tests/net/java/com/android/server/IpSecServiceTest.java - platform/frameworks/base - Git at Google

 /*
  * Copyright (C) 2017 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package com.android.server;

 import static android.system.OsConstants.AF_INET;
 import static android.system.OsConstants.EADDRINUSE;
 import static android.system.OsConstants.IPPROTO_UDP;
 import static android.system.OsConstants.SOCK_DGRAM;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.mockito.Matchers.anyInt;
 import static org.mockito.Matchers.anyString;
 import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;

 import android.content.Context;
 import android.net.INetd;
 import android.net.IpSecManager;
 import android.net.IpSecSpiResponse;
 import android.net.IpSecTransform;
 import android.net.IpSecUdpEncapResponse;
 import android.os.Binder;
 import android.os.ParcelFileDescriptor;
 import android.support.test.filters.SmallTest;
 import android.support.test.runner.AndroidJUnit4;
 import android.system.ErrnoException;
 import android.system.Os;

 import java.io.FileDescriptor;
 import java.net.InetAddress;
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.UnknownHostException;
 import java.util.ArrayList;
 import java.util.List;

 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;

 /** Unit tests for {@link IpSecService}. */
 @SmallTest
 @RunWith(AndroidJUnit4.class)
 public class IpSecServiceTest {

     private static final int DROID_SPI = 0xD1201D;
     private static final int MAX_NUM_ENCAP_SOCKETS = 100;
     private static final int MAX_NUM_SPIS = 100;
     private static final int TEST_UDP_ENCAP_INVALID_PORT = 100;
     private static final int TEST_UDP_ENCAP_PORT_OUT_RANGE = 100000;

     private static final InetAddress INADDR_ANY;

     static {
         try {
             INADDR_ANY = InetAddress.getByAddress(new byte[] {0, 0, 0, 0});
         } catch (UnknownHostException e) {
             throw new RuntimeException(e);
         }
     }

     Context mMockContext;
     INetd mMockNetd;
     IpSecService.IpSecServiceConfiguration mMockIpSecSrvConfig;
     IpSecService mIpSecService;

     @Before
     public void setUp() throws Exception {
         mMockContext = mock(Context.class);
         mMockNetd = mock(INetd.class);
         mMockIpSecSrvConfig = mock(IpSecService.IpSecServiceConfiguration.class);
         mIpSecService = new IpSecService(mMockContext, mMockIpSecSrvConfig);

         // Injecting mock netd
         when(mMockIpSecSrvConfig.getNetdInstance()).thenReturn(mMockNetd);
     }

     @Test
     public void testIpSecServiceCreate() throws InterruptedException {
         IpSecService ipSecSrv = IpSecService.create(mMockContext);
         assertNotNull(ipSecSrv);
     }

     @Test
     public void testReleaseInvalidSecurityParameterIndex() throws Exception {
         try {
             mIpSecService.releaseSecurityParameterIndex(1);
             fail("IllegalArgumentException not thrown");
         } catch (IllegalArgumentException e) {
         }
     }

     /** This function finds an available port */
     int findUnusedPort() throws Exception {
         // Get an available port.
         ServerSocket s = new ServerSocket(0);
         int port = s.getLocalPort();
         s.close();
         return port;
     }

     @Test
     public void testOpenAndCloseUdpEncapsulationSocket() throws Exception {
         int localport = findUnusedPort();

         IpSecUdpEncapResponse udpEncapResp =
                 mIpSecService.openUdpEncapsulationSocket(localport, new Binder());
         assertNotNull(udpEncapResp);
         assertEquals(IpSecManager.Status.OK, udpEncapResp.status);
         assertEquals(localport, udpEncapResp.port);

         mIpSecService.closeUdpEncapsulationSocket(udpEncapResp.resourceId);
         udpEncapResp.fileDescriptor.close();

         IpSecService.UserRecord userRecord =
                 mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid());
         assertEquals(0, userRecord.mSocketQuotaTracker.mCurrent);
         try {
             userRecord.mEncapSocketRecords.getRefcountedResourceOrThrow(udpEncapResp.resourceId);
             fail("Expected IllegalArgumentException on attempt to access deleted resource");
         } catch (IllegalArgumentException expected) {

         }
     }

     @Test
     public void testUdpEncapsulationSocketBinderDeath() throws Exception {
         int localport = findUnusedPort();

         IpSecUdpEncapResponse udpEncapResp =
                 mIpSecService.openUdpEncapsulationSocket(localport, new Binder());

         IpSecService.UserRecord userRecord =
                 mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid());
         IpSecService.RefcountedResource refcountedRecord =
                 userRecord.mEncapSocketRecords.getRefcountedResourceOrThrow(
                         udpEncapResp.resourceId);

         refcountedRecord.binderDied();

         assertEquals(0, userRecord.mSocketQuotaTracker.mCurrent);
         try {
             userRecord.mEncapSocketRecords.getRefcountedResourceOrThrow(udpEncapResp.resourceId);
             fail("Expected IllegalArgumentException on attempt to access deleted resource");
         } catch (IllegalArgumentException expected) {

         }
     }

     @Test
     public void testOpenUdpEncapsulationSocketAfterClose() throws Exception {
         int localport = findUnusedPort();
         IpSecUdpEncapResponse udpEncapResp =
                 mIpSecService.openUdpEncapsulationSocket(localport, new Binder());
         assertNotNull(udpEncapResp);
         assertEquals(IpSecManager.Status.OK, udpEncapResp.status);
         assertEquals(localport, udpEncapResp.port);

         mIpSecService.closeUdpEncapsulationSocket(udpEncapResp.resourceId);
         udpEncapResp.fileDescriptor.close();

         /** Check if localport is available. */
         FileDescriptor newSocket = Os.socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
         Os.bind(newSocket, INADDR_ANY, localport);
         Os.close(newSocket);
     }

     /**
      * This function checks if the IpSecService holds the reserved port. If
      * closeUdpEncapsulationSocket is not called, the socket cleanup should not be complete.
      */
     @Test
     public void testUdpEncapPortNotReleased() throws Exception {
         int localport = findUnusedPort();
         IpSecUdpEncapResponse udpEncapResp =
                 mIpSecService.openUdpEncapsulationSocket(localport, new Binder());
         assertNotNull(udpEncapResp);
         assertEquals(IpSecManager.Status.OK, udpEncapResp.status);
         assertEquals(localport, udpEncapResp.port);

         udpEncapResp.fileDescriptor.close();

         FileDescriptor newSocket = Os.socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
         try {
             Os.bind(newSocket, INADDR_ANY, localport);
             fail("ErrnoException not thrown");
         } catch (ErrnoException e) {
             assertEquals(EADDRINUSE, e.errno);
         }
         mIpSecService.closeUdpEncapsulationSocket(udpEncapResp.resourceId);
     }

     @Test
     public void testOpenUdpEncapsulationSocketOnRandomPort() throws Exception {
         IpSecUdpEncapResponse udpEncapResp =
                 mIpSecService.openUdpEncapsulationSocket(0, new Binder());
         assertNotNull(udpEncapResp);
         assertEquals(IpSecManager.Status.OK, udpEncapResp.status);
         assertNotEquals(0, udpEncapResp.port);
         mIpSecService.closeUdpEncapsulationSocket(udpEncapResp.resourceId);
         udpEncapResp.fileDescriptor.close();
     }

     @Test
     public void testOpenUdpEncapsulationSocketPortRange() throws Exception {
         try {
             mIpSecService.openUdpEncapsulationSocket(TEST_UDP_ENCAP_INVALID_PORT, new Binder());
             fail("IllegalArgumentException not thrown");
         } catch (IllegalArgumentException e) {
         }

         try {
             mIpSecService.openUdpEncapsulationSocket(TEST_UDP_ENCAP_PORT_OUT_RANGE, new Binder());
             fail("IllegalArgumentException not thrown");
         } catch (IllegalArgumentException e) {
         }
     }

     @Test
     public void testOpenUdpEncapsulationSocketTwice() throws Exception {
         int localport = findUnusedPort();

         IpSecUdpEncapResponse udpEncapResp =
                 mIpSecService.openUdpEncapsulationSocket(localport, new Binder());
         assertNotNull(udpEncapResp);
         assertEquals(IpSecManager.Status.OK, udpEncapResp.status);
         assertEquals(localport, udpEncapResp.port);
         mIpSecService.openUdpEncapsulationSocket(localport, new Binder());

         IpSecUdpEncapResponse testUdpEncapResp =
                 mIpSecService.openUdpEncapsulationSocket(localport, new Binder());
         assertEquals(IpSecManager.Status.RESOURCE_UNAVAILABLE, testUdpEncapResp.status);

         mIpSecService.closeUdpEncapsulationSocket(udpEncapResp.resourceId);
         udpEncapResp.fileDescriptor.close();
     }

     @Test
     public void testCloseInvalidUdpEncapsulationSocket() throws Exception {
         try {
             mIpSecService.closeUdpEncapsulationSocket(1);
             fail("IllegalArgumentException not thrown");
         } catch (IllegalArgumentException e) {
         }
     }

     @Test
     public void testDeleteInvalidTransportModeTransform() throws Exception {
         try {
             mIpSecService.deleteTransportModeTransform(1);
             fail("IllegalArgumentException not thrown");
         } catch (IllegalArgumentException e) {
         }
     }

     @Test
     public void testRemoveTransportModeTransform() throws Exception {
         ParcelFileDescriptor pfd = ParcelFileDescriptor.fromSocket(new Socket());
         mIpSecService.removeTransportModeTransform(pfd, 1);

         verify(mMockNetd).ipSecRemoveTransportModeTransform(pfd.getFileDescriptor());
     }

     @Test
     public void testValidateIpAddresses() throws Exception {
         String[] invalidAddresses =
                 new String[] {"www.google.com", "::", "2001::/64", "0.0.0.0", ""};
         for (String address : invalidAddresses) {
             try {
                 IpSecSpiResponse spiResp =
                         mIpSecService.allocateSecurityParameterIndex(
                                 IpSecTransform.DIRECTION_OUT, address, DROID_SPI, new Binder());
                 fail("Invalid address was passed through IpSecService validation: " + address);
             } catch (IllegalArgumentException e) {
             } catch (Exception e) {
                 fail(
                         "Invalid InetAddress was not caught in validation: "
                                 + address
                                 + ", Exception: "
                                 + e);
             }
         }
     }

     /**
      * This function checks if the number of encap UDP socket that one UID can reserve has a
      * reasonable limit.
      */
     @Test
     public void testSocketResourceTrackerLimitation() throws Exception {
         List<IpSecUdpEncapResponse> openUdpEncapSockets = new ArrayList<IpSecUdpEncapResponse>();
         // Reserve sockets until it fails.
         for (int i = 0; i < MAX_NUM_ENCAP_SOCKETS; i++) {
             IpSecUdpEncapResponse newUdpEncapSocket =
                     mIpSecService.openUdpEncapsulationSocket(0, new Binder());
             assertNotNull(newUdpEncapSocket);
             if (IpSecManager.Status.OK != newUdpEncapSocket.status) {
                 break;
             }
             openUdpEncapSockets.add(newUdpEncapSocket);
         }
         // Assert that the total sockets quota has a reasonable limit.
         assertTrue("No UDP encap socket was open", !openUdpEncapSockets.isEmpty());
         assertTrue(
                 "Number of open UDP encap sockets is out of bound",
                 openUdpEncapSockets.size() < MAX_NUM_ENCAP_SOCKETS);

         // Try to reserve one more UDP encapsulation socket, and should fail.
         IpSecUdpEncapResponse extraUdpEncapSocket =
                 mIpSecService.openUdpEncapsulationSocket(0, new Binder());
         assertNotNull(extraUdpEncapSocket);
         assertEquals(IpSecManager.Status.RESOURCE_UNAVAILABLE, extraUdpEncapSocket.status);

         // Close one of the open UDP encapsulation sockets.
         mIpSecService.closeUdpEncapsulationSocket(openUdpEncapSockets.get(0).resourceId);
         openUdpEncapSockets.get(0).fileDescriptor.close();
         openUdpEncapSockets.remove(0);

         // Try to reserve one more UDP encapsulation socket, and should be successful.
         extraUdpEncapSocket = mIpSecService.openUdpEncapsulationSocket(0, new Binder());
         assertNotNull(extraUdpEncapSocket);
         assertEquals(IpSecManager.Status.OK, extraUdpEncapSocket.status);
         openUdpEncapSockets.add(extraUdpEncapSocket);

         // Close open UDP sockets.
         for (IpSecUdpEncapResponse openSocket : openUdpEncapSockets) {
             mIpSecService.closeUdpEncapsulationSocket(openSocket.resourceId);
             openSocket.fileDescriptor.close();
         }
     }

     /**
      * This function checks if the number of SPI that one UID can reserve has a reasonable limit.
      * This test does not test for both address families or duplicate SPIs because resource tracking
      * code does not depend on them.
      */
     @Test
     public void testSpiResourceTrackerLimitation() throws Exception {
         List<IpSecSpiResponse> reservedSpis = new ArrayList<IpSecSpiResponse>();
         // Return the same SPI for all SPI allocation since IpSecService only
         // tracks the resource ID.
         when(mMockNetd.ipSecAllocateSpi(
                         anyInt(),
                         eq(IpSecTransform.DIRECTION_OUT),
                         anyString(),
                         eq(InetAddress.getLoopbackAddress().getHostAddress()),
                         anyInt()))
                 .thenReturn(DROID_SPI);
         // Reserve spis until it fails.
         for (int i = 0; i < MAX_NUM_SPIS; i++) {
             IpSecSpiResponse newSpi =
                     mIpSecService.allocateSecurityParameterIndex(
                             0x1,
                             InetAddress.getLoopbackAddress().getHostAddress(),
                             DROID_SPI + i,
                             new Binder());
             assertNotNull(newSpi);
             if (IpSecManager.Status.OK != newSpi.status) {
                 break;
             }
             reservedSpis.add(newSpi);
         }
         // Assert that the SPI quota has a reasonable limit.
         assertTrue(reservedSpis.size() > 0 && reservedSpis.size() < MAX_NUM_SPIS);

         // Try to reserve one more SPI, and should fail.
         IpSecSpiResponse extraSpi =
                 mIpSecService.allocateSecurityParameterIndex(
                         0x1,
                         InetAddress.getLoopbackAddress().getHostAddress(),
                         DROID_SPI + MAX_NUM_SPIS,
                         new Binder());
         assertNotNull(extraSpi);
         assertEquals(IpSecManager.Status.RESOURCE_UNAVAILABLE, extraSpi.status);

         // Release one reserved spi.
         mIpSecService.releaseSecurityParameterIndex(reservedSpis.get(0).resourceId);
         reservedSpis.remove(0);

         // Should successfully reserve one more spi.
         extraSpi =
                 mIpSecService.allocateSecurityParameterIndex(
                         0x1,
                         InetAddress.getLoopbackAddress().getHostAddress(),
                         DROID_SPI + MAX_NUM_SPIS,
                         new Binder());
         assertNotNull(extraSpi);
         assertEquals(IpSecManager.Status.OK, extraSpi.status);

         // Release reserved SPIs.
         for (IpSecSpiResponse spiResp : reservedSpis) {
             mIpSecService.releaseSecurityParameterIndex(spiResp.resourceId);
         }
     }
 }
	/*
	* Copyright (C) 2017 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package com.android.server;

	import static android.system.OsConstants.AF_INET;
	import static android.system.OsConstants.EADDRINUSE;
	import static android.system.OsConstants.IPPROTO_UDP;
	import static android.system.OsConstants.SOCK_DGRAM;
	import static org.junit.Assert.assertEquals;
	import static org.junit.Assert.assertNotEquals;
	import static org.junit.Assert.assertNotNull;
	import static org.junit.Assert.assertTrue;
	import static org.junit.Assert.fail;
	import static org.mockito.Matchers.anyInt;
	import static org.mockito.Matchers.anyString;
	import static org.mockito.Matchers.eq;
	import static org.mockito.Mockito.mock;
	import static org.mockito.Mockito.verify;
	import static org.mockito.Mockito.when;

	import android.content.Context;
	import android.net.INetd;
	import android.net.IpSecManager;
	import android.net.IpSecSpiResponse;
	import android.net.IpSecTransform;
	import android.net.IpSecUdpEncapResponse;
	import android.os.Binder;
	import android.os.ParcelFileDescriptor;
	import android.support.test.filters.SmallTest;
	import android.support.test.runner.AndroidJUnit4;
	import android.system.ErrnoException;
	import android.system.Os;

	import java.io.FileDescriptor;
	import java.net.InetAddress;
	import java.net.ServerSocket;
	import java.net.Socket;
	import java.net.UnknownHostException;
	import java.util.ArrayList;
	import java.util.List;

	import org.junit.Before;
	import org.junit.Test;
	import org.junit.runner.RunWith;

	/** Unit tests for {@link IpSecService}. */
	@SmallTest
	@RunWith(AndroidJUnit4.class)
	public class IpSecServiceTest {

	private static final int DROID_SPI = 0xD1201D;
	private static final int MAX_NUM_ENCAP_SOCKETS = 100;
	private static final int MAX_NUM_SPIS = 100;
	private static final int TEST_UDP_ENCAP_INVALID_PORT = 100;
	private static final int TEST_UDP_ENCAP_PORT_OUT_RANGE = 100000;

	private static final InetAddress INADDR_ANY;

	static {
	try {
	INADDR_ANY = InetAddress.getByAddress(new byte[] {0, 0, 0, 0});
	} catch (UnknownHostException e) {
	throw new RuntimeException(e);
	}
	}

	Context mMockContext;
	INetd mMockNetd;
	IpSecService.IpSecServiceConfiguration mMockIpSecSrvConfig;
	IpSecService mIpSecService;

	@Before
	public void setUp() throws Exception {
	mMockContext = mock(Context.class);
	mMockNetd = mock(INetd.class);
	mMockIpSecSrvConfig = mock(IpSecService.IpSecServiceConfiguration.class);
	mIpSecService = new IpSecService(mMockContext, mMockIpSecSrvConfig);

	// Injecting mock netd
	when(mMockIpSecSrvConfig.getNetdInstance()).thenReturn(mMockNetd);
	}

	@Test
	public void testIpSecServiceCreate() throws InterruptedException {
	IpSecService ipSecSrv = IpSecService.create(mMockContext);
	assertNotNull(ipSecSrv);
	}

	@Test
	public void testReleaseInvalidSecurityParameterIndex() throws Exception {
	try {
	mIpSecService.releaseSecurityParameterIndex(1);
	fail("IllegalArgumentException not thrown");
	} catch (IllegalArgumentException e) {
	}
	}

	/** This function finds an available port */
	int findUnusedPort() throws Exception {
	// Get an available port.
	ServerSocket s = new ServerSocket(0);
	int port = s.getLocalPort();
	s.close();
	return port;
	}

	@Test
	public void testOpenAndCloseUdpEncapsulationSocket() throws Exception {
	int localport = findUnusedPort();

	IpSecUdpEncapResponse udpEncapResp =
	mIpSecService.openUdpEncapsulationSocket(localport, new Binder());
	assertNotNull(udpEncapResp);
	assertEquals(IpSecManager.Status.OK, udpEncapResp.status);
	assertEquals(localport, udpEncapResp.port);

	mIpSecService.closeUdpEncapsulationSocket(udpEncapResp.resourceId);
	udpEncapResp.fileDescriptor.close();

	IpSecService.UserRecord userRecord =
	mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid());
	assertEquals(0, userRecord.mSocketQuotaTracker.mCurrent);
	try {
	userRecord.mEncapSocketRecords.getRefcountedResourceOrThrow(udpEncapResp.resourceId);
	fail("Expected IllegalArgumentException on attempt to access deleted resource");
	} catch (IllegalArgumentException expected) {

	}
	}

	@Test
	public void testUdpEncapsulationSocketBinderDeath() throws Exception {
	int localport = findUnusedPort();

	IpSecUdpEncapResponse udpEncapResp =
	mIpSecService.openUdpEncapsulationSocket(localport, new Binder());

	IpSecService.UserRecord userRecord =
	mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid());
	IpSecService.RefcountedResource refcountedRecord =
	userRecord.mEncapSocketRecords.getRefcountedResourceOrThrow(
	udpEncapResp.resourceId);

	refcountedRecord.binderDied();

	assertEquals(0, userRecord.mSocketQuotaTracker.mCurrent);
	try {
	userRecord.mEncapSocketRecords.getRefcountedResourceOrThrow(udpEncapResp.resourceId);
	fail("Expected IllegalArgumentException on attempt to access deleted resource");
	} catch (IllegalArgumentException expected) {

	}
	}

	@Test
	public void testOpenUdpEncapsulationSocketAfterClose() throws Exception {
	int localport = findUnusedPort();
	IpSecUdpEncapResponse udpEncapResp =
	mIpSecService.openUdpEncapsulationSocket(localport, new Binder());
	assertNotNull(udpEncapResp);
	assertEquals(IpSecManager.Status.OK, udpEncapResp.status);
	assertEquals(localport, udpEncapResp.port);

	mIpSecService.closeUdpEncapsulationSocket(udpEncapResp.resourceId);
	udpEncapResp.fileDescriptor.close();

	/** Check if localport is available. */
	FileDescriptor newSocket = Os.socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
	Os.bind(newSocket, INADDR_ANY, localport);
	Os.close(newSocket);
	}

	/**
	* This function checks if the IpSecService holds the reserved port. If
	* closeUdpEncapsulationSocket is not called, the socket cleanup should not be complete.
	*/
	@Test
	public void testUdpEncapPortNotReleased() throws Exception {
	int localport = findUnusedPort();
	IpSecUdpEncapResponse udpEncapResp =
	mIpSecService.openUdpEncapsulationSocket(localport, new Binder());
	assertNotNull(udpEncapResp);
	assertEquals(IpSecManager.Status.OK, udpEncapResp.status);
	assertEquals(localport, udpEncapResp.port);

	udpEncapResp.fileDescriptor.close();

	FileDescriptor newSocket = Os.socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
	try {
	Os.bind(newSocket, INADDR_ANY, localport);
	fail("ErrnoException not thrown");
	} catch (ErrnoException e) {
	assertEquals(EADDRINUSE, e.errno);
	}
	mIpSecService.closeUdpEncapsulationSocket(udpEncapResp.resourceId);
	}

	@Test
	public void testOpenUdpEncapsulationSocketOnRandomPort() throws Exception {
	IpSecUdpEncapResponse udpEncapResp =
	mIpSecService.openUdpEncapsulationSocket(0, new Binder());
	assertNotNull(udpEncapResp);
	assertEquals(IpSecManager.Status.OK, udpEncapResp.status);
	assertNotEquals(0, udpEncapResp.port);
	mIpSecService.closeUdpEncapsulationSocket(udpEncapResp.resourceId);
	udpEncapResp.fileDescriptor.close();
	}

	@Test
	public void testOpenUdpEncapsulationSocketPortRange() throws Exception {
	try {
	mIpSecService.openUdpEncapsulationSocket(TEST_UDP_ENCAP_INVALID_PORT, new Binder());
	fail("IllegalArgumentException not thrown");
	} catch (IllegalArgumentException e) {
	}

	try {
	mIpSecService.openUdpEncapsulationSocket(TEST_UDP_ENCAP_PORT_OUT_RANGE, new Binder());
	fail("IllegalArgumentException not thrown");
	} catch (IllegalArgumentException e) {
	}
	}

	@Test
	public void testOpenUdpEncapsulationSocketTwice() throws Exception {
	int localport = findUnusedPort();

	IpSecUdpEncapResponse udpEncapResp =
	mIpSecService.openUdpEncapsulationSocket(localport, new Binder());
	assertNotNull(udpEncapResp);
	assertEquals(IpSecManager.Status.OK, udpEncapResp.status);
	assertEquals(localport, udpEncapResp.port);
	mIpSecService.openUdpEncapsulationSocket(localport, new Binder());

	IpSecUdpEncapResponse testUdpEncapResp =
	mIpSecService.openUdpEncapsulationSocket(localport, new Binder());
	assertEquals(IpSecManager.Status.RESOURCE_UNAVAILABLE, testUdpEncapResp.status);

	mIpSecService.closeUdpEncapsulationSocket(udpEncapResp.resourceId);
	udpEncapResp.fileDescriptor.close();
	}

	@Test
	public void testCloseInvalidUdpEncapsulationSocket() throws Exception {
	try {
	mIpSecService.closeUdpEncapsulationSocket(1);
	fail("IllegalArgumentException not thrown");
	} catch (IllegalArgumentException e) {
	}
	}

	@Test
	public void testDeleteInvalidTransportModeTransform() throws Exception {
	try {
	mIpSecService.deleteTransportModeTransform(1);
	fail("IllegalArgumentException not thrown");
	} catch (IllegalArgumentException e) {
	}
	}

	@Test
	public void testRemoveTransportModeTransform() throws Exception {
	ParcelFileDescriptor pfd = ParcelFileDescriptor.fromSocket(new Socket());
	mIpSecService.removeTransportModeTransform(pfd, 1);

	verify(mMockNetd).ipSecRemoveTransportModeTransform(pfd.getFileDescriptor());
	}

	@Test
	public void testValidateIpAddresses() throws Exception {
	String[] invalidAddresses =
	new String[] {"www.google.com", "::", "2001::/64", "0.0.0.0", ""};
	for (String address : invalidAddresses) {
	try {
	IpSecSpiResponse spiResp =
	mIpSecService.allocateSecurityParameterIndex(
	IpSecTransform.DIRECTION_OUT, address, DROID_SPI, new Binder());
	fail("Invalid address was passed through IpSecService validation: " + address);
	} catch (IllegalArgumentException e) {
	} catch (Exception e) {
	fail(
	"Invalid InetAddress was not caught in validation: "
	+ address
	+ ", Exception: "
	+ e);
	}
	}
	}

	/**
	* This function checks if the number of encap UDP socket that one UID can reserve has a
	* reasonable limit.
	*/
	@Test
	public void testSocketResourceTrackerLimitation() throws Exception {
	List<IpSecUdpEncapResponse> openUdpEncapSockets = new ArrayList<IpSecUdpEncapResponse>();
	// Reserve sockets until it fails.
	for (int i = 0; i < MAX_NUM_ENCAP_SOCKETS; i++) {
	IpSecUdpEncapResponse newUdpEncapSocket =
	mIpSecService.openUdpEncapsulationSocket(0, new Binder());
	assertNotNull(newUdpEncapSocket);
	if (IpSecManager.Status.OK != newUdpEncapSocket.status) {
	break;
	}
	openUdpEncapSockets.add(newUdpEncapSocket);
	}
	// Assert that the total sockets quota has a reasonable limit.
	assertTrue("No UDP encap socket was open", !openUdpEncapSockets.isEmpty());
	assertTrue(
	"Number of open UDP encap sockets is out of bound",
	openUdpEncapSockets.size() < MAX_NUM_ENCAP_SOCKETS);

	// Try to reserve one more UDP encapsulation socket, and should fail.
	IpSecUdpEncapResponse extraUdpEncapSocket =
	mIpSecService.openUdpEncapsulationSocket(0, new Binder());
	assertNotNull(extraUdpEncapSocket);
	assertEquals(IpSecManager.Status.RESOURCE_UNAVAILABLE, extraUdpEncapSocket.status);

	// Close one of the open UDP encapsulation sockets.
	mIpSecService.closeUdpEncapsulationSocket(openUdpEncapSockets.get(0).resourceId);
	openUdpEncapSockets.get(0).fileDescriptor.close();
	openUdpEncapSockets.remove(0);

	// Try to reserve one more UDP encapsulation socket, and should be successful.
	extraUdpEncapSocket = mIpSecService.openUdpEncapsulationSocket(0, new Binder());
	assertNotNull(extraUdpEncapSocket);
	assertEquals(IpSecManager.Status.OK, extraUdpEncapSocket.status);
	openUdpEncapSockets.add(extraUdpEncapSocket);

	// Close open UDP sockets.
	for (IpSecUdpEncapResponse openSocket : openUdpEncapSockets) {
	mIpSecService.closeUdpEncapsulationSocket(openSocket.resourceId);
	openSocket.fileDescriptor.close();
	}
	}

	/**
	* This function checks if the number of SPI that one UID can reserve has a reasonable limit.
	* This test does not test for both address families or duplicate SPIs because resource tracking
	* code does not depend on them.
	*/
	@Test
	public void testSpiResourceTrackerLimitation() throws Exception {
	List<IpSecSpiResponse> reservedSpis = new ArrayList<IpSecSpiResponse>();
	// Return the same SPI for all SPI allocation since IpSecService only
	// tracks the resource ID.
	when(mMockNetd.ipSecAllocateSpi(
	anyInt(),
	eq(IpSecTransform.DIRECTION_OUT),
	anyString(),
	eq(InetAddress.getLoopbackAddress().getHostAddress()),
	anyInt()))
	.thenReturn(DROID_SPI);
	// Reserve spis until it fails.
	for (int i = 0; i < MAX_NUM_SPIS; i++) {
	IpSecSpiResponse newSpi =
	mIpSecService.allocateSecurityParameterIndex(
	0x1,
	InetAddress.getLoopbackAddress().getHostAddress(),
	DROID_SPI + i,
	new Binder());
	assertNotNull(newSpi);
	if (IpSecManager.Status.OK != newSpi.status) {
	break;
	}
	reservedSpis.add(newSpi);
	}
	// Assert that the SPI quota has a reasonable limit.
	assertTrue(reservedSpis.size() > 0 && reservedSpis.size() < MAX_NUM_SPIS);

	// Try to reserve one more SPI, and should fail.
	IpSecSpiResponse extraSpi =
	mIpSecService.allocateSecurityParameterIndex(
	0x1,
	InetAddress.getLoopbackAddress().getHostAddress(),
	DROID_SPI + MAX_NUM_SPIS,
	new Binder());
	assertNotNull(extraSpi);
	assertEquals(IpSecManager.Status.RESOURCE_UNAVAILABLE, extraSpi.status);

	// Release one reserved spi.
	mIpSecService.releaseSecurityParameterIndex(reservedSpis.get(0).resourceId);
	reservedSpis.remove(0);

	// Should successfully reserve one more spi.
	extraSpi =
	mIpSecService.allocateSecurityParameterIndex(
	0x1,
	InetAddress.getLoopbackAddress().getHostAddress(),
	DROID_SPI + MAX_NUM_SPIS,
	new Binder());
	assertNotNull(extraSpi);
	assertEquals(IpSecManager.Status.OK, extraSpi.status);

	// Release reserved SPIs.
	for (IpSecSpiResponse spiResp : reservedSpis) {
	mIpSecService.releaseSecurityParameterIndex(spiResp.resourceId);
	}
	}
	}