1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package com.android.bedstead.enterprise.annotations;
18 
19 import java.lang.annotation.ElementType;
20 import java.lang.annotation.Retention;
21 import java.lang.annotation.RetentionPolicy;
22 import java.lang.annotation.Target;
23 
24 /**
25  * Used to annotate an enterprise policy for use with {@link PolicyDoesNotApplyTest} and
26  * {@link PolicyAppliesTest}.
27  */
28 @Target(ElementType.TYPE)
29 @Retention(RetentionPolicy.RUNTIME)
30 public @interface EnterprisePolicy {
31 
32     /**
33      * An enterprise policy which can be controlled using permissions.
34      */
35     @interface Permission {
36         /** The permission required to exercise the policy. */
appliedWith()37         String appliedWith();
38         /** Flags indicating who the policy applies to when applied in this way. */
appliesTo()39         int appliesTo();
40         /** Additional modifiers. */
modifiers()41         int modifiers() default NO;
42     }
43 
44     /**
45      * An enterprise policy which can be controlled user app ops.
46      */
47     @interface AppOp {
48         /** The AppOp required to exercise the policy. */
appliedWith()49         String appliedWith();
50         /** Flags indicating who the policy applies to when applied in this way. */
appliesTo()51         int appliesTo();
52         /** Additional modifiers. */
modifiers()53         int modifiers() default NO;
54     }
55 
56     /**
57      * The Device Admin required to exercise the policy.
58      */
59     @interface DeviceAdmin {
60         /** A key which uniquely identifies the device admin for the test. */
key()61         String key() default EnsureHasDeviceAdmin.DEFAULT_KEY;
62         /** Flags indicating who the policy applies to when applied in this way. */
appliesTo()63         int appliesTo();
64         /** Additional modifiers. */
modifiers()65         int modifiers() default NO;
66         /** The policies this device admin must have enabled. */
usesPolicies()67         int[] usesPolicies() default {};
68     }
69 
70     /** A policy that cannot be applied. */
71     int NO = 0;
72 
73     /** A policy which applies to the user of the package which applied the policy. */
74     int APPLIES_TO_OWN_USER = 1;
75     /** A policy which applies to unaffiliated other users. */
76     int APPLIES_TO_UNAFFILIATED_OTHER_USERS = 1 << 1;
77     /** A policy which applies to affiliated other users. */
78     int APPLIES_TO_AFFILIATED_OTHER_USERS = 1 << 2;
79     /** A policy which applies to unaffiliated profiles of the user of the package which applied the policy. */
80     int APPLIES_TO_UNAFFILIATED_CHILD_PROFILES_WITHOUT_INHERITANCE = 1 << 3;
81 
82     /** A policy that is inherited by child profiles if applied on parent. */
83     int INHERITABLE = 1 << 4;
84 
85     int APPLIES_TO_UNAFFILIATED_CHILD_PROFILES = APPLIES_TO_UNAFFILIATED_CHILD_PROFILES_WITHOUT_INHERITANCE | INHERITABLE;
86 
87     /** A policy which applies to affiliated profiles of the user of the package which applied the policy. */
88     int APPLIES_TO_AFFILIATED_CHILD_PROFILES = 1 << 5;
89     /** A policy that applies to the parent of the profile of the package which applied the policy. */
90     int APPLIES_TO_PARENT = 1 << 6;
91 
92     /** A policy that applies to affiliated or unaffiliate profiles of the package which applied the policy. */
93     int APPLIES_TO_CHILD_PROFILES =
94             APPLIES_TO_UNAFFILIATED_CHILD_PROFILES | APPLIES_TO_AFFILIATED_CHILD_PROFILES;
95     /** A policy that applies to affiliated or unaffiliated other users. */
96     int APPLIES_TO_OTHER_USERS =
97             APPLIES_TO_UNAFFILIATED_OTHER_USERS | APPLIES_TO_AFFILIATED_OTHER_USERS;
98 
99     /** A policy that applies to all users on the device. */
100     int APPLIES_GLOBALLY = APPLIES_TO_OWN_USER | APPLIES_TO_OTHER_USERS
101             | APPLIES_TO_CHILD_PROFILES | APPLIES_TO_PARENT;
102 
103 
104     // Applied by
105 
106     /** A policy that can be applied by a system device owner. */
107     int APPLIED_BY_SYSTEM_DEVICE_OWNER = 1 << 7;
108     /** A policy that can be applied by a single user device owner on headless. */
109     int APPLIED_BY_SINGLE_DEVICE_OWNER = 1 << 8;
110 
111     /** A policy that can be applied by a system device owner or a main user device owner. */
112     int APPLIED_BY_DEVICE_OWNER =
113             APPLIED_BY_SYSTEM_DEVICE_OWNER
114                     | APPLIED_BY_SINGLE_DEVICE_OWNER;
115     /** A policy that can be applied by a profile owner of an unaffiliated profile. */
116     int APPLIED_BY_UNAFFILIATED_PROFILE_OWNER_PROFILE = 1 << 9;
117     /** A policy that can be applied by a profile owner of an affiliated profile */
118     int APPLIED_BY_AFFILIATED_PROFILE_OWNER_PROFILE = 1 << 10;
119     /** A policy that can be applied by a profile owner of an organization owned profile */
120     int APPLIED_BY_ORGANIZATION_OWNED_PROFILE_OWNER_PROFILE = 1 << 11;
121 
122     /** A policy that can be applied by a profile owner of an affiliated or unaffiliated profile. */
123     int APPLIED_BY_PROFILE_OWNER_PROFILE =
124             APPLIED_BY_UNAFFILIATED_PROFILE_OWNER_PROFILE
125                     | APPLIED_BY_AFFILIATED_PROFILE_OWNER_PROFILE
126                     | APPLIED_BY_ORGANIZATION_OWNED_PROFILE_OWNER_PROFILE;
127     /**
128      * A policy that can be applied by a Profile Owner for a User (not Profile) with no Device
129      * Owner.
130      */
131     int APPLIED_BY_PROFILE_OWNER_USER_WITH_NO_DO = 1 << 12;
132     /**
133      * A policy that can be applied by an unaffiliated Profile Owner for a User (not Profile) with
134      * a Device Owner.
135      */
136     int APPLIED_BY_UNAFFILIATED_PROFILE_OWNER_USER_WITH_DO = 1 << 13;
137     /** A policy that can be applied by a profile owner of an unaffiliated user. */
138     int APPLIED_BY_UNAFFILIATED_PROFILE_OWNER_USER =
139             APPLIED_BY_PROFILE_OWNER_USER_WITH_NO_DO
140                     | APPLIED_BY_UNAFFILIATED_PROFILE_OWNER_USER_WITH_DO;
141     /** A policy that can be applied by a profile owner of an affiliated user. */
142     int APPLIED_BY_AFFILIATED_PROFILE_OWNER_USER = 1 << 14;
143     /** A policy that can be applied by an affiliated or unaffiliated profile owner on a User (not Profile). */
144     int APPLIED_BY_PROFILE_OWNER_USER =
145             APPLIED_BY_UNAFFILIATED_PROFILE_OWNER_USER | APPLIED_BY_AFFILIATED_PROFILE_OWNER_USER;
146     /** A policy that can be applied by an affiliated profile owner on a user or profile. */
147     int APPLIED_BY_AFFILIATED_PROFILE_OWNER = APPLIED_BY_AFFILIATED_PROFILE_OWNER_PROFILE | APPLIED_BY_AFFILIATED_PROFILE_OWNER_USER;
148     /** A policy that can be applied by a profile owner, affiliate or unaffiliated, running on a user or profile. */
149     int APPLIED_BY_PROFILE_OWNER =
150             APPLIED_BY_PROFILE_OWNER_PROFILE
151             | APPLIED_BY_PROFILE_OWNER_USER;
152 
153     int APPLIED_BY_PARENT_INSTANCE_OF_NON_ORGANIZATIONAL_OWNED_PROFILE_OWNER_PROFILE = 1 << 15;
154     int APPLIED_BY_PARENT_INSTANCE_OF_ORGANIZATIONAL_OWNED_PROFILE_OWNER_PROFILE = 1 << 16;
155 
156     int APPLIED_BY_PARENT_INSTANCE_OF_PROFILE_OWNER_PROFILE =
157             APPLIED_BY_PARENT_INSTANCE_OF_NON_ORGANIZATIONAL_OWNED_PROFILE_OWNER_PROFILE | APPLIED_BY_PARENT_INSTANCE_OF_ORGANIZATIONAL_OWNED_PROFILE_OWNER_PROFILE;
158 
159     // Modifiers
160     /** Internal use only. Do not use */
161     // This is to be used to mark specific annotations as not generating PolicyDoesNotApply tests
162     int DO_NOT_APPLY_TO_POLICY_DOES_NOT_APPLY_TESTS = 1 << 17;
163 
164     /** Internal use only. Do not use */
165     // This is to be used to mark specific annotations as not generating PolicyDoesNotApply tests
166     int DO_NOT_APPLY_TO_CANNOT_SET_POLICY_TESTS = 1 << 18;
167 
168     /**
169      * A policy that the DPM Role Holder can use.
170      *
171      * <p>This should only be used when the role holder is special cased by role. If this capability
172      * is granted by some permission the role holder holds, do not use this flag and instead specify
173      * the permission on the policy.
174      */
175     int APPLIED_BY_DPM_ROLE_HOLDER = 1 << 19 | (DO_NOT_APPLY_TO_CANNOT_SET_POLICY_TESTS);
176 
177     /**
178      * A policy which applies even when the user is not in the foreground.
179      *
180      * <p>Note that lacking this flag does not mean a policy does not apply - to indicate that use
181      * {@link DOES_NOT_APPLY_IN_BACKGROUND}. */
182     int APPLIES_IN_BACKGROUND = 1 << 20 | (DO_NOT_APPLY_TO_POLICY_DOES_NOT_APPLY_TESTS);
183     /**
184      * A policy which does not apply when the user is not in the foreground.
185      *
186      * <p>At present this does not generate any additional tests but may do in future.
187      *
188      * <p>Note that lacking this flag does not mean a policy does apply - to indicate that use
189      * {@link APPLIES_IN_BACKGROUND}. */
190     int DOES_NOT_APPLY_IN_BACKGROUND = 1 << 21;
191 
192 
193     /**
194      * A policy which can be applied by a delegate.
195      *
196      * See {@link #delegatedScopes()} for the scopes which enable this.
197      */
198     int CAN_BE_DELEGATED = 1 << 22;
199 
200     /** A policy that can be applied by a financed device owner. */
201     int APPLIED_BY_FINANCED_DEVICE_OWNER = 1 << 23;
202 
203     /** A policy that has not yet been migrated to allow for DPM Role holder access. */
204     int CANNOT_BE_APPLIED_BY_ROLE_HOLDER = 1 << 24;
205 
206     /** Flags indicating DPC states which can set the policy. */
dpc()207     int[] dpc() default {};
208 
209     /**
210      * {@link Permission} indicating which permissions can control the policy.
211      *
212      * <p>Note that this currently does not generate any additional tests but may do in future.
213      */
permissions()214     Permission[] permissions() default {};
215 
216     /**
217      * {@link AppOp} indicating which AppOps can control the policy.
218      *
219      * <p>Note that this currently does not generate any additional tests but may do in future.
220      */
appOps()221     AppOp[] appOps() default {};
222 
223     /**
224      * Which delegated scopes can control the policy.
225      *
226      * <p>This applies to {@link #dpc()} entries with the {@link #CAN_BE_DELEGATED} flag.
227      */
delegatedScopes()228     String[] delegatedScopes() default {};
229 
230     /**
231      * {@link DeviceAdmin} configurations for non-DPC device administrators which are able to set
232      * this policy.
233      *
234      * <p>Note that this currently does not generate any additional tests but may do in future.
235      */
deviceAdmins()236     DeviceAdmin[] deviceAdmins() default {};
237 }
238