From cd0b745bea8f957b4934d6d308c9324b5927419b Mon Sep 17 00:00:00 2001
From: Tom Binder <tbinder@google.com>
Date: Wed, 12 Jun 2024 09:15:26 +0000
Subject: [PATCH] Add Oak Client Android app to Kokoro build and make it
 importable.

Change-Id: I4467412d5584abfd81689394949f137bc80714c3
---
 .github/workflows/build.yaml           |  1 +
 .gitignore                             |  3 +++
 buildconfigs/oak_client_android_app.sh | 17 +++++++++++++++++
 justfile                               | 14 +++++++++++++-
 kokoro/build_binaries_rust.sh          | 22 ++++++++++++----------
 5 files changed, 46 insertions(+), 11 deletions(-)
 create mode 100644 buildconfigs/oak_client_android_app.sh

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 79dca9904f2..50ea0d03e2d 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -18,6 +18,7 @@ jobs:
       matrix:
         buildconfig:
           - buildconfigs/key_xor_test_app.sh
+          - buildconfigs/oak_client_android_app.sh
           - buildconfigs/oak_containers_kernel.sh
           - buildconfigs/oak_containers_orchestrator.sh
           - buildconfigs/oak_containers_stage1.sh
diff --git a/.gitignore b/.gitignore
index 0c6ab02277d..5e2c3557c44 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,6 +51,9 @@ rust-project.json
 # Ignore downloaded temporary files, such as the trusted root CA certificates.
 /downloads/
 
+# Binary or other files generated during build, see `justfile`.
+/generated/
+
 # Ignore generated binary files.
 **/bin/
 # Except if it is source code in a vendored crate.
diff --git a/buildconfigs/oak_client_android_app.sh b/buildconfigs/oak_client_android_app.sh
new file mode 100644
index 00000000000..b18f7de64a5
--- /dev/null
+++ b/buildconfigs/oak_client_android_app.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# Build configuration for oak_client_android_app.
+#
+export PACKAGE_NAME=oak_client_android_app
+
+export BUILD_COMMAND=(
+  nix
+  develop
+  --command
+  just
+  oak_client_android_app
+)
+
+export SUBJECT_PATHS=(
+  generated/client_app.apk
+)
diff --git a/justfile b/justfile
index 27d8f236497..465fac2b2c0 100644
--- a/justfile
+++ b/justfile
@@ -62,6 +62,16 @@ oak_restricted_kernel_simple_io_init_rd_bin:
 oak_restricted_kernel_simple_io_init_rd_wrapper: oak_restricted_kernel_simple_io_init_rd_bin
     just restricted_kernel_bzimage_and_provenance_subjects oak_restricted_kernel_simple_io_init_rd
 
+oak_client_android_app:
+    bazel build --config=unsafe-fast-presubmit --compilation_mode opt \
+        //java/src/main/java/com/google/oak/client/android:client_app
+    # Copy out to a directory which does not change with bazel config and does
+    # not interfere with cargo. It should be reused for other targets as well.
+    mkdir --parents generated
+    cp --preserve=timestamps --no-preserve=mode \
+        bazel-bin/java/src/main/java/com/google/oak/client/android/client_app.apk \
+        generated
+
 stage0_bin:
     env --chdir=stage0_bin \
         cargo objcopy --release -- --output-target=binary \
@@ -179,7 +189,9 @@ all_ensure_no_std: (ensure_no_std "micro_rpc") (ensure_no_std "oak_attestation_v
 
 # Entry points for Kokoro CI.
 
-kokoro_build_binaries_rust: all_enclave_apps oak_restricted_kernel_bin oak_restricted_kernel_simple_io_init_rd_wrapper stage0_bin
+kokoro_build_binaries_rust: all_enclave_apps oak_restricted_kernel_bin \
+    oak_restricted_kernel_simple_io_init_rd_wrapper stage0_bin \
+    oak_client_android_app
 
 kokoro_oak_containers: all_oak_containers_binaries oak_functions_containers_container_bundle_tar
     OAK_CONTAINERS_BINARIES_ALREADY_BUILT=1 RUST_LOG="debug" cargo nextest run --all-targets --hide-progress-bar --package='oak_containers_hello_world_untrusted_app'
diff --git a/kokoro/build_binaries_rust.sh b/kokoro/build_binaries_rust.sh
index 0325f8404f4..abfc9b5b22e 100755
--- a/kokoro/build_binaries_rust.sh
+++ b/kokoro/build_binaries_rust.sh
@@ -20,24 +20,26 @@ touch "${KOKORO_ARTIFACTS_DIR}/binaries/git_commit_${KOKORO_GIT_COMMIT_oak:?}"
 # Copy the generated binaries to Placer. The timestamps are used to convey
 # the creation time.
 readonly generated_binaries=(
-    ./oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin
-    ./stage0_bin/target/x86_64-unknown-none/release/stage0_bin
-    ./enclave_apps/target/x86_64-unknown-none/release/key_xor_test_app
-    ./enclave_apps/target/x86_64-unknown-none/release/oak_echo_enclave_app
-    ./enclave_apps/target/x86_64-unknown-none/release/oak_echo_raw_enclave_app
-    ./enclave_apps/target/x86_64-unknown-none/release/oak_functions_enclave_app
-    ./enclave_apps/target/x86_64-unknown-none/release/oak_functions_insecure_enclave_app
-    ./enclave_apps/target/x86_64-unknown-none/release/oak_orchestrator
+    enclave_apps/target/x86_64-unknown-none/release/key_xor_test_app
+    generated/client_app.apk
+    enclave_apps/target/x86_64-unknown-none/release/oak_echo_enclave_app
+    enclave_apps/target/x86_64-unknown-none/release/oak_echo_raw_enclave_app
+    enclave_apps/target/x86_64-unknown-none/release/oak_functions_enclave_app
+    enclave_apps/target/x86_64-unknown-none/release/oak_functions_insecure_enclave_app
+    enclave_apps/target/x86_64-unknown-none/release/oak_orchestrator
+    oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin
+    stage0_bin/target/x86_64-unknown-none/release/stage0_bin
 )
 readonly binary_names=(
-    oak_restricted_kernel_simple_io_init_rd_wrapper_bin
-    stage0_bin
     key_xor_test_app
+    oak_client_android_app
     oak_echo_enclave_app
     oak_echo_raw_enclave_app
     oak_functions_enclave_app
     oak_functions_insecure_enclave_app
     oak_orchestrator
+    oak_restricted_kernel_simple_io_init_rd_wrapper_bin
+    stage0_bin
 )
 for i in "${!binary_names[@]}"; do
     cp --preserve=timestamps \