Merge "Expose APIs to migrate IpSecTransform" am: 19aa23db7e am: bd3a05ce90 am: 0d066bd27e

Original change: https://android-review.googlesource.com/c/platform/packages/modules/Connectivity/+/2264321

Change-Id: I1d53fd8eb673dd483a93eae8aa07a59b44c35627
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/framework-t/api/system-current.txt b/framework-t/api/system-current.txt
index cbe725f..8b82a7b 100644
--- a/framework-t/api/system-current.txt
+++ b/framework-t/api/system-current.txt
@@ -464,6 +464,7 @@
   public class IpSecManager {
     method @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS) public void applyTunnelModeTransform(@NonNull android.net.IpSecManager.IpSecTunnelInterface, int, @NonNull android.net.IpSecTransform) throws java.io.IOException;
     method @NonNull @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS) public android.net.IpSecManager.IpSecTunnelInterface createIpSecTunnelInterface(@NonNull java.net.InetAddress, @NonNull java.net.InetAddress, @NonNull android.net.Network) throws java.io.IOException, android.net.IpSecManager.ResourceUnavailableException;
+    method @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS) public void startTunnelModeTransformMigration(@NonNull android.net.IpSecTransform, @NonNull java.net.InetAddress, @NonNull java.net.InetAddress);
   }
 
   public static final class IpSecManager.IpSecTunnelInterface implements java.lang.AutoCloseable {
diff --git a/framework-t/src/android/net/IpSecManager.java b/framework-t/src/android/net/IpSecManager.java
index ff021d6..c8469b1 100644
--- a/framework-t/src/android/net/IpSecManager.java
+++ b/framework-t/src/android/net/IpSecManager.java
@@ -823,16 +823,18 @@
          * Update the underlying network for this IpSecTunnelInterface.
          *
          * <p>This new underlying network will be used for all transforms applied AFTER this call is
-         * complete. Before new {@link IpSecTransform}(s) with matching addresses are applied to
-         * this tunnel interface, traffic will still use the old SA, and be routed on the old
+         * complete. Before {@link IpSecTransform}(s) with matching addresses are applied to this
+         * tunnel interface, traffic will still use the old transform, and be routed on the old
          * underlying network.
          *
          * <p>To migrate IPsec tunnel mode traffic, a caller should:
          *
          * <ol>
          *   <li>Update the IpSecTunnelInterface’s underlying network.
-         *   <li>Apply {@link IpSecTransform}(s) with matching addresses to this
-         *       IpSecTunnelInterface.
+         *   <li>Apply the new {@link IpSecTransform}(s) to this IpSecTunnelInterface. These can be
+         *       new {@link IpSecTransform}(s) with matching addresses, or {@link IpSecTransform}(s)
+         *       that have started migration (see {@link
+         *       IpSecManager#startTunnelModeTransformMigration}).
          * </ol>
          *
          * @param underlyingNetwork the new {@link Network} that will carry traffic for this tunnel.
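Review bot: Step 2 of the migration list now offers transforms "that have started migration" as an equal alternative, but it does not say that this path is feature-gated. The method it links to carries `@RequiresFeature(FEATURE_IPSEC_TUNNEL_MIGRATION)`, and the unit test in this change expects `UnsupportedOperationException` before U. A caller following the list on a device without the feature therefore gets no hint to fall back to new transforms with matching addresses. Suggest appending to the `<li>` a sentence such as `Migrating an existing transform requires FEATURE_IPSEC_TUNNEL_MIGRATION; otherwise build and apply new transforms.` The Javadoc block starts and ends outside this hunk.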
@@ -841,7 +843,6 @@
          *     method will throw an {@link IllegalArgumentException}. If the IpSecTunnelInterface is
          *     later added to this network, all outbound traffic will be blackholed.
          */
-        // TODO: b/169171001 Update the documentation when transform migration is supported.
         // The purpose of making updating network and applying transforms separate is to leave open
         // the possibility to support lossless migration procedures. To do that, Android platform
         // will need to support multiple inbound tunnel mode transforms, just like it can support
@@ -1033,9 +1034,10 @@
      * @param newDestinationAddress the new destination address
      * @hide
      */
+    @SystemApi
     @RequiresFeature(FEATURE_IPSEC_TUNNEL_MIGRATION)
     @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS)
-    public void startMigration(
+    public void startTunnelModeTransformMigration(
             @NonNull IpSecTransform transform,
             @NonNull InetAddress newSourceAddress,
             @NonNull InetAddress newDestinationAddress) {
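Review bot: Adding `@SystemApi` makes this method callable by privileged apps, and `@RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS)` is only a lint-time annotation. The actual check has to live in the service call this forwards to (the test hunk shows `migrateTransform` on the mocked service). That enforcement is not visible in this diff and should be confirmed before the API is exposed. The Javadoc above is also cut by the hunk; if it does not already have one, add `@throws UnsupportedOperationException if the device does not support FEATURE_IPSEC_TUNNEL_MIGRATION`, since the pre-U test depends on that behaviour. The method body continues outside the hunk.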
diff --git a/tests/unit/java/android/net/IpSecTransformTest.java b/tests/unit/java/android/net/IpSecTransformTest.java
index ec59064..8bc1bbd 100644
--- a/tests/unit/java/android/net/IpSecTransformTest.java
+++ b/tests/unit/java/android/net/IpSecTransformTest.java
@@ -143,8 +143,9 @@
 
     @Test
     @DevSdkIgnoreRule.IgnoreUpTo(Build.VERSION_CODES.TIRAMISU)
-    public void testStartMigration() throws Exception {
-        mIpSecManager.startMigration(buildTestTransform(), SRC_ADDRESS_V6, DST_ADDRESS_V6);
+    public void testStartTransformMigration() throws Exception {
+        mIpSecManager.startTunnelModeTransformMigration(
+                buildTestTransform(), SRC_ADDRESS_V6, DST_ADDRESS_V6);
         verify(mMockIpSecService)
                 .migrateTransform(
                         anyInt(),
@@ -155,9 +156,10 @@
 
     @Test
     @DevSdkIgnoreRule.IgnoreAfter(Build.VERSION_CODES.TIRAMISU)
-    public void testStartMigrationOnSdkBeforeU() throws Exception {
+    public void testStartTransformMigrationOnSdkBeforeU() throws Exception {
         try {
-            mIpSecManager.startMigration(buildTestTransform(), SRC_ADDRESS_V6, DST_ADDRESS_V6);
+            mIpSecManager.startTunnelModeTransformMigration(
+                    buildTestTransform(), SRC_ADDRESS_V6, DST_ADDRESS_V6);
             fail("Expect to fail since migration is not supported before U");
         } catch (UnsupportedOperationException expected) {
         }