From c263810b08943541135a24e2b7520692152455cc Mon Sep 17 00:00:00 2001
From: Marc Blank
Date: Fri, 6 Aug 2010 19:57:05 -0700
Subject: [PATCH] Clear password related policies in PolicySet when p/w not required
Bug: 2883736
Change-Id: I2c9c573aea9a4fef1699ff6339e8ef628d7f2269
---
src/com/android/email/SecurityPolicy.java | 60 +++++++++++-------
.../android/email/SecurityPolicyTests.java | 55 +++++++++++------
2 files changed, 71 insertions(+), 44 deletions(-)
diff --git a/src/com/android/email/SecurityPolicy.java b/src/com/android/email/SecurityPolicy.java
index 1678db993..047eb9f59 100644
--- a/src/com/android/email/SecurityPolicy.java
+++ b/src/com/android/email/SecurityPolicy.java
@@ -469,31 +469,41 @@ public class SecurityPolicy { public PolicySet(int minPasswordLength, int passwordMode, int maxPasswordFails, int maxScreenLockTime, boolean requireRemoteWipe, int passwordExpiration, int passwordHistory, int passwordComplexChars) throws IllegalArgumentException { - // This value has a hard limit which cannot be supported if exceeded. Setting the - // exceeded value will force isSupported() to return false. - if (minPasswordLength > PASSWORD_LENGTH_MAX) { - throw new IllegalArgumentException("password length"); - } - if ((passwordMode != PASSWORD_MODE_NONE) && (passwordMode != PASSWORD_MODE_SIMPLE) && - (passwordMode != PASSWORD_MODE_STRONG)) { - throw new IllegalArgumentException("password mode"); - } - if (passwordExpiration > PASSWORD_EXPIRATION_MAX) { - throw new IllegalArgumentException("password expiration"); - } - if (passwordHistory > PASSWORD_HISTORY_MAX) { - throw new IllegalArgumentException("password history"); - } - if (passwordComplexChars > PASSWORD_COMPLEX_CHARS_MAX) { - throw new IllegalArgumentException("complex chars"); - } - // This value can be reduced (which actually increases security) if necessary - if (maxPasswordFails > PASSWORD_MAX_FAILS_MAX) { - maxPasswordFails = PASSWORD_MAX_FAILS_MAX; - } - // This value can be reduced (which actually increases security) if necessary - if (maxScreenLockTime > SCREEN_LOCK_TIME_MAX) { - maxScreenLockTime = SCREEN_LOCK_TIME_MAX; + // If we're not enforcing passwords, make sure we clean up related values, since EAS + // can send non-zero values for any or all of these + if (passwordMode == PASSWORD_MODE_NONE) { + maxPasswordFails = 0; + maxScreenLockTime = 0; + minPasswordLength = 0; + passwordComplexChars = 0; + passwordHistory = 0; + passwordExpiration = 0; + } else { + if ((passwordMode != PASSWORD_MODE_SIMPLE) && + (passwordMode != PASSWORD_MODE_STRONG)) { + throw new IllegalArgumentException("password mode"); + } + // The next four values have hard limits which cannot be 
supported if exceeded. + if (minPasswordLength > PASSWORD_LENGTH_MAX) { + throw new IllegalArgumentException("password length"); + } + if (passwordExpiration > PASSWORD_EXPIRATION_MAX) { + throw new IllegalArgumentException("password expiration"); + } + if (passwordHistory > PASSWORD_HISTORY_MAX) { + throw new IllegalArgumentException("password history"); + } + if (passwordComplexChars > PASSWORD_COMPLEX_CHARS_MAX) { + throw new IllegalArgumentException("complex chars"); + } + // This value can be reduced (which actually increases security) if necessary + if (maxPasswordFails > PASSWORD_MAX_FAILS_MAX) { + maxPasswordFails = PASSWORD_MAX_FAILS_MAX; + } + // This value can be reduced (which actually increases security) if necessary + if (maxScreenLockTime > SCREEN_LOCK_TIME_MAX) { + maxScreenLockTime = SCREEN_LOCK_TIME_MAX; + } } mMinPasswordLength = minPasswordLength; mPasswordMode = passwordMode; diff --git a/tests/src/com/android/email/SecurityPolicyTests.java b/tests/src/com/android/email/SecurityPolicyTests.java index 6bcb00929..1b89e024f 100644 --- a/tests/src/com/android/email/SecurityPolicyTests.java +++ b/tests/src/com/android/email/SecurityPolicyTests.java @@ -103,7 +103,7 @@ public class SecurityPolicyTests extends ProviderTestCase2 { // We know that EMPTY_POLICY_SET doesn't generate an Exception or we wouldn't be here // Try some illegal parameters try { - new PolicySet(100, PolicySet.PASSWORD_MODE_NONE, 0, 0, false, 0, 0, 0); + new PolicySet(100, PolicySet.PASSWORD_MODE_SIMPLE, 0, 0, false, 0, 0, 0); fail("Too-long password allowed"); } catch (IllegalArgumentException e) { } 
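Review bot: The checks in the new `else` branch of the `PolicySet` constructor enforce upper bounds only, so a negative `minPasswordLength`, `passwordExpiration`, `passwordHistory` or `passwordComplexChars` is neither rejected nor zeroed and reaches the field assignments that follow. Whether the EAS parser can hand over a negative value is not visible here, but a lower bound next to each limit would close the gap, for example `if (minPasswordLength < 0 || minPasswordLength > PASSWORD_LENGTH_MAX) {`. The two clamped values have the same gap: a negative `maxPasswordFails` or `maxScreenLockTime` skips the clamp. The constructor's Javadoc and the rest of its body lie outside the hunk; the Javadoc should also state that `PASSWORD_MODE_NONE` discards the six password-related arguments instead of validating them.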
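Review bot: The literal `100` in the too-long-password case triggers the exception only while it stays above `PASSWORD_LENGTH_MAX`; writing `new PolicySet(PolicySet.PASSWORD_LENGTH_MAX + 1, PolicySet.PASSWORD_MODE_SIMPLE, 0, 0, false, 0, 0, 0);` ties the test to the limit the way the `SCREEN_LOCK_TIME_MAX + 1` and `PASSWORD_MAX_FAILS_MAX + 1` cases in the next hunk already do. The `999`/`9999` arguments of the new `PASSWORD_MODE_NONE` case in that hunk have the same weakness: the comment calls them illegal, but nothing visible guarantees that each one exceeds its limit. The enclosing test method starts and ends outside this hunk.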
@@ -112,12 +112,23 @@ public class SecurityPolicyTests extends ProviderTestCase2 { fail("Illegal password mode allowed"); } catch (IllegalArgumentException e) { } - PolicySet ps = new PolicySet(0, PolicySet.PASSWORD_MODE_NONE, 0, + PolicySet ps = new PolicySet(0, PolicySet.PASSWORD_MODE_SIMPLE, 0, PolicySet.SCREEN_LOCK_TIME_MAX + 1, false, 0, 0, 0); assertEquals(PolicySet.SCREEN_LOCK_TIME_MAX, ps.getMaxScreenLockTime()); - ps = new PolicySet(0, PolicySet.PASSWORD_MODE_NONE, + ps = new PolicySet(0, PolicySet.PASSWORD_MODE_SIMPLE, PolicySet.PASSWORD_MAX_FAILS_MAX + 1, 0, false, 0, 0, 0); assertEquals(PolicySet.PASSWORD_MAX_FAILS_MAX, ps.getMaxPasswordFails()); + // All password related fields should be zero when password mode is NONE + // Illegal values for these fields should be ignored + ps = new PolicySet(999/*length*/, PolicySet.PASSWORD_MODE_NONE, + 999/*fails*/, 9999/*screenlock*/, false, 999/*expir*/, 999/*history*/, + 999/*complex*/); + assertEquals(0, ps.mMinPasswordLength); + assertEquals(0, ps.mMaxScreenLockTime); + assertEquals(0, ps.mMaxPasswordFails); + assertEquals(0, ps.mPasswordExpiration); + assertEquals(0, ps.mPasswordHistory); + assertEquals(0, ps.mPasswordComplexChars); } /** @@ -177,7 +188,7 @@ public class SecurityPolicyTests extends ProviderTestCase2 { // fail count and lock timer - min logic - will change because smaller #s here // password exp will change (max logic), but history and complex chars will be as before // wipe required - OR logic - will change here because true - PolicySet p5in = new PolicySet(4, PolicySet.PASSWORD_MODE_NONE, 5, 6, true, 6, 0, 0); + PolicySet p5in = new PolicySet(4, PolicySet.PASSWORD_MODE_SIMPLE, 5, 6, true, 6, 0, 0); Account a5 = ProviderTestUtils.setupAccount("sec-5", false, mMockContext); p5in.writeAccount(a5, null, true, mMockContext); PolicySet p5out = sp.computeAggregatePolicy(); 
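Review bot: The new `PASSWORD_MODE_NONE` case passes `false` for `requireRemoteWipe` and never checks `mPasswordMode`, so it does not show that the clean-up stays limited to the six password fields when the server sends out-of-range values together with a wipe requirement. Passing `true` and adding `assertTrue(ps.mRequireRemoteWipe);` and `assertEquals(PolicySet.PASSWORD_MODE_NONE, ps.mPasswordMode);` would pin that. The block also reads the `m…` fields directly while the two assertions just above it use `getMaxScreenLockTime()` and `getMaxPasswordFails()`; using getters where they exist would keep the method consistent. The test method begins outside the hunk.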
@@ -217,9 +228,10 @@ public class SecurityPolicyTests extends ProviderTestCase2 { */ @SmallTest public void testFieldIsolation() { - PolicySet p = new PolicySet(PolicySet.PASSWORD_LENGTH_MAX, 0, 0, 0, false, 0, 0 ,0); + PolicySet p = new PolicySet(PolicySet.PASSWORD_LENGTH_MAX, PolicySet.PASSWORD_MODE_SIMPLE, + 0, 0, false, 0, 0 ,0); + assertEquals(PolicySet.PASSWORD_MODE_SIMPLE, p.mPasswordMode); assertEquals(PolicySet.PASSWORD_LENGTH_MAX, p.mMinPasswordLength); - assertEquals(0, p.mPasswordMode); assertEquals(0, p.mMaxPasswordFails); assertEquals(0, p.mMaxScreenLockTime); assertEquals(0, p.mPasswordExpiration); @@ -228,8 +240,8 @@ public class SecurityPolicyTests extends ProviderTestCase2 { assertFalse(p.mRequireRemoteWipe); p = new PolicySet(0, PolicySet.PASSWORD_MODE_STRONG, 0, 0, false, 0, 0, 0); - assertEquals(0, p.mMinPasswordLength); assertEquals(PolicySet.PASSWORD_MODE_STRONG, p.mPasswordMode); + assertEquals(0, p.mMinPasswordLength); assertEquals(0, p.mMaxPasswordFails); assertEquals(0, p.mMaxScreenLockTime); assertEquals(0, p.mPasswordExpiration); @@ -237,9 +249,10 @@ public class SecurityPolicyTests extends ProviderTestCase2 { assertEquals(0, p.mPasswordComplexChars); assertFalse(p.mRequireRemoteWipe); - p = new PolicySet(0, 0, PolicySet.PASSWORD_MAX_FAILS_MAX, 0, false, 0, 0, 0); + p = new PolicySet(0, PolicySet.PASSWORD_MODE_SIMPLE, PolicySet.PASSWORD_MAX_FAILS_MAX, 0, + false, 0, 0, 0); + assertEquals(PolicySet.PASSWORD_MODE_SIMPLE, p.mPasswordMode); assertEquals(0, p.mMinPasswordLength); - assertEquals(0, p.mPasswordMode); assertEquals(PolicySet.PASSWORD_MAX_FAILS_MAX, p.mMaxPasswordFails); assertEquals(0, p.mMaxScreenLockTime); assertEquals(0, p.mPasswordExpiration); 
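Review bot: Every case in `testFieldIsolation` except the remote-wipe one now passes `PASSWORD_MODE_SIMPLE` where it used to pass `0`, and nothing in the test says why; a reader who switches one back to `PASSWORD_MODE_NONE` gets zeroed fields and a confusing failure. A comment at the top of the method such as `// Use PASSWORD_MODE_SIMPLE throughout: PASSWORD_MODE_NONE zeroes every other password field` would cover this hunk and the later `testFieldIsolation` hunks (`-237`, `-247`, `-267`, `-277`, `-287`). The first rewritten call also carries over the stray space in `0, 0 ,0`. The method continues beyond this hunk.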
@@ -247,9 +260,10 @@ public class SecurityPolicyTests extends ProviderTestCase2 { assertEquals(0, p.mPasswordComplexChars); assertFalse(p.mRequireRemoteWipe); - p = new PolicySet(0, 0, 0, PolicySet.SCREEN_LOCK_TIME_MAX, false, 0, 0, 0); + p = new PolicySet(0, PolicySet.PASSWORD_MODE_SIMPLE, 0, PolicySet.SCREEN_LOCK_TIME_MAX, + false, 0, 0, 0); + assertEquals(PolicySet.PASSWORD_MODE_SIMPLE, p.mPasswordMode); assertEquals(0, p.mMinPasswordLength); - assertEquals(0, p.mPasswordMode); assertEquals(0, p.mMaxPasswordFails); assertEquals(PolicySet.SCREEN_LOCK_TIME_MAX, p.mMaxScreenLockTime); assertEquals(0, p.mPasswordExpiration); @@ -257,9 +271,9 @@ public class SecurityPolicyTests extends ProviderTestCase2 { assertEquals(0, p.mPasswordComplexChars); assertFalse(p.mRequireRemoteWipe); - p = new PolicySet(0, 0, 0, 0, true, 0, 0, 0); + p = new PolicySet(0, PolicySet.PASSWORD_MODE_NONE, 0, 0, true, 0, 0, 0); + assertEquals(PolicySet.PASSWORD_MODE_NONE, p.mPasswordMode); assertEquals(0, p.mMinPasswordLength); - assertEquals(0, p.mPasswordMode); assertEquals(0, p.mMaxPasswordFails); assertEquals(0, p.mMaxScreenLockTime); assertEquals(0, p.mPasswordExpiration); @@ -267,9 +281,10 @@ public class SecurityPolicyTests extends ProviderTestCase2 { assertEquals(0, p.mPasswordComplexChars); assertTrue(p.mRequireRemoteWipe); - p = new PolicySet(0, 0, 0, 0, false, PolicySet.PASSWORD_EXPIRATION_MAX, 0, 0); + p = new PolicySet(0, PolicySet.PASSWORD_MODE_SIMPLE, 0, 0, false, + PolicySet.PASSWORD_EXPIRATION_MAX, 0, 0); + assertEquals(PolicySet.PASSWORD_MODE_SIMPLE, p.mPasswordMode); assertEquals(0, p.mMinPasswordLength); - assertEquals(0, p.mPasswordMode); assertEquals(0, p.mMaxPasswordFails); assertEquals(0, p.mMaxScreenLockTime); assertEquals(PolicySet.PASSWORD_EXPIRATION_MAX, p.mPasswordExpiration); 
@@ -277,9 +292,10 @@ public class SecurityPolicyTests extends ProviderTestCase2 { assertEquals(0, p.mPasswordComplexChars); assertFalse(p.mRequireRemoteWipe); - p = new PolicySet(0, 0, 0, 0, false, 0, PolicySet.PASSWORD_HISTORY_MAX, 0); + p = new PolicySet(0, PolicySet.PASSWORD_MODE_SIMPLE, 0, 0, false, 0, + PolicySet.PASSWORD_HISTORY_MAX, 0); + assertEquals(PolicySet.PASSWORD_MODE_SIMPLE, p.mPasswordMode); assertEquals(0, p.mMinPasswordLength); - assertEquals(0, p.mPasswordMode); assertEquals(0, p.mMaxPasswordFails); assertEquals(0, p.mMaxScreenLockTime); assertEquals(0, p.mPasswordExpiration); @@ -287,9 +303,10 @@ public class SecurityPolicyTests extends ProviderTestCase2 { assertEquals(0, p.mPasswordComplexChars); assertFalse(p.mRequireRemoteWipe); - p = new PolicySet(0, 0, 0, 0, false, 0, 0, PolicySet.PASSWORD_COMPLEX_CHARS_MAX); + p = new PolicySet(0, PolicySet.PASSWORD_MODE_SIMPLE, 0, 0, false, 0, 0, + PolicySet.PASSWORD_COMPLEX_CHARS_MAX); + assertEquals(PolicySet.PASSWORD_MODE_SIMPLE, p.mPasswordMode); assertEquals(0, p.mMinPasswordLength); - assertEquals(0, p.mPasswordMode); assertEquals(0, p.mMaxPasswordFails); assertEquals(0, p.mMaxScreenLockTime); assertEquals(0, p.mPasswordExpiration);