1 /* 2 * Copyright (C) 2017 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 package com.android.cts.deviceandprofileowner; 17 18 import android.app.KeyguardManager; 19 import android.app.admin.DevicePolicyManager; 20 import android.support.test.InstrumentationRegistry; 21 22 public class ResetPasswordWithTokenTest extends BaseDeviceAdminTest { 23 24 private static final String SHORT_PASSWORD = "1234"; 25 private static final String COMPLEX_PASSWORD = "abc123."; 26 27 private static final byte[] TOKEN0 = "abcdefghijklmnopqrstuvwxyz0123456789".getBytes(); 28 private static final byte[] TOKEN1 = "abcdefghijklmnopqrstuvwxyz012345678*".getBytes(); 29 30 private static final String ARG_ALLOW_FAILURE = "allowFailure"; 31 32 private boolean mShouldRun; 33 34 @Override 35 protected void setUp() throws Exception { 36 super.setUp(); 37 Boolean allowFailure = Boolean.parseBoolean(InstrumentationRegistry.getArguments() 38 .getString(ARG_ALLOW_FAILURE)); 39 mShouldRun = setUpResetPasswordToken(allowFailure); 40 } 41 42 @Override 43 protected void tearDown() throws Exception { 44 if (mShouldRun) { 45 cleanUpResetPasswordToken(); 46 } 47 super.tearDown(); 48 } 49 50 public void testBadTokenShouldFail() { 51 if (!mShouldRun) { 52 return; 53 } 54 // resetting password with wrong token should fail 55 assertFalse(mDevicePolicyManager.resetPasswordWithToken(ADMIN_RECEIVER_COMPONENT, 56 SHORT_PASSWORD, TOKEN1, 0)); 57 } 58 59 public void testChangePasswordWithToken() { 60 if (!mShouldRun) { 61 return; 62 } 63 // try changing password with token 64 assertTrue(mDevicePolicyManager.resetPasswordWithToken(ADMIN_RECEIVER_COMPONENT, 65 SHORT_PASSWORD, TOKEN0, 0)); 66 67 // Set a strong password constraint and expect the sufficiency check to fail 68 mDevicePolicyManager.setPasswordQuality(ADMIN_RECEIVER_COMPONENT, 69 DevicePolicyManager.PASSWORD_QUALITY_NUMERIC); 70 mDevicePolicyManager.setPasswordMinimumLength(ADMIN_RECEIVER_COMPONENT, 6); 71 assertPasswordSufficiency(false); 72 73 // try changing to a stronger password and verify it satisfies requested constraint 74 assertTrue(mDevicePolicyManager.resetPasswordWithToken(ADMIN_RECEIVER_COMPONENT, 75 COMPLEX_PASSWORD, TOKEN0, 0)); 76 assertPasswordSufficiency(true); 77 } 78 79 public void testResetPasswordFailIfQualityNotMet() { 80 if (!mShouldRun) { 81 return; 82 } 83 mDevicePolicyManager.setPasswordQuality(ADMIN_RECEIVER_COMPONENT, 84 DevicePolicyManager.PASSWORD_QUALITY_NUMERIC); 85 mDevicePolicyManager.setPasswordMinimumLength(ADMIN_RECEIVER_COMPONENT, 6); 86 87 assertFalse(mDevicePolicyManager.resetPasswordWithToken(ADMIN_RECEIVER_COMPONENT, 88 SHORT_PASSWORD, TOKEN0, 0)); 89 90 assertTrue(mDevicePolicyManager.resetPasswordWithToken(ADMIN_RECEIVER_COMPONENT, 91 COMPLEX_PASSWORD, TOKEN0, 0)); 92 } 93 94 public void testPasswordMetricAfterResetPassword() { 95 if (!mShouldRun) { 96 return; 97 } 98 mDevicePolicyManager.setPasswordQuality(ADMIN_RECEIVER_COMPONENT, 99 DevicePolicyManager.PASSWORD_QUALITY_COMPLEX); 100 mDevicePolicyManager.setPasswordMinimumNumeric(ADMIN_RECEIVER_COMPONENT, 1); 101 mDevicePolicyManager.setPasswordMinimumLetters(ADMIN_RECEIVER_COMPONENT, 1); 102 mDevicePolicyManager.setPasswordMinimumSymbols(ADMIN_RECEIVER_COMPONENT, 0); 103 assertTrue(mDevicePolicyManager.resetPasswordWithToken(ADMIN_RECEIVER_COMPONENT, 104 COMPLEX_PASSWORD, TOKEN0, 0)); 105 106 // Change required complexity and verify new password satisfies it 107 // First set a slightly stronger requirement and expect password sufficiency is false 108 mDevicePolicyManager.setPasswordMinimumNumeric(ADMIN_RECEIVER_COMPONENT, 3); 109 mDevicePolicyManager.setPasswordMinimumLetters(ADMIN_RECEIVER_COMPONENT, 3); 110 mDevicePolicyManager.setPasswordMinimumSymbols(ADMIN_RECEIVER_COMPONENT, 2); 111 assertPasswordSufficiency(false); 112 // Then sets the appropriate quality and verify it should pass 113 mDevicePolicyManager.setPasswordMinimumSymbols(ADMIN_RECEIVER_COMPONENT, 1); 114 assertPasswordSufficiency(true); 115 } 116 117 public void testClearPasswordWithToken() { 118 if (!mShouldRun) { 119 return; 120 } 121 KeyguardManager km = mContext.getSystemService(KeyguardManager.class); 122 // First set a password 123 assertTrue(mDevicePolicyManager.resetPasswordWithToken(ADMIN_RECEIVER_COMPONENT, 124 SHORT_PASSWORD, TOKEN0, 0)); 125 assertTrue(km.isDeviceSecure()); 126 127 // clear password with token 128 assertTrue(mDevicePolicyManager.resetPasswordWithToken(ADMIN_RECEIVER_COMPONENT, null, 129 TOKEN0, 0)); 130 assertFalse(km.isDeviceSecure()); 131 } 132 133 private boolean setUpResetPasswordToken(boolean acceptFailure) { 134 // set up a token 135 assertFalse(mDevicePolicyManager.isResetPasswordTokenActive(ADMIN_RECEIVER_COMPONENT)); 136 137 try { 138 // On devices with password token disabled, calling this method will throw 139 // a security exception. If that's anticipated, then return early without failing. 140 assertTrue(mDevicePolicyManager.setResetPasswordToken(ADMIN_RECEIVER_COMPONENT, 141 TOKEN0)); 142 } catch (SecurityException e) { 143 if (acceptFailure && 144 e.getMessage().equals("Escrow token is disabled on the current user")) { 145 return false; 146 } else { 147 throw e; 148 } 149 } 150 assertTrue(mDevicePolicyManager.isResetPasswordTokenActive(ADMIN_RECEIVER_COMPONENT)); 151 return true; 152 } 153 154 private void cleanUpResetPasswordToken() { 155 // First remove device lock 156 mDevicePolicyManager.setPasswordQuality(ADMIN_RECEIVER_COMPONENT, 157 DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED); 158 mDevicePolicyManager.setPasswordMinimumLength(ADMIN_RECEIVER_COMPONENT, 0); 159 assertTrue(mDevicePolicyManager.resetPasswordWithToken(ADMIN_RECEIVER_COMPONENT, null, 160 TOKEN0, 0)); 161 162 // Then remove token and check it succeeds 163 assertTrue(mDevicePolicyManager.clearResetPasswordToken(ADMIN_RECEIVER_COMPONENT)); 164 assertFalse(mDevicePolicyManager.isResetPasswordTokenActive(ADMIN_RECEIVER_COMPONENT)); 165 assertFalse(mDevicePolicyManager.resetPasswordWithToken(ADMIN_RECEIVER_COMPONENT, 166 SHORT_PASSWORD, TOKEN0, 0)); 167 } 168 }