Add Play Integrity support to App Check (#3658)

* Initial App Check <> Play Integrity commit (#3607)

* Initial commit of App Check Play Integrity files.

* Added skeleton code for PlayIntegrityAppCheckProviderFactory and PlayIntegrityAppCheckProvider.

* Set version in gradle.properties to 16.0.0-beta01 for now.

* Updated wrong gradle.properties file in last commit.

* Implement Play Integrity token exchange. (#3613)

* Implement Play Integrity exchange.

* Update and add unit tests.

* Add @nonnull annotation.

* Implement Play Integrity attestation flow. (#3618)

* Add method to call the `GeneratePlayIntegrityChallenge` endpoint to `NetworkClient`.

* Implement Play Integrity attestation flow.

* Add project number to IntegrityTokenRequest.

* Fix `PlayIntegrityAppCheckProviderTest`s.

* Add unit tests.

* Address review comments.

* Update test app. (#3655)

* Update version in `gradle.properties`.

* Fix tests broken after merge.

* Address review comments.

* Address review comment.

Author: rosalyntan

appcheck/firebase-appcheck-playintegrity/firebase-appcheck-playintegrity.gradle

@@ -0,0 +1,56 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+plugins {
+    id 'firebase-library'
+}
+
+firebaseLibrary {
+    publishSources = true
+}
+
+android {
+    adbOptions {
+        timeOutInMs 60 * 1000
+    }
+
+    compileSdkVersion project.targetSdkVersion
+    defaultConfig {
+        targetSdkVersion project.targetSdkVersion
+        minSdkVersion project.minSdkVersion
+        versionName version
+        testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
+    }
+    compileOptions {
+        sourceCompatibility JavaVersion.VERSION_1_8
+        targetCompatibility JavaVersion.VERSION_1_8
+    }
+
+    testOptions.unitTests.includeAndroidResources = false
+}
+
+dependencies {
+    implementation project(':firebase-common')
+    implementation project(':firebase-components')
+    implementation project(':appcheck:firebase-appcheck')
+    implementation 'com.google.android.gms:play-services-base:18.0.1'
+    implementation 'com.google.android.gms:play-services-tasks:18.0.1'
+    implementation 'com.google.android.play:integrity:1.0.1'
+
+    testImplementation 'junit:junit:4.13.2'
+    testImplementation 'org.mockito:mockito-core:3.4.6'
+    testImplementation "com.google.truth:truth:$googleTruthVersion"
+    testImplementation "org.robolectric:robolectric:$robolectricVersion"
+    testImplementation 'androidx.test:core:1.4.0'
+}

appcheck/firebase-appcheck-playintegrity/gradle.properties

@@ -0,0 +1 @@
+version=16.0.0

appcheck/firebase-appcheck-playintegrity/src/main/AndroidManifest.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2022 Google LLC -->
+<!-- -->
+<!-- Licensed under the Apache License, Version 2.0 (the "License"); -->
+<!-- you may not use this file except in compliance with the License. -->
+<!-- You may obtain a copy of the License at -->
+<!-- -->
+<!--      http://www.apache.org/licenses/LICENSE-2.0 -->
+<!-- -->
+<!-- Unless required by applicable law or agreed to in writing, software -->
+<!-- distributed under the License is distributed on an "AS IS" BASIS, -->
+<!-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -->
+<!-- See the License for the specific language governing permissions and -->
+<!-- limitations under the License. -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.google.firebase.appcheck.playintegrity">
+  <!--Although the *SdkVersion is captured in gradle build files, this is required for non gradle builds-->
+  <!--<uses-sdk android:minSdkVersion="16"/>-->
+</manifest>

appcheck/firebase-appcheck-playintegrity/src/main/java/com/google/firebase/appcheck/playintegrity/PlayIntegrityAppCheckProviderFactory.java

@@ -0,0 +1,46 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.firebase.appcheck.playintegrity;
+
+import androidx.annotation.NonNull;
+import com.google.firebase.FirebaseApp;
+import com.google.firebase.appcheck.AppCheckProvider;
+import com.google.firebase.appcheck.AppCheckProviderFactory;
+import com.google.firebase.appcheck.playintegrity.internal.PlayIntegrityAppCheckProvider;
+
+/**
+ * Implementation of an {@link AppCheckProviderFactory} that builds {@link
+ * PlayIntegrityAppCheckProvider}s. This is the default implementation.
+ */
+public class PlayIntegrityAppCheckProviderFactory implements AppCheckProviderFactory {
+
+  private static final PlayIntegrityAppCheckProviderFactory instance =
+      new PlayIntegrityAppCheckProviderFactory();
+
+  /**
+   * Gets an instance of this class for installation into a {@link
+   * com.google.firebase.appcheck.FirebaseAppCheck} instance.
+   */
+  @NonNull
+  public static PlayIntegrityAppCheckProviderFactory getInstance() {
+    return instance;
+  }
+
+  @NonNull
+  @Override
+  public AppCheckProvider create(@NonNull FirebaseApp firebaseApp) {
+    return new PlayIntegrityAppCheckProvider(firebaseApp);
+  }
+}

appcheck/firebase-appcheck-playintegrity/src/main/java/com/google/firebase/appcheck/playintegrity/internal/ExchangePlayIntegrityTokenRequest.java

@@ -0,0 +1,43 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.firebase.appcheck.playintegrity.internal;
+
+import androidx.annotation.NonNull;
+import androidx.annotation.VisibleForTesting;
+import org.json.JSONException;
+import org.json.JSONObject;
+
+/**
+ * Client-side model of the ExchangePlayIntegrityTokenRequest payload from the Firebase App Check
+ * Token Exchange API.
+ */
+class ExchangePlayIntegrityTokenRequest {
+
+  @VisibleForTesting static final String PLAY_INTEGRITY_TOKEN_KEY = "playIntegrityToken";
+
+  private final String playIntegrityToken;
+
+  public ExchangePlayIntegrityTokenRequest(@NonNull String playIntegrityToken) {
+    this.playIntegrityToken = playIntegrityToken;
+  }
+
+  @NonNull
+  public String toJsonString() throws JSONException {
+    JSONObject jsonObject = new JSONObject();
+    jsonObject.put(PLAY_INTEGRITY_TOKEN_KEY, playIntegrityToken);
+
+    return jsonObject.toString();
+  }
+}

appcheck/firebase-appcheck-playintegrity/src/main/java/com/google/firebase/appcheck/playintegrity/internal/GeneratePlayIntegrityChallengeRequest.java

@@ -0,0 +1,35 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.firebase.appcheck.playintegrity.internal;
+
+import androidx.annotation.NonNull;
+import org.json.JSONObject;
+
+/**
+ * Client-side model of the GeneratePlayIntegrityChallengeRequest payload from the Firebase App
+ * Check Token Exchange API.
+ */
+class GeneratePlayIntegrityChallengeRequest {
+
+  public GeneratePlayIntegrityChallengeRequest() {}
+
+  @NonNull
+  public String toJsonString() {
+    JSONObject jsonObject = new JSONObject();
+
+    // GeneratePlayIntegrityChallenge takes an empty POST body since the app ID is in the URL.
+    return jsonObject.toString();
+  }
+}

appcheck/firebase-appcheck-playintegrity/src/main/java/com/google/firebase/appcheck/playintegrity/internal/GeneratePlayIntegrityChallengeResponse.java

@@ -0,0 +1,67 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.firebase.appcheck.playintegrity.internal;
+
+import static com.google.android.gms.common.internal.Preconditions.checkNotNull;
+import static com.google.android.gms.common.util.Strings.emptyToNull;
+
+import androidx.annotation.NonNull;
+import androidx.annotation.VisibleForTesting;
+import com.google.firebase.FirebaseException;
+import org.json.JSONException;
+import org.json.JSONObject;
+
+/**
+ * Client-side model of the GeneratePlayIntegrityChallengeResponse payload from the Firebase App
+ * Check Token Exchange API.
+ */
+class GeneratePlayIntegrityChallengeResponse {
+
+  @VisibleForTesting static final String CHALLENGE_KEY = "challenge";
+  @VisibleForTesting static final String TIME_TO_LIVE_KEY = "ttl";
+
+  private String challenge;
+  private String timeToLive;
+
+  @NonNull
+  public static GeneratePlayIntegrityChallengeResponse fromJsonString(@NonNull String jsonString)
+      throws FirebaseException, JSONException {
+    JSONObject jsonObject = new JSONObject(jsonString);
+    String challenge = emptyToNull(jsonObject.optString(CHALLENGE_KEY));
+    String timeToLive = emptyToNull(jsonObject.optString(TIME_TO_LIVE_KEY));
+    if (challenge == null || timeToLive == null) {
+      throw new FirebaseException("Unexpected server response.");
+    }
+    return new GeneratePlayIntegrityChallengeResponse(challenge, timeToLive);
+  }
+
+  private GeneratePlayIntegrityChallengeResponse(
+      @NonNull String challenge, @NonNull String timeToLive) {
+    checkNotNull(challenge);
+    checkNotNull(timeToLive);
+    this.challenge = challenge;
+    this.timeToLive = timeToLive;
+  }
+
+  @NonNull
+  public String getChallenge() {
+    return challenge;
+  }
+
+  @NonNull
+  public String getTimeToLive() {
+    return timeToLive;
+  }
+}

appcheck/firebase-appcheck-playintegrity/src/main/java/com/google/firebase/appcheck/playintegrity/internal/PlayIntegrityAppCheckProvider.java

@@ -0,0 +1,110 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.firebase.appcheck.playintegrity.internal;
+
+import androidx.annotation.NonNull;
+import androidx.annotation.VisibleForTesting;
+import com.google.android.gms.tasks.Task;
+import com.google.android.gms.tasks.Tasks;
+import com.google.android.play.core.integrity.IntegrityManager;
+import com.google.android.play.core.integrity.IntegrityManagerFactory;
+import com.google.android.play.core.integrity.IntegrityTokenRequest;
+import com.google.android.play.core.integrity.IntegrityTokenResponse;
+import com.google.firebase.FirebaseApp;
+import com.google.firebase.appcheck.AppCheckProvider;
+import com.google.firebase.appcheck.AppCheckToken;
+import com.google.firebase.appcheck.internal.DefaultAppCheckToken;
+import com.google.firebase.appcheck.internal.NetworkClient;
+import com.google.firebase.appcheck.internal.RetryManager;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+
+public class PlayIntegrityAppCheckProvider implements AppCheckProvider {
+
+  private static final String UTF_8 = "UTF-8";
+
+  private final String projectNumber;
+  private final IntegrityManager integrityManager;
+  private final NetworkClient networkClient;
+  private final ExecutorService backgroundExecutor;
+  private final RetryManager retryManager;
+
+  public PlayIntegrityAppCheckProvider(@NonNull FirebaseApp firebaseApp) {
+    this(
+        firebaseApp.getOptions().getGcmSenderId(),
+        IntegrityManagerFactory.create(firebaseApp.getApplicationContext()),
+        new NetworkClient(firebaseApp),
+        Executors.newCachedThreadPool(),
+        new RetryManager());
+  }
+
+  @VisibleForTesting
+  PlayIntegrityAppCheckProvider(
+      @NonNull String projectNumber,
+      @NonNull IntegrityManager integrityManager,
+      @NonNull NetworkClient networkClient,
+      @NonNull ExecutorService backgroundExecutor,
+      @NonNull RetryManager retryManager) {
+    this.projectNumber = projectNumber;
+    this.integrityManager = integrityManager;
+    this.networkClient = networkClient;
+    this.backgroundExecutor = backgroundExecutor;
+    this.retryManager = retryManager;
+  }
+
+  @NonNull
+  @Override
+  public Task<AppCheckToken> getToken() {
+    return getPlayIntegrityAttestation()
+        .onSuccessTask(
+            integrityTokenResponse -> {
+              ExchangePlayIntegrityTokenRequest request =
+                  new ExchangePlayIntegrityTokenRequest(integrityTokenResponse.token());
+              return Tasks.call(
+                  backgroundExecutor,
+                  () ->
+                      networkClient.exchangeAttestationForAppCheckToken(
+                          request.toJsonString().getBytes(UTF_8),
+                          NetworkClient.PLAY_INTEGRITY,
+                          retryManager));
+            })
+        .onSuccessTask(
+            appCheckTokenResponse -> {
+              return Tasks.forResult(
+                  DefaultAppCheckToken.constructFromAppCheckTokenResponse(appCheckTokenResponse));
+            });
+  }
+
+  @NonNull
+  private Task<IntegrityTokenResponse> getPlayIntegrityAttestation() {
+    GeneratePlayIntegrityChallengeRequest generateChallengeRequest =
+        new GeneratePlayIntegrityChallengeRequest();
+    Task<GeneratePlayIntegrityChallengeResponse> generateChallengeTask =
+        Tasks.call(
+            backgroundExecutor,
+            () ->
+                GeneratePlayIntegrityChallengeResponse.fromJsonString(
+                    networkClient.generatePlayIntegrityChallenge(
+                        generateChallengeRequest.toJsonString().getBytes(UTF_8), retryManager)));
+    return generateChallengeTask.onSuccessTask(
+        generatePlayIntegrityChallengeResponse -> {
+          return integrityManager.requestIntegrityToken(
+              IntegrityTokenRequest.builder()
+                  .setCloudProjectNumber(Long.parseLong(projectNumber))
+                  .setNonce(generatePlayIntegrityChallengeResponse.getChallenge())
+                  .build());
+        });
+  }
+}