TestAppAuthenticatorBuilder

public final class TestAppAuthenticatorBuilder


Builder class that can be used to facilitate the creation of a new AppAuthenticator which can be configured to meet the requirements of the test. Similar to the AppAuthenticator, the static factory methods for this class require either an XML resource or InputStream containing the app-authenticator configuration allowing verification of your declared config as part of the test.

There are several options to configure the behavior of the resulting AppAuthenticator.

  • setTestPolicy - This sets a generic test policy. POLICY_SIGNATURE_ACCEPTED_FOR_DECLARED_PACKAGES will cause the AppAuthenticator to always return that a queried package has the expected signing identity as long as it is explicitly declared in your configuration; that is, the package must be declared in a package element within either an expected-identity or permission element. POLICY_DENY_ALL will cause the AppAuthenticator to always return that a queried package does not have the expected signing identity regardless of its declaration. These two policies can be used to verify good path and error path for scenarios where the package names can be explicitly declared in the XML configuration.

    POLICY_SIGNATURE_ACCEPTED_FOR_DECLARED_PACKAGES is the default policy when no other options are configured. When any of the other set methods (except for setUidForPackage) are invoked they will set the policy to POLICY_CUSTOM.

  • setSignatureAcceptedForPackage - This configures the AppAuthenticator to always return that the specified package has the expected signing identity. Note this still requires the app-authenticator have a path to verify the provided package; that is, the package must either be explicitly declared in a package element or fall under a all-packages element for the query being performed. This is to ensure that a package being verified during the test could also be successfully verified in production for the given query.
  • setSigningIdentityForPackage - This sets an explicit signing identity for the provided package; the signing identity should be specified as the SHA-256 digest of the DER encoding of the signing certificate, similar to how digests are specified in the app-authenticator configuration file. While this can be used to set a signing identity to the expected value, this is more often used to set the signing identity to a value that should not be accepted. For instance, a test suite could have a test that verifies a key that is no longer trusted is never added back to the configuration file.
  • setPackageNotInstalled - This configures the AppAuthenticator to treat the specified package as not installed on the device. Since a package that is not installed can result in a different return code from the AppAuthenticator methods this configuration can be used to verify an app's behavior when an expected app is not installed on the device.
  • setUidForPackage - The AppAuthenticator will always verify the UID of the calling package matches the specified UID (or getCallingUid if a UID is not specified). By default this test AppAuthenticator will use the result of Binder#getCallingUid() as the UID of all queried packages. This method can be used to verify the expected behavior when a calling package's UID does not match the expected UID.

Summary

Constants

static final int

This test policy indicates that the caller will specify the expected results for each package individually.

static final int

This test policy will cause the AppAuthenticator to return that the signing identity of the package does that match the expect identity from the XML configuration for all queried packages.

static final int

This test policy will cause the AppAuthenticator to return a successful signing identity for all packages explicitly declared in the XML configuration.

Public methods

@NonNull AppAuthenticator

Builds an AppAuthenticator with the specified config that can be injected to satisfy test requirements.

static @NonNull TestAppAuthenticatorBuilder
createFromInputStream(
    @NonNull Context context,
    @NonNull InputStream xmlInputStream
)

Returns a new TestAppAuthenticatorBuilder that can be used to create a new configured to behave as required for the test.

static @NonNull TestAppAuthenticatorBuilder
createFromResource(@NonNull Context context, @XmlRes int xmlResource)

Returns a new TestAppAuthenticatorBuilder that can be used to create a new configured to behave as required for the test.

@NonNull TestAppAuthenticatorBuilder

Treats the provided packageName as not being installed by the resulting .

@NonNull TestAppAuthenticatorBuilder

Configures the resulting AppAuthenticator to always return that the signing identity matches the expected value when the specified packageName is queried.

@NonNull TestAppAuthenticatorBuilder
setSigningIdentityForPackage(
    @NonNull String packageName,
    @NonNull String certDigest
)

Sets the provided certDigest as the signing identity for the specified packageName.

@NonNull TestAppAuthenticatorBuilder

Sets the policy to be used by the AppAuthenticator for the test.

@NonNull TestAppAuthenticatorBuilder
setUidForPackage(@NonNull String packageName, int uid)

Sets the provided uid as the UID of the specified packageName.

Constants

POLICY_CUSTOM

Added in 1.0.0-beta01
public static final int POLICY_CUSTOM = 3

This test policy indicates that the caller will specify the expected results for each package individually. This is the default policy used when a new TestAppAuthenticator is built after calling any of the following: setSigningIdentityForPackage, setSignatureAcceptedForPackage, and setPackageNotInstalled. Once the policy has been set to this value it cannot be changed to any of the other policies.

POLICY_DENY_ALL

Added in 1.0.0-beta01
public static final int POLICY_DENY_ALL = 2

This test policy will cause the AppAuthenticator to return that the signing identity of the package does that match the expect identity from the XML configuration for all queried packages.

POLICY_SIGNATURE_ACCEPTED_FOR_DECLARED_PACKAGES

Added in 1.0.0-beta01
public static final int POLICY_SIGNATURE_ACCEPTED_FOR_DECLARED_PACKAGES = 1

This test policy will cause the AppAuthenticator to return a successful signing identity for all packages explicitly declared in the XML configuration. This is the default policy used when a new AppAuthenticator is built without calling setSigningIdentityForPackage, setSignatureAcceptedForPackage, and setPackageNotInstalled.

Public methods

build

Added in 1.0.0-beta01
public @NonNull AppAuthenticator build()

Builds an AppAuthenticator with the specified config that can be injected to satisfy test requirements.

Returns
@NonNull AppAuthenticator

a new AppAuthenticator that will respond to queries as configured

Throws
androidx.security.app.authenticator.AppAuthenticatorXmlException

if the provided XML config file is not in the proper format to create a new AppAuthenticator

java.io.IOException

if an IO error is encountered when attempting to read the XML config file

createFromInputStream

Added in 1.0.0-beta01
public static @NonNull TestAppAuthenticatorBuilder createFromInputStream(
    @NonNull Context context,
    @NonNull InputStream xmlInputStream
)

Returns a new TestAppAuthenticatorBuilder that can be used to create a new configured to behave as required for the test.

Parameters
@NonNull Context context

the context within which to create the AppAuthenticator

@NonNull InputStream xmlInputStream

the XML InputStream containing the definitions for the permissions and expected identities based on packages / expected signing certificate digests

Returns
@NonNull TestAppAuthenticatorBuilder

this instance of the TestAppAuthenticatorBuilder

createFromResource

Added in 1.0.0-beta01
public static @NonNull TestAppAuthenticatorBuilder createFromResource(@NonNull Context context, @XmlRes int xmlResource)

Returns a new TestAppAuthenticatorBuilder that can be used to create a new configured to behave as required for the test.

Parameters
@NonNull Context context

the context within which to create the AppAuthenticator

@XmlRes int xmlResource

the ID of the XML resource containing the definitions for the permissions and expected identities based on package / expected signing certificate digests

Returns
@NonNull TestAppAuthenticatorBuilder

this instance of the TestAppAuthenticatorBuilder

setPackageNotInstalled

Added in 1.0.0-beta01
public @NonNull TestAppAuthenticatorBuilder setPackageNotInstalled(@NonNull String packageName)

Treats the provided packageName as not being installed by the resulting .

Parameters
@NonNull String packageName

the name of the package to be treated as not installed

Returns
@NonNull TestAppAuthenticatorBuilder

this instance of the TestAppAuthenticatorBuilder

setSignatureAcceptedForPackage

Added in 1.0.0-beta01
public @NonNull TestAppAuthenticatorBuilder setSignatureAcceptedForPackage(@NonNull String packageName)

Configures the resulting AppAuthenticator to always return that the signing identity matches the expected value when the specified packageName is queried.

Note, the specified packageName must be defined either explicitly via a package element or implicitly via a all-packages element; this ensures that the XML configuration is correct and that the specified package could be verified on device.

Parameters
@NonNull String packageName

the name of the package for which the signing identity should be treated as matching the expected value

Returns
@NonNull TestAppAuthenticatorBuilder

this instance of the TestAppAuthenticatorBuilder

setSigningIdentityForPackage

Added in 1.0.0-beta01
public @NonNull TestAppAuthenticatorBuilder setSigningIdentityForPackage(
    @NonNull String packageName,
    @NonNull String certDigest
)

Sets the provided certDigest as the signing identity for the specified packageName.

Parameters
@NonNull String packageName

the name of the package that will use the provided signing identity

@NonNull String certDigest

the digest to be treated as the signing identity of the specified package

Returns
@NonNull TestAppAuthenticatorBuilder

this instance of the TestAppAuthenticatorBuilder

setTestPolicy

Added in 1.0.0-beta01
public @NonNull TestAppAuthenticatorBuilder setTestPolicy(@TestAppAuthenticatorBuilder.TestPolicy int testPolicy)

Sets the policy to be used by the AppAuthenticator for the test.

Parameters
@TestAppAuthenticatorBuilder.TestPolicy int testPolicy

the test policy to be used by the AppAuthenticator{} this instance of the {TestAppAuthenticatorBuilder} #POLICY_SIGNATURE_ACCEPTED_FOR_DECLARED_PACKAGES #POLICY_DENY_ALL #POLICY_CUSTOM

setUidForPackage

Added in 1.0.0-beta01
public @NonNull TestAppAuthenticatorBuilder setUidForPackage(@NonNull String packageName, int uid)

Sets the provided uid as the UID of the specified packageName.

This method can be used to verify the scenario where a calling package does not have the expected calling UID.

Parameters
@NonNull String packageName

the name of the package that will be treated as having the provided uid

int uid

the uid to use for the specified package

Returns
@NonNull TestAppAuthenticatorBuilder

this instance of the TestAppAuthenticatorBuilder