Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / 8e708ff38048e75f700365e686898e62942fb2e2 / . / services / tests / servicestests / src / com / android / server / locksettings / SyntheticPasswordTests.java
blob: d9b13209d28c2bd9a2da308ea1fa1e24ba425649 [file] [log] [blame]
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]1/*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
15 */
16
Andrew Scull507d11c2017-05-03 17:19:01 +0100[diff] [blame]17package com.android.server.locksettings;
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]18
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]19import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_ALPHABETIC;
20import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING;
21import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
22
23import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD;
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]24import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_ENABLED_KEY;
25import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY;
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]26
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]27import static org.junit.Assert.assertEquals;
28import static org.junit.Assert.assertFalse;
29import static org.junit.Assert.assertNotNull;
30import static org.junit.Assert.assertNull;
31import static org.junit.Assert.assertTrue;
32import static org.junit.Assert.fail;
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]33import static org.mockito.Mockito.any;
34import static org.mockito.Mockito.atLeastOnce;
35import static org.mockito.Mockito.never;
36import static org.mockito.Mockito.reset;
Rubin Xu7cf45092017-08-28 11:47:35 +0100[diff] [blame]37import static org.mockito.Mockito.verify;
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]38
Rubin Xu7cf45092017-08-28 11:47:35 +0100[diff] [blame]39import android.app.admin.PasswordMetrics;
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]40import android.os.RemoteException;
41import android.os.UserHandle;
Pavel Grafov57f1b662019-03-27 14:55:38 +0000[diff] [blame]42import android.platform.test.annotations.Presubmit;
43
44import androidx.test.filters.SmallTest;
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]45import androidx.test.runner.AndroidJUnit4;
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]46
47import com.android.internal.widget.LockPatternUtils;
48import com.android.internal.widget.VerifyCredentialResponse;
Andrew Scull507d11c2017-05-03 17:19:01 +0100[diff] [blame]49import com.android.server.locksettings.SyntheticPasswordManager.AuthenticationResult;
50import com.android.server.locksettings.SyntheticPasswordManager.AuthenticationToken;
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]51import com.android.server.locksettings.SyntheticPasswordManager.PasswordData;
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]52
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]53import org.junit.Test;
54import org.junit.runner.RunWith;
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]55import org.mockito.ArgumentCaptor;
56
Lenka Trochtova66c492a2018-12-06 11:29:21 +0100[diff] [blame]57import java.util.ArrayList;
58
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]59
60/**
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]61 * atest FrameworksServicesTests:SyntheticPasswordTests
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]62 */
Pavel Grafov57f1b662019-03-27 14:55:38 +0000[diff] [blame]63@SmallTest
64@Presubmit
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]65@RunWith(AndroidJUnit4.class)
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]66public class SyntheticPasswordTests extends BaseLockSettingsServiceTests {
67
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]68 public static final byte[] PAYLOAD = new byte[] {1, 2, -1, -2, 55};
69 public static final byte[] PAYLOAD2 = new byte[] {2, 3, -2, -3, 44, 1};
70
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]71 @Test
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]72 public void testPasswordBasedSyntheticPassword() throws RemoteException {
73 final int USER_ID = 10;
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]74 final byte[] password = "user-password".getBytes();
75 final byte[] badPassword = "bad-password".getBytes();
Adrian Roos2adc2632017-09-05 17:01:42 +0200[diff] [blame]76 MockSyntheticPasswordManager manager = new MockSyntheticPasswordManager(mContext, mStorage,
David Anderson28dea682019-02-20 13:37:51 -0800[diff] [blame]77 mGateKeeperService, mUserManager, mPasswordSlotManager);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]78 AuthenticationToken authToken = manager.newSyntheticPasswordAndSid(mGateKeeperService, null,
79 null, USER_ID);
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]80 long handle = manager.createPasswordBasedSyntheticPassword(mGateKeeperService,
81 password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, authToken,
82 PASSWORD_QUALITY_ALPHABETIC, USER_ID);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]83
Rubin Xucf326f12017-11-15 11:55:35 +0000[diff] [blame]84 AuthenticationResult result = manager.unwrapPasswordBasedSyntheticPassword(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]85 mGateKeeperService, handle, password, USER_ID, null);
86 assertArrayEquals(result.authToken.deriveKeyStorePassword(),
87 authToken.deriveKeyStorePassword());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]88
Rubin Xucf326f12017-11-15 11:55:35 +0000[diff] [blame]89 result = manager.unwrapPasswordBasedSyntheticPassword(mGateKeeperService, handle,
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]90 badPassword, USER_ID, null);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]91 assertNull(result.authToken);
92 }
93
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]94 private void disableSyntheticPassword() throws RemoteException {
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]95 mService.setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 0, UserHandle.USER_SYSTEM);
96 }
97
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]98 private void enableSyntheticPassword() throws RemoteException {
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]99 mService.setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 1, UserHandle.USER_SYSTEM);
100 }
101
102 private boolean hasSyntheticPassword(int userId) throws RemoteException {
103 return mService.getLong(SYNTHETIC_PASSWORD_HANDLE_KEY, 0, userId) != 0;
104 }
105
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]106 @Test
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]107 public void testPasswordMigration() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]108 final byte[] password = "testPasswordMigration-password".getBytes();
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]109
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]110 disableSyntheticPassword();
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]111 mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]112 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]113 long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);
114 final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]115 enableSyntheticPassword();
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]116 // Performs migration
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]117 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]118 password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]119 .getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]120 assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
121 assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));
122
123 // SP-based verification
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]124 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(password,
125 LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]126 .getResponseCode());
127 assertArrayNotEquals(primaryStorageKey,
128 mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]129 }
130
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]131 protected void initializeCredentialUnderSP(byte[] password, int userId) throws RemoteException {
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]132 enableSyntheticPassword();
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]133 int quality = password != null ? PASSWORD_QUALITY_ALPHABETIC
134 : PASSWORD_QUALITY_UNSPECIFIED;
135 int type = password != null ? LockPatternUtils.CREDENTIAL_TYPE_PASSWORD
136 : LockPatternUtils.CREDENTIAL_TYPE_NONE;
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]137 mService.setLockCredential(password, type, null, quality, userId, false);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]138 }
139
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]140 @Test
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]141 public void testSyntheticPasswordChangeCredential() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]142 final byte[] password = "testSyntheticPasswordChangeCredential-password".getBytes();
143 final byte[] newPassword = "testSyntheticPasswordChangeCredential-newpassword".getBytes();
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]144
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]145 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]146 long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]147 mService.setLockCredential(newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, password,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]148 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]149 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]150 newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]151 .getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]152 assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
153 }
154
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]155 @Test
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]156 public void testSyntheticPasswordVerifyCredential() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]157 final byte[] password = "testSyntheticPasswordVerifyCredential-password".getBytes();
158 final byte[] badPassword = "testSyntheticPasswordVerifyCredential-badpassword".getBytes();
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]159
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]160 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]161 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]162 password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]163 .getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]164
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]165 assertEquals(VerifyCredentialResponse.RESPONSE_ERROR, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]166 badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
167 .getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]168 }
169
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]170 @Test
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]171 public void testSyntheticPasswordClearCredential() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]172 final byte[] password = "testSyntheticPasswordClearCredential-password".getBytes();
173 final byte[] badPassword = "testSyntheticPasswordClearCredential-newpassword".getBytes();
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]174
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]175 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]176 long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);
177 // clear password
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]178 mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, password,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]179 PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID, false);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]180 assertEquals(0 ,mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
181
182 // set a new password
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]183 mService.setLockCredential(badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]184 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]185 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]186 badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
187 .getResponseCode());
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]188 assertNotEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]189 }
190
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]191 @Test
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]192 public void testSyntheticPasswordChangeCredentialKeepsAuthSecret() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]193 final byte[] password =
194 "testSyntheticPasswordChangeCredentialKeepsAuthSecret-password".getBytes();
195 final byte[] badPassword =
196 "testSyntheticPasswordChangeCredentialKeepsAuthSecret-new".getBytes();
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]197
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]198 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
199 mService.setLockCredential(badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, password,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]200 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]201 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]202 badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]203 .getResponseCode());
204
205 // Check the same secret was passed each time
206 ArgumentCaptor<ArrayList<Byte>> secret = ArgumentCaptor.forClass(ArrayList.class);
207 verify(mAuthSecretService, atLeastOnce()).primaryUserCredential(secret.capture());
208 assertEquals(1, secret.getAllValues().stream().distinct().count());
209 }
210
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]211 @Test
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]212 public void testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]213 final byte[] password =
214 "testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret-password".getBytes();
215 final byte[] newPassword =
216 "testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret-new".getBytes();
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]217
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]218 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]219 reset(mAuthSecretService);
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]220 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(password,
221 LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]222 .getResponseCode());
223 verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class));
224 }
225
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]226 @Test
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]227 public void testSecondaryUserDoesNotPassAuthSecret() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]228 final byte[] password = "testSecondaryUserDoesNotPassAuthSecret-password".getBytes();
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]229
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]230 initializeCredentialUnderSP(password, SECONDARY_USER_ID);
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]231 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]232 password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, SECONDARY_USER_ID)
Andrew Sculle6527c12018-01-05 18:33:58 +0000[diff] [blame]233 .getResponseCode());
234 verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class));
235 }
236
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]237 @Test
Andrew Scullf49794b2018-04-13 12:01:25 +0100[diff] [blame]238 public void testNoSyntheticPasswordOrCredentialDoesNotPassAuthSecret() throws RemoteException {
239 // Setting null doesn't create a synthetic password
240 initializeCredentialUnderSP(null, PRIMARY_USER_ID);
241
242 reset(mAuthSecretService);
243 mService.onUnlockUser(PRIMARY_USER_ID);
Rubin Xu340e5ba2019-05-14 16:10:03 +0100[diff] [blame]244 flushHandlerTasks();
Andrew Scullf49794b2018-04-13 12:01:25 +0100[diff] [blame]245 verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class));
246 }
247
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]248 @Test
Andrew Scullf49794b2018-04-13 12:01:25 +0100[diff] [blame]249 public void testSyntheticPasswordAndCredentialDoesNotPassAuthSecret() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]250 final byte[] password = "passwordForASyntheticPassword".getBytes();
251 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Andrew Scullf49794b2018-04-13 12:01:25 +0100[diff] [blame]252
253 reset(mAuthSecretService);
254 mService.onUnlockUser(PRIMARY_USER_ID);
Rubin Xu340e5ba2019-05-14 16:10:03 +0100[diff] [blame]255 flushHandlerTasks();
Andrew Scullf49794b2018-04-13 12:01:25 +0100[diff] [blame]256 verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class));
257 }
258
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]259 @Test
Andrew Scullf49794b2018-04-13 12:01:25 +0100[diff] [blame]260 public void testSyntheticPasswordButNoCredentialPassesAuthSecret() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]261 final byte[] password = "getASyntheticPassword".getBytes();
262 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
263 mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, password,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]264 PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID, false);
Andrew Scullf49794b2018-04-13 12:01:25 +0100[diff] [blame]265
266 reset(mAuthSecretService);
267 mService.onUnlockUser(PRIMARY_USER_ID);
Rubin Xu340e5ba2019-05-14 16:10:03 +0100[diff] [blame]268 flushHandlerTasks();
Andrew Scullf49794b2018-04-13 12:01:25 +0100[diff] [blame]269 verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class));
270 }
271
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]272 @Test
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]273 public void testManagedProfileUnifiedChallengeMigration() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]274 final byte[] UnifiedPassword = "testManagedProfileUnifiedChallengeMigration-pwd".getBytes();
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]275 disableSyntheticPassword();
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]276 mService.setLockCredential(UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]277 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]278 mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null);
279 final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);
280 final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID);
281 final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);
282 final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID);
283 assertTrue(primarySid != 0);
284 assertTrue(profileSid != 0);
285 assertTrue(profileSid != primarySid);
286
287 // do migration
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]288 enableSyntheticPassword();
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]289 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
290 UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
291 .getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]292
293 // verify
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]294 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
295 UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
296 .getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]297 assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
298 assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID));
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]299 assertArrayNotEquals(primaryStorageKey,
300 mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));
301 assertArrayNotEquals(profileStorageKey,
302 mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID));
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]303 assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));
304 assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID));
305 }
306
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]307 @Test
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]308 public void testManagedProfileSeparateChallengeMigration() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]309 final byte[] primaryPassword =
310 "testManagedProfileSeparateChallengeMigration-primary".getBytes();
311 final byte[] profilePassword =
312 "testManagedProfileSeparateChallengeMigration-profile".getBytes();
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]313 disableSyntheticPassword();
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]314 mService.setLockCredential(primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]315 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]316 mService.setLockCredential(profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]317 PASSWORD_QUALITY_ALPHABETIC, MANAGED_PROFILE_USER_ID, false);
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]318 final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID);
319 final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID);
320 final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);
321 final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID);
322 assertTrue(primarySid != 0);
323 assertTrue(profileSid != 0);
324 assertTrue(profileSid != primarySid);
325
326 // do migration
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]327 enableSyntheticPassword();
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]328 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
329 primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
330 .getResponseCode());
331 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
332 profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD,
333 0, MANAGED_PROFILE_USER_ID).getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]334
335 // verify
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]336 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
337 primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
338 .getResponseCode());
339 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
340 profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD,
341 0, MANAGED_PROFILE_USER_ID).getResponseCode());
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]342 assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
343 assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID));
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]344 assertArrayNotEquals(primaryStorageKey,
345 mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));
346 assertArrayNotEquals(profileStorageKey,
347 mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID));
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]348 assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));
349 assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID));
350 }
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]351
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]352 @Test
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]353 public void testTokenBasedResetPassword() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]354 final byte[] password = "password".getBytes();
355 final byte[] pattern = "123654".getBytes();
356 final byte[] token = "some-high-entropy-secure-token".getBytes();
357 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]358 final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);
359
Rubin Xufc067732019-03-18 11:01:18 +0000[diff] [blame]360 assertFalse(mService.hasPendingEscrowToken(PRIMARY_USER_ID));
Ram Periathiruvadi32d53552019-02-19 13:25:46 -0800[diff] [blame]361 long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null);
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]362 assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xufc067732019-03-18 11:01:18 +0000[diff] [blame]363 assertTrue(mService.hasPendingEscrowToken(PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]364
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]365 mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0,
Rubin Xu7cf45092017-08-28 11:47:35 +0100[diff] [blame]366 PRIMARY_USER_ID).getResponseCode();
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]367 assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xufc067732019-03-18 11:01:18 +0000[diff] [blame]368 assertFalse(mService.hasPendingEscrowToken(PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]369
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]370 mLocalService.setLockCredentialWithToken(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN,
371 handle, token, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID);
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]372
Rubin Xu7cf45092017-08-28 11:47:35 +0100[diff] [blame]373 // Verify DPM gets notified about new device lock
Rubin Xu340e5ba2019-05-14 16:10:03 +0100[diff] [blame]374 flushHandlerTasks();
Pavel Grafov42904c12019-03-25 15:32:41 +0000[diff] [blame]375 final PasswordMetrics metric = PasswordMetrics.computeForCredential(
376 LockPatternUtils.CREDENTIAL_TYPE_PATTERN, pattern);
Rubin Xu7cf45092017-08-28 11:47:35 +0100[diff] [blame]377 verify(mDevicePolicyManager).setActivePasswordState(metric, PRIMARY_USER_ID);
378
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]379 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]380 pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]381 .getResponseCode());
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]382 assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));
383 }
384
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]385 @Test
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]386 public void testTokenBasedClearPassword() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]387 final byte[] password = "password".getBytes();
388 final byte[] pattern = "123654".getBytes();
389 final byte[] token = "some-high-entropy-secure-token".getBytes();
390 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]391 final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);
392
Ram Periathiruvadi32d53552019-02-19 13:25:46 -0800[diff] [blame]393 long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null);
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]394 assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]395
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]396 mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD,
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]397 0, PRIMARY_USER_ID).getResponseCode();
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]398 assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]399
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]400 mLocalService.setLockCredentialWithToken(null, LockPatternUtils.CREDENTIAL_TYPE_NONE,
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]401 handle, token, PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID);
Rubin Xu340e5ba2019-05-14 16:10:03 +0100[diff] [blame]402 flushHandlerTasks(); // flush the unlockUser() call before changing password again
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]403 mLocalService.setLockCredentialWithToken(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN,
404 handle, token, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID);
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]405
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]406 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]407 pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]408 .getResponseCode());
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]409 assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));
410 }
411
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]412 @Test
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]413 public void testTokenBasedResetPasswordAfterCredentialChanges() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]414 final byte[] password = "password".getBytes();
415 final byte[] pattern = "123654".getBytes();
416 final byte[] newPassword = "password".getBytes();
417 final byte[] token = "some-high-entropy-secure-token".getBytes();
418 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]419 final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID);
420
Ram Periathiruvadi32d53552019-02-19 13:25:46 -0800[diff] [blame]421 long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null);
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]422 assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]423
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]424 mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD,
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]425 0, PRIMARY_USER_ID).getResponseCode();
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]426 assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]427
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]428 mService.setLockCredential(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, password,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]429 PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID, false);
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]430
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]431 mLocalService.setLockCredentialWithToken(newPassword,
432 LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, handle, token,
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]433 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID);
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]434
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]435 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]436 newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]437 .getResponseCode());
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]438 assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID));
439 }
440
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]441 @Test
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]442 public void testEscrowTokenActivatedImmediatelyIfNoUserPasswordNeedsMigration()
443 throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]444 final String token = "some-high-entropy-secure-token";
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]445 enableSyntheticPassword();
Ram Periathiruvadi32d53552019-02-19 13:25:46 -0800[diff] [blame]446 long handle = mLocalService.addEscrowToken(token.getBytes(), PRIMARY_USER_ID, null);
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]447 assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]448 assertEquals(0, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
449 assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));
450 }
451
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]452 @Test
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]453 public void testEscrowTokenActivatedImmediatelyIfNoUserPasswordNoMigration()
454 throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]455 final String token = "some-high-entropy-secure-token";
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]456 initializeCredentialUnderSP(null, PRIMARY_USER_ID);
Ram Periathiruvadi32d53552019-02-19 13:25:46 -0800[diff] [blame]457 long handle = mLocalService.addEscrowToken(token.getBytes(), PRIMARY_USER_ID, null);
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]458 assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xuf095f832017-01-31 15:23:34 +0000[diff] [blame]459 assertEquals(0, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID));
460 assertTrue(hasSyntheticPassword(PRIMARY_USER_ID));
461 }
462
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]463 @Test
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]464 public void testEscrowTokenActivatedLaterWithUserPasswordNeedsMigration()
465 throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]466 final byte[] token = "some-high-entropy-secure-token".getBytes();
467 final byte[] password = "password".getBytes();
Rubin Xu128180b2017-04-12 18:02:44 +0100[diff] [blame]468 // Set up pre-SP user password
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]469 disableSyntheticPassword();
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]470 mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]471 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Rubin Xu16c823e2017-06-27 14:44:58 +0100[diff] [blame]472 enableSyntheticPassword();
Rubin Xu128180b2017-04-12 18:02:44 +0100[diff] [blame]473
Ram Periathiruvadi32d53552019-02-19 13:25:46 -0800[diff] [blame]474 long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null);
Rubin Xu128180b2017-04-12 18:02:44 +0100[diff] [blame]475 // Token not activated immediately since user password exists
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]476 assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xu128180b2017-04-12 18:02:44 +0100[diff] [blame]477 // Activate token (password gets migrated to SP at the same time)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]478 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]479 password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]480 .getResponseCode());
Rubin Xu128180b2017-04-12 18:02:44 +0100[diff] [blame]481 // Verify token is activated
Rubin Xufcd49f92017-08-24 18:21:52 +0100[diff] [blame]482 assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
Rubin Xu128180b2017-04-12 18:02:44 +0100[diff] [blame]483 }
484
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]485 @Test
Lenka Trochtova66c492a2018-12-06 11:29:21 +0100[diff] [blame]486 public void testSetLockCredentialWithTokenFailsWithoutLockScreen() throws Exception {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]487 final byte[] password = "password".getBytes();
488 final byte[] pattern = "123654".getBytes();
489 final byte[] token = "some-high-entropy-secure-token".getBytes();
Lenka Trochtova66c492a2018-12-06 11:29:21 +0100[diff] [blame]490
491 mHasSecureLockScreen = false;
492 enableSyntheticPassword();
Ram Periathiruvadi32d53552019-02-19 13:25:46 -0800[diff] [blame]493 long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null);
Lenka Trochtova66c492a2018-12-06 11:29:21 +0100[diff] [blame]494 assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID));
495
496 try {
497 mLocalService.setLockCredentialWithToken(password,
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]498 LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, handle, token,
Lenka Trochtova66c492a2018-12-06 11:29:21 +0100[diff] [blame]499 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID);
500 fail("An exception should have been thrown.");
501 } catch (UnsupportedOperationException e) {
502 // Success - the exception was expected.
503 }
504 assertFalse(mService.havePassword(PRIMARY_USER_ID));
505
506 try {
507 mLocalService.setLockCredentialWithToken(pattern,
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]508 LockPatternUtils.CREDENTIAL_TYPE_PATTERN, handle, token,
Lenka Trochtova66c492a2018-12-06 11:29:21 +0100[diff] [blame]509 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID);
510 fail("An exception should have been thrown.");
511 } catch (UnsupportedOperationException e) {
512 // Success - the exception was expected.
513 }
514 assertFalse(mService.havePattern(PRIMARY_USER_ID));
515 }
516
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]517 @Test
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]518 public void testgetHashFactorPrimaryUser() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]519 final byte[] password = "password".getBytes();
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]520 mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]521 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]522 final byte[] hashFactor = mService.getHashFactor(password, PRIMARY_USER_ID);
523 assertNotNull(hashFactor);
524
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]525 mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]526 password, PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID, false);
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]527 final byte[] newHashFactor = mService.getHashFactor(null, PRIMARY_USER_ID);
528 assertNotNull(newHashFactor);
529 // Hash factor should never change after password change/removal
530 assertArrayEquals(hashFactor, newHashFactor);
531 }
532
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]533 @Test
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]534 public void testgetHashFactorManagedProfileUnifiedChallenge() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]535 final byte[] pattern = "1236".getBytes();
536 mService.setLockCredential(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]537 null, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID, false);
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]538 mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null);
539 assertNotNull(mService.getHashFactor(null, MANAGED_PROFILE_USER_ID));
540 }
541
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]542 @Test
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]543 public void testgetHashFactorManagedProfileSeparateChallenge() throws RemoteException {
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]544 final byte[] primaryPassword = "primary".getBytes();
545 final byte[] profilePassword = "profile".getBytes();
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]546 mService.setLockCredential(primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]547 PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false);
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]548 mService.setLockCredential(profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null,
Irina Dumitrescuc90674d2019-02-28 17:34:19 +0000[diff] [blame]549 PASSWORD_QUALITY_ALPHABETIC, MANAGED_PROFILE_USER_ID, false);
Rubin Xu4ed98982018-05-23 14:27:53 +0100[diff] [blame]550 assertNotNull(mService.getHashFactor(profilePassword, MANAGED_PROFILE_USER_ID));
551 }
552
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]553 @Test
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]554 public void testPasswordData_serializeDeserialize() {
555 PasswordData data = new PasswordData();
556 data.scryptN = 11;
557 data.scryptR = 22;
558 data.scryptP = 33;
559 data.passwordType = CREDENTIAL_TYPE_PASSWORD;
560 data.salt = PAYLOAD;
561 data.passwordHandle = PAYLOAD2;
562
563 PasswordData deserialized = PasswordData.fromBytes(data.toBytes());
564
565 assertEquals(11, deserialized.scryptN);
566 assertEquals(22, deserialized.scryptR);
567 assertEquals(33, deserialized.scryptP);
568 assertEquals(CREDENTIAL_TYPE_PASSWORD, deserialized.passwordType);
569 assertArrayEquals(PAYLOAD, deserialized.salt);
570 assertArrayEquals(PAYLOAD2, deserialized.passwordHandle);
571 }
572
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]573 @Test
Adrian Roos7374d3a2017-03-31 14:14:53 -0700[diff] [blame]574 public void testPasswordData_deserialize() {
575 // Test that we can deserialize existing PasswordData and don't inadvertently change the
576 // wire format.
577 byte[] serialized = new byte[] {
578 0, 0, 0, 2, /* CREDENTIAL_TYPE_PASSWORD */
579 11, /* scryptN */
580 22, /* scryptR */
581 33, /* scryptP */
582 0, 0, 0, 5, /* salt.length */
583 1, 2, -1, -2, 55, /* salt */
584 0, 0, 0, 6, /* passwordHandle.length */
585 2, 3, -2, -3, 44, 1, /* passwordHandle */
586 };
587 PasswordData deserialized = PasswordData.fromBytes(serialized);
588
589 assertEquals(11, deserialized.scryptN);
590 assertEquals(22, deserialized.scryptR);
591 assertEquals(33, deserialized.scryptP);
592 assertEquals(CREDENTIAL_TYPE_PASSWORD, deserialized.passwordType);
593 assertArrayEquals(PAYLOAD, deserialized.salt);
594 assertArrayEquals(PAYLOAD2, deserialized.passwordHandle);
595 }
596
Kenny Rootd01bb412019-11-22 09:34:03 -0800[diff] [blame]597 @Test
David Anderson6ebc25b2019-02-12 16:25:56 -0800[diff] [blame]598 public void testGsiDisablesAuthSecret() throws RemoteException {
599 mGsiService.setIsGsiRunning(true);
600
Rich Canningsf64ec632019-02-21 12:40:36 -0800[diff] [blame]601 final byte[] password = "testGsiDisablesAuthSecret-password".getBytes();
David Anderson6ebc25b2019-02-12 16:25:56 -0800[diff] [blame]602
603 initializeCredentialUnderSP(password, PRIMARY_USER_ID);
604 assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(
605 password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID)
606 .getResponseCode());
607 verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class));
608 }
609
Andrew Scull7f4ff4c2018-01-05 18:33:58 +0000[diff] [blame]610 // b/62213311
Rubin Xu3bf722a2016-12-15 16:07:38 +0000[diff] [blame]611 //TODO: add non-migration work profile case, and unify/un-unify transition.
612 //TODO: test token after user resets password
613 //TODO: test token based reset after unified work challenge
614 //TODO: test clear password after unified work challenge
615}