Merge "Validate all INTERNET-providing VCN-managed networks" am: b56816d57b am: fdc1ee1f77
Original change: https://android-review.googlesource.com/c/platform/packages/modules/NetworkStack/+/1705647
Change-Id: I5dbb09b155ad2b1d7aad0de0d25d71be104c1a48
diff --git a/common/moduleutils/src/android/net/shared/NetworkMonitorUtils.java b/common/moduleutils/src/android/net/shared/NetworkMonitorUtils.java
index 61e3174..18138a7 100644
--- a/common/moduleutils/src/android/net/shared/NetworkMonitorUtils.java
+++ b/common/moduleutils/src/android/net/shared/NetworkMonitorUtils.java
@@ -37,6 +37,14 @@
// TODO: use NetworkCapabilities.TRANSPORT_TEST once NetworkStack builds against API 31.
private static final int TRANSPORT_TEST = 7;
+ // This class is used by both NetworkMonitor and ConnectivityService, so it cannot use
+ // NetworkStack shims, but at the same time cannot use non-system APIs.
+ // NET_CAPABILITY_NOT_VCN_MANAGED is system API as of S (so it is enforced to always be 28 and
+ // can't be changed).
+ // TODO: use NetworkCapabilities.NET_CAPABILITY_NOT_VCN_MANAGED once NetworkStack builds against
+ // API 31.
+ public static final int NET_CAPABILITY_NOT_VCN_MANAGED = 28;
+
// Network conditions broadcast constants
public static final String ACTION_NETWORK_CONDITIONS_MEASURED =
"android.net.conn.NETWORK_CONDITIONS_MEASURED";
@@ -60,12 +68,15 @@
public static boolean isPrivateDnsValidationRequired(NetworkCapabilities nc) {
if (nc == null) return false;
+ final boolean isVcnManaged = !nc.hasCapability(NET_CAPABILITY_NOT_VCN_MANAGED);
+ final boolean isOemPaid = nc.hasCapability(NET_CAPABILITY_OEM_PAID)
+ && nc.hasCapability(NET_CAPABILITY_TRUSTED);
+ final boolean isDefaultCapable = nc.hasCapability(NET_CAPABILITY_NOT_RESTRICTED)
+ && nc.hasCapability(NET_CAPABILITY_TRUSTED);
+
// TODO: Consider requiring validation for DUN networks.
if (nc.hasCapability(NET_CAPABILITY_INTERNET)
- && (nc.hasCapability(NET_CAPABILITY_NOT_RESTRICTED)
- || nc.hasCapability(NET_CAPABILITY_OEM_PAID))
- && nc.hasCapability(NET_CAPABILITY_TRUSTED)) {
- // Real networks
+ && (isVcnManaged || isOemPaid || isDefaultCapable)) {
return true;
}
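Review bot: `isVcnManaged` is derived from the absence of capability 28 with no SDK-level guard, while the test helper added in this same commit states that NOT_VCN_MANAGED is an invalid capability value up to Android R. If `hasCapability()` reports false for an out-of-range value on those releases, every INTERNET network there counts as VCN-managed, so the `NOT_RESTRICTED`/`OEM_PAID` and `TRUSTED` requirements no longer narrow anything and restricted or untrusted networks start being validated. Consider gating the flag on the platform release, e.g. `final boolean isVcnManaged = <S-or-later check> && !nc.hasCapability(NET_CAPABILITY_NOT_VCN_MANAGED);`, using whichever release check this shared class is allowed to call, and recording that assumption in a comment beside it. The body of `isPrivateDnsValidationRequired` continues past the end of this hunk, so its later branches were not reviewed.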
diff --git a/tests/unit/src/com/android/server/connectivity/NetworkMonitorTest.java b/tests/unit/src/com/android/server/connectivity/NetworkMonitorTest.java
index b1c167e..d15c18f 100644
--- a/tests/unit/src/com/android/server/connectivity/NetworkMonitorTest.java
+++ b/tests/unit/src/com/android/server/connectivity/NetworkMonitorTest.java
@@ -116,6 +116,7 @@
import android.net.Uri;
import android.net.captiveportal.CaptivePortalProbeResult;
import android.net.metrics.IpConnectivityLog;
+import android.net.shared.NetworkMonitorUtils;
import android.net.shared.PrivateDnsConfig;
import android.net.util.SharedLog;
import android.net.wifi.WifiInfo;
@@ -1805,6 +1806,47 @@
verify(mCleartextDnsNetwork, never()).openConnection(any());
}
+ private NetworkCapabilities getVcnUnderlyingCarrierWifiCaps() {
+ // Must be called from within the test because NOT_VCN_MANAGED is an invalid capability
+ // value up to Android R. Thus, this must be guarded by an SDK check in tests that use this.
+ return new NetworkCapabilities.Builder()
+ .addTransportType(NetworkCapabilities.TRANSPORT_WIFI)
+ .removeCapability(NetworkMonitorUtils.NET_CAPABILITY_NOT_VCN_MANAGED)
+ .removeCapability(NetworkCapabilities.NET_CAPABILITY_NOT_RESTRICTED)
+ .removeCapability(NetworkCapabilities.NET_CAPABILITY_TRUSTED)
+ .addCapability(NET_CAPABILITY_INTERNET)
+ .build();
+ }
+
+ @Test
+ public void testVcnUnderlyingNetwork() throws Exception {
+ assumeTrue(ShimUtils.isAtLeastS());
+ setStatus(mHttpsConnection, 204);
+ setStatus(mHttpConnection, 204);
+
+ final NetworkMonitor nm = runNetworkTest(
+ TEST_LINK_PROPERTIES, getVcnUnderlyingCarrierWifiCaps(),
+ NETWORK_VALIDATION_RESULT_VALID,
+ NETWORK_VALIDATION_PROBE_DNS | NETWORK_VALIDATION_PROBE_HTTPS,
+ null /* redirectUrl */);
+ assertEquals(NETWORK_VALIDATION_RESULT_VALID,
+ nm.getEvaluationState().getEvaluationResult());
+ }
+
+ @Test
+ public void testVcnUnderlyingNetworkBadNetwork() throws Exception {
+ assumeTrue(ShimUtils.isAtLeastS());
+ setSslException(mHttpsConnection);
+ setStatus(mHttpConnection, 500);
+ setStatus(mFallbackConnection, 404);
+
+ final NetworkMonitor nm = runNetworkTest(
+ TEST_LINK_PROPERTIES, getVcnUnderlyingCarrierWifiCaps(),
+ VALIDATION_RESULT_INVALID, 0 /* probesSucceeded */, null /* redirectUrl */);
+ assertEquals(VALIDATION_RESULT_INVALID,
+ nm.getEvaluationState().getEvaluationResult());
+ }
+
@Test
public void testLaunchCaptivePortalApp() throws Exception {
setSslException(mHttpsConnection);
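Review bot: Both new tests are skipped below S by `assumeTrue(ShimUtils.isAtLeastS())` and only cover a network with NOT_VCN_MANAGED removed, so the boundary of the widened validation condition is not pinned. A companion case built like `getVcnUnderlyingCarrierWifiCaps()` but keeping `NetworkMonitorUtils.NET_CAPABILITY_NOT_VCN_MANAGED`, still without NOT_RESTRICTED and TRUSTED, would show that such a network remains exempt from validation. A case that runs before S would show what the capability check does where 28 is not a valid value, which is the path most likely to change behaviour unnoticed. `testLaunchCaptivePortalApp` at the end of the hunk is context only; its body lies outside the hunk.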