drgreen/android_frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
android_frameworks_base/test-mock/src/android/test/mock/MockContentProvider.java

379 lines
14 KiB
Java
Raw Normal View History

auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
/*
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
* Copyright (C) 2009 The Android Open Source Project
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.test.mock;
Detailed ContentProvider permissions checks. The new MediaProvider design has an internal dynamic security model based on the value stored in OWNER_PACKAGE_NAME, so the OS always needs to consult the provider when resolving Uri permission grants. Blocking calls from the system process like this are typically discouraged, but this is the best we can do with the limited time left, and there is existing precident with getType(). For now, use "forceUriPermissions" as a proxy for determining when we need to consult the provider directly. Bug: 115619667 Test: atest --test-mapping packages/providers/MediaProvider Test: atest android.appsecurity.cts.ExternalStorageHostTest Change-Id: I1d54feeec93fbb4cf5ff55240ef4eae3a35ed068
2019-05-20 14:00:17 -06:00
import android.annotation.NonNull;
Replace ContentProvider SQL args w/ Bundle & Constants. Test: cts-tradefed run cts-dev -m CtsContentTestCases Bug: 30927484 Change-Id: Idb9dbc2b80896e9f8474a0db71353b7a3810d597
2016-12-02 11:35:35 -08:00
import android.annotation.Nullable;
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
import android.content.AttributionSource;
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
import android.content.ContentProvider;
import android.content.ContentProviderOperation;
import android.content.ContentProviderResult;
Add async version of getProviderMimeType Fixes: b/147646960 Test: atest FrameworksCoreTests:android.content.ContentResolverTest Change-Id: I04c15ac008fe14b215f954af150226dc94f22232
2020-01-16 17:00:02 -08:00
import android.content.ContentResolver;
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
import android.content.ContentValues;
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
import android.content.Context;
import android.content.IContentProvider;
Detailed ContentProvider permissions checks. The new MediaProvider design has an internal dynamic security model based on the value stored in OWNER_PACKAGE_NAME, so the OS always needs to consult the provider when resolving Uri permission grants. Blocking calls from the system process like this are typically discouraged, but this is the best we can do with the limited time left, and there is existing precident with getType(). For now, use "forceUriPermissions" as a proxy for determining when we need to consult the provider directly. Bug: 115619667 Test: atest --test-mapping packages/providers/MediaProvider Test: atest android.appsecurity.cts.ExternalStorageHostTest Change-Id: I1d54feeec93fbb4cf5ff55240ef4eae3a35ed068
2019-05-20 14:00:17 -06:00
import android.content.Intent;
add ipc support to batching
2009-05-15 15:10:40 -07:00
import android.content.OperationApplicationException;
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
import android.content.pm.PathPermission;
import android.content.pm.ProviderInfo;
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
import android.content.res.AssetFileDescriptor;
import android.database.Cursor;
import android.net.Uri;
Add async version of getProviderMimeType Fixes: b/147646960 Test: atest FrameworksCoreTests:android.content.ContentResolverTest Change-Id: I04c15ac008fe14b215f954af150226dc94f22232
2020-01-16 17:00:02 -08:00
import android.os.AsyncTask;
Don't use impl lib of android.test.[mock|base|runners] The java_sdk_library modules are now added with 'default_to_stubs: true' so that their impl libraries are not used even when the clients don't have sdk_version property set. This will allow us to replace the direct references to the stub libraries of the java_sdk_library modules with the references to the modules themselves (e.g. android.test.base.stubs -> android.test.base) in many of the CTS tests without unintentionally exposing the private APIs in the impl lib. As part of the change, MockContentProvider.getIContentProviderBinder() now returns an anonymous Binder object instead of throwing an exception. This is to eliminate the need for clients to override the now inaccessible method to escape from the exception. Also, InstrumentationTestRunner.addTestListener method is added to the stub because it is used by several tests (MtpServiceTests, etc.) Bug: 157007292 Test: m Change-Id: I14cf217f21fd3534c920c3a6336cf2d14c02e60c
2020-05-29 10:51:18 +09:00
import android.os.Binder;
Add "call" method on ContentProvider. This permits implementing interfaces which are faster than using remote Cursors. It then uses it for Settings & SettingProvider, which together account for ~50% of total ContentProvider event loop stalls across Froyo dogfooders. For fetching Settings this looks like it should reduce average Settings lookup from 10 ms to 0.4 ms on Sholes, once the SettingsProvider serves most gets from in-memory cache. Currently it brings the Sholes average down from 10ms to 2.5 ms while still using SQLite queries on each get.
2010-03-04 17:48:13 -08:00
import android.os.Bundle;
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
import android.os.IBinder;
Move CancellationSignal to android.os package. Bug: 6427830 Change-Id: I39451bb1e1d4a8d976ed1c671234f0c8c61658dd
2012-05-07 20:06:46 -07:00
import android.os.ICancellationSignal;
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
import android.os.ParcelFileDescriptor;
Add async version of getProviderMimeType Fixes: b/147646960 Test: atest FrameworksCoreTests:android.content.ContentResolverTest Change-Id: I04c15ac008fe14b215f954af150226dc94f22232
2020-01-16 17:00:02 -08:00
import android.os.RemoteCallback;
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
import android.os.RemoteException;
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
import java.io.FileNotFoundException;
- create a new generic ISyncAdapter implementation, SyncAdapterNew - change the applyBatch to take an ArrayList rather than an [] - change Entity to be a final flass that contains ContentValues - remove the ability to update/insert Entities by a ContentProviderOperation
2009-05-22 14:23:31 -07:00
import java.util.ArrayList;
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
/**
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
* Mock implementation of ContentProvider. All methods are non-functional and throw
* {@link java.lang.UnsupportedOperationException}. Tests can extend this class to
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
* implement behavior needed for tests.
*/
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
public class MockContentProvider extends ContentProvider {
/*
* Note: if you add methods to ContentProvider, you must add similar methods to
* MockContentProvider.
*/
/**
* IContentProvider that directs all calls to this MockContentProvider.
*/
private class InversionIContentProvider implements IContentProvider {
Fix ownership of CursorWindows across processes. Bug: 5332296 Ensure that there is always an owner for each CursorWindow and that references to each window are acquired/released appropriately at all times. Added synchronization to CursorToBulkCursorAdaptor to prevent the underlying Cursor and CursorWindow from being remotely accessed in ways that might violate invariants, resulting in leaks or other problems. Ensured that CursorToBulkCursorAdaptor promptly releases its references to the Cursor and CursorWindow when closed so they don't stick around longer than they should, even if the remote end hangs onto the IBulkCursor for some reason. CursorWindow respects Parcelable.FLAG_WRITE_RETURN_VALUE as an indication that one reference to the CursorWindow is being released. Correspondingly, CursorToBulkCursorAdaptor acquires a reference to the CursorWindow before returning it to the caller. This change also prevents races from resulting in the transfer of an invalid CursorWindow over the wire. Ensured that BulkCursorToCursorAdaptor promptly releases its reference to the IBulkCursor when closed and throws on attempts to access the cursor while closed. Modified ContentProviderNative to handle both parts of the wrapping and unwrapping of Cursors into IBulkCursors. This makes it a lot easier to ensure that the right things happen on both ends. Also, it turns out that the only caller of IContentProvider.bulkQuery was ContentProviderNative itself so there was no need to support bulkQuery on ContentProviderProxy and it was just getting in the way. Implement CloseGuard on CursorWindow. Change-Id: Ib3c8305d3cc62322f38a06698d404a2989bb6ef9
2011-10-09 12:39:53 -07:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public ContentProviderResult[] applyBatch(@NonNull AttributionSource attributionSource,
String authority, ArrayList<ContentProviderOperation> operations)
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
throws RemoteException, OperationApplicationException {
Extract common methods into ContentInterface. Existing APIs that accept a ContentResolver are too restrictive when the caller has their own ContentProviderClient already bound and configured, so we're in the market for a solution to open those existing APIs to accept a wider range of inputs. The solution we've come up with is to introduce a super-interface which contains the common ContentProvider APIs, and then make ContentProvider, ContentResolver, and ContentProviderClient all implement that interface for consistency. After this change lands, we can then safely relax existing APIs to accept this new ContentInterface, offering a clean path to solving the problem outlined above. Bug: 117635768 Test: atest android.content.cts Test: atest android.provider.cts Change-Id: Ic5ae08107f7dd3dd23dcaec2df40c16543e0d86e Exempted-From-Owner-Approval: keep tests working
2018-12-07 12:00:45 -07:00
return MockContentProvider.this.applyBatch(authority, operations);
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
}
Fix ownership of CursorWindows across processes. Bug: 5332296 Ensure that there is always an owner for each CursorWindow and that references to each window are acquired/released appropriately at all times. Added synchronization to CursorToBulkCursorAdaptor to prevent the underlying Cursor and CursorWindow from being remotely accessed in ways that might violate invariants, resulting in leaks or other problems. Ensured that CursorToBulkCursorAdaptor promptly releases its references to the Cursor and CursorWindow when closed so they don't stick around longer than they should, even if the remote end hangs onto the IBulkCursor for some reason. CursorWindow respects Parcelable.FLAG_WRITE_RETURN_VALUE as an indication that one reference to the CursorWindow is being released. Correspondingly, CursorToBulkCursorAdaptor acquires a reference to the CursorWindow before returning it to the caller. This change also prevents races from resulting in the transfer of an invalid CursorWindow over the wire. Ensured that BulkCursorToCursorAdaptor promptly releases its reference to the IBulkCursor when closed and throws on attempts to access the cursor while closed. Modified ContentProviderNative to handle both parts of the wrapping and unwrapping of Cursors into IBulkCursors. This makes it a lot easier to ensure that the right things happen on both ends. Also, it turns out that the only caller of IContentProvider.bulkQuery was ContentProviderNative itself so there was no need to support bulkQuery on ContentProviderProxy and it was just getting in the way. Implement CloseGuard on CursorWindow. Change-Id: Ib3c8305d3cc62322f38a06698d404a2989bb6ef9
2011-10-09 12:39:53 -07:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public int bulkInsert(@NonNull AttributionSource attributionSource, Uri url,
Note with featureId from ContentProvider This takes the Context#getFeatureId from the calling context and pipes it all way through to the noteOp calls done by the content provider. Bug: 136595429 Test: atest CtsAppOpsTestCases (new test added to capture this case) TelecomUnitTests:CallLogManagerTest ContentProviderClientTest TelecomUnitTests:MissedCallNotifierImplTest TelecomUnitTests:BasicCallTests MediaInserterTest PreferencesHelperTest RankingHelperTest PinnedSliceStateTest FrameworksCoreTests:ContentResolverTest Change-Id: I53b1035626229c920b353509a5bece157b52fb51
2019-09-27 08:44:12 -07:00
ContentValues[] initialValues) throws RemoteException {
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
return MockContentProvider.this.bulkInsert(url, initialValues);
}
Fix ownership of CursorWindows across processes. Bug: 5332296 Ensure that there is always an owner for each CursorWindow and that references to each window are acquired/released appropriately at all times. Added synchronization to CursorToBulkCursorAdaptor to prevent the underlying Cursor and CursorWindow from being remotely accessed in ways that might violate invariants, resulting in leaks or other problems. Ensured that CursorToBulkCursorAdaptor promptly releases its references to the Cursor and CursorWindow when closed so they don't stick around longer than they should, even if the remote end hangs onto the IBulkCursor for some reason. CursorWindow respects Parcelable.FLAG_WRITE_RETURN_VALUE as an indication that one reference to the CursorWindow is being released. Correspondingly, CursorToBulkCursorAdaptor acquires a reference to the CursorWindow before returning it to the caller. This change also prevents races from resulting in the transfer of an invalid CursorWindow over the wire. Ensured that BulkCursorToCursorAdaptor promptly releases its reference to the IBulkCursor when closed and throws on attempts to access the cursor while closed. Modified ContentProviderNative to handle both parts of the wrapping and unwrapping of Cursors into IBulkCursors. This makes it a lot easier to ensure that the right things happen on both ends. Also, it turns out that the only caller of IContentProvider.bulkQuery was ContentProviderNative itself so there was no need to support bulkQuery on ContentProviderProxy and it was just getting in the way. Implement CloseGuard on CursorWindow. Change-Id: Ib3c8305d3cc62322f38a06698d404a2989bb6ef9
2011-10-09 12:39:53 -07:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public int delete(@NonNull AttributionSource attributionSource, Uri url,
Extend insert/update/delete to provide extras. A few releases ago we added ContentResolver.QUERY_ARG_* constants to query() as a new best-practice that will help wean us off raw SQL arguments. (For example, a provider could add their own custom arguments like QUERY_ARG_INCLUDE_PENDING to cause the query to reveal pending items that would otherwise be hidden.) This change expands update() and delete() to accept those arguments. This change also expand insert() to accept extras too, as part of preparing to support an upcoming MediaProvider feature that will let apps place new media "adjacent" to an existing media item. (Sending that adjacent item through extras is cleaner than trying to send it through escaped query parameters.) Bug: 131643582 Test: atest CtsContentTestCases Change-Id: I436296155b9b5f371b4cbe661feaf42070285fcc
2019-11-15 12:45:15 -07:00
Bundle extras) throws RemoteException {
return MockContentProvider.this.delete(url, extras);
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
}
Fix ownership of CursorWindows across processes. Bug: 5332296 Ensure that there is always an owner for each CursorWindow and that references to each window are acquired/released appropriately at all times. Added synchronization to CursorToBulkCursorAdaptor to prevent the underlying Cursor and CursorWindow from being remotely accessed in ways that might violate invariants, resulting in leaks or other problems. Ensured that CursorToBulkCursorAdaptor promptly releases its references to the Cursor and CursorWindow when closed so they don't stick around longer than they should, even if the remote end hangs onto the IBulkCursor for some reason. CursorWindow respects Parcelable.FLAG_WRITE_RETURN_VALUE as an indication that one reference to the CursorWindow is being released. Correspondingly, CursorToBulkCursorAdaptor acquires a reference to the CursorWindow before returning it to the caller. This change also prevents races from resulting in the transfer of an invalid CursorWindow over the wire. Ensured that BulkCursorToCursorAdaptor promptly releases its reference to the IBulkCursor when closed and throws on attempts to access the cursor while closed. Modified ContentProviderNative to handle both parts of the wrapping and unwrapping of Cursors into IBulkCursors. This makes it a lot easier to ensure that the right things happen on both ends. Also, it turns out that the only caller of IContentProvider.bulkQuery was ContentProviderNative itself so there was no need to support bulkQuery on ContentProviderProxy and it was just getting in the way. Implement CloseGuard on CursorWindow. Change-Id: Ib3c8305d3cc62322f38a06698d404a2989bb6ef9
2011-10-09 12:39:53 -07:00
@Override
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
public String getType(Uri url) throws RemoteException {
return MockContentProvider.this.getType(url);
}
Add async version of getProviderMimeType Fixes: b/147646960 Test: atest FrameworksCoreTests:android.content.ContentResolverTest Change-Id: I04c15ac008fe14b215f954af150226dc94f22232
2020-01-16 17:00:02 -08:00
@Override
public void getTypeAsync(Uri uri, RemoteCallback callback) throws RemoteException {
MockContentProvider.this.getTypeAsync(uri, callback);
}
Fix ownership of CursorWindows across processes. Bug: 5332296 Ensure that there is always an owner for each CursorWindow and that references to each window are acquired/released appropriately at all times. Added synchronization to CursorToBulkCursorAdaptor to prevent the underlying Cursor and CursorWindow from being remotely accessed in ways that might violate invariants, resulting in leaks or other problems. Ensured that CursorToBulkCursorAdaptor promptly releases its references to the Cursor and CursorWindow when closed so they don't stick around longer than they should, even if the remote end hangs onto the IBulkCursor for some reason. CursorWindow respects Parcelable.FLAG_WRITE_RETURN_VALUE as an indication that one reference to the CursorWindow is being released. Correspondingly, CursorToBulkCursorAdaptor acquires a reference to the CursorWindow before returning it to the caller. This change also prevents races from resulting in the transfer of an invalid CursorWindow over the wire. Ensured that BulkCursorToCursorAdaptor promptly releases its reference to the IBulkCursor when closed and throws on attempts to access the cursor while closed. Modified ContentProviderNative to handle both parts of the wrapping and unwrapping of Cursors into IBulkCursors. This makes it a lot easier to ensure that the right things happen on both ends. Also, it turns out that the only caller of IContentProvider.bulkQuery was ContentProviderNative itself so there was no need to support bulkQuery on ContentProviderProxy and it was just getting in the way. Implement CloseGuard on CursorWindow. Change-Id: Ib3c8305d3cc62322f38a06698d404a2989bb6ef9
2011-10-09 12:39:53 -07:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public Uri insert(@NonNull AttributionSource attributionSource, Uri url,
Extend insert/update/delete to provide extras. A few releases ago we added ContentResolver.QUERY_ARG_* constants to query() as a new best-practice that will help wean us off raw SQL arguments. (For example, a provider could add their own custom arguments like QUERY_ARG_INCLUDE_PENDING to cause the query to reveal pending items that would otherwise be hidden.) This change expands update() and delete() to accept those arguments. This change also expand insert() to accept extras too, as part of preparing to support an upcoming MediaProvider feature that will let apps place new media "adjacent" to an existing media item. (Sending that adjacent item through extras is cleaner than trying to send it through escaped query parameters.) Bug: 131643582 Test: atest CtsContentTestCases Change-Id: I436296155b9b5f371b4cbe661feaf42070285fcc
2019-11-15 12:45:15 -07:00
ContentValues initialValues, Bundle extras) throws RemoteException {
return MockContentProvider.this.insert(url, initialValues, extras);
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
}
Fix ownership of CursorWindows across processes. Bug: 5332296 Ensure that there is always an owner for each CursorWindow and that references to each window are acquired/released appropriately at all times. Added synchronization to CursorToBulkCursorAdaptor to prevent the underlying Cursor and CursorWindow from being remotely accessed in ways that might violate invariants, resulting in leaks or other problems. Ensured that CursorToBulkCursorAdaptor promptly releases its references to the Cursor and CursorWindow when closed so they don't stick around longer than they should, even if the remote end hangs onto the IBulkCursor for some reason. CursorWindow respects Parcelable.FLAG_WRITE_RETURN_VALUE as an indication that one reference to the CursorWindow is being released. Correspondingly, CursorToBulkCursorAdaptor acquires a reference to the CursorWindow before returning it to the caller. This change also prevents races from resulting in the transfer of an invalid CursorWindow over the wire. Ensured that BulkCursorToCursorAdaptor promptly releases its reference to the IBulkCursor when closed and throws on attempts to access the cursor while closed. Modified ContentProviderNative to handle both parts of the wrapping and unwrapping of Cursors into IBulkCursors. This makes it a lot easier to ensure that the right things happen on both ends. Also, it turns out that the only caller of IContentProvider.bulkQuery was ContentProviderNative itself so there was no need to support bulkQuery on ContentProviderProxy and it was just getting in the way. Implement CloseGuard on CursorWindow. Change-Id: Ib3c8305d3cc62322f38a06698d404a2989bb6ef9
2011-10-09 12:39:53 -07:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public AssetFileDescriptor openAssetFile(@NonNull AttributionSource attributionSource,
Uri url, String mode, ICancellationSignal signal)
More work on App Ops service. Implemented reading and writing state to retain information across boots, API to retrieve state from it, improved location manager interaction to monitor both coarse and fine access and only note operations when location data is being delivered back to app (not when it is just registering to get the data at some time in the future). Also implement tracking of read/write ops on contacts and the call log. This involved tweaking the content provider protocol to pass over the name of the calling package, and some infrastructure in the ContentProvider transport to note incoming calls with the app ops service. The contacts provider and call log provider turn this on for themselves. This also implements some of the mechanics of being able to ignore incoming provider calls... all that is left are some new APIs for the real content provider implementation to be involved with providing the correct behavior for query() (return an empty cursor with the right columns) and insert() (need to figure out what URI to return). Change-Id: I36ebbcd63dee58264a480f3d3786891ca7cbdb4c
2013-01-14 17:38:02 -08:00
throws RemoteException, FileNotFoundException {
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
return MockContentProvider.this.openAssetFile(url, mode);
}
Fix ownership of CursorWindows across processes. Bug: 5332296 Ensure that there is always an owner for each CursorWindow and that references to each window are acquired/released appropriately at all times. Added synchronization to CursorToBulkCursorAdaptor to prevent the underlying Cursor and CursorWindow from being remotely accessed in ways that might violate invariants, resulting in leaks or other problems. Ensured that CursorToBulkCursorAdaptor promptly releases its references to the Cursor and CursorWindow when closed so they don't stick around longer than they should, even if the remote end hangs onto the IBulkCursor for some reason. CursorWindow respects Parcelable.FLAG_WRITE_RETURN_VALUE as an indication that one reference to the CursorWindow is being released. Correspondingly, CursorToBulkCursorAdaptor acquires a reference to the CursorWindow before returning it to the caller. This change also prevents races from resulting in the transfer of an invalid CursorWindow over the wire. Ensured that BulkCursorToCursorAdaptor promptly releases its reference to the IBulkCursor when closed and throws on attempts to access the cursor while closed. Modified ContentProviderNative to handle both parts of the wrapping and unwrapping of Cursors into IBulkCursors. This makes it a lot easier to ensure that the right things happen on both ends. Also, it turns out that the only caller of IContentProvider.bulkQuery was ContentProviderNative itself so there was no need to support bulkQuery on ContentProviderProxy and it was just getting in the way. Implement CloseGuard on CursorWindow. Change-Id: Ib3c8305d3cc62322f38a06698d404a2989bb6ef9
2011-10-09 12:39:53 -07:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public ParcelFileDescriptor openFile(@NonNull AttributionSource attributionSource,
Uri url, String mode, ICancellationSignal signal)
Note with featureId from ContentProvider This takes the Context#getFeatureId from the calling context and pipes it all way through to the noteOp calls done by the content provider. Bug: 136595429 Test: atest CtsAppOpsTestCases (new test added to capture this case) TelecomUnitTests:CallLogManagerTest ContentProviderClientTest TelecomUnitTests:MissedCallNotifierImplTest TelecomUnitTests:BasicCallTests MediaInserterTest PreferencesHelperTest RankingHelperTest PinnedSliceStateTest FrameworksCoreTests:ContentResolverTest Change-Id: I53b1035626229c920b353509a5bece157b52fb51
2019-09-27 08:44:12 -07:00
throws RemoteException, FileNotFoundException {
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
return MockContentProvider.this.openFile(url, mode);
}
Fix ownership of CursorWindows across processes. Bug: 5332296 Ensure that there is always an owner for each CursorWindow and that references to each window are acquired/released appropriately at all times. Added synchronization to CursorToBulkCursorAdaptor to prevent the underlying Cursor and CursorWindow from being remotely accessed in ways that might violate invariants, resulting in leaks or other problems. Ensured that CursorToBulkCursorAdaptor promptly releases its references to the Cursor and CursorWindow when closed so they don't stick around longer than they should, even if the remote end hangs onto the IBulkCursor for some reason. CursorWindow respects Parcelable.FLAG_WRITE_RETURN_VALUE as an indication that one reference to the CursorWindow is being released. Correspondingly, CursorToBulkCursorAdaptor acquires a reference to the CursorWindow before returning it to the caller. This change also prevents races from resulting in the transfer of an invalid CursorWindow over the wire. Ensured that BulkCursorToCursorAdaptor promptly releases its reference to the IBulkCursor when closed and throws on attempts to access the cursor while closed. Modified ContentProviderNative to handle both parts of the wrapping and unwrapping of Cursors into IBulkCursors. This makes it a lot easier to ensure that the right things happen on both ends. Also, it turns out that the only caller of IContentProvider.bulkQuery was ContentProviderNative itself so there was no need to support bulkQuery on ContentProviderProxy and it was just getting in the way. Implement CloseGuard on CursorWindow. Change-Id: Ib3c8305d3cc62322f38a06698d404a2989bb6ef9
2011-10-09 12:39:53 -07:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public Cursor query(@NonNull AttributionSource attributionSource, Uri url,
Note with featureId from ContentProvider This takes the Context#getFeatureId from the calling context and pipes it all way through to the noteOp calls done by the content provider. Bug: 136595429 Test: atest CtsAppOpsTestCases (new test added to capture this case) TelecomUnitTests:CallLogManagerTest ContentProviderClientTest TelecomUnitTests:MissedCallNotifierImplTest TelecomUnitTests:BasicCallTests MediaInserterTest PreferencesHelperTest RankingHelperTest PinnedSliceStateTest FrameworksCoreTests:ContentResolverTest Change-Id: I53b1035626229c920b353509a5bece157b52fb51
2019-09-27 08:44:12 -07:00
@Nullable String[] projection, @Nullable Bundle queryArgs,
@Nullable ICancellationSignal cancellationSignal) throws RemoteException {
Replace ContentProvider SQL args w/ Bundle & Constants. Test: cts-tradefed run cts-dev -m CtsContentTestCases Bug: 30927484 Change-Id: Idb9dbc2b80896e9f8474a0db71353b7a3810d597
2016-12-02 11:35:35 -08:00
return MockContentProvider.this.query(url, projection, queryArgs, null);
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
}
Fix ownership of CursorWindows across processes. Bug: 5332296 Ensure that there is always an owner for each CursorWindow and that references to each window are acquired/released appropriately at all times. Added synchronization to CursorToBulkCursorAdaptor to prevent the underlying Cursor and CursorWindow from being remotely accessed in ways that might violate invariants, resulting in leaks or other problems. Ensured that CursorToBulkCursorAdaptor promptly releases its references to the Cursor and CursorWindow when closed so they don't stick around longer than they should, even if the remote end hangs onto the IBulkCursor for some reason. CursorWindow respects Parcelable.FLAG_WRITE_RETURN_VALUE as an indication that one reference to the CursorWindow is being released. Correspondingly, CursorToBulkCursorAdaptor acquires a reference to the CursorWindow before returning it to the caller. This change also prevents races from resulting in the transfer of an invalid CursorWindow over the wire. Ensured that BulkCursorToCursorAdaptor promptly releases its reference to the IBulkCursor when closed and throws on attempts to access the cursor while closed. Modified ContentProviderNative to handle both parts of the wrapping and unwrapping of Cursors into IBulkCursors. This makes it a lot easier to ensure that the right things happen on both ends. Also, it turns out that the only caller of IContentProvider.bulkQuery was ContentProviderNative itself so there was no need to support bulkQuery on ContentProviderProxy and it was just getting in the way. Implement CloseGuard on CursorWindow. Change-Id: Ib3c8305d3cc62322f38a06698d404a2989bb6ef9
2011-10-09 12:39:53 -07:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public int update(@NonNull AttributionSource attributionSource, Uri url,
Extend insert/update/delete to provide extras. A few releases ago we added ContentResolver.QUERY_ARG_* constants to query() as a new best-practice that will help wean us off raw SQL arguments. (For example, a provider could add their own custom arguments like QUERY_ARG_INCLUDE_PENDING to cause the query to reveal pending items that would otherwise be hidden.) This change expands update() and delete() to accept those arguments. This change also expand insert() to accept extras too, as part of preparing to support an upcoming MediaProvider feature that will let apps place new media "adjacent" to an existing media item. (Sending that adjacent item through extras is cleaner than trying to send it through escaped query parameters.) Bug: 131643582 Test: atest CtsContentTestCases Change-Id: I436296155b9b5f371b4cbe661feaf42070285fcc
2019-11-15 12:45:15 -07:00
ContentValues values, Bundle extras) throws RemoteException {
return MockContentProvider.this.update(url, values, extras);
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
}
Fix ownership of CursorWindows across processes. Bug: 5332296 Ensure that there is always an owner for each CursorWindow and that references to each window are acquired/released appropriately at all times. Added synchronization to CursorToBulkCursorAdaptor to prevent the underlying Cursor and CursorWindow from being remotely accessed in ways that might violate invariants, resulting in leaks or other problems. Ensured that CursorToBulkCursorAdaptor promptly releases its references to the Cursor and CursorWindow when closed so they don't stick around longer than they should, even if the remote end hangs onto the IBulkCursor for some reason. CursorWindow respects Parcelable.FLAG_WRITE_RETURN_VALUE as an indication that one reference to the CursorWindow is being released. Correspondingly, CursorToBulkCursorAdaptor acquires a reference to the CursorWindow before returning it to the caller. This change also prevents races from resulting in the transfer of an invalid CursorWindow over the wire. Ensured that BulkCursorToCursorAdaptor promptly releases its reference to the IBulkCursor when closed and throws on attempts to access the cursor while closed. Modified ContentProviderNative to handle both parts of the wrapping and unwrapping of Cursors into IBulkCursors. This makes it a lot easier to ensure that the right things happen on both ends. Also, it turns out that the only caller of IContentProvider.bulkQuery was ContentProviderNative itself so there was no need to support bulkQuery on ContentProviderProxy and it was just getting in the way. Implement CloseGuard on CursorWindow. Change-Id: Ib3c8305d3cc62322f38a06698d404a2989bb6ef9
2011-10-09 12:39:53 -07:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public Bundle call(@NonNull AttributionSource attributionSource, String authority,
Note with featureId from ContentProvider This takes the Context#getFeatureId from the calling context and pipes it all way through to the noteOp calls done by the content provider. Bug: 136595429 Test: atest CtsAppOpsTestCases (new test added to capture this case) TelecomUnitTests:CallLogManagerTest ContentProviderClientTest TelecomUnitTests:MissedCallNotifierImplTest TelecomUnitTests:BasicCallTests MediaInserterTest PreferencesHelperTest RankingHelperTest PinnedSliceStateTest FrameworksCoreTests:ContentResolverTest Change-Id: I53b1035626229c920b353509a5bece157b52fb51
2019-09-27 08:44:12 -07:00
String method, String request, Bundle args) throws RemoteException {
Extract common methods into ContentInterface. Existing APIs that accept a ContentResolver are too restrictive when the caller has their own ContentProviderClient already bound and configured, so we're in the market for a solution to open those existing APIs to accept a wider range of inputs. The solution we've come up with is to introduce a super-interface which contains the common ContentProvider APIs, and then make ContentProvider, ContentResolver, and ContentProviderClient all implement that interface for consistency. After this change lands, we can then safely relax existing APIs to accept this new ContentInterface, offering a clean path to solving the problem outlined above. Bug: 117635768 Test: atest android.content.cts Test: atest android.provider.cts Change-Id: Ic5ae08107f7dd3dd23dcaec2df40c16543e0d86e Exempted-From-Owner-Approval: keep tests working
2018-12-07 12:00:45 -07:00
return MockContentProvider.this.call(authority, method, request, args);
Add "call" method on ContentProvider. This permits implementing interfaces which are faster than using remote Cursors. It then uses it for Settings & SettingProvider, which together account for ~50% of total ContentProvider event loop stalls across Froyo dogfooders. For fetching Settings this looks like it should reduce average Settings lookup from 10 ms to 0.4 ms on Sholes, once the SettingsProvider serves most gets from in-memory cache. Currently it brings the Sholes average down from 10ms to 2.5 ms while still using SQLite queries on each get.
2010-03-04 17:48:13 -08:00
}
Fix ownership of CursorWindows across processes. Bug: 5332296 Ensure that there is always an owner for each CursorWindow and that references to each window are acquired/released appropriately at all times. Added synchronization to CursorToBulkCursorAdaptor to prevent the underlying Cursor and CursorWindow from being remotely accessed in ways that might violate invariants, resulting in leaks or other problems. Ensured that CursorToBulkCursorAdaptor promptly releases its references to the Cursor and CursorWindow when closed so they don't stick around longer than they should, even if the remote end hangs onto the IBulkCursor for some reason. CursorWindow respects Parcelable.FLAG_WRITE_RETURN_VALUE as an indication that one reference to the CursorWindow is being released. Correspondingly, CursorToBulkCursorAdaptor acquires a reference to the CursorWindow before returning it to the caller. This change also prevents races from resulting in the transfer of an invalid CursorWindow over the wire. Ensured that BulkCursorToCursorAdaptor promptly releases its reference to the IBulkCursor when closed and throws on attempts to access the cursor while closed. Modified ContentProviderNative to handle both parts of the wrapping and unwrapping of Cursors into IBulkCursors. This makes it a lot easier to ensure that the right things happen on both ends. Also, it turns out that the only caller of IContentProvider.bulkQuery was ContentProviderNative itself so there was no need to support bulkQuery on ContentProviderProxy and it was just getting in the way. Implement CloseGuard on CursorWindow. Change-Id: Ib3c8305d3cc62322f38a06698d404a2989bb6ef9
2011-10-09 12:39:53 -07:00
@Override
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
public IBinder asBinder() {
Add Downloads.Impl.COLUMN_MEDIASTORE_URI & DownloadColumns.Description. Entries from DownloadProvider are added to MediaStore Downloads collection. COLUMN_MEDIASTORE_URI will be used to track corresponding entries in MediaProvider. We can't re-use COLUMN_MEDIAPROVIDER_URI for this purpose because it is updateable by apps. Bug: 120876251 Test: atest DownloadProviderTests Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java Test: atest MediaProviderTests Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore* Change-Id: Ifd252c54f4ee739a31be2866896efac6696a088e
2018-12-16 15:52:33 -08:00
return MockContentProvider.this.getIContentProviderBinder();
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
}
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
Fix ownership of CursorWindows across processes. Bug: 5332296 Ensure that there is always an owner for each CursorWindow and that references to each window are acquired/released appropriately at all times. Added synchronization to CursorToBulkCursorAdaptor to prevent the underlying Cursor and CursorWindow from being remotely accessed in ways that might violate invariants, resulting in leaks or other problems. Ensured that CursorToBulkCursorAdaptor promptly releases its references to the Cursor and CursorWindow when closed so they don't stick around longer than they should, even if the remote end hangs onto the IBulkCursor for some reason. CursorWindow respects Parcelable.FLAG_WRITE_RETURN_VALUE as an indication that one reference to the CursorWindow is being released. Correspondingly, CursorToBulkCursorAdaptor acquires a reference to the CursorWindow before returning it to the caller. This change also prevents races from resulting in the transfer of an invalid CursorWindow over the wire. Ensured that BulkCursorToCursorAdaptor promptly releases its reference to the IBulkCursor when closed and throws on attempts to access the cursor while closed. Modified ContentProviderNative to handle both parts of the wrapping and unwrapping of Cursors into IBulkCursors. This makes it a lot easier to ensure that the right things happen on both ends. Also, it turns out that the only caller of IContentProvider.bulkQuery was ContentProviderNative itself so there was no need to support bulkQuery on ContentProviderProxy and it was just getting in the way. Implement CloseGuard on CursorWindow. Change-Id: Ib3c8305d3cc62322f38a06698d404a2989bb6ef9
2011-10-09 12:39:53 -07:00
@Override
Add new ContentProvider for doing conversions to data streams. This introduces basic infrastructure that should allow content providers holding complex data to perform on-demand conversion of their data to streams of various types. It is achieved through two new content provider APIs, one to interrogate the possible stream MIME types the provider can return, and the other to request a stream of data in a particular MIME type. Because implementations of this will often need to do on-demand data conversion, there is also a utility intoduced in ContentProvider for subclasses to easily run a function to write data into a pipe that is read by the client. This feature is mostly intended for cut and paste and drag and drop, as the complex data interchange allowing the source and destination to negotiate data types and copy (possible large) data between them. However because it is fundamental facility of ContentProvider, it can be used in other places, such as for more advanced GET_CONTENT data exchanges. An example implementation of this would be in ContactsProvider, which can now provider a data stream when a client opens certain pieces of it data, to return data as flat text, a vcard, or other format. Change-Id: I58627ea4ed359aa7cf2c66274adb18306c209cb2
2010-08-06 12:16:55 -07:00
public String[] getStreamTypes(Uri url, String mimeTypeFilter) throws RemoteException {
return MockContentProvider.this.getStreamTypes(url, mimeTypeFilter);
}
Fix ownership of CursorWindows across processes. Bug: 5332296 Ensure that there is always an owner for each CursorWindow and that references to each window are acquired/released appropriately at all times. Added synchronization to CursorToBulkCursorAdaptor to prevent the underlying Cursor and CursorWindow from being remotely accessed in ways that might violate invariants, resulting in leaks or other problems. Ensured that CursorToBulkCursorAdaptor promptly releases its references to the Cursor and CursorWindow when closed so they don't stick around longer than they should, even if the remote end hangs onto the IBulkCursor for some reason. CursorWindow respects Parcelable.FLAG_WRITE_RETURN_VALUE as an indication that one reference to the CursorWindow is being released. Correspondingly, CursorToBulkCursorAdaptor acquires a reference to the CursorWindow before returning it to the caller. This change also prevents races from resulting in the transfer of an invalid CursorWindow over the wire. Ensured that BulkCursorToCursorAdaptor promptly releases its reference to the IBulkCursor when closed and throws on attempts to access the cursor while closed. Modified ContentProviderNative to handle both parts of the wrapping and unwrapping of Cursors into IBulkCursors. This makes it a lot easier to ensure that the right things happen on both ends. Also, it turns out that the only caller of IContentProvider.bulkQuery was ContentProviderNative itself so there was no need to support bulkQuery on ContentProviderProxy and it was just getting in the way. Implement CloseGuard on CursorWindow. Change-Id: Ib3c8305d3cc62322f38a06698d404a2989bb6ef9
2011-10-09 12:39:53 -07:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public AssetFileDescriptor openTypedAssetFile(
@NonNull AttributionSource attributionSource, Uri url, String mimeType,
Bundle opts, ICancellationSignal signal)
throws RemoteException, FileNotFoundException {
Add new ContentProvider for doing conversions to data streams. This introduces basic infrastructure that should allow content providers holding complex data to perform on-demand conversion of their data to streams of various types. It is achieved through two new content provider APIs, one to interrogate the possible stream MIME types the provider can return, and the other to request a stream of data in a particular MIME type. Because implementations of this will often need to do on-demand data conversion, there is also a utility intoduced in ContentProvider for subclasses to easily run a function to write data into a pipe that is read by the client. This feature is mostly intended for cut and paste and drag and drop, as the complex data interchange allowing the source and destination to negotiate data types and copy (possible large) data between them. However because it is fundamental facility of ContentProvider, it can be used in other places, such as for more advanced GET_CONTENT data exchanges. An example implementation of this would be in ContactsProvider, which can now provider a data stream when a client opens certain pieces of it data, to return data as flat text, a vcard, or other format. Change-Id: I58627ea4ed359aa7cf2c66274adb18306c209cb2
2010-08-06 12:16:55 -07:00
return MockContentProvider.this.openTypedAssetFile(url, mimeType, opts);
}
Implement a cancelation mechanism for queries. Added new API to enable cancelation of SQLite and content provider queries by means of a CancelationSignal object. The application creates a CancelationSignal object and passes it as an argument to the query. The cancelation signal can then be used to cancel the query while it is executing. If the cancelation signal is raised before the query is executed, then it is immediately terminated. Change-Id: If2c76e9a7e56ea5e98768b6d4f225f0a1ca61c61
2012-01-25 19:37:13 -08:00
@Override
Rename CancellationSignal using preferred spelling. Bug: 5943637 Change-Id: I12a339f285f4db58e79acb5fd8ec2fc1acda5265
2012-02-02 17:05:00 -08:00
public ICancellationSignal createCancellationSignal() throws RemoteException {
Implement a cancelation mechanism for queries. Added new API to enable cancelation of SQLite and content provider queries by means of a CancelationSignal object. The application creates a CancelationSignal object and passes it as an argument to the query. The cancelation signal can then be used to cancel the query while it is executing. If the cancelation signal is raised before the query is executed, then it is immediately terminated. Change-Id: If2c76e9a7e56ea5e98768b6d4f225f0a1ca61c61
2012-01-25 19:37:13 -08:00
return null;
}
Work on issue #10130785: Restore silence and vibrate settings... ...in settings > sound Add a new ContentProvider API to canonicalize URIs, so they can be transported across backup/restore. Change-Id: Ie5af3662f6822a32310e49c7f1e1ff084986c56e
2013-09-06 16:17:22 -07:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public Uri canonicalize(@NonNull AttributionSource attributionSource, Uri uri)
Note with featureId from ContentProvider This takes the Context#getFeatureId from the calling context and pipes it all way through to the noteOp calls done by the content provider. Bug: 136595429 Test: atest CtsAppOpsTestCases (new test added to capture this case) TelecomUnitTests:CallLogManagerTest ContentProviderClientTest TelecomUnitTests:MissedCallNotifierImplTest TelecomUnitTests:BasicCallTests MediaInserterTest PreferencesHelperTest RankingHelperTest PinnedSliceStateTest FrameworksCoreTests:ContentResolverTest Change-Id: I53b1035626229c920b353509a5bece157b52fb51
2019-09-27 08:44:12 -07:00
throws RemoteException {
Work on issue #10130785: Restore silence and vibrate settings... ...in settings > sound Add a new ContentProvider API to canonicalize URIs, so they can be transported across backup/restore. Change-Id: Ie5af3662f6822a32310e49c7f1e1ff084986c56e
2013-09-06 16:17:22 -07:00
return MockContentProvider.this.canonicalize(uri);
}
Add async version of "canonicalize" Fixes: b/147699082 Test: atest FrameworksCoreTests:android.content.ContentResolverTest Change-Id: I2e851839a454ad5eabc981c76774d03b57a1aa09
2020-02-14 17:04:13 -08:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public void canonicalizeAsync(@NonNull AttributionSource attributionSource, Uri uri,
Add async version of "canonicalize" Fixes: b/147699082 Test: atest FrameworksCoreTests:android.content.ContentResolverTest Change-Id: I2e851839a454ad5eabc981c76774d03b57a1aa09
2020-02-14 17:04:13 -08:00
RemoteCallback callback) {
MockContentProvider.this.canonicalizeAsync(uri, callback);
}
Work on issue #10130785: Restore silence and vibrate settings... ...in settings > sound Add a new ContentProvider API to canonicalize URIs, so they can be transported across backup/restore. Change-Id: Ie5af3662f6822a32310e49c7f1e1ff084986c56e
2013-09-06 16:17:22 -07:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public Uri uncanonicalize(@NonNull AttributionSource attributionSource, Uri uri)
Note with featureId from ContentProvider This takes the Context#getFeatureId from the calling context and pipes it all way through to the noteOp calls done by the content provider. Bug: 136595429 Test: atest CtsAppOpsTestCases (new test added to capture this case) TelecomUnitTests:CallLogManagerTest ContentProviderClientTest TelecomUnitTests:MissedCallNotifierImplTest TelecomUnitTests:BasicCallTests MediaInserterTest PreferencesHelperTest RankingHelperTest PinnedSliceStateTest FrameworksCoreTests:ContentResolverTest Change-Id: I53b1035626229c920b353509a5bece157b52fb51
2019-09-27 08:44:12 -07:00
throws RemoteException {
Work on issue #10130785: Restore silence and vibrate settings... ...in settings > sound Add a new ContentProvider API to canonicalize URIs, so they can be transported across backup/restore. Change-Id: Ie5af3662f6822a32310e49c7f1e1ff084986c56e
2013-09-06 16:17:22 -07:00
return MockContentProvider.this.uncanonicalize(uri);
}
Adding ContentProvider#refresh and ContentResolver#refresh. Original CL is from ag/1568530. Bug: 31647485 Change-Id: Ib45fc995a361b8c75cd3600f638910b18a263d51
2016-11-10 13:50:54 -08:00
Add async version of "uncanonicalize" This CL is basically identical to http://ag/10353234, which did the same with the sister method, "canonicalize". Fixes: b/147705670 Test: atest FrameworksCoreTests:android.content.ContentResolverTest Change-Id: Ide93850f225cdd61779a62fc2c4666efe438b536
2020-10-23 15:47:19 -07:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public void uncanonicalizeAsync(@NonNull AttributionSource attributionSource, Uri uri,
Add async version of "uncanonicalize" This CL is basically identical to http://ag/10353234, which did the same with the sister method, "canonicalize". Fixes: b/147705670 Test: atest FrameworksCoreTests:android.content.ContentResolverTest Change-Id: Ide93850f225cdd61779a62fc2c4666efe438b536
2020-10-23 15:47:19 -07:00
RemoteCallback callback) {
MockContentProvider.this.uncanonicalizeAsync(uri, callback);
}
Adding ContentProvider#refresh and ContentResolver#refresh. Original CL is from ag/1568530. Bug: 31647485 Change-Id: Ib45fc995a361b8c75cd3600f638910b18a263d51
2016-11-10 13:50:54 -08:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public boolean refresh(@NonNull AttributionSource attributionSource, Uri url,
Note with featureId from ContentProvider This takes the Context#getFeatureId from the calling context and pipes it all way through to the noteOp calls done by the content provider. Bug: 136595429 Test: atest CtsAppOpsTestCases (new test added to capture this case) TelecomUnitTests:CallLogManagerTest ContentProviderClientTest TelecomUnitTests:MissedCallNotifierImplTest TelecomUnitTests:BasicCallTests MediaInserterTest PreferencesHelperTest RankingHelperTest PinnedSliceStateTest FrameworksCoreTests:ContentResolverTest Change-Id: I53b1035626229c920b353509a5bece157b52fb51
2019-09-27 08:44:12 -07:00
Bundle args, ICancellationSignal cancellationSignal) throws RemoteException {
Adding ContentProvider#refresh and ContentResolver#refresh. Original CL is from ag/1568530. Bug: 31647485 Change-Id: Ib45fc995a361b8c75cd3600f638910b18a263d51
2016-11-10 13:50:54 -08:00
return MockContentProvider.this.refresh(url, args);
}
Detailed ContentProvider permissions checks. The new MediaProvider design has an internal dynamic security model based on the value stored in OWNER_PACKAGE_NAME, so the OS always needs to consult the provider when resolving Uri permission grants. Blocking calls from the system process like this are typically discouraged, but this is the best we can do with the limited time left, and there is existing precident with getType(). For now, use "forceUriPermissions" as a proxy for determining when we need to consult the provider directly. Bug: 115619667 Test: atest --test-mapping packages/providers/MediaProvider Test: atest android.appsecurity.cts.ExternalStorageHostTest Change-Id: I1d54feeec93fbb4cf5ff55240ef4eae3a35ed068
2019-05-20 14:00:17 -06:00
@Override
Runtime permission attribution improvements When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app perofmed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo though B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps that that the workaround in the OS would be respected by every OEM. This change adds a mechaism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access thorugh this context would result in a single app op blame that A accessed Foo though B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a porper, single blame: that C accessed the data, that B got the data from C, and that A got the data form B. Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permisisons for A and B, respectively, since the permisisons for the entire attribution chain are checked before data delivery. Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps. This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped thorough the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invlaid tag which was failing while the shell can do any tag. Finally, to ensure the mechanims is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChercker for handling attribution sources were made the CL also hooks up renounced permissoins in the request permission flow and in the permission checks. bug:158792096 bug:180647319 Test:atest CtsPermissionsTestCases atest CtsPermissions2TestCases atest CtsPermissions3TestCases atest CtsPermissions4TestCases atest CtsPermissions5TestCases atest CtsAppOpsTestCases atest CtsAppOps2TestCases Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
2021-02-24 04:09:05 +00:00
public int checkUriPermission(@NonNull AttributionSource attributionSource, Uri uri,
Note with featureId from ContentProvider This takes the Context#getFeatureId from the calling context and pipes it all way through to the noteOp calls done by the content provider. Bug: 136595429 Test: atest CtsAppOpsTestCases (new test added to capture this case) TelecomUnitTests:CallLogManagerTest ContentProviderClientTest TelecomUnitTests:MissedCallNotifierImplTest TelecomUnitTests:BasicCallTests MediaInserterTest PreferencesHelperTest RankingHelperTest PinnedSliceStateTest FrameworksCoreTests:ContentResolverTest Change-Id: I53b1035626229c920b353509a5bece157b52fb51
2019-09-27 08:44:12 -07:00
int uid, int modeFlags) {
Detailed ContentProvider permissions checks. The new MediaProvider design has an internal dynamic security model based on the value stored in OWNER_PACKAGE_NAME, so the OS always needs to consult the provider when resolving Uri permission grants. Blocking calls from the system process like this are typically discouraged, but this is the best we can do with the limited time left, and there is existing precident with getType(). For now, use "forceUriPermissions" as a proxy for determining when we need to consult the provider directly. Bug: 115619667 Test: atest --test-mapping packages/providers/MediaProvider Test: atest android.appsecurity.cts.ExternalStorageHostTest Change-Id: I1d54feeec93fbb4cf5ff55240ef4eae3a35ed068
2019-05-20 14:00:17 -06:00
return MockContentProvider.this.checkUriPermission(uri, uid, modeFlags);
}
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
}
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
private final InversionIContentProvider mIContentProvider = new InversionIContentProvider();
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
/**
* A constructor using {@link MockContext} instance as a Context in it.
*/
protected MockContentProvider() {
super(new MockContext(), "", "", null);
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
}
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
/**
* A constructor accepting a Context instance, which is supposed to be the subclasss of
* {@link MockContext}.
*/
public MockContentProvider(Context context) {
super(context, "", "", null);
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
}
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
/**
* A constructor which initialize four member variables which
* {@link android.content.ContentProvider} have internally.
*
* @param context A Context object which should be some mock instance (like the
* instance of {@link android.test.mock.MockContext}).
* @param readPermission The read permision you want this instance should have in the
* test, which is available via {@link #getReadPermission()}.
* @param writePermission The write permission you want this instance should have
* in the test, which is available via {@link #getWritePermission()}.
* @param pathPermissions The PathPermissions you want this instance should have
* in the test, which is available via {@link #getPathPermissions()}.
*/
public MockContentProvider(Context context,
String readPermission,
String writePermission,
PathPermission[] pathPermissions) {
super(context, readPermission, writePermission, pathPermissions);
}
@Override
public int delete(Uri uri, String selection, String[] selectionArgs) {
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
throw new UnsupportedOperationException("unimplemented mock method");
}
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
@Override
public String getType(Uri uri) {
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
throw new UnsupportedOperationException("unimplemented mock method");
}
Add async version of getProviderMimeType Fixes: b/147646960 Test: atest FrameworksCoreTests:android.content.ContentResolverTest Change-Id: I04c15ac008fe14b215f954af150226dc94f22232
2020-01-16 17:00:02 -08:00
/**
* @hide
*/
@SuppressWarnings("deprecation")
public void getTypeAsync(Uri uri, RemoteCallback remoteCallback) {
AsyncTask.SERIAL_EXECUTOR.execute(() -> {
final Bundle bundle = new Bundle();
bundle.putString(ContentResolver.REMOTE_CALLBACK_RESULT, getType(uri));
remoteCallback.sendResult(bundle);
});
}
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
@Override
public Uri insert(Uri uri, ContentValues values) {
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
throw new UnsupportedOperationException("unimplemented mock method");
}
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
@Override
public boolean onCreate() {
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
throw new UnsupportedOperationException("unimplemented mock method");
}
add ipc support to batching
2009-05-15 15:10:40 -07:00
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
@Override
public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs,
String sortOrder) {
add ipc support to batching
2009-05-15 15:10:40 -07:00
throw new UnsupportedOperationException("unimplemented mock method");
}
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
@Override
public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
throw new UnsupportedOperationException("unimplemented mock method");
}
- hide Entity and all its references - remove updateEntity and insertEntity, since they are not used - add the RawContacts.Entity class, which is used in lieu of the android.content.Entity
2009-10-05 14:21:12 -07:00
/**
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
* If you're reluctant to implement this manually, please just call super.bulkInsert().
- hide Entity and all its references - remove updateEntity and insertEntity, since they are not used - add the RawContacts.Entity class, which is used in lieu of the android.content.Entity
2009-10-05 14:21:12 -07:00
*/
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
@Override
public int bulkInsert(Uri uri, ContentValues[] values) {
content provider entities
2009-05-07 17:35:38 -07:00
throw new UnsupportedOperationException("unimplemented mock method");
}
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
@Override
public void attachInfo(Context context, ProviderInfo info) {
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
throw new UnsupportedOperationException("unimplemented mock method");
}
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
@Override
public ContentProviderResult[] applyBatch(ArrayList<ContentProviderOperation> operations) {
auto import from //depot/cupcake/@135843
2009-03-03 19:31:44 -08:00
throw new UnsupportedOperationException("unimplemented mock method");
}
Add "call" method on ContentProvider. This permits implementing interfaces which are faster than using remote Cursors. It then uses it for Settings & SettingProvider, which together account for ~50% of total ContentProvider event loop stalls across Froyo dogfooders. For fetching Settings this looks like it should reduce average Settings lookup from 10 ms to 0.4 ms on Sholes, once the SettingsProvider serves most gets from in-memory cache. Currently it brings the Sholes average down from 10ms to 2.5 ms while still using SQLite queries on each get.
2010-03-04 17:48:13 -08:00
/**
* @hide
*/
@Override
public Bundle call(String method, String request, Bundle args) {
throw new UnsupportedOperationException("unimplemented mock method call");
}
Replace ContentProvider SQL args w/ Bundle & Constants. Test: cts-tradefed run cts-dev -m CtsContentTestCases Bug: 30927484 Change-Id: Idb9dbc2b80896e9f8474a0db71353b7a3810d597
2016-12-02 11:35:35 -08:00
@Override
Add new ContentProvider for doing conversions to data streams. This introduces basic infrastructure that should allow content providers holding complex data to perform on-demand conversion of their data to streams of various types. It is achieved through two new content provider APIs, one to interrogate the possible stream MIME types the provider can return, and the other to request a stream of data in a particular MIME type. Because implementations of this will often need to do on-demand data conversion, there is also a utility intoduced in ContentProvider for subclasses to easily run a function to write data into a pipe that is read by the client. This feature is mostly intended for cut and paste and drag and drop, as the complex data interchange allowing the source and destination to negotiate data types and copy (possible large) data between them. However because it is fundamental facility of ContentProvider, it can be used in other places, such as for more advanced GET_CONTENT data exchanges. An example implementation of this would be in ContactsProvider, which can now provider a data stream when a client opens certain pieces of it data, to return data as flat text, a vcard, or other format. Change-Id: I58627ea4ed359aa7cf2c66274adb18306c209cb2
2010-08-06 12:16:55 -07:00
public String[] getStreamTypes(Uri url, String mimeTypeFilter) {
throw new UnsupportedOperationException("unimplemented mock method call");
}
Replace ContentProvider SQL args w/ Bundle & Constants. Test: cts-tradefed run cts-dev -m CtsContentTestCases Bug: 30927484 Change-Id: Idb9dbc2b80896e9f8474a0db71353b7a3810d597
2016-12-02 11:35:35 -08:00
@Override
Add new ContentProvider for doing conversions to data streams. This introduces basic infrastructure that should allow content providers holding complex data to perform on-demand conversion of their data to streams of various types. It is achieved through two new content provider APIs, one to interrogate the possible stream MIME types the provider can return, and the other to request a stream of data in a particular MIME type. Because implementations of this will often need to do on-demand data conversion, there is also a utility intoduced in ContentProvider for subclasses to easily run a function to write data into a pipe that is read by the client. This feature is mostly intended for cut and paste and drag and drop, as the complex data interchange allowing the source and destination to negotiate data types and copy (possible large) data between them. However because it is fundamental facility of ContentProvider, it can be used in other places, such as for more advanced GET_CONTENT data exchanges. An example implementation of this would be in ContactsProvider, which can now provider a data stream when a client opens certain pieces of it data, to return data as flat text, a vcard, or other format. Change-Id: I58627ea4ed359aa7cf2c66274adb18306c209cb2
2010-08-06 12:16:55 -07:00
public AssetFileDescriptor openTypedAssetFile(Uri url, String mimeType, Bundle opts) {
throw new UnsupportedOperationException("unimplemented mock method call");
}
Add async version of "canonicalize" Fixes: b/147699082 Test: atest FrameworksCoreTests:android.content.ContentResolverTest Change-Id: I2e851839a454ad5eabc981c76774d03b57a1aa09
2020-02-14 17:04:13 -08:00
/**
* @hide
*/
@SuppressWarnings("deprecation")
public void canonicalizeAsync(Uri uri, RemoteCallback callback) {
AsyncTask.SERIAL_EXECUTOR.execute(() -> {
final Bundle bundle = new Bundle();
bundle.putParcelable(ContentResolver.REMOTE_CALLBACK_RESULT, canonicalize(uri));
callback.sendResult(bundle);
});
}
Add async version of "uncanonicalize" This CL is basically identical to http://ag/10353234, which did the same with the sister method, "canonicalize". Fixes: b/147705670 Test: atest FrameworksCoreTests:android.content.ContentResolverTest Change-Id: Ide93850f225cdd61779a62fc2c4666efe438b536
2020-10-23 15:47:19 -07:00
/**
* @hide
*/
@SuppressWarnings("deprecation")
public void uncanonicalizeAsync(Uri uri, RemoteCallback callback) {
AsyncTask.SERIAL_EXECUTOR.execute(() -> {
final Bundle bundle = new Bundle();
bundle.putParcelable(ContentResolver.REMOTE_CALLBACK_RESULT, uncanonicalize(uri));
callback.sendResult(bundle);
});
}
Adding ContentProvider#refresh and ContentResolver#refresh. Original CL is from ag/1568530. Bug: 31647485 Change-Id: Ib45fc995a361b8c75cd3600f638910b18a263d51
2016-11-10 13:50:54 -08:00
/**
* @hide
*/
public boolean refresh(Uri url, Bundle args) {
throw new UnsupportedOperationException("unimplemented mock method call");
}
Detailed ContentProvider permissions checks. The new MediaProvider design has an internal dynamic security model based on the value stored in OWNER_PACKAGE_NAME, so the OS always needs to consult the provider when resolving Uri permission grants. Blocking calls from the system process like this are typically discouraged, but this is the best we can do with the limited time left, and there is existing precident with getType(). For now, use "forceUriPermissions" as a proxy for determining when we need to consult the provider directly. Bug: 115619667 Test: atest --test-mapping packages/providers/MediaProvider Test: atest android.appsecurity.cts.ExternalStorageHostTest Change-Id: I1d54feeec93fbb4cf5ff55240ef4eae3a35ed068
2019-05-20 14:00:17 -06:00
/** {@hide} */
@Override
public int checkUriPermission(@NonNull Uri uri, int uid, @Intent.AccessUriMode int modeFlags) {
throw new UnsupportedOperationException("unimplemented mock method call");
}
Implement new MockContentProvider. Also make ContentProvider aware of the class. Rename the old MockContentProvider to MockIContentProvider since it is more appropriate name. Detail: Current developers inevitably depend on the backend used by ContentProvider, which is useful but not ideal nor "testable" from the view of them. Current MockContentResolver only accepts exact "ContentProvider" class, not IContentProvider interface, since we want to hide "IContentProvider" while the old MockContentProvider implements IContentProvider and as a result some methods we want to hide may be exposed to the public SDK now and probably for the future. On the other hand, ContentProvider is not interface but an exact class heavily depends on the internal logic and not suitable for external developers to use for tests. The new MockContentProvider introduces the mock implementation for ContentProvider. It extends ContentProvider, so "is" ContentProvider, but tries to avoid depending on any backend System like IPC in Android, etc. This should be useful from the view of application developers who do not want to be confused with ContentProvider/ContentResolver backend implementation "at all" and want to use MockContentResolver without any other ContentProvider implementations tightly connected to the external worlds.
2009-10-22 08:36:42 +09:00
/**
* Returns IContentProvider which calls back same methods in this class.
* By overriding this class, we avoid the mechanism hidden behind ContentProvider
* (IPC, etc.)
*
* @hide
*/
@Override
public final IContentProvider getIContentProvider() {
return mIContentProvider;
}
Add apis needed for android.test.legacy The long term goal of removing junit and dependent android.test classes from the android.jar is the removal of the runtime libraries that provide those classes. A key part of the strategy for migrating APKs off the runtime libraries is the android.test.legacy library which APKs can statically include in place of the runtime dependencies without having to change their source code. The longer term goal is for all tests to migrate from these classes altogther and to use the Android Test Support Library instead but that will require significant changes to the test source code. In order for it to be safe to statically include android.test.legacy in an APK it cannot use any internal APIs. This change adds the additional classes and methods needed to the android.test.mock API library. The additions are all marked as deprecated to try and avoid developers from using them in new tests. It also marks the AccountManager constructor used by MockAccountManager with the android.annotation.MockApi so that it is included in the mock stubs libraries against which the android.test.mock.stubs[-system] libraries build. Bug: 30188076 Test: make checkbuild Change-Id: I85417cc328cab898ab93b9b726648f4232555324
2017-12-22 16:13:15 +00:00
Add Downloads.Impl.COLUMN_MEDIASTORE_URI & DownloadColumns.Description. Entries from DownloadProvider are added to MediaStore Downloads collection. COLUMN_MEDIASTORE_URI will be used to track corresponding entries in MediaProvider. We can't re-use COLUMN_MEDIAPROVIDER_URI for this purpose because it is updateable by apps. Bug: 120876251 Test: atest DownloadProviderTests Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java Test: atest MediaProviderTests Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore* Change-Id: Ifd252c54f4ee739a31be2866896efac6696a088e
2018-12-16 15:52:33 -08:00
/**
* @hide
*/
public IBinder getIContentProviderBinder() {
Don't use impl lib of android.test.[mock|base|runners] The java_sdk_library modules are now added with 'default_to_stubs: true' so that their impl libraries are not used even when the clients don't have sdk_version property set. This will allow us to replace the direct references to the stub libraries of the java_sdk_library modules with the references to the modules themselves (e.g. android.test.base.stubs -> android.test.base) in many of the CTS tests without unintentionally exposing the private APIs in the impl lib. As part of the change, MockContentProvider.getIContentProviderBinder() now returns an anonymous Binder object instead of throwing an exception. This is to eliminate the need for clients to override the now inaccessible method to escape from the exception. Also, InstrumentationTestRunner.addTestListener method is added to the stub because it is used by several tests (MtpServiceTests, etc.) Bug: 157007292 Test: m Change-Id: I14cf217f21fd3534c920c3a6336cf2d14c02e60c
2020-05-29 10:51:18 +09:00
return new Binder();
Add Downloads.Impl.COLUMN_MEDIASTORE_URI & DownloadColumns.Description. Entries from DownloadProvider are added to MediaStore Downloads collection. COLUMN_MEDIASTORE_URI will be used to track corresponding entries in MediaProvider. We can't re-use COLUMN_MEDIAPROVIDER_URI for this purpose because it is updateable by apps. Bug: 120876251 Test: atest DownloadProviderTests Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java Test: atest MediaProviderTests Test: atest cts/tests/tests/provider/src/android/provider/cts/MediaStore* Change-Id: Ifd252c54f4ee739a31be2866896efac6696a088e
2018-12-16 15:52:33 -08:00
}
Add apis needed for android.test.legacy The long term goal of removing junit and dependent android.test classes from the android.jar is the removal of the runtime libraries that provide those classes. A key part of the strategy for migrating APKs off the runtime libraries is the android.test.legacy library which APKs can statically include in place of the runtime dependencies without having to change their source code. The longer term goal is for all tests to migrate from these classes altogther and to use the Android Test Support Library instead but that will require significant changes to the test source code. In order for it to be safe to statically include android.test.legacy in an APK it cannot use any internal APIs. This change adds the additional classes and methods needed to the android.test.mock API library. The additions are all marked as deprecated to try and avoid developers from using them in new tests. It also marks the AccountManager constructor used by MockAccountManager with the android.annotation.MockApi so that it is included in the mock stubs libraries against which the android.test.mock.stubs[-system] libraries build. Bug: 30188076 Test: make checkbuild Change-Id: I85417cc328cab898ab93b9b726648f4232555324
2017-12-22 16:13:15 +00:00
/**
* Like {@link #attachInfo(Context, android.content.pm.ProviderInfo)}, but for use
* when directly instantiating the provider for testing.
*
* <p>Provided for use by {@code android.test.ProviderTestCase2} and
* {@code android.test.RenamingDelegatingContext}.
*
* @deprecated Use a mocking framework like <a href="https://github.com/mockito/mockito">Mockito</a>.
* New tests should be written using the
* <a href="{@docRoot}tools/testing-support-library/index.html">Android Testing Support Library</a>.
*/
@Deprecated
public static void attachInfoForTesting(
ContentProvider provider, Context context, ProviderInfo providerInfo) {
provider.attachInfoForTesting(context, providerInfo);
}
am 563bfade: fix a build breakage Merge commit '563bfade6601f3410681b3cd8b069ed22af5b048' into eclair-mr2-plus-aosp * commit '563bfade6601f3410681b3cd8b069ed22af5b048': fix a build breakage
2009-12-09 16:00:40 -08:00
}
Reference in New Issue Copy Permalink