Implement Play Integrity attestation flow.

Author: rosalyntan

appcheck/firebase-appcheck-playintegrity/src/main/java/com/google/firebase/appcheck/playintegrity/internal/GeneratePlayIntegrityChallengeRequest.java

@@ -0,0 +1,35 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.firebase.appcheck.playintegrity.internal;
+
+import androidx.annotation.NonNull;
+import org.json.JSONException;
+import org.json.JSONObject;
+
+/**
+ * Client-side model of the GeneratePlayIntegrityChallengeRequest payload from the Firebase App
+ * Check Token Exchange API.
+ */
+public class GeneratePlayIntegrityChallengeRequest {
+
+  public GeneratePlayIntegrityChallengeRequest() {}
+
+  @NonNull
+  public String toJsonString() throws JSONException {
+    JSONObject jsonObject = new JSONObject();
+
+    return jsonObject.toString();
+  }
+}

appcheck/firebase-appcheck-playintegrity/src/main/java/com/google/firebase/appcheck/playintegrity/internal/GeneratePlayIntegrityChallengeResponse.java

@@ -0,0 +1,63 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.firebase.appcheck.playintegrity.internal;
+
+import static com.google.android.gms.common.internal.Preconditions.checkNotNull;
+import static com.google.android.gms.common.util.Strings.emptyToNull;
+
+import androidx.annotation.NonNull;
+import androidx.annotation.VisibleForTesting;
+import org.json.JSONException;
+import org.json.JSONObject;
+
+/**
+ * Client-side model of the GeneratePlayIntegrityChallengeResponse payload from the Firebase App
+ * Check Token Exchange API.
+ */
+public class GeneratePlayIntegrityChallengeResponse {
+
+  @VisibleForTesting static final String CHALLENGE_KEY = "challenge";
+  @VisibleForTesting static final String TIME_TO_LIVE_KEY = "ttl";
+
+  private String challenge;
+  private String timeToLive;
+
+  @NonNull
+  public static GeneratePlayIntegrityChallengeResponse fromJsonString(@NonNull String jsonString)
+      throws JSONException {
+    JSONObject jsonObject = new JSONObject(jsonString);
+    String challenge = emptyToNull(jsonObject.optString(CHALLENGE_KEY));
+    String timeToLive = emptyToNull(jsonObject.optString(TIME_TO_LIVE_KEY));
+    return new GeneratePlayIntegrityChallengeResponse(challenge, timeToLive);
+  }
+
+  private GeneratePlayIntegrityChallengeResponse(
+      @NonNull String challenge, @NonNull String timeToLive) {
+    checkNotNull(challenge);
+    checkNotNull(timeToLive);
+    this.challenge = challenge;
+    this.timeToLive = timeToLive;
+  }
+
+  @NonNull
+  public String getChallenge() {
+    return challenge;
+  }
+
+  @NonNull
+  public String getTimeToLive() {
+    return timeToLive;
+  }
+}

appcheck/firebase-appcheck-playintegrity/src/main/java/com/google/firebase/appcheck/playintegrity/internal/PlayIntegrityAppCheckProvider.java

@@ -19,6 +19,10 @@
 import com.google.android.gms.tasks.Continuation;
 import com.google.android.gms.tasks.Task;
 import com.google.android.gms.tasks.Tasks;
+import com.google.android.play.core.integrity.IntegrityManager;
+import com.google.android.play.core.integrity.IntegrityManagerFactory;
+import com.google.android.play.core.integrity.IntegrityTokenRequest;
+import com.google.android.play.core.integrity.IntegrityTokenResponse;
 import com.google.firebase.FirebaseApp;
 import com.google.firebase.appcheck.AppCheckProvider;
 import com.google.firebase.appcheck.AppCheckToken;
@@ -33,19 +37,26 @@ public class PlayIntegrityAppCheckProvider implements AppCheckProvider {
 
   private static final String UTF_8 = "UTF-8";
 
+  private final IntegrityManager integrityManager;
   private final NetworkClient networkClient;
   private final ExecutorService backgroundExecutor;
   private final RetryManager retryManager;
 
   public PlayIntegrityAppCheckProvider(@NonNull FirebaseApp firebaseApp) {
-    this(new NetworkClient(firebaseApp), Executors.newCachedThreadPool(), new RetryManager());
+    this(
+        IntegrityManagerFactory.create(firebaseApp.getApplicationContext()),
+        new NetworkClient(firebaseApp),
+        Executors.newCachedThreadPool(),
+        new RetryManager());
   }
 
   @VisibleForTesting
   PlayIntegrityAppCheckProvider(
+      @NonNull IntegrityManager integrityManager,
       @NonNull NetworkClient networkClient,
       @NonNull ExecutorService backgroundExecutor,
       @NonNull RetryManager retryManager) {
+    this.integrityManager = integrityManager;
     this.networkClient = networkClient;
     this.backgroundExecutor = backgroundExecutor;
     this.retryManager = retryManager;
@@ -54,24 +65,60 @@ public PlayIntegrityAppCheckProvider(@NonNull FirebaseApp firebaseApp) {
   @NonNull
   @Override
   public Task<AppCheckToken> getToken() {
-    // TODO(rosalyntan): Obtain the Play Integrity challenge nonce.
-    ExchangePlayIntegrityTokenRequest request =
-        new ExchangePlayIntegrityTokenRequest("placeholder");
-    Task<AppCheckTokenResponse> networkTask =
+    return getPlayIntegrityAttestation()
+        .continueWithTask(
+            new Continuation<IntegrityTokenResponse, Task<AppCheckTokenResponse>>() {
+              @Override
+              public Task<AppCheckTokenResponse> then(@NonNull Task<IntegrityTokenResponse> task) {
+                if (task.isSuccessful()) {
+                  ExchangePlayIntegrityTokenRequest request =
+                      new ExchangePlayIntegrityTokenRequest(task.getResult().token());
+                  return Tasks.call(
+                      backgroundExecutor,
+                      () ->
+                          networkClient.exchangeAttestationForAppCheckToken(
+                              request.toJsonString().getBytes(UTF_8),
+                              NetworkClient.PLAY_INTEGRITY,
+                              retryManager));
+                }
+                return Tasks.forException(task.getException());
+              }
+            })
+        .continueWithTask(
+            new Continuation<AppCheckTokenResponse, Task<AppCheckToken>>() {
+              @Override
+              public Task<AppCheckToken> then(@NonNull Task<AppCheckTokenResponse> task) {
+                if (task.isSuccessful()) {
+                  return Tasks.forResult(
+                      DefaultAppCheckToken.constructFromAppCheckTokenResponse(task.getResult()));
+                }
+                // TODO: Surface more error details.
+                return Tasks.forException(task.getException());
+              }
+            });
+  }
+
+  @NonNull
+  Task<IntegrityTokenResponse> getPlayIntegrityAttestation() {
+    GeneratePlayIntegrityChallengeRequest generateChallengeRequest =
+        new GeneratePlayIntegrityChallengeRequest();
+    Task<GeneratePlayIntegrityChallengeResponse> generateChallengeTask =
         Tasks.call(
             backgroundExecutor,
             () ->
-                networkClient.exchangeAttestationForAppCheckToken(
-                    request.toJsonString().getBytes(UTF_8),
-                    NetworkClient.PLAY_INTEGRITY,
-                    retryManager));
-    return networkTask.continueWithTask(
-        new Continuation<AppCheckTokenResponse, Task<AppCheckToken>>() {
+                GeneratePlayIntegrityChallengeResponse.fromJsonString(
+                    networkClient.generatePlayIntegrityChallenge(
+                        generateChallengeRequest.toJsonString().getBytes(UTF_8), retryManager)));
+    return generateChallengeTask.continueWithTask(
+        new Continuation<GeneratePlayIntegrityChallengeResponse, Task<IntegrityTokenResponse>>() {
           @Override
-          public Task<AppCheckToken> then(@NonNull Task<AppCheckTokenResponse> task) {
+          public Task<IntegrityTokenResponse> then(
+              @NonNull Task<GeneratePlayIntegrityChallengeResponse> task) {
             if (task.isSuccessful()) {
-              return Tasks.forResult(
-                  DefaultAppCheckToken.constructFromAppCheckTokenResponse(task.getResult()));
+              return integrityManager.requestIntegrityToken(
+                  IntegrityTokenRequest.builder()
+                      .setNonce(task.getResult().getChallenge())
+                      .build());
             }
             // TODO: Surface more error details.
             return Tasks.forException(task.getException());

appcheck/firebase-appcheck/src/main/java/com/google/firebase/appcheck/internal/NetworkClient.java

@@ -142,7 +142,7 @@ public String generatePlayIntegrityChallenge(
   }
 
   private String makeNetworkRequest(
-      URL url, @NonNull byte[] requestBytes, @NonNull RetryManager retryManager)
+      @NonNull URL url, @NonNull byte[] requestBytes, @NonNull RetryManager retryManager)
       throws FirebaseException, IOException, JSONException {
     HttpURLConnection urlConnection = createHttpUrlConnection(url);