Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2017 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License |
| 15 | */ |
| 16 | |
Andrew Scull | 507d11c | 2017-05-03 17:19:01 +0100 | [diff] [blame] | 17 | package com.android.server.locksettings; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 18 | |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 19 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_ALPHABETIC; |
| 20 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING; |
| 21 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED; |
| 22 | |
| 23 | import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 24 | import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_ENABLED_KEY; |
| 25 | import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY; |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 26 | |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 27 | import static org.mockito.Mockito.any; |
| 28 | import static org.mockito.Mockito.atLeastOnce; |
| 29 | import static org.mockito.Mockito.never; |
| 30 | import static org.mockito.Mockito.reset; |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 31 | import static org.mockito.Mockito.verify; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 32 | |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 33 | import android.app.admin.PasswordMetrics; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 34 | import android.os.RemoteException; |
| 35 | import android.os.UserHandle; |
Pavel Grafov | 57f1b66 | 2019-03-27 14:55:38 +0000 | [diff] [blame] | 36 | import android.platform.test.annotations.Presubmit; |
| 37 | |
| 38 | import androidx.test.filters.SmallTest; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 39 | |
| 40 | import com.android.internal.widget.LockPatternUtils; |
| 41 | import com.android.internal.widget.VerifyCredentialResponse; |
Andrew Scull | 507d11c | 2017-05-03 17:19:01 +0100 | [diff] [blame] | 42 | import com.android.server.locksettings.SyntheticPasswordManager.AuthenticationResult; |
| 43 | import com.android.server.locksettings.SyntheticPasswordManager.AuthenticationToken; |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 44 | import com.android.server.locksettings.SyntheticPasswordManager.PasswordData; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 45 | |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 46 | import org.mockito.ArgumentCaptor; |
| 47 | |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 48 | import java.util.ArrayList; |
| 49 | |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 50 | |
| 51 | /** |
Andrew Scull | 507d11c | 2017-05-03 17:19:01 +0100 | [diff] [blame] | 52 | * runtest frameworks-services -c com.android.server.locksettings.SyntheticPasswordTests |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 53 | */ |
Pavel Grafov | 57f1b66 | 2019-03-27 14:55:38 +0000 | [diff] [blame] | 54 | @SmallTest |
| 55 | @Presubmit |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 56 | public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { |
| 57 | |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 58 | public static final byte[] PAYLOAD = new byte[] {1, 2, -1, -2, 55}; |
| 59 | public static final byte[] PAYLOAD2 = new byte[] {2, 3, -2, -3, 44, 1}; |
| 60 | |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 61 | @Override |
| 62 | protected void setUp() throws Exception { |
| 63 | super.setUp(); |
| 64 | } |
| 65 | |
| 66 | @Override |
| 67 | protected void tearDown() throws Exception { |
| 68 | super.tearDown(); |
| 69 | } |
| 70 | |
| 71 | public void testPasswordBasedSyntheticPassword() throws RemoteException { |
| 72 | final int USER_ID = 10; |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 73 | final byte[] password = "user-password".getBytes(); |
| 74 | final byte[] badPassword = "bad-password".getBytes(); |
Adrian Roos | 2adc263 | 2017-09-05 17:01:42 +0200 | [diff] [blame] | 75 | MockSyntheticPasswordManager manager = new MockSyntheticPasswordManager(mContext, mStorage, |
David Anderson | 28dea68 | 2019-02-20 13:37:51 -0800 | [diff] [blame] | 76 | mGateKeeperService, mUserManager, mPasswordSlotManager); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 77 | AuthenticationToken authToken = manager.newSyntheticPasswordAndSid(mGateKeeperService, null, |
| 78 | null, USER_ID); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 79 | long handle = manager.createPasswordBasedSyntheticPassword(mGateKeeperService, |
| 80 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, authToken, |
| 81 | PASSWORD_QUALITY_ALPHABETIC, USER_ID); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 82 | |
Rubin Xu | cf326f1 | 2017-11-15 11:55:35 +0000 | [diff] [blame] | 83 | AuthenticationResult result = manager.unwrapPasswordBasedSyntheticPassword( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 84 | mGateKeeperService, handle, password, USER_ID, null); |
| 85 | assertArrayEquals(result.authToken.deriveKeyStorePassword(), |
| 86 | authToken.deriveKeyStorePassword()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 87 | |
Rubin Xu | cf326f1 | 2017-11-15 11:55:35 +0000 | [diff] [blame] | 88 | result = manager.unwrapPasswordBasedSyntheticPassword(mGateKeeperService, handle, |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 89 | badPassword, USER_ID, null); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 90 | assertNull(result.authToken); |
| 91 | } |
| 92 | |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 93 | private void disableSyntheticPassword() throws RemoteException { |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 94 | mService.setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 0, UserHandle.USER_SYSTEM); |
| 95 | } |
| 96 | |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 97 | private void enableSyntheticPassword() throws RemoteException { |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 98 | mService.setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 1, UserHandle.USER_SYSTEM); |
| 99 | } |
| 100 | |
| 101 | private boolean hasSyntheticPassword(int userId) throws RemoteException { |
| 102 | return mService.getLong(SYNTHETIC_PASSWORD_HANDLE_KEY, 0, userId) != 0; |
| 103 | } |
| 104 | |
| 105 | public void testPasswordMigration() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 106 | final byte[] password = "testPasswordMigration-password".getBytes(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 107 | |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 108 | disableSyntheticPassword(); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 109 | mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 110 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 111 | long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
| 112 | final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 113 | enableSyntheticPassword(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 114 | // Performs migration |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 115 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 116 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 117 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 118 | assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 119 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 120 | |
| 121 | // SP-based verification |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 122 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(password, |
| 123 | LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 124 | .getResponseCode()); |
| 125 | assertArrayNotEquals(primaryStorageKey, |
| 126 | mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 127 | } |
| 128 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 129 | protected void initializeCredentialUnderSP(byte[] password, int userId) throws RemoteException { |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 130 | enableSyntheticPassword(); |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 131 | int quality = password != null ? PASSWORD_QUALITY_ALPHABETIC |
| 132 | : PASSWORD_QUALITY_UNSPECIFIED; |
| 133 | int type = password != null ? LockPatternUtils.CREDENTIAL_TYPE_PASSWORD |
| 134 | : LockPatternUtils.CREDENTIAL_TYPE_NONE; |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 135 | mService.setLockCredential(password, type, null, quality, userId, false); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 136 | } |
| 137 | |
| 138 | public void testSyntheticPasswordChangeCredential() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 139 | final byte[] password = "testSyntheticPasswordChangeCredential-password".getBytes(); |
| 140 | final byte[] newPassword = "testSyntheticPasswordChangeCredential-newpassword".getBytes(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 141 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 142 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 143 | long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 144 | mService.setLockCredential(newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, password, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 145 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 146 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 147 | newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 148 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 149 | assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 150 | } |
| 151 | |
| 152 | public void testSyntheticPasswordVerifyCredential() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 153 | final byte[] password = "testSyntheticPasswordVerifyCredential-password".getBytes(); |
| 154 | final byte[] badPassword = "testSyntheticPasswordVerifyCredential-badpassword".getBytes(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 155 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 156 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 157 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 158 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 159 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 160 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 161 | assertEquals(VerifyCredentialResponse.RESPONSE_ERROR, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 162 | badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 163 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 164 | } |
| 165 | |
| 166 | public void testSyntheticPasswordClearCredential() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 167 | final byte[] password = "testSyntheticPasswordClearCredential-password".getBytes(); |
| 168 | final byte[] badPassword = "testSyntheticPasswordClearCredential-newpassword".getBytes(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 169 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 170 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 171 | long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
| 172 | // clear password |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 173 | mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, password, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 174 | PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID, false); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 175 | assertEquals(0 ,mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 176 | |
| 177 | // set a new password |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 178 | mService.setLockCredential(badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 179 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 180 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 181 | badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 182 | .getResponseCode()); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 183 | assertNotEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 184 | } |
| 185 | |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 186 | public void testSyntheticPasswordChangeCredentialKeepsAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 187 | final byte[] password = |
| 188 | "testSyntheticPasswordChangeCredentialKeepsAuthSecret-password".getBytes(); |
| 189 | final byte[] badPassword = |
| 190 | "testSyntheticPasswordChangeCredentialKeepsAuthSecret-new".getBytes(); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 191 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 192 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
| 193 | mService.setLockCredential(badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, password, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 194 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 195 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 196 | badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 197 | .getResponseCode()); |
| 198 | |
| 199 | // Check the same secret was passed each time |
| 200 | ArgumentCaptor<ArrayList<Byte>> secret = ArgumentCaptor.forClass(ArrayList.class); |
| 201 | verify(mAuthSecretService, atLeastOnce()).primaryUserCredential(secret.capture()); |
| 202 | assertEquals(1, secret.getAllValues().stream().distinct().count()); |
| 203 | } |
| 204 | |
| 205 | public void testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 206 | final byte[] password = |
| 207 | "testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret-password".getBytes(); |
| 208 | final byte[] newPassword = |
| 209 | "testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret-new".getBytes(); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 210 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 211 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 212 | reset(mAuthSecretService); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 213 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(password, |
| 214 | LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 215 | .getResponseCode()); |
| 216 | verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class)); |
| 217 | } |
| 218 | |
| 219 | public void testSecondaryUserDoesNotPassAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 220 | final byte[] password = "testSecondaryUserDoesNotPassAuthSecret-password".getBytes(); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 221 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 222 | initializeCredentialUnderSP(password, SECONDARY_USER_ID); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 223 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 224 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, SECONDARY_USER_ID) |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 225 | .getResponseCode()); |
| 226 | verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class)); |
| 227 | } |
| 228 | |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 229 | public void testNoSyntheticPasswordOrCredentialDoesNotPassAuthSecret() throws RemoteException { |
| 230 | // Setting null doesn't create a synthetic password |
| 231 | initializeCredentialUnderSP(null, PRIMARY_USER_ID); |
| 232 | |
| 233 | reset(mAuthSecretService); |
| 234 | mService.onUnlockUser(PRIMARY_USER_ID); |
Rubin Xu | 340e5ba | 2019-05-14 16:10:03 +0100 | [diff] [blame] | 235 | flushHandlerTasks(); |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 236 | verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class)); |
| 237 | } |
| 238 | |
| 239 | public void testSyntheticPasswordAndCredentialDoesNotPassAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 240 | final byte[] password = "passwordForASyntheticPassword".getBytes(); |
| 241 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 242 | |
| 243 | reset(mAuthSecretService); |
| 244 | mService.onUnlockUser(PRIMARY_USER_ID); |
Rubin Xu | 340e5ba | 2019-05-14 16:10:03 +0100 | [diff] [blame] | 245 | flushHandlerTasks(); |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 246 | verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class)); |
| 247 | } |
| 248 | |
| 249 | public void testSyntheticPasswordButNoCredentialPassesAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 250 | final byte[] password = "getASyntheticPassword".getBytes(); |
| 251 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
| 252 | mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, password, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 253 | PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID, false); |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 254 | |
| 255 | reset(mAuthSecretService); |
| 256 | mService.onUnlockUser(PRIMARY_USER_ID); |
Rubin Xu | 340e5ba | 2019-05-14 16:10:03 +0100 | [diff] [blame] | 257 | flushHandlerTasks(); |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 258 | verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class)); |
| 259 | } |
| 260 | |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 261 | public void testManagedProfileUnifiedChallengeMigration() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 262 | final byte[] UnifiedPassword = "testManagedProfileUnifiedChallengeMigration-pwd".getBytes(); |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 263 | disableSyntheticPassword(); |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 264 | mService.setLockCredential(UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 265 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 266 | mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null); |
| 267 | final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
| 268 | final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID); |
| 269 | final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 270 | final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID); |
| 271 | assertTrue(primarySid != 0); |
| 272 | assertTrue(profileSid != 0); |
| 273 | assertTrue(profileSid != primarySid); |
| 274 | |
| 275 | // do migration |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 276 | enableSyntheticPassword(); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 277 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 278 | UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 279 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 280 | |
| 281 | // verify |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 282 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 283 | UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 284 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 285 | assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 286 | assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID)); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 287 | assertArrayNotEquals(primaryStorageKey, |
| 288 | mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 289 | assertArrayNotEquals(profileStorageKey, |
| 290 | mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID)); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 291 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 292 | assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID)); |
| 293 | } |
| 294 | |
| 295 | public void testManagedProfileSeparateChallengeMigration() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 296 | final byte[] primaryPassword = |
| 297 | "testManagedProfileSeparateChallengeMigration-primary".getBytes(); |
| 298 | final byte[] profilePassword = |
| 299 | "testManagedProfileSeparateChallengeMigration-profile".getBytes(); |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 300 | disableSyntheticPassword(); |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 301 | mService.setLockCredential(primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 302 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 303 | mService.setLockCredential(profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 304 | PASSWORD_QUALITY_ALPHABETIC, MANAGED_PROFILE_USER_ID, false); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 305 | final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
| 306 | final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID); |
| 307 | final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 308 | final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID); |
| 309 | assertTrue(primarySid != 0); |
| 310 | assertTrue(profileSid != 0); |
| 311 | assertTrue(profileSid != primarySid); |
| 312 | |
| 313 | // do migration |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 314 | enableSyntheticPassword(); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 315 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 316 | primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 317 | .getResponseCode()); |
| 318 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 319 | profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, |
| 320 | 0, MANAGED_PROFILE_USER_ID).getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 321 | |
| 322 | // verify |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 323 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 324 | primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 325 | .getResponseCode()); |
| 326 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 327 | profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, |
| 328 | 0, MANAGED_PROFILE_USER_ID).getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 329 | assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 330 | assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID)); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 331 | assertArrayNotEquals(primaryStorageKey, |
| 332 | mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 333 | assertArrayNotEquals(profileStorageKey, |
| 334 | mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID)); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 335 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 336 | assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID)); |
| 337 | } |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 338 | |
| 339 | public void testTokenBasedResetPassword() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 340 | final byte[] password = "password".getBytes(); |
| 341 | final byte[] pattern = "123654".getBytes(); |
| 342 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
| 343 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 344 | final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 345 | |
Rubin Xu | fc06773 | 2019-03-18 11:01:18 +0000 | [diff] [blame] | 346 | assertFalse(mService.hasPendingEscrowToken(PRIMARY_USER_ID)); |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 347 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 348 | assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | fc06773 | 2019-03-18 11:01:18 +0000 | [diff] [blame] | 349 | assertTrue(mService.hasPendingEscrowToken(PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 350 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 351 | mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 352 | PRIMARY_USER_ID).getResponseCode(); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 353 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | fc06773 | 2019-03-18 11:01:18 +0000 | [diff] [blame] | 354 | assertFalse(mService.hasPendingEscrowToken(PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 355 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 356 | mLocalService.setLockCredentialWithToken(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, |
| 357 | handle, token, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 358 | |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 359 | // Verify DPM gets notified about new device lock |
Rubin Xu | 340e5ba | 2019-05-14 16:10:03 +0100 | [diff] [blame] | 360 | flushHandlerTasks(); |
Pavel Grafov | 42904c1 | 2019-03-25 15:32:41 +0000 | [diff] [blame] | 361 | final PasswordMetrics metric = PasswordMetrics.computeForCredential( |
| 362 | LockPatternUtils.CREDENTIAL_TYPE_PATTERN, pattern); |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 363 | verify(mDevicePolicyManager).setActivePasswordState(metric, PRIMARY_USER_ID); |
| 364 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 365 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 366 | pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 367 | .getResponseCode()); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 368 | assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 369 | } |
| 370 | |
| 371 | public void testTokenBasedClearPassword() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 372 | final byte[] password = "password".getBytes(); |
| 373 | final byte[] pattern = "123654".getBytes(); |
| 374 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
| 375 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 376 | final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 377 | |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 378 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 379 | assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 380 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 381 | mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 382 | 0, PRIMARY_USER_ID).getResponseCode(); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 383 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 384 | |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 385 | mLocalService.setLockCredentialWithToken(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 386 | handle, token, PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID); |
Rubin Xu | 340e5ba | 2019-05-14 16:10:03 +0100 | [diff] [blame] | 387 | flushHandlerTasks(); // flush the unlockUser() call before changing password again |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 388 | mLocalService.setLockCredentialWithToken(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, |
| 389 | handle, token, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 390 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 391 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 392 | pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 393 | .getResponseCode()); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 394 | assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 395 | } |
| 396 | |
| 397 | public void testTokenBasedResetPasswordAfterCredentialChanges() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 398 | final byte[] password = "password".getBytes(); |
| 399 | final byte[] pattern = "123654".getBytes(); |
| 400 | final byte[] newPassword = "password".getBytes(); |
| 401 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
| 402 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 403 | final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 404 | |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 405 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 406 | assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 407 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 408 | mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 409 | 0, PRIMARY_USER_ID).getResponseCode(); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 410 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 411 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 412 | mService.setLockCredential(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, password, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 413 | PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID, false); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 414 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 415 | mLocalService.setLockCredentialWithToken(newPassword, |
| 416 | LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, handle, token, |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 417 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 418 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 419 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 420 | newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 421 | .getResponseCode()); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 422 | assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 423 | } |
| 424 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 425 | public void testEscrowTokenActivatedImmediatelyIfNoUserPasswordNeedsMigration() |
| 426 | throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 427 | final String token = "some-high-entropy-secure-token"; |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 428 | enableSyntheticPassword(); |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 429 | long handle = mLocalService.addEscrowToken(token.getBytes(), PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 430 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 431 | assertEquals(0, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 432 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 433 | } |
| 434 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 435 | public void testEscrowTokenActivatedImmediatelyIfNoUserPasswordNoMigration() |
| 436 | throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 437 | final String token = "some-high-entropy-secure-token"; |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 438 | initializeCredentialUnderSP(null, PRIMARY_USER_ID); |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 439 | long handle = mLocalService.addEscrowToken(token.getBytes(), PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 440 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 441 | assertEquals(0, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 442 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 443 | } |
| 444 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 445 | public void testEscrowTokenActivatedLaterWithUserPasswordNeedsMigration() |
| 446 | throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 447 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
| 448 | final byte[] password = "password".getBytes(); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 449 | // Set up pre-SP user password |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 450 | disableSyntheticPassword(); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 451 | mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 452 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 453 | enableSyntheticPassword(); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 454 | |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 455 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 456 | // Token not activated immediately since user password exists |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 457 | assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 458 | // Activate token (password gets migrated to SP at the same time) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 459 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 460 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 461 | .getResponseCode()); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 462 | // Verify token is activated |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 463 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 464 | } |
| 465 | |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 466 | public void testSetLockCredentialWithTokenFailsWithoutLockScreen() throws Exception { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 467 | final byte[] password = "password".getBytes(); |
| 468 | final byte[] pattern = "123654".getBytes(); |
| 469 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 470 | |
| 471 | mHasSecureLockScreen = false; |
| 472 | enableSyntheticPassword(); |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 473 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 474 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
| 475 | |
| 476 | try { |
| 477 | mLocalService.setLockCredentialWithToken(password, |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 478 | LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, handle, token, |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 479 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
| 480 | fail("An exception should have been thrown."); |
| 481 | } catch (UnsupportedOperationException e) { |
| 482 | // Success - the exception was expected. |
| 483 | } |
| 484 | assertFalse(mService.havePassword(PRIMARY_USER_ID)); |
| 485 | |
| 486 | try { |
| 487 | mLocalService.setLockCredentialWithToken(pattern, |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 488 | LockPatternUtils.CREDENTIAL_TYPE_PATTERN, handle, token, |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 489 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
| 490 | fail("An exception should have been thrown."); |
| 491 | } catch (UnsupportedOperationException e) { |
| 492 | // Success - the exception was expected. |
| 493 | } |
| 494 | assertFalse(mService.havePattern(PRIMARY_USER_ID)); |
| 495 | } |
| 496 | |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 497 | public void testgetHashFactorPrimaryUser() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 498 | final byte[] password = "password".getBytes(); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 499 | mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 500 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 501 | final byte[] hashFactor = mService.getHashFactor(password, PRIMARY_USER_ID); |
| 502 | assertNotNull(hashFactor); |
| 503 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 504 | mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 505 | password, PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID, false); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 506 | final byte[] newHashFactor = mService.getHashFactor(null, PRIMARY_USER_ID); |
| 507 | assertNotNull(newHashFactor); |
| 508 | // Hash factor should never change after password change/removal |
| 509 | assertArrayEquals(hashFactor, newHashFactor); |
| 510 | } |
| 511 | |
| 512 | public void testgetHashFactorManagedProfileUnifiedChallenge() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 513 | final byte[] pattern = "1236".getBytes(); |
| 514 | mService.setLockCredential(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 515 | null, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID, false); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 516 | mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null); |
| 517 | assertNotNull(mService.getHashFactor(null, MANAGED_PROFILE_USER_ID)); |
| 518 | } |
| 519 | |
| 520 | public void testgetHashFactorManagedProfileSeparateChallenge() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 521 | final byte[] primaryPassword = "primary".getBytes(); |
| 522 | final byte[] profilePassword = "profile".getBytes(); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 523 | mService.setLockCredential(primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 524 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 525 | mService.setLockCredential(profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 526 | PASSWORD_QUALITY_ALPHABETIC, MANAGED_PROFILE_USER_ID, false); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 527 | assertNotNull(mService.getHashFactor(profilePassword, MANAGED_PROFILE_USER_ID)); |
| 528 | } |
| 529 | |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 530 | public void testPasswordData_serializeDeserialize() { |
| 531 | PasswordData data = new PasswordData(); |
| 532 | data.scryptN = 11; |
| 533 | data.scryptR = 22; |
| 534 | data.scryptP = 33; |
| 535 | data.passwordType = CREDENTIAL_TYPE_PASSWORD; |
| 536 | data.salt = PAYLOAD; |
| 537 | data.passwordHandle = PAYLOAD2; |
| 538 | |
| 539 | PasswordData deserialized = PasswordData.fromBytes(data.toBytes()); |
| 540 | |
| 541 | assertEquals(11, deserialized.scryptN); |
| 542 | assertEquals(22, deserialized.scryptR); |
| 543 | assertEquals(33, deserialized.scryptP); |
| 544 | assertEquals(CREDENTIAL_TYPE_PASSWORD, deserialized.passwordType); |
| 545 | assertArrayEquals(PAYLOAD, deserialized.salt); |
| 546 | assertArrayEquals(PAYLOAD2, deserialized.passwordHandle); |
| 547 | } |
| 548 | |
| 549 | public void testPasswordData_deserialize() { |
| 550 | // Test that we can deserialize existing PasswordData and don't inadvertently change the |
| 551 | // wire format. |
| 552 | byte[] serialized = new byte[] { |
| 553 | 0, 0, 0, 2, /* CREDENTIAL_TYPE_PASSWORD */ |
| 554 | 11, /* scryptN */ |
| 555 | 22, /* scryptR */ |
| 556 | 33, /* scryptP */ |
| 557 | 0, 0, 0, 5, /* salt.length */ |
| 558 | 1, 2, -1, -2, 55, /* salt */ |
| 559 | 0, 0, 0, 6, /* passwordHandle.length */ |
| 560 | 2, 3, -2, -3, 44, 1, /* passwordHandle */ |
| 561 | }; |
| 562 | PasswordData deserialized = PasswordData.fromBytes(serialized); |
| 563 | |
| 564 | assertEquals(11, deserialized.scryptN); |
| 565 | assertEquals(22, deserialized.scryptR); |
| 566 | assertEquals(33, deserialized.scryptP); |
| 567 | assertEquals(CREDENTIAL_TYPE_PASSWORD, deserialized.passwordType); |
| 568 | assertArrayEquals(PAYLOAD, deserialized.salt); |
| 569 | assertArrayEquals(PAYLOAD2, deserialized.passwordHandle); |
| 570 | } |
| 571 | |
David Anderson | 6ebc25b | 2019-02-12 16:25:56 -0800 | [diff] [blame] | 572 | public void testGsiDisablesAuthSecret() throws RemoteException { |
| 573 | mGsiService.setIsGsiRunning(true); |
| 574 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 575 | final byte[] password = "testGsiDisablesAuthSecret-password".getBytes(); |
David Anderson | 6ebc25b | 2019-02-12 16:25:56 -0800 | [diff] [blame] | 576 | |
| 577 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
| 578 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 579 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 580 | .getResponseCode()); |
| 581 | verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class)); |
| 582 | } |
| 583 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 584 | // b/62213311 |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 585 | //TODO: add non-migration work profile case, and unify/un-unify transition. |
| 586 | //TODO: test token after user resets password |
| 587 | //TODO: test token based reset after unified work challenge |
| 588 | //TODO: test clear password after unified work challenge |
| 589 | } |