/*
 * Copyright (C) 2016 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.android.cts.deviceadmin;

import android.app.admin.DevicePolicyManager;
import android.test.MoreAsserts;

/**
 * Tests that:
 * - need to be run as device admin (as opposed to device owner) and
 * - require resetting the password at the end.
 *
 * Note: when adding a new method, make sure to add a corresponding method in
 * BaseDeviceAdminHostSideTest.
 */
public class DeviceAdminPasswordTest extends BaseDeviceAdminTest {

    @Override
    protected void setUp() throws Exception {
        super.setUp();

        assertNotDeviceOwner();
    }

    private void checkSetPassword_nycRestrictions_success() {
        assertTrue(dpm.resetPassword("1234", /* flags= */ 0));
    }

    private void checkSetPassword_nycRestrictions_failure() {
        try {
            assertFalse(dpm.resetPassword("1234", /* flags= */ 0));
            if (shouldResetPasswordThrow()) {
                fail("Didn't throw");
            }
        } catch (SecurityException e) {
            if (!shouldResetPasswordThrow()) {
                fail("Shouldn't throw");
            }
            MoreAsserts.assertContainsRegex("Admin cannot change current password", e.getMessage());
        }
    }

    private void checkClearPassword_nycRestrictions_failure() {
        try {
            assertFalse(dpm.resetPassword("", /* flags= */ 0));
            if (shouldResetPasswordThrow()) {
                fail("Didn't throw");
            }
        } catch (SecurityException e) {
            if (!shouldResetPasswordThrow()) {
                fail("Shouldn't throw");
            }
            MoreAsserts.assertContainsRegex("Cannot call with null password", e.getMessage());
        }
    }

    private void assertHasPassword() {
        final int currentQuality = dpm.getPasswordQuality(mAdminComponent);
        dpm.setPasswordQuality(mAdminComponent, DevicePolicyManager.PASSWORD_QUALITY_SOMETHING);
        try {
            assertTrue("No password set", dpm.isActivePasswordSufficient());
        } finally {
            dpm.setPasswordQuality(mAdminComponent, currentQuality);
        }
    }

    private void assertNoPassword() {
        final int currentQuality = dpm.getPasswordQuality(mAdminComponent);
        dpm.setPasswordQuality(mAdminComponent, DevicePolicyManager.PASSWORD_QUALITY_SOMETHING);
        try {
            assertFalse("Password is set", dpm.isActivePasswordSufficient());
        } finally {
            dpm.setPasswordQuality(mAdminComponent, currentQuality);
        }
    }

    /**
     * Tests for the new restrictions on {@link DevicePolicyManager#resetPassword} introduced
     * on NYC.
     */
    public void testResetPassword_nycRestrictions() throws Exception {

        assertNoPassword();

        // Can't clear the password, even if there's no password set currently.
        checkClearPassword_nycRestrictions_failure();

        assertNoPassword();

        // No password -> setting one is okay.
        checkSetPassword_nycRestrictions_success();

        assertHasPassword();

        // But once set, DA can't change the password.
        checkSetPassword_nycRestrictions_failure();

        assertHasPassword();

        // Still can't clear the password.
        checkClearPassword_nycRestrictions_failure();

        assertHasPassword();
    }
}