Add App Check support to desktop Functions (#1225)

* Add App Check to desktop Functions

* File formatting

* Update Podfile

Author: a-maurice

app_check/integration_test/CMakeLists.txt

@@ -234,7 +234,7 @@ endif()
 # Add the Firebase libraries to the target using the function from the SDK.
 add_subdirectory(${FIREBASE_CPP_SDK_DIR} bin/ EXCLUDE_FROM_ALL)
 # Note that firebase_app needs to be last in the list.
-set(firebase_libs firebase_app_check firebase_database firebase_storage firebase_auth firebase_app)
+set(firebase_libs firebase_app_check firebase_database firebase_storage firebase_functions firebase_auth firebase_app)
 set(gtest_libs gtest gmock)
 target_link_libraries(${integration_test_target_name} ${firebase_libs}
   ${gtest_libs} ${ADDITIONAL_LIBS})

app_check/integration_test/Podfile

@@ -7,13 +7,17 @@ target 'integration_test' do
   pod 'Firebase/AppCheck', '10.5.0'
   pod 'Firebase/Database', '10.5.0'
   pod 'Firebase/Auth', '10.5.0'
+  pod 'Firebase/Storage', '10.5.0'
+  pod 'Firebase/Functions', '10.5.0'
 end
 
 target 'integration_test_tvos' do
   platform :tvos, '12.0'
   pod 'Firebase/AppCheck', '10.5.0'
   pod 'Firebase/Database', '10.5.0'
   pod 'Firebase/Auth', '10.5.0'
+  pod 'Firebase/Storage', '10.5.0'
+  pod 'Firebase/Functions', '10.5.0'
 end
 
 post_install do |installer|

app_check/integration_test/build.gradle

@@ -64,7 +64,8 @@ android {
         "-DFIREBASE_INCLUDE_APP_CHECK=ON",
         "-DFIREBASE_INCLUDE_AUTH=ON",
         "-DFIREBASE_INCLUDE_DATABASE=ON",
-        "-DFIREBASE_INCLUDE_STORAGE=ON"
+        "-DFIREBASE_INCLUDE_STORAGE=ON",
+        "-DFIREBASE_INCLUDE_FUNCTIONS=ON"
     }
   }
   externalNativeBuild.cmake {
@@ -85,6 +86,7 @@ firebaseCpp.dependencies {
   auth
   database
   storage
+  functions
 }
 
 apply plugin: 'com.google.gms.google-services'

app_check/integration_test/functions/README.md

@@ -0,0 +1,4 @@
+Cloud functions used by the integration test.
+Instructions to deploy:
+1. From the innermost functions directory run `npm install`
+2. From this directory, run `firebase deploy --only functions`

app_check/integration_test/functions/firebase.json

@@ -0,0 +1,4 @@
+{
+    "functions": {
+    }
+}

app_check/integration_test/functions/functions/index.js

@@ -0,0 +1,55 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const functions = require('firebase-functions');
+const admin = require('firebase-admin');
+admin.initializeApp(functions.config().firebase);
+
+// Adds two numbers to each other.
+exports.addNumbers = functions
+  .runWith({
+    enforceAppCheck: true  // Requests without valid App Check tokens will be rejected.
+  })
+  .https.onCall((data, context) => {
+    // context.app will be undefined if the request doesn't include an
+    // App Check token. (If the request includes an invalid App Check
+    // token, the request will be rejected with HTTP error 401.)
+    if (context.app == undefined) {
+      throw new functions.https.HttpsError(
+          'failed-precondition',
+          'The function must be called from an App Check verified app.')
+    }
+
+    // Numbers passed from the client.
+    const firstNumber = data.firstNumber;
+    const secondNumber = data.secondNumber;
+
+    // Checking that attributes are present and are numbers.
+    if (!Number.isFinite(firstNumber) || !Number.isFinite(secondNumber)) {
+      // Throwing an HttpsError so that the client gets the error details.
+      throw new functions.https.HttpsError('invalid-argument', 'The function ' +
+          'must be called with two arguments "firstNumber" and "secondNumber" ' +
+          'which must both be numbers.');
+    }
+
+    // returning result.
+    return {
+      firstNumber: firstNumber,
+      secondNumber: secondNumber,
+      operator: '+',
+      operationResult: firstNumber + secondNumber,
+    };
+  });

app_check/integration_test/functions/functions/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "functions",
+  "description": "Cloud Functions for Firebase",
+  "engines": {
+    "node": "16"
+  },
+  "main": "index.js",
+  "dependencies": {
+    "firebase-admin": "^11.5.0",
+    "firebase-functions": "^4.2.1"
+  },
+  "private": true
+}

app_check/integration_test/src/integration_test.cc

@@ -35,6 +35,7 @@
 #include "firebase/app_check/play_integrity_provider.h"
 #include "firebase/auth.h"
 #include "firebase/database.h"
+#include "firebase/functions.h"
 #include "firebase/internal/platform.h"
 #include "firebase/storage.h"
 #include "firebase/util.h"
@@ -115,6 +116,11 @@ class FirebaseAppCheckTest : public FirebaseTest {
   // Initialize everything needed for Storage tests.
   void InitializeAppAuthStorage();
 
+  // Initialize Firebase Functions.
+  void InitializeFunctions();
+  // Shut down Firebase Functions.
+  void TerminateFunctions();
+
   firebase::database::DatabaseReference CreateWorkingPath(
       bool suppress_cleanup = false);
 
@@ -126,6 +132,8 @@ class FirebaseAppCheckTest : public FirebaseTest {
   std::vector<firebase::database::DatabaseReference> cleanup_paths_;
 
   firebase::storage::Storage* storage_;
+
+  firebase::functions::Functions* functions_;
 };
 
 // Listens for token changed notifications
@@ -202,6 +210,7 @@ FirebaseAppCheckTest::FirebaseAppCheckTest()
       auth_(nullptr),
       database_(nullptr),
       storage_(nullptr),
+      functions_(nullptr),
       cleanup_paths_() {
   FindFirebaseConfig(FIREBASE_CONFIG_STRING);
 }
@@ -215,6 +224,7 @@ void FirebaseAppCheckTest::TearDown() {
   // Teardown all the products
   TerminateDatabase();
   TerminateStorage();
+  TerminateFunctions();
   TerminateAuth();
   TerminateAppCheck();
   TerminateApp();
@@ -349,6 +359,37 @@ void FirebaseAppCheckTest::InitializeAppAuthStorage() {
   InitializeStorage();
 }
 
+void FirebaseAppCheckTest::InitializeFunctions() {
+  LogDebug("Initializing Firebase Functions.");
+
+  ::firebase::ModuleInitializer initializer;
+  initializer.Initialize(
+      app_, &functions_, [](::firebase::App* app, void* target) {
+        LogDebug("Attempting to initialize Firebase Functions.");
+        ::firebase::InitResult result;
+        *reinterpret_cast<firebase::functions::Functions**>(target) =
+            firebase::functions::Functions::GetInstance(app, &result);
+        return result;
+      });
+
+  WaitForCompletion(initializer.InitializeLastResult(), "InitializeFunctions");
+
+  ASSERT_EQ(initializer.InitializeLastResult().error(), 0)
+      << initializer.InitializeLastResult().error_message();
+
+  LogDebug("Successfully initialized Firebase Functions.");
+}
+
+void FirebaseAppCheckTest::TerminateFunctions() {
+  if (functions_) {
+    LogDebug("Shutdown the Functions library.");
+    delete functions_;
+    functions_ = nullptr;
+  }
+
+  ProcessEvents(100);
+}
+
 void FirebaseAppCheckTest::SignIn() {
   if (auth_->current_user() != nullptr) {
     // Already signed in.
@@ -745,4 +786,39 @@ TEST_F(FirebaseAppCheckTest, TestStorageReadFileUnauthenticated) {
 }
 #endif  // !FIREBASE_PLATFORM_ANDROID
 
+TEST_F(FirebaseAppCheckTest, TestFunctionsSuccess) {
+  InitializeAppCheckWithDebug();
+  InitializeApp();
+  InitializeFunctions();
+  firebase::functions::HttpsCallableReference ref;
+  ref = functions_->GetHttpsCallable("addNumbers");
+  firebase::Variant data(firebase::Variant::EmptyMap());
+  data.map()["firstNumber"] = 5;
+  data.map()["secondNumber"] = 7;
+  firebase::Future<firebase::functions::HttpsCallableResult> future;
+  future = ref.Call(data);
+  WaitForCompletion(future, "CallFunction addnumbers",
+                    firebase::functions::kErrorNone);
+  firebase::Variant result = future.result()->data();
+  EXPECT_TRUE(result.is_map());
+  if (result.is_map()) {
+    EXPECT_EQ(result.map()["operationResult"], 12);
+  }
+}
+
+TEST_F(FirebaseAppCheckTest, TestFunctionsFailure) {
+  // Don't set up AppCheck
+  InitializeApp();
+  InitializeFunctions();
+  firebase::functions::HttpsCallableReference ref;
+  ref = functions_->GetHttpsCallable("addNumbers");
+  firebase::Variant data(firebase::Variant::EmptyMap());
+  data.map()["firstNumber"] = 6;
+  data.map()["secondNumber"] = 8;
+  firebase::Future<firebase::functions::HttpsCallableResult> future;
+  future = ref.Call(data);
+  WaitForCompletion(future, "CallFunction addnumbers",
+                    firebase::functions::kErrorUnauthenticated);
+}
+
 }  // namespace firebase_testapp_automated

functions/src/desktop/callable_reference_desktop.cc

@@ -331,8 +331,24 @@ Future<HttpsCallableResult> HttpsCallableReferenceInternal::Call(
   request_.set_future_handle(handle);
   request_.set_response(&response_);
 
-  // Start the request.
-  transport_.Perform(&request_, &response_, nullptr);
+  // Check for App Check token function
+  Future<std::string> app_check_future;
+  bool succeeded = functions_->app()->function_registry()->CallFunction(
+      ::firebase::internal::FnAppCheckGetTokenAsync, functions_->app(), nullptr,
+      &app_check_future);
+  if (succeeded && app_check_future.status() != kFutureStatusInvalid) {
+    // Perform the transform request on a completion
+    app_check_future.OnCompletion([&](const Future<std::string>& future_token) {
+      if (future_token.result()) {
+        request_.add_header("X-Firebase-AppCheck",
+                            future_token.result()->c_str());
+      }
+      transport_.Perform(&request_, &response_, nullptr);
+    });
+  } else {
+    // Start the request.
+    transport_.Perform(&request_, &response_, nullptr);
+  }
 
   return CallLastResult();
 }