Add user affiliation APIs
Make setAffiliationIds public so that it can be used for COMP.
That way we can allow network logging and other features to
work on devices that have a DO and a managed profile.
Those features are currently restricted to single user devices but we'll
open them up to devices where all users are affiliated.
Also create a getter for that API.
Bug: 32326223
Test: m FrameworksServicesTests &&
adb install \
-r ${ANDROID_PRODUCT_OUT}/data/app/FrameworksServicesTests/FrameworksServicesTests.apk &&
adb shell am instrument -e class com.android.server.devicepolicy.DevicePolicyManagerTest \
-w com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Change-Id: Ie443be887a6ca61a7f7a07e137757dceab7eb3d3
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index c497cb1..86f42bc 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -213,6 +213,8 @@
private static final String TAG_ADMIN_BROADCAST_PENDING = "admin-broadcast-pending";
+ private static final String ATTR_ID = "id";
+
private static final String ATTR_VALUE = "value";
private static final String TAG_INITIALIZATION_BUNDLE = "initialization-bundle";
@@ -2367,7 +2369,7 @@
for (String id : policy.mAffiliationIds) {
out.startTag(null, TAG_AFFILIATION_ID);
- out.attribute(null, "id", id);
+ out.attribute(null, ATTR_ID, id);
out.endTag(null, TAG_AFFILIATION_ID);
}
@@ -2547,7 +2549,7 @@
} else if (DO_NOT_ASK_CREDENTIALS_ON_BOOT_XML.equals(tag)) {
policy.doNotAskCredentialsOnBoot = true;
} else if (TAG_AFFILIATION_ID.equals(tag)) {
- policy.mAffiliationIds.add(parser.getAttributeValue(null, "id"));
+ policy.mAffiliationIds.add(parser.getAttributeValue(null, ATTR_ID));
} else if (TAG_LAST_SECURITY_LOG_RETRIEVAL.equals(tag)) {
policy.mLastSecurityLogRetrievalTime = Long.parseLong(
parser.getAttributeValue(null, ATTR_VALUE));
@@ -8041,13 +8043,11 @@
public void setLockTaskPackages(ComponentName who, String[] packages)
throws SecurityException {
Preconditions.checkNotNull(who, "ComponentName is null");
+
synchronized (this) {
- ActiveAdmin deviceOwner = getActiveAdminWithPolicyForUidLocked(
- who, DeviceAdminInfo.USES_POLICY_DEVICE_OWNER, mInjector.binderGetCallingUid());
- ActiveAdmin profileOwner = getActiveAdminWithPolicyForUidLocked(
- who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER, mInjector.binderGetCallingUid());
- if (deviceOwner != null || (profileOwner != null && isAffiliatedUser())) {
- int userHandle = mInjector.userHandleGetCallingUserId();
+ getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
+ final int userHandle = mInjector.userHandleGetCallingUserId();
+ if (isUserAffiliatedWithDevice(userHandle)) {
setLockTaskPackagesLocked(userHandle, new ArrayList<>(Arrays.asList(packages)));
} else {
throw new SecurityException("Admin " + who +
@@ -9142,9 +9142,18 @@
@Override
public void setAffiliationIds(ComponentName admin, List<String> ids) {
- final Set<String> affiliationIds = new ArraySet<String>(ids);
- final int callingUserId = mInjector.userHandleGetCallingUserId();
+ if (!mHasFeature) {
+ return;
+ }
+ Preconditions.checkNotNull(admin);
+ Preconditions.checkCollectionElementsNotNull(ids, "ids");
+
+ final Set<String> affiliationIds = new ArraySet<String>(ids);
+ Preconditions.checkArgument(
+ !affiliationIds.contains(""), "ids must not contain empty strings");
+
+ final int callingUserId = mInjector.userHandleGetCallingUserId();
synchronized (this) {
getActiveAdminForCallerLocked(admin, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
getUserData(callingUserId).mAffiliationIds = affiliationIds;
@@ -9159,20 +9168,44 @@
}
@Override
- public boolean isAffiliatedUser() {
- final int callingUserId = mInjector.userHandleGetCallingUserId();
+ public List<String> getAffiliationIds(ComponentName admin) {
+ if (!mHasFeature) {
+ return Collections.emptyList();
+ }
+ Preconditions.checkNotNull(admin);
synchronized (this) {
- if (mOwners.getDeviceOwnerUserId() == callingUserId) {
- // The user that the DO is installed on is always affiliated.
- return true;
- }
- final ComponentName profileOwner = getProfileOwner(callingUserId);
- if (profileOwner == null
- || !profileOwner.getPackageName().equals(mOwners.getDeviceOwnerPackageName())) {
+ getActiveAdminForCallerLocked(admin, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
+ return new ArrayList<String>(
+ getUserData(mInjector.userHandleGetCallingUserId()).mAffiliationIds);
+ }
+ }
+
+ @Override
+ public boolean isAffiliatedUser() {
+ return isUserAffiliatedWithDevice(mInjector.userHandleGetCallingUserId());
+ }
+
+ private boolean isUserAffiliatedWithDevice(int userId) {
+ synchronized (this) {
+ if (!mOwners.hasDeviceOwner()) {
return false;
}
- final Set<String> userAffiliationIds = getUserData(callingUserId).mAffiliationIds;
+ if (userId == mOwners.getDeviceOwnerUserId()) {
+ // The user that the DO is installed on is always affiliated with the device.
+ return true;
+ }
+ if (userId == UserHandle.USER_SYSTEM) {
+ // The system user is always affiliated in a DO device, even if the DO is set on a
+ // different user. This could be the case if the DO is set in the primary user
+ // of a split user device.
+ return true;
+ }
+ final ComponentName profileOwner = getProfileOwner(userId);
+ if (profileOwner == null) {
+ return false;
+ }
+ final Set<String> userAffiliationIds = getUserData(userId).mAffiliationIds;
final Set<String> deviceAffiliationIds =
getUserData(UserHandle.USER_SYSTEM).mAffiliationIds;
for (String id : userAffiliationIds) {
diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
index e55cafb..ed37b80 100644
--- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
+++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
@@ -50,6 +50,7 @@
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -1643,6 +1644,7 @@
/**
* Test for:
* {@link DevicePolicyManager#setAffiliationIds}
+ * {@link DevicePolicyManager#getAffiliationIds}
* {@link DevicePolicyManager#isAffiliatedUser}
*/
public void testUserAffiliation() throws Exception {
@@ -1659,30 +1661,34 @@
dpm.setActiveAdmin(admin1, /* replace =*/ false);
assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
assertTrue(dpm.isAffiliatedUser());
+ assertTrue(dpm.getAffiliationIds(admin1).isEmpty());
- // Install a profile owner whose package name matches the device owner on a test user. Check
- // that the test user is unaffiliated.
+ // Install a profile owner. Check that the test user is unaffiliated.
mContext.binder.callingUid = DpmMockContext.CALLER_UID;
setAsProfileOwner(admin2);
assertFalse(dpm.isAffiliatedUser());
+ assertTrue(dpm.getAffiliationIds(admin2).isEmpty());
// Have the profile owner specify a set of affiliation ids. Check that the test user remains
// unaffiliated.
- final Set<String> userAffiliationIds = new ArraySet<>();
+ final List<String> userAffiliationIds = new ArrayList<>();
userAffiliationIds.add("red");
userAffiliationIds.add("green");
userAffiliationIds.add("blue");
dpm.setAffiliationIds(admin2, userAffiliationIds);
+ MoreAsserts.assertContentsInAnyOrder(dpm.getAffiliationIds(admin2), "red", "green", "blue");
assertFalse(dpm.isAffiliatedUser());
// Have the device owner specify a set of affiliation ids that do not intersect with those
// specified by the profile owner. Check that the test user remains unaffiliated.
- final Set<String> deviceAffiliationIds = new ArraySet<>();
+ final List<String> deviceAffiliationIds = new ArrayList<>();
deviceAffiliationIds.add("cyan");
deviceAffiliationIds.add("yellow");
deviceAffiliationIds.add("magenta");
mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
dpm.setAffiliationIds(admin1, deviceAffiliationIds);
+ MoreAsserts.assertContentsInAnyOrder(
+ dpm.getAffiliationIds(admin1), "cyan", "yellow", "magenta");
mContext.binder.callingUid = DpmMockContext.CALLER_UID;
assertFalse(dpm.isAffiliatedUser());
@@ -1690,19 +1696,13 @@
// specified by the device owner. Check that the test user becomes affiliated.
userAffiliationIds.add("yellow");
dpm.setAffiliationIds(admin2, userAffiliationIds);
+ MoreAsserts.assertContentsInAnyOrder(
+ dpm.getAffiliationIds(admin2), "red", "green", "blue", "yellow");
assertTrue(dpm.isAffiliatedUser());
- // Change the profile owner to one whose package name does not match the device owner. Check
- // that the test user is not affiliated anymore.
- dpm.clearProfileOwner(admin2);
- final ComponentName admin = new ComponentName("test", "test");
-
- setUpPackageManagerForFakeAdmin(admin, DpmMockContext.CALLER_UID,
- /* enabledSetting =*/ PackageManager.COMPONENT_ENABLED_STATE_ENABLED,
- /* appTargetSdk = */ null, admin2);
-
- dpm.setActiveAdmin(admin, /* refreshing =*/ true, DpmMockContext.CALLER_USER_HANDLE);
- assertTrue(dpm.setProfileOwner(admin, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
+ // Clear affiliation ids for the profile owner. The user becomes unaffiliated.
+ dpm.setAffiliationIds(admin2, Collections.emptyList());
+ assertTrue(dpm.getAffiliationIds(admin2).isEmpty());
assertFalse(dpm.isAffiliatedUser());
// Check that the system user remains affiliated.