Correct test-only Android verification branches

complexspaces · complexspaces · commit a0e5cc57fe9b · 2023-09-02T14:05:37.000-05:00
Previously, the BuildConfig field used was not being evaluated at
compile-time like we expected. This resulted in test-only branches not
being eliminated by `javac` and remaining in the final artifact.

This both makes both auditing for correctness harder and inhibits more
future test-only code stripping, so we correct it by providing a more
narrowly scoped, and constant, boolean determined at build time based
off if any tests are being ran. This allows `javac` to remove test
branches entirely like we want.
diff --git a/android/rustls-platform-verifier/build.gradle b/android/rustls-platform-verifier/build.gradle
@@ -3,6 +3,8 @@ plugins {
     id 'org.jetbrains.kotlin.android'
 }
 
+def isTest = gradle.startParameter.taskNames.any { it.contains("Test") }
+
 static def getOsArch() {
     final String hostArch = System.getProperty("os.arch")
 
@@ -28,6 +30,8 @@ android {
         minSdk 22
         targetSdk 33
 
+        buildConfigField "boolean", "TEST", "$isTest"
+
         testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
     }
 
diff --git a/android/rustls-platform-verifier/src/main/java/org/rustls/platformverifier/CertificateVerifier.kt b/android/rustls-platform-verifier/src/main/java/org/rustls/platformverifier/CertificateVerifier.kt
@@ -105,7 +105,7 @@ internal object CertificateVerifier {
 
     @JvmStatic
     private fun addMockRoot(root: ByteArray) {
-        if (!BuildConfig.DEBUG) {
+        if (!BuildConfig.TEST) {
             throw Exception("attempted to add a mock root outside a test!")
         }
 
@@ -222,10 +222,10 @@ internal object CertificateVerifier {
         // We select them as follows:
         // - If built for release, only use the system trust manager. This should let all test-related
         // code be optimized out.
-        // - If built for debug:
+        // - If built for tests:
         //      - If the mock CA store has any values, use the mock trust manager.
         //      - Otherwise, use the system trust manager.
-        val (trustManager, keystore) = if (!BuildConfig.DEBUG) {
+        val (trustManager, keystore) = if (!BuildConfig.TEST) {
             val trustManager =
                 systemTrustManager.value ?: return VerificationResult(StatusCode.Unavailable)
             Pair(trustManager, systemKeystore)
@@ -256,7 +256,7 @@ internal object CertificateVerifier {
         // TEST ONLY: Mock test suite cannot attempt to check revocation status if no OSCP data has been stapled,
         // because Android requires certificates to an specify OCSP responder for network fetch in this case.
         // If in testing w/o OCSP stapled, short-circuit here - only prior checks apply.
-        if ((mockKeystore.size() != 0) && (ocspResponse == null)) {
+        if (BuildConfig.TEST && (mockKeystore.size() != 0) && (ocspResponse == null)) {
             return VerificationResult(StatusCode.Ok)
         }
 

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,8 @@ plugins {`
`3`	`3`	`id 'org.jetbrains.kotlin.android'`
`4`	`4`	`}`
`5`	`5`
	`6`	`+def isTest = gradle.startParameter.taskNames.any { it.contains("Test") }`
	`7`	`+`
`6`	`8`	`static def getOsArch() {`
`7`	`9`	`final String hostArch = System.getProperty("os.arch")`
`8`	`10`
`@@ -28,6 +30,8 @@ android {`
`28`	`30`	`minSdk 22`
`29`	`31`	`targetSdk 33`
`30`	`32`
	`33`	`+ buildConfigField "boolean", "TEST", "$isTest"`
	`34`	`+`
`31`	`35`	`testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"`
`32`	`36`	`}`
`33`	`37`