diff options
author | Jingwen Chen <jingwen@google.com> | 2023-04-11 08:49:01 +0000 |
---|---|---|
committer | Jingwen Chen <jingwen@google.com> | 2023-04-11 14:31:24 +0000 |
commit | 15dda997aaa7c7debfad1c8d540773628812167c (patch) | |
tree | f1e83de0bb132410c35328b216d2801ce5d8e084 /rules | |
parent | b62785c37949510da0bf433f3b9f1163ded4566d (diff) | |
download | bazel-15dda997aaa7c7debfad1c8d540773628812167c.tar.gz |
Revert "Revert "Override apex manifest package, android_app_cert..."
Revert submission 2529690-revert-2522075-tzdata-test-apex-bazel-RZRVOCMHXM
Reason for revert: fix-forward.
Reverted changes: /q/submissionid:2529690-revert-2522075-tzdata-test-apex-bazel-RZRVOCMHXM
Change-Id: I7dd40639b72054784ba8164307f2abeab5620ab1
Diffstat (limited to 'rules')
-rw-r--r-- | rules/android/android_app_certificate.bzl | 73 | ||||
-rw-r--r-- | rules/apex/apex.bzl | 25 | ||||
-rw-r--r-- | rules/apex/apex_key.bzl | 48 | ||||
-rw-r--r-- | rules/apex/apex_key_test.bzl | 37 | ||||
-rw-r--r-- | rules/apex/apex_test.bzl | 85 | ||||
-rw-r--r-- | rules/apex/testdata/BUILD | 10 | ||||
-rw-r--r-- | rules/apex/testdata/another.pk8 | 0 | ||||
-rw-r--r-- | rules/apex/testdata/another.x509.pem | 0 | ||||
-rw-r--r-- | rules/apex/testdata/devkey.avbpubkey | 0 | ||||
-rw-r--r-- | rules/apex/testdata/devkey.pem | 0 |
10 files changed, 229 insertions, 49 deletions
diff --git a/rules/android/android_app_certificate.bzl b/rules/android/android_app_certificate.bzl index 8b9f2422..84ab819f 100644 --- a/rules/android/android_app_certificate.bzl +++ b/rules/android/android_app_certificate.bzl @@ -13,6 +13,7 @@ # limitations under the License. load("@bazel_skylib//lib:paths.bzl", "paths") +load("@bazel_skylib//rules:common_settings.bzl", "BuildSettingInfo") load("//build/bazel/product_config:product_variables_providing_rule.bzl", "ProductVariablesDepsInfo", "ProductVariablesInfo") AndroidAppCertificateInfo = provider( @@ -24,9 +25,59 @@ AndroidAppCertificateInfo = provider( }, ) +def _search_cert_files(cert_name, cert_files_to_search): + pk8 = None + pem = None + for file in cert_files_to_search: + if file.basename == cert_name + ".pk8": + pk8 = file + elif file.basename == cert_name + ".x509.pem": + pem = file + if not pk8 or not pem: + fail("Could not find .x509.pem and/or .pk8 file with name '%s' in the following files: %s" % (cert_name, cert_files_to_search)) + return pk8, pem + +def _maybe_override(ctx, cert_name): + if not cert_name: + fail("cert_name cannot be None") + + cert_overrides = ctx.attr._product_variables[ProductVariablesInfo].CertificateOverrides + if not cert_overrides: + return cert_name, False + + apex_name = ctx.attr._apex_name[BuildSettingInfo].value + if not apex_name: + # Only override in the apex configuration, because the apex module name is used as the key for overriding + return cert_name, False + + matches = [o for o in cert_overrides if o.split(":")[0] == apex_name] + + if not matches: + # no matches, no override. + return cert_name, False + + if len(matches) > 1: + fail("unexpected multiple certificate overrides for %s in: %s" % (apex_name, matches)) + + # e.g. test1_com.android.tzdata:com.google.android.tzdata5.certificate + new_cert_name = matches[0].split(":")[1] + return new_cert_name.removesuffix(".certificate"), True + def _android_app_certificate_rule_impl(ctx): + cert_name = ctx.attr.certificate + pk8 = ctx.file.pk8 + pem = ctx.file.pem + + # Only override if the override mapping exists, otherwise we wouldn't be + # able to find the new certs. + overridden_cert_name, overridden = _maybe_override(ctx, cert_name) + if overridden: + cert_name = overridden_cert_name + cert_files_to_search = ctx.attr._product_variables[ProductVariablesDepsInfo].OverridingCertificateFiles + pk8, pem = _search_cert_files(cert_name, cert_files_to_search) + return [ - AndroidAppCertificateInfo(pem = ctx.file.pem, pk8 = ctx.file.pk8, key_name = ctx.attr.certificate), + AndroidAppCertificateInfo(pem = pem, pk8 = pk8, key_name = cert_name), ] _android_app_certificate = rule( @@ -35,6 +86,13 @@ _android_app_certificate = rule( "pem": attr.label(mandatory = True, allow_single_file = [".pem"]), "pk8": attr.label(mandatory = True, allow_single_file = [".pk8"]), "certificate": attr.string(mandatory = True), + "_apex_name": attr.label(default = "//build/bazel/rules/apex:apex_name"), + "_product_variables": attr.label( + default = "//build/bazel/product_config:product_vars", + ), + "_hardcoded_certs": attr.label( + default = "//build/make/target/product/security:android_certificate_directory", + ), }, ) @@ -75,15 +133,10 @@ def _android_app_certificate_with_default_cert_impl(ctx): else: cert_files_to_search = ctx.files._hardcoded_certs - pk8 = None - pem = None - for file in cert_files_to_search: - if file.basename == cert_name + ".pk8": - pk8 = file - elif file.basename == cert_name + ".x509.pem": - pem = file - if not pk8 or not pem: - fail("Could not find .x509.pem and/or .pk8 file with name '%s' in package '%s'" % (cert_name, cert_dir)) + cert_name, overridden = _maybe_override(ctx, cert_name) + if overridden: + cert_files_to_search = ctx.attr._product_variables[ProductVariablesDepsInfo].OverridingCertificateFiles + pk8, pem = _search_cert_files(cert_name, cert_files_to_search) return [ AndroidAppCertificateInfo( diff --git a/rules/apex/apex.bzl b/rules/apex/apex.bzl index 3f033d91..3cd5539f 100644 --- a/rules/apex/apex.bzl +++ b/rules/apex/apex.bzl @@ -451,6 +451,10 @@ def _run_apexer(ctx, apex_toolchain): # Override the package name, if it's expicitly specified if ctx.attr.package_name: args.add_all(["--override_apk_package_name", ctx.attr.package_name]) + else: + override_package_name = _override_manifest_package_name(ctx) + if override_package_name: + args.add_all(["--override_apk_package_name", override_package_name]) if ctx.attr.logging_parent: args.add_all(["--logging_parent", ctx.attr.logging_parent]) @@ -582,6 +586,24 @@ def _run_signapk(ctx, unsigned_file, signed_file, private_key, public_key, mnemo return signed_file +# See also getOverrideManifestPackageName +# https://cs.android.com/android/platform/superproject/+/master:build/soong/apex/builder.go;l=1000;drc=241e738c7156d928e9a993b15993cb3297face45 +def _override_manifest_package_name(ctx): + apex_name = ctx.attr.name + overrides = ctx.attr._product_variables[ProductVariablesInfo].ManifestPackageNameOverrides + if not overrides: + return None + + matches = [o for o in overrides if o.split(":")[0] == apex_name] + + if not matches: + return None + + if len(matches) > 1: + fail("unexpected multiple manifest package overrides for %s, %s" % (apex_name, matches)) + + return matches[0].split(":")[1] + # https://cs.android.com/android/platform/superproject/+/master:build/soong/android/config.go;drc=5ca657189aac546af0aafaba11bbc9c5d889eab3;l=1501 # In Soong, we don't check whether the current apex is part of Unbundled_apps. # Hence, we might simplify the logic by just checking product_vars["Unbundled_build"] @@ -738,7 +760,7 @@ def _apex_rule_impl(ctx): apexer_outputs = _run_apexer(ctx, apex_toolchain) unsigned_apex = apexer_outputs.unsigned_apex - apex_cert_info = ctx.attr.certificate[AndroidAppCertificateInfo] + apex_cert_info = ctx.attr.certificate[0][AndroidAppCertificateInfo] private_key = apex_cert_info.pk8 public_key = apex_cert_info.pem @@ -842,6 +864,7 @@ file mode, and cap is hexadecimal value for the capability.""", "certificate": attr.label( providers = [AndroidAppCertificateInfo], mandatory = True, + cfg = apex_transition, ), "min_sdk_version": attr.string( default = "current", diff --git a/rules/apex/apex_key.bzl b/rules/apex/apex_key.bzl index 36723c99..45e83f01 100644 --- a/rules/apex/apex_key.bzl +++ b/rules/apex/apex_key.bzl @@ -13,8 +13,7 @@ # limitations under the License. load("@bazel_skylib//lib:paths.bzl", "paths") -load("@soong_injection//product_config:product_variables.bzl", "product_vars") -load("//build/bazel/rules/android:android_app_certificate.bzl", "default_cert_directory") +load("//build/bazel/product_config:product_variables_providing_rule.bzl", "ProductVariablesDepsInfo", "ProductVariablesInfo") ApexKeyInfo = provider( "Info needed to sign APEX bundles", @@ -28,6 +27,18 @@ def _apex_key_rule_impl(ctx): public_key = ctx.file.public_key private_key = ctx.file.private_key + # If the DefaultAppCertificate directory is specified, then look for this + # key in that directory instead, with the exact same basenames for both the + # avbpubkey and pem files. + product_var_cert = ctx.attr._product_variables[ProductVariablesInfo].DefaultAppCertificate + cert_files_to_search = ctx.attr._product_variables[ProductVariablesDepsInfo].DefaultAppCertificateFiles + if product_var_cert and cert_files_to_search: + for f in cert_files_to_search: + if f.basename == ctx.file.public_key.basename: + public_key = f + elif f.basename == ctx.file.private_key.basename: + private_key = f + public_keyname = paths.split_extension(public_key.basename)[0] private_keyname = paths.split_extension(private_key.basename)[0] if public_keyname != private_keyname: @@ -39,7 +50,10 @@ def _apex_key_rule_impl(ctx): )) return [ - ApexKeyInfo(public_key = ctx.file.public_key, private_key = ctx.file.private_key), + ApexKeyInfo( + public_key = public_key, + private_key = private_key, + ), ] _apex_key = rule( @@ -47,12 +61,13 @@ _apex_key = rule( attrs = { "private_key": attr.label(mandatory = True, allow_single_file = True), "public_key": attr.label(mandatory = True, allow_single_file = True), + "_product_variables": attr.label( + default = "//build/bazel/product_config:product_vars", + ), }, ) -# Keep consistent with the ApexKeyDir product config lookup: -# https://cs.android.com/android/platform/superproject/+/master:build/soong/android/config.go;l=831-841;drc=652335ea7c2f8f281a1b93a1e1558960b6ad1b6f -def _get_key_label(label, name, default_cert): +def _get_key_label(label, name): if label and name: fail("Cannot use both {public,private}_key_name and {public,private}_key attributes together. " + "Use only one of them.") @@ -60,11 +75,8 @@ def _get_key_label(label, name, default_cert): if label: return label - if not default_cert or paths.dirname(default_cert) == default_cert_directory: - # Use the package_name of the macro callsite of this function. - return "//" + native.package_name() + ":" + name - - return "//" + paths.dirname(default_cert) + ":" + name + # Ensure that the name references the calling package's local BUILD target + return ":" + name def apex_key( name, @@ -72,22 +84,12 @@ def apex_key( private_key = None, public_key_name = None, private_key_name = None, - - # Product var dependency injection, for testing only. - # DefaultAppCertificate is lifted into a parameter to make it testable in - # analysis tests. - _DefaultAppCertificate = product_vars.get("DefaultAppCertificate"), # path/to/some/cert **kwargs): - # Ensure that only tests can set _DefaultAppCertificate. - if native.package_name() != "build/bazel/rules/apex" and \ - _DefaultAppCertificate != product_vars.get("DefaultAppCertificate"): - fail("Only Bazel's own tests can set apex_key._DefaultAppCertificate.") - # The keys are labels that point to either a file, or a target that provides # a single file (e.g. a filegroup or rule that provides the key itself only). _apex_key( name = name, - public_key = _get_key_label(public_key, public_key_name, _DefaultAppCertificate), - private_key = _get_key_label(private_key, private_key_name, _DefaultAppCertificate), + public_key = _get_key_label(public_key, public_key_name), + private_key = _get_key_label(private_key, private_key_name), **kwargs ) diff --git a/rules/apex/apex_key_test.bzl b/rules/apex/apex_key_test.bzl index 086cee25..fdd31a1b 100644 --- a/rules/apex/apex_key_test.bzl +++ b/rules/apex/apex_key_test.bzl @@ -38,11 +38,24 @@ apex_key_test = analysistest.make( }, ) +apex_key_with_default_app_cert_test = analysistest.make( + _apex_key_test, + attrs = { + "expected_private_key_short_path": attr.string(mandatory = True), + "expected_public_key_short_path": attr.string(mandatory = True), + }, + config_settings = { + # This product sets DefaultAppCertificate to build/bazel/rules/apex/testdata/devkey, + # so we expect the apex_key to look for key_name in build/bazel/rules/apex/testdata. + "//command_line_option:platforms": "@//build/bazel/tests/products:aosp_arm64_for_testing_with_overrides_and_app_cert", + }, +) + def _test_apex_key_file_targets_with_key_name_attribute(): name = "apex_key_file_targets_with_key_name_attribute" test_name = name + "_test" - private_key = name + ".priv" - public_key = name + ".pub" + private_key = name + ".pem" + public_key = name + ".avbpubkey" apex_key( name = name, @@ -62,22 +75,16 @@ def _test_apex_key_file_targets_with_key_name_attribute(): def _test_apex_key_file_targets_with_key_name_attribute_with_default_app_cert(): name = "apex_key_file_targets_with_key_attribute_with_default_app_cert" test_name = name + "_test" - private_key = "devkey.priv" - public_key = "devkey.pub" + private_key = "devkey.pem" + public_key = "devkey.avbpubkey" apex_key( name = name, private_key_name = private_key, public_key_name = public_key, - - # Corresponds to the DefaultAppCertificate soong variable. - # This is icky, but there's no simpler/better way to - # inject a different value for a product var loaded from - # @soong_injection and accessed within a macro. - _DefaultAppCertificate = "build/bazel/rules/apex/testdata/some_cert", ) - apex_key_test( + apex_key_with_default_app_cert_test( name = test_name, target_under_test = name, expected_private_key_short_path = "build/bazel/rules/apex/testdata/" + private_key, @@ -89,8 +96,8 @@ def _test_apex_key_file_targets_with_key_name_attribute_with_default_app_cert(): def _test_apex_key_file_targets_with_key_attribute(): name = "apex_key_file_targets_with_key_attribute" test_name = name + "_test" - private_key = name + ".priv" - public_key = name + ".pub" + private_key = name + ".pem" + public_key = name + ".avbpubkey" apex_key( name = name, @@ -112,8 +119,8 @@ def _test_apex_key_file_targets_with_key_attribute(): def _test_apex_key_generated_keys(): name = "apex_key_generated_keys" test_name = name + "_test" - private_key = name + ".priv" - public_key = name + ".pub" + private_key = name + ".pem" + public_key = name + ".avbpubkey" native.genrule( name = private_key, diff --git a/rules/apex/apex_test.bzl b/rules/apex/apex_test.bzl index 4a23162d..77f9d2a3 100644 --- a/rules/apex/apex_test.bzl +++ b/rules/apex/apex_test.bzl @@ -1063,6 +1063,53 @@ def _test_default_apex_manifest_version(): return test_name +action_args_with_overrides_test = analysistest.make( + _action_args_test, + attrs = _action_args_test_attrs, + config_settings = { + "//command_line_option:platforms": "@//build/bazel/tests/products:aosp_arm64_for_testing_with_overrides_and_app_cert", + }, +) + +def _test_package_name(): + name = "package_name" + test_name = name + "_test" + + test_apex( + name = name, + package_name = "my.package.name", + ) + + action_args_test( + name = test_name, + target_under_test = name, + action_mnemonic = "Apexer", + expected_args = [ + "--override_apk_package_name", + "my.package.name", + ], + ) + + return test_name + +def _test_package_name_override_from_config(): + name = "package_name_override_from_config" + test_name = name + "_test" + + test_apex(name = name) + + action_args_with_overrides_test( + name = test_name, + target_under_test = name, + action_mnemonic = "Apexer", + expected_args = [ + "--override_apk_package_name", + "another.package", + ], + ) + + return test_name + action_args_with_override_apex_manifest_default_version_test = analysistest.make( _action_args_test, attrs = _action_args_test_attrs, @@ -1235,6 +1282,17 @@ apex_certificate_test = analysistest.make( }, ) +apex_certificate_with_overrides_test = analysistest.make( + _apex_certificate_test, + attrs = { + "expected_pem_path": attr.string(), + "expected_pk8_path": attr.string(), + }, + config_settings = { + "//command_line_option:platforms": "@//build/bazel/tests/products:aosp_arm64_for_testing_with_overrides_and_app_cert", + }, +) + def _test_apex_certificate_none(): name = "apex_certificate_none" test_name = name + "_test" @@ -1296,6 +1354,30 @@ def _test_apex_certificate_label(): return test_name +def _test_apex_certificate_label_with_overrides(): + name = "apex_certificate_label_with_overrides" + test_name = name + "_test" + + android_app_certificate( + name = name + "_cert", + certificate = name, + tags = ["manual"], + ) + + test_apex( + name = name, + certificate = name + "_cert", + ) + + apex_certificate_with_overrides_test( + name = test_name, + target_under_test = name, + expected_pem_path = "build/bazel/rules/apex/testdata/another.x509.pem", + expected_pk8_path = "build/bazel/rules/apex/testdata/another.pk8", + ) + + return test_name + def _min_sdk_version_apex_inherit_test_impl(ctx): env = analysistest.begin(ctx) target_under_test = analysistest.target_under_test(env) @@ -2606,6 +2688,8 @@ def apex_test_suite(name): _test_apex_manifest_dependencies_selfcontained(), _test_apex_manifest_dependencies_cc_binary(), _test_logging_parent_flag(), + _test_package_name(), + _test_package_name_override_from_config(), _test_generate_file_contexts(), _test_default_apex_manifest_version(), _test_override_apex_manifest_version(), @@ -2614,6 +2698,7 @@ def apex_test_suite(name): _test_apex_certificate_none(), _test_apex_certificate_name(), _test_apex_certificate_label(), + _test_apex_certificate_label_with_overrides(), _test_min_sdk_version_apex_inherit(), _test_min_sdk_version_apex_inherit_override_min_sdk_tiramisu(), _test_apex_testonly_with_manifest(), diff --git a/rules/apex/testdata/BUILD b/rules/apex/testdata/BUILD index 488d96df..88dc8ea4 100644 --- a/rules/apex/testdata/BUILD +++ b/rules/apex/testdata/BUILD @@ -4,6 +4,16 @@ exports_files([ ]) filegroup( + name = "android_certificate_directory", + srcs = glob([ + "*.pk8", + "*.pem", + "*.avbpubkey", + ]), + visibility = ["//build/bazel:__subpackages__"], +) + +filegroup( name = "dev-keystore", srcs = ["devkey.keystore"], visibility = ["//visibility:public"], diff --git a/rules/apex/testdata/another.pk8 b/rules/apex/testdata/another.pk8 new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/rules/apex/testdata/another.pk8 diff --git a/rules/apex/testdata/another.x509.pem b/rules/apex/testdata/another.x509.pem new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/rules/apex/testdata/another.x509.pem diff --git a/rules/apex/testdata/devkey.avbpubkey b/rules/apex/testdata/devkey.avbpubkey new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/rules/apex/testdata/devkey.avbpubkey diff --git a/rules/apex/testdata/devkey.pem b/rules/apex/testdata/devkey.pem new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/rules/apex/testdata/devkey.pem |