From 49eff81262c3b85a1640d01e202a8067eae5be68 Mon Sep 17 00:00:00 2001
From: Chad Brubaker <cbrubaker@google.com>
Date: Fri, 13 Apr 2018 16:18:11 -0700
Subject: Use the network security config's cleartext settings

Previously DownloadManager only respected the manifest attribute, this
change makes DownloadManager handle both the manifest and the network
security config

Change-Id: I5666a1eea6278acc3864620a0e5a4c3ae37635b8
Fixes: 78028215
Test: atest CtsNetSecConfigDownloadManagerTestCases
---
 .../providers/downloads/DownloadThread.java        |  5 +--
 .../providers/downloads/RealSystemFacade.java      | 38 ++++------------------
 .../android/providers/downloads/SystemFacade.java  |  5 +--
 3 files changed, 13 insertions(+), 35 deletions(-)

(limited to 'src')

diff --git a/src/com/android/providers/downloads/DownloadThread.java b/src/com/android/providers/downloads/DownloadThread.java
index fc00fdad..54cc1a5d 100644
--- a/src/com/android/providers/downloads/DownloadThread.java
+++ b/src/com/android/providers/downloads/DownloadThread.java
@@ -421,7 +421,8 @@ public class DownloadThread extends Thread {
             throw new StopRequestException(STATUS_BAD_REQUEST, e);
         }
 
-        boolean cleartextTrafficPermitted = mSystemFacade.isCleartextTrafficPermitted(mInfo.mUid);
+        boolean cleartextTrafficPermitted
+                = mSystemFacade.isCleartextTrafficPermitted(mInfo.mPackage, url.getHost());
         SSLContext appContext;
         try {
             appContext = mSystemFacade.getSSLContextForPackage(mContext, mInfo.mPackage);
@@ -435,7 +436,7 @@ public class DownloadThread extends Thread {
             // because of HTTP redirects which can change the protocol between HTTP and HTTPS.
             if ((!cleartextTrafficPermitted) && ("http".equalsIgnoreCase(url.getProtocol()))) {
                 throw new StopRequestException(STATUS_BAD_REQUEST,
-                        "Cleartext traffic not permitted for UID " + mInfo.mUid + ": "
+                        "Cleartext traffic not permitted for package " + mInfo.mPackage + ": "
                         + Uri.parse(url.toString()).toSafeString());
             }
 
diff --git a/src/com/android/providers/downloads/RealSystemFacade.java b/src/com/android/providers/downloads/RealSystemFacade.java
index 9d07999b..a0ce92c3 100644
--- a/src/com/android/providers/downloads/RealSystemFacade.java
+++ b/src/com/android/providers/downloads/RealSystemFacade.java
@@ -89,25 +89,6 @@ class RealSystemFacade implements SystemFacade {
         return mContext.getPackageManager().getApplicationInfo(packageName, 0).uid == uid;
     }
 
-    @Override
-    public boolean isCleartextTrafficPermitted(int uid) {
-        PackageManager packageManager = mContext.getPackageManager();
-        String[] packageNames = packageManager.getPackagesForUid(uid);
-        if (ArrayUtils.isEmpty(packageNames)) {
-            // Unknown UID -- fail safe: cleartext traffic not permitted
-            return false;
-        }
-
-        // Cleartext traffic is permitted from the UID if it's permitted for any of the packages
-        // belonging to that UID.
-        for (String packageName : packageNames) {
-            if (isCleartextTrafficPermitted(packageName)) {
-                return true;
-            }
-        }
-        return false;
-    }
-
     @Override
     public SSLContext getSSLContextForPackage(Context context, String packageName)
             throws GeneralSecurityException {
@@ -124,22 +105,17 @@ class RealSystemFacade implements SystemFacade {
     }
 
     /**
-     * Returns whether cleartext network traffic (HTTP) is permitted for the provided package.
+     * Returns whether cleartext network traffic (HTTP) is permitted for the provided package to
+     * {@code host}.
      */
-    private boolean isCleartextTrafficPermitted(String packageName) {
-        PackageManager packageManager = mContext.getPackageManager();
-        PackageInfo packageInfo;
+    public boolean isCleartextTrafficPermitted(String packageName, String host) {
+        ApplicationConfig appConfig;
         try {
-            packageInfo = packageManager.getPackageInfo(packageName, 0);
+            appConfig = NetworkSecurityPolicy.getApplicationConfigForPackage(mContext, packageName);
         } catch (NameNotFoundException e) {
-            // Unknown package -- fail safe: cleartext traffic not permitted
-            return false;
-        }
-        ApplicationInfo applicationInfo = packageInfo.applicationInfo;
-        if (applicationInfo == null) {
-            // No app info -- fail safe: cleartext traffic not permitted
+            // Unknown package -- fail for safety
             return false;
         }
-        return (applicationInfo.flags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0;
+        return appConfig.isCleartextTrafficPermitted(host);
     }
 }
diff --git a/src/com/android/providers/downloads/SystemFacade.java b/src/com/android/providers/downloads/SystemFacade.java
index 788ead64..14002a15 100644
--- a/src/com/android/providers/downloads/SystemFacade.java
+++ b/src/com/android/providers/downloads/SystemFacade.java
@@ -63,9 +63,10 @@ interface SystemFacade {
     public boolean userOwnsPackage(int uid, String pckg) throws NameNotFoundException;
 
     /**
-     * Returns true if cleartext network traffic is permitted for the specified UID.
+     * Returns true if cleartext network traffic is permitted from {@code packageName} to
+     * {@code host}.
      */
-    public boolean isCleartextTrafficPermitted(int uid);
+    public boolean isCleartextTrafficPermitted(String packageName, String host);
 
     /**
      * Return a {@link SSLContext} configured using the specified package's configuration.
-- 
cgit v1.2.3