Add AppOps, Runtime and AllOf/AnyOf tests

Update the test services to use the Stub constructor and provide their own Context (best practice). Test: atest EnforcePermissionTest Bug: 269721152 Change-Id: I059a31950034e0bb67977eb88990515ed0cac4e1
author: Thiébaud Weksteen <tweek@google.com> 2023-03-06 11:05:05 +1100
committer: Thiébaud Weksteen <tweek@google.com> 2023-03-14 11:19:29 +1100
commit: ab6ec3173dd681087eb358410564f0584f08c279 (patch)
tree: 4c6856962bc59a92c34f65b4220fd9d5c992bacd
parent: 44ec9a5b13d9cd3c324a3882591194a3eb5c8a41 (diff)
6 files changed, 170 insertions, 6 deletions
diff --git a/tests/EnforcePermission/aidl/android/tests/enforcepermission/IProtected.aidl b/tests/EnforcePermission/aidl/android/tests/enforcepermission/IProtected.aidl
index 18e3aecfa832..87aad108f31f 100644
--- a/tests/EnforcePermission/aidl/android/tests/enforcepermission/IProtected.aidl
+++ b/tests/EnforcePermission/aidl/android/tests/enforcepermission/IProtected.aidl
@@ -31,4 +31,25 @@ interface IProtected {
 
     @EnforcePermission("INTERNET")
     void ProtectedByInternetAndReadSyncSettingsImplicitly();
+
+    @EnforcePermission("TURN_SCREEN_ON")
+    void ProtectedByTurnScreenOn();
+
+    @EnforcePermission("READ_CONTACTS")
+    void ProtectedByReadContacts();
+
+    @EnforcePermission("READ_CALENDAR")
+    void ProtectedByReadCalendar();
+
+    @EnforcePermission(allOf={"INTERNET", "VIBRATE"})
+    void ProtectedByInternetAndVibrate();
+
+    @EnforcePermission(allOf={"INTERNET", "READ_SYNC_SETTINGS"})
+    void ProtectedByInternetAndReadSyncSettings();
+
+    @EnforcePermission(anyOf={"ACCESS_WIFI_STATE", "VIBRATE"})
+    void ProtectedByAccessWifiStateOrVibrate();
+
+    @EnforcePermission(anyOf={"INTERNET", "VIBRATE"})
+    void ProtectedByInternetOrVibrate();
 }
diff --git a/tests/EnforcePermission/service-app/AndroidManifest.xml b/tests/EnforcePermission/service-app/AndroidManifest.xml
index ddafe15ab88f..eba1230ff7a2 100644
--- a/tests/EnforcePermission/service-app/AndroidManifest.xml
+++ b/tests/EnforcePermission/service-app/AndroidManifest.xml
@@ -15,6 +15,9 @@
 -->
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
   package="android.tests.enforcepermission.service">
+
+    <uses-permission android:name="android.permission.UPDATE_APP_OPS_STATS" />
+
     <application>
         <service
           android:name=".TestService"
diff --git a/tests/EnforcePermission/service-app/src/android/tests/enforcepermission/service/NestedTestService.java b/tests/EnforcePermission/service-app/src/android/tests/enforcepermission/service/NestedTestService.java
index 7879a1214c01..0f083c994738 100644
--- a/tests/EnforcePermission/service-app/src/android/tests/enforcepermission/service/NestedTestService.java
+++ b/tests/EnforcePermission/service-app/src/android/tests/enforcepermission/service/NestedTestService.java
@@ -18,13 +18,21 @@ package android.tests.enforcepermission.service;
 
 import android.annotation.EnforcePermission;
 import android.app.Service;
+import android.content.Context;
 import android.content.Intent;
 import android.os.IBinder;
+import android.os.PermissionEnforcer;
 import android.tests.enforcepermission.INested;
 import android.util.Log;
 
 public class NestedTestService extends Service {
     private static final String TAG = "EnforcePermission.NestedTestService";
+    private INested.Stub mBinder;
+
+    @Override
+    public void onCreate() {
+        mBinder = new Stub(this);
+    }
 
     @Override
     public IBinder onBind(Intent intent) {
@@ -32,7 +40,12 @@ public class NestedTestService extends Service {
         return mBinder;
     }
 
-    private final INested.Stub mBinder = new INested.Stub() {
+    private static class Stub extends INested.Stub {
+
+        Stub(Context context) {
+            super(PermissionEnforcer.fromContext(context));
+        }
+
         @Override
         @EnforcePermission(android.Manifest.permission.ACCESS_NETWORK_STATE)
         public void ProtectedByAccessNetworkState() {
@@ -44,5 +57,5 @@ public class NestedTestService extends Service {
         public void ProtectedByReadSyncSettings() {
             ProtectedByReadSyncSettings_enforcePermission();
         }
-    };
+    }
 }
diff --git a/tests/EnforcePermission/service-app/src/android/tests/enforcepermission/service/TestService.java b/tests/EnforcePermission/service-app/src/android/tests/enforcepermission/service/TestService.java
index e9b897db1294..0a3af1af8139 100644
--- a/tests/EnforcePermission/service-app/src/android/tests/enforcepermission/service/TestService.java
+++ b/tests/EnforcePermission/service-app/src/android/tests/enforcepermission/service/TestService.java
@@ -22,6 +22,7 @@ import android.content.ComponentName;
 import android.content.Context;
 import android.content.Intent;
 import android.os.IBinder;
+import android.os.PermissionEnforcer;
 import android.os.RemoteException;
 import android.tests.enforcepermission.INested;
 import android.tests.enforcepermission.IProtected;
@@ -36,9 +37,11 @@ public class TestService extends Service {
 
     private static final String TAG = "EnforcePermission.TestService";
     private volatile ServiceConnection mNestedServiceConnection;
+    private IProtected.Stub mBinder;
 
     @Override
     public void onCreate() {
+        mBinder = new Stub(this);
         mNestedServiceConnection = new ServiceConnection();
         Intent intent = new Intent(this, NestedTestService.class);
         boolean bound = bindService(intent, mNestedServiceConnection, Context.BIND_AUTO_CREATE);
@@ -78,7 +81,12 @@ public class TestService extends Service {
         return mBinder;
     }
 
-    private final IProtected.Stub mBinder = new IProtected.Stub() {
+    private class Stub extends IProtected.Stub {
+
+        Stub(Context context) {
+            super(PermissionEnforcer.fromContext(context));
+        }
+
         @Override
         @EnforcePermission(android.Manifest.permission.INTERNET)
         public void ProtectedByInternet() {
@@ -105,7 +113,6 @@ public class TestService extends Service {
             ProtectedByInternetAndAccessNetworkStateImplicitly_enforcePermission();
 
             mNestedServiceConnection.get().ProtectedByAccessNetworkState();
-
         }
 
         @Override
@@ -115,5 +122,55 @@ public class TestService extends Service {
 
             mNestedServiceConnection.get().ProtectedByReadSyncSettings();
         }
-    };
+
+        @Override
+        @EnforcePermission(android.Manifest.permission.TURN_SCREEN_ON)
+        public void ProtectedByTurnScreenOn() {
+            ProtectedByTurnScreenOn_enforcePermission();
+        }
+
+        @Override
+        @EnforcePermission(android.Manifest.permission.READ_CONTACTS)
+        public void ProtectedByReadContacts() {
+            ProtectedByReadContacts_enforcePermission();
+        }
+
+        @Override
+        @EnforcePermission(android.Manifest.permission.READ_CALENDAR)
+        public void ProtectedByReadCalendar() {
+            ProtectedByReadCalendar_enforcePermission();
+        }
+
+        @Override
+        @EnforcePermission(allOf = {
+                android.Manifest.permission.INTERNET,
+                android.Manifest.permission.VIBRATE})
+        public void ProtectedByInternetAndVibrate() {
+            ProtectedByInternetAndVibrate_enforcePermission();
+        }
+
+        @Override
+        @EnforcePermission(allOf = {
+                android.Manifest.permission.INTERNET,
+                android.Manifest.permission.READ_SYNC_SETTINGS})
+        public void ProtectedByInternetAndReadSyncSettings() {
+            ProtectedByInternetAndReadSyncSettings_enforcePermission();
+        }
+
+        @Override
+        @EnforcePermission(anyOf = {
+                  android.Manifest.permission.ACCESS_WIFI_STATE,
+                  android.Manifest.permission.VIBRATE})
+        public void ProtectedByAccessWifiStateOrVibrate() {
+            ProtectedByAccessWifiStateOrVibrate_enforcePermission();
+        }
+
+        @Override
+        @EnforcePermission(anyOf = {
+                android.Manifest.permission.INTERNET,
+                android.Manifest.permission.VIBRATE})
+        public void ProtectedByInternetOrVibrate() {
+            ProtectedByInternetOrVibrate_enforcePermission();
+        }
+    }
 }
diff --git a/tests/EnforcePermission/test-app/AndroidManifest.xml b/tests/EnforcePermission/test-app/AndroidManifest.xml
index 4a0c6a86628f..8bd05d7350e5 100644
--- a/tests/EnforcePermission/test-app/AndroidManifest.xml
+++ b/tests/EnforcePermission/test-app/AndroidManifest.xml
@@ -16,9 +16,20 @@
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
   package="android.tests.enforcepermission.tests">
 
-    <!-- Expected for the tests (not actually used) -->
+    <!-- Expected permissions for the tests (not actually used). These
+         are granted automatically at runtime by Tradefed (see
+         GrantPermissionPreparer). -->
+    <!-- normal -->
     <uses-permission android:name="android.permission.INTERNET" />
     <uses-permission android:name="android.permission.READ_SYNC_SETTINGS" />
+    <!-- normal|appops -->
+    <uses-permission android:name="android.permission.TURN_SCREEN_ON" />
+    <!-- dangerous -->
+    <uses-permission android:name="android.permission.READ_CONTACTS" />
+
+    <!-- Used by the tests to activate/deactivate AppOps -->
+    <uses-permission android:name="android.permission.MANAGE_APP_OPS_MODES" />
+    <uses-permission android:name="android.permission.MANAGE_APPOPS" />
 
     <queries>
         <package android:name="android.tests.enforcepermission.service" />
diff --git a/tests/EnforcePermission/test-app/src/android/tests/enforcepermission/tests/ServiceTest.java b/tests/EnforcePermission/test-app/src/android/tests/enforcepermission/tests/ServiceTest.java
index d2a4a037f125..e09097cd2a04 100644
--- a/tests/EnforcePermission/test-app/src/android/tests/enforcepermission/tests/ServiceTest.java
+++ b/tests/EnforcePermission/test-app/src/android/tests/enforcepermission/tests/ServiceTest.java
@@ -21,11 +21,13 @@ import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
 
+import android.app.AppOpsManager;
 import android.content.ComponentName;
 import android.content.Context;
 import android.content.Intent;
 import android.content.ServiceConnection;
 import android.os.IBinder;
+import android.os.Process;
 import android.os.RemoteException;
 import android.tests.enforcepermission.IProtected;
 import android.util.Log;
@@ -126,4 +128,61 @@ public class ServiceTest {
             throws RemoteException {
         mServiceConnection.get().ProtectedByInternetAndReadSyncSettingsImplicitly();
     }
+
+    @Test
+    public void testAppOpPermissionGranted_succeeds() throws RemoteException {
+        AppOpsManager appOpsManager = mContext.getSystemService(AppOpsManager.class);
+        appOpsManager.setUidMode(AppOpsManager.OP_TURN_SCREEN_ON,
+                Process.myUid(), AppOpsManager.MODE_ALLOWED);
+
+        mServiceConnection.get().ProtectedByTurnScreenOn();
+    }
+
+    @Test
+    public void testAppOpPermissionDenied_fails() throws RemoteException {
+        AppOpsManager appOpsManager = mContext.getSystemService(AppOpsManager.class);
+        appOpsManager.setUidMode(AppOpsManager.OP_TURN_SCREEN_ON,
+                Process.myUid(), AppOpsManager.MODE_ERRORED);
+
+        final Exception ex = assertThrows(SecurityException.class,
+                () -> mServiceConnection.get().ProtectedByTurnScreenOn());
+        assertThat(ex.getMessage(), containsString("TURN_SCREEN_ON"));
+    }
+
+    @Test
+    public void testRuntimePermissionGranted_succeeds() throws RemoteException {
+        mServiceConnection.get().ProtectedByReadContacts();
+    }
+
+    @Test
+    public void testRuntimePermissionDenied_fails() throws RemoteException {
+        final Exception ex = assertThrows(SecurityException.class,
+                () -> mServiceConnection.get().ProtectedByReadCalendar());
+        assertThat(ex.getMessage(), containsString("READ_CALENDAR"));
+    }
+
+    @Test
+    public void testAllOfPermissionGranted_succeeds() throws RemoteException {
+        mServiceConnection.get().ProtectedByInternetAndReadSyncSettings();
+    }
+
+    @Test
+    public void testAllOfPermissionDenied_fails() throws RemoteException {
+        final Exception ex = assertThrows(SecurityException.class,
+                () -> mServiceConnection.get().ProtectedByInternetAndVibrate());
+        assertThat(ex.getMessage(), containsString("VIBRATE"));
+    }
+
+    @Test
+    public void testAnyOfPermissionGranted_succeeds() throws RemoteException {
+        mServiceConnection.get().ProtectedByInternetOrVibrate();
+    }
+
+    @Test
+    public void testAnyOfPermissionDenied_fails() throws RemoteException {
+        final Exception ex = assertThrows(SecurityException.class,
+                () -> mServiceConnection.get().ProtectedByAccessWifiStateOrVibrate());
+        assertThat(ex.getMessage(), containsString("VIBRATE"));
+        assertThat(ex.getMessage(), containsString("ACCESS_WIFI_STATE"));
+    }
 }
author	Thiébaud Weksteen <tweek@google.com>	2023-03-06 11:05:05 +1100
committer	Thiébaud Weksteen <tweek@google.com>	2023-03-14 11:19:29 +1100
commit	ab6ec3173dd681087eb358410564f0584f08c279 (patch)
tree	4c6856962bc59a92c34f65b4220fd9d5c992bacd
parent	44ec9a5b13d9cd3c324a3882591194a3eb5c8a41 (diff)