Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / c8a5a555f1482d0f45b538eb898d6ee7e26552a6 / . / services / tests / servicestests / src / com / android / server / devicepolicy / DevicePolicyManagerTest.java
blob: 79ba08d50ec4c88a4499178cc21b4ea7b49bc578 [file] [log] [blame]
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]1/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]16package com.android.server.devicepolicy;
17
18import com.android.server.LocalServices;
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]19import com.android.server.SystemService;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]20
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]21import android.Manifest.permission;
22import android.app.Activity;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]23import android.app.admin.DeviceAdminReceiver;
24import android.app.admin.DevicePolicyManager;
25import android.app.admin.DevicePolicyManagerInternal;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]26import android.content.BroadcastReceiver;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]27import android.content.ComponentName;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]28import android.content.pm.PackageManager;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]29import android.os.Bundle;
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]30import android.os.Process;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]31import android.os.UserHandle;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]32import android.os.UserManager;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]33import android.util.Pair;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]34
35import org.mockito.ArgumentCaptor;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]36import org.mockito.invocation.InvocationOnMock;
37import org.mockito.stubbing.Answer;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]38
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]39import java.util.ArrayList;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]40import java.util.HashMap;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]41import java.util.List;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]42import java.util.Map;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]43
44import static org.mockito.Matchers.any;
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]45import static org.mockito.Matchers.anyInt;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]46import static org.mockito.Matchers.anyString;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]47import static org.mockito.Matchers.eq;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]48import static org.mockito.Matchers.isNull;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]49import static org.mockito.Mockito.doAnswer;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]50import static org.mockito.Mockito.doReturn;
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]51import static org.mockito.Mockito.reset;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]52import static org.mockito.Mockito.times;
53import static org.mockito.Mockito.verify;
54import static org.mockito.Mockito.when;
55
56/**
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]57 * Tests for DevicePolicyManager( and DevicePolicyManagerService).
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]58 *
59 m FrameworksServicesTests &&
60 adb install \
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]61 -r out/target/product/hammerhead/data/app/FrameworksServicesTests/FrameworksServicesTests.apk &&
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]62 adb shell am instrument -e class com.android.server.devicepolicy.DevicePolicyManagerTest \
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]63 -w com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]64
65 (mmma frameworks/base/services/tests/servicestests/ for non-ninja build)
66 */
67public class DevicePolicyManagerTest extends DpmTestBase {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]68 private DpmMockContext mContext;
69 public DevicePolicyManager dpm;
70 public DevicePolicyManagerServiceTestable dpms;
71
72 @Override
73 protected void setUp() throws Exception {
74 super.setUp();
75
76 mContext = getContext();
77
78 when(mContext.packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN)))
79 .thenReturn(true);
80
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]81 initializeDpms();
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]82
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]83 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
84 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
85 setUpPackageManagerForAdmin(admin3, DpmMockContext.CALLER_UID);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]86
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]87 setUpUserManager();
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]88 }
89
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]90 private void initializeDpms() {
91 // Need clearCallingIdentity() to pass permission checks.
92 final long ident = mContext.binder.clearCallingIdentity();
93 try {
94 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class);
95
96 dpms = new DevicePolicyManagerServiceTestable(mContext, dataDir);
97
98 dpms.systemReady(SystemService.PHASE_LOCK_SETTINGS_READY);
99 dpms.systemReady(SystemService.PHASE_BOOT_COMPLETED);
100
101 dpm = new DevicePolicyManagerTestable(mContext, dpms);
102 } finally {
103 mContext.binder.restoreCallingIdentity(ident);
104 }
105 }
106
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]107 private void setUpUserManager() {
108 // Emulate UserManager.set/getApplicationRestriction().
109 final Map<Pair<String, UserHandle>, Bundle> appRestrictions = new HashMap<>();
110
111 // UM.setApplicationRestrictions() will save to appRestrictions.
112 doAnswer(new Answer<Void>() {
113 @Override
114 public Void answer(InvocationOnMock invocation) throws Throwable {
115 String pkg = (String) invocation.getArguments()[0];
116 Bundle bundle = (Bundle) invocation.getArguments()[1];
117 UserHandle user = (UserHandle) invocation.getArguments()[2];
118
119 appRestrictions.put(Pair.create(pkg, user), bundle);
120
121 return null;
122 }
123 }).when(mContext.userManager).setApplicationRestrictions(
124 anyString(), any(Bundle.class), any(UserHandle.class));
125
126 // UM.getApplicationRestrictions() will read from appRestrictions.
127 doAnswer(new Answer<Bundle>() {
128 @Override
129 public Bundle answer(InvocationOnMock invocation) throws Throwable {
130 String pkg = (String) invocation.getArguments()[0];
131 UserHandle user = (UserHandle) invocation.getArguments()[1];
132
133 return appRestrictions.get(Pair.create(pkg, user));
134 }
135 }).when(mContext.userManager).getApplicationRestrictions(
136 anyString(), any(UserHandle.class));
137
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]138 // Add the first secondary user.
139 mContext.addUser(DpmMockContext.CALLER_USER_HANDLE, 0);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]140 }
141
142 private void setAsProfileOwner(ComponentName admin) {
143 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
144 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
145
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]146 // PO needs to be an DA.
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]147 dpm.setActiveAdmin(admin, /* replace =*/ false);
148
149 // Fire!
150 assertTrue(dpm.setProfileOwner(admin, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
151
152 // Check
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]153 assertEquals(admin, dpm.getProfileOwnerAsUser(DpmMockContext.CALLER_USER_HANDLE));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]154 }
155
156 public void testHasNoFeature() throws Exception {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]157 when(mContext.packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN)))
158 .thenReturn(false);
159
160 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class);
161 new DevicePolicyManagerServiceTestable(mContext, dataDir);
162
163 // If the device has no DPMS feature, it shouldn't register the local service.
164 assertNull(LocalServices.getService(DevicePolicyManagerInternal.class));
165 }
166
167 /**
168 * Caller doesn't have proper permissions.
169 */
170 public void testSetActiveAdmin_SecurityException() {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]171 // 1. Failure cases.
172
173 // Caller doesn't have MANAGE_DEVICE_ADMINS.
174 try {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]175 dpm.setActiveAdmin(admin1, false);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]176 fail("Didn't throw SecurityException");
177 } catch (SecurityException expected) {
178 }
179
180 // Caller has MANAGE_DEVICE_ADMINS, but for different user.
181 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
182 try {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]183 dpm.setActiveAdmin(admin1, false, DpmMockContext.CALLER_USER_HANDLE + 1);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]184 fail("Didn't throw SecurityException");
185 } catch (SecurityException expected) {
186 }
187 }
188
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]189 /**
190 * Test for:
191 * {@link DevicePolicyManager#setActiveAdmin}
192 * with replace=false and replace=true
193 * {@link DevicePolicyManager#isAdminActive}
194 * {@link DevicePolicyManager#isAdminActiveAsUser}
195 * {@link DevicePolicyManager#getActiveAdmins}
196 * {@link DevicePolicyManager#getActiveAdminsAsUser}
197 */
198 public void testSetActiveAdmin() throws Exception {
199 // 1. Make sure the caller has proper permissions.
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]200 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
201
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]202 // 2. Call the API.
203 dpm.setActiveAdmin(admin1, /* replace =*/ false);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]204
205 // 3. Verify internal calls.
206
207 // Check if the boradcast is sent.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]208 verify(mContext.spiedContext).sendBroadcastAsUser(
209 MockUtils.checkIntentAction(
210 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
211 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
212 verify(mContext.spiedContext).sendBroadcastAsUser(
213 MockUtils.checkIntentAction(
214 DeviceAdminReceiver.ACTION_DEVICE_ADMIN_ENABLED),
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]215 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
216
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]217 verify(mContext.ipackageManager, times(1)).setApplicationEnabledSetting(
218 eq(admin1.getPackageName()),
219 eq(PackageManager.COMPONENT_ENABLED_STATE_DEFAULT),
220 eq(PackageManager.DONT_KILL_APP),
221 eq(DpmMockContext.CALLER_USER_HANDLE),
222 anyString());
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]223
224 // TODO Verify other calls too.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]225
226 // Make sure it's active admin1.
227 assertTrue(dpm.isAdminActive(admin1));
228 assertFalse(dpm.isAdminActive(admin2));
229 assertFalse(dpm.isAdminActive(admin3));
230
231 // But not admin1 for a different user.
232
233 // For this to work, caller needs android.permission.INTERACT_ACROSS_USERS_FULL.
234 // (Because we're checking a different user's status from CALLER_USER_HANDLE.)
235 mContext.callerPermissions.add("android.permission.INTERACT_ACROSS_USERS_FULL");
236
237 assertFalse(dpm.isAdminActiveAsUser(admin1, DpmMockContext.CALLER_USER_HANDLE + 1));
238 assertFalse(dpm.isAdminActiveAsUser(admin2, DpmMockContext.CALLER_USER_HANDLE + 1));
239
240 mContext.callerPermissions.remove("android.permission.INTERACT_ACROSS_USERS_FULL");
241
242 // Next, add one more admin.
243 // Before doing so, update the application info, now it's enabled.
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]244 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID,
245 PackageManager.COMPONENT_ENABLED_STATE_ENABLED);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]246
247 dpm.setActiveAdmin(admin2, /* replace =*/ false);
248
249 // Now we have two admins.
250 assertTrue(dpm.isAdminActive(admin1));
251 assertTrue(dpm.isAdminActive(admin2));
252 assertFalse(dpm.isAdminActive(admin3));
253
254 // Admin2 was already enabled, so setApplicationEnabledSetting() shouldn't have called
255 // again. (times(1) because it was previously called for admin1)
256 verify(mContext.ipackageManager, times(1)).setApplicationEnabledSetting(
257 eq(admin1.getPackageName()),
258 eq(PackageManager.COMPONENT_ENABLED_STATE_DEFAULT),
259 eq(PackageManager.DONT_KILL_APP),
260 eq(DpmMockContext.CALLER_USER_HANDLE),
261 anyString());
262
263 // 4. Add the same admin1 again without replace, which should throw.
264 try {
265 dpm.setActiveAdmin(admin1, /* replace =*/ false);
266 fail("Didn't throw");
267 } catch (IllegalArgumentException expected) {
268 }
269
270 // 5. Add the same admin1 again with replace, which should succeed.
271 dpm.setActiveAdmin(admin1, /* replace =*/ true);
272
273 // TODO make sure it's replaced.
274
275 // 6. Test getActiveAdmins()
276 List<ComponentName> admins = dpm.getActiveAdmins();
277 assertEquals(2, admins.size());
278 assertEquals(admin1, admins.get(0));
279 assertEquals(admin2, admins.get(1));
280
281 // Another user has no admins.
282 mContext.callerPermissions.add("android.permission.INTERACT_ACROSS_USERS_FULL");
283
284 assertEquals(0, DpmTestUtils.getListSizeAllowingNull(
285 dpm.getActiveAdminsAsUser(DpmMockContext.CALLER_USER_HANDLE + 1)));
286
287 mContext.callerPermissions.remove("android.permission.INTERACT_ACROSS_USERS_FULL");
288 }
289
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]290 public void testSetActiveAdmin_multiUsers() throws Exception {
291
292 final int ANOTHER_USER_ID = 100;
293 final int ANOTHER_ADMIN_UID = UserHandle.getUid(ANOTHER_USER_ID, 20456);
294
295 mMockContext.addUser(ANOTHER_USER_ID, 0); // Add one more user.
296
297 // Set up pacakge manager for the other user.
298 setUpPackageManagerForAdmin(admin2, ANOTHER_ADMIN_UID);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]299
300 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
301
302 dpm.setActiveAdmin(admin1, /* replace =*/ false);
303
304 mMockContext.binder.callingUid = ANOTHER_ADMIN_UID;
305 dpm.setActiveAdmin(admin2, /* replace =*/ false);
306
307
308 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
309 assertTrue(dpm.isAdminActive(admin1));
310 assertFalse(dpm.isAdminActive(admin2));
311
312 mMockContext.binder.callingUid = ANOTHER_ADMIN_UID;
313 assertFalse(dpm.isAdminActive(admin1));
314 assertTrue(dpm.isAdminActive(admin2));
315 }
316
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]317 /**
318 * Test for:
319 * {@link DevicePolicyManager#setActiveAdmin}
320 * with replace=false
321 */
322 public void testSetActiveAdmin_twiceWithoutReplace() throws Exception {
323 // 1. Make sure the caller has proper permissions.
324 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
325
326 dpm.setActiveAdmin(admin1, /* replace =*/ false);
327 assertTrue(dpm.isAdminActive(admin1));
328
329 // Add the same admin1 again without replace, which should throw.
330 try {
331 dpm.setActiveAdmin(admin1, /* replace =*/ false);
332 fail("Didn't throw");
333 } catch (IllegalArgumentException expected) {
334 }
335 }
336
337 /**
338 * Test for:
339 * {@link DevicePolicyManager#removeActiveAdmin}
340 */
341 public void testRemoveActiveAdmin_SecurityException() {
342 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
343
344 // Add admin.
345
346 dpm.setActiveAdmin(admin1, /* replace =*/ false);
347
348 assertTrue(dpm.isAdminActive(admin1));
349
350 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
351
352 // Directly call the DPMS method with a different userid, which should fail.
353 try {
354 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE + 1);
355 fail("Didn't throw SecurityException");
356 } catch (SecurityException expected) {
357 }
358
359 // Try to remove active admin with a different caller userid should fail too, without
360 // having MANAGE_DEVICE_ADMINS.
361 mContext.callerPermissions.clear();
362
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]363 // Change the caller, and call into DPMS directly with a different user-id.
364
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]365 mContext.binder.callingUid = 1234567;
366 try {
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]367 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]368 fail("Didn't throw SecurityException");
369 } catch (SecurityException expected) {
370 }
371 }
372
373 /**
374 * Test for:
375 * {@link DevicePolicyManager#removeActiveAdmin}
376 */
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]377 public void testRemoveActiveAdmin_fromDifferentUserWithINTERACT_ACROSS_USERS_FULL() {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]378 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
379
380 // Add admin1.
381
382 dpm.setActiveAdmin(admin1, /* replace =*/ false);
383
384 assertTrue(dpm.isAdminActive(admin1));
385 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
386
387 // Different user, but should work, because caller has proper permissions.
388 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]389
390 // Change the caller, and call into DPMS directly with a different user-id.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]391 mContext.binder.callingUid = 1234567;
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]392
393 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]394
395 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
396
397 // TODO DO Still can't be removed in this case.
398 }
399
400 /**
401 * Test for:
402 * {@link DevicePolicyManager#removeActiveAdmin}
403 */
404 public void testRemoveActiveAdmin_sameUserNoMANAGE_DEVICE_ADMINS() {
405 // Need MANAGE_DEVICE_ADMINS for setActiveAdmin. We'll remove it later.
406 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
407
408 // Add admin1.
409
410 dpm.setActiveAdmin(admin1, /* replace =*/ false);
411
412 assertTrue(dpm.isAdminActive(admin1));
413 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
414
415 // Broadcast from saveSettingsLocked().
416 verify(mContext.spiedContext, times(1)).sendBroadcastAsUser(
417 MockUtils.checkIntentAction(
418 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
419 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
420
421 // Remove. No permissions, but same user, so it'll work.
422 mContext.callerPermissions.clear();
423 dpm.removeActiveAdmin(admin1);
424
425 final ArgumentCaptor<BroadcastReceiver> brCap =
426 ArgumentCaptor.forClass(BroadcastReceiver.class);
427
428 // Is removing now, but not removed yet.
429 assertTrue(dpm.isAdminActive(admin1));
430 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
431
432 verify(mContext.spiedContext).sendOrderedBroadcastAsUser(
433 MockUtils.checkIntentAction(
434 DeviceAdminReceiver.ACTION_DEVICE_ADMIN_DISABLED),
435 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE),
436 isNull(String.class),
437 brCap.capture(),
438 eq(dpms.mHandler),
439 eq(Activity.RESULT_OK),
440 isNull(String.class),
441 isNull(Bundle.class));
442
443 brCap.getValue().onReceive(mContext, null);
444
445 assertFalse(dpm.isAdminActive(admin1));
446 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
447
448 // Again broadcast from saveSettingsLocked().
449 verify(mContext.spiedContext, times(2)).sendBroadcastAsUser(
450 MockUtils.checkIntentAction(
451 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
452 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
453
454 // TODO Check other internal calls.
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]455 }
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]456
457 /**
458 * Test for: {@link DevicePolicyManager#setDeviceOwner} DO on system user installs
459 * successfully.
460 */
461 public void testSetDeviceOwner() throws Exception {
462 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]463 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]464 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
465 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
466
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]467 // In this test, change the caller user to "system".
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]468 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
469
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]470 // Make sure admin1 is installed on system user.
471 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]472
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]473 // Check various get APIs.
474 checkGetDeviceOwnerInfoApi(dpm, /* hasDeviceOwner =*/ false);
475
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]476 // DO needs to be an DA.
477 dpm.setActiveAdmin(admin1, /* replace =*/ false);
478
479 // Fire!
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]480 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]481
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]482 // getDeviceOwnerComponent should return the admin1 component.
483 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
484 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
485
486 // Check various get APIs.
487 checkGetDeviceOwnerInfoApi(dpm, /* hasDeviceOwner =*/ true);
488
489 // getDeviceOwnerComponent should *NOT* return the admin1 component for other users.
490 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
491 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
492 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
493
494 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
495
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]496 // Verify internal calls.
497 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
498 eq(admin1.getPackageName()));
499
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]500 // TODO We should check if the caller has called clearCallerIdentity().
501 verify(mContext.ibackupManager, times(1)).setBackupServiceActive(
502 eq(UserHandle.USER_SYSTEM), eq(false));
503
504 verify(mContext.spiedContext, times(1)).sendBroadcastAsUser(
505 MockUtils.checkIntentAction(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED),
506 MockUtils.checkUserHandle(UserHandle.USER_SYSTEM));
507
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]508 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]509
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]510 // Try to set a profile owner on the same user, which should fail.
511 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID);
512 dpm.setActiveAdmin(admin2, /* refreshing= */ true, UserHandle.USER_SYSTEM);
513 try {
514 dpm.setProfileOwner(admin2, "owner-name", UserHandle.USER_SYSTEM);
515 fail("IllegalStateException not thrown");
516 } catch (IllegalStateException expected) {
517 assertTrue("Message was: " + expected.getMessage(),
518 expected.getMessage().contains("already has a device owner"));
519 }
520
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]521 // TODO Test getDeviceOwnerName() too. To do so, we need to change
522 // DPMS.getApplicationLabel() because Context.createPackageContextAsUser() is not mockable.
523 }
524
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]525 private void checkGetDeviceOwnerInfoApi(DevicePolicyManager dpm, boolean hasDeviceOwner) {
526 final int origCallingUser = mContext.binder.callingUid;
527 final List origPermissions = new ArrayList(mContext.callerPermissions);
528 mContext.callerPermissions.clear();
529
530 mContext.callerPermissions.add(permission.MANAGE_USERS);
531
532 mContext.binder.callingUid = Process.SYSTEM_UID;
533
534 // TODO Test getDeviceOwnerName() too. To do so, we need to change
535 // DPMS.getApplicationLabel() because Context.createPackageContextAsUser() is not mockable.
536 if (hasDeviceOwner) {
537 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
538 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
539 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
540
541 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
542 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
543 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
544 } else {
545 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
546 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
547 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
548
549 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
550 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
551 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
552 }
553
554 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
555 if (hasDeviceOwner) {
556 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
557 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
558 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
559
560 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
561 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
562 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
563 } else {
564 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
565 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
566 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
567
568 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
569 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
570 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
571 }
572
573 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
574 // Still with MANAGE_USERS.
575 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
576 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
577 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
578
579 if (hasDeviceOwner) {
580 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
581 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
582 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
583 } else {
584 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
585 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
586 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
587 }
588
589 mContext.binder.callingUid = Process.SYSTEM_UID;
590 mContext.callerPermissions.remove(permission.MANAGE_USERS);
591 // System can still call "OnAnyUser" without MANAGE_USERS.
592 if (hasDeviceOwner) {
593 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
594 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
595 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
596
597 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
598 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
599 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
600 } else {
601 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
602 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
603 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
604
605 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
606 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
607 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
608 }
609
610 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
611 // Still no MANAGE_USERS.
612 if (hasDeviceOwner) {
613 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
614 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
615 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
616 } else {
617 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
618 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
619 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
620 }
621
622 try {
623 dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName());
624 fail();
625 } catch (SecurityException expected) {
626 }
627 try {
628 dpm.getDeviceOwnerComponentOnAnyUser();
629 fail();
630 } catch (SecurityException expected) {
631 }
632 try {
633 dpm.getDeviceOwnerUserId();
634 fail();
635 } catch (SecurityException expected) {
636 }
637 try {
638 dpm.getDeviceOwnerNameOnAnyUser();
639 fail();
640 } catch (SecurityException expected) {
641 }
642
643 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
644 // Still no MANAGE_USERS.
645 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
646 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
647 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
648
649 try {
650 dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName());
651 fail();
652 } catch (SecurityException expected) {
653 }
654 try {
655 dpm.getDeviceOwnerComponentOnAnyUser();
656 fail();
657 } catch (SecurityException expected) {
658 }
659 try {
660 dpm.getDeviceOwnerUserId();
661 fail();
662 } catch (SecurityException expected) {
663 }
664 try {
665 dpm.getDeviceOwnerNameOnAnyUser();
666 fail();
667 } catch (SecurityException expected) {
668 }
669
670 // Restore.
671 mContext.binder.callingUid = origCallingUser;
672 mContext.callerPermissions.addAll(origPermissions);
673 }
674
675
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]676 /**
677 * Test for: {@link DevicePolicyManager#setDeviceOwner} Package doesn't exist.
678 */
679 public void testSetDeviceOwner_noSuchPackage() {
680 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]681 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]682 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
683 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
684
685 // Call from a process on the system user.
686 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
687
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]688 try {
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]689 dpm.setDeviceOwner(new ComponentName("a.b.c", ".def"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]690 fail("Didn't throw IllegalArgumentException");
691 } catch (IllegalArgumentException expected) {
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]692 assertTrue("Message was: " + expected.getMessage(),
693 expected.getMessage().contains("Invalid component"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]694 }
695 }
696
697 public void testSetDeviceOwner_failures() throws Exception {
698 // TODO Test more failure cases. Basically test all chacks in enforceCanSetDeviceOwner().
699 }
700
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]701 public void testClearDeviceOwner() throws Exception {
702 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]703 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]704 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
705 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
706
707 // Set admin1 as a DA to the secondary user.
708 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
709
710 dpm.setActiveAdmin(admin1, /* replace =*/ false);
711
712 // Set admin 1 as the DO to the system user.
713
714 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
715 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
716 dpm.setActiveAdmin(admin1, /* replace =*/ false);
717 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
718
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]719 // Verify internal calls.
720 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
721 eq(admin1.getPackageName()));
722
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]723 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]724
725 // Set up other mocks.
726 when(mContext.userManager.getUserRestrictions()).thenReturn(new Bundle());
727
728 // Now call clear.
729 doReturn(DpmMockContext.CALLER_SYSTEM_USER_UID).when(mContext.packageManager).getPackageUid(
730 eq(admin1.getPackageName()),
731 anyInt());
732 dpm.clearDeviceOwnerApp(admin1.getPackageName());
733
734 // Now DO shouldn't be set.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]735 assertNull(dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]736
737 // TODO Check other calls.
738 }
739
740 public void testClearDeviceOwner_fromDifferentUser() throws Exception {
741 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]742 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]743 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
744 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
745
746 // Set admin1 as a DA to the secondary user.
747 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
748
749 dpm.setActiveAdmin(admin1, /* replace =*/ false);
750
751 // Set admin 1 as the DO to the system user.
752
753 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
754 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
755 dpm.setActiveAdmin(admin1, /* replace =*/ false);
756 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
757
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]758 // Verify internal calls.
759 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
760 eq(admin1.getPackageName()));
761
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]762 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]763
764 // Now call clear from the secondary user, which should throw.
765 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
766
767 // Now call clear.
768 doReturn(DpmMockContext.CALLER_UID).when(mContext.packageManager).getPackageUid(
769 eq(admin1.getPackageName()),
770 anyInt());
771 try {
772 dpm.clearDeviceOwnerApp(admin1.getPackageName());
773 fail("Didn't throw");
774 } catch (SecurityException e) {
775 assertEquals("clearDeviceOwner can only be called by the device owner", e.getMessage());
776 }
777
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]778 // DO shouldn't be removed.
779 assertTrue(dpm.isDeviceManaged());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]780 }
781
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]782 public void testSetProfileOwner() throws Exception {
783 setAsProfileOwner(admin1);
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]784
785 // Try setting DO on the same user, which should fail.
786 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
787 dpm.setActiveAdmin(admin2, /* refreshing= */ true, DpmMockContext.CALLER_USER_HANDLE);
788 try {
789 dpm.setDeviceOwner(admin2, "owner-name", DpmMockContext.CALLER_USER_HANDLE);
790 fail("IllegalStateException not thrown");
791 } catch (IllegalStateException expected) {
792 assertTrue("Message was: " + expected.getMessage(),
793 expected.getMessage().contains("already has a profile owner"));
794 }
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]795 }
796
797 public void testSetProfileOwner_failures() throws Exception {
798 // TODO Test more failure cases. Basically test all chacks in enforceCanSetProfileOwner().
799 }
800
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]801 public void testGetDeviceOwnerAdminLocked() throws Exception {
802 checkDeviceOwnerWithMultipleDeviceAdmins();
803 }
804
805 private void checkDeviceOwnerWithMultipleDeviceAdmins() throws Exception {
806 // In ths test, we use 3 users (system + 2 secondary users), set some device admins to them,
807 // set admin2 on CALLER_USER_HANDLE as DO, then call getDeviceOwnerAdminLocked() to
808 // make sure it gets the right component from the right user.
809
810 final int ANOTHER_USER_ID = 100;
811 final int ANOTHER_ADMIN_UID = UserHandle.getUid(ANOTHER_USER_ID, 456);
812
813 mMockContext.addUser(ANOTHER_USER_ID, 0); // Add one more user.
814
815 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]816 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]817 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
818 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
819
820 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
821
822 // Make sure the admin packge is installed to each user.
823 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
824 setUpPackageManagerForAdmin(admin3, DpmMockContext.CALLER_SYSTEM_USER_UID);
825
826 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
827 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
828
829 setUpPackageManagerForAdmin(admin2, ANOTHER_ADMIN_UID);
830
831
832 // Set active admins to the users.
833 dpm.setActiveAdmin(admin1, /* replace =*/ false);
834 dpm.setActiveAdmin(admin3, /* replace =*/ false);
835
836 dpm.setActiveAdmin(admin1, /* replace =*/ false, DpmMockContext.CALLER_USER_HANDLE);
837 dpm.setActiveAdmin(admin2, /* replace =*/ false, DpmMockContext.CALLER_USER_HANDLE);
838
839 dpm.setActiveAdmin(admin2, /* replace =*/ false, ANOTHER_USER_ID);
840
841 // Set DO on the first non-system user.
842 mContext.setUserRunning(DpmMockContext.CALLER_USER_HANDLE, true);
843 assertTrue(dpm.setDeviceOwner(admin2, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
844
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]845 assertEquals(admin2, dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false));
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]846
847 // Then check getDeviceOwnerAdminLocked().
848 assertEquals(admin2, dpms.getDeviceOwnerAdminLocked().info.getComponent());
849 assertEquals(DpmMockContext.CALLER_UID, dpms.getDeviceOwnerAdminLocked().getUid());
850 }
851
852 /**
853 * This essentially tests
854 * {@code DevicePolicyManagerService.findOwnerComponentIfNecessaryLocked()}. (which is private.)
855 *
856 * We didn't use to persist the DO component class name, but now we do, and the above method
857 * finds the right component from a package name upon migration.
858 */
859 public void testDeviceOwnerMigration() throws Exception {
860 checkDeviceOwnerWithMultipleDeviceAdmins();
861
862 // Overwrite the device owner setting and clears the clas name.
863 dpms.mOwners.setDeviceOwner(
864 new ComponentName(admin2.getPackageName(), ""),
865 "owner-name", DpmMockContext.CALLER_USER_HANDLE);
866 dpms.mOwners.writeDeviceOwner();
867
868 // Make sure the DO component name doesn't have a class name.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]869 assertEquals("", dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false).getClassName());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]870
871 // Then create a new DPMS to have it load the settings from files.
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]872 when(mContext.userManager.getUserRestrictions(any(UserHandle.class)))
873 .thenReturn(new Bundle());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]874 initializeDpms();
875
876 // Now the DO component name is a full name.
877 // *BUT* because both admin1 and admin2 belong to the same package, we think admin1 is the
878 // DO.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]879 assertEquals(admin1, dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false));
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]880 }
881
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]882 public void testSetGetApplicationRestriction() {
883 setAsProfileOwner(admin1);
884
885 {
886 Bundle rest = new Bundle();
887 rest.putString("KEY_STRING", "Foo1");
888 dpm.setApplicationRestrictions(admin1, "pkg1", rest);
889 }
890
891 {
892 Bundle rest = new Bundle();
893 rest.putString("KEY_STRING", "Foo2");
894 dpm.setApplicationRestrictions(admin1, "pkg2", rest);
895 }
896
897 {
898 Bundle returned = dpm.getApplicationRestrictions(admin1, "pkg1");
899 assertNotNull(returned);
900 assertEquals(returned.size(), 1);
901 assertEquals(returned.get("KEY_STRING"), "Foo1");
902 }
903
904 {
905 Bundle returned = dpm.getApplicationRestrictions(admin1, "pkg2");
906 assertNotNull(returned);
907 assertEquals(returned.size(), 1);
908 assertEquals(returned.get("KEY_STRING"), "Foo2");
909 }
910
911 dpm.setApplicationRestrictions(admin1, "pkg2", new Bundle());
912 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg2").size());
913 }
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]914
915 public void testSetUserRestriction_asDo() throws Exception {
916 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame^]917 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]918 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
919 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
920
921 // First, set DO.
922
923 // Call from a process on the system user.
924 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
925
926 // Make sure admin1 is installed on system user.
927 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]928
929 // Call.
930 dpm.setActiveAdmin(admin1, /* replace =*/ false, UserHandle.USER_SYSTEM);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]931 assertTrue(dpm.setDeviceOwner(admin1, "owner-name",
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]932 UserHandle.USER_SYSTEM));
933
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]934 DpmTestUtils.assertRestrictions(
935 DpmTestUtils.newRestrictions(),
936 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
937 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]938 DpmTestUtils.assertRestrictions(
939 DpmTestUtils.newRestrictions(),
940 dpm.getUserRestrictions(admin1)
941 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]942
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]943 reset(mContext.userManagerInternal);
944
945 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
946 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
947 eq(UserHandle.USER_SYSTEM),
948 MockUtils.checkUserRestrictions(),
949 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
950 );
951 reset(mContext.userManagerInternal);
952
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]953 dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]954 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
955 eq(UserHandle.USER_SYSTEM),
956 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
957 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
958 );
959 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]960
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]961 DpmTestUtils.assertRestrictions(
962 DpmTestUtils.newRestrictions(
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]963 UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_OUTGOING_CALLS),
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]964 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
965 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]966 DpmTestUtils.assertRestrictions(
967 DpmTestUtils.newRestrictions(
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]968 UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_OUTGOING_CALLS),
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]969 dpm.getUserRestrictions(admin1)
970 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]971
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]972 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
973 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
974 eq(UserHandle.USER_SYSTEM),
975 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
976 MockUtils.checkUserRestrictions()
977 );
978 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]979
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]980 DpmTestUtils.assertRestrictions(
981 DpmTestUtils.newRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
982 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
983 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]984 DpmTestUtils.assertRestrictions(
985 DpmTestUtils.newRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
986 dpm.getUserRestrictions(admin1)
987 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]988
989 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]990 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
991 eq(UserHandle.USER_SYSTEM),
992 MockUtils.checkUserRestrictions(),
993 MockUtils.checkUserRestrictions()
994 );
995 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]996
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]997 DpmTestUtils.assertRestrictions(
998 DpmTestUtils.newRestrictions(),
999 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1000 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1001 DpmTestUtils.assertRestrictions(
1002 DpmTestUtils.newRestrictions(),
1003 dpm.getUserRestrictions(admin1)
1004 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1005
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1006 // DISALLOW_ADJUST_VOLUME and DISALLOW_UNMUTE_MICROPHONE are PO restrictions, but when
1007 // DO sets them, the scope is global.
1008 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1009 reset(mContext.userManagerInternal);
1010 dpm.addUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1011 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1012 eq(UserHandle.USER_SYSTEM),
1013 MockUtils.checkUserRestrictions(),
1014 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
1015 UserManager.DISALLOW_UNMUTE_MICROPHONE)
1016 );
1017 reset(mContext.userManagerInternal);
1018
1019 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1020 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1021
1022
1023 // More tests.
1024 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1025 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1026 eq(UserHandle.USER_SYSTEM),
1027 MockUtils.checkUserRestrictions(),
1028 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1029 );
1030 reset(mContext.userManagerInternal);
1031
1032 dpm.addUserRestriction(admin1, UserManager.DISALLOW_FUN);
1033 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1034 eq(UserHandle.USER_SYSTEM),
1035 MockUtils.checkUserRestrictions(),
1036 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1037 UserManager.DISALLOW_ADD_USER)
1038 );
1039 reset(mContext.userManagerInternal);
1040
1041 dpm.setCameraDisabled(admin1, true);
1042 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1043 eq(UserHandle.USER_SYSTEM),
1044 // DISALLOW_CAMERA will be applied to both local and global.
1045 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA),
1046 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1047 UserManager.DISALLOW_CAMERA, UserManager.DISALLOW_ADD_USER)
1048 );
1049 reset(mContext.userManagerInternal);
1050
1051 // Set up another DA and let it disable camera. Now DISALLOW_CAMERA will only be applied
1052 // locally.
1053 dpm.setCameraDisabled(admin1, false);
1054 reset(mContext.userManagerInternal);
1055
1056 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID);
1057 dpm.setActiveAdmin(admin2, /* replace =*/ false, UserHandle.USER_SYSTEM);
1058 dpm.setCameraDisabled(admin2, true);
1059
1060 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1061 eq(UserHandle.USER_SYSTEM),
1062 // DISALLOW_CAMERA will be applied to both local and global.
1063 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA),
1064 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1065 UserManager.DISALLOW_ADD_USER)
1066 );
1067 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1068 // TODO Make sure restrictions are written to the file.
1069 }
1070
1071 public void testSetUserRestriction_asPo() {
1072 setAsProfileOwner(admin1);
1073
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1074 DpmTestUtils.assertRestrictions(
1075 DpmTestUtils.newRestrictions(),
1076 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1077 .ensureUserRestrictions()
1078 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1079
1080 dpm.addUserRestriction(admin1, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1081 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1082 eq(DpmMockContext.CALLER_USER_HANDLE),
1083 MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES),
1084 isNull(Bundle.class)
1085 );
1086 reset(mContext.userManagerInternal);
1087
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1088 dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1089 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1090 eq(DpmMockContext.CALLER_USER_HANDLE),
1091 MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1092 UserManager.DISALLOW_OUTGOING_CALLS),
1093 isNull(Bundle.class)
1094 );
1095 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1096
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1097 DpmTestUtils.assertRestrictions(
1098 DpmTestUtils.newRestrictions(
1099 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1100 UserManager.DISALLOW_OUTGOING_CALLS
1101 ),
1102 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1103 .ensureUserRestrictions()
1104 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1105 DpmTestUtils.assertRestrictions(
1106 DpmTestUtils.newRestrictions(
1107 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1108 UserManager.DISALLOW_OUTGOING_CALLS
1109 ),
1110 dpm.getUserRestrictions(admin1)
1111 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1112
1113 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1114 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1115 eq(DpmMockContext.CALLER_USER_HANDLE),
1116 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1117 isNull(Bundle.class)
1118 );
1119 reset(mContext.userManagerInternal);
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1120
1121 DpmTestUtils.assertRestrictions(
1122 DpmTestUtils.newRestrictions(
1123 UserManager.DISALLOW_OUTGOING_CALLS
1124 ),
1125 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1126 .ensureUserRestrictions()
1127 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1128 DpmTestUtils.assertRestrictions(
1129 DpmTestUtils.newRestrictions(
1130 UserManager.DISALLOW_OUTGOING_CALLS
1131 ),
1132 dpm.getUserRestrictions(admin1)
1133 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1134
1135 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1136 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1137 eq(DpmMockContext.CALLER_USER_HANDLE),
1138 MockUtils.checkUserRestrictions(),
1139 isNull(Bundle.class)
1140 );
1141 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1142
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1143 DpmTestUtils.assertRestrictions(
1144 DpmTestUtils.newRestrictions(),
1145 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1146 .ensureUserRestrictions()
1147 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1148 DpmTestUtils.assertRestrictions(
1149 DpmTestUtils.newRestrictions(),
1150 dpm.getUserRestrictions(admin1)
1151 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1152
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1153 // DISALLOW_ADJUST_VOLUME and DISALLOW_UNMUTE_MICROPHONE can be set by PO too, even
1154 // though when DO sets them they'll be applied globally.
1155 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1156 reset(mContext.userManagerInternal);
1157 dpm.addUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1158 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1159 eq(DpmMockContext.CALLER_USER_HANDLE),
1160 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
1161 UserManager.DISALLOW_UNMUTE_MICROPHONE),
1162 isNull(Bundle.class)
1163 );
1164 reset(mContext.userManagerInternal);
1165
1166 dpm.setCameraDisabled(admin1, true);
1167 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1168 eq(DpmMockContext.CALLER_USER_HANDLE),
1169 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA,
1170 UserManager.DISALLOW_ADJUST_VOLUME,
1171 UserManager.DISALLOW_UNMUTE_MICROPHONE),
1172 isNull(Bundle.class)
1173 );
1174 reset(mContext.userManagerInternal);
1175
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1176 // TODO Make sure restrictions are written to the file.
1177 }
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]1178}