Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / d5b036014d632c7c28f8499f39bafd4b95ac49d1^! / . / services
commitd5b036014d632c7c28f8499f39bafd4b95ac49d1[log] [tgz]
authorNicolas Prevot <nprevot@google.com>Tue Dec 06 13:32:22 2016 +0000
committerNicolas Prevot <nprevot@google.com>Wed Dec 14 15:15:10 2016 +0000
treeb875ada9aa0c3defe7b16b5c59e23a8315cac40c
parent235117ac2123cf46438132a8fa67ac886e38b7ce [diff]
Use affiliation ids when checking bind target users.

BUG:32764274
Test: adb shell am instrument -e class
com.android.server.devicepolicy.DevicePolicyManagerTest -w
com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner

Change-Id: Ic79b58dcb583b1d9eb9e7af0d1501cf8cfd0ee86

diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index aafc432..0727743 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

@@ -9702,9 +9702,8 @@
             final int callingUserId = mInjector.userHandleGetCallingUserId();
             final boolean isCallerDeviceOwner = isDeviceOwner(callingOwner);
             final boolean isCallerManagedProfile = isManagedProfile(callingUserId);
-            if (!isCallerDeviceOwner && !isCallerManagedProfile
-                    /* STOPSHIP(b/32326223) Reinstate when setAffiliationIds is public
-                    ||   !isAffiliatedUser(callingUserId) */) {
+            if ((!isCallerDeviceOwner && !isCallerManagedProfile)
+                    || !isUserAffiliatedWithDevice(callingUserId)) {
                 return targetUsers;
             }
 
@@ -9724,8 +9723,7 @@
 
                         // Both must be the same package and be affiliated in order to bind.
                         if (callingOwnerPackage.equals(targetOwnerPackage)
-                            /* STOPSHIP(b/32326223) Reinstate when setAffiliationIds is public
-                               && isAffiliatedUser(userId)*/) {
+                               && isUserAffiliatedWithDevice(userId)) {
                             targetUsers.add(UserHandle.of(userId));
                         }
                     }

diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
index 0c00886..81a01d8 100644
--- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
+++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java

@@ -2664,8 +2664,26 @@
         final int ANOTHER_USER_ID = 36;
         mContext.addUser(ANOTHER_USER_ID, 0);
 
+        // Since the managed profile is not affiliated, they should not be allowed to talk to each
+        // other.
+        targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1);
+        MoreAsserts.assertEmpty(targetUsers);
+
+        mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID;
+        targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1);
+        MoreAsserts.assertEmpty(targetUsers);
+
+        // Setting affiliation ids
+        final List<String> userAffiliationIds = Arrays.asList("some.affiliation-id");
+        mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
+        dpm.setAffiliationIds(admin1, userAffiliationIds);
+
+        mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID;
+        dpm.setAffiliationIds(admin1, userAffiliationIds);
+
         // Calling from device owner admin, the result list should just contain the managed
         // profile user id.
+        mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
         targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1);
         MoreAsserts.assertContentsInAnyOrder(targetUsers, UserHandle.of(MANAGED_PROFILE_USER_ID));
 
@@ -2674,6 +2692,18 @@
         mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID;
         targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1);
         MoreAsserts.assertContentsInAnyOrder(targetUsers, UserHandle.SYSTEM);
+
+        // Changing affiliation ids in one
+        dpm.setAffiliationIds(admin1, Arrays.asList("some-different-affiliation-id"));
+
+        // Since the managed profile is not affiliated any more, they should not be allowed to talk
+        // to each other.
+        targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1);
+        MoreAsserts.assertEmpty(targetUsers);
+
+        mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
+        targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1);
+        MoreAsserts.assertEmpty(targetUsers);
     }
 
     public void testGetBindDeviceAdminTargetUsers_differentPackage() throws Exception {
@@ -2688,8 +2718,16 @@
                 new ComponentName("another.package", "whatever.class");
         addManagedProfile(adminDifferentPackage, MANAGED_PROFILE_ADMIN_UID, admin2);
 
+        // Setting affiliation ids
+        final List<String> userAffiliationIds = Arrays.asList("some-affiliation-id");
+        dpm.setAffiliationIds(admin1, userAffiliationIds);
+
+        mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID;
+        dpm.setAffiliationIds(adminDifferentPackage, userAffiliationIds);
+
         // Calling from device owner admin, we should get zero bind device admin target users as
         // their packages are different.
+        mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
         List<UserHandle> targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1);
         MoreAsserts.assertEmpty(targetUsers);