Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2017 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License |
| 15 | */ |
| 16 | |
Andrew Scull | 507d11c | 2017-05-03 17:19:01 +0100 | [diff] [blame] | 17 | package com.android.server.locksettings; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 18 | |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 19 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_ALPHABETIC; |
| 20 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING; |
| 21 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED; |
| 22 | |
| 23 | import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 24 | import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_ENABLED_KEY; |
| 25 | import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY; |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 26 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 27 | import static org.junit.Assert.assertEquals; |
| 28 | import static org.junit.Assert.assertFalse; |
| 29 | import static org.junit.Assert.assertNotNull; |
| 30 | import static org.junit.Assert.assertNull; |
| 31 | import static org.junit.Assert.assertTrue; |
| 32 | import static org.junit.Assert.fail; |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 33 | import static org.mockito.Mockito.any; |
| 34 | import static org.mockito.Mockito.atLeastOnce; |
| 35 | import static org.mockito.Mockito.never; |
| 36 | import static org.mockito.Mockito.reset; |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 37 | import static org.mockito.Mockito.verify; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 38 | |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 39 | import android.app.admin.PasswordMetrics; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 40 | import android.os.RemoteException; |
| 41 | import android.os.UserHandle; |
Pavel Grafov | 57f1b66 | 2019-03-27 14:55:38 +0000 | [diff] [blame] | 42 | import android.platform.test.annotations.Presubmit; |
| 43 | |
| 44 | import androidx.test.filters.SmallTest; |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 45 | import androidx.test.runner.AndroidJUnit4; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 46 | |
| 47 | import com.android.internal.widget.LockPatternUtils; |
| 48 | import com.android.internal.widget.VerifyCredentialResponse; |
Andrew Scull | 507d11c | 2017-05-03 17:19:01 +0100 | [diff] [blame] | 49 | import com.android.server.locksettings.SyntheticPasswordManager.AuthenticationResult; |
| 50 | import com.android.server.locksettings.SyntheticPasswordManager.AuthenticationToken; |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 51 | import com.android.server.locksettings.SyntheticPasswordManager.PasswordData; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 52 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 53 | import org.junit.Test; |
| 54 | import org.junit.runner.RunWith; |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 55 | import org.mockito.ArgumentCaptor; |
| 56 | |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 57 | import java.util.ArrayList; |
| 58 | |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 59 | |
| 60 | /** |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 61 | * atest FrameworksServicesTests:SyntheticPasswordTests |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 62 | */ |
Pavel Grafov | 57f1b66 | 2019-03-27 14:55:38 +0000 | [diff] [blame] | 63 | @SmallTest |
| 64 | @Presubmit |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 65 | @RunWith(AndroidJUnit4.class) |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 66 | public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { |
| 67 | |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 68 | public static final byte[] PAYLOAD = new byte[] {1, 2, -1, -2, 55}; |
| 69 | public static final byte[] PAYLOAD2 = new byte[] {2, 3, -2, -3, 44, 1}; |
| 70 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 71 | @Test |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 72 | public void testPasswordBasedSyntheticPassword() throws RemoteException { |
| 73 | final int USER_ID = 10; |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 74 | final byte[] password = "user-password".getBytes(); |
| 75 | final byte[] badPassword = "bad-password".getBytes(); |
Adrian Roos | 2adc263 | 2017-09-05 17:01:42 +0200 | [diff] [blame] | 76 | MockSyntheticPasswordManager manager = new MockSyntheticPasswordManager(mContext, mStorage, |
David Anderson | 28dea68 | 2019-02-20 13:37:51 -0800 | [diff] [blame] | 77 | mGateKeeperService, mUserManager, mPasswordSlotManager); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 78 | AuthenticationToken authToken = manager.newSyntheticPasswordAndSid(mGateKeeperService, null, |
| 79 | null, USER_ID); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 80 | long handle = manager.createPasswordBasedSyntheticPassword(mGateKeeperService, |
| 81 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, authToken, |
| 82 | PASSWORD_QUALITY_ALPHABETIC, USER_ID); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 83 | |
Rubin Xu | cf326f1 | 2017-11-15 11:55:35 +0000 | [diff] [blame] | 84 | AuthenticationResult result = manager.unwrapPasswordBasedSyntheticPassword( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 85 | mGateKeeperService, handle, password, USER_ID, null); |
| 86 | assertArrayEquals(result.authToken.deriveKeyStorePassword(), |
| 87 | authToken.deriveKeyStorePassword()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 88 | |
Rubin Xu | cf326f1 | 2017-11-15 11:55:35 +0000 | [diff] [blame] | 89 | result = manager.unwrapPasswordBasedSyntheticPassword(mGateKeeperService, handle, |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 90 | badPassword, USER_ID, null); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 91 | assertNull(result.authToken); |
| 92 | } |
| 93 | |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 94 | private void disableSyntheticPassword() throws RemoteException { |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 95 | mService.setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 0, UserHandle.USER_SYSTEM); |
| 96 | } |
| 97 | |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 98 | private void enableSyntheticPassword() throws RemoteException { |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 99 | mService.setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 1, UserHandle.USER_SYSTEM); |
| 100 | } |
| 101 | |
| 102 | private boolean hasSyntheticPassword(int userId) throws RemoteException { |
| 103 | return mService.getLong(SYNTHETIC_PASSWORD_HANDLE_KEY, 0, userId) != 0; |
| 104 | } |
| 105 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 106 | @Test |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 107 | public void testPasswordMigration() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 108 | final byte[] password = "testPasswordMigration-password".getBytes(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 109 | |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 110 | disableSyntheticPassword(); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 111 | mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 112 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 113 | long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
| 114 | final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 115 | enableSyntheticPassword(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 116 | // Performs migration |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 117 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 118 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 119 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 120 | assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 121 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 122 | |
| 123 | // SP-based verification |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 124 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(password, |
| 125 | LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 126 | .getResponseCode()); |
| 127 | assertArrayNotEquals(primaryStorageKey, |
| 128 | mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 129 | } |
| 130 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 131 | protected void initializeCredentialUnderSP(byte[] password, int userId) throws RemoteException { |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 132 | enableSyntheticPassword(); |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 133 | int quality = password != null ? PASSWORD_QUALITY_ALPHABETIC |
| 134 | : PASSWORD_QUALITY_UNSPECIFIED; |
| 135 | int type = password != null ? LockPatternUtils.CREDENTIAL_TYPE_PASSWORD |
| 136 | : LockPatternUtils.CREDENTIAL_TYPE_NONE; |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 137 | mService.setLockCredential(password, type, null, quality, userId, false); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 138 | } |
| 139 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 140 | @Test |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 141 | public void testSyntheticPasswordChangeCredential() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 142 | final byte[] password = "testSyntheticPasswordChangeCredential-password".getBytes(); |
| 143 | final byte[] newPassword = "testSyntheticPasswordChangeCredential-newpassword".getBytes(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 144 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 145 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 146 | long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 147 | mService.setLockCredential(newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, password, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 148 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 149 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 150 | newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 151 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 152 | assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 153 | } |
| 154 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 155 | @Test |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 156 | public void testSyntheticPasswordVerifyCredential() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 157 | final byte[] password = "testSyntheticPasswordVerifyCredential-password".getBytes(); |
| 158 | final byte[] badPassword = "testSyntheticPasswordVerifyCredential-badpassword".getBytes(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 159 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 160 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 161 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 162 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 163 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 164 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 165 | assertEquals(VerifyCredentialResponse.RESPONSE_ERROR, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 166 | badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 167 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 168 | } |
| 169 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 170 | @Test |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 171 | public void testSyntheticPasswordClearCredential() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 172 | final byte[] password = "testSyntheticPasswordClearCredential-password".getBytes(); |
| 173 | final byte[] badPassword = "testSyntheticPasswordClearCredential-newpassword".getBytes(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 174 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 175 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 176 | long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
| 177 | // clear password |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 178 | mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, password, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 179 | PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID, false); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 180 | assertEquals(0 ,mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 181 | |
| 182 | // set a new password |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 183 | mService.setLockCredential(badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 184 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 185 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 186 | badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 187 | .getResponseCode()); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 188 | assertNotEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 189 | } |
| 190 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 191 | @Test |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 192 | public void testSyntheticPasswordChangeCredentialKeepsAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 193 | final byte[] password = |
| 194 | "testSyntheticPasswordChangeCredentialKeepsAuthSecret-password".getBytes(); |
| 195 | final byte[] badPassword = |
| 196 | "testSyntheticPasswordChangeCredentialKeepsAuthSecret-new".getBytes(); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 197 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 198 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
| 199 | mService.setLockCredential(badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, password, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 200 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 201 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 202 | badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 203 | .getResponseCode()); |
| 204 | |
| 205 | // Check the same secret was passed each time |
| 206 | ArgumentCaptor<ArrayList<Byte>> secret = ArgumentCaptor.forClass(ArrayList.class); |
| 207 | verify(mAuthSecretService, atLeastOnce()).primaryUserCredential(secret.capture()); |
| 208 | assertEquals(1, secret.getAllValues().stream().distinct().count()); |
| 209 | } |
| 210 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 211 | @Test |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 212 | public void testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 213 | final byte[] password = |
| 214 | "testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret-password".getBytes(); |
| 215 | final byte[] newPassword = |
| 216 | "testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret-new".getBytes(); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 217 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 218 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 219 | reset(mAuthSecretService); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 220 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(password, |
| 221 | LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 222 | .getResponseCode()); |
| 223 | verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class)); |
| 224 | } |
| 225 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 226 | @Test |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 227 | public void testSecondaryUserDoesNotPassAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 228 | final byte[] password = "testSecondaryUserDoesNotPassAuthSecret-password".getBytes(); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 229 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 230 | initializeCredentialUnderSP(password, SECONDARY_USER_ID); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 231 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 232 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, SECONDARY_USER_ID) |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 233 | .getResponseCode()); |
| 234 | verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class)); |
| 235 | } |
| 236 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 237 | @Test |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 238 | public void testNoSyntheticPasswordOrCredentialDoesNotPassAuthSecret() throws RemoteException { |
| 239 | // Setting null doesn't create a synthetic password |
| 240 | initializeCredentialUnderSP(null, PRIMARY_USER_ID); |
| 241 | |
| 242 | reset(mAuthSecretService); |
| 243 | mService.onUnlockUser(PRIMARY_USER_ID); |
Rubin Xu | 340e5ba | 2019-05-14 16:10:03 +0100 | [diff] [blame] | 244 | flushHandlerTasks(); |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 245 | verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class)); |
| 246 | } |
| 247 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 248 | @Test |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 249 | public void testSyntheticPasswordAndCredentialDoesNotPassAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 250 | final byte[] password = "passwordForASyntheticPassword".getBytes(); |
| 251 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 252 | |
| 253 | reset(mAuthSecretService); |
| 254 | mService.onUnlockUser(PRIMARY_USER_ID); |
Rubin Xu | 340e5ba | 2019-05-14 16:10:03 +0100 | [diff] [blame] | 255 | flushHandlerTasks(); |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 256 | verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class)); |
| 257 | } |
| 258 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 259 | @Test |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 260 | public void testSyntheticPasswordButNoCredentialPassesAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 261 | final byte[] password = "getASyntheticPassword".getBytes(); |
| 262 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
| 263 | mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, password, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 264 | PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID, false); |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 265 | |
| 266 | reset(mAuthSecretService); |
| 267 | mService.onUnlockUser(PRIMARY_USER_ID); |
Rubin Xu | 340e5ba | 2019-05-14 16:10:03 +0100 | [diff] [blame] | 268 | flushHandlerTasks(); |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 269 | verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class)); |
| 270 | } |
| 271 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 272 | @Test |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 273 | public void testManagedProfileUnifiedChallengeMigration() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 274 | final byte[] UnifiedPassword = "testManagedProfileUnifiedChallengeMigration-pwd".getBytes(); |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 275 | disableSyntheticPassword(); |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 276 | mService.setLockCredential(UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 277 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 278 | mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null); |
| 279 | final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
| 280 | final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID); |
| 281 | final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 282 | final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID); |
| 283 | assertTrue(primarySid != 0); |
| 284 | assertTrue(profileSid != 0); |
| 285 | assertTrue(profileSid != primarySid); |
| 286 | |
| 287 | // do migration |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 288 | enableSyntheticPassword(); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 289 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 290 | UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 291 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 292 | |
| 293 | // verify |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 294 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 295 | UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 296 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 297 | assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 298 | assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID)); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 299 | assertArrayNotEquals(primaryStorageKey, |
| 300 | mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 301 | assertArrayNotEquals(profileStorageKey, |
| 302 | mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID)); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 303 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 304 | assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID)); |
| 305 | } |
| 306 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 307 | @Test |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 308 | public void testManagedProfileSeparateChallengeMigration() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 309 | final byte[] primaryPassword = |
| 310 | "testManagedProfileSeparateChallengeMigration-primary".getBytes(); |
| 311 | final byte[] profilePassword = |
| 312 | "testManagedProfileSeparateChallengeMigration-profile".getBytes(); |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 313 | disableSyntheticPassword(); |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 314 | mService.setLockCredential(primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 315 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 316 | mService.setLockCredential(profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 317 | PASSWORD_QUALITY_ALPHABETIC, MANAGED_PROFILE_USER_ID, false); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 318 | final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
| 319 | final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID); |
| 320 | final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 321 | final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID); |
| 322 | assertTrue(primarySid != 0); |
| 323 | assertTrue(profileSid != 0); |
| 324 | assertTrue(profileSid != primarySid); |
| 325 | |
| 326 | // do migration |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 327 | enableSyntheticPassword(); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 328 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 329 | primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 330 | .getResponseCode()); |
| 331 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 332 | profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, |
| 333 | 0, MANAGED_PROFILE_USER_ID).getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 334 | |
| 335 | // verify |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 336 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 337 | primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 338 | .getResponseCode()); |
| 339 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 340 | profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, |
| 341 | 0, MANAGED_PROFILE_USER_ID).getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 342 | assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 343 | assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID)); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 344 | assertArrayNotEquals(primaryStorageKey, |
| 345 | mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 346 | assertArrayNotEquals(profileStorageKey, |
| 347 | mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID)); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 348 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 349 | assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID)); |
| 350 | } |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 351 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 352 | @Test |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 353 | public void testTokenBasedResetPassword() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 354 | final byte[] password = "password".getBytes(); |
| 355 | final byte[] pattern = "123654".getBytes(); |
| 356 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
| 357 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 358 | final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 359 | |
Rubin Xu | fc06773 | 2019-03-18 11:01:18 +0000 | [diff] [blame] | 360 | assertFalse(mService.hasPendingEscrowToken(PRIMARY_USER_ID)); |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 361 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 362 | assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | fc06773 | 2019-03-18 11:01:18 +0000 | [diff] [blame] | 363 | assertTrue(mService.hasPendingEscrowToken(PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 364 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 365 | mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 366 | PRIMARY_USER_ID).getResponseCode(); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 367 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | fc06773 | 2019-03-18 11:01:18 +0000 | [diff] [blame] | 368 | assertFalse(mService.hasPendingEscrowToken(PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 369 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 370 | mLocalService.setLockCredentialWithToken(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, |
| 371 | handle, token, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 372 | |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 373 | // Verify DPM gets notified about new device lock |
Rubin Xu | 340e5ba | 2019-05-14 16:10:03 +0100 | [diff] [blame] | 374 | flushHandlerTasks(); |
Pavel Grafov | 42904c1 | 2019-03-25 15:32:41 +0000 | [diff] [blame] | 375 | final PasswordMetrics metric = PasswordMetrics.computeForCredential( |
| 376 | LockPatternUtils.CREDENTIAL_TYPE_PATTERN, pattern); |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 377 | verify(mDevicePolicyManager).setActivePasswordState(metric, PRIMARY_USER_ID); |
| 378 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 379 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 380 | pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 381 | .getResponseCode()); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 382 | assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 383 | } |
| 384 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 385 | @Test |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 386 | public void testTokenBasedClearPassword() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 387 | final byte[] password = "password".getBytes(); |
| 388 | final byte[] pattern = "123654".getBytes(); |
| 389 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
| 390 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 391 | final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 392 | |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 393 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 394 | assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 395 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 396 | mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 397 | 0, PRIMARY_USER_ID).getResponseCode(); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 398 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 399 | |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 400 | mLocalService.setLockCredentialWithToken(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 401 | handle, token, PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID); |
Rubin Xu | 340e5ba | 2019-05-14 16:10:03 +0100 | [diff] [blame] | 402 | flushHandlerTasks(); // flush the unlockUser() call before changing password again |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 403 | mLocalService.setLockCredentialWithToken(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, |
| 404 | handle, token, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 405 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 406 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 407 | pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 408 | .getResponseCode()); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 409 | assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 410 | } |
| 411 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 412 | @Test |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 413 | public void testTokenBasedResetPasswordAfterCredentialChanges() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 414 | final byte[] password = "password".getBytes(); |
| 415 | final byte[] pattern = "123654".getBytes(); |
| 416 | final byte[] newPassword = "password".getBytes(); |
| 417 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
| 418 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 419 | final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 420 | |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 421 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 422 | assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 423 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 424 | mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 425 | 0, PRIMARY_USER_ID).getResponseCode(); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 426 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 427 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 428 | mService.setLockCredential(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, password, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 429 | PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID, false); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 430 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 431 | mLocalService.setLockCredentialWithToken(newPassword, |
| 432 | LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, handle, token, |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 433 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 434 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 435 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 436 | newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 437 | .getResponseCode()); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 438 | assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 439 | } |
| 440 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 441 | @Test |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 442 | public void testEscrowTokenActivatedImmediatelyIfNoUserPasswordNeedsMigration() |
| 443 | throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 444 | final String token = "some-high-entropy-secure-token"; |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 445 | enableSyntheticPassword(); |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 446 | long handle = mLocalService.addEscrowToken(token.getBytes(), PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 447 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 448 | assertEquals(0, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 449 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 450 | } |
| 451 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 452 | @Test |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 453 | public void testEscrowTokenActivatedImmediatelyIfNoUserPasswordNoMigration() |
| 454 | throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 455 | final String token = "some-high-entropy-secure-token"; |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 456 | initializeCredentialUnderSP(null, PRIMARY_USER_ID); |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 457 | long handle = mLocalService.addEscrowToken(token.getBytes(), PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 458 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 459 | assertEquals(0, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 460 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 461 | } |
| 462 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 463 | @Test |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 464 | public void testEscrowTokenActivatedLaterWithUserPasswordNeedsMigration() |
| 465 | throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 466 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
| 467 | final byte[] password = "password".getBytes(); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 468 | // Set up pre-SP user password |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 469 | disableSyntheticPassword(); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 470 | mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 471 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 472 | enableSyntheticPassword(); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 473 | |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 474 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 475 | // Token not activated immediately since user password exists |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 476 | assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 477 | // Activate token (password gets migrated to SP at the same time) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 478 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 479 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 480 | .getResponseCode()); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 481 | // Verify token is activated |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 482 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 483 | } |
| 484 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 485 | @Test |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 486 | public void testSetLockCredentialWithTokenFailsWithoutLockScreen() throws Exception { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 487 | final byte[] password = "password".getBytes(); |
| 488 | final byte[] pattern = "123654".getBytes(); |
| 489 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 490 | |
| 491 | mHasSecureLockScreen = false; |
| 492 | enableSyntheticPassword(); |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 493 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 494 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
| 495 | |
| 496 | try { |
| 497 | mLocalService.setLockCredentialWithToken(password, |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 498 | LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, handle, token, |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 499 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
| 500 | fail("An exception should have been thrown."); |
| 501 | } catch (UnsupportedOperationException e) { |
| 502 | // Success - the exception was expected. |
| 503 | } |
| 504 | assertFalse(mService.havePassword(PRIMARY_USER_ID)); |
| 505 | |
| 506 | try { |
| 507 | mLocalService.setLockCredentialWithToken(pattern, |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 508 | LockPatternUtils.CREDENTIAL_TYPE_PATTERN, handle, token, |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 509 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
| 510 | fail("An exception should have been thrown."); |
| 511 | } catch (UnsupportedOperationException e) { |
| 512 | // Success - the exception was expected. |
| 513 | } |
| 514 | assertFalse(mService.havePattern(PRIMARY_USER_ID)); |
| 515 | } |
| 516 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 517 | @Test |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 518 | public void testgetHashFactorPrimaryUser() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 519 | final byte[] password = "password".getBytes(); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 520 | mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 521 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 522 | final byte[] hashFactor = mService.getHashFactor(password, PRIMARY_USER_ID); |
| 523 | assertNotNull(hashFactor); |
| 524 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 525 | mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 526 | password, PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID, false); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 527 | final byte[] newHashFactor = mService.getHashFactor(null, PRIMARY_USER_ID); |
| 528 | assertNotNull(newHashFactor); |
| 529 | // Hash factor should never change after password change/removal |
| 530 | assertArrayEquals(hashFactor, newHashFactor); |
| 531 | } |
| 532 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 533 | @Test |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 534 | public void testgetHashFactorManagedProfileUnifiedChallenge() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 535 | final byte[] pattern = "1236".getBytes(); |
| 536 | mService.setLockCredential(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 537 | null, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID, false); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 538 | mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null); |
| 539 | assertNotNull(mService.getHashFactor(null, MANAGED_PROFILE_USER_ID)); |
| 540 | } |
| 541 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 542 | @Test |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 543 | public void testgetHashFactorManagedProfileSeparateChallenge() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 544 | final byte[] primaryPassword = "primary".getBytes(); |
| 545 | final byte[] profilePassword = "profile".getBytes(); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 546 | mService.setLockCredential(primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 547 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID, false); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 548 | mService.setLockCredential(profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Irina Dumitrescu | c90674d | 2019-02-28 17:34:19 +0000 | [diff] [blame] | 549 | PASSWORD_QUALITY_ALPHABETIC, MANAGED_PROFILE_USER_ID, false); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 550 | assertNotNull(mService.getHashFactor(profilePassword, MANAGED_PROFILE_USER_ID)); |
| 551 | } |
| 552 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 553 | @Test |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 554 | public void testPasswordData_serializeDeserialize() { |
| 555 | PasswordData data = new PasswordData(); |
| 556 | data.scryptN = 11; |
| 557 | data.scryptR = 22; |
| 558 | data.scryptP = 33; |
| 559 | data.passwordType = CREDENTIAL_TYPE_PASSWORD; |
| 560 | data.salt = PAYLOAD; |
| 561 | data.passwordHandle = PAYLOAD2; |
| 562 | |
| 563 | PasswordData deserialized = PasswordData.fromBytes(data.toBytes()); |
| 564 | |
| 565 | assertEquals(11, deserialized.scryptN); |
| 566 | assertEquals(22, deserialized.scryptR); |
| 567 | assertEquals(33, deserialized.scryptP); |
| 568 | assertEquals(CREDENTIAL_TYPE_PASSWORD, deserialized.passwordType); |
| 569 | assertArrayEquals(PAYLOAD, deserialized.salt); |
| 570 | assertArrayEquals(PAYLOAD2, deserialized.passwordHandle); |
| 571 | } |
| 572 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 573 | @Test |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 574 | public void testPasswordData_deserialize() { |
| 575 | // Test that we can deserialize existing PasswordData and don't inadvertently change the |
| 576 | // wire format. |
| 577 | byte[] serialized = new byte[] { |
| 578 | 0, 0, 0, 2, /* CREDENTIAL_TYPE_PASSWORD */ |
| 579 | 11, /* scryptN */ |
| 580 | 22, /* scryptR */ |
| 581 | 33, /* scryptP */ |
| 582 | 0, 0, 0, 5, /* salt.length */ |
| 583 | 1, 2, -1, -2, 55, /* salt */ |
| 584 | 0, 0, 0, 6, /* passwordHandle.length */ |
| 585 | 2, 3, -2, -3, 44, 1, /* passwordHandle */ |
| 586 | }; |
| 587 | PasswordData deserialized = PasswordData.fromBytes(serialized); |
| 588 | |
| 589 | assertEquals(11, deserialized.scryptN); |
| 590 | assertEquals(22, deserialized.scryptR); |
| 591 | assertEquals(33, deserialized.scryptP); |
| 592 | assertEquals(CREDENTIAL_TYPE_PASSWORD, deserialized.passwordType); |
| 593 | assertArrayEquals(PAYLOAD, deserialized.salt); |
| 594 | assertArrayEquals(PAYLOAD2, deserialized.passwordHandle); |
| 595 | } |
| 596 | |
Kenny Root | d01bb41 | 2019-11-22 09:34:03 -0800 | [diff] [blame] | 597 | @Test |
David Anderson | 6ebc25b | 2019-02-12 16:25:56 -0800 | [diff] [blame] | 598 | public void testGsiDisablesAuthSecret() throws RemoteException { |
| 599 | mGsiService.setIsGsiRunning(true); |
| 600 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 601 | final byte[] password = "testGsiDisablesAuthSecret-password".getBytes(); |
David Anderson | 6ebc25b | 2019-02-12 16:25:56 -0800 | [diff] [blame] | 602 | |
| 603 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
| 604 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 605 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 606 | .getResponseCode()); |
| 607 | verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class)); |
| 608 | } |
| 609 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 610 | // b/62213311 |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 611 | //TODO: add non-migration work profile case, and unify/un-unify transition. |
| 612 | //TODO: test token after user resets password |
| 613 | //TODO: test token based reset after unified work challenge |
| 614 | //TODO: test clear password after unified work challenge |
| 615 | } |