Add IPsec Tunnel Mode security-check tests
This change adds tests for the security checks in IpSecService, ensuring
that the MANAGE_IPSEC_TUNNELS appOp is granted before anything can run.
Bug: 115685048
Test: This, passes on aosp_taimen-eng
Change-Id: Ide50c71548847bedbcaa75410b4696ed29404ab5
diff --git a/tests/cts/net/src/android/net/cts/IpSecManagerTunnelTest.java b/tests/cts/net/src/android/net/cts/IpSecManagerTunnelTest.java
index 5c80e33..95ca25c 100644
--- a/tests/cts/net/src/android/net/cts/IpSecManagerTunnelTest.java
+++ b/tests/cts/net/src/android/net/cts/IpSecManagerTunnelTest.java
@@ -50,7 +50,6 @@
protected void setUp() throws Exception {
super.setUp();
- setAppop(true);
}
protected void tearDown() {
@@ -69,8 +68,36 @@
SystemUtil.runShellCommand(cmd);
}
+ public void testSecurityExceptionsCreateTunnelInterface() throws Exception {
+ // Ensure we don't have the appop. Permission is not requested in the Manifest
+ setAppop(false);
+
+ // Security exceptions are thrown regardless of IPv4/IPv6. Just test one
+ try {
+ mISM.createIpSecTunnelInterface(OUTER_ADDR6, OUTER_ADDR6, mUnderlyingNetwork);
+ fail("Did not throw SecurityException for Tunnel creation without appop");
+ } catch (SecurityException expected) {
+ }
+ }
+
+ public void testSecurityExceptionsBuildTunnelTransform() throws Exception {
+ // Ensure we don't have the appop. Permission is not requested in the Manifest
+ setAppop(false);
+
+ // Security exceptions are thrown regardless of IPv4/IPv6. Just test one
+ try (IpSecManager.SecurityParameterIndex spi =
+ mISM.allocateSecurityParameterIndex(OUTER_ADDR4);
+ IpSecTransform transform =
+ new IpSecTransform.Builder(mContext)
+ .buildTunnelModeTransform(OUTER_ADDR4, spi)) {
+ fail("Did not throw SecurityException for Transform creation without appop");
+ } catch (SecurityException expected) {
+ }
+ }
+
private void checkTunnel(InetAddress inner, InetAddress outer, boolean useEncap)
throws Exception {
+ setAppop(true);
int innerPrefixLen = inner instanceof Inet6Address ? IP6_PREFIX_LEN : IP4_PREFIX_LEN;
try (IpSecManager.SecurityParameterIndex spi = mISM.allocateSecurityParameterIndex(outer);
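Review bot: In testSecurityExceptionsBuildTunnelTransform the `catch (SecurityException expected)` covers both resources of the try-with-resources, so a SecurityException thrown by `allocateSecurityParameterIndex(OUTER_ADDR4)` would make the test pass without `buildTunnelModeTransform` ever being reached. The test is meant to show that the MANAGE_IPSEC_TUNNELS check guards tunnel-mode transform creation, so the SPI allocation should sit in an outer try-with-resources, with only the transform construction inside the try that expects the exception. Separately, both new tests leave the appop revoked and only checkTunnel re-grants it; tearDown's body is not visible in this diff, so it is worth confirming that it restores a known state. checkTunnel's body continues outside the hunk.

```java
public void testSecurityExceptionsBuildTunnelTransform() throws Exception {
    // … unchanged: setAppop(false) and the IPv4/IPv6 comment …

    // Allocate the SPI outside the expected-failure scope, so that a
    // SecurityException from allocation fails the test instead of passing it.
    try (IpSecManager.SecurityParameterIndex spi =
            mISM.allocateSecurityParameterIndex(OUTER_ADDR4)) {
        try (IpSecTransform transform =
                new IpSecTransform.Builder(mContext)
                        .buildTunnelModeTransform(OUTER_ADDR4, spi)) {
            fail("Did not throw SecurityException for Transform creation without appop");
        } catch (SecurityException expected) {
            // Expected: the appop is not granted.
        }
    }
}
```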