Merge "[ADI][60/N] Update emergency-bypass conditions" into main

            return false;

        }

        // Only system installers can have an emergency installer

        if (PackageManager.PERMISSION_GRANTED

                != snapshot.checkUidPermission(Manifest.permission.INSTALL_PACKAGES, uid)

                && PackageManager.PERMISSION_GRANTED

                != snapshot.checkUidPermission(Manifest.permission.INSTALL_PACKAGE_UPDATES, uid)

                && PackageManager.PERMISSION_GRANTED

                != snapshot.checkUidPermission(Manifest.permission.INSTALL_SELF_UPDATES, uid)) {

        if (!hasSystemInstallerPermissions(snapshot, uid)) {

            return false;

        }

        return (snapshot.checkUidPermission(Manifest.permission.EMERGENCY_INSTALL_PACKAGES,

                installerUid) == PackageManager.PERMISSION_GRANTED);

        return hasEmergencyInstallerPermission(snapshot, installerUid);

    }

    private static boolean hasSystemInstallerPermissions(Computer snapshot, int uid) {

        return (PackageManager.PERMISSION_GRANTED

                == snapshot.checkUidPermission(Manifest.permission.INSTALL_PACKAGES, uid)

                || PackageManager.PERMISSION_GRANTED

                == snapshot.checkUidPermission(Manifest.permission.INSTALL_PACKAGE_UPDATES, uid)

                || PackageManager.PERMISSION_GRANTED

                == snapshot.checkUidPermission(Manifest.permission.INSTALL_SELF_UPDATES, uid));

    }

    private static boolean hasEmergencyInstallerPermission(Computer snapshot, int installerUid) {

        return snapshot.checkUidPermission(Manifest.permission.EMERGENCY_INSTALL_PACKAGES,

                installerUid) == PackageManager.PERMISSION_GRANTED;

    }

    private static final int USER_ACTION_NOT_NEEDED = 0;

            // the emergency bypass.

            return false;

        }

        // Check if app being installed is the verifier itself.

        if (TextUtils.equals(verifierPackageName, packageName)) {

            Slog.d(TAG, "Bypassing developer verification because the verifier is being updated");

            return true;

        }

        // Check if app being installed is the sysconfig-specified update-owner of the verifier.

        final String updateOwnerPackageName = mPm.getSystemAppUpdateOwnerPackageName(

                verifierPackageName);

        if (updateOwnerPackageName == null) {

            // No sysconfig-specified update-owner for the verifier. No need to check further.

            // The verifier has not specified an update-owner in sysconfig.

            return false;

        }

        if (TextUtils.equals(updateOwnerPackageName, packageName)) {

            Slog.d(TAG, "Bypassing verification service because the sysconfig-specified "

                    + "update owner of the verifier is being updated");

            return true;

        final String installerPackageName = getInstallerPackageName();

        if (installerPackageName == null) {

            return false;

        }

        // Check if app being installed is the emergency installer of the sysconfig-specified

        // update-owner of the verifier.

        if (isEmergencyInstallerEnabled(updateOwnerPackageName, snapshot, userId, ps.getAppId())) {

        final PackageStateInternal psUpdateOwner = snapshot.getPackageStateInternal(

                updateOwnerPackageName, Process.SYSTEM_UID);

        if (psUpdateOwner == null || psUpdateOwner.getPkg() == null) {

                // Impossible condition, because the if clause above already checked this.

                // Added to prevent lint warnings.

                return false;

        }

            String emergencyInstallerPackageName = psUpdateOwner.getPkg().getEmergencyInstaller();

            if (emergencyInstallerPackageName != null

                    && TextUtils.equals(emergencyInstallerPackageName, packageName)) {

                Slog.d(TAG, "Bypassing verification service because the "

                        + "emergency installer of the verifier's update owner is being updated");

        // Validate the permissions of the sysconfig-specified update-owner

        if (!hasSystemInstallerPermissions(snapshot, psUpdateOwner.getAppId())) {

            return false;

        }

        // Check if the verifier is being updated, and the installer is the verifier's

        // sysconfig-specified update-owner.

        if (TextUtils.equals(verifierPackageName, packageName)

                && TextUtils.equals(updateOwnerPackageName, installerPackageName)) {

            Slog.d(TAG, "Bypassing developer verification because the verifier is being updated.");

            return true;

        }

        // Check if the verifier's sysconfig-specified update-owner is being updated, and the

        // installer is the verifier's sysconfig-specified update-owner.

        if (TextUtils.equals(updateOwnerPackageName, packageName)

                && TextUtils.equals(updateOwnerPackageName, installerPackageName)) {

            Slog.d(TAG, "Bypassing developer verification because the update-owner of the"

                    + " verifier which is specified in the sysconfig is being updated.");

            return true;

        }

        String emergencyInstallerOfUpdateOwner = psUpdateOwner.getPkg().getEmergencyInstaller();

        if (emergencyInstallerOfUpdateOwner == null) {

            // The rest of the bypass checks involve the emergency installer of the update-owner.

            // If this is no such emergency installer, no need to check further.

            return false;

        }

        final PackageStateInternal psEmergencyInstallerOfUpdateOwner =

                snapshot.getPackageStateInternal(emergencyInstallerOfUpdateOwner,

                        Process.SYSTEM_UID);

        if (psEmergencyInstallerOfUpdateOwner == null

                || psEmergencyInstallerOfUpdateOwner.getPkg() == null) {

            return false;

        }

        // Check the permission of the emergency installer

        if (!hasEmergencyInstallerPermission(

                snapshot, psEmergencyInstallerOfUpdateOwner.getAppId())) {

            return false;

        }

        // Check if the emergency installer of the verifier's sysconfig-specified update-owner is

        // being updated, and the installer is the verifier's sysconfig-specified update-owner.

        if (TextUtils.equals(emergencyInstallerOfUpdateOwner, packageName)

                && TextUtils.equals(updateOwnerPackageName, installerPackageName)) {

            Slog.d(TAG, "Bypassing developer verification because the emergency installer of"

                    + " the update-owner of the verifier which is specified in the sysconfig is"

                    + " being updated.");

            return true;

        }

        // If the app being installed is the sysconfig-specified update-owner, also allow bypassing

        // if the installer is the app's emergency-installer.

        if (TextUtils.equals(updateOwnerPackageName, packageName)

                && TextUtils.equals(emergencyInstallerOfUpdateOwner, installerPackageName)) {

            Slog.d(TAG, "Bypassing developer verification because the update-owner of the"

                    + " verifier which is specified in the sysconfig is being updated by its"

                    + " emergency installer.");

            return true;

        }

        return false;

    }

                    resumeVerify();

                    return;

                }

                if (shouldAllowDeveloperVerificationEmergencyBypass(

                        getPackageName(), mPm.snapshotComputer())) {

                    // Bypass verification when critical package is being updated and the

                    // verification result is not verified.

                    synchronized (mMetrics) {

                        mMetrics.onDeveloperVerificationBypassed(

                                DEVELOPER_VERIFICATION_BYPASSED_REASON_EMERGENCY);

                    }

                    resumeVerify();

                    return;

                }

                // Package is blocked.

                mVerificationUserActionNeededReason =

                    resumeVerify();

                    return;

                }

                if (shouldAllowDeveloperVerificationEmergencyBypass(

                        getPackageName(), mPm.snapshotComputer())) {

                    // Bypass verification when critical package is being updated and the

                    // verification is incomplete.

                    synchronized (mMetrics) {

                        mMetrics.onDeveloperVerificationBypassed(

                                DEVELOPER_VERIFICATION_BYPASSED_REASON_EMERGENCY);

                    }

                    resumeVerify();

                    return;

                }

                StringBuilder sb = new StringBuilder(

                        "Verification cannot be completed because of ");

import android.content.Context

import android.content.pm.PackageInstaller

import android.content.pm.PackageInstaller.DEVELOPER_VERIFICATION_POLICY_BLOCK_FAIL_CLOSED

import android.content.pm.PackageInstaller.DEVELOPER_VERIFICATION_POLICY_BLOCK_FAIL_OPEN

import android.content.pm.PackageInstaller.SessionParams

import android.content.pm.PackageInstaller.SessionParams.PERMISSION_STATE_DEFAULT

import android.content.pm.PackageInstaller.SessionParams.PERMISSION_STATE_DENIED

import android.content.pm.PackageInstaller.SessionParams.PERMISSION_STATE_GRANTED

import android.content.pm.PackageInstaller.DEVELOPER_VERIFICATION_POLICY_BLOCK_FAIL_CLOSED

import android.content.pm.PackageInstaller.DEVELOPER_VERIFICATION_POLICY_BLOCK_FAIL_OPEN

import android.content.pm.PackageManager

import android.content.pm.verify.domain.DomainSet

import android.os.Parcel

    @Test

    fun testShouldAllowDeveloperVerificationEmergencyBypassForVerifier() {

        val verifierPackageName = "verifierPackageName"

        val updateOwnerName = "updateOwnerPackageName"

        val mockPs = mock(PackageStateInternal::class.java)

        val mockUpdateOwnerPs = mock(PackageStateInternal::class.java)

        val mockUpdateOwnerPkg = mock(AndroidPackageInternal::class.java)

        val updateOwnerUid = 10200

        whenever(mMockDeveloperVerifierController.verifierPackageName).thenReturn(

            verifierPackageName)

        whenever(mockPs.isSystem).thenReturn(true)

        whenever(mSnapshot.getPackageStateInternal(

            eq(verifierPackageName), eq(Process.SYSTEM_UID)))

            .thenReturn(mockPs)

        val session = createSession()

        whenever(mMockPackageManagerInternal.getSystemAppUpdateOwnerPackageName(

            anyString())).thenReturn(updateOwnerName)

        whenever(mSnapshot.getPackageStateInternal(

            eq(updateOwnerName), eq(Process.SYSTEM_UID)))

            .thenReturn(mockUpdateOwnerPs)

        whenever(mockUpdateOwnerPs.pkg).thenReturn(mockUpdateOwnerPkg)

        whenever(mockUpdateOwnerPs.appId).thenReturn(updateOwnerUid)

        whenever(mSnapshot.checkUidPermission(anyString(), eq(updateOwnerUid)))

            .thenReturn(PackageManager.PERMISSION_GRANTED)

        val session = createSession(installerPackageName = updateOwnerName)

        assertThat(session.shouldAllowDeveloperVerificationEmergencyBypass(

            verifierPackageName, mSnapshot)).isTrue()

    }

            eq(updateOwnerName), eq(Process.SYSTEM_UID)))

            .thenReturn(mockPs)

        whenever(mMockPackageManagerInternal.getSystemAppUpdateOwnerPackageName(

            anyString())).thenReturn(null)

        val session = createSession()

        eq(verifierPackageName))).thenReturn(null)

        val session = createSession(installerPackageName = updateOwnerName)

        assertThat(session.shouldAllowDeveloperVerificationEmergencyBypass(

            updateOwnerName, mSnapshot)).isFalse()

    }

    fun testShouldAllowDeveloperVerificationEmergencyBypassForUpdateOwner() {

        val verifierPackageName = "verifierPackageName"

        val updateOwnerName = "updateOwnerPackageName"

        val mockPs = mock(PackageStateInternal::class.java)

        val mockUpdateOwnerPs = mock(PackageStateInternal::class.java)

        val mockUpdateOwnerPkg = mock(AndroidPackageInternal::class.java)

        val updateOwnerUid = 10200

        whenever(mMockDeveloperVerifierController.verifierPackageName).thenReturn(

            verifierPackageName)

        whenever(mockPs.isSystem).thenReturn(true)

        whenever(mockUpdateOwnerPs.isSystem).thenReturn(true)

        whenever(mSnapshot.getPackageStateInternal(

            eq(updateOwnerName), eq(Process.SYSTEM_UID)))

            .thenReturn(mockPs)

            .thenReturn(mockUpdateOwnerPs)

        whenever(mMockPackageManagerInternal.getSystemAppUpdateOwnerPackageName(

            eq(verifierPackageName))).thenReturn(updateOwnerName)

        val session = createSession()

        whenever(mockUpdateOwnerPs.pkg).thenReturn(mockUpdateOwnerPkg)

        whenever(mockUpdateOwnerPs.appId).thenReturn(updateOwnerUid)

        whenever(mSnapshot.checkUidPermission(anyString(), eq(updateOwnerUid)))

            .thenReturn(PackageManager.PERMISSION_GRANTED)

        val session = createSession(installerPackageName = updateOwnerName)

        assertThat(session.shouldAllowDeveloperVerificationEmergencyBypass(

            updateOwnerName, mSnapshot)).isTrue()

    }

        val verifierPackageName = "verifierPackageName"

        val updateOwnerName = "updateOwnerPackageName"

        val emergencyInstallerPackageName = "emergencyInstallerPackageName"

        val mockPs = mock(PackageStateInternal::class.java)

        val mockUpdateOwnerPs = mock(PackageStateInternal::class.java)

        val mockUpdateOwnerPkg = mock(AndroidPackageInternal::class.java)

        val mockUid = 10001

        val mockEmergencyInstallerPs = mock(PackageStateInternal::class.java)

        val mockEmergencyInstallerPkg = mock(AndroidPackageInternal::class.java)

        val mockEmergencyInstallerUid = 10001

        val mockUpdateOwnerUid = 10200

        whenever(mockPs.appId).thenReturn(mockUid)

        whenever(mockUpdateOwnerPs.appId).thenReturn(mockUpdateOwnerUid)

        whenever(mockUpdateOwnerPkg.emergencyInstaller).thenReturn(

            emergencyInstallerPackageName)

        whenever(mMockDeveloperVerifierController.verifierPackageName).thenReturn(

            verifierPackageName)

        whenever(mockPs.isSystem).thenReturn(true)

        whenever(mockUpdateOwnerPs.isSystem).thenReturn(true)

        whenever(mMockPackageManagerInternal.getSystemAppUpdateOwnerPackageName(

            eq(verifierPackageName))).thenReturn(updateOwnerName)

        whenever(mockUpdateOwnerPs.pkg).thenReturn(mockUpdateOwnerPkg)

        whenever(mockUpdateOwnerPs.appId).thenReturn(mockUpdateOwnerUid)

        whenever(mockUpdateOwnerPkg.emergencyInstaller).thenReturn(

            emergencyInstallerPackageName)

        whenever(mSnapshot.getPackageStateInternal(

            eq(updateOwnerName), eq(Process.SYSTEM_UID)))

            .thenReturn(mockUpdateOwnerPs)

        whenever(mSnapshot.getPackageStateInternal(

            eq(updateOwnerName)))

            .thenReturn(mockUpdateOwnerPs)

        whenever(mSnapshot.getPackageStateInternal(

            eq(emergencyInstallerPackageName), eq(Process.SYSTEM_UID)))

            .thenReturn(mockPs)

        whenever(mSnapshot.getPackagesForUid(eq(mockUid))).thenReturn(

            listOf(emergencyInstallerPackageName).toTypedArray())

        whenever(mSnapshot.checkUidPermission(anyString(),

            eq(UserHandle.getUid(USER_ID, mockUpdateOwnerUid))))

            .thenReturn(PackageManager.PERMISSION_GRANTED)

        whenever(mSnapshot.checkUidPermission(anyString(), eq(mockUid)))

        whenever(mSnapshot.getPackageStateInternal(

            eq(emergencyInstallerPackageName), eq(Process.SYSTEM_UID)))

            .thenReturn(mockEmergencyInstallerPs)

        whenever(mockEmergencyInstallerPs.pkg).thenReturn(mockEmergencyInstallerPkg)

        whenever(mockEmergencyInstallerPs.appId).thenReturn(mockEmergencyInstallerUid)

        whenever(mockEmergencyInstallerPs.isSystem).thenReturn(true)

        whenever(mSnapshot.checkUidPermission(anyString(), eq(mockEmergencyInstallerUid)))

            .thenReturn(PackageManager.PERMISSION_GRANTED)

        val session = createSession(installerPackageName = updateOwnerName)

        assertThat(session.shouldAllowDeveloperVerificationEmergencyBypass(

            emergencyInstallerPackageName, mSnapshot)).isTrue()

    }

    @Test

    fun testShouldAllowDeveloperVerificationEmergencyBypassForUpdaterOwnerByEmergencyInstaller() {

        val verifierPackageName = "verifierPackageName"

        val updateOwnerName = "updateOwnerPackageName"

        val emergencyInstallerPackageName = "emergencyInstallerPackageName"

        val mockUpdateOwnerPs = mock(PackageStateInternal::class.java)

        val mockUpdateOwnerPkg = mock(AndroidPackageInternal::class.java)

        val mockEmergencyInstallerPs = mock(PackageStateInternal::class.java)

        val mockEmergencyInstallerPkg = mock(AndroidPackageInternal::class.java)

        val mockEmergencyInstallerUid = 10001

        val mockUpdateOwnerUid = 10200

        whenever(mMockDeveloperVerifierController.verifierPackageName).thenReturn(

            verifierPackageName)

        whenever(mMockPackageManagerInternal.getSystemAppUpdateOwnerPackageName(

            eq(verifierPackageName))).thenReturn(updateOwnerName)

        val session = createSession()

        whenever(mSnapshot.getPackageStateInternal(

            eq(updateOwnerName), eq(Process.SYSTEM_UID)))

            .thenReturn(mockUpdateOwnerPs)

        whenever(mockUpdateOwnerPs.appId).thenReturn(mockUpdateOwnerUid)

        whenever(mockUpdateOwnerPs.isSystem).thenReturn(true)

        whenever(mockUpdateOwnerPs.pkg).thenReturn(mockUpdateOwnerPkg)

        whenever(mSnapshot.checkUidPermission(anyString(),

            eq(UserHandle.getUid(USER_ID, mockUpdateOwnerUid))))

            .thenReturn(PackageManager.PERMISSION_GRANTED)

        whenever(mockUpdateOwnerPkg.emergencyInstaller).thenReturn(

            emergencyInstallerPackageName)

        whenever(mSnapshot.getPackageStateInternal(

            eq(emergencyInstallerPackageName), eq(Process.SYSTEM_UID)))

            .thenReturn(mockEmergencyInstallerPs)

        whenever(mockEmergencyInstallerPs.pkg).thenReturn(mockEmergencyInstallerPkg)

        whenever(mockEmergencyInstallerPs.appId).thenReturn(mockEmergencyInstallerUid)

        whenever(mSnapshot.checkUidPermission(anyString(), eq(mockEmergencyInstallerUid)))

            .thenReturn(PackageManager.PERMISSION_GRANTED)

        val session = createSession(installerPackageName = emergencyInstallerPackageName)

        assertThat(session.shouldAllowDeveloperVerificationEmergencyBypass(

            emergencyInstallerPackageName, mSnapshot)).isTrue()

            updateOwnerName, mSnapshot)).isTrue()

    }

    private fun createSession(

        multiPackage: Boolean = false,

        parentSessionId: Int = PackageInstaller.SessionInfo.INVALID_ID,

        childSessionIds: List<Int> = emptyList(),

        installerPackageName: String = "testInstaller",

        block: (SessionParams) -> Unit = {},

    ): PackageInstallerSession {

        val bundle = PersistableBundle()

        val installSource = InstallSource.create(

            "testInstallInitiator",

            "testInstallOriginator", "testInstaller", -1, "testUpdateOwner",

            "testInstallOriginator", installerPackageName, -1, "testUpdateOwner",

            "testAttributionTag", PackageInstaller.PACKAGE_SOURCE_UNSPECIFIED

        )