Add checking NetworkStack permission methods and tests
These methods migrate from android.net.NetworkStack.
checkNetworkStackPermission()
checkNetworkStackPermissionOr()
Bug: 178352309
Test: atest NetworkStaticLibTests
Change-Id: Iba4daaac3c662b87fec038f7c557e4fd6544c069
diff --git a/staticlibs/framework/com/android/net/module/util/PermissionUtils.java b/staticlibs/framework/com/android/net/module/util/PermissionUtils.java
index ce8a745..10eda57 100644
--- a/staticlibs/framework/com/android/net/module/util/PermissionUtils.java
+++ b/staticlibs/framework/com/android/net/module/util/PermissionUtils.java
@@ -16,11 +16,16 @@
package com.android.net.module.util;
+import static android.Manifest.permission.NETWORK_STACK;
import static android.content.pm.PackageManager.PERMISSION_GRANTED;
+import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK;
import android.annotation.NonNull;
import android.content.Context;
+import java.util.ArrayList;
+import java.util.Arrays;
+
/**
* Collection of permission utilities.
* @hide
@@ -49,4 +54,30 @@
+ String.join(", ", permissions) + ".");
}
}
+
+ /**
+ * If the NetworkStack, MAINLINE_NETWORK_STACK are not allowed for a particular process, throw a
+ * {@link SecurityException}.
+ *
+ * @param context {@link android.content.Context} for the process.
+ */
+ public static void enforceNetworkStackPermission(final @NonNull Context context) {
+ enforceNetworkStackPermissionOr(context);
+ }
+
+ /**
+ * If the NetworkStack, MAINLINE_NETWORK_STACK or other specified permissions are not allowed
+ * for a particular process, throw a {@link SecurityException}.
+ *
+ * @param context {@link android.content.Context} for the process.
+ * @param otherPermissions The set of permissions that could be the candidate permissions , or
+ * empty string if none of other permissions needed.
+ */
+ public static void enforceNetworkStackPermissionOr(final @NonNull Context context,
+ final @NonNull String... otherPermissions) {
+ ArrayList<String> permissions = new ArrayList<String>(Arrays.asList(otherPermissions));
+ permissions.add(NETWORK_STACK);
+ permissions.add(PERMISSION_MAINLINE_NETWORK_STACK);
+ enforceAnyPermissionOf(context, permissions.toArray(new String[0]));
+ }
}
diff --git a/staticlibs/tests/unit/src/com/android/net/module/util/PermissionUtilsTest.kt b/staticlibs/tests/unit/src/com/android/net/module/util/PermissionUtilsTest.kt
new file mode 100644
index 0000000..6da5e7d
--- /dev/null
+++ b/staticlibs/tests/unit/src/com/android/net/module/util/PermissionUtilsTest.kt
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.net.module.util
+
+import android.Manifest.permission.NETWORK_STACK
+import android.content.Context
+import android.content.pm.PackageManager.PERMISSION_DENIED
+import android.content.pm.PackageManager.PERMISSION_GRANTED
+import android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK
+import androidx.test.filters.SmallTest
+import androidx.test.runner.AndroidJUnit4
+import com.android.net.module.util.PermissionUtils.checkAnyPermissionOf
+import com.android.net.module.util.PermissionUtils.enforceNetworkStackPermission
+import com.android.net.module.util.PermissionUtils.enforceNetworkStackPermissionOr
+import com.android.net.module.util.PermissionUtils.enforceAnyPermissionOf
+import org.junit.Assert.assertFalse
+import org.junit.Assert.assertTrue
+import org.junit.Test
+import org.junit.runner.RunWith
+import org.mockito.ArgumentMatchers.any
+import org.mockito.Mockito.doReturn
+import org.mockito.Mockito.mock
+import kotlin.test.assertFailsWith
+
+/** Tests for PermissionUtils */
+@RunWith(AndroidJUnit4::class)
+@SmallTest
+class PermissionUtilsTest {
+ private val TEST_PERMISSION1 = "android.permission.TEST_PERMISSION1"
+ private val TEST_PERMISSION2 = "android.permission.TEST_PERMISSION2"
+ private val context = mock(Context::class.java)
+
+ @Test
+ fun testEnforceAnyPermissionOf() {
+ doReturn(PERMISSION_GRANTED).`when`(context).checkCallingOrSelfPermission(TEST_PERMISSION1)
+ doReturn(PERMISSION_DENIED).`when`(context).checkCallingOrSelfPermission(TEST_PERMISSION2)
+ assertTrue(checkAnyPermissionOf(context, TEST_PERMISSION1, TEST_PERMISSION2))
+ enforceAnyPermissionOf(context, TEST_PERMISSION1, TEST_PERMISSION2)
+
+ doReturn(PERMISSION_DENIED).`when`(context).checkCallingOrSelfPermission(TEST_PERMISSION1)
+ doReturn(PERMISSION_GRANTED).`when`(context).checkCallingOrSelfPermission(TEST_PERMISSION2)
+ assertTrue(checkAnyPermissionOf(context, TEST_PERMISSION1, TEST_PERMISSION2))
+ enforceAnyPermissionOf(context, TEST_PERMISSION1, TEST_PERMISSION2)
+
+ doReturn(PERMISSION_DENIED).`when`(context).checkCallingOrSelfPermission(any())
+ assertFalse(checkAnyPermissionOf(context, TEST_PERMISSION1, TEST_PERMISSION2))
+ assertFailsWith<SecurityException>("Expect fail but permission granted.") {
+ enforceAnyPermissionOf(context, TEST_PERMISSION1, TEST_PERMISSION2) }
+ }
+
+ @Test
+ fun testEnforceNetworkStackPermissionOr() {
+ doReturn(PERMISSION_GRANTED).`when`(context).checkCallingOrSelfPermission(NETWORK_STACK)
+ doReturn(PERMISSION_DENIED).`when`(context)
+ .checkCallingOrSelfPermission(PERMISSION_MAINLINE_NETWORK_STACK)
+ enforceNetworkStackPermission(context)
+ enforceNetworkStackPermissionOr(context, TEST_PERMISSION1)
+
+ doReturn(PERMISSION_DENIED).`when`(context).checkCallingOrSelfPermission(NETWORK_STACK)
+ doReturn(PERMISSION_GRANTED).`when`(context)
+ .checkCallingOrSelfPermission(PERMISSION_MAINLINE_NETWORK_STACK)
+ enforceNetworkStackPermission(context)
+ enforceNetworkStackPermissionOr(context, TEST_PERMISSION2)
+
+ doReturn(PERMISSION_DENIED).`when`(context).checkCallingOrSelfPermission(NETWORK_STACK)
+ doReturn(PERMISSION_DENIED).`when`(context)
+ .checkCallingOrSelfPermission(PERMISSION_MAINLINE_NETWORK_STACK)
+ doReturn(PERMISSION_GRANTED).`when`(context).checkCallingOrSelfPermission(TEST_PERMISSION1)
+ assertFailsWith<SecurityException>("Expect fail but permission granted.") {
+ enforceNetworkStackPermission(context) }
+ enforceNetworkStackPermissionOr(context, TEST_PERMISSION1)
+
+ doReturn(PERMISSION_DENIED).`when`(context).checkCallingOrSelfPermission(any())
+ assertFailsWith<SecurityException>("Expect fail but permission granted.") {
+ enforceNetworkStackPermission(context) }
+ assertFailsWith<SecurityException>("Expect fail but permission granted.") {
+ enforceNetworkStackPermissionOr(context, TEST_PERMISSION2) }
+ }
+}