Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / 90b896533eb6a8867e7951bbbdbbacd9b520199c / . / services / tests / servicestests / src / com / android / server / devicepolicy / DevicePolicyManagerTest.java
blob: 64f60d93628b821f6dbd3b5d365486d2b45c3bd8 [file] [log] [blame]
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]1/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]16package com.android.server.devicepolicy;
17
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]18import android.Manifest.permission;
19import android.app.Activity;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]20import android.app.admin.DeviceAdminReceiver;
21import android.app.admin.DevicePolicyManager;
22import android.app.admin.DevicePolicyManagerInternal;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]23import android.content.BroadcastReceiver;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]24import android.content.ComponentName;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]25import android.content.pm.PackageManager;
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]26import android.net.wifi.WifiInfo;
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]27import android.os.Build.VERSION_CODES;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]28import android.os.Bundle;
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]29import android.os.Process;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]30import android.os.UserHandle;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]31import android.os.UserManager;
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]32import android.test.MoreAsserts;
Benjamin Franz6d009032016-01-25 18:56:38 +0000[diff] [blame]33import android.test.suitebuilder.annotation.SmallTest;
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]34import android.util.ArraySet;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]35import android.util.Pair;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]36
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]37import com.android.server.LocalServices;
38import com.android.server.SystemService;
39
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]40import org.mockito.ArgumentCaptor;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]41import org.mockito.invocation.InvocationOnMock;
42import org.mockito.stubbing.Answer;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]43
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]44import java.util.ArrayList;
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]45import java.util.Arrays;
46import java.util.Collections;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]47import java.util.HashMap;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]48import java.util.List;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]49import java.util.Map;
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]50import java.util.Set;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]51
52import static org.mockito.Matchers.any;
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]53import static org.mockito.Matchers.anyInt;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]54import static org.mockito.Matchers.anyString;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]55import static org.mockito.Matchers.eq;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]56import static org.mockito.Matchers.isNull;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]57import static org.mockito.Mockito.doAnswer;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]58import static org.mockito.Mockito.doReturn;
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]59import static org.mockito.Mockito.reset;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]60import static org.mockito.Mockito.times;
61import static org.mockito.Mockito.verify;
62import static org.mockito.Mockito.when;
63
64/**
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]65 * Tests for DevicePolicyManager( and DevicePolicyManagerService).
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]66 *
67 m FrameworksServicesTests &&
68 adb install \
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]69 -r ${ANDROID_PRODUCT_OUT}/data/app/FrameworksServicesTests/FrameworksServicesTests.apk &&
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]70 adb shell am instrument -e class com.android.server.devicepolicy.DevicePolicyManagerTest \
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]71 -w com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]72
73 (mmma frameworks/base/services/tests/servicestests/ for non-ninja build)
74 */
Benjamin Franz6d009032016-01-25 18:56:38 +0000[diff] [blame]75@SmallTest
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]76public class DevicePolicyManagerTest extends DpmTestBase {
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]77 private static final List<String> OWNER_SETUP_PERMISSIONS = Arrays.asList(
78 permission.MANAGE_DEVICE_ADMINS, permission.MANAGE_PROFILE_AND_DEVICE_OWNERS,
79 permission.MANAGE_USERS, permission.INTERACT_ACROSS_USERS_FULL);
80
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]81 private DpmMockContext mContext;
82 public DevicePolicyManager dpm;
83 public DevicePolicyManagerServiceTestable dpms;
84
85 @Override
86 protected void setUp() throws Exception {
87 super.setUp();
88
89 mContext = getContext();
90
91 when(mContext.packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN)))
92 .thenReturn(true);
93
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]94 initializeDpms();
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]95
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]96 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
97 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
98 setUpPackageManagerForAdmin(admin3, DpmMockContext.CALLER_UID);
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]99 setUpPackageManagerForAdmin(adminNoPerm, DpmMockContext.CALLER_UID);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]100
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]101 setUpUserManager();
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]102 }
103
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]104 private void initializeDpms() {
105 // Need clearCallingIdentity() to pass permission checks.
106 final long ident = mContext.binder.clearCallingIdentity();
107 try {
108 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class);
109
110 dpms = new DevicePolicyManagerServiceTestable(mContext, dataDir);
111
112 dpms.systemReady(SystemService.PHASE_LOCK_SETTINGS_READY);
113 dpms.systemReady(SystemService.PHASE_BOOT_COMPLETED);
114
115 dpm = new DevicePolicyManagerTestable(mContext, dpms);
116 } finally {
117 mContext.binder.restoreCallingIdentity(ident);
118 }
119 }
120
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]121 private void setUpUserManager() {
122 // Emulate UserManager.set/getApplicationRestriction().
123 final Map<Pair<String, UserHandle>, Bundle> appRestrictions = new HashMap<>();
124
125 // UM.setApplicationRestrictions() will save to appRestrictions.
126 doAnswer(new Answer<Void>() {
127 @Override
128 public Void answer(InvocationOnMock invocation) throws Throwable {
129 String pkg = (String) invocation.getArguments()[0];
130 Bundle bundle = (Bundle) invocation.getArguments()[1];
131 UserHandle user = (UserHandle) invocation.getArguments()[2];
132
133 appRestrictions.put(Pair.create(pkg, user), bundle);
134
135 return null;
136 }
137 }).when(mContext.userManager).setApplicationRestrictions(
138 anyString(), any(Bundle.class), any(UserHandle.class));
139
140 // UM.getApplicationRestrictions() will read from appRestrictions.
141 doAnswer(new Answer<Bundle>() {
142 @Override
143 public Bundle answer(InvocationOnMock invocation) throws Throwable {
144 String pkg = (String) invocation.getArguments()[0];
145 UserHandle user = (UserHandle) invocation.getArguments()[1];
146
147 return appRestrictions.get(Pair.create(pkg, user));
148 }
149 }).when(mContext.userManager).getApplicationRestrictions(
150 anyString(), any(UserHandle.class));
151
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]152 // Add the first secondary user.
153 mContext.addUser(DpmMockContext.CALLER_USER_HANDLE, 0);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]154 }
155
156 private void setAsProfileOwner(ComponentName admin) {
157 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
158 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
159
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]160 // PO needs to be an DA.
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]161 dpm.setActiveAdmin(admin, /* replace =*/ false);
162
163 // Fire!
164 assertTrue(dpm.setProfileOwner(admin, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
165
166 // Check
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]167 assertEquals(admin, dpm.getProfileOwnerAsUser(DpmMockContext.CALLER_USER_HANDLE));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]168 }
169
170 public void testHasNoFeature() throws Exception {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]171 when(mContext.packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN)))
172 .thenReturn(false);
173
174 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class);
175 new DevicePolicyManagerServiceTestable(mContext, dataDir);
176
177 // If the device has no DPMS feature, it shouldn't register the local service.
178 assertNull(LocalServices.getService(DevicePolicyManagerInternal.class));
179 }
180
181 /**
182 * Caller doesn't have proper permissions.
183 */
184 public void testSetActiveAdmin_SecurityException() {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]185 // 1. Failure cases.
186
187 // Caller doesn't have MANAGE_DEVICE_ADMINS.
188 try {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]189 dpm.setActiveAdmin(admin1, false);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]190 fail("Didn't throw SecurityException");
191 } catch (SecurityException expected) {
192 }
193
194 // Caller has MANAGE_DEVICE_ADMINS, but for different user.
195 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
196 try {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]197 dpm.setActiveAdmin(admin1, false, DpmMockContext.CALLER_USER_HANDLE + 1);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]198 fail("Didn't throw SecurityException");
199 } catch (SecurityException expected) {
200 }
201 }
202
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]203 /**
204 * Test for:
205 * {@link DevicePolicyManager#setActiveAdmin}
206 * with replace=false and replace=true
207 * {@link DevicePolicyManager#isAdminActive}
208 * {@link DevicePolicyManager#isAdminActiveAsUser}
209 * {@link DevicePolicyManager#getActiveAdmins}
210 * {@link DevicePolicyManager#getActiveAdminsAsUser}
211 */
212 public void testSetActiveAdmin() throws Exception {
213 // 1. Make sure the caller has proper permissions.
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]214 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
215
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]216 // 2. Call the API.
217 dpm.setActiveAdmin(admin1, /* replace =*/ false);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]218
219 // 3. Verify internal calls.
220
221 // Check if the boradcast is sent.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]222 verify(mContext.spiedContext).sendBroadcastAsUser(
223 MockUtils.checkIntentAction(
224 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
225 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
226 verify(mContext.spiedContext).sendBroadcastAsUser(
227 MockUtils.checkIntentAction(
228 DeviceAdminReceiver.ACTION_DEVICE_ADMIN_ENABLED),
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]229 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
230
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]231 verify(mContext.ipackageManager, times(1)).setApplicationEnabledSetting(
232 eq(admin1.getPackageName()),
233 eq(PackageManager.COMPONENT_ENABLED_STATE_DEFAULT),
234 eq(PackageManager.DONT_KILL_APP),
235 eq(DpmMockContext.CALLER_USER_HANDLE),
236 anyString());
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]237
238 // TODO Verify other calls too.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]239
240 // Make sure it's active admin1.
241 assertTrue(dpm.isAdminActive(admin1));
242 assertFalse(dpm.isAdminActive(admin2));
243 assertFalse(dpm.isAdminActive(admin3));
244
245 // But not admin1 for a different user.
246
247 // For this to work, caller needs android.permission.INTERACT_ACROSS_USERS_FULL.
248 // (Because we're checking a different user's status from CALLER_USER_HANDLE.)
249 mContext.callerPermissions.add("android.permission.INTERACT_ACROSS_USERS_FULL");
250
251 assertFalse(dpm.isAdminActiveAsUser(admin1, DpmMockContext.CALLER_USER_HANDLE + 1));
252 assertFalse(dpm.isAdminActiveAsUser(admin2, DpmMockContext.CALLER_USER_HANDLE + 1));
253
254 mContext.callerPermissions.remove("android.permission.INTERACT_ACROSS_USERS_FULL");
255
256 // Next, add one more admin.
257 // Before doing so, update the application info, now it's enabled.
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]258 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID,
259 PackageManager.COMPONENT_ENABLED_STATE_ENABLED);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]260
261 dpm.setActiveAdmin(admin2, /* replace =*/ false);
262
263 // Now we have two admins.
264 assertTrue(dpm.isAdminActive(admin1));
265 assertTrue(dpm.isAdminActive(admin2));
266 assertFalse(dpm.isAdminActive(admin3));
267
268 // Admin2 was already enabled, so setApplicationEnabledSetting() shouldn't have called
269 // again. (times(1) because it was previously called for admin1)
270 verify(mContext.ipackageManager, times(1)).setApplicationEnabledSetting(
271 eq(admin1.getPackageName()),
272 eq(PackageManager.COMPONENT_ENABLED_STATE_DEFAULT),
273 eq(PackageManager.DONT_KILL_APP),
274 eq(DpmMockContext.CALLER_USER_HANDLE),
275 anyString());
276
277 // 4. Add the same admin1 again without replace, which should throw.
278 try {
279 dpm.setActiveAdmin(admin1, /* replace =*/ false);
280 fail("Didn't throw");
281 } catch (IllegalArgumentException expected) {
282 }
283
284 // 5. Add the same admin1 again with replace, which should succeed.
285 dpm.setActiveAdmin(admin1, /* replace =*/ true);
286
287 // TODO make sure it's replaced.
288
289 // 6. Test getActiveAdmins()
290 List<ComponentName> admins = dpm.getActiveAdmins();
291 assertEquals(2, admins.size());
292 assertEquals(admin1, admins.get(0));
293 assertEquals(admin2, admins.get(1));
294
295 // Another user has no admins.
296 mContext.callerPermissions.add("android.permission.INTERACT_ACROSS_USERS_FULL");
297
298 assertEquals(0, DpmTestUtils.getListSizeAllowingNull(
299 dpm.getActiveAdminsAsUser(DpmMockContext.CALLER_USER_HANDLE + 1)));
300
301 mContext.callerPermissions.remove("android.permission.INTERACT_ACROSS_USERS_FULL");
302 }
303
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]304 public void testSetActiveAdmin_multiUsers() throws Exception {
305
306 final int ANOTHER_USER_ID = 100;
307 final int ANOTHER_ADMIN_UID = UserHandle.getUid(ANOTHER_USER_ID, 20456);
308
309 mMockContext.addUser(ANOTHER_USER_ID, 0); // Add one more user.
310
311 // Set up pacakge manager for the other user.
312 setUpPackageManagerForAdmin(admin2, ANOTHER_ADMIN_UID);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]313
314 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
315
316 dpm.setActiveAdmin(admin1, /* replace =*/ false);
317
318 mMockContext.binder.callingUid = ANOTHER_ADMIN_UID;
319 dpm.setActiveAdmin(admin2, /* replace =*/ false);
320
321
322 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
323 assertTrue(dpm.isAdminActive(admin1));
324 assertFalse(dpm.isAdminActive(admin2));
325
326 mMockContext.binder.callingUid = ANOTHER_ADMIN_UID;
327 assertFalse(dpm.isAdminActive(admin1));
328 assertTrue(dpm.isAdminActive(admin2));
329 }
330
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]331 /**
332 * Test for:
333 * {@link DevicePolicyManager#setActiveAdmin}
334 * with replace=false
335 */
336 public void testSetActiveAdmin_twiceWithoutReplace() throws Exception {
337 // 1. Make sure the caller has proper permissions.
338 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
339
340 dpm.setActiveAdmin(admin1, /* replace =*/ false);
341 assertTrue(dpm.isAdminActive(admin1));
342
343 // Add the same admin1 again without replace, which should throw.
344 try {
345 dpm.setActiveAdmin(admin1, /* replace =*/ false);
346 fail("Didn't throw");
347 } catch (IllegalArgumentException expected) {
348 }
349 }
350
351 /**
352 * Test for:
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]353 * {@link DevicePolicyManager#setActiveAdmin} when the admin isn't protected with
354 * BIND_DEVICE_ADMIN.
355 */
356 public void testSetActiveAdmin_permissionCheck() throws Exception {
357 // 1. Make sure the caller has proper permissions.
358 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
359
360 try {
361 dpm.setActiveAdmin(adminNoPerm, /* replace =*/ false);
362 fail();
363 } catch (IllegalArgumentException expected) {
364 assertTrue(expected.getMessage().contains(permission.BIND_DEVICE_ADMIN));
365 }
366 assertFalse(dpm.isAdminActive(adminNoPerm));
367
368 // Change the target API level to MNC. Now it can be set as DA.
369 setUpPackageManagerForAdmin(adminNoPerm, DpmMockContext.CALLER_UID, null,
370 VERSION_CODES.M);
371 dpm.setActiveAdmin(adminNoPerm, /* replace =*/ false);
372 assertTrue(dpm.isAdminActive(adminNoPerm));
373
374 // TODO Test the "load from the file" case where DA will still be loaded even without
375 // BIND_DEVICE_ADMIN and target API is N.
376 }
377
378 /**
379 * Test for:
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]380 * {@link DevicePolicyManager#removeActiveAdmin}
381 */
382 public void testRemoveActiveAdmin_SecurityException() {
383 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
384
385 // Add admin.
386
387 dpm.setActiveAdmin(admin1, /* replace =*/ false);
388
389 assertTrue(dpm.isAdminActive(admin1));
390
391 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
392
393 // Directly call the DPMS method with a different userid, which should fail.
394 try {
395 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE + 1);
396 fail("Didn't throw SecurityException");
397 } catch (SecurityException expected) {
398 }
399
400 // Try to remove active admin with a different caller userid should fail too, without
401 // having MANAGE_DEVICE_ADMINS.
402 mContext.callerPermissions.clear();
403
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]404 // Change the caller, and call into DPMS directly with a different user-id.
405
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]406 mContext.binder.callingUid = 1234567;
407 try {
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]408 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]409 fail("Didn't throw SecurityException");
410 } catch (SecurityException expected) {
411 }
412 }
413
414 /**
415 * Test for:
416 * {@link DevicePolicyManager#removeActiveAdmin}
417 */
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]418 public void testRemoveActiveAdmin_fromDifferentUserWithINTERACT_ACROSS_USERS_FULL() {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]419 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
420
421 // Add admin1.
422
423 dpm.setActiveAdmin(admin1, /* replace =*/ false);
424
425 assertTrue(dpm.isAdminActive(admin1));
426 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
427
428 // Different user, but should work, because caller has proper permissions.
429 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]430
431 // Change the caller, and call into DPMS directly with a different user-id.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]432 mContext.binder.callingUid = 1234567;
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]433
434 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]435
436 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
437
438 // TODO DO Still can't be removed in this case.
439 }
440
441 /**
442 * Test for:
443 * {@link DevicePolicyManager#removeActiveAdmin}
444 */
445 public void testRemoveActiveAdmin_sameUserNoMANAGE_DEVICE_ADMINS() {
446 // Need MANAGE_DEVICE_ADMINS for setActiveAdmin. We'll remove it later.
447 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
448
449 // Add admin1.
450
451 dpm.setActiveAdmin(admin1, /* replace =*/ false);
452
453 assertTrue(dpm.isAdminActive(admin1));
454 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
455
456 // Broadcast from saveSettingsLocked().
457 verify(mContext.spiedContext, times(1)).sendBroadcastAsUser(
458 MockUtils.checkIntentAction(
459 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
460 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
461
462 // Remove. No permissions, but same user, so it'll work.
463 mContext.callerPermissions.clear();
464 dpm.removeActiveAdmin(admin1);
465
466 final ArgumentCaptor<BroadcastReceiver> brCap =
467 ArgumentCaptor.forClass(BroadcastReceiver.class);
468
469 // Is removing now, but not removed yet.
470 assertTrue(dpm.isAdminActive(admin1));
471 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
472
473 verify(mContext.spiedContext).sendOrderedBroadcastAsUser(
474 MockUtils.checkIntentAction(
475 DeviceAdminReceiver.ACTION_DEVICE_ADMIN_DISABLED),
476 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE),
477 isNull(String.class),
478 brCap.capture(),
479 eq(dpms.mHandler),
480 eq(Activity.RESULT_OK),
481 isNull(String.class),
482 isNull(Bundle.class));
483
484 brCap.getValue().onReceive(mContext, null);
485
486 assertFalse(dpm.isAdminActive(admin1));
487 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
488
489 // Again broadcast from saveSettingsLocked().
490 verify(mContext.spiedContext, times(2)).sendBroadcastAsUser(
491 MockUtils.checkIntentAction(
492 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
493 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
494
495 // TODO Check other internal calls.
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]496 }
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]497
498 /**
499 * Test for: {@link DevicePolicyManager#setDeviceOwner} DO on system user installs
500 * successfully.
501 */
502 public void testSetDeviceOwner() throws Exception {
503 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]504 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]505 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
506 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
507
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]508 // In this test, change the caller user to "system".
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]509 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
510
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]511 // Make sure admin1 is installed on system user.
512 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]513
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]514 // Check various get APIs.
515 checkGetDeviceOwnerInfoApi(dpm, /* hasDeviceOwner =*/ false);
516
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]517 // DO needs to be an DA.
518 dpm.setActiveAdmin(admin1, /* replace =*/ false);
519
520 // Fire!
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]521 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]522
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]523 // getDeviceOwnerComponent should return the admin1 component.
524 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
525 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
526
527 // Check various get APIs.
528 checkGetDeviceOwnerInfoApi(dpm, /* hasDeviceOwner =*/ true);
529
530 // getDeviceOwnerComponent should *NOT* return the admin1 component for other users.
531 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
532 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
533 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
534
535 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
536
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]537 // Verify internal calls.
538 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
539 eq(admin1.getPackageName()));
540
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]541 // TODO We should check if the caller has called clearCallerIdentity().
542 verify(mContext.ibackupManager, times(1)).setBackupServiceActive(
543 eq(UserHandle.USER_SYSTEM), eq(false));
544
545 verify(mContext.spiedContext, times(1)).sendBroadcastAsUser(
546 MockUtils.checkIntentAction(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED),
547 MockUtils.checkUserHandle(UserHandle.USER_SYSTEM));
548
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]549 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]550
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]551 // Try to set a profile owner on the same user, which should fail.
552 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID);
553 dpm.setActiveAdmin(admin2, /* refreshing= */ true, UserHandle.USER_SYSTEM);
554 try {
555 dpm.setProfileOwner(admin2, "owner-name", UserHandle.USER_SYSTEM);
556 fail("IllegalStateException not thrown");
557 } catch (IllegalStateException expected) {
558 assertTrue("Message was: " + expected.getMessage(),
559 expected.getMessage().contains("already has a device owner"));
560 }
561
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame^]562 // DO admin can't be deactivated.
563 dpm.removeActiveAdmin(admin1);
564 assertTrue(dpm.isAdminActive(admin1));
565
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]566 // TODO Test getDeviceOwnerName() too. To do so, we need to change
567 // DPMS.getApplicationLabel() because Context.createPackageContextAsUser() is not mockable.
568 }
569
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]570 private void checkGetDeviceOwnerInfoApi(DevicePolicyManager dpm, boolean hasDeviceOwner) {
571 final int origCallingUser = mContext.binder.callingUid;
572 final List origPermissions = new ArrayList(mContext.callerPermissions);
573 mContext.callerPermissions.clear();
574
575 mContext.callerPermissions.add(permission.MANAGE_USERS);
576
577 mContext.binder.callingUid = Process.SYSTEM_UID;
578
579 // TODO Test getDeviceOwnerName() too. To do so, we need to change
580 // DPMS.getApplicationLabel() because Context.createPackageContextAsUser() is not mockable.
581 if (hasDeviceOwner) {
582 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
583 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
584 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
585
586 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
587 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
588 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
589 } else {
590 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
591 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
592 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
593
594 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
595 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
596 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
597 }
598
599 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
600 if (hasDeviceOwner) {
601 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
602 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
603 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
604
605 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
606 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
607 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
608 } else {
609 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
610 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
611 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
612
613 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
614 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
615 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
616 }
617
618 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
619 // Still with MANAGE_USERS.
620 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
621 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
622 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
623
624 if (hasDeviceOwner) {
625 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
626 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
627 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
628 } else {
629 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
630 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
631 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
632 }
633
634 mContext.binder.callingUid = Process.SYSTEM_UID;
635 mContext.callerPermissions.remove(permission.MANAGE_USERS);
636 // System can still call "OnAnyUser" without MANAGE_USERS.
637 if (hasDeviceOwner) {
638 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
639 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
640 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
641
642 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
643 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
644 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
645 } else {
646 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
647 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
648 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
649
650 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
651 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
652 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
653 }
654
655 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
656 // Still no MANAGE_USERS.
657 if (hasDeviceOwner) {
658 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
659 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
660 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
661 } else {
662 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
663 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
664 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
665 }
666
667 try {
668 dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName());
669 fail();
670 } catch (SecurityException expected) {
671 }
672 try {
673 dpm.getDeviceOwnerComponentOnAnyUser();
674 fail();
675 } catch (SecurityException expected) {
676 }
677 try {
678 dpm.getDeviceOwnerUserId();
679 fail();
680 } catch (SecurityException expected) {
681 }
682 try {
683 dpm.getDeviceOwnerNameOnAnyUser();
684 fail();
685 } catch (SecurityException expected) {
686 }
687
688 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
689 // Still no MANAGE_USERS.
690 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
691 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
692 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
693
694 try {
695 dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName());
696 fail();
697 } catch (SecurityException expected) {
698 }
699 try {
700 dpm.getDeviceOwnerComponentOnAnyUser();
701 fail();
702 } catch (SecurityException expected) {
703 }
704 try {
705 dpm.getDeviceOwnerUserId();
706 fail();
707 } catch (SecurityException expected) {
708 }
709 try {
710 dpm.getDeviceOwnerNameOnAnyUser();
711 fail();
712 } catch (SecurityException expected) {
713 }
714
715 // Restore.
716 mContext.binder.callingUid = origCallingUser;
717 mContext.callerPermissions.addAll(origPermissions);
718 }
719
720
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]721 /**
722 * Test for: {@link DevicePolicyManager#setDeviceOwner} Package doesn't exist.
723 */
724 public void testSetDeviceOwner_noSuchPackage() {
725 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]726 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]727 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
728 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
729
730 // Call from a process on the system user.
731 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
732
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]733 try {
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]734 dpm.setDeviceOwner(new ComponentName("a.b.c", ".def"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]735 fail("Didn't throw IllegalArgumentException");
736 } catch (IllegalArgumentException expected) {
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]737 assertTrue("Message was: " + expected.getMessage(),
738 expected.getMessage().contains("Invalid component"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]739 }
740 }
741
742 public void testSetDeviceOwner_failures() throws Exception {
743 // TODO Test more failure cases. Basically test all chacks in enforceCanSetDeviceOwner().
744 }
745
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]746 public void testClearDeviceOwner() throws Exception {
747 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]748 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]749 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
750 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
751
752 // Set admin1 as a DA to the secondary user.
753 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
754
755 dpm.setActiveAdmin(admin1, /* replace =*/ false);
756
757 // Set admin 1 as the DO to the system user.
758
759 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
760 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
761 dpm.setActiveAdmin(admin1, /* replace =*/ false);
762 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
763
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]764 // Verify internal calls.
765 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
766 eq(admin1.getPackageName()));
767
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]768 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]769
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame^]770 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
771
772 assertTrue(dpm.isAdminActive(admin1));
773 assertFalse(dpm.isRemovingAdmin(admin1, UserHandle.USER_SYSTEM));
774
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]775 // Set up other mocks.
776 when(mContext.userManager.getUserRestrictions()).thenReturn(new Bundle());
777
778 // Now call clear.
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]779 doReturn(DpmMockContext.CALLER_SYSTEM_USER_UID).when(mContext.packageManager).getPackageUidAsUser(
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]780 eq(admin1.getPackageName()),
781 anyInt());
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame^]782 reset(mContext.userManagerInternal);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]783 dpm.clearDeviceOwnerApp(admin1.getPackageName());
784
785 // Now DO shouldn't be set.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]786 assertNull(dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]787
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame^]788 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
789 eq(UserHandle.USER_SYSTEM),
790 MockUtils.checkUserRestrictions(),
791 MockUtils.checkUserRestrictions()
792 );
793
794 assertTrue(dpm.isAdminActive(admin1));
795 assertTrue(dpm.isRemovingAdmin(admin1, UserHandle.USER_SYSTEM));
796
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]797 // TODO Check other calls.
798 }
799
800 public void testClearDeviceOwner_fromDifferentUser() throws Exception {
801 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]802 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]803 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
804 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
805
806 // Set admin1 as a DA to the secondary user.
807 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
808
809 dpm.setActiveAdmin(admin1, /* replace =*/ false);
810
811 // Set admin 1 as the DO to the system user.
812
813 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
814 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
815 dpm.setActiveAdmin(admin1, /* replace =*/ false);
816 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
817
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]818 // Verify internal calls.
819 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
820 eq(admin1.getPackageName()));
821
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]822 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]823
824 // Now call clear from the secondary user, which should throw.
825 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
826
827 // Now call clear.
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]828 doReturn(DpmMockContext.CALLER_UID).when(mContext.packageManager).getPackageUidAsUser(
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]829 eq(admin1.getPackageName()),
830 anyInt());
831 try {
832 dpm.clearDeviceOwnerApp(admin1.getPackageName());
833 fail("Didn't throw");
834 } catch (SecurityException e) {
835 assertEquals("clearDeviceOwner can only be called by the device owner", e.getMessage());
836 }
837
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]838 // DO shouldn't be removed.
839 assertTrue(dpm.isDeviceManaged());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]840 }
841
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]842 public void testSetProfileOwner() throws Exception {
843 setAsProfileOwner(admin1);
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]844
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame^]845 // PO admin can't be deactivated.
846 dpm.removeActiveAdmin(admin1);
847 assertTrue(dpm.isAdminActive(admin1));
848
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]849 // Try setting DO on the same user, which should fail.
850 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
851 dpm.setActiveAdmin(admin2, /* refreshing= */ true, DpmMockContext.CALLER_USER_HANDLE);
852 try {
853 dpm.setDeviceOwner(admin2, "owner-name", DpmMockContext.CALLER_USER_HANDLE);
854 fail("IllegalStateException not thrown");
855 } catch (IllegalStateException expected) {
856 assertTrue("Message was: " + expected.getMessage(),
857 expected.getMessage().contains("already has a profile owner"));
858 }
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]859 }
860
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame^]861 public void testClearProfileOwner() throws Exception {
862 setAsProfileOwner(admin1);
863
864 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
865
866 assertTrue(dpm.isProfileOwnerApp(admin1.getPackageName()));
867 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
868
869 // Clear
870 dpm.clearProfileOwner(admin1);
871
872 // Check
873 assertFalse(dpm.isProfileOwnerApp(admin1.getPackageName()));
874 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
875 }
876
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]877 public void testSetProfileOwner_failures() throws Exception {
878 // TODO Test more failure cases. Basically test all chacks in enforceCanSetProfileOwner().
879 }
880
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]881 public void testGetDeviceOwnerAdminLocked() throws Exception {
882 checkDeviceOwnerWithMultipleDeviceAdmins();
883 }
884
885 private void checkDeviceOwnerWithMultipleDeviceAdmins() throws Exception {
886 // In ths test, we use 3 users (system + 2 secondary users), set some device admins to them,
887 // set admin2 on CALLER_USER_HANDLE as DO, then call getDeviceOwnerAdminLocked() to
888 // make sure it gets the right component from the right user.
889
890 final int ANOTHER_USER_ID = 100;
891 final int ANOTHER_ADMIN_UID = UserHandle.getUid(ANOTHER_USER_ID, 456);
892
893 mMockContext.addUser(ANOTHER_USER_ID, 0); // Add one more user.
894
895 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]896 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]897 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
898 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
899
900 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
901
902 // Make sure the admin packge is installed to each user.
903 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
904 setUpPackageManagerForAdmin(admin3, DpmMockContext.CALLER_SYSTEM_USER_UID);
905
906 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
907 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
908
909 setUpPackageManagerForAdmin(admin2, ANOTHER_ADMIN_UID);
910
911
912 // Set active admins to the users.
913 dpm.setActiveAdmin(admin1, /* replace =*/ false);
914 dpm.setActiveAdmin(admin3, /* replace =*/ false);
915
916 dpm.setActiveAdmin(admin1, /* replace =*/ false, DpmMockContext.CALLER_USER_HANDLE);
917 dpm.setActiveAdmin(admin2, /* replace =*/ false, DpmMockContext.CALLER_USER_HANDLE);
918
919 dpm.setActiveAdmin(admin2, /* replace =*/ false, ANOTHER_USER_ID);
920
921 // Set DO on the first non-system user.
922 mContext.setUserRunning(DpmMockContext.CALLER_USER_HANDLE, true);
923 assertTrue(dpm.setDeviceOwner(admin2, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
924
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]925 assertEquals(admin2, dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false));
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]926
927 // Then check getDeviceOwnerAdminLocked().
928 assertEquals(admin2, dpms.getDeviceOwnerAdminLocked().info.getComponent());
929 assertEquals(DpmMockContext.CALLER_UID, dpms.getDeviceOwnerAdminLocked().getUid());
930 }
931
932 /**
933 * This essentially tests
934 * {@code DevicePolicyManagerService.findOwnerComponentIfNecessaryLocked()}. (which is private.)
935 *
936 * We didn't use to persist the DO component class name, but now we do, and the above method
937 * finds the right component from a package name upon migration.
938 */
939 public void testDeviceOwnerMigration() throws Exception {
940 checkDeviceOwnerWithMultipleDeviceAdmins();
941
942 // Overwrite the device owner setting and clears the clas name.
943 dpms.mOwners.setDeviceOwner(
944 new ComponentName(admin2.getPackageName(), ""),
945 "owner-name", DpmMockContext.CALLER_USER_HANDLE);
946 dpms.mOwners.writeDeviceOwner();
947
948 // Make sure the DO component name doesn't have a class name.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]949 assertEquals("", dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false).getClassName());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]950
951 // Then create a new DPMS to have it load the settings from files.
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]952 when(mContext.userManager.getUserRestrictions(any(UserHandle.class)))
953 .thenReturn(new Bundle());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]954 initializeDpms();
955
956 // Now the DO component name is a full name.
957 // *BUT* because both admin1 and admin2 belong to the same package, we think admin1 is the
958 // DO.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]959 assertEquals(admin1, dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false));
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]960 }
961
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]962 public void testSetGetApplicationRestriction() {
963 setAsProfileOwner(admin1);
964
965 {
966 Bundle rest = new Bundle();
967 rest.putString("KEY_STRING", "Foo1");
968 dpm.setApplicationRestrictions(admin1, "pkg1", rest);
969 }
970
971 {
972 Bundle rest = new Bundle();
973 rest.putString("KEY_STRING", "Foo2");
974 dpm.setApplicationRestrictions(admin1, "pkg2", rest);
975 }
976
977 {
978 Bundle returned = dpm.getApplicationRestrictions(admin1, "pkg1");
979 assertNotNull(returned);
980 assertEquals(returned.size(), 1);
981 assertEquals(returned.get("KEY_STRING"), "Foo1");
982 }
983
984 {
985 Bundle returned = dpm.getApplicationRestrictions(admin1, "pkg2");
986 assertNotNull(returned);
987 assertEquals(returned.size(), 1);
988 assertEquals(returned.get("KEY_STRING"), "Foo2");
989 }
990
991 dpm.setApplicationRestrictions(admin1, "pkg2", new Bundle());
992 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg2").size());
993 }
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]994
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]995 public void testApplicationRestrictionsManagingApp() throws Exception {
996 setAsProfileOwner(admin1);
997
998 final String appRestrictionsManagerPackage = "com.google.app.restrictions.manager";
999 final int appRestrictionsManagerAppId = 20987;
1000 final int appRestrictionsManagerUid = UserHandle.getUid(
1001 DpmMockContext.CALLER_USER_HANDLE, appRestrictionsManagerAppId);
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]1002 doReturn(appRestrictionsManagerUid).when(mContext.packageManager).getPackageUidAsUser(
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]1003 eq(appRestrictionsManagerPackage),
1004 eq(DpmMockContext.CALLER_USER_HANDLE));
1005 mContext.binder.callingUid = appRestrictionsManagerUid;
1006
1007 // appRestrictionsManager package shouldn't be able to manage restrictions as the PO hasn't
1008 // delegated that permission yet.
1009 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1010 Bundle rest = new Bundle();
1011 rest.putString("KEY_STRING", "Foo1");
1012 try {
1013 dpm.setApplicationRestrictions(null, "pkg1", rest);
1014 fail("Didn't throw expected SecurityException");
1015 } catch (SecurityException expected) {
1016 MoreAsserts.assertContainsRegex(
1017 "caller cannot manage application restrictions", expected.getMessage());
1018 }
1019 try {
1020 dpm.getApplicationRestrictions(null, "pkg1");
1021 fail("Didn't throw expected SecurityException");
1022 } catch (SecurityException expected) {
1023 MoreAsserts.assertContainsRegex(
1024 "caller cannot manage application restrictions", expected.getMessage());
1025 }
1026
1027 // Check via the profile owner that no restrictions were set.
1028 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1029 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg1").size());
1030
1031 // Let appRestrictionsManagerPackage manage app restrictions
1032 dpm.setApplicationRestrictionsManagingPackage(admin1, appRestrictionsManagerPackage);
1033 assertEquals(appRestrictionsManagerPackage,
1034 dpm.getApplicationRestrictionsManagingPackage(admin1));
1035
1036 // Now that package should be able to set and retrieve app restrictions.
1037 mContext.binder.callingUid = appRestrictionsManagerUid;
1038 assertTrue(dpm.isCallerApplicationRestrictionsManagingPackage());
1039 dpm.setApplicationRestrictions(null, "pkg1", rest);
1040 Bundle returned = dpm.getApplicationRestrictions(null, "pkg1");
1041 assertEquals(1, returned.size(), 1);
1042 assertEquals("Foo1", returned.get("KEY_STRING"));
1043
1044 // The same app running on a separate user shouldn't be able to manage app restrictions.
1045 mContext.binder.callingUid = UserHandle.getUid(
1046 UserHandle.USER_SYSTEM, appRestrictionsManagerAppId);
1047 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1048 try {
1049 dpm.setApplicationRestrictions(null, "pkg1", rest);
1050 fail("Didn't throw expected SecurityException");
1051 } catch (SecurityException expected) {
1052 MoreAsserts.assertContainsRegex(
1053 "caller cannot manage application restrictions", expected.getMessage());
1054 }
1055
1056 // The DPM is still able to manage app restrictions, even if it allowed another app to do it
1057 // too.
1058 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1059 assertEquals(returned, dpm.getApplicationRestrictions(admin1, "pkg1"));
1060 dpm.setApplicationRestrictions(admin1, "pkg1", null);
1061 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg1").size());
1062
1063 // Removing the ability for the package to manage app restrictions.
1064 dpm.setApplicationRestrictionsManagingPackage(admin1, null);
1065 assertNull(dpm.getApplicationRestrictionsManagingPackage(admin1));
1066 mContext.binder.callingUid = appRestrictionsManagerUid;
1067 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1068 try {
1069 dpm.setApplicationRestrictions(null, "pkg1", null);
1070 fail("Didn't throw expected SecurityException");
1071 } catch (SecurityException expected) {
1072 MoreAsserts.assertContainsRegex(
1073 "caller cannot manage application restrictions", expected.getMessage());
1074 }
1075 }
1076
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1077 public void testSetUserRestriction_asDo() throws Exception {
1078 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]1079 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1080 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1081 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1082
1083 // First, set DO.
1084
1085 // Call from a process on the system user.
1086 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1087
1088 // Make sure admin1 is installed on system user.
1089 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1090
1091 // Call.
1092 dpm.setActiveAdmin(admin1, /* replace =*/ false, UserHandle.USER_SYSTEM);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]1093 assertTrue(dpm.setDeviceOwner(admin1, "owner-name",
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1094 UserHandle.USER_SYSTEM));
1095
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1096 DpmTestUtils.assertRestrictions(
1097 DpmTestUtils.newRestrictions(),
1098 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1099 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1100 DpmTestUtils.assertRestrictions(
1101 DpmTestUtils.newRestrictions(),
1102 dpm.getUserRestrictions(admin1)
1103 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1104
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1105 reset(mContext.userManagerInternal);
1106
1107 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1108 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1109 eq(UserHandle.USER_SYSTEM),
1110 MockUtils.checkUserRestrictions(),
1111 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1112 );
1113 reset(mContext.userManagerInternal);
1114
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1115 dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1116 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1117 eq(UserHandle.USER_SYSTEM),
1118 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1119 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1120 );
1121 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1122
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1123 DpmTestUtils.assertRestrictions(
1124 DpmTestUtils.newRestrictions(
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1125 UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_OUTGOING_CALLS),
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1126 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1127 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1128 DpmTestUtils.assertRestrictions(
1129 DpmTestUtils.newRestrictions(
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1130 UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_OUTGOING_CALLS),
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1131 dpm.getUserRestrictions(admin1)
1132 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1133
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1134 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1135 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1136 eq(UserHandle.USER_SYSTEM),
1137 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1138 MockUtils.checkUserRestrictions()
1139 );
1140 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1141
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1142 DpmTestUtils.assertRestrictions(
1143 DpmTestUtils.newRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1144 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1145 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1146 DpmTestUtils.assertRestrictions(
1147 DpmTestUtils.newRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1148 dpm.getUserRestrictions(admin1)
1149 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1150
1151 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1152 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1153 eq(UserHandle.USER_SYSTEM),
1154 MockUtils.checkUserRestrictions(),
1155 MockUtils.checkUserRestrictions()
1156 );
1157 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1158
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1159 DpmTestUtils.assertRestrictions(
1160 DpmTestUtils.newRestrictions(),
1161 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1162 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1163 DpmTestUtils.assertRestrictions(
1164 DpmTestUtils.newRestrictions(),
1165 dpm.getUserRestrictions(admin1)
1166 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1167
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1168 // DISALLOW_ADJUST_VOLUME and DISALLOW_UNMUTE_MICROPHONE are PO restrictions, but when
1169 // DO sets them, the scope is global.
1170 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1171 reset(mContext.userManagerInternal);
1172 dpm.addUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1173 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1174 eq(UserHandle.USER_SYSTEM),
1175 MockUtils.checkUserRestrictions(),
1176 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
1177 UserManager.DISALLOW_UNMUTE_MICROPHONE)
1178 );
1179 reset(mContext.userManagerInternal);
1180
1181 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1182 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1183
1184
1185 // More tests.
1186 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1187 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1188 eq(UserHandle.USER_SYSTEM),
1189 MockUtils.checkUserRestrictions(),
1190 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1191 );
1192 reset(mContext.userManagerInternal);
1193
1194 dpm.addUserRestriction(admin1, UserManager.DISALLOW_FUN);
1195 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1196 eq(UserHandle.USER_SYSTEM),
1197 MockUtils.checkUserRestrictions(),
1198 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1199 UserManager.DISALLOW_ADD_USER)
1200 );
1201 reset(mContext.userManagerInternal);
1202
1203 dpm.setCameraDisabled(admin1, true);
1204 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1205 eq(UserHandle.USER_SYSTEM),
1206 // DISALLOW_CAMERA will be applied to both local and global.
1207 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA),
1208 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1209 UserManager.DISALLOW_CAMERA, UserManager.DISALLOW_ADD_USER)
1210 );
1211 reset(mContext.userManagerInternal);
1212
1213 // Set up another DA and let it disable camera. Now DISALLOW_CAMERA will only be applied
1214 // locally.
1215 dpm.setCameraDisabled(admin1, false);
1216 reset(mContext.userManagerInternal);
1217
1218 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID);
1219 dpm.setActiveAdmin(admin2, /* replace =*/ false, UserHandle.USER_SYSTEM);
1220 dpm.setCameraDisabled(admin2, true);
1221
1222 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1223 eq(UserHandle.USER_SYSTEM),
1224 // DISALLOW_CAMERA will be applied to both local and global.
1225 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA),
1226 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1227 UserManager.DISALLOW_ADD_USER)
1228 );
1229 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1230 // TODO Make sure restrictions are written to the file.
1231 }
1232
1233 public void testSetUserRestriction_asPo() {
1234 setAsProfileOwner(admin1);
1235
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1236 DpmTestUtils.assertRestrictions(
1237 DpmTestUtils.newRestrictions(),
1238 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1239 .ensureUserRestrictions()
1240 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1241
1242 dpm.addUserRestriction(admin1, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1243 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1244 eq(DpmMockContext.CALLER_USER_HANDLE),
1245 MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES),
1246 isNull(Bundle.class)
1247 );
1248 reset(mContext.userManagerInternal);
1249
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1250 dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1251 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1252 eq(DpmMockContext.CALLER_USER_HANDLE),
1253 MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1254 UserManager.DISALLOW_OUTGOING_CALLS),
1255 isNull(Bundle.class)
1256 );
1257 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1258
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1259 DpmTestUtils.assertRestrictions(
1260 DpmTestUtils.newRestrictions(
1261 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1262 UserManager.DISALLOW_OUTGOING_CALLS
1263 ),
1264 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1265 .ensureUserRestrictions()
1266 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1267 DpmTestUtils.assertRestrictions(
1268 DpmTestUtils.newRestrictions(
1269 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1270 UserManager.DISALLOW_OUTGOING_CALLS
1271 ),
1272 dpm.getUserRestrictions(admin1)
1273 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1274
1275 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1276 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1277 eq(DpmMockContext.CALLER_USER_HANDLE),
1278 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1279 isNull(Bundle.class)
1280 );
1281 reset(mContext.userManagerInternal);
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1282
1283 DpmTestUtils.assertRestrictions(
1284 DpmTestUtils.newRestrictions(
1285 UserManager.DISALLOW_OUTGOING_CALLS
1286 ),
1287 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1288 .ensureUserRestrictions()
1289 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1290 DpmTestUtils.assertRestrictions(
1291 DpmTestUtils.newRestrictions(
1292 UserManager.DISALLOW_OUTGOING_CALLS
1293 ),
1294 dpm.getUserRestrictions(admin1)
1295 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1296
1297 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1298 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1299 eq(DpmMockContext.CALLER_USER_HANDLE),
1300 MockUtils.checkUserRestrictions(),
1301 isNull(Bundle.class)
1302 );
1303 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1304
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1305 DpmTestUtils.assertRestrictions(
1306 DpmTestUtils.newRestrictions(),
1307 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1308 .ensureUserRestrictions()
1309 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1310 DpmTestUtils.assertRestrictions(
1311 DpmTestUtils.newRestrictions(),
1312 dpm.getUserRestrictions(admin1)
1313 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1314
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1315 // DISALLOW_ADJUST_VOLUME and DISALLOW_UNMUTE_MICROPHONE can be set by PO too, even
1316 // though when DO sets them they'll be applied globally.
1317 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1318 reset(mContext.userManagerInternal);
1319 dpm.addUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1320 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1321 eq(DpmMockContext.CALLER_USER_HANDLE),
1322 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
1323 UserManager.DISALLOW_UNMUTE_MICROPHONE),
1324 isNull(Bundle.class)
1325 );
1326 reset(mContext.userManagerInternal);
1327
1328 dpm.setCameraDisabled(admin1, true);
1329 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1330 eq(DpmMockContext.CALLER_USER_HANDLE),
1331 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA,
1332 UserManager.DISALLOW_ADJUST_VOLUME,
1333 UserManager.DISALLOW_UNMUTE_MICROPHONE),
1334 isNull(Bundle.class)
1335 );
1336 reset(mContext.userManagerInternal);
1337
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1338 // TODO Make sure restrictions are written to the file.
1339 }
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]1340
1341 public void testGetMacAddress() throws Exception {
1342 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1343 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1344 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1345
1346 // In this test, change the caller user to "system".
1347 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1348
1349 // Make sure admin1 is installed on system user.
1350 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1351
1352 // Test 1. Caller doesn't have DO or DA.
1353 try {
1354 dpm.getWifiMacAddress();
1355 fail();
1356 } catch (SecurityException e) {
1357 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1358 }
1359
1360 // DO needs to be an DA.
1361 dpm.setActiveAdmin(admin1, /* replace =*/ false);
1362 assertTrue(dpm.isAdminActive(admin1));
1363
1364 // Test 2. Caller has DA, but not DO.
1365 try {
1366 dpm.getWifiMacAddress();
1367 fail();
1368 } catch (SecurityException e) {
1369 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1370 }
1371
1372 // Test 3. Caller has PO, but not DO.
1373 assertTrue(dpm.setProfileOwner(admin1, null, UserHandle.USER_SYSTEM));
1374 try {
1375 dpm.getWifiMacAddress();
1376 fail();
1377 } catch (SecurityException e) {
1378 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1379 }
1380
1381 // Remove PO.
1382 dpm.clearProfileOwner(admin1);
1383
1384 // Test 4, Caller is DO now.
1385 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1386
1387 // 4-1. But no WifiInfo.
1388 assertNull(dpm.getWifiMacAddress());
1389
1390 // 4-2. Returns WifiInfo, but with the default MAC.
1391 when(mContext.wifiManager.getConnectionInfo()).thenReturn(new WifiInfo());
1392 assertNull(dpm.getWifiMacAddress());
1393
1394 // 4-3. With a real MAC address.
1395 final WifiInfo wi = new WifiInfo();
1396 wi.setMacAddress("11:22:33:44:55:66");
1397 when(mContext.wifiManager.getConnectionInfo()).thenReturn(wi);
1398 assertEquals("11:22:33:44:55:66", dpm.getWifiMacAddress());
1399 }
Mahaver Chopraf8373b52015-12-23 14:42:18 +0000[diff] [blame]1400
1401 public void testRebootCanOnlyBeCalledByDeviceOwner() throws Exception {
1402 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1403 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1404
1405 // In this test, change the caller user to "system".
1406 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1407
1408 // Make sure admin1 is installed on system user.
1409 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1410
1411 // Set admin1 as DA.
1412 dpm.setActiveAdmin(admin1, false);
1413 assertTrue(dpm.isAdminActive(admin1));
1414 try {
1415 dpm.reboot(admin1);
1416 fail("DA calls DPM.reboot(), did not throw expected SecurityException");
1417 } catch (SecurityException expected) {
1418 MoreAsserts.assertContainsRegex("does not own the device", expected.getMessage());
1419 }
1420
1421 // Set admin1 as PO.
1422 assertTrue(dpm.setProfileOwner(admin1, null, UserHandle.USER_SYSTEM));
1423 try {
1424 dpm.reboot(admin1);
1425 fail("PO calls DPM.reboot(), did not throw expected SecurityException");
1426 } catch (SecurityException expected) {
1427 MoreAsserts.assertContainsRegex("does not own the device", expected.getMessage());
1428 }
1429
1430 // Remove PO and add DO.
1431 dpm.clearProfileOwner(admin1);
1432 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1433
1434 dpm.reboot(admin1);
1435 }
Kenny Guy06de4e72015-12-22 12:07:39 +0000[diff] [blame]1436
1437 public void testSetGetSupportText() {
1438 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1439 dpm.setActiveAdmin(admin1, true);
1440 dpm.setActiveAdmin(admin2, true);
1441 mContext.callerPermissions.remove(permission.MANAGE_DEVICE_ADMINS);
1442
1443 // Null default support messages.
1444 {
1445 assertNull(dpm.getLongSupportMessage(admin1));
1446 assertNull(dpm.getShortSupportMessage(admin1));
1447 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1448 assertNull(dpm.getShortSupportMessageForUser(admin1,
1449 DpmMockContext.CALLER_USER_HANDLE));
1450 assertNull(dpm.getLongSupportMessageForUser(admin1,
1451 DpmMockContext.CALLER_USER_HANDLE));
1452 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1453 }
1454
1455 // Only system can call the per user versions.
1456 {
1457 try {
1458 dpm.getShortSupportMessageForUser(admin1,
1459 DpmMockContext.CALLER_USER_HANDLE);
1460 fail("Only system should be able to call getXXXForUser versions");
1461 } catch (SecurityException expected) {
1462 MoreAsserts.assertContainsRegex("message for user", expected.getMessage());
1463 }
1464 try {
1465 dpm.getLongSupportMessageForUser(admin1,
1466 DpmMockContext.CALLER_USER_HANDLE);
1467 fail("Only system should be able to call getXXXForUser versions");
1468 } catch (SecurityException expected) {
1469 MoreAsserts.assertContainsRegex("message for user", expected.getMessage());
1470 }
1471 }
1472
1473 // Can't set message for admin in another uid.
1474 {
1475 mContext.binder.callingUid = DpmMockContext.CALLER_UID + 1;
1476 try {
1477 dpm.setShortSupportMessage(admin1, "Some text");
1478 fail("Admins should only be able to change their own support text.");
1479 } catch (SecurityException expected) {
1480 MoreAsserts.assertContainsRegex("is not owned by uid", expected.getMessage());
1481 }
1482 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1483 }
1484
1485 // Set/Get short returns what it sets and other admins text isn't changed.
1486 {
1487 final String supportText = "Some text to test with.";
1488 dpm.setShortSupportMessage(admin1, supportText);
1489 assertEquals(supportText, dpm.getShortSupportMessage(admin1));
1490 assertNull(dpm.getLongSupportMessage(admin1));
1491 assertNull(dpm.getShortSupportMessage(admin2));
1492
1493 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1494 assertEquals(supportText, dpm.getShortSupportMessageForUser(admin1,
1495 DpmMockContext.CALLER_USER_HANDLE));
1496 assertNull(dpm.getShortSupportMessageForUser(admin2,
1497 DpmMockContext.CALLER_USER_HANDLE));
1498 assertNull(dpm.getLongSupportMessageForUser(admin1,
1499 DpmMockContext.CALLER_USER_HANDLE));
1500 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1501
1502 dpm.setShortSupportMessage(admin1, null);
1503 assertNull(dpm.getShortSupportMessage(admin1));
1504 }
1505
1506 // Set/Get long returns what it sets and other admins text isn't changed.
1507 {
1508 final String supportText = "Some text to test with.\nWith more text.";
1509 dpm.setLongSupportMessage(admin1, supportText);
1510 assertEquals(supportText, dpm.getLongSupportMessage(admin1));
1511 assertNull(dpm.getShortSupportMessage(admin1));
1512 assertNull(dpm.getLongSupportMessage(admin2));
1513
1514 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1515 assertEquals(supportText, dpm.getLongSupportMessageForUser(admin1,
1516 DpmMockContext.CALLER_USER_HANDLE));
1517 assertNull(dpm.getLongSupportMessageForUser(admin2,
1518 DpmMockContext.CALLER_USER_HANDLE));
1519 assertNull(dpm.getShortSupportMessageForUser(admin1,
1520 DpmMockContext.CALLER_USER_HANDLE));
1521 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1522
1523 dpm.setLongSupportMessage(admin1, null);
1524 assertNull(dpm.getLongSupportMessage(admin1));
1525 }
1526 }
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]1527
1528 /**
1529 * Test for:
1530 * {@link DevicePolicyManager#setAffiliationIds}
1531 * {@link DevicePolicyManager#isAffiliatedUser}
1532 */
1533 public void testUserAffiliation() throws Exception {
1534 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1535 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1536 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1537
1538 // Check that the system user is unaffiliated.
1539 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1540 assertFalse(dpm.isAffiliatedUser());
1541
1542 // Set a device owner on the system user. Check that the system user becomes affiliated.
1543 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1544 dpm.setActiveAdmin(admin1, /* replace =*/ false);
1545 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
1546 assertTrue(dpm.isAffiliatedUser());
1547
1548 // Install a profile owner whose package name matches the device owner on a test user. Check
1549 // that the test user is unaffiliated.
1550 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1551 setAsProfileOwner(admin2);
1552 assertFalse(dpm.isAffiliatedUser());
1553
1554 // Have the profile owner specify a set of affiliation ids. Check that the test user remains
1555 // unaffiliated.
1556 final Set<String> userAffiliationIds = new ArraySet<>();
1557 userAffiliationIds.add("red");
1558 userAffiliationIds.add("green");
1559 userAffiliationIds.add("blue");
1560 dpm.setAffiliationIds(admin2, userAffiliationIds);
1561 assertFalse(dpm.isAffiliatedUser());
1562
1563 // Have the device owner specify a set of affiliation ids that do not intersect with those
1564 // specified by the profile owner. Check that the test user remains unaffiliated.
1565 final Set<String> deviceAffiliationIds = new ArraySet<>();
1566 deviceAffiliationIds.add("cyan");
1567 deviceAffiliationIds.add("yellow");
1568 deviceAffiliationIds.add("magenta");
1569 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1570 dpm.setAffiliationIds(admin1, deviceAffiliationIds);
1571 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1572 assertFalse(dpm.isAffiliatedUser());
1573
1574 // Have the profile owner specify a set of affiliation ids that intersect with those
1575 // specified by the device owner. Check that the test user becomes affiliated.
1576 userAffiliationIds.add("yellow");
1577 dpm.setAffiliationIds(admin2, userAffiliationIds);
1578 assertTrue(dpm.isAffiliatedUser());
1579
1580 // Change the profile owner to one whose package name does not match the device owner. Check
1581 // that the test user is not affiliated anymore.
1582 dpm.clearProfileOwner(admin2);
1583 final ComponentName admin = new ComponentName("test", "test");
1584 markPackageAsInstalled(admin.getPackageName(), null, DpmMockContext.CALLER_USER_HANDLE);
1585 assertTrue(dpm.setProfileOwner(admin, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
1586 assertFalse(dpm.isAffiliatedUser());
1587
1588 // Check that the system user remains affiliated.
1589 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1590 assertTrue(dpm.isAffiliatedUser());
1591 }
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]1592
1593 public void testGetUserProvisioningState_defaultResult() {
1594 assertEquals(DevicePolicyManager.STATE_USER_UNMANAGED, dpm.getUserProvisioningState());
1595 }
1596
1597 public void testSetUserProvisioningState_permission() throws Exception {
1598 setupProfileOwner();
1599 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1600
1601 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1602 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1603 }
1604
1605 public void testSetUserProvisioningState_unprivileged() throws Exception {
1606 setupProfileOwner();
1607 try {
1608 dpm.setUserProvisioningState(DevicePolicyManager.STATE_USER_SETUP_FINALIZED,
1609 DpmMockContext.CALLER_USER_HANDLE);
1610 fail("Expected SecurityException");
1611 } catch (SecurityException expected) {
1612 }
1613 }
1614
1615 public void testSetUserProvisioningState_noManagement() {
1616 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1617 try {
1618 dpm.setUserProvisioningState(DevicePolicyManager.STATE_USER_SETUP_FINALIZED,
1619 DpmMockContext.CALLER_USER_HANDLE);
1620 fail("IllegalStateException expected");
1621 } catch (IllegalStateException e) {
1622 MoreAsserts.assertContainsRegex("change provisioning state unless a .* owner is set",
1623 e.getMessage());
1624 }
1625 assertEquals(DevicePolicyManager.STATE_USER_UNMANAGED, dpm.getUserProvisioningState());
1626 }
1627
1628 public void testSetUserProvisioningState_deviceOwnerFromSetupWizard() throws Exception {
1629 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1630 setupDeviceOwner();
1631 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1632
1633 exerciseUserProvisioningTransitions(UserHandle.USER_SYSTEM,
1634 DevicePolicyManager.STATE_USER_SETUP_COMPLETE,
1635 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1636 }
1637
1638 public void testSetUserProvisioningState_deviceOwnerFromSetupWizardAlternative()
1639 throws Exception {
1640 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1641 setupDeviceOwner();
1642 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1643
1644 exerciseUserProvisioningTransitions(UserHandle.USER_SYSTEM,
1645 DevicePolicyManager.STATE_USER_SETUP_INCOMPLETE,
1646 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1647 }
1648
1649 public void testSetUserProvisioningState_deviceOwnerWithoutSetupWizard() throws Exception {
1650 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1651 setupDeviceOwner();
1652 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1653
1654 exerciseUserProvisioningTransitions(UserHandle.USER_SYSTEM,
1655 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1656 }
1657
1658 public void testSetUserProvisioningState_managedProfileFromSetupWizard_primaryUser()
1659 throws Exception {
1660 setupProfileOwner();
1661 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1662
1663 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1664 DevicePolicyManager.STATE_USER_PROFILE_COMPLETE,
1665 DevicePolicyManager.STATE_USER_UNMANAGED);
1666 }
1667
1668 public void testSetUserProvisioningState_managedProfileFromSetupWizard_managedProfile()
1669 throws Exception {
1670 setupProfileOwner();
1671 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1672
1673 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1674 DevicePolicyManager.STATE_USER_SETUP_COMPLETE,
1675 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1676 }
1677
1678 public void testSetUserProvisioningState_managedProfileWithoutSetupWizard() throws Exception {
1679 setupProfileOwner();
1680 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1681
1682 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1683 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1684 }
1685
1686 public void testSetUserProvisioningState_illegalTransitionOutOfFinalized1() throws Exception {
1687 setupProfileOwner();
1688 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1689
1690 try {
1691 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1692 DevicePolicyManager.STATE_USER_SETUP_FINALIZED,
1693 DevicePolicyManager.STATE_USER_UNMANAGED);
1694 fail("Expected IllegalStateException");
1695 } catch (IllegalStateException e) {
1696 MoreAsserts.assertContainsRegex("Cannot move to user provisioning state",
1697 e.getMessage());
1698 }
1699 }
1700
1701 public void testSetUserProvisioningState_illegalTransitionToAnotherInProgressState()
1702 throws Exception {
1703 setupProfileOwner();
1704 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1705
1706 try {
1707 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1708 DevicePolicyManager.STATE_USER_SETUP_INCOMPLETE,
1709 DevicePolicyManager.STATE_USER_SETUP_COMPLETE);
1710 fail("Expected IllegalStateException");
1711 } catch (IllegalStateException e) {
1712 MoreAsserts.assertContainsRegex("Cannot move to user provisioning state",
1713 e.getMessage());
1714 }
1715 }
1716
1717 private void exerciseUserProvisioningTransitions(int userId, int... states) {
1718 assertEquals(DevicePolicyManager.STATE_USER_UNMANAGED, dpm.getUserProvisioningState());
1719 for (int state : states) {
1720 dpm.setUserProvisioningState(state, userId);
1721 assertEquals(state, dpm.getUserProvisioningState());
1722 }
1723 }
1724
1725 private void setupProfileOwner() throws Exception {
1726 mContext.callerPermissions.addAll(OWNER_SETUP_PERMISSIONS);
1727
1728 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
1729 dpm.setActiveAdmin(admin1, false);
1730 assertTrue(dpm.setProfileOwner(admin1, null, DpmMockContext.CALLER_USER_HANDLE));
1731
1732 mContext.callerPermissions.removeAll(OWNER_SETUP_PERMISSIONS);
1733 }
1734
1735 private void setupDeviceOwner() throws Exception {
1736 mContext.callerPermissions.addAll(OWNER_SETUP_PERMISSIONS);
1737
1738 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1739 dpm.setActiveAdmin(admin1, false);
1740 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1741
1742 mContext.callerPermissions.removeAll(OWNER_SETUP_PERMISSIONS);
1743 }
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]1744}