Merge "Copy the remaining policies on migration." into rvc-dev am: c4adf5e87b am: 942034fa4a am: 59b22d2058

Change-Id: Ibd76eed6126143edc237399078efc7fbfe320a10
2020-04-09 17:50:21 +00:00
parent 40ca0fdd64 59b22d2058
commit 7292a984ad
5 changed files with 24 additions and 16 deletions
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -8606,7 +8606,7 @@ public class DevicePolicyManager {
     * <p>
     * This method may be called on the {@code DevicePolicyManager} instance returned from
     * {@link #getParentProfileInstance(ComponentName)}. Note that only a profile owner on
-     * an organization-deviced can affect account types on the parent profile instance.
+     * an organization-owned device can affect account types on the parent profile instance.
     *
     * @return a list of account types for which account management has been disabled.
     *
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -2702,10 +2702,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Slog.i(LOG_TAG, "Clearing the DO...");
        final ComponentName doAdminReceiver = doAdmin.info.getComponent();
        clearDeviceOwnerLocked(doAdmin, doUserId);
-        // TODO(b/143516163): If we have a power cut here, we might leave active admin. Consider if
-        // it is worth the complexity to make it more robust.
        Slog.i(LOG_TAG, "Removing admin artifacts...");
-        // TODO(b/143516163): Clean up application restrictions in UserManager.
+        // TODO(b/149075700): Clean up application restrictions in UserManager.
        removeAdminArtifacts(doAdminReceiver, doUserId);
        Slog.i(LOG_TAG, "Migration complete.");

@@ -2747,18 +2745,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {

        // The following policies weren't available to PO, but will be available after migration.
        parentAdmin.disableCamera = doAdmin.disableCamera;
-
        parentAdmin.requireAutoTime = doAdmin.requireAutoTime;
-
-        // TODO(b/143516163): Uncomment once corresponding APIs are available via parent instance.
-        // parentAdmin.disableScreenCapture = doAdmin.disableScreenCapture;
-        // parentAdmin.accountTypesWithManagementDisabled.addAll(
-        //         doAdmin.accountTypesWithManagementDisabled);
+        parentAdmin.disableScreenCapture = doAdmin.disableScreenCapture;
+        parentAdmin.accountTypesWithManagementDisabled.addAll(
+                doAdmin.accountTypesWithManagementDisabled);

        moveDoUserRestrictionsToCopeParent(doAdmin, parentAdmin);
-
-        // TODO(b/143516163): migrate network and security logging state, currently they are
-        // turned off when DO is removed.
    }

    private void moveDoUserRestrictionsToCopeParent(ActiveAdmin doAdmin, ActiveAdmin parentAdmin) {
@@ -2778,7 +2770,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
     * a managed profile.
     */
    @GuardedBy("getLockObject()")
-    void applyManagedProfileRestrictionIfDeviceOwnerLocked() {
+    private void applyManagedProfileRestrictionIfDeviceOwnerLocked() {
        final int doUserId = mOwners.getDeviceOwnerUserId();
        if (doUserId == UserHandle.USER_NULL) {
            logIfVerbose("No DO found, skipping application of restriction.");
@@ -4002,11 +3994,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                mOwners.systemReady();
                break;
            case SystemService.PHASE_ACTIVITY_MANAGER_READY:
-                maybeStartSecurityLogMonitorOnActivityManagerReady();
                synchronized (getLockObject()) {
                    migrateToProfileOnOrganizationOwnedDeviceIfCompLocked();
                    applyManagedProfileRestrictionIfDeviceOwnerLocked();
                }
+                maybeStartSecurityLogMonitorOnActivityManagerReady();
                final int userId = getManagedUserId(UserHandle.USER_SYSTEM);
                if (userId >= 0) {
                    updatePersonalAppSuspension(userId, false /* running */);
--- a/services/tests/servicestests/res/raw/comp_policies_primary.xml
+++ b/services/tests/servicestests/res/raw/comp_policies_primary.xml
@@ -5,5 +5,9 @@
        <password-history-length value="33" />
        <require_auto_time value="true" />
        <user-restrictions no_bluetooth="true" />
+        <disable-screen-capture value="true" />
+        <disable-account-management>
+            <account-type value="com.google-primary" />
+        </disable-account-management>
    </admin>
 </policies>
--- a/services/tests/servicestests/res/raw/comp_policies_profile_same_package.xml
+++ b/services/tests/servicestests/res/raw/comp_policies_profile_same_package.xml
@@ -2,5 +2,8 @@
 <policies setup-complete="true" provisioning-state="3">
    <admin name="com.android.frameworks.servicestests/com.android.server.devicepolicy.DummyDeviceAdmins$Admin1">
        <policies flags="991"/>
+        <disable-account-management>
+            <account-type value="com.google-profile" />
+        </disable-account-management>
    </admin>
 </policies>
--- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerServiceMigrationTest.java
+++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerServiceMigrationTest.java
@@ -19,6 +19,7 @@ import static android.os.UserHandle.USER_SYSTEM;

 import static com.android.server.devicepolicy.DpmTestUtils.writeInputStreamToFile;

+import static org.junit.Assert.assertArrayEquals;
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.anyInt;
 import static org.mockito.Matchers.eq;
@@ -378,6 +379,15 @@ public class DevicePolicyManagerServiceMigrationTest extends DpmTestBase {
                    33, dpm.getParentProfileInstance(admin1).getPasswordHistoryLength(admin1));
            assertEquals("Password history policy was put into non-parent PO instance",
                    0, dpm.getPasswordHistoryLength(admin1));
+            assertTrue("Screen capture restriction wasn't migrated to PO parent instance",
+                    dpm.getParentProfileInstance(admin1).getScreenCaptureDisabled(admin1));
+
+            assertArrayEquals("Accounts with management disabled weren't migrated to PO parent",
+                    new String[] {"com.google-primary"},
+                    dpm.getParentProfileInstance(admin1).getAccountTypesWithManagementDisabled());
+            assertArrayEquals("Accounts with management disabled for profile were lost",
+                    new String[] {"com.google-profile"},
+                    dpm.getAccountTypesWithManagementDisabled());

            assertTrue("User restriction wasn't migrated to PO parent instance",
                    dpm.getParentProfileInstance(admin1).getUserRestrictions(admin1)
@@ -394,7 +404,6 @@ public class DevicePolicyManagerServiceMigrationTest extends DpmTestBase {
                    dpms.getProfileOwnerAdminLocked(COPE_PROFILE_USER_ID)
                            .getEffectiveRestrictions()
                            .containsKey(UserManager.DISALLOW_CONFIG_DATE_TIME));
-            // TODO(b/143516163): verify more policies.
        });
    }