Merge "Default to not allowing cleartext traffic for ephemeral apps"

    private final int mApplicationInfoFlags;

    private final int mApplicationInfoFlags;

    private final int mTargetSdkVersion;

    private final int mTargetSdkVersion;

    private final int mConfigResourceId;

    private final int mConfigResourceId;

    private final boolean mEphemeralApp;

    private ConfigSource mConfigSource;

    private ConfigSource mConfigSource;

        mApplicationInfoFlags = info.flags;

        mApplicationInfoFlags = info.flags;

        mTargetSdkVersion = info.targetSdkVersion;

        mTargetSdkVersion = info.targetSdkVersion;

        mConfigResourceId = info.networkSecurityConfigRes;

        mConfigResourceId = info.networkSecurityConfigRes;

        mEphemeralApp = info.isEphemeralApp();

    }

    }

    @Override

    @Override

                            + " debugBuild: " + debugBuild);

                            + " debugBuild: " + debugBuild);

                }

                }

                source = new XmlConfigSource(mContext, mConfigResourceId, debugBuild,

                source = new XmlConfigSource(mContext, mConfigResourceId, debugBuild,

                        mTargetSdkVersion);

                        mTargetSdkVersion, mEphemeralApp);

            } else {

            } else {

                if (DBG) {

                if (DBG) {

                    Log.d(LOG_TAG, "No Network Security Config specified, using platform default");

                    Log.d(LOG_TAG, "No Network Security Config specified, using platform default");

                }

                }

                // the legacy FLAG_USES_CLEARTEXT_TRAFFIC is not supported for Ephemeral apps, they

                // should use the network security config.

                boolean usesCleartextTraffic =

                boolean usesCleartextTraffic =

                        (mApplicationInfoFlags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0;

                        (mApplicationInfoFlags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0

                source = new DefaultConfigSource(usesCleartextTraffic, mTargetSdkVersion);

                        && !mEphemeralApp;

                source = new DefaultConfigSource(usesCleartextTraffic, mTargetSdkVersion,

                        mEphemeralApp);

            }

            }

            mConfigSource = source;

            mConfigSource = source;

            return mConfigSource;

            return mConfigSource;

        private final NetworkSecurityConfig mDefaultConfig;

        private final NetworkSecurityConfig mDefaultConfig;

        public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion) {

        public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion,

            mDefaultConfig = NetworkSecurityConfig.getDefaultBuilder(targetSdkVersion)

                boolean ephemeralApp) {

            mDefaultConfig = NetworkSecurityConfig.getDefaultBuilder(targetSdkVersion,

                    ephemeralApp)

                    .setCleartextTrafficPermitted(usesCleartextTraffic)

                    .setCleartextTrafficPermitted(usesCleartextTraffic)

                    .build();

                    .build();

        }

        }

     * <p>

     * <p>

     * The default configuration has the following properties:

     * The default configuration has the following properties:

     * <ol>

     * <ol>

     * <li>Cleartext traffic is permitted.</li>

     * <li>Cleartext traffic is permitted for non-ephemeral apps.</li>

     * <li>Cleartext traffic is not permitted for ephemeral apps.</li>

     * <li>HSTS is not enforced.</li>

     * <li>HSTS is not enforced.</li>

     * <li>No certificate pinning is used.</li>

     * <li>No certificate pinning is used.</li>

     * <li>The system certificate store is trusted for connections.</li>

     * <li>The system certificate store is trusted for connections.</li>

     *

     *

     * @hide

     * @hide

     */

     */

    public static final Builder getDefaultBuilder(int targetSdkVersion) {

    public static final Builder getDefaultBuilder(int targetSdkVersion, boolean ephemeralApp) {

        Builder builder = new Builder()

        Builder builder = new Builder()

                .setCleartextTrafficPermitted(DEFAULT_CLEARTEXT_TRAFFIC_PERMITTED)

                .setCleartextTrafficPermitted(!ephemeralApp)

                .setHstsEnforced(DEFAULT_HSTS_ENFORCED)

                .setHstsEnforced(DEFAULT_HSTS_ENFORCED)

                // System certificate store, does not bypass static pins.

                // System certificate store, does not bypass static pins.

                .addCertificatesEntryRef(

                .addCertificatesEntryRef(

    private final int mResourceId;

    private final int mResourceId;

    private final boolean mDebugBuild;

    private final boolean mDebugBuild;

    private final int mTargetSdkVersion;

    private final int mTargetSdkVersion;

    private final boolean mEphemeralApp;

    private boolean mInitialized;

    private boolean mInitialized;

    private NetworkSecurityConfig mDefaultConfig;

    private NetworkSecurityConfig mDefaultConfig;

        this(context, resourceId, debugBuild, Build.VERSION_CODES.CUR_DEVELOPMENT);

        this(context, resourceId, debugBuild, Build.VERSION_CODES.CUR_DEVELOPMENT);

    }

    }

    @VisibleForTesting

    public XmlConfigSource(Context context, int resourceId, boolean debugBuild,

    public XmlConfigSource(Context context, int resourceId, boolean debugBuild,

            int targetSdkVersion) {

            int targetSdkVersion) {

        this(context, resourceId, debugBuild, targetSdkVersion, false);

    }

    public XmlConfigSource(Context context, int resourceId, boolean debugBuild,

            int targetSdkVersion, boolean ephemeralApp) {

        mResourceId = resourceId;

        mResourceId = resourceId;

        mContext = context;

        mContext = context;

        mDebugBuild = debugBuild;

        mDebugBuild = debugBuild;

        mTargetSdkVersion = targetSdkVersion;

        mTargetSdkVersion = targetSdkVersion;

        mEphemeralApp = ephemeralApp;

    }

    }

    public Set<Pair<Domain, NetworkSecurityConfig>> getPerDomainConfigs() {

    public Set<Pair<Domain, NetworkSecurityConfig>> getPerDomainConfigs() {

        // Use the platform default as the parent of the base config for any values not provided

        // Use the platform default as the parent of the base config for any values not provided

        // there. If there is no base config use the platform default.

        // there. If there is no base config use the platform default.

        NetworkSecurityConfig.Builder platformDefaultBuilder =

        NetworkSecurityConfig.Builder platformDefaultBuilder =

                NetworkSecurityConfig.getDefaultBuilder(mTargetSdkVersion);

                NetworkSecurityConfig.getDefaultBuilder(mTargetSdkVersion, mEphemeralApp);

        addDebugAnchorsIfNeeded(debugConfigBuilder, platformDefaultBuilder);

        addDebugAnchorsIfNeeded(debugConfigBuilder, platformDefaultBuilder);

        if (baseConfigBuilder != null) {

        if (baseConfigBuilder != null) {

            baseConfigBuilder.setParent(platformDefaultBuilder);

            baseConfigBuilder.setParent(platformDefaultBuilder);

    public void testConfigBuilderUsesParents() throws Exception {

    public void testConfigBuilderUsesParents() throws Exception {

        // Check that a builder with a parent uses the parent's values when non is set.

        // Check that a builder with a parent uses the parent's values when non is set.

        NetworkSecurityConfig config = new NetworkSecurityConfig.Builder()

        NetworkSecurityConfig config = new NetworkSecurityConfig.Builder()

                .setParent(NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N))

                .setParent(NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N, false))

                .build();

                .build();

        assert(!config.getTrustAnchors().isEmpty());

        assert(!config.getTrustAnchors().isEmpty());

    }

    }

            // Install the test CA.

            // Install the test CA.

            store.installCertificate(TEST_CA_CERT);

            store.installCertificate(TEST_CA_CERT);

            NetworkSecurityConfig preNConfig =

            NetworkSecurityConfig preNConfig =

                    NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.M).build();

                    NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.M, false).build();

            NetworkSecurityConfig nConfig =

            NetworkSecurityConfig nConfig =

                    NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N).build();

                    NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N, false).build();

            Set<TrustAnchor> preNAnchors = preNConfig.getTrustAnchors();

            Set<TrustAnchor> preNAnchors = preNConfig.getTrustAnchors();

            Set<TrustAnchor> nAnchors = nConfig.getTrustAnchors();

            Set<TrustAnchor> nAnchors = nConfig.getTrustAnchors();

            Set<X509Certificate> preNCerts = new HashSet<X509Certificate>();

            Set<X509Certificate> preNCerts = new HashSet<X509Certificate>();