Merge "Add RequiresFeature annotations for IKEv2 VPN profiles" into rvc-dev

c5401ef0 · Benedict Wong · Android (Google) Code Review · 24060272 · 29d64121 · c5401ef0
Commit c5401ef0 authored 4 years ago by Benedict Wong Committed by Android (Google) Code Review 4 years ago
--- a/core/java/android/net/Ikev2VpnProfile.java
+++ b/core/java/android/net/Ikev2VpnProfile.java
@@ -25,6 +25,8 @@ import static com.android.internal.util.Preconditions.checkStringNotEmpty;

 import android.annotation.NonNull;
 import android.annotation.Nullable;
+import android.annotation.RequiresFeature;
+import android.content.pm.PackageManager;
 import android.os.Process;
 import android.security.Credentials;
 import android.security.KeyStore;
@@ -647,6 +649,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile {
         * @param serverAddr the server that the VPN should connect to
         * @param identity the identity string to be used for IKEv2 authentication
         */
+        @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS)
        public Builder(@NonNull String serverAddr, @NonNull String identity) {
            checkNotNull(serverAddr, MISSING_PARAM_MSG_TMPL, "serverAddr");
            checkNotNull(identity, MISSING_PARAM_MSG_TMPL, "identity");
@@ -680,6 +683,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile {
         *     unrecognized format
         */
        @NonNull
+        @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS)
        public Builder setAuthUsernamePassword(
                @NonNull String user,
                @NonNull String pass,
@@ -715,6 +719,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile {
         *     unrecognized format
         */
        @NonNull
+        @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS)
        public Builder setAuthDigitalSignature(
                @NonNull X509Certificate userCert,
                @NonNull PrivateKey key,
@@ -745,6 +750,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile {
         * @return this {@link Builder} object to facilitate chaining of method calls
         */
        @NonNull
+        @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS)
        public Builder setAuthPsk(@NonNull byte[] psk) {
            checkNotNull(psk, MISSING_PARAM_MSG_TMPL, "psk");

@@ -768,6 +774,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile {
         * @return this {@link Builder} object to facilitate chaining of method calls
         */
        @NonNull
+        @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS)
        public Builder setBypassable(boolean isBypassable) {
            mIsBypassable = isBypassable;
            return this;
@@ -782,6 +789,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile {
         * @return this {@link Builder} object to facilitate chaining of method calls
         */
        @NonNull
+        @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS)
        public Builder setProxy(@Nullable ProxyInfo proxy) {
            mProxyInfo = proxy;
            return this;
@@ -798,6 +806,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile {
         * @throws IllegalArgumentException if the value is not at least the minimum IPv6 MTU (1280)
         */
        @NonNull
+        @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS)
        public Builder setMaxMtu(int mtu) {
            // IPv6 MTU is greater; since profiles may be started by the system on IPv4 and IPv6
            // networks, the VPN must provide a link fulfilling the stricter of the two conditions
@@ -825,6 +834,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile {
         * @see NetworkCapabilities#NET_CAPABILITY_NOT_METERED
         */
        @NonNull
+        @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS)
        public Builder setMetered(boolean isMetered) {
            mIsMetered = isMetered;
            return this;
@@ -852,6 +862,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile {
         * @see IpSecAlgorithm
         */
        @NonNull
+        @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS)
        public Builder setAllowedAlgorithms(@NonNull List<String> algorithmNames) {
            checkNotNull(algorithmNames, MISSING_PARAM_MSG_TMPL, "algorithmNames");
            validateAllowedAlgorithms(algorithmNames);
@@ -870,6 +881,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile {
         * @hide
         */
        @NonNull
+        @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS)
        public Builder restrictToTestNetworks() {
            mIsRestrictedToTestNetworks = true;
            return this;
@@ -881,6 +893,7 @@ public final class Ikev2VpnProfile extends PlatformVpnProfile {
         * @throws IllegalArgumentException if any of the required keys or values were invalid
         */
        @NonNull
+        @RequiresFeature(PackageManager.FEATURE_IPSEC_TUNNELS)
        public Ikev2VpnProfile build() {
            return new Ikev2VpnProfile(
                    mType,

--- a/services/core/java/com/android/server/connectivity/Vpn.java
+++ b/services/core/java/com/android/server/connectivity/Vpn.java
@@ -2867,6 +2867,23 @@ public class Vpn {
        return Credentials.PLATFORM_VPN + mUserHandle + "_" + packageName;
    }

+    @VisibleForTesting
+    void validateRequiredFeatures(VpnProfile profile) {
+        switch (profile.type) {
+            case VpnProfile.TYPE_IKEV2_IPSEC_USER_PASS:
+            case VpnProfile.TYPE_IKEV2_IPSEC_PSK:
+            case VpnProfile.TYPE_IKEV2_IPSEC_RSA:
+                if (!mContext.getPackageManager().hasSystemFeature(
+                        PackageManager.FEATURE_IPSEC_TUNNELS)) {
+                    throw new UnsupportedOperationException(
+                            "Ikev2VpnProfile(s) requires PackageManager.FEATURE_IPSEC_TUNNELS");
+                }
+                break;
+            default:
+                return;
+        }
+    }
+
    /**
     * Stores an app-provisioned VPN profile and returns whether the app is already prepared.
     *
@@ -2883,6 +2900,7 @@ public class Vpn {

        verifyCallingUidAndPackage(packageName);
        enforceNotRestrictedUser();
+        validateRequiredFeatures(profile);

        if (profile.isRestrictedToTestNetworks) {
            mContext.enforceCallingPermission(Manifest.permission.MANAGE_TEST_NETWORKS,

--- a/tests/net/java/com/android/server/connectivity/VpnTest.java
+++ b/tests/net/java/com/android/server/connectivity/VpnTest.java
@@ -199,6 +199,8 @@ public class VpnTest {
        when(mContext.getString(R.string.config_customVpnAlwaysOnDisconnectedDialogComponent))
                .thenReturn(Resources.getSystem().getString(
                        R.string.config_customVpnAlwaysOnDisconnectedDialogComponent));
+        when(mPackageManager.hasSystemFeature(PackageManager.FEATURE_IPSEC_TUNNELS))
+                .thenReturn(true);
        when(mSystemServices.isCallerSystem()).thenReturn(true);

        // Used by {@link Notification.Builder}
@@ -730,6 +732,20 @@ public class VpnTest {
        }
    }

+    @Test
+    public void testProvisionVpnProfileNoIpsecTunnels() throws Exception {
+        when(mPackageManager.hasSystemFeature(PackageManager.FEATURE_IPSEC_TUNNELS))
+                .thenReturn(false);
+        final Vpn vpn = createVpnAndSetupUidChecks(AppOpsManager.OP_ACTIVATE_PLATFORM_VPN);
+
+        try {
+            checkProvisionVpnProfile(
+                    vpn, true /* expectedResult */, AppOpsManager.OP_ACTIVATE_PLATFORM_VPN);
+            fail("Expected exception due to missing feature");
+        } catch (UnsupportedOperationException expected) {
+        }
+    }
+
    @Test
    public void testProvisionVpnProfilePreconsented() throws Exception {
        final Vpn vpn = createVpnAndSetupUidChecks(AppOpsManager.OP_ACTIVATE_PLATFORM_VPN);