Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2017 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License |
| 15 | */ |
| 16 | |
Andrew Scull | 507d11c | 2017-05-03 17:19:01 +0100 | [diff] [blame] | 17 | package com.android.server.locksettings; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 18 | |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 19 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_ALPHABETIC; |
| 20 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING; |
| 21 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED; |
| 22 | |
| 23 | import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 24 | import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_ENABLED_KEY; |
| 25 | import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY; |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 26 | |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 27 | import static org.mockito.Mockito.any; |
| 28 | import static org.mockito.Mockito.atLeastOnce; |
| 29 | import static org.mockito.Mockito.never; |
| 30 | import static org.mockito.Mockito.reset; |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 31 | import static org.mockito.Mockito.verify; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 32 | |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 33 | import android.app.admin.PasswordMetrics; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 34 | import android.os.RemoteException; |
| 35 | import android.os.UserHandle; |
| 36 | |
| 37 | import com.android.internal.widget.LockPatternUtils; |
| 38 | import com.android.internal.widget.VerifyCredentialResponse; |
Andrew Scull | 507d11c | 2017-05-03 17:19:01 +0100 | [diff] [blame] | 39 | import com.android.server.locksettings.SyntheticPasswordManager.AuthenticationResult; |
| 40 | import com.android.server.locksettings.SyntheticPasswordManager.AuthenticationToken; |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 41 | import com.android.server.locksettings.SyntheticPasswordManager.PasswordData; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 42 | |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 43 | import org.mockito.ArgumentCaptor; |
| 44 | |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 45 | import java.util.ArrayList; |
| 46 | |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 47 | |
| 48 | /** |
Andrew Scull | 507d11c | 2017-05-03 17:19:01 +0100 | [diff] [blame] | 49 | * runtest frameworks-services -c com.android.server.locksettings.SyntheticPasswordTests |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 50 | */ |
| 51 | public class SyntheticPasswordTests extends BaseLockSettingsServiceTests { |
| 52 | |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 53 | public static final byte[] PAYLOAD = new byte[] {1, 2, -1, -2, 55}; |
| 54 | public static final byte[] PAYLOAD2 = new byte[] {2, 3, -2, -3, 44, 1}; |
| 55 | |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 56 | @Override |
| 57 | protected void setUp() throws Exception { |
| 58 | super.setUp(); |
| 59 | } |
| 60 | |
| 61 | @Override |
| 62 | protected void tearDown() throws Exception { |
| 63 | super.tearDown(); |
| 64 | } |
| 65 | |
| 66 | public void testPasswordBasedSyntheticPassword() throws RemoteException { |
| 67 | final int USER_ID = 10; |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 68 | final byte[] password = "user-password".getBytes(); |
| 69 | final byte[] badPassword = "bad-password".getBytes(); |
Adrian Roos | 2adc263 | 2017-09-05 17:01:42 +0200 | [diff] [blame] | 70 | MockSyntheticPasswordManager manager = new MockSyntheticPasswordManager(mContext, mStorage, |
David Anderson | 28dea68 | 2019-02-20 13:37:51 -0800 | [diff] [blame] | 71 | mGateKeeperService, mUserManager, mPasswordSlotManager); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 72 | AuthenticationToken authToken = manager.newSyntheticPasswordAndSid(mGateKeeperService, null, |
| 73 | null, USER_ID); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 74 | long handle = manager.createPasswordBasedSyntheticPassword(mGateKeeperService, |
| 75 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, authToken, |
| 76 | PASSWORD_QUALITY_ALPHABETIC, USER_ID); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 77 | |
Rubin Xu | cf326f1 | 2017-11-15 11:55:35 +0000 | [diff] [blame] | 78 | AuthenticationResult result = manager.unwrapPasswordBasedSyntheticPassword( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 79 | mGateKeeperService, handle, password, USER_ID, null); |
| 80 | assertArrayEquals(result.authToken.deriveKeyStorePassword(), |
| 81 | authToken.deriveKeyStorePassword()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 82 | |
Rubin Xu | cf326f1 | 2017-11-15 11:55:35 +0000 | [diff] [blame] | 83 | result = manager.unwrapPasswordBasedSyntheticPassword(mGateKeeperService, handle, |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 84 | badPassword, USER_ID, null); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 85 | assertNull(result.authToken); |
| 86 | } |
| 87 | |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 88 | private void disableSyntheticPassword() throws RemoteException { |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 89 | mService.setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 0, UserHandle.USER_SYSTEM); |
| 90 | } |
| 91 | |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 92 | private void enableSyntheticPassword() throws RemoteException { |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 93 | mService.setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 1, UserHandle.USER_SYSTEM); |
| 94 | } |
| 95 | |
| 96 | private boolean hasSyntheticPassword(int userId) throws RemoteException { |
| 97 | return mService.getLong(SYNTHETIC_PASSWORD_HANDLE_KEY, 0, userId) != 0; |
| 98 | } |
| 99 | |
| 100 | public void testPasswordMigration() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 101 | final byte[] password = "testPasswordMigration-password".getBytes(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 102 | |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 103 | disableSyntheticPassword(); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 104 | mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 105 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 106 | long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
| 107 | final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 108 | enableSyntheticPassword(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 109 | // Performs migration |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 110 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 111 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 112 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 113 | assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 114 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 115 | |
| 116 | // SP-based verification |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 117 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(password, |
| 118 | LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 119 | .getResponseCode()); |
| 120 | assertArrayNotEquals(primaryStorageKey, |
| 121 | mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 122 | } |
| 123 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 124 | protected void initializeCredentialUnderSP(byte[] password, int userId) throws RemoteException { |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 125 | enableSyntheticPassword(); |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 126 | int quality = password != null ? PASSWORD_QUALITY_ALPHABETIC |
| 127 | : PASSWORD_QUALITY_UNSPECIFIED; |
| 128 | int type = password != null ? LockPatternUtils.CREDENTIAL_TYPE_PASSWORD |
| 129 | : LockPatternUtils.CREDENTIAL_TYPE_NONE; |
| 130 | mService.setLockCredential(password, type, null, quality, userId); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 131 | } |
| 132 | |
| 133 | public void testSyntheticPasswordChangeCredential() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 134 | final byte[] password = "testSyntheticPasswordChangeCredential-password".getBytes(); |
| 135 | final byte[] newPassword = "testSyntheticPasswordChangeCredential-newpassword".getBytes(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 136 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 137 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 138 | long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 139 | mService.setLockCredential(newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, password, |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 140 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 141 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 142 | newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 143 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 144 | assertEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 145 | } |
| 146 | |
| 147 | public void testSyntheticPasswordVerifyCredential() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 148 | final byte[] password = "testSyntheticPasswordVerifyCredential-password".getBytes(); |
| 149 | final byte[] badPassword = "testSyntheticPasswordVerifyCredential-badpassword".getBytes(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 150 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 151 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 152 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 153 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 154 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 155 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 156 | assertEquals(VerifyCredentialResponse.RESPONSE_ERROR, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 157 | badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 158 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 159 | } |
| 160 | |
| 161 | public void testSyntheticPasswordClearCredential() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 162 | final byte[] password = "testSyntheticPasswordClearCredential-password".getBytes(); |
| 163 | final byte[] badPassword = "testSyntheticPasswordClearCredential-newpassword".getBytes(); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 164 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 165 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 166 | long sid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
| 167 | // clear password |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 168 | mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, password, |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 169 | PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 170 | assertEquals(0 ,mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 171 | |
| 172 | // set a new password |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 173 | mService.setLockCredential(badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 174 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 175 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 176 | badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 177 | .getResponseCode()); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 178 | assertNotEquals(sid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 179 | } |
| 180 | |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 181 | public void testSyntheticPasswordChangeCredentialKeepsAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 182 | final byte[] password = |
| 183 | "testSyntheticPasswordChangeCredentialKeepsAuthSecret-password".getBytes(); |
| 184 | final byte[] badPassword = |
| 185 | "testSyntheticPasswordChangeCredentialKeepsAuthSecret-new".getBytes(); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 186 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 187 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
| 188 | mService.setLockCredential(badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, password, |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 189 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
| 190 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 191 | badPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 192 | .getResponseCode()); |
| 193 | |
| 194 | // Check the same secret was passed each time |
| 195 | ArgumentCaptor<ArrayList<Byte>> secret = ArgumentCaptor.forClass(ArrayList.class); |
| 196 | verify(mAuthSecretService, atLeastOnce()).primaryUserCredential(secret.capture()); |
| 197 | assertEquals(1, secret.getAllValues().stream().distinct().count()); |
| 198 | } |
| 199 | |
| 200 | public void testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 201 | final byte[] password = |
| 202 | "testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret-password".getBytes(); |
| 203 | final byte[] newPassword = |
| 204 | "testSyntheticPasswordVerifyPassesPrimaryUserAuthSecret-new".getBytes(); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 205 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 206 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 207 | reset(mAuthSecretService); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 208 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential(password, |
| 209 | LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 210 | .getResponseCode()); |
| 211 | verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class)); |
| 212 | } |
| 213 | |
| 214 | public void testSecondaryUserDoesNotPassAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 215 | final byte[] password = "testSecondaryUserDoesNotPassAuthSecret-password".getBytes(); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 216 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 217 | initializeCredentialUnderSP(password, SECONDARY_USER_ID); |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 218 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 219 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, SECONDARY_USER_ID) |
Andrew Scull | e6527c1 | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 220 | .getResponseCode()); |
| 221 | verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class)); |
| 222 | } |
| 223 | |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 224 | public void testNoSyntheticPasswordOrCredentialDoesNotPassAuthSecret() throws RemoteException { |
| 225 | // Setting null doesn't create a synthetic password |
| 226 | initializeCredentialUnderSP(null, PRIMARY_USER_ID); |
| 227 | |
| 228 | reset(mAuthSecretService); |
| 229 | mService.onUnlockUser(PRIMARY_USER_ID); |
| 230 | mService.mHandler.runWithScissors(() -> {}, 0 /*now*/); // Flush runnables on handler |
| 231 | verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class)); |
| 232 | } |
| 233 | |
| 234 | public void testSyntheticPasswordAndCredentialDoesNotPassAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 235 | final byte[] password = "passwordForASyntheticPassword".getBytes(); |
| 236 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 237 | |
| 238 | reset(mAuthSecretService); |
| 239 | mService.onUnlockUser(PRIMARY_USER_ID); |
| 240 | mService.mHandler.runWithScissors(() -> {}, 0 /*now*/); // Flush runnables on handler |
| 241 | verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class)); |
| 242 | } |
| 243 | |
| 244 | public void testSyntheticPasswordButNoCredentialPassesAuthSecret() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 245 | final byte[] password = "getASyntheticPassword".getBytes(); |
| 246 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
| 247 | mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, password, |
Andrew Scull | f49794b | 2018-04-13 12:01:25 +0100 | [diff] [blame] | 248 | PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID); |
| 249 | |
| 250 | reset(mAuthSecretService); |
| 251 | mService.onUnlockUser(PRIMARY_USER_ID); |
| 252 | mService.mHandler.runWithScissors(() -> {}, 0 /*now*/); // Flush runnables on handler |
| 253 | verify(mAuthSecretService).primaryUserCredential(any(ArrayList.class)); |
| 254 | } |
| 255 | |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 256 | public void testManagedProfileUnifiedChallengeMigration() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 257 | final byte[] UnifiedPassword = "testManagedProfileUnifiedChallengeMigration-pwd".getBytes(); |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 258 | disableSyntheticPassword(); |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 259 | mService.setLockCredential(UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
| 260 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 261 | mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null); |
| 262 | final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
| 263 | final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID); |
| 264 | final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 265 | final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID); |
| 266 | assertTrue(primarySid != 0); |
| 267 | assertTrue(profileSid != 0); |
| 268 | assertTrue(profileSid != primarySid); |
| 269 | |
| 270 | // do migration |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 271 | enableSyntheticPassword(); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 272 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 273 | UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 274 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 275 | |
| 276 | // verify |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 277 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 278 | UnifiedPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 279 | .getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 280 | assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 281 | assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID)); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 282 | assertArrayNotEquals(primaryStorageKey, |
| 283 | mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 284 | assertArrayNotEquals(profileStorageKey, |
| 285 | mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID)); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 286 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 287 | assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID)); |
| 288 | } |
| 289 | |
| 290 | public void testManagedProfileSeparateChallengeMigration() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 291 | final byte[] primaryPassword = |
| 292 | "testManagedProfileSeparateChallengeMigration-primary".getBytes(); |
| 293 | final byte[] profilePassword = |
| 294 | "testManagedProfileSeparateChallengeMigration-profile".getBytes(); |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 295 | disableSyntheticPassword(); |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 296 | mService.setLockCredential(primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
| 297 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
| 298 | mService.setLockCredential(profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
| 299 | PASSWORD_QUALITY_ALPHABETIC, MANAGED_PROFILE_USER_ID); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 300 | final long primarySid = mGateKeeperService.getSecureUserId(PRIMARY_USER_ID); |
| 301 | final long profileSid = mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID); |
| 302 | final byte[] primaryStorageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 303 | final byte[] profileStorageKey = mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID); |
| 304 | assertTrue(primarySid != 0); |
| 305 | assertTrue(profileSid != 0); |
| 306 | assertTrue(profileSid != primarySid); |
| 307 | |
| 308 | // do migration |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 309 | enableSyntheticPassword(); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 310 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 311 | primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 312 | .getResponseCode()); |
| 313 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 314 | profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, |
| 315 | 0, MANAGED_PROFILE_USER_ID).getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 316 | |
| 317 | // verify |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 318 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 319 | primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 320 | .getResponseCode()); |
| 321 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 322 | profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, |
| 323 | 0, MANAGED_PROFILE_USER_ID).getResponseCode()); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 324 | assertEquals(primarySid, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 325 | assertEquals(profileSid, mGateKeeperService.getSecureUserId(MANAGED_PROFILE_USER_ID)); |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 326 | assertArrayNotEquals(primaryStorageKey, |
| 327 | mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 328 | assertArrayNotEquals(profileStorageKey, |
| 329 | mStorageManager.getUserUnlockToken(MANAGED_PROFILE_USER_ID)); |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 330 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 331 | assertTrue(hasSyntheticPassword(MANAGED_PROFILE_USER_ID)); |
| 332 | } |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 333 | |
| 334 | public void testTokenBasedResetPassword() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 335 | final byte[] password = "password".getBytes(); |
| 336 | final byte[] pattern = "123654".getBytes(); |
| 337 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
| 338 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 339 | final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 340 | |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 341 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 342 | assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 343 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 344 | mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 345 | PRIMARY_USER_ID).getResponseCode(); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 346 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 347 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 348 | mLocalService.setLockCredentialWithToken(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, |
| 349 | handle, token, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 350 | |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 351 | // Verify DPM gets notified about new device lock |
| 352 | mService.mHandler.runWithScissors(() -> {}, 0 /*now*/); // Flush runnables on handler |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 353 | PasswordMetrics metric = PasswordMetrics.computeForPassword(pattern); |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 354 | metric.quality = PASSWORD_QUALITY_SOMETHING; |
| 355 | verify(mDevicePolicyManager).setActivePasswordState(metric, PRIMARY_USER_ID); |
| 356 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 357 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 358 | pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 359 | .getResponseCode()); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 360 | assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 361 | } |
| 362 | |
| 363 | public void testTokenBasedClearPassword() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 364 | final byte[] password = "password".getBytes(); |
| 365 | final byte[] pattern = "123654".getBytes(); |
| 366 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
| 367 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 368 | final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 369 | |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 370 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 371 | assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 372 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 373 | mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 374 | 0, PRIMARY_USER_ID).getResponseCode(); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 375 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 376 | |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 377 | mLocalService.setLockCredentialWithToken(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 378 | handle, token, PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID); |
| 379 | mLocalService.setLockCredentialWithToken(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, |
| 380 | handle, token, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 381 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 382 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 383 | pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 384 | .getResponseCode()); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 385 | assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 386 | } |
| 387 | |
| 388 | public void testTokenBasedResetPasswordAfterCredentialChanges() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 389 | final byte[] password = "password".getBytes(); |
| 390 | final byte[] pattern = "123654".getBytes(); |
| 391 | final byte[] newPassword = "password".getBytes(); |
| 392 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
| 393 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 394 | final byte[] storageKey = mStorageManager.getUserUnlockToken(PRIMARY_USER_ID); |
| 395 | |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 396 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 397 | assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 398 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 399 | mService.verifyCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 400 | 0, PRIMARY_USER_ID).getResponseCode(); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 401 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 402 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 403 | mService.setLockCredential(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, password, |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 404 | PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 405 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 406 | mLocalService.setLockCredentialWithToken(newPassword, |
| 407 | LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, handle, token, |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 408 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 409 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 410 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 411 | newPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 412 | .getResponseCode()); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 413 | assertArrayEquals(storageKey, mStorageManager.getUserUnlockToken(PRIMARY_USER_ID)); |
| 414 | } |
| 415 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 416 | public void testEscrowTokenActivatedImmediatelyIfNoUserPasswordNeedsMigration() |
| 417 | throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 418 | final String token = "some-high-entropy-secure-token"; |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 419 | enableSyntheticPassword(); |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 420 | long handle = mLocalService.addEscrowToken(token.getBytes(), PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 421 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 422 | assertEquals(0, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 423 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 424 | } |
| 425 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 426 | public void testEscrowTokenActivatedImmediatelyIfNoUserPasswordNoMigration() |
| 427 | throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 428 | final String token = "some-high-entropy-secure-token"; |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 429 | initializeCredentialUnderSP(null, PRIMARY_USER_ID); |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 430 | long handle = mLocalService.addEscrowToken(token.getBytes(), PRIMARY_USER_ID, null); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 431 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 432 | assertEquals(0, mGateKeeperService.getSecureUserId(PRIMARY_USER_ID)); |
| 433 | assertTrue(hasSyntheticPassword(PRIMARY_USER_ID)); |
| 434 | } |
| 435 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 436 | public void testEscrowTokenActivatedLaterWithUserPasswordNeedsMigration() |
| 437 | throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 438 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
| 439 | final byte[] password = "password".getBytes(); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 440 | // Set up pre-SP user password |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 441 | disableSyntheticPassword(); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 442 | mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 443 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
Rubin Xu | 16c823e | 2017-06-27 14:44:58 +0100 | [diff] [blame] | 444 | enableSyntheticPassword(); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 445 | |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 446 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 447 | // Token not activated immediately since user password exists |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 448 | assertFalse(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 449 | // Activate token (password gets migrated to SP at the same time) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 450 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 451 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 452 | .getResponseCode()); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 453 | // Verify token is activated |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 454 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
Rubin Xu | 128180b | 2017-04-12 18:02:44 +0100 | [diff] [blame] | 455 | } |
| 456 | |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 457 | public void testSetLockCredentialWithTokenFailsWithoutLockScreen() throws Exception { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 458 | final byte[] password = "password".getBytes(); |
| 459 | final byte[] pattern = "123654".getBytes(); |
| 460 | final byte[] token = "some-high-entropy-secure-token".getBytes(); |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 461 | |
| 462 | mHasSecureLockScreen = false; |
| 463 | enableSyntheticPassword(); |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 464 | long handle = mLocalService.addEscrowToken(token, PRIMARY_USER_ID, null); |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 465 | assertTrue(mLocalService.isEscrowTokenActive(handle, PRIMARY_USER_ID)); |
| 466 | |
| 467 | try { |
| 468 | mLocalService.setLockCredentialWithToken(password, |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 469 | LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, handle, token, |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 470 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
| 471 | fail("An exception should have been thrown."); |
| 472 | } catch (UnsupportedOperationException e) { |
| 473 | // Success - the exception was expected. |
| 474 | } |
| 475 | assertFalse(mService.havePassword(PRIMARY_USER_ID)); |
| 476 | |
| 477 | try { |
| 478 | mLocalService.setLockCredentialWithToken(pattern, |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 479 | LockPatternUtils.CREDENTIAL_TYPE_PATTERN, handle, token, |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 480 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
| 481 | fail("An exception should have been thrown."); |
| 482 | } catch (UnsupportedOperationException e) { |
| 483 | // Success - the exception was expected. |
| 484 | } |
| 485 | assertFalse(mService.havePattern(PRIMARY_USER_ID)); |
| 486 | } |
| 487 | |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 488 | public void testgetHashFactorPrimaryUser() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 489 | final byte[] password = "password".getBytes(); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 490 | mService.setLockCredential(password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
| 491 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
| 492 | final byte[] hashFactor = mService.getHashFactor(password, PRIMARY_USER_ID); |
| 493 | assertNotNull(hashFactor); |
| 494 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 495 | mService.setLockCredential(null, LockPatternUtils.CREDENTIAL_TYPE_NONE, |
| 496 | password, PASSWORD_QUALITY_UNSPECIFIED, PRIMARY_USER_ID); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 497 | final byte[] newHashFactor = mService.getHashFactor(null, PRIMARY_USER_ID); |
| 498 | assertNotNull(newHashFactor); |
| 499 | // Hash factor should never change after password change/removal |
| 500 | assertArrayEquals(hashFactor, newHashFactor); |
| 501 | } |
| 502 | |
| 503 | public void testgetHashFactorManagedProfileUnifiedChallenge() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 504 | final byte[] pattern = "1236".getBytes(); |
| 505 | mService.setLockCredential(pattern, LockPatternUtils.CREDENTIAL_TYPE_PATTERN, |
| 506 | null, PASSWORD_QUALITY_SOMETHING, PRIMARY_USER_ID); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 507 | mService.setSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID, false, null); |
| 508 | assertNotNull(mService.getHashFactor(null, MANAGED_PROFILE_USER_ID)); |
| 509 | } |
| 510 | |
| 511 | public void testgetHashFactorManagedProfileSeparateChallenge() throws RemoteException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 512 | final byte[] primaryPassword = "primary".getBytes(); |
| 513 | final byte[] profilePassword = "profile".getBytes(); |
Rubin Xu | 4ed9898 | 2018-05-23 14:27:53 +0100 | [diff] [blame] | 514 | mService.setLockCredential(primaryPassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
| 515 | PASSWORD_QUALITY_ALPHABETIC, PRIMARY_USER_ID); |
| 516 | mService.setLockCredential(profilePassword, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, null, |
| 517 | PASSWORD_QUALITY_ALPHABETIC, MANAGED_PROFILE_USER_ID); |
| 518 | assertNotNull(mService.getHashFactor(profilePassword, MANAGED_PROFILE_USER_ID)); |
| 519 | } |
| 520 | |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 521 | public void testPasswordData_serializeDeserialize() { |
| 522 | PasswordData data = new PasswordData(); |
| 523 | data.scryptN = 11; |
| 524 | data.scryptR = 22; |
| 525 | data.scryptP = 33; |
| 526 | data.passwordType = CREDENTIAL_TYPE_PASSWORD; |
| 527 | data.salt = PAYLOAD; |
| 528 | data.passwordHandle = PAYLOAD2; |
| 529 | |
| 530 | PasswordData deserialized = PasswordData.fromBytes(data.toBytes()); |
| 531 | |
| 532 | assertEquals(11, deserialized.scryptN); |
| 533 | assertEquals(22, deserialized.scryptR); |
| 534 | assertEquals(33, deserialized.scryptP); |
| 535 | assertEquals(CREDENTIAL_TYPE_PASSWORD, deserialized.passwordType); |
| 536 | assertArrayEquals(PAYLOAD, deserialized.salt); |
| 537 | assertArrayEquals(PAYLOAD2, deserialized.passwordHandle); |
| 538 | } |
| 539 | |
| 540 | public void testPasswordData_deserialize() { |
| 541 | // Test that we can deserialize existing PasswordData and don't inadvertently change the |
| 542 | // wire format. |
| 543 | byte[] serialized = new byte[] { |
| 544 | 0, 0, 0, 2, /* CREDENTIAL_TYPE_PASSWORD */ |
| 545 | 11, /* scryptN */ |
| 546 | 22, /* scryptR */ |
| 547 | 33, /* scryptP */ |
| 548 | 0, 0, 0, 5, /* salt.length */ |
| 549 | 1, 2, -1, -2, 55, /* salt */ |
| 550 | 0, 0, 0, 6, /* passwordHandle.length */ |
| 551 | 2, 3, -2, -3, 44, 1, /* passwordHandle */ |
| 552 | }; |
| 553 | PasswordData deserialized = PasswordData.fromBytes(serialized); |
| 554 | |
| 555 | assertEquals(11, deserialized.scryptN); |
| 556 | assertEquals(22, deserialized.scryptR); |
| 557 | assertEquals(33, deserialized.scryptP); |
| 558 | assertEquals(CREDENTIAL_TYPE_PASSWORD, deserialized.passwordType); |
| 559 | assertArrayEquals(PAYLOAD, deserialized.salt); |
| 560 | assertArrayEquals(PAYLOAD2, deserialized.passwordHandle); |
| 561 | } |
| 562 | |
David Anderson | 6ebc25b | 2019-02-12 16:25:56 -0800 | [diff] [blame] | 563 | public void testGsiDisablesAuthSecret() throws RemoteException { |
| 564 | mGsiService.setIsGsiRunning(true); |
| 565 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 566 | final byte[] password = "testGsiDisablesAuthSecret-password".getBytes(); |
David Anderson | 6ebc25b | 2019-02-12 16:25:56 -0800 | [diff] [blame] | 567 | |
| 568 | initializeCredentialUnderSP(password, PRIMARY_USER_ID); |
| 569 | assertEquals(VerifyCredentialResponse.RESPONSE_OK, mService.verifyCredential( |
| 570 | password, LockPatternUtils.CREDENTIAL_TYPE_PASSWORD, 0, PRIMARY_USER_ID) |
| 571 | .getResponseCode()); |
| 572 | verify(mAuthSecretService, never()).primaryUserCredential(any(ArrayList.class)); |
| 573 | } |
| 574 | |
Andrew Scull | 7f4ff4c | 2018-01-05 18:33:58 +0000 | [diff] [blame] | 575 | // b/62213311 |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 576 | //TODO: add non-migration work profile case, and unify/un-unify transition. |
| 577 | //TODO: test token after user resets password |
| 578 | //TODO: test token based reset after unified work challenge |
| 579 | //TODO: test clear password after unified work challenge |
| 580 | } |