Merge changes from topic "ike-cts-mts" into rvc-dev
* changes:
  Cleanup of IkeSessionPskTest
  Exit test if device does not support IPsec tunnel
@@ -99,19 +99,17 @@ public class IkeSessionPskTest extends IkeSessionTestBase {
|
||||
.addInternalAddressRequest(AF_INET6)
|
||||
.build();
|
||||
|
||||
private IkeSessionParams createIkeSessionParams(InetAddress mRemoteAddress) {
|
||||
return new IkeSessionParams.Builder(sContext)
|
||||
.setNetwork(mTunNetwork)
|
||||
.setServerHostname(mRemoteAddress.getHostAddress())
|
||||
.addSaProposal(SaProposalTest.buildIkeSaProposalWithNormalModeCipher())
|
||||
.addSaProposal(SaProposalTest.buildIkeSaProposalWithCombinedModeCipher())
|
||||
.setLocalIdentification(new IkeFqdnIdentification(LOCAL_HOSTNAME))
|
||||
.setRemoteIdentification(new IkeFqdnIdentification(REMOTE_HOSTNAME))
|
||||
.setAuthPsk(IKE_PSK)
|
||||
.build();
|
||||
}
|
||||
|
||||
private IkeSession openIkeSession(IkeSessionParams ikeParams) {
|
||||
private IkeSession openIkeSessionWithRemoteAddress(InetAddress remoteAddress) {
|
||||
IkeSessionParams ikeParams =
|
||||
new IkeSessionParams.Builder(sContext)
|
||||
.setNetwork(mTunNetwork)
|
||||
.setServerHostname(remoteAddress.getHostAddress())
|
||||
.addSaProposal(SaProposalTest.buildIkeSaProposalWithNormalModeCipher())
|
||||
.addSaProposal(SaProposalTest.buildIkeSaProposalWithCombinedModeCipher())
|
||||
.setLocalIdentification(new IkeFqdnIdentification(LOCAL_HOSTNAME))
|
||||
.setRemoteIdentification(new IkeFqdnIdentification(REMOTE_HOSTNAME))
|
||||
.setAuthPsk(IKE_PSK)
|
||||
.build();
|
||||
return new IkeSession(
|
||||
sContext,
|
||||
ikeParams,
|
||||
@@ -122,9 +120,11 @@ public class IkeSessionPskTest extends IkeSessionTestBase {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testIkeSessionSetupAndManageChildSas() throws Exception {
|
||||
public void testIkeSessionSetupAndChildSessionSetupWithTunnelMode() throws Exception {
|
||||
if (!hasTunnelsFeature()) return;
|
||||
|
||||
// Open IKE Session
|
||||
IkeSession ikeSession = openIkeSession(createIkeSessionParams(mRemoteAddress));
|
||||
IkeSession ikeSession = openIkeSessionWithRemoteAddress(mRemoteAddress);
|
||||
int expectedMsgId = 0;
|
||||
mTunUtils.awaitReqAndInjectResp(
|
||||
IKE_INIT_SPI,
|
||||
@@ -165,6 +165,9 @@ public class IkeSessionPskTest extends IkeSessionTestBase {
|
||||
assertTrue(firstChildConfig.getInternalDnsServers().isEmpty());
|
||||
assertTrue(firstChildConfig.getInternalDhcpServers().isEmpty());
|
||||
|
||||
assertNotNull(mFirstChildSessionCallback.awaitNextCreatedIpSecTransform());
|
||||
assertNotNull(mFirstChildSessionCallback.awaitNextCreatedIpSecTransform());
|
||||
|
||||
// Open additional Child Session
|
||||
TestChildSessionCallback additionalChildCb = new TestChildSessionCallback();
|
||||
ikeSession.openChildSession(CHILD_PARAMS, additionalChildCb);
|
||||
@@ -181,9 +184,12 @@ public class IkeSessionPskTest extends IkeSessionTestBase {
|
||||
Arrays.asList(EXPECTED_INBOUND_TS), firstChildConfig.getInboundTrafficSelectors());
|
||||
assertEquals(Arrays.asList(DEFAULT_V4_TS), firstChildConfig.getOutboundTrafficSelectors());
|
||||
assertTrue(additionalChildConfig.getInternalAddresses().isEmpty());
|
||||
assertTrue(firstChildConfig.getInternalSubnets().isEmpty());
|
||||
assertTrue(firstChildConfig.getInternalDnsServers().isEmpty());
|
||||
assertTrue(firstChildConfig.getInternalDhcpServers().isEmpty());
|
||||
assertTrue(additionalChildConfig.getInternalSubnets().isEmpty());
|
||||
assertTrue(additionalChildConfig.getInternalDnsServers().isEmpty());
|
||||
assertTrue(additionalChildConfig.getInternalDhcpServers().isEmpty());
|
||||
|
||||
assertNotNull(additionalChildCb.awaitNextCreatedIpSecTransform());
|
||||
assertNotNull(additionalChildCb.awaitNextCreatedIpSecTransform());
|
||||
|
||||
// Close additional Child Session
|
||||
ikeSession.closeChildSession(additionalChildCb);
|
||||
@@ -193,6 +199,8 @@ public class IkeSessionPskTest extends IkeSessionTestBase {
|
||||
true /* expectedUseEncap */,
|
||||
hexStringToByteArray(SUCCESS_DELETE_CHILD_RESP));
|
||||
|
||||
assertNotNull(additionalChildCb.awaitNextDeletedIpSecTransform());
|
||||
assertNotNull(additionalChildCb.awaitNextDeletedIpSecTransform());
|
||||
additionalChildCb.awaitOnClosed();
|
||||
|
||||
// Close IKE Session
|
||||
@@ -203,16 +211,20 @@ public class IkeSessionPskTest extends IkeSessionTestBase {
|
||||
true /* expectedUseEncap */,
|
||||
hexStringToByteArray(SUCCESS_DELETE_IKE_RESP));
|
||||
|
||||
assertNotNull(mFirstChildSessionCallback.awaitNextDeletedIpSecTransform());
|
||||
assertNotNull(mFirstChildSessionCallback.awaitNextDeletedIpSecTransform());
|
||||
mFirstChildSessionCallback.awaitOnClosed();
|
||||
mIkeSessionCallback.awaitOnClosed();
|
||||
|
||||
// TODO: verify IpSecTransform pair is created and deleted
|
||||
// TODO: verify created and deleted IpSecTransform pair and their directions
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testIkeSessionKill() throws Exception {
|
||||
public void testIkeSessionKillWithTunnelMode() throws Exception {
|
||||
if (!hasTunnelsFeature()) return;
|
||||
|
||||
// Open IKE Session
|
||||
IkeSession ikeSession = openIkeSession(createIkeSessionParams(mRemoteAddress));
|
||||
IkeSession ikeSession = openIkeSessionWithRemoteAddress(mRemoteAddress);
|
||||
int expectedMsgId = 0;
|
||||
mTunUtils.awaitReqAndInjectResp(
|
||||
IKE_INIT_SPI,
|
||||
@@ -227,7 +239,6 @@ public class IkeSessionPskTest extends IkeSessionTestBase {
|
||||
hexStringToByteArray(SUCCESS_IKE_AUTH_RESP));
|
||||
|
||||
ikeSession.kill();
|
||||
|
||||
mFirstChildSessionCallback.awaitOnClosed();
|
||||
mIkeSessionCallback.awaitOnClosed();
|
||||
}
|
||||
@@ -238,7 +249,7 @@ public class IkeSessionPskTest extends IkeSessionTestBase {
|
||||
"46B8ECA1E0D72A180000000000000000292022200000000000000024000000080000000E";
|
||||
|
||||
// Open IKE Session
|
||||
IkeSession ikeSession = openIkeSession(createIkeSessionParams(mRemoteAddress));
|
||||
IkeSession ikeSession = openIkeSessionWithRemoteAddress(mRemoteAddress);
|
||||
int expectedMsgId = 0;
|
||||
mTunUtils.awaitReqAndInjectResp(
|
||||
IKE_INIT_SPI,
|
||||
@@ -246,6 +257,8 @@ public class IkeSessionPskTest extends IkeSessionTestBase {
|
||||
false /* expectedUseEncap */,
|
||||
hexStringToByteArray(ikeInitFailRespHex));
|
||||
|
||||
mFirstChildSessionCallback.awaitOnClosed();
|
||||
|
||||
IkeException exception = mIkeSessionCallback.awaitOnClosedException();
|
||||
assertNotNull(exception);
|
||||
assertTrue(exception instanceof IkeProtocolException);
|
||||
@@ -254,5 +267,7 @@ public class IkeSessionPskTest extends IkeSessionTestBase {
|
||||
assertArrayEquals(EXPECTED_PROTOCOL_ERROR_DATA_NONE, protocolException.getErrorData());
|
||||
}
|
||||
|
||||
// TODO(b/148689509): Verify rekey process and handling IKE_AUTH failure
|
||||
// TODO(b/155821007): Verify rekey process and handling IKE_AUTH failure
|
||||
|
||||
// TODO(b/155821007): Test creating transport mode Child SA
|
||||
}
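Review bot: The new `if (!hasTunnelsFeature()) return;` guard at the top of testIkeSessionSetupAndChildSessionSetupWithTunnelMode and testIkeSessionKillWithTunnelMode makes both tests report as passed on a device without the IPsec tunnels feature, so a result sheet cannot tell "tunnel-mode IKE was verified" from "nothing ran". A JUnit assumption, `assumeTrue(hasTunnelsFeature());` with a static import from `org.junit.Assume`, would record an assumption failure instead of a pass. The IKE_INIT failure test further down also calls `openIkeSessionWithRemoteAddress(mRemoteAddress)` but shows no guard in its visible lines. Its body starts outside the hunk, so if it is deliberately exempt, a one-line comment saying why would help.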
|
||||
|
||||
@@ -20,6 +20,7 @@ import static android.app.AppOpsManager.OP_MANAGE_IPSEC_TUNNELS;
|
||||
import android.annotation.NonNull;
|
||||
import android.app.AppOpsManager;
|
||||
import android.content.Context;
|
||||
import android.content.pm.PackageManager;
|
||||
import android.net.ConnectivityManager;
|
||||
import android.net.InetAddresses;
|
||||
import android.net.IpSecTransform;
|
||||
@@ -39,7 +40,6 @@ import android.net.ipsec.ike.exceptions.IkeProtocolException;
|
||||
import android.os.Binder;
|
||||
import android.os.ParcelFileDescriptor;
|
||||
import android.platform.test.annotations.AppModeFull;
|
||||
import android.util.Log;
|
||||
|
||||
import androidx.test.InstrumentationRegistry;
|
||||
import androidx.test.ext.junit.runners.AndroidJUnit4;
|
||||
@@ -65,6 +65,13 @@ import java.util.concurrent.TimeUnit;
|
||||
*
|
||||
* <p>Subclasses MUST explicitly call #setUpTestNetwork and #tearDownTestNetwork to be able to use
|
||||
* the test network
|
||||
*
|
||||
* <p>All IKE Sessions running in test mode will generate SPIs deterministically. That is to say
|
||||
* each IKE Session will always generate the same IKE INIT SPI and test vectors are generated based
|
||||
* on this deterministic IKE SPI. Each test will use different local and remote addresses to avoid
|
||||
* the case that the next test try to allocate the same SPI before the previous test has released
|
||||
* it, since SPI resources are not released in testing thread. Similarly, each test MUST use
|
||||
* different Network instances to avoid sharing the same IkeSocket and hitting IKE SPI collision.
|
||||
*/
|
||||
@RunWith(AndroidJUnit4.class)
|
||||
@AppModeFull(reason = "MANAGE_TEST_NETWORKS permission can't be granted to instant apps")
|
||||
@@ -116,7 +123,7 @@ abstract class IkeSessionTestBase extends IkeTestBase {
|
||||
InstrumentationRegistry.getInstrumentation()
|
||||
.getUiAutomation()
|
||||
.adoptShellPermissionIdentity();
|
||||
sTNM = (TestNetworkManager) sContext.getSystemService(Context.TEST_NETWORK_SERVICE);
|
||||
sTNM = sContext.getSystemService(TestNetworkManager.class);
|
||||
|
||||
// Under normal circumstances, the MANAGE_IPSEC_TUNNELS appop would be auto-granted, and
|
||||
// a standard permission is insufficient. So we shell out the appop, to give us the
|
||||
@@ -149,10 +156,6 @@ abstract class IkeSessionTestBase extends IkeTestBase {
|
||||
@After
|
||||
public void tearDown() throws Exception {
|
||||
tearDownTestNetwork();
|
||||
|
||||
resetNextAvailableAddress(NEXT_AVAILABLE_IP4_ADDR_LOCAL, INITIAL_AVAILABLE_IP4_ADDR_LOCAL);
|
||||
resetNextAvailableAddress(
|
||||
NEXT_AVAILABLE_IP4_ADDR_REMOTE, INITIAL_AVAILABLE_IP4_ADDR_REMOTE);
|
||||
}
|
||||
|
||||
void setUpTestNetwork(InetAddress localAddr) throws Exception {
|
||||
@@ -185,9 +188,8 @@ abstract class IkeSessionTestBase extends IkeTestBase {
|
||||
pkg, // Package name
|
||||
opName, // Appop
|
||||
(allow ? "allow" : "deny")); // Action
|
||||
Log.d("IKE", "CTS setAppOp cmd " + cmd);
|
||||
|
||||
String result = SystemUtil.runShellCommand(cmd);
|
||||
SystemUtil.runShellCommand(cmd);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -229,6 +231,7 @@ abstract class IkeSessionTestBase extends IkeTestBase {
|
||||
}
|
||||
}
|
||||
|
||||
/** Testing callback that allows caller to block current thread until a method get called */
|
||||
static class TestIkeSessionCallback implements IkeSessionCallback {
|
||||
private CompletableFuture<IkeSessionConfiguration> mFutureIkeConfig =
|
||||
new CompletableFuture<>();
|
||||
@@ -282,6 +285,7 @@ abstract class IkeSessionTestBase extends IkeTestBase {
|
||||
}
|
||||
}
|
||||
|
||||
/** Testing callback that allows caller to block current thread until a method get called */
|
||||
static class TestChildSessionCallback implements ChildSessionCallback {
|
||||
private CompletableFuture<ChildSessionConfiguration> mFutureChildConfig =
|
||||
new CompletableFuture<>();
|
||||
@@ -368,6 +372,11 @@ abstract class IkeSessionTestBase extends IkeTestBase {
|
||||
}
|
||||
}
|
||||
|
||||
/** Package private method to check if device has IPsec tunnels feature */
|
||||
static boolean hasTunnelsFeature() {
|
||||
return sContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_IPSEC_TUNNELS);
|
||||
}
|
||||
|
||||
// TODO(b/148689509): Verify IKE Session setup using EAP and digital-signature-based auth
|
||||
|
||||
// TODO(b/148689509): Verify hostname based creation
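Review bot: tearDown() no longer resets NEXT_AVAILABLE_IP4_ADDR_LOCAL and NEXT_AVAILABLE_IP4_ADDR_REMOTE, and nothing at that spot says why. The class Javadoc added in this change says each test must use different local and remote addresses, because test-mode IKE SPIs are deterministic and are not released on the testing thread. Presumably the removal is what keeps the address counters advancing from one test to the next. A comment in tearDown() would stop a later cleanup from re-adding the reset and bringing back SPI collisions, e.g. `// Do not reset the next-available addresses: each test needs a fresh local/remote pair to avoid IKE SPI collisions.`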
|
||||
|
||||
@@ -121,7 +121,9 @@ public class IkeTunUtils extends TunUtils {
|
||||
+ " and message ID "
|
||||
+ expectedMsgId);
|
||||
}
|
||||
return null;
|
||||
|
||||
throw new IllegalStateException(
|
||||
"Hit an impossible case where fail() didn't throw an exception");
|
||||
}
|
||||
|
||||
private static boolean isIke(
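Review bot: The trailing `throw new IllegalStateException(...)` appears to exist only to satisfy the compiler after a call that, judging by its message, is fail(), so the two statements could be one. Throwing the failure directly, `throw new AssertionError("<existing message>" + expectedMsgId);`, removes the unreachable branch and keeps the failure type a test assertion rather than an IllegalStateException. The enclosing method and the start of the fail() call are outside the hunk, so this is inferred from the visible message concatenation.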
|
||||
|
||||