Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / 1acbb9c031c6eebde0fc5d84e3d939c2596a9de4 / . / services / tests / servicestests / src / com / android / server / locksettings / CachedSyntheticPasswordTests.java
blob: d2a914527880446fd16f14c5064bd662b8a5a72c [file] [log] [blame]
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]1/*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16package com.android.server.locksettings;
17
18import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_ALPHABETIC;
19import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
20
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]21import static com.android.server.testutils.TestUtils.assertExpectException;
22
23import static org.mockito.Mockito.anyInt;
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]24import static org.mockito.Mockito.atLeastOnce;
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]25import static org.mockito.Mockito.verify;
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]26import static org.mockito.Mockito.when;
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]27
28import android.os.RemoteException;
Pavel Grafov57f1b662019-03-27 14:55:38 +0000[diff] [blame]29import android.platform.test.annotations.Presubmit;
30
31import androidx.test.filters.SmallTest;
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]32
33import com.android.internal.widget.LockPatternUtils;
34import com.android.internal.widget.VerifyCredentialResponse;
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]35
36import org.mockito.ArgumentCaptor;
37
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]38import java.util.ArrayList;
39
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]40/**
41 * Run the synthetic password tests with caching enabled.
42 *
43 * By default, those tests run without caching. Untrusted credential reset depends on caching so
44 * this class included those tests.
45 */
Pavel Grafov57f1b662019-03-27 14:55:38 +0000[diff] [blame]46@SmallTest
47@Presubmit
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]48public class CachedSyntheticPasswordTests extends SyntheticPasswordTests {
49
50 @Override
51 protected void setUp() throws Exception {
52 super.setUp();
53 enableSpCaching(true);
54 }
55
56 private void enableSpCaching(boolean enable) {
57 when(mDevicePolicyManagerInternal
58 .canUserHaveUntrustedCredentialReset(anyInt())).thenReturn(enable);
59 }
60
61 public void testSyntheticPasswordClearCredentialUntrusted() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]62 final byte[] password = "testSyntheticPasswordClearCredential-password".getBytes();
63 final byte[] newPassword = "testSyntheticPasswordClearCredential-newpassword".getBytes();
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]64
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]65 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]66 long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);
67 // clear password
68 mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]69 PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID, true);
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]70 assertEquals(0, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
71
72 // set a new password
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]73 mService.setLockCredential(newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]74 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]75 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(newPassword,
76 LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
77 .getResponseCode());
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]78 assertNotEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
79 }
80
81 public void testSyntheticPasswordChangeCredentialUntrusted() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]82 final byte[] password = "testSyntheticPasswordClearCredential-password".getBytes();
83 final byte[] newPassword = "testSyntheticPasswordClearCredential-newpassword".getBytes();
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]84
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]85 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]86 long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);
87 // Untrusted change password
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]88 mService.setLockCredential(newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]89 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, true);
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]90 assertNotEquals(0, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
91 assertNotEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
92
93 // Verify the password
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]94 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(newPassword,
95 LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID).getResponseCode());
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]96 }
97
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]98 public void testUntrustedCredentialChangeMaintainsAuthSecret() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]99 final byte[] password =
100 "testUntrustedCredentialChangeMaintainsAuthSecret-password".getBytes();
101 final byte[] newPassword =
102 "testUntrustedCredentialChangeMaintainsAuthSecret-newpassword".getBytes();
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]103
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]104 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]105 // Untrusted change password
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]106 mService.setLockCredential(newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]107 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, true);
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]108
109 // Verify the password
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]110 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(newPassword,
111 LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
112 .getResponseCode());
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]113
114 // Ensure the same secret was passed each time
115 ArgumentCaptor<ArrayList<Byte>> secret = ArgumentCaptor.forClass(ArrayList.class);
116 verify(mAuthSecretService, atLeastOnce()).primaryUserCredential(secret.capture());
117 assertEquals(1, secret.getAllValues().stream().distinct().count());
118 }
119
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]120 public void testUntrustedCredentialChangeBlockedIfSpNotCached() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]121 final byte[] password =
122 "testUntrustedCredentialChangeBlockedIfSpNotCached-password".getBytes();
123 final byte[] newPassword =
124 "testUntrustedCredentialChangeBlockedIfSpNotCached-newpassword".getBytes();
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]125
126 // Disable caching for this test
127 enableSpCaching(false);
128
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]129 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]130 long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);
131 // Untrusted change password
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]132 assertExpectException(
133 IllegalStateException.class,
134 /* messageRegex= */ "Untrusted credential reset not possible without cached SP",
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]135 () -> mService.setLockCredential(newPassword,
136 LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]137 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, true));
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]138 assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
139
140 // Verify the new password doesn't work but the old one still does
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]141 assertEquals(VerifyCredentialResponse.RESPONSE_ERROR, mService.verifyCredential(newPassword,
142 LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]143 .getResponseCode());
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]144 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(password,
145 LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Scull1416bd02018-01-05 18:33:58 +0000[diff] [blame]146 .getResponseCode());
147 }
148
149}