We currently test CONNECTIVITY_ACTION broadcasts by directly
registering BroadcastReceivers with BroadcastInterceptingContext,
and making the receivers unregister themselves when all the
broadcasts they expect have been received.
This works for current test cases, but does not work if anything
registers another receiver for CONNECTIVITY_ACTION. In that case,
when we unregister the receiver in the receiver's onReceive
method, BroadcastInterceptingContext will throw a
ConcurrentModificationException because the list of receivers is
being modified during iteration.
Fix this by adding an ExpectedBroadcast class that stores the
receiver and unregisters the receiver only when the test checks
that the broadcast was received, which happens after the receiver
runs. This is easier to use and also guarantees that the receiver
is unregistered even if the test is expecting that the broadcast
is never fired. Accordingly, remove mRegisteredReceivers and the
code that uses it; it's no longer necessary now that
ExpectedBroadcast always unregisters its receivers.
Also add a convenience expectConnectivityAction method to expect
a CONNECTIVITY_ACTION broadcast with specific contents. This
makes the test easier to read and more detailed. Convert some
existing tests to this method.
While I'm at it, fix a test that was using "mCellNetworkAgent" to
represent a wifi network.
R backport notes: added import for NetworkInfo.DetailedState.
That was added in aosp/1527378, which is impractical to backport.
Bug: 172870110
Test: test-only change
Change-Id: Ibada8b4215625e1016d9fd170526206920af76f5
Merged-In: Ibada8b4215625e1016d9fd170526206920af76f5
Current code treats these nulls as if they weren't there.
Bug: 172870110
Test: test-only change
Change-Id: Id4632e1b004c09910b4b7613f7233d2c19e2f0ac
Merged-In: Id4632e1b004c09910b4b7613f7233d2c19e2f0ac
This test is a bit brittle because it sets the underlying
networks while the VPN is undergoing validation by
NetworkMonitor. The test does attempt to disable validation,
but that's not actually possible - the only thing that's possible
is to tell NetworkMonitor to validate immediately without sending
any probes. So the underlying network change races with the
validation. I'm not sure why the test isn't flaky. It might be
because both the network change and the validation result in a
capabilities change, and the test expects "a capabilities change"
without expressing what change that should be.
Make this a bit more predictable by ensuring that the network
validates before the underlying networks are set.
This is useful because an upcoming CL will change the way
underlying network capabilities are propagated. With this test
CL, both the old and the new code pass.
Bug: 172870110
Test: test-only change
Change-Id: I319858228e8d097c0b60a107029f296385f91269
Merged-In: I319858228e8d097c0b60a107029f296385f91269
MockVpn is very difficult to use because it requires the test
caller keeping track of both the MockVpn object and an
accompanying TestNetworkAgentWrapper.
It's also not very realistic: for example, connect() doesn't
actually connect anything, it just makes it so that if
ConnectivityService tries to update the capabilities, the attempt
will not be ignored. Also, unlike the real code in Vpn, it
connects with empty NetworkCapabilities (in particular, with
empty UID ranges).
Make this easier to use and a bit more realistic by:
- Allowing TestNetworkAgentWrapper to take a "NetworkCapabilities
template" that will form the initial capabilities sent when the
agent registers with ConnectivityService. This allows the VPN
to register its agent with its UID ranges already set, like the
production code does.
- Providing separate methods to register the NetworkAgent and
mark it connected for cases where the test needs to make
changes to the NetworkAgent before connecting (e.g., poking
NetworkMonitor).
- Putting the TestNetworkAgentWrapper inside MockVpn and driving
it through MockVpn's methods. In order not to have too many
wrapper functions (and because we can't delegate like in
Kotlin), there's still an agent() method that returns the
TestNetworkAgentWrapper.
Bug: 172870110
Test: test-only change
Change-Id: I749ff325bc13ac96f512270b86d1f67686eec378
Merged-In: I749ff325bc13ac96f512270b86d1f67686eec378
This CL removes four methods in MockVpn by slightly changing the
test code to leverage the actual methods implemented by the
(production) Vpn superclass.
This works because setting mInterface results in
isRunningLocked() returning true, which makes a number of methods
behave as if the VPN is connected (which is what the test
expects).
The more realistic behaviour exposes a minor bug in the treatment
of underlying networks. Add a TODO to fix it.
Bug: 172870110
Test: test-only change
Change-Id: I49421183538ba61ca790af71e309ece36b653bf9
Merged-In: I49421183538ba61ca790af71e309ece36b653bf9
This test checks that if a VPN declares an underlying network
that does not exist, the capabilities of that network are applied
to the VPN as soon as the network starts to exist.
Bug: 172870110
Test: test-only change
Change-Id: Icc0701cb4cea7d91f7738c1e426e94cd26686b74
Merged-In: Icc0701cb4cea7d91f7738c1e426e94cd26686b74
Network specifiers are used for 2 purposes:
- As part of network requests to specify more information on the type
of requested networks.
- On network agents to specify information about their networks.
The network specifiers of the requests and agents are matched to each
other. However, the agent network specifier may contain sensitive
information which we do not want forwarded to any app.
This CL adds an option to strip out this agent network specifier before
the network capabilities are forwarded to the app.
Bug: 161853197
Bug: 161370134
Test: atest ConnectivityServiceTest (frameworks/base/tests/net)
Test: atest frameworks/base/tests/net
Test: atest frameworks/opt/net/wifi/tests/wifitests
Test: atest frameworks/opt/telephony/tests/telephonytests
Test: atest frameworks/opt/net/ethernet/tests
Test: atest android.net.cts - some flakiness!
Test: act.py ThroughputTest
Test: act.py DataPathTest
Test: atest SingleDeviceTest (cts)
Change-Id: I38ed3ff88532ef522ab167c88d87e6e82295ffc5
Merged-In: If08d312ff814bdde1147518f923199e6349503d5
For non-telephony networks, this was always set to 0 before R.
In R, it is currently set to the same value as the network type.
This is incorrect because the two have different namespaces.
or example, currently, any network of type WIFI (==1) will have
a subtype of NETWORK_TYPE_GPRS (==1). Similarly, all ETHERNET
networks will have subtype NETWORK_TYPE_1XRTT, all VPN networks
will have a subtype of NETWORK_TYPE_TD_SCDMA, etd.
Bug: 161653721
Test: builds, boots
Change-Id: I07e111c1762e0021c931cefc27f193f78578748b
This change updates ConnectivityService to notify the
ConnectivityDiagnosticsHandler of app-reported connectivity before
attempting to revalidate the network. This change forces an ordering on
Connectivity Diagnostics events in the case that the reported
connectivity does not match the known connectivity for the network -
this leads to the network being revalidated and the
ConnectivityDiagnostics event onConnectivityReportAvailable. Passing the
onNetworkConnectivityReported event to the
ConnectivityDiagnosticsHandler first ensures that it is passed to
callbacks before any potential ConnectivityReports are.
Bug: 159718782
Test: android.net.cts.ConnectivityDiagnosticsManagerTest
Original-Change: https://android-review.googlesource.com/1350662
Merged-In: Ic7bc7138c54c47bbfdf56af5811709fde66f8606
Change-Id: Ic7bc7138c54c47bbfdf56af5811709fde66f8606
Check one more parameter enforceDnsUid in ResolverOptionsParcel in
DnsManagerTest.
Bug: 159587277
Test: atest
com.android.server.connectivity.DnsManagerTest#testSendDnsConfiguration
Change-Id: Ic53f42b968626294c851dac252a70769846ba427
Probe DNS servers to see they support DNS-over-TLS. Use system
CAs to verify whether the certificates sent by DNS servers are
trusted or not. An error is thrown to cause the probe failed if
DNS servers send untrusted certificates.
Unlike the DnsResolver which doesn't verify the certificates
in opportunistic mode, all of the DoT probes from NetworkDiagnostics
check certificates.
DoT probes apply to the DNS servers gotten from LinkProperties
and the DoT servers gotten from PrivateDnsConfig whatever private
DNS mode is.
A common example in DNS strict mode:
. DNS TLS dst{8.8.8.8} hostname{dns.google} src{192.168.43.2:48436} qtype{1} qname{815149-android-ds.metric.gstatic.com}: SUCCEEDED: 1/1 NOERROR (432ms)
F DNS TLS dst{192.168.43.144} hostname{}: FAILED: java.net.ConnectException: failed to connect to /192.168.43.144 (port 853) from /192.168.43.2 (port 41770) after 2500ms: isConnected failed: ECONNREFUSED (Connection refused) (172ms)
. DNS TLS dst{8.8.4.4} hostname{dns.google} src{192.168.43.2:37598} qtype{1} qname{759312-android-ds.metric.gstatic.com}: SUCCEEDED: 1/1 NOERROR (427ms)
An example when the CA is not trusted:
F DNS TLS dst{8.8.8.8} hostname{dns.google}: FAILED: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. (16ms)
An example when TCP/TLS handshake timeout:
F DNS TLS dst{8.8.8.8} hostname{dns.google}: FAILED: java.net.SocketTimeoutException: failed to connect to /8.8.8.8 (port 853) from /192.168.2.108 (port 45680) after 2500ms (2514ms)
Bug: 132925257
Bug: 118369977
Test: atest FrameworksNetTests
Original-Change: https://android-review.googlesource.com/1011670
Merged-In: I1b54abed0e931ca4b8a97149459cde54da1c3d6f
Change-Id: I1b54abed0e931ca4b8a97149459cde54da1c3d6f
ConnectivityService puts up some notifications with pending
intents, but these pending intents are mutable that content can
be changed by someone. So make these pending intents to be
immutable.
Some OEMs have their own Settings package. Thus, need to get the
current using Settings package name instead of just use default
name "com.android.settings".
Bug: 154928507
Test: atest FrameworksNetTests
Change-Id: I02e3277358623400aa03dc8996af3d7c46a8ce76
This class might be used by some mainline modules.
Bug: 151052811
Test: atest DnsPacketTest
Test: atest DnsResolverTest
Change-Id: I8841d91456952ded5efbf8ea221289aecc7746ad
This is a Client-only solution.
- Add to NetdClient a per-process std::atomic_boolean
similar to netIdForProcess and netIdForResolv.
- The boolean says whether the process should be
allowed Internet connectivity.
- Add an @hide method to NetUtils.java to set the boolean;
call it from the initialization code of the new
process just after forking from zygote.
- Make netdClientSocket and dnsOpenProxy check the
boolean. If the boolean is false, return EPERM from
socket calls.
Bug: 150028556
Test: atest NetworkUtilsTest
Test: atest CtsAppSecurityHostTestCases:UseProcessTest
Change-Id: If002280fbad493dfc2db3d9d505c0257d49a9056
Exempt-From-Owner-Approval: OWNERS already approved identical patchset 5
On Android different interfaces usually use different routing tables.
As a result, a change in interface should not be treated as route
update, but rather a remove and an add.
This change fixes a bug in VPN seamless handover where routes
failed to be updated when a new tunnel interface replaces the existing
one within the same network.
Bug: 158696878
Test: atest com.android.cts.net.HostsideVpnTests
Test: atest NetworkStackTests
Test: atest CtsNetTestCases
Test: atest FrameworksNetTests
Original-Change: https://android-review.googlesource.com/1331916
Merged-In: I57987233d42a0253eaee2e1ca5f28728c2354620
Change-Id: I57987233d42a0253eaee2e1ca5f28728c2354620
Test extra info sent to NetworkMonitor correctly if network
agent is created through new NetworkAgent constructor without
legacy network info taken as parameter.
Bug: 156173829
Test: atest FrameworkNetTests
Merged-In: I4f827664c528bea30cc957a0a617dd37693f4460
Change-Id: I4f827664c528bea30cc957a0a617dd37693f4460
This commit changes agentConnect to set the owner UID as the mOwnerUid
field instead of the Binder.getCallingUid().
Binder.getCallingUid() can return incorrect results for platform VPNs,
as agentConnect() is called under a clean calling UID.
Additionally, this relaxes the ownerUid sanitization check to allow a
VPN network's owner to see it's own ownership information.
Vpn.mOwnerUid is guaranteed to be correct, as all VPNs MUST have called
prepareInternal() at some previous point, which sets mOwnerUid as the
package's UID (or SYSTEM_UID if this is legacy VPN).
Bug: 150135470
Test: CTS tests showing ownership information
Merged-In: Ic979dad73983d722365849fbfb0becfd432b894c
Change-Id: Ic979dad73983d722365849fbfb0becfd432b894c
(cherry picked from commit 5da3e20cfb)
The classes should not be picked up from frameworks/base, as they are
part of several mainline modules.
Also refine comments in DhcpResults following feedback in previous
change.
Bug: 151052811
Test: m; manual: flashed, wifi and telephony working
Test: atest NetworkStackCoverageTests
Change-Id: I7074651c6a2a7a6b11bcf13cc4bb03833d7d655f
Some developers have been surprised by this limitation and had trouble
figuring out what the issue was. Add documentation to address this.
This also includes a drive-by removal of a duplicate check.
Bug: 149867479
Test: doc-only change
Original-Change: https://android-review.googlesource.com/1313813
Merged-In: I5911d01984695550b6c9afe7a8eb535bf5e320a1
Change-Id: I5911d01984695550b6c9afe7a8eb535bf5e320a1
config_mobile_hotspot_provision_app would be move out of framework and
only private for tethering only.
enforceTetherChangePermission is no longer needed because its only
caller PanService already gate by other privileged permission
(BLUETOOTH_PRIVILEGED).
Bug: 146918263
Test: m
Change-Id: I030871c2bc46bc09c4e52970b4995f98d31bb90e
Merged-In: I030871c2bc46bc09c4e52970b4995f98d31bb90e
Avoid using the "iff" abbreviation in our Javadoc.
Bug: 158092978
Test: m doc-comment-check-docs and check the generated doc
Merged-In: I41bf8a6ddad200f00524d9b2dd1bf169810ee460
Change-Id: I41bf8a6ddad200f00524d9b2dd1bf169810ee460
The extra info is taken into NetworkMonitor from while creating
it. The NetworkMonitor is created when a new agent is registered
but the extra info is not available at that time. Make sure the
field is set in the NetworkInfo when registering.
Bug: 156173829
Test: adb shell dumpsys network and check the apn in the extra
info shown correctly
Test: atest FrameworkNetTests
Merged-In: Ieaad8cbf1a28af3b97c7f98f74358e417fcad661
Change-Id: Ieaad8cbf1a28af3b97c7f98f74358e417fcad661
This consumes ~3.5% system logs, however it is not very useful
when debugging since similar information could be obtained from
dumpsys {connectivity|netpolicy}. Thus, remove the log.
Test: manual
Bug: 135504481
Change-Id: I04d2b7402f892546722fe6868c521afd9534f183
Merged-In: I04d2b7402f892546722fe6868c521afd9534f183
(cherry picked from commit 21a352f761ce558bea6fa9ab2a4e49a164228b56)
Ethernet networks using tap interfaces should have TRANSPORT_TEST so
they are not considered by network selection.
Test: atest CaptivePortalApiTest FrameworksNetTests
Bug: 156319532
Original-Change: https://android-review.googlesource.com/1317238
Merged-In: I0d9477977c88aa055625ab4046577a41e76b05ff
Change-Id: I0d9477977c88aa055625ab4046577a41e76b05ff
This change adds the @RequiresFeature annotation to Ikev2VpnProfile
Builder methods, and checks before provisioning VPN profiles.
Bug: 156681625
Test: New tests added, passing.
Change-Id: I125d8fbe5d67fb877ad7d0636c007cb3e1a9f59b
Merged-In: I125d8fbe5d67fb877ad7d0636c007cb3e1a9f59b
(cherry picked from commit e84a17dd1706f4c8373047b2023a1ec4b7cf4bf3)
This should no longer be needed after all the cleanups.
Test: atest NetworkStatsTest NetworkStatsFactoryTest
Bug: 150738490
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I289d935f84b616ed857ef4c5a7427d57c282d00c
Merged-In: I289d935f84b616ed857ef4c5a7427d57c282d00c
No clat app uid 0 rx stats on base iface due to ip6tables raw prerouting drop
(so just copy over the rx stats from the before file)
Test: atest NetworkStatsTest NetworkStatsFactoryTest
Bug: 150738490
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie73ba0586dafde67bc2726db26e07f7268c18be3
Merged-In: Ie73ba0586dafde67bc2726db26e07f7268c18be3
No clat app uid 0 rx stats on base iface due to ip6tables raw prerouting drop
Test: atest NetworkStatsFactoryTest
Bug: 150738490
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I4393afcbe8e1bb886ecf4f5c1573f6ac8a0e29f5
Merged-In: I4393afcbe8e1bb886ecf4f5c1573f6ac8a0e29f5
