Support metadata filtering (#1568)

* Support metadata filtering

* Provide MDG filter files

* Fix issue of missing file

* Fix uri problem

* Whitelist everything if no whitelist file is provided

Author: vmutafov

test-app/app/build.gradle

@@ -734,6 +734,11 @@ task collectAllJars {
     }
 }
 
+task copyMetadataFilters(type: Copy) {
+    from "$rootDir/whitelist.mdg", "$rootDir/blacklist.mdg"
+    into "$BUILD_TOOLS_PATH"
+}
+
 task copyMetadata {
     doLast {
         copy {
@@ -748,6 +753,8 @@ task buildMetadata(type: BuildToolTask) {
         dependsOn ':android-metadata-generator:jar'
     }
 
+    dependsOn copyMetadataFilters
+
     // As some external gradle plugins can reorder the execution order of the tasks it may happen that buildMetadata is executed after merge{Debug/Release}Assets
     // in that case the metadata won't be included in the result apk and it will crash, so to avoid this we are adding the copyMetadata task which will manually copy
     // the metadata files in the merge assets folder and they will be added to the result apk
@@ -924,6 +931,8 @@ task cleanSbg(type: Delete) {
 
 task cleanMdg(type: Delete) {
     delete "$BUILD_TOOLS_PATH/$MDG_OUTPUT_DIR",
+            "$BUILD_TOOLS_PATH/whitelist.mdg",
+            "$BUILD_TOOLS_PATH/blacklist.mdg",
             "$BUILD_TOOLS_PATH/$MDG_JAVA_DEPENDENCIES",
             "$METADATA_OUT_PATH"
 }

test-app/build-tools/android-metadata-generator/build.gradle

@@ -48,6 +48,10 @@ dependencies {
     compile 'com.google.code.gson:gson:2.8.5'
     compile group: 'org.jetbrains.kotlinx', name: 'kotlinx-metadata-jvm', version: '0.1.0'
     compile files("./src/libs/dx.jar")
+
+    testCompile 'junit:junit:4.13'
+    testCompile 'org.mockito:mockito-core:3.0.0'
+    implementation 'junit:junit:4.12'
 }
 
 task copyNecessaryFiles {

test-app/build-tools/android-metadata-generator/src/src/com/telerik/metadata/Builder.java

@@ -17,6 +17,9 @@
 import com.telerik.metadata.parsing.kotlin.extensions.bytecode.BytecodeExtensionFunctionsCollector;
 import com.telerik.metadata.parsing.kotlin.metadata.ClassMetadataParser;
 import com.telerik.metadata.parsing.kotlin.metadata.bytecode.BytecodeClassMetadataParser;
+import com.telerik.metadata.security.MetadataSecurityViolationException;
+import com.telerik.metadata.security.classes.SecuredClassRepository;
+import com.telerik.metadata.security.classes.SecuredNativeClassDescriptor;
 import com.telerik.metadata.storage.functions.FunctionsStorage;
 import com.telerik.metadata.storage.functions.extensions.ExtensionFunctionsStorage;
 
@@ -48,26 +51,26 @@ static TreeNode build(List<String> paths) throws Exception {
                 if (file.isFile()) {
                     if (path.endsWith(".jar")) {
                         JarFile jar = JarFile.readJar(path);
-                        ClassRepo.addToCache(jar);
+                        SecuredClassRepository.INSTANCE.addToCache(jar);
                     }
                 } else if (file.isDirectory()) {
                     ClassDirectory dir = ClassDirectory.readDirectory(path);
-                    ClassRepo.addToCache(dir);
+                    SecuredClassRepository.INSTANCE.addToCache(dir);
                 }
             }
         }
 
         TreeNode root = TreeNode.getRoot();
 
-        String[] classNames = ClassRepo.getClassNames();
+        String[] classNames = SecuredClassRepository.INSTANCE.getClassNames();
 
         for (String className : classNames) {
             try {
-                NativeClassDescriptor clazz = ClassRepo.findClass(className);
-                if (clazz == null) {
-                    throw new ClassNotFoundException("Class " + className + " not found in the input android libraries.");
+                SecuredNativeClassDescriptor clazz = SecuredClassRepository.INSTANCE.findClass(className);
+                if (!clazz.isUsageAllowed()) {
+                    throwMetadataSecurityViolationException(className);
                 } else {
-                    tryCollectKotlinExtensionFunctions(clazz);
+                    tryCollectKotlinExtensionFunctions(clazz.getNativeDescriptor());
                 }
             } catch (Throwable e) {
                 System.out.println("Skip " + className);
@@ -86,11 +89,11 @@ static TreeNode build(List<String> paths) throws Exception {
                 // our class path API 17
                 // Class<?> clazz = Class.forName(className, false, loader);
 
-                NativeClassDescriptor clazz = ClassRepo.findClass(className);
-                if (clazz == null) {
-                    throw new ClassNotFoundException("Class " + className + " not found in the input android libraries.");
+                SecuredNativeClassDescriptor clazz = SecuredClassRepository.INSTANCE.findClass(className);
+                if (!clazz.isUsageAllowed()) {
+                    throwMetadataSecurityViolationException(className);
                 } else {
-                    generate(clazz, root);
+                    generate(clazz.getNativeDescriptor(), root);
                 }
             } catch (Throwable e) {
                 System.out.println("Skip " + className);
@@ -103,6 +106,10 @@ static TreeNode build(List<String> paths) throws Exception {
         return root;
     }
 
+    private static void throwMetadataSecurityViolationException(String className){
+        throw new MetadataSecurityViolationException("Class " + className + " could not be used!");
+    }
+
     private static void tryCollectKotlinExtensionFunctions(NativeClassDescriptor classDescriptor) {
         if (classDescriptor instanceof KotlinClassDescriptor) {
             ExtensionFunctionsCollector extensionFunctionsCollector = new BytecodeExtensionFunctionsCollector(new BytecodeClassMetadataParser());
@@ -319,8 +326,10 @@ private static void getFieldsFromImplementedInterfaces(NativeClassDescriptor cla
         String[] implementedInterfacesNames = clazz.getInterfaceNames();
         if (implementedInterfacesNames.length > 0) {
             for (String currInterface : implementedInterfacesNames) {
-                interfaceClass = ClassRepo.findClass(currInterface);
-                if (interfaceClass != null) {
+                SecuredNativeClassDescriptor securedNativeClassDescriptor = SecuredClassRepository.INSTANCE.findClass(currInterface);
+
+                if (securedNativeClassDescriptor.isUsageAllowed()) {
+                    interfaceClass = securedNativeClassDescriptor.getNativeDescriptor();
                     fields = interfaceClass.getFields();
 
                     // If the interface iteself extends other interfaces - add their fields too
@@ -361,14 +370,14 @@ private static TreeNode getOrCreateNode(TreeNode root, NativeTypeDescriptor type
             node = createArrayNode(root, typeName);
         } else {
             String name = ClassUtil.getCanonicalName(type.getSignature());
-            NativeClassDescriptor clazz = ClassRepo.findClass(name);
+            SecuredNativeClassDescriptor clazz = SecuredClassRepository.INSTANCE.findNearestAllowedClass(name);
 
             // if clazz is not found in the ClassRepo, the method/field being analyzed will be skipped
-            if (clazz == null) {
+            if (!clazz.isUsageAllowed()) {
                 return null;
             }
 
-            node = getOrCreateNode(root, clazz, null);
+            node = getOrCreateNode(root, clazz.getNativeDescriptor(), null);
         }
 
         return node;
@@ -451,10 +460,11 @@ private static TreeNode getOrCreateNode(TreeNode root, NativeClassDescriptor cla
         if (node.baseClassNode == null) {
             NativeClassDescriptor baseClass = null;
             if (predefinedSuperClassname != null) {
-                baseClass = ClassUtil.getClassByName(predefinedSuperClassname);
+                SecuredNativeClassDescriptor securedNativeClassDescriptor = SecuredClassRepository.INSTANCE.findNearestAllowedClass(predefinedSuperClassname);
+                baseClass = securedNativeClassDescriptor.isUsageAllowed() ? securedNativeClassDescriptor.getNativeDescriptor() : null;
             } else {
                 baseClass = clazz.isInterface()
-                        ? ClassUtil.getClassByName("java.lang.Object")
+                        ? SecuredClassRepository.INSTANCE.findClass("java.lang.Object").getNativeDescriptor() // java.lang.Object should always be available
                         : ClassUtil.getSuperclass(clazz);
             }
             if (baseClass != null) {
@@ -505,13 +515,17 @@ private static TreeNode createArrayNode(TreeNode root, String className)
                 child.nodeType = node.nodeType;
                 child.arrayElement = node;
             } else {
-                NativeClassDescriptor clazz = ClassRepo.findClass(name);
-                child.nodeType = clazz.isInterface() ? TreeNode.Interface
-                        : TreeNode.Class;
-                if (clazz.isStatic()) {
-                    child.nodeType |= TreeNode.Static;
+                SecuredNativeClassDescriptor securedNativeClassDescriptor = SecuredClassRepository.INSTANCE.findNearestAllowedClass(name);
+                if (securedNativeClassDescriptor.isUsageAllowed()) {
+                    NativeClassDescriptor nativeClassDescriptor = securedNativeClassDescriptor.getNativeDescriptor();
+                    child.nodeType = nativeClassDescriptor.isInterface() ? TreeNode.Interface
+                            : TreeNode.Class;
+                    if (nativeClassDescriptor.isStatic()) {
+                        child.nodeType |= TreeNode.Static;
+                    }
+                    child.arrayElement = getOrCreateNode(root, nativeClassDescriptor, null);
                 }
-                child.arrayElement = getOrCreateNode(root, clazz, null);
+
             }
         }
 

test-app/build-tools/android-metadata-generator/src/src/com/telerik/metadata/ClassRepo.java

@@ -3,55 +3,53 @@
 import com.telerik.metadata.parsing.NativeClassDescriptor;
 import com.telerik.metadata.parsing.NativeMethodDescriptor;
 import com.telerik.metadata.parsing.NativeTypeDescriptor;
+import com.telerik.metadata.security.classes.SecuredClassRepository;
+import com.telerik.metadata.security.classes.SecuredNativeClassDescriptor;
 
 import java.util.ArrayList;
 
 public class ClassUtil {
     private ClassUtil() {
     }
 
-    public static boolean isPrimitive(NativeClassDescriptor clazz) {
-        boolean isPrimitive = !clazz.isClass() && !clazz.isEnum()
-                              && !clazz.isInterface();
-        return isPrimitive;
+    static boolean isPrimitive(NativeClassDescriptor clazz) {
+        return !clazz.isClass() && !clazz.isEnum()
+                && !clazz.isInterface();
     }
 
-    public static boolean isPrimitive(NativeTypeDescriptor type) {
-        boolean isPrimitive = type.equals(NativeTypeDescriptor.Companion.getBOOLEAN())
-                              || type.equals(NativeTypeDescriptor.Companion.getCHAR()) || type.equals(NativeTypeDescriptor.Companion.getBYTE())
-                              || type.equals(NativeTypeDescriptor.Companion.getSHORT()) || type.equals(NativeTypeDescriptor.Companion.getINT())
-                              || type.equals(NativeTypeDescriptor.Companion.getLONG()) || type.equals(NativeTypeDescriptor.Companion.getFLOAT())
-                              || type.equals(NativeTypeDescriptor.Companion.getDOUBLE()) || type.equals(NativeTypeDescriptor.Companion.getVOID());
+    static boolean isPrimitive(NativeTypeDescriptor type) {
 
-        return isPrimitive;
+        return type.equals(NativeTypeDescriptor.Companion.getBOOLEAN())
+                || type.equals(NativeTypeDescriptor.Companion.getCHAR()) || type.equals(NativeTypeDescriptor.Companion.getBYTE())
+                || type.equals(NativeTypeDescriptor.Companion.getSHORT()) || type.equals(NativeTypeDescriptor.Companion.getINT())
+                || type.equals(NativeTypeDescriptor.Companion.getLONG()) || type.equals(NativeTypeDescriptor.Companion.getFLOAT())
+                || type.equals(NativeTypeDescriptor.Companion.getDOUBLE()) || type.equals(NativeTypeDescriptor.Companion.getVOID());
     }
 
-    public static boolean isPrimitive(String name) {
-        boolean isPrimitive = name.equals("C") || name.equals("Z")
-                              || name.equals("B") || name.equals("S") || name.equals("I")
-                              || name.equals("J") || name.equals("F") || name.equals("D")
-                              || name.equals("V");
-        return isPrimitive;
+    static boolean isPrimitive(String name) {
+        return name.equals("C") || name.equals("Z")
+                || name.equals("B") || name.equals("S") || name.equals("I")
+                || name.equals("J") || name.equals("F") || name.equals("D")
+                || name.equals("V");
     }
 
-    public static boolean isArray(NativeClassDescriptor clazz) {
-        boolean isArray = isArray(clazz.getClassName());
-        return isArray;
+    static boolean isArray(NativeClassDescriptor clazz) {
+        return isArray(clazz.getClassName());
     }
 
-    public static boolean isArray(String className) {
-        boolean isArray = className.startsWith("[");
-        return isArray;
+    static boolean isArray(String className) {
+        return className.startsWith("[");
     }
 
-    public static NativeClassDescriptor getEnclosingClass(NativeClassDescriptor clazz) {
+    static NativeClassDescriptor getEnclosingClass(NativeClassDescriptor clazz) {
         NativeClassDescriptor enclosingClass = null;
 
         String className = clazz.getClassName();
         int idx = className.lastIndexOf("$");
         if (idx > 0) {
             String name = className.substring(0, idx);
-            enclosingClass = ClassRepo.findClass(name);
+            SecuredNativeClassDescriptor securedNativeClassDescriptor = SecuredClassRepository.INSTANCE.findClass(name);
+            enclosingClass = securedNativeClassDescriptor.isUsageAllowed() ? securedNativeClassDescriptor.getNativeDescriptor() : null;
         }
 
         return enclosingClass;
@@ -67,7 +65,7 @@ public static String getSimpleName(NativeClassDescriptor clazz) {
         return simpleName;
     }
 
-    public static NativeMethodDescriptor[] getAllMethods(NativeClassDescriptor clazz) {
+    static NativeMethodDescriptor[] getAllMethods(NativeClassDescriptor clazz) {
         ArrayList<NativeMethodDescriptor> methods = new ArrayList<NativeMethodDescriptor>();
         NativeClassDescriptor currentClass = clazz;
         while (currentClass != null) {
@@ -86,25 +84,21 @@ public static String getCanonicalName(String className) {
         String canonicalName;
         if (className.startsWith("L") && className.endsWith(";")) {
             canonicalName = className.substring(1, className.length() - 1)
-                            .replace('/', '.');
+                    .replace('/', '.');
         } else {
             canonicalName = className;
         }
         return canonicalName;
     }
 
-    public static NativeClassDescriptor getSuperclass(NativeClassDescriptor clazz) {
+    static NativeClassDescriptor getSuperclass(NativeClassDescriptor clazz) {
         NativeClassDescriptor superClass = null;
         if (!clazz.getClassName().equals("java.lang.Object")) {
             String superClassName = clazz.getSuperclassName();
-            superClass = ClassRepo.findClass(superClassName);
+            SecuredNativeClassDescriptor securedNativeClassDescriptor = SecuredClassRepository.INSTANCE.findNearestAllowedClass(superClassName);
+            superClass = securedNativeClassDescriptor.isUsageAllowed() ? securedNativeClassDescriptor.getNativeDescriptor() : null;
         }
         return superClass;
     }
 
-    public static NativeClassDescriptor getClassByName(String className) {
-        NativeClassDescriptor clazz = ClassRepo.findClass(className);
-        return clazz;
-    }
-
 }

test-app/build-tools/android-metadata-generator/src/src/com/telerik/metadata/ClassUtil.java

@@ -1,6 +1,7 @@
 package com.telerik.metadata;
 
 import com.telerik.metadata.analytics.AnalyticsConfiguration;
+import com.telerik.metadata.security.filtering.input.user.UserPatternsCollection;
 
 import java.io.BufferedReader;
 import java.io.File;
@@ -17,12 +18,16 @@ public class Generator {
     private static final String ANALYTICS_ARGUMENT_BEGINNING = "analyticsFilePath=";
     private static final String MDG_OUTPUT_DIR = "mdg-output-dir.txt";
     private static final String MDG_JAVA_DEPENDENCIES = "mdg-java-dependencies.txt";
+    private static final String MDG_WHITELIST = "whitelist.mdg";
+    private static final String MDG_BLACKLIST = "blacklist.mdg";
 
     /**
      * @param args
      */
     public static void main(String[] args) {
         enableAnalyticsBasedOnArgs(args);
+        UserPatternsCollection.INSTANCE.populateWhitelistEntriesFromFile(MDG_WHITELIST);
+        UserPatternsCollection.INSTANCE.populateBlacklistEntriesFromFile(MDG_BLACKLIST);
 
         try {
             String metadataOutputDir;

test-app/build-tools/android-metadata-generator/src/src/com/telerik/metadata/Generator.java

@@ -1,6 +1,7 @@
 package com.telerik.metadata.parsing;
 
-import com.telerik.metadata.ClassRepo;
+import com.telerik.metadata.security.classes.SecuredClassRepository;
+import com.telerik.metadata.security.classes.SecuredNativeClassDescriptor;
 
 import java.util.HashSet;
 import java.util.Set;
@@ -25,13 +26,15 @@ private HashSet<NativeMethodDescriptor> getAllDefaultMethodsFromImplementedInter
         String[] implementedInterfacesNames = clazz.getInterfaceNames();
 
         for (String implementedInterfaceName : implementedInterfacesNames) {
-            NativeClassDescriptor interfaceClass = ClassRepo.findClass(implementedInterfaceName);
+            SecuredNativeClassDescriptor securedNativeClassDescriptor = SecuredClassRepository.INSTANCE.findClass(implementedInterfaceName);
 
-            if (interfaceClass == null) {
+            if (!securedNativeClassDescriptor.isUsageAllowed()) {
                 System.out.println(String.format("WARNING: Skipping interface %s implemented in %s as it cannot be resolved", implementedInterfaceName, clazz.getClassName()));
                 continue;
             }
 
+            NativeClassDescriptor interfaceClass = securedNativeClassDescriptor.getNativeDescriptor();
+
             for (NativeMethodDescriptor md : interfaceClass.getMethods()) {
                 if (!md.isStatic() && !md.isAbstract()) {
                     collectedDefaultMethods.add(md);