Clear password related policies in PolicySet when p/w not required

Bug: 2883736
Change-Id: I2c9c573aea9a4fef1699ff6339e8ef628d7f2269
Marc Blank 2010-08-06 19:57:05 -07:00
parent 36bdeeb0e1
commit c263810b08
2 changed files with 71 additions and 44 deletions


@ -469,31 +469,41 @@ public class SecurityPolicy {
public PolicySet(int minPasswordLength, int passwordMode, int maxPasswordFails,
int maxScreenLockTime, boolean requireRemoteWipe, int passwordExpiration,
int passwordHistory, int passwordComplexChars) throws IllegalArgumentException {
// This value has a hard limit which cannot be supported if exceeded. Setting the
// exceeded value will force isSupported() to return false.
if (minPasswordLength > PASSWORD_LENGTH_MAX) {
throw new IllegalArgumentException("password length");
}
if ((passwordMode != PASSWORD_MODE_NONE) && (passwordMode != PASSWORD_MODE_SIMPLE) &&
(passwordMode != PASSWORD_MODE_STRONG)) {
throw new IllegalArgumentException("password mode");
}
if (passwordExpiration > PASSWORD_EXPIRATION_MAX) {
throw new IllegalArgumentException("password expiration");
}
if (passwordHistory > PASSWORD_HISTORY_MAX) {
throw new IllegalArgumentException("password history");
}
if (passwordComplexChars > PASSWORD_COMPLEX_CHARS_MAX) {
throw new IllegalArgumentException("complex chars");
}
// This value can be reduced (which actually increases security) if necessary
if (maxPasswordFails > PASSWORD_MAX_FAILS_MAX) {
maxPasswordFails = PASSWORD_MAX_FAILS_MAX;
}
// This value can be reduced (which actually increases security) if necessary
if (maxScreenLockTime > SCREEN_LOCK_TIME_MAX) {
maxScreenLockTime = SCREEN_LOCK_TIME_MAX;
// If we're not enforcing passwords, make sure we clean up related values, since EAS
// can send non-zero values for any or all of these
if (passwordMode == PASSWORD_MODE_NONE) {
maxPasswordFails = 0;
maxScreenLockTime = 0;
minPasswordLength = 0;
passwordComplexChars = 0;
passwordHistory = 0;
passwordExpiration = 0;
} else {
if ((passwordMode != PASSWORD_MODE_SIMPLE) &&
(passwordMode != PASSWORD_MODE_STRONG)) {
throw new IllegalArgumentException("password mode");
}
// The next four values have hard limits which cannot be supported if exceeded.
if (minPasswordLength > PASSWORD_LENGTH_MAX) {
throw new IllegalArgumentException("password length");
}
if (passwordExpiration > PASSWORD_EXPIRATION_MAX) {
throw new IllegalArgumentException("password expiration");
}
if (passwordHistory > PASSWORD_HISTORY_MAX) {
throw new IllegalArgumentException("password history");
}
if (passwordComplexChars > PASSWORD_COMPLEX_CHARS_MAX) {
throw new IllegalArgumentException("complex chars");
}
// This value can be reduced (which actually increases security) if necessary
if (maxPasswordFails > PASSWORD_MAX_FAILS_MAX) {
maxPasswordFails = PASSWORD_MAX_FAILS_MAX;
}
// This value can be reduced (which actually increases security) if necessary
if (maxScreenLockTime > SCREEN_LOCK_TIME_MAX) {
maxScreenLockTime = SCREEN_LOCK_TIME_MAX;
}
}
mMinPasswordLength = minPasswordLength;
mPasswordMode = passwordMode;
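Review bot: The range checks in the new `else` branch test only upper bounds, so when the mode is SIMPLE or STRONG a negative `minPasswordLength`, `passwordExpiration`, `passwordHistory`, `passwordComplexChars`, `maxPasswordFails` or `maxScreenLockTime` is still stored as given. The new comment itself notes that EAS can send arbitrary values for these fields, so the server-supplied numbers deserve a lower bound as well, for example `if (minPasswordLength < 0 || minPasswordLength > PASSWORD_LENGTH_MAX) {` and the same shape for the other three throwing checks. For the two clamped values, rejecting a negative is probably safer than clamping it to 0, since 0 appears to mean "no limit" here (inferred from the NONE branch, not shown directly). The constructor body continues past the end of this hunk, so how the stored values are used later is not visible.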


@ -103,7 +103,7 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
// We know that EMPTY_POLICY_SET doesn't generate an Exception or we wouldn't be here
// Try some illegal parameters
try {
new PolicySet(100, PolicySet.PASSWORD_MODE_NONE, 0, 0, false, 0, 0, 0);
new PolicySet(100, PolicySet.PASSWORD_MODE_SIMPLE, 0, 0, false, 0, 0, 0);
fail("Too-long password allowed");
} catch (IllegalArgumentException e) {
}
@ -112,12 +112,23 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
fail("Illegal password mode allowed");
} catch (IllegalArgumentException e) {
}
PolicySet ps = new PolicySet(0, PolicySet.PASSWORD_MODE_NONE, 0,
PolicySet ps = new PolicySet(0, PolicySet.PASSWORD_MODE_SIMPLE, 0,
PolicySet.SCREEN_LOCK_TIME_MAX + 1, false, 0, 0, 0);
assertEquals(PolicySet.SCREEN_LOCK_TIME_MAX, ps.getMaxScreenLockTime());
ps = new PolicySet(0, PolicySet.PASSWORD_MODE_NONE,
ps = new PolicySet(0, PolicySet.PASSWORD_MODE_SIMPLE,
PolicySet.PASSWORD_MAX_FAILS_MAX + 1, 0, false, 0, 0, 0);
assertEquals(PolicySet.PASSWORD_MAX_FAILS_MAX, ps.getMaxPasswordFails());
// All password related fields should be zero when password mode is NONE
// Illegal values for these fields should be ignored
ps = new PolicySet(999/*length*/, PolicySet.PASSWORD_MODE_NONE,
999/*fails*/, 9999/*screenlock*/, false, 999/*expir*/, 999/*history*/,
999/*complex*/);
assertEquals(0, ps.mMinPasswordLength);
assertEquals(0, ps.mMaxScreenLockTime);
assertEquals(0, ps.mMaxPasswordFails);
assertEquals(0, ps.mPasswordExpiration);
assertEquals(0, ps.mPasswordHistory);
assertEquals(0, ps.mPasswordComplexChars);
}
/**
@ -177,7 +188,7 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
// fail count and lock timer - min logic - will change because smaller #s here
// password exp will change (max logic), but history and complex chars will be as before
// wipe required - OR logic - will change here because true
PolicySet p5in = new PolicySet(4, PolicySet.PASSWORD_MODE_NONE, 5, 6, true, 6, 0, 0);
PolicySet p5in = new PolicySet(4, PolicySet.PASSWORD_MODE_SIMPLE, 5, 6, true, 6, 0, 0);
Account a5 = ProviderTestUtils.setupAccount("sec-5", false, mMockContext);
p5in.writeAccount(a5, null, true, mMockContext);
PolicySet p5out = sp.computeAggregatePolicy();
@ -217,9 +228,10 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
*/
@SmallTest
public void testFieldIsolation() {
PolicySet p = new PolicySet(PolicySet.PASSWORD_LENGTH_MAX, 0, 0, 0, false, 0, 0 ,0);
PolicySet p = new PolicySet(PolicySet.PASSWORD_LENGTH_MAX, PolicySet.PASSWORD_MODE_SIMPLE,
0, 0, false, 0, 0 ,0);
assertEquals(PolicySet.PASSWORD_MODE_SIMPLE, p.mPasswordMode);
assertEquals(PolicySet.PASSWORD_LENGTH_MAX, p.mMinPasswordLength);
assertEquals(0, p.mPasswordMode);
assertEquals(0, p.mMaxPasswordFails);
assertEquals(0, p.mMaxScreenLockTime);
assertEquals(0, p.mPasswordExpiration);
@ -228,8 +240,8 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
assertFalse(p.mRequireRemoteWipe);
p = new PolicySet(0, PolicySet.PASSWORD_MODE_STRONG, 0, 0, false, 0, 0, 0);
assertEquals(0, p.mMinPasswordLength);
assertEquals(PolicySet.PASSWORD_MODE_STRONG, p.mPasswordMode);
assertEquals(0, p.mMinPasswordLength);
assertEquals(0, p.mMaxPasswordFails);
assertEquals(0, p.mMaxScreenLockTime);
assertEquals(0, p.mPasswordExpiration);
@ -237,9 +249,10 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
assertEquals(0, p.mPasswordComplexChars);
assertFalse(p.mRequireRemoteWipe);
p = new PolicySet(0, 0, PolicySet.PASSWORD_MAX_FAILS_MAX, 0, false, 0, 0, 0);
p = new PolicySet(0, PolicySet.PASSWORD_MODE_SIMPLE, PolicySet.PASSWORD_MAX_FAILS_MAX, 0,
false, 0, 0, 0);
assertEquals(PolicySet.PASSWORD_MODE_SIMPLE, p.mPasswordMode);
assertEquals(0, p.mMinPasswordLength);
assertEquals(0, p.mPasswordMode);
assertEquals(PolicySet.PASSWORD_MAX_FAILS_MAX, p.mMaxPasswordFails);
assertEquals(0, p.mMaxScreenLockTime);
assertEquals(0, p.mPasswordExpiration);
@ -247,9 +260,10 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
assertEquals(0, p.mPasswordComplexChars);
assertFalse(p.mRequireRemoteWipe);
p = new PolicySet(0, 0, 0, PolicySet.SCREEN_LOCK_TIME_MAX, false, 0, 0, 0);
p = new PolicySet(0, PolicySet.PASSWORD_MODE_SIMPLE, 0, PolicySet.SCREEN_LOCK_TIME_MAX,
false, 0, 0, 0);
assertEquals(PolicySet.PASSWORD_MODE_SIMPLE, p.mPasswordMode);
assertEquals(0, p.mMinPasswordLength);
assertEquals(0, p.mPasswordMode);
assertEquals(0, p.mMaxPasswordFails);
assertEquals(PolicySet.SCREEN_LOCK_TIME_MAX, p.mMaxScreenLockTime);
assertEquals(0, p.mPasswordExpiration);
@ -257,9 +271,9 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
assertEquals(0, p.mPasswordComplexChars);
assertFalse(p.mRequireRemoteWipe);
p = new PolicySet(0, 0, 0, 0, true, 0, 0, 0);
p = new PolicySet(0, PolicySet.PASSWORD_MODE_NONE, 0, 0, true, 0, 0, 0);
assertEquals(PolicySet.PASSWORD_MODE_NONE, p.mPasswordMode);
assertEquals(0, p.mMinPasswordLength);
assertEquals(0, p.mPasswordMode);
assertEquals(0, p.mMaxPasswordFails);
assertEquals(0, p.mMaxScreenLockTime);
assertEquals(0, p.mPasswordExpiration);
@ -267,9 +281,10 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
assertEquals(0, p.mPasswordComplexChars);
assertTrue(p.mRequireRemoteWipe);
p = new PolicySet(0, 0, 0, 0, false, PolicySet.PASSWORD_EXPIRATION_MAX, 0, 0);
p = new PolicySet(0, PolicySet.PASSWORD_MODE_SIMPLE, 0, 0, false,
PolicySet.PASSWORD_EXPIRATION_MAX, 0, 0);
assertEquals(PolicySet.PASSWORD_MODE_SIMPLE, p.mPasswordMode);
assertEquals(0, p.mMinPasswordLength);
assertEquals(0, p.mPasswordMode);
assertEquals(0, p.mMaxPasswordFails);
assertEquals(0, p.mMaxScreenLockTime);
assertEquals(PolicySet.PASSWORD_EXPIRATION_MAX, p.mPasswordExpiration);
@ -277,9 +292,10 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
assertEquals(0, p.mPasswordComplexChars);
assertFalse(p.mRequireRemoteWipe);
p = new PolicySet(0, 0, 0, 0, false, 0, PolicySet.PASSWORD_HISTORY_MAX, 0);
p = new PolicySet(0, PolicySet.PASSWORD_MODE_SIMPLE, 0, 0, false, 0,
PolicySet.PASSWORD_HISTORY_MAX, 0);
assertEquals(PolicySet.PASSWORD_MODE_SIMPLE, p.mPasswordMode);
assertEquals(0, p.mMinPasswordLength);
assertEquals(0, p.mPasswordMode);
assertEquals(0, p.mMaxPasswordFails);
assertEquals(0, p.mMaxScreenLockTime);
assertEquals(0, p.mPasswordExpiration);
@ -287,9 +303,10 @@ public class SecurityPolicyTests extends ProviderTestCase2<EmailProvider> {
assertEquals(0, p.mPasswordComplexChars);
assertFalse(p.mRequireRemoteWipe);
p = new PolicySet(0, 0, 0, 0, false, 0, 0, PolicySet.PASSWORD_COMPLEX_CHARS_MAX);
p = new PolicySet(0, PolicySet.PASSWORD_MODE_SIMPLE, 0, 0, false, 0, 0,
PolicySet.PASSWORD_COMPLEX_CHARS_MAX);
assertEquals(PolicySet.PASSWORD_MODE_SIMPLE, p.mPasswordMode);
assertEquals(0, p.mMinPasswordLength);
assertEquals(0, p.mPasswordMode);
assertEquals(0, p.mMaxPasswordFails);
assertEquals(0, p.mMaxScreenLockTime);
assertEquals(0, p.mPasswordExpiration);