Merge branch 'master' into davidmotson.release_job_fix

Author: rlazo

.github/workflows/semver-check.yml

@@ -0,0 +1,17 @@
+name: Semver Check
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - 'releases/**'
+
+jobs:
+  build-artifacts:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Perform gradle build
+        run: |
+          ./gradlew semverCheckForRelease -PpublishConfigFilePath=release.cfg -PpublishMode=RELEASE

.github/workflows/sessions-e2e.yml

@@ -1,7 +1,9 @@
 name: Firebase Sessions E2E Tests
 
 on:
-  workflow_dispatch: # allow triggering the workflow manually
+  schedule:
+    - cron: 24 */4 * * *  # every 4 hours at 24 minutes past the hour
+  workflow_dispatch:     # allow triggering the workflow manually
 
 concurrency:
   group: ${{ github.workflow }}
@@ -10,29 +12,33 @@ env:
   SESSIONS_E2E_GOOGLE_SERVICES: ${{ secrets.SESSIONS_E2E_GOOGLE_SERVICES }}
 
 jobs:
-  build:
+  test:
 
     runs-on: ubuntu-latest
 
     steps:
-    - name: Checkout firebase-sessions
-      uses: actions/checkout@v3
-      with:
-        ref: 'firebase-sessions'
-
-    - name: set up JDK 11
-      uses: actions/setup-java@v3
-      with:
-        java-version: '11'
-        distribution: 'temurin'
-        cache: gradle
-
-    - name: Add google-services.json
-      run: |
-        echo $SESSIONS_E2E_GOOGLE_SERVICES | base64 -d > google-services.json
-
-    - name: Grant execute permission for gradlew
-      run: chmod +x gradlew
-
-    - name: Run sessions end-to-end tests
-      run: ./gradlew firebase-sessions:deviceCheck withErrorProne -PtargetBackend="prod"
+      - name: Checkout firebase-sessions
+        uses: actions/checkout@v3
+        with:
+          ref: 'firebase-sessions'
+
+      - name: set up JDK 11
+        uses: actions/setup-java@v3
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+          cache: gradle
+
+      - name: Add google-services.json
+        run: |
+          echo $SESSIONS_E2E_GOOGLE_SERVICES | base64 -d > google-services.json
+
+      - uses: google-github-actions/auth@v0
+        with:
+          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+      - uses: google-github-actions/setup-gcloud@v0
+      - name: Run sessions end-to-end tests
+        env:
+          FTL_RESULTS_BUCKET: fireescape
+        run: |
+          ./gradlew :firebase-sessions:test-app:deviceCheck withErrorProne -PtargetBackend="prod"

appcheck/firebase-appcheck/CHANGELOG.md

@@ -1,4 +1,6 @@
 # Unreleased
+* [feature] Added `getLimtedUseAppCheckToken()` for obtaining limited-use tokens
+  for protecting non-Firebase backends.
 
 # 16.1.2
 * [unchanged] Updated to keep [app_check] SDK versions aligned.

appcheck/firebase-appcheck/api.txt

@@ -21,6 +21,7 @@ package com.google.firebase.appcheck {
     method @NonNull public abstract com.google.android.gms.tasks.Task<com.google.firebase.appcheck.AppCheckToken> getAppCheckToken(boolean);
     method @NonNull public static com.google.firebase.appcheck.FirebaseAppCheck getInstance();
     method @NonNull public static com.google.firebase.appcheck.FirebaseAppCheck getInstance(@NonNull com.google.firebase.FirebaseApp);
+    method @NonNull public abstract com.google.android.gms.tasks.Task<com.google.firebase.appcheck.AppCheckToken> getLimitedUseAppCheckToken();
     method public abstract void installAppCheckProviderFactory(@NonNull com.google.firebase.appcheck.AppCheckProviderFactory);
     method public abstract void installAppCheckProviderFactory(@NonNull com.google.firebase.appcheck.AppCheckProviderFactory, boolean);
     method public abstract void removeAppCheckListener(@NonNull com.google.firebase.appcheck.FirebaseAppCheck.AppCheckListener);

appcheck/firebase-appcheck/src/main/java/com/google/firebase/appcheck/FirebaseAppCheck.java

@@ -75,10 +75,29 @@ public abstract void installAppCheckProviderFactory(
    * Requests a Firebase App Check token. This method should be used ONLY if you need to authorize
    * requests to a non-Firebase backend. Requests to Firebase backends are authorized automatically
    * if configured.
+   *
+   * <p>If your non-Firebase backend exposes sensitive or expensive endpoints that has low traffic
+   * volume, consider protecting it with <a
+   * href=https://firebase.google.com/docs/app-check/custom-resource-backend#replay-protection>Replay
+   * Protection</a>. In this case, use the #getLimitedUseAppCheckToken() instead to obtain a
+   * limited-use token.
    */
   @NonNull
   public abstract Task<AppCheckToken> getAppCheckToken(boolean forceRefresh);
 
+  /**
+   * Requests a Firebase App Check token. This method should be used ONLY if you need to authorize
+   * requests to a non-Firebase backend.
+   *
+   * <p>Returns limited-use tokens that are intended for use with your non-Firebase backend
+   * endpoints that are protected with <a
+   * href=https://firebase.google.com/docs/app-check/custom-resource-backend#replay-protection>Replay
+   * Protection</a>. This method does not affect the token generation behavior of the
+   * #getAppCheckToken() method.
+   */
+  @NonNull
+  public abstract Task<AppCheckToken> getLimitedUseAppCheckToken();
+
   /**
    * Registers an {@link AppCheckListener} to changes in the token state. This method should be used
    * ONLY if you need to authorize requests to a non-Firebase backend. Requests to Firebase backends

appcheck/firebase-appcheck/src/main/java/com/google/firebase/appcheck/internal/DefaultFirebaseAppCheck.java

@@ -229,6 +229,19 @@ public Task<AppCheckToken> getAppCheckToken(boolean forceRefresh) {
         });
   }
 
+  @NonNull
+  @Override
+  public Task<AppCheckToken> getLimitedUseAppCheckToken() {
+    if (appCheckProvider == null) {
+      return Tasks.forException(new FirebaseException("No AppCheckProvider installed."));
+    }
+
+    // We explicitly do not call the fetchTokenFromProvider helper method, as that method includes
+    // side effects such as notifying listeners, updating the cached token, and scheduling token
+    // refresh.
+    return appCheckProvider.getToken();
+  }
+
   /** Fetches an {@link AppCheckToken} via the installed {@link AppCheckProvider}. */
   Task<AppCheckToken> fetchTokenFromProvider() {
     return appCheckProvider

appcheck/firebase-appcheck/src/test/java/com/google/firebase/appcheck/internal/DefaultFirebaseAppCheckTest.java

@@ -228,6 +228,13 @@ public void testGetAppCheckToken_noFactoryInstalled_taskFails() throws Exception
     assertThat(tokenTask.isSuccessful()).isFalse();
   }
 
+  @Test
+  public void testGetLimitedUseAppCheckToken_noFactoryInstalled_taskFails() throws Exception {
+    Task<AppCheckToken> tokenTask = defaultFirebaseAppCheck.getLimitedUseAppCheckToken();
+    assertThat(tokenTask.isComplete()).isTrue();
+    assertThat(tokenTask.isSuccessful()).isFalse();
+  }
+
   @Test
   public void testGetToken_factoryInstalled_proxiesToAppCheckFactory() {
     defaultFirebaseAppCheck.installAppCheckProviderFactory(mockAppCheckProviderFactory);
@@ -396,4 +403,23 @@ public void testGetAppCheckToken_existingInvalidToken_requestsNewToken() {
 
     verify(mockAppCheckProvider).getToken();
   }
+
+  @Test
+  public void testGetLimitedUseAppCheckToken_noExistingToken_requestsNewToken() {
+    defaultFirebaseAppCheck.installAppCheckProviderFactory(mockAppCheckProviderFactory);
+
+    defaultFirebaseAppCheck.getLimitedUseAppCheckToken();
+
+    verify(mockAppCheckProvider).getToken();
+  }
+
+  @Test
+  public void testGetLimitedUseAppCheckToken_existingToken_requestsNewToken() {
+    defaultFirebaseAppCheck.setCachedToken(validDefaultAppCheckToken);
+    defaultFirebaseAppCheck.installAppCheckProviderFactory(mockAppCheckProviderFactory);
+
+    defaultFirebaseAppCheck.getLimitedUseAppCheckToken();
+
+    verify(mockAppCheckProvider).getToken();
+  }
 }

appcheck/firebase-appcheck/test-app/src/main/java/com/googletest/firebase/appcheck/MainActivity.java

@@ -47,6 +47,7 @@ public class MainActivity extends AppCompatActivity {
   private Button installSafetyNetButton;
   private Button installDebugButton;
   private Button getAppCheckTokenButton;
+  private Button getLimitedUseTokenButton;
   private Button listStorageFilesButton;
 
   @Override
@@ -74,7 +75,7 @@ private void initFirebase() {
         new AppCheckListener() {
           @Override
           public void onAppCheckTokenChanged(@NonNull AppCheckToken token) {
-            Log.d(TAG, "onAppCheckTokenChanged");
+            Log.d(TAG, "onAppCheckTokenChanged: " + token.getToken());
           }
         };
 
@@ -86,6 +87,7 @@ private void initViews() {
     installSafetyNetButton = findViewById(R.id.install_safety_net_app_check_button);
     installDebugButton = findViewById(R.id.install_debug_app_check_button);
     getAppCheckTokenButton = findViewById(R.id.exchange_app_check_button);
+    getLimitedUseTokenButton = findViewById(R.id.limited_use_app_check_button);
     listStorageFilesButton = findViewById(R.id.storage_list_files_button);
 
     setOnClickListeners();
@@ -134,20 +136,55 @@ public void onClick(View v) {
                 new OnSuccessListener<AppCheckToken>() {
                   @Override
                   public void onSuccess(AppCheckToken appCheckToken) {
-                    Log.d(TAG, "Successfully retrieved AppCheck token.");
-                    showToast("Successfully retrieved AppCheck token.");
+                    // Note: Logging App Check tokens is bad practice and should NEVER be done in a
+                    // production application. We log the token here in our unpublished test
+                    // application for easier debugging.
+                    Log.d(
+                        TAG, "Successfully retrieved App Check token: " + appCheckToken.getToken());
+                    showToast("Successfully retrieved App Check token.");
                   }
                 });
             task.addOnFailureListener(
                 new OnFailureListener() {
                   @Override
                   public void onFailure(@NonNull Exception e) {
-                    Log.d(TAG, "AppCheck token exchange failed with error: " + e.getMessage());
-                    showToast("AppCheck token exchange failed.");
+                    Log.d(TAG, "App Check token exchange failed with error: " + e.getMessage());
+                    showToast("App Check token exchange failed.");
                   }
                 });
           }
         });
+
+    getLimitedUseTokenButton.setOnClickListener(
+        new OnClickListener() {
+          @Override
+          public void onClick(View v) {
+            Task<AppCheckToken> task = firebaseAppCheck.getLimitedUseAppCheckToken();
+            task.addOnSuccessListener(
+                new OnSuccessListener<AppCheckToken>() {
+                  @Override
+                  public void onSuccess(AppCheckToken appCheckToken) {
+                    // Note: Logging App Check tokens is bad practice and should NEVER be done in a
+                    // production application. We log the token here in our unpublished test
+                    // application for easier debugging.
+                    Log.d(
+                        TAG,
+                        "Successfully retrieved limited-use App Check token: "
+                            + appCheckToken.getToken());
+                    showToast("Successfully retrieved limited-use App Check token.");
+                  }
+                });
+            task.addOnFailureListener(
+                new OnFailureListener() {
+                  @Override
+                  public void onFailure(@NonNull Exception e) {
+                    Log.d(TAG, "App Check token exchange failed with error: " + e.getMessage());
+                    showToast("App Check token exchange failed.");
+                  }
+                });
+          }
+        });
+
     listStorageFilesButton.setOnClickListener(
         new OnClickListener() {
           @Override

appcheck/firebase-appcheck/test-app/src/main/res/layout/activity_main.xml

@@ -26,6 +26,11 @@
       android:layout_width="wrap_content"
       android:layout_height="wrap_content"
       android:text="@string/exchange_app_check_button_text"/>
+  <Button
+      android:id="@+id/limited_use_app_check_button"
+      android:layout_width="wrap_content"
+      android:layout_height="wrap_content"
+      android:text="@string/limited_use_app_check_button_text"/>
   <Button
       android:id="@+id/storage_list_files_button"
       android:layout_width="wrap_content"

appcheck/firebase-appcheck/test-app/src/main/res/values/strings.xml

@@ -3,6 +3,7 @@
   <string name="install_play_integrity_app_check_button_text">Install PlayIntegrityAppCheckProvider</string>
   <string name="install_safety_net_app_check_button_text">Install SafetyNetAppCheckProvider</string>
   <string name="install_debug_app_check_button_text">Install DebugAppCheckProvider</string>
-  <string name="exchange_app_check_button_text">Exchange attestation for App Check token</string>
+  <string name="exchange_app_check_button_text">Get App Check token</string>
+  <string name="limited_use_app_check_button_text">Get limited-use App Check token</string>
   <string name="storage_list_files_button_text">List Cloud Storage files with App Check token</string>
 </resources>

build.gradle

@@ -36,7 +36,7 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.google.protobuf:protobuf-gradle-plugin:0.8.14'
+        classpath 'com.google.protobuf:protobuf-gradle-plugin:0.9.2'
         classpath 'net.ltgt.gradle:gradle-errorprone-plugin:1.3.0'
         classpath 'gradle.plugin.com.github.sherter.google-java-format:google-java-format-gradle-plugin:0.9'
         classpath 'com.google.gms:google-services:4.3.15'

buildSrc/build.gradle.kts

@@ -40,26 +40,31 @@ ktfmt {
     googleStyle()
 }
 
+java {
+    sourceCompatibility = JavaVersion.VERSION_1_8
+    targetCompatibility = JavaVersion.VERSION_1_8
+}
+
 dependencies {
     // Firebase performance plugin, it should be added here because of how gradle dependency
     // resolution works, otherwise it breaks Fireperf Test Apps.
     // See https://github.com/gradle/gradle/issues/12286
     implementation("com.google.firebase:perf-plugin:$perfPluginVersion")
-
     implementation("com.google.auto.value:auto-value-annotations:1.8.1")
     annotationProcessor("com.google.auto.value:auto-value:1.6.5")
     implementation(kotlin("gradle-plugin", "1.7.10"))
     implementation("org.json:json:20210307")
 
     implementation("org.eclipse.aether:aether-api:1.0.0.v20140518")
     implementation("org.eclipse.aether:aether-util:1.0.0.v20140518")
+    implementation("org.ow2.asm:asm-tree:9.5")
     implementation("org.eclipse.aether:aether-impl:1.0.0.v20140518")
     implementation("org.eclipse.aether:aether-connector-basic:1.0.0.v20140518")
     implementation("org.eclipse.aether:aether-transport-file:1.0.0.v20140518")
     implementation("org.eclipse.aether:aether-transport-http:1.0.0.v20140518")
     implementation("org.eclipse.aether:aether-transport-wagon:1.0.0.v20140518")
     implementation("org.apache.maven:maven-aether-provider:3.1.0")
-    
+
     implementation("org.eclipse.jgit:org.eclipse.jgit:6.3.0.202209071007-r")
 
     implementation("com.google.code.gson:gson:2.8.9")
@@ -110,9 +115,3 @@ tasks.withType<Test> {
     val enablePluginTests: String? by rootProject
     enabled = enablePluginTests == "true"
 }
-
-tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile>().configureEach {
-    kotlinOptions {
-        jvmTarget = "11"
-    }
-}

buildSrc/src/main/java/com/google/firebase/gradle/plugins/FirebaseLibraryPlugin.kt

@@ -96,11 +96,12 @@ class FirebaseLibraryPlugin : BaseFirebaseLibraryPlugin() {
       aarAndroidFile.value(true)
       filePath.value(project.file("semver/previous.aar").absolutePath)
     }
-
+    val artifact = firebaseLibrary.artifactId.get()
+    val releaseAar = if (artifact.contains("-ktx")) "ktx-release.aar" else "${artifact}-release.aar"
     project.tasks.register<Copy>("extractCurrentClasses") {
       dependsOn("bundleReleaseAar")
 
-      from(project.zipTree("build/outputs/aar/${firebaseLibrary.artifactId.get()}-release.aar"))
+      from(project.zipTree("build/outputs/aar/${releaseAar}"))
       into(project.file("semver/current-version"))
     }
     project.tasks.register<Copy>("extractPreviousClasses") {

buildSrc/src/main/java/com/google/firebase/gradle/plugins/ci/Coverage.java

@@ -36,7 +36,7 @@ public static void apply(FirebaseLibraryExtension firebaseLibrary) {
     JacocoPluginExtension jacoco = project.getExtensions().getByType(JacocoPluginExtension.class);
 
     jacoco.setToolVersion("0.8.8");
-    jacoco.setReportsDir(reportsDir);
+    jacoco.getReportsDirectory().set(reportsDir);
     project
         .getTasks()
         .withType(

buildSrc/src/main/java/com/google/firebase/gradle/plugins/license/GenerateLicensesTask.java

@@ -32,7 +32,7 @@
 import org.gradle.api.tasks.Input;
 import org.gradle.api.tasks.OutputDirectory;
 import org.gradle.api.tasks.TaskAction;
-import org.gradle.api.tasks.incremental.IncrementalTaskInputs;
+import org.gradle.work.InputChanges;
 
 abstract class GenerateLicensesTask extends DefaultTask {
   private static final int NEW_LINE_LENGTH = "\n".getBytes().length;
@@ -56,7 +56,7 @@ public GenerateLicensesTask() {
   }
 
   @TaskAction
-  void execute(IncrementalTaskInputs inputs) {
+  void execute(InputChanges inputs) {
     Set<URI> licenseUris = new HashSet<URI>();
     for (ThirdPartyLicensesExtension.CustomLicense license : getadditionalLicenses()) {
       licenseUris.addAll(license.licenseUris);