Improve handling of unsupported security policies
* If the server asks for more than we can support, don't throw an error from PolicySet creation. Let isSupported() do that. * Overlong password lengths cannot be supported and isSupported is false. * Overlong timeouts & max wipes can be reduced to supported amount (this actually increases security) and isSupported is true. * Clean up an obsolete comment * Unit tests Bug: 2567804 Change-Id: I2d664a7f2a315b9f9bdcb867fe2cd98f74de6f66
parent
abed4c04c9
commit
a843d40ba1
@ -451,7 +451,8 @@ public class SecurityPolicy {
|
||||
// bits 0..4: password length (0=no password required)
|
||||
private static final int PASSWORD_LENGTH_MASK = 31;
|
||||
private static final int PASSWORD_LENGTH_SHIFT = 0;
|
||||
public static final int PASSWORD_LENGTH_MAX = 31;
|
||||
public static final int PASSWORD_LENGTH_MAX = 30;
|
||||
private static final int PASSWORD_LENGTH_EXCEEDED = 31;
|
||||
// bits 5..8: password mode
|
||||
private static final int PASSWORD_MODE_SHIFT = 5;
|
||||
private static final int PASSWORD_MODE_MASK = 15 << PASSWORD_MODE_SHIFT;
|
||||
@ -482,22 +483,26 @@ public class SecurityPolicy {
|
||||
* @param maxPasswordFails (0=not enforced)
|
||||
* @param maxScreenLockTime in seconds (0=not enforced)
|
||||
* @param requireRemoteWipe
|
||||
* @throws IllegalArgumentException when any arguments are outside of legal ranges.
|
||||
* @throws IllegalArgumentException for illegal arguments.
|
||||
*/
|
||||
public PolicySet(int minPasswordLength, int passwordMode, int maxPasswordFails,
|
||||
int maxScreenLockTime, boolean requireRemoteWipe) throws IllegalArgumentException {
|
||||
// This value has a hard limit which cannot be supported if exceeded. Setting the
|
||||
// exceeded value will force isSupported() to return false.
|
||||
if (minPasswordLength > PASSWORD_LENGTH_MAX) {
|
||||
throw new IllegalArgumentException("password length");
|
||||
minPasswordLength = PASSWORD_LENGTH_EXCEEDED;
|
||||
}
|
||||
if (passwordMode < PASSWORD_MODE_NONE
|
||||
|| passwordMode > PASSWORD_MODE_STRONG) {
|
||||
throw new IllegalArgumentException("password mode");
|
||||
}
|
||||
// This value can be reduced (which actually increases security) if necessary
|
||||
if (maxPasswordFails > PASSWORD_MAX_FAILS_MAX) {
|
||||
throw new IllegalArgumentException("password max fails");
|
||||
maxPasswordFails = PASSWORD_MAX_FAILS_MAX;
|
||||
}
|
||||
// This value can be reduced (which actually increases security) if necessary
|
||||
if (maxScreenLockTime > SCREEN_LOCK_TIME_MAX) {
|
||||
throw new IllegalArgumentException("max screen lock time");
|
||||
maxScreenLockTime = SCREEN_LOCK_TIME_MAX;
|
||||
}
|
||||
|
||||
mMinPasswordLength = minPasswordLength;
|
||||
|
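Review bot: The constructor still has no lower-bound checks: the tests on `minPasswordLength`, `maxPasswordFails` and `maxScreenLockTime` only compare against the maximum, so a negative value supplied by the server is neither rejected nor clamped, and with the mask/shift encoding shown in the first hunk it could presumably spill into neighbouring bit fields. A guard before the clamps, `if (minPasswordLength < 0 || maxPasswordFails < 0 || maxScreenLockTime < 0) throw new IllegalArgumentException("negative policy value");`, would close that and matches the existing handling of an illegal `passwordMode`. Separately, `PASSWORD_LENGTH_EXCEEDED` is stored in `mMinPasswordLength` itself, so an unsupportable policy is refused only if every consumer calls `isSupported()` before applying the set. A comment on the constant such as `// sentinel, never a real length: isSupported() must reject it` would make that contract explicit. The constructor body continues past the end of the hunk, so any later validation is not visible here.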
@ -1181,7 +1181,6 @@ public class EasSyncService extends AbstractSyncService {
|
||||
Eas.SUPPORTED_PROTOCOL_EX2007_DOUBLE) ? EAS_12_POLICY_TYPE : EAS_2_POLICY_TYPE;
|
||||
}
|
||||
|
||||
// TODO This is Exchange 2007 only at this point
|
||||
/**
|
||||
* Obtain a set of policies from the server and determine whether those policies are supported
|
||||
* by the device.
|
||||
|
@ -177,7 +177,7 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
|
||||
* for any encoding mask/shift errors, which would cause bits to overflow into other fields.
|
||||
*/
|
||||
@SmallTest
|
||||
public void testFieldRanges() {
|
||||
public void testFieldIsolation() {
|
||||
PolicySet p = new PolicySet(PolicySet.PASSWORD_LENGTH_MAX, 0, 0, 0, false);
|
||||
assertEquals(PolicySet.PASSWORD_LENGTH_MAX, p.mMinPasswordLength);
|
||||
assertEquals(0, p.mPasswordMode);
|
||||
@ -214,6 +214,27 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
|
||||
assertTrue(p.mRequireRemoteWipe);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test creation of policies with unsupported ranges
|
||||
*/
|
||||
@SmallTest
|
||||
public void testFieldRanges() {
|
||||
SecurityPolicy sp = getSecurityPolicy();
|
||||
// Overlong password length cannot be supported
|
||||
PolicySet p = new PolicySet(PolicySet.PASSWORD_LENGTH_MAX + 1, 0, 0, 0, false);
|
||||
assertFalse(sp.isSupported(p));
|
||||
|
||||
// Too many wipes before reboot can be supported (by reducing to the max)
|
||||
p = new PolicySet(0, 0, PolicySet.PASSWORD_MAX_FAILS_MAX + 1, 0, false);
|
||||
assertTrue(sp.isSupported(p));
|
||||
assertEquals(PolicySet.PASSWORD_MAX_FAILS_MAX, p.mMaxPasswordFails);
|
||||
|
||||
// Too long lock time can be supported (by reducing to the max)
|
||||
p = new PolicySet(0, 0, 0, PolicySet.SCREEN_LOCK_TIME_MAX + 1, false);
|
||||
assertTrue(sp.isSupported(p));
|
||||
assertEquals(PolicySet.SCREEN_LOCK_TIME_MAX, p.mMaxScreenLockTime);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test encoding into an Account and out again
|
||||
*/
|
||||
|
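Review bot: `testFieldRanges()` probes each limit only at max + 1, so it would not catch a clamp that mishandles values far outside the field width or below zero, which is what a misbehaving or hostile server could send. Consider adding `p = new PolicySet(0, 0, Integer.MAX_VALUE, Integer.MAX_VALUE, false);` followed by the same two `assertEquals` checks against `PASSWORD_MAX_FAILS_MAX` and `SCREEN_LOCK_TIME_MAX`, plus a case passing `Integer.MAX_VALUE` as the password length that asserts `assertFalse(sp.isSupported(p))`. Negative arguments have no test at all; whatever the constructor is meant to do with them should be pinned here.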