From 08a18bf74ae2c7609026e25e3f489a5bfec56d3b Mon Sep 17 00:00:00 2001
From: Paul Duffin <paulduffin@google.com>
Date: Fri, 1 Oct 2021 13:19:58 +0100
Subject: [PATCH] Always perform permitted package check when building a
 library

Previously, the permitted package check was designed to only be run
when building checkbuild. Although, that appears to now be broken.

This change uses a Validation dependency to ensure that the package
check is performed whenever the output file of a java_library is built
as part of the build. The package check runs in parallel with any other
rules that depend on the file.

Bug: 201753898
Test: - change the permitted_packages property in
        frameworks/base/test-mock so that the package check will fail.
      m out/soong/.intermediates/frameworks/base/test-mock/android.test.mock/android_common/package-check.stamp
      - as expected the package check failed.
      m droid
      - as expected the package check did not fail.
      # Made these changes then:
      m droid
      - as expected the package check now failed.
Change-Id: Id38fe280c79e5505ee4555b845c6da2ae6747bc4
---
 java/base.go | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/java/base.go b/java/base.go
index 579085b8a..7dd6c2d2b 100644
--- a/java/base.go
+++ b/java/base.go
@@ -1265,10 +1265,25 @@ func (j *Module) compile(ctx android.ModuleContext, aaptSrcJar android.Path) {
 
 	// Check package restrictions if necessary.
 	if len(j.properties.Permitted_packages) > 0 {
-		// Check packages and copy to package-checked file.
+		// Time stamp file created by the package check rule.
 		pkgckFile := android.PathForModuleOut(ctx, "package-check.stamp")
+
+		// Create a rule to copy the output jar to another path and add a validate dependency that
+		// will check that the jar only contains the permitted packages. The new location will become
+		// the output file of this module.
+		inputFile := outputFile
+		outputFile = android.PathForModuleOut(ctx, "package-check", jarName).OutputPath
+		ctx.Build(pctx, android.BuildParams{
+			Rule:   android.Cp,
+			Input:  inputFile,
+			Output: outputFile,
+			// Make sure that any dependency on the output file will cause ninja to run the package check
+			// rule.
+			Validation: pkgckFile,
+		})
+
+		// Check packages and create a timestamp file when complete.
 		CheckJarPackages(ctx, pkgckFile, outputFile, j.properties.Permitted_packages)
-		j.additionalCheckedModules = append(j.additionalCheckedModules, pkgckFile)
 
 		if ctx.Failed() {
 			return