Improve handling of unsupported security policies

* If the server asks for more than we can support, don't throw
  and error from PolicySet creation.  Let isSupported() do that.
* Overlong password lengths cannot be supported and isSupported is false.
* Overlong timeouts & max wipes can be reduced to supported
  amount (this actually increases security) and isSupported is true.
* Clean up an obsolete comment
* Unit tests

Bug: 2567804
Change-Id: I2d664a7f2a315b9f9bdcb867fe2cd98f74de6f66
This commit is contained in:
Andrew Stadler 2010-04-02 22:05:12 -07:00
parent abed4c04c9
commit a843d40ba1
3 changed files with 32 additions and 7 deletions

View File

@ -451,7 +451,8 @@ public class SecurityPolicy {
// bits 0..4: password length (0=no password required)
private static final int PASSWORD_LENGTH_MASK = 31;
private static final int PASSWORD_LENGTH_SHIFT = 0;
public static final int PASSWORD_LENGTH_MAX = 31;
public static final int PASSWORD_LENGTH_MAX = 30;
private static final int PASSWORD_LENGTH_EXCEEDED = 31;
// bits 5..8: password mode
private static final int PASSWORD_MODE_SHIFT = 5;
private static final int PASSWORD_MODE_MASK = 15 << PASSWORD_MODE_SHIFT;
@ -482,22 +483,26 @@ public class SecurityPolicy {
* @param maxPasswordFails (0=not enforced)
* @param maxScreenLockTime in seconds (0=not enforced)
* @param requireRemoteWipe
* @throws IllegalArgumentException when any arguments are outside of legal ranges.
* @throws IllegalArgumentException for illegal arguments.
*/
public PolicySet(int minPasswordLength, int passwordMode, int maxPasswordFails,
int maxScreenLockTime, boolean requireRemoteWipe) throws IllegalArgumentException {
// This value has a hard limit which cannot be supported if exceeded. Setting the
// exceeded value will force isSupported() to return false.
if (minPasswordLength > PASSWORD_LENGTH_MAX) {
throw new IllegalArgumentException("password length");
minPasswordLength = PASSWORD_LENGTH_EXCEEDED;
}
if (passwordMode < PASSWORD_MODE_NONE
|| passwordMode > PASSWORD_MODE_STRONG) {
throw new IllegalArgumentException("password mode");
}
// This value can be reduced (which actually increases security) if necessary
if (maxPasswordFails > PASSWORD_MAX_FAILS_MAX) {
throw new IllegalArgumentException("password max fails");
maxPasswordFails = PASSWORD_MAX_FAILS_MAX;
}
// This value can be reduced (which actually increases security) if necessary
if (maxScreenLockTime > SCREEN_LOCK_TIME_MAX) {
throw new IllegalArgumentException("max screen lock time");
maxScreenLockTime = SCREEN_LOCK_TIME_MAX;
}
mMinPasswordLength = minPasswordLength;

View File

@ -1181,7 +1181,6 @@ public class EasSyncService extends AbstractSyncService {
Eas.SUPPORTED_PROTOCOL_EX2007_DOUBLE) ? EAS_12_POLICY_TYPE : EAS_2_POLICY_TYPE;
}
// TODO This is Exchange 2007 only at this point
/**
* Obtain a set of policies from the server and determine whether those policies are supported
* by the device.

View File

@ -177,7 +177,7 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
* for any encoding mask/shift errors, which would cause bits to overflow into other fields.
*/
@SmallTest
public void testFieldRanges() {
public void testFieldIsolation() {
PolicySet p = new PolicySet(PolicySet.PASSWORD_LENGTH_MAX, 0, 0, 0, false);
assertEquals(PolicySet.PASSWORD_LENGTH_MAX, p.mMinPasswordLength);
assertEquals(0, p.mPasswordMode);
@ -214,6 +214,27 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
assertTrue(p.mRequireRemoteWipe);
}
/**
* Test creation of policies with unsupported ranges
*/
@SmallTest
public void testFieldRanges() {
SecurityPolicy sp = getSecurityPolicy();
// Overlong password length cannot be supported
PolicySet p = new PolicySet(PolicySet.PASSWORD_LENGTH_MAX + 1, 0, 0, 0, false);
assertFalse(sp.isSupported(p));
// Too many wipes before reboot can be supported (by reducing to the max)
p = new PolicySet(0, 0, PolicySet.PASSWORD_MAX_FAILS_MAX + 1, 0, false);
assertTrue(sp.isSupported(p));
assertEquals(PolicySet.PASSWORD_MAX_FAILS_MAX, p.mMaxPasswordFails);
// Too long lock time can be supported (by reducing to the max)
p = new PolicySet(0, 0, 0, PolicySet.SCREEN_LOCK_TIME_MAX + 1, false);
assertTrue(sp.isSupported(p));
assertEquals(PolicySet.SCREEN_LOCK_TIME_MAX, p.mMaxScreenLockTime);
}
/**
* Test encoding into an Account and out again
*/