app/tests/e2e/src/com/android/rkpdapp/e2etest/RkpdHostTestHelperTests.java - platform/packages/modules/RemoteKeyProvisioning - Git at Google

 /*
  * Copyright (C) 2023 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package com.android.rkpdapp.e2etest;

 import static android.security.keystore.KeyProperties.KEY_ALGORITHM_EC;
 import static android.security.keystore.KeyProperties.PURPOSE_SIGN;

 import static com.android.rkpdapp.database.RkpdDatabase.DB_NAME;

 import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.TruthJUnit.assume;

 import android.content.Context;
 import android.hardware.security.keymint.IRemotelyProvisionedComponent;
 import android.os.ServiceManager;
 import android.os.SystemProperties;
 import android.security.keystore.KeyGenParameterSpec;

 import androidx.room.Room;
 import androidx.test.core.app.ApplicationProvider;
 import androidx.work.ListenableWorker;
 import androidx.work.testing.TestWorkerBuilder;

 import com.android.rkpdapp.database.ProvisionedKey;
 import com.android.rkpdapp.database.ProvisionedKeyDao;
 import com.android.rkpdapp.database.RkpdDatabase;
 import com.android.rkpdapp.interfaces.ServerInterface;
 import com.android.rkpdapp.interfaces.ServiceManagerInterface;
 import com.android.rkpdapp.interfaces.SystemInterface;
 import com.android.rkpdapp.provisioner.PeriodicProvisioner;
 import com.android.rkpdapp.testutil.SystemInterfaceSelector;
 import com.android.rkpdapp.testutil.TestDatabase;
 import com.android.rkpdapp.testutil.TestProvisionedKeyDao;
 import com.android.rkpdapp.utils.Settings;
 import com.android.rkpdapp.utils.StatsProcessor;

 import org.junit.After;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TestName;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;

 import java.security.KeyPairGenerator;
 import java.security.KeyStore;
 import java.security.spec.ECGenParameterSpec;
 import java.time.Instant;
 import java.util.List;
 import java.util.concurrent.Executors;

 @RunWith(Parameterized.class)
 public class RkpdHostTestHelperTests {
     private static final String KEY_ALIAS = "RKPD_HOST_TEST_HELPER_KEY";
     private static Context sContext;
     private final String mInstanceName;
     private final String mServiceName;
     private ProvisionedKeyDao mRealDao;
     private TestProvisionedKeyDao mTestDao;
     private PeriodicProvisioner mProvisioner;
     private AutoCloseable mPeriodicProvisionerLock;

     @Rule
     public final TestName mName = new TestName();

     @Parameterized.Parameters(name = "{index}: instanceName={0}")
     public static String[] parameters() {
         return ServiceManager.getDeclaredInstances(IRemotelyProvisionedComponent.DESCRIPTOR);
     }

     public RkpdHostTestHelperTests(String instanceName) {
         mInstanceName = instanceName;
         mServiceName = IRemotelyProvisionedComponent.DESCRIPTOR + "/" + instanceName;
     }

     @BeforeClass
     public static void init() {
         sContext = ApplicationProvider.getApplicationContext();
     }

     @Before
     public void setUp() throws Exception {
         assume()
                 .withMessage("The RKP server hostname is not configured -- assume RKP disabled.")
                 .that(SystemProperties.get("remote_provisioning.hostname"))
                 .isNotEmpty();

         assume()
                 .withMessage("RKP Integration tests rely on network availability.")
                 .that(ServerInterface.isNetworkConnected(sContext))
                 .isTrue();

         mPeriodicProvisionerLock = PeriodicProvisioner.lock();
         Settings.clearPreferences(sContext);
         mRealDao = RkpdDatabase.getDatabase(sContext).provisionedKeyDao();
         mRealDao.deleteAllKeys();
         mTestDao = Room.databaseBuilder(sContext, TestDatabase.class, DB_NAME).build().dao();

         mProvisioner = TestWorkerBuilder.from(
                 sContext,
                 PeriodicProvisioner.class,
                 Executors.newSingleThreadExecutor()).build();

         SystemInterface systemInterface =
                 SystemInterfaceSelector.getSystemInterfaceForServiceName(mServiceName);
         ServiceManagerInterface.setInstances(new SystemInterface[] {systemInterface});
     }

     @After
     public void tearDown() throws Exception {
         Settings.clearPreferences(sContext);

         if (mRealDao != null) {
             mRealDao.deleteAllKeys();
         }

         KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
         keyStore.load(null);
         keyStore.deleteEntry(KEY_ALIAS);

         ServiceManagerInterface.setInstances(null);

         if (mPeriodicProvisionerLock != null) {
             mPeriodicProvisionerLock.close();
         }
     }

     @Test
     public void provisionThenUseKeyThenProvision() throws Exception {
         assertThat(mProvisioner.doWork()).isEqualTo(ListenableWorker.Result.success());

         KeyPairGenerator generator = KeyPairGenerator.getInstance(KEY_ALGORITHM_EC,
                 "AndroidKeyStore");
         generator.initialize(
                 new KeyGenParameterSpec.Builder(KEY_ALIAS, PURPOSE_SIGN)
                         .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                         .setAttestationChallenge((new byte[64]))
                         .setIsStrongBoxBacked(mInstanceName.equals("strongbox"))
                         .build());
         generator.generateKeyPair();

         assertThat(mProvisioner.doWork()).isEqualTo(ListenableWorker.Result.success());
     }

     @Test
     public void provisionThenExpireThenProvisionAgain() throws Exception {
         assertThat(mProvisioner.doWork()).isEqualTo(ListenableWorker.Result.success());

         List<ProvisionedKey> keys = mTestDao.getAllKeys();

         // Expire a key
         keys.get(0).expirationTime = Instant.now().minusSeconds(60);
         mRealDao.updateKey(keys.get(0));

         // Mark two more keys as expiring soon
         for (int i = 1; i < 3; ++i) {
             keys.get(i).expirationTime = Instant.now().plusSeconds(60);
             mRealDao.updateKey(keys.get(i));
         }

         assertThat(mProvisioner.doWork()).isEqualTo(ListenableWorker.Result.success());
     }

     @Test
     public void testPeriodicProvisionerNoop() {
         // Similar to the PeriodicProvisioner round trip, except first we actually populate the
         // key pool to ensure that the PeriodicProvisioner just noops.
         // This test is purely to test out proper metrics.
         assertThat(mProvisioner.doWork()).isEqualTo(ListenableWorker.Result.success());
         StatsProcessor.PoolStats pool = StatsProcessor.processPool(mRealDao, mServiceName,
                 Settings.getExtraSignedKeysAvailable(sContext),
                 Settings.getExpirationTime(sContext));

         // The metrics host test will perform additional validation by ensuring correct metrics
         // are recorded.
         assertThat(mProvisioner.doWork()).isEqualTo(ListenableWorker.Result.success());
         StatsProcessor.PoolStats updatedPool = StatsProcessor.processPool(mRealDao, mServiceName,
                 Settings.getExtraSignedKeysAvailable(sContext),
                 Settings.getExpirationTime(sContext));

         assertThat(updatedPool.keysInUse + updatedPool.keysUnassigned)
                 .isEqualTo(pool.keysInUse + pool.keysUnassigned);
     }
 }
	/*
	* Copyright (C) 2023 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package com.android.rkpdapp.e2etest;

	import static android.security.keystore.KeyProperties.KEY_ALGORITHM_EC;
	import static android.security.keystore.KeyProperties.PURPOSE_SIGN;

	import static com.android.rkpdapp.database.RkpdDatabase.DB_NAME;

	import static com.google.common.truth.Truth.assertThat;
	import static com.google.common.truth.TruthJUnit.assume;

	import android.content.Context;
	import android.hardware.security.keymint.IRemotelyProvisionedComponent;
	import android.os.ServiceManager;
	import android.os.SystemProperties;
	import android.security.keystore.KeyGenParameterSpec;

	import androidx.room.Room;
	import androidx.test.core.app.ApplicationProvider;
	import androidx.work.ListenableWorker;
	import androidx.work.testing.TestWorkerBuilder;

	import com.android.rkpdapp.database.ProvisionedKey;
	import com.android.rkpdapp.database.ProvisionedKeyDao;
	import com.android.rkpdapp.database.RkpdDatabase;
	import com.android.rkpdapp.interfaces.ServerInterface;
	import com.android.rkpdapp.interfaces.ServiceManagerInterface;
	import com.android.rkpdapp.interfaces.SystemInterface;
	import com.android.rkpdapp.provisioner.PeriodicProvisioner;
	import com.android.rkpdapp.testutil.SystemInterfaceSelector;
	import com.android.rkpdapp.testutil.TestDatabase;
	import com.android.rkpdapp.testutil.TestProvisionedKeyDao;
	import com.android.rkpdapp.utils.Settings;
	import com.android.rkpdapp.utils.StatsProcessor;

	import org.junit.After;
	import org.junit.Before;
	import org.junit.BeforeClass;
	import org.junit.Rule;
	import org.junit.Test;
	import org.junit.rules.TestName;
	import org.junit.runner.RunWith;
	import org.junit.runners.Parameterized;

	import java.security.KeyPairGenerator;
	import java.security.KeyStore;
	import java.security.spec.ECGenParameterSpec;
	import java.time.Instant;
	import java.util.List;
	import java.util.concurrent.Executors;

	@RunWith(Parameterized.class)
	public class RkpdHostTestHelperTests {
	private static final String KEY_ALIAS = "RKPD_HOST_TEST_HELPER_KEY";
	private static Context sContext;
	private final String mInstanceName;
	private final String mServiceName;
	private ProvisionedKeyDao mRealDao;
	private TestProvisionedKeyDao mTestDao;
	private PeriodicProvisioner mProvisioner;
	private AutoCloseable mPeriodicProvisionerLock;

	@Rule
	public final TestName mName = new TestName();

	@Parameterized.Parameters(name = "{index}: instanceName={0}")
	public static String[] parameters() {
	return ServiceManager.getDeclaredInstances(IRemotelyProvisionedComponent.DESCRIPTOR);
	}

	public RkpdHostTestHelperTests(String instanceName) {
	mInstanceName = instanceName;
	mServiceName = IRemotelyProvisionedComponent.DESCRIPTOR + "/" + instanceName;
	}

	@BeforeClass
	public static void init() {
	sContext = ApplicationProvider.getApplicationContext();
	}

	@Before
	public void setUp() throws Exception {
	assume()
	.withMessage("The RKP server hostname is not configured -- assume RKP disabled.")
	.that(SystemProperties.get("remote_provisioning.hostname"))
	.isNotEmpty();

	assume()
	.withMessage("RKP Integration tests rely on network availability.")
	.that(ServerInterface.isNetworkConnected(sContext))
	.isTrue();

	mPeriodicProvisionerLock = PeriodicProvisioner.lock();
	Settings.clearPreferences(sContext);
	mRealDao = RkpdDatabase.getDatabase(sContext).provisionedKeyDao();
	mRealDao.deleteAllKeys();
	mTestDao = Room.databaseBuilder(sContext, TestDatabase.class, DB_NAME).build().dao();

	mProvisioner = TestWorkerBuilder.from(
	sContext,
	PeriodicProvisioner.class,
	Executors.newSingleThreadExecutor()).build();

	SystemInterface systemInterface =
	SystemInterfaceSelector.getSystemInterfaceForServiceName(mServiceName);
	ServiceManagerInterface.setInstances(new SystemInterface[] {systemInterface});
	}

	@After
	public void tearDown() throws Exception {
	Settings.clearPreferences(sContext);

	if (mRealDao != null) {
	mRealDao.deleteAllKeys();
	}

	KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
	keyStore.load(null);
	keyStore.deleteEntry(KEY_ALIAS);

	ServiceManagerInterface.setInstances(null);

	if (mPeriodicProvisionerLock != null) {
	mPeriodicProvisionerLock.close();
	}
	}

	@Test
	public void provisionThenUseKeyThenProvision() throws Exception {
	assertThat(mProvisioner.doWork()).isEqualTo(ListenableWorker.Result.success());

	KeyPairGenerator generator = KeyPairGenerator.getInstance(KEY_ALGORITHM_EC,
	"AndroidKeyStore");
	generator.initialize(
	new KeyGenParameterSpec.Builder(KEY_ALIAS, PURPOSE_SIGN)
	.setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
	.setAttestationChallenge((new byte[64]))
	.setIsStrongBoxBacked(mInstanceName.equals("strongbox"))
	.build());
	generator.generateKeyPair();

	assertThat(mProvisioner.doWork()).isEqualTo(ListenableWorker.Result.success());
	}

	@Test
	public void provisionThenExpireThenProvisionAgain() throws Exception {
	assertThat(mProvisioner.doWork()).isEqualTo(ListenableWorker.Result.success());

	List<ProvisionedKey> keys = mTestDao.getAllKeys();

	// Expire a key
	keys.get(0).expirationTime = Instant.now().minusSeconds(60);
	mRealDao.updateKey(keys.get(0));

	// Mark two more keys as expiring soon
	for (int i = 1; i < 3; ++i) {
	keys.get(i).expirationTime = Instant.now().plusSeconds(60);
	mRealDao.updateKey(keys.get(i));
	}

	assertThat(mProvisioner.doWork()).isEqualTo(ListenableWorker.Result.success());
	}

	@Test
	public void testPeriodicProvisionerNoop() {
	// Similar to the PeriodicProvisioner round trip, except first we actually populate the
	// key pool to ensure that the PeriodicProvisioner just noops.
	// This test is purely to test out proper metrics.
	assertThat(mProvisioner.doWork()).isEqualTo(ListenableWorker.Result.success());
	StatsProcessor.PoolStats pool = StatsProcessor.processPool(mRealDao, mServiceName,
	Settings.getExtraSignedKeysAvailable(sContext),
	Settings.getExpirationTime(sContext));

	// The metrics host test will perform additional validation by ensuring correct metrics
	// are recorded.
	assertThat(mProvisioner.doWork()).isEqualTo(ListenableWorker.Result.success());
	StatsProcessor.PoolStats updatedPool = StatsProcessor.processPool(mRealDao, mServiceName,
	Settings.getExtraSignedKeysAvailable(sContext),
	Settings.getExpirationTime(sContext));

	assertThat(updatedPool.keysInUse + updatedPool.keysUnassigned)
	.isEqualTo(pool.keysInUse + pool.keysUnassigned);
	}
	}