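/*
 * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.android.bedstead.enterprise.annotations;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * Used to annotate an enterprise policy for use with {@link PolicyDoesNotApplyTest} and
 * {@link PolicyAppliesTest}.
 *
 * <p>Every flag constant declared here occupies its own bit of a single {@code int} (bits 0 to
 * 24 are in use), so "applies to", "applied by" and modifier flags can be combined with
 * {@code |} in one value. A new flag must take an unused bit: reusing a bit would silently
 * change which principals a policy is declared to be settable by, or which users it is declared
 * to affect.
 */
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
public @interface EnterprisePolicy {

    /**
     * An enterprise policy which can be controlled using permissions.
     */
    @interface Permission {
        /** The permission required to exercise the policy. */
        String appliedWith();

        /** Flags indicating who the policy applies to when applied in this way. */
        int appliesTo();

        /** Additional modifiers. Defaults to {@link EnterprisePolicy#NO}, i.e. none. */
        int modifiers() default NO;
    }

    /**
     * An enterprise policy which can be controlled using app ops.
     */
    @interface AppOp {
        /** The AppOp required to exercise the policy. */
        String appliedWith();

        /** Flags indicating who the policy applies to when applied in this way. */
        int appliesTo();

        /** Additional modifiers. Defaults to {@link EnterprisePolicy#NO}, i.e. none. */
        int modifiers() default NO;
    }

    /**
     * A policy that cannot be applied.
     *
     * <p>The value is {@code 0} (no bits set); it is also the default for
     * {@link Permission#modifiers()} and {@link AppOp#modifiers()}.
     */
    int NO = 0;

    // Applies to

    /** A policy which applies to the user of the package which applied the policy. */
    int APPLIES_TO_OWN_USER = 1;
    /** A policy which applies to unaffiliated other users. */
    int APPLIES_TO_UNAFFILIATED_OTHER_USERS = 1 << 1;
    /** A policy which applies to affiliated other users. */
    int APPLIES_TO_AFFILIATED_OTHER_USERS = 1 << 2;
    /**
     * A policy which applies to unaffiliated profiles of the user of the package which applied
     * the policy.
     */
    int APPLIES_TO_UNAFFILIATED_CHILD_PROFILES_WITHOUT_INHERITANCE = 1 << 3;

    /** A policy that is inherited by child profiles if applied on parent. */
    int INHERITABLE = 1 << 4;

    /**
     * A policy which applies to unaffiliated profiles of the user of the package which applied
     * the policy and is also {@link #INHERITABLE}.
     *
     * <p>This is the combination of
     * {@link #APPLIES_TO_UNAFFILIATED_CHILD_PROFILES_WITHOUT_INHERITANCE} and
     * {@link #INHERITABLE}.
     */
    int APPLIES_TO_UNAFFILIATED_CHILD_PROFILES =
            APPLIES_TO_UNAFFILIATED_CHILD_PROFILES_WITHOUT_INHERITANCE | INHERITABLE;

    /**
     * A policy which applies to affiliated profiles of the user of the package which applied the
     * policy.
     */
    int APPLIES_TO_AFFILIATED_CHILD_PROFILES = 1 << 5;
    /**
     * A policy that applies to the parent of the profile of the package which applied the policy.
     */
    int APPLIES_TO_PARENT = 1 << 6;

    /**
     * A policy that applies to affiliated or unaffiliated profiles of the package which applied
     * the policy.
     *
     * <p>Includes the {@link #INHERITABLE} bit through
     * {@link #APPLIES_TO_UNAFFILIATED_CHILD_PROFILES}.
     */
    int APPLIES_TO_CHILD_PROFILES =
            APPLIES_TO_UNAFFILIATED_CHILD_PROFILES | APPLIES_TO_AFFILIATED_CHILD_PROFILES;
    /** A policy that applies to affiliated or unaffiliated other users. */
    int APPLIES_TO_OTHER_USERS =
            APPLIES_TO_UNAFFILIATED_OTHER_USERS | APPLIES_TO_AFFILIATED_OTHER_USERS;

    /** A policy that applies to all users on the device. */
    int APPLIES_GLOBALLY =
            APPLIES_TO_OWN_USER
                    | APPLIES_TO_OTHER_USERS
                    | APPLIES_TO_CHILD_PROFILES
                    | APPLIES_TO_PARENT;

    // Applied by

    /** A policy that can be applied by a system device owner. */
    int APPLIED_BY_SYSTEM_DEVICE_OWNER = 1 << 7;
    /** A policy that can be applied by a single user device owner on headless. */
    int APPLIED_BY_SINGLE_DEVICE_OWNER = 1 << 8;

    /** A policy that can be applied by a system device owner or a main user device owner. */
    int APPLIED_BY_DEVICE_OWNER =
            APPLIED_BY_SYSTEM_DEVICE_OWNER | APPLIED_BY_SINGLE_DEVICE_OWNER;
    /** A policy that can be applied by a profile owner of an unaffiliated profile. */
    int APPLIED_BY_UNAFFILIATED_PROFILE_OWNER_PROFILE = 1 << 9;
    /** A policy that can be applied by a profile owner of an affiliated profile. */
    int APPLIED_BY_AFFILIATED_PROFILE_OWNER_PROFILE = 1 << 10;
    /** A policy that can be applied by a profile owner of an organization owned profile. */
    int APPLIED_BY_ORGANIZATION_OWNED_PROFILE_OWNER_PROFILE = 1 << 11;

    /**
     * A policy that can be applied by a profile owner of an affiliated or unaffiliated profile.
     *
     * <p>The mask also contains {@link #APPLIED_BY_ORGANIZATION_OWNED_PROFILE_OWNER_PROFILE}.
     */
    int APPLIED_BY_PROFILE_OWNER_PROFILE =
            APPLIED_BY_UNAFFILIATED_PROFILE_OWNER_PROFILE
                    | APPLIED_BY_AFFILIATED_PROFILE_OWNER_PROFILE
                    | APPLIED_BY_ORGANIZATION_OWNED_PROFILE_OWNER_PROFILE;
    /**
     * A policy that can be applied by a Profile Owner for a User (not Profile) with no Device
     * Owner.
     */
    int APPLIED_BY_PROFILE_OWNER_USER_WITH_NO_DO = 1 << 12;
    /**
     * A policy that can be applied by an unaffiliated Profile Owner for a User (not Profile) with
     * a Device Owner.
     */
    int APPLIED_BY_UNAFFILIATED_PROFILE_OWNER_USER_WITH_DO = 1 << 13;
    /** A policy that can be applied by a profile owner of an unaffiliated user. */
    int APPLIED_BY_UNAFFILIATED_PROFILE_OWNER_USER =
            APPLIED_BY_PROFILE_OWNER_USER_WITH_NO_DO
                    | APPLIED_BY_UNAFFILIATED_PROFILE_OWNER_USER_WITH_DO;
    /** A policy that can be applied by a profile owner of an affiliated user. */
    int APPLIED_BY_AFFILIATED_PROFILE_OWNER_USER = 1 << 14;
    /**
     * A policy that can be applied by an affiliated or unaffiliated profile owner on a User (not
     * Profile).
     */
    int APPLIED_BY_PROFILE_OWNER_USER =
            APPLIED_BY_UNAFFILIATED_PROFILE_OWNER_USER | APPLIED_BY_AFFILIATED_PROFILE_OWNER_USER;
    /** A policy that can be applied by an affiliated profile owner on a user or profile. */
    int APPLIED_BY_AFFILIATED_PROFILE_OWNER =
            APPLIED_BY_AFFILIATED_PROFILE_OWNER_PROFILE | APPLIED_BY_AFFILIATED_PROFILE_OWNER_USER;
    /**
     * A policy that can be applied by a profile owner, affiliated or unaffiliated, running on a
     * user or profile.
     */
    int APPLIED_BY_PROFILE_OWNER =
            APPLIED_BY_PROFILE_OWNER_PROFILE | APPLIED_BY_PROFILE_OWNER_USER;

    // NOTE(review): the three PARENT_INSTANCE constants below had no documentation; the
    // descriptions are taken from their names only and should be confirmed by the owners.

    /**
     * By name: a policy that can be applied through the parent instance of a profile owner of a
     * profile that is not organization owned.
     */
    int APPLIED_BY_PARENT_INSTANCE_OF_NON_ORGANIZATIONAL_OWNED_PROFILE_OWNER_PROFILE = 1 << 15;
    /**
     * By name: a policy that can be applied through the parent instance of a profile owner of an
     * organization owned profile.
     */
    int APPLIED_BY_PARENT_INSTANCE_OF_ORGANIZATIONAL_OWNED_PROFILE_OWNER_PROFILE = 1 << 16;

    /**
     * The combination of
     * {@link #APPLIED_BY_PARENT_INSTANCE_OF_NON_ORGANIZATIONAL_OWNED_PROFILE_OWNER_PROFILE} and
     * {@link #APPLIED_BY_PARENT_INSTANCE_OF_ORGANIZATIONAL_OWNED_PROFILE_OWNER_PROFILE}.
     */
    int APPLIED_BY_PARENT_INSTANCE_OF_PROFILE_OWNER_PROFILE =
            APPLIED_BY_PARENT_INSTANCE_OF_NON_ORGANIZATIONAL_OWNED_PROFILE_OWNER_PROFILE
                    | APPLIED_BY_PARENT_INSTANCE_OF_ORGANIZATIONAL_OWNED_PROFILE_OWNER_PROFILE;

    // Modifiers

    /** Internal use only. Do not use */
    // This is to be used to mark specific annotations as not generating PolicyDoesNotApply tests
    int DO_NOT_APPLY_TO_POLICY_DOES_NOT_APPLY_TESTS = 1 << 17;

    /** Internal use only. Do not use */
    // This is to be used to mark specific annotations as not generating CannotSetPolicy tests
    int DO_NOT_APPLY_TO_CANNOT_SET_POLICY_TESTS = 1 << 18;

    /**
     * A policy that the DPM Role Holder can use.
     *
     * <p>This should only be used when the role holder is special cased by role. If this capability
     * is granted by some permission the role holder holds, do not use this flag and instead specify
     * the permission on the policy.
     *
     * <p>The value carries the {@link #DO_NOT_APPLY_TO_CANNOT_SET_POLICY_TESTS} bit in addition to
     * its own bit. A non-zero test such as {@code (flags & APPLIED_BY_DPM_ROLE_HOLDER) != 0}
     * therefore also matches a value that only sets that modifier; compare against the full mask
     * when checking for this flag.
     */
    int APPLIED_BY_DPM_ROLE_HOLDER = (1 << 19) | DO_NOT_APPLY_TO_CANNOT_SET_POLICY_TESTS;

    /**
     * A policy which applies even when the user is not in the foreground.
     *
     * <p>Note that lacking this flag does not mean a policy does not apply - to indicate that use
     * {@link #DOES_NOT_APPLY_IN_BACKGROUND}.
     *
     * <p>The value carries the {@link #DO_NOT_APPLY_TO_POLICY_DOES_NOT_APPLY_TESTS} bit in
     * addition to its own bit. A non-zero test such as
     * {@code (flags & APPLIES_IN_BACKGROUND) != 0} therefore also matches a value that only sets
     * that modifier; compare against the full mask when checking for this flag.
     */
    int APPLIES_IN_BACKGROUND = (1 << 20) | DO_NOT_APPLY_TO_POLICY_DOES_NOT_APPLY_TESTS;
    /**
     * A policy which does not apply when the user is not in the foreground.
     *
     * <p>At present this does not generate any additional tests but may do in future.
     *
     * <p>Note that lacking this flag does not mean a policy does apply - to indicate that use
     * {@link #APPLIES_IN_BACKGROUND}.
     */
    int DOES_NOT_APPLY_IN_BACKGROUND = 1 << 21;

    /**
     * A policy which can be applied by a delegate.
     *
     * <p>See {@link #delegatedScopes()} for the scopes which enable this.
     */
    int CAN_BE_DELEGATED = 1 << 22;

    /** A policy that can be applied by a financed device owner. */
    int APPLIED_BY_FINANCED_DEVICE_OWNER = 1 << 23;

    /** A policy that has not yet been migrated to allow for DPM Role holder access. */
    int CANNOT_BE_APPLIED_BY_ROLE_HOLDER = 1 << 24;

    /** Flags indicating DPC states which can set the policy. */
    int[] dpc() default {};

    /**
     * {@link Permission} indicating which permissions can control the policy.
     *
     * <p>Note that this currently does not generate any additional tests but may do in future.
     */
    Permission[] permissions() default {};

    /**
     * {@link AppOp} indicating which AppOps can control the policy.
     *
     * <p>Note that this currently does not generate any additional tests but may do in future.
     */
    AppOp[] appOps() default {};

    /**
     * Which delegated scopes can control the policy.
     *
     * <p>This applies to {@link #dpc()} entries with the {@link #CAN_BE_DELEGATED} flag.
     */
    String[] delegatedScopes() default {};
}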