Auth: add package override support to getTokenWithAccount (#3278)

play-services-core/src/main/java/org/microg/gms/auth/AuthManagerServiceImpl.java

@@ -34,6 +34,7 @@
 
 import com.google.android.auth.IAuthManagerService;
 import com.google.android.gms.R;
+import com.google.android.gms.common.internal.CertData;
 import com.google.android.gms.auth.AccountChangeEventsRequest;
 import com.google.android.gms.auth.AccountChangeEventsResponse;
 import com.google.android.gms.auth.GetHubTokenInternalResponse;
@@ -42,8 +43,10 @@
 import com.google.android.gms.auth.TokenData;
 import com.google.android.gms.common.api.Scope;
 
+import org.microg.gms.auth.loginservice.AccountAuthenticator;
 import org.microg.gms.common.GooglePackagePermission;
 import org.microg.gms.common.PackageUtils;
+import org.microg.gms.utils.PackageManagerUtilsKt;
 
 import java.io.IOException;
 import java.util.ArrayList;
@@ -132,7 +135,75 @@ public Bundle getTokenWithAccount(Account account, String scope, Bundle extras)
          */
         scope = scope.replace("https://www.googleapis.com/auth/identity.plus.page.impersonation ", "");
 
-        AuthManager authManager = new AuthManager(context, account.name, packageName, scope);
+        String effectivePackageName = packageName;
+        if (extras.containsKey(AccountAuthenticator.KEY_OVERRIDE_PACKAGE)) {
+            String overridePackage = extras.getString(AccountAuthenticator.KEY_OVERRIDE_PACKAGE);
+            if (overridePackage != null && !overridePackage.isEmpty()) {
+                List<CertData> certs = PackageManagerUtilsKt.getCertificates(context.getPackageManager(), packageName);
+                if (certs.isEmpty()) {
+                    Log.w(TAG, "getTokenWithAccount: no certificates found for requesting package " + packageName);
+                    Bundle result = new Bundle();
+                    result.putString(KEY_ERROR, "NeedPermission");
+                    return result;
+                }
+                CertData requestingCert = certs.get(0);
+
+                byte[] overrideCertificateBytes = extras.getByteArray(AccountAuthenticator.KEY_OVERRIDE_CERTIFICATE);
+                CertData overrideCert = (overrideCertificateBytes != null) 
+                    ? new CertData(overrideCertificateBytes) 
+                    : requestingCert;
+
+                boolean isOverrideAllowed;
+                if (packageName.equals(context.getPackageName())) {
+                    isOverrideAllowed = true;
+                } else {
+                    String requestingDigestString = PackageManagerUtilsKt.toHexString(PackageManagerUtilsKt.digest(requestingCert, "SHA-256"), "");
+                    String overrideCertificateDigestString = PackageManagerUtilsKt.toHexString(PackageManagerUtilsKt.digest(overrideCert, "SHA-256"), "");
+                    String overrideUserDataKey = "override." + packageName + ":" + requestingDigestString + ":" + overridePackage + ":" + overrideCertificateDigestString;
+                    String hasOverride = AccountManager.get(context).getUserData(account, overrideUserDataKey);
+                    isOverrideAllowed = "1".equals(hasOverride);
+                }
+
+                if (isOverrideAllowed) {
+                    effectivePackageName = overridePackage;
+                    Log.d(TAG, "getTokenWithAccount: using package override " + packageName + " -> " + effectivePackageName);
+                } else {
+                    Bundle result = new Bundle();
+                    result.putString(KEY_ERROR, "NeedPermission");
+                    result.putString(KEY_ACCOUNT_NAME, account.name);
+                    result.putString(KEY_ACCOUNT_TYPE, account.type);
+
+                    Intent i = new Intent(context, AskPackageOverrideActivity.class);
+                    i.putExtra(KEY_ANDROID_PACKAGE_NAME, packageName);
+                    i.putExtra(KEY_ACCOUNT_TYPE, account.type);
+                    i.putExtra(KEY_ACCOUNT_NAME, account.name);
+                    i.putExtra(AccountAuthenticator.KEY_OVERRIDE_PACKAGE, overridePackage);
+                    i.putExtra(AccountAuthenticator.KEY_OVERRIDE_CERTIFICATE, overrideCert.getBytes());
+                    result.putParcelable(KEY_USER_RECOVERY_INTENT, i);
+                    return result;
+                }
+            }
+        }
+
+        AuthManager authManager = new AuthManager(context, account.name, effectivePackageName, scope);
+
+        if (!effectivePackageName.equals(packageName)) {
+            try {
+                byte[] overrideCertificateBytes = extras.getByteArray(AccountAuthenticator.KEY_OVERRIDE_CERTIFICATE);
+                CertData overrideCert;
+                if (overrideCertificateBytes != null) {
+                    overrideCert = new CertData(overrideCertificateBytes);
+                } else {
+                    List<CertData> certs = PackageManagerUtilsKt.getCertificates(context.getPackageManager(), packageName);
+                    overrideCert = certs.isEmpty() ? null : certs.get(0);
+                }
+                if (overrideCert != null) {
+                    authManager.setPackageSignature(PackageManagerUtilsKt.toHexString(PackageManagerUtilsKt.digest(overrideCert, "SHA-1"), ""));
+                }
+            } catch (Exception e) {
+                Log.w(TAG, "getTokenWithAccount: error setting override signature", e);
+            }
+        }
         if (extras.containsKey(KEY_DELEGATION_TYPE) && extras.getInt(KEY_DELEGATION_TYPE) != 0 ) {
             authManager.setDelegation(extras.getInt(KEY_DELEGATION_TYPE), extras.getString("delegatee_user_id"));
         }