author | 2025-02-03 16:59:58 -0800 | |
---|---|---|
committer | 2025-02-04 12:53:17 -0800 | |
commit | 5e30868b5c2e80805a98a84a78505a0675d619c8 (patch) | |
tree | 3a741723b34c4a9ac7657f767db7d0111295ced6 | |
parent | 6dfdb7d5fe86129285f57f8cc662b395e6d82d68 (diff) |
AdminRestrictedPermissions: Add Health Permissions.
Adds the health permissions to the list of those that are admin-
restricted.
Bug: 375599258
Flag: android.permission.flags.replace_body_sensor_permission_enabled
Change-Id: I6c7a3f9c522c8cb13351bc72f6e571f95d54b0f0
Test: atest GooglePermissionControllerInProcessTests
Relnote: Adds health permission to admin restricted list.
4 files changed, 173 insertions, 53 deletions
diff --git a/PermissionController/src/com/android/permissioncontroller/permission/utils/PermissionMapping.kt b/PermissionController/src/com/android/permissioncontroller/permission/utils/PermissionMapping.kt
index 7f714e083..7ab05b93d 100644
--- a/PermissionController/src/com/android/permissioncontroller/permission/utils/PermissionMapping.kt
+++ b/PermissionController/src/com/android/permissioncontroller/permission/utils/PermissionMapping.kt
@@ -27,6 +27,7 @@ import android.util.Log
 import com.android.modules.utils.build.SdkLevel
 import com.android.permission.safetylabel.DataCategoryConstants
 import com.android.permissioncontroller.permission.model.livedatatypes.LightAppPermGroup
+import com.android.permissioncontroller.permission.utils.v31.AdminRestrictedPermissionsUtils
 /**
 * This file contains the canonical mapping of permission to permission group, used in the
@@ -332,6 +333,9 @@ object PermissionMapping {
 PLATFORM_PERMISSIONS[permission] = HEALTH_PERMISSION_GROUP
 PLATFORM_PERMISSION_GROUPS[HEALTH_PERMISSION_GROUP]?.add(permission)
 HEALTH_PERMISSIONS_SET.add(permission)
+ if (Flags.replaceBodySensorPermissionEnabled()) {
+ AdminRestrictedPermissionsUtils.addAdminRestrictedPermission(permission)
+ }
 }
 }
diff --git a/PermissionController/src/com/android/permissioncontroller/permission/utils/v31/AdminRestrictedPermissionsUtils.java b/PermissionController/src/com/android/permissioncontroller/permission/utils/v31/AdminRestrictedPermissionsUtils.java
index 4fde616e3..a3b885752 100644
--- a/PermissionController/src/com/android/permissioncontroller/permission/utils/v31/AdminRestrictedPermissionsUtils.java
+++ b/PermissionController/src/com/android/permissioncontroller/permission/utils/v31/AdminRestrictedPermissionsUtils.java
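Review bot: In the `@@ -332,6 +333,9 @@` hunk of PermissionMapping.kt, a health permission becomes admin-restricted only once this registration code has run, so any `mayAdminGrantPermission` call evaluated earlier treats it as unrestricted and the check fails open. The enclosing function starts and ends outside the hunk, so when it runs relative to device-admin grant decisions is not visible here and should be confirmed. If that ordering cannot be guaranteed, the safer shape is for the restriction check to trigger or wait for this registration itself. At minimum the new block deserves a comment such as `// Admin restriction for health permissions takes effect only after this runs; grant checks made earlier see them as unrestricted.`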
@@ -54,6 +54,12 @@ public final class AdminRestrictedPermissionsUtils {
 if (SdkLevel.isAtLeastT()) {
 ADMIN_RESTRICTED_SENSORS_PERMISSIONS.add(Manifest.permission.BODY_SENSORS_BACKGROUND);
 }
+
+ }
+
+ /** Adds a new permission to the list of admin restricted permissions. */
+ public static void addAdminRestrictedPermission(String permission) {
+ ADMIN_RESTRICTED_SENSORS_PERMISSIONS.add(permission);
 }
 /**
@@ -91,7 +97,6 @@ public final class AdminRestrictedPermissionsUtils {
 boolean isAdminRestrictedSensorPermissionGroup = permissionGroup != null
 && PermissionMapping.getPlatformPermissionNamesOfGroup(permissionGroup).stream()
 .anyMatch(ADMIN_RESTRICTED_SENSORS_PERMISSIONS::contains);
-
 if (!ADMIN_RESTRICTED_SENSORS_PERMISSIONS.contains(permission)
 && !isAdminRestrictedSensorPermissionGroup) {
 return true;
diff --git a/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/util/v31/AdminRestrictedPermissionsUtilsTest.kt b/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/util/v31/AdminRestrictedPermissionsUtilsTest.kt
new file mode 100644
index 000000000..dad0d6fea
--- /dev/null
+++ b/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/util/v31/AdminRestrictedPermissionsUtilsTest.kt
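Review bot: `addAdminRestrictedPermission` makes `ADMIN_RESTRICTED_SENSORS_PERMISSIONS` mutable after class initialisation while `mayAdminGrantPermission` reads it through `contains` and a stream `anyMatch`; the set's declaration is outside the hunk, so if it is not a concurrent collection, a write racing a grant check is unsynchronised and could throw or miss an entry. Consider a concurrent set or synchronising both paths, and reject null input with `Objects.requireNonNull(permission, "permission");` (needs `java.util.Objects`). The Javadoc should state that the method is add-only (no removal path appears in this hunk), that PermissionMapping calls it for health permissions, and that the set is no longer sensor-only despite its name. The first added line is a stray blank line before the static initializer's closing brace.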
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2025 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.permissioncontroller.permission.util.v31
+
+import android.app.admin.DevicePolicyManager
+import android.content.Context
+import android.health.connect.HealthConnectManager
+import android.health.connect.HealthPermissions
+import android.os.Build
+import android.permission.flags.Flags
+import android.platform.test.annotations.RequiresFlagsEnabled
+import android.platform.test.flag.junit.CheckFlagsRule
+import android.platform.test.flag.junit.DeviceFlagsValueProvider
+import androidx.test.core.app.ApplicationProvider
+import androidx.test.ext.junit.runners.AndroidJUnit4
+import androidx.test.filters.SdkSuppress
+import com.android.permissioncontroller.permission.utils.v31.AdminRestrictedPermissionsUtils
+import org.junit.Assert.assertEquals
+import org.junit.Rule
+import org.junit.Test
+import org.junit.runner.RunWith
+import org.mockito.Mockito.mock
+
+@RunWith(AndroidJUnit4::class)
+class AdminRestrictedPermissionsUtilsTest {
+
+ @JvmField @Rule val checkFlagsRule = DeviceFlagsValueProvider.createCheckFlagsRule()
+
+ private val context: Context = ApplicationProvider.getApplicationContext()
+ private val dpm: DevicePolicyManager = mock(DevicePolicyManager::class.java)
+
+ @SdkSuppress(minSdkVersion = Build.VERSION_CODES.BAKLAVA)
+ @RequiresFlagsEnabled(Flags.FLAG_REPLACE_BODY_SENSOR_PERMISSION_ENABLED)
+ @Test
+ fun mayAdminGrantPermission_healthPermissions_restricted() {
+ val permissions: Set<String> = HealthConnectManager.getHealthPermissions(context)
+ for (permission in permissions) {
+ val canGrant =
+ AdminRestrictedPermissionsUtils.mayAdminGrantPermission(
+ permission,
+ HealthPermissions.HEALTH_PERMISSION_GROUP,
+ /* canAdminGrantSensorsPermissions= */ false,
+ /* isManagedProfile= */ false,
+ dpm,
+ )
+ assertEquals(false, canGrant)
+ }
+ }
+}
diff --git a/PermissionController/tests/mocking/src/com/android/permissioncontroller/tests/mocking/permission/utils/AdminRestrictedPermissionsUtilsTest.kt b/PermissionController/tests/mocking/src/com/android/permissioncontroller/tests/mocking/permission/utils/AdminRestrictedPermissionsUtilsTest.kt
index 0c864da4a..2a60e1325 100644
--- a/PermissionController/tests/mocking/src/com/android/permissioncontroller/tests/mocking/permission/utils/AdminRestrictedPermissionsUtilsTest.kt
+++ b/PermissionController/tests/mocking/src/com/android/permissioncontroller/tests/mocking/permission/utils/AdminRestrictedPermissionsUtilsTest.kt
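Review bot: `mayAdminGrantPermission_healthPermissions_restricted` passes vacuously when `HealthConnectManager.getHealthPermissions(context)` returns an empty set, because the only assertion sits inside the `for` loop; add `assertTrue(permissions.isNotEmpty())` before the loop (with the `org.junit.Assert.assertTrue` import). A failure would be easier to triage with the permission in the message, e.g. `assertEquals("admin grant of $permission", false, canGrant)`. Only `canAdminGrantSensorsPermissions = false` is exercised, so the test does not pin whether health permissions follow the same opt-in as the sensor permissions when that argument is `true`.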
@@ -17,75 +17,123 @@
 package com.android.permissioncontroller.tests.mocking.permission.utils
 import android.app.admin.DevicePolicyManager
+import android.content.Context
+import android.health.connect.HealthPermissions
+import android.permission.flags.Flags
 import android.platform.test.annotations.AsbSecurityTest
+import android.platform.test.annotations.RequiresFlagsEnabled
+import android.platform.test.flag.junit.DeviceFlagsValueProvider
+import androidx.test.core.app.ApplicationProvider
+import androidx.test.ext.junit.runners.AndroidJUnit4
 import com.android.modules.utils.build.SdkLevel
 import com.android.permissioncontroller.permission.utils.v31.AdminRestrictedPermissionsUtils
 import org.junit.Assert.assertEquals
 import org.junit.Assume
 import org.junit.Before
+import org.junit.Rule
 import org.junit.Test
+import org.junit.experimental.runners.Enclosed
 import org.junit.runner.RunWith
 import org.junit.runners.Parameterized
 import org.mockito.Mockito.mock
-@RunWith(Parameterized::class)
-class AdminRestrictedPermissionsUtilsTest(
- private val permission: String,
- private val group: String?,
- private val canAdminGrantSensorsPermissions: Boolean,
- private val expected: Boolean
-) {
+@RunWith(Enclosed::class)
+object AdminRestrictedPermissionsUtilsTest {
+
+ @get:Rule val checkFlagsRule = DeviceFlagsValueProvider.createCheckFlagsRule()
+
+ private val context: Context = ApplicationProvider.getApplicationContext()
 private val dpm: DevicePolicyManager = mock(DevicePolicyManager::class.java)
- @Before
- fun setup() {
- Assume.assumeTrue(SdkLevel.isAtLeastS())
- }
+ @RunWith(Parameterized::class)
+ class AdminRestrictedPermissionsUtilsParameterizedTest(
+ private val permission: String,
+ private val group: String?,
+ private val canAdminGrantSensorsPermissions: Boolean,
+ private val expected: Boolean,
+ ) {
- @AsbSecurityTest(cveBugId = [308138085])
- @Test
- fun mayAdminGrantPermissionTest() {
- val canGrant =
- AdminRestrictedPermissionsUtils.mayAdminGrantPermission(
- permission,
- group,
- canAdminGrantSensorsPermissions,
- false,
- dpm
- )
- assertEquals(expected, canGrant)
- }
+ @Before
+ fun setup() {
+ Assume.assumeTrue(SdkLevel.isAtLeastS())
+ }
- companion object {
- /**
- * Returns a list of arrays containing the following values:
- *
- * 0. Permission name (String)
- * 1. Permission group name (String)
- * 2. Can admin grant sensors permissions (Boolean)
- * 3. Expected return from mayAdminGrantPermission method (Boolean)
- */
- @JvmStatic
- @Parameterized.Parameters(name = "{index}: validate({0}, {1}, {3}) = {4}")
- fun getParameters(): List<Array<out Any?>> {
- return listOf(
- arrayOf("abc", "xyz", false, true),
- arrayOf("abc", null, false, true),
- arrayOf("android.permission.RECORD_AUDIO", "xyz", false, false),
- arrayOf("abc", "android.permission-group.MICROPHONE", false, false),
- arrayOf(
- "android.permission.RECORD_AUDIO",
- "android.permission-group.MICROPHONE",
+ @AsbSecurityTest(cveBugId = [308138085])
+ @Test
+ fun mayAdminGrantPermissionTest() {
+ val canGrant =
+ AdminRestrictedPermissionsUtils.mayAdminGrantPermission(
+ permission,
+ group,
+ canAdminGrantSensorsPermissions,
 false,
- false
- ),
- arrayOf(
- "android.permission.RECORD_AUDIO",
- "android.permission-group.MICROPHONE",
- true,
- true
- ),
+ dpm,
+ )
+ assertEquals(expected, canGrant)
+ }
+
+ companion object {
+ /**
+ * Returns a list of arrays containing the following values:
+ * 0. Permission name (String)
+ * 1. Permission group name (String)
+ * 2. Can admin grant sensors permissions (Boolean)
+ * 3. Expected return from mayAdminGrantPermission method (Boolean)
+ */
+ @JvmStatic
+ @Parameterized.Parameters(name = "{index}: validate({0}, {1}, {3}) = {4}")
+ fun getParameters(): List<Array<out Any?>> {
+ return listOf(
+ arrayOf("abc", "xyz", false, true),
+ arrayOf("abc", null, false, true),
+ arrayOf("android.permission.RECORD_AUDIO", "xyz", false, false),
+ arrayOf("abc", "android.permission-group.MICROPHONE", false, false),
+ arrayOf(
+ "android.permission.RECORD_AUDIO",
+ "android.permission-group.MICROPHONE",
+ false,
+ false,
+ ),
+ arrayOf(
+ "android.permission.RECORD_AUDIO",
+ "android.permission-group.MICROPHONE",
+ true,
+ true,
+ ),
+ )
+ }
+ }
+ }
+
+ @RunWith(AndroidJUnit4::class)
+ class AdminRestrictedPermissionsUtilsSingleTest {
+
+ @Test
+ @RequiresFlagsEnabled(Flags.FLAG_REPLACE_BODY_SENSOR_PERMISSION_ENABLED)
+ fun addAdminRestrictedPermission_addsPermissionToRestrictedList() {
+ var canGrant =
+ AdminRestrictedPermissionsUtils.mayAdminGrantPermission(
+ HealthPermissions.READ_HEART_RATE,
+ HealthPermissions.HEALTH_PERMISSION_GROUP,
+ /* canAdminGrantSensorsPermissions= */ false,
+ /* isManagedProfile= */ false,
+ dpm,
+ )
+ assertEquals(true, canGrant)
+
+ AdminRestrictedPermissionsUtils.addAdminRestrictedPermission(
+ HealthPermissions.READ_HEART_RATE
 )
+
+ canGrant =
+ AdminRestrictedPermissionsUtils.mayAdminGrantPermission(
+ HealthPermissions.READ_HEART_RATE,
+ HealthPermissions.HEALTH_PERMISSION_GROUP,
+ /* canAdminGrantSensorsPermissions= */ false,
+ /* isManagedProfile= */ false,
+ dpm,
+ )
+ assertEquals(false, canGrant)
 }
 }
 } |
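Review bot: `checkFlagsRule` is declared on the outer `object`, but JUnit 4 collects rules from the test class it actually runs, so under the `Enclosed` runner it is not applied to `AdminRestrictedPermissionsUtilsSingleTest` and the `@RequiresFlagsEnabled` on `addAdminRestrictedPermission_addsPermissionToRestrictedList` is not enforced; declare the rule inside the nested class, `@get:Rule val checkFlagsRule = DeviceFlagsValueProvider.createCheckFlagsRule()`. That test also mutates the process-wide restricted set without restoring it, and its first `assertEquals(true, canGrant)` assumes `READ_HEART_RATE` has not been registered yet, which looks order-dependent if PermissionMapping has already registered health permissions in the same process. The carried-over `name = "{index}: validate({0}, {1}, {3}) = {4}"` references a fifth parameter that does not exist; `validate({0}, {1}, {2}) = {3}` matches the four constructor arguments. The outer `context` property appears unused in this hunk.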