Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / 0ef8fcca4da4065d40c8f2c4251d1b247efb6913 / . / services / tests / servicestests / src / com / android / server / devicepolicy / DevicePolicyManagerTest.java
blob: 87569b7a6caab64dc2618df2f217328645b9a56b [file] [log] [blame]
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]1/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]16package com.android.server.devicepolicy;
17
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]18import android.Manifest.permission;
19import android.app.Activity;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]20import android.app.admin.DeviceAdminReceiver;
21import android.app.admin.DevicePolicyManager;
22import android.app.admin.DevicePolicyManagerInternal;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]23import android.content.BroadcastReceiver;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]24import android.content.ComponentName;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]25import android.content.pm.PackageManager;
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]26import android.net.wifi.WifiInfo;
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]27import android.os.Build.VERSION_CODES;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]28import android.os.Bundle;
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]29import android.os.Process;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]30import android.os.UserHandle;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]31import android.os.UserManager;
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]32import android.test.MoreAsserts;
Benjamin Franz6d009032016-01-25 18:56:38 +0000[diff] [blame]33import android.test.suitebuilder.annotation.SmallTest;
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]34import android.util.ArraySet;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]35import android.util.Pair;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]36
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]37import com.android.server.LocalServices;
38import com.android.server.SystemService;
39
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]40import org.mockito.ArgumentCaptor;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]41import org.mockito.invocation.InvocationOnMock;
42import org.mockito.stubbing.Answer;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]43
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]44import java.util.ArrayList;
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]45import java.util.Arrays;
46import java.util.Collections;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]47import java.util.HashMap;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]48import java.util.List;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]49import java.util.Map;
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]50import java.util.Set;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]51
52import static org.mockito.Matchers.any;
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]53import static org.mockito.Matchers.anyInt;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]54import static org.mockito.Matchers.anyString;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]55import static org.mockito.Matchers.eq;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]56import static org.mockito.Matchers.isNull;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]57import static org.mockito.Mockito.doAnswer;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]58import static org.mockito.Mockito.doReturn;
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]59import static org.mockito.Mockito.reset;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]60import static org.mockito.Mockito.times;
61import static org.mockito.Mockito.verify;
62import static org.mockito.Mockito.when;
63
64/**
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]65 * Tests for DevicePolicyManager( and DevicePolicyManagerService).
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]66 *
67 m FrameworksServicesTests &&
68 adb install \
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]69 -r ${ANDROID_PRODUCT_OUT}/data/app/FrameworksServicesTests/FrameworksServicesTests.apk &&
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]70 adb shell am instrument -e class com.android.server.devicepolicy.DevicePolicyManagerTest \
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]71 -w com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]72
73 (mmma frameworks/base/services/tests/servicestests/ for non-ninja build)
74 */
Benjamin Franz6d009032016-01-25 18:56:38 +0000[diff] [blame]75@SmallTest
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]76public class DevicePolicyManagerTest extends DpmTestBase {
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]77 private static final List<String> OWNER_SETUP_PERMISSIONS = Arrays.asList(
78 permission.MANAGE_DEVICE_ADMINS, permission.MANAGE_PROFILE_AND_DEVICE_OWNERS,
79 permission.MANAGE_USERS, permission.INTERACT_ACROSS_USERS_FULL);
80
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]81 private DpmMockContext mContext;
82 public DevicePolicyManager dpm;
83 public DevicePolicyManagerServiceTestable dpms;
84
85 @Override
86 protected void setUp() throws Exception {
87 super.setUp();
88
89 mContext = getContext();
90
91 when(mContext.packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN)))
92 .thenReturn(true);
93
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]94 initializeDpms();
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]95
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]96 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
97 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
98 setUpPackageManagerForAdmin(admin3, DpmMockContext.CALLER_UID);
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]99 setUpPackageManagerForAdmin(adminNoPerm, DpmMockContext.CALLER_UID);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]100
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]101 setUpUserManager();
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]102 }
103
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]104 private void initializeDpms() {
105 // Need clearCallingIdentity() to pass permission checks.
106 final long ident = mContext.binder.clearCallingIdentity();
107 try {
108 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class);
109
110 dpms = new DevicePolicyManagerServiceTestable(mContext, dataDir);
111
112 dpms.systemReady(SystemService.PHASE_LOCK_SETTINGS_READY);
113 dpms.systemReady(SystemService.PHASE_BOOT_COMPLETED);
114
115 dpm = new DevicePolicyManagerTestable(mContext, dpms);
116 } finally {
117 mContext.binder.restoreCallingIdentity(ident);
118 }
119 }
120
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]121 private void setUpUserManager() {
122 // Emulate UserManager.set/getApplicationRestriction().
123 final Map<Pair<String, UserHandle>, Bundle> appRestrictions = new HashMap<>();
124
125 // UM.setApplicationRestrictions() will save to appRestrictions.
126 doAnswer(new Answer<Void>() {
127 @Override
128 public Void answer(InvocationOnMock invocation) throws Throwable {
129 String pkg = (String) invocation.getArguments()[0];
130 Bundle bundle = (Bundle) invocation.getArguments()[1];
131 UserHandle user = (UserHandle) invocation.getArguments()[2];
132
133 appRestrictions.put(Pair.create(pkg, user), bundle);
134
135 return null;
136 }
137 }).when(mContext.userManager).setApplicationRestrictions(
138 anyString(), any(Bundle.class), any(UserHandle.class));
139
140 // UM.getApplicationRestrictions() will read from appRestrictions.
141 doAnswer(new Answer<Bundle>() {
142 @Override
143 public Bundle answer(InvocationOnMock invocation) throws Throwable {
144 String pkg = (String) invocation.getArguments()[0];
145 UserHandle user = (UserHandle) invocation.getArguments()[1];
146
147 return appRestrictions.get(Pair.create(pkg, user));
148 }
149 }).when(mContext.userManager).getApplicationRestrictions(
150 anyString(), any(UserHandle.class));
151
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]152 // Add the first secondary user.
153 mContext.addUser(DpmMockContext.CALLER_USER_HANDLE, 0);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]154 }
155
156 private void setAsProfileOwner(ComponentName admin) {
157 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
158 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
159
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]160 // PO needs to be an DA.
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]161 dpm.setActiveAdmin(admin, /* replace =*/ false);
162
163 // Fire!
164 assertTrue(dpm.setProfileOwner(admin, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
165
166 // Check
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]167 assertEquals(admin, dpm.getProfileOwnerAsUser(DpmMockContext.CALLER_USER_HANDLE));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]168 }
169
170 public void testHasNoFeature() throws Exception {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]171 when(mContext.packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN)))
172 .thenReturn(false);
173
174 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class);
175 new DevicePolicyManagerServiceTestable(mContext, dataDir);
176
177 // If the device has no DPMS feature, it shouldn't register the local service.
178 assertNull(LocalServices.getService(DevicePolicyManagerInternal.class));
179 }
180
181 /**
182 * Caller doesn't have proper permissions.
183 */
184 public void testSetActiveAdmin_SecurityException() {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]185 // 1. Failure cases.
186
187 // Caller doesn't have MANAGE_DEVICE_ADMINS.
188 try {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]189 dpm.setActiveAdmin(admin1, false);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]190 fail("Didn't throw SecurityException");
191 } catch (SecurityException expected) {
192 }
193
194 // Caller has MANAGE_DEVICE_ADMINS, but for different user.
195 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
196 try {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]197 dpm.setActiveAdmin(admin1, false, DpmMockContext.CALLER_USER_HANDLE + 1);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]198 fail("Didn't throw SecurityException");
199 } catch (SecurityException expected) {
200 }
201 }
202
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]203 /**
204 * Test for:
205 * {@link DevicePolicyManager#setActiveAdmin}
206 * with replace=false and replace=true
207 * {@link DevicePolicyManager#isAdminActive}
208 * {@link DevicePolicyManager#isAdminActiveAsUser}
209 * {@link DevicePolicyManager#getActiveAdmins}
210 * {@link DevicePolicyManager#getActiveAdminsAsUser}
211 */
212 public void testSetActiveAdmin() throws Exception {
213 // 1. Make sure the caller has proper permissions.
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]214 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
215
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]216 // 2. Call the API.
217 dpm.setActiveAdmin(admin1, /* replace =*/ false);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]218
219 // 3. Verify internal calls.
220
221 // Check if the boradcast is sent.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]222 verify(mContext.spiedContext).sendBroadcastAsUser(
223 MockUtils.checkIntentAction(
224 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
225 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
226 verify(mContext.spiedContext).sendBroadcastAsUser(
227 MockUtils.checkIntentAction(
228 DeviceAdminReceiver.ACTION_DEVICE_ADMIN_ENABLED),
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]229 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
230
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]231 verify(mContext.ipackageManager, times(1)).setApplicationEnabledSetting(
232 eq(admin1.getPackageName()),
233 eq(PackageManager.COMPONENT_ENABLED_STATE_DEFAULT),
234 eq(PackageManager.DONT_KILL_APP),
235 eq(DpmMockContext.CALLER_USER_HANDLE),
236 anyString());
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]237
238 // TODO Verify other calls too.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]239
240 // Make sure it's active admin1.
241 assertTrue(dpm.isAdminActive(admin1));
242 assertFalse(dpm.isAdminActive(admin2));
243 assertFalse(dpm.isAdminActive(admin3));
244
245 // But not admin1 for a different user.
246
247 // For this to work, caller needs android.permission.INTERACT_ACROSS_USERS_FULL.
248 // (Because we're checking a different user's status from CALLER_USER_HANDLE.)
249 mContext.callerPermissions.add("android.permission.INTERACT_ACROSS_USERS_FULL");
250
251 assertFalse(dpm.isAdminActiveAsUser(admin1, DpmMockContext.CALLER_USER_HANDLE + 1));
252 assertFalse(dpm.isAdminActiveAsUser(admin2, DpmMockContext.CALLER_USER_HANDLE + 1));
253
254 mContext.callerPermissions.remove("android.permission.INTERACT_ACROSS_USERS_FULL");
255
256 // Next, add one more admin.
257 // Before doing so, update the application info, now it's enabled.
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]258 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID,
259 PackageManager.COMPONENT_ENABLED_STATE_ENABLED);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]260
261 dpm.setActiveAdmin(admin2, /* replace =*/ false);
262
263 // Now we have two admins.
264 assertTrue(dpm.isAdminActive(admin1));
265 assertTrue(dpm.isAdminActive(admin2));
266 assertFalse(dpm.isAdminActive(admin3));
267
268 // Admin2 was already enabled, so setApplicationEnabledSetting() shouldn't have called
269 // again. (times(1) because it was previously called for admin1)
270 verify(mContext.ipackageManager, times(1)).setApplicationEnabledSetting(
271 eq(admin1.getPackageName()),
272 eq(PackageManager.COMPONENT_ENABLED_STATE_DEFAULT),
273 eq(PackageManager.DONT_KILL_APP),
274 eq(DpmMockContext.CALLER_USER_HANDLE),
275 anyString());
276
277 // 4. Add the same admin1 again without replace, which should throw.
278 try {
279 dpm.setActiveAdmin(admin1, /* replace =*/ false);
280 fail("Didn't throw");
281 } catch (IllegalArgumentException expected) {
282 }
283
284 // 5. Add the same admin1 again with replace, which should succeed.
285 dpm.setActiveAdmin(admin1, /* replace =*/ true);
286
287 // TODO make sure it's replaced.
288
289 // 6. Test getActiveAdmins()
290 List<ComponentName> admins = dpm.getActiveAdmins();
291 assertEquals(2, admins.size());
292 assertEquals(admin1, admins.get(0));
293 assertEquals(admin2, admins.get(1));
294
295 // Another user has no admins.
296 mContext.callerPermissions.add("android.permission.INTERACT_ACROSS_USERS_FULL");
297
298 assertEquals(0, DpmTestUtils.getListSizeAllowingNull(
299 dpm.getActiveAdminsAsUser(DpmMockContext.CALLER_USER_HANDLE + 1)));
300
301 mContext.callerPermissions.remove("android.permission.INTERACT_ACROSS_USERS_FULL");
302 }
303
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]304 public void testSetActiveAdmin_multiUsers() throws Exception {
305
306 final int ANOTHER_USER_ID = 100;
307 final int ANOTHER_ADMIN_UID = UserHandle.getUid(ANOTHER_USER_ID, 20456);
308
309 mMockContext.addUser(ANOTHER_USER_ID, 0); // Add one more user.
310
311 // Set up pacakge manager for the other user.
312 setUpPackageManagerForAdmin(admin2, ANOTHER_ADMIN_UID);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]313
314 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
315
316 dpm.setActiveAdmin(admin1, /* replace =*/ false);
317
318 mMockContext.binder.callingUid = ANOTHER_ADMIN_UID;
319 dpm.setActiveAdmin(admin2, /* replace =*/ false);
320
321
322 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
323 assertTrue(dpm.isAdminActive(admin1));
324 assertFalse(dpm.isAdminActive(admin2));
325
326 mMockContext.binder.callingUid = ANOTHER_ADMIN_UID;
327 assertFalse(dpm.isAdminActive(admin1));
328 assertTrue(dpm.isAdminActive(admin2));
329 }
330
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]331 /**
332 * Test for:
333 * {@link DevicePolicyManager#setActiveAdmin}
334 * with replace=false
335 */
336 public void testSetActiveAdmin_twiceWithoutReplace() throws Exception {
337 // 1. Make sure the caller has proper permissions.
338 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
339
340 dpm.setActiveAdmin(admin1, /* replace =*/ false);
341 assertTrue(dpm.isAdminActive(admin1));
342
343 // Add the same admin1 again without replace, which should throw.
344 try {
345 dpm.setActiveAdmin(admin1, /* replace =*/ false);
346 fail("Didn't throw");
347 } catch (IllegalArgumentException expected) {
348 }
349 }
350
351 /**
352 * Test for:
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]353 * {@link DevicePolicyManager#setActiveAdmin} when the admin isn't protected with
354 * BIND_DEVICE_ADMIN.
355 */
356 public void testSetActiveAdmin_permissionCheck() throws Exception {
357 // 1. Make sure the caller has proper permissions.
358 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
359
360 try {
361 dpm.setActiveAdmin(adminNoPerm, /* replace =*/ false);
362 fail();
363 } catch (IllegalArgumentException expected) {
364 assertTrue(expected.getMessage().contains(permission.BIND_DEVICE_ADMIN));
365 }
366 assertFalse(dpm.isAdminActive(adminNoPerm));
367
368 // Change the target API level to MNC. Now it can be set as DA.
369 setUpPackageManagerForAdmin(adminNoPerm, DpmMockContext.CALLER_UID, null,
370 VERSION_CODES.M);
371 dpm.setActiveAdmin(adminNoPerm, /* replace =*/ false);
372 assertTrue(dpm.isAdminActive(adminNoPerm));
373
374 // TODO Test the "load from the file" case where DA will still be loaded even without
375 // BIND_DEVICE_ADMIN and target API is N.
376 }
377
378 /**
379 * Test for:
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]380 * {@link DevicePolicyManager#removeActiveAdmin}
381 */
382 public void testRemoveActiveAdmin_SecurityException() {
383 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
384
385 // Add admin.
386
387 dpm.setActiveAdmin(admin1, /* replace =*/ false);
388
389 assertTrue(dpm.isAdminActive(admin1));
390
391 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
392
393 // Directly call the DPMS method with a different userid, which should fail.
394 try {
395 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE + 1);
396 fail("Didn't throw SecurityException");
397 } catch (SecurityException expected) {
398 }
399
400 // Try to remove active admin with a different caller userid should fail too, without
401 // having MANAGE_DEVICE_ADMINS.
402 mContext.callerPermissions.clear();
403
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]404 // Change the caller, and call into DPMS directly with a different user-id.
405
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]406 mContext.binder.callingUid = 1234567;
407 try {
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]408 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]409 fail("Didn't throw SecurityException");
410 } catch (SecurityException expected) {
411 }
412 }
413
414 /**
415 * Test for:
416 * {@link DevicePolicyManager#removeActiveAdmin}
417 */
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]418 public void testRemoveActiveAdmin_fromDifferentUserWithINTERACT_ACROSS_USERS_FULL() {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]419 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
420
421 // Add admin1.
422
423 dpm.setActiveAdmin(admin1, /* replace =*/ false);
424
425 assertTrue(dpm.isAdminActive(admin1));
426 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
427
428 // Different user, but should work, because caller has proper permissions.
429 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]430
431 // Change the caller, and call into DPMS directly with a different user-id.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]432 mContext.binder.callingUid = 1234567;
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]433
434 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]435
436 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
437
438 // TODO DO Still can't be removed in this case.
439 }
440
441 /**
442 * Test for:
443 * {@link DevicePolicyManager#removeActiveAdmin}
444 */
445 public void testRemoveActiveAdmin_sameUserNoMANAGE_DEVICE_ADMINS() {
446 // Need MANAGE_DEVICE_ADMINS for setActiveAdmin. We'll remove it later.
447 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
448
449 // Add admin1.
450
451 dpm.setActiveAdmin(admin1, /* replace =*/ false);
452
453 assertTrue(dpm.isAdminActive(admin1));
454 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
455
456 // Broadcast from saveSettingsLocked().
457 verify(mContext.spiedContext, times(1)).sendBroadcastAsUser(
458 MockUtils.checkIntentAction(
459 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
460 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
461
462 // Remove. No permissions, but same user, so it'll work.
463 mContext.callerPermissions.clear();
464 dpm.removeActiveAdmin(admin1);
465
466 final ArgumentCaptor<BroadcastReceiver> brCap =
467 ArgumentCaptor.forClass(BroadcastReceiver.class);
468
469 // Is removing now, but not removed yet.
470 assertTrue(dpm.isAdminActive(admin1));
471 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
472
473 verify(mContext.spiedContext).sendOrderedBroadcastAsUser(
474 MockUtils.checkIntentAction(
475 DeviceAdminReceiver.ACTION_DEVICE_ADMIN_DISABLED),
476 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE),
477 isNull(String.class),
478 brCap.capture(),
479 eq(dpms.mHandler),
480 eq(Activity.RESULT_OK),
481 isNull(String.class),
482 isNull(Bundle.class));
483
484 brCap.getValue().onReceive(mContext, null);
485
486 assertFalse(dpm.isAdminActive(admin1));
487 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
488
489 // Again broadcast from saveSettingsLocked().
490 verify(mContext.spiedContext, times(2)).sendBroadcastAsUser(
491 MockUtils.checkIntentAction(
492 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
493 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
494
495 // TODO Check other internal calls.
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]496 }
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]497
498 /**
499 * Test for: {@link DevicePolicyManager#setDeviceOwner} DO on system user installs
500 * successfully.
501 */
502 public void testSetDeviceOwner() throws Exception {
503 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]504 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]505 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
506 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
507
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]508 // In this test, change the caller user to "system".
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]509 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
510
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]511 // Make sure admin1 is installed on system user.
512 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]513
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]514 // Check various get APIs.
515 checkGetDeviceOwnerInfoApi(dpm, /* hasDeviceOwner =*/ false);
516
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]517 // DO needs to be an DA.
518 dpm.setActiveAdmin(admin1, /* replace =*/ false);
519
520 // Fire!
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]521 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]522
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]523 // getDeviceOwnerComponent should return the admin1 component.
524 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
525 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
526
527 // Check various get APIs.
528 checkGetDeviceOwnerInfoApi(dpm, /* hasDeviceOwner =*/ true);
529
530 // getDeviceOwnerComponent should *NOT* return the admin1 component for other users.
531 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
532 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
533 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
534
535 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
536
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]537 // Verify internal calls.
538 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
539 eq(admin1.getPackageName()));
540
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]541 // TODO We should check if the caller has called clearCallerIdentity().
542 verify(mContext.ibackupManager, times(1)).setBackupServiceActive(
543 eq(UserHandle.USER_SYSTEM), eq(false));
544
545 verify(mContext.spiedContext, times(1)).sendBroadcastAsUser(
546 MockUtils.checkIntentAction(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED),
547 MockUtils.checkUserHandle(UserHandle.USER_SYSTEM));
548
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]549 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]550
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]551 // Try to set a profile owner on the same user, which should fail.
552 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID);
553 dpm.setActiveAdmin(admin2, /* refreshing= */ true, UserHandle.USER_SYSTEM);
554 try {
555 dpm.setProfileOwner(admin2, "owner-name", UserHandle.USER_SYSTEM);
556 fail("IllegalStateException not thrown");
557 } catch (IllegalStateException expected) {
558 assertTrue("Message was: " + expected.getMessage(),
559 expected.getMessage().contains("already has a device owner"));
560 }
561
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]562 // TODO Test getDeviceOwnerName() too. To do so, we need to change
563 // DPMS.getApplicationLabel() because Context.createPackageContextAsUser() is not mockable.
564 }
565
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]566 private void checkGetDeviceOwnerInfoApi(DevicePolicyManager dpm, boolean hasDeviceOwner) {
567 final int origCallingUser = mContext.binder.callingUid;
568 final List origPermissions = new ArrayList(mContext.callerPermissions);
569 mContext.callerPermissions.clear();
570
571 mContext.callerPermissions.add(permission.MANAGE_USERS);
572
573 mContext.binder.callingUid = Process.SYSTEM_UID;
574
575 // TODO Test getDeviceOwnerName() too. To do so, we need to change
576 // DPMS.getApplicationLabel() because Context.createPackageContextAsUser() is not mockable.
577 if (hasDeviceOwner) {
578 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
579 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
580 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
581
582 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
583 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
584 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
585 } else {
586 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
587 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
588 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
589
590 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
591 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
592 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
593 }
594
595 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
596 if (hasDeviceOwner) {
597 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
598 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
599 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
600
601 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
602 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
603 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
604 } else {
605 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
606 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
607 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
608
609 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
610 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
611 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
612 }
613
614 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
615 // Still with MANAGE_USERS.
616 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
617 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
618 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
619
620 if (hasDeviceOwner) {
621 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
622 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
623 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
624 } else {
625 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
626 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
627 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
628 }
629
630 mContext.binder.callingUid = Process.SYSTEM_UID;
631 mContext.callerPermissions.remove(permission.MANAGE_USERS);
632 // System can still call "OnAnyUser" without MANAGE_USERS.
633 if (hasDeviceOwner) {
634 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
635 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
636 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
637
638 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
639 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
640 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
641 } else {
642 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
643 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
644 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
645
646 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
647 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
648 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
649 }
650
651 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
652 // Still no MANAGE_USERS.
653 if (hasDeviceOwner) {
654 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
655 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
656 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
657 } else {
658 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
659 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
660 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
661 }
662
663 try {
664 dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName());
665 fail();
666 } catch (SecurityException expected) {
667 }
668 try {
669 dpm.getDeviceOwnerComponentOnAnyUser();
670 fail();
671 } catch (SecurityException expected) {
672 }
673 try {
674 dpm.getDeviceOwnerUserId();
675 fail();
676 } catch (SecurityException expected) {
677 }
678 try {
679 dpm.getDeviceOwnerNameOnAnyUser();
680 fail();
681 } catch (SecurityException expected) {
682 }
683
684 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
685 // Still no MANAGE_USERS.
686 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
687 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
688 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
689
690 try {
691 dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName());
692 fail();
693 } catch (SecurityException expected) {
694 }
695 try {
696 dpm.getDeviceOwnerComponentOnAnyUser();
697 fail();
698 } catch (SecurityException expected) {
699 }
700 try {
701 dpm.getDeviceOwnerUserId();
702 fail();
703 } catch (SecurityException expected) {
704 }
705 try {
706 dpm.getDeviceOwnerNameOnAnyUser();
707 fail();
708 } catch (SecurityException expected) {
709 }
710
711 // Restore.
712 mContext.binder.callingUid = origCallingUser;
713 mContext.callerPermissions.addAll(origPermissions);
714 }
715
716
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]717 /**
718 * Test for: {@link DevicePolicyManager#setDeviceOwner} Package doesn't exist.
719 */
720 public void testSetDeviceOwner_noSuchPackage() {
721 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]722 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]723 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
724 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
725
726 // Call from a process on the system user.
727 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
728
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]729 try {
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]730 dpm.setDeviceOwner(new ComponentName("a.b.c", ".def"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]731 fail("Didn't throw IllegalArgumentException");
732 } catch (IllegalArgumentException expected) {
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]733 assertTrue("Message was: " + expected.getMessage(),
734 expected.getMessage().contains("Invalid component"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]735 }
736 }
737
738 public void testSetDeviceOwner_failures() throws Exception {
739 // TODO Test more failure cases. Basically test all chacks in enforceCanSetDeviceOwner().
740 }
741
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]742 public void testClearDeviceOwner() throws Exception {
743 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]744 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]745 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
746 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
747
748 // Set admin1 as a DA to the secondary user.
749 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
750
751 dpm.setActiveAdmin(admin1, /* replace =*/ false);
752
753 // Set admin 1 as the DO to the system user.
754
755 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
756 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
757 dpm.setActiveAdmin(admin1, /* replace =*/ false);
758 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
759
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]760 // Verify internal calls.
761 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
762 eq(admin1.getPackageName()));
763
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]764 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]765
766 // Set up other mocks.
767 when(mContext.userManager.getUserRestrictions()).thenReturn(new Bundle());
768
769 // Now call clear.
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]770 doReturn(DpmMockContext.CALLER_SYSTEM_USER_UID).when(mContext.packageManager).getPackageUidAsUser(
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]771 eq(admin1.getPackageName()),
772 anyInt());
773 dpm.clearDeviceOwnerApp(admin1.getPackageName());
774
775 // Now DO shouldn't be set.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]776 assertNull(dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]777
778 // TODO Check other calls.
779 }
780
781 public void testClearDeviceOwner_fromDifferentUser() throws Exception {
782 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]783 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]784 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
785 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
786
787 // Set admin1 as a DA to the secondary user.
788 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
789
790 dpm.setActiveAdmin(admin1, /* replace =*/ false);
791
792 // Set admin 1 as the DO to the system user.
793
794 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
795 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
796 dpm.setActiveAdmin(admin1, /* replace =*/ false);
797 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
798
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]799 // Verify internal calls.
800 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
801 eq(admin1.getPackageName()));
802
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]803 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]804
805 // Now call clear from the secondary user, which should throw.
806 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
807
808 // Now call clear.
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]809 doReturn(DpmMockContext.CALLER_UID).when(mContext.packageManager).getPackageUidAsUser(
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]810 eq(admin1.getPackageName()),
811 anyInt());
812 try {
813 dpm.clearDeviceOwnerApp(admin1.getPackageName());
814 fail("Didn't throw");
815 } catch (SecurityException e) {
816 assertEquals("clearDeviceOwner can only be called by the device owner", e.getMessage());
817 }
818
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]819 // DO shouldn't be removed.
820 assertTrue(dpm.isDeviceManaged());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]821 }
822
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]823 public void testSetProfileOwner() throws Exception {
824 setAsProfileOwner(admin1);
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]825
826 // Try setting DO on the same user, which should fail.
827 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
828 dpm.setActiveAdmin(admin2, /* refreshing= */ true, DpmMockContext.CALLER_USER_HANDLE);
829 try {
830 dpm.setDeviceOwner(admin2, "owner-name", DpmMockContext.CALLER_USER_HANDLE);
831 fail("IllegalStateException not thrown");
832 } catch (IllegalStateException expected) {
833 assertTrue("Message was: " + expected.getMessage(),
834 expected.getMessage().contains("already has a profile owner"));
835 }
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]836 }
837
838 public void testSetProfileOwner_failures() throws Exception {
839 // TODO Test more failure cases. Basically test all chacks in enforceCanSetProfileOwner().
840 }
841
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]842 public void testGetDeviceOwnerAdminLocked() throws Exception {
843 checkDeviceOwnerWithMultipleDeviceAdmins();
844 }
845
846 private void checkDeviceOwnerWithMultipleDeviceAdmins() throws Exception {
847 // In ths test, we use 3 users (system + 2 secondary users), set some device admins to them,
848 // set admin2 on CALLER_USER_HANDLE as DO, then call getDeviceOwnerAdminLocked() to
849 // make sure it gets the right component from the right user.
850
851 final int ANOTHER_USER_ID = 100;
852 final int ANOTHER_ADMIN_UID = UserHandle.getUid(ANOTHER_USER_ID, 456);
853
854 mMockContext.addUser(ANOTHER_USER_ID, 0); // Add one more user.
855
856 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]857 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]858 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
859 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
860
861 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
862
863 // Make sure the admin packge is installed to each user.
864 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
865 setUpPackageManagerForAdmin(admin3, DpmMockContext.CALLER_SYSTEM_USER_UID);
866
867 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
868 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
869
870 setUpPackageManagerForAdmin(admin2, ANOTHER_ADMIN_UID);
871
872
873 // Set active admins to the users.
874 dpm.setActiveAdmin(admin1, /* replace =*/ false);
875 dpm.setActiveAdmin(admin3, /* replace =*/ false);
876
877 dpm.setActiveAdmin(admin1, /* replace =*/ false, DpmMockContext.CALLER_USER_HANDLE);
878 dpm.setActiveAdmin(admin2, /* replace =*/ false, DpmMockContext.CALLER_USER_HANDLE);
879
880 dpm.setActiveAdmin(admin2, /* replace =*/ false, ANOTHER_USER_ID);
881
882 // Set DO on the first non-system user.
883 mContext.setUserRunning(DpmMockContext.CALLER_USER_HANDLE, true);
884 assertTrue(dpm.setDeviceOwner(admin2, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
885
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]886 assertEquals(admin2, dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false));
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]887
888 // Then check getDeviceOwnerAdminLocked().
889 assertEquals(admin2, dpms.getDeviceOwnerAdminLocked().info.getComponent());
890 assertEquals(DpmMockContext.CALLER_UID, dpms.getDeviceOwnerAdminLocked().getUid());
891 }
892
893 /**
894 * This essentially tests
895 * {@code DevicePolicyManagerService.findOwnerComponentIfNecessaryLocked()}. (which is private.)
896 *
897 * We didn't use to persist the DO component class name, but now we do, and the above method
898 * finds the right component from a package name upon migration.
899 */
900 public void testDeviceOwnerMigration() throws Exception {
901 checkDeviceOwnerWithMultipleDeviceAdmins();
902
903 // Overwrite the device owner setting and clears the clas name.
904 dpms.mOwners.setDeviceOwner(
905 new ComponentName(admin2.getPackageName(), ""),
906 "owner-name", DpmMockContext.CALLER_USER_HANDLE);
907 dpms.mOwners.writeDeviceOwner();
908
909 // Make sure the DO component name doesn't have a class name.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]910 assertEquals("", dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false).getClassName());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]911
912 // Then create a new DPMS to have it load the settings from files.
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]913 when(mContext.userManager.getUserRestrictions(any(UserHandle.class)))
914 .thenReturn(new Bundle());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]915 initializeDpms();
916
917 // Now the DO component name is a full name.
918 // *BUT* because both admin1 and admin2 belong to the same package, we think admin1 is the
919 // DO.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]920 assertEquals(admin1, dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false));
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]921 }
922
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]923 public void testSetGetApplicationRestriction() {
924 setAsProfileOwner(admin1);
925
926 {
927 Bundle rest = new Bundle();
928 rest.putString("KEY_STRING", "Foo1");
929 dpm.setApplicationRestrictions(admin1, "pkg1", rest);
930 }
931
932 {
933 Bundle rest = new Bundle();
934 rest.putString("KEY_STRING", "Foo2");
935 dpm.setApplicationRestrictions(admin1, "pkg2", rest);
936 }
937
938 {
939 Bundle returned = dpm.getApplicationRestrictions(admin1, "pkg1");
940 assertNotNull(returned);
941 assertEquals(returned.size(), 1);
942 assertEquals(returned.get("KEY_STRING"), "Foo1");
943 }
944
945 {
946 Bundle returned = dpm.getApplicationRestrictions(admin1, "pkg2");
947 assertNotNull(returned);
948 assertEquals(returned.size(), 1);
949 assertEquals(returned.get("KEY_STRING"), "Foo2");
950 }
951
952 dpm.setApplicationRestrictions(admin1, "pkg2", new Bundle());
953 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg2").size());
954 }
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]955
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]956 public void testApplicationRestrictionsManagingApp() throws Exception {
957 setAsProfileOwner(admin1);
958
959 final String appRestrictionsManagerPackage = "com.google.app.restrictions.manager";
960 final int appRestrictionsManagerAppId = 20987;
961 final int appRestrictionsManagerUid = UserHandle.getUid(
962 DpmMockContext.CALLER_USER_HANDLE, appRestrictionsManagerAppId);
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]963 doReturn(appRestrictionsManagerUid).when(mContext.packageManager).getPackageUidAsUser(
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]964 eq(appRestrictionsManagerPackage),
965 eq(DpmMockContext.CALLER_USER_HANDLE));
966 mContext.binder.callingUid = appRestrictionsManagerUid;
967
968 // appRestrictionsManager package shouldn't be able to manage restrictions as the PO hasn't
969 // delegated that permission yet.
970 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
971 Bundle rest = new Bundle();
972 rest.putString("KEY_STRING", "Foo1");
973 try {
974 dpm.setApplicationRestrictions(null, "pkg1", rest);
975 fail("Didn't throw expected SecurityException");
976 } catch (SecurityException expected) {
977 MoreAsserts.assertContainsRegex(
978 "caller cannot manage application restrictions", expected.getMessage());
979 }
980 try {
981 dpm.getApplicationRestrictions(null, "pkg1");
982 fail("Didn't throw expected SecurityException");
983 } catch (SecurityException expected) {
984 MoreAsserts.assertContainsRegex(
985 "caller cannot manage application restrictions", expected.getMessage());
986 }
987
988 // Check via the profile owner that no restrictions were set.
989 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
990 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg1").size());
991
992 // Let appRestrictionsManagerPackage manage app restrictions
993 dpm.setApplicationRestrictionsManagingPackage(admin1, appRestrictionsManagerPackage);
994 assertEquals(appRestrictionsManagerPackage,
995 dpm.getApplicationRestrictionsManagingPackage(admin1));
996
997 // Now that package should be able to set and retrieve app restrictions.
998 mContext.binder.callingUid = appRestrictionsManagerUid;
999 assertTrue(dpm.isCallerApplicationRestrictionsManagingPackage());
1000 dpm.setApplicationRestrictions(null, "pkg1", rest);
1001 Bundle returned = dpm.getApplicationRestrictions(null, "pkg1");
1002 assertEquals(1, returned.size(), 1);
1003 assertEquals("Foo1", returned.get("KEY_STRING"));
1004
1005 // The same app running on a separate user shouldn't be able to manage app restrictions.
1006 mContext.binder.callingUid = UserHandle.getUid(
1007 UserHandle.USER_SYSTEM, appRestrictionsManagerAppId);
1008 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1009 try {
1010 dpm.setApplicationRestrictions(null, "pkg1", rest);
1011 fail("Didn't throw expected SecurityException");
1012 } catch (SecurityException expected) {
1013 MoreAsserts.assertContainsRegex(
1014 "caller cannot manage application restrictions", expected.getMessage());
1015 }
1016
1017 // The DPM is still able to manage app restrictions, even if it allowed another app to do it
1018 // too.
1019 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1020 assertEquals(returned, dpm.getApplicationRestrictions(admin1, "pkg1"));
1021 dpm.setApplicationRestrictions(admin1, "pkg1", null);
1022 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg1").size());
1023
1024 // Removing the ability for the package to manage app restrictions.
1025 dpm.setApplicationRestrictionsManagingPackage(admin1, null);
1026 assertNull(dpm.getApplicationRestrictionsManagingPackage(admin1));
1027 mContext.binder.callingUid = appRestrictionsManagerUid;
1028 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1029 try {
1030 dpm.setApplicationRestrictions(null, "pkg1", null);
1031 fail("Didn't throw expected SecurityException");
1032 } catch (SecurityException expected) {
1033 MoreAsserts.assertContainsRegex(
1034 "caller cannot manage application restrictions", expected.getMessage());
1035 }
1036 }
1037
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1038 public void testSetUserRestriction_asDo() throws Exception {
1039 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]1040 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1041 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1042 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1043
1044 // First, set DO.
1045
1046 // Call from a process on the system user.
1047 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1048
1049 // Make sure admin1 is installed on system user.
1050 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1051
1052 // Call.
1053 dpm.setActiveAdmin(admin1, /* replace =*/ false, UserHandle.USER_SYSTEM);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]1054 assertTrue(dpm.setDeviceOwner(admin1, "owner-name",
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1055 UserHandle.USER_SYSTEM));
1056
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1057 DpmTestUtils.assertRestrictions(
1058 DpmTestUtils.newRestrictions(),
1059 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1060 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1061 DpmTestUtils.assertRestrictions(
1062 DpmTestUtils.newRestrictions(),
1063 dpm.getUserRestrictions(admin1)
1064 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1065
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1066 reset(mContext.userManagerInternal);
1067
1068 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1069 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1070 eq(UserHandle.USER_SYSTEM),
1071 MockUtils.checkUserRestrictions(),
1072 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1073 );
1074 reset(mContext.userManagerInternal);
1075
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1076 dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1077 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1078 eq(UserHandle.USER_SYSTEM),
1079 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1080 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1081 );
1082 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1083
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1084 DpmTestUtils.assertRestrictions(
1085 DpmTestUtils.newRestrictions(
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1086 UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_OUTGOING_CALLS),
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1087 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1088 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1089 DpmTestUtils.assertRestrictions(
1090 DpmTestUtils.newRestrictions(
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1091 UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_OUTGOING_CALLS),
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1092 dpm.getUserRestrictions(admin1)
1093 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1094
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1095 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1096 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1097 eq(UserHandle.USER_SYSTEM),
1098 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1099 MockUtils.checkUserRestrictions()
1100 );
1101 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1102
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1103 DpmTestUtils.assertRestrictions(
1104 DpmTestUtils.newRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1105 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1106 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1107 DpmTestUtils.assertRestrictions(
1108 DpmTestUtils.newRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1109 dpm.getUserRestrictions(admin1)
1110 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1111
1112 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1113 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1114 eq(UserHandle.USER_SYSTEM),
1115 MockUtils.checkUserRestrictions(),
1116 MockUtils.checkUserRestrictions()
1117 );
1118 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1119
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1120 DpmTestUtils.assertRestrictions(
1121 DpmTestUtils.newRestrictions(),
1122 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1123 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1124 DpmTestUtils.assertRestrictions(
1125 DpmTestUtils.newRestrictions(),
1126 dpm.getUserRestrictions(admin1)
1127 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1128
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1129 // DISALLOW_ADJUST_VOLUME and DISALLOW_UNMUTE_MICROPHONE are PO restrictions, but when
1130 // DO sets them, the scope is global.
1131 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1132 reset(mContext.userManagerInternal);
1133 dpm.addUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1134 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1135 eq(UserHandle.USER_SYSTEM),
1136 MockUtils.checkUserRestrictions(),
1137 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
1138 UserManager.DISALLOW_UNMUTE_MICROPHONE)
1139 );
1140 reset(mContext.userManagerInternal);
1141
1142 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1143 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1144
1145
1146 // More tests.
1147 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1148 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1149 eq(UserHandle.USER_SYSTEM),
1150 MockUtils.checkUserRestrictions(),
1151 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1152 );
1153 reset(mContext.userManagerInternal);
1154
1155 dpm.addUserRestriction(admin1, UserManager.DISALLOW_FUN);
1156 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1157 eq(UserHandle.USER_SYSTEM),
1158 MockUtils.checkUserRestrictions(),
1159 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1160 UserManager.DISALLOW_ADD_USER)
1161 );
1162 reset(mContext.userManagerInternal);
1163
1164 dpm.setCameraDisabled(admin1, true);
1165 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1166 eq(UserHandle.USER_SYSTEM),
1167 // DISALLOW_CAMERA will be applied to both local and global.
1168 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA),
1169 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1170 UserManager.DISALLOW_CAMERA, UserManager.DISALLOW_ADD_USER)
1171 );
1172 reset(mContext.userManagerInternal);
1173
1174 // Set up another DA and let it disable camera. Now DISALLOW_CAMERA will only be applied
1175 // locally.
1176 dpm.setCameraDisabled(admin1, false);
1177 reset(mContext.userManagerInternal);
1178
1179 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID);
1180 dpm.setActiveAdmin(admin2, /* replace =*/ false, UserHandle.USER_SYSTEM);
1181 dpm.setCameraDisabled(admin2, true);
1182
1183 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1184 eq(UserHandle.USER_SYSTEM),
1185 // DISALLOW_CAMERA will be applied to both local and global.
1186 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA),
1187 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1188 UserManager.DISALLOW_ADD_USER)
1189 );
1190 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1191 // TODO Make sure restrictions are written to the file.
1192 }
1193
1194 public void testSetUserRestriction_asPo() {
1195 setAsProfileOwner(admin1);
1196
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1197 DpmTestUtils.assertRestrictions(
1198 DpmTestUtils.newRestrictions(),
1199 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1200 .ensureUserRestrictions()
1201 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1202
1203 dpm.addUserRestriction(admin1, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1204 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1205 eq(DpmMockContext.CALLER_USER_HANDLE),
1206 MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES),
1207 isNull(Bundle.class)
1208 );
1209 reset(mContext.userManagerInternal);
1210
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1211 dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1212 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1213 eq(DpmMockContext.CALLER_USER_HANDLE),
1214 MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1215 UserManager.DISALLOW_OUTGOING_CALLS),
1216 isNull(Bundle.class)
1217 );
1218 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1219
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1220 DpmTestUtils.assertRestrictions(
1221 DpmTestUtils.newRestrictions(
1222 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1223 UserManager.DISALLOW_OUTGOING_CALLS
1224 ),
1225 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1226 .ensureUserRestrictions()
1227 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1228 DpmTestUtils.assertRestrictions(
1229 DpmTestUtils.newRestrictions(
1230 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1231 UserManager.DISALLOW_OUTGOING_CALLS
1232 ),
1233 dpm.getUserRestrictions(admin1)
1234 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1235
1236 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1237 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1238 eq(DpmMockContext.CALLER_USER_HANDLE),
1239 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1240 isNull(Bundle.class)
1241 );
1242 reset(mContext.userManagerInternal);
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1243
1244 DpmTestUtils.assertRestrictions(
1245 DpmTestUtils.newRestrictions(
1246 UserManager.DISALLOW_OUTGOING_CALLS
1247 ),
1248 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1249 .ensureUserRestrictions()
1250 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1251 DpmTestUtils.assertRestrictions(
1252 DpmTestUtils.newRestrictions(
1253 UserManager.DISALLOW_OUTGOING_CALLS
1254 ),
1255 dpm.getUserRestrictions(admin1)
1256 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1257
1258 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1259 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1260 eq(DpmMockContext.CALLER_USER_HANDLE),
1261 MockUtils.checkUserRestrictions(),
1262 isNull(Bundle.class)
1263 );
1264 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1265
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1266 DpmTestUtils.assertRestrictions(
1267 DpmTestUtils.newRestrictions(),
1268 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1269 .ensureUserRestrictions()
1270 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1271 DpmTestUtils.assertRestrictions(
1272 DpmTestUtils.newRestrictions(),
1273 dpm.getUserRestrictions(admin1)
1274 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1275
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1276 // DISALLOW_ADJUST_VOLUME and DISALLOW_UNMUTE_MICROPHONE can be set by PO too, even
1277 // though when DO sets them they'll be applied globally.
1278 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1279 reset(mContext.userManagerInternal);
1280 dpm.addUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1281 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1282 eq(DpmMockContext.CALLER_USER_HANDLE),
1283 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
1284 UserManager.DISALLOW_UNMUTE_MICROPHONE),
1285 isNull(Bundle.class)
1286 );
1287 reset(mContext.userManagerInternal);
1288
1289 dpm.setCameraDisabled(admin1, true);
1290 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1291 eq(DpmMockContext.CALLER_USER_HANDLE),
1292 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA,
1293 UserManager.DISALLOW_ADJUST_VOLUME,
1294 UserManager.DISALLOW_UNMUTE_MICROPHONE),
1295 isNull(Bundle.class)
1296 );
1297 reset(mContext.userManagerInternal);
1298
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1299 // TODO Make sure restrictions are written to the file.
1300 }
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]1301
1302 public void testGetMacAddress() throws Exception {
1303 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1304 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1305 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1306
1307 // In this test, change the caller user to "system".
1308 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1309
1310 // Make sure admin1 is installed on system user.
1311 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1312
1313 // Test 1. Caller doesn't have DO or DA.
1314 try {
1315 dpm.getWifiMacAddress();
1316 fail();
1317 } catch (SecurityException e) {
1318 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1319 }
1320
1321 // DO needs to be an DA.
1322 dpm.setActiveAdmin(admin1, /* replace =*/ false);
1323 assertTrue(dpm.isAdminActive(admin1));
1324
1325 // Test 2. Caller has DA, but not DO.
1326 try {
1327 dpm.getWifiMacAddress();
1328 fail();
1329 } catch (SecurityException e) {
1330 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1331 }
1332
1333 // Test 3. Caller has PO, but not DO.
1334 assertTrue(dpm.setProfileOwner(admin1, null, UserHandle.USER_SYSTEM));
1335 try {
1336 dpm.getWifiMacAddress();
1337 fail();
1338 } catch (SecurityException e) {
1339 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1340 }
1341
1342 // Remove PO.
1343 dpm.clearProfileOwner(admin1);
1344
1345 // Test 4, Caller is DO now.
1346 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1347
1348 // 4-1. But no WifiInfo.
1349 assertNull(dpm.getWifiMacAddress());
1350
1351 // 4-2. Returns WifiInfo, but with the default MAC.
1352 when(mContext.wifiManager.getConnectionInfo()).thenReturn(new WifiInfo());
1353 assertNull(dpm.getWifiMacAddress());
1354
1355 // 4-3. With a real MAC address.
1356 final WifiInfo wi = new WifiInfo();
1357 wi.setMacAddress("11:22:33:44:55:66");
1358 when(mContext.wifiManager.getConnectionInfo()).thenReturn(wi);
1359 assertEquals("11:22:33:44:55:66", dpm.getWifiMacAddress());
1360 }
Mahaver Chopraf8373b52015-12-23 14:42:18 +0000[diff] [blame]1361
1362 public void testRebootCanOnlyBeCalledByDeviceOwner() throws Exception {
1363 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1364 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1365
1366 // In this test, change the caller user to "system".
1367 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1368
1369 // Make sure admin1 is installed on system user.
1370 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1371
1372 // Set admin1 as DA.
1373 dpm.setActiveAdmin(admin1, false);
1374 assertTrue(dpm.isAdminActive(admin1));
1375 try {
1376 dpm.reboot(admin1);
1377 fail("DA calls DPM.reboot(), did not throw expected SecurityException");
1378 } catch (SecurityException expected) {
1379 MoreAsserts.assertContainsRegex("does not own the device", expected.getMessage());
1380 }
1381
1382 // Set admin1 as PO.
1383 assertTrue(dpm.setProfileOwner(admin1, null, UserHandle.USER_SYSTEM));
1384 try {
1385 dpm.reboot(admin1);
1386 fail("PO calls DPM.reboot(), did not throw expected SecurityException");
1387 } catch (SecurityException expected) {
1388 MoreAsserts.assertContainsRegex("does not own the device", expected.getMessage());
1389 }
1390
1391 // Remove PO and add DO.
1392 dpm.clearProfileOwner(admin1);
1393 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1394
1395 dpm.reboot(admin1);
1396 }
Kenny Guy06de4e72015-12-22 12:07:39 +0000[diff] [blame]1397
1398 public void testSetGetSupportText() {
1399 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1400 dpm.setActiveAdmin(admin1, true);
1401 dpm.setActiveAdmin(admin2, true);
1402 mContext.callerPermissions.remove(permission.MANAGE_DEVICE_ADMINS);
1403
1404 // Null default support messages.
1405 {
1406 assertNull(dpm.getLongSupportMessage(admin1));
1407 assertNull(dpm.getShortSupportMessage(admin1));
1408 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1409 assertNull(dpm.getShortSupportMessageForUser(admin1,
1410 DpmMockContext.CALLER_USER_HANDLE));
1411 assertNull(dpm.getLongSupportMessageForUser(admin1,
1412 DpmMockContext.CALLER_USER_HANDLE));
1413 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1414 }
1415
1416 // Only system can call the per user versions.
1417 {
1418 try {
1419 dpm.getShortSupportMessageForUser(admin1,
1420 DpmMockContext.CALLER_USER_HANDLE);
1421 fail("Only system should be able to call getXXXForUser versions");
1422 } catch (SecurityException expected) {
1423 MoreAsserts.assertContainsRegex("message for user", expected.getMessage());
1424 }
1425 try {
1426 dpm.getLongSupportMessageForUser(admin1,
1427 DpmMockContext.CALLER_USER_HANDLE);
1428 fail("Only system should be able to call getXXXForUser versions");
1429 } catch (SecurityException expected) {
1430 MoreAsserts.assertContainsRegex("message for user", expected.getMessage());
1431 }
1432 }
1433
1434 // Can't set message for admin in another uid.
1435 {
1436 mContext.binder.callingUid = DpmMockContext.CALLER_UID + 1;
1437 try {
1438 dpm.setShortSupportMessage(admin1, "Some text");
1439 fail("Admins should only be able to change their own support text.");
1440 } catch (SecurityException expected) {
1441 MoreAsserts.assertContainsRegex("is not owned by uid", expected.getMessage());
1442 }
1443 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1444 }
1445
1446 // Set/Get short returns what it sets and other admins text isn't changed.
1447 {
1448 final String supportText = "Some text to test with.";
1449 dpm.setShortSupportMessage(admin1, supportText);
1450 assertEquals(supportText, dpm.getShortSupportMessage(admin1));
1451 assertNull(dpm.getLongSupportMessage(admin1));
1452 assertNull(dpm.getShortSupportMessage(admin2));
1453
1454 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1455 assertEquals(supportText, dpm.getShortSupportMessageForUser(admin1,
1456 DpmMockContext.CALLER_USER_HANDLE));
1457 assertNull(dpm.getShortSupportMessageForUser(admin2,
1458 DpmMockContext.CALLER_USER_HANDLE));
1459 assertNull(dpm.getLongSupportMessageForUser(admin1,
1460 DpmMockContext.CALLER_USER_HANDLE));
1461 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1462
1463 dpm.setShortSupportMessage(admin1, null);
1464 assertNull(dpm.getShortSupportMessage(admin1));
1465 }
1466
1467 // Set/Get long returns what it sets and other admins text isn't changed.
1468 {
1469 final String supportText = "Some text to test with.\nWith more text.";
1470 dpm.setLongSupportMessage(admin1, supportText);
1471 assertEquals(supportText, dpm.getLongSupportMessage(admin1));
1472 assertNull(dpm.getShortSupportMessage(admin1));
1473 assertNull(dpm.getLongSupportMessage(admin2));
1474
1475 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1476 assertEquals(supportText, dpm.getLongSupportMessageForUser(admin1,
1477 DpmMockContext.CALLER_USER_HANDLE));
1478 assertNull(dpm.getLongSupportMessageForUser(admin2,
1479 DpmMockContext.CALLER_USER_HANDLE));
1480 assertNull(dpm.getShortSupportMessageForUser(admin1,
1481 DpmMockContext.CALLER_USER_HANDLE));
1482 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1483
1484 dpm.setLongSupportMessage(admin1, null);
1485 assertNull(dpm.getLongSupportMessage(admin1));
1486 }
1487 }
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]1488
1489 /**
1490 * Test for:
1491 * {@link DevicePolicyManager#setAffiliationIds}
1492 * {@link DevicePolicyManager#isAffiliatedUser}
1493 */
1494 public void testUserAffiliation() throws Exception {
1495 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1496 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1497 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1498
1499 // Check that the system user is unaffiliated.
1500 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1501 assertFalse(dpm.isAffiliatedUser());
1502
1503 // Set a device owner on the system user. Check that the system user becomes affiliated.
1504 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1505 dpm.setActiveAdmin(admin1, /* replace =*/ false);
1506 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
1507 assertTrue(dpm.isAffiliatedUser());
1508
1509 // Install a profile owner whose package name matches the device owner on a test user. Check
1510 // that the test user is unaffiliated.
1511 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1512 setAsProfileOwner(admin2);
1513 assertFalse(dpm.isAffiliatedUser());
1514
1515 // Have the profile owner specify a set of affiliation ids. Check that the test user remains
1516 // unaffiliated.
1517 final Set<String> userAffiliationIds = new ArraySet<>();
1518 userAffiliationIds.add("red");
1519 userAffiliationIds.add("green");
1520 userAffiliationIds.add("blue");
1521 dpm.setAffiliationIds(admin2, userAffiliationIds);
1522 assertFalse(dpm.isAffiliatedUser());
1523
1524 // Have the device owner specify a set of affiliation ids that do not intersect with those
1525 // specified by the profile owner. Check that the test user remains unaffiliated.
1526 final Set<String> deviceAffiliationIds = new ArraySet<>();
1527 deviceAffiliationIds.add("cyan");
1528 deviceAffiliationIds.add("yellow");
1529 deviceAffiliationIds.add("magenta");
1530 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1531 dpm.setAffiliationIds(admin1, deviceAffiliationIds);
1532 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1533 assertFalse(dpm.isAffiliatedUser());
1534
1535 // Have the profile owner specify a set of affiliation ids that intersect with those
1536 // specified by the device owner. Check that the test user becomes affiliated.
1537 userAffiliationIds.add("yellow");
1538 dpm.setAffiliationIds(admin2, userAffiliationIds);
1539 assertTrue(dpm.isAffiliatedUser());
1540
1541 // Change the profile owner to one whose package name does not match the device owner. Check
1542 // that the test user is not affiliated anymore.
1543 dpm.clearProfileOwner(admin2);
1544 final ComponentName admin = new ComponentName("test", "test");
1545 markPackageAsInstalled(admin.getPackageName(), null, DpmMockContext.CALLER_USER_HANDLE);
1546 assertTrue(dpm.setProfileOwner(admin, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
1547 assertFalse(dpm.isAffiliatedUser());
1548
1549 // Check that the system user remains affiliated.
1550 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1551 assertTrue(dpm.isAffiliatedUser());
1552 }
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]1553
1554 public void testGetUserProvisioningState_defaultResult() {
1555 assertEquals(DevicePolicyManager.STATE_USER_UNMANAGED, dpm.getUserProvisioningState());
1556 }
1557
1558 public void testSetUserProvisioningState_permission() throws Exception {
1559 setupProfileOwner();
1560 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1561
1562 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1563 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1564 }
1565
1566 public void testSetUserProvisioningState_unprivileged() throws Exception {
1567 setupProfileOwner();
1568 try {
1569 dpm.setUserProvisioningState(DevicePolicyManager.STATE_USER_SETUP_FINALIZED,
1570 DpmMockContext.CALLER_USER_HANDLE);
1571 fail("Expected SecurityException");
1572 } catch (SecurityException expected) {
1573 }
1574 }
1575
1576 public void testSetUserProvisioningState_noManagement() {
1577 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1578 try {
1579 dpm.setUserProvisioningState(DevicePolicyManager.STATE_USER_SETUP_FINALIZED,
1580 DpmMockContext.CALLER_USER_HANDLE);
1581 fail("IllegalStateException expected");
1582 } catch (IllegalStateException e) {
1583 MoreAsserts.assertContainsRegex("change provisioning state unless a .* owner is set",
1584 e.getMessage());
1585 }
1586 assertEquals(DevicePolicyManager.STATE_USER_UNMANAGED, dpm.getUserProvisioningState());
1587 }
1588
1589 public void testSetUserProvisioningState_deviceOwnerFromSetupWizard() throws Exception {
1590 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1591 setupDeviceOwner();
1592 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1593
1594 exerciseUserProvisioningTransitions(UserHandle.USER_SYSTEM,
1595 DevicePolicyManager.STATE_USER_SETUP_COMPLETE,
1596 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1597 }
1598
1599 public void testSetUserProvisioningState_deviceOwnerFromSetupWizardAlternative()
1600 throws Exception {
1601 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1602 setupDeviceOwner();
1603 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1604
1605 exerciseUserProvisioningTransitions(UserHandle.USER_SYSTEM,
1606 DevicePolicyManager.STATE_USER_SETUP_INCOMPLETE,
1607 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1608 }
1609
1610 public void testSetUserProvisioningState_deviceOwnerWithoutSetupWizard() throws Exception {
1611 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1612 setupDeviceOwner();
1613 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1614
1615 exerciseUserProvisioningTransitions(UserHandle.USER_SYSTEM,
1616 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1617 }
1618
1619 public void testSetUserProvisioningState_managedProfileFromSetupWizard_primaryUser()
1620 throws Exception {
1621 setupProfileOwner();
1622 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1623
1624 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1625 DevicePolicyManager.STATE_USER_PROFILE_COMPLETE,
1626 DevicePolicyManager.STATE_USER_UNMANAGED);
1627 }
1628
1629 public void testSetUserProvisioningState_managedProfileFromSetupWizard_managedProfile()
1630 throws Exception {
1631 setupProfileOwner();
1632 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1633
1634 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1635 DevicePolicyManager.STATE_USER_SETUP_COMPLETE,
1636 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1637 }
1638
1639 public void testSetUserProvisioningState_managedProfileWithoutSetupWizard() throws Exception {
1640 setupProfileOwner();
1641 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1642
1643 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1644 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1645 }
1646
1647 public void testSetUserProvisioningState_illegalTransitionOutOfFinalized1() throws Exception {
1648 setupProfileOwner();
1649 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1650
1651 try {
1652 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1653 DevicePolicyManager.STATE_USER_SETUP_FINALIZED,
1654 DevicePolicyManager.STATE_USER_UNMANAGED);
1655 fail("Expected IllegalStateException");
1656 } catch (IllegalStateException e) {
1657 MoreAsserts.assertContainsRegex("Cannot move to user provisioning state",
1658 e.getMessage());
1659 }
1660 }
1661
1662 public void testSetUserProvisioningState_illegalTransitionToAnotherInProgressState()
1663 throws Exception {
1664 setupProfileOwner();
1665 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1666
1667 try {
1668 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1669 DevicePolicyManager.STATE_USER_SETUP_INCOMPLETE,
1670 DevicePolicyManager.STATE_USER_SETUP_COMPLETE);
1671 fail("Expected IllegalStateException");
1672 } catch (IllegalStateException e) {
1673 MoreAsserts.assertContainsRegex("Cannot move to user provisioning state",
1674 e.getMessage());
1675 }
1676 }
1677
1678 private void exerciseUserProvisioningTransitions(int userId, int... states) {
1679 assertEquals(DevicePolicyManager.STATE_USER_UNMANAGED, dpm.getUserProvisioningState());
1680 for (int state : states) {
1681 dpm.setUserProvisioningState(state, userId);
1682 assertEquals(state, dpm.getUserProvisioningState());
1683 }
1684 }
1685
1686 private void setupProfileOwner() throws Exception {
1687 mContext.callerPermissions.addAll(OWNER_SETUP_PERMISSIONS);
1688
1689 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
1690 dpm.setActiveAdmin(admin1, false);
1691 assertTrue(dpm.setProfileOwner(admin1, null, DpmMockContext.CALLER_USER_HANDLE));
1692
1693 mContext.callerPermissions.removeAll(OWNER_SETUP_PERMISSIONS);
1694 }
1695
1696 private void setupDeviceOwner() throws Exception {
1697 mContext.callerPermissions.addAll(OWNER_SETUP_PERMISSIONS);
1698
1699 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1700 dpm.setActiveAdmin(admin1, false);
1701 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1702
1703 mContext.callerPermissions.removeAll(OWNER_SETUP_PERMISSIONS);
1704 }
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]1705}