Merge changes I982543cd,I41c3bf6c,Id3e5f6e1 am: 86d837da am: e5334a1b am: 487c7453

     */

     */

    public static final int ID_NONE = -1;

    public static final int ID_NONE = -1;

    /**

     * A hardcoded ID for NetworkAgents representing VPNs. These agents are not created by any

     * provider, so they use this constant for clarity instead of NONE.

     * @hide only used by ConnectivityService.

     */

    public static final int ID_VPN = -2;

    /**

    /**

     * The first providerId value that will be allocated.

     * The first providerId value that will be allocated.

     * @hide only used by ConnectivityService.

     * @hide only used by ConnectivityService.

        }

        }

    }

    }

    private void onUserStart(int userId) {

    private void onUserStarted(int userId) {

        synchronized (mVpns) {

        synchronized (mVpns) {

            Vpn userVpn = mVpns.get(userId);

            Vpn userVpn = mVpns.get(userId);

            if (userVpn != null) {

            if (userVpn != null) {

        }

        }

    }

    }

    private void onUserStop(int userId) {

    private void onUserStopped(int userId) {

        synchronized (mVpns) {

        synchronized (mVpns) {

            Vpn userVpn = mVpns.get(userId);

            Vpn userVpn = mVpns.get(userId);

            if (userVpn == null) {

            if (userVpn == null) {

            if (userId == UserHandle.USER_NULL) return;

            if (userId == UserHandle.USER_NULL) return;

            if (Intent.ACTION_USER_STARTED.equals(action)) {

            if (Intent.ACTION_USER_STARTED.equals(action)) {

                onUserStart(userId);

                onUserStarted(userId);

            } else if (Intent.ACTION_USER_STOPPED.equals(action)) {

            } else if (Intent.ACTION_USER_STOPPED.equals(action)) {

                onUserStop(userId);

                onUserStopped(userId);

            } else if (Intent.ACTION_USER_ADDED.equals(action)) {

            } else if (Intent.ACTION_USER_ADDED.equals(action)) {

                onUserAdded(userId);

                onUserAdded(userId);

            } else if (Intent.ACTION_USER_REMOVED.equals(action)) {

            } else if (Intent.ACTION_USER_REMOVED.equals(action)) {

import java.io.IOException;

import java.io.IOException;

import java.io.InputStream;

import java.io.InputStream;

import java.io.OutputStream;

import java.io.OutputStream;

import java.math.BigInteger;

import java.net.Inet4Address;

import java.net.Inet4Address;

import java.net.Inet6Address;

import java.net.Inet6Address;

import java.net.InetAddress;

import java.net.InetAddress;

public class Vpn {

public class Vpn {

    private static final String NETWORKTYPE = "VPN";

    private static final String NETWORKTYPE = "VPN";

    private static final String TAG = "Vpn";

    private static final String TAG = "Vpn";

    private static final String VPN_PROVIDER_NAME_BASE = "VpnNetworkProvider:";

    private static final boolean LOGD = true;

    private static final boolean LOGD = true;

    // Length of time (in milliseconds) that an app hosting an always-on VPN is placed on

    // Length of time (in milliseconds) that an app hosting an always-on VPN is placed on

    // the device idle allowlist during service launch and VPN bootstrap.

    // the device idle allowlist during service launch and VPN bootstrap.

    private static final long VPN_LAUNCH_IDLE_ALLOWLIST_DURATION_MS = 60 * 1000;

    private static final long VPN_LAUNCH_IDLE_ALLOWLIST_DURATION_MS = 60 * 1000;

    // Settings for how much of the address space should be routed so that Vpn considers

    // "most" of the address space is routed. This is used to determine whether this Vpn

    // should be marked with the INTERNET capability.

    private static final long MOST_IPV4_ADDRESSES_COUNT;

    private static final BigInteger MOST_IPV6_ADDRESSES_COUNT;

    static {

        // 85% of the address space must be routed for Vpn to consider this VPN to provide

        // INTERNET access.

        final int howManyPercentIsMost = 85;

        final long twoPower32 = 1L << 32;

        MOST_IPV4_ADDRESSES_COUNT = twoPower32 * howManyPercentIsMost / 100;

        final BigInteger twoPower128 = BigInteger.ONE.shiftLeft(128);

        MOST_IPV6_ADDRESSES_COUNT = twoPower128

                .multiply(BigInteger.valueOf(howManyPercentIsMost))

                .divide(BigInteger.valueOf(100));

    }

    // How many routes to evaluate before bailing and declaring this Vpn should provide

    // the INTERNET capability. This is necessary because computing the address space is

    // O(n²) and this is running in the system service, so a limit is needed to alleviate

    // the risk of attack.

    // This is taken as a total of IPv4 + IPV6 routes for simplicity, but the algorithm

    // is actually O(n²)+O(n²).

    private static final int MAX_ROUTES_TO_EVALUATE = 150;

    private static final String LOCKDOWN_ALLOWLIST_SETTING_NAME =

    private static final String LOCKDOWN_ALLOWLIST_SETTING_NAME =

            Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN_WHITELIST;

            Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN_WHITELIST;

    /**

    /**

    // automated reconnection

    // automated reconnection

    private final Context mContext;

    private final Context mContext;

    private final ConnectivityManager mConnectivityManager;

    // The context is for specific user which is created from mUserId

    // The context is for specific user which is created from mUserId

    private final Context mUserIdContext;

    private final Context mUserIdContext;

    @VisibleForTesting final Dependencies mDeps;

    @VisibleForTesting final Dependencies mDeps;

    private final INetworkManagementService mNetd;

    private final INetworkManagementService mNetd;

    @VisibleForTesting

    @VisibleForTesting

    protected VpnConfig mConfig;

    protected VpnConfig mConfig;

    private final NetworkProvider mNetworkProvider;

    @VisibleForTesting

    @VisibleForTesting

    protected NetworkAgent mNetworkAgent;

    protected NetworkAgent mNetworkAgent;

    private final Looper mLooper;

    private final Looper mLooper;

            int userId, @NonNull KeyStore keyStore, SystemServices systemServices,

            int userId, @NonNull KeyStore keyStore, SystemServices systemServices,

            Ikev2SessionCreator ikev2SessionCreator) {

            Ikev2SessionCreator ikev2SessionCreator) {

        mContext = context;

        mContext = context;

        mConnectivityManager = mContext.getSystemService(ConnectivityManager.class);

        mUserIdContext = context.createContextAsUser(UserHandle.of(userId), 0 /* flags */);

        mUserIdContext = context.createContextAsUser(UserHandle.of(userId), 0 /* flags */);

        mDeps = deps;

        mDeps = deps;

        mNetd = netService;

        mNetd = netService;

            Log.wtf(TAG, "Problem registering observer", e);

            Log.wtf(TAG, "Problem registering observer", e);

        }

        }

        mNetworkProvider = new NetworkProvider(context, looper, VPN_PROVIDER_NAME_BASE + mUserId);

        // This constructor is called in onUserStart and registers the provider. The provider

        // will be unregistered in onUserStop.

        mConnectivityManager.registerNetworkProvider(mNetworkProvider);

        mLegacyState = LegacyVpnInfo.STATE_DISCONNECTED;

        mLegacyState = LegacyVpnInfo.STATE_DISCONNECTED;

        mNetworkInfo = new NetworkInfo(ConnectivityManager.TYPE_VPN, 0 /* subtype */, NETWORKTYPE,

        mNetworkInfo = new NetworkInfo(ConnectivityManager.TYPE_VPN, 0 /* subtype */, NETWORKTYPE,

                "" /* subtypeName */);

                "" /* subtypeName */);

     * Update current state, dispatching event to listeners.

     * Update current state, dispatching event to listeners.

     */

     */

    @VisibleForTesting

    @VisibleForTesting

    @GuardedBy("this")

    protected void updateState(DetailedState detailedState, String reason) {

    protected void updateState(DetailedState detailedState, String reason) {

        if (LOGD) Log.d(TAG, "setting state=" + detailedState + ", reason=" + reason);

        if (LOGD) Log.d(TAG, "setting state=" + detailedState + ", reason=" + reason);

        mLegacyState = LegacyVpnInfo.stateFromNetworkInfo(detailedState);

        mLegacyState = LegacyVpnInfo.stateFromNetworkInfo(detailedState);

        mNetworkInfo.setDetailedState(detailedState, reason, null);

        mNetworkInfo.setDetailedState(detailedState, reason, null);

        if (mNetworkAgent != null) {

        // TODO : only accept transitions when the agent is in the correct state (non-null for

            mNetworkAgent.sendNetworkInfo(mNetworkInfo);

        // CONNECTED, DISCONNECTED and FAILED, null for CONNECTED).

        // This will require a way for tests to pretend the VPN is connected that's not

        // calling this method with CONNECTED.

        // It will also require audit of where the code calls this method with DISCONNECTED

        // with a null agent, which it was doing historically to make sure the agent is

        // disconnected as this was a no-op if the agent was null.

        switch (detailedState) {

            case CONNECTED:

                if (null != mNetworkAgent) {

                    mNetworkAgent.markConnected();

                }

                break;

            case DISCONNECTED:

            case FAILED:

                if (null != mNetworkAgent) {

                    mNetworkAgent.unregister();

                    mNetworkAgent = null;

                }

                break;

            case CONNECTING:

                if (null != mNetworkAgent) {

                    throw new IllegalStateException("VPN can only go to CONNECTING state when"

                            + " the agent is null.");

                }

                break;

            default:

                throw new IllegalArgumentException("Illegal state argument " + detailedState);

        }

        }

        updateAlwaysOnNotification(detailedState);

        updateAlwaysOnNotification(detailedState);

    }

    }

        final boolean isAlwaysMetered = mIsPackageTargetingAtLeastQ && mConfig.isMetered;

        final boolean isAlwaysMetered = mIsPackageTargetingAtLeastQ && mConfig.isMetered;

        applyUnderlyingCapabilities(

        applyUnderlyingCapabilities(

                mContext.getSystemService(ConnectivityManager.class),

                mConnectivityManager,

                underlyingNetworks,

                underlyingNetworks,

                mNetworkCapabilities,

                mNetworkCapabilities,

                isAlwaysMetered);

                isAlwaysMetered);

    @VisibleForTesting

    @VisibleForTesting

    public static void applyUnderlyingCapabilities(

    public static void applyUnderlyingCapabilities(

            ConnectivityManager cm,

            @NonNull final ConnectivityManager cm,

            Network[] underlyingNetworks,

            @Nullable final Network[] underlyingNetworks,

            NetworkCapabilities caps,

            @NonNull final NetworkCapabilities caps,

            boolean isAlwaysMetered) {

            final boolean isAlwaysMetered) {

        int[] transportTypes = new int[] { NetworkCapabilities.TRANSPORT_VPN };

        int[] transportTypes = new int[] { NetworkCapabilities.TRANSPORT_VPN };

        int downKbps = NetworkCapabilities.LINK_BANDWIDTH_UNSPECIFIED;

        int downKbps = NetworkCapabilities.LINK_BANDWIDTH_UNSPECIFIED;

        int upKbps = NetworkCapabilities.LINK_BANDWIDTH_UNSPECIFIED;

        int upKbps = NetworkCapabilities.LINK_BANDWIDTH_UNSPECIFIED;

            }

            }

            mConfig = null;

            mConfig = null;

            updateState(DetailedState.IDLE, "prepare");

            updateState(DetailedState.DISCONNECTED, "prepare");

            setVpnForcedLocked(mLockdown);

            setVpnForcedLocked(mLockdown);

        } finally {

        } finally {

            Binder.restoreCallingIdentity(token);

            Binder.restoreCallingIdentity(token);

        mNetworkCapabilities.addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET);

        mNetworkCapabilities.addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET);

        mLegacyState = LegacyVpnInfo.STATE_CONNECTING;

        mLegacyState = LegacyVpnInfo.STATE_CONNECTING;

        mNetworkInfo.setDetailedState(DetailedState.CONNECTING, null, null);

        updateState(DetailedState.CONNECTING, "agentConnect");

        NetworkAgentConfig networkAgentConfig = new NetworkAgentConfig();

        NetworkAgentConfig networkAgentConfig = new NetworkAgentConfig();

        networkAgentConfig.allowBypass = mConfig.allowBypass && !mLockdown;

        networkAgentConfig.allowBypass = mConfig.allowBypass && !mLockdown;

            mNetworkCapabilities.addCapability(NET_CAPABILITY_NOT_METERED);

            mNetworkCapabilities.addCapability(NET_CAPABILITY_NOT_METERED);

        }

        }

        final long token = Binder.clearCallingIdentity();

        mNetworkAgent = new NetworkAgent(mContext, mLooper, NETWORKTYPE /* logtag */,

        try {

                mNetworkCapabilities, lp,

            mNetworkAgent = new NetworkAgent(mLooper, mContext, NETWORKTYPE /* logtag */,

                ConnectivityConstants.VPN_DEFAULT_SCORE, networkAgentConfig, mNetworkProvider) {

                    mNetworkInfo, mNetworkCapabilities, lp,

                    ConnectivityConstants.VPN_DEFAULT_SCORE, networkAgentConfig,

                    NetworkProvider.ID_VPN) {

            @Override

            @Override

            public void unwanted() {

            public void unwanted() {

                // We are user controlled, not driven by NetworkRequest.

                // We are user controlled, not driven by NetworkRequest.

            }

            }

        };

        };

        } finally {

        Binder.withCleanCallingIdentity(() -> {

            Binder.restoreCallingIdentity(token);

            try {

                mNetworkAgent.register();

            } catch (final Exception e) {

                // If register() throws, don't keep an unregistered agent.

                mNetworkAgent = null;

                throw e;

            }

            }

        });

        mNetworkAgent.setUnderlyingNetworks((mConfig.underlyingNetworks != null)

        mNetworkAgent.setUnderlyingNetworks((mConfig.underlyingNetworks != null)

                ? Arrays.asList(mConfig.underlyingNetworks) : null);

                ? Arrays.asList(mConfig.underlyingNetworks) : null);

        mNetworkInfo.setIsAvailable(true);

        mNetworkInfo.setIsAvailable(true);

    private void agentDisconnect(NetworkAgent networkAgent) {

    private void agentDisconnect(NetworkAgent networkAgent) {

        if (networkAgent != null) {

        if (networkAgent != null) {

            NetworkInfo networkInfo = new NetworkInfo(mNetworkInfo);

            networkAgent.unregister();

            networkInfo.setIsAvailable(false);

            networkInfo.setDetailedState(DetailedState.DISCONNECTED, null, null);

            networkAgent.sendNetworkInfo(networkInfo);

        }

        }

    }

    }

    private void agentDisconnect() {

    private void agentDisconnect() {

        if (mNetworkInfo.isConnected()) {

            mNetworkInfo.setIsAvailable(false);

        updateState(DetailedState.DISCONNECTED, "agentDisconnect");

        updateState(DetailedState.DISCONNECTED, "agentDisconnect");

            mNetworkAgent = null;

        }

    }

    }

    /**

    /**

                    && updateLinkPropertiesInPlaceIfPossible(mNetworkAgent, oldConfig)) {

                    && updateLinkPropertiesInPlaceIfPossible(mNetworkAgent, oldConfig)) {

                // Keep mNetworkAgent unchanged

                // Keep mNetworkAgent unchanged

            } else {

            } else {

                // Initialize the state for a new agent, while keeping the old one connected

                // in case this new connection fails.

                mNetworkAgent = null;

                mNetworkAgent = null;

                updateState(DetailedState.CONNECTING, "establish");

                updateState(DetailedState.CONNECTING, "establish");

                // Set up forwarding and DNS rules.

                // Set up forwarding and DNS rules.

        // Quit any active connections

        // Quit any active connections

        agentDisconnect();

        agentDisconnect();

        // The provider has been registered in the constructor, which is called in onUserStart.

        mConnectivityManager.unregisterNetworkProvider(mNetworkProvider);

    }

    }

    /**

    /**

            // When restricted to test networks, select any network with TRANSPORT_TEST. Since the

            // When restricted to test networks, select any network with TRANSPORT_TEST. Since the

            // creator of the profile and the test network creator both have MANAGE_TEST_NETWORKS,

            // creator of the profile and the test network creator both have MANAGE_TEST_NETWORKS,

            // this is considered safe.

            // this is considered safe.

            final ConnectivityManager cm = ConnectivityManager.from(mContext);

            final NetworkRequest req;

            final NetworkRequest req;

            if (mProfile.isRestrictedToTestNetworks()) {

            if (mProfile.isRestrictedToTestNetworks()) {

                        .build();

                        .build();

            }

            }

            cm.requestNetwork(req, mNetworkCallback);

            mConnectivityManager.requestNetwork(req, mNetworkCallback);

        }

        }

        private boolean isActiveNetwork(@Nullable Network network) {

        private boolean isActiveNetwork(@Nullable Network network) {

            resetIkeState();

            resetIkeState();

            final ConnectivityManager cm = ConnectivityManager.from(mContext);

            mConnectivityManager.unregisterNetworkCallback(mNetworkCallback);

            cm.unregisterNetworkCallback(mNetworkCallback);

            mExecutor.shutdown();

            mExecutor.shutdown();

        }

        }

            mProfile = profile;

            mProfile = profile;

            if (!TextUtils.isEmpty(mOuterInterface)) {

            if (!TextUtils.isEmpty(mOuterInterface)) {

                final ConnectivityManager cm = ConnectivityManager.from(mContext);

                for (Network network : mConnectivityManager.getAllNetworks()) {

                for (Network network : cm.getAllNetworks()) {

                    final LinkProperties lp = mConnectivityManager.getLinkProperties(network);

                    final LinkProperties lp = cm.getLinkProperties(network);

                    if (lp != null && lp.getAllInterfaceNames().contains(mOuterInterface)) {

                    if (lp != null && lp.getAllInterfaceNames().contains(mOuterInterface)) {

                        final NetworkInfo networkInfo = cm.getNetworkInfo(network);

                        final NetworkInfo netInfo = mConnectivityManager.getNetworkInfo(network);

                        if (networkInfo != null) {

                        if (netInfo != null) {

                            mOuterConnection.set(networkInfo.getType());

                            mOuterConnection.set(netInfo.getType());

                            break;

                            break;

                        }

                        }

                    }

                    }

            mMockNetworkAgent = new TestNetworkAgentWrapper(TRANSPORT_VPN, lp,

            mMockNetworkAgent = new TestNetworkAgentWrapper(TRANSPORT_VPN, lp,

                    mNetworkCapabilities);

                    mNetworkCapabilities);

            mMockNetworkAgent.waitForIdle(TIMEOUT_MS);

            mMockNetworkAgent.waitForIdle(TIMEOUT_MS);

            verify(mNetworkManagementService, times(1))

                    .addVpnUidRanges(eq(mMockVpn.getNetId()), eq(uids.toArray(new UidRange[0])));

            verify(mNetworkManagementService, never())

                    .removeVpnUidRanges(eq(mMockVpn.getNetId()), any());

            mAgentRegistered = true;

            mAgentRegistered = true;

            mNetworkCapabilities.set(mMockNetworkAgent.getNetworkCapabilities());

            mNetworkCapabilities.set(mMockNetworkAgent.getNetworkCapabilities());

            mNetworkAgent = mMockNetworkAgent.getNetworkAgent();

            mNetworkAgent = mMockNetworkAgent.getNetworkAgent();

        final Set<UidRange> vpnRange = Collections.singleton(UidRange.createForUser(VPN_USER));

        final Set<UidRange> vpnRange = Collections.singleton(UidRange.createForUser(VPN_USER));

        mMockVpn.establish(lp, VPN_UID, vpnRange);

        mMockVpn.establish(lp, VPN_UID, vpnRange);

        // Connected VPN should have interface rules set up. There are two expected invocations,

        // A connected VPN should have interface rules set up. There are two expected invocations,

        // one during VPN uid update, one during VPN LinkProperties update

        // one during the VPN initial connection, one during the VPN LinkProperties update.

        ArgumentCaptor<int[]> uidCaptor = ArgumentCaptor.forClass(int[].class);

        ArgumentCaptor<int[]> uidCaptor = ArgumentCaptor.forClass(int[].class);

        verify(mMockNetd, times(2)).firewallAddUidInterfaceRules(eq("tun0"), uidCaptor.capture());

        verify(mMockNetd, times(2)).firewallAddUidInterfaceRules(eq("tun0"), uidCaptor.capture());

        assertContainsExactly(uidCaptor.getAllValues().get(0), APP1_UID, APP2_UID);

        assertContainsExactly(uidCaptor.getAllValues().get(0), APP1_UID, APP2_UID);

import static org.mockito.ArgumentMatchers.anyBoolean;

import static org.mockito.ArgumentMatchers.anyBoolean;

import static org.mockito.ArgumentMatchers.anyInt;

import static org.mockito.ArgumentMatchers.anyInt;

import static org.mockito.ArgumentMatchers.anyString;

import static org.mockito.ArgumentMatchers.anyString;

import static org.mockito.ArgumentMatchers.argThat;

import static org.mockito.ArgumentMatchers.eq;

import static org.mockito.ArgumentMatchers.eq;

import static org.mockito.Mockito.atLeastOnce;

import static org.mockito.Mockito.atLeastOnce;

import static org.mockito.Mockito.doAnswer;

import static org.mockito.Mockito.doAnswer;

import android.os.Bundle;

import android.os.Bundle;

import android.os.ConditionVariable;

import android.os.ConditionVariable;

import android.os.INetworkManagementService;

import android.os.INetworkManagementService;

import android.os.Looper;

import android.os.Process;

import android.os.Process;

import android.os.UserHandle;

import android.os.UserHandle;

import android.os.UserManager;

import android.os.UserManager;

import android.os.test.TestLooper;

import android.provider.Settings;

import android.provider.Settings;

import android.security.Credentials;

import android.security.Credentials;

import android.security.KeyStore;

import android.security.KeyStore;

import androidx.test.runner.AndroidJUnit4;

import androidx.test.runner.AndroidJUnit4;

import com.android.internal.R;

import com.android.internal.R;

import com.android.internal.net.LegacyVpnInfo;

import com.android.internal.net.VpnConfig;

import com.android.internal.net.VpnConfig;

import com.android.internal.net.VpnProfile;

import com.android.internal.net.VpnProfile;

import com.android.server.IpSecService;

import com.android.server.IpSecService;

                .thenReturn(mNotificationManager);

                .thenReturn(mNotificationManager);

        when(mContext.getSystemService(eq(Context.CONNECTIVITY_SERVICE)))

        when(mContext.getSystemService(eq(Context.CONNECTIVITY_SERVICE)))

                .thenReturn(mConnectivityManager);

                .thenReturn(mConnectivityManager);

        when(mContext.getSystemServiceName(eq(ConnectivityManager.class)))

                .thenReturn(Context.CONNECTIVITY_SERVICE);

        when(mContext.getSystemService(eq(Context.IPSEC_SERVICE))).thenReturn(mIpSecManager);

        when(mContext.getSystemService(eq(Context.IPSEC_SERVICE))).thenReturn(mIpSecManager);

        when(mContext.getString(R.string.config_customVpnAlwaysOnDisconnectedDialogComponent))

        when(mContext.getString(R.string.config_customVpnAlwaysOnDisconnectedDialogComponent))

                .thenReturn(Resources.getSystem().getString(

                .thenReturn(Resources.getSystem().getString(

    }

    }

    @Test

    @Test

    public void testNotificationShownForAlwaysOnApp() {

    public void testNotificationShownForAlwaysOnApp() throws Exception {

        final UserHandle userHandle = UserHandle.of(primaryUser.id);

        final UserHandle userHandle = UserHandle.of(primaryUser.id);

        final Vpn vpn = createVpn(primaryUser.id);

        final Vpn vpn = createVpn(primaryUser.id);

        setMockedUsers(primaryUser);

        setMockedUsers(primaryUser);

    @Test

    @Test

    public void testCapabilities() {

    public void testCapabilities() {

        final Vpn vpn = createVpn(primaryUser.id);

        setMockedUsers(primaryUser);

        setMockedUsers(primaryUser);

        final Network mobile = new Network(1);

        final Network mobile = new Network(1);

        when(exception.getErrorType())

        when(exception.getErrorType())

                .thenReturn(IkeProtocolException.ERROR_TYPE_AUTHENTICATION_FAILED);

                .thenReturn(IkeProtocolException.ERROR_TYPE_AUTHENTICATION_FAILED);

        final Vpn vpn = startLegacyVpn(mVpnProfile);

        final Vpn vpn = startLegacyVpn(createVpn(primaryUser.id), (mVpnProfile));

        final NetworkCallback cb = triggerOnAvailableAndGetCallback();

        final NetworkCallback cb = triggerOnAvailableAndGetCallback();

        // Wait for createIkeSession() to be called before proceeding in order to ensure consistent

        // Wait for createIkeSession() to be called before proceeding in order to ensure consistent

        ikeCb.onClosedExceptionally(exception);

        ikeCb.onClosedExceptionally(exception);

        verify(mConnectivityManager, timeout(TEST_TIMEOUT_MS)).unregisterNetworkCallback(eq(cb));

        verify(mConnectivityManager, timeout(TEST_TIMEOUT_MS)).unregisterNetworkCallback(eq(cb));

        assertEquals(DetailedState.FAILED, vpn.getNetworkInfo().getDetailedState());

        assertEquals(LegacyVpnInfo.STATE_FAILED, vpn.getLegacyVpnInfo().state);

    }

    }

    @Test

    @Test

    public void testStartPlatformVpnIllegalArgumentExceptionInSetup() throws Exception {

    public void testStartPlatformVpnIllegalArgumentExceptionInSetup() throws Exception {

        when(mIkev2SessionCreator.createIkeSession(any(), any(), any(), any(), any(), any()))

        when(mIkev2SessionCreator.createIkeSession(any(), any(), any(), any(), any(), any()))

                .thenThrow(new IllegalArgumentException());

                .thenThrow(new IllegalArgumentException());

        final Vpn vpn = startLegacyVpn(mVpnProfile);

        final Vpn vpn = startLegacyVpn(createVpn(primaryUser.id), mVpnProfile);

        final NetworkCallback cb = triggerOnAvailableAndGetCallback();

        final NetworkCallback cb = triggerOnAvailableAndGetCallback();

        // Wait for createIkeSession() to be called before proceeding in order to ensure consistent

        // Wait for createIkeSession() to be called before proceeding in order to ensure consistent

        // state

        // state

        verify(mConnectivityManager, timeout(TEST_TIMEOUT_MS)).unregisterNetworkCallback(eq(cb));

        verify(mConnectivityManager, timeout(TEST_TIMEOUT_MS)).unregisterNetworkCallback(eq(cb));

        assertEquals(DetailedState.FAILED, vpn.getNetworkInfo().getDetailedState());

        assertEquals(LegacyVpnInfo.STATE_FAILED, vpn.getLegacyVpnInfo().state);

    }

    }

    private void setAndVerifyAlwaysOnPackage(Vpn vpn, int uid, boolean lockdownEnabled) {

    private void setAndVerifyAlwaysOnPackage(Vpn vpn, int uid, boolean lockdownEnabled) {

        // a subsequent CL.

        // a subsequent CL.

    }

    }

    public Vpn startLegacyVpn(final VpnProfile vpnProfile) throws Exception {

    private Vpn startLegacyVpn(final Vpn vpn, final VpnProfile vpnProfile) throws Exception {

        final Vpn vpn = createVpn(primaryUser.id);

        setMockedUsers(primaryUser);

        setMockedUsers(primaryUser);

        // Dummy egress interface

        // Dummy egress interface

    @Test

    @Test

    public void testStartPlatformVpn() throws Exception {

    public void testStartPlatformVpn() throws Exception {

        startLegacyVpn(mVpnProfile);

        startLegacyVpn(createVpn(primaryUser.id), mVpnProfile);

        // TODO: Test the Ikev2VpnRunner started up properly. Relies on utility methods added in