diff options
9 files changed, 177 insertions, 64 deletions
diff --git a/PermissionController/src/com/android/permissioncontroller/permission/utils/PermissionMapping.kt b/PermissionController/src/com/android/permissioncontroller/permission/utils/PermissionMapping.kt index 7f714e083..7ab05b93d 100644 --- a/PermissionController/src/com/android/permissioncontroller/permission/utils/PermissionMapping.kt +++ b/PermissionController/src/com/android/permissioncontroller/permission/utils/PermissionMapping.kt @@ -27,6 +27,7 @@ import android.util.Log import com.android.modules.utils.build.SdkLevel import com.android.permission.safetylabel.DataCategoryConstants import com.android.permissioncontroller.permission.model.livedatatypes.LightAppPermGroup +import com.android.permissioncontroller.permission.utils.v31.AdminRestrictedPermissionsUtils /** * This file contains the canonical mapping of permission to permission group, used in the @@ -332,6 +333,9 @@ object PermissionMapping { PLATFORM_PERMISSIONS[permission] = HEALTH_PERMISSION_GROUP PLATFORM_PERMISSION_GROUPS[HEALTH_PERMISSION_GROUP]?.add(permission) HEALTH_PERMISSIONS_SET.add(permission) + if (Flags.replaceBodySensorPermissionEnabled()) { + AdminRestrictedPermissionsUtils.addAdminRestrictedPermission(permission) + } } } diff --git a/PermissionController/src/com/android/permissioncontroller/permission/utils/v31/AdminRestrictedPermissionsUtils.java b/PermissionController/src/com/android/permissioncontroller/permission/utils/v31/AdminRestrictedPermissionsUtils.java index 4fde616e3..a3b885752 100644 --- a/PermissionController/src/com/android/permissioncontroller/permission/utils/v31/AdminRestrictedPermissionsUtils.java +++ b/PermissionController/src/com/android/permissioncontroller/permission/utils/v31/AdminRestrictedPermissionsUtils.java @@ -54,6 +54,12 @@ public final class AdminRestrictedPermissionsUtils { if (SdkLevel.isAtLeastT()) { ADMIN_RESTRICTED_SENSORS_PERMISSIONS.add(Manifest.permission.BODY_SENSORS_BACKGROUND); } + + } + + /** Adds a new permission to the list of admin restricted permissions. */ + public static void addAdminRestrictedPermission(String permission) { + ADMIN_RESTRICTED_SENSORS_PERMISSIONS.add(permission); } /** @@ -91,7 +97,6 @@ public final class AdminRestrictedPermissionsUtils { boolean isAdminRestrictedSensorPermissionGroup = permissionGroup != null && PermissionMapping.getPlatformPermissionNamesOfGroup(permissionGroup).stream() .anyMatch(ADMIN_RESTRICTED_SENSORS_PERMISSIONS::contains); - if (!ADMIN_RESTRICTED_SENSORS_PERMISSIONS.contains(permission) && !isAdminRestrictedSensorPermissionGroup) { return true; diff --git a/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/util/ArrayUtilsTest.kt b/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/utils/ArrayUtilsTest.kt index c7b9ad823..6590a4516 100644 --- a/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/util/ArrayUtilsTest.kt +++ b/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/utils/ArrayUtilsTest.kt @@ -14,10 +14,9 @@ * limitations under the License. */ -package com.android.permissioncontroller.permission.util +package com.android.permissioncontroller.permission.utils import androidx.arch.core.executor.testing.InstantTaskExecutorRule -import com.android.permissioncontroller.permission.utils.ArrayUtils import com.google.common.truth.Truth.assertThat import org.junit.Rule import org.junit.Test diff --git a/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/util/CollectionUtilsTest.kt b/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/utils/CollectionUtilsTest.kt index 627d19474..771f4ab6e 100644 --- a/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/util/CollectionUtilsTest.kt +++ b/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/utils/CollectionUtilsTest.kt @@ -14,10 +14,9 @@ * limitations under the License. */ -package com.android.permissioncontroller.permission.util +package com.android.permissioncontroller.permission.utils import androidx.arch.core.executor.testing.InstantTaskExecutorRule -import com.android.permissioncontroller.permission.utils.CollectionUtils import com.google.common.truth.Truth.assertThat import org.junit.Rule import org.junit.Test diff --git a/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/util/KotlinUtilsTest.kt b/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/utils/KotlinUtilsTest.kt index 34c351683..2c8eefcd3 100644 --- a/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/util/KotlinUtilsTest.kt +++ b/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/utils/KotlinUtilsTest.kt @@ -14,7 +14,7 @@ * limitations under the License. */ -package com.android.permissioncontroller.permission.util +package com.android.permissioncontroller.permission.utils import android.Manifest.permission.READ_MEDIA_IMAGES import android.Manifest.permission.READ_MEDIA_VIDEO @@ -33,7 +33,6 @@ import android.graphics.drawable.Drawable import androidx.arch.core.executor.testing.InstantTaskExecutorRule import androidx.test.ext.junit.runners.AndroidJUnit4 import androidx.test.platform.app.InstrumentationRegistry -import com.android.permissioncontroller.permission.utils.KotlinUtils import com.google.common.truth.Truth.assertThat import kotlin.test.assertFailsWith import org.junit.Rule diff --git a/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/util/PermissionMappingTest.kt b/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/utils/PermissionMappingTest.kt index 29b4e1c4e..cf349b8d4 100644 --- a/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/util/PermissionMappingTest.kt +++ b/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/utils/PermissionMappingTest.kt @@ -14,7 +14,7 @@ * limitations under the License. */ -package com.android.permissioncontroller.permission.util +package com.android.permissioncontroller.permission.utils import android.Manifest import android.app.AppOpsManager @@ -28,8 +28,6 @@ import android.platform.test.flag.junit.DeviceFlagsValueProvider import androidx.arch.core.executor.testing.InstantTaskExecutorRule import androidx.test.ext.junit.runners.AndroidJUnit4 import androidx.test.filters.SdkSuppress -import com.android.permissioncontroller.permission.utils.PermissionMapping -import com.android.permissioncontroller.permission.utils.Utils; import com.google.common.truth.Truth.assertThat import org.junit.Assert.assertNotNull import org.junit.Assert.assertNull diff --git a/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/util/UtilsTest.kt b/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/utils/UtilsTest.kt index 1cfe6a5d3..8cc6b952c 100644 --- a/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/util/UtilsTest.kt +++ b/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/utils/UtilsTest.kt @@ -14,7 +14,7 @@ * limitations under the License. */ -package com.android.permissioncontroller.permission.util +package com.android.permissioncontroller.permission.utils import android.Manifest.permission.BODY_SENSORS import android.Manifest.permission.BODY_SENSORS_BACKGROUND @@ -52,7 +52,6 @@ import androidx.test.platform.app.InstrumentationRegistry import com.android.permissioncontroller.Constants.EXTRA_SESSION_ID import com.android.permissioncontroller.Constants.INVALID_SESSION_ID import com.android.permissioncontroller.R -import com.android.permissioncontroller.permission.utils.Utils import com.android.permissioncontroller.privacysources.WorkPolicyInfo import com.google.common.truth.Truth.assertThat import kotlin.test.assertFailsWith diff --git a/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/utils/v31/AdminRestrictedPermissionsUtilsTest.kt b/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/utils/v31/AdminRestrictedPermissionsUtilsTest.kt new file mode 100644 index 000000000..b1ac6095d --- /dev/null +++ b/PermissionController/tests/inprocess/src/com/android/permissioncontroller/permission/utils/v31/AdminRestrictedPermissionsUtilsTest.kt @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2025 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.android.permissioncontroller.permission.utils.v31 + +import android.app.admin.DevicePolicyManager +import android.content.Context +import android.health.connect.HealthConnectManager +import android.health.connect.HealthPermissions +import android.os.Build +import android.permission.flags.Flags +import android.platform.test.annotations.RequiresFlagsEnabled +import android.platform.test.flag.junit.CheckFlagsRule +import android.platform.test.flag.junit.DeviceFlagsValueProvider +import androidx.test.core.app.ApplicationProvider +import androidx.test.ext.junit.runners.AndroidJUnit4 +import androidx.test.filters.SdkSuppress +import org.junit.Assert.assertEquals +import org.junit.Rule +import org.junit.Test +import org.junit.runner.RunWith +import org.mockito.Mockito.mock + +@RunWith(AndroidJUnit4::class) +class AdminRestrictedPermissionsUtilsTest { + + @JvmField @Rule val checkFlagsRule = DeviceFlagsValueProvider.createCheckFlagsRule() + + private val context: Context = ApplicationProvider.getApplicationContext() + private val dpm: DevicePolicyManager = mock(DevicePolicyManager::class.java) + + @SdkSuppress(minSdkVersion = Build.VERSION_CODES.BAKLAVA) + @RequiresFlagsEnabled(Flags.FLAG_REPLACE_BODY_SENSOR_PERMISSION_ENABLED) + @Test + fun mayAdminGrantPermission_healthPermissions_restricted() { + val permissions: Set<String> = HealthConnectManager.getHealthPermissions(context) + for (permission in permissions) { + val canGrant = + AdminRestrictedPermissionsUtils.mayAdminGrantPermission( + permission, + HealthPermissions.HEALTH_PERMISSION_GROUP, + /* canAdminGrantSensorsPermissions= */ false, + /* isManagedProfile= */ false, + dpm, + ) + assertEquals(false, canGrant) + } + } +} diff --git a/PermissionController/tests/mocking/src/com/android/permissioncontroller/tests/mocking/permission/utils/AdminRestrictedPermissionsUtilsTest.kt b/PermissionController/tests/mocking/src/com/android/permissioncontroller/tests/mocking/permission/utils/AdminRestrictedPermissionsUtilsTest.kt index 0c864da4a..2a60e1325 100644 --- a/PermissionController/tests/mocking/src/com/android/permissioncontroller/tests/mocking/permission/utils/AdminRestrictedPermissionsUtilsTest.kt +++ b/PermissionController/tests/mocking/src/com/android/permissioncontroller/tests/mocking/permission/utils/AdminRestrictedPermissionsUtilsTest.kt @@ -17,75 +17,123 @@ package com.android.permissioncontroller.tests.mocking.permission.utils import android.app.admin.DevicePolicyManager +import android.content.Context +import android.health.connect.HealthPermissions +import android.permission.flags.Flags import android.platform.test.annotations.AsbSecurityTest +import android.platform.test.annotations.RequiresFlagsEnabled +import android.platform.test.flag.junit.DeviceFlagsValueProvider +import androidx.test.core.app.ApplicationProvider +import androidx.test.ext.junit.runners.AndroidJUnit4 import com.android.modules.utils.build.SdkLevel import com.android.permissioncontroller.permission.utils.v31.AdminRestrictedPermissionsUtils import org.junit.Assert.assertEquals import org.junit.Assume import org.junit.Before +import org.junit.Rule import org.junit.Test +import org.junit.experimental.runners.Enclosed import org.junit.runner.RunWith import org.junit.runners.Parameterized import org.mockito.Mockito.mock -@RunWith(Parameterized::class) -class AdminRestrictedPermissionsUtilsTest( - private val permission: String, - private val group: String?, - private val canAdminGrantSensorsPermissions: Boolean, - private val expected: Boolean -) { +@RunWith(Enclosed::class) +object AdminRestrictedPermissionsUtilsTest { + + @get:Rule val checkFlagsRule = DeviceFlagsValueProvider.createCheckFlagsRule() + + private val context: Context = ApplicationProvider.getApplicationContext() private val dpm: DevicePolicyManager = mock(DevicePolicyManager::class.java) - @Before - fun setup() { - Assume.assumeTrue(SdkLevel.isAtLeastS()) - } + @RunWith(Parameterized::class) + class AdminRestrictedPermissionsUtilsParameterizedTest( + private val permission: String, + private val group: String?, + private val canAdminGrantSensorsPermissions: Boolean, + private val expected: Boolean, + ) { - @AsbSecurityTest(cveBugId = [308138085]) - @Test - fun mayAdminGrantPermissionTest() { - val canGrant = - AdminRestrictedPermissionsUtils.mayAdminGrantPermission( - permission, - group, - canAdminGrantSensorsPermissions, - false, - dpm - ) - assertEquals(expected, canGrant) - } + @Before + fun setup() { + Assume.assumeTrue(SdkLevel.isAtLeastS()) + } - companion object { - /** - * Returns a list of arrays containing the following values: - * - * 0. Permission name (String) - * 1. Permission group name (String) - * 2. Can admin grant sensors permissions (Boolean) - * 3. Expected return from mayAdminGrantPermission method (Boolean) - */ - @JvmStatic - @Parameterized.Parameters(name = "{index}: validate({0}, {1}, {3}) = {4}") - fun getParameters(): List<Array<out Any?>> { - return listOf( - arrayOf("abc", "xyz", false, true), - arrayOf("abc", null, false, true), - arrayOf("android.permission.RECORD_AUDIO", "xyz", false, false), - arrayOf("abc", "android.permission-group.MICROPHONE", false, false), - arrayOf( - "android.permission.RECORD_AUDIO", - "android.permission-group.MICROPHONE", + @AsbSecurityTest(cveBugId = [308138085]) + @Test + fun mayAdminGrantPermissionTest() { + val canGrant = + AdminRestrictedPermissionsUtils.mayAdminGrantPermission( + permission, + group, + canAdminGrantSensorsPermissions, false, - false - ), - arrayOf( - "android.permission.RECORD_AUDIO", - "android.permission-group.MICROPHONE", - true, - true - ), + dpm, + ) + assertEquals(expected, canGrant) + } + + companion object { + /** + * Returns a list of arrays containing the following values: + * 0. Permission name (String) + * 1. Permission group name (String) + * 2. Can admin grant sensors permissions (Boolean) + * 3. Expected return from mayAdminGrantPermission method (Boolean) + */ + @JvmStatic + @Parameterized.Parameters(name = "{index}: validate({0}, {1}, {3}) = {4}") + fun getParameters(): List<Array<out Any?>> { + return listOf( + arrayOf("abc", "xyz", false, true), + arrayOf("abc", null, false, true), + arrayOf("android.permission.RECORD_AUDIO", "xyz", false, false), + arrayOf("abc", "android.permission-group.MICROPHONE", false, false), + arrayOf( + "android.permission.RECORD_AUDIO", + "android.permission-group.MICROPHONE", + false, + false, + ), + arrayOf( + "android.permission.RECORD_AUDIO", + "android.permission-group.MICROPHONE", + true, + true, + ), + ) + } + } + } + + @RunWith(AndroidJUnit4::class) + class AdminRestrictedPermissionsUtilsSingleTest { + + @Test + @RequiresFlagsEnabled(Flags.FLAG_REPLACE_BODY_SENSOR_PERMISSION_ENABLED) + fun addAdminRestrictedPermission_addsPermissionToRestrictedList() { + var canGrant = + AdminRestrictedPermissionsUtils.mayAdminGrantPermission( + HealthPermissions.READ_HEART_RATE, + HealthPermissions.HEALTH_PERMISSION_GROUP, + /* canAdminGrantSensorsPermissions= */ false, + /* isManagedProfile= */ false, + dpm, + ) + assertEquals(true, canGrant) + + AdminRestrictedPermissionsUtils.addAdminRestrictedPermission( + HealthPermissions.READ_HEART_RATE ) + + canGrant = + AdminRestrictedPermissionsUtils.mayAdminGrantPermission( + HealthPermissions.READ_HEART_RATE, + HealthPermissions.HEALTH_PERMISSION_GROUP, + /* canAdminGrantSensorsPermissions= */ false, + /* isManagedProfile= */ false, + dpm, + ) + assertEquals(false, canGrant) } } } |