diff options
| -rw-r--r-- | core/java/android/net/Ikev2VpnProfile.java | 13 | ||||
| -rw-r--r-- | services/core/java/com/android/server/connectivity/Vpn.java | 18 | ||||
| -rw-r--r-- | tests/net/java/com/android/server/connectivity/VpnTest.java | 16 |
3 files changed, 47 insertions, 0 deletions
diff --git a/core/java/android/net/Ikev2VpnProfile.java b/core/java/android/net/Ikev2VpnProfile.java index 407ff04dc4a3..c8ca618e5969 100644 --- a/core/java/android/net/Ikev2VpnProfile.java +++ b/core/java/android/net/Ikev2VpnProfile.java @@ -25,6 +25,8 @@ import static com.android.internal.util.Preconditions.checkStringNotEmpty; import android.annotation.NonNull; import android.annotation.Nullable; +import android.annotation.RequiresFeature; +import android.content.pm.PackageManager; import android.os.Process; import android.security.Credentials; import android.security.KeyStore; @@ -647,6 +649,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile { * @param serverAddr the server that the VPN should connect to * @param identity the identity string to be used for IKEv2 authentication */ + @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS) public Builder(@NonNull String serverAddr, @NonNull String identity) { checkNotNull(serverAddr, MISSING_PARAM_MSG_TMPL, "serverAddr"); checkNotNull(identity, MISSING_PARAM_MSG_TMPL, "identity"); @@ -680,6 +683,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile { * unrecognized format */ @NonNull + @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS) public Builder setAuthUsernamePassword( @NonNull String user, @NonNull String pass, @@ -715,6 +719,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile { * unrecognized format */ @NonNull + @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS) public Builder setAuthDigitalSignature( @NonNull X509Certificate userCert, @NonNull PrivateKey key, @@ -745,6 +750,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile { * @return this {@link Builder} object to facilitate chaining of method calls */ @NonNull + @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS) public Builder setAuthPsk(@NonNull byte[] psk) { checkNotNull(psk, MISSING_PARAM_MSG_TMPL, "psk"); @@ -768,6 +774,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile { * @return this {@link Builder} object to facilitate chaining of method calls */ @NonNull + @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS) public Builder setBypassable(boolean isBypassable) { mIsBypassable = isBypassable; return this; @@ -782,6 +789,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile { * @return this {@link Builder} object to facilitate chaining of method calls */ @NonNull + @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS) public Builder setProxy(@Nullable ProxyInfo proxy) { mProxyInfo = proxy; return this; @@ -798,6 +806,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile { * @throws IllegalArgumentException if the value is not at least the minimum IPv6 MTU (1280) */ @NonNull + @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS) public Builder setMaxMtu(int mtu) { // IPv6 MTU is greater; since profiles may be started by the system on IPv4 and IPv6 // networks, the VPN must provide a link fulfilling the stricter of the two conditions @@ -825,6 +834,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile { * @see NetworkCapabilities#NET_CAPABILITY_NOT_METERED */ @NonNull + @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS) public Builder setMetered(boolean isMetered) { mIsMetered = isMetered; return this; @@ -852,6 +862,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile { * @see IpSecAlgorithm */ @NonNull + @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS) public Builder setAllowedAlgorithms(@NonNull List<String> algorithmNames) { checkNotNull(algorithmNames, MISSING_PARAM_MSG_TMPL, "algorithmNames"); validateAllowedAlgorithms(algorithmNames); @@ -870,6 +881,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile { * @hide */ @NonNull + @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS) public Builder restrictToTestNetworks() { mIsRestrictedToTestNetworks = true; return this; @@ -881,6 +893,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile { * @throws IllegalArgumentException if any of the required keys or values were invalid */ @NonNull + @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS) public Ikev2VpnProfile build() { return new Ikev2VpnProfile( mType, diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java index a33817c0bf24..e654af706fca 100644 --- a/services/core/java/com/android/server/connectivity/Vpn.java +++ b/services/core/java/com/android/server/connectivity/Vpn.java @@ -2867,6 +2867,23 @@ public class Vpn { return Credentials.PLATFORM_VPN + mUserHandle + "_" + packageName; } + @VisibleForTesting + void validateRequiredFeatures(VpnProfile profile) { + switch (profile.type) { + case VpnProfile.TYPE_IKEV2_IPSEC_USER_PASS: + case VpnProfile.TYPE_IKEV2_IPSEC_PSK: + case VpnProfile.TYPE_IKEV2_IPSEC_RSA: + if (!mContext.getPackageManager().hasSystemFeature( + PackageManager.FEATURE_IPSEC_TUNNELS)) { + throw new UnsupportedOperationException( + "Ikev2VpnProfile(s) requires PackageManager.FEATURE_IPSEC_TUNNELS"); + } + break; + default: + return; + } + } + /** * Stores an app-provisioned VPN profile and returns whether the app is already prepared. * @@ -2883,6 +2900,7 @@ public class Vpn { verifyCallingUidAndPackage(packageName); enforceNotRestrictedUser(); + validateRequiredFeatures(profile); if (profile.isRestrictedToTestNetworks) { mContext.enforceCallingPermission(Manifest.permission.MANAGE_TEST_NETWORKS, diff --git a/tests/net/java/com/android/server/connectivity/VpnTest.java b/tests/net/java/com/android/server/connectivity/VpnTest.java index f8d8a56b57c0..4ccf79a0cb37 100644 --- a/tests/net/java/com/android/server/connectivity/VpnTest.java +++ b/tests/net/java/com/android/server/connectivity/VpnTest.java @@ -199,6 +199,8 @@ public class VpnTest { when(mContext.getString(R.string.config_customVpnAlwaysOnDisconnectedDialogComponent)) .thenReturn(Resources.getSystem().getString( R.string.config_customVpnAlwaysOnDisconnectedDialogComponent)); + when(mPackageManager.hasSystemFeature(PackageManager.FEATURE_IPSEC_TUNNELS)) + .thenReturn(true); when(mSystemServices.isCallerSystem()).thenReturn(true); // Used by {@link Notification.Builder} @@ -731,6 +733,20 @@ public class VpnTest { } @Test + public void testProvisionVpnProfileNoIpsecTunnels() throws Exception { + when(mPackageManager.hasSystemFeature(PackageManager.FEATURE_IPSEC_TUNNELS)) + .thenReturn(false); + final Vpn vpn = createVpnAndSetupUidChecks(AppOpsManager.OP_ACTIVATE_PLATFORM_VPN); + + try { + checkProvisionVpnProfile( + vpn, true /* expectedResult */, AppOpsManager.OP_ACTIVATE_PLATFORM_VPN); + fail("Expected exception due to missing feature"); + } catch (UnsupportedOperationException expected) { + } + } + + @Test public void testProvisionVpnProfilePreconsented() throws Exception { final Vpn vpn = createVpnAndSetupUidChecks(AppOpsManager.OP_ACTIVATE_PLATFORM_VPN); |