Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / 1acbb9c031c6eebde0fc5d84e3d939c2596a9de4 / . / services / tests / servicestests / src / com / android / server / locksettings / SyntheticPasswordTests.java
blob: 1cd590c39f49713af411ea5d9b5a653328fe1795 [file] [log] [blame]
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]1/*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
15 */
16
Andrew Scull507d11c2017-05-03 17:19:01 +0100[diff] [blame]17package com.android.server.locksettings;
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]18
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]19import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_ALPHABETIC;
20import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING;
21import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
22
23import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD;
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]24import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_ENABLED_KEY;
25import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY;
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]26
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]27import static org.mockito.Mockito.any;
28import static org.mockito.Mockito.atLeastOnce;
29import static org.mockito.Mockito.never;
30import static org.mockito.Mockito.reset;
Rubin Xu7cf45092017-08-28 11:47:35 +0100[diff] [blame]31import static org.mockito.Mockito.verify;
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]32
Rubin Xu7cf45092017-08-28 11:47:35 +0100[diff] [blame]33import android.app.admin.PasswordMetrics;
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]34import android.os.RemoteException;
35import android.os.UserHandle;
Pavel Grafov57f1b662019-03-27 14:55:38 +0000[diff] [blame]36import android.platform.test.annotations.Presubmit;
37
38import androidx.test.filters.SmallTest;
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]39
40import com.android.internal.widget.LockPatternUtils;
41import com.android.internal.widget.VerifyCredentialResponse;
Andrew Scull507d11c2017-05-03 17:19:01 +0100[diff] [blame]42import com.android.server.locksettings.SyntheticPasswordManager.AuthenticationResult;
43import com.android.server.locksettings.SyntheticPasswordManager.AuthenticationToken;
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]44import com.android.server.locksettings.SyntheticPasswordManager.PasswordData;
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]45
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]46import org.mockito.ArgumentCaptor;
47
Lenka Trochtova66c492a2018-12-06 11:29:21 +0100[diff] [blame]48import java.util.ArrayList;
49
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]50
51/**
Andrew Scull507d11c2017-05-03 17:19:01 +0100[diff] [blame]52 * runtest frameworks-services -c com.android.server.locksettings.SyntheticPasswordTests
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]53 */
Pavel Grafov57f1b662019-03-27 14:55:38 +0000[diff] [blame]54@SmallTest
55@Presubmit
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]56public class SyntheticPasswordTests extends BaseLockSettingsServiceTests {
57
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]58 public static final byte[] PAYLOAD = new byte[] {1, 2, -1, -2, 55};
59 public static final byte[] PAYLOAD2 = new byte[] {2, 3, -2, -3, 44, 1};
60
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]61 @Override
62 protected void setUp() throws Exception {
63 super.setUp();
64 }
65
66 @Override
67 protected void tearDown() throws Exception {
68 super.tearDown();
69 }
70
71 public void testPasswordBasedSyntheticPassword() throws RemoteException {
72 final int USER_ID = 10;
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]73 final byte[] password = "user-password".getBytes();
74 final byte[] badPassword = "bad-password".getBytes();
Adrian Roos2adc2632017-09-05 17:01:42 +0200[diff] [blame]75 MockSyntheticPasswordManager manager = new MockSyntheticPasswordManager(mContext, mStorage,
David Anderson28dea682019-02-20 13:37:51 -0800[diff] [blame]76 mGateKeeperService, mUserManager, mPasswordSlotManager);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]77 AuthenticationToken authToken = manager.newSyntheticPasswordAndSid(mGateKeeperService, null,
78 null, USER_ID);
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]79 long handle = manager.createPasswordBasedSyntheticPassword(mGateKeeperService,
80 password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, authToken,
81 PASSWORD_QUALITY_ALPHABETIC, USER_ID);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]82
Rubin Xucf326f12017-11-15 11:55:35 +0000[diff] [blame]83 AuthenticationResult result = manager.unwrapPasswordBasedSyntheticPassword(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]84 mGateKeeperService, handle, password, USER_ID, null);
85 assertArrayEquals(result.authToken.deriveKeyStorePassword(),
86 authToken.deriveKeyStorePassword());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]87
Rubin Xucf326f12017-11-15 11:55:35 +0000[diff] [blame]88 result = manager.unwrapPasswordBasedSyntheticPassword(mGateKeeperService, handle,
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]89 badPassword, USER_ID, null);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]90 assertNull(result.authToken);
91 }
92
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]93 private void disableSyntheticPassword() throws RemoteException {
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]94 mService.setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 0, UserHandle.USER_SYSTEM);
95 }
96
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]97 private void enableSyntheticPassword() throws RemoteException {
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]98 mService.setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 1, UserHandle.USER_SYSTEM);
99 }
100
101 private boolean hasSyntheticPassword(int userId) throws RemoteException {
102 return mService.getLong(SYNTHETIC_PASSWORD_HANDLE_KEY, 0, userId) != 0;
103 }
104
105 public void testPasswordMigration() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]106 final byte[] password = "testPasswordMigration-password".getBytes();
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]107
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]108 disableSyntheticPassword();
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]109 mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]110 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]111 long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);
112 final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]113 enableSyntheticPassword();
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]114 // Performs migration
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]115 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]116 password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]117 .getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]118 assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
119 assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));
120
121 // SP-based verification
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]122 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(password,
123 LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]124 .getResponseCode());
125 assertArrayNotEquals(primaryStorageKey,
126 mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]127 }
128
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]129 protected void initializeCredentialUnderSP(byte[] password, int userId) throws RemoteException {
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]130 enableSyntheticPassword();
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]131 int quality = password != null ? PASSWORD_QUALITY_ALPHABETIC
132 : PASSWORD_QUALITY_UNSPECIFIED;
133 int type = password != null ? LockPatternUtils.CREDENTIAL_TYPE_PASSWORD
134 : LockPatternUtils.CREDENTIAL_TYPE_NONE;
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]135 mService.setLockCredential(password, type, null, quality, userId, false);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]136 }
137
138 public void testSyntheticPasswordChangeCredential() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]139 final byte[] password = "testSyntheticPasswordChangeCredential-password".getBytes();
140 final byte[] newPassword = "testSyntheticPasswordChangeCredential-newpassword".getBytes();
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]141
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]142 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]143 long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]144 mService.setLockCredential(newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, password,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]145 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]146 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]147 newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]148 .getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]149 assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
150 }
151
152 public void testSyntheticPasswordVerifyCredential() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]153 final byte[] password = "testSyntheticPasswordVerifyCredential-password".getBytes();
154 final byte[] badPassword = "testSyntheticPasswordVerifyCredential-badpassword".getBytes();
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]155
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]156 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]157 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]158 password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]159 .getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]160
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]161 assertEquals(VerifyCredentialResponse.RESPONSE_ERROR, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]162 badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
163 .getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]164 }
165
166 public void testSyntheticPasswordClearCredential() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]167 final byte[] password = "testSyntheticPasswordClearCredential-password".getBytes();
168 final byte[] badPassword = "testSyntheticPasswordClearCredential-newpassword".getBytes();
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]169
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]170 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]171 long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);
172 // clear password
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]173 mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, password,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]174 PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID, false);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]175 assertEquals(0 ,mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
176
177 // set a new password
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]178 mService.setLockCredential(badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]179 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]180 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]181 badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
182 .getResponseCode());
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]183 assertNotEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]184 }
185
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]186 public void testSyntheticPasswordChangeCredentialKeepsAuthSecret() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]187 final byte[] password =
188 "testSyntheticPasswordChangeCredentialKeepsAuthSecret-password".getBytes();
189 final byte[] badPassword =
190 "testSyntheticPasswordChangeCredentialKeepsAuthSecret-new".getBytes();
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]191
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]192 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
193 mService.setLockCredential(badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, password,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]194 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]195 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]196 badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]197 .getResponseCode());
198
199 // Check the same secret was passed each time
200 ArgumentCaptor<ArrayList<Byte>> secret = ArgumentCaptor.forClass(ArrayList.class);
201 verify(mAuthSecretService, atLeastOnce()).primaryUserCredential(secret.capture());
202 assertEquals(1, secret.getAllValues().stream().distinct().count());
203 }
204
205 public void testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]206 final byte[] password =
207 "testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret-password".getBytes();
208 final byte[] newPassword =
209 "testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret-new".getBytes();
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]210
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]211 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]212 reset(mAuthSecretService);
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]213 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(password,
214 LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]215 .getResponseCode());
216 verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class));
217 }
218
219 public void testSecondaryUserDoesNotPassAuthSecret() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]220 final byte[] password = "testSecondaryUserDoesNotPassAuthSecret-password".getBytes();
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]221
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]222 initializeCredentialUnderSP(password, SECONDARY_USER_ID);
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]223 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]224 password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, SECONDARY_USER_ID)
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]225 .getResponseCode());
226 verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class));
227 }
228
Andrew Scullf49794b2018-04-13 12:01:25 +0100[diff] [blame]229 public void testNoSyntheticPasswordOrCredentialDoesNotPassAuthSecret() throws RemoteException {
230 // Setting null doesn't create a synthetic password
231 initializeCredentialUnderSP(null, PRIMARY_USER_ID);
232
233 reset(mAuthSecretService);
234 mService.onUnlockUser(PRIMARY_USER_ID);
Rubin Xu340e5ba2019-05-14 16:10:03 +0100[diff] [blame]235 flushHandlerTasks();
Andrew Scullf49794b2018-04-13 12:01:25 +0100[diff] [blame]236 verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class));
237 }
238
239 public void testSyntheticPasswordAndCredentialDoesNotPassAuthSecret() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]240 final byte[] password = "passwordForASyntheticPassword".getBytes();
241 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Andrew Scullf49794b2018-04-13 12:01:25 +0100[diff] [blame]242
243 reset(mAuthSecretService);
244 mService.onUnlockUser(PRIMARY_USER_ID);
Rubin Xu340e5ba2019-05-14 16:10:03 +0100[diff] [blame]245 flushHandlerTasks();
Andrew Scullf49794b2018-04-13 12:01:25 +0100[diff] [blame]246 verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class));
247 }
248
249 public void testSyntheticPasswordButNoCredentialPassesAuthSecret() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]250 final byte[] password = "getASyntheticPassword".getBytes();
251 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
252 mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, password,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]253 PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID, false);
Andrew Scullf49794b2018-04-13 12:01:25 +0100[diff] [blame]254
255 reset(mAuthSecretService);
256 mService.onUnlockUser(PRIMARY_USER_ID);
Rubin Xu340e5ba2019-05-14 16:10:03 +0100[diff] [blame]257 flushHandlerTasks();
Andrew Scullf49794b2018-04-13 12:01:25 +0100[diff] [blame]258 verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class));
259 }
260
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]261 public void testManagedProfileUnifiedChallengeMigration() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]262 final byte[] UnifiedPassword = "testManagedProfileUnifiedChallengeMigration-pwd".getBytes();
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]263 disableSyntheticPassword();
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]264 mService.setLockCredential(UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]265 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]266 mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null);
267 final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);
268 final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID);
269 final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);
270 final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID);
271 assertTrue(primarySid != 0);
272 assertTrue(profileSid != 0);
273 assertTrue(profileSid != primarySid);
274
275 // do migration
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]276 enableSyntheticPassword();
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]277 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
278 UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
279 .getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]280
281 // verify
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]282 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
283 UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
284 .getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]285 assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
286 assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID));
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]287 assertArrayNotEquals(primaryStorageKey,
288 mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));
289 assertArrayNotEquals(profileStorageKey,
290 mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID));
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]291 assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));
292 assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID));
293 }
294
295 public void testManagedProfileSeparateChallengeMigration() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]296 final byte[] primaryPassword =
297 "testManagedProfileSeparateChallengeMigration-primary".getBytes();
298 final byte[] profilePassword =
299 "testManagedProfileSeparateChallengeMigration-profile".getBytes();
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]300 disableSyntheticPassword();
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]301 mService.setLockCredential(primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]302 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]303 mService.setLockCredential(profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]304 PASSWORD_QUALITY_ALPHABETIC, MANAGED_PROFILE_USER_ID, false);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]305 final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);
306 final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID);
307 final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);
308 final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID);
309 assertTrue(primarySid != 0);
310 assertTrue(profileSid != 0);
311 assertTrue(profileSid != primarySid);
312
313 // do migration
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]314 enableSyntheticPassword();
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]315 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
316 primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
317 .getResponseCode());
318 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
319 profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD,
320 0, MANAGED_PROFILE_USER_ID).getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]321
322 // verify
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]323 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
324 primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
325 .getResponseCode());
326 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
327 profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD,
328 0, MANAGED_PROFILE_USER_ID).getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]329 assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
330 assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID));
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]331 assertArrayNotEquals(primaryStorageKey,
332 mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));
333 assertArrayNotEquals(profileStorageKey,
334 mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID));
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]335 assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));
336 assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID));
337 }
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]338
339 public void testTokenBasedResetPassword() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]340 final byte[] password = "password".getBytes();
341 final byte[] pattern = "123654".getBytes();
342 final byte[] token = "some-high-entropy-secure-token".getBytes();
343 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]344 final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);
345
Rubin Xufc067732019-03-18 11:01:18 +0000[diff] [blame]346 assertFalse(mService.hasPendingEscrowToken(PRIMARY_USER_ID));
Ram Periathiruvadi32d53552019-02-19 13:25:46 -0800[diff] [blame]347 long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null);
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]348 assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xufc067732019-03-18 11:01:18 +0000[diff] [blame]349 assertTrue(mService.hasPendingEscrowToken(PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]350
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]351 mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0,
Rubin Xu7cf45092017-08-28 11:47:35 +0100[diff] [blame]352 PRIMARY_USER_ID).getResponseCode();
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]353 assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xufc067732019-03-18 11:01:18 +0000[diff] [blame]354 assertFalse(mService.hasPendingEscrowToken(PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]355
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]356 mLocalService.setLockCredentialWithToken(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN,
357 handle, token, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID);
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]358
Rubin Xu7cf45092017-08-28 11:47:35 +0100[diff] [blame]359 // Verify DPM gets notified about new device lock
Rubin Xu340e5ba2019-05-14 16:10:03 +0100[diff] [blame]360 flushHandlerTasks();
Pavel Grafov42904c12019-03-25 15:32:41 +0000[diff] [blame]361 final PasswordMetrics metric = PasswordMetrics.computeForCredential(
362 LockPatternUtils.CREDENTIAL_TYPE_PATTERN, pattern);
Rubin Xu7cf45092017-08-28 11:47:35 +0100[diff] [blame]363 verify(mDevicePolicyManager).setActivePasswordState(metric, PRIMARY_USER_ID);
364
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]365 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]366 pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]367 .getResponseCode());
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]368 assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));
369 }
370
371 public void testTokenBasedClearPassword() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]372 final byte[] password = "password".getBytes();
373 final byte[] pattern = "123654".getBytes();
374 final byte[] token = "some-high-entropy-secure-token".getBytes();
375 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]376 final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);
377
Ram Periathiruvadi32d53552019-02-19 13:25:46 -0800[diff] [blame]378 long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null);
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]379 assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]380
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]381 mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD,
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]382 0, PRIMARY_USER_ID).getResponseCode();
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]383 assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]384
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]385 mLocalService.setLockCredentialWithToken(null, LockPatternUtils.CREDENTIAL_TYPE_NONE,
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]386 handle, token, PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID);
Rubin Xu340e5ba2019-05-14 16:10:03 +0100[diff] [blame]387 flushHandlerTasks(); // flush the unlockUser() call before changing password again
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]388 mLocalService.setLockCredentialWithToken(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN,
389 handle, token, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID);
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]390
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]391 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]392 pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]393 .getResponseCode());
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]394 assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));
395 }
396
397 public void testTokenBasedResetPasswordAfterCredentialChanges() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]398 final byte[] password = "password".getBytes();
399 final byte[] pattern = "123654".getBytes();
400 final byte[] newPassword = "password".getBytes();
401 final byte[] token = "some-high-entropy-secure-token".getBytes();
402 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]403 final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);
404
Ram Periathiruvadi32d53552019-02-19 13:25:46 -0800[diff] [blame]405 long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null);
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]406 assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]407
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]408 mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD,
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]409 0, PRIMARY_USER_ID).getResponseCode();
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]410 assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]411
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]412 mService.setLockCredential(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, password,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]413 PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID, false);
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]414
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]415 mLocalService.setLockCredentialWithToken(newPassword,
416 LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, handle, token,
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]417 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID);
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]418
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]419 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]420 newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]421 .getResponseCode());
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]422 assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));
423 }
424
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]425 public void testEscrowTokenActivatedImmediatelyIfNoUserPasswordNeedsMigration()
426 throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]427 final String token = "some-high-entropy-secure-token";
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]428 enableSyntheticPassword();
Ram Periathiruvadi32d53552019-02-19 13:25:46 -0800[diff] [blame]429 long handle = mLocalService.addEscrowToken(token.getBytes(), PRIMARY_USER_ID, null);
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]430 assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]431 assertEquals(0, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
432 assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));
433 }
434
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]435 public void testEscrowTokenActivatedImmediatelyIfNoUserPasswordNoMigration()
436 throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]437 final String token = "some-high-entropy-secure-token";
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]438 initializeCredentialUnderSP(null, PRIMARY_USER_ID);
Ram Periathiruvadi32d53552019-02-19 13:25:46 -0800[diff] [blame]439 long handle = mLocalService.addEscrowToken(token.getBytes(), PRIMARY_USER_ID, null);
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]440 assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]441 assertEquals(0, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
442 assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));
443 }
444
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]445 public void testEscrowTokenActivatedLaterWithUserPasswordNeedsMigration()
446 throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]447 final byte[] token = "some-high-entropy-secure-token".getBytes();
448 final byte[] password = "password".getBytes();
Rubin Xu128180b2017-04-12 18:02:44 +0100[diff] [blame]449 // Set up pre-SP user password
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]450 disableSyntheticPassword();
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]451 mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]452 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]453 enableSyntheticPassword();
Rubin Xu128180b2017-04-12 18:02:44 +0100[diff] [blame]454
Ram Periathiruvadi32d53552019-02-19 13:25:46 -0800[diff] [blame]455 long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null);
Rubin Xu128180b2017-04-12 18:02:44 +0100[diff] [blame]456 // Token not activated immediately since user password exists
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]457 assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xu128180b2017-04-12 18:02:44 +0100[diff] [blame]458 // Activate token (password gets migrated to SP at the same time)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]459 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]460 password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]461 .getResponseCode());
Rubin Xu128180b2017-04-12 18:02:44 +0100[diff] [blame]462 // Verify token is activated
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]463 assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xu128180b2017-04-12 18:02:44 +0100[diff] [blame]464 }
465
Lenka Trochtova66c492a2018-12-06 11:29:21 +0100[diff] [blame]466 public void testSetLockCredentialWithTokenFailsWithoutLockScreen() throws Exception {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]467 final byte[] password = "password".getBytes();
468 final byte[] pattern = "123654".getBytes();
469 final byte[] token = "some-high-entropy-secure-token".getBytes();
Lenka Trochtova66c492a2018-12-06 11:29:21 +0100[diff] [blame]470
471 mHasSecureLockScreen = false;
472 enableSyntheticPassword();
Ram Periathiruvadi32d53552019-02-19 13:25:46 -0800[diff] [blame]473 long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null);
Lenka Trochtova66c492a2018-12-06 11:29:21 +0100[diff] [blame]474 assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
475
476 try {
477 mLocalService.setLockCredentialWithToken(password,
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]478 LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, handle, token,
Lenka Trochtova66c492a2018-12-06 11:29:21 +0100[diff] [blame]479 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID);
480 fail("An exception should have been thrown.");
481 } catch (UnsupportedOperationException e) {
482 // Success - the exception was expected.
483 }
484 assertFalse(mService.havePassword(PRIMARY_USER_ID));
485
486 try {
487 mLocalService.setLockCredentialWithToken(pattern,
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]488 LockPatternUtils.CREDENTIAL_TYPE_PATTERN, handle, token,
Lenka Trochtova66c492a2018-12-06 11:29:21 +0100[diff] [blame]489 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID);
490 fail("An exception should have been thrown.");
491 } catch (UnsupportedOperationException e) {
492 // Success - the exception was expected.
493 }
494 assertFalse(mService.havePattern(PRIMARY_USER_ID));
495 }
496
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]497 public void testgetHashFactorPrimaryUser() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]498 final byte[] password = "password".getBytes();
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]499 mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]500 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]501 final byte[] hashFactor = mService.getHashFactor(password, PRIMARY_USER_ID);
502 assertNotNull(hashFactor);
503
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]504 mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]505 password, PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID, false);
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]506 final byte[] newHashFactor = mService.getHashFactor(null, PRIMARY_USER_ID);
507 assertNotNull(newHashFactor);
508 // Hash factor should never change after password change/removal
509 assertArrayEquals(hashFactor, newHashFactor);
510 }
511
512 public void testgetHashFactorManagedProfileUnifiedChallenge() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]513 final byte[] pattern = "1236".getBytes();
514 mService.setLockCredential(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]515 null, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID, false);
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]516 mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null);
517 assertNotNull(mService.getHashFactor(null, MANAGED_PROFILE_USER_ID));
518 }
519
520 public void testgetHashFactorManagedProfileSeparateChallenge() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]521 final byte[] primaryPassword = "primary".getBytes();
522 final byte[] profilePassword = "profile".getBytes();
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]523 mService.setLockCredential(primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]524 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]525 mService.setLockCredential(profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]526 PASSWORD_QUALITY_ALPHABETIC, MANAGED_PROFILE_USER_ID, false);
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]527 assertNotNull(mService.getHashFactor(profilePassword, MANAGED_PROFILE_USER_ID));
528 }
529
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]530 public void testPasswordData_serializeDeserialize() {
531 PasswordData data = new PasswordData();
532 data.scryptN = 11;
533 data.scryptR = 22;
534 data.scryptP = 33;
535 data.passwordType = CREDENTIAL_TYPE_PASSWORD;
536 data.salt = PAYLOAD;
537 data.passwordHandle = PAYLOAD2;
538
539 PasswordData deserialized = PasswordData.fromBytes(data.toBytes());
540
541 assertEquals(11, deserialized.scryptN);
542 assertEquals(22, deserialized.scryptR);
543 assertEquals(33, deserialized.scryptP);
544 assertEquals(CREDENTIAL_TYPE_PASSWORD, deserialized.passwordType);
545 assertArrayEquals(PAYLOAD, deserialized.salt);
546 assertArrayEquals(PAYLOAD2, deserialized.passwordHandle);
547 }
548
549 public void testPasswordData_deserialize() {
550 // Test that we can deserialize existing PasswordData and don't inadvertently change the
551 // wire format.
552 byte[] serialized = new byte[] {
553 0, 0, 0, 2, /* CREDENTIAL_TYPE_PASSWORD */
554 11, /* scryptN */
555 22, /* scryptR */
556 33, /* scryptP */
557 0, 0, 0, 5, /* salt.length */
558 1, 2, -1, -2, 55, /* salt */
559 0, 0, 0, 6, /* passwordHandle.length */
560 2, 3, -2, -3, 44, 1, /* passwordHandle */
561 };
562 PasswordData deserialized = PasswordData.fromBytes(serialized);
563
564 assertEquals(11, deserialized.scryptN);
565 assertEquals(22, deserialized.scryptR);
566 assertEquals(33, deserialized.scryptP);
567 assertEquals(CREDENTIAL_TYPE_PASSWORD, deserialized.passwordType);
568 assertArrayEquals(PAYLOAD, deserialized.salt);
569 assertArrayEquals(PAYLOAD2, deserialized.passwordHandle);
570 }
571
David Anderson6ebc25b2019-02-12 16:25:56 -0800[diff] [blame]572 public void testGsiDisablesAuthSecret() throws RemoteException {
573 mGsiService.setIsGsiRunning(true);
574
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]575 final byte[] password = "testGsiDisablesAuthSecret-password".getBytes();
David Anderson6ebc25b2019-02-12 16:25:56 -0800[diff] [blame]576
577 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
578 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
579 password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
580 .getResponseCode());
581 verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class));
582 }
583
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]584 // b/62213311
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]585 //TODO: add non-migration work profile case, and unify/un-unify transition.
586 //TODO: test token after user resets password
587 //TODO: test token based reset after unified work challenge
588 //TODO: test clear password after unified work challenge
589}