For #9644: restrict deps to specific repositories (#9649)

* For #9644: remove unnecessary leanplum maven repository. The docs say it is [1] "only needed for Android SDK versions below 4.3.0". That is API 18 and our min SDK is 21. [1]: https://docs.leanplum.com/reference#android-setup * For #9644: move buildscript block from :app to root project. This will reduce the amount of duplication we need in specifying restricted dependencies and centralize repository definitions. Since we're a one project app, it shouldn't have a significant impact on performance. * For #9644: restrict dependencies following FFTV config. However, there is a resolution error to be fixed in the next commit. This is verbatim from FFTV except I removed the no-op "improve security if code is refactored incorrectly" lines: these lines rarely changed and I'm not that concerned. It might be better to simplify the configuration. Source: 62a2fa680c/buildSrc/src/main/java/org/mozilla/gradle/Dependencies.kt (L7) 62a2fa680c/build.gradle (L31) * For #9644: restrict firebase deps to google repo. This fixes the resolution error from the previous PR.
2020-04-15 10:54:36 -07:00 · 2020-04-15 10:54:36 -07:00 · f0464b9e72
parent c7b123cfea
commit f0464b9e72
3 changed files with 87 additions and 22 deletions
--- a/app/build.gradle
+++ b/app/build.gradle
@ -1,19 +1,3 @@
-// Allow installing Gradle plugins from the Mozilla Maven repositories
-buildscript {
-    repositories {
-        maven {
-            url "https://nightly.maven.mozilla.org/maven2"
-        }
-        maven {
-            url "https://maven.mozilla.org/maven2"
-        }
-
-        dependencies {
-            classpath "org.mozilla.components:tooling-glean-gradle:${Versions.mozilla_android_components}"
-        }
-    }
-}
-
 plugins {
    id "com.jetbrains.python.envs" version "0.0.26"
 }
--- a/build.gradle
+++ b/build.gradle
@ -1,10 +1,43 @@
 // Top-level build file where you can add configuration options common to all sub-projects/modules.

 buildscript {
+    // This logic is duplicated in the allprojects block: I don't know how to fix that.
    repositories {
-        google()
-        jcenter()
+        maven {
+            url "https://nightly.maven.mozilla.org/maven2"
+            content {
+                // Improve performance: only check moz maven for mozilla deps.
+                includeGroupByRegex RepoMatching.mozilla
+            }
+        }
+        maven {
+            url "https://maven.mozilla.org/maven2"
+            content {
+                // Improve performance: only check moz maven for mozilla deps.
+                includeGroupByRegex RepoMatching.mozilla
+            }
+        }
+        google() {
+            content {
+                // Improve performance: only check google maven for mozilla deps.
+                includeGroupByRegex RepoMatching.androidx
+                includeGroupByRegex RepoMatching.comGoogleAndroid
+                includeGroupByRegex RepoMatching.comGoogleFirebase
+                includeGroupByRegex RepoMatching.comAndroid
+            }
+        }
+        jcenter() {
+            content {
+                // Improve security: don't search deps with known repos.
+                excludeGroupByRegex RepoMatching.mozilla
+                excludeGroupByRegex RepoMatching.androidx
+                excludeGroupByRegex RepoMatching.comGoogleAndroid
+                excludeGroupByRegex RepoMatching.comGoogleFirebase
+                excludeGroupByRegex RepoMatching.comAndroid
+            }
+        }
    }
+
    dependencies {
        classpath Deps.tools_androidgradle
        classpath Deps.tools_kotlingradle
@ -12,6 +45,8 @@ buildscript {
        classpath Deps.allopen
        classpath Deps.osslicenses_plugin

+        classpath "org.mozilla.components:tooling-glean-gradle:${Versions.mozilla_android_components}"
+
        // NOTE: Do not place your application dependencies here; they belong
        // in the individual module build.gradle files
    }
@ -22,19 +57,43 @@ plugins {
 }

 allprojects {
+    // This logic is duplicated in the buildscript block: I don't know how to fix that.
    repositories {
-        google()
        maven {
            url "https://nightly.maven.mozilla.org/maven2"
+            content {
+                // Improve performance: only check moz maven for mozilla deps.
+                includeGroupByRegex RepoMatching.mozilla
+            }
        }
        maven {
            url "https://maven.mozilla.org/maven2"
+            content {
+                // Improve performance: only check moz maven for mozilla deps.
+                includeGroupByRegex RepoMatching.mozilla
+            }
        }
-        maven {
-            url "https://repo.leanplum.com/"
+        google() {
+            content {
+                // Improve performance: only check google maven for google deps.
+                includeGroupByRegex RepoMatching.androidx
+                includeGroupByRegex RepoMatching.comGoogleAndroid
+                includeGroupByRegex RepoMatching.comGoogleFirebase
+                includeGroupByRegex RepoMatching.comAndroid
+            }
+        }
+        jcenter() {
+            content {
+                // Improve security: don't search deps with known repos.
+                excludeGroupByRegex RepoMatching.mozilla
+                excludeGroupByRegex RepoMatching.androidx
+                excludeGroupByRegex RepoMatching.comGoogleAndroid
+                excludeGroupByRegex RepoMatching.comGoogleFirebase
+                excludeGroupByRegex RepoMatching.comAndroid
+            }
        }
-        jcenter()
    }
+
    tasks.withType(org.jetbrains.kotlin.gradle.tasks.KotlinCompile).all {
        kotlinOptions.jvmTarget = "1.8"
        kotlinOptions.allWarningsAsErrors = true
--- a/buildSrc/src/main/java/Dependencies.kt
+++ b/buildSrc/src/main/java/Dependencies.kt
@ -213,3 +213,25 @@ object Deps {
    const val junitParams = "org.junit.jupiter:junit-jupiter-params:${Versions.junit}"
    const val junitEngine = "org.junit.jupiter:junit-jupiter-engine:${Versions.junit}"
 }
+
+/**
+ * Functionality to limit specific dependencies to specific repositories. These are typically expected to be used by
+ * dependency group name (i.e. with `include/excludeGroup`). For additional info, see:
+ * https://docs.gradle.org/current/userguide/declaring_repositories.html#sec::matching_repositories_to_dependencies
+ *
+ * Note: I wanted to nest this in Deps but for some reason gradle can't find it so it's top-level now. :|
+ */
+object RepoMatching {
+    const val mozilla = "org\\.mozilla\\..*"
+    const val androidx = "androidx\\..*"
+    const val comAndroid = "com\\.android\\..*"
+    const val comGoogleFirebase = "com\\.google\\.firebase"
+
+    /**
+     * A matcher for com.google.android.* with one exception: the espresso-contrib dependency includes the
+     * accessibility-test-framework dependency, which is not available in the google repo. As such, we must
+     * explicitly exclude it from this regex so it can be found on jcenter. Note that the transitive dependency
+     * com.google.guava is also not available on google's repo.
+     */
+    const val comGoogleAndroid = "com\\.google\\.android\\.(?!apps\\.common\\.testing\\.accessibility\\.framework).*"
+}