From 4fbb5919e2a26f94b11233e30d4c19bdc3cd5b01 Mon Sep 17 00:00:00 2001
From: Richard MacGregor <rmacgregor@google.com>
Date: Thu, 5 Dec 2024 12:13:45 -0800
Subject: Ensure cross-user roles are not available for private space
 profile/user

Relnote: N/A
Flag: com.android.permission.flags.cross_user_role_enabled
Bug: 382514430
Test: atest RoleManagerMultiUserTest
Change-Id: I78abf982c1c633db366fb4951f3ff6fde8c6612c
---
 .../java/com/android/role/controller/model/Role.java  |  6 ++++++
 .../app/rolemultiuser/cts/RoleManagerMultiUserTest.kt | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/PermissionController/role-controller/java/com/android/role/controller/model/Role.java b/PermissionController/role-controller/java/com/android/role/controller/model/Role.java
index c551c37dc..c4ed99be1 100644
--- a/PermissionController/role-controller/java/com/android/role/controller/model/Role.java
+++ b/PermissionController/role-controller/java/com/android/role/controller/model/Role.java
@@ -472,6 +472,12 @@ public class Role {
         if (!isAvailableByFeatureFlagAndSdkVersion()) {
             return false;
         }
+
+        if (getExclusivity() == EXCLUSIVITY_PROFILE_GROUP
+                && UserUtils.isPrivateProfile(user, context)) {
+            return false;
+        }
+
         if (mBehavior != null) {
             boolean isAvailableAsUser = mBehavior.isAvailableAsUser(this, user, context);
             // Ensure that cross-user role is only available if also available for
diff --git a/tests/cts/rolemultiuser/src/android/app/rolemultiuser/cts/RoleManagerMultiUserTest.kt b/tests/cts/rolemultiuser/src/android/app/rolemultiuser/cts/RoleManagerMultiUserTest.kt
index 80507d0c8..134f45131 100644
--- a/tests/cts/rolemultiuser/src/android/app/rolemultiuser/cts/RoleManagerMultiUserTest.kt
+++ b/tests/cts/rolemultiuser/src/android/app/rolemultiuser/cts/RoleManagerMultiUserTest.kt
@@ -75,6 +75,25 @@ class RoleManagerMultiUserTest {
         uninstallAppForAllUsers()
     }
 
+    @RequireFlagsEnabled(com.android.permission.flags.Flags.FLAG_CROSS_USER_ROLE_ENABLED)
+    @EnsureHasPermission(INTERACT_ACROSS_USERS_FULL, MANAGE_ROLE_HOLDERS)
+    @EnsureHasWorkProfile(installInstrumentedApp = OptionalBoolean.TRUE)
+    @EnsureHasPrivateProfile(installInstrumentedApp = OptionalBoolean.TRUE)
+    @RequireRunOnPrimaryUser
+    @Test
+    @Throws(Exception::class)
+    fun isAvailableAsUserForProfileGroupExclusiveRole() {
+        val workProfileRoleManager = getRoleManagerForUser(deviceState.workProfile().userHandle())
+        val privateProfileRoleManager =
+            getRoleManagerForUser(deviceState.privateProfile().userHandle())
+
+        assertThat(roleManager.isRoleAvailable(PROFILE_GROUP_EXCLUSIVITY_ROLE_NAME)).isTrue()
+        assertThat(workProfileRoleManager.isRoleAvailable(PROFILE_GROUP_EXCLUSIVITY_ROLE_NAME))
+            .isTrue()
+        assertThat(privateProfileRoleManager.isRoleAvailable(PROFILE_GROUP_EXCLUSIVITY_ROLE_NAME))
+            .isFalse()
+    }
+
     @RequireFlagsEnabled(com.android.permission.flags.Flags.FLAG_CROSS_USER_ROLE_ENABLED)
     @EnsureHasPermission(INTERACT_ACROSS_USERS_FULL, MANAGE_ROLE_HOLDERS)
     @Test
-- 
cgit v1.2.3-59-g8ed1b