Add X-Android-Package and X-Android-Cert headers. (#2980)

* Add X-Android-Package and X-Android-Cert headers.

* Update unit tests.

Author: rosalyntan

appcheck/firebase-appcheck/src/main/java/com/google/firebase/appcheck/internal/NetworkClient.java

@@ -16,9 +16,14 @@
 
 import static com.google.android.gms.common.internal.Preconditions.checkNotNull;
 
+import android.content.Context;
+import android.content.pm.PackageManager.NameNotFoundException;
+import android.util.Log;
 import androidx.annotation.IntDef;
 import androidx.annotation.NonNull;
 import androidx.annotation.VisibleForTesting;
+import com.google.android.gms.common.util.AndroidUtilsLight;
+import com.google.android.gms.common.util.Hex;
 import com.google.firebase.FirebaseApp;
 import com.google.firebase.FirebaseException;
 import com.google.firebase.appcheck.FirebaseAppCheck;
@@ -40,6 +45,8 @@
  */
 public class NetworkClient {
 
+  private static final String TAG = NetworkClient.class.getName();
+
   private static final String SAFETY_NET_EXCHANGE_URL_TEMPLATE =
       "https://firebaseappcheck.googleapis.com/v1beta/projects/%s/apps/%s:exchangeSafetyNetToken?key=%s";
   private static final String DEBUG_EXCHANGE_URL_TEMPLATE =
@@ -49,7 +56,10 @@ public class NetworkClient {
   private static final String UTF_8 = "UTF-8";
   @VisibleForTesting static final String X_FIREBASE_CLIENT = "X-Firebase-Client";
   @VisibleForTesting static final String X_FIREBASE_CLIENT_LOG_TYPE = "X-Firebase-Client-Log-Type";
+  @VisibleForTesting static final String X_ANDROID_PACKAGE = "X-Android-Package";
+  @VisibleForTesting static final String X_ANDROID_CERT = "X-Android-Cert";
 
+  private final Context context;
   private final DefaultFirebaseAppCheck firebaseAppCheck;
   private final String apiKey;
   private final String appId;
@@ -65,6 +75,7 @@ public class NetworkClient {
 
   public NetworkClient(@NonNull FirebaseApp firebaseApp) {
     checkNotNull(firebaseApp);
+    this.context = firebaseApp.getApplicationContext();
     this.firebaseAppCheck = (DefaultFirebaseAppCheck) FirebaseAppCheck.getInstance(firebaseApp);
     this.apiKey = firebaseApp.getOptions().getApiKey();
     this.appId = firebaseApp.getOptions().getApplicationId();
@@ -97,6 +108,10 @@ public AppCheckTokenResponse exchangeAttestationForAppCheckToken(
             X_FIREBASE_CLIENT_LOG_TYPE, firebaseAppCheck.getHeartbeatCode());
       }
 
+      // Headers for Android API key restrictions.
+      urlConnection.setRequestProperty(X_ANDROID_PACKAGE, context.getPackageName());
+      urlConnection.setRequestProperty(X_ANDROID_CERT, getFingerprintHashForPackage());
+
       try (OutputStream out =
           new BufferedOutputStream(urlConnection.getOutputStream(), requestBytes.length)) {
         out.write(requestBytes, /* off= */ 0, requestBytes.length);
@@ -130,6 +145,23 @@ public AppCheckTokenResponse exchangeAttestationForAppCheckToken(
     }
   }
 
+  /** Gets the Android package's SHA-1 fingerprint. */
+  private String getFingerprintHashForPackage() {
+    byte[] hash;
+
+    try {
+      hash = AndroidUtilsLight.getPackageCertificateHashBytes(context, context.getPackageName());
+      if (hash == null) {
+        Log.e(TAG, "Could not get fingerprint hash for package: " + context.getPackageName());
+        return null;
+      }
+      return Hex.bytesToStringUppercase(hash, /* zeroTerminated= */ false);
+    } catch (NameNotFoundException e) {
+      Log.e(TAG, "No such package: " + context.getPackageName(), e);
+      return null;
+    }
+  }
+
   private static String getUrlTemplate(@AttestationTokenType int tokenType) {
     switch (tokenType) {
       case SAFETY_NET:

appcheck/firebase-appcheck/src/test/java/com/google/firebase/appcheck/internal/NetworkClientTest.java

@@ -20,10 +20,13 @@
 import static com.google.firebase.appcheck.internal.HttpErrorResponse.CODE_KEY;
 import static com.google.firebase.appcheck.internal.HttpErrorResponse.ERROR_KEY;
 import static com.google.firebase.appcheck.internal.HttpErrorResponse.MESSAGE_KEY;
+import static com.google.firebase.appcheck.internal.NetworkClient.X_ANDROID_CERT;
+import static com.google.firebase.appcheck.internal.NetworkClient.X_ANDROID_PACKAGE;
 import static com.google.firebase.appcheck.internal.NetworkClient.X_FIREBASE_CLIENT;
 import static com.google.firebase.appcheck.internal.NetworkClient.X_FIREBASE_CLIENT_LOG_TYPE;
 import static org.junit.Assert.assertThrows;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;
@@ -116,13 +119,7 @@ public void exchangeSafetyNetToken_successResponse_returnsAppCheckTokenResponse(
     verify(networkClient).createHttpUrlConnection(expectedUrl);
     verify(outputStream)
         .write(JSON_REQUEST.getBytes(), /* off= */ 0, JSON_REQUEST.getBytes().length);
-
-    String userAgent = ((DefaultFirebaseAppCheck) FirebaseAppCheck.getInstance()).getUserAgent();
-    String heartBeatCode =
-        ((DefaultFirebaseAppCheck) FirebaseAppCheck.getInstance()).getHeartbeatCode();
-    verify(mockHttpUrlConnection).setRequestProperty(X_FIREBASE_CLIENT, userAgent);
-    verify(mockHttpUrlConnection).setRequestProperty(X_FIREBASE_CLIENT_LOG_TYPE, heartBeatCode);
-    assertThat(userAgent).contains(SDK_NAME);
+    verifyRequestHeaders();
   }
 
   @Test
@@ -146,13 +143,7 @@ public void exchangeSafetyNetToken_errorResponse_throwsException() throws Except
     verify(networkClient).createHttpUrlConnection(expectedUrl);
     verify(outputStream)
         .write(JSON_REQUEST.getBytes(), /* off= */ 0, JSON_REQUEST.getBytes().length);
-
-    String userAgent = ((DefaultFirebaseAppCheck) FirebaseAppCheck.getInstance()).getUserAgent();
-    String heartBeatCode =
-        ((DefaultFirebaseAppCheck) FirebaseAppCheck.getInstance()).getHeartbeatCode();
-    verify(mockHttpUrlConnection).setRequestProperty(X_FIREBASE_CLIENT, userAgent);
-    verify(mockHttpUrlConnection).setRequestProperty(X_FIREBASE_CLIENT_LOG_TYPE, heartBeatCode);
-    assertThat(userAgent).contains(SDK_NAME);
+    verifyRequestHeaders();
   }
 
   @Test
@@ -174,13 +165,7 @@ public void exchangeDebugToken_successResponse_returnsAppCheckTokenResponse() th
     verify(networkClient).createHttpUrlConnection(expectedUrl);
     verify(outputStream)
         .write(JSON_REQUEST.getBytes(), /* off= */ 0, JSON_REQUEST.getBytes().length);
-
-    String userAgent = ((DefaultFirebaseAppCheck) FirebaseAppCheck.getInstance()).getUserAgent();
-    String heartBeatCode =
-        ((DefaultFirebaseAppCheck) FirebaseAppCheck.getInstance()).getHeartbeatCode();
-    verify(mockHttpUrlConnection).setRequestProperty(X_FIREBASE_CLIENT, userAgent);
-    verify(mockHttpUrlConnection).setRequestProperty(X_FIREBASE_CLIENT_LOG_TYPE, heartBeatCode);
-    assertThat(userAgent).contains(SDK_NAME);
+    verifyRequestHeaders();
   }
 
   @Test
@@ -204,13 +189,7 @@ public void exchangeDebugToken_errorResponse_throwsException() throws Exception
     verify(networkClient).createHttpUrlConnection(expectedUrl);
     verify(outputStream)
         .write(JSON_REQUEST.getBytes(), /* off= */ 0, JSON_REQUEST.getBytes().length);
-
-    String userAgent = ((DefaultFirebaseAppCheck) FirebaseAppCheck.getInstance()).getUserAgent();
-    String heartBeatCode =
-        ((DefaultFirebaseAppCheck) FirebaseAppCheck.getInstance()).getHeartbeatCode();
-    verify(mockHttpUrlConnection).setRequestProperty(X_FIREBASE_CLIENT, userAgent);
-    verify(mockHttpUrlConnection).setRequestProperty(X_FIREBASE_CLIENT_LOG_TYPE, heartBeatCode);
-    assertThat(userAgent).contains(SDK_NAME);
+    verifyRequestHeaders();
   }
 
   @Test
@@ -222,6 +201,20 @@ public void exchangeUnknownAttestation_throwsException() {
                 JSON_REQUEST.getBytes(), NetworkClient.UNKNOWN));
   }
 
+  private void verifyRequestHeaders() {
+    String userAgent = ((DefaultFirebaseAppCheck) FirebaseAppCheck.getInstance()).getUserAgent();
+    String heartBeatCode =
+        ((DefaultFirebaseAppCheck) FirebaseAppCheck.getInstance()).getHeartbeatCode();
+
+    verify(mockHttpUrlConnection).setRequestProperty(X_FIREBASE_CLIENT, userAgent);
+    verify(mockHttpUrlConnection).setRequestProperty(X_FIREBASE_CLIENT_LOG_TYPE, heartBeatCode);
+    verify(mockHttpUrlConnection)
+        .setRequestProperty(
+            X_ANDROID_PACKAGE, ApplicationProvider.getApplicationContext().getPackageName());
+    verify(mockHttpUrlConnection).setRequestProperty(eq(X_ANDROID_CERT), any());
+    assertThat(userAgent).contains(SDK_NAME);
+  }
+
   private static JSONObject createAttestationResponse() throws Exception {
     JSONObject responseBodyJson = new JSONObject();
     responseBodyJson.put(ATTESTATION_TOKEN_KEY, ATTESTATION_TOKEN);