commit 6322093fc389d820336ee71d9d06fb3ce4bdd1b0
author Alex Johnston <acjohnston@google.com> Thu Sep 26 10:10:51 2019 +0100
committer Alex Johnston <acjohnston@google.com> Thu Sep 26 10:10:51 2019 +0100
tree 6d76b608d08fc1222cd67cabd2b085693529160a
parent 5f6c76dd8c022a9e5123ac21782bd2a0001be043

Clear the password reset token when the device owner is removed.

Bug: 130026113
Test: Atest DevicePolicyManagerTest
      Atest MixedManagedProfileOwnerTest
      manual testing

Change-Id: I635fbb3fdf55a8c64b561752d74855fb83678109

services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java

diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
index d900910..a25e40f 100644
--- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
+++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
@@ -1212,6 +1212,45 @@
         assertTrue(dpm.isDeviceManaged());
     }
 
+    /**
+     * Test for: {@link DevicePolicyManager#clearDeviceOwnerApp(String)}
+     *
+     * Validates that when the device owner is removed, the reset password token is cleared
+     */
+    public void testClearDeviceOwner_clearResetPasswordToken() throws Exception {
+        mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
+        mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
+        mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
+
+        // Install admin1 on system user
+        setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
+
+        // Set admin1 to active admin and device owner
+        dpm.setActiveAdmin(admin1, /* replace =*/ false);
+        dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM);
+
+        // Add reset password token
+        final long handle = 12000;
+        final byte[] token = new byte[32];
+        when(getServices().lockPatternUtils.addEscrowToken(eq(token), eq(UserHandle.USER_SYSTEM),
+                nullable(EscrowTokenStateChangeCallback.class)))
+                .thenReturn(handle);
+        assertTrue(dpm.setResetPasswordToken(admin1, token));
+
+        // Assert reset password token is active
+        when(getServices().lockPatternUtils.isEscrowTokenActive(eq(handle),
+                eq(UserHandle.USER_SYSTEM)))
+                .thenReturn(true);
+        assertTrue(dpm.isResetPasswordTokenActive(admin1));
+
+        // Remove the device owner
+        dpm.clearDeviceOwnerApp(admin1.getPackageName());
+
+        // Verify password reset password token was removed
+        verify(getServices().lockPatternUtils).removeEscrowToken(eq(handle),
+                eq(UserHandle.USER_SYSTEM));
+    }
+
     public void testSetProfileOwner() throws Exception {
         setAsProfileOwner(admin1);