Add pre-auth override EAG attr and tests

Parameterize RobolectricBinderSecurityTest

Author: jdcormie

binder/build.gradle

@@ -72,6 +72,7 @@ dependencies {
     androidTestImplementation testFixtures(project(':grpc-core'))
 
     testFixturesImplementation libraries.guava.testlib
+    testFixturesImplementation testFixtures(project(':grpc-core'))
 }
 
 import net.ltgt.gradle.errorprone.CheckSeverity

binder/src/main/java/io/grpc/binder/ApiConstants.java

@@ -18,6 +18,8 @@
 
 import android.content.Intent;
 import android.os.UserHandle;
+import io.grpc.Attributes;
+import io.grpc.EquivalentAddressGroup;
 import io.grpc.ExperimentalApi;
 import io.grpc.NameResolver;
 
@@ -43,4 +45,15 @@ private ApiConstants() {}
    */
   public static final NameResolver.Args.Key<UserHandle> TARGET_ANDROID_USER =
       NameResolver.Args.Key.create("target-android-user");
+
+  /**
+   * Lets you override a Channel's pre-auth configuration (see {@link
+   * BinderChannelBuilder#preAuthorizeServers(boolean)} for a given {@link EquivalentAddressGroup}.
+   *
+   * <p>A {@link NameResolver} that discovers servers from an untrusted source like PackageManager
+   * can use this to force server pre-auth and prevent abuse.
+   */
+  @EquivalentAddressGroup.Attr
+  public static final Attributes.Key<Boolean> PRE_AUTH_SERVER_OVERRIDE =
+      Attributes.Key.create("pre-auth-server-override");
 }

binder/src/main/java/io/grpc/binder/internal/BinderTransport.java

@@ -19,6 +19,7 @@
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.util.concurrent.Futures.immediateFuture;
+import static io.grpc.binder.ApiConstants.PRE_AUTH_SERVER_OVERRIDE;
 import static java.util.concurrent.TimeUnit.MILLISECONDS;
 
 import android.content.Context;
@@ -607,7 +608,9 @@ public BinderClientTransport(
       this.securityPolicy = factory.securityPolicy;
       this.offloadExecutor = offloadExecutorPool.getObject();
       this.readyTimeoutMillis = factory.readyTimeoutMillis;
-      this.preAuthorizeServer = factory.preAuthorizeServers;
+      Boolean preAuthServerOverride = options.getEagAttributes().get(PRE_AUTH_SERVER_OVERRIDE);
+      this.preAuthorizeServer =
+          preAuthServerOverride != null ? preAuthServerOverride : factory.preAuthorizeServers;
       numInUseStreams = new AtomicInteger();
       pingTracker = new PingTracker(Ticker.systemTicker(), (id) -> sendPing(id));
 

binder/src/test/java/io/grpc/binder/RobolectricBinderSecurityTest.java

@@ -22,7 +22,13 @@
 import static org.robolectric.Shadows.shadowOf;
 
 import android.app.Application;
+import android.content.pm.ApplicationInfo;
+import android.content.pm.PackageInfo;
+import android.content.pm.ServiceInfo;
 import androidx.test.core.app.ApplicationProvider;
+import androidx.test.core.content.pm.ApplicationInfoBuilder;
+import androidx.test.core.content.pm.PackageInfoBuilder;
+import com.google.common.collect.ImmutableList;
 import com.google.common.util.concurrent.Futures;
 import com.google.common.util.concurrent.ListenableFuture;
 import com.google.common.util.concurrent.SettableFuture;
@@ -46,11 +52,13 @@
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.robolectric.RobolectricTestRunner;
+import org.robolectric.ParameterizedRobolectricTestRunner;
+import org.robolectric.ParameterizedRobolectricTestRunner.Parameter;
+import org.robolectric.ParameterizedRobolectricTestRunner.Parameters;
 import org.robolectric.annotation.LooperMode;
 import org.robolectric.annotation.LooperMode.Mode;
 
-@RunWith(RobolectricTestRunner.class)
+@RunWith(ParameterizedRobolectricTestRunner.class)
 @LooperMode(Mode.INSTRUMENTATION_TEST)
 public final class RobolectricBinderSecurityTest {
 
@@ -62,10 +70,33 @@ public final class RobolectricBinderSecurityTest {
   private ManagedChannel channel;
   private Server server;
 
+  @Parameter public boolean preAuthServersParam;
+
+  @Parameters(name = "preAuthServersParam={0}")
+  public static ImmutableList<Boolean> data() {
+    return ImmutableList.of(true, false);
+  }
+
   @Before
   public void setUp() {
-    AndroidComponentAddress listenAddress =
-        AndroidComponentAddress.forRemoteComponent(context.getPackageName(), "HostService");
+    ApplicationInfo serverAppInfo = ApplicationInfoBuilder.newBuilder()
+        .setPackageName(context.getPackageName())
+        .build();
+    serverAppInfo.uid = android.os.Process.myUid();
+    PackageInfo serverPkgInfo = PackageInfoBuilder.newBuilder()
+        .setPackageName(serverAppInfo.packageName)
+        .setApplicationInfo(serverAppInfo)
+        .build();
+    shadowOf(context.getPackageManager()).installPackage(serverPkgInfo);
+
+    ServiceInfo serviceInfo = new ServiceInfo();
+    serviceInfo.name = "SomeService";
+    serviceInfo.packageName = serverAppInfo.packageName;
+    serviceInfo.applicationInfo = serverAppInfo;
+    shadowOf(context.getPackageManager()).addOrUpdateService(serviceInfo);
+
+    AndroidComponentAddress listenAddress = AndroidComponentAddress.forRemoteComponent(
+        serviceInfo.packageName, serviceInfo.name);
 
     MethodDescriptor<Empty, Empty> methodDesc = getMethodDescriptor();
     ServerCallHandler<Empty, Empty> callHandler =
@@ -110,6 +141,7 @@ public ListenableFuture<Status> checkAuthorizationAsync(int uid) {
             checkNotNull(binderReceiver.get()));
     channel =
         BinderChannelBuilder.forAddress(listenAddress, context)
+            .preAuthorizeServers(preAuthServersParam)
             .build();
   }
 

binder/src/test/java/io/grpc/binder/internal/RobolectricBinderTransportTest.java

@@ -16,33 +16,54 @@
 
 package io.grpc.binder.internal;
 
+import static com.google.common.truth.Truth.assertThat;
+import static java.util.concurrent.TimeUnit.MILLISECONDS;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.timeout;
+import static org.mockito.Mockito.verify;
 import static org.robolectric.Shadows.shadowOf;
 
 import android.app.Application;
 import android.content.Intent;
+import android.content.pm.ApplicationInfo;
+import android.content.pm.PackageInfo;
+import android.content.pm.ServiceInfo;
 import androidx.test.core.app.ApplicationProvider;
+import androidx.test.core.content.pm.ApplicationInfoBuilder;
+import androidx.test.core.content.pm.PackageInfoBuilder;
 import com.google.common.collect.ImmutableList;
+import io.grpc.Attributes;
 import io.grpc.ServerStreamTracer;
+import io.grpc.Status;
 import io.grpc.binder.AndroidComponentAddress;
+import io.grpc.binder.ApiConstants;
+import io.grpc.binder.AsyncSecurityPolicy;
+import io.grpc.binder.internal.SettableAsyncSecurityPolicy.AuthRequest;
 import io.grpc.internal.AbstractTransportTest;
 import io.grpc.internal.ClientTransportFactory.ClientTransportOptions;
 import io.grpc.internal.GrpcUtil;
 import io.grpc.internal.InternalServer;
 import io.grpc.internal.ManagedClientTransport;
 import io.grpc.internal.ObjectPool;
 import io.grpc.internal.SharedResourcePool;
+import java.util.Collections;
 import java.util.List;
 import java.util.concurrent.Executor;
 import java.util.concurrent.ScheduledExecutorService;
 import org.junit.Before;
 import org.junit.Ignore;
+import org.junit.Rule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnit;
+import org.mockito.junit.MockitoRule;
 import org.robolectric.ParameterizedRobolectricTestRunner;
 import org.robolectric.ParameterizedRobolectricTestRunner.Parameter;
 import org.robolectric.ParameterizedRobolectricTestRunner.Parameters;
 import org.robolectric.annotation.LooperMode;
 import org.robolectric.annotation.LooperMode.Mode;
+import org.robolectric.shadows.ShadowBinder;
 
 /**
  * All of the AbstractTransportTest cases applied to {@link BinderTransport} running in a
@@ -68,15 +89,44 @@ public final class RobolectricBinderTransportTest extends AbstractTransportTest
   private final ObjectPool<Executor> serverExecutorPool =
       SharedResourcePool.forResource(GrpcUtil.SHARED_CHANNEL_EXECUTOR);
 
+  @Rule public MockitoRule mocks = MockitoJUnit.rule();
+
+  @Mock AsyncSecurityPolicy mockClientSecurityPolicy;
+
+  ApplicationInfo serverAppInfo;
+  PackageInfo serverPkgInfo;
+  ServiceInfo serviceInfo;
+
   private int nextServerAddress;
 
-  @Parameter public boolean preAuthorizeServers;
+  @Parameter public boolean preAuthServersParam;
 
-  @Parameters(name = "preAuthorizeServers={0}")
+  @Parameters(name = "preAuthServersParam={0}")
   public static ImmutableList<Boolean> data() {
     return ImmutableList.of(true, false);
   }
 
+  @Override
+  public void setUp() {
+    serverAppInfo =
+        ApplicationInfoBuilder.newBuilder().setPackageName("the.server.package").build();
+    serverAppInfo.uid = android.os.Process.myUid();
+    serverPkgInfo =
+        PackageInfoBuilder.newBuilder()
+            .setPackageName(serverAppInfo.packageName)
+            .setApplicationInfo(serverAppInfo)
+            .build();
+    shadowOf(application.getPackageManager()).installPackage(serverPkgInfo);
+
+    serviceInfo = new ServiceInfo();
+    serviceInfo.name = "SomeService";
+    serviceInfo.packageName = serverAppInfo.packageName;
+    serviceInfo.applicationInfo = serverAppInfo;
+    shadowOf(application.getPackageManager()).addOrUpdateService(serviceInfo);
+
+    super.setUp();
+  }
+
   @Before
   public void requestRealisticBindServiceBehavior() {
     shadowOf(application).setBindServiceCallsOnServiceConnectedDirectly(false);
@@ -85,10 +135,11 @@ public void requestRealisticBindServiceBehavior() {
 
   @Override
   protected InternalServer newServer(List<ServerStreamTracer.Factory> streamTracerFactories) {
-    AndroidComponentAddress listenAddr = AndroidComponentAddress.forBindIntent(
-        new Intent()
-            .setClassName(application.getPackageName(), "HostService")
-            .setAction("io.grpc.action.BIND." + nextServerAddress++));
+    AndroidComponentAddress listenAddr =
+        AndroidComponentAddress.forBindIntent(
+            new Intent()
+                .setClassName(serviceInfo.packageName, serviceInfo.name)
+                .setAction("io.grpc.action.BIND." + nextServerAddress++));
 
     BinderServer binderServer =
         new BinderServer.Builder()
@@ -115,30 +166,101 @@ protected InternalServer newServer(
     return newServer(streamTracerFactories);
   }
 
+  BinderClientTransportFactory.Builder newClientTransportFactoryBuilder() {
+    return new BinderClientTransportFactory.Builder()
+        .setPreAuthorizeServers(preAuthServersParam)
+        .setSourceContext(application)
+        .setScheduledExecutorPool(executorServicePool)
+        .setOffloadExecutorPool(offloadExecutorPool);
+  }
+
+  BinderClientTransportBuilder newClientTransportBuilder() {
+    return new BinderClientTransportBuilder()
+        .setClientTransportFactory(newClientTransportFactoryBuilder().buildClientTransportFactory())
+        .setServerAddress(server.getListenSocketAddress());
+  }
+
   @Override
   protected ManagedClientTransport newClientTransport(InternalServer server) {
-    BinderClientTransportFactory.Builder builder =
-        new BinderClientTransportFactory.Builder()
-            .setPreAuthorizeServers(preAuthorizeServers)
-            .setSourceContext(application)
-            .setScheduledExecutorPool(executorServicePool)
-            .setOffloadExecutorPool(offloadExecutorPool);
-
     ClientTransportOptions options = new ClientTransportOptions();
     options.setEagAttributes(eagAttrs());
     options.setChannelLogger(transportLogger());
 
-    return new BinderTransport.BinderClientTransport(
-        builder.buildClientTransportFactory(),
-        (AndroidComponentAddress) server.getListenSocketAddress(),
-        options);
+    return newClientTransportBuilder()
+        .setServerAddress(server.getListenSocketAddress())
+        .setClientTransportOptions(options)
+        .build();
   }
 
   @Override
   protected String testAuthority(InternalServer server) {
     return ((AndroidComponentAddress) server.getListenSocketAddress()).getAuthority();
   }
 
+  @Test
+  public void clientAuthorizesServerUidsInOrder() throws Exception {
+    serverAppInfo.uid = 11111;
+    shadowOf(application.getPackageManager()).installPackage(serverPkgInfo);
+    shadowOf(application.getPackageManager()).addOrUpdateService(serviceInfo);
+    server = newServer(Collections.emptyList());
+    server.start(serverListener);
+
+    SettableAsyncSecurityPolicy securityPolicy = new SettableAsyncSecurityPolicy();
+    client =
+        newClientTransportBuilder()
+            .setClientTransportFactory(
+                newClientTransportFactoryBuilder()
+                    .setSecurityPolicy(securityPolicy)
+                    .buildClientTransportFactory())
+            .build();
+
+    // TODO(jdcormie): In real Android, Binder#getCallingUid is thread-local but Robolectric only
+    //  lets us fake value this *globally*. So the ShadowBinder#setCallingUid() here unrealistically
+    //  affects the server's view of the client's uid too. For now this doesn't matter because this
+    //  test never exercises server SecurityPolicy.
+    ShadowBinder.setCallingUid(22222); // UID of the server *process* which != serverAppInfo.uid.
+    runIfNotNull(client.start(mockClientTransportListener));
+
+    if (preAuthServersParam) {
+      AuthRequest preAuthRequest = securityPolicy.takeNextAuthRequest(TIMEOUT_MS, MILLISECONDS);
+      assertThat(preAuthRequest.uid).isEqualTo(serverAppInfo.uid);
+      verify(mockClientTransportListener, never()).transportReady();
+      preAuthRequest.setResult(Status.OK);
+    }
+
+    AuthRequest authRequest = securityPolicy.takeNextAuthRequest(TIMEOUT_MS, MILLISECONDS);
+    assertThat(authRequest.uid).isEqualTo(22222);
+    verify(mockClientTransportListener, never()).transportReady();
+    authRequest.setResult(Status.OK);
+
+    verify(mockClientTransportListener, timeout(TIMEOUT_MS)).transportReady();
+  }
+
+  @Test
+  public void eagAttributeCanOverrideChannelPreAuthServerSetting() throws Exception {
+    server.start(serverListener);
+    SettableAsyncSecurityPolicy securityPolicy = new SettableAsyncSecurityPolicy();
+    ClientTransportOptions options = new ClientTransportOptions();
+    options.setEagAttributes(
+        Attributes.newBuilder().set(ApiConstants.PRE_AUTH_SERVER_OVERRIDE, true).build());
+    client =
+        newClientTransportFactoryBuilder()
+            .setSecurityPolicy(securityPolicy)
+            .buildClientTransportFactory()
+            .newClientTransport(server.getListenSocketAddress(), options, null);
+    runIfNotNull(client.start(mockClientTransportListener));
+
+    AuthRequest preAuthRequest = securityPolicy.takeNextAuthRequest(TIMEOUT_MS, MILLISECONDS);
+    verify(mockClientTransportListener, never()).transportReady();
+    preAuthRequest.setResult(Status.OK);
+
+    AuthRequest authRequest = securityPolicy.takeNextAuthRequest(TIMEOUT_MS, MILLISECONDS);
+    verify(mockClientTransportListener, never()).transportReady();
+    authRequest.setResult(Status.OK);
+
+    verify(mockClientTransportListener, timeout(TIMEOUT_MS)).transportReady();
+  }
+
   @Test
   @Ignore("See BinderTransportTest#socketStats.")
   @Override