hostsidetests/securitybulletin/test-apps/CVE-2020-0015/src/android/security/cts/CVE_2020_0015/DeviceTest.java

/*
 * Copyright (C) 2022 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.security.cts.CVE_2020_0015;

import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assume.assumeNoException;
import static org.junit.Assume.assumeTrue;

import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.provider.Settings;
import android.security.KeyChain;

import androidx.test.runner.AndroidJUnit4;
import androidx.test.uiautomator.By;
import androidx.test.uiautomator.UiDevice;
import androidx.test.uiautomator.Until;

import org.junit.Test;
import org.junit.runner.RunWith;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.regex.Pattern;

@RunWith(AndroidJUnit4.class)
public class DeviceTest {
    String testVulnerablePackage = "";

    private void startOverlayService() {
        Context context = getApplicationContext();
        assertNotNull(context);
        Intent intent = new Intent(context, PocService.class);

        assumeTrue(context.getString(R.string.canNotDrawOverlaysMsg),
                Settings.canDrawOverlays(getApplicationContext()));
        try {
            context.startService(intent);
        } catch (Exception e) {
            assumeNoException(
                    context.getString(R.string.activityNotStartedException, "overlay service"), e);
        }
    }

    private void startVulnerableActivity() {
        Context context = getApplicationContext();
        assertNotNull(context);

        InputStream inStream = context.getResources().openRawResource(R.raw.cacert);
        assumeTrue(context.getString(R.string.rawResOpenError, "cacert"), inStream != null);
        ByteArrayOutputStream outStream = new ByteArrayOutputStream();
        byte[] data = new byte[1024];
        try {
            int nRead = inStream.read(data, 0, data.length);
            assumeTrue(context.getString(R.string.streamReadError), nRead > 0);
            outStream.write(data, 0, nRead);
        } catch (Exception e) {
            assumeNoException(context.getString(R.string.streamReadWriteException), e);
        }

        Intent intent = KeyChain.createInstallIntent();
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        intent.putExtra(context.getString(R.string.intentExtraKeyName),
                context.getString(R.string.certName));
        intent.putExtra(context.getString(R.string.intentExtraKeyCert), outStream.toByteArray());
        PackageManager pm = context.getPackageManager();
        ResolveInfo ri = pm.resolveActivity(intent, PackageManager.MATCH_DEFAULT_ONLY);
        assumeTrue(context.getString(R.string.activityNotFoundMsg, intent), ri != null);
        testVulnerablePackage = ri.activityInfo.packageName;

        try {
            context.startActivity(intent);
        } catch (ActivityNotFoundException e) {
            assumeNoException(context.getString(R.string.activityNotFoundMsg, intent), e);
        }
    }

    @Test
    public void testOverlayButtonPresence() {
        UiDevice mDevice = UiDevice.getInstance(getInstrumentation());

        /* Start the overlay service */
        startOverlayService();

        /* Wait for the overlay window */
        Context context = getApplicationContext();
        Pattern overlayTextPattern = Pattern.compile(context.getString(R.string.overlayButtonText),
                Pattern.CASE_INSENSITIVE);
        final int launchTimeoutMs = 20000;
        assumeTrue(context.getString(R.string.overlayUiScreenError),
                mDevice.wait(Until.hasObject(By.text(overlayTextPattern)), launchTimeoutMs));

        /* Start the vulnerable activity */
        startVulnerableActivity();

        /* Wait until the object of launcher activity is gone */
        boolean overlayDisallowed = false;
        if (mDevice.wait(Until.gone(By.pkg(context.getString(R.string.testPkg))),
                launchTimeoutMs)) {
            overlayDisallowed = true;
        }

        /* Check if the currently running activity is the vulnerable activity */
        String activityDump = "";
        try {
            activityDump = mDevice.executeShellCommand(
                    context.getString(R.string.dumpsysActivityCmd, testVulnerablePackage));
        } catch (IOException e) {
            assumeNoException(context.getString(R.string.dumpsysActivityException), e);
        }
        Pattern activityPattern =
                Pattern.compile(context.getString(R.string.mResumedTrue), Pattern.CASE_INSENSITIVE);
        assumeTrue(context.getString(R.string.vulActivityNotRunningError, testVulnerablePackage),
                activityPattern.matcher(activityDump).find());

        /* Failing the test as fix is not present */
        assertTrue(context.getString(R.string.overlayErrorMessage, testVulnerablePackage),
                overlayDisallowed);
    }
}