Revert "To read the Group UUID, the Caller must also have the US..."

import android.annotation.Nullable;

import android.app.AppOpsManager;

import android.app.PendingIntent;

import android.app.compat.CompatChanges;

import android.compat.annotation.ChangeId;

import android.compat.annotation.EnabledSince;

import android.compat.annotation.UnsupportedAppUsage;

import android.content.ContentResolver;

import android.content.ContentValues;

    // Allows test mocks to avoid SELinux failures on invalidate calls.

    private static boolean sCachingEnabled = true;

    /**

     * Apps targeting on Android T and beyond will get exception if there is no

     * {@link Manifest.permission#USE_ICC_AUTH_WITH_DEVICE_IDENTIFIER} permission

     * when calling SubscriptionManager#getSubscriptionsInGroup.

     */

    @ChangeId

    @EnabledSince(targetSdkVersion = Build.VERSION_CODES.TIRAMISU)

    public static final long REQUIRE_ICC_AUTH_DEVICE_IDENTIFIERS_FOR_GROUP_UUID = 213902861L;

    // Each slot can have multiple subs.

    private static class WatchedSlotIndexToSubIds {

        private Map<Integer, ArrayList<Integer>> mSlotIndexToSubIds = new ConcurrentHashMap<>();

    /**

     * Returns whether the {@code callingPackage} has access to subscriber identifiers on the

     * specified {@code subId} using the provided {@code message} in any resulting

     * SecurityException. {@code throwException} flag to indicate if throw exception.

     * SecurityException.

     */

    private boolean hasSubscriberIdentifierAccess(int subId, String callingPackage,

            String callingFeatureId, String message, boolean reportFailure,

            boolean throwException) {

            String callingFeatureId, String message, boolean reportFailure) {

        try {

            return TelephonyPermissions.checkCallingOrSelfReadSubscriberIdentifiers(mContext, subId,

                    callingPackage, callingFeatureId, message, reportFailure);

            // A SecurityException indicates that the calling package is targeting at least the

            // minimum level that enforces identifier access restrictions and the new access

            // requirements are not met.

            if (throwException) {

                throw e;

            }

            return false;

        }

    }

     * Get subscriptionInfo list of subscriptions that are in the same group of given subId.

     * See {@link #createSubscriptionGroup(int[], String)} for more details.

     *

     * Caller must have {@link android.Manifest.permission#READ_PHONE_STATE}

     * or carrier privilege permission on the subscription.

     * Caller will either have {@link android.Manifest.permission#READ_PHONE_STATE}

     * permission or had carrier privilege permission on the subscription.

     * {@link TelephonyManager#hasCarrierPrivileges(int)}

     *

     * <p>Starting with API level 33, the caller needs the additional permission

     * {@link Manifest.permission#USE_ICC_AUTH_WITH_DEVICE_IDENTIFIER}

     * to get the list of subscriptions associated with a group UUID.

     * This method can be invoked if one of the following requirements is met:

     * <ul>

     *     <li>If the app has carrier privilege permission.

     *     {@link TelephonyManager#hasCarrierPrivileges()}

     *     <li>If the app has {@link android.Manifest.permission#READ_PHONE_STATE} and

     *     {@link Manifest.permission#USE_ICC_AUTH_WITH_DEVICE_IDENTIFIER} permission.

     * </ul>

     *

     * @throws SecurityException if the caller doesn't meet the requirements

     *             outlined above.

     *

        }

        return subInfoList.stream().filter(info -> {

            int subId = info.getSubscriptionId();

            boolean permission = checkPermissionForGroupUuid(subId, callingPackage,

                    callingFeatureId, Binder.getCallingUid());

            if (!groupUuid.equals(info.getGroupUuid())) return false;

            return permission || info.canManageSubscription(mContext, callingPackage);

            int subId = info.getSubscriptionId();

            return TelephonyPermissions.checkCallingOrSelfReadPhoneState(mContext, subId,

                    callingPackage, callingFeatureId, "getSubscriptionsInGroup")

                    || info.canManageSubscription(mContext, callingPackage);

        }).map(subscriptionInfo -> conditionallyRemoveIdentifiers(subscriptionInfo,

                callingPackage, callingFeatureId, "getSubscriptionsInGroup"))

        .collect(Collectors.toList());

    }

    private boolean checkPermissionForGroupUuid(int subId, String callingPackage,

            String callingFeatureId, int uid) {

        if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState(mContext, subId,

                callingPackage, callingFeatureId, "getSubscriptionsInGroup")) {

            return false;

        }

        if (CompatChanges.isChangeEnabled(

                REQUIRE_ICC_AUTH_DEVICE_IDENTIFIERS_FOR_GROUP_UUID, uid)) {

            return hasSubscriberIdentifierAccess(subId, callingPackage,

                    callingFeatureId, "getSubscriptionsInGroup", true, true);

        }

        return true;

    }

    /**

            if (canReadPhoneState) {

                canReadIdentifiers = hasSubscriberIdentifierAccess(

                        SubscriptionManager.INVALID_SUBSCRIPTION_ID, callingPackage,

                        callingFeatureId, "getSubscriptionInfoList", false, false);

                        callingFeatureId, "getSubscriptionInfoList", false);

                canReadPhoneNumber = hasPhoneNumberAccess(

                        SubscriptionManager.INVALID_SUBSCRIPTION_ID, callingPackage,

                        callingFeatureId, "getSubscriptionInfoList");

        SubscriptionInfo result = subInfo;

        int subId = subInfo.getSubscriptionId();

        boolean hasIdentifierAccess = hasSubscriberIdentifierAccess(subId, callingPackage,

                callingFeatureId, message, true, false);

                callingFeatureId, message, true);

        boolean hasPhoneNumberAccess = hasPhoneNumberAccess(subId, callingPackage, callingFeatureId,

                message);

        return conditionallyRemoveIdentifiers(subInfo, hasIdentifierAccess, hasPhoneNumberAccess);

import static android.telephony.TelephonyManager.SET_OPPORTUNISTIC_SUB_REMOTE_SERVICE_EXCEPTION;

import static com.android.internal.telephony.SubscriptionController.REQUIRE_ICC_AUTH_DEVICE_IDENTIFIERS_FOR_GROUP_UUID;

import static com.android.internal.telephony.uicc.IccCardStatus.CardState.CARDSTATE_PRESENT;

import static org.junit.Assert.assertEquals;

import static org.mockito.ArgumentMatchers.anyLong;

import static org.mockito.ArgumentMatchers.anyString;

import static org.mockito.Mockito.atLeast;

import static org.mockito.Mockito.doNothing;

import static org.mockito.Mockito.doReturn;

import static org.mockito.Mockito.doThrow;

import static org.mockito.Mockito.eq;

import static org.mockito.Mockito.mock;

import static org.mockito.Mockito.times;

import static org.mockito.Mockito.when;

import android.Manifest;

import android.compat.testing.PlatformCompatChangeRule;

import android.content.ContentResolver;

import android.content.ContentValues;

import android.content.Intent;

import com.android.internal.telephony.uicc.UiccController;

import com.android.internal.telephony.uicc.UiccSlot;

import libcore.junit.util.compat.CoreCompatChangeRule.DisableCompatChanges;

import libcore.junit.util.compat.CoreCompatChangeRule.EnableCompatChanges;

import org.junit.After;

import org.junit.Before;

import org.junit.Rule;

import org.junit.Test;

import org.junit.rules.TestRule;

import org.mockito.ArgumentCaptor;

import java.util.ArrayList;

    private static final String DISPLAY_NUMBER = "123456";

    private static final String DISPLAY_NAME = "testing_display_name";

    @Rule

    public TestRule mCompatChangeRule = new PlatformCompatChangeRule();

    @Before

    public void setUp() throws Exception {

        super.setUp(getClass().getSimpleName());

    @Test

    @SmallTest

    @EnableCompatChanges({REQUIRE_ICC_AUTH_DEVICE_IDENTIFIERS_FOR_GROUP_UUID})

    public void testAddSubscriptionIntoGroupWithCarrierPrivilegePermission() throws Exception {

        testInsertSim();

        // Adding a second profile and mark as embedded.

    @Test

    @SmallTest

    @EnableCompatChanges({REQUIRE_ICC_AUTH_DEVICE_IDENTIFIERS_FOR_GROUP_UUID})

    public void testUpdateSubscriptionGroupWithCarrierPrivilegePermission() throws Exception {

        testInsertSim();

        // Adding a second profile and mark as embedded.

    @Test

    @SmallTest

    @EnableCompatChanges({REQUIRE_ICC_AUTH_DEVICE_IDENTIFIERS_FOR_GROUP_UUID})

    public void testSetSubscriptionGroup() throws Exception {

        testInsertSim();

        // Adding a second profile and mark as embedded.

    }

    @Test

    @DisableCompatChanges({REQUIRE_ICC_AUTH_DEVICE_IDENTIFIERS_FOR_GROUP_UUID})

    public void testGetSubscriptionsInGroupWithReadPhoneState() throws Exception {

        // For backward compatibility test

        ParcelUuid groupUuid = setupGetSubscriptionsInGroupTest();

        setupReadPhoneNumbersTest();

        setIdentifierAccess(false);

        List<SubscriptionInfo> subInfoList = mSubscriptionControllerUT.getSubscriptionsInGroup(

                groupUuid, mCallingPackage, mCallingFeature);

        assertTrue(subInfoList.size() > 0);

        for (SubscriptionInfo info : subInfoList) {

            assertEquals(UNAVAILABLE_ICCID, info.getIccId());

            assertEquals(UNAVAILABLE_ICCID, info.getCardString());

            assertEquals(UNAVAILABLE_NUMBER, info.getNumber());

        }

    }

    @Test

    @EnableCompatChanges({REQUIRE_ICC_AUTH_DEVICE_IDENTIFIERS_FOR_GROUP_UUID})

    public void testGetSubscriptionsInGroupWithoutAppropriatePermission() throws Exception {

    public void testGetSubscriptionsInGroupWithNoPermission() throws Exception {

        // If the calling package does not have the READ_PHONE_STATE permission or carrier

        // privileges then getSubscriptionsInGroup should throw a SecurityException when the

        // READ_PHONE_STATE permission check is performed.

        ParcelUuid groupUuid = setupGetSubscriptionsInGroupTest();

        mContextFixture.removeCallingOrSelfPermission(ContextFixture.PERMISSION_ENABLE_ALL);

        // no permission

        setNoPermission();

        try {

            mSubscriptionControllerUT.getSubscriptionsInGroup(groupUuid, mCallingPackage,

                    mCallingFeature);

            fail("getSubscriptionsInGroup should fail when invoked with no permissions");

        } catch (SecurityException expected) {

        }

        // only has the USE_ICC_AUTH_WITH_DEVICE_IDENTIFIER permission

        setIdentifierAccess(true);

        try {

            mSubscriptionControllerUT.getSubscriptionsInGroup(groupUuid, mCallingPackage,

                    mCallingFeature);

            fail("getSubscriptionsInGroup should fail when invoked with no"

                    + "READ_PHONE_STATE permissions");

        } catch (SecurityException expected) {

        }

        // only has the READ_PHONE_STATE permission

        setIdentifierAccess(false);

        setReadPhoneState();

        try {

            mSubscriptionControllerUT.getSubscriptionsInGroup(groupUuid, mCallingPackage,

                    mCallingFeature);

            fail("getSubscriptionsInGroup should fail when invoked with no "

                    + "USE_ICC_AUTH_WITH_DEVICE_IDENTIFIER permissions");

        } catch (SecurityException expected) {

        }

    }

    @Test

    @EnableCompatChanges({REQUIRE_ICC_AUTH_DEVICE_IDENTIFIERS_FOR_GROUP_UUID})

    public void testGetSubscriptionsInGroupWithReadDeviceIdentifier() throws Exception {

    public void testGetSubscriptionsInGroupWithReadPhoneState() throws Exception {

        // If the calling package only has the READ_PHONE_STATE permission then

        // getSubscriptionsInGroup should still return the list of SubscriptionInfo objects

        // but the ICC ID should not be available via getIccId or getCardString.

        ParcelUuid groupUuid = setupGetSubscriptionsInGroupTest();

        setNoPermission();

        setCarrierPrivileges(false);

        setIdentifierAccess(true);

        setReadPhoneState();

        setupReadPhoneNumbersTest();

        setIdentifierAccess(false);

        List<SubscriptionInfo> subInfoList = mSubscriptionControllerUT.getSubscriptionsInGroup(

                groupUuid, mCallingPackage, mCallingFeature);

        assertTrue(subInfoList.size() > 0);

        for (SubscriptionInfo info : subInfoList) {

            assertTrue(info.getIccId().length() > 0);

            assertTrue(info.getCardString().length() > 0);

            assertEquals(UNAVAILABLE_ICCID, info.getIccId());

            assertEquals(UNAVAILABLE_ICCID, info.getCardString());

            assertEquals(UNAVAILABLE_NUMBER, info.getNumber());

        }

    }

    @Test

    @EnableCompatChanges({REQUIRE_ICC_AUTH_DEVICE_IDENTIFIERS_FOR_GROUP_UUID})

    public void testGetSubscriptionInGroupWithPhoneNumberAccess() throws Exception {

        // If the calling package meets any of the requirements for the

        // LegacyPermissionManager#checkPhoneNumberAccess test then the number should be available

    }

    @Test

    @EnableCompatChanges({REQUIRE_ICC_AUTH_DEVICE_IDENTIFIERS_FOR_GROUP_UUID})

    public void testGetSubscriptionsInGroupWithCarrierPrivileges() throws Exception {

        // If the calling package has the READ_PRIVILEGED_PHONE_STATE permission or carrier

        // privileges the ICC ID should be available in the SubscriptionInfo objects in the List.

    }

    @Test

    @EnableCompatChanges({REQUIRE_ICC_AUTH_DEVICE_IDENTIFIERS_FOR_GROUP_UUID})

    public void testGetSubscriptionsInGroupWithPrivilegedPermission() throws Exception {

        // If the calling package has the READ_PRIVILEGED_PHONE_STATE permission or carrier

        // privileges the ICC ID should be available in the SubscriptionInfo objects in the List.

        assertTrue(mSubscriptionControllerUT.checkPhoneIdAndIccIdMatch(0, "test2"));

        assertFalse(mSubscriptionControllerUT.checkPhoneIdAndIccIdMatch(0, "test3"));

    }

    private void setNoPermission() {

        doThrow(new SecurityException()).when(mContext)

                .enforcePermission(anyString(), anyInt(), anyInt(), anyString());

    }

    private void setReadPhoneState() {

        doNothing().when(mContext).enforcePermission(

                eq(android.Manifest.permission.READ_PHONE_STATE), anyInt(), anyInt(), anyString());

    }

}