/*
 * Copyright (C) 2016 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
| 16 | |
| 17 | package com.android.server.connectivity; |
| 18 | |
| 19 | import static android.content.pm.UserInfo.FLAG_ADMIN; |
| 20 | import static android.content.pm.UserInfo.FLAG_MANAGED_PROFILE; |
| 21 | import static android.content.pm.UserInfo.FLAG_PRIMARY; |
| 22 | import static android.content.pm.UserInfo.FLAG_RESTRICTED; |
Robin Lee | 17e6183 | 2016-05-09 13:46:28 +0100 | [diff] [blame] | 23 | import static org.mockito.AdditionalMatchers.*; |
Robin Lee | 4d03abc | 2016-05-09 12:32:27 +0100 | [diff] [blame] | 24 | import static org.mockito.Mockito.*; |
| 25 | |
| 26 | import android.annotation.UserIdInt; |
Robin Lee | 17e6183 | 2016-05-09 13:46:28 +0100 | [diff] [blame] | 27 | import android.app.AppOpsManager; |
Tony Mak | de7f7d1 | 2016-06-30 11:19:20 +0100 | [diff] [blame] | 28 | import android.app.NotificationManager; |
Robin Lee | 4d03abc | 2016-05-09 12:32:27 +0100 | [diff] [blame] | 29 | import android.content.Context; |
Robin Lee | b8c2a2b | 2017-03-10 16:17:06 +0000 | [diff] [blame] | 30 | import android.content.pm.ApplicationInfo; |
Robin Lee | 4d03abc | 2016-05-09 12:32:27 +0100 | [diff] [blame] | 31 | import android.content.pm.PackageManager; |
Charles He | 3673863 | 2017-05-15 17:07:18 +0100 | [diff] [blame] | 32 | import android.content.pm.ResolveInfo; |
| 33 | import android.content.pm.ServiceInfo; |
Robin Lee | 4d03abc | 2016-05-09 12:32:27 +0100 | [diff] [blame] | 34 | import android.content.pm.UserInfo; |
Charles He | 3da6a1f | 2017-08-16 13:14:13 +0100 | [diff] [blame] | 35 | import android.content.res.Resources; |
Tony Mak | de7f7d1 | 2016-06-30 11:19:20 +0100 | [diff] [blame] | 36 | import android.net.NetworkInfo.DetailedState; |
Robin Lee | 4d03abc | 2016-05-09 12:32:27 +0100 | [diff] [blame] | 37 | import android.net.UidRange; |
Charles He | 3673863 | 2017-05-15 17:07:18 +0100 | [diff] [blame] | 38 | import android.net.VpnService; |
| 39 | import android.os.Build.VERSION_CODES; |
| 40 | import android.os.Bundle; |
Robin Lee | 4d03abc | 2016-05-09 12:32:27 +0100 | [diff] [blame] | 41 | import android.os.INetworkManagementService; |
| 42 | import android.os.Looper; |
| 43 | import android.os.UserHandle; |
| 44 | import android.os.UserManager; |
| 45 | import android.test.AndroidTestCase; |
| 46 | import android.test.suitebuilder.annotation.SmallTest; |
| 47 | import android.util.ArrayMap; |
| 48 | import android.util.ArraySet; |
| 49 | |
Charles He | 3da6a1f | 2017-08-16 13:14:13 +0100 | [diff] [blame] | 50 | import com.android.internal.R; |
Robin Lee | c3736bc | 2017-03-10 16:19:54 +0000 | [diff] [blame] | 51 | import com.android.internal.net.VpnConfig; |
| 52 | |
Robin Lee | b8c2a2b | 2017-03-10 16:17:06 +0000 | [diff] [blame] | 53 | import org.mockito.Answers; |
Tony Mak | de7f7d1 | 2016-06-30 11:19:20 +0100 | [diff] [blame] | 54 | import org.mockito.InOrder; |
Robin Lee | 4d03abc | 2016-05-09 12:32:27 +0100 | [diff] [blame] | 55 | import org.mockito.Mock; |
| 56 | import org.mockito.MockitoAnnotations; |
| 57 | |
Charles He | 3673863 | 2017-05-15 17:07:18 +0100 | [diff] [blame] | 58 | import java.util.ArrayList; |
| 59 | import java.util.Arrays; |
| 60 | import java.util.Collections; |
| 61 | import java.util.Map; |
| 62 | import java.util.Set; |
| 63 | |
/**
 * Tests for {@link Vpn}.
 *
 * Build, install and run with:
 *  runtest --path java/com/android/server/connectivity/VpnTest.java
 */
| 70 | public class VpnTest extends AndroidTestCase { |
private static final String TAG = "VpnTest";

// Fake users shared by every test: two admin users, two restricted profiles and one
// managed profile.
static final UserInfo primaryUser = new UserInfo(27, "Primary", FLAG_ADMIN | FLAG_PRIMARY);
static final UserInfo secondaryUser = new UserInfo(15, "Secondary", FLAG_ADMIN);
static final UserInfo restrictedProfileA = new UserInfo(40, "RestrictedA", FLAG_RESTRICTED);
static final UserInfo restrictedProfileB = new UserInfo(42, "RestrictedB", FLAG_RESTRICTED);
static final UserInfo managedProfileA = new UserInfo(45, "ManagedA", FLAG_MANAGED_PROFILE);
static {
    // RestrictedA hangs off the primary user and RestrictedB off the secondary user; the
    // managed profile is placed in the primary user's profile group.
    managedProfileA.profileGroupId = primaryUser.id;
    restrictedProfileA.restrictedProfileParentId = primaryUser.id;
    restrictedProfileB.restrictedProfileParentId = secondaryUser.id;
}

/**
 * Fake package names and their app UIDs, index-aligned. The tests rely on two properties:
 * - the UIDs are listed in increasing order;
 * - one pair of packages (77 and 78) has consecutive UIDs, so no gap separates them.
 */
static final String[] PKGS = {"com.example", "org.example", "net.example", "web.vpn"};
static final int[] PKG_UIDS = {66, 77, 78, 400};

// Package-name-to-UID table served by the mocked PackageManager.
static final Map<String, Integer> mPackages = new ArrayMap<>();
static {
    int index = 0;
    for (String pkg : PKGS) {
        mPackages.put(pkg, PKG_UIDS[index++]);
    }
}

// Deep stubs so that chained calls on the context return mocks rather than null.
@Mock(answer = Answers.RETURNS_DEEP_STUBS)
private Context mContext;

@Mock
private UserManager mUserManager;

@Mock
private PackageManager mPackageManager;

@Mock
private INetworkManagementService mNetService;

@Mock
private AppOpsManager mAppOps;

@Mock
private NotificationManager mNotificationManager;

@Mock
private Vpn.SystemServices mSystemServices;
Robin Lee | 4d03abc | 2016-05-09 12:32:27 +0100 | [diff] [blame] | 108 | |
/**
 * Initialises the Mockito mocks and stubs the mocked {@link Context} so that it hands out
 * the mocked package, user, app-ops and notification services of this fixture.
 */
@Override
public void setUp() throws Exception {
    MockitoAnnotations.initMocks(this);

    // Package lookups are answered from the fake package-name-to-UID table.
    when(mContext.getPackageManager()).thenReturn(mPackageManager);
    setMockedPackages(mPackages);

    final String ownPackageName = Vpn.class.getPackage().getName();
    when(mContext.getPackageName()).thenReturn(ownPackageName);

    // System services looked up by name resolve to the corresponding mocks.
    when(mContext.getSystemService(eq(Context.USER_SERVICE))).thenReturn(mUserManager);
    when(mContext.getSystemService(eq(Context.APP_OPS_SERVICE))).thenReturn(mAppOps);
    when(mContext.getSystemService(eq(Context.NOTIFICATION_SERVICE)))
            .thenReturn(mNotificationManager);

    // The dialog component string is read from the real system resources and replayed
    // through the mocked context.
    final String disconnectedDialogComponent = Resources.getSystem().getString(
            R.string.config_customVpnAlwaysOnDisconnectedDialogComponent);
    when(mContext.getString(R.string.config_customVpnAlwaysOnDisconnectedDialogComponent))
            .thenReturn(disconnectedDialogComponent);

    // Used by {@link Notification.Builder}
    final ApplicationInfo ownAppInfo = new ApplicationInfo();
    ownAppInfo.targetSdkVersion = VERSION_CODES.CUR_DEVELOPMENT;
    when(mContext.getApplicationInfo()).thenReturn(ownAppInfo);

    doNothing().when(mNetService).registerObserver(any());
}
| 132 | |
/**
 * The ranges built for the primary user must contain that user and its own restricted
 * profile (RestrictedA), and nothing belonging to the secondary user.
 */
@SmallTest
public void testRestrictedProfilesAreAddedToVpn() {
    setMockedUsers(primaryUser, secondaryUser, restrictedProfileA, restrictedProfileB);

    final Vpn vpn = createVpn(primaryUser.id);
    final Set<UidRange> actual =
            vpn.createUserAndRestrictedProfilesRanges(primaryUser.id, null, null);

    final Set<UidRange> expected = new ArraySet<>();
    expected.add(UidRange.createForUser(primaryUser.id));
    expected.add(UidRange.createForUser(restrictedProfileA.id));
    assertEquals(expected, actual);
}
| 146 | |
/**
 * A managed profile in the primary user's profile group must not be pulled into the
 * primary user's VPN ranges.
 */
@SmallTest
public void testManagedProfilesAreNotAddedToVpn() {
    setMockedUsers(primaryUser, managedProfileA);

    final Vpn vpn = createVpn(primaryUser.id);
    final Set<UidRange> actual =
            vpn.createUserAndRestrictedProfilesRanges(primaryUser.id, null, null);

    final Set<UidRange> expected = new ArraySet<>();
    expected.add(UidRange.createForUser(primaryUser.id));
    assertEquals(expected, actual);
}
| 159 | |
/**
 * {@code addUserToRanges} adds exactly the requested user: neither the restricted profile
 * nor the managed profile that also exist may appear in the result.
 */
@SmallTest
public void testAddUserToVpnOnlyAddsOneUser() {
    setMockedUsers(primaryUser, restrictedProfileA, managedProfileA);

    final Vpn vpn = createVpn(primaryUser.id);
    final Set<UidRange> actual = new ArraySet<>();
    vpn.addUserToRanges(actual, primaryUser.id, null, null);

    final Set<UidRange> expected = new ArraySet<>();
    expected.add(UidRange.createForUser(primaryUser.id));
    assertEquals(expected, actual);
}
| 172 | |
/**
 * Checks the UID ranges produced for an allow-list and for a deny-list of the same three
 * packages. The two results must be exact complements within the user's UID range, and
 * the consecutive UIDs of PKGS[1] and PKGS[2] must merge into one range (allow-list) or
 * leave no empty range between them (deny-list).
 */
@SmallTest
public void testUidWhiteAndBlacklist() throws Exception {
    final Vpn vpn = createVpn(primaryUser.id);
    final UidRange user = UidRange.createForUser(primaryUser.id);
    final String[] packages = {PKGS[0], PKGS[1], PKGS[2]};

    // Absolute UIDs of the three packages inside the primary user's range.
    final int uid0 = user.start + PKG_UIDS[0];
    final int uid1 = user.start + PKG_UIDS[1];
    final int uid2 = user.start + PKG_UIDS[2];

    // Whitelist: only the listed packages are covered.
    final Set<UidRange> expectedAllow = new ArraySet<>();
    expectedAllow.add(new UidRange(uid0, uid0));
    expectedAllow.add(new UidRange(uid1, uid2));

    final Set<UidRange> allow = vpn.createUserAndRestrictedProfilesRanges(
            primaryUser.id, Arrays.asList(packages), null);
    assertEquals(expectedAllow, allow);

    // Blacklist: everything in the user's range except the listed packages is covered.
    final Set<UidRange> expectedDisallow = new ArraySet<>();
    expectedDisallow.add(new UidRange(user.start, uid0 - 1));
    expectedDisallow.add(new UidRange(uid0 + 1, uid1 - 1));
    /* Empty range between UIDS[1] and UIDS[2], should be excluded, */
    expectedDisallow.add(new UidRange(uid2 + 1, user.stop));

    final Set<UidRange> disallow = vpn.createUserAndRestrictedProfilesRanges(
            primaryUser.id, null, Arrays.asList(packages));
    assertEquals(expectedDisallow, disallow);
}
| 197 | |
/**
 * Walks the always-on VPN package through "no lockdown", "lockdown" and "lockdown with a
 * different app", checking both the rules pushed to the network management service and
 * the per-UID blocking state reported by {@code isBlockingUid}.
 *
 * In lockdown the installed rule covers the whole user except the VPN app's own UID, so
 * every other app is blocked while the VPN app itself stays unblocked.
 */
@SmallTest
public void testLockdownChangingPackage() throws Exception {
    final Vpn vpn = createVpn(primaryUser.id);
    final UidRange user = UidRange.createForUser(primaryUser.id);

    // Absolute UIDs of the four fake packages inside the primary user's range.
    final int uid0 = user.start + PKG_UIDS[0];
    final int uid1 = user.start + PKG_UIDS[1];
    final int uid2 = user.start + PKG_UIDS[2];
    final int uid3 = user.start + PKG_UIDS[3];

    // The user's range with a one-UID hole punched out for the respective VPN app.
    final UidRange[] allButPkg1 = {
        new UidRange(user.start, uid1 - 1),
        new UidRange(uid1 + 1, user.stop)
    };
    final UidRange[] allButPkg3 = {
        new UidRange(user.start, uid3 - 1),
        new UidRange(uid3 + 1, user.stop)
    };

    // Default state.
    assertUnblocked(vpn, uid0, uid1, uid2, uid3);

    // Set always-on without lockdown.
    assertTrue(vpn.setAlwaysOnPackage(PKGS[1], false));
    assertUnblocked(vpn, uid0, uid1, uid2, uid3);

    // Set always-on with lockdown.
    assertTrue(vpn.setAlwaysOnPackage(PKGS[1], true));
    verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(allButPkg1));
    assertBlocked(vpn, uid0, uid2, uid3);
    assertUnblocked(vpn, uid1);

    // Switch to another app.
    // NOTE(review): these two verifications are unordered, so this test does not pin
    // whether the old rule is removed before the new one is installed.
    assertTrue(vpn.setAlwaysOnPackage(PKGS[3], true));
    verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(allButPkg1));
    verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(allButPkg3));
    assertBlocked(vpn, uid0, uid1, uid2);
    assertUnblocked(vpn, uid3);
}
| 232 | |
/**
 * With lockdown enabled for the primary user, adding a restricted profile must install the
 * same "everything except the VPN app" rule for the profile's UID range, and removing the
 * profile must withdraw exactly that rule again.
 */
@SmallTest
public void testLockdownAddingAProfile() throws Exception {
    final Vpn vpn = createVpn(primaryUser.id);
    setMockedUsers(primaryUser);

    // Make a copy of the restricted profile, as we're going to mark it deleted halfway through.
    final UserInfo tempProfile = new UserInfo(restrictedProfileA.id, restrictedProfileA.name,
            restrictedProfileA.flags);
    tempProfile.restrictedProfileParentId = primaryUser.id;

    final UidRange user = UidRange.createForUser(primaryUser.id);
    final UidRange profile = UidRange.createForUser(tempProfile.id);

    // Each range with a one-UID hole for the always-on VPN app (PKGS[3]).
    final int vpnAppId = PKG_UIDS[3];
    final UidRange[] userExceptVpnApp = {
        new UidRange(user.start, user.start + vpnAppId - 1),
        new UidRange(user.start + vpnAppId + 1, user.stop)
    };
    final UidRange[] profileExceptVpnApp = {
        new UidRange(profile.start, profile.start + vpnAppId - 1),
        new UidRange(profile.start + vpnAppId + 1, profile.stop)
    };

    // Set lockdown.
    assertTrue(vpn.setAlwaysOnPackage(PKGS[3], true));
    verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(userExceptVpnApp));

    // Verify restricted user isn't affected at first: the profile is not yet known to the
    // mocked user manager, so its UIDs are not covered by the lockdown.
    assertUnblocked(vpn, profile.start + PKG_UIDS[0]);

    // Add the restricted user.
    setMockedUsers(primaryUser, tempProfile);
    vpn.onUserAdded(tempProfile.id);
    verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(profileExceptVpnApp));

    // Remove the restricted user. Marking it partial makes the mocked getUsers(true) treat
    // it as a dying user.
    tempProfile.partial = true;
    vpn.onUserRemoved(tempProfile.id);
    verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(profileExceptVpnApp));
}
| 272 | |
/**
 * Legacy lockdown must be idempotent: enabling it twice installs the rule once, and
 * disabling it twice removes the rule once. The total number of calls to
 * {@code setAllowOnlyVpnForUids} is counted to prove that the repeated requests are no-ops.
 */
@SmallTest
public void testLockdownRuleRepeatability() throws Exception {
    final Vpn vpn = createVpn(primaryUser.id);
    final UidRange[] entireUser = {UidRange.createForUser(primaryUser.id)};

    // Given legacy lockdown is already enabled,
    vpn.setLockdown(true);
    verify(mNetService, times(1)).setAllowOnlyVpnForUids(eq(true), aryEq(entireUser));

    // Enabling legacy lockdown twice should do nothing.
    vpn.setLockdown(true);
    verify(mNetService, times(1)).setAllowOnlyVpnForUids(anyBoolean(), any(UidRange[].class));

    // And disabling should remove the rules exactly once.
    vpn.setLockdown(false);
    verify(mNetService, times(1)).setAllowOnlyVpnForUids(eq(false), aryEq(entireUser));

    // Removing the lockdown again should have no effect: still two calls in total, one to
    // add the rule and one to remove it.
    vpn.setLockdown(false);
    verify(mNetService, times(2)).setAllowOnlyVpnForUids(anyBoolean(), any(UidRange[].class));
}
| 295 | |
/**
 * Lockdown rules must be replaced in a strict order when the VPN package changes: the old
 * rule is removed before the new one is added, and switching back undoes the steps in
 * reverse. The order is enforced with a Mockito {@link InOrder} verifier.
 */
@SmallTest
public void testLockdownRuleReversibility() throws Exception {
    final Vpn vpn = createVpn(primaryUser.id);

    final UidRange user = UidRange.createForUser(primaryUser.id);
    final UidRange[] wholeUser = {user};
    // The user's range with a one-UID hole for PKGS[0].
    final int pkg0Uid = user.start + PKG_UIDS[0];
    final UidRange[] allButPkg0 = {
        new UidRange(user.start, pkg0Uid - 1),
        new UidRange(pkg0Uid + 1, user.stop)
    };

    final InOrder ordered = inOrder(mNetService);

    // Given lockdown is enabled with no package (legacy VPN),
    vpn.setLockdown(true);
    ordered.verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(wholeUser));

    // When a new VPN package is set the rules should change to cover that package.
    vpn.prepare(null, PKGS[0]);
    ordered.verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(wholeUser));
    ordered.verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(allButPkg0));

    // When that VPN package is unset, everything should be undone again in reverse.
    vpn.prepare(null, VpnConfig.LEGACY_VPN);
    ordered.verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(allButPkg0));
    ordered.verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(wholeUser));
}
| 324 | |
/**
 * {@code isAlwaysOnPackageSupported} must reject a null package, reject apps targeting an
 * SDK below N, accept apps targeting N or later, and reject apps whose VPN service opts
 * out through the {@link VpnService#SERVICE_META_DATA_SUPPORTS_ALWAYS_ON} metadata flag.
 */
@SmallTest
public void testIsAlwaysOnPackageSupported() throws Exception {
    final Vpn vpn = createVpn(primaryUser.id);

    // A single VPN service, initially without metadata, is resolved for the primary user.
    final ServiceInfo vpnService = new ServiceInfo();
    final ResolveInfo resolved = new ResolveInfo();
    resolved.serviceInfo = vpnService;
    final ApplicationInfo targetApp = new ApplicationInfo();

    when(mPackageManager.getApplicationInfoAsUser(eq(PKGS[0]), anyInt(), eq(primaryUser.id)))
            .thenReturn(targetApp);
    when(mPackageManager.queryIntentServicesAsUser(
            any(), eq(PackageManager.GET_META_DATA), eq(primaryUser.id)))
            .thenReturn(Collections.singletonList(resolved));

    // null package name should return false
    assertFalse(vpn.isAlwaysOnPackageSupported(null));

    // Pre-N apps are not supported
    targetApp.targetSdkVersion = VERSION_CODES.M;
    assertFalse(vpn.isAlwaysOnPackageSupported(PKGS[0]));

    // N+ apps are supported by default
    targetApp.targetSdkVersion = VERSION_CODES.N;
    assertTrue(vpn.isAlwaysOnPackageSupported(PKGS[0]));

    // Apps that opt out explicitly are not supported
    targetApp.targetSdkVersion = VERSION_CODES.CUR_DEVELOPMENT;
    final Bundle optOut = new Bundle();
    optOut.putBoolean(VpnService.SERVICE_META_DATA_SUPPORTS_ALWAYS_ON, false);
    vpnService.metaData = optOut;
    assertFalse(vpn.isAlwaysOnPackageSupported(PKGS[0]));
}
| 358 | |
/**
 * Checks, in order, when the notification is posted and cancelled for the primary user:
 * nothing is posted for an ordinary disconnect, it is posted once an always-on package is
 * set and the VPN is disconnected, and it is cancelled on connect and when the always-on
 * package is cleared.
 */
@SmallTest
public void testNotificationShownForAlwaysOnApp() {
    final UserHandle userHandle = UserHandle.of(primaryUser.id);
    final Vpn vpn = createVpn(primaryUser.id);
    setMockedUsers(primaryUser);

    final InOrder notifications = inOrder(mNotificationManager);

    // Don't show a notification for regular disconnected states.
    vpn.updateState(DetailedState.DISCONNECTED, TAG);
    notifications.verify(mNotificationManager, atLeastOnce())
            .cancelAsUser(anyString(), anyInt(), eq(userHandle));

    // Start showing a notification for disconnected once always-on.
    vpn.setAlwaysOnPackage(PKGS[0], false);
    notifications.verify(mNotificationManager)
            .notifyAsUser(anyString(), anyInt(), any(), eq(userHandle));

    // Stop showing the notification once connected.
    vpn.updateState(DetailedState.CONNECTED, TAG);
    notifications.verify(mNotificationManager)
            .cancelAsUser(anyString(), anyInt(), eq(userHandle));

    // Show the notification if we disconnect again.
    vpn.updateState(DetailedState.DISCONNECTED, TAG);
    notifications.verify(mNotificationManager)
            .notifyAsUser(anyString(), anyInt(), any(), eq(userHandle));

    // Notification should be cleared after unsetting always-on package.
    vpn.setAlwaysOnPackage(null, false);
    notifications.verify(mNotificationManager)
            .cancelAsUser(anyString(), anyInt(), eq(userHandle));
}
| 390 | |
/**
 * Creates a {@link Vpn} for {@code userId} on the calling thread's looper, wired to the
 * mocked context, network management service and system services of this fixture.
 */
private Vpn createVpn(@UserIdInt int userId) {
    final Looper looper = Looper.myLooper();
    return new Vpn(looper, mContext, mNetService, userId, mSystemServices);
}
Robin Lee | 17e6183 | 2016-05-09 13:46:28 +0100 | [diff] [blame] | 397 | |
/** Asserts that {@code vpn} reports every one of {@code uids} as blocked. */
private static void assertBlocked(Vpn vpn, int... uids) {
    for (int i = 0; i < uids.length; i++) {
        final int uid = uids[i];
        final boolean blocked = vpn.isBlockingUid(uid);
        assertTrue("Uid " + uid + " should be blocked", blocked);
    }
}
| 403 | |
/** Asserts that {@code vpn} reports none of {@code uids} as blocked. */
private static void assertUnblocked(Vpn vpn, int... uids) {
    for (int i = 0; i < uids.length; i++) {
        final int uid = uids[i];
        final boolean blocked = vpn.isBlockingUid(uid);
        assertFalse("Uid " + uid + " should not be blocked", blocked);
    }
}
| 409 | |
/**
 * Populate {@link #mUserManager} with a list of fake users.
 *
 * Stubs {@code getUsers}, {@code getUserInfo} and {@code canHaveRestrictedProfile}. Calling
 * this again replaces the previous stubbing with the new user list.
 */
private void setMockedUsers(UserInfo... users) {
    final Map<Integer, UserInfo> usersById = new ArrayMap<>();
    for (int i = 0; i < users.length; i++) {
        usersById.put(users[i].id, users[i]);
    }

    // Modelled on UserManagerService#getUsers(boolean): when excludeDying is set, users that
    // are disabled or partial are left out of the result.
    doAnswer(invocation -> {
        final boolean excludeDying = (boolean) invocation.getArguments()[0];
        final ArrayList<UserInfo> visible = new ArrayList<>(users.length);
        for (UserInfo candidate : users) {
            if (excludeDying && (!candidate.isEnabled() || candidate.partial)) {
                continue;
            }
            visible.add(candidate);
        }
        return visible;
    }).when(mUserManager).getUsers(anyBoolean());

    // Unknown ids yield null.
    doAnswer(invocation -> {
        final int requestedId = (int) invocation.getArguments()[0];
        return usersById.get(requestedId);
    }).when(mUserManager).getUserInfo(anyInt());

    // Only users carrying FLAG_ADMIN may own a restricted profile.
    // NOTE(review): an id that is not in the fake user list makes this answer throw a
    // NullPointerException rather than return false.
    doAnswer(invocation -> {
        final int requestedId = (int) invocation.getArguments()[0];
        return (usersById.get(requestedId).flags & UserInfo.FLAG_ADMIN) != 0;
    }).when(mUserManager).canHaveRestrictedProfile(anyInt());
}
| 443 | |
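/**
 * Populate {@link #mPackageManager} with a fake packageName-to-UID mapping.
 *
 * A lookup for a package that is not in {@code packages} throws
 * {@link PackageManager.NameNotFoundException}, the exception {@code getPackageUidAsUser}
 * declares, instead of failing with a NullPointerException while unboxing a missing entry.
 *
 * @param packages package name to app id; combined with the requested user id to form the
 *         UID that is returned
 * @throws IllegalStateException if setting up the stub itself fails
 */
private void setMockedPackages(final Map<String, Integer> packages) {
    try {
        doAnswer(invocation -> {
            final String appName = (String) invocation.getArguments()[0];
            final int userId = (int) invocation.getArguments()[1];
            final Integer appId = packages.get(appName);
            if (appId == null) {
                throw new PackageManager.NameNotFoundException(appName);
            }
            return UserHandle.getUid(userId, appId);
        }).when(mPackageManager).getPackageUidAsUser(anyString(), anyInt());
    } catch (PackageManager.NameNotFoundException e) {
        // The catch exists only because the stubbed method declares a checked exception.
        // Stubbing should never throw, so surface a failure instead of hiding it.
        throw new IllegalStateException("Failed to stub getPackageUidAsUser", e);
    }
}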
| 457 | } |