Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / ed1928a981cbff9a67b5c1786ded8cbdf848056b / . / services / tests / servicestests / src / com / android / server / devicepolicy / DevicePolicyManagerTest.java
blob: 467ecd77970ee916c43b4d9027638c8f290974f3 [file] [log] [blame]
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]1/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]16package com.android.server.devicepolicy;
17
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]18import android.Manifest.permission;
19import android.app.Activity;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]20import android.app.admin.DeviceAdminReceiver;
21import android.app.admin.DevicePolicyManager;
22import android.app.admin.DevicePolicyManagerInternal;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]23import android.content.BroadcastReceiver;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]24import android.content.ComponentName;
Rubin Xued1928a2016-02-11 17:23:06 +0000[diff] [blame^]25import android.content.pm.ApplicationInfo;
26import android.content.pm.PackageInfo;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]27import android.content.pm.PackageManager;
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]28import android.net.wifi.WifiInfo;
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]29import android.os.Build.VERSION_CODES;
Rubin Xued1928a2016-02-11 17:23:06 +0000[diff] [blame^]30import android.os.Build;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]31import android.os.Bundle;
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]32import android.os.Process;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]33import android.os.UserHandle;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]34import android.os.UserManager;
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]35import android.test.MoreAsserts;
Benjamin Franz6d009032016-01-25 18:56:38 +0000[diff] [blame]36import android.test.suitebuilder.annotation.SmallTest;
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]37import android.util.ArraySet;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]38import android.util.Pair;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]39
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]40import com.android.server.LocalServices;
41import com.android.server.SystemService;
42
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]43import org.mockito.ArgumentCaptor;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]44import org.mockito.invocation.InvocationOnMock;
45import org.mockito.stubbing.Answer;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]46
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]47import java.util.ArrayList;
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]48import java.util.Arrays;
49import java.util.Collections;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]50import java.util.HashMap;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]51import java.util.List;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]52import java.util.Map;
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]53import java.util.Set;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]54
55import static org.mockito.Matchers.any;
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]56import static org.mockito.Matchers.anyInt;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]57import static org.mockito.Matchers.anyString;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]58import static org.mockito.Matchers.eq;
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]59import static org.mockito.Matchers.isNull;
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]60import static org.mockito.Mockito.doAnswer;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]61import static org.mockito.Mockito.doReturn;
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]62import static org.mockito.Mockito.reset;
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]63import static org.mockito.Mockito.times;
64import static org.mockito.Mockito.verify;
65import static org.mockito.Mockito.when;
66
67/**
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]68 * Tests for DevicePolicyManager( and DevicePolicyManagerService).
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]69 *
70 m FrameworksServicesTests &&
71 adb install \
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]72 -r ${ANDROID_PRODUCT_OUT}/data/app/FrameworksServicesTests/FrameworksServicesTests.apk &&
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]73 adb shell am instrument -e class com.android.server.devicepolicy.DevicePolicyManagerTest \
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]74 -w com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]75
76 (mmma frameworks/base/services/tests/servicestests/ for non-ninja build)
77 */
Benjamin Franz6d009032016-01-25 18:56:38 +0000[diff] [blame]78@SmallTest
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]79public class DevicePolicyManagerTest extends DpmTestBase {
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]80 private static final List<String> OWNER_SETUP_PERMISSIONS = Arrays.asList(
81 permission.MANAGE_DEVICE_ADMINS, permission.MANAGE_PROFILE_AND_DEVICE_OWNERS,
82 permission.MANAGE_USERS, permission.INTERACT_ACROSS_USERS_FULL);
83
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]84 private DpmMockContext mContext;
85 public DevicePolicyManager dpm;
86 public DevicePolicyManagerServiceTestable dpms;
87
88 @Override
89 protected void setUp() throws Exception {
90 super.setUp();
91
92 mContext = getContext();
93
94 when(mContext.packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN)))
95 .thenReturn(true);
96
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]97 initializeDpms();
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]98
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]99 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
100 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
101 setUpPackageManagerForAdmin(admin3, DpmMockContext.CALLER_UID);
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]102 setUpPackageManagerForAdmin(adminNoPerm, DpmMockContext.CALLER_UID);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]103
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]104 setUpUserManager();
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]105 }
106
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]107 private void initializeDpms() {
108 // Need clearCallingIdentity() to pass permission checks.
109 final long ident = mContext.binder.clearCallingIdentity();
110 try {
111 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class);
112
113 dpms = new DevicePolicyManagerServiceTestable(mContext, dataDir);
114
115 dpms.systemReady(SystemService.PHASE_LOCK_SETTINGS_READY);
116 dpms.systemReady(SystemService.PHASE_BOOT_COMPLETED);
117
118 dpm = new DevicePolicyManagerTestable(mContext, dpms);
119 } finally {
120 mContext.binder.restoreCallingIdentity(ident);
121 }
122 }
123
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]124 private void setUpUserManager() {
125 // Emulate UserManager.set/getApplicationRestriction().
126 final Map<Pair<String, UserHandle>, Bundle> appRestrictions = new HashMap<>();
127
128 // UM.setApplicationRestrictions() will save to appRestrictions.
129 doAnswer(new Answer<Void>() {
130 @Override
131 public Void answer(InvocationOnMock invocation) throws Throwable {
132 String pkg = (String) invocation.getArguments()[0];
133 Bundle bundle = (Bundle) invocation.getArguments()[1];
134 UserHandle user = (UserHandle) invocation.getArguments()[2];
135
136 appRestrictions.put(Pair.create(pkg, user), bundle);
137
138 return null;
139 }
140 }).when(mContext.userManager).setApplicationRestrictions(
141 anyString(), any(Bundle.class), any(UserHandle.class));
142
143 // UM.getApplicationRestrictions() will read from appRestrictions.
144 doAnswer(new Answer<Bundle>() {
145 @Override
146 public Bundle answer(InvocationOnMock invocation) throws Throwable {
147 String pkg = (String) invocation.getArguments()[0];
148 UserHandle user = (UserHandle) invocation.getArguments()[1];
149
150 return appRestrictions.get(Pair.create(pkg, user));
151 }
152 }).when(mContext.userManager).getApplicationRestrictions(
153 anyString(), any(UserHandle.class));
154
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]155 // Add the first secondary user.
156 mContext.addUser(DpmMockContext.CALLER_USER_HANDLE, 0);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]157 }
158
159 private void setAsProfileOwner(ComponentName admin) {
160 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
161 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
162
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]163 // PO needs to be an DA.
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]164 dpm.setActiveAdmin(admin, /* replace =*/ false);
165
166 // Fire!
167 assertTrue(dpm.setProfileOwner(admin, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
168
169 // Check
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]170 assertEquals(admin, dpm.getProfileOwnerAsUser(DpmMockContext.CALLER_USER_HANDLE));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]171 }
172
173 public void testHasNoFeature() throws Exception {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]174 when(mContext.packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN)))
175 .thenReturn(false);
176
177 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class);
178 new DevicePolicyManagerServiceTestable(mContext, dataDir);
179
180 // If the device has no DPMS feature, it shouldn't register the local service.
181 assertNull(LocalServices.getService(DevicePolicyManagerInternal.class));
182 }
183
184 /**
185 * Caller doesn't have proper permissions.
186 */
187 public void testSetActiveAdmin_SecurityException() {
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]188 // 1. Failure cases.
189
190 // Caller doesn't have MANAGE_DEVICE_ADMINS.
191 try {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]192 dpm.setActiveAdmin(admin1, false);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]193 fail("Didn't throw SecurityException");
194 } catch (SecurityException expected) {
195 }
196
197 // Caller has MANAGE_DEVICE_ADMINS, but for different user.
198 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
199 try {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]200 dpm.setActiveAdmin(admin1, false, DpmMockContext.CALLER_USER_HANDLE + 1);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]201 fail("Didn't throw SecurityException");
202 } catch (SecurityException expected) {
203 }
204 }
205
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]206 /**
207 * Test for:
208 * {@link DevicePolicyManager#setActiveAdmin}
209 * with replace=false and replace=true
210 * {@link DevicePolicyManager#isAdminActive}
211 * {@link DevicePolicyManager#isAdminActiveAsUser}
212 * {@link DevicePolicyManager#getActiveAdmins}
213 * {@link DevicePolicyManager#getActiveAdminsAsUser}
214 */
215 public void testSetActiveAdmin() throws Exception {
216 // 1. Make sure the caller has proper permissions.
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]217 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
218
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]219 // 2. Call the API.
220 dpm.setActiveAdmin(admin1, /* replace =*/ false);
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]221
222 // 3. Verify internal calls.
223
224 // Check if the boradcast is sent.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]225 verify(mContext.spiedContext).sendBroadcastAsUser(
226 MockUtils.checkIntentAction(
227 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
228 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
229 verify(mContext.spiedContext).sendBroadcastAsUser(
230 MockUtils.checkIntentAction(
231 DeviceAdminReceiver.ACTION_DEVICE_ADMIN_ENABLED),
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]232 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
233
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]234 verify(mContext.ipackageManager, times(1)).setApplicationEnabledSetting(
235 eq(admin1.getPackageName()),
236 eq(PackageManager.COMPONENT_ENABLED_STATE_DEFAULT),
237 eq(PackageManager.DONT_KILL_APP),
238 eq(DpmMockContext.CALLER_USER_HANDLE),
239 anyString());
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]240
241 // TODO Verify other calls too.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]242
243 // Make sure it's active admin1.
244 assertTrue(dpm.isAdminActive(admin1));
245 assertFalse(dpm.isAdminActive(admin2));
246 assertFalse(dpm.isAdminActive(admin3));
247
248 // But not admin1 for a different user.
249
250 // For this to work, caller needs android.permission.INTERACT_ACROSS_USERS_FULL.
251 // (Because we're checking a different user's status from CALLER_USER_HANDLE.)
252 mContext.callerPermissions.add("android.permission.INTERACT_ACROSS_USERS_FULL");
253
254 assertFalse(dpm.isAdminActiveAsUser(admin1, DpmMockContext.CALLER_USER_HANDLE + 1));
255 assertFalse(dpm.isAdminActiveAsUser(admin2, DpmMockContext.CALLER_USER_HANDLE + 1));
256
257 mContext.callerPermissions.remove("android.permission.INTERACT_ACROSS_USERS_FULL");
258
259 // Next, add one more admin.
260 // Before doing so, update the application info, now it's enabled.
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]261 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID,
262 PackageManager.COMPONENT_ENABLED_STATE_ENABLED);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]263
264 dpm.setActiveAdmin(admin2, /* replace =*/ false);
265
266 // Now we have two admins.
267 assertTrue(dpm.isAdminActive(admin1));
268 assertTrue(dpm.isAdminActive(admin2));
269 assertFalse(dpm.isAdminActive(admin3));
270
271 // Admin2 was already enabled, so setApplicationEnabledSetting() shouldn't have called
272 // again. (times(1) because it was previously called for admin1)
273 verify(mContext.ipackageManager, times(1)).setApplicationEnabledSetting(
274 eq(admin1.getPackageName()),
275 eq(PackageManager.COMPONENT_ENABLED_STATE_DEFAULT),
276 eq(PackageManager.DONT_KILL_APP),
277 eq(DpmMockContext.CALLER_USER_HANDLE),
278 anyString());
279
280 // 4. Add the same admin1 again without replace, which should throw.
281 try {
282 dpm.setActiveAdmin(admin1, /* replace =*/ false);
283 fail("Didn't throw");
284 } catch (IllegalArgumentException expected) {
285 }
286
287 // 5. Add the same admin1 again with replace, which should succeed.
288 dpm.setActiveAdmin(admin1, /* replace =*/ true);
289
290 // TODO make sure it's replaced.
291
292 // 6. Test getActiveAdmins()
293 List<ComponentName> admins = dpm.getActiveAdmins();
294 assertEquals(2, admins.size());
295 assertEquals(admin1, admins.get(0));
296 assertEquals(admin2, admins.get(1));
297
298 // Another user has no admins.
299 mContext.callerPermissions.add("android.permission.INTERACT_ACROSS_USERS_FULL");
300
301 assertEquals(0, DpmTestUtils.getListSizeAllowingNull(
302 dpm.getActiveAdminsAsUser(DpmMockContext.CALLER_USER_HANDLE + 1)));
303
304 mContext.callerPermissions.remove("android.permission.INTERACT_ACROSS_USERS_FULL");
305 }
306
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]307 public void testSetActiveAdmin_multiUsers() throws Exception {
308
309 final int ANOTHER_USER_ID = 100;
310 final int ANOTHER_ADMIN_UID = UserHandle.getUid(ANOTHER_USER_ID, 20456);
311
312 mMockContext.addUser(ANOTHER_USER_ID, 0); // Add one more user.
313
314 // Set up pacakge manager for the other user.
315 setUpPackageManagerForAdmin(admin2, ANOTHER_ADMIN_UID);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]316
317 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
318
319 dpm.setActiveAdmin(admin1, /* replace =*/ false);
320
321 mMockContext.binder.callingUid = ANOTHER_ADMIN_UID;
322 dpm.setActiveAdmin(admin2, /* replace =*/ false);
323
324
325 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
326 assertTrue(dpm.isAdminActive(admin1));
327 assertFalse(dpm.isAdminActive(admin2));
328
329 mMockContext.binder.callingUid = ANOTHER_ADMIN_UID;
330 assertFalse(dpm.isAdminActive(admin1));
331 assertTrue(dpm.isAdminActive(admin2));
332 }
333
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]334 /**
335 * Test for:
336 * {@link DevicePolicyManager#setActiveAdmin}
337 * with replace=false
338 */
339 public void testSetActiveAdmin_twiceWithoutReplace() throws Exception {
340 // 1. Make sure the caller has proper permissions.
341 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
342
343 dpm.setActiveAdmin(admin1, /* replace =*/ false);
344 assertTrue(dpm.isAdminActive(admin1));
345
346 // Add the same admin1 again without replace, which should throw.
347 try {
348 dpm.setActiveAdmin(admin1, /* replace =*/ false);
349 fail("Didn't throw");
350 } catch (IllegalArgumentException expected) {
351 }
352 }
353
354 /**
355 * Test for:
Makoto Onuki3ab6f2e2015-11-05 13:55:37 -0800[diff] [blame]356 * {@link DevicePolicyManager#setActiveAdmin} when the admin isn't protected with
357 * BIND_DEVICE_ADMIN.
358 */
359 public void testSetActiveAdmin_permissionCheck() throws Exception {
360 // 1. Make sure the caller has proper permissions.
361 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
362
363 try {
364 dpm.setActiveAdmin(adminNoPerm, /* replace =*/ false);
365 fail();
366 } catch (IllegalArgumentException expected) {
367 assertTrue(expected.getMessage().contains(permission.BIND_DEVICE_ADMIN));
368 }
369 assertFalse(dpm.isAdminActive(adminNoPerm));
370
371 // Change the target API level to MNC. Now it can be set as DA.
372 setUpPackageManagerForAdmin(adminNoPerm, DpmMockContext.CALLER_UID, null,
373 VERSION_CODES.M);
374 dpm.setActiveAdmin(adminNoPerm, /* replace =*/ false);
375 assertTrue(dpm.isAdminActive(adminNoPerm));
376
377 // TODO Test the "load from the file" case where DA will still be loaded even without
378 // BIND_DEVICE_ADMIN and target API is N.
379 }
380
381 /**
382 * Test for:
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]383 * {@link DevicePolicyManager#removeActiveAdmin}
384 */
385 public void testRemoveActiveAdmin_SecurityException() {
386 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
387
388 // Add admin.
389
390 dpm.setActiveAdmin(admin1, /* replace =*/ false);
391
392 assertTrue(dpm.isAdminActive(admin1));
393
394 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
395
396 // Directly call the DPMS method with a different userid, which should fail.
397 try {
398 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE + 1);
399 fail("Didn't throw SecurityException");
400 } catch (SecurityException expected) {
401 }
402
403 // Try to remove active admin with a different caller userid should fail too, without
404 // having MANAGE_DEVICE_ADMINS.
405 mContext.callerPermissions.clear();
406
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]407 // Change the caller, and call into DPMS directly with a different user-id.
408
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]409 mContext.binder.callingUid = 1234567;
410 try {
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]411 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]412 fail("Didn't throw SecurityException");
413 } catch (SecurityException expected) {
414 }
415 }
416
417 /**
418 * Test for:
419 * {@link DevicePolicyManager#removeActiveAdmin}
420 */
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]421 public void testRemoveActiveAdmin_fromDifferentUserWithINTERACT_ACROSS_USERS_FULL() {
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]422 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
423
424 // Add admin1.
425
426 dpm.setActiveAdmin(admin1, /* replace =*/ false);
427
428 assertTrue(dpm.isAdminActive(admin1));
429 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
430
431 // Different user, but should work, because caller has proper permissions.
432 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]433
434 // Change the caller, and call into DPMS directly with a different user-id.
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]435 mContext.binder.callingUid = 1234567;
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]436
437 dpms.removeActiveAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE);
Makoto Onukif76b06a2015-09-22 15:03:44 -0700[diff] [blame]438
439 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
440
441 // TODO DO Still can't be removed in this case.
442 }
443
444 /**
445 * Test for:
446 * {@link DevicePolicyManager#removeActiveAdmin}
447 */
448 public void testRemoveActiveAdmin_sameUserNoMANAGE_DEVICE_ADMINS() {
449 // Need MANAGE_DEVICE_ADMINS for setActiveAdmin. We'll remove it later.
450 mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
451
452 // Add admin1.
453
454 dpm.setActiveAdmin(admin1, /* replace =*/ false);
455
456 assertTrue(dpm.isAdminActive(admin1));
457 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
458
459 // Broadcast from saveSettingsLocked().
460 verify(mContext.spiedContext, times(1)).sendBroadcastAsUser(
461 MockUtils.checkIntentAction(
462 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
463 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
464
465 // Remove. No permissions, but same user, so it'll work.
466 mContext.callerPermissions.clear();
467 dpm.removeActiveAdmin(admin1);
468
469 final ArgumentCaptor<BroadcastReceiver> brCap =
470 ArgumentCaptor.forClass(BroadcastReceiver.class);
471
472 // Is removing now, but not removed yet.
473 assertTrue(dpm.isAdminActive(admin1));
474 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
475
476 verify(mContext.spiedContext).sendOrderedBroadcastAsUser(
477 MockUtils.checkIntentAction(
478 DeviceAdminReceiver.ACTION_DEVICE_ADMIN_DISABLED),
479 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE),
480 isNull(String.class),
481 brCap.capture(),
482 eq(dpms.mHandler),
483 eq(Activity.RESULT_OK),
484 isNull(String.class),
485 isNull(Bundle.class));
486
487 brCap.getValue().onReceive(mContext, null);
488
489 assertFalse(dpm.isAdminActive(admin1));
490 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
491
492 // Again broadcast from saveSettingsLocked().
493 verify(mContext.spiedContext, times(2)).sendBroadcastAsUser(
494 MockUtils.checkIntentAction(
495 DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED),
496 MockUtils.checkUserHandle(DpmMockContext.CALLER_USER_HANDLE));
497
498 // TODO Check other internal calls.
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]499 }
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]500
501 /**
502 * Test for: {@link DevicePolicyManager#setDeviceOwner} DO on system user installs
503 * successfully.
504 */
505 public void testSetDeviceOwner() throws Exception {
506 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]507 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]508 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
509 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
510
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]511 // In this test, change the caller user to "system".
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]512 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
513
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]514 // Make sure admin1 is installed on system user.
515 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
Makoto Onukid932f762015-09-29 16:53:38 -0700[diff] [blame]516
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]517 // Check various get APIs.
518 checkGetDeviceOwnerInfoApi(dpm, /* hasDeviceOwner =*/ false);
519
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]520 // DO needs to be an DA.
521 dpm.setActiveAdmin(admin1, /* replace =*/ false);
522
523 // Fire!
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]524 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]525
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]526 // getDeviceOwnerComponent should return the admin1 component.
527 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
528 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
529
530 // Check various get APIs.
531 checkGetDeviceOwnerInfoApi(dpm, /* hasDeviceOwner =*/ true);
532
533 // getDeviceOwnerComponent should *NOT* return the admin1 component for other users.
534 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
535 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
536 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
537
538 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
539
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]540 // Verify internal calls.
541 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
542 eq(admin1.getPackageName()));
543
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]544 // TODO We should check if the caller has called clearCallerIdentity().
545 verify(mContext.ibackupManager, times(1)).setBackupServiceActive(
546 eq(UserHandle.USER_SYSTEM), eq(false));
547
548 verify(mContext.spiedContext, times(1)).sendBroadcastAsUser(
549 MockUtils.checkIntentAction(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED),
550 MockUtils.checkUserHandle(UserHandle.USER_SYSTEM));
551
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]552 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]553
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]554 // Try to set a profile owner on the same user, which should fail.
555 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID);
556 dpm.setActiveAdmin(admin2, /* refreshing= */ true, UserHandle.USER_SYSTEM);
557 try {
558 dpm.setProfileOwner(admin2, "owner-name", UserHandle.USER_SYSTEM);
559 fail("IllegalStateException not thrown");
560 } catch (IllegalStateException expected) {
561 assertTrue("Message was: " + expected.getMessage(),
562 expected.getMessage().contains("already has a device owner"));
563 }
564
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame]565 // DO admin can't be deactivated.
566 dpm.removeActiveAdmin(admin1);
567 assertTrue(dpm.isAdminActive(admin1));
568
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]569 // TODO Test getDeviceOwnerName() too. To do so, we need to change
570 // DPMS.getApplicationLabel() because Context.createPackageContextAsUser() is not mockable.
571 }
572
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]573 private void checkGetDeviceOwnerInfoApi(DevicePolicyManager dpm, boolean hasDeviceOwner) {
574 final int origCallingUser = mContext.binder.callingUid;
575 final List origPermissions = new ArrayList(mContext.callerPermissions);
576 mContext.callerPermissions.clear();
577
578 mContext.callerPermissions.add(permission.MANAGE_USERS);
579
580 mContext.binder.callingUid = Process.SYSTEM_UID;
581
582 // TODO Test getDeviceOwnerName() too. To do so, we need to change
583 // DPMS.getApplicationLabel() because Context.createPackageContextAsUser() is not mockable.
584 if (hasDeviceOwner) {
585 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
586 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
587 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
588
589 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
590 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
591 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
592 } else {
593 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
594 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
595 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
596
597 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
598 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
599 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
600 }
601
602 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
603 if (hasDeviceOwner) {
604 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
605 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
606 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
607
608 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
609 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
610 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
611 } else {
612 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
613 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
614 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
615
616 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
617 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
618 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
619 }
620
621 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
622 // Still with MANAGE_USERS.
623 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
624 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
625 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
626
627 if (hasDeviceOwner) {
628 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
629 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
630 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
631 } else {
632 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
633 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
634 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
635 }
636
637 mContext.binder.callingUid = Process.SYSTEM_UID;
638 mContext.callerPermissions.remove(permission.MANAGE_USERS);
639 // System can still call "OnAnyUser" without MANAGE_USERS.
640 if (hasDeviceOwner) {
641 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
642 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
643 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
644
645 assertTrue(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
646 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
647 assertEquals(UserHandle.USER_SYSTEM, dpm.getDeviceOwnerUserId());
648 } else {
649 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
650 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
651 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
652
653 assertFalse(dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName()));
654 assertEquals(null, dpm.getDeviceOwnerComponentOnAnyUser());
655 assertEquals(UserHandle.USER_NULL, dpm.getDeviceOwnerUserId());
656 }
657
658 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
659 // Still no MANAGE_USERS.
660 if (hasDeviceOwner) {
661 assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
662 assertTrue(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
663 assertEquals(admin1, dpm.getDeviceOwnerComponentOnCallingUser());
664 } else {
665 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
666 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
667 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
668 }
669
670 try {
671 dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName());
672 fail();
673 } catch (SecurityException expected) {
674 }
675 try {
676 dpm.getDeviceOwnerComponentOnAnyUser();
677 fail();
678 } catch (SecurityException expected) {
679 }
680 try {
681 dpm.getDeviceOwnerUserId();
682 fail();
683 } catch (SecurityException expected) {
684 }
685 try {
686 dpm.getDeviceOwnerNameOnAnyUser();
687 fail();
688 } catch (SecurityException expected) {
689 }
690
691 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
692 // Still no MANAGE_USERS.
693 assertFalse(dpm.isDeviceOwnerApp(admin1.getPackageName()));
694 assertFalse(dpm.isDeviceOwnerAppOnCallingUser(admin1.getPackageName()));
695 assertEquals(null, dpm.getDeviceOwnerComponentOnCallingUser());
696
697 try {
698 dpm.isDeviceOwnerAppOnAnyUser(admin1.getPackageName());
699 fail();
700 } catch (SecurityException expected) {
701 }
702 try {
703 dpm.getDeviceOwnerComponentOnAnyUser();
704 fail();
705 } catch (SecurityException expected) {
706 }
707 try {
708 dpm.getDeviceOwnerUserId();
709 fail();
710 } catch (SecurityException expected) {
711 }
712 try {
713 dpm.getDeviceOwnerNameOnAnyUser();
714 fail();
715 } catch (SecurityException expected) {
716 }
717
718 // Restore.
719 mContext.binder.callingUid = origCallingUser;
720 mContext.callerPermissions.addAll(origPermissions);
721 }
722
723
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]724 /**
725 * Test for: {@link DevicePolicyManager#setDeviceOwner} Package doesn't exist.
726 */
727 public void testSetDeviceOwner_noSuchPackage() {
728 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]729 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]730 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
731 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
732
733 // Call from a process on the system user.
734 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
735
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]736 try {
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]737 dpm.setDeviceOwner(new ComponentName("a.b.c", ".def"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]738 fail("Didn't throw IllegalArgumentException");
739 } catch (IllegalArgumentException expected) {
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]740 assertTrue("Message was: " + expected.getMessage(),
741 expected.getMessage().contains("Invalid component"));
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]742 }
743 }
744
745 public void testSetDeviceOwner_failures() throws Exception {
746 // TODO Test more failure cases. Basically test all chacks in enforceCanSetDeviceOwner().
747 }
748
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]749 public void testClearDeviceOwner() throws Exception {
750 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]751 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]752 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
753 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
754
755 // Set admin1 as a DA to the secondary user.
756 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
757
758 dpm.setActiveAdmin(admin1, /* replace =*/ false);
759
760 // Set admin 1 as the DO to the system user.
761
762 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
763 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
764 dpm.setActiveAdmin(admin1, /* replace =*/ false);
765 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
766
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]767 // Verify internal calls.
768 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
769 eq(admin1.getPackageName()));
770
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]771 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]772
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame]773 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
774
775 assertTrue(dpm.isAdminActive(admin1));
776 assertFalse(dpm.isRemovingAdmin(admin1, UserHandle.USER_SYSTEM));
777
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]778 // Set up other mocks.
779 when(mContext.userManager.getUserRestrictions()).thenReturn(new Bundle());
780
781 // Now call clear.
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]782 doReturn(DpmMockContext.CALLER_SYSTEM_USER_UID).when(mContext.packageManager).getPackageUidAsUser(
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]783 eq(admin1.getPackageName()),
784 anyInt());
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame]785 reset(mContext.userManagerInternal);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]786 dpm.clearDeviceOwnerApp(admin1.getPackageName());
787
788 // Now DO shouldn't be set.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]789 assertNull(dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]790
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame]791 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
792 eq(UserHandle.USER_SYSTEM),
793 MockUtils.checkUserRestrictions(),
794 MockUtils.checkUserRestrictions()
795 );
796
797 assertTrue(dpm.isAdminActive(admin1));
798 assertTrue(dpm.isRemovingAdmin(admin1, UserHandle.USER_SYSTEM));
799
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]800 // TODO Check other calls.
801 }
802
803 public void testClearDeviceOwner_fromDifferentUser() throws Exception {
804 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]805 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]806 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
807 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
808
809 // Set admin1 as a DA to the secondary user.
810 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
811
812 dpm.setActiveAdmin(admin1, /* replace =*/ false);
813
814 // Set admin 1 as the DO to the system user.
815
816 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
817 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
818 dpm.setActiveAdmin(admin1, /* replace =*/ false);
819 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
820
Makoto Onuki219bbaf2015-11-12 01:38:47 +0000[diff] [blame]821 // Verify internal calls.
822 verify(mContext.iactivityManager, times(1)).updateDeviceOwner(
823 eq(admin1.getPackageName()));
824
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]825 assertEquals(admin1, dpm.getDeviceOwnerComponentOnAnyUser());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]826
827 // Now call clear from the secondary user, which should throw.
828 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
829
830 // Now call clear.
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]831 doReturn(DpmMockContext.CALLER_UID).when(mContext.packageManager).getPackageUidAsUser(
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]832 eq(admin1.getPackageName()),
833 anyInt());
834 try {
835 dpm.clearDeviceOwnerApp(admin1.getPackageName());
836 fail("Didn't throw");
837 } catch (SecurityException e) {
838 assertEquals("clearDeviceOwner can only be called by the device owner", e.getMessage());
839 }
840
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]841 // DO shouldn't be removed.
842 assertTrue(dpm.isDeviceManaged());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]843 }
844
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]845 public void testSetProfileOwner() throws Exception {
846 setAsProfileOwner(admin1);
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]847
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame]848 // PO admin can't be deactivated.
849 dpm.removeActiveAdmin(admin1);
850 assertTrue(dpm.isAdminActive(admin1));
851
Makoto Onuki803d6752015-10-30 12:58:39 -0700[diff] [blame]852 // Try setting DO on the same user, which should fail.
853 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
854 dpm.setActiveAdmin(admin2, /* refreshing= */ true, DpmMockContext.CALLER_USER_HANDLE);
855 try {
856 dpm.setDeviceOwner(admin2, "owner-name", DpmMockContext.CALLER_USER_HANDLE);
857 fail("IllegalStateException not thrown");
858 } catch (IllegalStateException expected) {
859 assertTrue("Message was: " + expected.getMessage(),
860 expected.getMessage().contains("already has a profile owner"));
861 }
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]862 }
863
Makoto Onuki90b89652016-01-28 14:44:18 -0800[diff] [blame]864 public void testClearProfileOwner() throws Exception {
865 setAsProfileOwner(admin1);
866
867 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
868
869 assertTrue(dpm.isProfileOwnerApp(admin1.getPackageName()));
870 assertFalse(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
871
872 // Clear
873 dpm.clearProfileOwner(admin1);
874
875 // Check
876 assertFalse(dpm.isProfileOwnerApp(admin1.getPackageName()));
877 assertTrue(dpm.isRemovingAdmin(admin1, DpmMockContext.CALLER_USER_HANDLE));
878 }
879
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]880 public void testSetProfileOwner_failures() throws Exception {
881 // TODO Test more failure cases. Basically test all chacks in enforceCanSetProfileOwner().
882 }
883
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]884 public void testGetDeviceOwnerAdminLocked() throws Exception {
885 checkDeviceOwnerWithMultipleDeviceAdmins();
886 }
887
888 private void checkDeviceOwnerWithMultipleDeviceAdmins() throws Exception {
889 // In ths test, we use 3 users (system + 2 secondary users), set some device admins to them,
890 // set admin2 on CALLER_USER_HANDLE as DO, then call getDeviceOwnerAdminLocked() to
891 // make sure it gets the right component from the right user.
892
893 final int ANOTHER_USER_ID = 100;
894 final int ANOTHER_ADMIN_UID = UserHandle.getUid(ANOTHER_USER_ID, 456);
895
896 mMockContext.addUser(ANOTHER_USER_ID, 0); // Add one more user.
897
898 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]899 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]900 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
901 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
902
903 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
904
905 // Make sure the admin packge is installed to each user.
906 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
907 setUpPackageManagerForAdmin(admin3, DpmMockContext.CALLER_SYSTEM_USER_UID);
908
909 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
910 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_UID);
911
912 setUpPackageManagerForAdmin(admin2, ANOTHER_ADMIN_UID);
913
914
915 // Set active admins to the users.
916 dpm.setActiveAdmin(admin1, /* replace =*/ false);
917 dpm.setActiveAdmin(admin3, /* replace =*/ false);
918
919 dpm.setActiveAdmin(admin1, /* replace =*/ false, DpmMockContext.CALLER_USER_HANDLE);
920 dpm.setActiveAdmin(admin2, /* replace =*/ false, DpmMockContext.CALLER_USER_HANDLE);
921
922 dpm.setActiveAdmin(admin2, /* replace =*/ false, ANOTHER_USER_ID);
923
924 // Set DO on the first non-system user.
925 mContext.setUserRunning(DpmMockContext.CALLER_USER_HANDLE, true);
926 assertTrue(dpm.setDeviceOwner(admin2, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
927
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]928 assertEquals(admin2, dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false));
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]929
930 // Then check getDeviceOwnerAdminLocked().
931 assertEquals(admin2, dpms.getDeviceOwnerAdminLocked().info.getComponent());
932 assertEquals(DpmMockContext.CALLER_UID, dpms.getDeviceOwnerAdminLocked().getUid());
933 }
934
935 /**
936 * This essentially tests
937 * {@code DevicePolicyManagerService.findOwnerComponentIfNecessaryLocked()}. (which is private.)
938 *
939 * We didn't use to persist the DO component class name, but now we do, and the above method
940 * finds the right component from a package name upon migration.
941 */
942 public void testDeviceOwnerMigration() throws Exception {
943 checkDeviceOwnerWithMultipleDeviceAdmins();
944
945 // Overwrite the device owner setting and clears the clas name.
946 dpms.mOwners.setDeviceOwner(
947 new ComponentName(admin2.getPackageName(), ""),
948 "owner-name", DpmMockContext.CALLER_USER_HANDLE);
949 dpms.mOwners.writeDeviceOwner();
950
951 // Make sure the DO component name doesn't have a class name.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]952 assertEquals("", dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false).getClassName());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]953
954 // Then create a new DPMS to have it load the settings from files.
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]955 when(mContext.userManager.getUserRestrictions(any(UserHandle.class)))
956 .thenReturn(new Bundle());
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]957 initializeDpms();
958
959 // Now the DO component name is a full name.
960 // *BUT* because both admin1 and admin2 belong to the same package, we think admin1 is the
961 // DO.
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]962 assertEquals(admin1, dpms.getDeviceOwnerComponent(/* callingUserOnly =*/ false));
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]963 }
964
Makoto Onukib643fb02015-09-22 15:03:44 -0700[diff] [blame]965 public void testSetGetApplicationRestriction() {
966 setAsProfileOwner(admin1);
967
968 {
969 Bundle rest = new Bundle();
970 rest.putString("KEY_STRING", "Foo1");
971 dpm.setApplicationRestrictions(admin1, "pkg1", rest);
972 }
973
974 {
975 Bundle rest = new Bundle();
976 rest.putString("KEY_STRING", "Foo2");
977 dpm.setApplicationRestrictions(admin1, "pkg2", rest);
978 }
979
980 {
981 Bundle returned = dpm.getApplicationRestrictions(admin1, "pkg1");
982 assertNotNull(returned);
983 assertEquals(returned.size(), 1);
984 assertEquals(returned.get("KEY_STRING"), "Foo1");
985 }
986
987 {
988 Bundle returned = dpm.getApplicationRestrictions(admin1, "pkg2");
989 assertNotNull(returned);
990 assertEquals(returned.size(), 1);
991 assertEquals(returned.get("KEY_STRING"), "Foo2");
992 }
993
994 dpm.setApplicationRestrictions(admin1, "pkg2", new Bundle());
995 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg2").size());
996 }
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]997
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]998 public void testApplicationRestrictionsManagingApp() throws Exception {
999 setAsProfileOwner(admin1);
1000
Rubin Xued1928a2016-02-11 17:23:06 +0000[diff] [blame^]1001 final String nonExistAppRestrictionsManagerPackage = "com.google.app.restrictions.manager2";
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]1002 final String appRestrictionsManagerPackage = "com.google.app.restrictions.manager";
1003 final int appRestrictionsManagerAppId = 20987;
1004 final int appRestrictionsManagerUid = UserHandle.getUid(
1005 DpmMockContext.CALLER_USER_HANDLE, appRestrictionsManagerAppId);
Jeff Sharkeye06b4d12016-01-06 14:51:50 -0700[diff] [blame]1006 doReturn(appRestrictionsManagerUid).when(mContext.packageManager).getPackageUidAsUser(
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]1007 eq(appRestrictionsManagerPackage),
1008 eq(DpmMockContext.CALLER_USER_HANDLE));
1009 mContext.binder.callingUid = appRestrictionsManagerUid;
1010
Rubin Xued1928a2016-02-11 17:23:06 +0000[diff] [blame^]1011 final PackageInfo pi = new PackageInfo();
1012 pi.applicationInfo = new ApplicationInfo();
1013 pi.applicationInfo.flags = ApplicationInfo.FLAG_HAS_CODE;
1014 doReturn(pi).when(mContext.ipackageManager).getPackageInfo(
1015 eq(appRestrictionsManagerPackage),
1016 anyInt(),
1017 eq(DpmMockContext.CALLER_USER_HANDLE));
1018
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]1019 // appRestrictionsManager package shouldn't be able to manage restrictions as the PO hasn't
1020 // delegated that permission yet.
1021 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1022 Bundle rest = new Bundle();
1023 rest.putString("KEY_STRING", "Foo1");
1024 try {
1025 dpm.setApplicationRestrictions(null, "pkg1", rest);
1026 fail("Didn't throw expected SecurityException");
1027 } catch (SecurityException expected) {
1028 MoreAsserts.assertContainsRegex(
1029 "caller cannot manage application restrictions", expected.getMessage());
1030 }
1031 try {
1032 dpm.getApplicationRestrictions(null, "pkg1");
1033 fail("Didn't throw expected SecurityException");
1034 } catch (SecurityException expected) {
1035 MoreAsserts.assertContainsRegex(
1036 "caller cannot manage application restrictions", expected.getMessage());
1037 }
1038
1039 // Check via the profile owner that no restrictions were set.
1040 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1041 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg1").size());
1042
Rubin Xued1928a2016-02-11 17:23:06 +0000[diff] [blame^]1043 // Check the API does not allow setting a non-existent package
1044 try {
1045 dpm.setApplicationRestrictionsManagingPackage(admin1,
1046 nonExistAppRestrictionsManagerPackage);
1047 fail("Non-existent app set as app restriction manager.");
1048 } catch (IllegalArgumentException expected) {
1049 MoreAsserts.assertContainsRegex(
1050 "is not installed on the current user", expected.getMessage());
1051 }
1052
Esteban Talaverabf60f722015-12-10 16:26:44 +0000[diff] [blame]1053 // Let appRestrictionsManagerPackage manage app restrictions
1054 dpm.setApplicationRestrictionsManagingPackage(admin1, appRestrictionsManagerPackage);
1055 assertEquals(appRestrictionsManagerPackage,
1056 dpm.getApplicationRestrictionsManagingPackage(admin1));
1057
1058 // Now that package should be able to set and retrieve app restrictions.
1059 mContext.binder.callingUid = appRestrictionsManagerUid;
1060 assertTrue(dpm.isCallerApplicationRestrictionsManagingPackage());
1061 dpm.setApplicationRestrictions(null, "pkg1", rest);
1062 Bundle returned = dpm.getApplicationRestrictions(null, "pkg1");
1063 assertEquals(1, returned.size(), 1);
1064 assertEquals("Foo1", returned.get("KEY_STRING"));
1065
1066 // The same app running on a separate user shouldn't be able to manage app restrictions.
1067 mContext.binder.callingUid = UserHandle.getUid(
1068 UserHandle.USER_SYSTEM, appRestrictionsManagerAppId);
1069 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1070 try {
1071 dpm.setApplicationRestrictions(null, "pkg1", rest);
1072 fail("Didn't throw expected SecurityException");
1073 } catch (SecurityException expected) {
1074 MoreAsserts.assertContainsRegex(
1075 "caller cannot manage application restrictions", expected.getMessage());
1076 }
1077
1078 // The DPM is still able to manage app restrictions, even if it allowed another app to do it
1079 // too.
1080 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1081 assertEquals(returned, dpm.getApplicationRestrictions(admin1, "pkg1"));
1082 dpm.setApplicationRestrictions(admin1, "pkg1", null);
1083 assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg1").size());
1084
1085 // Removing the ability for the package to manage app restrictions.
1086 dpm.setApplicationRestrictionsManagingPackage(admin1, null);
1087 assertNull(dpm.getApplicationRestrictionsManagingPackage(admin1));
1088 mContext.binder.callingUid = appRestrictionsManagerUid;
1089 assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
1090 try {
1091 dpm.setApplicationRestrictions(null, "pkg1", null);
1092 fail("Didn't throw expected SecurityException");
1093 } catch (SecurityException expected) {
1094 MoreAsserts.assertContainsRegex(
1095 "caller cannot manage application restrictions", expected.getMessage());
1096 }
1097 }
1098
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1099 public void testSetUserRestriction_asDo() throws Exception {
1100 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
Makoto Onukic8a5a552015-11-19 14:29:12 -0800[diff] [blame]1101 mContext.callerPermissions.add(permission.MANAGE_USERS);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1102 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1103 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1104
1105 // First, set DO.
1106
1107 // Call from a process on the system user.
1108 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1109
1110 // Make sure admin1 is installed on system user.
1111 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1112
1113 // Call.
1114 dpm.setActiveAdmin(admin1, /* replace =*/ false, UserHandle.USER_SYSTEM);
Makoto Onukia52562c2015-10-01 16:12:31 -0700[diff] [blame]1115 assertTrue(dpm.setDeviceOwner(admin1, "owner-name",
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1116 UserHandle.USER_SYSTEM));
1117
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1118 DpmTestUtils.assertRestrictions(
1119 DpmTestUtils.newRestrictions(),
1120 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1121 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1122 DpmTestUtils.assertRestrictions(
1123 DpmTestUtils.newRestrictions(),
1124 dpm.getUserRestrictions(admin1)
1125 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1126
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1127 reset(mContext.userManagerInternal);
1128
1129 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1130 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1131 eq(UserHandle.USER_SYSTEM),
1132 MockUtils.checkUserRestrictions(),
1133 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1134 );
1135 reset(mContext.userManagerInternal);
1136
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1137 dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1138 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1139 eq(UserHandle.USER_SYSTEM),
1140 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1141 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1142 );
1143 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1144
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1145 DpmTestUtils.assertRestrictions(
1146 DpmTestUtils.newRestrictions(
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1147 UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_OUTGOING_CALLS),
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1148 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1149 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1150 DpmTestUtils.assertRestrictions(
1151 DpmTestUtils.newRestrictions(
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1152 UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_OUTGOING_CALLS),
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1153 dpm.getUserRestrictions(admin1)
1154 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1155
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1156 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1157 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1158 eq(UserHandle.USER_SYSTEM),
1159 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1160 MockUtils.checkUserRestrictions()
1161 );
1162 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1163
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1164 DpmTestUtils.assertRestrictions(
1165 DpmTestUtils.newRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1166 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1167 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1168 DpmTestUtils.assertRestrictions(
1169 DpmTestUtils.newRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1170 dpm.getUserRestrictions(admin1)
1171 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1172
1173 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1174 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1175 eq(UserHandle.USER_SYSTEM),
1176 MockUtils.checkUserRestrictions(),
1177 MockUtils.checkUserRestrictions()
1178 );
1179 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1180
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1181 DpmTestUtils.assertRestrictions(
1182 DpmTestUtils.newRestrictions(),
1183 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
1184 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1185 DpmTestUtils.assertRestrictions(
1186 DpmTestUtils.newRestrictions(),
1187 dpm.getUserRestrictions(admin1)
1188 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1189
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1190 // DISALLOW_ADJUST_VOLUME and DISALLOW_UNMUTE_MICROPHONE are PO restrictions, but when
1191 // DO sets them, the scope is global.
1192 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1193 reset(mContext.userManagerInternal);
1194 dpm.addUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1195 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1196 eq(UserHandle.USER_SYSTEM),
1197 MockUtils.checkUserRestrictions(),
1198 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
1199 UserManager.DISALLOW_UNMUTE_MICROPHONE)
1200 );
1201 reset(mContext.userManagerInternal);
1202
1203 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1204 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1205
1206
1207 // More tests.
1208 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADD_USER);
1209 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1210 eq(UserHandle.USER_SYSTEM),
1211 MockUtils.checkUserRestrictions(),
1212 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER)
1213 );
1214 reset(mContext.userManagerInternal);
1215
1216 dpm.addUserRestriction(admin1, UserManager.DISALLOW_FUN);
1217 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1218 eq(UserHandle.USER_SYSTEM),
1219 MockUtils.checkUserRestrictions(),
1220 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1221 UserManager.DISALLOW_ADD_USER)
1222 );
1223 reset(mContext.userManagerInternal);
1224
1225 dpm.setCameraDisabled(admin1, true);
1226 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1227 eq(UserHandle.USER_SYSTEM),
1228 // DISALLOW_CAMERA will be applied to both local and global.
1229 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA),
1230 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1231 UserManager.DISALLOW_CAMERA, UserManager.DISALLOW_ADD_USER)
1232 );
1233 reset(mContext.userManagerInternal);
1234
1235 // Set up another DA and let it disable camera. Now DISALLOW_CAMERA will only be applied
1236 // locally.
1237 dpm.setCameraDisabled(admin1, false);
1238 reset(mContext.userManagerInternal);
1239
1240 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID);
1241 dpm.setActiveAdmin(admin2, /* replace =*/ false, UserHandle.USER_SYSTEM);
1242 dpm.setCameraDisabled(admin2, true);
1243
1244 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1245 eq(UserHandle.USER_SYSTEM),
1246 // DISALLOW_CAMERA will be applied to both local and global.
1247 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA),
1248 MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
1249 UserManager.DISALLOW_ADD_USER)
1250 );
1251 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1252 // TODO Make sure restrictions are written to the file.
1253 }
1254
1255 public void testSetUserRestriction_asPo() {
1256 setAsProfileOwner(admin1);
1257
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1258 DpmTestUtils.assertRestrictions(
1259 DpmTestUtils.newRestrictions(),
1260 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1261 .ensureUserRestrictions()
1262 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1263
1264 dpm.addUserRestriction(admin1, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1265 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1266 eq(DpmMockContext.CALLER_USER_HANDLE),
1267 MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES),
1268 isNull(Bundle.class)
1269 );
1270 reset(mContext.userManagerInternal);
1271
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1272 dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1273 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1274 eq(DpmMockContext.CALLER_USER_HANDLE),
1275 MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1276 UserManager.DISALLOW_OUTGOING_CALLS),
1277 isNull(Bundle.class)
1278 );
1279 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1280
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1281 DpmTestUtils.assertRestrictions(
1282 DpmTestUtils.newRestrictions(
1283 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1284 UserManager.DISALLOW_OUTGOING_CALLS
1285 ),
1286 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1287 .ensureUserRestrictions()
1288 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1289 DpmTestUtils.assertRestrictions(
1290 DpmTestUtils.newRestrictions(
1291 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
1292 UserManager.DISALLOW_OUTGOING_CALLS
1293 ),
1294 dpm.getUserRestrictions(admin1)
1295 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1296
1297 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1298 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1299 eq(DpmMockContext.CALLER_USER_HANDLE),
1300 MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
1301 isNull(Bundle.class)
1302 );
1303 reset(mContext.userManagerInternal);
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1304
1305 DpmTestUtils.assertRestrictions(
1306 DpmTestUtils.newRestrictions(
1307 UserManager.DISALLOW_OUTGOING_CALLS
1308 ),
1309 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1310 .ensureUserRestrictions()
1311 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1312 DpmTestUtils.assertRestrictions(
1313 DpmTestUtils.newRestrictions(
1314 UserManager.DISALLOW_OUTGOING_CALLS
1315 ),
1316 dpm.getUserRestrictions(admin1)
1317 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1318
1319 dpm.clearUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1320 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1321 eq(DpmMockContext.CALLER_USER_HANDLE),
1322 MockUtils.checkUserRestrictions(),
1323 isNull(Bundle.class)
1324 );
1325 reset(mContext.userManagerInternal);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1326
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]1327 DpmTestUtils.assertRestrictions(
1328 DpmTestUtils.newRestrictions(),
1329 dpms.getProfileOwnerAdminLocked(DpmMockContext.CALLER_USER_HANDLE)
1330 .ensureUserRestrictions()
1331 );
Makoto Onuki3a3092f2015-10-30 11:07:51 -0700[diff] [blame]1332 DpmTestUtils.assertRestrictions(
1333 DpmTestUtils.newRestrictions(),
1334 dpm.getUserRestrictions(admin1)
1335 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1336
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]1337 // DISALLOW_ADJUST_VOLUME and DISALLOW_UNMUTE_MICROPHONE can be set by PO too, even
1338 // though when DO sets them they'll be applied globally.
1339 dpm.addUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
1340 reset(mContext.userManagerInternal);
1341 dpm.addUserRestriction(admin1, UserManager.DISALLOW_UNMUTE_MICROPHONE);
1342 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1343 eq(DpmMockContext.CALLER_USER_HANDLE),
1344 MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
1345 UserManager.DISALLOW_UNMUTE_MICROPHONE),
1346 isNull(Bundle.class)
1347 );
1348 reset(mContext.userManagerInternal);
1349
1350 dpm.setCameraDisabled(admin1, true);
1351 verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
1352 eq(DpmMockContext.CALLER_USER_HANDLE),
1353 MockUtils.checkUserRestrictions(UserManager.DISALLOW_CAMERA,
1354 UserManager.DISALLOW_ADJUST_VOLUME,
1355 UserManager.DISALLOW_UNMUTE_MICROPHONE),
1356 isNull(Bundle.class)
1357 );
1358 reset(mContext.userManagerInternal);
1359
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1360 // TODO Make sure restrictions are written to the file.
1361 }
Makoto Onukia31ebbc2015-11-23 17:15:21 -0800[diff] [blame]1362
1363 public void testGetMacAddress() throws Exception {
1364 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1365 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1366 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1367
1368 // In this test, change the caller user to "system".
1369 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1370
1371 // Make sure admin1 is installed on system user.
1372 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1373
1374 // Test 1. Caller doesn't have DO or DA.
1375 try {
1376 dpm.getWifiMacAddress();
1377 fail();
1378 } catch (SecurityException e) {
1379 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1380 }
1381
1382 // DO needs to be an DA.
1383 dpm.setActiveAdmin(admin1, /* replace =*/ false);
1384 assertTrue(dpm.isAdminActive(admin1));
1385
1386 // Test 2. Caller has DA, but not DO.
1387 try {
1388 dpm.getWifiMacAddress();
1389 fail();
1390 } catch (SecurityException e) {
1391 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1392 }
1393
1394 // Test 3. Caller has PO, but not DO.
1395 assertTrue(dpm.setProfileOwner(admin1, null, UserHandle.USER_SYSTEM));
1396 try {
1397 dpm.getWifiMacAddress();
1398 fail();
1399 } catch (SecurityException e) {
1400 MoreAsserts.assertContainsRegex("No active admin owned", e.getMessage());
1401 }
1402
1403 // Remove PO.
1404 dpm.clearProfileOwner(admin1);
1405
1406 // Test 4, Caller is DO now.
1407 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1408
1409 // 4-1. But no WifiInfo.
1410 assertNull(dpm.getWifiMacAddress());
1411
1412 // 4-2. Returns WifiInfo, but with the default MAC.
1413 when(mContext.wifiManager.getConnectionInfo()).thenReturn(new WifiInfo());
1414 assertNull(dpm.getWifiMacAddress());
1415
1416 // 4-3. With a real MAC address.
1417 final WifiInfo wi = new WifiInfo();
1418 wi.setMacAddress("11:22:33:44:55:66");
1419 when(mContext.wifiManager.getConnectionInfo()).thenReturn(wi);
1420 assertEquals("11:22:33:44:55:66", dpm.getWifiMacAddress());
1421 }
Mahaver Chopraf8373b52015-12-23 14:42:18 +0000[diff] [blame]1422
1423 public void testRebootCanOnlyBeCalledByDeviceOwner() throws Exception {
1424 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1425 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1426
1427 // In this test, change the caller user to "system".
1428 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1429
1430 // Make sure admin1 is installed on system user.
1431 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1432
1433 // Set admin1 as DA.
1434 dpm.setActiveAdmin(admin1, false);
1435 assertTrue(dpm.isAdminActive(admin1));
1436 try {
1437 dpm.reboot(admin1);
1438 fail("DA calls DPM.reboot(), did not throw expected SecurityException");
1439 } catch (SecurityException expected) {
1440 MoreAsserts.assertContainsRegex("does not own the device", expected.getMessage());
1441 }
1442
1443 // Set admin1 as PO.
1444 assertTrue(dpm.setProfileOwner(admin1, null, UserHandle.USER_SYSTEM));
1445 try {
1446 dpm.reboot(admin1);
1447 fail("PO calls DPM.reboot(), did not throw expected SecurityException");
1448 } catch (SecurityException expected) {
1449 MoreAsserts.assertContainsRegex("does not own the device", expected.getMessage());
1450 }
1451
1452 // Remove PO and add DO.
1453 dpm.clearProfileOwner(admin1);
1454 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1455
1456 dpm.reboot(admin1);
1457 }
Kenny Guy06de4e72015-12-22 12:07:39 +0000[diff] [blame]1458
1459 public void testSetGetSupportText() {
1460 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1461 dpm.setActiveAdmin(admin1, true);
1462 dpm.setActiveAdmin(admin2, true);
1463 mContext.callerPermissions.remove(permission.MANAGE_DEVICE_ADMINS);
1464
1465 // Null default support messages.
1466 {
1467 assertNull(dpm.getLongSupportMessage(admin1));
1468 assertNull(dpm.getShortSupportMessage(admin1));
1469 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1470 assertNull(dpm.getShortSupportMessageForUser(admin1,
1471 DpmMockContext.CALLER_USER_HANDLE));
1472 assertNull(dpm.getLongSupportMessageForUser(admin1,
1473 DpmMockContext.CALLER_USER_HANDLE));
1474 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1475 }
1476
1477 // Only system can call the per user versions.
1478 {
1479 try {
1480 dpm.getShortSupportMessageForUser(admin1,
1481 DpmMockContext.CALLER_USER_HANDLE);
1482 fail("Only system should be able to call getXXXForUser versions");
1483 } catch (SecurityException expected) {
1484 MoreAsserts.assertContainsRegex("message for user", expected.getMessage());
1485 }
1486 try {
1487 dpm.getLongSupportMessageForUser(admin1,
1488 DpmMockContext.CALLER_USER_HANDLE);
1489 fail("Only system should be able to call getXXXForUser versions");
1490 } catch (SecurityException expected) {
1491 MoreAsserts.assertContainsRegex("message for user", expected.getMessage());
1492 }
1493 }
1494
1495 // Can't set message for admin in another uid.
1496 {
1497 mContext.binder.callingUid = DpmMockContext.CALLER_UID + 1;
1498 try {
1499 dpm.setShortSupportMessage(admin1, "Some text");
1500 fail("Admins should only be able to change their own support text.");
1501 } catch (SecurityException expected) {
1502 MoreAsserts.assertContainsRegex("is not owned by uid", expected.getMessage());
1503 }
1504 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1505 }
1506
1507 // Set/Get short returns what it sets and other admins text isn't changed.
1508 {
1509 final String supportText = "Some text to test with.";
1510 dpm.setShortSupportMessage(admin1, supportText);
1511 assertEquals(supportText, dpm.getShortSupportMessage(admin1));
1512 assertNull(dpm.getLongSupportMessage(admin1));
1513 assertNull(dpm.getShortSupportMessage(admin2));
1514
1515 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1516 assertEquals(supportText, dpm.getShortSupportMessageForUser(admin1,
1517 DpmMockContext.CALLER_USER_HANDLE));
1518 assertNull(dpm.getShortSupportMessageForUser(admin2,
1519 DpmMockContext.CALLER_USER_HANDLE));
1520 assertNull(dpm.getLongSupportMessageForUser(admin1,
1521 DpmMockContext.CALLER_USER_HANDLE));
1522 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1523
1524 dpm.setShortSupportMessage(admin1, null);
1525 assertNull(dpm.getShortSupportMessage(admin1));
1526 }
1527
1528 // Set/Get long returns what it sets and other admins text isn't changed.
1529 {
1530 final String supportText = "Some text to test with.\nWith more text.";
1531 dpm.setLongSupportMessage(admin1, supportText);
1532 assertEquals(supportText, dpm.getLongSupportMessage(admin1));
1533 assertNull(dpm.getShortSupportMessage(admin1));
1534 assertNull(dpm.getLongSupportMessage(admin2));
1535
1536 mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
1537 assertEquals(supportText, dpm.getLongSupportMessageForUser(admin1,
1538 DpmMockContext.CALLER_USER_HANDLE));
1539 assertNull(dpm.getLongSupportMessageForUser(admin2,
1540 DpmMockContext.CALLER_USER_HANDLE));
1541 assertNull(dpm.getShortSupportMessageForUser(admin1,
1542 DpmMockContext.CALLER_USER_HANDLE));
1543 mMockContext.binder.callingUid = DpmMockContext.CALLER_UID;
1544
1545 dpm.setLongSupportMessage(admin1, null);
1546 assertNull(dpm.getLongSupportMessage(admin1));
1547 }
1548 }
Bartosz Fabianowski4c052f22016-01-25 14:18:43 +0100[diff] [blame]1549
1550 /**
1551 * Test for:
1552 * {@link DevicePolicyManager#setAffiliationIds}
1553 * {@link DevicePolicyManager#isAffiliatedUser}
1554 */
1555 public void testUserAffiliation() throws Exception {
1556 mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
1557 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1558 mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS_FULL);
1559
1560 // Check that the system user is unaffiliated.
1561 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1562 assertFalse(dpm.isAffiliatedUser());
1563
1564 // Set a device owner on the system user. Check that the system user becomes affiliated.
1565 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1566 dpm.setActiveAdmin(admin1, /* replace =*/ false);
1567 assertTrue(dpm.setDeviceOwner(admin1, "owner-name"));
1568 assertTrue(dpm.isAffiliatedUser());
1569
1570 // Install a profile owner whose package name matches the device owner on a test user. Check
1571 // that the test user is unaffiliated.
1572 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1573 setAsProfileOwner(admin2);
1574 assertFalse(dpm.isAffiliatedUser());
1575
1576 // Have the profile owner specify a set of affiliation ids. Check that the test user remains
1577 // unaffiliated.
1578 final Set<String> userAffiliationIds = new ArraySet<>();
1579 userAffiliationIds.add("red");
1580 userAffiliationIds.add("green");
1581 userAffiliationIds.add("blue");
1582 dpm.setAffiliationIds(admin2, userAffiliationIds);
1583 assertFalse(dpm.isAffiliatedUser());
1584
1585 // Have the device owner specify a set of affiliation ids that do not intersect with those
1586 // specified by the profile owner. Check that the test user remains unaffiliated.
1587 final Set<String> deviceAffiliationIds = new ArraySet<>();
1588 deviceAffiliationIds.add("cyan");
1589 deviceAffiliationIds.add("yellow");
1590 deviceAffiliationIds.add("magenta");
1591 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1592 dpm.setAffiliationIds(admin1, deviceAffiliationIds);
1593 mContext.binder.callingUid = DpmMockContext.CALLER_UID;
1594 assertFalse(dpm.isAffiliatedUser());
1595
1596 // Have the profile owner specify a set of affiliation ids that intersect with those
1597 // specified by the device owner. Check that the test user becomes affiliated.
1598 userAffiliationIds.add("yellow");
1599 dpm.setAffiliationIds(admin2, userAffiliationIds);
1600 assertTrue(dpm.isAffiliatedUser());
1601
1602 // Change the profile owner to one whose package name does not match the device owner. Check
1603 // that the test user is not affiliated anymore.
1604 dpm.clearProfileOwner(admin2);
1605 final ComponentName admin = new ComponentName("test", "test");
1606 markPackageAsInstalled(admin.getPackageName(), null, DpmMockContext.CALLER_USER_HANDLE);
1607 assertTrue(dpm.setProfileOwner(admin, "owner-name", DpmMockContext.CALLER_USER_HANDLE));
1608 assertFalse(dpm.isAffiliatedUser());
1609
1610 // Check that the system user remains affiliated.
1611 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1612 assertTrue(dpm.isAffiliatedUser());
1613 }
Alan Treadwayafad8782016-01-19 15:15:08 +0000[diff] [blame]1614
1615 public void testGetUserProvisioningState_defaultResult() {
1616 assertEquals(DevicePolicyManager.STATE_USER_UNMANAGED, dpm.getUserProvisioningState());
1617 }
1618
1619 public void testSetUserProvisioningState_permission() throws Exception {
1620 setupProfileOwner();
1621 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1622
1623 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1624 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1625 }
1626
1627 public void testSetUserProvisioningState_unprivileged() throws Exception {
1628 setupProfileOwner();
1629 try {
1630 dpm.setUserProvisioningState(DevicePolicyManager.STATE_USER_SETUP_FINALIZED,
1631 DpmMockContext.CALLER_USER_HANDLE);
1632 fail("Expected SecurityException");
1633 } catch (SecurityException expected) {
1634 }
1635 }
1636
1637 public void testSetUserProvisioningState_noManagement() {
1638 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1639 try {
1640 dpm.setUserProvisioningState(DevicePolicyManager.STATE_USER_SETUP_FINALIZED,
1641 DpmMockContext.CALLER_USER_HANDLE);
1642 fail("IllegalStateException expected");
1643 } catch (IllegalStateException e) {
1644 MoreAsserts.assertContainsRegex("change provisioning state unless a .* owner is set",
1645 e.getMessage());
1646 }
1647 assertEquals(DevicePolicyManager.STATE_USER_UNMANAGED, dpm.getUserProvisioningState());
1648 }
1649
1650 public void testSetUserProvisioningState_deviceOwnerFromSetupWizard() throws Exception {
1651 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1652 setupDeviceOwner();
1653 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1654
1655 exerciseUserProvisioningTransitions(UserHandle.USER_SYSTEM,
1656 DevicePolicyManager.STATE_USER_SETUP_COMPLETE,
1657 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1658 }
1659
1660 public void testSetUserProvisioningState_deviceOwnerFromSetupWizardAlternative()
1661 throws Exception {
1662 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1663 setupDeviceOwner();
1664 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1665
1666 exerciseUserProvisioningTransitions(UserHandle.USER_SYSTEM,
1667 DevicePolicyManager.STATE_USER_SETUP_INCOMPLETE,
1668 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1669 }
1670
1671 public void testSetUserProvisioningState_deviceOwnerWithoutSetupWizard() throws Exception {
1672 mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
1673 setupDeviceOwner();
1674 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1675
1676 exerciseUserProvisioningTransitions(UserHandle.USER_SYSTEM,
1677 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1678 }
1679
1680 public void testSetUserProvisioningState_managedProfileFromSetupWizard_primaryUser()
1681 throws Exception {
1682 setupProfileOwner();
1683 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1684
1685 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1686 DevicePolicyManager.STATE_USER_PROFILE_COMPLETE,
1687 DevicePolicyManager.STATE_USER_UNMANAGED);
1688 }
1689
1690 public void testSetUserProvisioningState_managedProfileFromSetupWizard_managedProfile()
1691 throws Exception {
1692 setupProfileOwner();
1693 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1694
1695 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1696 DevicePolicyManager.STATE_USER_SETUP_COMPLETE,
1697 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1698 }
1699
1700 public void testSetUserProvisioningState_managedProfileWithoutSetupWizard() throws Exception {
1701 setupProfileOwner();
1702 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1703
1704 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1705 DevicePolicyManager.STATE_USER_SETUP_FINALIZED);
1706 }
1707
1708 public void testSetUserProvisioningState_illegalTransitionOutOfFinalized1() throws Exception {
1709 setupProfileOwner();
1710 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1711
1712 try {
1713 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1714 DevicePolicyManager.STATE_USER_SETUP_FINALIZED,
1715 DevicePolicyManager.STATE_USER_UNMANAGED);
1716 fail("Expected IllegalStateException");
1717 } catch (IllegalStateException e) {
1718 MoreAsserts.assertContainsRegex("Cannot move to user provisioning state",
1719 e.getMessage());
1720 }
1721 }
1722
1723 public void testSetUserProvisioningState_illegalTransitionToAnotherInProgressState()
1724 throws Exception {
1725 setupProfileOwner();
1726 mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
1727
1728 try {
1729 exerciseUserProvisioningTransitions(DpmMockContext.CALLER_USER_HANDLE,
1730 DevicePolicyManager.STATE_USER_SETUP_INCOMPLETE,
1731 DevicePolicyManager.STATE_USER_SETUP_COMPLETE);
1732 fail("Expected IllegalStateException");
1733 } catch (IllegalStateException e) {
1734 MoreAsserts.assertContainsRegex("Cannot move to user provisioning state",
1735 e.getMessage());
1736 }
1737 }
1738
1739 private void exerciseUserProvisioningTransitions(int userId, int... states) {
1740 assertEquals(DevicePolicyManager.STATE_USER_UNMANAGED, dpm.getUserProvisioningState());
1741 for (int state : states) {
1742 dpm.setUserProvisioningState(state, userId);
1743 assertEquals(state, dpm.getUserProvisioningState());
1744 }
1745 }
1746
1747 private void setupProfileOwner() throws Exception {
1748 mContext.callerPermissions.addAll(OWNER_SETUP_PERMISSIONS);
1749
1750 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_UID);
1751 dpm.setActiveAdmin(admin1, false);
1752 assertTrue(dpm.setProfileOwner(admin1, null, DpmMockContext.CALLER_USER_HANDLE));
1753
1754 mContext.callerPermissions.removeAll(OWNER_SETUP_PERMISSIONS);
1755 }
1756
1757 private void setupDeviceOwner() throws Exception {
1758 mContext.callerPermissions.addAll(OWNER_SETUP_PERMISSIONS);
1759
1760 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID);
1761 dpm.setActiveAdmin(admin1, false);
1762 assertTrue(dpm.setDeviceOwner(admin1, null, UserHandle.USER_SYSTEM));
1763
1764 mContext.callerPermissions.removeAll(OWNER_SETUP_PERMISSIONS);
1765 }
Makoto Onukicc4bbeb2015-09-17 10:28:24 -0700[diff] [blame]1766}