Delegation-aware TestDPC

Rubin Xu · Rubin Xu · commit e2d3ec468284 · 2018-12-06T15:28:42.000Z
Mark some of the preferences available when TestDPC is not a DO/PO, but has the
appropriate delegation capabilities. Fix calls to DPM so TestDPC can call these
APIs as a delegated app (passing null as admin argument). Also make the
delegation fragment show the current delegations TestDPC has if it's no DO/PO.

To use this functionality, you should install the TestDPC-replica app alongside
the normal TestDPC as DO/PO, grant delegation to TestDPC-replica, and use it
to test the delegated functonalities.

Bug: 112982695
Test: manual
Change-Id: I630f532320f3ea37e37a3b3011a01e9611ca8f37
diff --git a/app/src/main/java/com/afwsamples/testdpc/common/ManageAppFragment.java b/app/src/main/java/com/afwsamples/testdpc/common/ManageAppFragment.java
@@ -46,6 +46,14 @@ protected SpinnerAdapter createSpinnerAdapter() {
                 managedAppList);
     }
 
+    /**
+     * Additionally filter apps returned in the list, return {@code true} to keep the app in the
+     * list, {@code false} to exclude it.
+     */
+    protected boolean filterApp(ApplicationInfo info) {
+        return true;
+    }
+
     private List<ApplicationInfo> getInstalledOrLaunchableApps() {
         List<ApplicationInfo> installedApps = mPackageManager.getInstalledApplications(
                 0 /* Default flags */);
@@ -54,7 +62,9 @@ private List<ApplicationInfo> getInstalledOrLaunchableApps() {
             if (mPackageManager.getLaunchIntentForPackage(applicationInfo.packageName) != null
                     || (applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) == 0
                     || WHITELISTED_APPS.contains(applicationInfo.packageName)) {
-                filteredAppList.add(applicationInfo);
+                if (filterApp(applicationInfo)) {
+                    filteredAppList.add(applicationInfo);
+                }
             }
         }
         return filteredAppList;
diff --git a/app/src/main/java/com/afwsamples/testdpc/common/Util.java b/app/src/main/java/com/afwsamples/testdpc/common/Util.java
@@ -259,4 +259,13 @@ private static DevicePolicyManager getDevicePolicyManager(Context context) {
         return (DevicePolicyManager)context.getSystemService(Service.DEVICE_POLICY_SERVICE);
     }
 
+    public static boolean hasDelegation(Context context, String delegation) {
+        if (Build.VERSION.SDK_INT < VERSION_CODES.O) {
+            return false;
+        }
+        DevicePolicyManager dpm = context.getSystemService(DevicePolicyManager.class);
+        return dpm.getDelegatedScopes(null, context.getPackageName()).contains(delegation);
+    }
+
+
 }
diff --git a/app/src/main/java/com/afwsamples/testdpc/common/preference/DpcPreferenceHelper.java b/app/src/main/java/com/afwsamples/testdpc/common/preference/DpcPreferenceHelper.java
@@ -35,6 +35,7 @@
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 
 /**
@@ -84,6 +85,7 @@ public class DpcPreferenceHelper {
     private int mMinSdkVersion;
     private @AdminKind int mAdminConstraint;
     private @UserKind int mUserConstraint;
+    private String mDelegationConstraint;
 
     /**
      * Update this method as {@link Build.VERSION_CODES} and Android releases are updated.
@@ -118,7 +120,7 @@ public DpcPreferenceHelper(Context context, Preference preference, AttributeSet
         mAdminConstraint = a.getInt(R.styleable.DpcPreference_admin, ADMIN_DEFAULT);
         // noinspection ResourceType
         mUserConstraint = a.getInt(R.styleable.DpcPreference_user, USER_DEFAULT);
-
+        mDelegationConstraint = a.getString(R.styleable.DpcPreference_delegation);
         a.recycle();
     }
 
@@ -223,7 +225,7 @@ private CharSequence findConstraintViolation() {
             return mContext.getString(R.string.requires_android_api_level, mMinSdkVersion);
         }
 
-        if (!isEnabledForAdmin(getCurrentAdmin())) {
+        if (!isSufficientlyPrivileged(getCurrentAdmin(), getCurrentDelegations())) {
             return getAdminConstraintSummary();
         }
 
@@ -254,23 +256,40 @@ private int getCurrentAdmin() {
         return ADMIN_NONE;
     }
 
+    private List<String> getCurrentDelegations() {
+        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) {
+            return Collections.EMPTY_LIST;
+        }
+        final DevicePolicyManager dpm =
+                (DevicePolicyManager) mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);
+        final String packageName = mContext.getPackageName();
+            return dpm.getDelegatedScopes(null, packageName);
+    }
+
     private int getCurrentUser() {
         if (Util.isPrimaryUser(mContext)) {
             return USER_PRIMARY_USER;
         }
 
         if (Util.isManagedProfileOwner(mContext)) {
-
             return USER_MANAGED_PROFILE;
         }
 
         return USER_SECONDARY_USER;
     }
 
+    private boolean isSufficientlyPrivileged(@AdminKind int admin, List<String> delegations) {
+        return isEnabledForAdmin(admin) || hasDelegation(delegations);
+    }
+
     private boolean isEnabledForAdmin(@AdminKind int admin) {
         return (mAdminConstraint & admin) == admin;
     }
 
+    private boolean hasDelegation(List<String> delegations) {
+        return delegations.contains(mDelegationConstraint);
+    }
+
     private boolean isEnabledForUser(@UserKind int user) {
         return (mUserConstraint & user) == user;
     }
@@ -284,7 +303,9 @@ private String getAdminConstraintSummary() {
         if (isEnabledForAdmin(ADMIN_PROFILE_OWNER)) {
             admins.add(mContext.getString(R.string.profile_owner));
         }
-
+        if (!TextUtils.isEmpty(mDelegationConstraint)) {
+            admins.add(mDelegationConstraint);
+        }
         return joinRequirementList(admins);
     }
 
diff --git a/app/src/main/java/com/afwsamples/testdpc/policy/PolicyManagementFragment.java b/app/src/main/java/com/afwsamples/testdpc/policy/PolicyManagementFragment.java
@@ -427,7 +427,11 @@ public class PolicyManagementFragment extends BaseSearchablePolicyPreferenceFrag
 
     @Override
     public void onCreate(Bundle savedInstanceState) {
-        mAdminComponentName = DeviceAdminReceiver.getComponentName(getActivity());
+        if (isDelegatedApp()) {
+            mAdminComponentName = null;
+        } else {
+            mAdminComponentName = DeviceAdminReceiver.getComponentName(getActivity());
+        }
         mDevicePolicyManager = (DevicePolicyManager) getActivity().getSystemService(
                 Context.DEVICE_POLICY_SERVICE);
         mUserManager = (UserManager) getActivity().getSystemService(Context.USER_SERVICE);
@@ -667,6 +671,14 @@ private void maybeDisableLockTaskPreferences() {
         }
     }
 
+    private boolean isDelegatedApp() {
+        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) {
+            return false;
+        }
+        DevicePolicyManager dpm = getActivity().getSystemService(DevicePolicyManager.class);
+        return !dpm.getDelegatedScopes(null, getActivity().getPackageName()).isEmpty();
+    }
+
     @Override
     public boolean isAvailable(Context context) {
         return true;
@@ -1287,7 +1299,7 @@ private void generateKeyPair(final String alias, boolean isUserSelectable,
                                  boolean useStrongBox) {
         new GenerateKeyAndCertificateTask(
                 alias, isUserSelectable, attestationChallenge, idAttestationFlags,
-                useStrongBox, getActivity()).execute();
+                useStrongBox, getActivity(), mAdminComponentName).execute();
     }
 
     /**
@@ -1952,6 +1964,8 @@ private void loadAppStatus() {
             appStatusStringId = R.string.this_is_a_profile_owner;
         } else if (mDevicePolicyManager.isDeviceOwnerApp(mPackageName)) {
             appStatusStringId = R.string.this_is_a_device_owner;
+        } else if (isDelegatedApp()) {
+            appStatusStringId = R.string.this_is_a_delegated_app;
         } else {
             appStatusStringId = R.string.this_is_not_an_admin;
         }
@@ -2521,7 +2535,7 @@ private void showBlockUninstallationPrompt() {
 
         final BlockUninstallationInfoArrayAdapter blockUninstallationInfoArrayAdapter
                 = new BlockUninstallationInfoArrayAdapter(getActivity(), R.id.pkg_name,
-                resolveInfoList);
+                resolveInfoList, mAdminComponentName);
         ListView listview = new ListView(getActivity());
         listview.setAdapter(blockUninstallationInfoArrayAdapter);
         listview.setOnItemClickListener(new AdapterView.OnItemClickListener() {
diff --git a/app/src/main/java/com/afwsamples/testdpc/policy/blockuninstallation/BlockUninstallationInfoArrayAdapter.java b/app/src/main/java/com/afwsamples/testdpc/policy/blockuninstallation/BlockUninstallationInfoArrayAdapter.java
@@ -16,6 +16,7 @@
 
 package com.afwsamples.testdpc.policy.blockuninstallation;
 
+import android.content.ComponentName;
 import android.content.Context;
 import android.content.pm.ApplicationInfo;
 import android.content.pm.PackageManager;
@@ -37,16 +38,18 @@
  */
 public class BlockUninstallationInfoArrayAdapter extends ToggleComponentsArrayAdapter {
 
+    private final ComponentName mAdminComponent;
+
     public BlockUninstallationInfoArrayAdapter(Context context, int resource,
-            List<ResolveInfo> resolveInfoList) {
+            List<ResolveInfo> resolveInfoList, ComponentName admin) {
         super(context, resource, resolveInfoList);
+        mAdminComponent = admin;
         setIsComponentEnabledList(createIsComponentEnabledList());
     }
 
     @Override
     public boolean isComponentEnabled(ResolveInfo resolveInfo) {
-        return mDevicePolicyManager.isUninstallBlocked(
-                DeviceAdminReceiver.getComponentName(getContext()),
+        return mDevicePolicyManager.isUninstallBlocked(mAdminComponent,
                 resolveInfo.resolvePackageName);
     }
 
@@ -59,8 +62,7 @@ public View getView(final int position, View convertView, ViewGroup parent) {
                     public void onClick(View v) {
                         boolean isBlocked = ((CheckBox) v).isChecked();
                         mIsComponentCheckedList.set(position, isBlocked);
-                        mDevicePolicyManager.setUninstallBlocked(
-                                DeviceAdminReceiver.getComponentName(getContext()),
+                        mDevicePolicyManager.setUninstallBlocked(mAdminComponent,
                                 getItem(position).resolvePackageName, isBlocked);
                     }
                 }
diff --git a/app/src/main/java/com/afwsamples/testdpc/policy/keymanagement/GenerateKeyAndCertificateTask.java b/app/src/main/java/com/afwsamples/testdpc/policy/keymanagement/GenerateKeyAndCertificateTask.java
@@ -68,14 +68,15 @@ public GenerateKeyAndCertificateTask(
             byte[] attestationChallenge,
             int idAttestationFlags,
             boolean useStrongBox,
-            Activity activity) {
+            Activity activity,
+            ComponentName admin) {
         mAlias = alias;
         mIsUserSelectable = isUserSelectable;
         mAttestationChallenge = attestationChallenge;
         mIdAttestationFlags = idAttestationFlags;
         mUseStrongBox = useStrongBox;
         mActivity = activity;
-        mAdminComponentName = DeviceAdminReceiver.getComponentName(activity);
+        mAdminComponentName = admin;
         mDevicePolicyManager =
                 (DevicePolicyManager) activity.getSystemService(Context.DEVICE_POLICY_SERVICE);
     }
diff --git a/app/src/main/java/com/afwsamples/testdpc/profilepolicy/apprestrictions/ManageAppRestrictionsFragment.java b/app/src/main/java/com/afwsamples/testdpc/profilepolicy/apprestrictions/ManageAppRestrictionsFragment.java
@@ -19,6 +19,7 @@
 import android.annotation.TargetApi;
 import android.app.Activity;
 import android.app.admin.DevicePolicyManager;
+import android.content.ComponentName;
 import android.content.Context;
 import android.content.Intent;
 import android.content.RestrictionEntry;
@@ -39,6 +40,7 @@
 import com.afwsamples.testdpc.common.EditDeleteArrayAdapter;
 import com.afwsamples.testdpc.common.ManageAppFragment;
 import com.afwsamples.testdpc.common.RestrictionManagerCompat;
+import com.afwsamples.testdpc.common.Util;
 import com.afwsamples.testdpc.common.keyvaluepair.KeyValuePairDialogFragment;
 
 import java.util.ArrayList;
@@ -60,6 +62,7 @@ public class ManageAppRestrictionsFragment extends ManageAppFragment
     private RestrictionsManager mRestrictionsManager;
     private EditDeleteArrayAdapter<RestrictionEntry> mAppRestrictionsArrayAdapter;
     private RestrictionEntry mEditingRestrictionEntry;
+    private ComponentName mAdminComponent;
 
     private static final int RESULT_CODE_EDIT_DIALOG = 1;
 
@@ -86,6 +89,11 @@ public void onCreate(Bundle savedInstanceState) {
                 Context.DEVICE_POLICY_SERVICE);
         mRestrictionsManager = (RestrictionsManager) getActivity().getSystemService(
                 Context.RESTRICTIONS_SERVICE);
+        if (Util.hasDelegation(getActivity(), DevicePolicyManager.DELEGATION_APP_RESTRICTIONS)) {
+            mAdminComponent = null;
+        } else {
+            mAdminComponent = DeviceAdminReceiver.getComponentName(getActivity());
+        }
     }
 
     @Override
@@ -320,7 +328,7 @@ protected void onSpinnerItemSelected(ApplicationInfo appInfo) {
         String pkgName = appInfo.packageName;
         if (!TextUtils.isEmpty(pkgName)) {
             Bundle bundle = mDevicePolicyManager.getApplicationRestrictions(
-                    DeviceAdminReceiver.getComponentName(getActivity()), pkgName);
+                    mAdminComponent, pkgName);
             loadAppRestrictionsList(convertBundleToRestrictions(bundle));
             mLastRestrictionEntries = new ArrayList<>(mRestrictionEntries);
         }
@@ -368,7 +376,7 @@ protected void saveConfig() {
         String pkgName =
                 ((ApplicationInfo) mManagedAppsSpinner.getSelectedItem()).packageName;
         mDevicePolicyManager.setApplicationRestrictions(
-                DeviceAdminReceiver.getComponentName(getActivity()), pkgName,
+                mAdminComponent, pkgName,
                 RestrictionManagerCompat.convertRestrictionsToBundle(mRestrictionEntries));
         mLastRestrictionEntries = new ArrayList<>(mRestrictionEntries);
         showToast(getString(R.string.set_app_restrictions_success, pkgName));
diff --git a/app/src/main/java/com/afwsamples/testdpc/profilepolicy/delegation/DelegationFragment.java b/app/src/main/java/com/afwsamples/testdpc/profilepolicy/delegation/DelegationFragment.java
@@ -51,11 +51,17 @@ public class DelegationFragment extends ManageAppFragment {
      * Model for representing the scopes delegated to the selected app.
      */
     List<DelegationScope> mDelegations = DelegationScope.defaultDelegationScopes();
+    private String mPackageName;
+    private boolean mIsDeviceOrProfileOwner;
 
     @Override
     public void onCreate(Bundle savedInstanceState) {
         super.onCreate(savedInstanceState);
         mDpm = (DevicePolicyManager) getActivity().getSystemService(Context.DEVICE_POLICY_SERVICE);
+        mPackageName = getActivity().getPackageName();
+        final boolean isDeviceOwner = mDpm.isDeviceOwnerApp(mPackageName);
+        final boolean isProfileOwner = mDpm.isProfileOwnerApp(mPackageName);
+        mIsDeviceOrProfileOwner = isDeviceOwner || isProfileOwner;
 
         getActivity().getActionBar().setTitle(R.string.generic_delegation);
     }
@@ -66,17 +72,33 @@ public View onCreateView(LayoutInflater layoutInflater, ViewGroup container,
         View view = super.onCreateView(layoutInflater, container, savedInstanceState);
         view.findViewById(R.id.add_new_row).setVisibility(View.GONE);
         view.findViewById(R.id.reset_app).setVisibility(View.GONE);
+
+        if (!mIsDeviceOrProfileOwner) {
+            // Non-PO/DO app cannot make changes to delegations.
+            view.findViewById(R.id.save_app).setVisibility(View.GONE);
+        }
         return view;
     }
 
+    @Override
+    protected boolean filterApp(ApplicationInfo info) {
+        if (mIsDeviceOrProfileOwner) {
+            return super.filterApp(info);
+        } else {
+            // Non-PO/DO app can only view its own delegations
+            return info.packageName.equals(mPackageName);
+        }
+    }
+
     /**
      * Query the DevicePolicyManager for the delegation scopes granted to pkgName.
      */
     @TargetApi(Build.VERSION_CODES.O)
     private void readScopesFromDpm(String pkgName) {
         // Get the scopes delegated to pkgName.
-        List<String> scopes = mDpm.getDelegatedScopes(
-                DeviceAdminReceiver.getComponentName(getActivity()), pkgName);
+        List<String> scopes = mDpm.getDelegatedScopes(mIsDeviceOrProfileOwner
+                ? DeviceAdminReceiver.getComponentName(getActivity())
+                : null, pkgName);
         Log.i(TAG, pkgName + " | " + Arrays.toString(scopes.toArray()));
 
         // Update our model.
@@ -121,6 +143,12 @@ protected void onSpinnerItemSelected(ApplicationInfo info) {
     @Override
     @TargetApi(Build.VERSION_CODES.O)
     protected void saveConfig() {
+        if (!mIsDeviceOrProfileOwner) {
+            Toast.makeText(getActivity(), getString(R.string.delegation_error),
+                    Toast.LENGTH_SHORT).show();
+            Log.i(TAG, "Only PO/DO can modify delegations");
+            return;
+        }
         // Get selected package name.
         final ApplicationInfo info = (ApplicationInfo) mManagedAppsSpinner.getSelectedItem();
         final String pkgName = info.packageName;
diff --git a/app/src/main/java/com/afwsamples/testdpc/profilepolicy/permission/AppPermissionsArrayAdapter.java b/app/src/main/java/com/afwsamples/testdpc/profilepolicy/permission/AppPermissionsArrayAdapter.java
@@ -45,11 +45,11 @@ public class AppPermissionsArrayAdapter
     private final DevicePolicyManager mDpm;
     private final ComponentName mAdminComponentName;
 
-    public AppPermissionsArrayAdapter(Context context, int resource,
-            List<AppPermission> objects) {
+    public AppPermissionsArrayAdapter(Context context, int resource, List<AppPermission> objects,
+            ComponentName admin) {
         super(context, resource, objects);
         mDpm = (DevicePolicyManager) getContext().getSystemService(Context.DEVICE_POLICY_SERVICE);
-        mAdminComponentName = DeviceAdminReceiver.getComponentName(context);
+        mAdminComponentName = admin;
     }
 
     @Override
diff --git a/app/src/main/java/com/afwsamples/testdpc/profilepolicy/permission/ManageAppPermissionsFragment.java b/app/src/main/java/com/afwsamples/testdpc/profilepolicy/permission/ManageAppPermissionsFragment.java
diff --git a/app/src/main/res/values/attrs.xml b/app/src/main/res/values/attrs.xml
diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml
diff --git a/app/src/main/res/xml/device_policy_header.xml b/app/src/main/res/xml/device_policy_header.xml

Original file line number	Diff line number	Diff line change
`@@ -259,4 +259,13 @@ private static DevicePolicyManager getDevicePolicyManager(Context context) {`
`259`	`259`	`return (DevicePolicyManager)context.getSystemService(Service.DEVICE_POLICY_SERVICE);`
`260`	`260`	`}`
`261`	`261`
	`262`	`+ public static boolean hasDelegation(Context context, String delegation) {`
	`263`	`+ if (Build.VERSION.SDK_INT < VERSION_CODES.O) {`
	`264`	`+ return false;`
	`265`	`+ }`
	`266`	`+ DevicePolicyManager dpm = context.getSystemService(DevicePolicyManager.class);`
	`267`	`+ return dpm.getDelegatedScopes(null, context.getPackageName()).contains(delegation);`
	`268`	`+ }`
	`269`	`+`
	`270`	`+`
`262`	`271`	`}`