Check user restriction DISALLOW_REMOVE_USER in isProvisioningAllowed.

If DISALLOW_REMOVE_USER is set and there is already a managed profile: isProvisioningAllowed() should return false BUG:32629873 Test: adb shell am instrument -e class com.android.server.devicepolicy.DevicePolicyManagerTest -w com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner Change-Id: I093bed0a4a54f83decf11716ebfd50dd4f17c089
author: Nicolas Prevot <nprevot@google.com> 2016-11-10 12:57:54 +0000
committer: Nicolas Prevot <nprevot@google.com> 2016-11-16 12:12:41 +0000
commit: 56400a445fa29b0a90e92d15daf6246cfc3f310d (patch)
tree: 93b3a97e010a2f48714d3fecc1e82fd989fb4447
parent: 2cf7c483a8049e2c657d5f4c138132167fa71ae9 (diff)
2 files changed, 23 insertions, 1 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 0ea8d4e5101d..669d9ac6ac14 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -8686,9 +8686,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                 // Managed user cannot have a managed profile.
                 return false;
             }
+            boolean canRemoveProfile
+                    = !mUserManager.hasUserRestriction(UserManager.DISALLOW_REMOVE_USER);
             final long ident = mInjector.binderClearCallingIdentity();
             try {
-                if (!mUserManager.canAddMoreManagedProfiles(callingUserId, true)) {
+                if (!mUserManager.canAddMoreManagedProfiles(callingUserId, canRemoveProfile)) {
                     return false;
                 }
             } finally {
diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
index 56ff6214a908..71379b8258e2 100644
--- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
+++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
@@ -2178,6 +2178,26 @@ public class DevicePolicyManagerTest extends DpmTestBase {
         assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, true);
     }
 
+    public void testIsProvisioningAllowed_provisionManagedProfileCantRemoveUser_primaryUser()
+            throws Exception {
+        setDeviceOwner();
+
+        when(mContext.ipackageManager.hasSystemFeature(PackageManager.FEATURE_MANAGED_USERS, 0))
+                .thenReturn(true);
+        when(mContext.userManagerForMock.isSplitSystemUser()).thenReturn(true);
+        when(mContext.userManager.hasUserRestriction(UserManager.DISALLOW_REMOVE_USER))
+                .thenReturn(true);
+        when(mContext.userManager.canAddMoreManagedProfiles(DpmMockContext.CALLER_USER_HANDLE,
+                false /* we can't remove a managed profile*/)).thenReturn(false);
+        when(mContext.userManager.canAddMoreManagedProfiles(DpmMockContext.CALLER_USER_HANDLE,
+                true)).thenReturn(true);
+        setUserSetupCompleteForUser(false, DpmMockContext.CALLER_USER_HANDLE);
+
+        mContext.binder.callingUid = DpmMockContext.CALLER_UID;
+
+        assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, false);
+    }
+
     public void testForceUpdateUserSetupComplete_permission() {
         // GIVEN the permission MANAGE_PROFILE_AND_DEVICE_OWNERS is not granted
         try {
author	Nicolas Prevot <nprevot@google.com>	2016-11-10 12:57:54 +0000
committer	Nicolas Prevot <nprevot@google.com>	2016-11-16 12:12:41 +0000
commit	56400a445fa29b0a90e92d15daf6246cfc3f310d (patch)
tree	93b3a97e010a2f48714d3fecc1e82fd989fb4447
parent	2cf7c483a8049e2c657d5f4c138132167fa71ae9 (diff)