/*
* Copyright (C) 2013 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.android.settings.vpn2;
import android.content.Context;
import android.net.IConnectivityManager;
import android.os.Bundle;
import android.os.Environment;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.os.UserHandle;
import android.security.Credentials;
import android.security.KeyStore;
import android.security.NetworkSecurityPolicy;
import android.test.InstrumentationTestCase;
import android.test.InstrumentationTestRunner;
import android.test.suitebuilder.annotation.LargeTest;
import android.util.Log;
import com.android.internal.net.LegacyVpnInfo;
import com.android.internal.net.VpnConfig;
import com.android.internal.net.VpnProfile;
import java.net.HttpURLConnection;
import java.net.URL;
import junit.framework.Assert;
import libcore.io.Streams;
import org.json.JSONException;
import org.json.JSONObject;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
/**
* Legacy VPN connection tests
*
* To run the test, use command:
* adb shell am instrument -e class com.android.settings.vpn2.VpnTests -e profile foo.xml
* -w com.android.settings.tests/android.test.InstrumentationTestRunner
*
* VPN profiles are saved in an xml file and will be loaded through {@link VpnProfileParser}.
* Push the profile (foo.xml) to the external storage, e.g adb push foo.xml /sdcard/ before running
* the above command.
*
* A typical profile looks like the following:
* <vpn>
* <name></name>
* <type></type>
* <server></server>
* <username></username>
* <password></password>
* <dnsServers></dnsServers>
* <searchDomains></searchDomains>
* <routes></routes>
* <l2tpSecret></l2tpSecret>
* <ipsecIdentifier></ipsecIdentifier>
* <ipsecSecret></ipsecSecret>
* <ipsecUserCert></ipsecUserCert>
* <ipsecCaCert></ipsecCaCert>
* <ipsecServerCert></ipsecServerCert>
* </vpn>
* VPN types include: TYPE_PPTP, TYPE_L2TP_IPSEC_PSK, TYPE_L2TP_IPSEC_RSA,
* TYPE_IPSEC_XAUTH_PSK, TYPE_IPSEC_XAUTH_RSA, TYPE_IPSEC_HYBRID_RSA
*/
public class VpnTests extends InstrumentationTestCase {
private static final String TAG = "VpnTests";
/* Maximum time to wait for VPN connection */
private static final long MAX_CONNECTION_TIME = 5 * 60 * 1000;
private static final long VPN_STAY_TIME = 60 * 1000;
private static final int MAX_DISCONNECTION_TRIES = 3;
private static final String EXTERNAL_SERVER =
"http://ip2country.sourceforge.net/ip2c.php?format=JSON";
private static final String VPN_INTERFACE = "ppp0";
private final IConnectivityManager mService = IConnectivityManager.Stub
.asInterface(ServiceManager.getService(Context.CONNECTIVITY_SERVICE));
private Map<Integer, VpnInfo> mVpnInfoPool = null;
private Context mContext;
private CertInstallerHelper mCertHelper = null;
private KeyStore mKeyStore = KeyStore.getInstance();
private String mPreviousIpAddress = null;
private boolean DEBUG = false;
@Override
protected void setUp() throws Exception {
super.setUp();
InputStream in = null;
InstrumentationTestRunner mRunner = (InstrumentationTestRunner)getInstrumentation();
mContext = mRunner.getContext();
Bundle arguments = mRunner.getArguments();
String PROFILE_NAME = arguments.getString("profile");
Assert.assertNotNull("Push profile to external storage and load with"
+ "'-e profile <filename>'", PROFILE_NAME);
File profileFile = new File(Environment.getExternalStorageDirectory(), PROFILE_NAME);
in = new FileInputStream(profileFile);
mVpnInfoPool = VpnProfileParser.parse(in);
Assert.assertNotNull("no VPN profiles are parsed", mVpnInfoPool);
if (DEBUG) {
Log.v(TAG, "print out the vpn profiles");
for (Map.Entry<Integer, VpnInfo> profileEntrySet: mVpnInfoPool.entrySet()) {
VpnInfo vpnInfo = profileEntrySet.getValue();
printVpnProfile(vpnInfo.getVpnProfile());
if (vpnInfo.getCertificateFile() != null) {
Log.d(TAG, "certificate file for this vpn is " + vpnInfo.getCertificateFile());
}
if (vpnInfo.getPassword() != null) {
Log.d(TAG, "password for the certificate file is: " + vpnInfo.getPassword());
}
}
}
// disconnect existing vpn if there is any
LegacyVpnInfo oldVpn = mService.getLegacyVpnInfo(UserHandle.myUserId());
if (oldVpn != null) {
Log.v(TAG, "disconnect legacy VPN");
disconnect();
// wait till the legacy VPN is disconnected.
int tries = 0;
while (tries < MAX_DISCONNECTION_TRIES &&
mService.getLegacyVpnInfo(UserHandle.myUserId()) != null) {
tries++;
Thread.sleep(10 * 1000);
Log.v(TAG, "Wait for legacy VPN to be disconnected.");
}
Assert.assertNull("Failed to disconect VPN",
mService.getLegacyVpnInfo(UserHandle.myUserId()));
// wait for 30 seconds after the previous VPN is disconnected.
sleep(30 * 1000);
}
// Create CertInstallerHelper to initialize the keystore
mCertHelper = new CertInstallerHelper();
}
@Override
protected void tearDown() throws Exception {
sleep(VPN_STAY_TIME);
super.tearDown();
}
private void printVpnProfile(VpnProfile profile) {
Log.v(TAG, "profile: ");
Log.v(TAG, "key: " + profile.key);
Log.v(TAG, "name: " + profile.name);
Log.v(TAG, "type: " + profile.type);
Log.v(TAG, "server: " + profile.server);
Log.v(TAG, "username: " + profile.username);
Log.v(TAG, "password: " + profile.password);
Log.v(TAG, "dnsServers: " + profile.dnsServers);
Log.v(TAG, "searchDomains: " + profile.searchDomains);
Log.v(TAG, "routes: " + profile.routes);
Log.v(TAG, "mppe: " + profile.mppe);
Log.v(TAG, "l2tpSecret: " + profile.l2tpSecret);
Log.v(TAG, "ipsecIdentifier: " + profile.ipsecIdentifier);
Log.v(TAG, "ipsecSecret: " + profile.ipsecSecret);
Log.v(TAG, "ipsecUserCert: " + profile.ipsecUserCert);
Log.v(TAG, "ipsecCaCert: " + profile.ipsecCaCert);
Log.v(TAG, "ipsecServerCert: " + profile.ipsecServerCert);
}
private void printKeyStore(VpnProfile profile) {
// print out the information from keystore
String privateKey = "";
String userCert = "";
String caCert = "";
String serverCert = "";
if (!profile.ipsecUserCert.isEmpty()) {
privateKey = Credentials.USER_PRIVATE_KEY + profile.ipsecUserCert;
byte[] value = mKeyStore.get(Credentials.USER_CERTIFICATE + profile.ipsecUserCert);
userCert = (value == null) ? null : new String(value, StandardCharsets.UTF_8);
}
if (!profile.ipsecCaCert.isEmpty()) {
byte[] value = mKeyStore.get(Credentials.CA_CERTIFICATE + profile.ipsecCaCert);
caCert = (value == null) ? null : new String(value, StandardCharsets.UTF_8);
}
if (!profile.ipsecServerCert.isEmpty()) {
byte[] value = mKeyStore.get(Credentials.USER_CERTIFICATE + profile.ipsecServerCert);
serverCert = (value == null) ? null : new String(value, StandardCharsets.UTF_8);
}
Log.v(TAG, "privateKey: \n" + ((privateKey == null) ? "" : privateKey));
Log.v(TAG, "userCert: \n" + ((userCert == null) ? "" : userCert));
Log.v(TAG, "caCert: \n" + ((caCert == null) ? "" : caCert));
Log.v(TAG, "serverCert: \n" + ((serverCert == null) ? "" : serverCert));
}
/**
* Connect legacy VPN
*/
private void connect(VpnProfile profile) throws Exception {
try {
mService.startLegacyVpn(profile);
} catch (IllegalStateException e) {
fail(String.format("start legacy vpn: %s failed: %s", profile.name, e.toString()));
}
}
/**
* Disconnect legacy VPN
*/
private void disconnect() throws Exception {
try {
mService.prepareVpn(VpnConfig.LEGACY_VPN, VpnConfig.LEGACY_VPN, UserHandle.myUserId());
} catch (RemoteException e) {
Log.e(TAG, String.format("disconnect VPN exception: %s", e.toString()));
}
}
/**
* Get external IP address
*/
private String getIpAddress() {
String ip = null;
HttpURLConnection urlConnection = null;
// TODO: Rewrite this test to use an HTTPS URL.
// Because this test uses cleartext HTTP, the network security policy of this app needs to
// be temporarily relaxed to permit such traffic.
NetworkSecurityPolicy networkSecurityPolicy = NetworkSecurityPolicy.getInstance();
boolean cleartextTrafficPermittedBeforeTest =
networkSecurityPolicy.isCleartextTrafficPermitted();
networkSecurityPolicy.setCleartextTrafficPermitted(true);
try {
URL url = new URL(EXTERNAL_SERVER);
urlConnection = (HttpURLConnection) url.openConnection();
Log.i(TAG, "Response from httpget: " + urlConnection.getResponseCode());
InputStream is = urlConnection.getInputStream();
String response;
try {
response = new String(Streams.readFully(is), StandardCharsets.UTF_8);
} finally {
is.close();
}
JSONObject json_data = new JSONObject(response);
ip = json_data.getString("ip");
Log.v(TAG, "json_data: " + ip);
} catch (IllegalArgumentException e) {
Log.e(TAG, "exception while getting external IP: " + e.toString());
} catch (IOException e) {
Log.e(TAG, "IOException while getting IP: " + e.toString());
} catch (JSONException e) {
Log.e(TAG, "exception while creating JSONObject: " + e.toString());
} finally {
networkSecurityPolicy.setCleartextTrafficPermitted(cleartextTrafficPermittedBeforeTest);
if (urlConnection != null) {
urlConnection.disconnect();
}
}
return ip;
}
/**
* Verify the vpn connection by checking the VPN state and external IP
*/
private void validateVpnConnection(VpnProfile profile) throws Exception {
validateVpnConnection(profile, false);
}
/**
* Verify the vpn connection by checking the VPN state, external IP or ping test
*/
private void validateVpnConnection(VpnProfile profile, boolean pingTestFlag) throws Exception {
LegacyVpnInfo legacyVpnInfo = mService.getLegacyVpnInfo(UserHandle.myUserId());
Assert.assertTrue(legacyVpnInfo != null);
long start = System.currentTimeMillis();
while (((System.currentTimeMillis() - start) < MAX_CONNECTION_TIME) &&
(legacyVpnInfo.state != LegacyVpnInfo.STATE_CONNECTED)) {
Log.v(TAG, "vpn state: " + legacyVpnInfo.state);
sleep(10 * 1000);
legacyVpnInfo = mService.getLegacyVpnInfo(UserHandle.myUserId());
}
// the vpn state should be CONNECTED
Assert.assertTrue(legacyVpnInfo.state == LegacyVpnInfo.STATE_CONNECTED);
if (pingTestFlag) {
Assert.assertTrue(pingTest(profile.server));
} else {
String curIpAddress = getIpAddress();
// the outgoing IP address should be the same as the VPN server address
Assert.assertEquals(profile.server, curIpAddress);
}
}
private boolean pingTest(String server) {
final long PING_TIMER = 3 * 60 * 1000; // 3 minutes
if (server == null || server.isEmpty()) {
return false;
}
long startTime = System.currentTimeMillis();
while ((System.currentTimeMillis() - startTime) < PING_TIMER) {
try {
Log.v(TAG, "Start ping test, ping " + server);
Process p = Runtime.getRuntime().exec("ping -c 10 -w 100 " + server);
int status = p.waitFor();
if (status == 0) {
// if any of the ping test is successful, return true
return true;
}
} catch (UnknownHostException e) {
Log.e(TAG, "Ping test Fail: Unknown Host");
} catch (IOException e) {
Log.e(TAG, "Ping test Fail: IOException");
} catch (InterruptedException e) {
Log.e(TAG, "Ping test Fail: InterruptedException");
}
}
// ping test timeout
return false;
}
/**
* Install certificates from a file loaded in external stroage on the device
* @param profile vpn profile
* @param fileName certificate file name
* @param password password to extract certificate file
*/
private void installCertificatesFromFile(VpnProfile profile, String fileName, String password)
throws Exception {
if (profile == null || fileName == null || password == null) {
throw new Exception ("vpn profile, certificate file name and password can not be null");
}
int curUid = mContext.getUserId();
mCertHelper.installCertificate(profile, fileName, password);
if (DEBUG) {
printKeyStore(profile);
}
}
private void sleep(long time) {
try {
Thread.sleep(time);
} catch (InterruptedException e) {
Log.e(TAG, "interrupted: " + e.toString());
}
}
/**
* Test PPTP VPN connection
*/
@LargeTest
public void testPPTPConnection() throws Exception {
mPreviousIpAddress = getIpAddress();
VpnInfo curVpnInfo = mVpnInfoPool.get(VpnProfile.TYPE_PPTP);
VpnProfile vpnProfile = curVpnInfo.getVpnProfile();
connect(vpnProfile);
validateVpnConnection(vpnProfile);
}
/**
* Test L2TP/IPSec PSK VPN connection
*/
@LargeTest
public void testL2tpIpsecPskConnection() throws Exception {
mPreviousIpAddress = getIpAddress();
VpnInfo curVpnInfo = mVpnInfoPool.get(VpnProfile.TYPE_L2TP_IPSEC_PSK);
VpnProfile vpnProfile = curVpnInfo.getVpnProfile();
connect(vpnProfile);
validateVpnConnection(vpnProfile);
}
/**
* Test L2TP/IPSec RSA VPN connection
*/
@LargeTest
public void testL2tpIpsecRsaConnection() throws Exception {
mPreviousIpAddress = getIpAddress();
VpnInfo curVpnInfo = mVpnInfoPool.get(VpnProfile.TYPE_L2TP_IPSEC_RSA);
VpnProfile vpnProfile = curVpnInfo.getVpnProfile();
if (DEBUG) {
printVpnProfile(vpnProfile);
}
String certFile = curVpnInfo.getCertificateFile();
String password = curVpnInfo.getPassword();
installCertificatesFromFile(vpnProfile, certFile, password);
connect(vpnProfile);
validateVpnConnection(vpnProfile);
}
/**
* Test IPSec Xauth RSA VPN connection
*/
@LargeTest
public void testIpsecXauthRsaConnection() throws Exception {
mPreviousIpAddress = getIpAddress();
VpnInfo curVpnInfo = mVpnInfoPool.get(VpnProfile.TYPE_IPSEC_XAUTH_RSA);
VpnProfile vpnProfile = curVpnInfo.getVpnProfile();
if (DEBUG) {
printVpnProfile(vpnProfile);
}
String certFile = curVpnInfo.getCertificateFile();
String password = curVpnInfo.getPassword();
installCertificatesFromFile(vpnProfile, certFile, password);
connect(vpnProfile);
validateVpnConnection(vpnProfile);
}
/**
* Test IPSec Xauth PSK VPN connection
*/
@LargeTest
public void testIpsecXauthPskConnection() throws Exception {
VpnInfo curVpnInfo = mVpnInfoPool.get(VpnProfile.TYPE_IPSEC_XAUTH_PSK);
VpnProfile vpnProfile = curVpnInfo.getVpnProfile();
if (DEBUG) {
printVpnProfile(vpnProfile);
}
connect(vpnProfile);
validateVpnConnection(vpnProfile, true);
}
/**
* Test IPSec Hybrid RSA VPN connection
*/
@LargeTest
public void testIpsecHybridRsaConnection() throws Exception {
mPreviousIpAddress = getIpAddress();
VpnInfo curVpnInfo = mVpnInfoPool.get(VpnProfile.TYPE_IPSEC_HYBRID_RSA);
VpnProfile vpnProfile = curVpnInfo.getVpnProfile();
if (DEBUG) {
printVpnProfile(vpnProfile);
}
connect(vpnProfile);
validateVpnConnection(vpnProfile);
}
}