Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / b341c383debd2395e6be2747338c763de41ff0a8 / . / virtualizationservice / src / maintenance.rs
blob: 4732e1f0ae2332835e0051b3777b904862b2da5c [file] [log] [blame]
Alan Stokesea1f0462024-02-19 16:25:47 +0000[diff] [blame]1// Copyright 2024 The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]15use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::{
16 ISecretkeeper::ISecretkeeper, SecretId::SecretId,
Alan Stokesea1f0462024-02-19 16:25:47 +0000[diff] [blame]17};
David Drysdale1138fa02024-03-19 13:06:23 +0000[diff] [blame]18use android_system_virtualizationmaintenance::aidl::android::system::virtualizationmaintenance;
19use anyhow::{anyhow, Context, Result};
20use binder::Strong;
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]21use log::{error, info, warn};
David Drysdale1138fa02024-03-19 13:06:23 +0000[diff] [blame]22use virtualizationmaintenance::IVirtualizationReconciliationCallback::IVirtualizationReconciliationCallback;
Alan Stokesea1f0462024-02-19 16:25:47 +0000[diff] [blame]23
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]24mod vmdb;
25use vmdb::{VmId, VmIdDb};
26
27/// Interface name for the Secretkeeper HAL.
28const SECRETKEEPER_SERVICE: &str = "android.hardware.security.secretkeeper.ISecretkeeper/default";
29
30/// Directory in which to write persistent state.
31const PERSISTENT_DIRECTORY: &str = "/data/misc/apexdata/com.android.virt";
32
33/// Maximum number of VM IDs to delete at once. Needs to be smaller than both the maximum
34/// number of SQLite parameters (999) and also small enough that an ISecretkeeper::deleteIds
35/// parcel fits within max AIDL message size.
36const DELETE_MAX_BATCH_SIZE: usize = 100;
37
David Drysdale825c90f2024-03-26 12:45:29 +0000[diff] [blame]38/// Maximum number of VM IDs that a single app can have.
39const MAX_VM_IDS_PER_APP: usize = 400;
40
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]41/// State related to VM secrets.
42pub struct State {
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]43 /// The real state, lazily created when we first need it.
44 inner: Option<InnerState>,
45}
46
47struct InnerState {
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]48 sk: binder::Strong<dyn ISecretkeeper>,
49 /// Database of VM IDs,
50 vm_id_db: VmIdDb,
51 batch_size: usize,
Alan Stokesea1f0462024-02-19 16:25:47 +0000[diff] [blame]52}
53
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]54impl State {
55 pub fn new() -> Option<Self> {
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]56 if is_sk_present() {
57 // Don't instantiate the inner state yet, that will happen when it is needed.
58 Some(Self { inner: None })
59 } else {
60 // If the Secretkeeper HAL doesn't exist, there's never any point in trying to
61 // handle maintenance for it.
62 info!("Failed to find a Secretkeeper instance; skipping secret management");
63 None
64 }
65 }
66
67 /// Return the existing inner state, or create one if there isn't one.
68 /// This is done on demand as in early boot (before we need Secretkeeper) it may not be
69 /// available to connect to. See b/331417880.
70 fn get_inner(&mut self) -> Result<&mut InnerState> {
71 if self.inner.is_none() {
72 self.inner = Some(InnerState::new()?);
73 }
74 Ok(self.inner.as_mut().unwrap())
75 }
76
77 /// Record a new VM ID. If there is an existing owner (user_id, app_id) for the VM ID,
78 /// it will be replaced.
79 pub fn add_id(&mut self, vm_id: &VmId, user_id: u32, app_id: u32) -> Result<()> {
80 self.get_inner()?.add_id(vm_id, user_id, app_id)
81 }
82
83 /// Delete the VM IDs associated with Android user ID `user_id`.
84 pub fn delete_ids_for_user(&mut self, user_id: i32) -> Result<()> {
85 self.get_inner()?.delete_ids_for_user(user_id)
86 }
87
88 /// Delete the VM IDs associated with `(user_id, app_id)`.
89 pub fn delete_ids_for_app(&mut self, user_id: i32, app_id: i32) -> Result<()> {
90 self.get_inner()?.delete_ids_for_app(user_id, app_id)
91 }
92
93 /// Delete the provided VM IDs from both Secretkeeper and the database.
94 pub fn delete_ids(&mut self, vm_ids: &[VmId]) {
95 let Ok(inner) = self.get_inner() else {
96 warn!("No Secretkeeper available, not deleting secrets");
97 return;
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]98 };
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]99
100 inner.delete_ids(vm_ids)
101 }
102
103 /// Perform reconciliation to allow for possibly missed notifications of user or app removal.
104 pub fn reconcile(
105 &mut self,
106 callback: &Strong<dyn IVirtualizationReconciliationCallback>,
107 ) -> Result<()> {
108 self.get_inner()?.reconcile(callback)
109 }
110}
111
112impl InnerState {
113 fn new() -> Result<Self> {
114 info!("Connecting to {SECRETKEEPER_SERVICE}");
115 let sk = binder::wait_for_interface::<dyn ISecretkeeper>(SECRETKEEPER_SERVICE)
116 .context("Connecting to {SECRETKEEPER_SERVICE}")?;
117 let (vm_id_db, created) = VmIdDb::new(PERSISTENT_DIRECTORY)
118 .context("Connecting to secret management database")?;
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]119 if created {
120 // If the database did not previously exist, then this appears to be the first run of
121 // `virtualizationservice` since device setup or factory reset. In case of the latter,
122 // delete any secrets that may be left over from before reset, thus ensuring that the
123 // local database state matches that of the TA (i.e. empty).
124 warn!("no existing VM ID DB; clearing any previous secrets to match fresh DB");
125 if let Err(e) = sk.deleteAll() {
126 error!("failed to delete previous secrets, dropping database: {e:?}");
127 vm_id_db.delete_db_file(PERSISTENT_DIRECTORY);
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]128 return Err(e.into());
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]129 }
130 } else {
131 info!("re-using existing VM ID DB");
132 }
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]133 Ok(Self { sk, vm_id_db, batch_size: DELETE_MAX_BATCH_SIZE })
Alan Stokesea1f0462024-02-19 16:25:47 +0000[diff] [blame]134 }
135
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]136 fn add_id(&mut self, vm_id: &VmId, user_id: u32, app_id: u32) -> Result<()> {
David Drysdalee64de8e2024-02-29 11:54:29 +0000[diff] [blame]137 let user_id: i32 = user_id.try_into().context(format!("user_id {user_id} out of range"))?;
138 let app_id: i32 = app_id.try_into().context(format!("app_id {app_id} out of range"))?;
David Drysdale825c90f2024-03-26 12:45:29 +0000[diff] [blame]139
140 // To prevent unbounded growth of VM IDs (and the associated state) for an app, limit the
141 // number of VM IDs per app.
142 let count = self
143 .vm_id_db
144 .count_vm_ids_for_app(user_id, app_id)
145 .context("failed to determine VM count")?;
146 if count >= MAX_VM_IDS_PER_APP {
147 // The owner has too many VM IDs, so delete the oldest IDs so that the new VM ID
148 // creation can progress/succeed.
149 let purge = 1 + count - MAX_VM_IDS_PER_APP;
150 let old_vm_ids = self
151 .vm_id_db
152 .oldest_vm_ids_for_app(user_id, app_id, purge)
153 .context("failed to find oldest VM IDs")?;
154 error!("Deleting {purge} of {count} VM IDs for user_id={user_id}, app_id={app_id}");
155 self.delete_ids(&old_vm_ids);
156 }
David Drysdalee64de8e2024-02-29 11:54:29 +0000[diff] [blame]157 self.vm_id_db.add_vm_id(vm_id, user_id, app_id)
158 }
159
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]160 fn delete_ids_for_user(&mut self, user_id: i32) -> Result<()> {
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]161 let vm_ids = self.vm_id_db.vm_ids_for_user(user_id)?;
162 info!(
163 "delete_ids_for_user(user_id={user_id}) triggers deletion of {} secrets",
164 vm_ids.len()
165 );
166 self.delete_ids(&vm_ids);
167 Ok(())
168 }
169
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]170 fn delete_ids_for_app(&mut self, user_id: i32, app_id: i32) -> Result<()> {
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]171 let vm_ids = self.vm_id_db.vm_ids_for_app(user_id, app_id)?;
172 info!(
173 "delete_ids_for_app(user_id={user_id}, app_id={app_id}) removes {} secrets",
174 vm_ids.len()
175 );
176 self.delete_ids(&vm_ids);
177 Ok(())
178 }
179
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]180 fn delete_ids(&mut self, mut vm_ids: &[VmId]) {
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]181 while !vm_ids.is_empty() {
182 let len = std::cmp::min(vm_ids.len(), self.batch_size);
183 let batch = &vm_ids[..len];
184 self.delete_ids_batch(batch);
185 vm_ids = &vm_ids[len..];
186 }
187 }
188
189 /// Delete a batch of VM IDs from both Secretkeeper and the database. The batch is assumed
190 /// to be smaller than both:
191 /// - the corresponding limit for number of database parameters
192 /// - the corresponding limit for maximum size of a single AIDL message for `ISecretkeeper`.
193 fn delete_ids_batch(&mut self, vm_ids: &[VmId]) {
194 let secret_ids: Vec<SecretId> = vm_ids.iter().map(|id| SecretId { id: *id }).collect();
195 if let Err(e) = self.sk.deleteIds(&secret_ids) {
196 error!("failed to delete all secrets from Secretkeeper: {e:?}");
197 }
198 if let Err(e) = self.vm_id_db.delete_vm_ids(vm_ids) {
199 error!("failed to remove secret IDs from database: {e:?}");
200 }
201 }
David Drysdale1138fa02024-03-19 13:06:23 +0000[diff] [blame]202
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]203 fn reconcile(
David Drysdale1138fa02024-03-19 13:06:23 +0000[diff] [blame]204 &mut self,
205 callback: &Strong<dyn IVirtualizationReconciliationCallback>,
206 ) -> Result<()> {
207 // First, retrieve all (user_id, app_id) pairs that own a VM.
208 let owners = self.vm_id_db.get_all_owners().context("failed to retrieve owners from DB")?;
209 if owners.is_empty() {
210 info!("no VM owners, nothing to do");
211 return Ok(());
212 }
213
214 // Look for absent users.
215 let mut users: Vec<i32> = owners.iter().map(|(u, _a)| *u).collect();
216 users.sort();
217 users.dedup();
218 let users_exist = callback
219 .doUsersExist(&users)
220 .context(format!("failed to determine if {} users exist", users.len()))?;
221 if users_exist.len() != users.len() {
222 error!("callback returned {} bools for {} inputs!", users_exist.len(), users.len());
223 return Err(anyhow!("unexpected number of results from callback"));
224 }
225
226 for (user_id, present) in users.into_iter().zip(users_exist.into_iter()) {
227 if present {
228 // User is still present, but are all of the associated apps?
229 let mut apps: Vec<i32> = owners
230 .iter()
231 .filter_map(|(u, a)| if *u == user_id { Some(*a) } else { None })
232 .collect();
233 apps.sort();
234 apps.dedup();
235
236 let apps_exist = callback
237 .doAppsExist(user_id, &apps)
238 .context(format!("failed to check apps for user {user_id}"))?;
239 if apps_exist.len() != apps.len() {
240 error!(
241 "callback returned {} bools for {} inputs!",
242 apps_exist.len(),
243 apps.len()
244 );
245 return Err(anyhow!("unexpected number of results from callback"));
246 }
247
248 let missing_apps: Vec<i32> = apps
249 .iter()
250 .zip(apps_exist.into_iter())
251 .filter_map(|(app_id, present)| if present { None } else { Some(*app_id) })
252 .collect();
253
254 for app_id in missing_apps {
255 if core_app_id(app_id) {
256 info!("Skipping deletion for core app {app_id} for user {user_id}");
257 continue;
258 }
259 info!("App {app_id} for user {user_id} absent, deleting associated VM IDs");
260 if let Err(err) = self.delete_ids_for_app(user_id, app_id) {
261 error!("Failed to delete VM ID for user {user_id} app {app_id}: {err:?}");
262 }
263 }
264 } else {
265 info!("user {user_id} no longer present, deleting associated VM IDs");
266 if let Err(err) = self.delete_ids_for_user(user_id) {
267 error!("Failed to delete VM IDs for user {user_id} : {err:?}");
268 }
269 }
270 }
271
272 Ok(())
273 }
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]274}
275
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]276/// Indicate whether an app ID belongs to a system core component.
277fn core_app_id(app_id: i32) -> bool {
278 app_id < 10000
279}
280
281fn is_sk_present() -> bool {
282 matches!(binder::is_declared(SECRETKEEPER_SERVICE), Ok(true))
283}
284
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]285#[cfg(test)]
286mod tests {
287 use super::*;
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]288 use android_hardware_security_authgraph::aidl::android::hardware::security::authgraph;
289 use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper;
290 use authgraph::IAuthGraphKeyExchange::IAuthGraphKeyExchange;
291 use secretkeeper::ISecretkeeper::BnSecretkeeper;
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]292 use std::sync::{Arc, Mutex};
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]293 use virtualizationmaintenance::IVirtualizationReconciliationCallback::BnVirtualizationReconciliationCallback;
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]294
295 /// Fake implementation of Secretkeeper that keeps a history of what operations were invoked.
296 #[derive(Default)]
297 struct FakeSk {
298 history: Arc<Mutex<Vec<SkOp>>>,
299 }
300
301 #[derive(Clone, PartialEq, Eq, Debug)]
302 enum SkOp {
303 Management,
304 DeleteIds(Vec<VmId>),
305 DeleteAll,
306 }
307
308 impl ISecretkeeper for FakeSk {
309 fn processSecretManagementRequest(&self, _req: &[u8]) -> binder::Result<Vec<u8>> {
310 self.history.lock().unwrap().push(SkOp::Management);
311 Ok(vec![])
312 }
313
314 fn getAuthGraphKe(&self) -> binder::Result<binder::Strong<dyn IAuthGraphKeyExchange>> {
315 unimplemented!()
316 }
317
318 fn deleteIds(&self, ids: &[SecretId]) -> binder::Result<()> {
319 self.history.lock().unwrap().push(SkOp::DeleteIds(ids.iter().map(|s| s.id).collect()));
320 Ok(())
321 }
322
323 fn deleteAll(&self) -> binder::Result<()> {
324 self.history.lock().unwrap().push(SkOp::DeleteAll);
325 Ok(())
326 }
327 }
328 impl binder::Interface for FakeSk {}
329
330 fn new_test_state(history: Arc<Mutex<Vec<SkOp>>>, batch_size: usize) -> State {
331 let vm_id_db = vmdb::new_test_db();
332 let sk = FakeSk { history };
333 let sk = BnSecretkeeper::new_binder(sk, binder::BinderFeatures::default());
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]334 let inner = InnerState { sk, vm_id_db, batch_size };
335 State { inner: Some(inner) }
336 }
337
338 fn get_db(state: &mut State) -> &mut VmIdDb {
339 &mut state.inner.as_mut().unwrap().vm_id_db
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]340 }
341
David Drysdale1138fa02024-03-19 13:06:23 +0000[diff] [blame]342 struct Reconciliation {
343 gone_users: Vec<i32>,
344 gone_apps: Vec<i32>,
345 }
346
347 impl IVirtualizationReconciliationCallback for Reconciliation {
348 fn doUsersExist(&self, user_ids: &[i32]) -> binder::Result<Vec<bool>> {
349 Ok(user_ids.iter().map(|user_id| !self.gone_users.contains(user_id)).collect())
350 }
351 fn doAppsExist(&self, _user_id: i32, app_ids: &[i32]) -> binder::Result<Vec<bool>> {
352 Ok(app_ids.iter().map(|app_id| !self.gone_apps.contains(app_id)).collect())
353 }
354 }
355 impl binder::Interface for Reconciliation {}
356
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]357 const VM_ID1: VmId = [1u8; 64];
358 const VM_ID2: VmId = [2u8; 64];
359 const VM_ID3: VmId = [3u8; 64];
360 const VM_ID4: VmId = [4u8; 64];
361 const VM_ID5: VmId = [5u8; 64];
362
David Drysdale1138fa02024-03-19 13:06:23 +0000[diff] [blame]363 const USER1: i32 = 1;
364 const USER2: i32 = 2;
365 const USER3: i32 = 3;
366 const APP_A: i32 = 10050;
367 const APP_B: i32 = 10060;
368 const APP_C: i32 = 10070;
369 const CORE_APP_A: i32 = 45;
370
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]371 #[test]
372 fn test_sk_state_batching() {
373 let history = Arc::new(Mutex::new(Vec::new()));
374 let mut sk_state = new_test_state(history.clone(), 2);
375 sk_state.delete_ids(&[VM_ID1, VM_ID2, VM_ID3, VM_ID4, VM_ID5]);
376 let got = (*history.lock().unwrap()).clone();
377 assert_eq!(
378 got,
379 vec![
380 SkOp::DeleteIds(vec![VM_ID1, VM_ID2]),
381 SkOp::DeleteIds(vec![VM_ID3, VM_ID4]),
382 SkOp::DeleteIds(vec![VM_ID5]),
383 ]
384 );
385 }
386
387 #[test]
388 fn test_sk_state_no_batching() {
389 let history = Arc::new(Mutex::new(Vec::new()));
390 let mut sk_state = new_test_state(history.clone(), 6);
391 sk_state.delete_ids(&[VM_ID1, VM_ID2, VM_ID3, VM_ID4, VM_ID5]);
392 let got = (*history.lock().unwrap()).clone();
393 assert_eq!(got, vec![SkOp::DeleteIds(vec![VM_ID1, VM_ID2, VM_ID3, VM_ID4, VM_ID5])]);
394 }
395
396 #[test]
397 fn test_sk_state() {
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]398 let history = Arc::new(Mutex::new(Vec::new()));
399 let mut sk_state = new_test_state(history.clone(), 2);
400
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]401 get_db(&mut sk_state).add_vm_id(&VM_ID1, USER1, APP_A).unwrap();
402 get_db(&mut sk_state).add_vm_id(&VM_ID2, USER1, APP_A).unwrap();
403 get_db(&mut sk_state).add_vm_id(&VM_ID3, USER2, APP_B).unwrap();
404 get_db(&mut sk_state).add_vm_id(&VM_ID4, USER3, APP_A).unwrap();
405 get_db(&mut sk_state).add_vm_id(&VM_ID5, USER3, APP_C).unwrap(); // Overwrites APP_A
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]406 assert_eq!((*history.lock().unwrap()).clone(), vec![]);
407
408 sk_state.delete_ids_for_app(USER2, APP_B).unwrap();
409 assert_eq!((*history.lock().unwrap()).clone(), vec![SkOp::DeleteIds(vec![VM_ID3])]);
410
411 sk_state.delete_ids_for_user(USER3).unwrap();
412 assert_eq!(
413 (*history.lock().unwrap()).clone(),
414 vec![SkOp::DeleteIds(vec![VM_ID3]), SkOp::DeleteIds(vec![VM_ID4, VM_ID5]),]
415 );
416
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]417 assert_eq!(vec![VM_ID1, VM_ID2], get_db(&mut sk_state).vm_ids_for_user(USER1).unwrap());
418 assert_eq!(
419 vec![VM_ID1, VM_ID2],
420 get_db(&mut sk_state).vm_ids_for_app(USER1, APP_A).unwrap()
421 );
David Drysdale79af2662024-02-19 14:50:31 +0000[diff] [blame]422 let empty: Vec<VmId> = Vec::new();
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]423 assert_eq!(empty, get_db(&mut sk_state).vm_ids_for_app(USER2, APP_B).unwrap());
424 assert_eq!(empty, get_db(&mut sk_state).vm_ids_for_user(USER3).unwrap());
Alan Stokesea1f0462024-02-19 16:25:47 +0000[diff] [blame]425 }
David Drysdale1138fa02024-03-19 13:06:23 +0000[diff] [blame]426
427 #[test]
428 fn test_sk_state_reconcile() {
429 let history = Arc::new(Mutex::new(Vec::new()));
430 let mut sk_state = new_test_state(history.clone(), 20);
431
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]432 get_db(&mut sk_state).add_vm_id(&VM_ID1, USER1, APP_A).unwrap();
433 get_db(&mut sk_state).add_vm_id(&VM_ID2, USER1, APP_A).unwrap();
434 get_db(&mut sk_state).add_vm_id(&VM_ID3, USER2, APP_B).unwrap();
435 get_db(&mut sk_state).add_vm_id(&VM_ID4, USER2, CORE_APP_A).unwrap();
436 get_db(&mut sk_state).add_vm_id(&VM_ID5, USER3, APP_C).unwrap();
David Drysdale1138fa02024-03-19 13:06:23 +0000[diff] [blame]437
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]438 assert_eq!(vec![VM_ID1, VM_ID2], get_db(&mut sk_state).vm_ids_for_user(USER1).unwrap());
439 assert_eq!(
440 vec![VM_ID1, VM_ID2],
441 get_db(&mut sk_state).vm_ids_for_app(USER1, APP_A).unwrap()
442 );
443 assert_eq!(vec![VM_ID3], get_db(&mut sk_state).vm_ids_for_app(USER2, APP_B).unwrap());
444 assert_eq!(vec![VM_ID5], get_db(&mut sk_state).vm_ids_for_user(USER3).unwrap());
David Drysdale1138fa02024-03-19 13:06:23 +0000[diff] [blame]445
446 // Perform a reconciliation and pretend that USER1 and [CORE_APP_A, APP_B] are gone.
447 let reconciliation =
448 Reconciliation { gone_users: vec![USER1], gone_apps: vec![CORE_APP_A, APP_B] };
449 let callback = BnVirtualizationReconciliationCallback::new_binder(
450 reconciliation,
451 binder::BinderFeatures::default(),
452 );
453 sk_state.reconcile(&callback).unwrap();
454
455 let empty: Vec<VmId> = Vec::new();
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]456 assert_eq!(empty, get_db(&mut sk_state).vm_ids_for_user(USER1).unwrap());
457 assert_eq!(empty, get_db(&mut sk_state).vm_ids_for_app(USER1, APP_A).unwrap());
David Drysdale1138fa02024-03-19 13:06:23 +0000[diff] [blame]458 // VM for core app stays even though it's reported as absent.
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]459 assert_eq!(vec![VM_ID4], get_db(&mut sk_state).vm_ids_for_user(USER2).unwrap());
460 assert_eq!(empty, get_db(&mut sk_state).vm_ids_for_app(USER2, APP_B).unwrap());
461 assert_eq!(vec![VM_ID5], get_db(&mut sk_state).vm_ids_for_user(USER3).unwrap());
David Drysdale1138fa02024-03-19 13:06:23 +0000[diff] [blame]462 }
463
David Drysdale825c90f2024-03-26 12:45:29 +0000[diff] [blame]464 #[test]
465 fn test_sk_state_too_many_vms() {
466 let history = Arc::new(Mutex::new(Vec::new()));
467 let mut sk_state = new_test_state(history.clone(), 20);
468
469 // Every VM ID added up to the limit is kept.
470 for idx in 0..MAX_VM_IDS_PER_APP {
471 let mut vm_id = [0u8; 64];
472 vm_id[0..8].copy_from_slice(&(idx as u64).to_be_bytes());
473 sk_state.add_id(&vm_id, USER1 as u32, APP_A as u32).unwrap();
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]474 assert_eq!(idx + 1, get_db(&mut sk_state).count_vm_ids_for_app(USER1, APP_A).unwrap());
David Drysdale825c90f2024-03-26 12:45:29 +0000[diff] [blame]475 }
476 assert_eq!(
477 MAX_VM_IDS_PER_APP,
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]478 get_db(&mut sk_state).count_vm_ids_for_app(USER1, APP_A).unwrap()
David Drysdale825c90f2024-03-26 12:45:29 +0000[diff] [blame]479 );
480
481 // Beyond the limit it's one in, one out.
482 for idx in MAX_VM_IDS_PER_APP..MAX_VM_IDS_PER_APP + 10 {
483 let mut vm_id = [0u8; 64];
484 vm_id[0..8].copy_from_slice(&(idx as u64).to_be_bytes());
485 sk_state.add_id(&vm_id, USER1 as u32, APP_A as u32).unwrap();
486 assert_eq!(
487 MAX_VM_IDS_PER_APP,
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]488 get_db(&mut sk_state).count_vm_ids_for_app(USER1, APP_A).unwrap()
David Drysdale825c90f2024-03-26 12:45:29 +0000[diff] [blame]489 );
490 }
491 assert_eq!(
492 MAX_VM_IDS_PER_APP,
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]493 get_db(&mut sk_state).count_vm_ids_for_app(USER1, APP_A).unwrap()
David Drysdale825c90f2024-03-26 12:45:29 +0000[diff] [blame]494 );
495 }
496
David Drysdale1138fa02024-03-19 13:06:23 +0000[diff] [blame]497 struct Irreconcilable;
498
499 impl IVirtualizationReconciliationCallback for Irreconcilable {
500 fn doUsersExist(&self, user_ids: &[i32]) -> binder::Result<Vec<bool>> {
501 panic!("doUsersExist called with {user_ids:?}");
502 }
503 fn doAppsExist(&self, user_id: i32, app_ids: &[i32]) -> binder::Result<Vec<bool>> {
504 panic!("doAppsExist called with {user_id:?}, {app_ids:?}");
505 }
506 }
507 impl binder::Interface for Irreconcilable {}
508
509 #[test]
510 fn test_sk_state_reconcile_not_needed() {
511 let history = Arc::new(Mutex::new(Vec::new()));
512 let mut sk_state = new_test_state(history.clone(), 20);
513
Alan Stokes72820a92024-05-13 13:38:50 +0100[diff] [blame]514 get_db(&mut sk_state).add_vm_id(&VM_ID1, USER1, APP_A).unwrap();
515 get_db(&mut sk_state).add_vm_id(&VM_ID2, USER1, APP_A).unwrap();
516 get_db(&mut sk_state).add_vm_id(&VM_ID3, USER2, APP_B).unwrap();
517 get_db(&mut sk_state).add_vm_id(&VM_ID5, USER3, APP_C).unwrap();
David Drysdale1138fa02024-03-19 13:06:23 +0000[diff] [blame]518 sk_state.delete_ids_for_user(USER1).unwrap();
519 sk_state.delete_ids_for_user(USER2).unwrap();
520 sk_state.delete_ids_for_user(USER3).unwrap();
521
522 // No extant secrets, so reconciliation should not trigger the callback.
523 let callback = BnVirtualizationReconciliationCallback::new_binder(
524 Irreconcilable,
525 binder::BinderFeatures::default(),
526 );
527 sk_state.reconcile(&callback).unwrap();
528 }
Alan Stokesea1f0462024-02-19 16:25:47 +0000[diff] [blame]529}