Add device_config flag to change the threshold for logging log list
update failures to statsd
This will make it easier to debug the logging logic, without needing to
hit the default threshold of 10.
Flag: com.android.net.ct.flags.certificate_transparency_service
Bug: 378626065
Test: atest NetworkSecurityUnitTests && tested flag behavior manually
Change-Id: I10c652615e78a700bb84aabaa37ddc850e031e56
diff --git a/networksecurity/service/src/com/android/server/net/ct/CertificateTransparencyDownloader.java b/networksecurity/service/src/com/android/server/net/ct/CertificateTransparencyDownloader.java
index d365ca1..ce14fc6 100644
--- a/networksecurity/service/src/com/android/server/net/ct/CertificateTransparencyDownloader.java
+++ b/networksecurity/service/src/com/android/server/net/ct/CertificateTransparencyDownloader.java
@@ -29,6 +29,7 @@
import android.content.IntentFilter;
import android.net.Uri;
import android.os.Build;
+import android.provider.DeviceConfig;
import android.util.Log;
import androidx.annotation.VisibleForTesting;
@@ -320,7 +321,12 @@
mDataStore.setPropertyInt(Config.LOG_LIST_UPDATE_FAILURE_COUNT, new_failure_count);
mDataStore.store();
- boolean shouldReport = new_failure_count >= Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD;
+ int threshold = DeviceConfig.getInt(
+ Config.NAMESPACE_NETWORK_SECURITY,
+ Config.FLAG_LOG_FAILURE_THRESHOLD,
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+
+ boolean shouldReport = new_failure_count >= threshold;
if (shouldReport) {
Log.d(TAG, "Log list update failure count exceeds threshold: " + new_failure_count);
}
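Review bot: The value returned by `DeviceConfig.getInt(...)` is used as the reporting threshold with no bounds check. A zero or negative value makes every failure report, and a very large value stops the statsd failure event for CT log list updates from ever firing. Since that event is what shows a device has stopped getting a fresh log list, I would fall back to the default for non-positive values, e.g. `if (threshold <= 0) threshold = Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD;`, and consider an upper cap. Including the effective threshold in the `Log.d` message would also help now that it is no longer a constant. The unit tests in this change only exercise the default value, and the enclosing method starts and ends outside this hunk.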
diff --git a/networksecurity/service/src/com/android/server/net/ct/Config.java b/networksecurity/service/src/com/android/server/net/ct/Config.java
index 592bc4e..bc4efab 100644
--- a/networksecurity/service/src/com/android/server/net/ct/Config.java
+++ b/networksecurity/service/src/com/android/server/net/ct/Config.java
@@ -45,6 +45,7 @@
static final String FLAG_METADATA_URL = FLAGS_PREFIX + "metadata_url";
static final String FLAG_VERSION = FLAGS_PREFIX + "version";
static final String FLAG_PUBLIC_KEY = FLAGS_PREFIX + "public_key";
+ static final String FLAG_LOG_FAILURE_THRESHOLD = FLAGS_PREFIX + "log_list_failure_threshold";
// properties
static final String VERSION = "version";
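Review bot: `FLAG_LOG_FAILURE_THRESHOLD` is named inconsistently with both its flag string (`log_list_failure_threshold`) and the default it overrides (`DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD`); "LOG" alone can be read as "logging" rather than "log list". I would rename it to `FLAG_LOG_LIST_UPDATE_FAILURE_THRESHOLD` and add a one-line comment such as `// Debug override for the number of consecutive log list update failures before reporting to statsd.` so the intended use and unit are clear where the flag is declared.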
@@ -60,5 +61,5 @@
static final String URL_PUBLIC_KEY = URL_PREFIX + "log_list.pub";
// Threshold amounts
- static final int LOG_LIST_UPDATE_FAILURE_THRESHOLD = 10;
+ static final int DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD = 10;
}
diff --git a/networksecurity/tests/unit/src/com/android/server/net/ct/CertificateTransparencyDownloaderTest.java b/networksecurity/tests/unit/src/com/android/server/net/ct/CertificateTransparencyDownloaderTest.java
index 34f8dd1..2f57fc9 100644
--- a/networksecurity/tests/unit/src/com/android/server/net/ct/CertificateTransparencyDownloaderTest.java
+++ b/networksecurity/tests/unit/src/com/android/server/net/ct/CertificateTransparencyDownloaderTest.java
@@ -203,7 +203,8 @@
mCertificateTransparencyDownloader.startPublicKeyDownload();
// Set the failure count to just below the threshold
mDataStore.setPropertyInt(
- Config.LOG_LIST_UPDATE_FAILURE_COUNT, Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD - 1);
+ Config.LOG_LIST_UPDATE_FAILURE_COUNT,
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD - 1);
mCertificateTransparencyDownloader.onReceive(
mContext,
@@ -212,11 +213,11 @@
assertThat(
mDataStore.getPropertyInt(
Config.LOG_LIST_UPDATE_FAILURE_COUNT, /* defaultValue= */ 0))
- .isEqualTo(Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+ .isEqualTo(Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
verify(mLogger, times(1))
.logCTLogListUpdateFailedEventWithDownloadStatus(
DownloadManager.ERROR_INSUFFICIENT_SPACE,
- Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
}
@Test
@@ -273,7 +274,8 @@
mCertificateTransparencyDownloader.startMetadataDownload();
// Set the failure count to just below the threshold
mDataStore.setPropertyInt(
- Config.LOG_LIST_UPDATE_FAILURE_COUNT, Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD - 1);
+ Config.LOG_LIST_UPDATE_FAILURE_COUNT,
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD - 1);
mCertificateTransparencyDownloader.onReceive(
mContext,
@@ -283,11 +285,11 @@
assertThat(
mDataStore.getPropertyInt(
Config.LOG_LIST_UPDATE_FAILURE_COUNT, /* defaultValue= */ 0))
- .isEqualTo(Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+ .isEqualTo(Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
verify(mLogger, times(1))
.logCTLogListUpdateFailedEventWithDownloadStatus(
DownloadManager.ERROR_INSUFFICIENT_SPACE,
- Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
}
@Test
@@ -350,7 +352,8 @@
mCertificateTransparencyDownloader.startContentDownload(mCompatVersion);
// Set the failure count to just below the threshold
mDataStore.setPropertyInt(
- Config.LOG_LIST_UPDATE_FAILURE_COUNT, Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD - 1);
+ Config.LOG_LIST_UPDATE_FAILURE_COUNT,
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD - 1);
mCertificateTransparencyDownloader.onReceive(
mContext,
@@ -360,11 +363,11 @@
assertThat(
mDataStore.getPropertyInt(
Config.LOG_LIST_UPDATE_FAILURE_COUNT, /* defaultValue= */ 0))
- .isEqualTo(Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+ .isEqualTo(Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
verify(mLogger, times(1))
.logCTLogListUpdateFailedEventWithDownloadStatus(
DownloadManager.ERROR_INSUFFICIENT_SPACE,
- Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
}
@Test
@@ -415,7 +418,8 @@
mCertificateTransparencyDownloader.startMetadataDownload();
// Set the failure count to just below the threshold
mDataStore.setPropertyInt(
- Config.LOG_LIST_UPDATE_FAILURE_COUNT, Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD - 1);
+ Config.LOG_LIST_UPDATE_FAILURE_COUNT,
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD - 1);
// Set the public key to be missing
mSignatureVerifier.resetPublicKey();
@@ -427,11 +431,11 @@
assertThat(
mDataStore.getPropertyInt(
Config.LOG_LIST_UPDATE_FAILURE_COUNT, /* defaultValue= */ 0))
- .isEqualTo(Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+ .isEqualTo(Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
verify(mLogger, times(1))
.logCTLogListUpdateFailedEvent(
CERTIFICATE_TRANSPARENCY_LOG_LIST_UPDATE_FAILED__FAILURE_REASON__FAILURE_SIGNATURE_NOT_FOUND,
- Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
verify(mLogger, never())
.logCTLogListUpdateFailedEvent(
eq(
@@ -453,7 +457,8 @@
// Set the failure count to just below the threshold
mDataStore.setPropertyInt(
- Config.LOG_LIST_UPDATE_FAILURE_COUNT, Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD - 1);
+ Config.LOG_LIST_UPDATE_FAILURE_COUNT,
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD - 1);
// Act
mCertificateTransparencyDownloader.startMetadataDownload();
@@ -466,7 +471,7 @@
assertThat(
mDataStore.getPropertyInt(
Config.LOG_LIST_UPDATE_FAILURE_COUNT, /* defaultValue= */ 0))
- .isEqualTo(Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+ .isEqualTo(Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
verify(mLogger, never())
.logCTLogListUpdateFailedEvent(
eq(
@@ -475,7 +480,7 @@
verify(mLogger, times(1))
.logCTLogListUpdateFailedEvent(
CERTIFICATE_TRANSPARENCY_LOG_LIST_UPDATE_FAILED__FAILURE_REASON__FAILURE_SIGNATURE_VERIFICATION,
- Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
}
@Test
@@ -492,7 +497,8 @@
// Set the failure count to just below the threshold
mDataStore.setPropertyInt(
- Config.LOG_LIST_UPDATE_FAILURE_COUNT, Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD - 1);
+ Config.LOG_LIST_UPDATE_FAILURE_COUNT,
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD - 1);
// Act
mCertificateTransparencyDownloader.startMetadataDownload();
@@ -505,7 +511,7 @@
assertThat(
mDataStore.getPropertyInt(
Config.LOG_LIST_UPDATE_FAILURE_COUNT, /* defaultValue= */ 0))
- .isEqualTo(Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+ .isEqualTo(Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
verify(mLogger, never())
.logCTLogListUpdateFailedEvent(
eq(
@@ -514,7 +520,7 @@
verify(mLogger, times(1))
.logCTLogListUpdateFailedEvent(
CERTIFICATE_TRANSPARENCY_LOG_LIST_UPDATE_FAILED__FAILURE_REASON__FAILURE_SIGNATURE_VERIFICATION,
- Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
}
@Test
@@ -560,7 +566,8 @@
mSignatureVerifier.setPublicKey(mPublicKey);
// Set the failure count to just below the threshold
mDataStore.setPropertyInt(
- Config.LOG_LIST_UPDATE_FAILURE_COUNT, Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD - 1);
+ Config.LOG_LIST_UPDATE_FAILURE_COUNT,
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD - 1);
mCertificateTransparencyDownloader.startMetadataDownload();
mCertificateTransparencyDownloader.onReceive(
@@ -571,11 +578,11 @@
assertThat(
mDataStore.getPropertyInt(
Config.LOG_LIST_UPDATE_FAILURE_COUNT, /* defaultValue= */ 0))
- .isEqualTo(Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+ .isEqualTo(Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
verify(mLogger, times(1))
.logCTLogListUpdateFailedEvent(
CERTIFICATE_TRANSPARENCY_LOG_LIST_UPDATE_FAILED__FAILURE_REASON__FAILURE_VERSION_ALREADY_EXISTS,
- Config.LOG_LIST_UPDATE_FAILURE_THRESHOLD);
+ Config.DEFAULT_LOG_LIST_UPDATE_FAILURE_THRESHOLD);
}
@Test