Make some of the UID-based VPN code reusable
By changing some member refs into arguments and having one of the
functions create the UID range instead of adding to mVpnUsers.
This will be useful for other layers of UID filtering like having
UIDs explicitly blocked from the VPN.
Deleted one broken line of code that cleared the status intent when
a restricted profile is removed. Other than that, this commit shouldn't
change any behaviour. If it does, that's a bug.
Bug: 26694104
Change-Id: Ieb656835d3282a8ba63cc3f12a80bfae166bcf44
diff --git a/core/java/android/net/UidRange.java b/core/java/android/net/UidRange.java
index 2e586b3..fd465d9 100644
--- a/core/java/android/net/UidRange.java
+++ b/core/java/android/net/UidRange.java
@@ -48,6 +48,17 @@
return start / PER_USER_RANGE;
}
+ public boolean contains(int uid) {
+ return start <= uid && uid <= stop;
+ }
+
+ /**
+ * @return {@code true} if this range contains every UID contained by the {@param other} range.
+ */
+ public boolean containsRange(UidRange other) {
+ return start <= other.start && other.stop <= stop;
+ }
+
@Override
public int hashCode() {
int result = 17;
diff --git a/services/tests/servicestests/src/com/android/server/connectivity/VpnTest.java b/services/tests/servicestests/src/com/android/server/connectivity/VpnTest.java
new file mode 100644
index 0000000..3295bf5
--- /dev/null
+++ b/services/tests/servicestests/src/com/android/server/connectivity/VpnTest.java
@@ -0,0 +1,198 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.connectivity;
+
+import static android.content.pm.UserInfo.FLAG_ADMIN;
+import static android.content.pm.UserInfo.FLAG_MANAGED_PROFILE;
+import static android.content.pm.UserInfo.FLAG_PRIMARY;
+import static android.content.pm.UserInfo.FLAG_RESTRICTED;
+import static org.mockito.Mockito.*;
+
+import android.annotation.UserIdInt;
+import android.content.Context;
+import android.content.pm.PackageManager;
+import android.content.pm.UserInfo;
+import android.net.UidRange;
+import android.os.INetworkManagementService;
+import android.os.Looper;
+import android.os.UserHandle;
+import android.os.UserManager;
+import android.test.AndroidTestCase;
+import android.test.suitebuilder.annotation.SmallTest;
+import android.util.ArrayMap;
+import android.util.ArraySet;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Map;
+import java.util.Set;
+
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+
+/**
+ * Tests for {@link Vpn}.
+ *
+ * Build, install and run with:
+ * runtest --path src/com/android/server/connectivity/VpnTest.java
+ */
+public class VpnTest extends AndroidTestCase {
+ private static final String TAG = "VpnTest";
+
+ // Mock users
+ static final UserInfo primaryUser = new UserInfo(27, "Primary", FLAG_ADMIN | FLAG_PRIMARY);
+ static final UserInfo secondaryUser = new UserInfo(15, "Secondary", FLAG_ADMIN);
+ static final UserInfo restrictedProfileA = new UserInfo(40, "RestrictedA", FLAG_RESTRICTED);
+ static final UserInfo restrictedProfileB = new UserInfo(42, "RestrictedB", FLAG_RESTRICTED);
+ static final UserInfo managedProfileA = new UserInfo(45, "ManagedA", FLAG_MANAGED_PROFILE);
+ static {
+ restrictedProfileA.restrictedProfileParentId = primaryUser.id;
+ restrictedProfileB.restrictedProfileParentId = secondaryUser.id;
+ managedProfileA.profileGroupId = primaryUser.id;
+ }
+
+ @Mock private Context mContext;
+ @Mock private UserManager mUserManager;
+ @Mock private PackageManager mPackageManager;
+ @Mock private INetworkManagementService mNetService;
+
+ @Override
+ public void setUp() throws Exception {
+ MockitoAnnotations.initMocks(this);
+ when(mContext.getPackageManager()).thenReturn(mPackageManager);
+ when(mContext.getSystemService(eq(Context.USER_SERVICE))).thenReturn(mUserManager);
+ doNothing().when(mNetService).registerObserver(any());
+ }
+
+ @SmallTest
+ public void testRestrictedProfilesAreAddedToVpn() {
+ setMockedUsers(primaryUser, secondaryUser, restrictedProfileA, restrictedProfileB);
+
+ final Vpn vpn = createVpn(primaryUser.id);
+ final Set<UidRange> ranges = vpn.createUserAndRestrictedProfilesRanges(primaryUser.id,
+ null, null);
+
+ assertEquals(new ArraySet<>(Arrays.asList(new UidRange[] {
+ UidRange.createForUser(primaryUser.id),
+ UidRange.createForUser(restrictedProfileA.id)
+ })), ranges);
+ }
+
+ @SmallTest
+ public void testManagedProfilesAreNotAddedToVpn() {
+ setMockedUsers(primaryUser, managedProfileA);
+
+ final Vpn vpn = createVpn(primaryUser.id);
+ final Set<UidRange> ranges = vpn.createUserAndRestrictedProfilesRanges(primaryUser.id,
+ null, null);
+
+ assertEquals(new ArraySet<>(Arrays.asList(new UidRange[] {
+ UidRange.createForUser(primaryUser.id)
+ })), ranges);
+ }
+
+ @SmallTest
+ public void testAddUserToVpnOnlyAddsOneUser() {
+ setMockedUsers(primaryUser, restrictedProfileA, managedProfileA);
+
+ final Vpn vpn = createVpn(primaryUser.id);
+ final Set<UidRange> ranges = new ArraySet<>();
+ vpn.addUserToRanges(ranges, primaryUser.id, null, null);
+
+ assertEquals(new ArraySet<>(Arrays.asList(new UidRange[] {
+ UidRange.createForUser(primaryUser.id)
+ })), ranges);
+ }
+
+ @SmallTest
+ public void testUidWhiteAndBlacklist() throws Exception {
+ final Map<String, Integer> packages = new ArrayMap<>();
+ packages.put("com.example", 66);
+ packages.put("org.example", 77);
+ packages.put("net.example", 78);
+ setMockedPackages(packages);
+
+ final Vpn vpn = createVpn(primaryUser.id);
+ final UidRange user = UidRange.createForUser(primaryUser.id);
+
+ // Whitelist
+ final Set<UidRange> allow = vpn.createUserAndRestrictedProfilesRanges(primaryUser.id,
+ new ArrayList<String>(packages.keySet()), null);
+ assertEquals(new ArraySet<>(Arrays.asList(new UidRange[] {
+ new UidRange(user.start + 66, user.start + 66),
+ new UidRange(user.start + 77, user.start + 78)
+ })), allow);
+
+ // Blacklist
+ final Set<UidRange> disallow = vpn.createUserAndRestrictedProfilesRanges(primaryUser.id,
+ null, new ArrayList<String>(packages.keySet()));
+ assertEquals(new ArraySet<>(Arrays.asList(new UidRange[] {
+ new UidRange(user.start, user.start + 65),
+ new UidRange(user.start + 67, user.start + 76),
+ new UidRange(user.start + 79, user.stop)
+ })), disallow);
+ }
+
+ /**
+ * @return A subclass of {@link Vpn} which is reliably:
+ * <ul>
+ * <li>Associated with a specific user ID</li>
+ * <li>Not in always-on mode</li>
+ * </ul>
+ */
+ private Vpn createVpn(@UserIdInt int userId) {
+ return new Vpn(Looper.myLooper(), mContext, mNetService, userId);
+ }
+
+ /**
+ * Populate {@link #mUserManager} with a list of fake users.
+ */
+ private void setMockedUsers(UserInfo... users) {
+ final Map<Integer, UserInfo> userMap = new ArrayMap<>();
+ for (UserInfo user : users) {
+ userMap.put(user.id, user);
+ }
+
+ doAnswer(invocation -> {
+ return new ArrayList(userMap.values());
+ }).when(mUserManager).getUsers();
+
+ doAnswer(invocation -> {
+ final int id = (int) invocation.getArguments()[0];
+ return userMap.get(id);
+ }).when(mUserManager).getUserInfo(anyInt());
+
+ doAnswer(invocation -> {
+ final int id = (int) invocation.getArguments()[0];
+ return (userMap.get(id).flags & UserInfo.FLAG_ADMIN) != 0;
+ }).when(mUserManager).canHaveRestrictedProfile(anyInt());
+ }
+
+ /**
+ * Populate {@link #mPackageManager} with a fake packageName-to-UID mapping.
+ */
+ private void setMockedPackages(final Map<String, Integer> packages) {
+ try {
+ doAnswer(invocation -> {
+ final String appName = (String) invocation.getArguments()[0];
+ final int userId = (int) invocation.getArguments()[1];
+ return UserHandle.getUid(userId, packages.get(appName));
+ }).when(mPackageManager).getPackageUidAsUser(anyString(), anyInt());
+ } catch (Exception e) {
+ }
+ }
+}