Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / 6d009037271b487b45716c3a1f72037b89de6d75 / . / services / tests / servicestests / src / com / android / server / devicepolicy / DevicePolicyManagerTest.java
blob: 622106f788f49cf2ef7a5606be0fab03b23c3ca2 [file] [log] [blame]
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]1/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]16package com.android.server.devicepolicy;
17
18import com.android.server.LocalServices;
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]19import com.android.server.SystemService;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]20
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]21import android.Manifest.permission;
22import android.app.Activity;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]23import android.app.admin.DeviceAdminReceiver;
24import android.app.admin.DevicePolicyManager;
25import android.app.admin.DevicePolicyManagerInternal;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]26import android.content.BroadcastReceiver;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]27import android.content.ComponentName;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]28import android.content.pm.PackageManager;
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]29import android.net.wifi.WifiInfo;
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]30import android.os.Build;
31import android.os.Build.VERSION_CODES;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]32import android.os.Bundle;
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]33import android.os.Process;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]34import android.os.UserHandle;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]35import android.os.UserManager;
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]36import android.test.MoreAsserts;
Benjamin Franz6d009032016-01-25 18:56:38 +0000[diff] [blame^]37import android.test.suitebuilder.annotation.SmallTest;
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]38import android.util.ArraySet;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]39import android.util.Pair;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]40
41import org.mockito.ArgumentCaptor;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]42import org.mockito.invocation.InvocationOnMock;
43import org.mockito.stubbing.Answer;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]44
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]45import java.util.ArrayList;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]46import java.util.HashMap;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]47import java.util.List;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]48import java.util.Map;
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]49import java.util.Set;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]50
51import static org.mockito.Matchers.any;
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]52import static org.mockito.Matchers.anyInt;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]53import static org.mockito.Matchers.anyString;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]54import static org.mockito.Matchers.eq;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]55import static org.mockito.Matchers.isNull;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]56import static org.mockito.Mockito.doAnswer;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]57import static org.mockito.Mockito.doReturn;
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]58import static org.mockito.Mockito.reset;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]59import static org.mockito.Mockito.times;
60import static org.mockito.Mockito.verify;
61import static org.mockito.Mockito.when;
62
63/**
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]64 * Tests for DevicePolicyManager( and DevicePolicyManagerService).
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]65 *
66 m FrameworksServicesTests &&
67 adb install \
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]68 -r out/target/product/hammerhead/data/app/FrameworksServicesTests/FrameworksServicesTests.apk &&
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]69 adb shell am instrument -e class com.android.server.devicepolicy.DevicePolicyManagerTest \
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]70 -w com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]71
72 (mmma frameworks/base/services/tests/servicestests/ for non-ninja build)
73 */
Benjamin Franz6d009032016-01-25 18:56:38 +0000[diff] [blame^]74@SmallTest
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]75public class DevicePolicyManagerTest extends DpmTestBase {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]76 private DpmMockContext mContext;
77 public DevicePolicyManager dpm;
78 public DevicePolicyManagerServiceTestable dpms;
79
80 @Override
81 protected void setUp() throws Exception {
82 super.setUp();
83
84 mContext = getContext();
85
86 when(mContext.packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN)))
87 .thenReturn(true);
88
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]89 initializeDpms();
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]90
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]91 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
92 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
93 setUpPackageManagerForAdmin(admin3, DpmMockContext.CALLER_UID);
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]94 setUpPackageManagerForAdmin(adminNoPerm, DpmMockContext.CALLER_UID);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]95
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]96 setUpUserManager();
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]97 }
98
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]99 private void initializeDpms() {
100 // Need clearCallingIdentity() to pass permission checks.
101 final long ident = mContext.binder.clearCallingIdentity();
102 try {
103 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class);
104
105 dpms = new DevicePolicyManagerServiceTestable(mContext, dataDir);
106
107 dpms.systemReady(SystemService.PHASE_LOCK_SETTINGS_READY);
108 dpms.systemReady(SystemService.PHASE_BOOT_COMPLETED);
109
110 dpm = new DevicePolicyManagerTestable(mContext, dpms);
111 } finally {
112 mContext.binder.restoreCallingIdentity(ident);
113 }
114 }
115
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]116 private void setUpUserManager() {
117 // Emulate UserManager.set/getApplicationRestriction().
118 final Map<Pair<String, UserHandle>, Bundle> appRestrictions = new HashMap<>();
119
120 // UM.setApplicationRestrictions() will save to appRestrictions.
121 doAnswer(new Answer<Void>() {
122 @Override
123 public Void answer(InvocationOnMock invocation) throws Throwable {
124 String pkg = (String) invocation.getArguments()[0];
125 Bundle bundle = (Bundle) invocation.getArguments()[1];
126 UserHandle user = (UserHandle) invocation.getArguments()[2];
127
128 appRestrictions.put(Pair.create(pkg, user), bundle);
129
130 return null;
131 }
132 }).when(mContext.userManager).setApplicationRestrictions(
133 anyString(), any(Bundle.class), any(UserHandle.class));
134
135 // UM.getApplicationRestrictions() will read from appRestrictions.
136 doAnswer(new Answer<Bundle>() {
137 @Override
138 public Bundle answer(InvocationOnMock invocation) throws Throwable {
139 String pkg = (String) invocation.getArguments()[0];
140 UserHandle user = (UserHandle) invocation.getArguments()[1];
141
142 return appRestrictions.get(Pair.create(pkg, user));
143 }
144 }).when(mContext.userManager).getApplicationRestrictions(
145 anyString(), any(UserHandle.class));
146
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]147 // Add the first secondary user.
148 mContext.addUser(DpmMockContext.CALLER_USER_HANDLE, 0);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]149 }
150
151 private void setAsProfileOwner(ComponentName admin) {
152 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
153 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
154
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]155 // PO needs to be an DA.
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]156 dpm.setActiveAdmin(admin, /* replace =*/ false);
157
158 // Fire!
159 assertTrue(dpm.setProfileOwner(admin, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
160
161 // Check
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]162 assertEquals(admin, dpm.getProfileOwnerAsUser(DpmMockContext.CALLER_USER_HANDLE));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]163 }
164
165 public void testHasNoFeature() throws Exception {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]166 when(mContext.packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN)))
167 .thenReturn(false);
168
169 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class);
170 new DevicePolicyManagerServiceTestable(mContext, dataDir);
171
172 // If the device has no DPMS feature, it shouldn't register the local service.
173 assertNull(LocalServices.getService(DevicePolicyManagerInternal.class));
174 }
175
176 /**
177 * Caller doesn't have proper permissions.
178 */
179 public void testSetActiveAdmin_SecurityException() {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]180 // 1. Failure cases.
181
182 // Caller doesn't have MANAGE_DEVICE_ADMINS.
183 try {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]184 dpm.setActiveAdmin(admin1, false);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]185 fail("Didn't throw SecurityException");
186 } catch (SecurityException expected) {
187 }
188
189 // Caller has MANAGE_DEVICE_ADMINS, but for different user.
190 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
191 try {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]192 dpm.setActiveAdmin(admin1, false, DpmMockContext.CALLER_USER_HANDLE + 1);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]193 fail("Didn't throw SecurityException");
194 } catch (SecurityException expected) {
195 }
196 }
197
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]198 /**
199 * Test for:
200 * {@link DevicePolicyManager#setActiveAdmin}
201 * with replace=false and replace=true
202 * {@link DevicePolicyManager#isAdminActive}
203 * {@link DevicePolicyManager#isAdminActiveAsUser}
204 * {@link DevicePolicyManager#getActiveAdmins}
205 * {@link DevicePolicyManager#getActiveAdminsAsUser}
206 */
207 public void testSetActiveAdmin() throws Exception {
208 // 1. Make sure the caller has proper permissions.
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]209 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
210
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]211 // 2. Call the API.
212 dpm.setActiveAdmin(admin1, /* replace =*/ false);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]213
214 // 3. Verify internal calls.
215
216 // Check if the boradcast is sent.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]217 verify(mContext.spiedContext).sendBroadcastAsUser(
218 MockUtils.checkIntentAction(
219 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
220 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
221 verify(mContext.spiedContext).sendBroadcastAsUser(
222 MockUtils.checkIntentAction(
223 DeviceAdminReceiver.ACTION_DEVICE_ADMIN_ENABLED),
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]224 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
225
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]226 verify(mContext.ipackageManager, times(1)).setApplicationEnabledSetting(
227 eq(admin1.getPackageName()),
228 eq(PackageManager.COMPONENT_ENABLED_STATE_DEFAULT),
229 eq(PackageManager.DONT_KILL_APP),
230 eq(DpmMockContext.CALLER_USER_HANDLE),
231 anyString());
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]232
233 // TODO Verify other calls too.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]234
235 // Make sure it's active admin1.
236 assertTrue(dpm.isAdminActive(admin1));
237 assertFalse(dpm.isAdminActive(admin2));
238 assertFalse(dpm.isAdminActive(admin3));
239
240 // But not admin1 for a different user.
241
242 // For this to work, caller needs android.permission.INTERACT_ACROSS_USERS_FULL.
243 // (Because we're checking a different user's status from CALLER_USER_HANDLE.)
244 mContext.callerPermissions.add("android.permission.INTERACT_ACROSS_USERS_FULL");
245
246 assertFalse(dpm.isAdminActiveAsUser(admin1, DpmMockContext.CALLER_USER_HANDLE + 1));
247 assertFalse(dpm.isAdminActiveAsUser(admin2, DpmMockContext.CALLER_USER_HANDLE + 1));
248
249 mContext.callerPermissions.remove("android.permission.INTERACT_ACROSS_USERS_FULL");
250
251 // Next, add one more admin.
252 // Before doing so, update the application info, now it's enabled.
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]253 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID,
254 PackageManager.COMPONENT_ENABLED_STATE_ENABLED);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]255
256 dpm.setActiveAdmin(admin2, /* replace =*/ false);
257
258 // Now we have two admins.
259 assertTrue(dpm.isAdminActive(admin1));
260 assertTrue(dpm.isAdminActive(admin2));
261 assertFalse(dpm.isAdminActive(admin3));
262
263 // Admin2 was already enabled, so setApplicationEnabledSetting() shouldn't have called
264 // again. (times(1) because it was previously called for admin1)
265 verify(mContext.ipackageManager, times(1)).setApplicationEnabledSetting(
266 eq(admin1.getPackageName()),
267 eq(PackageManager.COMPONENT_ENABLED_STATE_DEFAULT),
268 eq(PackageManager.DONT_KILL_APP),
269 eq(DpmMockContext.CALLER_USER_HANDLE),
270 anyString());
271
272 // 4. Add the same admin1 again without replace, which should throw.
273 try {
274 dpm.setActiveAdmin(admin1, /* replace =*/ false);
275 fail("Didn't throw");
276 } catch (IllegalArgumentException expected) {
277 }
278
279 // 5. Add the same admin1 again with replace, which should succeed.
280 dpm.setActiveAdmin(admin1, /* replace =*/ true);
281
282 // TODO make sure it's replaced.
283
284 // 6. Test getActiveAdmins()
285 List<ComponentName> admins = dpm.getActiveAdmins();
286 assertEquals(2, admins.size());
287 assertEquals(admin1, admins.get(0));
288 assertEquals(admin2, admins.get(1));
289
290 // Another user has no admins.
291 mContext.callerPermissions.add("android.permission.INTERACT_ACROSS_USERS_FULL");
292
293 assertEquals(0, DpmTestUtils.getListSizeAllowingNull(
294 dpm.getActiveAdminsAsUser(DpmMockContext.CALLER_USER_HANDLE + 1)));
295
296 mContext.callerPermissions.remove("android.permission.INTERACT_ACROSS_USERS_FULL");
297 }
298
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]299 public void testSetActiveAdmin_multiUsers() throws Exception {
300
301 final int ANOTHER_USER_ID = 100;
302 final int ANOTHER_ADMIN_UID = UserHandle.getUid(ANOTHER_USER_ID, 20456);
303
304 mMockContext.addUser(ANOTHER_USER_ID, 0); // Add one more user.
305
306 // Set up pacakge manager for the other user.
307 setUpPackageManagerForAdmin(admin2, ANOTHER_ADMIN_UID);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]308
309 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
310
311 dpm.setActiveAdmin(admin1, /* replace =*/ false);
312
313 mMockContext.binder.callingUid = ANOTHER_ADMIN_UID;
314 dpm.setActiveAdmin(admin2, /* replace =*/ false);
315
316
317 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
318 assertTrue(dpm.isAdminActive(admin1));
319 assertFalse(dpm.isAdminActive(admin2));
320
321 mMockContext.binder.callingUid = ANOTHER_ADMIN_UID;
322 assertFalse(dpm.isAdminActive(admin1));
323 assertTrue(dpm.isAdminActive(admin2));
324 }
325
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]326 /**
327 * Test for:
328 * {@link DevicePolicyManager#setActiveAdmin}
329 * with replace=false
330 */
331 public void testSetActiveAdmin_twiceWithoutReplace() throws Exception {
332 // 1. Make sure the caller has proper permissions.
333 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
334
335 dpm.setActiveAdmin(admin1, /* replace =*/ false);
336 assertTrue(dpm.isAdminActive(admin1));
337
338 // Add the same admin1 again without replace, which should throw.
339 try {
340 dpm.setActiveAdmin(admin1, /* replace =*/ false);
341 fail("Didn't throw");
342 } catch (IllegalArgumentException expected) {
343 }
344 }
345
346 /**
347 * Test for:
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]348 * {@link DevicePolicyManager#setActiveAdmin} when the admin isn't protected with
349 * BIND_DEVICE_ADMIN.
350 */
351 public void testSetActiveAdmin_permissionCheck() throws Exception {
352 // 1. Make sure the caller has proper permissions.
353 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
354
355 try {
356 dpm.setActiveAdmin(adminNoPerm, /* replace =*/ false);
357 fail();
358 } catch (IllegalArgumentException expected) {
359 assertTrue(expected.getMessage().contains(permission.BIND_DEVICE_ADMIN));
360 }
361 assertFalse(dpm.isAdminActive(adminNoPerm));
362
363 // Change the target API level to MNC. Now it can be set as DA.
364 setUpPackageManagerForAdmin(adminNoPerm, DpmMockContext.CALLER_UID, null,
365 VERSION_CODES.M);
366 dpm.setActiveAdmin(adminNoPerm, /* replace =*/ false);
367 assertTrue(dpm.isAdminActive(adminNoPerm));
368
369 // TODO Test the "load from the file" case where DA will still be loaded even without
370 // BIND_DEVICE_ADMIN and target API is N.
371 }
372
373 /**
374 * Test for:
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]375 * {@link DevicePolicyManager#removeActiveAdmin}
376 */
377 public void testRemoveActiveAdmin_SecurityException() {
378 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
379
380 // Add admin.
381
382 dpm.setActiveAdmin(admin1, /* replace =*/ false);
383
384 assertTrue(dpm.isAdminActive(admin1));
385
386 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
387
388 // Directly call the DPMS method with a different userid, which should fail.
389 try {
390 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE + 1);
391 fail("Didn't throw SecurityException");
392 } catch (SecurityException expected) {
393 }
394
395 // Try to remove active admin with a different caller userid should fail too, without
396 // having MANAGE_DEVICE_ADMINS.
397 mContext.callerPermissions.clear();
398
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]399 // Change the caller, and call into DPMS directly with a different user-id.
400
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]401 mContext.binder.callingUid = 1234567;
402 try {
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]403 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]404 fail("Didn't throw SecurityException");
405 } catch (SecurityException expected) {
406 }
407 }
408
409 /**
410 * Test for:
411 * {@link DevicePolicyManager#removeActiveAdmin}
412 */
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]413 public void testRemoveActiveAdmin_fromDifferentUserWithINTERACT_ACROSS_USERS_FULL() {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]414 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
415
416 // Add admin1.
417
418 dpm.setActiveAdmin(admin1, /* replace =*/ false);
419
420 assertTrue(dpm.isAdminActive(admin1));
421 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
422
423 // Different user, but should work, because caller has proper permissions.
424 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]425
426 // Change the caller, and call into DPMS directly with a different user-id.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]427 mContext.binder.callingUid = 1234567;
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]428
429 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]430
431 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
432
433 // TODO DO Still can't be removed in this case.
434 }
435
436 /**
437 * Test for:
438 * {@link DevicePolicyManager#removeActiveAdmin}
439 */
440 public void testRemoveActiveAdmin_sameUserNoMANAGE_DEVICE_ADMINS() {
441 // Need MANAGE_DEVICE_ADMINS for setActiveAdmin. We'll remove it later.
442 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
443
444 // Add admin1.
445
446 dpm.setActiveAdmin(admin1, /* replace =*/ false);
447
448 assertTrue(dpm.isAdminActive(admin1));
449 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
450
451 // Broadcast from saveSettingsLocked().
452 verify(mContext.spiedContext, times(1)).sendBroadcastAsUser(
453 MockUtils.checkIntentAction(
454 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
455 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
456
457 // Remove. No permissions, but same user, so it'll work.
458 mContext.callerPermissions.clear();
459 dpm.removeActiveAdmin(admin1);
460
461 final ArgumentCaptor<BroadcastReceiver> brCap =
462 ArgumentCaptor.forClass(BroadcastReceiver.class);
463
464 // Is removing now, but not removed yet.
465 assertTrue(dpm.isAdminActive(admin1));
466 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
467
468 verify(mContext.spiedContext).sendOrderedBroadcastAsUser(
469 MockUtils.checkIntentAction(
470 DeviceAdminReceiver.ACTION_DEVICE_ADMIN_DISABLED),
471 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE),
472 isNull(String.class),
473 brCap.capture(),
474 eq(dpms.mHandler),
475 eq(Activity.RESULT_OK),
476 isNull(String.class),
477 isNull(Bundle.class));
478
479 brCap.getValue().onReceive(mContext, null);
480
481 assertFalse(dpm.isAdminActive(admin1));
482 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
483
484 // Again broadcast from saveSettingsLocked().
485 verify(mContext.spiedContext, times(2)).sendBroadcastAsUser(
486 MockUtils.checkIntentAction(
487 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
488 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
489
490 // TODO Check other internal calls.
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]491 }
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]492
493 /**
494 * Test for: {@link DevicePolicyManager#setDeviceOwner} DO on system user installs
495 * successfully.
496 */
497 public void testSetDeviceOwner() throws Exception {
498 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]499 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]500 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
501 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
502
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]503 // In this test, change the caller user to "system".
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]504 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
505
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]506 // Make sure admin1 is installed on system user.
507 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]508
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]509 // Check various get APIs.
510 checkGetDeviceOwnerInfoApi(dpm, /* hasDeviceOwner =*/ false);
511
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]512 // DO needs to be an DA.
513 dpm.setActiveAdmin(admin1, /* replace =*/ false);
514
515 // Fire!
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]516 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]517
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]518 // getDeviceOwnerComponent should return the admin1 component.
519 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
520 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
521
522 // Check various get APIs.
523 checkGetDeviceOwnerInfoApi(dpm, /* hasDeviceOwner =*/ true);
524
525 // getDeviceOwnerComponent should *NOT* return the admin1 component for other users.
526 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
527 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
528 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
529
530 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
531
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]532 // Verify internal calls.
533 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
534 eq(admin1.getPackageName()));
535
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]536 // TODO We should check if the caller has called clearCallerIdentity().
537 verify(mContext.ibackupManager, times(1)).setBackupServiceActive(
538 eq(UserHandle.USER_SYSTEM), eq(false));
539
540 verify(mContext.spiedContext, times(1)).sendBroadcastAsUser(
541 MockUtils.checkIntentAction(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED),
542 MockUtils.checkUserHandle(UserHandle.USER_SYSTEM));
543
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]544 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]545
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]546 // Try to set a profile owner on the same user, which should fail.
547 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID);
548 dpm.setActiveAdmin(admin2, /* refreshing= */ true, UserHandle.USER_SYSTEM);
549 try {
550 dpm.setProfileOwner(admin2, "owner-name", UserHandle.USER_SYSTEM);
551 fail("IllegalStateException not thrown");
552 } catch (IllegalStateException expected) {
553 assertTrue("Message was: " + expected.getMessage(),
554 expected.getMessage().contains("already has a device owner"));
555 }
556
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]557 // TODO Test getDeviceOwnerName() too. To do so, we need to change
558 // DPMS.getApplicationLabel() because Context.createPackageContextAsUser() is not mockable.
559 }
560
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]561 private void checkGetDeviceOwnerInfoApi(DevicePolicyManager dpm, boolean hasDeviceOwner) {
562 final int origCallingUser = mContext.binder.callingUid;
563 final List origPermissions = new ArrayList(mContext.callerPermissions);
564 mContext.callerPermissions.clear();
565
566 mContext.callerPermissions.add(permission.MANAGE_USERS);
567
568 mContext.binder.callingUid = Process.SYSTEM_UID;
569
570 // TODO Test getDeviceOwnerName() too. To do so, we need to change
571 // DPMS.getApplicationLabel() because Context.createPackageContextAsUser() is not mockable.
572 if (hasDeviceOwner) {
573 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
574 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
575 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
576
577 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
578 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
579 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
580 } else {
581 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
582 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
583 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
584
585 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
586 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
587 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
588 }
589
590 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
591 if (hasDeviceOwner) {
592 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
593 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
594 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
595
596 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
597 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
598 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
599 } else {
600 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
601 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
602 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
603
604 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
605 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
606 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
607 }
608
609 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
610 // Still with MANAGE_USERS.
611 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
612 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
613 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
614
615 if (hasDeviceOwner) {
616 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
617 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
618 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
619 } else {
620 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
621 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
622 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
623 }
624
625 mContext.binder.callingUid = Process.SYSTEM_UID;
626 mContext.callerPermissions.remove(permission.MANAGE_USERS);
627 // System can still call "OnAnyUser" without MANAGE_USERS.
628 if (hasDeviceOwner) {
629 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
630 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
631 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
632
633 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
634 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
635 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
636 } else {
637 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
638 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
639 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
640
641 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
642 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
643 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
644 }
645
646 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
647 // Still no MANAGE_USERS.
648 if (hasDeviceOwner) {
649 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
650 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
651 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
652 } else {
653 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
654 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
655 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
656 }
657
658 try {
659 dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName());
660 fail();
661 } catch (SecurityException expected) {
662 }
663 try {
664 dpm.getDeviceOwnerComponentOnAnyUser();
665 fail();
666 } catch (SecurityException expected) {
667 }
668 try {
669 dpm.getDeviceOwnerUserId();
670 fail();
671 } catch (SecurityException expected) {
672 }
673 try {
674 dpm.getDeviceOwnerNameOnAnyUser();
675 fail();
676 } catch (SecurityException expected) {
677 }
678
679 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
680 // Still no MANAGE_USERS.
681 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
682 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
683 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
684
685 try {
686 dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName());
687 fail();
688 } catch (SecurityException expected) {
689 }
690 try {
691 dpm.getDeviceOwnerComponentOnAnyUser();
692 fail();
693 } catch (SecurityException expected) {
694 }
695 try {
696 dpm.getDeviceOwnerUserId();
697 fail();
698 } catch (SecurityException expected) {
699 }
700 try {
701 dpm.getDeviceOwnerNameOnAnyUser();
702 fail();
703 } catch (SecurityException expected) {
704 }
705
706 // Restore.
707 mContext.binder.callingUid = origCallingUser;
708 mContext.callerPermissions.addAll(origPermissions);
709 }
710
711
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]712 /**
713 * Test for: {@link DevicePolicyManager#setDeviceOwner} Package doesn't exist.
714 */
715 public void testSetDeviceOwner_noSuchPackage() {
716 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]717 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]718 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
719 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
720
721 // Call from a process on the system user.
722 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
723
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]724 try {
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]725 dpm.setDeviceOwner(new ComponentName("a.b.c", ".def"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]726 fail("Didn't throw IllegalArgumentException");
727 } catch (IllegalArgumentException expected) {
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]728 assertTrue("Message was: " + expected.getMessage(),
729 expected.getMessage().contains("Invalid component"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]730 }
731 }
732
733 public void testSetDeviceOwner_failures() throws Exception {
734 // TODO Test more failure cases. Basically test all chacks in enforceCanSetDeviceOwner().
735 }
736
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]737 public void testClearDeviceOwner() throws Exception {
738 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]739 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]740 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
741 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
742
743 // Set admin1 as a DA to the secondary user.
744 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
745
746 dpm.setActiveAdmin(admin1, /* replace =*/ false);
747
748 // Set admin 1 as the DO to the system user.
749
750 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
751 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
752 dpm.setActiveAdmin(admin1, /* replace =*/ false);
753 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
754
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]755 // Verify internal calls.
756 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
757 eq(admin1.getPackageName()));
758
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]759 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]760
761 // Set up other mocks.
762 when(mContext.userManager.getUserRestrictions()).thenReturn(new Bundle());
763
764 // Now call clear.
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]765 doReturn(DpmMockContext.CALLER_SYSTEM_USER_UID).when(mContext.packageManager).getPackageUidAsUser(
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]766 eq(admin1.getPackageName()),
767 anyInt());
768 dpm.clearDeviceOwnerApp(admin1.getPackageName());
769
770 // Now DO shouldn't be set.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]771 assertNull(dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]772
773 // TODO Check other calls.
774 }
775
776 public void testClearDeviceOwner_fromDifferentUser() throws Exception {
777 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]778 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]779 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
780 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
781
782 // Set admin1 as a DA to the secondary user.
783 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
784
785 dpm.setActiveAdmin(admin1, /* replace =*/ false);
786
787 // Set admin 1 as the DO to the system user.
788
789 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
790 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
791 dpm.setActiveAdmin(admin1, /* replace =*/ false);
792 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
793
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]794 // Verify internal calls.
795 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
796 eq(admin1.getPackageName()));
797
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]798 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]799
800 // Now call clear from the secondary user, which should throw.
801 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
802
803 // Now call clear.
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]804 doReturn(DpmMockContext.CALLER_UID).when(mContext.packageManager).getPackageUidAsUser(
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]805 eq(admin1.getPackageName()),
806 anyInt());
807 try {
808 dpm.clearDeviceOwnerApp(admin1.getPackageName());
809 fail("Didn't throw");
810 } catch (SecurityException e) {
811 assertEquals("clearDeviceOwner can only be called by the device owner", e.getMessage());
812 }
813
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]814 // DO shouldn't be removed.
815 assertTrue(dpm.isDeviceManaged());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]816 }
817
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]818 public void testSetProfileOwner() throws Exception {
819 setAsProfileOwner(admin1);
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]820
821 // Try setting DO on the same user, which should fail.
822 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
823 dpm.setActiveAdmin(admin2, /* refreshing= */ true, DpmMockContext.CALLER_USER_HANDLE);
824 try {
825 dpm.setDeviceOwner(admin2, "owner-name", DpmMockContext.CALLER_USER_HANDLE);
826 fail("IllegalStateException not thrown");
827 } catch (IllegalStateException expected) {
828 assertTrue("Message was: " + expected.getMessage(),
829 expected.getMessage().contains("already has a profile owner"));
830 }
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]831 }
832
833 public void testSetProfileOwner_failures() throws Exception {
834 // TODO Test more failure cases. Basically test all chacks in enforceCanSetProfileOwner().
835 }
836
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]837 public void testGetDeviceOwnerAdminLocked() throws Exception {
838 checkDeviceOwnerWithMultipleDeviceAdmins();
839 }
840
841 private void checkDeviceOwnerWithMultipleDeviceAdmins() throws Exception {
842 // In ths test, we use 3 users (system + 2 secondary users), set some device admins to them,
843 // set admin2 on CALLER_USER_HANDLE as DO, then call getDeviceOwnerAdminLocked() to
844 // make sure it gets the right component from the right user.
845
846 final int ANOTHER_USER_ID = 100;
847 final int ANOTHER_ADMIN_UID = UserHandle.getUid(ANOTHER_USER_ID, 456);
848
849 mMockContext.addUser(ANOTHER_USER_ID, 0); // Add one more user.
850
851 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]852 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]853 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
854 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
855
856 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
857
858 // Make sure the admin packge is installed to each user.
859 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
860 setUpPackageManagerForAdmin(admin3, DpmMockContext.CALLER_SYSTEM_USER_UID);
861
862 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
863 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
864
865 setUpPackageManagerForAdmin(admin2, ANOTHER_ADMIN_UID);
866
867
868 // Set active admins to the users.
869 dpm.setActiveAdmin(admin1, /* replace =*/ false);
870 dpm.setActiveAdmin(admin3, /* replace =*/ false);
871
872 dpm.setActiveAdmin(admin1, /* replace =*/ false, DpmMockContext.CALLER_USER_HANDLE);
873 dpm.setActiveAdmin(admin2, /* replace =*/ false, DpmMockContext.CALLER_USER_HANDLE);
874
875 dpm.setActiveAdmin(admin2, /* replace =*/ false, ANOTHER_USER_ID);
876
877 // Set DO on the first non-system user.
878 mContext.setUserRunning(DpmMockContext.CALLER_USER_HANDLE, true);
879 assertTrue(dpm.setDeviceOwner(admin2, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
880
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]881 assertEquals(admin2, dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false));
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]882
883 // Then check getDeviceOwnerAdminLocked().
884 assertEquals(admin2, dpms.getDeviceOwnerAdminLocked().info.getComponent());
885 assertEquals(DpmMockContext.CALLER_UID, dpms.getDeviceOwnerAdminLocked().getUid());
886 }
887
888 /**
889 * This essentially tests
890 * {@code DevicePolicyManagerService.findOwnerComponentIfNecessaryLocked()}. (which is private.)
891 *
892 * We didn't use to persist the DO component class name, but now we do, and the above method
893 * finds the right component from a package name upon migration.
894 */
895 public void testDeviceOwnerMigration() throws Exception {
896 checkDeviceOwnerWithMultipleDeviceAdmins();
897
898 // Overwrite the device owner setting and clears the clas name.
899 dpms.mOwners.setDeviceOwner(
900 new ComponentName(admin2.getPackageName(), ""),
901 "owner-name", DpmMockContext.CALLER_USER_HANDLE);
902 dpms.mOwners.writeDeviceOwner();
903
904 // Make sure the DO component name doesn't have a class name.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]905 assertEquals("", dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false).getClassName());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]906
907 // Then create a new DPMS to have it load the settings from files.
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]908 when(mContext.userManager.getUserRestrictions(any(UserHandle.class)))
909 .thenReturn(new Bundle());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]910 initializeDpms();
911
912 // Now the DO component name is a full name.
913 // *BUT* because both admin1 and admin2 belong to the same package, we think admin1 is the
914 // DO.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]915 assertEquals(admin1, dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false));
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]916 }
917
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]918 public void testSetGetApplicationRestriction() {
919 setAsProfileOwner(admin1);
920
921 {
922 Bundle rest = new Bundle();
923 rest.putString("KEY_STRING", "Foo1");
924 dpm.setApplicationRestrictions(admin1, "pkg1", rest);
925 }
926
927 {
928 Bundle rest = new Bundle();
929 rest.putString("KEY_STRING", "Foo2");
930 dpm.setApplicationRestrictions(admin1, "pkg2", rest);
931 }
932
933 {
934 Bundle returned = dpm.getApplicationRestrictions(admin1, "pkg1");
935 assertNotNull(returned);
936 assertEquals(returned.size(), 1);
937 assertEquals(returned.get("KEY_STRING"), "Foo1");
938 }
939
940 {
941 Bundle returned = dpm.getApplicationRestrictions(admin1, "pkg2");
942 assertNotNull(returned);
943 assertEquals(returned.size(), 1);
944 assertEquals(returned.get("KEY_STRING"), "Foo2");
945 }
946
947 dpm.setApplicationRestrictions(admin1, "pkg2", new Bundle());
948 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg2").size());
949 }
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]950
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]951 public void testApplicationRestrictionsManagingApp() throws Exception {
952 setAsProfileOwner(admin1);
953
954 final String appRestrictionsManagerPackage = "com.google.app.restrictions.manager";
955 final int appRestrictionsManagerAppId = 20987;
956 final int appRestrictionsManagerUid = UserHandle.getUid(
957 DpmMockContext.CALLER_USER_HANDLE, appRestrictionsManagerAppId);
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]958 doReturn(appRestrictionsManagerUid).when(mContext.packageManager).getPackageUidAsUser(
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]959 eq(appRestrictionsManagerPackage),
960 eq(DpmMockContext.CALLER_USER_HANDLE));
961 mContext.binder.callingUid = appRestrictionsManagerUid;
962
963 // appRestrictionsManager package shouldn't be able to manage restrictions as the PO hasn't
964 // delegated that permission yet.
965 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
966 Bundle rest = new Bundle();
967 rest.putString("KEY_STRING", "Foo1");
968 try {
969 dpm.setApplicationRestrictions(null, "pkg1", rest);
970 fail("Didn't throw expected SecurityException");
971 } catch (SecurityException expected) {
972 MoreAsserts.assertContainsRegex(
973 "caller cannot manage application restrictions", expected.getMessage());
974 }
975 try {
976 dpm.getApplicationRestrictions(null, "pkg1");
977 fail("Didn't throw expected SecurityException");
978 } catch (SecurityException expected) {
979 MoreAsserts.assertContainsRegex(
980 "caller cannot manage application restrictions", expected.getMessage());
981 }
982
983 // Check via the profile owner that no restrictions were set.
984 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
985 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg1").size());
986
987 // Let appRestrictionsManagerPackage manage app restrictions
988 dpm.setApplicationRestrictionsManagingPackage(admin1, appRestrictionsManagerPackage);
989 assertEquals(appRestrictionsManagerPackage,
990 dpm.getApplicationRestrictionsManagingPackage(admin1));
991
992 // Now that package should be able to set and retrieve app restrictions.
993 mContext.binder.callingUid = appRestrictionsManagerUid;
994 assertTrue(dpm.isCallerApplicationRestrictionsManagingPackage());
995 dpm.setApplicationRestrictions(null, "pkg1", rest);
996 Bundle returned = dpm.getApplicationRestrictions(null, "pkg1");
997 assertEquals(1, returned.size(), 1);
998 assertEquals("Foo1", returned.get("KEY_STRING"));
999
1000 // The same app running on a separate user shouldn't be able to manage app restrictions.
1001 mContext.binder.callingUid = UserHandle.getUid(
1002 UserHandle.USER_SYSTEM, appRestrictionsManagerAppId);
1003 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1004 try {
1005 dpm.setApplicationRestrictions(null, "pkg1", rest);
1006 fail("Didn't throw expected SecurityException");
1007 } catch (SecurityException expected) {
1008 MoreAsserts.assertContainsRegex(
1009 "caller cannot manage application restrictions", expected.getMessage());
1010 }
1011
1012 // The DPM is still able to manage app restrictions, even if it allowed another app to do it
1013 // too.
1014 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1015 assertEquals(returned, dpm.getApplicationRestrictions(admin1, "pkg1"));
1016 dpm.setApplicationRestrictions(admin1, "pkg1", null);
1017 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg1").size());
1018
1019 // Removing the ability for the package to manage app restrictions.
1020 dpm.setApplicationRestrictionsManagingPackage(admin1, null);
1021 assertNull(dpm.getApplicationRestrictionsManagingPackage(admin1));
1022 mContext.binder.callingUid = appRestrictionsManagerUid;
1023 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1024 try {
1025 dpm.setApplicationRestrictions(null, "pkg1", null);
1026 fail("Didn't throw expected SecurityException");
1027 } catch (SecurityException expected) {
1028 MoreAsserts.assertContainsRegex(
1029 "caller cannot manage application restrictions", expected.getMessage());
1030 }
1031 }
1032
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1033 public void testSetUserRestriction_asDo() throws Exception {
1034 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]1035 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1036 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1037 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1038
1039 // First, set DO.
1040
1041 // Call from a process on the system user.
1042 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1043
1044 // Make sure admin1 is installed on system user.
1045 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1046
1047 // Call.
1048 dpm.setActiveAdmin(admin1, /* replace =*/ false, UserHandle.USER_SYSTEM);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]1049 assertTrue(dpm.setDeviceOwner(admin1, "owner-name",
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1050 UserHandle.USER_SYSTEM));
1051
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1052 DpmTestUtils.assertRestrictions(
1053 DpmTestUtils.newRestrictions(),
1054 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1055 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1056 DpmTestUtils.assertRestrictions(
1057 DpmTestUtils.newRestrictions(),
1058 dpm.getUserRestrictions(admin1)
1059 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1060
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1061 reset(mContext.userManagerInternal);
1062
1063 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1064 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1065 eq(UserHandle.USER_SYSTEM),
1066 MockUtils.checkUserRestrictions(),
1067 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1068 );
1069 reset(mContext.userManagerInternal);
1070
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1071 dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1072 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1073 eq(UserHandle.USER_SYSTEM),
1074 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1075 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1076 );
1077 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1078
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1079 DpmTestUtils.assertRestrictions(
1080 DpmTestUtils.newRestrictions(
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1081 UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_OUTGOING_CALLS),
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1082 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1083 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1084 DpmTestUtils.assertRestrictions(
1085 DpmTestUtils.newRestrictions(
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1086 UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_OUTGOING_CALLS),
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1087 dpm.getUserRestrictions(admin1)
1088 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1089
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1090 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1091 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1092 eq(UserHandle.USER_SYSTEM),
1093 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1094 MockUtils.checkUserRestrictions()
1095 );
1096 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1097
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1098 DpmTestUtils.assertRestrictions(
1099 DpmTestUtils.newRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1100 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1101 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1102 DpmTestUtils.assertRestrictions(
1103 DpmTestUtils.newRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1104 dpm.getUserRestrictions(admin1)
1105 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1106
1107 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1108 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1109 eq(UserHandle.USER_SYSTEM),
1110 MockUtils.checkUserRestrictions(),
1111 MockUtils.checkUserRestrictions()
1112 );
1113 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1114
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1115 DpmTestUtils.assertRestrictions(
1116 DpmTestUtils.newRestrictions(),
1117 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1118 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1119 DpmTestUtils.assertRestrictions(
1120 DpmTestUtils.newRestrictions(),
1121 dpm.getUserRestrictions(admin1)
1122 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1123
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1124 // DISALLOW_ADJUST_VOLUME and DISALLOW_UNMUTE_MICROPHONE are PO restrictions, but when
1125 // DO sets them, the scope is global.
1126 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1127 reset(mContext.userManagerInternal);
1128 dpm.addUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1129 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1130 eq(UserHandle.USER_SYSTEM),
1131 MockUtils.checkUserRestrictions(),
1132 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
1133 UserManager.DISALLOW_UNMUTE_MICROPHONE)
1134 );
1135 reset(mContext.userManagerInternal);
1136
1137 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1138 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1139
1140
1141 // More tests.
1142 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1143 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1144 eq(UserHandle.USER_SYSTEM),
1145 MockUtils.checkUserRestrictions(),
1146 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1147 );
1148 reset(mContext.userManagerInternal);
1149
1150 dpm.addUserRestriction(admin1, UserManager.DISALLOW_FUN);
1151 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1152 eq(UserHandle.USER_SYSTEM),
1153 MockUtils.checkUserRestrictions(),
1154 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1155 UserManager.DISALLOW_ADD_USER)
1156 );
1157 reset(mContext.userManagerInternal);
1158
1159 dpm.setCameraDisabled(admin1, true);
1160 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1161 eq(UserHandle.USER_SYSTEM),
1162 // DISALLOW_CAMERA will be applied to both local and global.
1163 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA),
1164 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1165 UserManager.DISALLOW_CAMERA, UserManager.DISALLOW_ADD_USER)
1166 );
1167 reset(mContext.userManagerInternal);
1168
1169 // Set up another DA and let it disable camera. Now DISALLOW_CAMERA will only be applied
1170 // locally.
1171 dpm.setCameraDisabled(admin1, false);
1172 reset(mContext.userManagerInternal);
1173
1174 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID);
1175 dpm.setActiveAdmin(admin2, /* replace =*/ false, UserHandle.USER_SYSTEM);
1176 dpm.setCameraDisabled(admin2, true);
1177
1178 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1179 eq(UserHandle.USER_SYSTEM),
1180 // DISALLOW_CAMERA will be applied to both local and global.
1181 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA),
1182 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1183 UserManager.DISALLOW_ADD_USER)
1184 );
1185 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1186 // TODO Make sure restrictions are written to the file.
1187 }
1188
1189 public void testSetUserRestriction_asPo() {
1190 setAsProfileOwner(admin1);
1191
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1192 DpmTestUtils.assertRestrictions(
1193 DpmTestUtils.newRestrictions(),
1194 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1195 .ensureUserRestrictions()
1196 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1197
1198 dpm.addUserRestriction(admin1, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1199 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1200 eq(DpmMockContext.CALLER_USER_HANDLE),
1201 MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES),
1202 isNull(Bundle.class)
1203 );
1204 reset(mContext.userManagerInternal);
1205
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1206 dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1207 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1208 eq(DpmMockContext.CALLER_USER_HANDLE),
1209 MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1210 UserManager.DISALLOW_OUTGOING_CALLS),
1211 isNull(Bundle.class)
1212 );
1213 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1214
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1215 DpmTestUtils.assertRestrictions(
1216 DpmTestUtils.newRestrictions(
1217 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1218 UserManager.DISALLOW_OUTGOING_CALLS
1219 ),
1220 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1221 .ensureUserRestrictions()
1222 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1223 DpmTestUtils.assertRestrictions(
1224 DpmTestUtils.newRestrictions(
1225 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1226 UserManager.DISALLOW_OUTGOING_CALLS
1227 ),
1228 dpm.getUserRestrictions(admin1)
1229 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1230
1231 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1232 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1233 eq(DpmMockContext.CALLER_USER_HANDLE),
1234 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1235 isNull(Bundle.class)
1236 );
1237 reset(mContext.userManagerInternal);
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1238
1239 DpmTestUtils.assertRestrictions(
1240 DpmTestUtils.newRestrictions(
1241 UserManager.DISALLOW_OUTGOING_CALLS
1242 ),
1243 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1244 .ensureUserRestrictions()
1245 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1246 DpmTestUtils.assertRestrictions(
1247 DpmTestUtils.newRestrictions(
1248 UserManager.DISALLOW_OUTGOING_CALLS
1249 ),
1250 dpm.getUserRestrictions(admin1)
1251 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1252
1253 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1254 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1255 eq(DpmMockContext.CALLER_USER_HANDLE),
1256 MockUtils.checkUserRestrictions(),
1257 isNull(Bundle.class)
1258 );
1259 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1260
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1261 DpmTestUtils.assertRestrictions(
1262 DpmTestUtils.newRestrictions(),
1263 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1264 .ensureUserRestrictions()
1265 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1266 DpmTestUtils.assertRestrictions(
1267 DpmTestUtils.newRestrictions(),
1268 dpm.getUserRestrictions(admin1)
1269 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1270
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1271 // DISALLOW_ADJUST_VOLUME and DISALLOW_UNMUTE_MICROPHONE can be set by PO too, even
1272 // though when DO sets them they'll be applied globally.
1273 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1274 reset(mContext.userManagerInternal);
1275 dpm.addUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1276 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1277 eq(DpmMockContext.CALLER_USER_HANDLE),
1278 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
1279 UserManager.DISALLOW_UNMUTE_MICROPHONE),
1280 isNull(Bundle.class)
1281 );
1282 reset(mContext.userManagerInternal);
1283
1284 dpm.setCameraDisabled(admin1, true);
1285 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1286 eq(DpmMockContext.CALLER_USER_HANDLE),
1287 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA,
1288 UserManager.DISALLOW_ADJUST_VOLUME,
1289 UserManager.DISALLOW_UNMUTE_MICROPHONE),
1290 isNull(Bundle.class)
1291 );
1292 reset(mContext.userManagerInternal);
1293
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1294 // TODO Make sure restrictions are written to the file.
1295 }
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]1296
1297 public void testGetMacAddress() throws Exception {
1298 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1299 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1300 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1301
1302 // In this test, change the caller user to "system".
1303 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1304
1305 // Make sure admin1 is installed on system user.
1306 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1307
1308 // Test 1. Caller doesn't have DO or DA.
1309 try {
1310 dpm.getWifiMacAddress();
1311 fail();
1312 } catch (SecurityException e) {
1313 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1314 }
1315
1316 // DO needs to be an DA.
1317 dpm.setActiveAdmin(admin1, /* replace =*/ false);
1318 assertTrue(dpm.isAdminActive(admin1));
1319
1320 // Test 2. Caller has DA, but not DO.
1321 try {
1322 dpm.getWifiMacAddress();
1323 fail();
1324 } catch (SecurityException e) {
1325 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1326 }
1327
1328 // Test 3. Caller has PO, but not DO.
1329 assertTrue(dpm.setProfileOwner(admin1, null, UserHandle.USER_SYSTEM));
1330 try {
1331 dpm.getWifiMacAddress();
1332 fail();
1333 } catch (SecurityException e) {
1334 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1335 }
1336
1337 // Remove PO.
1338 dpm.clearProfileOwner(admin1);
1339
1340 // Test 4, Caller is DO now.
1341 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1342
1343 // 4-1. But no WifiInfo.
1344 assertNull(dpm.getWifiMacAddress());
1345
1346 // 4-2. Returns WifiInfo, but with the default MAC.
1347 when(mContext.wifiManager.getConnectionInfo()).thenReturn(new WifiInfo());
1348 assertNull(dpm.getWifiMacAddress());
1349
1350 // 4-3. With a real MAC address.
1351 final WifiInfo wi = new WifiInfo();
1352 wi.setMacAddress("11:22:33:44:55:66");
1353 when(mContext.wifiManager.getConnectionInfo()).thenReturn(wi);
1354 assertEquals("11:22:33:44:55:66", dpm.getWifiMacAddress());
1355 }
Mahaver Chopraf8373b52015-12-23 14:42:18 +0000[diff] [blame]1356
1357 public void testRebootCanOnlyBeCalledByDeviceOwner() throws Exception {
1358 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1359 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1360
1361 // In this test, change the caller user to "system".
1362 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1363
1364 // Make sure admin1 is installed on system user.
1365 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1366
1367 // Set admin1 as DA.
1368 dpm.setActiveAdmin(admin1, false);
1369 assertTrue(dpm.isAdminActive(admin1));
1370 try {
1371 dpm.reboot(admin1);
1372 fail("DA calls DPM.reboot(), did not throw expected SecurityException");
1373 } catch (SecurityException expected) {
1374 MoreAsserts.assertContainsRegex("does not own the device", expected.getMessage());
1375 }
1376
1377 // Set admin1 as PO.
1378 assertTrue(dpm.setProfileOwner(admin1, null, UserHandle.USER_SYSTEM));
1379 try {
1380 dpm.reboot(admin1);
1381 fail("PO calls DPM.reboot(), did not throw expected SecurityException");
1382 } catch (SecurityException expected) {
1383 MoreAsserts.assertContainsRegex("does not own the device", expected.getMessage());
1384 }
1385
1386 // Remove PO and add DO.
1387 dpm.clearProfileOwner(admin1);
1388 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1389
1390 dpm.reboot(admin1);
1391 }
Kenny Guy06de4e72015-12-22 12:07:39 +0000[diff] [blame]1392
1393 public void testSetGetSupportText() {
1394 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1395 dpm.setActiveAdmin(admin1, true);
1396 dpm.setActiveAdmin(admin2, true);
1397 mContext.callerPermissions.remove(permission.MANAGE_DEVICE_ADMINS);
1398
1399 // Null default support messages.
1400 {
1401 assertNull(dpm.getLongSupportMessage(admin1));
1402 assertNull(dpm.getShortSupportMessage(admin1));
1403 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1404 assertNull(dpm.getShortSupportMessageForUser(admin1,
1405 DpmMockContext.CALLER_USER_HANDLE));
1406 assertNull(dpm.getLongSupportMessageForUser(admin1,
1407 DpmMockContext.CALLER_USER_HANDLE));
1408 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1409 }
1410
1411 // Only system can call the per user versions.
1412 {
1413 try {
1414 dpm.getShortSupportMessageForUser(admin1,
1415 DpmMockContext.CALLER_USER_HANDLE);
1416 fail("Only system should be able to call getXXXForUser versions");
1417 } catch (SecurityException expected) {
1418 MoreAsserts.assertContainsRegex("message for user", expected.getMessage());
1419 }
1420 try {
1421 dpm.getLongSupportMessageForUser(admin1,
1422 DpmMockContext.CALLER_USER_HANDLE);
1423 fail("Only system should be able to call getXXXForUser versions");
1424 } catch (SecurityException expected) {
1425 MoreAsserts.assertContainsRegex("message for user", expected.getMessage());
1426 }
1427 }
1428
1429 // Can't set message for admin in another uid.
1430 {
1431 mContext.binder.callingUid = DpmMockContext.CALLER_UID + 1;
1432 try {
1433 dpm.setShortSupportMessage(admin1, "Some text");
1434 fail("Admins should only be able to change their own support text.");
1435 } catch (SecurityException expected) {
1436 MoreAsserts.assertContainsRegex("is not owned by uid", expected.getMessage());
1437 }
1438 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1439 }
1440
1441 // Set/Get short returns what it sets and other admins text isn't changed.
1442 {
1443 final String supportText = "Some text to test with.";
1444 dpm.setShortSupportMessage(admin1, supportText);
1445 assertEquals(supportText, dpm.getShortSupportMessage(admin1));
1446 assertNull(dpm.getLongSupportMessage(admin1));
1447 assertNull(dpm.getShortSupportMessage(admin2));
1448
1449 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1450 assertEquals(supportText, dpm.getShortSupportMessageForUser(admin1,
1451 DpmMockContext.CALLER_USER_HANDLE));
1452 assertNull(dpm.getShortSupportMessageForUser(admin2,
1453 DpmMockContext.CALLER_USER_HANDLE));
1454 assertNull(dpm.getLongSupportMessageForUser(admin1,
1455 DpmMockContext.CALLER_USER_HANDLE));
1456 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1457
1458 dpm.setShortSupportMessage(admin1, null);
1459 assertNull(dpm.getShortSupportMessage(admin1));
1460 }
1461
1462 // Set/Get long returns what it sets and other admins text isn't changed.
1463 {
1464 final String supportText = "Some text to test with.\nWith more text.";
1465 dpm.setLongSupportMessage(admin1, supportText);
1466 assertEquals(supportText, dpm.getLongSupportMessage(admin1));
1467 assertNull(dpm.getShortSupportMessage(admin1));
1468 assertNull(dpm.getLongSupportMessage(admin2));
1469
1470 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1471 assertEquals(supportText, dpm.getLongSupportMessageForUser(admin1,
1472 DpmMockContext.CALLER_USER_HANDLE));
1473 assertNull(dpm.getLongSupportMessageForUser(admin2,
1474 DpmMockContext.CALLER_USER_HANDLE));
1475 assertNull(dpm.getShortSupportMessageForUser(admin1,
1476 DpmMockContext.CALLER_USER_HANDLE));
1477 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1478
1479 dpm.setLongSupportMessage(admin1, null);
1480 assertNull(dpm.getLongSupportMessage(admin1));
1481 }
1482 }
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]1483
1484 /**
1485 * Test for:
1486 * {@link DevicePolicyManager#setAffiliationIds}
1487 * {@link DevicePolicyManager#isAffiliatedUser}
1488 */
1489 public void testUserAffiliation() throws Exception {
1490 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1491 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1492 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1493
1494 // Check that the system user is unaffiliated.
1495 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1496 assertFalse(dpm.isAffiliatedUser());
1497
1498 // Set a device owner on the system user. Check that the system user becomes affiliated.
1499 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1500 dpm.setActiveAdmin(admin1, /* replace =*/ false);
1501 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
1502 assertTrue(dpm.isAffiliatedUser());
1503
1504 // Install a profile owner whose package name matches the device owner on a test user. Check
1505 // that the test user is unaffiliated.
1506 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1507 setAsProfileOwner(admin2);
1508 assertFalse(dpm.isAffiliatedUser());
1509
1510 // Have the profile owner specify a set of affiliation ids. Check that the test user remains
1511 // unaffiliated.
1512 final Set<String> userAffiliationIds = new ArraySet<>();
1513 userAffiliationIds.add("red");
1514 userAffiliationIds.add("green");
1515 userAffiliationIds.add("blue");
1516 dpm.setAffiliationIds(admin2, userAffiliationIds);
1517 assertFalse(dpm.isAffiliatedUser());
1518
1519 // Have the device owner specify a set of affiliation ids that do not intersect with those
1520 // specified by the profile owner. Check that the test user remains unaffiliated.
1521 final Set<String> deviceAffiliationIds = new ArraySet<>();
1522 deviceAffiliationIds.add("cyan");
1523 deviceAffiliationIds.add("yellow");
1524 deviceAffiliationIds.add("magenta");
1525 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1526 dpm.setAffiliationIds(admin1, deviceAffiliationIds);
1527 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1528 assertFalse(dpm.isAffiliatedUser());
1529
1530 // Have the profile owner specify a set of affiliation ids that intersect with those
1531 // specified by the device owner. Check that the test user becomes affiliated.
1532 userAffiliationIds.add("yellow");
1533 dpm.setAffiliationIds(admin2, userAffiliationIds);
1534 assertTrue(dpm.isAffiliatedUser());
1535
1536 // Change the profile owner to one whose package name does not match the device owner. Check
1537 // that the test user is not affiliated anymore.
1538 dpm.clearProfileOwner(admin2);
1539 final ComponentName admin = new ComponentName("test", "test");
1540 markPackageAsInstalled(admin.getPackageName(), null, DpmMockContext.CALLER_USER_HANDLE);
1541 assertTrue(dpm.setProfileOwner(admin, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
1542 assertFalse(dpm.isAffiliatedUser());
1543
1544 // Check that the system user remains affiliated.
1545 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1546 assertTrue(dpm.isAffiliatedUser());
1547 }
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]1548}