Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / 1a5ee776ee51ae6fba30c8f3b33e26eb7f9dedc6 / . / services / tests / servicestests / src / com / android / server / devicepolicy / DevicePolicyManagerTest.java
blob: 4a87e5b36124d8458974524bce7364d98e26d146 [file] [log] [blame]
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]1/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]16package com.android.server.devicepolicy;
17
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]18import android.Manifest.permission;
19import android.app.Activity;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]20import android.app.admin.DeviceAdminReceiver;
21import android.app.admin.DevicePolicyManager;
22import android.app.admin.DevicePolicyManagerInternal;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]23import android.content.BroadcastReceiver;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]24import android.content.ComponentName;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]25import android.content.pm.PackageManager;
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]26import android.net.wifi.WifiInfo;
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]27import android.os.Build.VERSION_CODES;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]28import android.os.Bundle;
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]29import android.os.Process;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]30import android.os.UserHandle;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]31import android.os.UserManager;
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]32import android.test.MoreAsserts;
Benjamin Franz6d009032016-01-25 18:56:38 +0000[diff] [blame]33import android.test.suitebuilder.annotation.SmallTest;
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]34import android.util.ArraySet;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]35import android.util.Pair;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]36
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]37import com.android.server.LocalServices;
38import com.android.server.SystemService;
39
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]40import org.mockito.ArgumentCaptor;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]41import org.mockito.invocation.InvocationOnMock;
42import org.mockito.stubbing.Answer;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]43
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]44import java.util.ArrayList;
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]45import java.util.Arrays;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]46import java.util.HashMap;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]47import java.util.List;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]48import java.util.Map;
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]49import java.util.Set;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]50
51import static org.mockito.Matchers.any;
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]52import static org.mockito.Matchers.anyInt;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]53import static org.mockito.Matchers.anyString;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]54import static org.mockito.Matchers.eq;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]55import static org.mockito.Matchers.isNull;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]56import static org.mockito.Mockito.doAnswer;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]57import static org.mockito.Mockito.doReturn;
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]58import static org.mockito.Mockito.reset;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]59import static org.mockito.Mockito.times;
60import static org.mockito.Mockito.verify;
61import static org.mockito.Mockito.when;
62
63/**
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]64 * Tests for DevicePolicyManager( and DevicePolicyManagerService).
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]65 *
66 m FrameworksServicesTests &&
67 adb install \
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]68 -r ${ANDROID_PRODUCT_OUT}/data/app/FrameworksServicesTests/FrameworksServicesTests.apk &&
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]69 adb shell am instrument -e class com.android.server.devicepolicy.DevicePolicyManagerTest \
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]70 -w com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]71
72 (mmma frameworks/base/services/tests/servicestests/ for non-ninja build)
73 */
Benjamin Franz6d009032016-01-25 18:56:38 +0000[diff] [blame]74@SmallTest
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]75public class DevicePolicyManagerTest extends DpmTestBase {
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]76 private static final List<String> OWNER_SETUP_PERMISSIONS = Arrays.asList(
77 permission.MANAGE_DEVICE_ADMINS, permission.MANAGE_PROFILE_AND_DEVICE_OWNERS,
78 permission.MANAGE_USERS, permission.INTERACT_ACROSS_USERS_FULL);
79
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]80 private DpmMockContext mContext;
81 public DevicePolicyManager dpm;
82 public DevicePolicyManagerServiceTestable dpms;
83
84 @Override
85 protected void setUp() throws Exception {
86 super.setUp();
87
88 mContext = getContext();
89
90 when(mContext.packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN)))
91 .thenReturn(true);
92
Makoto Onuki1a5ee772016-02-12 15:34:57 -0800[diff] [blame^]93 // By default, pretend all users are running and unlocked.
94 when(mContext.userManager.isUserUnlocked(anyInt())).thenReturn(true);
95
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]96 initializeDpms();
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]97
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]98 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
99 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
100 setUpPackageManagerForAdmin(admin3, DpmMockContext.CALLER_UID);
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]101 setUpPackageManagerForAdmin(adminNoPerm, DpmMockContext.CALLER_UID);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]102
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]103 setUpUserManager();
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]104 }
105
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]106 private void initializeDpms() {
107 // Need clearCallingIdentity() to pass permission checks.
108 final long ident = mContext.binder.clearCallingIdentity();
109 try {
110 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class);
111
112 dpms = new DevicePolicyManagerServiceTestable(mContext, dataDir);
113
114 dpms.systemReady(SystemService.PHASE_LOCK_SETTINGS_READY);
115 dpms.systemReady(SystemService.PHASE_BOOT_COMPLETED);
116
117 dpm = new DevicePolicyManagerTestable(mContext, dpms);
118 } finally {
119 mContext.binder.restoreCallingIdentity(ident);
120 }
121 }
122
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]123 private void setUpUserManager() {
124 // Emulate UserManager.set/getApplicationRestriction().
125 final Map<Pair<String, UserHandle>, Bundle> appRestrictions = new HashMap<>();
126
127 // UM.setApplicationRestrictions() will save to appRestrictions.
128 doAnswer(new Answer<Void>() {
129 @Override
130 public Void answer(InvocationOnMock invocation) throws Throwable {
131 String pkg = (String) invocation.getArguments()[0];
132 Bundle bundle = (Bundle) invocation.getArguments()[1];
133 UserHandle user = (UserHandle) invocation.getArguments()[2];
134
135 appRestrictions.put(Pair.create(pkg, user), bundle);
136
137 return null;
138 }
139 }).when(mContext.userManager).setApplicationRestrictions(
140 anyString(), any(Bundle.class), any(UserHandle.class));
141
142 // UM.getApplicationRestrictions() will read from appRestrictions.
143 doAnswer(new Answer<Bundle>() {
144 @Override
145 public Bundle answer(InvocationOnMock invocation) throws Throwable {
146 String pkg = (String) invocation.getArguments()[0];
147 UserHandle user = (UserHandle) invocation.getArguments()[1];
148
149 return appRestrictions.get(Pair.create(pkg, user));
150 }
151 }).when(mContext.userManager).getApplicationRestrictions(
152 anyString(), any(UserHandle.class));
153
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]154 // Add the first secondary user.
155 mContext.addUser(DpmMockContext.CALLER_USER_HANDLE, 0);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]156 }
157
158 private void setAsProfileOwner(ComponentName admin) {
159 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
160 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
161
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]162 // PO needs to be an DA.
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]163 dpm.setActiveAdmin(admin, /* replace =*/ false);
164
165 // Fire!
166 assertTrue(dpm.setProfileOwner(admin, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
167
168 // Check
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]169 assertEquals(admin, dpm.getProfileOwnerAsUser(DpmMockContext.CALLER_USER_HANDLE));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]170 }
171
172 public void testHasNoFeature() throws Exception {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]173 when(mContext.packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN)))
174 .thenReturn(false);
175
176 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class);
177 new DevicePolicyManagerServiceTestable(mContext, dataDir);
178
179 // If the device has no DPMS feature, it shouldn't register the local service.
180 assertNull(LocalServices.getService(DevicePolicyManagerInternal.class));
181 }
182
183 /**
184 * Caller doesn't have proper permissions.
185 */
186 public void testSetActiveAdmin_SecurityException() {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]187 // 1. Failure cases.
188
189 // Caller doesn't have MANAGE_DEVICE_ADMINS.
190 try {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]191 dpm.setActiveAdmin(admin1, false);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]192 fail("Didn't throw SecurityException");
193 } catch (SecurityException expected) {
194 }
195
196 // Caller has MANAGE_DEVICE_ADMINS, but for different user.
197 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
198 try {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]199 dpm.setActiveAdmin(admin1, false, DpmMockContext.CALLER_USER_HANDLE + 1);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]200 fail("Didn't throw SecurityException");
201 } catch (SecurityException expected) {
202 }
203 }
204
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]205 /**
206 * Test for:
207 * {@link DevicePolicyManager#setActiveAdmin}
208 * with replace=false and replace=true
209 * {@link DevicePolicyManager#isAdminActive}
210 * {@link DevicePolicyManager#isAdminActiveAsUser}
211 * {@link DevicePolicyManager#getActiveAdmins}
212 * {@link DevicePolicyManager#getActiveAdminsAsUser}
213 */
214 public void testSetActiveAdmin() throws Exception {
215 // 1. Make sure the caller has proper permissions.
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]216 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
217
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]218 // 2. Call the API.
219 dpm.setActiveAdmin(admin1, /* replace =*/ false);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]220
221 // 3. Verify internal calls.
222
223 // Check if the boradcast is sent.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]224 verify(mContext.spiedContext).sendBroadcastAsUser(
225 MockUtils.checkIntentAction(
226 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
227 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
228 verify(mContext.spiedContext).sendBroadcastAsUser(
229 MockUtils.checkIntentAction(
230 DeviceAdminReceiver.ACTION_DEVICE_ADMIN_ENABLED),
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]231 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
232
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]233 verify(mContext.ipackageManager, times(1)).setApplicationEnabledSetting(
234 eq(admin1.getPackageName()),
235 eq(PackageManager.COMPONENT_ENABLED_STATE_DEFAULT),
236 eq(PackageManager.DONT_KILL_APP),
237 eq(DpmMockContext.CALLER_USER_HANDLE),
238 anyString());
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]239
240 // TODO Verify other calls too.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]241
242 // Make sure it's active admin1.
243 assertTrue(dpm.isAdminActive(admin1));
244 assertFalse(dpm.isAdminActive(admin2));
245 assertFalse(dpm.isAdminActive(admin3));
246
247 // But not admin1 for a different user.
248
249 // For this to work, caller needs android.permission.INTERACT_ACROSS_USERS_FULL.
250 // (Because we're checking a different user's status from CALLER_USER_HANDLE.)
251 mContext.callerPermissions.add("android.permission.INTERACT_ACROSS_USERS_FULL");
252
253 assertFalse(dpm.isAdminActiveAsUser(admin1, DpmMockContext.CALLER_USER_HANDLE + 1));
254 assertFalse(dpm.isAdminActiveAsUser(admin2, DpmMockContext.CALLER_USER_HANDLE + 1));
255
256 mContext.callerPermissions.remove("android.permission.INTERACT_ACROSS_USERS_FULL");
257
258 // Next, add one more admin.
259 // Before doing so, update the application info, now it's enabled.
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]260 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID,
261 PackageManager.COMPONENT_ENABLED_STATE_ENABLED);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]262
263 dpm.setActiveAdmin(admin2, /* replace =*/ false);
264
265 // Now we have two admins.
266 assertTrue(dpm.isAdminActive(admin1));
267 assertTrue(dpm.isAdminActive(admin2));
268 assertFalse(dpm.isAdminActive(admin3));
269
270 // Admin2 was already enabled, so setApplicationEnabledSetting() shouldn't have called
271 // again. (times(1) because it was previously called for admin1)
272 verify(mContext.ipackageManager, times(1)).setApplicationEnabledSetting(
273 eq(admin1.getPackageName()),
274 eq(PackageManager.COMPONENT_ENABLED_STATE_DEFAULT),
275 eq(PackageManager.DONT_KILL_APP),
276 eq(DpmMockContext.CALLER_USER_HANDLE),
277 anyString());
278
279 // 4. Add the same admin1 again without replace, which should throw.
280 try {
281 dpm.setActiveAdmin(admin1, /* replace =*/ false);
282 fail("Didn't throw");
283 } catch (IllegalArgumentException expected) {
284 }
285
286 // 5. Add the same admin1 again with replace, which should succeed.
287 dpm.setActiveAdmin(admin1, /* replace =*/ true);
288
289 // TODO make sure it's replaced.
290
291 // 6. Test getActiveAdmins()
292 List<ComponentName> admins = dpm.getActiveAdmins();
293 assertEquals(2, admins.size());
294 assertEquals(admin1, admins.get(0));
295 assertEquals(admin2, admins.get(1));
296
297 // Another user has no admins.
298 mContext.callerPermissions.add("android.permission.INTERACT_ACROSS_USERS_FULL");
299
300 assertEquals(0, DpmTestUtils.getListSizeAllowingNull(
301 dpm.getActiveAdminsAsUser(DpmMockContext.CALLER_USER_HANDLE + 1)));
302
303 mContext.callerPermissions.remove("android.permission.INTERACT_ACROSS_USERS_FULL");
304 }
305
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]306 public void testSetActiveAdmin_multiUsers() throws Exception {
307
308 final int ANOTHER_USER_ID = 100;
309 final int ANOTHER_ADMIN_UID = UserHandle.getUid(ANOTHER_USER_ID, 20456);
310
311 mMockContext.addUser(ANOTHER_USER_ID, 0); // Add one more user.
312
313 // Set up pacakge manager for the other user.
314 setUpPackageManagerForAdmin(admin2, ANOTHER_ADMIN_UID);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]315
316 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
317
318 dpm.setActiveAdmin(admin1, /* replace =*/ false);
319
320 mMockContext.binder.callingUid = ANOTHER_ADMIN_UID;
321 dpm.setActiveAdmin(admin2, /* replace =*/ false);
322
323
324 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
325 assertTrue(dpm.isAdminActive(admin1));
326 assertFalse(dpm.isAdminActive(admin2));
327
328 mMockContext.binder.callingUid = ANOTHER_ADMIN_UID;
329 assertFalse(dpm.isAdminActive(admin1));
330 assertTrue(dpm.isAdminActive(admin2));
331 }
332
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]333 /**
334 * Test for:
335 * {@link DevicePolicyManager#setActiveAdmin}
336 * with replace=false
337 */
338 public void testSetActiveAdmin_twiceWithoutReplace() throws Exception {
339 // 1. Make sure the caller has proper permissions.
340 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
341
342 dpm.setActiveAdmin(admin1, /* replace =*/ false);
343 assertTrue(dpm.isAdminActive(admin1));
344
345 // Add the same admin1 again without replace, which should throw.
346 try {
347 dpm.setActiveAdmin(admin1, /* replace =*/ false);
348 fail("Didn't throw");
349 } catch (IllegalArgumentException expected) {
350 }
351 }
352
353 /**
354 * Test for:
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]355 * {@link DevicePolicyManager#setActiveAdmin} when the admin isn't protected with
356 * BIND_DEVICE_ADMIN.
357 */
358 public void testSetActiveAdmin_permissionCheck() throws Exception {
359 // 1. Make sure the caller has proper permissions.
360 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
361
362 try {
363 dpm.setActiveAdmin(adminNoPerm, /* replace =*/ false);
364 fail();
365 } catch (IllegalArgumentException expected) {
366 assertTrue(expected.getMessage().contains(permission.BIND_DEVICE_ADMIN));
367 }
368 assertFalse(dpm.isAdminActive(adminNoPerm));
369
370 // Change the target API level to MNC. Now it can be set as DA.
371 setUpPackageManagerForAdmin(adminNoPerm, DpmMockContext.CALLER_UID, null,
372 VERSION_CODES.M);
373 dpm.setActiveAdmin(adminNoPerm, /* replace =*/ false);
374 assertTrue(dpm.isAdminActive(adminNoPerm));
375
376 // TODO Test the "load from the file" case where DA will still be loaded even without
377 // BIND_DEVICE_ADMIN and target API is N.
378 }
379
380 /**
381 * Test for:
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]382 * {@link DevicePolicyManager#removeActiveAdmin}
383 */
384 public void testRemoveActiveAdmin_SecurityException() {
385 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
386
387 // Add admin.
388
389 dpm.setActiveAdmin(admin1, /* replace =*/ false);
390
391 assertTrue(dpm.isAdminActive(admin1));
392
393 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
394
395 // Directly call the DPMS method with a different userid, which should fail.
396 try {
397 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE + 1);
398 fail("Didn't throw SecurityException");
399 } catch (SecurityException expected) {
400 }
401
402 // Try to remove active admin with a different caller userid should fail too, without
403 // having MANAGE_DEVICE_ADMINS.
404 mContext.callerPermissions.clear();
405
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]406 // Change the caller, and call into DPMS directly with a different user-id.
407
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]408 mContext.binder.callingUid = 1234567;
409 try {
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]410 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]411 fail("Didn't throw SecurityException");
412 } catch (SecurityException expected) {
413 }
414 }
415
416 /**
Makoto Onuki1a5ee772016-02-12 15:34:57 -0800[diff] [blame^]417 * {@link DevicePolicyManager#removeActiveAdmin} should fail with the user is not unlocked
418 * (because we can't send the remove broadcast).
419 */
420 public void testRemoveActiveAdmin_userNotRunningOrLocked() {
421 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
422
423 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
424
425 // Add admin.
426
427 dpm.setActiveAdmin(admin1, /* replace =*/ false);
428
429 assertTrue(dpm.isAdminActive(admin1));
430
431 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
432
433 // 1. User not unlocked.
434 when(mContext.userManager.isUserUnlocked(eq(DpmMockContext.CALLER_USER_HANDLE)))
435 .thenReturn(false);
436 try {
437 dpm.removeActiveAdmin(admin1);
438 fail("Didn't throw IllegalStateException");
439 } catch (IllegalStateException expected) {
440 MoreAsserts.assertContainsRegex(
441 "User must be running and unlocked", expected.getMessage());
442 }
443
444 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
445
446 // 2. User unlocked.
447 when(mContext.userManager.isUserUnlocked(eq(DpmMockContext.CALLER_USER_HANDLE)))
448 .thenReturn(true);
449
450 dpm.removeActiveAdmin(admin1);
451
452 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
453 }
454
455 /**
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]456 * Test for:
457 * {@link DevicePolicyManager#removeActiveAdmin}
458 */
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]459 public void testRemoveActiveAdmin_fromDifferentUserWithINTERACT_ACROSS_USERS_FULL() {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]460 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
461
462 // Add admin1.
463
464 dpm.setActiveAdmin(admin1, /* replace =*/ false);
465
466 assertTrue(dpm.isAdminActive(admin1));
467 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
468
469 // Different user, but should work, because caller has proper permissions.
470 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]471
472 // Change the caller, and call into DPMS directly with a different user-id.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]473 mContext.binder.callingUid = 1234567;
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]474
475 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]476
477 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
478
479 // TODO DO Still can't be removed in this case.
480 }
481
482 /**
483 * Test for:
484 * {@link DevicePolicyManager#removeActiveAdmin}
485 */
486 public void testRemoveActiveAdmin_sameUserNoMANAGE_DEVICE_ADMINS() {
487 // Need MANAGE_DEVICE_ADMINS for setActiveAdmin. We'll remove it later.
488 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
489
490 // Add admin1.
491
492 dpm.setActiveAdmin(admin1, /* replace =*/ false);
493
494 assertTrue(dpm.isAdminActive(admin1));
495 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
496
497 // Broadcast from saveSettingsLocked().
498 verify(mContext.spiedContext, times(1)).sendBroadcastAsUser(
499 MockUtils.checkIntentAction(
500 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
501 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
502
503 // Remove. No permissions, but same user, so it'll work.
504 mContext.callerPermissions.clear();
505 dpm.removeActiveAdmin(admin1);
506
507 final ArgumentCaptor<BroadcastReceiver> brCap =
508 ArgumentCaptor.forClass(BroadcastReceiver.class);
509
510 // Is removing now, but not removed yet.
511 assertTrue(dpm.isAdminActive(admin1));
512 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
513
514 verify(mContext.spiedContext).sendOrderedBroadcastAsUser(
515 MockUtils.checkIntentAction(
516 DeviceAdminReceiver.ACTION_DEVICE_ADMIN_DISABLED),
517 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE),
518 isNull(String.class),
519 brCap.capture(),
520 eq(dpms.mHandler),
521 eq(Activity.RESULT_OK),
522 isNull(String.class),
523 isNull(Bundle.class));
524
525 brCap.getValue().onReceive(mContext, null);
526
527 assertFalse(dpm.isAdminActive(admin1));
528 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
529
530 // Again broadcast from saveSettingsLocked().
531 verify(mContext.spiedContext, times(2)).sendBroadcastAsUser(
532 MockUtils.checkIntentAction(
533 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
534 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
535
536 // TODO Check other internal calls.
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]537 }
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]538
539 /**
540 * Test for: {@link DevicePolicyManager#setDeviceOwner} DO on system user installs
541 * successfully.
542 */
543 public void testSetDeviceOwner() throws Exception {
544 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]545 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]546 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
547 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
548
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]549 // In this test, change the caller user to "system".
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]550 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
551
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]552 // Make sure admin1 is installed on system user.
553 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]554
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]555 // Check various get APIs.
556 checkGetDeviceOwnerInfoApi(dpm, /* hasDeviceOwner =*/ false);
557
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]558 // DO needs to be an DA.
559 dpm.setActiveAdmin(admin1, /* replace =*/ false);
560
561 // Fire!
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]562 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]563
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]564 // getDeviceOwnerComponent should return the admin1 component.
565 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
566 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
567
568 // Check various get APIs.
569 checkGetDeviceOwnerInfoApi(dpm, /* hasDeviceOwner =*/ true);
570
571 // getDeviceOwnerComponent should *NOT* return the admin1 component for other users.
572 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
573 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
574 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
575
576 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
577
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]578 // Verify internal calls.
579 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
580 eq(admin1.getPackageName()));
581
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]582 // TODO We should check if the caller has called clearCallerIdentity().
583 verify(mContext.ibackupManager, times(1)).setBackupServiceActive(
584 eq(UserHandle.USER_SYSTEM), eq(false));
585
586 verify(mContext.spiedContext, times(1)).sendBroadcastAsUser(
587 MockUtils.checkIntentAction(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED),
588 MockUtils.checkUserHandle(UserHandle.USER_SYSTEM));
589
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]590 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]591
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]592 // Try to set a profile owner on the same user, which should fail.
593 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID);
594 dpm.setActiveAdmin(admin2, /* refreshing= */ true, UserHandle.USER_SYSTEM);
595 try {
596 dpm.setProfileOwner(admin2, "owner-name", UserHandle.USER_SYSTEM);
597 fail("IllegalStateException not thrown");
598 } catch (IllegalStateException expected) {
599 assertTrue("Message was: " + expected.getMessage(),
600 expected.getMessage().contains("already has a device owner"));
601 }
602
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame]603 // DO admin can't be deactivated.
604 dpm.removeActiveAdmin(admin1);
605 assertTrue(dpm.isAdminActive(admin1));
606
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]607 // TODO Test getDeviceOwnerName() too. To do so, we need to change
608 // DPMS.getApplicationLabel() because Context.createPackageContextAsUser() is not mockable.
609 }
610
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]611 private void checkGetDeviceOwnerInfoApi(DevicePolicyManager dpm, boolean hasDeviceOwner) {
612 final int origCallingUser = mContext.binder.callingUid;
613 final List origPermissions = new ArrayList(mContext.callerPermissions);
614 mContext.callerPermissions.clear();
615
616 mContext.callerPermissions.add(permission.MANAGE_USERS);
617
618 mContext.binder.callingUid = Process.SYSTEM_UID;
619
620 // TODO Test getDeviceOwnerName() too. To do so, we need to change
621 // DPMS.getApplicationLabel() because Context.createPackageContextAsUser() is not mockable.
622 if (hasDeviceOwner) {
623 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
624 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
625 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
626
627 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
628 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
629 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
630 } else {
631 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
632 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
633 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
634
635 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
636 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
637 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
638 }
639
640 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
641 if (hasDeviceOwner) {
642 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
643 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
644 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
645
646 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
647 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
648 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
649 } else {
650 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
651 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
652 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
653
654 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
655 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
656 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
657 }
658
659 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
660 // Still with MANAGE_USERS.
661 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
662 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
663 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
664
665 if (hasDeviceOwner) {
666 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
667 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
668 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
669 } else {
670 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
671 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
672 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
673 }
674
675 mContext.binder.callingUid = Process.SYSTEM_UID;
676 mContext.callerPermissions.remove(permission.MANAGE_USERS);
677 // System can still call "OnAnyUser" without MANAGE_USERS.
678 if (hasDeviceOwner) {
679 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
680 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
681 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
682
683 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
684 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
685 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
686 } else {
687 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
688 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
689 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
690
691 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
692 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
693 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
694 }
695
696 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
697 // Still no MANAGE_USERS.
698 if (hasDeviceOwner) {
699 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
700 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
701 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
702 } else {
703 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
704 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
705 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
706 }
707
708 try {
709 dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName());
710 fail();
711 } catch (SecurityException expected) {
712 }
713 try {
714 dpm.getDeviceOwnerComponentOnAnyUser();
715 fail();
716 } catch (SecurityException expected) {
717 }
718 try {
719 dpm.getDeviceOwnerUserId();
720 fail();
721 } catch (SecurityException expected) {
722 }
723 try {
724 dpm.getDeviceOwnerNameOnAnyUser();
725 fail();
726 } catch (SecurityException expected) {
727 }
728
729 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
730 // Still no MANAGE_USERS.
731 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
732 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
733 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
734
735 try {
736 dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName());
737 fail();
738 } catch (SecurityException expected) {
739 }
740 try {
741 dpm.getDeviceOwnerComponentOnAnyUser();
742 fail();
743 } catch (SecurityException expected) {
744 }
745 try {
746 dpm.getDeviceOwnerUserId();
747 fail();
748 } catch (SecurityException expected) {
749 }
750 try {
751 dpm.getDeviceOwnerNameOnAnyUser();
752 fail();
753 } catch (SecurityException expected) {
754 }
755
756 // Restore.
757 mContext.binder.callingUid = origCallingUser;
758 mContext.callerPermissions.addAll(origPermissions);
759 }
760
761
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]762 /**
763 * Test for: {@link DevicePolicyManager#setDeviceOwner} Package doesn't exist.
764 */
765 public void testSetDeviceOwner_noSuchPackage() {
766 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]767 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]768 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
769 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
770
771 // Call from a process on the system user.
772 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
773
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]774 try {
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]775 dpm.setDeviceOwner(new ComponentName("a.b.c", ".def"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]776 fail("Didn't throw IllegalArgumentException");
777 } catch (IllegalArgumentException expected) {
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]778 assertTrue("Message was: " + expected.getMessage(),
779 expected.getMessage().contains("Invalid component"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]780 }
781 }
782
783 public void testSetDeviceOwner_failures() throws Exception {
784 // TODO Test more failure cases. Basically test all chacks in enforceCanSetDeviceOwner().
785 }
786
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]787 public void testClearDeviceOwner() throws Exception {
788 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]789 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]790 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
791 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
792
793 // Set admin1 as a DA to the secondary user.
794 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
795
796 dpm.setActiveAdmin(admin1, /* replace =*/ false);
797
798 // Set admin 1 as the DO to the system user.
799
800 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
801 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
802 dpm.setActiveAdmin(admin1, /* replace =*/ false);
803 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
804
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]805 // Verify internal calls.
806 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
807 eq(admin1.getPackageName()));
808
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]809 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]810
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame]811 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
812
813 assertTrue(dpm.isAdminActive(admin1));
814 assertFalse(dpm.isRemovingAdmin(admin1, UserHandle.USER_SYSTEM));
815
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]816 // Set up other mocks.
817 when(mContext.userManager.getUserRestrictions()).thenReturn(new Bundle());
818
819 // Now call clear.
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]820 doReturn(DpmMockContext.CALLER_SYSTEM_USER_UID).when(mContext.packageManager).getPackageUidAsUser(
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]821 eq(admin1.getPackageName()),
822 anyInt());
Makoto Onuki1a5ee772016-02-12 15:34:57 -0800[diff] [blame^]823
824 // But first pretend the user is locked. Then it should fail.
825 when(mContext.userManager.isUserUnlocked(anyInt())).thenReturn(false);
826 try {
827 dpm.clearDeviceOwnerApp(admin1.getPackageName());
828 fail("Didn't throw IllegalStateException");
829 } catch (IllegalStateException expected) {
830 MoreAsserts.assertContainsRegex(
831 "User must be running and unlocked", expected.getMessage());
832 }
833
834 when(mContext.userManager.isUserUnlocked(anyInt())).thenReturn(true);
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame]835 reset(mContext.userManagerInternal);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]836 dpm.clearDeviceOwnerApp(admin1.getPackageName());
837
838 // Now DO shouldn't be set.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]839 assertNull(dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]840
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame]841 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
842 eq(UserHandle.USER_SYSTEM),
843 MockUtils.checkUserRestrictions(),
844 MockUtils.checkUserRestrictions()
845 );
846
847 assertTrue(dpm.isAdminActive(admin1));
848 assertTrue(dpm.isRemovingAdmin(admin1, UserHandle.USER_SYSTEM));
849
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]850 // TODO Check other calls.
851 }
852
853 public void testClearDeviceOwner_fromDifferentUser() throws Exception {
854 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]855 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]856 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
857 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
858
859 // Set admin1 as a DA to the secondary user.
860 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
861
862 dpm.setActiveAdmin(admin1, /* replace =*/ false);
863
864 // Set admin 1 as the DO to the system user.
865
866 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
867 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
868 dpm.setActiveAdmin(admin1, /* replace =*/ false);
869 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
870
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]871 // Verify internal calls.
872 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
873 eq(admin1.getPackageName()));
874
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]875 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]876
877 // Now call clear from the secondary user, which should throw.
878 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
879
880 // Now call clear.
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]881 doReturn(DpmMockContext.CALLER_UID).when(mContext.packageManager).getPackageUidAsUser(
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]882 eq(admin1.getPackageName()),
883 anyInt());
884 try {
885 dpm.clearDeviceOwnerApp(admin1.getPackageName());
886 fail("Didn't throw");
887 } catch (SecurityException e) {
888 assertEquals("clearDeviceOwner can only be called by the device owner", e.getMessage());
889 }
890
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]891 // DO shouldn't be removed.
892 assertTrue(dpm.isDeviceManaged());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]893 }
894
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]895 public void testSetProfileOwner() throws Exception {
896 setAsProfileOwner(admin1);
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]897
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame]898 // PO admin can't be deactivated.
899 dpm.removeActiveAdmin(admin1);
900 assertTrue(dpm.isAdminActive(admin1));
901
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]902 // Try setting DO on the same user, which should fail.
903 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
904 dpm.setActiveAdmin(admin2, /* refreshing= */ true, DpmMockContext.CALLER_USER_HANDLE);
905 try {
906 dpm.setDeviceOwner(admin2, "owner-name", DpmMockContext.CALLER_USER_HANDLE);
907 fail("IllegalStateException not thrown");
908 } catch (IllegalStateException expected) {
909 assertTrue("Message was: " + expected.getMessage(),
910 expected.getMessage().contains("already has a profile owner"));
911 }
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]912 }
913
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame]914 public void testClearProfileOwner() throws Exception {
915 setAsProfileOwner(admin1);
916
917 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
918
919 assertTrue(dpm.isProfileOwnerApp(admin1.getPackageName()));
920 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
921
Makoto Onuki1a5ee772016-02-12 15:34:57 -0800[diff] [blame^]922 // First try when the user is locked, which should fail.
923 when(mContext.userManager.isUserUnlocked(anyInt()))
924 .thenReturn(false);
925 try {
926 dpm.clearProfileOwner(admin1);
927 fail("Didn't throw IllegalStateException");
928 } catch (IllegalStateException expected) {
929 MoreAsserts.assertContainsRegex(
930 "User must be running and unlocked", expected.getMessage());
931 }
932 // Clear, really.
933 when(mContext.userManager.isUserUnlocked(anyInt()))
934 .thenReturn(true);
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame]935 dpm.clearProfileOwner(admin1);
936
937 // Check
938 assertFalse(dpm.isProfileOwnerApp(admin1.getPackageName()));
939 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
940 }
941
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]942 public void testSetProfileOwner_failures() throws Exception {
943 // TODO Test more failure cases. Basically test all chacks in enforceCanSetProfileOwner().
944 }
945
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]946 public void testGetDeviceOwnerAdminLocked() throws Exception {
947 checkDeviceOwnerWithMultipleDeviceAdmins();
948 }
949
950 private void checkDeviceOwnerWithMultipleDeviceAdmins() throws Exception {
951 // In ths test, we use 3 users (system + 2 secondary users), set some device admins to them,
952 // set admin2 on CALLER_USER_HANDLE as DO, then call getDeviceOwnerAdminLocked() to
953 // make sure it gets the right component from the right user.
954
955 final int ANOTHER_USER_ID = 100;
956 final int ANOTHER_ADMIN_UID = UserHandle.getUid(ANOTHER_USER_ID, 456);
957
958 mMockContext.addUser(ANOTHER_USER_ID, 0); // Add one more user.
959
960 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]961 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]962 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
963 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
964
965 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
966
967 // Make sure the admin packge is installed to each user.
968 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
969 setUpPackageManagerForAdmin(admin3, DpmMockContext.CALLER_SYSTEM_USER_UID);
970
971 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
972 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
973
974 setUpPackageManagerForAdmin(admin2, ANOTHER_ADMIN_UID);
975
976
977 // Set active admins to the users.
978 dpm.setActiveAdmin(admin1, /* replace =*/ false);
979 dpm.setActiveAdmin(admin3, /* replace =*/ false);
980
981 dpm.setActiveAdmin(admin1, /* replace =*/ false, DpmMockContext.CALLER_USER_HANDLE);
982 dpm.setActiveAdmin(admin2, /* replace =*/ false, DpmMockContext.CALLER_USER_HANDLE);
983
984 dpm.setActiveAdmin(admin2, /* replace =*/ false, ANOTHER_USER_ID);
985
986 // Set DO on the first non-system user.
987 mContext.setUserRunning(DpmMockContext.CALLER_USER_HANDLE, true);
988 assertTrue(dpm.setDeviceOwner(admin2, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
989
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]990 assertEquals(admin2, dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false));
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]991
992 // Then check getDeviceOwnerAdminLocked().
993 assertEquals(admin2, dpms.getDeviceOwnerAdminLocked().info.getComponent());
994 assertEquals(DpmMockContext.CALLER_UID, dpms.getDeviceOwnerAdminLocked().getUid());
995 }
996
997 /**
998 * This essentially tests
999 * {@code DevicePolicyManagerService.findOwnerComponentIfNecessaryLocked()}. (which is private.)
1000 *
1001 * We didn't use to persist the DO component class name, but now we do, and the above method
1002 * finds the right component from a package name upon migration.
1003 */
1004 public void testDeviceOwnerMigration() throws Exception {
1005 checkDeviceOwnerWithMultipleDeviceAdmins();
1006
1007 // Overwrite the device owner setting and clears the clas name.
1008 dpms.mOwners.setDeviceOwner(
1009 new ComponentName(admin2.getPackageName(), ""),
1010 "owner-name", DpmMockContext.CALLER_USER_HANDLE);
1011 dpms.mOwners.writeDeviceOwner();
1012
1013 // Make sure the DO component name doesn't have a class name.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]1014 assertEquals("", dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false).getClassName());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]1015
1016 // Then create a new DPMS to have it load the settings from files.
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1017 when(mContext.userManager.getUserRestrictions(any(UserHandle.class)))
1018 .thenReturn(new Bundle());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]1019 initializeDpms();
1020
1021 // Now the DO component name is a full name.
1022 // *BUT* because both admin1 and admin2 belong to the same package, we think admin1 is the
1023 // DO.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]1024 assertEquals(admin1, dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false));
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]1025 }
1026
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]1027 public void testSetGetApplicationRestriction() {
1028 setAsProfileOwner(admin1);
1029
1030 {
1031 Bundle rest = new Bundle();
1032 rest.putString("KEY_STRING", "Foo1");
1033 dpm.setApplicationRestrictions(admin1, "pkg1", rest);
1034 }
1035
1036 {
1037 Bundle rest = new Bundle();
1038 rest.putString("KEY_STRING", "Foo2");
1039 dpm.setApplicationRestrictions(admin1, "pkg2", rest);
1040 }
1041
1042 {
1043 Bundle returned = dpm.getApplicationRestrictions(admin1, "pkg1");
1044 assertNotNull(returned);
1045 assertEquals(returned.size(), 1);
1046 assertEquals(returned.get("KEY_STRING"), "Foo1");
1047 }
1048
1049 {
1050 Bundle returned = dpm.getApplicationRestrictions(admin1, "pkg2");
1051 assertNotNull(returned);
1052 assertEquals(returned.size(), 1);
1053 assertEquals(returned.get("KEY_STRING"), "Foo2");
1054 }
1055
1056 dpm.setApplicationRestrictions(admin1, "pkg2", new Bundle());
1057 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg2").size());
1058 }
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1059
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]1060 public void testApplicationRestrictionsManagingApp() throws Exception {
1061 setAsProfileOwner(admin1);
1062
1063 final String appRestrictionsManagerPackage = "com.google.app.restrictions.manager";
1064 final int appRestrictionsManagerAppId = 20987;
1065 final int appRestrictionsManagerUid = UserHandle.getUid(
1066 DpmMockContext.CALLER_USER_HANDLE, appRestrictionsManagerAppId);
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]1067 doReturn(appRestrictionsManagerUid).when(mContext.packageManager).getPackageUidAsUser(
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]1068 eq(appRestrictionsManagerPackage),
1069 eq(DpmMockContext.CALLER_USER_HANDLE));
1070 mContext.binder.callingUid = appRestrictionsManagerUid;
1071
1072 // appRestrictionsManager package shouldn't be able to manage restrictions as the PO hasn't
1073 // delegated that permission yet.
1074 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1075 Bundle rest = new Bundle();
1076 rest.putString("KEY_STRING", "Foo1");
1077 try {
1078 dpm.setApplicationRestrictions(null, "pkg1", rest);
1079 fail("Didn't throw expected SecurityException");
1080 } catch (SecurityException expected) {
1081 MoreAsserts.assertContainsRegex(
1082 "caller cannot manage application restrictions", expected.getMessage());
1083 }
1084 try {
1085 dpm.getApplicationRestrictions(null, "pkg1");
1086 fail("Didn't throw expected SecurityException");
1087 } catch (SecurityException expected) {
1088 MoreAsserts.assertContainsRegex(
1089 "caller cannot manage application restrictions", expected.getMessage());
1090 }
1091
1092 // Check via the profile owner that no restrictions were set.
1093 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1094 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg1").size());
1095
1096 // Let appRestrictionsManagerPackage manage app restrictions
1097 dpm.setApplicationRestrictionsManagingPackage(admin1, appRestrictionsManagerPackage);
1098 assertEquals(appRestrictionsManagerPackage,
1099 dpm.getApplicationRestrictionsManagingPackage(admin1));
1100
1101 // Now that package should be able to set and retrieve app restrictions.
1102 mContext.binder.callingUid = appRestrictionsManagerUid;
1103 assertTrue(dpm.isCallerApplicationRestrictionsManagingPackage());
1104 dpm.setApplicationRestrictions(null, "pkg1", rest);
1105 Bundle returned = dpm.getApplicationRestrictions(null, "pkg1");
1106 assertEquals(1, returned.size(), 1);
1107 assertEquals("Foo1", returned.get("KEY_STRING"));
1108
1109 // The same app running on a separate user shouldn't be able to manage app restrictions.
1110 mContext.binder.callingUid = UserHandle.getUid(
1111 UserHandle.USER_SYSTEM, appRestrictionsManagerAppId);
1112 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1113 try {
1114 dpm.setApplicationRestrictions(null, "pkg1", rest);
1115 fail("Didn't throw expected SecurityException");
1116 } catch (SecurityException expected) {
1117 MoreAsserts.assertContainsRegex(
1118 "caller cannot manage application restrictions", expected.getMessage());
1119 }
1120
1121 // The DPM is still able to manage app restrictions, even if it allowed another app to do it
1122 // too.
1123 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1124 assertEquals(returned, dpm.getApplicationRestrictions(admin1, "pkg1"));
1125 dpm.setApplicationRestrictions(admin1, "pkg1", null);
1126 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg1").size());
1127
1128 // Removing the ability for the package to manage app restrictions.
1129 dpm.setApplicationRestrictionsManagingPackage(admin1, null);
1130 assertNull(dpm.getApplicationRestrictionsManagingPackage(admin1));
1131 mContext.binder.callingUid = appRestrictionsManagerUid;
1132 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1133 try {
1134 dpm.setApplicationRestrictions(null, "pkg1", null);
1135 fail("Didn't throw expected SecurityException");
1136 } catch (SecurityException expected) {
1137 MoreAsserts.assertContainsRegex(
1138 "caller cannot manage application restrictions", expected.getMessage());
1139 }
1140 }
1141
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1142 public void testSetUserRestriction_asDo() throws Exception {
1143 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]1144 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1145 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1146 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1147
1148 // First, set DO.
1149
1150 // Call from a process on the system user.
1151 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1152
1153 // Make sure admin1 is installed on system user.
1154 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1155
1156 // Call.
1157 dpm.setActiveAdmin(admin1, /* replace =*/ false, UserHandle.USER_SYSTEM);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]1158 assertTrue(dpm.setDeviceOwner(admin1, "owner-name",
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1159 UserHandle.USER_SYSTEM));
1160
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1161 DpmTestUtils.assertRestrictions(
1162 DpmTestUtils.newRestrictions(),
1163 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1164 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1165 DpmTestUtils.assertRestrictions(
1166 DpmTestUtils.newRestrictions(),
1167 dpm.getUserRestrictions(admin1)
1168 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1169
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1170 reset(mContext.userManagerInternal);
1171
1172 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1173 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1174 eq(UserHandle.USER_SYSTEM),
1175 MockUtils.checkUserRestrictions(),
1176 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1177 );
1178 reset(mContext.userManagerInternal);
1179
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1180 dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1181 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1182 eq(UserHandle.USER_SYSTEM),
1183 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1184 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1185 );
1186 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1187
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1188 DpmTestUtils.assertRestrictions(
1189 DpmTestUtils.newRestrictions(
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1190 UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_OUTGOING_CALLS),
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1191 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1192 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1193 DpmTestUtils.assertRestrictions(
1194 DpmTestUtils.newRestrictions(
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1195 UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_OUTGOING_CALLS),
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1196 dpm.getUserRestrictions(admin1)
1197 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1198
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1199 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1200 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1201 eq(UserHandle.USER_SYSTEM),
1202 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1203 MockUtils.checkUserRestrictions()
1204 );
1205 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1206
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1207 DpmTestUtils.assertRestrictions(
1208 DpmTestUtils.newRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1209 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1210 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1211 DpmTestUtils.assertRestrictions(
1212 DpmTestUtils.newRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1213 dpm.getUserRestrictions(admin1)
1214 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1215
1216 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1217 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1218 eq(UserHandle.USER_SYSTEM),
1219 MockUtils.checkUserRestrictions(),
1220 MockUtils.checkUserRestrictions()
1221 );
1222 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1223
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1224 DpmTestUtils.assertRestrictions(
1225 DpmTestUtils.newRestrictions(),
1226 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1227 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1228 DpmTestUtils.assertRestrictions(
1229 DpmTestUtils.newRestrictions(),
1230 dpm.getUserRestrictions(admin1)
1231 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1232
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1233 // DISALLOW_ADJUST_VOLUME and DISALLOW_UNMUTE_MICROPHONE are PO restrictions, but when
1234 // DO sets them, the scope is global.
1235 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1236 reset(mContext.userManagerInternal);
1237 dpm.addUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1238 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1239 eq(UserHandle.USER_SYSTEM),
1240 MockUtils.checkUserRestrictions(),
1241 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
1242 UserManager.DISALLOW_UNMUTE_MICROPHONE)
1243 );
1244 reset(mContext.userManagerInternal);
1245
1246 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1247 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1248
1249
1250 // More tests.
1251 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1252 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1253 eq(UserHandle.USER_SYSTEM),
1254 MockUtils.checkUserRestrictions(),
1255 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1256 );
1257 reset(mContext.userManagerInternal);
1258
1259 dpm.addUserRestriction(admin1, UserManager.DISALLOW_FUN);
1260 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1261 eq(UserHandle.USER_SYSTEM),
1262 MockUtils.checkUserRestrictions(),
1263 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1264 UserManager.DISALLOW_ADD_USER)
1265 );
1266 reset(mContext.userManagerInternal);
1267
1268 dpm.setCameraDisabled(admin1, true);
1269 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1270 eq(UserHandle.USER_SYSTEM),
1271 // DISALLOW_CAMERA will be applied to both local and global.
1272 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA),
1273 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1274 UserManager.DISALLOW_CAMERA, UserManager.DISALLOW_ADD_USER)
1275 );
1276 reset(mContext.userManagerInternal);
1277
1278 // Set up another DA and let it disable camera. Now DISALLOW_CAMERA will only be applied
1279 // locally.
1280 dpm.setCameraDisabled(admin1, false);
1281 reset(mContext.userManagerInternal);
1282
1283 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID);
1284 dpm.setActiveAdmin(admin2, /* replace =*/ false, UserHandle.USER_SYSTEM);
1285 dpm.setCameraDisabled(admin2, true);
1286
1287 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1288 eq(UserHandle.USER_SYSTEM),
1289 // DISALLOW_CAMERA will be applied to both local and global.
1290 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA),
1291 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1292 UserManager.DISALLOW_ADD_USER)
1293 );
1294 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1295 // TODO Make sure restrictions are written to the file.
1296 }
1297
1298 public void testSetUserRestriction_asPo() {
1299 setAsProfileOwner(admin1);
1300
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1301 DpmTestUtils.assertRestrictions(
1302 DpmTestUtils.newRestrictions(),
1303 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1304 .ensureUserRestrictions()
1305 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1306
1307 dpm.addUserRestriction(admin1, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1308 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1309 eq(DpmMockContext.CALLER_USER_HANDLE),
1310 MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES),
1311 isNull(Bundle.class)
1312 );
1313 reset(mContext.userManagerInternal);
1314
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1315 dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1316 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1317 eq(DpmMockContext.CALLER_USER_HANDLE),
1318 MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1319 UserManager.DISALLOW_OUTGOING_CALLS),
1320 isNull(Bundle.class)
1321 );
1322 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1323
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1324 DpmTestUtils.assertRestrictions(
1325 DpmTestUtils.newRestrictions(
1326 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1327 UserManager.DISALLOW_OUTGOING_CALLS
1328 ),
1329 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1330 .ensureUserRestrictions()
1331 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1332 DpmTestUtils.assertRestrictions(
1333 DpmTestUtils.newRestrictions(
1334 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1335 UserManager.DISALLOW_OUTGOING_CALLS
1336 ),
1337 dpm.getUserRestrictions(admin1)
1338 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1339
1340 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1341 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1342 eq(DpmMockContext.CALLER_USER_HANDLE),
1343 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1344 isNull(Bundle.class)
1345 );
1346 reset(mContext.userManagerInternal);
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1347
1348 DpmTestUtils.assertRestrictions(
1349 DpmTestUtils.newRestrictions(
1350 UserManager.DISALLOW_OUTGOING_CALLS
1351 ),
1352 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1353 .ensureUserRestrictions()
1354 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1355 DpmTestUtils.assertRestrictions(
1356 DpmTestUtils.newRestrictions(
1357 UserManager.DISALLOW_OUTGOING_CALLS
1358 ),
1359 dpm.getUserRestrictions(admin1)
1360 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1361
1362 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1363 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1364 eq(DpmMockContext.CALLER_USER_HANDLE),
1365 MockUtils.checkUserRestrictions(),
1366 isNull(Bundle.class)
1367 );
1368 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1369
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1370 DpmTestUtils.assertRestrictions(
1371 DpmTestUtils.newRestrictions(),
1372 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1373 .ensureUserRestrictions()
1374 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1375 DpmTestUtils.assertRestrictions(
1376 DpmTestUtils.newRestrictions(),
1377 dpm.getUserRestrictions(admin1)
1378 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1379
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1380 // DISALLOW_ADJUST_VOLUME and DISALLOW_UNMUTE_MICROPHONE can be set by PO too, even
1381 // though when DO sets them they'll be applied globally.
1382 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1383 reset(mContext.userManagerInternal);
1384 dpm.addUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1385 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1386 eq(DpmMockContext.CALLER_USER_HANDLE),
1387 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
1388 UserManager.DISALLOW_UNMUTE_MICROPHONE),
1389 isNull(Bundle.class)
1390 );
1391 reset(mContext.userManagerInternal);
1392
1393 dpm.setCameraDisabled(admin1, true);
1394 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1395 eq(DpmMockContext.CALLER_USER_HANDLE),
1396 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA,
1397 UserManager.DISALLOW_ADJUST_VOLUME,
1398 UserManager.DISALLOW_UNMUTE_MICROPHONE),
1399 isNull(Bundle.class)
1400 );
1401 reset(mContext.userManagerInternal);
1402
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1403 // TODO Make sure restrictions are written to the file.
1404 }
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]1405
1406 public void testGetMacAddress() throws Exception {
1407 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1408 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1409 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1410
1411 // In this test, change the caller user to "system".
1412 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1413
1414 // Make sure admin1 is installed on system user.
1415 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1416
1417 // Test 1. Caller doesn't have DO or DA.
1418 try {
1419 dpm.getWifiMacAddress();
1420 fail();
1421 } catch (SecurityException e) {
1422 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1423 }
1424
1425 // DO needs to be an DA.
1426 dpm.setActiveAdmin(admin1, /* replace =*/ false);
1427 assertTrue(dpm.isAdminActive(admin1));
1428
1429 // Test 2. Caller has DA, but not DO.
1430 try {
1431 dpm.getWifiMacAddress();
1432 fail();
1433 } catch (SecurityException e) {
1434 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1435 }
1436
1437 // Test 3. Caller has PO, but not DO.
1438 assertTrue(dpm.setProfileOwner(admin1, null, UserHandle.USER_SYSTEM));
1439 try {
1440 dpm.getWifiMacAddress();
1441 fail();
1442 } catch (SecurityException e) {
1443 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1444 }
1445
1446 // Remove PO.
1447 dpm.clearProfileOwner(admin1);
1448
1449 // Test 4, Caller is DO now.
1450 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1451
1452 // 4-1. But no WifiInfo.
1453 assertNull(dpm.getWifiMacAddress());
1454
1455 // 4-2. Returns WifiInfo, but with the default MAC.
1456 when(mContext.wifiManager.getConnectionInfo()).thenReturn(new WifiInfo());
1457 assertNull(dpm.getWifiMacAddress());
1458
1459 // 4-3. With a real MAC address.
1460 final WifiInfo wi = new WifiInfo();
1461 wi.setMacAddress("11:22:33:44:55:66");
1462 when(mContext.wifiManager.getConnectionInfo()).thenReturn(wi);
1463 assertEquals("11:22:33:44:55:66", dpm.getWifiMacAddress());
1464 }
Mahaver Chopraf8373b52015-12-23 14:42:18 +0000[diff] [blame]1465
1466 public void testRebootCanOnlyBeCalledByDeviceOwner() throws Exception {
1467 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1468 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1469
1470 // In this test, change the caller user to "system".
1471 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1472
1473 // Make sure admin1 is installed on system user.
1474 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1475
1476 // Set admin1 as DA.
1477 dpm.setActiveAdmin(admin1, false);
1478 assertTrue(dpm.isAdminActive(admin1));
1479 try {
1480 dpm.reboot(admin1);
1481 fail("DA calls DPM.reboot(), did not throw expected SecurityException");
1482 } catch (SecurityException expected) {
1483 MoreAsserts.assertContainsRegex("does not own the device", expected.getMessage());
1484 }
1485
1486 // Set admin1 as PO.
1487 assertTrue(dpm.setProfileOwner(admin1, null, UserHandle.USER_SYSTEM));
1488 try {
1489 dpm.reboot(admin1);
1490 fail("PO calls DPM.reboot(), did not throw expected SecurityException");
1491 } catch (SecurityException expected) {
1492 MoreAsserts.assertContainsRegex("does not own the device", expected.getMessage());
1493 }
1494
1495 // Remove PO and add DO.
1496 dpm.clearProfileOwner(admin1);
1497 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1498
1499 dpm.reboot(admin1);
1500 }
Kenny Guy06de4e72015-12-22 12:07:39 +0000[diff] [blame]1501
1502 public void testSetGetSupportText() {
1503 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1504 dpm.setActiveAdmin(admin1, true);
1505 dpm.setActiveAdmin(admin2, true);
1506 mContext.callerPermissions.remove(permission.MANAGE_DEVICE_ADMINS);
1507
1508 // Null default support messages.
1509 {
1510 assertNull(dpm.getLongSupportMessage(admin1));
1511 assertNull(dpm.getShortSupportMessage(admin1));
1512 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1513 assertNull(dpm.getShortSupportMessageForUser(admin1,
1514 DpmMockContext.CALLER_USER_HANDLE));
1515 assertNull(dpm.getLongSupportMessageForUser(admin1,
1516 DpmMockContext.CALLER_USER_HANDLE));
1517 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1518 }
1519
1520 // Only system can call the per user versions.
1521 {
1522 try {
1523 dpm.getShortSupportMessageForUser(admin1,
1524 DpmMockContext.CALLER_USER_HANDLE);
1525 fail("Only system should be able to call getXXXForUser versions");
1526 } catch (SecurityException expected) {
1527 MoreAsserts.assertContainsRegex("message for user", expected.getMessage());
1528 }
1529 try {
1530 dpm.getLongSupportMessageForUser(admin1,
1531 DpmMockContext.CALLER_USER_HANDLE);
1532 fail("Only system should be able to call getXXXForUser versions");
1533 } catch (SecurityException expected) {
1534 MoreAsserts.assertContainsRegex("message for user", expected.getMessage());
1535 }
1536 }
1537
1538 // Can't set message for admin in another uid.
1539 {
1540 mContext.binder.callingUid = DpmMockContext.CALLER_UID + 1;
1541 try {
1542 dpm.setShortSupportMessage(admin1, "Some text");
1543 fail("Admins should only be able to change their own support text.");
1544 } catch (SecurityException expected) {
1545 MoreAsserts.assertContainsRegex("is not owned by uid", expected.getMessage());
1546 }
1547 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1548 }
1549
1550 // Set/Get short returns what it sets and other admins text isn't changed.
1551 {
1552 final String supportText = "Some text to test with.";
1553 dpm.setShortSupportMessage(admin1, supportText);
1554 assertEquals(supportText, dpm.getShortSupportMessage(admin1));
1555 assertNull(dpm.getLongSupportMessage(admin1));
1556 assertNull(dpm.getShortSupportMessage(admin2));
1557
1558 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1559 assertEquals(supportText, dpm.getShortSupportMessageForUser(admin1,
1560 DpmMockContext.CALLER_USER_HANDLE));
1561 assertNull(dpm.getShortSupportMessageForUser(admin2,
1562 DpmMockContext.CALLER_USER_HANDLE));
1563 assertNull(dpm.getLongSupportMessageForUser(admin1,
1564 DpmMockContext.CALLER_USER_HANDLE));
1565 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1566
1567 dpm.setShortSupportMessage(admin1, null);
1568 assertNull(dpm.getShortSupportMessage(admin1));
1569 }
1570
1571 // Set/Get long returns what it sets and other admins text isn't changed.
1572 {
1573 final String supportText = "Some text to test with.\nWith more text.";
1574 dpm.setLongSupportMessage(admin1, supportText);
1575 assertEquals(supportText, dpm.getLongSupportMessage(admin1));
1576 assertNull(dpm.getShortSupportMessage(admin1));
1577 assertNull(dpm.getLongSupportMessage(admin2));
1578
1579 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1580 assertEquals(supportText, dpm.getLongSupportMessageForUser(admin1,
1581 DpmMockContext.CALLER_USER_HANDLE));
1582 assertNull(dpm.getLongSupportMessageForUser(admin2,
1583 DpmMockContext.CALLER_USER_HANDLE));
1584 assertNull(dpm.getShortSupportMessageForUser(admin1,
1585 DpmMockContext.CALLER_USER_HANDLE));
1586 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1587
1588 dpm.setLongSupportMessage(admin1, null);
1589 assertNull(dpm.getLongSupportMessage(admin1));
1590 }
1591 }
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]1592
1593 /**
1594 * Test for:
1595 * {@link DevicePolicyManager#setAffiliationIds}
1596 * {@link DevicePolicyManager#isAffiliatedUser}
1597 */
1598 public void testUserAffiliation() throws Exception {
1599 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1600 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1601 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1602
1603 // Check that the system user is unaffiliated.
1604 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1605 assertFalse(dpm.isAffiliatedUser());
1606
1607 // Set a device owner on the system user. Check that the system user becomes affiliated.
1608 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1609 dpm.setActiveAdmin(admin1, /* replace =*/ false);
1610 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
1611 assertTrue(dpm.isAffiliatedUser());
1612
1613 // Install a profile owner whose package name matches the device owner on a test user. Check
1614 // that the test user is unaffiliated.
1615 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1616 setAsProfileOwner(admin2);
1617 assertFalse(dpm.isAffiliatedUser());
1618
1619 // Have the profile owner specify a set of affiliation ids. Check that the test user remains
1620 // unaffiliated.
1621 final Set<String> userAffiliationIds = new ArraySet<>();
1622 userAffiliationIds.add("red");
1623 userAffiliationIds.add("green");
1624 userAffiliationIds.add("blue");
1625 dpm.setAffiliationIds(admin2, userAffiliationIds);
1626 assertFalse(dpm.isAffiliatedUser());
1627
1628 // Have the device owner specify a set of affiliation ids that do not intersect with those
1629 // specified by the profile owner. Check that the test user remains unaffiliated.
1630 final Set<String> deviceAffiliationIds = new ArraySet<>();
1631 deviceAffiliationIds.add("cyan");
1632 deviceAffiliationIds.add("yellow");
1633 deviceAffiliationIds.add("magenta");
1634 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1635 dpm.setAffiliationIds(admin1, deviceAffiliationIds);
1636 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1637 assertFalse(dpm.isAffiliatedUser());
1638
1639 // Have the profile owner specify a set of affiliation ids that intersect with those
1640 // specified by the device owner. Check that the test user becomes affiliated.
1641 userAffiliationIds.add("yellow");
1642 dpm.setAffiliationIds(admin2, userAffiliationIds);
1643 assertTrue(dpm.isAffiliatedUser());
1644
1645 // Change the profile owner to one whose package name does not match the device owner. Check
1646 // that the test user is not affiliated anymore.
1647 dpm.clearProfileOwner(admin2);
1648 final ComponentName admin = new ComponentName("test", "test");
1649 markPackageAsInstalled(admin.getPackageName(), null, DpmMockContext.CALLER_USER_HANDLE);
1650 assertTrue(dpm.setProfileOwner(admin, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
1651 assertFalse(dpm.isAffiliatedUser());
1652
1653 // Check that the system user remains affiliated.
1654 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1655 assertTrue(dpm.isAffiliatedUser());
1656 }
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]1657
1658 public void testGetUserProvisioningState_defaultResult() {
1659 assertEquals(DevicePolicyManager.STATE_USER_UNMANAGED, dpm.getUserProvisioningState());
1660 }
1661
1662 public void testSetUserProvisioningState_permission() throws Exception {
1663 setupProfileOwner();
1664 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1665
1666 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1667 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1668 }
1669
1670 public void testSetUserProvisioningState_unprivileged() throws Exception {
1671 setupProfileOwner();
1672 try {
1673 dpm.setUserProvisioningState(DevicePolicyManager.STATE_USER_SETUP_FINALIZED,
1674 DpmMockContext.CALLER_USER_HANDLE);
1675 fail("Expected SecurityException");
1676 } catch (SecurityException expected) {
1677 }
1678 }
1679
1680 public void testSetUserProvisioningState_noManagement() {
1681 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1682 try {
1683 dpm.setUserProvisioningState(DevicePolicyManager.STATE_USER_SETUP_FINALIZED,
1684 DpmMockContext.CALLER_USER_HANDLE);
1685 fail("IllegalStateException expected");
1686 } catch (IllegalStateException e) {
1687 MoreAsserts.assertContainsRegex("change provisioning state unless a .* owner is set",
1688 e.getMessage());
1689 }
1690 assertEquals(DevicePolicyManager.STATE_USER_UNMANAGED, dpm.getUserProvisioningState());
1691 }
1692
1693 public void testSetUserProvisioningState_deviceOwnerFromSetupWizard() throws Exception {
1694 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1695 setupDeviceOwner();
1696 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1697
1698 exerciseUserProvisioningTransitions(UserHandle.USER_SYSTEM,
1699 DevicePolicyManager.STATE_USER_SETUP_COMPLETE,
1700 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1701 }
1702
1703 public void testSetUserProvisioningState_deviceOwnerFromSetupWizardAlternative()
1704 throws Exception {
1705 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1706 setupDeviceOwner();
1707 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1708
1709 exerciseUserProvisioningTransitions(UserHandle.USER_SYSTEM,
1710 DevicePolicyManager.STATE_USER_SETUP_INCOMPLETE,
1711 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1712 }
1713
1714 public void testSetUserProvisioningState_deviceOwnerWithoutSetupWizard() throws Exception {
1715 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1716 setupDeviceOwner();
1717 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1718
1719 exerciseUserProvisioningTransitions(UserHandle.USER_SYSTEM,
1720 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1721 }
1722
1723 public void testSetUserProvisioningState_managedProfileFromSetupWizard_primaryUser()
1724 throws Exception {
1725 setupProfileOwner();
1726 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1727
1728 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1729 DevicePolicyManager.STATE_USER_PROFILE_COMPLETE,
1730 DevicePolicyManager.STATE_USER_UNMANAGED);
1731 }
1732
1733 public void testSetUserProvisioningState_managedProfileFromSetupWizard_managedProfile()
1734 throws Exception {
1735 setupProfileOwner();
1736 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1737
1738 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1739 DevicePolicyManager.STATE_USER_SETUP_COMPLETE,
1740 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1741 }
1742
1743 public void testSetUserProvisioningState_managedProfileWithoutSetupWizard() throws Exception {
1744 setupProfileOwner();
1745 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1746
1747 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1748 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1749 }
1750
1751 public void testSetUserProvisioningState_illegalTransitionOutOfFinalized1() throws Exception {
1752 setupProfileOwner();
1753 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1754
1755 try {
1756 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1757 DevicePolicyManager.STATE_USER_SETUP_FINALIZED,
1758 DevicePolicyManager.STATE_USER_UNMANAGED);
1759 fail("Expected IllegalStateException");
1760 } catch (IllegalStateException e) {
1761 MoreAsserts.assertContainsRegex("Cannot move to user provisioning state",
1762 e.getMessage());
1763 }
1764 }
1765
1766 public void testSetUserProvisioningState_illegalTransitionToAnotherInProgressState()
1767 throws Exception {
1768 setupProfileOwner();
1769 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1770
1771 try {
1772 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1773 DevicePolicyManager.STATE_USER_SETUP_INCOMPLETE,
1774 DevicePolicyManager.STATE_USER_SETUP_COMPLETE);
1775 fail("Expected IllegalStateException");
1776 } catch (IllegalStateException e) {
1777 MoreAsserts.assertContainsRegex("Cannot move to user provisioning state",
1778 e.getMessage());
1779 }
1780 }
1781
1782 private void exerciseUserProvisioningTransitions(int userId, int... states) {
1783 assertEquals(DevicePolicyManager.STATE_USER_UNMANAGED, dpm.getUserProvisioningState());
1784 for (int state : states) {
1785 dpm.setUserProvisioningState(state, userId);
1786 assertEquals(state, dpm.getUserProvisioningState());
1787 }
1788 }
1789
1790 private void setupProfileOwner() throws Exception {
1791 mContext.callerPermissions.addAll(OWNER_SETUP_PERMISSIONS);
1792
1793 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
1794 dpm.setActiveAdmin(admin1, false);
1795 assertTrue(dpm.setProfileOwner(admin1, null, DpmMockContext.CALLER_USER_HANDLE));
1796
1797 mContext.callerPermissions.removeAll(OWNER_SETUP_PERMISSIONS);
1798 }
1799
1800 private void setupDeviceOwner() throws Exception {
1801 mContext.callerPermissions.addAll(OWNER_SETUP_PERMISSIONS);
1802
1803 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1804 dpm.setActiveAdmin(admin1, false);
1805 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1806
1807 mContext.callerPermissions.removeAll(OWNER_SETUP_PERMISSIONS);
1808 }
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]1809}