Merge "Expose APIs to migrate IpSecTransform" am: 19aa23db7e

Original change: https://android-review.googlesource.com/c/platform/packages/modules/Connectivity/+/2264321

Change-Id: Ifa5f3e0839a64dee46aa1a04088f4f39ab9a4091
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

framework-t/api/system-current.txt

@@ -260,6 +260,7 @@ package android.net {
   public class IpSecManager {
     method @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS) public void applyTunnelModeTransform(@NonNull android.net.IpSecManager.IpSecTunnelInterface, int, @NonNull android.net.IpSecTransform) throws java.io.IOException;
     method @NonNull @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS) public android.net.IpSecManager.IpSecTunnelInterface createIpSecTunnelInterface(@NonNull java.net.InetAddress, @NonNull java.net.InetAddress, @NonNull android.net.Network) throws java.io.IOException, android.net.IpSecManager.ResourceUnavailableException;
+    method @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS) public void startTunnelModeTransformMigration(@NonNull android.net.IpSecTransform, @NonNull java.net.InetAddress, @NonNull java.net.InetAddress);
   }
 
   public static final class IpSecManager.IpSecTunnelInterface implements java.lang.AutoCloseable {

framework-t/src/android/net/IpSecManager.java

@@ -823,16 +823,18 @@ public class IpSecManager {
          * Update the underlying network for this IpSecTunnelInterface.
          *
          * <p>This new underlying network will be used for all transforms applied AFTER this call is
-         * complete. Before new {@link IpSecTransform}(s) with matching addresses are applied to
+         * complete. Before {@link IpSecTransform}(s) with matching addresses are applied to this
-         * this tunnel interface, traffic will still use the old SA, and be routed on the old
+         * tunnel interface, traffic will still use the old transform, and be routed on the old
          * underlying network.
          *
          * <p>To migrate IPsec tunnel mode traffic, a caller should:
          *
          * <ol>
          *   <li>Update the IpSecTunnelInterface’s underlying network.
-         *   <li>Apply {@link IpSecTransform}(s) with matching addresses to this
+         *   <li>Apply the new {@link IpSecTransform}(s) to this IpSecTunnelInterface. These can be
-         *       IpSecTunnelInterface.
+         *       new {@link IpSecTransform}(s) with matching addresses, or {@link IpSecTransform}(s)
+         *       that have started migration (see {@link
+         *       IpSecManager#startTunnelModeTransformMigration}).
          * </ol>
          *
          * @param underlyingNetwork the new {@link Network} that will carry traffic for this tunnel.
@@ -841,7 +843,6 @@ public class IpSecManager {
          *     method will throw an {@link IllegalArgumentException}. If the IpSecTunnelInterface is
          *     later added to this network, all outbound traffic will be blackholed.
          */
-        // TODO: b/169171001 Update the documentation when transform migration is supported.
         // The purpose of making updating network and applying transforms separate is to leave open
         // the possibility to support lossless migration procedures. To do that, Android platform
         // will need to support multiple inbound tunnel mode transforms, just like it can support
@@ -1033,9 +1034,10 @@ public class IpSecManager {
      * @param newDestinationAddress the new destination address
      * @hide
      */
+    @SystemApi
     @RequiresFeature(FEATURE_IPSEC_TUNNEL_MIGRATION)
     @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS)
-    public void startMigration(
+    public void startTunnelModeTransformMigration(
             @NonNull IpSecTransform transform,
             @NonNull InetAddress newSourceAddress,
             @NonNull InetAddress newDestinationAddress) {

tests/unit/java/android/net/IpSecTransformTest.java

@@ -143,8 +143,9 @@ public class IpSecTransformTest {
 
     @Test
     @DevSdkIgnoreRule.IgnoreUpTo(Build.VERSION_CODES.TIRAMISU)
-    public void testStartMigration() throws Exception {
+    public void testStartTransformMigration() throws Exception {
-        mIpSecManager.startMigration(buildTestTransform(), SRC_ADDRESS_V6, DST_ADDRESS_V6);
+        mIpSecManager.startTunnelModeTransformMigration(
+                buildTestTransform(), SRC_ADDRESS_V6, DST_ADDRESS_V6);
         verify(mMockIpSecService)
                 .migrateTransform(
                         anyInt(),
@@ -155,9 +156,10 @@ public class IpSecTransformTest {
 
     @Test
     @DevSdkIgnoreRule.IgnoreAfter(Build.VERSION_CODES.TIRAMISU)
-    public void testStartMigrationOnSdkBeforeU() throws Exception {
+    public void testStartTransformMigrationOnSdkBeforeU() throws Exception {
         try {
-            mIpSecManager.startMigration(buildTestTransform(), SRC_ADDRESS_V6, DST_ADDRESS_V6);
+            mIpSecManager.startTunnelModeTransformMigration(
+                    buildTestTransform(), SRC_ADDRESS_V6, DST_ADDRESS_V6);
             fail("Expect to fail since migration is not supported before U");
         } catch (UnsupportedOperationException expected) {
         }