Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add regex checks to ensure Firebase analytics + Crashlytics stay disabled in the codebase. #1903

Closed
BenHenning opened this issue Sep 24, 2020 · 16 comments · Fixed by #4995
Closed
Assignees
Labels
bug End user-perceivable behaviors which are not desirable. good first issue This item is good for new contributors to make their pull request. Impact: Medium Moderate perceived user impact (non-blocking bugs and general improvements). Issue: Needs Clarification Indicates that an issue needs more detail in order to be able to be acted upon. Priority: Important This work item is really important to complete for its milestone, but it can be scoped out. Work: Medium The means to find the solution is clear, but it isn't at good-first-issue level yet. Z-ibt Temporary label for Ben to keep track of issues he's triaged.

Comments

@BenHenning
Copy link
Member

The Firebase activation parameters (https://github.com/oppia/oppia-android/blob/2d14066/app/src/main/AndroidManifest.xml#L17) shouldn't be enabled ever in develop. We should have a CI check to ensure these parameters are always off.

@BenHenning BenHenning added Type: Improvement Priority: Important This work item is really important to complete for its milestone, but it can be scoped out. labels Sep 24, 2020
@BenHenning BenHenning added this to the Beta milestone Sep 24, 2020
@BenHenning
Copy link
Member Author

@rt4914 maybe a SLoP candidate issue?

@rt4914
Copy link
Contributor

rt4914 commented Sep 24, 2020

@rt4914 maybe a SLoP candidate issue?

Yeah looks like one. I have mentioned 5 points for now.

@BenHenning BenHenning added the Hacktoberfest This is a suggested Hacktoberfest issue. label Oct 1, 2020
@Russ741
Copy link
Contributor

Russ741 commented Nov 8, 2020

Hey, may I give fixing this issue a shot?

@rt4914
Copy link
Contributor

rt4914 commented Nov 8, 2020

Hey, may I give fixing this issue a shot?

@Russ741 Sure. Thanks.

@Russ741
Copy link
Contributor

Russ741 commented Nov 9, 2020

@rt4914 I have a couple of questions, if you don't mind:

  • My understanding is that we want to enforce that firebase_analytics_collection_deactivated is true and firebase_crashlytics_collection_enabled is false on the develop branch - is this correct?
  • Do we still intend to have Firebase analytics enabled for releases? If so, how? (It looks like firebase_analytics_collection_deactivated can't be overridden at runtime)
  • Just for my own curiosity, why do we want to have Firebase deactivated for developer builds? Is it just to keep our analytics uncontaminated with weird non-prod crashes, etc.?
  • What kind of test would be appropriate? On one end, there's something crude like grep'ing AndroidManifest.xml, and on the other there's running the app and inspecting the FirebaseAnalytics object or something (it doesn't appear to have getters, though).

Also, if there's a good resource for me to read about our continuous integration setup, I'd very much appreciate a pointer to it.

@rt4914
Copy link
Contributor

rt4914 commented Nov 10, 2020

@rt4914 I have a couple of questions, if you don't mind:

  • My understanding is that we want to enforce that firebase_analytics_collection_deactivated is true and firebase_crashlytics_collection_enabled is false on the develop branch - is this correct?
  • Do we still intend to have Firebase analytics enabled for releases? If so, how? (It looks like firebase_analytics_collection_deactivated can't be overridden at runtime)
  • Just for my own curiosity, why do we want to have Firebase deactivated for developer builds? Is it just to keep our analytics uncontaminated with weird non-prod crashes, etc.?
  • What kind of test would be appropriate? On one end, there's something crude like grep'ing AndroidManifest.xml, and on the other there's running the app and inspecting the FirebaseAnalytics object or something (it doesn't appear to have getters, though).

Also, if there's a good resource for me to read about our continuous integration setup, I'd very much appreciate a pointer to it.

I think @vinitamurthi and @Sarthak2601 Would be able to answer this more correctly.

@Sarthak2601
Copy link
Contributor

Sarthak2601 commented Nov 10, 2020

@rt4914 I have a couple of questions, if you don't mind:

  • My understanding is that we want to enforce that firebase_analytics_collection_deactivated is true and firebase_crashlytics_collection_enabled is false on the develop branch - is this correct?

Yes, correct.

  • Do we still intend to have Firebase analytics enabled for releases? If so, how? (It looks like firebase_analytics_collection_deactivated can't be overridden at runtime)

Yes, we would enable it for releases. We'd probably reverse these values for other build variants using productFlavors (or manually, depends on what the team decides). However, enabling it for releases is outside the scope of this issue.

  • Just for my own curiosity, why do we want to have Firebase deactivated for developer builds? Is it just to keep our analytics uncontaminated with weird non-prod crashes, etc.?

Enabling data collection would mean collection of sensitive information of our contributors and the open source nature of the project makes it challenging for us to let them know as the information will be gathered even when they're just testing the app. To avoid this, we've deactivated the Firebase data collection.

  • What kind of test would be appropriate? On one end, there's something crude like grep'ing AndroidManifest.xml, and on the other there's running the app and inspecting the FirebaseAnalytics object or something (it doesn't appear to have getters, though).

This issue tracks the addition of a CI based check that will ensure that the value of these flags is not changed. I think this can be done via a python script but I'll defer to @vinitamurthi here.

Also, if there's a good resource for me to read about our continuous integration setup, I'd very much appreciate a pointer to it.

I'm not sure if I know about the documentation but you can checkout this file to see the workflow.

@vinitamurthi
Copy link
Contributor

I think @Sarthak2601 has answered most of the questions so I will talk about the last one:

What kind of test would be appropriate? On one end, there's something crude like grep'ing AndroidManifest.xml, and on the other there's running the app and inspecting the FirebaseAnalytics object or something (it doesn't appear to have getters, though).

Yes we want a check that can run in Circle CI. Basically we do want to just do a manifest check, but its not enough to just look up the current AndroidManifest.xml since multiple manifests can exist and the final app manifest may be different from what is specified in AndroidManifest.xml. So there are two ways I can think of :

  1. Build the app and create the apk. Look at the AndroidManifest.xml file of the built APK and do a grep on that
  2. You might be able to use the manifest merger tool to just figure out what the final manifest would be without actually building the APK. I haven't looked into this myself and I am not sure if we can correctly generate the same manifest as that which is created when building the apk, so I'm not sure how successful this approach will be, but its faster than building an APK so worth spending about 15-20 mins researching on this approach too.

Hope this helps!

@Russ741
Copy link
Contributor

Russ741 commented Nov 23, 2020

@vinitamurthi

Yes we want a check that can run in Circle CI.

I'm unfamiliar with Circle CI, so I did some reading about how it integrates with Github, and that suggests that it uses .circleci/config.yml.
I see said file in oppia/oppia, but not oppia/oppia-android (it appears to have been removed in #1449).

Do we use Circle CI for the Android client in some way that I'm missing?

@BenHenning
Copy link
Member Author

This should actually be running on GitHub actions (not CircleCI). The existing actions check could be used as a baseline for this: https://github.com/oppia/oppia-android/tree/develop/.github/workflows.

That being said, it would be better to wait until #1724 is resolved since that will make this much easier. Sorry for the confusion--this issue wasn't well defined when it was filed.

@BenHenning BenHenning removed Hacktoberfest This is a suggested Hacktoberfest issue. good second issue labels Dec 1, 2020
@BenHenning BenHenning changed the title Ensure Firebase activation parameters are disabled on developer builds Ensure Firebase activation parameters are disabled on developer builds [Blocked: #1724] Dec 1, 2020
@Broppia Broppia added dev_team Impact: Medium Moderate perceived user impact (non-blocking bugs and general improvements). labels Jul 29, 2022
@BenHenning BenHenning added Issue: Needs Clarification Indicates that an issue needs more detail in order to be able to be acted upon. Z-ibt Temporary label for Ben to keep track of issues he's triaged. issue_user_developer labels Sep 16, 2022
@BenHenning BenHenning removed this from the Beta milestone Sep 16, 2022
@seanlip seanlip added bug End user-perceivable behaviors which are not desirable. and removed issue_type_infrastructure labels Mar 28, 2023
@seanlip
Copy link
Member

seanlip commented Mar 29, 2023

#1724 is resolved. Should we get this fixed? It is the last thing remaining in the Performance Metrics project.

@BenHenning
Copy link
Member Author

BenHenning commented Apr 4, 2023

@seanlip I was actually thinking we could repurpose this to conditionally allow Firebase to be enabled in developer builds (#4390). We would want to implement either that or this long-term, but not both. I think, given that, we could implement this more immediately (since it's a regex check), and then remove the check once #4390 is addressed.

@seanlip
Copy link
Member

seanlip commented Apr 4, 2023

@BenHenning Either's OK with me -- could you please make the call on what to do here specifically and put it in the description at the top, so that folks know what to do? Also should we remove "[Blocked: #...]" from the title?

@seanlip
Copy link
Member

seanlip commented Apr 5, 2023

Per @BenHenning, the aim of this issue should be to add two regex checks to ensure that Firebase analytics + Crashlytics lines in the manifest are set to "off". Once that's done, this issue can be closed.

Note for contributors: docs about the regex check system can be found in https://github.com/oppia/oppia-android/wiki/Static-Analysis-Checks#generic-regex-pattern-matching-against-file-contents

@seanlip seanlip changed the title Ensure Firebase activation parameters are disabled on developer builds [Blocked: #1724] Add regex checks to ensure Firebase analytics + Crashlytics stay disabled in the codebase. Apr 5, 2023
@seanlip seanlip added the good first issue This item is good for new contributors to make their pull request. label Apr 5, 2023
@chrislee115
Copy link
Contributor

chrislee115 commented Apr 10, 2023

Can I be assigned this issue?

My approach:
add checks to file_content_validation_checks.textproto that looks something like (in develop branch):

file_content_checks {
filename_regex: ".+.xml"
prohibited_content_regex: "^\s*<meta-data\s+android:name\s*=\s*"firebase_analytics_collection_deactivated"\s*android:value\s*=\s*"false".+$"
failure_message: "Firebase analytics collection should always be deactivated in develop"
}
file_content_checks {
filename_regex: ".+.xml"
prohibited_content_regex: "^\s*<meta-data\s+android:name\s*=\s*"firebase_crashlytics_collection_enabled"\s*android:value\s*=\s*"true".+$"
failure_message: "Firebase crashlytics collection should always be deactivated in develop"
}

tested in regex101 -
https://regex101.com/r/l14O5J/1

aims to prohibit
firebase_analytics_collection_deactived=false
firebase_crashlytics_collection_enabled=true

@BenHenning
Copy link
Member Author

That seems like a really solid approach @chrislee115. Assigning over to you.

@adhiamboperes adhiamboperes added the Work: Medium The means to find the solution is clear, but it isn't at good-first-issue level yet. label May 24, 2023
BenHenning added a commit that referenced this issue May 31, 2023
…itly disab… (#4995)

<!-- READ ME FIRST: Please fill in the explanation section below and
check off every point from the Essential Checklist! -->
## Explanation
Fix #1903 

Adds a regex check in file content validation to ensure Firebase
analytics are disabled in the codebase. Both regex are tested in
https://regex101.com/r/l14O5J/1, https://regex101.com/r/QVHGxi/1 for
Firebase analytics, Crashlytics, respectively.
- "Fixes ##1903:" Adds a regex check that ensures that firebase
analytics and crashlytics are explicitly disabled in
AndroidManifest.xml, new pull requests based on
/pull/4944

Manual testing:
Case 1: firebase_analytis_collection_deactivated = false in
AndroidManifest.xml; want = true (line 19)

![image](https://github.com/oppia/oppia-android/assets/44930615/0da2895b-55ea-4d17-acb9-00cf0e3dbfbe)

Case 2: firebase_analytis_collection_deactivated = true not found in
AndroidManifest.xml; want = explicit line (line 19)

![image](https://github.com/oppia/oppia-android/assets/44930615/99ebcd4e-bb10-4e49-a1a1-141d8e2e7ae9)

Case 3: firebase_crashlytics_collection_enabled = true in
AndroidManifest.xml; want = false (line 20)

![image](https://github.com/oppia/oppia-android/assets/44930615/0f459eb0-4c34-46b9-baff-3a5efd99e320)

Case 4: firebase_crashlytics_collection_enabled = false not found in
AndroidManifest.xml; want = explicit line (line 20)

![image](https://github.com/oppia/oppia-android/assets/44930615/92f5d167-dc12-4cb1-a940-9d836cf7e7db)

Case 5: happy case

![image](https://github.com/oppia/oppia-android/assets/44930615/f38d4460-9d0a-4b5f-af7e-b2b8df31c3a8)

## Essential Checklist
<!-- Please tick the relevant boxes by putting an "x" in them. -->
- [x] The PR title and explanation each start with "Fix #bugnum: " (If
this PR fixes part of an issue, prefix the title with "Fix part of
#bugnum: ...".)
- [X] Any changes to
[scripts/assets](https://github.com/oppia/oppia-android/tree/develop/scripts/assets)
files have their rationale included in the PR explanation.
- [x] The PR follows the [style
guide](https://github.com/oppia/oppia-android/wiki/Coding-style-guide).
- [x] The PR does not contain any unnecessary code changes from Android
Studio
([reference](https://github.com/oppia/oppia-android/wiki/Guidance-on-submitting-a-PR#undo-unnecessary-changes)).
- [x] The PR is made from a branch that's **not** called "develop" and
is up-to-date with "develop".
- [] The PR is **assigned** to the appropriate reviewers
([reference](https://github.com/oppia/oppia-android/wiki/Guidance-on-submitting-a-PR#clarification-regarding-assignees-and-reviewers-section)).

---------

Co-authored-by: Ben Henning <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug End user-perceivable behaviors which are not desirable. good first issue This item is good for new contributors to make their pull request. Impact: Medium Moderate perceived user impact (non-blocking bugs and general improvements). Issue: Needs Clarification Indicates that an issue needs more detail in order to be able to be acted upon. Priority: Important This work item is really important to complete for its milestone, but it can be scoped out. Work: Medium The means to find the solution is clear, but it isn't at good-first-issue level yet. Z-ibt Temporary label for Ben to keep track of issues he's triaged.
Projects
None yet
10 participants