Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / 4c052f237a108457fca3d3864c5654ebd4505111 / . / services / tests / servicestests / src / com / android / server / devicepolicy / DevicePolicyManagerTest.java
blob: 536fb70d9068503a128304d4f7f2080afc6f7581 [file] [log] [blame]
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]1/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]16package com.android.server.devicepolicy;
17
18import com.android.server.LocalServices;
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]19import com.android.server.SystemService;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]20
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]21import android.Manifest.permission;
22import android.app.Activity;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]23import android.app.admin.DeviceAdminReceiver;
24import android.app.admin.DevicePolicyManager;
25import android.app.admin.DevicePolicyManagerInternal;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]26import android.content.BroadcastReceiver;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]27import android.content.ComponentName;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]28import android.content.pm.PackageManager;
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]29import android.net.wifi.WifiInfo;
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]30import android.os.Build;
31import android.os.Build.VERSION_CODES;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]32import android.os.Bundle;
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]33import android.os.Process;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]34import android.os.UserHandle;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]35import android.os.UserManager;
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]36import android.test.MoreAsserts;
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame^]37import android.util.ArraySet;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]38import android.util.Pair;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]39
40import org.mockito.ArgumentCaptor;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]41import org.mockito.invocation.InvocationOnMock;
42import org.mockito.stubbing.Answer;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]43
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]44import java.util.ArrayList;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]45import java.util.HashMap;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]46import java.util.List;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]47import java.util.Map;
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame^]48import java.util.Set;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]49
50import static org.mockito.Matchers.any;
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]51import static org.mockito.Matchers.anyInt;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]52import static org.mockito.Matchers.anyString;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]53import static org.mockito.Matchers.eq;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]54import static org.mockito.Matchers.isNull;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]55import static org.mockito.Mockito.doAnswer;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]56import static org.mockito.Mockito.doReturn;
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]57import static org.mockito.Mockito.reset;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]58import static org.mockito.Mockito.times;
59import static org.mockito.Mockito.verify;
60import static org.mockito.Mockito.when;
61
62/**
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]63 * Tests for DevicePolicyManager( and DevicePolicyManagerService).
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]64 *
65 m FrameworksServicesTests &&
66 adb install \
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]67 -r out/target/product/hammerhead/data/app/FrameworksServicesTests/FrameworksServicesTests.apk &&
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]68 adb shell am instrument -e class com.android.server.devicepolicy.DevicePolicyManagerTest \
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]69 -w com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]70
71 (mmma frameworks/base/services/tests/servicestests/ for non-ninja build)
72 */
73public class DevicePolicyManagerTest extends DpmTestBase {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]74 private DpmMockContext mContext;
75 public DevicePolicyManager dpm;
76 public DevicePolicyManagerServiceTestable dpms;
77
78 @Override
79 protected void setUp() throws Exception {
80 super.setUp();
81
82 mContext = getContext();
83
84 when(mContext.packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN)))
85 .thenReturn(true);
86
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]87 initializeDpms();
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]88
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]89 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
90 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
91 setUpPackageManagerForAdmin(admin3, DpmMockContext.CALLER_UID);
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]92 setUpPackageManagerForAdmin(adminNoPerm, DpmMockContext.CALLER_UID);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]93
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]94 setUpUserManager();
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]95 }
96
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]97 private void initializeDpms() {
98 // Need clearCallingIdentity() to pass permission checks.
99 final long ident = mContext.binder.clearCallingIdentity();
100 try {
101 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class);
102
103 dpms = new DevicePolicyManagerServiceTestable(mContext, dataDir);
104
105 dpms.systemReady(SystemService.PHASE_LOCK_SETTINGS_READY);
106 dpms.systemReady(SystemService.PHASE_BOOT_COMPLETED);
107
108 dpm = new DevicePolicyManagerTestable(mContext, dpms);
109 } finally {
110 mContext.binder.restoreCallingIdentity(ident);
111 }
112 }
113
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]114 private void setUpUserManager() {
115 // Emulate UserManager.set/getApplicationRestriction().
116 final Map<Pair<String, UserHandle>, Bundle> appRestrictions = new HashMap<>();
117
118 // UM.setApplicationRestrictions() will save to appRestrictions.
119 doAnswer(new Answer<Void>() {
120 @Override
121 public Void answer(InvocationOnMock invocation) throws Throwable {
122 String pkg = (String) invocation.getArguments()[0];
123 Bundle bundle = (Bundle) invocation.getArguments()[1];
124 UserHandle user = (UserHandle) invocation.getArguments()[2];
125
126 appRestrictions.put(Pair.create(pkg, user), bundle);
127
128 return null;
129 }
130 }).when(mContext.userManager).setApplicationRestrictions(
131 anyString(), any(Bundle.class), any(UserHandle.class));
132
133 // UM.getApplicationRestrictions() will read from appRestrictions.
134 doAnswer(new Answer<Bundle>() {
135 @Override
136 public Bundle answer(InvocationOnMock invocation) throws Throwable {
137 String pkg = (String) invocation.getArguments()[0];
138 UserHandle user = (UserHandle) invocation.getArguments()[1];
139
140 return appRestrictions.get(Pair.create(pkg, user));
141 }
142 }).when(mContext.userManager).getApplicationRestrictions(
143 anyString(), any(UserHandle.class));
144
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]145 // Add the first secondary user.
146 mContext.addUser(DpmMockContext.CALLER_USER_HANDLE, 0);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]147 }
148
149 private void setAsProfileOwner(ComponentName admin) {
150 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
151 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
152
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]153 // PO needs to be an DA.
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]154 dpm.setActiveAdmin(admin, /* replace =*/ false);
155
156 // Fire!
157 assertTrue(dpm.setProfileOwner(admin, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
158
159 // Check
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]160 assertEquals(admin, dpm.getProfileOwnerAsUser(DpmMockContext.CALLER_USER_HANDLE));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]161 }
162
163 public void testHasNoFeature() throws Exception {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]164 when(mContext.packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN)))
165 .thenReturn(false);
166
167 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class);
168 new DevicePolicyManagerServiceTestable(mContext, dataDir);
169
170 // If the device has no DPMS feature, it shouldn't register the local service.
171 assertNull(LocalServices.getService(DevicePolicyManagerInternal.class));
172 }
173
174 /**
175 * Caller doesn't have proper permissions.
176 */
177 public void testSetActiveAdmin_SecurityException() {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]178 // 1. Failure cases.
179
180 // Caller doesn't have MANAGE_DEVICE_ADMINS.
181 try {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]182 dpm.setActiveAdmin(admin1, false);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]183 fail("Didn't throw SecurityException");
184 } catch (SecurityException expected) {
185 }
186
187 // Caller has MANAGE_DEVICE_ADMINS, but for different user.
188 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
189 try {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]190 dpm.setActiveAdmin(admin1, false, DpmMockContext.CALLER_USER_HANDLE + 1);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]191 fail("Didn't throw SecurityException");
192 } catch (SecurityException expected) {
193 }
194 }
195
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]196 /**
197 * Test for:
198 * {@link DevicePolicyManager#setActiveAdmin}
199 * with replace=false and replace=true
200 * {@link DevicePolicyManager#isAdminActive}
201 * {@link DevicePolicyManager#isAdminActiveAsUser}
202 * {@link DevicePolicyManager#getActiveAdmins}
203 * {@link DevicePolicyManager#getActiveAdminsAsUser}
204 */
205 public void testSetActiveAdmin() throws Exception {
206 // 1. Make sure the caller has proper permissions.
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]207 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
208
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]209 // 2. Call the API.
210 dpm.setActiveAdmin(admin1, /* replace =*/ false);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]211
212 // 3. Verify internal calls.
213
214 // Check if the boradcast is sent.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]215 verify(mContext.spiedContext).sendBroadcastAsUser(
216 MockUtils.checkIntentAction(
217 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
218 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
219 verify(mContext.spiedContext).sendBroadcastAsUser(
220 MockUtils.checkIntentAction(
221 DeviceAdminReceiver.ACTION_DEVICE_ADMIN_ENABLED),
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]222 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
223
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]224 verify(mContext.ipackageManager, times(1)).setApplicationEnabledSetting(
225 eq(admin1.getPackageName()),
226 eq(PackageManager.COMPONENT_ENABLED_STATE_DEFAULT),
227 eq(PackageManager.DONT_KILL_APP),
228 eq(DpmMockContext.CALLER_USER_HANDLE),
229 anyString());
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]230
231 // TODO Verify other calls too.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]232
233 // Make sure it's active admin1.
234 assertTrue(dpm.isAdminActive(admin1));
235 assertFalse(dpm.isAdminActive(admin2));
236 assertFalse(dpm.isAdminActive(admin3));
237
238 // But not admin1 for a different user.
239
240 // For this to work, caller needs android.permission.INTERACT_ACROSS_USERS_FULL.
241 // (Because we're checking a different user's status from CALLER_USER_HANDLE.)
242 mContext.callerPermissions.add("android.permission.INTERACT_ACROSS_USERS_FULL");
243
244 assertFalse(dpm.isAdminActiveAsUser(admin1, DpmMockContext.CALLER_USER_HANDLE + 1));
245 assertFalse(dpm.isAdminActiveAsUser(admin2, DpmMockContext.CALLER_USER_HANDLE + 1));
246
247 mContext.callerPermissions.remove("android.permission.INTERACT_ACROSS_USERS_FULL");
248
249 // Next, add one more admin.
250 // Before doing so, update the application info, now it's enabled.
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]251 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID,
252 PackageManager.COMPONENT_ENABLED_STATE_ENABLED);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]253
254 dpm.setActiveAdmin(admin2, /* replace =*/ false);
255
256 // Now we have two admins.
257 assertTrue(dpm.isAdminActive(admin1));
258 assertTrue(dpm.isAdminActive(admin2));
259 assertFalse(dpm.isAdminActive(admin3));
260
261 // Admin2 was already enabled, so setApplicationEnabledSetting() shouldn't have called
262 // again. (times(1) because it was previously called for admin1)
263 verify(mContext.ipackageManager, times(1)).setApplicationEnabledSetting(
264 eq(admin1.getPackageName()),
265 eq(PackageManager.COMPONENT_ENABLED_STATE_DEFAULT),
266 eq(PackageManager.DONT_KILL_APP),
267 eq(DpmMockContext.CALLER_USER_HANDLE),
268 anyString());
269
270 // 4. Add the same admin1 again without replace, which should throw.
271 try {
272 dpm.setActiveAdmin(admin1, /* replace =*/ false);
273 fail("Didn't throw");
274 } catch (IllegalArgumentException expected) {
275 }
276
277 // 5. Add the same admin1 again with replace, which should succeed.
278 dpm.setActiveAdmin(admin1, /* replace =*/ true);
279
280 // TODO make sure it's replaced.
281
282 // 6. Test getActiveAdmins()
283 List<ComponentName> admins = dpm.getActiveAdmins();
284 assertEquals(2, admins.size());
285 assertEquals(admin1, admins.get(0));
286 assertEquals(admin2, admins.get(1));
287
288 // Another user has no admins.
289 mContext.callerPermissions.add("android.permission.INTERACT_ACROSS_USERS_FULL");
290
291 assertEquals(0, DpmTestUtils.getListSizeAllowingNull(
292 dpm.getActiveAdminsAsUser(DpmMockContext.CALLER_USER_HANDLE + 1)));
293
294 mContext.callerPermissions.remove("android.permission.INTERACT_ACROSS_USERS_FULL");
295 }
296
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]297 public void testSetActiveAdmin_multiUsers() throws Exception {
298
299 final int ANOTHER_USER_ID = 100;
300 final int ANOTHER_ADMIN_UID = UserHandle.getUid(ANOTHER_USER_ID, 20456);
301
302 mMockContext.addUser(ANOTHER_USER_ID, 0); // Add one more user.
303
304 // Set up pacakge manager for the other user.
305 setUpPackageManagerForAdmin(admin2, ANOTHER_ADMIN_UID);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]306
307 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
308
309 dpm.setActiveAdmin(admin1, /* replace =*/ false);
310
311 mMockContext.binder.callingUid = ANOTHER_ADMIN_UID;
312 dpm.setActiveAdmin(admin2, /* replace =*/ false);
313
314
315 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
316 assertTrue(dpm.isAdminActive(admin1));
317 assertFalse(dpm.isAdminActive(admin2));
318
319 mMockContext.binder.callingUid = ANOTHER_ADMIN_UID;
320 assertFalse(dpm.isAdminActive(admin1));
321 assertTrue(dpm.isAdminActive(admin2));
322 }
323
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]324 /**
325 * Test for:
326 * {@link DevicePolicyManager#setActiveAdmin}
327 * with replace=false
328 */
329 public void testSetActiveAdmin_twiceWithoutReplace() throws Exception {
330 // 1. Make sure the caller has proper permissions.
331 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
332
333 dpm.setActiveAdmin(admin1, /* replace =*/ false);
334 assertTrue(dpm.isAdminActive(admin1));
335
336 // Add the same admin1 again without replace, which should throw.
337 try {
338 dpm.setActiveAdmin(admin1, /* replace =*/ false);
339 fail("Didn't throw");
340 } catch (IllegalArgumentException expected) {
341 }
342 }
343
344 /**
345 * Test for:
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]346 * {@link DevicePolicyManager#setActiveAdmin} when the admin isn't protected with
347 * BIND_DEVICE_ADMIN.
348 */
349 public void testSetActiveAdmin_permissionCheck() throws Exception {
350 // 1. Make sure the caller has proper permissions.
351 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
352
353 try {
354 dpm.setActiveAdmin(adminNoPerm, /* replace =*/ false);
355 fail();
356 } catch (IllegalArgumentException expected) {
357 assertTrue(expected.getMessage().contains(permission.BIND_DEVICE_ADMIN));
358 }
359 assertFalse(dpm.isAdminActive(adminNoPerm));
360
361 // Change the target API level to MNC. Now it can be set as DA.
362 setUpPackageManagerForAdmin(adminNoPerm, DpmMockContext.CALLER_UID, null,
363 VERSION_CODES.M);
364 dpm.setActiveAdmin(adminNoPerm, /* replace =*/ false);
365 assertTrue(dpm.isAdminActive(adminNoPerm));
366
367 // TODO Test the "load from the file" case where DA will still be loaded even without
368 // BIND_DEVICE_ADMIN and target API is N.
369 }
370
371 /**
372 * Test for:
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]373 * {@link DevicePolicyManager#removeActiveAdmin}
374 */
375 public void testRemoveActiveAdmin_SecurityException() {
376 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
377
378 // Add admin.
379
380 dpm.setActiveAdmin(admin1, /* replace =*/ false);
381
382 assertTrue(dpm.isAdminActive(admin1));
383
384 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
385
386 // Directly call the DPMS method with a different userid, which should fail.
387 try {
388 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE + 1);
389 fail("Didn't throw SecurityException");
390 } catch (SecurityException expected) {
391 }
392
393 // Try to remove active admin with a different caller userid should fail too, without
394 // having MANAGE_DEVICE_ADMINS.
395 mContext.callerPermissions.clear();
396
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]397 // Change the caller, and call into DPMS directly with a different user-id.
398
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]399 mContext.binder.callingUid = 1234567;
400 try {
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]401 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]402 fail("Didn't throw SecurityException");
403 } catch (SecurityException expected) {
404 }
405 }
406
407 /**
408 * Test for:
409 * {@link DevicePolicyManager#removeActiveAdmin}
410 */
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]411 public void testRemoveActiveAdmin_fromDifferentUserWithINTERACT_ACROSS_USERS_FULL() {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]412 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
413
414 // Add admin1.
415
416 dpm.setActiveAdmin(admin1, /* replace =*/ false);
417
418 assertTrue(dpm.isAdminActive(admin1));
419 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
420
421 // Different user, but should work, because caller has proper permissions.
422 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]423
424 // Change the caller, and call into DPMS directly with a different user-id.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]425 mContext.binder.callingUid = 1234567;
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]426
427 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]428
429 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
430
431 // TODO DO Still can't be removed in this case.
432 }
433
434 /**
435 * Test for:
436 * {@link DevicePolicyManager#removeActiveAdmin}
437 */
438 public void testRemoveActiveAdmin_sameUserNoMANAGE_DEVICE_ADMINS() {
439 // Need MANAGE_DEVICE_ADMINS for setActiveAdmin. We'll remove it later.
440 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
441
442 // Add admin1.
443
444 dpm.setActiveAdmin(admin1, /* replace =*/ false);
445
446 assertTrue(dpm.isAdminActive(admin1));
447 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
448
449 // Broadcast from saveSettingsLocked().
450 verify(mContext.spiedContext, times(1)).sendBroadcastAsUser(
451 MockUtils.checkIntentAction(
452 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
453 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
454
455 // Remove. No permissions, but same user, so it'll work.
456 mContext.callerPermissions.clear();
457 dpm.removeActiveAdmin(admin1);
458
459 final ArgumentCaptor<BroadcastReceiver> brCap =
460 ArgumentCaptor.forClass(BroadcastReceiver.class);
461
462 // Is removing now, but not removed yet.
463 assertTrue(dpm.isAdminActive(admin1));
464 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
465
466 verify(mContext.spiedContext).sendOrderedBroadcastAsUser(
467 MockUtils.checkIntentAction(
468 DeviceAdminReceiver.ACTION_DEVICE_ADMIN_DISABLED),
469 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE),
470 isNull(String.class),
471 brCap.capture(),
472 eq(dpms.mHandler),
473 eq(Activity.RESULT_OK),
474 isNull(String.class),
475 isNull(Bundle.class));
476
477 brCap.getValue().onReceive(mContext, null);
478
479 assertFalse(dpm.isAdminActive(admin1));
480 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
481
482 // Again broadcast from saveSettingsLocked().
483 verify(mContext.spiedContext, times(2)).sendBroadcastAsUser(
484 MockUtils.checkIntentAction(
485 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
486 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
487
488 // TODO Check other internal calls.
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]489 }
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]490
491 /**
492 * Test for: {@link DevicePolicyManager#setDeviceOwner} DO on system user installs
493 * successfully.
494 */
495 public void testSetDeviceOwner() throws Exception {
496 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]497 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]498 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
499 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
500
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]501 // In this test, change the caller user to "system".
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]502 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
503
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]504 // Make sure admin1 is installed on system user.
505 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]506
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]507 // Check various get APIs.
508 checkGetDeviceOwnerInfoApi(dpm, /* hasDeviceOwner =*/ false);
509
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]510 // DO needs to be an DA.
511 dpm.setActiveAdmin(admin1, /* replace =*/ false);
512
513 // Fire!
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]514 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]515
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]516 // getDeviceOwnerComponent should return the admin1 component.
517 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
518 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
519
520 // Check various get APIs.
521 checkGetDeviceOwnerInfoApi(dpm, /* hasDeviceOwner =*/ true);
522
523 // getDeviceOwnerComponent should *NOT* return the admin1 component for other users.
524 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
525 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
526 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
527
528 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
529
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]530 // Verify internal calls.
531 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
532 eq(admin1.getPackageName()));
533
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]534 // TODO We should check if the caller has called clearCallerIdentity().
535 verify(mContext.ibackupManager, times(1)).setBackupServiceActive(
536 eq(UserHandle.USER_SYSTEM), eq(false));
537
538 verify(mContext.spiedContext, times(1)).sendBroadcastAsUser(
539 MockUtils.checkIntentAction(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED),
540 MockUtils.checkUserHandle(UserHandle.USER_SYSTEM));
541
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]542 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]543
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]544 // Try to set a profile owner on the same user, which should fail.
545 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID);
546 dpm.setActiveAdmin(admin2, /* refreshing= */ true, UserHandle.USER_SYSTEM);
547 try {
548 dpm.setProfileOwner(admin2, "owner-name", UserHandle.USER_SYSTEM);
549 fail("IllegalStateException not thrown");
550 } catch (IllegalStateException expected) {
551 assertTrue("Message was: " + expected.getMessage(),
552 expected.getMessage().contains("already has a device owner"));
553 }
554
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]555 // TODO Test getDeviceOwnerName() too. To do so, we need to change
556 // DPMS.getApplicationLabel() because Context.createPackageContextAsUser() is not mockable.
557 }
558
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]559 private void checkGetDeviceOwnerInfoApi(DevicePolicyManager dpm, boolean hasDeviceOwner) {
560 final int origCallingUser = mContext.binder.callingUid;
561 final List origPermissions = new ArrayList(mContext.callerPermissions);
562 mContext.callerPermissions.clear();
563
564 mContext.callerPermissions.add(permission.MANAGE_USERS);
565
566 mContext.binder.callingUid = Process.SYSTEM_UID;
567
568 // TODO Test getDeviceOwnerName() too. To do so, we need to change
569 // DPMS.getApplicationLabel() because Context.createPackageContextAsUser() is not mockable.
570 if (hasDeviceOwner) {
571 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
572 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
573 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
574
575 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
576 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
577 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
578 } else {
579 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
580 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
581 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
582
583 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
584 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
585 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
586 }
587
588 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
589 if (hasDeviceOwner) {
590 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
591 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
592 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
593
594 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
595 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
596 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
597 } else {
598 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
599 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
600 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
601
602 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
603 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
604 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
605 }
606
607 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
608 // Still with MANAGE_USERS.
609 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
610 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
611 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
612
613 if (hasDeviceOwner) {
614 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
615 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
616 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
617 } else {
618 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
619 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
620 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
621 }
622
623 mContext.binder.callingUid = Process.SYSTEM_UID;
624 mContext.callerPermissions.remove(permission.MANAGE_USERS);
625 // System can still call "OnAnyUser" without MANAGE_USERS.
626 if (hasDeviceOwner) {
627 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
628 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
629 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
630
631 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
632 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
633 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
634 } else {
635 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
636 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
637 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
638
639 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
640 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
641 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
642 }
643
644 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
645 // Still no MANAGE_USERS.
646 if (hasDeviceOwner) {
647 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
648 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
649 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
650 } else {
651 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
652 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
653 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
654 }
655
656 try {
657 dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName());
658 fail();
659 } catch (SecurityException expected) {
660 }
661 try {
662 dpm.getDeviceOwnerComponentOnAnyUser();
663 fail();
664 } catch (SecurityException expected) {
665 }
666 try {
667 dpm.getDeviceOwnerUserId();
668 fail();
669 } catch (SecurityException expected) {
670 }
671 try {
672 dpm.getDeviceOwnerNameOnAnyUser();
673 fail();
674 } catch (SecurityException expected) {
675 }
676
677 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
678 // Still no MANAGE_USERS.
679 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
680 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
681 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
682
683 try {
684 dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName());
685 fail();
686 } catch (SecurityException expected) {
687 }
688 try {
689 dpm.getDeviceOwnerComponentOnAnyUser();
690 fail();
691 } catch (SecurityException expected) {
692 }
693 try {
694 dpm.getDeviceOwnerUserId();
695 fail();
696 } catch (SecurityException expected) {
697 }
698 try {
699 dpm.getDeviceOwnerNameOnAnyUser();
700 fail();
701 } catch (SecurityException expected) {
702 }
703
704 // Restore.
705 mContext.binder.callingUid = origCallingUser;
706 mContext.callerPermissions.addAll(origPermissions);
707 }
708
709
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]710 /**
711 * Test for: {@link DevicePolicyManager#setDeviceOwner} Package doesn't exist.
712 */
713 public void testSetDeviceOwner_noSuchPackage() {
714 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]715 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]716 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
717 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
718
719 // Call from a process on the system user.
720 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
721
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]722 try {
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]723 dpm.setDeviceOwner(new ComponentName("a.b.c", ".def"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]724 fail("Didn't throw IllegalArgumentException");
725 } catch (IllegalArgumentException expected) {
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]726 assertTrue("Message was: " + expected.getMessage(),
727 expected.getMessage().contains("Invalid component"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]728 }
729 }
730
731 public void testSetDeviceOwner_failures() throws Exception {
732 // TODO Test more failure cases. Basically test all chacks in enforceCanSetDeviceOwner().
733 }
734
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]735 public void testClearDeviceOwner() throws Exception {
736 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]737 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]738 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
739 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
740
741 // Set admin1 as a DA to the secondary user.
742 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
743
744 dpm.setActiveAdmin(admin1, /* replace =*/ false);
745
746 // Set admin 1 as the DO to the system user.
747
748 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
749 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
750 dpm.setActiveAdmin(admin1, /* replace =*/ false);
751 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
752
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]753 // Verify internal calls.
754 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
755 eq(admin1.getPackageName()));
756
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]757 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]758
759 // Set up other mocks.
760 when(mContext.userManager.getUserRestrictions()).thenReturn(new Bundle());
761
762 // Now call clear.
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]763 doReturn(DpmMockContext.CALLER_SYSTEM_USER_UID).when(mContext.packageManager).getPackageUidAsUser(
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]764 eq(admin1.getPackageName()),
765 anyInt());
766 dpm.clearDeviceOwnerApp(admin1.getPackageName());
767
768 // Now DO shouldn't be set.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]769 assertNull(dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]770
771 // TODO Check other calls.
772 }
773
774 public void testClearDeviceOwner_fromDifferentUser() throws Exception {
775 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]776 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]777 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
778 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
779
780 // Set admin1 as a DA to the secondary user.
781 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
782
783 dpm.setActiveAdmin(admin1, /* replace =*/ false);
784
785 // Set admin 1 as the DO to the system user.
786
787 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
788 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
789 dpm.setActiveAdmin(admin1, /* replace =*/ false);
790 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
791
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]792 // Verify internal calls.
793 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
794 eq(admin1.getPackageName()));
795
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]796 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]797
798 // Now call clear from the secondary user, which should throw.
799 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
800
801 // Now call clear.
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]802 doReturn(DpmMockContext.CALLER_UID).when(mContext.packageManager).getPackageUidAsUser(
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]803 eq(admin1.getPackageName()),
804 anyInt());
805 try {
806 dpm.clearDeviceOwnerApp(admin1.getPackageName());
807 fail("Didn't throw");
808 } catch (SecurityException e) {
809 assertEquals("clearDeviceOwner can only be called by the device owner", e.getMessage());
810 }
811
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]812 // DO shouldn't be removed.
813 assertTrue(dpm.isDeviceManaged());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]814 }
815
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]816 public void testSetProfileOwner() throws Exception {
817 setAsProfileOwner(admin1);
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]818
819 // Try setting DO on the same user, which should fail.
820 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
821 dpm.setActiveAdmin(admin2, /* refreshing= */ true, DpmMockContext.CALLER_USER_HANDLE);
822 try {
823 dpm.setDeviceOwner(admin2, "owner-name", DpmMockContext.CALLER_USER_HANDLE);
824 fail("IllegalStateException not thrown");
825 } catch (IllegalStateException expected) {
826 assertTrue("Message was: " + expected.getMessage(),
827 expected.getMessage().contains("already has a profile owner"));
828 }
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]829 }
830
831 public void testSetProfileOwner_failures() throws Exception {
832 // TODO Test more failure cases. Basically test all chacks in enforceCanSetProfileOwner().
833 }
834
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]835 public void testGetDeviceOwnerAdminLocked() throws Exception {
836 checkDeviceOwnerWithMultipleDeviceAdmins();
837 }
838
839 private void checkDeviceOwnerWithMultipleDeviceAdmins() throws Exception {
840 // In ths test, we use 3 users (system + 2 secondary users), set some device admins to them,
841 // set admin2 on CALLER_USER_HANDLE as DO, then call getDeviceOwnerAdminLocked() to
842 // make sure it gets the right component from the right user.
843
844 final int ANOTHER_USER_ID = 100;
845 final int ANOTHER_ADMIN_UID = UserHandle.getUid(ANOTHER_USER_ID, 456);
846
847 mMockContext.addUser(ANOTHER_USER_ID, 0); // Add one more user.
848
849 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]850 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]851 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
852 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
853
854 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
855
856 // Make sure the admin packge is installed to each user.
857 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
858 setUpPackageManagerForAdmin(admin3, DpmMockContext.CALLER_SYSTEM_USER_UID);
859
860 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
861 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
862
863 setUpPackageManagerForAdmin(admin2, ANOTHER_ADMIN_UID);
864
865
866 // Set active admins to the users.
867 dpm.setActiveAdmin(admin1, /* replace =*/ false);
868 dpm.setActiveAdmin(admin3, /* replace =*/ false);
869
870 dpm.setActiveAdmin(admin1, /* replace =*/ false, DpmMockContext.CALLER_USER_HANDLE);
871 dpm.setActiveAdmin(admin2, /* replace =*/ false, DpmMockContext.CALLER_USER_HANDLE);
872
873 dpm.setActiveAdmin(admin2, /* replace =*/ false, ANOTHER_USER_ID);
874
875 // Set DO on the first non-system user.
876 mContext.setUserRunning(DpmMockContext.CALLER_USER_HANDLE, true);
877 assertTrue(dpm.setDeviceOwner(admin2, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
878
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]879 assertEquals(admin2, dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false));
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]880
881 // Then check getDeviceOwnerAdminLocked().
882 assertEquals(admin2, dpms.getDeviceOwnerAdminLocked().info.getComponent());
883 assertEquals(DpmMockContext.CALLER_UID, dpms.getDeviceOwnerAdminLocked().getUid());
884 }
885
886 /**
887 * This essentially tests
888 * {@code DevicePolicyManagerService.findOwnerComponentIfNecessaryLocked()}. (which is private.)
889 *
890 * We didn't use to persist the DO component class name, but now we do, and the above method
891 * finds the right component from a package name upon migration.
892 */
893 public void testDeviceOwnerMigration() throws Exception {
894 checkDeviceOwnerWithMultipleDeviceAdmins();
895
896 // Overwrite the device owner setting and clears the clas name.
897 dpms.mOwners.setDeviceOwner(
898 new ComponentName(admin2.getPackageName(), ""),
899 "owner-name", DpmMockContext.CALLER_USER_HANDLE);
900 dpms.mOwners.writeDeviceOwner();
901
902 // Make sure the DO component name doesn't have a class name.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]903 assertEquals("", dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false).getClassName());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]904
905 // Then create a new DPMS to have it load the settings from files.
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]906 when(mContext.userManager.getUserRestrictions(any(UserHandle.class)))
907 .thenReturn(new Bundle());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]908 initializeDpms();
909
910 // Now the DO component name is a full name.
911 // *BUT* because both admin1 and admin2 belong to the same package, we think admin1 is the
912 // DO.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]913 assertEquals(admin1, dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false));
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]914 }
915
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]916 public void testSetGetApplicationRestriction() {
917 setAsProfileOwner(admin1);
918
919 {
920 Bundle rest = new Bundle();
921 rest.putString("KEY_STRING", "Foo1");
922 dpm.setApplicationRestrictions(admin1, "pkg1", rest);
923 }
924
925 {
926 Bundle rest = new Bundle();
927 rest.putString("KEY_STRING", "Foo2");
928 dpm.setApplicationRestrictions(admin1, "pkg2", rest);
929 }
930
931 {
932 Bundle returned = dpm.getApplicationRestrictions(admin1, "pkg1");
933 assertNotNull(returned);
934 assertEquals(returned.size(), 1);
935 assertEquals(returned.get("KEY_STRING"), "Foo1");
936 }
937
938 {
939 Bundle returned = dpm.getApplicationRestrictions(admin1, "pkg2");
940 assertNotNull(returned);
941 assertEquals(returned.size(), 1);
942 assertEquals(returned.get("KEY_STRING"), "Foo2");
943 }
944
945 dpm.setApplicationRestrictions(admin1, "pkg2", new Bundle());
946 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg2").size());
947 }
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]948
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]949 public void testApplicationRestrictionsManagingApp() throws Exception {
950 setAsProfileOwner(admin1);
951
952 final String appRestrictionsManagerPackage = "com.google.app.restrictions.manager";
953 final int appRestrictionsManagerAppId = 20987;
954 final int appRestrictionsManagerUid = UserHandle.getUid(
955 DpmMockContext.CALLER_USER_HANDLE, appRestrictionsManagerAppId);
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]956 doReturn(appRestrictionsManagerUid).when(mContext.packageManager).getPackageUidAsUser(
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]957 eq(appRestrictionsManagerPackage),
958 eq(DpmMockContext.CALLER_USER_HANDLE));
959 mContext.binder.callingUid = appRestrictionsManagerUid;
960
961 // appRestrictionsManager package shouldn't be able to manage restrictions as the PO hasn't
962 // delegated that permission yet.
963 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
964 Bundle rest = new Bundle();
965 rest.putString("KEY_STRING", "Foo1");
966 try {
967 dpm.setApplicationRestrictions(null, "pkg1", rest);
968 fail("Didn't throw expected SecurityException");
969 } catch (SecurityException expected) {
970 MoreAsserts.assertContainsRegex(
971 "caller cannot manage application restrictions", expected.getMessage());
972 }
973 try {
974 dpm.getApplicationRestrictions(null, "pkg1");
975 fail("Didn't throw expected SecurityException");
976 } catch (SecurityException expected) {
977 MoreAsserts.assertContainsRegex(
978 "caller cannot manage application restrictions", expected.getMessage());
979 }
980
981 // Check via the profile owner that no restrictions were set.
982 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
983 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg1").size());
984
985 // Let appRestrictionsManagerPackage manage app restrictions
986 dpm.setApplicationRestrictionsManagingPackage(admin1, appRestrictionsManagerPackage);
987 assertEquals(appRestrictionsManagerPackage,
988 dpm.getApplicationRestrictionsManagingPackage(admin1));
989
990 // Now that package should be able to set and retrieve app restrictions.
991 mContext.binder.callingUid = appRestrictionsManagerUid;
992 assertTrue(dpm.isCallerApplicationRestrictionsManagingPackage());
993 dpm.setApplicationRestrictions(null, "pkg1", rest);
994 Bundle returned = dpm.getApplicationRestrictions(null, "pkg1");
995 assertEquals(1, returned.size(), 1);
996 assertEquals("Foo1", returned.get("KEY_STRING"));
997
998 // The same app running on a separate user shouldn't be able to manage app restrictions.
999 mContext.binder.callingUid = UserHandle.getUid(
1000 UserHandle.USER_SYSTEM, appRestrictionsManagerAppId);
1001 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1002 try {
1003 dpm.setApplicationRestrictions(null, "pkg1", rest);
1004 fail("Didn't throw expected SecurityException");
1005 } catch (SecurityException expected) {
1006 MoreAsserts.assertContainsRegex(
1007 "caller cannot manage application restrictions", expected.getMessage());
1008 }
1009
1010 // The DPM is still able to manage app restrictions, even if it allowed another app to do it
1011 // too.
1012 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1013 assertEquals(returned, dpm.getApplicationRestrictions(admin1, "pkg1"));
1014 dpm.setApplicationRestrictions(admin1, "pkg1", null);
1015 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg1").size());
1016
1017 // Removing the ability for the package to manage app restrictions.
1018 dpm.setApplicationRestrictionsManagingPackage(admin1, null);
1019 assertNull(dpm.getApplicationRestrictionsManagingPackage(admin1));
1020 mContext.binder.callingUid = appRestrictionsManagerUid;
1021 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1022 try {
1023 dpm.setApplicationRestrictions(null, "pkg1", null);
1024 fail("Didn't throw expected SecurityException");
1025 } catch (SecurityException expected) {
1026 MoreAsserts.assertContainsRegex(
1027 "caller cannot manage application restrictions", expected.getMessage());
1028 }
1029 }
1030
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1031 public void testSetUserRestriction_asDo() throws Exception {
1032 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]1033 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1034 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1035 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1036
1037 // First, set DO.
1038
1039 // Call from a process on the system user.
1040 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1041
1042 // Make sure admin1 is installed on system user.
1043 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1044
1045 // Call.
1046 dpm.setActiveAdmin(admin1, /* replace =*/ false, UserHandle.USER_SYSTEM);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]1047 assertTrue(dpm.setDeviceOwner(admin1, "owner-name",
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1048 UserHandle.USER_SYSTEM));
1049
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1050 DpmTestUtils.assertRestrictions(
1051 DpmTestUtils.newRestrictions(),
1052 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1053 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1054 DpmTestUtils.assertRestrictions(
1055 DpmTestUtils.newRestrictions(),
1056 dpm.getUserRestrictions(admin1)
1057 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1058
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1059 reset(mContext.userManagerInternal);
1060
1061 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1062 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1063 eq(UserHandle.USER_SYSTEM),
1064 MockUtils.checkUserRestrictions(),
1065 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1066 );
1067 reset(mContext.userManagerInternal);
1068
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1069 dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1070 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1071 eq(UserHandle.USER_SYSTEM),
1072 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1073 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1074 );
1075 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1076
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1077 DpmTestUtils.assertRestrictions(
1078 DpmTestUtils.newRestrictions(
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1079 UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_OUTGOING_CALLS),
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1080 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1081 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1082 DpmTestUtils.assertRestrictions(
1083 DpmTestUtils.newRestrictions(
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1084 UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_OUTGOING_CALLS),
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1085 dpm.getUserRestrictions(admin1)
1086 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1087
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1088 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1089 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1090 eq(UserHandle.USER_SYSTEM),
1091 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1092 MockUtils.checkUserRestrictions()
1093 );
1094 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1095
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1096 DpmTestUtils.assertRestrictions(
1097 DpmTestUtils.newRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1098 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1099 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1100 DpmTestUtils.assertRestrictions(
1101 DpmTestUtils.newRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1102 dpm.getUserRestrictions(admin1)
1103 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1104
1105 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1106 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1107 eq(UserHandle.USER_SYSTEM),
1108 MockUtils.checkUserRestrictions(),
1109 MockUtils.checkUserRestrictions()
1110 );
1111 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1112
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1113 DpmTestUtils.assertRestrictions(
1114 DpmTestUtils.newRestrictions(),
1115 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1116 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1117 DpmTestUtils.assertRestrictions(
1118 DpmTestUtils.newRestrictions(),
1119 dpm.getUserRestrictions(admin1)
1120 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1121
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1122 // DISALLOW_ADJUST_VOLUME and DISALLOW_UNMUTE_MICROPHONE are PO restrictions, but when
1123 // DO sets them, the scope is global.
1124 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1125 reset(mContext.userManagerInternal);
1126 dpm.addUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1127 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1128 eq(UserHandle.USER_SYSTEM),
1129 MockUtils.checkUserRestrictions(),
1130 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
1131 UserManager.DISALLOW_UNMUTE_MICROPHONE)
1132 );
1133 reset(mContext.userManagerInternal);
1134
1135 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1136 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1137
1138
1139 // More tests.
1140 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1141 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1142 eq(UserHandle.USER_SYSTEM),
1143 MockUtils.checkUserRestrictions(),
1144 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1145 );
1146 reset(mContext.userManagerInternal);
1147
1148 dpm.addUserRestriction(admin1, UserManager.DISALLOW_FUN);
1149 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1150 eq(UserHandle.USER_SYSTEM),
1151 MockUtils.checkUserRestrictions(),
1152 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1153 UserManager.DISALLOW_ADD_USER)
1154 );
1155 reset(mContext.userManagerInternal);
1156
1157 dpm.setCameraDisabled(admin1, true);
1158 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1159 eq(UserHandle.USER_SYSTEM),
1160 // DISALLOW_CAMERA will be applied to both local and global.
1161 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA),
1162 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1163 UserManager.DISALLOW_CAMERA, UserManager.DISALLOW_ADD_USER)
1164 );
1165 reset(mContext.userManagerInternal);
1166
1167 // Set up another DA and let it disable camera. Now DISALLOW_CAMERA will only be applied
1168 // locally.
1169 dpm.setCameraDisabled(admin1, false);
1170 reset(mContext.userManagerInternal);
1171
1172 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID);
1173 dpm.setActiveAdmin(admin2, /* replace =*/ false, UserHandle.USER_SYSTEM);
1174 dpm.setCameraDisabled(admin2, true);
1175
1176 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1177 eq(UserHandle.USER_SYSTEM),
1178 // DISALLOW_CAMERA will be applied to both local and global.
1179 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA),
1180 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1181 UserManager.DISALLOW_ADD_USER)
1182 );
1183 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1184 // TODO Make sure restrictions are written to the file.
1185 }
1186
1187 public void testSetUserRestriction_asPo() {
1188 setAsProfileOwner(admin1);
1189
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1190 DpmTestUtils.assertRestrictions(
1191 DpmTestUtils.newRestrictions(),
1192 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1193 .ensureUserRestrictions()
1194 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1195
1196 dpm.addUserRestriction(admin1, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1197 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1198 eq(DpmMockContext.CALLER_USER_HANDLE),
1199 MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES),
1200 isNull(Bundle.class)
1201 );
1202 reset(mContext.userManagerInternal);
1203
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1204 dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1205 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1206 eq(DpmMockContext.CALLER_USER_HANDLE),
1207 MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1208 UserManager.DISALLOW_OUTGOING_CALLS),
1209 isNull(Bundle.class)
1210 );
1211 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1212
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1213 DpmTestUtils.assertRestrictions(
1214 DpmTestUtils.newRestrictions(
1215 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1216 UserManager.DISALLOW_OUTGOING_CALLS
1217 ),
1218 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1219 .ensureUserRestrictions()
1220 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1221 DpmTestUtils.assertRestrictions(
1222 DpmTestUtils.newRestrictions(
1223 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1224 UserManager.DISALLOW_OUTGOING_CALLS
1225 ),
1226 dpm.getUserRestrictions(admin1)
1227 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1228
1229 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1230 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1231 eq(DpmMockContext.CALLER_USER_HANDLE),
1232 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1233 isNull(Bundle.class)
1234 );
1235 reset(mContext.userManagerInternal);
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1236
1237 DpmTestUtils.assertRestrictions(
1238 DpmTestUtils.newRestrictions(
1239 UserManager.DISALLOW_OUTGOING_CALLS
1240 ),
1241 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1242 .ensureUserRestrictions()
1243 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1244 DpmTestUtils.assertRestrictions(
1245 DpmTestUtils.newRestrictions(
1246 UserManager.DISALLOW_OUTGOING_CALLS
1247 ),
1248 dpm.getUserRestrictions(admin1)
1249 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1250
1251 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1252 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1253 eq(DpmMockContext.CALLER_USER_HANDLE),
1254 MockUtils.checkUserRestrictions(),
1255 isNull(Bundle.class)
1256 );
1257 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1258
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1259 DpmTestUtils.assertRestrictions(
1260 DpmTestUtils.newRestrictions(),
1261 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1262 .ensureUserRestrictions()
1263 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1264 DpmTestUtils.assertRestrictions(
1265 DpmTestUtils.newRestrictions(),
1266 dpm.getUserRestrictions(admin1)
1267 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1268
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1269 // DISALLOW_ADJUST_VOLUME and DISALLOW_UNMUTE_MICROPHONE can be set by PO too, even
1270 // though when DO sets them they'll be applied globally.
1271 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1272 reset(mContext.userManagerInternal);
1273 dpm.addUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1274 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1275 eq(DpmMockContext.CALLER_USER_HANDLE),
1276 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
1277 UserManager.DISALLOW_UNMUTE_MICROPHONE),
1278 isNull(Bundle.class)
1279 );
1280 reset(mContext.userManagerInternal);
1281
1282 dpm.setCameraDisabled(admin1, true);
1283 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1284 eq(DpmMockContext.CALLER_USER_HANDLE),
1285 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA,
1286 UserManager.DISALLOW_ADJUST_VOLUME,
1287 UserManager.DISALLOW_UNMUTE_MICROPHONE),
1288 isNull(Bundle.class)
1289 );
1290 reset(mContext.userManagerInternal);
1291
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1292 // TODO Make sure restrictions are written to the file.
1293 }
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]1294
1295 public void testGetMacAddress() throws Exception {
1296 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1297 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1298 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1299
1300 // In this test, change the caller user to "system".
1301 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1302
1303 // Make sure admin1 is installed on system user.
1304 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1305
1306 // Test 1. Caller doesn't have DO or DA.
1307 try {
1308 dpm.getWifiMacAddress();
1309 fail();
1310 } catch (SecurityException e) {
1311 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1312 }
1313
1314 // DO needs to be an DA.
1315 dpm.setActiveAdmin(admin1, /* replace =*/ false);
1316 assertTrue(dpm.isAdminActive(admin1));
1317
1318 // Test 2. Caller has DA, but not DO.
1319 try {
1320 dpm.getWifiMacAddress();
1321 fail();
1322 } catch (SecurityException e) {
1323 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1324 }
1325
1326 // Test 3. Caller has PO, but not DO.
1327 assertTrue(dpm.setProfileOwner(admin1, null, UserHandle.USER_SYSTEM));
1328 try {
1329 dpm.getWifiMacAddress();
1330 fail();
1331 } catch (SecurityException e) {
1332 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1333 }
1334
1335 // Remove PO.
1336 dpm.clearProfileOwner(admin1);
1337
1338 // Test 4, Caller is DO now.
1339 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1340
1341 // 4-1. But no WifiInfo.
1342 assertNull(dpm.getWifiMacAddress());
1343
1344 // 4-2. Returns WifiInfo, but with the default MAC.
1345 when(mContext.wifiManager.getConnectionInfo()).thenReturn(new WifiInfo());
1346 assertNull(dpm.getWifiMacAddress());
1347
1348 // 4-3. With a real MAC address.
1349 final WifiInfo wi = new WifiInfo();
1350 wi.setMacAddress("11:22:33:44:55:66");
1351 when(mContext.wifiManager.getConnectionInfo()).thenReturn(wi);
1352 assertEquals("11:22:33:44:55:66", dpm.getWifiMacAddress());
1353 }
Mahaver Chopraf8373b52015-12-23 14:42:18 +0000[diff] [blame]1354
1355 public void testRebootCanOnlyBeCalledByDeviceOwner() throws Exception {
1356 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1357 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1358
1359 // In this test, change the caller user to "system".
1360 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1361
1362 // Make sure admin1 is installed on system user.
1363 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1364
1365 // Set admin1 as DA.
1366 dpm.setActiveAdmin(admin1, false);
1367 assertTrue(dpm.isAdminActive(admin1));
1368 try {
1369 dpm.reboot(admin1);
1370 fail("DA calls DPM.reboot(), did not throw expected SecurityException");
1371 } catch (SecurityException expected) {
1372 MoreAsserts.assertContainsRegex("does not own the device", expected.getMessage());
1373 }
1374
1375 // Set admin1 as PO.
1376 assertTrue(dpm.setProfileOwner(admin1, null, UserHandle.USER_SYSTEM));
1377 try {
1378 dpm.reboot(admin1);
1379 fail("PO calls DPM.reboot(), did not throw expected SecurityException");
1380 } catch (SecurityException expected) {
1381 MoreAsserts.assertContainsRegex("does not own the device", expected.getMessage());
1382 }
1383
1384 // Remove PO and add DO.
1385 dpm.clearProfileOwner(admin1);
1386 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1387
1388 dpm.reboot(admin1);
1389 }
Kenny Guy06de4e72015-12-22 12:07:39 +0000[diff] [blame]1390
1391 public void testSetGetSupportText() {
1392 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1393 dpm.setActiveAdmin(admin1, true);
1394 dpm.setActiveAdmin(admin2, true);
1395 mContext.callerPermissions.remove(permission.MANAGE_DEVICE_ADMINS);
1396
1397 // Null default support messages.
1398 {
1399 assertNull(dpm.getLongSupportMessage(admin1));
1400 assertNull(dpm.getShortSupportMessage(admin1));
1401 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1402 assertNull(dpm.getShortSupportMessageForUser(admin1,
1403 DpmMockContext.CALLER_USER_HANDLE));
1404 assertNull(dpm.getLongSupportMessageForUser(admin1,
1405 DpmMockContext.CALLER_USER_HANDLE));
1406 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1407 }
1408
1409 // Only system can call the per user versions.
1410 {
1411 try {
1412 dpm.getShortSupportMessageForUser(admin1,
1413 DpmMockContext.CALLER_USER_HANDLE);
1414 fail("Only system should be able to call getXXXForUser versions");
1415 } catch (SecurityException expected) {
1416 MoreAsserts.assertContainsRegex("message for user", expected.getMessage());
1417 }
1418 try {
1419 dpm.getLongSupportMessageForUser(admin1,
1420 DpmMockContext.CALLER_USER_HANDLE);
1421 fail("Only system should be able to call getXXXForUser versions");
1422 } catch (SecurityException expected) {
1423 MoreAsserts.assertContainsRegex("message for user", expected.getMessage());
1424 }
1425 }
1426
1427 // Can't set message for admin in another uid.
1428 {
1429 mContext.binder.callingUid = DpmMockContext.CALLER_UID + 1;
1430 try {
1431 dpm.setShortSupportMessage(admin1, "Some text");
1432 fail("Admins should only be able to change their own support text.");
1433 } catch (SecurityException expected) {
1434 MoreAsserts.assertContainsRegex("is not owned by uid", expected.getMessage());
1435 }
1436 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1437 }
1438
1439 // Set/Get short returns what it sets and other admins text isn't changed.
1440 {
1441 final String supportText = "Some text to test with.";
1442 dpm.setShortSupportMessage(admin1, supportText);
1443 assertEquals(supportText, dpm.getShortSupportMessage(admin1));
1444 assertNull(dpm.getLongSupportMessage(admin1));
1445 assertNull(dpm.getShortSupportMessage(admin2));
1446
1447 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1448 assertEquals(supportText, dpm.getShortSupportMessageForUser(admin1,
1449 DpmMockContext.CALLER_USER_HANDLE));
1450 assertNull(dpm.getShortSupportMessageForUser(admin2,
1451 DpmMockContext.CALLER_USER_HANDLE));
1452 assertNull(dpm.getLongSupportMessageForUser(admin1,
1453 DpmMockContext.CALLER_USER_HANDLE));
1454 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1455
1456 dpm.setShortSupportMessage(admin1, null);
1457 assertNull(dpm.getShortSupportMessage(admin1));
1458 }
1459
1460 // Set/Get long returns what it sets and other admins text isn't changed.
1461 {
1462 final String supportText = "Some text to test with.\nWith more text.";
1463 dpm.setLongSupportMessage(admin1, supportText);
1464 assertEquals(supportText, dpm.getLongSupportMessage(admin1));
1465 assertNull(dpm.getShortSupportMessage(admin1));
1466 assertNull(dpm.getLongSupportMessage(admin2));
1467
1468 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1469 assertEquals(supportText, dpm.getLongSupportMessageForUser(admin1,
1470 DpmMockContext.CALLER_USER_HANDLE));
1471 assertNull(dpm.getLongSupportMessageForUser(admin2,
1472 DpmMockContext.CALLER_USER_HANDLE));
1473 assertNull(dpm.getShortSupportMessageForUser(admin1,
1474 DpmMockContext.CALLER_USER_HANDLE));
1475 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1476
1477 dpm.setLongSupportMessage(admin1, null);
1478 assertNull(dpm.getLongSupportMessage(admin1));
1479 }
1480 }
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame^]1481
1482 /**
1483 * Test for:
1484 * {@link DevicePolicyManager#setAffiliationIds}
1485 * {@link DevicePolicyManager#isAffiliatedUser}
1486 */
1487 public void testUserAffiliation() throws Exception {
1488 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1489 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1490 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1491
1492 // Check that the system user is unaffiliated.
1493 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1494 assertFalse(dpm.isAffiliatedUser());
1495
1496 // Set a device owner on the system user. Check that the system user becomes affiliated.
1497 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1498 dpm.setActiveAdmin(admin1, /* replace =*/ false);
1499 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
1500 assertTrue(dpm.isAffiliatedUser());
1501
1502 // Install a profile owner whose package name matches the device owner on a test user. Check
1503 // that the test user is unaffiliated.
1504 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1505 setAsProfileOwner(admin2);
1506 assertFalse(dpm.isAffiliatedUser());
1507
1508 // Have the profile owner specify a set of affiliation ids. Check that the test user remains
1509 // unaffiliated.
1510 final Set<String> userAffiliationIds = new ArraySet<>();
1511 userAffiliationIds.add("red");
1512 userAffiliationIds.add("green");
1513 userAffiliationIds.add("blue");
1514 dpm.setAffiliationIds(admin2, userAffiliationIds);
1515 assertFalse(dpm.isAffiliatedUser());
1516
1517 // Have the device owner specify a set of affiliation ids that do not intersect with those
1518 // specified by the profile owner. Check that the test user remains unaffiliated.
1519 final Set<String> deviceAffiliationIds = new ArraySet<>();
1520 deviceAffiliationIds.add("cyan");
1521 deviceAffiliationIds.add("yellow");
1522 deviceAffiliationIds.add("magenta");
1523 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1524 dpm.setAffiliationIds(admin1, deviceAffiliationIds);
1525 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1526 assertFalse(dpm.isAffiliatedUser());
1527
1528 // Have the profile owner specify a set of affiliation ids that intersect with those
1529 // specified by the device owner. Check that the test user becomes affiliated.
1530 userAffiliationIds.add("yellow");
1531 dpm.setAffiliationIds(admin2, userAffiliationIds);
1532 assertTrue(dpm.isAffiliatedUser());
1533
1534 // Change the profile owner to one whose package name does not match the device owner. Check
1535 // that the test user is not affiliated anymore.
1536 dpm.clearProfileOwner(admin2);
1537 final ComponentName admin = new ComponentName("test", "test");
1538 markPackageAsInstalled(admin.getPackageName(), null, DpmMockContext.CALLER_USER_HANDLE);
1539 assertTrue(dpm.setProfileOwner(admin, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
1540 assertFalse(dpm.isAffiliatedUser());
1541
1542 // Check that the system user remains affiliated.
1543 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1544 assertTrue(dpm.isAffiliatedUser());
1545 }
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]1546}