],
+    default_visibility = ["//src:__subpackages__"],
+)
+
+package_group(
+    name = "sandboxed_sdk_toolbox_packages",
+    packages = [
+        "//src/tools/java/com/google/devtools/build/android/sandboxedsdktoolbox/...",
+    ],
+)
+
+licenses(["notice"])
+
+java_library(
+    name = "sandboxed_sdk_toolbox_lib",
+    srcs = glob(["*.java"]),
+    deps = [
+        "//src/tools/java/com/google/devtools/build/android/sandboxedsdktoolbox/sdkdependenciesmanifest",
+        "@rules_android_maven//:info_picocli_picocli",
+    ],
+)
+
+java_binary(
+    name = "sandboxed_sdk_toolbox",
+    main_class = "com.google.devtools.build.android.sandboxedsdktoolbox.SandboxedSdkToolbox",
+    visibility = ["//visibility:public"],
+    runtime_deps = [
+        ":sandboxed_sdk_toolbox_lib",
+    ],
+)
diff --git a/...tools/java/com/google/devtools/build/android/sandboxedsdktoolbox/SandboxedSdkToolbox.java b/...tools/java/com/google/devtools/build/android/sandboxedsdktoolbox/SandboxedSdkToolbox.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2023 The Bazel Authors. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.devtools.build.android.sandboxedsdktoolbox;
+
+import com.google.devtools.build.android.sandboxedsdktoolbox.sdkdependenciesmanifest.GenerateSdkDependenciesManifestCommand;
+import picocli.CommandLine;
+import picocli.CommandLine.Command;
+
+/** Entrypoint for the Sandboxed SDK Toolbox binary. */
+@Command(
+    name = "sandboxed-sdk-toolbox",
+    subcommands = {
+      GenerateSdkDependenciesManifestCommand.class,
+    })
+public final class SandboxedSdkToolbox {
+
+  public static final CommandLine create() {
+    return new CommandLine(new SandboxedSdkToolbox());
+  }
+
+  public static final void main(String[] args) {
+    SandboxedSdkToolbox.create().execute(args);
+  }
+
+  private SandboxedSdkToolbox() {}
+}
diff --git a/src/tools/java/com/google/devtools/build/android/sandboxedsdktoolbox/config/BUILD b/src/tools/java/com/google/devtools/build/android/sandboxedsdktoolbox/config/BUILD
@@ -0,0 +1,17 @@
+# Utilities for SDK module config proto message.
+
+package(
+    default_applicable_licenses = ["//:license"],
+    default_visibility = ["//src:__subpackages__"],
+)
+
+licenses(["notice"])
+
+java_library(
+    name = "config",
+    srcs = glob(["*.java"]),
+    deps = [
+        "@rules_android_maven//:com_android_tools_build_bundletool",
+        "@rules_android_maven//:com_google_protobuf_protobuf_java_util",
+    ],
+)
diff --git a/...a/com/google/devtools/build/android/sandboxedsdktoolbox/config/SdkModulesConfigUtils.java b/...a/com/google/devtools/build/android/sandboxedsdktoolbox/config/SdkModulesConfigUtils.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2023 The Bazel Authors. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.devtools.build.android.sandboxedsdktoolbox.config;
+
+import com.android.bundle.SdkModulesConfigOuterClass.SdkModulesConfig;
+import com.android.tools.build.bundletool.model.RuntimeEnabledSdkVersionEncoder;
+import com.google.protobuf.util.JsonFormat;
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+/** Utilities for creating and extracting information from {@link SdkModulesConfig} messages. */
+public final class SdkModulesConfigUtils {
+
+  public static SdkModulesConfig readFromJsonFile(Path configPath) {
+    var builder = SdkModulesConfig.newBuilder();
+    try {
+      JsonFormat.parser().merge(Files.newBufferedReader(configPath), builder);
+      return builder.build();
+    } catch (IOException e) {
+      throw new UncheckedIOException("Failed to parse SDK Module Config.", e);
+    }
+  }
+
+  public static long getVersionMajor(SdkModulesConfig config) {
+    return RuntimeEnabledSdkVersionEncoder.encodeSdkMajorAndMinorVersion(
+        config.getSdkVersion().getMajor(), config.getSdkVersion().getMinor());
+  }
+
+  private SdkModulesConfigUtils() {}
+}
diff --git a/...ools/build/android/sandboxedsdktoolbox/sdkdependenciesmanifest/AndroidManifestWriter.java b/...ools/build/android/sandboxedsdktoolbox/sdkdependenciesmanifest/AndroidManifestWriter.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright 2023 The Bazel Authors. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.devtools.build.android.sandboxedsdktoolbox.sdkdependenciesmanifest;
+
+import static com.google.devtools.build.android.sandboxedsdktoolbox.config.SdkModulesConfigUtils.getVersionMajor;
+
+import com.android.bundle.SdkModulesConfigOuterClass.SdkModulesConfig;
+import com.google.common.collect.ImmutableSet;
+import java.io.BufferedOutputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.file.Path;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.OutputKeys;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+/** Writes an Android manifest that lists SDK dependencies for an app. */
+final class AndroidManifestWriter {
+
+  private static final String ANDROID_NAME_ATTRIBUTE = "android:name";
+  private static final String ANDROID_VERSION_MAJOR_ATTRIBUTE = "android:versionMajor";
+  private static final String ANDROID_CERTIFICATE_DIGEST_ATTRIBUTE = "android:certDigest";
+  private static final String APPLICATION_ELEMENT_NAME = "application";
+  private static final String MANIFEST_ELEMENT_NAME = "manifest";
+  private static final String MANIFEST_NAMESPACE_URI = "http://schemas.android.com/apk/res/android";
+  private static final String MANIFEST_NAMESPACE_NAME = "xmlns:android";
+  private static final String MANIFEST_PACKAGE_ATTRIBUTE = "package";
+  private static final String SDK_DEPENDENCY_ELEMENT_NAME = "uses-sdk-library";
+
+  static void writeManifest(
+      String packageName,
+      String certificateDigest,
+      ImmutableSet<SdkModulesConfig> configs,
+      Path outputPath) {
+    var root = newEmptyDocument();
+
+    Element manifestNode = root.createElement(MANIFEST_ELEMENT_NAME);
+    manifestNode.setAttribute(MANIFEST_NAMESPACE_NAME, MANIFEST_NAMESPACE_URI);
+    manifestNode.setAttribute(MANIFEST_PACKAGE_ATTRIBUTE, packageName);
+    root.appendChild(manifestNode);
+
+    Element applicationNode = root.createElement(APPLICATION_ELEMENT_NAME);
+    manifestNode.appendChild(applicationNode);
+
+    for (SdkModulesConfig config : configs) {
+      Element sdkDependencyElement = root.createElement(SDK_DEPENDENCY_ELEMENT_NAME);
+      sdkDependencyElement.setAttribute(ANDROID_NAME_ATTRIBUTE, config.getSdkPackageName());
+      sdkDependencyElement.setAttribute(
+          ANDROID_VERSION_MAJOR_ATTRIBUTE, Long.toString(getVersionMajor(config)));
+      sdkDependencyElement.setAttribute(ANDROID_CERTIFICATE_DIGEST_ATTRIBUTE, certificateDigest);
+      applicationNode.appendChild(sdkDependencyElement);
+    }
+
+    writeDocument(root, outputPath);
+  }
+
+  private static Document newEmptyDocument() {
+    try {
+      return DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
+    } catch (ParserConfigurationException e) {
+      throw new IllegalStateException("Failed to create new XML document.", e);
+    }
+  }
+
+  private static void writeDocument(Document document, Path outputPath) {
+    try (var outputStream = new BufferedOutputStream(new FileOutputStream(outputPath.toFile()))) {
+      var transformer = TransformerFactory.newInstance().newTransformer();
+      transformer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
+      transformer.setOutputProperty(OutputKeys.METHOD, "xml");
+      transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+      transformer.transform(new DOMSource(document), new StreamResult(outputStream));
+    } catch (TransformerException | IOException e) {
+      throw new IllegalStateException("Failed to write manifest.", e);
+    }
+  }
+
+  private AndroidManifestWriter() {}
+}
diff --git a/.../java/com/google/devtools/build/android/sandboxedsdktoolbox/sdkdependenciesmanifest/BUILD b/.../java/com/google/devtools/build/android/sandboxedsdktoolbox/sdkdependenciesmanifest/BUILD
@@ -0,0 +1,19 @@
+# Command for generating an SDK dependencies Android manifest.
+
+package(
+    default_applicable_licenses = ["//:license"],
+    default_visibility = ["//src:__subpackages__"],
+)
+
+licenses(["notice"])
+
+java_library(
+    name = "sdkdependenciesmanifest",
+    srcs = glob(["*.java"]),
+    deps = [
+        "//src/tools/java/com/google/devtools/build/android/sandboxedsdktoolbox/config",
+        "@rules_android_maven//:com_android_tools_build_bundletool",
+        "@rules_android_maven//:com_google_guava_guava",
+        "@rules_android_maven//:info_picocli_picocli",
+    ],
+)
diff --git a/...build/android/sandboxedsdktoolbox/sdkdependenciesmanifest/CertificateDigestGenerator.java b/...build/android/sandboxedsdktoolbox/sdkdependenciesmanifest/CertificateDigestGenerator.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright 2023 The Bazel Authors. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.devtools.build.android.sandboxedsdktoolbox.sdkdependenciesmanifest;
+
+import static java.util.stream.Collectors.joining;
+
+import com.google.common.hash.Hashing;
+import com.google.common.io.ByteSource;
+import com.google.common.primitives.Bytes;
+import java.io.BufferedInputStream;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+
+/** Generates a SHA256 digest of a signing certificate. */
+final class CertificateDigestGenerator {
+
+  static final String generateCertificateDigest(
+      Path keystorePath, String keystorePassword, String keystoreAlias) {
+    var certificate = readCertificate(keystorePath, keystorePassword, keystoreAlias);
+    return getCertificateDigest(certificate);
+  }
+
+  private static X509Certificate readCertificate(
+      Path keystorePath, String keystorePassword, String keystoreAlias) {
+    try (var keystoreInputStream = new BufferedInputStream(Files.newInputStream(keystorePath))) {
+      var keystore = KeyStore.getInstance("JKS");
+      keystore.load(keystoreInputStream, keystorePassword.toCharArray());
+      return (X509Certificate) keystore.getCertificate(keystoreAlias);
+    } catch (GeneralSecurityException | IOException e) {
+      throw new IllegalStateException("Failed to read certificate", e);
+    }
+  }
+
+  private static String getCertificateDigest(X509Certificate certificate) {
+    try {
+      return Bytes.asList(
+              ByteSource.wrap(certificate.getEncoded()).hash(Hashing.sha256()).asBytes())
+          .stream()
+          .map(b -> String.format("%02X", b))
+          .collect(joining(":"));
+    } catch (CertificateEncodingException | IOException e) {
+      throw new IllegalStateException("Failed to generate certificate digest", e);
+    }
+  }
+
+  private CertificateDigestGenerator() {}
+}