Revert "Revert "Override apex manifest package, android_app_cert..."

Revert submission 2529690-revert-2522075-tzdata-test-apex-bazel-RZRVOCMHXM

Reason for revert: fix-forward.

Reverted changes: /q/submissionid:2529690-revert-2522075-tzdata-test-apex-bazel-RZRVOCMHXM

Change-Id: I7dd40639b72054784ba8164307f2abeab5620ab1

10 files changed, 229 insertions, 49 deletions

diff --git a/rules/android/android_app_certificate.bzl b/rules/android/android_app_certificate.bzl
index 8b9f2422..84ab819f 100644
--- a/rules/android/android_app_certificate.bzl
+++ b/rules/android/android_app_certificate.bzl
@@ -13,6 +13,7 @@
 # limitations under the License.
 
 load("@bazel_skylib//lib:paths.bzl", "paths")
+load("@bazel_skylib//rules:common_settings.bzl", "BuildSettingInfo")
 load("//build/bazel/product_config:product_variables_providing_rule.bzl", "ProductVariablesDepsInfo", "ProductVariablesInfo")
 
 AndroidAppCertificateInfo = provider(
@@ -24,9 +25,59 @@ AndroidAppCertificateInfo = provider(
     },
 )
 
+def _search_cert_files(cert_name, cert_files_to_search):
+    pk8 = None
+    pem = None
+    for file in cert_files_to_search:
+        if file.basename == cert_name + ".pk8":
+            pk8 = file
+        elif file.basename == cert_name + ".x509.pem":
+            pem = file
+    if not pk8 or not pem:
+        fail("Could not find .x509.pem and/or .pk8 file with name '%s' in the following files: %s" % (cert_name, cert_files_to_search))
+    return pk8, pem
+
+def _maybe_override(ctx, cert_name):
+    if not cert_name:
+        fail("cert_name cannot be None")
+
+    cert_overrides = ctx.attr._product_variables[ProductVariablesInfo].CertificateOverrides
+    if not cert_overrides:
+        return cert_name, False
+
+    apex_name = ctx.attr._apex_name[BuildSettingInfo].value
+    if not apex_name:
+        # Only override in the apex configuration, because the apex module name is used as the key for overriding
+        return cert_name, False
+
+    matches = [o for o in cert_overrides if o.split(":")[0] == apex_name]
+
+    if not matches:
+        # no matches, no override.
+        return cert_name, False
+
+    if len(matches) > 1:
+        fail("unexpected multiple certificate overrides for %s in: %s" % (apex_name, matches))
+
+    # e.g. test1_com.android.tzdata:com.google.android.tzdata5.certificate
+    new_cert_name = matches[0].split(":")[1]
+    return new_cert_name.removesuffix(".certificate"), True
+
 def _android_app_certificate_rule_impl(ctx):
+    cert_name = ctx.attr.certificate
+    pk8 = ctx.file.pk8
+    pem = ctx.file.pem
+
+    # Only override if the override mapping exists, otherwise we wouldn't be
+    # able to find the new certs.
+    overridden_cert_name, overridden = _maybe_override(ctx, cert_name)
+    if overridden:
+        cert_name = overridden_cert_name
+        cert_files_to_search = ctx.attr._product_variables[ProductVariablesDepsInfo].OverridingCertificateFiles
+        pk8, pem = _search_cert_files(cert_name, cert_files_to_search)
+
     return [
-        AndroidAppCertificateInfo(pem = ctx.file.pem, pk8 = ctx.file.pk8, key_name = ctx.attr.certificate),
+        AndroidAppCertificateInfo(pem = pem, pk8 = pk8, key_name = cert_name),
     ]
 
 _android_app_certificate = rule(
@@ -35,6 +86,13 @@ _android_app_certificate = rule(
         "pem": attr.label(mandatory = True, allow_single_file = [".pem"]),
         "pk8": attr.label(mandatory = True, allow_single_file = [".pk8"]),
         "certificate": attr.string(mandatory = True),
+        "_apex_name": attr.label(default = "//build/bazel/rules/apex:apex_name"),
+        "_product_variables": attr.label(
+            default = "//build/bazel/product_config:product_vars",
+        ),
+        "_hardcoded_certs": attr.label(
+            default = "//build/make/target/product/security:android_certificate_directory",
+        ),
     },
 )
 
@@ -75,15 +133,10 @@ def _android_app_certificate_with_default_cert_impl(ctx):
     else:
         cert_files_to_search = ctx.files._hardcoded_certs
 
-    pk8 = None
-    pem = None
-    for file in cert_files_to_search:
-        if file.basename == cert_name + ".pk8":
-            pk8 = file
-        elif file.basename == cert_name + ".x509.pem":
-            pem = file
-    if not pk8 or not pem:
-        fail("Could not find .x509.pem and/or .pk8 file with name '%s' in package '%s'" % (cert_name, cert_dir))
+    cert_name, overridden = _maybe_override(ctx, cert_name)
+    if overridden:
+        cert_files_to_search = ctx.attr._product_variables[ProductVariablesDepsInfo].OverridingCertificateFiles
+    pk8, pem = _search_cert_files(cert_name, cert_files_to_search)
 
     return [
         AndroidAppCertificateInfo(
diff --git a/rules/apex/apex.bzl b/rules/apex/apex.bzl
index 3f033d91..3cd5539f 100644
--- a/rules/apex/apex.bzl
+++ b/rules/apex/apex.bzl
@@ -451,6 +451,10 @@ def _run_apexer(ctx, apex_toolchain):
     # Override the package name, if it's expicitly specified
     if ctx.attr.package_name:
         args.add_all(["--override_apk_package_name", ctx.attr.package_name])
+    else:
+        override_package_name = _override_manifest_package_name(ctx)
+        if override_package_name:
+            args.add_all(["--override_apk_package_name", override_package_name])
 
     if ctx.attr.logging_parent:
         args.add_all(["--logging_parent", ctx.attr.logging_parent])
@@ -582,6 +586,24 @@ def _run_signapk(ctx, unsigned_file, signed_file, private_key, public_key, mnemo
 
     return signed_file
 
+# See also getOverrideManifestPackageName
+# https://cs.android.com/android/platform/superproject/+/master:build/soong/apex/builder.go;l=1000;drc=241e738c7156d928e9a993b15993cb3297face45
+def _override_manifest_package_name(ctx):
+    apex_name = ctx.attr.name
+    overrides = ctx.attr._product_variables[ProductVariablesInfo].ManifestPackageNameOverrides
+    if not overrides:
+        return None
+
+    matches = [o for o in overrides if o.split(":")[0] == apex_name]
+
+    if not matches:
+        return None
+
+    if len(matches) > 1:
+        fail("unexpected multiple manifest package overrides for %s, %s" % (apex_name, matches))
+
+    return matches[0].split(":")[1]
+
 # https://cs.android.com/android/platform/superproject/+/master:build/soong/android/config.go;drc=5ca657189aac546af0aafaba11bbc9c5d889eab3;l=1501
 # In Soong, we don't check whether the current apex is part of Unbundled_apps.
 # Hence, we might simplify the logic by just checking product_vars["Unbundled_build"]
@@ -738,7 +760,7 @@ def _apex_rule_impl(ctx):
     apexer_outputs = _run_apexer(ctx, apex_toolchain)
     unsigned_apex = apexer_outputs.unsigned_apex
 
-    apex_cert_info = ctx.attr.certificate[AndroidAppCertificateInfo]
+    apex_cert_info = ctx.attr.certificate[0][AndroidAppCertificateInfo]
     private_key = apex_cert_info.pk8
     public_key = apex_cert_info.pem
 
@@ -842,6 +864,7 @@ file mode, and cap is hexadecimal value for the capability.""",
         "certificate": attr.label(
             providers = [AndroidAppCertificateInfo],
             mandatory = True,
+            cfg = apex_transition,
         ),
         "min_sdk_version": attr.string(
             default = "current",
diff --git a/rules/apex/apex_key.bzl b/rules/apex/apex_key.bzl
index 36723c99..45e83f01 100644
--- a/rules/apex/apex_key.bzl
+++ b/rules/apex/apex_key.bzl
@@ -13,8 +13,7 @@
 # limitations under the License.
 
 load("@bazel_skylib//lib:paths.bzl", "paths")
-load("@soong_injection//product_config:product_variables.bzl", "product_vars")
-load("//build/bazel/rules/android:android_app_certificate.bzl", "default_cert_directory")
+load("//build/bazel/product_config:product_variables_providing_rule.bzl", "ProductVariablesDepsInfo", "ProductVariablesInfo")
 
 ApexKeyInfo = provider(
     "Info needed to sign APEX bundles",
@@ -28,6 +27,18 @@ def _apex_key_rule_impl(ctx):
     public_key = ctx.file.public_key
     private_key = ctx.file.private_key
 
+    # If the DefaultAppCertificate directory is specified, then look for this
+    # key in that directory instead, with the exact same basenames for both the
+    # avbpubkey and pem files.
+    product_var_cert = ctx.attr._product_variables[ProductVariablesInfo].DefaultAppCertificate
+    cert_files_to_search = ctx.attr._product_variables[ProductVariablesDepsInfo].DefaultAppCertificateFiles
+    if product_var_cert and cert_files_to_search:
+        for f in cert_files_to_search:
+            if f.basename == ctx.file.public_key.basename:
+                public_key = f
+            elif f.basename == ctx.file.private_key.basename:
+                private_key = f
+
     public_keyname = paths.split_extension(public_key.basename)[0]
     private_keyname = paths.split_extension(private_key.basename)[0]
     if public_keyname != private_keyname:
@@ -39,7 +50,10 @@ def _apex_key_rule_impl(ctx):
         ))
 
     return [
-        ApexKeyInfo(public_key = ctx.file.public_key, private_key = ctx.file.private_key),
+        ApexKeyInfo(
+            public_key = public_key,
+            private_key = private_key,
+        ),
     ]
 
 _apex_key = rule(
@@ -47,12 +61,13 @@ _apex_key = rule(
     attrs = {
         "private_key": attr.label(mandatory = True, allow_single_file = True),
         "public_key": attr.label(mandatory = True, allow_single_file = True),
+        "_product_variables": attr.label(
+            default = "//build/bazel/product_config:product_vars",
+        ),
     },
 )
 
-# Keep consistent with the ApexKeyDir product config lookup:
-# https://cs.android.com/android/platform/superproject/+/master:build/soong/android/config.go;l=831-841;drc=652335ea7c2f8f281a1b93a1e1558960b6ad1b6f
-def _get_key_label(label, name, default_cert):
+def _get_key_label(label, name):
     if label and name:
         fail("Cannot use both {public,private}_key_name and {public,private}_key attributes together. " +
              "Use only one of them.")
@@ -60,11 +75,8 @@ def _get_key_label(label, name, default_cert):
     if label:
         return label
 
-    if not default_cert or paths.dirname(default_cert) == default_cert_directory:
-        # Use the package_name of the macro callsite of this function.
-        return "//" + native.package_name() + ":" + name
-
-    return "//" + paths.dirname(default_cert) + ":" + name
+    # Ensure that the name references the calling package's local BUILD target
+    return ":" + name
 
 def apex_key(
         name,
@@ -72,22 +84,12 @@ def apex_key(
         private_key = None,
         public_key_name = None,
         private_key_name = None,
-
-        # Product var dependency injection, for testing only.
-        # DefaultAppCertificate is lifted into a parameter to make it testable in
-        # analysis tests.
-        _DefaultAppCertificate = product_vars.get("DefaultAppCertificate"),  # path/to/some/cert
         **kwargs):
-    # Ensure that only tests can set _DefaultAppCertificate.
-    if native.package_name() != "build/bazel/rules/apex" and \
-       _DefaultAppCertificate != product_vars.get("DefaultAppCertificate"):
-        fail("Only Bazel's own tests can set apex_key._DefaultAppCertificate.")
-
     # The keys are labels that point to either a file, or a target that provides
     # a single file (e.g. a filegroup or rule that provides the key itself only).
     _apex_key(
         name = name,
-        public_key = _get_key_label(public_key, public_key_name, _DefaultAppCertificate),
-        private_key = _get_key_label(private_key, private_key_name, _DefaultAppCertificate),
+        public_key = _get_key_label(public_key, public_key_name),
+        private_key = _get_key_label(private_key, private_key_name),
         **kwargs
     )
diff --git a/rules/apex/apex_key_test.bzl b/rules/apex/apex_key_test.bzl
index 086cee25..fdd31a1b 100644
--- a/rules/apex/apex_key_test.bzl
+++ b/rules/apex/apex_key_test.bzl
@@ -38,11 +38,24 @@ apex_key_test = analysistest.make(
     },
 )
 
+apex_key_with_default_app_cert_test = analysistest.make(
+    _apex_key_test,
+    attrs = {
+        "expected_private_key_short_path": attr.string(mandatory = True),
+        "expected_public_key_short_path": attr.string(mandatory = True),
+    },
+    config_settings = {
+        # This product sets DefaultAppCertificate to build/bazel/rules/apex/testdata/devkey,
+        # so we expect the apex_key to look for key_name in build/bazel/rules/apex/testdata.
+        "//command_line_option:platforms": "@//build/bazel/tests/products:aosp_arm64_for_testing_with_overrides_and_app_cert",
+    },
+)
+
 def _test_apex_key_file_targets_with_key_name_attribute():
     name = "apex_key_file_targets_with_key_name_attribute"
     test_name = name + "_test"
-    private_key = name + ".priv"
-    public_key = name + ".pub"
+    private_key = name + ".pem"
+    public_key = name + ".avbpubkey"
 
     apex_key(
         name = name,
@@ -62,22 +75,16 @@ def _test_apex_key_file_targets_with_key_name_attribute():
 def _test_apex_key_file_targets_with_key_name_attribute_with_default_app_cert():
     name = "apex_key_file_targets_with_key_attribute_with_default_app_cert"
     test_name = name + "_test"
-    private_key = "devkey.priv"
-    public_key = "devkey.pub"
+    private_key = "devkey.pem"
+    public_key = "devkey.avbpubkey"
 
     apex_key(
         name = name,
         private_key_name = private_key,
         public_key_name = public_key,
-
-        # Corresponds to the DefaultAppCertificate soong variable.
-        # This is icky, but there's no simpler/better way to
-        # inject a different value for a product var loaded from
-        # @soong_injection and accessed within a macro.
-        _DefaultAppCertificate = "build/bazel/rules/apex/testdata/some_cert",
     )
 
-    apex_key_test(
+    apex_key_with_default_app_cert_test(
         name = test_name,
         target_under_test = name,
         expected_private_key_short_path = "build/bazel/rules/apex/testdata/" + private_key,
@@ -89,8 +96,8 @@ def _test_apex_key_file_targets_with_key_name_attribute_with_default_app_cert():
 def _test_apex_key_file_targets_with_key_attribute():
     name = "apex_key_file_targets_with_key_attribute"
     test_name = name + "_test"
-    private_key = name + ".priv"
-    public_key = name + ".pub"
+    private_key = name + ".pem"
+    public_key = name + ".avbpubkey"
 
     apex_key(
         name = name,
@@ -112,8 +119,8 @@ def _test_apex_key_file_targets_with_key_attribute():
 def _test_apex_key_generated_keys():
     name = "apex_key_generated_keys"
     test_name = name + "_test"
-    private_key = name + ".priv"
-    public_key = name + ".pub"
+    private_key = name + ".pem"
+    public_key = name + ".avbpubkey"
 
     native.genrule(
         name = private_key,
diff --git a/rules/apex/apex_test.bzl b/rules/apex/apex_test.bzl
index 4a23162d..77f9d2a3 100644
--- a/rules/apex/apex_test.bzl
+++ b/rules/apex/apex_test.bzl
@@ -1063,6 +1063,53 @@ def _test_default_apex_manifest_version():
 
     return test_name
 
+action_args_with_overrides_test = analysistest.make(
+    _action_args_test,
+    attrs = _action_args_test_attrs,
+    config_settings = {
+        "//command_line_option:platforms": "@//build/bazel/tests/products:aosp_arm64_for_testing_with_overrides_and_app_cert",
+    },
+)
+
+def _test_package_name():
+    name = "package_name"
+    test_name = name + "_test"
+
+    test_apex(
+        name = name,
+        package_name = "my.package.name",
+    )
+
+    action_args_test(
+        name = test_name,
+        target_under_test = name,
+        action_mnemonic = "Apexer",
+        expected_args = [
+            "--override_apk_package_name",
+            "my.package.name",
+        ],
+    )
+
+    return test_name
+
+def _test_package_name_override_from_config():
+    name = "package_name_override_from_config"
+    test_name = name + "_test"
+
+    test_apex(name = name)
+
+    action_args_with_overrides_test(
+        name = test_name,
+        target_under_test = name,
+        action_mnemonic = "Apexer",
+        expected_args = [
+            "--override_apk_package_name",
+            "another.package",
+        ],
+    )
+
+    return test_name
+
 action_args_with_override_apex_manifest_default_version_test = analysistest.make(
     _action_args_test,
     attrs = _action_args_test_attrs,
@@ -1235,6 +1282,17 @@ apex_certificate_test = analysistest.make(
     },
 )
 
+apex_certificate_with_overrides_test = analysistest.make(
+    _apex_certificate_test,
+    attrs = {
+        "expected_pem_path": attr.string(),
+        "expected_pk8_path": attr.string(),
+    },
+    config_settings = {
+        "//command_line_option:platforms": "@//build/bazel/tests/products:aosp_arm64_for_testing_with_overrides_and_app_cert",
+    },
+)
+
 def _test_apex_certificate_none():
     name = "apex_certificate_none"
     test_name = name + "_test"
@@ -1296,6 +1354,30 @@ def _test_apex_certificate_label():
 
     return test_name
 
+def _test_apex_certificate_label_with_overrides():
+    name = "apex_certificate_label_with_overrides"
+    test_name = name + "_test"
+
+    android_app_certificate(
+        name = name + "_cert",
+        certificate = name,
+        tags = ["manual"],
+    )
+
+    test_apex(
+        name = name,
+        certificate = name + "_cert",
+    )
+
+    apex_certificate_with_overrides_test(
+        name = test_name,
+        target_under_test = name,
+        expected_pem_path = "build/bazel/rules/apex/testdata/another.x509.pem",
+        expected_pk8_path = "build/bazel/rules/apex/testdata/another.pk8",
+    )
+
+    return test_name
+
 def _min_sdk_version_apex_inherit_test_impl(ctx):
     env = analysistest.begin(ctx)
     target_under_test = analysistest.target_under_test(env)
@@ -2606,6 +2688,8 @@ def apex_test_suite(name):
             _test_apex_manifest_dependencies_selfcontained(),
             _test_apex_manifest_dependencies_cc_binary(),
             _test_logging_parent_flag(),
+            _test_package_name(),
+            _test_package_name_override_from_config(),
             _test_generate_file_contexts(),
             _test_default_apex_manifest_version(),
             _test_override_apex_manifest_version(),
@@ -2614,6 +2698,7 @@ def apex_test_suite(name):
             _test_apex_certificate_none(),
             _test_apex_certificate_name(),
             _test_apex_certificate_label(),
+            _test_apex_certificate_label_with_overrides(),
             _test_min_sdk_version_apex_inherit(),
             _test_min_sdk_version_apex_inherit_override_min_sdk_tiramisu(),
             _test_apex_testonly_with_manifest(),
diff --git a/rules/apex/testdata/BUILD b/rules/apex/testdata/BUILD
index 488d96df..88dc8ea4 100644
--- a/rules/apex/testdata/BUILD
+++ b/rules/apex/testdata/BUILD
@@ -4,6 +4,16 @@ exports_files([
 ])
 
 filegroup(
+    name = "android_certificate_directory",
+    srcs = glob([
+        "*.pk8",
+        "*.pem",
+        "*.avbpubkey",
+    ]),
+    visibility = ["//build/bazel:__subpackages__"],
+)
+
+filegroup(
     name = "dev-keystore",
     srcs = ["devkey.keystore"],
     visibility = ["//visibility:public"],
diff --git a/rules/apex/testdata/another.pk8 b/rules/apex/testdata/another.pk8
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/rules/apex/testdata/another.pk8
diff --git a/rules/apex/testdata/another.x509.pem b/rules/apex/testdata/another.x509.pem
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/rules/apex/testdata/another.x509.pem
diff --git a/rules/apex/testdata/devkey.avbpubkey b/rules/apex/testdata/devkey.avbpubkey
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/rules/apex/testdata/devkey.avbpubkey
diff --git a/rules/apex/testdata/devkey.pem b/rules/apex/testdata/devkey.pem
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/rules/apex/testdata/devkey.pem