1 /* 2 * Copyright (C) 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 package com.android.server.devicepolicy; 17 18 import static org.mockito.Matchers.any; 19 import static org.mockito.Matchers.anyInt; 20 import static org.mockito.Matchers.eq; 21 import static org.mockito.Mockito.doAnswer; 22 import static org.mockito.Mockito.when; 23 24 import android.app.admin.DevicePolicyManagerInternal; 25 import android.content.pm.PackageManager; 26 import android.content.pm.UserInfo; 27 import android.os.Bundle; 28 import android.os.UserHandle; 29 import android.os.UserManager; 30 import android.provider.Settings; 31 32 import com.android.server.LocalServices; 33 import com.android.server.SystemService; 34 import com.android.server.devicepolicy.DevicePolicyManagerServiceTestable.OwnersTestable; 35 36 import java.io.File; 37 import java.util.HashMap; 38 import java.util.Map; 39 import java.util.Set; 40 41 public class DevicePolicyManagerServiceMigrationTest extends DpmTestBase { 42 private DpmMockContext mContext; 43 44 @Override 45 protected void setUp() throws Exception { 46 super.setUp(); 47 48 mContext = getContext(); 49 50 when(getServices().packageManager.hasSystemFeature(eq(PackageManager.FEATURE_DEVICE_ADMIN))) 51 .thenReturn(true); 52 } 53 54 public void testMigration() throws Exception { 55 final File user10dir = getServices().addUser(10, 0); 56 final File user11dir = getServices().addUser(11, UserInfo.FLAG_MANAGED_PROFILE); 57 getServices().addUser(12, 0); 58 59 setUpPackageManagerForAdmin(admin1, DpmMockContext.CALLER_SYSTEM_USER_UID); 60 setUpPackageManagerForAdmin(admin2, UserHandle.getUid(10, 123)); 61 setUpPackageManagerForAdmin(admin3, UserHandle.getUid(11, 456)); 62 63 // Create the legacy owners & policies file. 64 DpmTestUtils.writeToFile( 65 (new File(getServices().dataDir, OwnersTestable.LEGACY_FILE)).getAbsoluteFile(), 66 DpmTestUtils.readAsset(mRealTestContext, 67 "DevicePolicyManagerServiceMigrationTest/legacy_device_owner.xml")); 68 69 DpmTestUtils.writeToFile( 70 (new File(getServices().systemUserDataDir, "device_policies.xml")).getAbsoluteFile(), 71 DpmTestUtils.readAsset(mRealTestContext, 72 "DevicePolicyManagerServiceMigrationTest/legacy_device_policies.xml")); 73 74 DpmTestUtils.writeToFile( 75 (new File(user10dir, "device_policies.xml")).getAbsoluteFile(), 76 DpmTestUtils.readAsset(mRealTestContext, 77 "DevicePolicyManagerServiceMigrationTest/legacy_device_policies_10.xml")); 78 DpmTestUtils.writeToFile( 79 (new File(user11dir, "device_policies.xml")).getAbsoluteFile(), 80 DpmTestUtils.readAsset(mRealTestContext, 81 "DevicePolicyManagerServiceMigrationTest/legacy_device_policies_11.xml")); 82 83 // Set up UserManager 84 when(getServices().userManagerInternal.getBaseUserRestrictions( 85 eq(UserHandle.USER_SYSTEM))).thenReturn(DpmTestUtils.newRestrictions( 86 UserManager.DISALLOW_ADD_USER, 87 UserManager.DISALLOW_RECORD_AUDIO)); 88 89 when(getServices().userManagerInternal.getBaseUserRestrictions( 90 eq(10))).thenReturn(DpmTestUtils.newRestrictions( 91 UserManager.DISALLOW_REMOVE_USER, 92 UserManager.DISALLOW_ADD_USER, 93 UserManager.DISALLOW_SMS, 94 UserManager.DISALLOW_OUTGOING_CALLS, 95 UserManager.DISALLOW_WALLPAPER, 96 UserManager.DISALLOW_RECORD_AUDIO)); 97 98 when(getServices().userManagerInternal.getBaseUserRestrictions( 99 eq(11))).thenReturn(DpmTestUtils.newRestrictions( 100 UserManager.DISALLOW_REMOVE_USER, 101 UserManager.DISALLOW_ADD_USER, 102 UserManager.DISALLOW_SMS, 103 UserManager.DISALLOW_OUTGOING_CALLS, 104 UserManager.DISALLOW_WALLPAPER, 105 UserManager.DISALLOW_RECORD_AUDIO)); 106 107 final Map<Integer, Bundle> newBaseRestrictions = new HashMap<>(); 108 109 doAnswer(invocation -> { 110 Integer userId = (Integer) invocation.getArguments()[0]; 111 Bundle bundle = (Bundle) invocation.getArguments()[1]; 112 113 newBaseRestrictions.put(userId, bundle); 114 115 return null; 116 }).when(getServices().userManagerInternal).setBaseUserRestrictionsByDpmsForMigration( 117 anyInt(), any(Bundle.class)); 118 119 // Initialize DPM/DPMS and let it migrate the persisted information. 120 // (Need clearCallingIdentity() to pass permission checks.) 121 122 final DevicePolicyManagerServiceTestable dpms; 123 124 final long ident = mContext.binder.clearCallingIdentity(); 125 try { 126 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class); 127 128 dpms = new DevicePolicyManagerServiceTestable(getServices(), mContext); 129 130 dpms.systemReady(SystemService.PHASE_LOCK_SETTINGS_READY); 131 dpms.systemReady(SystemService.PHASE_BOOT_COMPLETED); 132 } finally { 133 mContext.binder.restoreCallingIdentity(ident); 134 } 135 136 assertTrue(dpms.mOwners.hasDeviceOwner()); 137 assertFalse(dpms.mOwners.hasProfileOwner(UserHandle.USER_SYSTEM)); 138 assertTrue(dpms.mOwners.hasProfileOwner(10)); 139 assertTrue(dpms.mOwners.hasProfileOwner(11)); 140 assertFalse(dpms.mOwners.hasProfileOwner(12)); 141 142 // Now all information should be migrated. 143 assertFalse(dpms.mOwners.getDeviceOwnerUserRestrictionsNeedsMigration()); 144 assertFalse(dpms.mOwners.getProfileOwnerUserRestrictionsNeedsMigration( 145 UserHandle.USER_SYSTEM)); 146 assertFalse(dpms.mOwners.getProfileOwnerUserRestrictionsNeedsMigration(10)); 147 assertFalse(dpms.mOwners.getProfileOwnerUserRestrictionsNeedsMigration(11)); 148 assertFalse(dpms.mOwners.getProfileOwnerUserRestrictionsNeedsMigration(12)); 149 150 // Check the new base restrictions. 151 DpmTestUtils.assertRestrictions( 152 DpmTestUtils.newRestrictions( 153 UserManager.DISALLOW_RECORD_AUDIO 154 ), 155 newBaseRestrictions.get(UserHandle.USER_SYSTEM)); 156 157 DpmTestUtils.assertRestrictions( 158 DpmTestUtils.newRestrictions( 159 UserManager.DISALLOW_ADD_USER, 160 UserManager.DISALLOW_SMS, 161 UserManager.DISALLOW_OUTGOING_CALLS, 162 UserManager.DISALLOW_RECORD_AUDIO, 163 UserManager.DISALLOW_WALLPAPER 164 ), 165 newBaseRestrictions.get(10)); 166 167 DpmTestUtils.assertRestrictions( 168 DpmTestUtils.newRestrictions( 169 UserManager.DISALLOW_ADD_USER, 170 UserManager.DISALLOW_SMS, 171 UserManager.DISALLOW_OUTGOING_CALLS, 172 UserManager.DISALLOW_WALLPAPER, 173 UserManager.DISALLOW_RECORD_AUDIO 174 ), 175 newBaseRestrictions.get(11)); 176 177 // Check the new owner restrictions. 178 DpmTestUtils.assertRestrictions( 179 DpmTestUtils.newRestrictions( 180 UserManager.DISALLOW_ADD_USER, 181 UserManager.DISALLOW_ADD_MANAGED_PROFILE 182 ), 183 dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()); 184 185 DpmTestUtils.assertRestrictions( 186 DpmTestUtils.newRestrictions( 187 UserManager.DISALLOW_REMOVE_USER 188 ), 189 dpms.getProfileOwnerAdminLocked(10).ensureUserRestrictions()); 190 191 DpmTestUtils.assertRestrictions( 192 DpmTestUtils.newRestrictions( 193 UserManager.DISALLOW_REMOVE_USER 194 ), 195 dpms.getProfileOwnerAdminLocked(11).ensureUserRestrictions()); 196 } 197 198 public void testMigration2_profileOwnerOnUser0() throws Exception { 199 setUpPackageManagerForAdmin(admin2, DpmMockContext.CALLER_SYSTEM_USER_UID); 200 201 // Create the legacy owners & policies file. 202 DpmTestUtils.writeToFile( 203 (new File(getServices().dataDir, OwnersTestable.LEGACY_FILE)).getAbsoluteFile(), 204 DpmTestUtils.readAsset(mRealTestContext, 205 "DevicePolicyManagerServiceMigrationTest2/legacy_device_owner.xml")); 206 207 DpmTestUtils.writeToFile( 208 (new File(getServices().systemUserDataDir, "device_policies.xml")).getAbsoluteFile(), 209 DpmTestUtils.readAsset(mRealTestContext, 210 "DevicePolicyManagerServiceMigrationTest2/legacy_device_policies.xml")); 211 212 // Set up UserManager 213 when(getServices().userManagerInternal.getBaseUserRestrictions( 214 eq(UserHandle.USER_SYSTEM))).thenReturn(DpmTestUtils.newRestrictions( 215 UserManager.DISALLOW_ADD_USER, 216 UserManager.DISALLOW_RECORD_AUDIO, 217 UserManager.DISALLOW_SMS, 218 UserManager.DISALLOW_OUTGOING_CALLS)); 219 220 final Map<Integer, Bundle> newBaseRestrictions = new HashMap<>(); 221 222 doAnswer(invocation -> { 223 Integer userId = (Integer) invocation.getArguments()[0]; 224 Bundle bundle = (Bundle) invocation.getArguments()[1]; 225 226 newBaseRestrictions.put(userId, bundle); 227 228 return null; 229 }).when(getServices().userManagerInternal).setBaseUserRestrictionsByDpmsForMigration( 230 anyInt(), any(Bundle.class)); 231 232 // Initialize DPM/DPMS and let it migrate the persisted information. 233 // (Need clearCallingIdentity() to pass permission checks.) 234 235 final DevicePolicyManagerServiceTestable dpms; 236 237 final long ident = mContext.binder.clearCallingIdentity(); 238 try { 239 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class); 240 241 dpms = new DevicePolicyManagerServiceTestable(getServices(), mContext); 242 243 dpms.systemReady(SystemService.PHASE_LOCK_SETTINGS_READY); 244 dpms.systemReady(SystemService.PHASE_BOOT_COMPLETED); 245 } finally { 246 mContext.binder.restoreCallingIdentity(ident); 247 } 248 assertFalse(dpms.mOwners.hasDeviceOwner()); 249 assertTrue(dpms.mOwners.hasProfileOwner(UserHandle.USER_SYSTEM)); 250 251 // Now all information should be migrated. 252 assertFalse(dpms.mOwners.getDeviceOwnerUserRestrictionsNeedsMigration()); 253 assertFalse(dpms.mOwners.getProfileOwnerUserRestrictionsNeedsMigration( 254 UserHandle.USER_SYSTEM)); 255 256 // Check the new base restrictions. 257 DpmTestUtils.assertRestrictions( 258 DpmTestUtils.newRestrictions( 259 UserManager.DISALLOW_RECORD_AUDIO 260 ), 261 newBaseRestrictions.get(UserHandle.USER_SYSTEM)); 262 263 // Check the new owner restrictions. 264 DpmTestUtils.assertRestrictions( 265 DpmTestUtils.newRestrictions( 266 UserManager.DISALLOW_ADD_USER, 267 UserManager.DISALLOW_SMS, 268 UserManager.DISALLOW_OUTGOING_CALLS 269 ), 270 dpms.getProfileOwnerAdminLocked(UserHandle.USER_SYSTEM).ensureUserRestrictions()); 271 } 272 273 // Test setting default restrictions for managed profile. 274 public void testMigration3_managedProfileOwner() throws Exception { 275 // Create a managed profile user. 276 final File user10dir = getServices().addUser(10, UserInfo.FLAG_MANAGED_PROFILE); 277 // Profile owner package for managed profile user. 278 setUpPackageManagerForAdmin(admin1, UserHandle.getUid(10, 123)); 279 // Set up fake UserManager to make it look like a managed profile. 280 when(getServices().userManager.isManagedProfile(eq(10))).thenReturn(true); 281 // Set up fake Settings to make it look like INSTALL_NON_MARKET_APPS was reversed. 282 when(getServices().settings.settingsSecureGetIntForUser( 283 eq(Settings.Secure.UNKNOWN_SOURCES_DEFAULT_REVERSED), 284 eq(0), eq(10))).thenReturn(1); 285 // Write policy and owners files. 286 DpmTestUtils.writeToFile( 287 (new File(getServices().systemUserDataDir, "device_policies.xml")).getAbsoluteFile(), 288 DpmTestUtils.readAsset(mRealTestContext, 289 "DevicePolicyManagerServiceMigrationTest3/system_device_policies.xml")); 290 DpmTestUtils.writeToFile( 291 (new File(user10dir, "device_policies.xml")).getAbsoluteFile(), 292 DpmTestUtils.readAsset(mRealTestContext, 293 "DevicePolicyManagerServiceMigrationTest3/profile_device_policies.xml")); 294 DpmTestUtils.writeToFile( 295 (new File(user10dir, "profile_owner.xml")).getAbsoluteFile(), 296 DpmTestUtils.readAsset(mRealTestContext, 297 "DevicePolicyManagerServiceMigrationTest3/profile_owner.xml")); 298 299 final DevicePolicyManagerServiceTestable dpms; 300 301 // Initialize DPM/DPMS and let it migrate the persisted information. 302 // (Need clearCallingIdentity() to pass permission checks.) 303 final long ident = mContext.binder.clearCallingIdentity(); 304 try { 305 LocalServices.removeServiceForTest(DevicePolicyManagerInternal.class); 306 307 dpms = new DevicePolicyManagerServiceTestable(getServices(), mContext); 308 309 dpms.systemReady(SystemService.PHASE_LOCK_SETTINGS_READY); 310 dpms.systemReady(SystemService.PHASE_BOOT_COMPLETED); 311 } finally { 312 mContext.binder.restoreCallingIdentity(ident); 313 } 314 315 assertFalse(dpms.mOwners.hasDeviceOwner()); 316 assertTrue(dpms.mOwners.hasProfileOwner(10)); 317 318 // Check that default restrictions were applied. 319 DpmTestUtils.assertRestrictions( 320 DpmTestUtils.newRestrictions( 321 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, 322 UserManager.DISALLOW_BLUETOOTH_SHARING 323 ), 324 dpms.getProfileOwnerAdminLocked(10).ensureUserRestrictions()); 325 326 final Set<String> alreadySet = 327 dpms.getProfileOwnerAdminLocked(10).defaultEnabledRestrictionsAlreadySet; 328 assertEquals(alreadySet.size(), 1); 329 assertTrue(alreadySet.contains(UserManager.DISALLOW_BLUETOOTH_SHARING)); 330 } 331 } 332
