authorChad Brubaker <cbrubaker@google.com>2015-11-06 23:02:37 -0800
committerChad Brubaker <cbrubaker@google.com>2015-11-07 13:31:04 -0800
commitbd173c28fcded629da722c6669f1b6478cdcd94f (patch)
tree24524a2b7140b729912e123e835f7eaf185c64a4 /tests/NetworkSecurityConfigTest
parent5f96702f582050c1598136ed2a748f76b981c94e (diff)
Support nested domain-config elements
Nested domain-config elements inherit unset parameters from the domain-config they are nested in. This helps avoid copy-and-pasted configs that are almost the same except for a few minor differences for a domain with slightly different requirements. For example: Consider a domain-config for example.com that, among other settings, does not enforce hsts. Now if you want the rules for example.com to apply to secure.example.com except that hsts _is_ enforced you can make a nested domain-config for secure.example.com under example.com that sets hstsEnforced="true" and nothing else. Change-Id: I9e33f7e62127fd7f4f15c3560fff2f2626477bd4
Diffstat (limited to 'tests/NetworkSecurityConfigTest')
-rw-r--r--tests/NetworkSecurityConfigTest/res/xml/nested_domains.xml18
-rw-r--r--tests/NetworkSecurityConfigTest/res/xml/nested_domains_override.xml12
-rw-r--r--tests/NetworkSecurityConfigTest/src/android/security/net/config/XmlConfigTests.java29
3 files changed, 59 insertions, 0 deletions
diff --git a/tests/NetworkSecurityConfigTest/res/xml/nested_domains.xml b/tests/NetworkSecurityConfigTest/res/xml/nested_domains.xml
new file mode 100644
index 000000000000..d45fd77a5f0f
--- /dev/null
+++ b/tests/NetworkSecurityConfigTest/res/xml/nested_domains.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<network-security-config>
+ <domain-config>
+ <domain includeSubdomains="true">android.com</domain>
+ <trust-anchors>
+ <certificates src="system" />
+ </trust-anchors>
+ <!-- nested config that adds pins -->
+ <domain-config>
+ <domain>developer.android.com</domain>
+ <pin-set>
+ <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
+ </pin-set>
+ </domain-config>
+ </domain-config>
+ <base-config cleartextTrafficPermitted="false">
+ </base-config>
+</network-security-config>
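Review bot: The `<pin>` in the nested developer.android.com config is an opaque literal with no note on which key it hashes, and testNestedDomainConfigs opens a live connection to that host with it, so the test appears to depend on a key in the server's current chain. A comment above the pin would make a later failure diagnosable, for example `<!-- SPKI SHA-256 of <KEY-NAME-PLACEHOLDER> in developer.android.com's chain; update on rotation -->`. The pin-set also holds a single pin, so a rotation of that key would fail the connection assertion even though parsing and inheritance still work.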
diff --git a/tests/NetworkSecurityConfigTest/res/xml/nested_domains_override.xml b/tests/NetworkSecurityConfigTest/res/xml/nested_domains_override.xml
new file mode 100644
index 000000000000..84e06e324513
--- /dev/null
+++ b/tests/NetworkSecurityConfigTest/res/xml/nested_domains_override.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<network-security-config>
+ <base-config cleartextTrafficPermitted="false">
+ </base-config>
+ <!-- Nested config that overrides parent -->
+ <domain-config cleartextTrafficPermitted="true">
+ <domain includeSubdomains="true">android.com</domain>
+ <domain-config cleartextTrafficPermitted="false">
+ <domain>developer.android.com</domain>
+ </domain-config>
+ </domain-config>
+</network-security-config>
diff --git a/tests/NetworkSecurityConfigTest/src/android/security/net/config/XmlConfigTests.java b/tests/NetworkSecurityConfigTest/src/android/security/net/config/XmlConfigTests.java
index 4914d06e2311..f52a27995854 100644
--- a/tests/NetworkSecurityConfigTest/src/android/security/net/config/XmlConfigTests.java
+++ b/tests/NetworkSecurityConfigTest/src/android/security/net/config/XmlConfigTests.java
@@ -245,6 +245,35 @@ public class XmlConfigTests extends AndroidTestCase {
TestUtils.assertUrlConnectionSucceeds(context, "android.com", 443);
}
+ public void testNestedDomainConfigs() throws Exception {
+ XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.nested_domains);
+ ApplicationConfig appConfig = new ApplicationConfig(source);
+ assertTrue(appConfig.hasPerDomainConfigs());
+ NetworkSecurityConfig parent = appConfig.getConfigForHostname("android.com");
+ NetworkSecurityConfig child = appConfig.getConfigForHostname("developer.android.com");
+ MoreAsserts.assertNotEqual(parent, child);
+ MoreAsserts.assertEmpty(parent.getPins().pins);
+ MoreAsserts.assertNotEmpty(child.getPins().pins);
+ // Check that the child inherited the cleartext value and anchors.
+ assertFalse(child.isCleartextTrafficPermitted());
+ MoreAsserts.assertNotEmpty(child.getTrustAnchors());
+ // Test connections.
+ SSLContext context = TestUtils.getSSLContext(source);
+ TestUtils.assertConnectionSucceeds(context, "android.com", 443);
+ TestUtils.assertConnectionSucceeds(context, "developer.android.com", 443);
+ }
+
+ public void testNestedDomainConfigsOverride() throws Exception {
+ XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.nested_domains_override);
+ ApplicationConfig appConfig = new ApplicationConfig(source);
+ assertTrue(appConfig.hasPerDomainConfigs());
+ NetworkSecurityConfig parent = appConfig.getConfigForHostname("android.com");
+ NetworkSecurityConfig child = appConfig.getConfigForHostname("developer.android.com");
+ MoreAsserts.assertNotEqual(parent, child);
+ assertTrue(parent.isCleartextTrafficPermitted());
+ assertFalse(child.isCleartextTrafficPermitted());
+ }
+
private void testBadConfig(int configId) throws Exception {
try {
XmlConfigSource source = new XmlConfigSource(getContext(), configId);
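Review bot: The assertions under `// Check that the child inherited the cleartext value and anchors.` in testNestedDomainConfigs cannot tell inheritance from the parent apart from a fall-through to base-config: the parent in nested_domains.xml sets no cleartextTrafficPermitted, so `false` comes from base-config, and system anchors are presumably what a config resolves to by default as well. testNestedDomainConfigsOverride has the same gap, because its child sets the attribute explicitly. A case where the parent differs from base-config and the child leaves the value unset would pin the behaviour the commit message describes, for example a second nested domain-config in nested_domains_override.xml with no attribute and `assertTrue(sibling.isCleartextTrafficPermitted());`. The stricter direction matters most: no test shows that a nested config without its own pin-set keeps the parent's pins, so a regression there would silently drop pinning for the subdomain.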