Test Ikev2VpnProfile provisioned with IkeTunnelConnectionParams

Bug: 223841137 Test: atest CtsNetTestCases FrameworksNetTests Change-Id: I683f6242e4ed4a469893e3a17fe7b479a7a768e5
2022-04-14 21:31:26 +08:00
parent 0366028f64
commit 476e2a08bf
4 changed files with 161 additions and 75 deletions
--- a/tests/cts/net/src/android/net/cts/Ikev2VpnTest.java
+++ b/tests/cts/net/src/android/net/cts/Ikev2VpnTest.java
@@ -20,8 +20,6 @@ import static android.net.NetworkCapabilities.NET_CAPABILITY_INTERNET;
 import static android.net.NetworkCapabilities.NET_CAPABILITY_VALIDATED;
 import static android.net.NetworkCapabilities.TRANSPORT_VPN;
 import static android.net.cts.util.CtsNetUtils.TestNetworkCallback;
-import static android.net.cts.util.IkeSessionTestUtils.CHILD_PARAMS;
-import static android.net.cts.util.IkeSessionTestUtils.IKE_PARAMS;

 import static com.android.compatibility.common.util.SystemUtil.runWithShellPermissionIdentity;
 import static com.android.testutils.DevSdkIgnoreRuleKt.SC_V2;
@@ -51,6 +49,7 @@ import android.net.ProxyInfo;
 import android.net.TestNetworkInterface;
 import android.net.VpnManager;
 import android.net.cts.util.CtsNetUtils;
+import android.net.cts.util.IkeSessionTestUtils;
 import android.net.ipsec.ike.IkeTunnelConnectionParams;
 import android.os.Build;
 import android.os.Process;
@@ -252,6 +251,28 @@ public class Ikev2VpnTest {
        return builder.build();
    }

+    private Ikev2VpnProfile buildIkev2VpnProfileIkeTunConnParams(
+            final boolean isRestrictedToTestNetworks, final boolean requiresValidation,
+            final boolean testIpv6) throws Exception {
+        final IkeTunnelConnectionParams params =
+                new IkeTunnelConnectionParams(testIpv6
+                        ? IkeSessionTestUtils.IKE_PARAMS_V6 : IkeSessionTestUtils.IKE_PARAMS_V4,
+                        IkeSessionTestUtils.CHILD_PARAMS);
+
+        final Ikev2VpnProfileBuilderShim builderShim =
+                Ikev2VpnProfileBuilderShimImpl.newInstance(null, null, params)
+                        .setRequiresInternetValidation(requiresValidation)
+                        .setProxy(TEST_PROXY_INFO)
+                        .setMaxMtu(TEST_MTU)
+                        .setMetered(false);
+
+        final Ikev2VpnProfile.Builder builder = (Ikev2VpnProfile.Builder) builderShim.getBuilder();
+        if (isRestrictedToTestNetworks) {
+            builder.restrictToTestNetworks();
+        }
+        return builder.build();
+    }
+
    private Ikev2VpnProfile buildIkev2VpnProfilePsk(@NonNull String remote,
            boolean isRestrictedToTestNetworks, boolean requiresValidation) throws Exception {
        final Ikev2VpnProfileBuilderShim builder =
@@ -325,8 +346,8 @@ public class Ikev2VpnTest {
        assumeTrue(mCtsNetUtils.hasIpsecTunnelsFeature());
        assumeTrue(TestUtils.shouldTestTApis());

-        final IkeTunnelConnectionParams expectedParams =
-                new IkeTunnelConnectionParams(IKE_PARAMS, CHILD_PARAMS);
+        final IkeTunnelConnectionParams expectedParams = new IkeTunnelConnectionParams(
+                IkeSessionTestUtils.IKE_PARAMS_V6, IkeSessionTestUtils.CHILD_PARAMS);
        final Ikev2VpnProfileBuilderShim ikeProfileBuilder =
                Ikev2VpnProfileBuilderShimImpl.newInstance(null, null, expectedParams);
        // Verify the other Ike options could not be set with IkeTunnelConnectionParams.
@@ -472,7 +493,8 @@ public class Ikev2VpnTest {
    }

    private void checkStartStopVpnProfileBuildsNetworks(@NonNull IkeTunUtils tunUtils,
-            boolean testIpv6, boolean requiresValidation, boolean testSessionKey)
+            boolean testIpv6, boolean requiresValidation, boolean testSessionKey,
+            boolean testIkeTunConnParams)
            throws Exception {
        String serverAddr = testIpv6 ? TEST_SERVER_ADDR_V6 : TEST_SERVER_ADDR_V4;
        String initResp = testIpv6 ? SUCCESSFUL_IKE_INIT_RESP_V6 : SUCCESSFUL_IKE_INIT_RESP_V4;
@@ -482,8 +504,11 @@ public class Ikev2VpnTest {
        // Requires MANAGE_TEST_NETWORKS to provision a test-mode profile.
        mCtsNetUtils.setAppopPrivileged(AppOpsManager.OP_ACTIVATE_PLATFORM_VPN, true);

-        final Ikev2VpnProfile profile = buildIkev2VpnProfilePsk(serverAddr,
-                true /* isRestrictedToTestNetworks */, requiresValidation);
+        final Ikev2VpnProfile profile = testIkeTunConnParams
+                ? buildIkev2VpnProfileIkeTunConnParams(true /* isRestrictedToTestNetworks */,
+                        requiresValidation, testIpv6)
+                : buildIkev2VpnProfilePsk(serverAddr, true /* isRestrictedToTestNetworks */,
+                        requiresValidation);
        assertNull(sVpnMgr.provisionVpnProfile(profile));

        final TestableNetworkCallback cb = new TestableNetworkCallback(TIMEOUT_MS);
@@ -564,6 +589,7 @@ public class Ikev2VpnTest {
        private final boolean mTestIpv6Only;
        private final boolean mRequiresValidation;
        private final boolean mTestSessionKey;
+        private final boolean mTestIkeTunConnParams;

        /**
         * Constructs the test
@@ -573,10 +599,11 @@ public class Ikev2VpnTest {
         * @param testSessionKey if true, start VPN by calling startProvisionedVpnProfileSession()
         */
        VerifyStartStopVpnProfileTest(boolean testIpv6Only, boolean requiresValidation,
-                boolean testSessionKey) {
+                boolean testSessionKey, boolean testIkeTunConnParams) {
            mTestIpv6Only = testIpv6Only;
            mRequiresValidation = requiresValidation;
            mTestSessionKey = testSessionKey;
+            mTestIkeTunConnParams = testIkeTunConnParams;
        }

        @Override
@@ -584,8 +611,8 @@ public class Ikev2VpnTest {
                throws Exception {
            final IkeTunUtils tunUtils = new IkeTunUtils(testIface.getFileDescriptor());

-            checkStartStopVpnProfileBuildsNetworks(
-                    tunUtils, mTestIpv6Only, mRequiresValidation, mTestSessionKey);
+            checkStartStopVpnProfileBuildsNetworks(tunUtils, mTestIpv6Only, mRequiresValidation,
+                    mTestSessionKey, mTestIkeTunConnParams);
        }

        @Override
@@ -603,53 +630,83 @@ public class Ikev2VpnTest {
        }
    }

-    @Test
-    public void testStartStopVpnProfileV4() throws Exception {
+    private void doTestStartStopVpnProfile(boolean testIpv6Only, boolean requiresValidation,
+            boolean testSessionKey, boolean testIkeTunConnParams) throws Exception {
        assumeTrue(mCtsNetUtils.hasIpsecTunnelsFeature());
-
        // Requires shell permission to update appops.
        runWithShellPermissionIdentity(
                new TestNetworkRunnable(new VerifyStartStopVpnProfileTest(
-                        false /* testIpv6Only */, false /* requiresValidation */,
-                        false /* testSessionKey */)));
+                        testIpv6Only, requiresValidation, testSessionKey , testIkeTunConnParams)));
+    }

-        runWithShellPermissionIdentity(
-                new TestNetworkRunnable(new VerifyStartStopVpnProfileTest(
-                        false /* testIpv6Only */, true /* requiresValidation */,
-                        false /* testSessionKey */)));
+    @Test
+    public void testStartStopVpnProfileV4() throws Exception {
+        doTestStartStopVpnProfile(false /* testIpv6Only */, false /* requiresValidation */,
+                false /* testSessionKey */, false /* testIkeTunConnParams */);
+    }
+
+    @Test @IgnoreUpTo(SC_V2)
+    public void testStartStopVpnProfileV4WithValidation() throws Exception {
+        assumeTrue(TestUtils.shouldTestTApis());
+        doTestStartStopVpnProfile(false /* testIpv6Only */, true /* requiresValidation */,
+                false /* testSessionKey */, false /* testIkeTunConnParams */);
    }

    @Test
    public void testStartStopVpnProfileV6() throws Exception {
-        assumeTrue(mCtsNetUtils.hasIpsecTunnelsFeature());
+        doTestStartStopVpnProfile(true /* testIpv6Only */, false /* requiresValidation */,
+                false /* testSessionKey */, false /* testIkeTunConnParams */);
+    }

-        // Requires shell permission to update appops.
-        runWithShellPermissionIdentity(
-                new TestNetworkRunnable(new VerifyStartStopVpnProfileTest(
-                        true /* testIpv6Only */, false /* requiresValidation */,
-                        false /* testSessionKey */)));
-        runWithShellPermissionIdentity(
-                new TestNetworkRunnable(new VerifyStartStopVpnProfileTest(
-                        true /* testIpv6Only */, true /* requiresValidation */,
-                        false /* testSessionKey */)));
+    @Test @IgnoreUpTo(SC_V2)
+    public void testStartStopVpnProfileV6WithValidation() throws Exception {
+        assumeTrue(TestUtils.shouldTestTApis());
+        doTestStartStopVpnProfile(true /* testIpv6Only */, true /* requiresValidation */,
+                false /* testSessionKey */, false /* testIkeTunConnParams */);
+    }
+
+    @Test @IgnoreUpTo(SC_V2)
+    public void testStartStopVpnProfileIkeTunConnParamsV4() throws Exception {
+        assumeTrue(TestUtils.shouldTestTApis());
+        doTestStartStopVpnProfile(false /* testIpv6Only */, false /* requiresValidation */,
+                false /* testSessionKey */, true /* testIkeTunConnParams */);
+    }
+
+    @Test @IgnoreUpTo(SC_V2)
+    public void testStartStopVpnProfileIkeTunConnParamsV4WithValidation() throws Exception {
+        assumeTrue(TestUtils.shouldTestTApis());
+        doTestStartStopVpnProfile(false /* testIpv6Only */, true /* requiresValidation */,
+                false /* testSessionKey */, true /* testIkeTunConnParams */);
+    }
+
+    @Test @IgnoreUpTo(SC_V2)
+    public void testStartStopVpnProfileIkeTunConnParamsV6() throws Exception {
+        assumeTrue(TestUtils.shouldTestTApis());
+        doTestStartStopVpnProfile(true /* testIpv6Only */, false /* requiresValidation */,
+                false /* testSessionKey */, true /* testIkeTunConnParams */);
+    }
+
+    @Test @IgnoreUpTo(SC_V2)
+    public void testStartStopVpnProfileIkeTunConnParamsV6WithValidation() throws Exception {
+        assumeTrue(TestUtils.shouldTestTApis());
+        doTestStartStopVpnProfile(true /* testIpv6Only */, true /* requiresValidation */,
+                false /* testSessionKey */, true /* testIkeTunConnParams */);
    }

    @IgnoreUpTo(SC_V2)
    @Test
-    public void testStartProvisionedVpnProfileSession() throws Exception {
-        assumeTrue(mCtsNetUtils.hasIpsecTunnelsFeature());
+    public void testStartProvisionedVpnV4ProfileSession() throws Exception {
        assumeTrue(TestUtils.shouldTestTApis());
+        doTestStartStopVpnProfile(false /* testIpv6Only */, false /* requiresValidation */,
+                true /* testSessionKey */, false /* testIkeTunConnParams */);
+    }

-        // Requires shell permission to update appops.
-        runWithShellPermissionIdentity(
-                new TestNetworkRunnable(new VerifyStartStopVpnProfileTest(
-                        false /* testIpv6Only */, false /* requiresValidation */,
-                        true /* testSessionKey */)));
-
-        runWithShellPermissionIdentity(
-                new TestNetworkRunnable(new VerifyStartStopVpnProfileTest(
-                        true /* testIpv6Only */, false /* requiresValidation */,
-                        true /* testSessionKey */)));
+    @IgnoreUpTo(SC_V2)
+    @Test
+    public void testStartProvisionedVpnV6ProfileSession() throws Exception {
+        assumeTrue(TestUtils.shouldTestTApis());
+        doTestStartStopVpnProfile(true /* testIpv6Only */, false /* requiresValidation */,
+                true /* testSessionKey */, false /* testIkeTunConnParams */);
    }

    private static class CertificateAndKey {
--- a/tests/cts/net/util/java/android/net/cts/util/IkeSessionTestUtils.java
+++ b/tests/cts/net/util/java/android/net/cts/util/IkeSessionTestUtils.java
@@ -16,44 +16,73 @@

 package android.net.cts.util;

+import static android.net.ipsec.ike.SaProposal.DH_GROUP_4096_BIT_MODP;
+import static android.net.ipsec.ike.SaProposal.ENCRYPTION_ALGORITHM_AES_CBC;
+import static android.net.ipsec.ike.SaProposal.ENCRYPTION_ALGORITHM_AES_GCM_12;
+import static android.net.ipsec.ike.SaProposal.INTEGRITY_ALGORITHM_HMAC_SHA2_256_128;
 import static android.net.ipsec.ike.SaProposal.KEY_LEN_AES_128;
-import static android.net.ipsec.ike.SaProposal.KEY_LEN_UNUSED;
+import static android.net.ipsec.ike.SaProposal.KEY_LEN_AES_256;
+import static android.net.ipsec.ike.SaProposal.PSEUDORANDOM_FUNCTION_AES128_XCBC;

+import android.net.InetAddresses;
 import android.net.ipsec.ike.ChildSaProposal;
 import android.net.ipsec.ike.IkeFqdnIdentification;
+import android.net.ipsec.ike.IkeIpv4AddrIdentification;
+import android.net.ipsec.ike.IkeIpv6AddrIdentification;
 import android.net.ipsec.ike.IkeSaProposal;
 import android.net.ipsec.ike.IkeSessionParams;
-import android.net.ipsec.ike.SaProposal;
 import android.net.ipsec.ike.TunnelModeChildSessionParams;

+import java.net.Inet4Address;
+import java.net.Inet6Address;
+import java.net.InetAddress;
+
 /** Shared testing parameters and util methods for testing IKE */
 public class IkeSessionTestUtils {
-    private static final String TEST_CLIENT_ADDR = "test.client.com";
-    private static final String TEST_SERVER_ADDR = "test.server.com";
-    private static final String TEST_SERVER = "2001:0db8:85a3:0000:0000:8a2e:0370:7334";
+    private static final String TEST_SERVER_ADDR_V4 = "192.0.2.2";
+    private static final String TEST_SERVER_ADDR_V6 = "2001:db8::2";
+    private static final String TEST_IDENTITY = "client.cts.android.com";
+    private static final byte[] TEST_PSK = "ikeAndroidPsk".getBytes();
+    public static final IkeSessionParams IKE_PARAMS_V4 = getTestIkeSessionParams(false);
+    public static final IkeSessionParams IKE_PARAMS_V6 = getTestIkeSessionParams(true);

-    public static final IkeSaProposal SA_PROPOSAL = new IkeSaProposal.Builder()
-            .addEncryptionAlgorithm(SaProposal.ENCRYPTION_ALGORITHM_3DES, KEY_LEN_UNUSED)
-            .addIntegrityAlgorithm(SaProposal.INTEGRITY_ALGORITHM_HMAC_SHA1_96)
-            .addPseudorandomFunction(SaProposal.PSEUDORANDOM_FUNCTION_AES128_XCBC)
-            .addDhGroup(SaProposal.DH_GROUP_1024_BIT_MODP)
-            .build();
-    public static final ChildSaProposal CHILD_PROPOSAL = new ChildSaProposal.Builder()
-            .addEncryptionAlgorithm(SaProposal.ENCRYPTION_ALGORITHM_AES_CBC, KEY_LEN_AES_128)
-            .addIntegrityAlgorithm(SaProposal.INTEGRITY_ALGORITHM_NONE)
-            .addDhGroup(SaProposal.DH_GROUP_1024_BIT_MODP)
-            .build();
+    public static final TunnelModeChildSessionParams CHILD_PARAMS = getChildSessionParams();

-    public static final IkeSessionParams IKE_PARAMS =
-            new IkeSessionParams.Builder()
-                    .setServerHostname(TEST_SERVER)
-                    .addSaProposal(SA_PROPOSAL)
-                    .setLocalIdentification(new IkeFqdnIdentification(TEST_CLIENT_ADDR))
-                    .setRemoteIdentification(new IkeFqdnIdentification(TEST_SERVER_ADDR))
-                    .setAuthPsk("psk".getBytes())
-                    .build();
-    public static final TunnelModeChildSessionParams CHILD_PARAMS =
+    private static TunnelModeChildSessionParams getChildSessionParams() {
+        final TunnelModeChildSessionParams.Builder childOptionsBuilder =
                new TunnelModeChildSessionParams.Builder()
-                    .addSaProposal(CHILD_PROPOSAL)
+                        .addSaProposal(getChildSaProposals());
+
+        return childOptionsBuilder.build();
+    }
+
+    private static IkeSessionParams getTestIkeSessionParams(boolean testIpv6) {
+        final String testServer = testIpv6 ? TEST_SERVER_ADDR_V6 : TEST_SERVER_ADDR_V4;
+        final InetAddress addr = InetAddresses.parseNumericAddress(testServer);
+        final IkeSessionParams.Builder ikeOptionsBuilder =
+                new IkeSessionParams.Builder()
+                        .setServerHostname(testServer)
+                        .setLocalIdentification(new IkeFqdnIdentification(TEST_IDENTITY))
+                        .setRemoteIdentification(testIpv6
+                                ? new IkeIpv6AddrIdentification((Inet6Address) addr)
+                                : new IkeIpv4AddrIdentification((Inet4Address) addr))
+                        .setAuthPsk(TEST_PSK)
+                        .addSaProposal(getIkeSaProposals());
+
+        return ikeOptionsBuilder.build();
+    }
+
+    private static IkeSaProposal getIkeSaProposals() {
+        return new IkeSaProposal.Builder()
+                .addEncryptionAlgorithm(ENCRYPTION_ALGORITHM_AES_CBC, KEY_LEN_AES_256)
+                .addIntegrityAlgorithm(INTEGRITY_ALGORITHM_HMAC_SHA2_256_128)
+                .addDhGroup(DH_GROUP_4096_BIT_MODP)
+                .addPseudorandomFunction(PSEUDORANDOM_FUNCTION_AES128_XCBC).build();
+    }
+
+    private static ChildSaProposal getChildSaProposals() {
+        return new ChildSaProposal.Builder()
+                .addEncryptionAlgorithm(ENCRYPTION_ALGORITHM_AES_GCM_12, KEY_LEN_AES_128)
                .build();
    }
+}
--- a/tests/unit/java/android/net/Ikev2VpnProfileTest.java
+++ b/tests/unit/java/android/net/Ikev2VpnProfileTest.java
@@ -17,7 +17,7 @@
 package android.net;

 import static android.net.cts.util.IkeSessionTestUtils.CHILD_PARAMS;
-import static android.net.cts.util.IkeSessionTestUtils.IKE_PARAMS;
+import static android.net.cts.util.IkeSessionTestUtils.IKE_PARAMS_V6;

 import static com.android.testutils.DevSdkIgnoreRuleKt.SC_V2;

@@ -448,7 +448,7 @@ public class Ikev2VpnProfileTest {
    @Test
    public void testConversionIsLosslessWithIkeTunConnParams() throws Exception {
        final IkeTunnelConnectionParams tunnelParams =
-                new IkeTunnelConnectionParams(IKE_PARAMS, CHILD_PARAMS);
+                new IkeTunnelConnectionParams(IKE_PARAMS_V6, CHILD_PARAMS);
        // Config authentication related fields is not required while building with
        // IkeTunnelConnectionParams.
        final Ikev2VpnProfile ikeProfile = new Ikev2VpnProfile.Builder(tunnelParams).build();
@@ -464,9 +464,9 @@ public class Ikev2VpnProfileTest {

        // Verify building with IkeTunnelConnectionParams
        final IkeTunnelConnectionParams tunnelParams =
-                new IkeTunnelConnectionParams(IKE_PARAMS, CHILD_PARAMS);
+                new IkeTunnelConnectionParams(IKE_PARAMS_V6, CHILD_PARAMS);
        final IkeTunnelConnectionParams tunnelParams2 =
-                new IkeTunnelConnectionParams(IKE_PARAMS, CHILD_PARAMS);
+                new IkeTunnelConnectionParams(IKE_PARAMS_V6, CHILD_PARAMS);
        assertEquals(new Ikev2VpnProfile.Builder(tunnelParams).build(),
                new Ikev2VpnProfile.Builder(tunnelParams2).build());
    }
--- a/tests/unit/java/com/android/internal/net/VpnProfileTest.java
+++ b/tests/unit/java/com/android/internal/net/VpnProfileTest.java
@@ -17,7 +17,7 @@
 package com.android.internal.net;

 import static android.net.cts.util.IkeSessionTestUtils.CHILD_PARAMS;
-import static android.net.cts.util.IkeSessionTestUtils.IKE_PARAMS;
+import static android.net.cts.util.IkeSessionTestUtils.IKE_PARAMS_V4;

 import static com.android.modules.utils.build.SdkLevel.isAtLeastT;
 import static com.android.testutils.ParcelUtils.assertParcelSane;
@@ -128,7 +128,7 @@ public class VpnProfileTest {
    private VpnProfile getSampleIkev2ProfileWithIkeTunConnParams(String key) {
        final VpnProfile p = new VpnProfile(key, true /* isRestrictedToTestNetworks */,
                false /* excludesLocalRoutes */, true /* requiresPlatformValidation */,
-                new IkeTunnelConnectionParams(IKE_PARAMS, CHILD_PARAMS));
+                new IkeTunnelConnectionParams(IKE_PARAMS_V4, CHILD_PARAMS));

        p.name = "foo";
        p.server = "bar";