commit bdcada976298716b9fb566fd6264e31098df4391
author Esteban Talavera <etalavera@google.com> Wed Feb 01 14:20:06 2017 +0000
committer Esteban Talavera <etalavera@google.com> Wed Feb 01 15:02:22 2017 +0000
tree 93a00eb8cb7f670312676d439c8962b09589b3e0
parent 8e332cc54b203a3fe7a014e506c3fcc07a60e539

Affiliated profile owners can set lock task packages

Mentioned that in the documentation, cleaned up the code
a bit and added unit tests

Bug: 34614754

Test: runtest -c com.android.server.devicepolicy.DevicePolicyManagerTest    frameworks-services
Change-Id: I91232bbe494398015094ab977c6a2adce339811f

services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java

diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
index f4e4e08..7df638c 100644
--- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
+++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
@@ -3332,6 +3332,75 @@
         MoreAsserts.assertEmpty(targetUsers);
     }
 
+    public void testLockTaskPackagesAllowedForAffiliatedUsers() throws Exception {
+        // Setup a device owner.
+        mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
+        setupDeviceOwner();
+        // Lock task packages are updated when loading user data.
+        verify(mContext.iactivityManager)
+                .updateLockTaskPackages(eq(UserHandle.USER_SYSTEM), eq(new String[0]));
+
+        // Set up a managed profile managed by different package (package name shouldn't matter)
+        final int MANAGED_PROFILE_USER_ID = 15;
+        final int MANAGED_PROFILE_ADMIN_UID = UserHandle.getUid(MANAGED_PROFILE_USER_ID, 20456);
+        final ComponentName adminDifferentPackage =
+                new ComponentName("another.package", "whatever.class");
+        addManagedProfile(adminDifferentPackage, MANAGED_PROFILE_ADMIN_UID, admin2);
+        verify(mContext.iactivityManager)
+                .updateLockTaskPackages(eq(MANAGED_PROFILE_USER_ID), eq(new String[0]));
+
+        // The DO can still set lock task packages
+        mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
+        final String[] doPackages = {"doPackage1", "doPackage2"};
+        dpm.setLockTaskPackages(admin1, doPackages);
+        MoreAsserts.assertEquals(doPackages, dpm.getLockTaskPackages(admin1));
+        assertTrue(dpm.isLockTaskPermitted("doPackage1"));
+        assertFalse(dpm.isLockTaskPermitted("anotherPackage"));
+        verify(mContext.iactivityManager)
+                .updateLockTaskPackages(eq(UserHandle.USER_SYSTEM), eq(doPackages));
+
+        // Managed profile is unaffiliated - shouldn't be able to setLockTaskPackages.
+        mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID;
+        final String[] poPackages = {"poPackage1", "poPackage2"};
+        try {
+            dpm.setLockTaskPackages(adminDifferentPackage, poPackages);
+            fail("Didn't throw expected security exception.");
+        } catch (SecurityException expected) {
+        }
+        try {
+            dpm.getLockTaskPackages(adminDifferentPackage);
+            fail("Didn't throw expected security exception.");
+        } catch (SecurityException expected) {
+        }
+        assertFalse(dpm.isLockTaskPermitted("doPackage1"));
+
+        // Setting same affiliation ids
+        final List<String> userAffiliationIds = Arrays.asList("some-affiliation-id");
+        mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
+        dpm.setAffiliationIds(admin1, userAffiliationIds);
+
+        mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID;
+        dpm.setAffiliationIds(adminDifferentPackage, userAffiliationIds);
+
+        // Now the managed profile can set lock task packages.
+        dpm.setLockTaskPackages(adminDifferentPackage, poPackages);
+        MoreAsserts.assertEquals(poPackages, dpm.getLockTaskPackages(adminDifferentPackage));
+        assertTrue(dpm.isLockTaskPermitted("poPackage1"));
+        assertFalse(dpm.isLockTaskPermitted("doPackage2"));
+        verify(mContext.iactivityManager)
+                .updateLockTaskPackages(eq(MANAGED_PROFILE_USER_ID), eq(poPackages));
+
+        // Unaffiliate the profile, lock task mode no longer available on the profile.
+        dpm.setAffiliationIds(adminDifferentPackage, Collections.<String>emptyList());
+        assertFalse(dpm.isLockTaskPermitted("poPackage1"));
+        // Lock task packages cleared when loading user data and when the user becomes unaffiliated.
+        verify(mContext.iactivityManager, times(2))
+                .updateLockTaskPackages(eq(MANAGED_PROFILE_USER_ID), eq(new String[0]));
+
+        mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
+        assertTrue(dpm.isLockTaskPermitted("doPackage1"));
+    }
+
     public void testIsDeviceManaged() throws Exception {
         mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
         setupDeviceOwner();